FI-3404: Add SMART on FHIR Workflow Support to CARIN Client tests

README.md

@@ -43,7 +43,7 @@ requests needed to pass all of the tests. Note that some requests within the col
 
 To run the client tests against the Postman collection:
 1. Start an Inferno session of the CARIN for Blue Button Client test suite.
-3. Click the "Run All Tests" button in the upper right and type in "SAMPLE_TOKEN" for the `access_token` input in the dialog that appears.
+3. Click the "Run All Tests" button in the upper right and type in "SAMPLE_TOKEN" for the `Client ID` input in the dialog that appears.
 4. Click the "Submit" button. The simulated server will then be waiting for an interaction.
 4. Open Postman and import the `C4BB Client Search Tests` Postman collection.
 5. Send each of the requests listed under the `C4BB Client Search Tests` Postman collection and ensure a
@@ -55,8 +55,7 @@ To run the client tests against the Postman collection:
 ### CPCDS Reference Implementation Client
 
 To try out these tests without a Carin for Blue Button client implementation, you may
-run them using the [CPCDS Reference Implementation Client](https://github.com/carin-alliance/cpcds-client-ri). Use this
-[forked repository](https://github.com/emichaud998/cpcds-client-ri), which been adjusted to work with this test kit.
+run them using the [CPCDS Reference Implementation Client](https://github.com/carin-alliance/cpcds-client-ri).
 
 1. Follow the instructions listed [here](https://github.com/carin-alliance/cpcds-client-ri?tab=readme-ov-file#running-app-locally)
    to get the CPCDS Reference Implementation Client running locally.
@@ -70,9 +69,9 @@ To run the client tests against the CPCDS Reference Implementation Client:
 3. Click the "Wait for Claims Data and Search Requests" test group in the left navigation sidebar.
 4. Click the "Run Tests" button in the upper right and click the "Submit" button in the dialog
    that appears. The simulated server will then be waiting for an interaction.
-5. Navigate to `localhost:3000`. Enter the Carin Client Suite FHIR endpoint URL, and then type the Carin patient id, `888`,
-   into the client secret and client id fields. Hit the "Connect" button.
-6. On the next page, hit the "Display" button to make a request to the Carin Client Suite .
+5. Navigate to `localhost:3000`. Enter the Carin Client Suite FHIR endpoint URL, and then type `SAMPLE_CLIENT_ID`
+   into the client ID field and `SAMPLE_CLIENT_SECRET` into the client secret field. Hit the "Connect" button.
+6. This will connect the client with the test suite via SMART and the client will automatically make a request to the test suite.
 7. In the Inferno Client Suite, click the "Click here" link in the wait dialog to signal the client has finished submitting requests.
 8. Navigate to each Carin for Blue Button Profile test group in the left navigation sidebar, and for each test group hit the run
    icon next all the tests listed except for the last required search parameters test

config/presets/carin_cpcds_client_ri.json

@@ -4,9 +4,9 @@
   "test_suite_id": "c4bb_v200_client",
   "inputs": [
     {
-      "name": "access_token",
+      "name": "client_id",
       "type": "text",
-      "value": "SAMPLE_TOKEN"
+      "value": "SAMPLE_CLIENT_ID"
     }
   ]
 }

lib/carin_for_blue_button_test_kit/client/v2.0.0/c4bb_client_test_suite.rb

@@ -1,6 +1,7 @@
 require 'inferno/dsl/oauth_credentials'
 require_relative 'endpoints/resource_api_endpoint'
 require_relative 'endpoints/token_endpoint'
+require_relative 'endpoints/authorize_endpoint'
 require_relative 'endpoints/next_page_endpoint'
 require_relative 'endpoints/resource_id_endpoint'
 
@@ -77,7 +78,9 @@ def self.test_resumes?(test)
       end
     end
 
-    suite_endpoint :post, TOKEN_PATH, TokenEndpoint
+    suite_endpoint :post, TOKEN_PATH, MockAuthorization::TokenEndpoint
+    suite_endpoint :get, AUTH_PATH, MockAuthorization::AuthorizeEndpoint
+    suite_endpoint :post, AUTH_PATH, MockAuthorization::AuthorizeEndpoint
 
     suite_endpoint :get, PATIENT_PATH, ResourceAPIEndpoint
 
@@ -87,11 +90,11 @@ def self.test_resumes?(test)
 
     suite_endpoint :get, BASE_FHIR_PATH, NextPageEndpoint
 
-    resume_test_route :get, RESUME_PASS_PATH do |request|
-      C4BBV200ClientSuite.extract_token_from_query_params(request)
+    resume_test_route :get, RESUME_CLAIMS_DATA_PATH do |request|
+      C4BBV200ClientSuite.extract_test_run_identifier_from_query_params(request)
     end
 
