inferno-framework · emichaud998 · Dec 18, 2024 · Dec 19, 2024 · Dec 19, 2024 · Dec 20, 2024
diff --git a/README.md b/README.md
@@ -43,7 +43,7 @@ requests needed to pass all of the tests. Note that some requests within the col
 
 To run the client tests against the Postman collection:
 1. Start an Inferno session of the CARIN for Blue Button Client test suite.
-3. Click the "Run All Tests" button in the upper right and type in "SAMPLE_TOKEN" for the `access_token` input in the dialog that appears.
+3. Click the "Run All Tests" button in the upper right and type in "SAMPLE_TOKEN" for the `Client ID` input in the dialog that appears.
 4. Click the "Submit" button. The simulated server will then be waiting for an interaction.
 4. Open Postman and import the `C4BB Client Search Tests` Postman collection.
 5. Send each of the requests listed under the `C4BB Client Search Tests` Postman collection and ensure a
@@ -55,8 +55,7 @@ To run the client tests against the Postman collection:
 ### CPCDS Reference Implementation Client
 
 To try out these tests without a Carin for Blue Button client implementation, you may
-run them using the [CPCDS Reference Implementation Client](https://github.com/carin-alliance/cpcds-client-ri). Use this
-[forked repository](https://github.com/emichaud998/cpcds-client-ri), which been adjusted to work with this test kit.
+run them using the [CPCDS Reference Implementation Client](https://github.com/carin-alliance/cpcds-client-ri).
 
 1. Follow the instructions listed [here](https://github.com/carin-alliance/cpcds-client-ri?tab=readme-ov-file#running-app-locally)
    to get the CPCDS Reference Implementation Client running locally.
@@ -70,9 +69,9 @@ To run the client tests against the CPCDS Reference Implementation Client:
 3. Click the "Wait for Claims Data and Search Requests" test group in the left navigation sidebar.
 4. Click the "Run Tests" button in the upper right and click the "Submit" button in the dialog
    that appears. The simulated server will then be waiting for an interaction.
-5. Navigate to `localhost:3000`. Enter the Carin Client Suite FHIR endpoint URL, and then type the Carin patient id, `888`,
-   into the client secret and client id fields. Hit the "Connect" button.
-6. On the next page, hit the "Display" button to make a request to the Carin Client Suite .
+5. Navigate to `localhost:3000`. Enter the Carin Client Suite FHIR endpoint URL, and then type `SAMPLE_CLIENT_ID`
+   into the client ID field and `SAMPLE_CLIENT_SECRET` into the client secret field. Hit the "Connect" button.
+6. This will connect the client with the test suite via SMART and the client will automatically make a request to the test suite.
 7. In the Inferno Client Suite, click the "Click here" link in the wait dialog to signal the client has finished submitting requests.
 8. Navigate to each Carin for Blue Button Profile test group in the left navigation sidebar, and for each test group hit the run
    icon next all the tests listed except for the last required search parameters test

diff --git a/config/presets/carin_cpcds_client_ri.json b/config/presets/carin_cpcds_client_ri.json
@@ -4,9 +4,9 @@
   "test_suite_id": "c4bb_v200_client",
   "inputs": [
     {
-      "name": "access_token",
+      "name": "client_id",
       "type": "text",
-      "value": "SAMPLE_TOKEN"
+      "value": "SAMPLE_CLIENT_ID"
     }
   ]
 }
diff --git a/lib/carin_for_blue_button_test_kit/client/v2.0.0/c4bb_client_test_suite.rb b/lib/carin_for_blue_button_test_kit/client/v2.0.0/c4bb_client_test_suite.rb
@@ -1,6 +1,7 @@
 require 'inferno/dsl/oauth_credentials'
 require_relative 'endpoints/resource_api_endpoint'
 require_relative 'endpoints/token_endpoint'
+require_relative 'endpoints/authorize_endpoint'
 require_relative 'endpoints/next_page_endpoint'
 require_relative 'endpoints/resource_id_endpoint'
 
