
Name: /FHIRSandbox/DaVinci/FHIR4-0-1-DTR/EHR-Launch/99-DTR-SMART-EHR-Revoke-Token
Description: DaVinci DTR - SMART on FHIR EHR Launch - Revoke Token (Simple) Tests - Verifies that access granted to an application is revoked once the security token has been revoked.
<?xml version="1.0" encoding="UTF-8"?>

<!--
  FHIR R4 TestScript: "Revoke Token (Simple)" for the DaVinci DTR SMART-on-FHIR EHR launch.
  Two tests, both negative cases:
    01 - a Patient read sent with a revoked bearer token must be answered 401.
    02 - a refresh-token exchange using a revoked refresh token must fail (400, 401 or 403).
  Every variable that carries a token below is a credential even though it is expected to be
  revoked; keep filled-in copies of this script out of version control and shared logs.
-->
<TestScript xmlns="http://hl7.org/fhir">  
    <id value="dtr-revoke-token-simple"/>  
    <meta> 
        <!-- Touchstone-specific profile on the base TestScript resource. -->
        <profile value="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript"/> 
    </meta>  
    <text> 
        <status value="generated"/>  
        <div xmlns="http://www.w3.org/1999/xhtml">  
            <p>DaVinci DTR - SMART on FHIR EHR Launch - Revoke Token (Simple)</p> 
        </div> 
    </text>  
    <url value="http://wildfhir.aegis.net/fhir4-0-1/TestScript/security-fhir-r4-revoke-token-simple"/>  
    <name value="DaVinciDTREHRRevokeTokenSimple"/>  
    <title value="DaVinci DTR - SMART on FHIR EHR - Revoke Token (Simple)"/>  
    <status value="active"/>  
    <date value="2020-12-28"/>  
    <publisher value="AEGIS.net, Inc."/>  
    <contact> 
        <name value="Touchstone Support"/>  
        <telecom> 
            <system value="email"/>  
            <value value="Touchstone_Support@aegis.net"/>  
            <use value="work"/> 
        </telecom> 
    </contact>  
    <description value="DaVinci DTR - SMART on FHIR EHR Launch - Revoke Token (Simple) Tests - Verifies revocation of access granted to an application when the security token is revoked."/>  
    <copyright value="This FHIR Test Script is licensed under Creative Commons (CC0) 'No Rights Reserved'. Learn more at https://creativecommons.org/licenses"/>  
    <!--
      Request body for the refresh-token exchange in test 02. The referenced .frm file lives
      outside this script, so its exact contents (presumably a form-encoded grant_type=refresh_token
      request that interpolates ${oauth2RefreshToken}) cannot be confirmed from here.
      autocreate/autodelete are false: nothing is written to or removed from the server for it.
    -->
    <fixture id="refresh-token-with-revoked-refresh-token"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="/FHIR4-0-1-SMART-PRV-EHR/_reference/oauth2-refresh-token-with-revoked-refresh-token.frm"/> 
        </resource> 
    </fixture>  
    <!-- Patient id the revoked token was originally authorized for; used in the test 01 read. -->
    <variable> 
        <name value="authorizedPatientId"/>  
        <hint value="[Enter authorized Patient id here]"/> 
    </variable>  
    <!--
      Access token that has already been revoked out-of-band before this script runs.
      The script does not perform the revocation itself; if a still-valid token is pasted in,
      test 01 fails with a 200 rather than proving anything about revocation.
    -->
    <variable> 
        <name value="oauth2AuthToken"/>  
        <hint value="[Copy revoked auth token here]"/> 
    </variable>  
    <!-- Revoked refresh token paired with the access token above; consumed via the fixture in test 02. -->
    <variable> 
        <name value="oauth2RefreshToken"/>  
        <hint value="[Copy revoked refresh token here]"/> 
    </variable>  
    <!--
      Token endpoint read from the "dest1SmartConfig" source (presumably the destination server's
      SMART discovery document - confirm in the Touchstone test-system setup). Using the discovered
      endpoint rather than a hard-coded URL keeps the refresh attempt pointed at the same
      authorization server that issued the tokens.