-    resume_test_route :get, RESUME_CLAIMS_DATA_PATH do |request|
+    resume_test_route :get, RESUME_PASS_PATH do |request|
       C4BBV200ClientSuite.extract_token_from_query_params(request)
     end
 
@@ -100,6 +103,8 @@ def self.test_resumes?(test)
     end
 
     route(:get, METADATA_PATH, get_metadata)
+    route(:get, SMART_CONFIG_PATH, carin_smart_config)
+    route(:get, JKWS_PATH, MockAuthorization.method(:jwks))
 
     group do
       run_as_group

lib/carin_for_blue_button_test_kit/client/v2.0.0/claim_data_request_tests/coverage_claims_data_request_test.rb

@@ -12,7 +12,6 @@ class C4BBClientCoverageSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is a Coverage resource
       that conforms to the CARIN for Blue Button [Coverage profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-Coverage.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:Coverage)

lib/carin_for_blue_button_test_kit/client/v2.0.0/claim_data_request_tests/eob_inpatient_claims_data_request_test.rb

@@ -12,7 +12,6 @@ class C4BBClientEOBInpatientSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is an ExplanationOfBenefit resource
       that conforms to the CARIN for Blue Button [Outpatient Institutional ExplanationOfBenefit profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-ExplanationOfBenefit-Outpatient-Institutional.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:ExplanationOfBenefit_Inpatient_Institutional)

lib/carin_for_blue_button_test_kit/client/v2.0.0/claim_data_request_tests/eob_oral_claims_data_request_test.rb

@@ -12,7 +12,6 @@ class C4BBClientEOBOralSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is an ExplanationOfBenefit resource
       that conforms to the CARIN for Blue Button [Oral ExplanationOfBenefit profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-ExplanationOfBenefit-Oral.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:ExplanationOfBenefit_Oral)

lib/carin_for_blue_button_test_kit/client/v2.0.0/claim_data_request_tests/eob_outpatient_claims_data_request_test.rb

@@ -12,7 +12,6 @@ class C4BBClientEOBOutpatientSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is an ExplanationOfBenefit resource
       that conforms to the CARIN for Blue Button [Outpatient Institutional ExplanationOfBenefit profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-ExplanationOfBenefit-Outpatient-Institutional.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:ExplanationOfBenefit_Outpatient_Institutional)

lib/carin_for_blue_button_test_kit/client/v2.0.0/claim_data_request_tests/eob_pharmacy_claims_data_request_test.rb

@@ -12,7 +12,6 @@ class C4BBClientEOBPharmacySubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is an ExplanationOfBenefit resource
       that conforms to the CARIN for Blue Button [Pharmacy ExplanationOfBenefit profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-ExplanationOfBenefit-Pharmacy.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:ExplanationOfBenefit_Pharmacy)

lib/carin_for_blue_button_test_kit/client/v2.0.0/claim_data_request_tests/eob_professional_claims_data_request_test.rb

@@ -12,7 +12,6 @@ class C4BBClientEOBProfessionalSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is an ExplanationOfBenefit resource
       that conforms to the CARIN for Blue Button [Professional NonClinician ExplanationOfBenefit profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-ExplanationOfBenefit-Professional-NonClinician.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:ExplanationOfBenefit_Professional_NonClinician)

lib/carin_for_blue_button_test_kit/client/v2.0.0/claim_data_request_tests/organization_claims_data_request_test.rb

@@ -12,7 +12,6 @@ class C4BBClientOrganizationSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is an Organization resource
       that conforms to the CARIN for Blue Button [Organization profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-Organization.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:Organization)

lib/carin_for_blue_button_test_kit/client/v2.0.0/claim_data_request_tests/patient_claims_data_request_test.rb

@@ -12,7 +12,6 @@ class C4BBClientPatientSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is a Patient resource
       that conforms to the CARIN for Blue Button [Patient profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-Patient.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:Patient)

lib/carin_for_blue_button_test_kit/client/v2.0.0/claim_data_request_tests/practitioner_claims_data_request_test.rb

@@ -12,7 +12,6 @@ class C4BBClientPractitionerSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is a Practitioner resource
       that conforms to the CARIN for Blue Button [Practitioner profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-Practitioner.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:Practitioner)

lib/carin_for_blue_button_test_kit/client/v2.0.0/claim_data_request_tests/relatedperson_claims_data_request_test.rb