@@ -77,7 +78,9 @@ def self.test_resumes?(test)
       end
     end
 
-    suite_endpoint :post, TOKEN_PATH, TokenEndpoint
+    suite_endpoint :post, TOKEN_PATH, MockAuthorization::TokenEndpoint
+    suite_endpoint :get, AUTH_PATH, MockAuthorization::AuthorizeEndpoint
+    suite_endpoint :post, AUTH_PATH, MockAuthorization::AuthorizeEndpoint
 
     suite_endpoint :get, PATIENT_PATH, ResourceAPIEndpoint
 
@@ -100,6 +103,7 @@ def self.test_resumes?(test)
     end
 
     route(:get, METADATA_PATH, get_metadata)
+    route(:get, SMART_CONFIG_PATH, carin_smart_config)
 
     group do
       run_as_group

diff --git a/...tton_test_kit/client/v2.0.0/claim_data_request_tests/coverage_claims_data_request_test.rb b/...tton_test_kit/client/v2.0.0/claim_data_request_tests/coverage_claims_data_request_test.rb
@@ -12,7 +12,6 @@ class C4BBClientCoverageSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is a Coverage resource
       that conforms to the CARIN for Blue Button [Coverage profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-Coverage.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:Coverage)

diff --git a/...test_kit/client/v2.0.0/claim_data_request_tests/eob_inpatient_claims_data_request_test.rb b/...test_kit/client/v2.0.0/claim_data_request_tests/eob_inpatient_claims_data_request_test.rb
@@ -12,7 +12,6 @@ class C4BBClientEOBInpatientSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is an ExplanationOfBenefit resource
       that conforms to the CARIN for Blue Button [Outpatient Institutional ExplanationOfBenefit profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-ExplanationOfBenefit-Outpatient-Institutional.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:ExplanationOfBenefit_Inpatient_Institutional)

diff --git a/...tton_test_kit/client/v2.0.0/claim_data_request_tests/eob_oral_claims_data_request_test.rb b/...tton_test_kit/client/v2.0.0/claim_data_request_tests/eob_oral_claims_data_request_test.rb
@@ -12,7 +12,6 @@ class C4BBClientEOBOralSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is an ExplanationOfBenefit resource
       that conforms to the CARIN for Blue Button [Oral ExplanationOfBenefit profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-ExplanationOfBenefit-Oral.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:ExplanationOfBenefit_Oral)

diff --git a/...est_kit/client/v2.0.0/claim_data_request_tests/eob_outpatient_claims_data_request_test.rb b/...est_kit/client/v2.0.0/claim_data_request_tests/eob_outpatient_claims_data_request_test.rb
@@ -12,7 +12,6 @@ class C4BBClientEOBOutpatientSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is an ExplanationOfBenefit resource
       that conforms to the CARIN for Blue Button [Outpatient Institutional ExplanationOfBenefit profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-ExplanationOfBenefit-Outpatient-Institutional.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:ExplanationOfBenefit_Outpatient_Institutional)

diff --git a/..._test_kit/client/v2.0.0/claim_data_request_tests/eob_pharmacy_claims_data_request_test.rb b/..._test_kit/client/v2.0.0/claim_data_request_tests/eob_pharmacy_claims_data_request_test.rb
@@ -12,7 +12,6 @@ class C4BBClientEOBPharmacySubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is an ExplanationOfBenefit resource
       that conforms to the CARIN for Blue Button [Pharmacy ExplanationOfBenefit profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-ExplanationOfBenefit-Pharmacy.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:ExplanationOfBenefit_Pharmacy)

diff --git a/...t_kit/client/v2.0.0/claim_data_request_tests/eob_professional_claims_data_request_test.rb b/...t_kit/client/v2.0.0/claim_data_request_tests/eob_professional_claims_data_request_test.rb
@@ -12,7 +12,6 @@ class C4BBClientEOBProfessionalSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is an ExplanationOfBenefit resource
       that conforms to the CARIN for Blue Button [Professional NonClinician ExplanationOfBenefit profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-ExplanationOfBenefit-Professional-NonClinician.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:ExplanationOfBenefit_Professional_NonClinician)

