<?xml version="1.0" encoding="UTF-8"?>

<!--
  Touchstone/AEGIS FHIR R4 TestScript for DaVinci PAS backend (system-to-system) authorization.
  It drives the destination's OAuth2 token endpoint with a set of request-body fixtures
  (oauth2-get-token*.frm): one valid request plus four deliberately broken variants (bad
  scope, bad grant_type, bad client_assertion_type, bad client assertion) and a wrong
  Content-Type case, and checks that only the valid request yields a token (tests 01 to 08).
  The non-trivial logic (TLS verification, JWT client-assertion signing, access-token
  verification) is delegated to three engine-side Groovy rules whose source is not in this file.
-->
<TestScript xmlns="http://hl7.org/fhir">  
    <!-- NOTE(review): id is "BackEndAuthorization" while name/title are "BackendAuthorization"; harmless, but inconsistent casing. -->
    <id value="BackEndAuthorization"/>  
    <meta> 
        <profile value="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript"/> 
    </meta>  
    <text> 
        <status value="generated"/>  
        <div xmlns="http://www.w3.org/1999/xhtml">  
            <p>BackEndAuthorization</p> 
        </div> 
    </text>  
    <!--
      Rule declarations: each ruleId is bound to a Groovy script resolved by path on the
      Touchstone engine. The scripts are executed by the engine, not the system under test.
        rule-verifyTLS         : checks the token endpoint is secured by TLS (used by test 01).
        rule-getSignedJwt      : produces the signed JWT client assertion for destination 1
                                 into the variable signed-JWT-dest1 (tests 02 to 05 and 07);
                                 the signing key and claim set live in the rule / system config.
        rule-verifyAccessToken : inspects the token response captured in test 07 (test 08).
    -->
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-verifyTLS"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/VerifyTLS.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-getSignedJwt"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/GetSignedJwt.groovy"/> 
        </extension> 
    </extension>  
    <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-rule"> 
        <extension url="ruleId"> 
            <valueId value="rule-verifyAccessToken"/> 
        </extension>  
        <extension url="path"> 
            <valueString value="/FHIRCommon/_reference/rule/VerifyAccessToken.groovy"/> 
        </extension> 
    </extension>  
    <!--
      NOTE(review): the canonical url names an ATR scenario
      (atr-r4-scenario-02-request-member-attr-list-vi-get-02-json) and does not match the
      id/name "BackendAuthorization" of this script. This looks like a copy-paste leftover
      from another TestScript; two TestScripts sharing one canonical url collide when they
      are resolved by url. Confirm and assign a url specific to this script.
    -->
    <url value="http://wildfhir.aegis.net/fhir4-0-1/TestScript/atr-r4-scenario-02-request-member-attr-list-vi-get-02-json"/>  
    <name value="BackendAuthorization"/>  
    <title value="BackendAuthorization"/>  
    <status value="active"/>  
    <date value="2020-05-06"/>  
    <publisher value="AEGIS.net, Inc."/>  
    <contact> 
        <name value="Touchstone Support"/>  
        <telecom> 
            <system value="email"/>  
            <value value="Touchstone_Support@aegis.net"/>  
            <use value="work"/> 
        </telecom> 
    </contact>  
    <description value="Backend Authorization"/>  
    <copyright value="This FHIR Test Script is licensed under Creative Commons (CC0) 'No Rights Reserved'. Learn more at https://creativecommons.org/licenses"/>  
    <!--
      Single destination (index 1). The ${dest1SystemConfig.*} variables used below
      (tokenEndpoint, fullName) are supplied by the engine's configuration for this destination;
      nothing in this file hard-codes a token endpoint.
    -->
    <destination id="Server"> 
        <index value="1"/>  
        <profile> 
            <system value="http://terminology.hl7.org/CodeSystem/testscript-profile-destination-types"/>  
            <code value="FHIR-Server"/> 
        </profile> 
    </destination>  
    <!--
      Request-body fixtures (.frm files under the script's _reference folder). autocreate and
      autodelete are false on all of them: these are token-request payloads, not FHIR resources
      to be created on the server. The valid get-token body presumably interpolates the
      signed-JWT-dest1 output of rule-getSignedJwt (the fixture contents are not visible here).
      The four "invalid" fixtures each break exactly one parameter of the token request so that
      tests 03 to 06 isolate one validation each.
    -->
    <fixture id="get-token"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="_reference/oauth2-get-token.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="get-token-invalid-scope"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="_reference/oauth2-get-token-invalid-scope.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="get-token-invalid-grant-type"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="_reference/oauth2-get-token-invalid-grant-type.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="get-token-invalid-client-assertion-type"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="_reference/oauth2-get-token-invalid-client-assertion-type.frm"/> 
        </resource> 
    </fixture>  
    <fixture id="get-token-invalid-client-assertion"> 
        <autocreate value="false"/>  
        <autodelete value="false"/>  
        <resource> 
            <reference value="_reference/oauth2-get-token-invalid-client-assertion.frm"/> 
        </resource> 
    </fixture>  
    <test id="01-Auth-Endpoint-Secured-by-TLS"> 
        <name value="01-Auth-Endpoint-Secured-by-TLS"/>  
        <description value="01: Authorization service token endpoint secured by transport layer security"/>  
        <action> 
            <assert> 
                <!--
                  Delegates entirely to VerifyTLS.groovy, parameterised with the configured token
                  endpoint URL. This test issues no token request of its own (there is no
                  <operation> here); what "secured by TLS" means (scheme only, certificate
                  validation, minimum protocol version) is decided inside the rule.
                -->
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-verifyTLS"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="endpointName"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="OAuth2 Token Endpoint"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="endpointURL"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${dest1SystemConfig.tokenEndpoint}"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <!--
                  NOTE(review): stopTestOnFail=false, and this is the only assert in the test, so a
                  failed TLS check does not stop tests 02 to 07 from running; they will still post
                  the signed client assertion to, and accept a bearer token from, the same endpoint
                  regardless of transport. If the engine offers a way to abort the whole script on
                  this failure it belongs here; at minimum a failure here should be read as
                  invalidating the later results.
                -->
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="01: Authorization service token endpoint secured by transport layer security."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test>  
    <test id="02-Auth-Fails-Inv-content-type"> 
        <name value="02-Auth-Fails-Inv-content-type"/>  
        <description value="02: Authorization request fails when client supplies invalid content_type"/>  
        <action> 
            <assert> 
                <!--
                  Step 1: have the engine mint a fresh signed JWT client assertion for destination 1
                  into the variable signed-JWT-dest1 (presumably referenced from the get-token
                  fixture body). Done per test so each token request carries its own assertion.
                -->
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-getSignedJwt"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="testSystemName"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${dest1SystemConfig.fullName}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="dest"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="1"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="signed-JWT-dest1"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <description value="Get Signed-JWT for the target test system."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!--
              Step 2 (negative case): the otherwise valid get-token body is posted with
              Content-Type application/json instead of application/x-www-form-urlencoded, the
              form encoding every other token request in this script uses. The "content_type" in
              the test description refers to this HTTP Content-Type header. The Authorization
              header value "none" is presumably the engine's convention for sending no
              Authorization header at all: the client authenticates through the client_assertion
              in the body, so no bearer token is expected on the token request itself.
            -->
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="post"/> 
                </type>  
                <description value="Request token with correct payload but wrong Content-Type header"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="none"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Content-Type"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <sourceId value="get-token"/>  
                <url value="${dest1SystemConfig.tokenEndpoint}"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="02: Authorization request fails when client supplies invalid content_type"/>  
                <!--
                  Any of 400/401/403/415 counts as a rejection; 415 Unsupported Media Type is the
                  most specific answer for an unsupported Content-Type. A 2xx here means the server
                  issued a token for a request it should not have parsed.
                -->
                <operator value="in"/>  
                <responseCode value="400,401,403,415"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test>  
    <test id="03-Auth-Fails-Inv-Scope"> 
        <name value="03-Auth-Fails-Inv-Scope"/>  
        <description value="03: Authorization request fails when client supplies invalid scope"/>  
        <action> 
            <assert> 
                <!-- Step 1: mint a fresh signed JWT client assertion for destination 1 into signed-JWT-dest1. -->
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-getSignedJwt"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="testSystemName"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${dest1SystemConfig.fullName}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="dest"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="1"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="signed-JWT-dest1"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <description value="Get Signed-JWT for the target test system."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!--
              Step 2 (negative case): headers are correct (form-encoded body, JSON accepted); only
              the scope parameter in the get-token-invalid-scope fixture is wrong. A valid client
              assertion with an unacceptable scope must not yield a token (RFC 6749 section 5.2
              names this error invalid_scope, HTTP 400).
            -->
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="post"/> 
                </type>  
                <description value="Submit request with correct headers but incorrect scope in body"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="none"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Content-Type"/>  
                    <value value="application/x-www-form-urlencoded"/> 
                </requestHeader>  
                <sourceId value="get-token-invalid-scope"/>  
                <url value="${dest1SystemConfig.tokenEndpoint}"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="03: Authorization request fails when client supplies invalid scope"/>  
                <!-- The accepted set is broader than the RFC's 400 so that servers answering 401/403 (or 415) still pass; any 2xx is a failure. -->
                <operator value="in"/>  
                <responseCode value="400,401,403,415"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test>  
    <test id="04-Auth-Fails-Inv-grant-type"> 
        <name value="04-Auth-Fails-Inv-grant-type"/>  
        <description value="04: Authorization request fails when client supplies invalid grant_type"/>  
        <action> 
            <assert> 
                <!-- Step 1: mint a fresh signed JWT client assertion for destination 1 into signed-JWT-dest1. -->
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-getSignedJwt"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="testSystemName"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${dest1SystemConfig.fullName}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="dest"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="1"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="signed-JWT-dest1"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <description value="Get Signed-JWT for the target test system."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!--
              Step 2 (negative case): headers are correct; only grant_type in the
              get-token-invalid-grant-type fixture is wrong (the fixture contents are not visible
              here). RFC 6749 section 5.2 names this error unsupported_grant_type, HTTP 400. The
              server must not fall back to another grant just because the client assertion is valid.
            -->
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="post"/> 
                </type>  
                <description value="Submit request with correct headers but invalid grant type in body"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="none"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Content-Type"/>  
                    <value value="application/x-www-form-urlencoded"/> 
                </requestHeader>  
                <sourceId value="get-token-invalid-grant-type"/>  
                <url value="${dest1SystemConfig.tokenEndpoint}"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="04: Authorization request fails when client supplies invalid grant_type"/>  
                <!-- Same rejection set as the other negative tests; any 2xx is a failure. -->
                <operator value="in"/>  
                <responseCode value="400,401,403,415"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test>  
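    <test id="05-Auth-Fails-Inv-client-assrt-type"> 
        <name value="05-Auth-Fails-Inv-client-assrt-type"/>  
        <description value="05: Authorization request fails when supplied invalid client_assertion_type"/>  
        <action> 
            <assert> 
                <!-- Step 1: mint a fresh signed JWT client assertion for destination 1 into signed-JWT-dest1. -->
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-getSignedJwt"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="testSystemName"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${dest1SystemConfig.fullName}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="dest"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="1"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="signed-JWT-dest1"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <description value="Get Signed-JWT for the target test system."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!--
              Step 2 (negative case): headers are correct; the get-token-invalid-client-assertion-type
              fixture carries a client_assertion_type other than the value RFC 7523 section 2.2
              requires (urn:ietf:params:oauth:client-assertion-type:jwt-bearer). A server that still
              validates the assertion and issues a token is ignoring the parameter it is supposed to
              key its client-authentication method on.
              The operation description previously read "correct headers and body", which
              contradicted the test; it now states what is actually sent.
            -->
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="post"/> 
                </type>  
                <description value="Submit request with correct headers but invalid client_assertion_type in body"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="none"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Content-Type"/>  
                    <value value="application/x-www-form-urlencoded"/> 
                </requestHeader>  
                <sourceId value="get-token-invalid-client-assertion-type"/>  
                <url value="${dest1SystemConfig.tokenEndpoint}"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="05: Authorization request fails when supplied invalid client_assertion_type"/>  
                <!-- RFC 6749 section 5.2 maps a client-authentication failure to invalid_client (400 or 401); the broader set here also accepts 403/415. Any 2xx is a failure. -->
                <operator value="in"/>  
                <responseCode value="400,401,403,415"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test>  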
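    <test id="06-Auth-Fails-Inv-JWT-token"> 
        <name value="06-Auth-Fails-Inv-JWT-token"/>  
        <description value="06: Authorization request fails when client supplies invalid JWT token"/>  
        <!--
          NOTE(review): unlike tests 02 to 05 and 07, this test does not run rule-getSignedJwt
          first. That is fine if the get-token-invalid-client-assertion fixture carries a
          self-contained bad assertion; if it instead references ${signed-JWT-dest1}, the value
          would be whatever an earlier test left behind, coupling this test to execution order.
          Confirm against the fixture. Either way the assertion under test should fail for a
          cryptographic or claims reason (bad signature, wrong iss/sub/aud, expired, reused jti),
          not merely be malformed, or the test only proves the server can reject garbage.
        -->
        <action> 
            <!--
              Negative case: headers are correct; the body's client_assertion is the invalid one
              from the fixture. The operation description previously read "correct headers and
              body", which contradicted the test; it now states what is actually sent.
            -->
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="post"/> 
                </type>  
                <description value="Submit request with correct headers but invalid client_assertion (JWT) in body"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="none"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Content-Type"/>  
                    <value value="application/x-www-form-urlencoded"/> 
                </requestHeader>  
                <sourceId value="get-token-invalid-client-assertion"/>  
                <url value="${dest1SystemConfig.tokenEndpoint}"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="06: Authorization request fails when client supplies invalid JWT token"/>  
                <!-- RFC 6749 section 5.2: invalid_client, 400 or 401; 403/415 are also tolerated here. Any 2xx means a token was issued to an unauthenticated client. -->
                <operator value="in"/>  
                <responseCode value="400,401,403,415"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test>  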
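    <test id="07-Auth-Succeeds"> 
        <name value="07-Auth-Succeeds"/>  
        <description value="07: Authorization request succeeds when supplied correct information"/>  
        <action> 
            <assert> 
                <!-- Step 1: mint a fresh signed JWT client assertion for destination 1 into signed-JWT-dest1. -->
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-getSignedJwt"/> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="testSystemName"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="${dest1SystemConfig.fullName}"/> 
                        </extension> 
                    </extension>  
                    <extension url="param"> 
                        <extension url="name"> 
                            <valueString value="dest"/> 
                        </extension>  
                        <extension url="value"> 
                            <valueString value="1"/> 
                        </extension> 
                    </extension>  
                    <extension url="output"> 
                        <extension url="name"> 
                            <valueString value="signed-JWT-dest1"/> 
                        </extension> 
                    </extension> 
                </extension>  
                <description value="Get Signed-JWT for the target test system."/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <!--
              Positive case: the valid get-token body with the correct form encoding. The response
              is captured as oauth2GetTokenResponse1 so that test 08 can inspect the token payload
              without requesting a second token.
            -->
            <operation> 
                <type> 
                    <system value="http://touchstone.aegis.net/touchstone/fhir/testing/CodeSystem/codesystem-testscript-operation-codes"/>  
                    <code value="post"/> 
                </type>  
                <description value="Submit request with correct headers and body"/>  
                <encodeRequestUrl value="true"/>  
                <requestHeader> 
                    <field value="Authorization"/>  
                    <value value="none"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Accept"/>  
                    <value value="application/json"/> 
                </requestHeader>  
                <requestHeader> 
                    <field value="Content-Type"/>  
                    <value value="application/x-www-form-urlencoded"/> 
                </requestHeader>  
                <responseId value="oauth2GetTokenResponse1"/>  
                <sourceId value="get-token"/>  
                <url value="${dest1SystemConfig.tokenEndpoint}"/> 
            </operation> 
        </action>  
        <action> 
            <assert> 
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="07: Authorization request succeeds when supplied correct information"/>  
                <!-- RFC 6749 section 5.1 specifies 200 for the token response; 201 is tolerated. -->
                <operator value="in"/>  
                <responseCode value="200,201"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action>  
        <action> 
            <assert> 
                <!--
                  Added check: RFC 6749 section 5.1 requires any response carrying a token to be
                  sent with "Cache-Control: no-store" so the bearer token is not retained by
                  intermediaries or client caches. Emitted as a warning rather than a failure so
                  that this does not change the pass/fail contract of the existing suite; tighten
                  to warningOnly=false once the target servers are known to comply.
                -->
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="07: Token response is marked non-cacheable (Cache-Control: no-store, RFC 6749 section 5.1)"/>  
                <direction value="response"/>  
                <headerField value="Cache-Control"/>  
                <operator value="contains"/>  
                <sourceId value="oauth2GetTokenResponse1"/>  
                <value value="no-store"/>  
                <warningOnly value="true"/> 
            </assert> 
        </action> 
    </test>  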
    <test id="08-Auth-Resp-Reqd-Info-Check"> 
        <name value="08-Auth-Resp-Reqd-Info-Check"/>  
        <description value="08: Authorization request response body contains required information encoded in JSON"/>  
        <action> 
            <assert> 
                <!--
                  Runs VerifyAccessToken.groovy against the response captured by test 07
                  (responseId oauth2GetTokenResponse1); this test makes no request of its own and
                  therefore depends on test 07 having executed first.
                  NOTE(review): what the rule actually checks is not visible here. For a backend
                  services token response a reviewer would expect it to cover at least: a non-empty
                  access_token, token_type equal to "bearer" (case-insensitive per RFC 6749), an
                  expires_in that is present and bounded, and a granted scope no wider than the
                  one requested. Confirm against the rule source.
                -->
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-rule"> 
                    <extension url="ruleId"> 
                        <valueId value="rule-verifyAccessToken"/> 
                    </extension> 
                </extension>  
                <extension url="http://touchstone.aegis.net/touchstone/fhir/testing/StructureDefinition/testscript-assert-stopTestOnFail"> 
                    <valueBoolean value="false"/> 
                </extension>  
                <description value="08: Authorization request response body contains required information encoded in JSON"/>  
                <sourceId value="oauth2GetTokenResponse1"/>  
                <warningOnly value="false"/> 
            </assert> 
        </action> 
    </test> 
</TestScript>