@@ -12,7 +12,6 @@ class C4BBClientRelatedPersonSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is a RelatedPerson resource
       that conforms to the CARIN for Blue Button [RelatedPerson profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-RelatedPerson.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:RelatedPerson)

lib/carin_for_blue_button_test_kit/client/v2.0.0/endpoints/authorize_endpoint.rb

@@ -0,0 +1,32 @@
+module CarinForBlueButtonTestKit
+  module MockAuthorization
+    class AuthorizeEndpoint < Inferno::DSL::SuiteEndpoint
+      def test_run_identifier
+        request.params[:client_id]
+      end
+
+      def tags
+        [AUTHORIZE_TAG]
+      end
+
+      def make_response
+        if request.params[:redirect_uri].present?
+          redirect_uri = "#{request.params[:redirect_uri]}?" \
+                         "code=#{SecureRandom.hex}&" \
+                         "state=#{request.params[:state]}"
+          response.status = 302
+          response.headers['Location'] = redirect_uri
+        else
+          response.status = 400
+          response.format = 'application/fhir+json'
+          response.body = FHIR::OperationOutcome.new(
+            issue: FHIR::OperationOutcome::Issue.new(severity: 'fatal', code: 'required',
+                                                     details: FHIR::CodeableConcept.new(
+                                                       text: 'No redirect_uri provided'
+                                                     ))
+          ).to_json
+        end
+      end
+    end
+  end
+end

lib/carin_for_blue_button_test_kit/client/v2.0.0/endpoints/next_page_endpoint.rb

@@ -1,12 +1,14 @@
 require_relative '../tags'
 require_relative '../mock_server'
+require_relative '../mock_authorization'
 
 module CarinForBlueButtonTestKit
   class NextPageEndpoint < Inferno::DSL::SuiteEndpoint
     include CarinForBlueButtonTestKit::MockServer
+    include CarinForBlueButtonTestKit::MockAuthorization
 
     def test_run_identifier
-      extract_bearer_token(request)
+      extract_client_id_from_bearer_token(request) || extract_bearer_token(request)
     end
 
     def make_response

lib/carin_for_blue_button_test_kit/client/v2.0.0/endpoints/resource_api_endpoint.rb

@@ -1,14 +1,16 @@
 require_relative '../tags'
 require_relative '../mock_server'
+require_relative '../mock_authorization'
 require_relative '../client_validation_test'
 
 module CarinForBlueButtonTestKit
   class ResourceAPIEndpoint < Inferno::DSL::SuiteEndpoint
     include CarinForBlueButtonTestKit::MockServer
+    include CarinForBlueButtonTestKit::MockAuthorization
     include CarinForBlueButtonTestKit::ClientValidationTest
 
     def test_run_identifier
-      extract_bearer_token(request)
+      extract_client_id_from_bearer_token(request) || extract_bearer_token(request)
     end
 
     def make_response

lib/carin_for_blue_button_test_kit/client/v2.0.0/endpoints/resource_id_endpoint.rb

@@ -1,12 +1,14 @@
 require_relative '../tags'
 require_relative '../mock_server'
+require_relative '../mock_authorization'
 
 module CarinForBlueButtonTestKit
   class ResourceIDEndpoint < Inferno::DSL::SuiteEndpoint
     include CarinForBlueButtonTestKit::MockServer
+    include CarinForBlueButtonTestKit::MockAuthorization
 
     def test_run_identifier
-      extract_bearer_token(request)
+      extract_client_id_from_bearer_token(request) || extract_bearer_token(request)
     end
 
     def make_response

lib/carin_for_blue_button_test_kit/client/v2.0.0/endpoints/token_endpoint.rb

@@ -1,24 +1,102 @@
 require_relative '../tags'
+require_relative '../urls'
 require_relative '../mock_server'
+require_relative '../mock_authorization'
 
 module CarinForBlueButtonTestKit
-  class TokenEndpoint < Inferno::DSL::SuiteEndpoint
-    include CarinForBlueButtonTestKit::MockServer
+  module MockAuthorization
+    AUTHORIZED_PRACTITIONER_ID = 'c4bb-Practitioner'.freeze # Must exist on the FHIR_REFERENCE_SERVER (env var)
+    CARIN_PATIENT_ID = '888'.freeze # Must exist on the FHIR_REFERENCE_SERVER (env var)
 
-    def test_run_identifier
-      extract_client_id(request)
-    end
+    class TokenEndpoint < Inferno::DSL::SuiteEndpoint
+      include CarinForBlueButtonTestKit::MockServer
 
-    def make_response
-      token_response(request)
-    end
+      def test_run_identifier
+        extract_client_id
+      end
 