diff --git a/..._test_kit/client/v2.0.0/claim_data_request_tests/organization_claims_data_request_test.rb b/..._test_kit/client/v2.0.0/claim_data_request_tests/organization_claims_data_request_test.rb
@@ -12,7 +12,6 @@ class C4BBClientOrganizationSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is an Organization resource
       that conforms to the CARIN for Blue Button [Organization profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-Organization.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:Organization)

diff --git a/...utton_test_kit/client/v2.0.0/claim_data_request_tests/patient_claims_data_request_test.rb b/...utton_test_kit/client/v2.0.0/claim_data_request_tests/patient_claims_data_request_test.rb
@@ -12,7 +12,6 @@ class C4BBClientPatientSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is a Patient resource
       that conforms to the CARIN for Blue Button [Patient profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-Patient.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:Patient)

diff --git a/..._test_kit/client/v2.0.0/claim_data_request_tests/practitioner_claims_data_request_test.rb b/..._test_kit/client/v2.0.0/claim_data_request_tests/practitioner_claims_data_request_test.rb
@@ -12,7 +12,6 @@ class C4BBClientPractitionerSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is a Practitioner resource
       that conforms to the CARIN for Blue Button [Practitioner profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-Practitioner.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:Practitioner)

diff --git a/...test_kit/client/v2.0.0/claim_data_request_tests/relatedperson_claims_data_request_test.rb b/...test_kit/client/v2.0.0/claim_data_request_tests/relatedperson_claims_data_request_test.rb
@@ -12,7 +12,6 @@ class C4BBClientRelatedPersonSubmitClaimsDataRequestTest < Inferno::Test
       This test verifies that an instance returned by requests made by the client is a RelatedPerson resource
       that conforms to the CARIN for Blue Button [RelatedPerson profile](https://hl7.org/fhir/us/carin-bb/STU2/StructureDefinition-C4BB-RelatedPerson.html).
     )
-    input :access_token
 
     run do
       resources = previous_resource_requests(:RelatedPerson)

diff --git a/lib/carin_for_blue_button_test_kit/client/v2.0.0/endpoints/authorize_endpoint.rb b/lib/carin_for_blue_button_test_kit/client/v2.0.0/endpoints/authorize_endpoint.rb
@@ -0,0 +1,32 @@
+module CarinForBlueButtonTestKit
+  module MockAuthorization
+    class AuthorizeEndpoint < Inferno::DSL::SuiteEndpoint
+      def test_run_identifier
+        request.params[:client_id]
+      end
+
+      def tags
+        [AUTHORIZE_TAG]
+      end
+
+      def make_response
+        if request.params[:redirect_uri].present?
+          redirect_uri = "#{request.params[:redirect_uri]}?" \
+                         "code=#{SecureRandom.hex}&" \
+                         "state=#{request.params[:state]}"
+          response.status = 302
+          response.headers['Location'] = redirect_uri
+        else
+          response.status = 400
+          response.format = 'application/fhir+json'
+          response.body = FHIR::OperationOutcome.new(
+            issue: FHIR::OperationOutcome::Issue.new(severity: 'fatal', code: 'required',
+                                                     details: FHIR::CodeableConcept.new(
+                                                       text: 'No redirect_uri provided'
+                                                     ))
+          ).to_json
+        end
+      end
+    end
+  end
+end
diff --git a/lib/carin_for_blue_button_test_kit/client/v2.0.0/endpoints/token_endpoint.rb b/lib/carin_for_blue_button_test_kit/client/v2.0.0/endpoints/token_endpoint.rb
@@ -1,24 +1,114 @@
 require_relative '../tags'
+require_relative '../urls'
 require_relative '../mock_server'
 
 module CarinForBlueButtonTestKit
-  class TokenEndpoint < Inferno::DSL::SuiteEndpoint
-    include CarinForBlueButtonTestKit::MockServer
+  module MockAuthorization
+    AUTHORIZED_PRACTITIONER_ID = 'c4bb-Practitioner'.freeze # Must exist on the FHIR_REFERENCE_SERVER (env var)
 