    -->
    <variable> 
        <name value="tokenEndpoint"/>  
        <path value=".token_endpoint"/>  
        <sourceId value="dest1SmartConfig"/> 
    </variable>  
    <!--
      Test 01: a resource read carrying the revoked bearer token must be rejected.
      Only the HTTP status is asserted. A stricter revocation check could additionally assert
      that the 401 carries a WWW-Authenticate header (RFC 6750 section 3) and that no Patient
      resource is present in the body, but that is outside what this script verifies.
    -->
    <test id="01-AccessUnauthorized"> 
        <name value="01 - Patient resource Access Unauthorized"/>  
        <description value="Verify access to Patient resource returns unauthorized after token revocation."/>  
        <action> 
            <operation> 
                <type> 
                    <system value="http://hl7.org/fhir/testscript-operation-codes"/>  
                    <code value="read"/> 
                </type>  
                <resource value="Patient"/>  
                <description value="Patient read where expected response is unauthorized."/>  
                <accept value="json"/>  
                <encodeRequestUrl value="true"/>  
                <params value="/${authorizedPatientId}"/>  
                <!-- The revoked access token is presented as a standard bearer credential. -->
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Bearer ${oauth2AuthToken}"/> 
                </requestHeader> 
            </operation> 
        </action>  
        <action> 
            <!-- warningOnly=false: anything other than 401 is a hard failure of this test. -->
            <assert> 
                <description value="Confirm that the returned HTTP status is 401(Unauthorized)."/>  
                <direction value="response"/>  
                <responseCode value="401"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test>  
    <!--
      Test 02: exchanging the revoked refresh token for a new access token must fail.
      The operation code is Touchstone-specific (not a base FHIR operation code), so the exact
      request it issues is defined by the Touchstone engine plus the fixture body, not by this file.
    -->
    <test id="02-TokenRefreshFails"> 
        <name value="02 - Token Refresh Fails"/>  
        <description value="Verify use of revoked refresh token to get new access token fails."/>  
        <action> 
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="oauth2-refresh-token"/> 
                </type>  
                <description value="Refresh token exchange fails when supplied revoked Refresh Token"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <!--
                  Confidential-client authentication to the token endpoint.
                  NOTE(review): HTTP Basic (RFC 7617) expects base64(client_id:client_secret), with
                  both values form-urlencoded first per RFC 6749 section 2.3.1. As written the header
                  interpolates the raw id and secret; if the Touchstone engine does not encode this
                  automatically, the server will reject the request with 401 invalid_client before it
                  ever looks at the refresh token, and the assert below would pass for the wrong
                  reason. Confirm the engine's handling, or pre-encode the credential. The
                  dest1SystemConfig values are supplied by the test-system setup, not by this file.
                -->
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="Basic ${dest1SystemConfig.clientId}:${dest1SystemConfig.clientSecret}"/> 
                </requestHeader>  
                <sourceId value="refresh-token-with-revoked-refresh-token"/>  
                <url value="${tokenEndpoint}"/> 
            </operation> 
        </action>  
        <action> 
            <!--
              Accepts any of 400, 401, 403. Per RFC 6749 section 5.2 a revoked/invalid refresh
              token is reported as 400 invalid_grant and a bad client credential as 401
              invalid_client, so the lenient set cannot distinguish "token revoked" from
              "client authentication failed" (see the Authorization header note above).
              No <direction/> is given here, unlike test 01; the response side is presumably
              the default - confirm against the TestScript spec / Touchstone behaviour.
            -->
            <assert> 
                <description value="Refresh token exchange fails when supplied revoked Refresh Token.  Response values of 400, 401, or 403 are valid."/>  
                <operator value="in"/>  
                <responseCode value="400,401,403"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test> 
</TestScript>