-    def tags
-      [AUTH_TAG]
-    end
+      def tags
+        [TOKEN_TAG]
+      end
+
+      def make_response
+        client_id = extract_client_id
+        access_token = JWT.encode({ inferno_client_id: client_id }, nil, 'none')
+        granted_scopes = SUPPORTED_SCOPES & requested_scopes
+
+        response_hash = { access_token:, scope: granted_scopes.join(' '), token_type: 'bearer',
+                          expires_in: 3600 }
+
+        if granted_scopes.include?('openid')
+          response_hash.merge!(id_token: create_id_token(client_id,
+                                                         fhir_user: granted_scopes.include?('fhirUser')))
+        end
+
+        response_hash.merge!(patient: CARIN_PATIENT_ID)
+
+        response.body = response_hash.to_json
+        response.headers['Cache-Control'] = 'no-store'
+        response.headers['Pragma'] = 'no-cache'
+        response.headers['Access-Control-Allow-Origin'] = '*'
+        response.status = 200
+      end
+
+      private
+
+      def extract_client_id
+        # Public client            || confidential client asymmetric          || confidential client symmetric
+        request.params[:client_id] || extract_client_id_from_client_assertion || extract_client_id_from_basic_auth
+      end
+
+      def extract_client_id_from_client_assertion
+        encoded_jwt = request.params[:client_assertion]
+        return unless encoded_jwt.present?
+
+        jwt_payload =
+          begin
+            JWT.decode(encoded_jwt, nil, false)&.first # skip signature verification
+          rescue StandardError
+            nil
+          end
+
+        jwt_payload['iss'] || jwt_payload['sub'] if jwt_payload.present?
+      end
+
+      def extract_client_id_from_basic_auth
+        encoded_credentials = request.headers['authorization']&.delete_prefix('Basic ')
+        return unless encoded_credentials.present?
+
+        decoded_credentials = Base64.decode64(encoded_credentials)
+        decoded_credentials&.split(':')&.first
+      end
+
+      def requested_scopes
+        auth_request = requests_repo.tagged_requests(result.test_session_id, [AUTHORIZE_TAG]).last
+        return [] unless auth_request
+
+        auth_params = if auth_request.verb.downcase == 'get'
+                        auth_request.query_parameters
+                      else
+                        URI.decode_www_form(auth_request.request_body)&.to_h
+                      end
+        scope_str = auth_params&.dig('scope')
+        scope_str ? URI.decode_www_form_component(scope_str).split : []
+      end
+
+      def create_id_token(client_id, fhir_user: false)
+        # No point in mocking an identity provider, just always use known Practitioner as the authorized user
+        suite_fhir_base_url = request.url.split(TOKEN_PATH).first + BASE_FHIR_PATH
+        id_token_hash = {
+          iss: suite_fhir_base_url,
+          sub: AUTHORIZED_PRACTITIONER_ID,
+          aud: client_id,
+          exp: Time.now.to_i + (24 * 60 * 60), # 24 hrs
+          iat: Time.now.to_i
+        }
+        id_token_hash.merge!(fhirUser: "#{suite_fhir_base_url}/Practitioner/#{AUTHORIZED_PRACTITIONER_ID}") if fhir_user
 
-    def update_result
-      results_repo.update(result.id, result: 'pass') unless test.config.options[:accepts_multiple_requests]
+        JWT.encode(id_token_hash, RSA_PRIVATE_KEY, 'RS256')
+      end
     end
   end
 end

lib/carin_for_blue_button_test_kit/client/v2.0.0/initial_wait_test.rb

@@ -8,14 +8,21 @@ class C4BBClientInitialWaitTest < Inferno::Test
     description %(
       This test will receive claims data requests and search requests until the user confirms they are done.
     )
-    input :access_token
+    input :client_id,
+          title: 'Client ID',
+          description: %(
+            Enter the client ID you will use to connect to this CARIN server via a SMART launch. If you wish to send
+            requests without performing a SMART launch, enter the Bearer access token you will provide with your
+            requests here instead.
+          )
+
     config options: { accepts_multiple_requests: true }
 
     run do
       wait(
-        identifier: access_token,
+        identifier: client_id,
         message: %(
-          Access Token: #{access_token} \n
+          Access Token: #{client_id} \n
           Submit CARIN requests via the following method:
           * Single Resource API: `#{submit_url}?:search_params`, with `:endpoint` replaced with the endpoint you want
           to reach and `:search_params` replaced with the search parameters for the request.
@@ -67,7 +74,7 @@ class C4BBClientInitialWaitTest < Inferno::Test
                 * ExplanationOfBenefit:payee
                 * ExplanationOfBenefit:*
 
-          [Click here](#{resume_claims_data_url}?token=#{access_token}) when done.
+          [Click here](#{resume_claims_data_url}?test_run_identifier=#{client_id}) when done.
         ),
         timeout: 900
       )