-    def test_run_identifier
-      extract_client_id(request)
-    end
+    class TokenEndpoint < Inferno::DSL::SuiteEndpoint
+      include CarinForBlueButtonTestKit::MockServer
 
-    def make_response
-      token_response(request)
-    end
+      def test_run_identifier
+        extract_client_id
+      end
 
-    def tags
-      [AUTH_TAG]
-    end
+      def tags
+        [TOKEN_TAG]
+      end
+
+      def make_response
+        client_id = extract_client_id
+        access_token = client_id
+        granted_scopes = SUPPORTED_SCOPES & requested_scopes
+
+        response_hash = { access_token:, scope: granted_scopes.join(' '), token_type: 'bearer',
+                          expires_in: 3600 }
+
+        if granted_scopes.include?('openid')
+          response_hash.merge!(id_token: create_id_token(client_id,
+                                                         fhir_user: granted_scopes.include?('fhirUser')))
+        end
+
+        response_hash.merge!(patient: '888')
+
+        response.body = response_hash.to_json
+        response.headers['Cache-Control'] = 'no-store'
+        response.headers['Pragma'] = 'no-cache'
+        response.headers['Access-Control-Allow-Origin'] = '*'
+        response.status = 200
+      end
+
+      private
+
+      def extract_client_id
+        # Public client            || confidential client asymmetric          || confidential client symmetric
+        request.params[:client_id] || extract_client_id_from_client_assertion || extract_client_id_from_basic_auth
+      end
+
+      def extract_client_id_from_client_assertion
+        encoded_jwt = request.params[:client_assertion]
+        return unless encoded_jwt.present?
+
+        jwt_payload =
+          begin
+            JWT.decode(encoded_jwt, nil, false)&.first # skip signature verification
+          rescue StandardError
+            nil
+          end
+
+        jwt_payload['iss'] || jwt_payload['sub'] if jwt_payload.present?
+      end
+
+      def input_group_prefix
+        if test.id.include?('static')
+          'static'
+        elsif test.id.include?('adaptive')
+          'adaptive'
+        else
+          'resp'
+        end
+      end
+
+      def find_test_input(input_name)
+        JSON.parse(result.input_json)&.find { |input| input['name'] == input_name }&.dig('value')
+      end
+
+      def extract_client_id_from_basic_auth
+        encoded_credentials = request.headers['authorization']&.delete_prefix('Basic ')
+        return unless encoded_credentials.present?
+
+        decoded_credentials = Base64.decode64(encoded_credentials)
+        decoded_credentials&.split(':')&.first
+      end
+
+      def requested_scopes
+        auth_request = requests_repo.tagged_requests(result.test_session_id, [AUTHORIZE_TAG]).last
+        return [] unless auth_request
+
+        auth_params = if auth_request.verb.downcase == 'get'
+                        auth_request.query_parameters
+                      else
+                        URI.decode_www_form(auth_request.request_body)&.to_h
+                      end
+        scope_str = auth_params&.dig('scope')
+        scope_str ? URI.decode_www_form_component(scope_str).split : []
+      end
+
+      def create_id_token(client_id, fhir_user: false)
+        # No point in mocking an identity provider, just always use known Practitioner as the authorized user
+        suite_fhir_base_url = request.url.split(TOKEN_PATH).first + BASE_FHIR_PATH
+        id_token_hash = {
+          iss: suite_fhir_base_url,
+          sub: AUTHORIZED_PRACTITIONER_ID,
+          aud: client_id,
+          exp: Time.now.to_i + (24 * 60 * 60), # 24 hrs
+          iat: Time.now.to_i
+        }
+        id_token_hash.merge!(fhirUser: "#{suite_fhir_base_url}/Practitioner/#{AUTHORIZED_PRACTITIONER_ID}") if fhir_user
 
-    def update_result
-      results_repo.update(result.id, result: 'pass') unless test.config.options[:accepts_multiple_requests]
+        JWT.encode(id_token_hash, RSA_PRIVATE_KEY, 'RS256')
+      end
     end
   end
 end
diff --git a/lib/carin_for_blue_button_test_kit/client/v2.0.0/initial_wait_test.rb b/lib/carin_for_blue_button_test_kit/client/v2.0.0/initial_wait_test.rb
@@ -8,14 +8,20 @@ class C4BBClientInitialWaitTest < Inferno::Test
     description %(
       This test will receive claims data requests and search requests until the user confirms they are done.
     )
-    input :access_token
+    input :client_id,
+          title: 'Client ID',
+          description: %(
+            Enter the client ID you will use to connect to this CARIN server via SMART. This client ID will be sent
+            back as the access token to send requests to this server.
+          )
+
     config options: { accepts_multiple_requests: true }
 
     run do
       wait(
-        identifier: access_token,
+        identifier: client_id,
         message: %(
-          Access Token: #{access_token} \n
+          Access Token: #{client_id} \n
           Submit CARIN requests via the following method:
           * Single Resource API: `#{submit_url}?:search_params`, with `:endpoint` replaced with the endpoint you want
           to reach and `:search_params` replaced with the search parameters for the request.
@@ -67,7 +73,7 @@ class C4BBClientInitialWaitTest < Inferno::Test
                 * ExplanationOfBenefit:payee
                 * ExplanationOfBenefit:*
 
-          [Click here](#{resume_claims_data_url}?token=#{access_token}) when done.
+          [Click here](#{resume_claims_data_url}?token=#{client_id}) when done.
         ),
         timeout: 900
       )

diff --git a/...0/metadata/mock_capability_statement.json → ...tadata/mock_capability_statement.json.erb b/...0/metadata/mock_capability_statement.json → ...tadata/mock_capability_statement.json.erb
@@ -23,6 +23,34 @@
     {
       "mode": "server",
       "documentation": "The C4BB  Server **SHALL**:\n\n1. Support all profiles defined in this Implementation Guide..\n2.  Implement the RESTful behavior according to the FHIR specification.\n3. Return the following response classes:\n   - (Status 400): invalid parameter\n   - (Status 401/4xx): unauthorized request\n   - (Status 403): insufficient scope\n   - (Status 404): unknown resource\n   - (Status 410): deleted resource.\n4. Support json source formats for all CARIN-BB interactions.\n5. Identify the CARIN-BB  profiles supported as part of the FHIR `meta.profile` attribute for each instance.\n6. Support the searchParameters on each profile  individually and in combination.\n\nThe C4BB  Server **SHOULD**:\n\n1. Support xml source formats for all C4BB interactions.\n",
+      "security": {
+        "extension": [
+            {
+                "url": "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris",
+                "extension": [
+                    {
+                        "url": "token",
+                        "valueUri": "<%= Inferno::Application['base_url']  %>/custom/c4bb_v200_client/mock_auth/token"
+                    },
+                    {
+                        "url": "authorize",
+                        "valueUri": "<%= Inferno::Application['base_url']  %>/custom/c4bb_v200_client/mock_auth/authorization"
+                    }
+                ]
+            }
+        ],
+        "service": [
+            {
+                "coding": [
+                    {
+                        "system": "http://terminology.hl7.org/CodeSystem/restful-security-service",
+                        "code": "SMART-on-FHIR"
+                    }
+                ],
+                "text": "OAuth2 using SMART-on-FHIR profile (see http://docs.smarthealthit.org)"
+            }
+        ]
+      },
       "resource": [
         {
           "extension": [