inferno-community's People

Contributors

abjonnes, arscan, aviars, bmath10, dependabot[bot], hershilpatel, jammjammjamm, jason-crowley, jawalonoski, jmandel, johnrsnyder, jricher, lmsurpre, nbashyam, nlkennedy, notpace, plump-pinniped, radamson, rmharrison, schreiaj, srmoore, yunwwang

inferno-community's Issues

Launch scripts execute slowly

I used the batch CLI tool to run Inferno against the Sync for Science demo portal, and I noticed the standalone launch sequence took nearly 20 seconds to complete. I see that there are lots of hardcoded sleep statements in the web driver code - the authorization process on our demo portal requires about 10 clicks, and the 1 second sleep between each of them plus the 5 second sleep at the end add up to a big delay. Is it possible to reduce the amount of sleeping here, and rely on the explicit wait command available in the config when necessary?

Test CORS Support

Is your feature request related to a problem? Please describe it.
Support for CORS in OAuth and FHIR servers that provide the standalone patient-facing SMART app launch flow varies between vendors (some of the largest vendors have support, but overall support is mixed). This capability enables browser-based SMART apps to run without unnecessarily passing the PHI through a server, reducing the attack surface for some classes of apps. Unfortunately, vendor support is poorly documented.

Describe the solution you'd like to see implemented
While not part of the current version of the SMART or Argonaut specs, it would be great to include CORS support testing as an optional item in the community edition of the Inferno SMART launch and Argonaut query test suites.

USCDR-14 DocumentReference resources returned conform to US Core R4 profiles test fails even if DocumentReference.content.attachment.url is correct URL

Execute the USCore310DocumentreferenceSequence from uscore_v3.1.0 test suite.
Test case - USCDR-14 DocumentReference resources returned conform to US Core R4 profiles

 X fail - USCDR-14 DocumentReference resources returned conform to US Core R4 profiles
    Message: DocumentReference/5e8cd2544ee1c10006d58936: DocumentReference.content.attachment.url is not a valid url: 'http://fhir:3447/4_0_0/Binary/5e8cd2544ee1c10006d58936?type=document'<br/>
DocumentReference/5e8cd2544ee1c10006d58936: DocumentReference.content.attachment.url did not match one of the valid data types: ["url"]
    200 GET http://fhir:3447/4_0_0/DocumentReference/5e8cd2544ee1c10006d58936

Here is the actual data for content element -

    "content": [
        {
            "attachment": {
                "contentType": "text/xml",
                "url": "http://fhir:3447/4_0_0/Binary/5e8cd2544ee1c10006d58936?type=document",
                "title": "ccd for fhir demo"
            }
        }
    ],

Your environment

  • Edition of inferno (Community or Program): Community
  • Version of inferno: 2.9.0
  • Browser and version(s) is the bug present on?: Tested via batch file.

It seems like the data types in /lib/fhir_models/fhir_ext/structure_definition.rb are still pointing to an older version of the FHIR spec (http://hl7.org/fhir/2015May/datatypes.html). They have not been updated to 4.0.0.

Here is some additional info:

INFO | Inferno | GETTING: http://fhir:3447/4_0_0/DocumentReference/5e8cd2544ee1c10006d58936
WARN | Inferno | Unable to check http://fhir:3447/4_0_0/Binary/5e8cd2544ee1c10006d58936?type=document for datatype url
WARN | Inferno | Unable to check http://fhir:3447/4_0_0/Binary/5e8cd2544ee1c10006d58936?type=document for datatype url
ERROR | Inferno | AssertionException: DocumentReference/5e8cd2544ee1c10006d58936: DocumentReference.content.attachment.url is not a valid url: 'http://fhir:3447/4_0_0/Binary/5e8cd2544ee1c10006d58936?type=document'<br/>
DocumentReference/5e8cd2544ee1c10006d58936: DocumentReference.content.attachment.url did not match one of the valid data types: ["url"]
INFO | Inferno | Finished Test: USCDR-14 [fail]

US Core R4 AllergyIntolerance test doesn't actually send Patient ID

I may be misusing the tool here but I'm just playing around with things and trying to send an R4 AllergyIntolerance request to my FHIR service. When I launch the Inferno site, I select US Core R4, enter my FHIR base URL, hit Begin, and then click "Run" under US Core R4 Allergyintolerance Tests.

It then prompts me for a Bearer Token and Patient ID. I enter both and click Execute.

The AllergyIntolerance-02 test fails and then when I click "Results..." it shows me the URL it hit which contains the patient parameter but no value... it just looks like this:

GET 403 https://my-base-url/**AllergyIntolerance?patient**

Shouldn't it be including the Patient ID I provided? (I realize I'm getting a 403 in my case which is my fault but I'd still expect the patient ID to be included... unless it is and just not displayed in the UI for the Inferno tool).

rubygems.rb:289:in `find_spec_for_exe': can't find gem unicorn

$ unicorn -c deployment-files/unicorn.rb -E development -D
Traceback (most recent call last):
2: from /usr/local/bin/unicorn:23:in `<main>'
1: from /usr/lib/ruby/2.5.0/rubygems.rb:308:in `activate_bin_path'
/usr/lib/ruby/2.5.0/rubygems.rb:289:in `find_spec_for_exe': can't find gem unicorn (>= 0.a) with executable unicorn (Gem::GemNotFoundException)

HTTP 30x redirects not logged and shown in interface

If Inferno's client receives a redirect (through HTTP 301 for example), it will silently follow that redirect and not log it in the interface. This can lead to confusion if there is a server-side bug causing the site to redirect the client somewhere unexpected, because Inferno does not display the request/response that resulted in the redirect.

See https://chat.fhir.org/#narrow/stream/179309-inferno/topic/Server.20rejects.20Resource.20read.20without.20proper.20authorization/near/159359365

Unable to launch standalone as provider

I am building a standalone application that will be an external provider launch. I am able to launch the application using the following launch scope:

online_access openid profile offline_access launch/patient user/*.* patient/*.*

I am routed to the EPIC login, but it appears that the only users you have provisioned are patients.

I would expect that I could launch the EHR as a provider, get an authentication token and then be able to produce a list of patients that I am authorized to see Patient/*

It appears that you provide the following user id and password to test patient launch:
Username: fhirjason
Password: epicepic1

Is there an equivalent for an external provider launch? Please advise?

Conformance statement results are hard to debug

When I test https://portal.demo.syncfor.science/api/fhir I get

image
https://portal.demo.syncfor.science/api/fhir/metadata includes

      "security": {
        "extension": [
          {
            "extension": [
              {
                "url": "authorize", 
                "valueUri": "https://portal.demo.syncfor.science/oauth/authorize"
              }, 
              {
                "url": "manage", 
                "valueUri": "https://portal.demo.syncfor.science/apps"
              }, 
              {
                "url": "token", 
                "valueUri": "https://portal.demo.syncfor.science/oauth/token"
              }, 
              {
                "url": "register", 
                "valueUri": "https://portal.demo.syncfor.science/oauth/register"
              }
            ], 
            "url": "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"
          }
        ]
      }

... which I think should be valid. Clicking on the "Details: No authorize URI provided in conformance statement." error line turns the screen grey but does not convey additional information about what went wrong.

Onset-date not set for Condition resource data access

I am using the online tool for R4.

In the Condition resource data access test, the onset-date is not being set. Our server is generating a bad request. The inferno tool should provide a value for the onset-date search parameter regardless. I'm not aware of a rule that says the value does not have to be provided and that a default value can be used. If there is one, please let me know.

This is the request being made with the onset-date search parameter, but no value being set:

image

docker-compose up fails on bundle install

docker-compose up fails at the bundle install step. Here is the full output:

Creating network "inferno_default" with the default driver
Building ruby_server
Step 1/4 : FROM ruby:2.5
2.5: Pulling from library/ruby
e79bb959ec00: Pull complete
d4b7902036fe: Pull complete
1b2a72d4e030: Pull complete
d54db43011fd: Pull complete
69d473365bb3: Pull complete
84ed2a0dc034: Pull complete
1f97f190db1e: Pull complete
761e711814b0: Pull complete
Digest: sha256:063f661153e37b60c8345c63d76c02ba914f54e0df9f6de48e7111d49d1b2828
Status: Downloaded newer image for ruby:2.5
 ---> e86557c9a8ab
Step 2/4 : COPY Gemfile* ./
 ---> bab7a6522fd0
Step 3/4 : RUN bundle install
 ---> Running in 05d607c314cf

[!] There was an error parsing `Gemfile`: There are no gemspecs at /. Bundler cannot continue.

 #  from /Gemfile:6
 #  -------------------------------------------
 #
 >  gemspec
 #
 #  -------------------------------------------
ERROR: Service 'ruby_server' failed to build: The command '/bin/sh -c bundle install' returned a non-zero code: 15

Testing this on Windows and Ubuntu yielded the same results. Testing this on latest master and v2.0.0 also yielded the same results.

https://inferno.healthit.gov/inferno/bOhlG3KtlKE/strict/ - Conformance/Capability + typo

Last sentence confused me. Should it say: "This test refers to it as CONFORMANCE statement as that is what it was called in DSTU2."

accimidate-->accomodate

Here is what it was:
"The Conformance Statement Sequence tests a FHIR server’s ability to formally describe features supported by the API by using the Conformance Statement resource. The features described in the Conformance Statement must be consistent with the required capabilities of an Argonaut server. The Conformance Statement must also advertise the location of the required SMART on FHIR endpoints that enable authenticated access to the FHIR server resources.

Not all servers are expected to implement all possible queries and data elements described in the Argonaut API. For example, the Argonaut specification requires that the Patient resource and only one other Argonaut resource are required. Implementing the Conformance Statement resource allows clients to dynamically determine which of these resources are supported at runtime, instead of having to specifically write the application to accomidate every known server implementation at development time. Similarly, by providing information about the location of SMART on FHIR OAuth 2.0 endpoints, the client does not have to be hard-coded with information about the authorization services associated with every FHIR API.

Note that the name of this resource changed to ‘Capability Statement’ in STU3 to better describe the intent of this resource. This test refers to it as the Capability Statement as that is what it was called in DSTU2."

US Core smoking status patient+category+date search (USCSSO-03) should be optional

Thank you for reporting a possible bug in Inferno! Please fill in as much of the template below as you can.

Subject of the issue
USCSSO-03 is currently a required test for looking up smoking status via Observation search by patient+category+date. However, date is not a mandatory search parameter per the US Core smoking status profile. As such, USCSSO-03 should be an optional test for US Core v3.1.0 compliance rather than a required test.

Your environment

  • Edition of inferno (Community or Program): Community
  • Version of inferno: 2.9.0

Fatal Error: undefined method `coding' for #<Array:0x00007fa6c7bbee80>

I am using the online tool for R4.

I am receiving this error: Fatal Error: undefined method 'coding' for #<Array:0x00007fa6c7bbee80>

I am not sure exactly why. Here is a screenshot of the request:

image

Here is the response body our server generated:

{
  "resourceType": "Bundle",
  "type": "searchset",
  "total": 1,
  "entry": [
    {
      "fullUrl": "https://fhir-staging.bluebuttonpro.com/myhealth-r4/DiagnosticReport/5d3a089b72e89ba0945a1ec2",
      "resource": {
        "resourceType": "DiagnosticReport",
        "id": "5d3a089b72e89ba0945a1ec2",
        "meta": {
          "versionId": "1",
          "lastUpdated": "2019-07-25T19:53:01.253+00:00"
        },
        "identifier": [
          {
            "system": "http://terminology.bluebuttonpro.com/identifier",
            "value": "6e111e681224433592ac6baa5a451b68_5d3a089b72e89ba0945a1ec2"
          }
        ],
        "status": "unknown",
        "category": [
          {
            "coding": [
              {
                "system": "http://terminology.hl7.org/CodeSystem/v2-0074",
                "code": "LAB"
              }
            ]
          }
        ],
        "code": {
          "coding": [
            {
              "system": "http://loinc.org",
              "code": "11134-4",
              "display": "Appearance of Spun Body fluid"
            }
          ]
        },
        "subject": {
          "reference": "Patient/5d3a089b72e89ba0945a1ea9"
        },
        "effectiveDateTime": "2019-04-07T21:43:14.0000000Z",
        "issued": "2018-08-14T22:59:48+00:00"
      },
      "response": {
        "lastModified": "2019-07-25T19:53:01.253+00:00"
      }
    }
  ]
}

This is only happening for the DiagnosticReport (Lab) resource. The error occurs on Test numbers 2, 4, and 8.

Ensure that adding search parameters only restricts results

Some systems (at least: https://open.epic.com/Clinical/Medication, https://open.epic.com/Clinical/Condition) return only a limited set of results when no search parameters are used, e.g. to GET Condition or GET MedicationRequest. To see full results, a search needs to be performed with extra search parameters that filter by additional statuses. This violates the FHIR semantics, and it's something we should be able to detect automatically, by:

  1. Ensure sample data are available that use multiple statuses (active, complete)

  2. Issue an API call for all results (i.e., no status parameter in the call)

  3. Issue an API call for specific statuses (e.g., ?status=completed in the call)

  4. Ensure that the results of (4) are a strict subset of (3)
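
The check this issue proposes, sketched as an added example (not Inferno's code and not part of the original issue): given the searchset Bundle from an unfiltered search and the one from a status-filtered search, report every resource that the filter surfaced but the unfiltered search hid. The function names and the sample Bundles are constructed for illustration, and both Bundles are assumed to be fully paged already.

```ruby
require 'set'

# Collect "ResourceType/id" keys for the resources in a searchset Bundle,
# ignoring any OperationOutcome the server attached to the results.
def match_keys(bundle)
  Array(bundle['entry'])
    .map { |entry| entry['resource'] }
    .compact
    .reject { |res| res['resourceType'] == 'OperationOutcome' }
    .map { |res| "#{res['resourceType']}/#{res['id']}" }
    .to_set
end

# Returns a list of findings. An empty list means the filtered search only
# restricted the unfiltered one, which is what FHIR search semantics require.
def search_restriction_findings(unfiltered, filtered, statuses)
  findings = []

  # Anything the filter returns must also appear when no filter is given.
  (match_keys(filtered) - match_keys(unfiltered)).sort.each do |key|
    findings << "#{key} is returned for status=#{statuses.join(',')} " \
                'but not by the unfiltered search'
  end

  # The filter itself must be honoured by every returned resource.
  Array(filtered['entry']).each do |entry|
    res = entry['resource']
    next if res.nil? || res['resourceType'] == 'OperationOutcome'
    next if statuses.include?(res['status'])

    findings << "#{res['resourceType']}/#{res['id']} has status " \
                "#{res['status'].inspect}, outside the requested filter"
  end

  findings
end

# Constructed sample data: builds a minimal MedicationRequest searchset.
def sample_bundle(status_by_id)
  {
    'resourceType' => 'Bundle',
    'type' => 'searchset',
    'entry' => status_by_id.map do |id, status|
      { 'resource' => { 'resourceType' => 'MedicationRequest',
                        'id' => id, 'status' => status } }
    end
  }
end

# A server that silently applies a default status filter.
NARROWED_DEFAULT = sample_bundle('mr-1' => 'active', 'mr-2' => 'active')
# A server whose unfiltered search really returns everything.
FULL_DEFAULT = sample_bundle('mr-1' => 'active', 'mr-2' => 'active',
                             'mr-3' => 'completed')
# What GET MedicationRequest?status=completed returns on both servers.
COMPLETED_ONLY = sample_bundle('mr-3' => 'completed')

if __FILE__ == $PROGRAM_NAME
  puts search_restriction_findings(NARROWED_DEFAULT, COMPLETED_ONLY, ['completed'])
  puts search_restriction_findings(FULL_DEFAULT, COMPLETED_ONLY, ['completed']).empty?
end
```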

Fatal Error: undefined method `occurrenceDateTime'

I am using the online tool for R4.

I am receiving the error Fatal Error: undefined method 'occurrenceDateTime'.......... It's a pretty long error. This is only happening for the Procedure request for test numbers 3 and 4. Here is a screenshot of the error:

image

The result there says 0 requests were made, so I'm wondering if this error occurred before the request was even made.

I'll copy paste the error below in text for easier access:

Error Message: Fatal Error: undefined method `occurrenceDateTime' for #<FHIR::Procedure:0x00007fa6ced57678 @id="5d3a089b72e89ba0945a1ef6", @meta=#<FHIR::Meta:0x00007fa6ced56688 @id=nil, @extension=[], @versionId="1", @lastUpdated="2019-07-25T19:53:02.557+00:00", @source=nil, @profile=[], @security=[], @tag=[]>, @implicitRules=nil, @language=nil, @text=nil, @contained=[], @extension=[], @modifierExtension=[], @identifier=[#<FHIR::Identifier:0x00007fa6ced55be8 @id=nil, @extension=[], @use=nil, @type=nil, @system="http://terminology.bluebuttonpro.com/identifier", @value="6e111e681224433592ac6baa5a451b68_5d3a089b72e89ba0945a1ef6", @period=nil, @assigner=nil>], @instantiatesCanonical=[], @instantiatesUri=[], @basedOn=[], @partOf=[], @status="entered-in-error", @statusReason=nil, @category=nil, @code=#<FHIR::CodeableConcept:0x00007fa6ced555f8 @id=nil, @extension=[], @coding=[#<FHIR::Coding:0x00007fa6ced550f8 @id=nil, @extension=[], @system="http://snomed.info/sct", @version=nil, @code="1698001", @display="Ulcer of bile duct", @userSelected=nil>], @text=nil>, @subject=#<FHIR::Reference:0x00007fa6ced54a40 @id=nil, @extension=[], @reference="Patient/5d3a089b72e89ba0945a1ea9", @type=nil, @identifier=nil, @display=nil>, @encounter=nil, @performedDateTime="2017-09-10T08:15:49.0000000Z", @performedPeriod=nil, @performedString=nil, @performedAge=nil, @performedRange=nil, @recorder=nil, @asserter=nil, @performer=[], @location=nil, @reasonCode=[], @reasonReference=[], @bodySite=[], @outcome=nil, @report=[], @complication=[], @complicationDetail=[], @followUp=[], @note=[], @focalDevice=[], @usedReference=[], @usedCode=[]> 

Can't disable tls flag when executing through rake task with batch file

We can't disable tls flag when executing through batch file

Environment -

  • Edition of inferno (Community or Program): Community
  • Version of inferno: 2.9.0

Steps to reproduce
Update the config.yml to set -
====. Omit TLS tests ===
disable_tls_tests: true

Execute Test suite - US Core v3.1.0, UsCoreR4CapabilityStatementSequence from rake task.
bundle exec rake inferno:execute_batch[test.json]

Expected behavior
The Test - C-01: FHIR server secured by transport layer security should be omitted.

Actual behavior
The Test - C-01: FHIR server secured by transport layer security is not omitted.

It seems like the disable_tls_tests flag is always set to false in the rake task.

instance.save
sequence_instance = sequence.new(instance, client, false)
sequence_result = nil

Standalone Launch Sequence (Confidential Client) : Fatal Error:- No implicit conversion of nil into String

Anyone facing problem with the Standalone Launch (confidential) with the new update?
I'm using the reference implementation for testing: https://inferno.healthit.gov/inferno/
Our FHIR Server was getting all green checks in the previous release.
I'm trying to understand if it's actually a bug in the new release.

Test Step: SLS-06: OAuth token exchange request succeeds when supplied correct information
After obtaining an authorization code, the app trades the code for an access token via HTTP POST to the EHR authorization server’s token endpoint URL, using content-type application/x-www-form-urlencoded, as described in section 4.1.3 of RFC6749. http://www.hl7.org/fhir/smart-app-launch/

Test Result:
Error Message: Fatal Error: no implicit conversion of nil into String

Test token refresh with and without scopes

During token refresh, the SMART App Launch spec states that a scope parameter is optional -- i.e., that the client may include or omit it. Inferno should test both ways to ensure that servers can handle the presence + absence of this scope parameter. (We've seen servers in the wild that only work in one case or the other, so it'd be good to catch this in testing.)

Validate scopes in token refresh?

Should the returned scopes in response to a token refresh be validated? Currently Inferno is okay with something like "oob" here:

{
  "access_token": "2c4cab52-67b6-4c42-981f-dfba700f66fb",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "979638f9-646f-4d73-baf2-e20d7ec7ef04",
  "scope": "oob"
}

-- which is surprising; I think it'd be good to apply the same logic to compare these as in the initial token request.
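
This issue and the earlier "Test token refresh with and without scopes" issue ask for two related checks, sketched here as an added example (not Inferno's code and not part of either issue): send the refresh request once with and once without `scope`, and compare the scope returned on refresh against the original grant. The comparison applies RFC 6749 section 6, under which a refresh must not yield scopes that were not originally granted and an omitted scope means the original grant; the function names and the granted scope string are assumptions.

```ruby
require 'json'
require 'uri'

# Build the two form-encoded refresh request bodies a test run should try:
# one that omits the optional scope parameter and one that repeats the
# originally granted scope.
def refresh_request_bodies(refresh_token, granted_scope)
  base = { 'grant_type' => 'refresh_token', 'refresh_token' => refresh_token }
  {
    without_scope: URI.encode_www_form(base),
    with_scope: URI.encode_www_form(base.merge('scope' => granted_scope))
  }
end

# Compare the scope in a refresh response with the scope granted by the
# initial token request. Returns { errors: [...], warnings: [...] }.
def refresh_scope_findings(granted_scope, response_body)
  token = JSON.parse(response_body)
  granted = granted_scope.split

  # An absent scope member means "same as originally granted".
  returned = token.key?('scope') ? token['scope'].to_s.split : granted

  result = { errors: [], warnings: [] }

  extra = returned - granted
  unless extra.empty?
    result[:errors] << "scope(s) not in the original grant: #{extra.join(' ')}"
  end

  # A server may narrow the grant on refresh; surface it without failing.
  dropped = granted - returned
  unless dropped.empty?
    result[:warnings] << "scope(s) dropped on refresh: #{dropped.join(' ')}"
  end

  result
end

# Assumed original grant (constructed for this example).
GRANTED_SCOPE = 'launch/patient patient/*.read offline_access'

# The refresh response quoted in the issue above.
OOB_RESPONSE = <<~BODY
  {
    "access_token": "2c4cab52-67b6-4c42-981f-dfba700f66fb",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "979638f9-646f-4d73-baf2-e20d7ec7ef04",
    "scope": "oob"
  }
BODY

if __FILE__ == $PROGRAM_NAME
  puts refresh_request_bodies('979638f9-646f-4d73-baf2-e20d7ec7ef04', GRANTED_SCOPE)
  puts refresh_scope_findings(GRANTED_SCOPE, OOB_RESPONSE)
end
```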

docker-compose up fails

$ sudo docker-compose  up
Starting inferno_ruby_server_1 ... 
Starting inferno_ruby_server_1 ... done
Starting inferno_nginx_server_1 ... 
Starting inferno_nginx_server_1 ... done
Attaching to inferno_ruby_server_1, inferno_nginx_server_1
ruby_server_1   | ruby: No such file or directory -- app.rb (LoadError)
nginx_server_1  | 2018/10/02 23:59:13 [emerg] 1#1: host not found in upstream "ruby_server" in /etc/nginx/nginx.conf:72
nginx_server_1  | nginx: [emerg] host not found in upstream "ruby_server" in /etc/nginx/nginx.conf:72
inferno_ruby_server_1 exited with code 1
inferno_nginx_server_1 exited with code 1

I don't see where the upstream is defined in deployment-files/nginx.conf. Is some pre-configuration expected? Would be good to document.

Patient and EHR launch flows should be separated

Subject of the issue
I cannot test our patient and practitioner launch flows. The current suite assumes that the same application can be used for both sets, and that the same FHIR URL is involved, and there's not a good way to bypass the assumptions/previous test suites or mark them as NA.

When I try to skip the patient tests (let them fail), I get to the "EHR Practitioner App" and it sits at the "waiting for launch" page forever/never makes progress. If this needs to test an actual EHR launch, the suite itself will need to act as if it's the EHR (I assume it's not going to launch an external chart). It would need an input for a launch scope to provide the app, and it would use the provided FHIR URL as the iss.

Your environment

  • Edition of inferno (Community or Program): Program, DSTU 2
  • Version of inferno: 2.7.0 (public website)
  • Which browser and version(s) is the bug present on?: I'm using Chrome, 78.0.3904.97

Steps to reproduce

  1. Select the DSTU 2 Program
  2. Enter this FHIR URL: https://fhir-ehr.sandboxcerner.com/dstu2/0b8a0111-e8e6-4c26-a91c-5069cbc6b1ca/
  3. Click "Begin"
  4. On next page, click "Run tests" Use client id d545b3a7-c82a-4315-8810-2ea6b9efaf3b (public client). (You'll see errors about the well known endpoint, which is expected right now)
  5. Click Next.
  6. On patient tests, use defaults (this won't work, so you can cancel out).
  7. Click Next.
  8. On EHR Tests, enter following (note: using "user" level scopes since I can't mimic an EHR launch without being able to provide a launch code)
    Scopes: user/AllergyIntolerance.read user/Binary.read user/CarePlan.read user/Condition.read user/Device.read user/DocumentReference.read user/Encounter.read user/Goal.read user/Immunization.read user/MedicationStatement.read user/Observation.read user/Patient.read user/ProcedureRequest.read user/RelatedPerson.read user/Person.read user/Practitioner.read profile openid online_access
  9. Click "Execute"

The test will just sit there waiting for a redirect. If you click cancel, there will be no progress nor error shown on the main page to indicate what went wrong.

Expected behavior
Ideally, I would be able to run separate suites/steps for practitioner and patient apps, since they are never the same app for both workflows and require different permissions in real systems. If the app intends to test an EHR launch for practitioner, it will need to allow entry of a launch code to provide during authentication. Then the application would launch and follow normal redirects, or display an error if it encounters one.

Actual behavior
Just sits at the "waiting for redirect" window and you have to cancel out. No steps are completed, no additional output is provided.

Invalid mount config for type "bind": source path must be a directory

Error creating inferno_nginx_server_1
I'm trying to start inferno with: docker-compose up

I'm running Docker Engine - Enterprise on Windows Server 2019 standard
I have docker configured to use Linux containers.
I had Inferno working on my own personal machine with Windows 8 and Docker Desktop but now I am attempting to run it on Windows Server 2019 which doesn't seem to support Docker Desktop. Hence, I'm just using Docker Engine and compose from powershell.

Your environment

Steps to reproduce
When I run docker-compose up I get this error:

Step 4/4 : EXPOSE 4567
 ---> Running in 596d367909f9
Removing intermediate container 596d367909f9
 ---> 10855ae52912
Successfully built 10855ae52912
Successfully tagged inferno_ruby_server:latest
WARNING: Image for service ruby_server was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Pulling nginx_server (nginx:)...
latest: Pulling from library/nginx
b8f262c62ec6: Pull complete
a6639d774c21: Pull complete
22a7aa8442bf: Pull complete
Digest: sha256:9688d0dae8812dd2437947b756393eb0779487e361aa2ffbc3a529dca61f102c
Status: Downloaded newer image for nginx:latest
Creating inferno_ruby_server_1 ... done
Creating inferno_nginx_server_1 ... error

ERROR: for inferno_nginx_server_1  Cannot create container for service nginx_server: invalid volume specification: 'C:\Inferno\inferno\deployment-files\nginx.conf:/etc/nginx/nginx.conf:ro': invalid mount config for type "bind": source path must be a directory

ERROR: for nginx_server  Cannot create container for service nginx_server: invalid volume specification: 'C:\Inferno\inferno\deployment-files\nginx.conf:/etc/nginx/nginx.conf:ro': invalid mount config for type "bind": source path must be a directory
ERROR: Encountered errors while bringing up the project.
PS C:\Inferno\inferno>

Expected behavior
Inferno should start :)

Actual behavior
Error as shown above.

Can redirect URIs be made static?

Currently, it appears that the redirect URI used by Inferno is dynamic, with what looks like a session or test ID or something in the URL:

http://inferno.healthit.gov/inferno/9OQgz2pxcQt/2BxrGc/redirect

For systems that perform strict validation of redirect URIs, a new redirect would need to be registered by the owner of the client for each new set of tests run.

If instead, a fixed redirect URI were used, where the session/test identifier is passed as the state parameter, that would allow a single client registration to be used.
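
One way the proposal above could work, as an added example (not Inferno's code and not part of the original issue): every authorization request uses the same registered redirect URI, and an unguessable, single-use `state` value maps the callback back to the test session. The class name, the `inferno.example` and `ehr.example` URLs and the session identifiers are hypothetical.

```ruby
require 'securerandom'
require 'uri'

# Tracks pending authorization requests so that one fixed redirect URI can
# serve every test session.
class StaticRedirectRegistry
  # Hypothetical fixed URI: the only value a client owner has to register.
  REDIRECT_URI = 'https://inferno.example/redirect'

  def initialize
    @pending = {} # state value => session id
  end

  # Build the authorization request URL for one test session. The session is
  # identified only by the random state, never by the redirect URI path.
  def authorize_url(authorize_endpoint:, client_id:, scope:, fhir_base:, session_id:)
    state = SecureRandom.urlsafe_base64(32)
    @pending[state] = session_id

    query = URI.encode_www_form(
      response_type: 'code',
      client_id: client_id,
      redirect_uri: REDIRECT_URI,
      scope: scope,
      aud: fhir_base,
      state: state
    )
    "#{authorize_endpoint}?#{query}"
  end

  # Resolve a callback to its session. Returns nil when the state is missing,
  # unknown or already used, so a replayed or forged callback cannot attach
  # an authorization code to someone else's session.
  def resolve_callback(callback_url)
    params = URI.decode_www_form(URI.parse(callback_url).query.to_s).to_h
    session_id = @pending.delete(params['state'])
    return nil if session_id.nil?

    { session_id: session_id, code: params['code'] }
  end
end

if __FILE__ == $PROGRAM_NAME
  registry = StaticRedirectRegistry.new
  url = registry.authorize_url(
    authorize_endpoint: 'https://ehr.example/oauth/authorize',
    client_id: 'example-client', scope: 'launch/patient patient/*.read',
    fhir_base: 'https://ehr.example/fhir', session_id: 'session-A'
  )
  state = URI.decode_www_form(URI.parse(url).query).to_h['state']
  callback = "#{StaticRedirectRegistry::REDIRECT_URI}?code=abc123&state=#{state}"
  p registry.resolve_callback(callback) # first use resolves to session-A
  p registry.resolve_callback(callback) # replay is rejected
end
```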

Tools says CRUD methods not supported based on conformance statement, but they are

I am using the online tool with R4.

The tool says that the various CRUD operations are not supported because it was not stated in the conformance statement. Here is an example from the CareTeam resource:

image

Here is our FHIR server's conformance statement: https://fhir-staging.bluebuttonpro.com/myhealth-r4/metadata

Using the CareTeam resource, we can clearly see that the conformance statement indicates all CRUD operations are supported:

image

This same error is being displayed in several other resources in the tool. Here are the following:

  • DiagnosticReport (Note)
    • States that create operations are not supported
  • DocumentReference
    • States create operations are not supported
  • MedicationRequest
    • States that read operations are not supported
    • States that vread operations are not supported
    • States that history operations are not supported
    • States that search operations are not supported

JWKS Url Auth

I am trying to verify bulk data, using inferno but not getting the JWKS Url.

Thanks,
Tarun

Missing web driver documentation

It would be helpful to document what is required to get the launch scripts operational from the CLI. For instance, I had to download chromedriver, put it in my path, and make sure Chrome or Chromium was installed.

Also, with ChromeDriver 70.0.3538.16 and Chromium 69.0.3497.92, I was getting the following error when running the Standalone Launch sequence:

 X fail - SLS-02 OAuth server redirects client browser to app redirect URI
    Message: Automated browser script failed: unknown error: Chrome failed to start: exited abnormally
  (unknown error: DevToolsActivePort file doesn't exist)
  (The process started from chrome location /usr/bin/chromium is no longer running, so ChromeDriver is assuming that Chrome has crashed.)
  (Driver info: chromedriver=70.0.3538.16 (16ed95b41bb05e565b11fb66ac33c660b721f778),platform=Linux 4.9.93-linuxkit-aufs x86_64)

To resolve this, I added an argument to the WebDriver options:

       options.add_argument('--headless')
       options.add_argument('--kiosk')
       options.add_argument('--disable-gpu')
       options.add_argument('--incognito')
+      options.add_argument('--no-sandbox')
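
Review bot: the added `options.add_argument('--no-sandbox')` line applies unconditionally, so Chrome's sandbox is switched off for every automated browser run rather than only in the environment where Chrome failed to start. Consider making the flag opt-in through a configuration setting that defaults to off, and adding a comment next to it that records the "DevToolsActivePort file doesn't exist" failure it works around.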

Unclear results from MIME type checks

image

Server response included:

content-type: application/json;charset=utf-8

If the "charset=utf-8" weren't there, would this be acceptable? Does the charset make it wrong per Inferno?

Fatal error: undefined method `validate_create_reply'

Subject of the issue
A fatal error occurs for DiagnosticReport test number 9:
image

This issue also occurs for the following resource tests:

  • DiagnosticReport for Laboratory Results Reporting Tests
  • DocumentReference

Here is our server's metadata: https://fhir-staging.bluebuttonpro.com/example/metadata. This indicates we do support create:

image

Your environment

  • Edition of inferno (Community or Program): Community
  • Version of inferno: 2.7.0
  • Which browser and version(s) is the bug present on?: Firefox v70.0.1

OpenId JSON::JWS::VerificationFailed

Subject of the issue
Getting JSON::JWS::VerificationFailed on testing OpenId ID Token when I can verify signature with own code and using third party jwt.io

openidError

Your environment

  • Edition of inferno (Community or Program): Web
  • Version of inferno: Proposed ONC Health IT Certification FHIR DSTU2
  • Which browser and version(s) is the bug present on?: Chrome

Steps to reproduce
IdToken:
ewoJImFsZyIgOiAiUlMyNTYiLAoJInR5cCIgOiAiSldUIgp9.ewoJImF1ZCIgOiAiZmU3YzgzMDM3NTlkMWQiLAoJImV4cCIgOiAiMTU3NTM5MjA0OCIsCgkiZmhpclVzZXIiIDogImh0dHBzOi8vd3d3Lm1lZGVudG1vYmlsZXRlc3QuY29tL2ZoaXIvRFNUVTIvc2F2Y3cyMzUvUGF0aWVudC8xMjM0IiwKCSJpYXQiIDogIjE1NzUzOTE3NDgiLAoJImlzcyIgOiAiaHR0cHM6Ly93d3cubWVkZW50bW9iaWxldGVzdC5jb20vZmhpci9EU1RVMi9zYXZjdzIzNSIsCgkic3ViIiA6ICJDRDgwMDVGNTc0MzI2M0VDQjBFQzE1NzUzOTE3NDgiCn0.EAazBFLIeW-0DB-DSsoFYp099QlVoFIYg8XMhFpY2pdESUjvW-IvV1BX0BZhrGxgMRgfkdmJ6ehsqwGBsFWhU28vgbk47Lg5cgIAckglQseDt3eQbqrXy6nCYTQottQdaOfZZCrsw9c57_0XfztdBXADN-Pxkw9c8pMalMUXCrg2NrO7XffUCQNpc1TG2O1yfDp9-2lfE0PIjS5hf9zrxEY7FBph4zavOnmEBAqmvOEqMRnroPbOdZBK8KTSETP57cuYq6QBzYLAyH_OBYALNrlcq9VDIEsoqnoBuAiD0K40R27dxoGY0oWykncZdOZYJHCOtmdhcGKmG-aP3O6AccIDgxD6tDuE_midfKBY6fUR7ZMfkF6k9ndaWcrUky3wIcSM73Fpzf1ffnV7lxDIrNDh3-5YN5DHHvCfrCDGKHHeaSC3VwJV6zeA1O8Wr6wOWnxaStM4pSw6yyrz8lzlpZmfPvypFb3UmaVXiGi092Pty8spnaFHrENwQo2ubNLe

Public Key:

JWK URI:
https://www.medentmobiletest.com/fhir/DSTU2/jwks/index.php?medent_practice_id=savcw235

If I use https://jwt.io/ and plug in the IdToken and Public Key, and select RS256 as the Algorithm, the signature is verified.

openidSigVerified

This is the first time I've tried to implement OpenId so I'm wondering if maybe I'm missing a parameter in the JWK or ID Token that's preventing the signature from validating, or maybe Inferno doesn't support RSA256? The error message is not very clear to me on why it does not validate.

Error running with docker-compose

I'm getting an error when I run "docker-compose -up":

C:\Inferno>docker-compose up
Starting inferno_ruby_server_1 ... done
Starting inferno_nginx_server_1 ... error

ERROR: for inferno_nginx_server_1  Cannot start service nginx_server: OCI runtime create failed: container_linux.go:344: starting container process caused "process_linux.go:424: container init caused \"rootfs_linux.go:58: mounting \\\"/host_mnt/c/Inferno/deployment-files/nginx.conf\\\" to rootfs \\\"/var/lib/docker/overlay2/3ed3f42550ac3db281a34768af0d9c42c1581e676e44ab3ec3eec55616ba0ceb/merged\\\" at \\\"/var/lib/docker/overlay2/3ed3f42550ac3db281a34768af0d9c42c1581e676e44ab3ec3eec55616ba0ceb/merged/etc/nginx/nginx.conf\\\" caused \\\"not a directory\\\"\"": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

ERROR: for nginx_server  Cannot start service nginx_server: OCI runtime create failed: container_linux.go:344: starting container process caused "process_linux.go:424: container init caused \"rootfs_linux.go:58: mounting \\\"/host_mnt/c/Inferno/deployment-files/nginx.conf\\\" to rootfs \\\"/var/lib/docker/overlay2/3ed3f42550ac3db281a34768af0d9c42c1581e676e44ab3ec3eec55616ba0ceb/merged\\\" at \\\"/var/lib/docker/overlay2/3ed3f42550ac3db281a34768af0d9c42c1581e676e44ab3ec3eec55616ba0ceb/merged/etc/nginx/nginx.conf\\\" caused \\\"not a directory\\\"\"": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
ERROR: Encountered errors while bringing up the project.

C:\Inferno>

This isn't covered in the Troubleshooting wiki so I figured I'd post it here... This is with v2.3.0.

Also, it may be worth pointing out in the instructions that you have to configure Docker for Windows to use Linux Containers for this to work... I was getting different errors prior to switching that.

Inferno should refresh the token as needed during testing

Thank you for reporting a possible bug in Inferno! Please fill in as much of the template below as you can.

Subject of the issue
Today, the inferno application requires some manual driving (via the website), which can take quite a bit of time. In addition, the tests that look at all of the resource profiles themselves can take a decent amount of time. Since access tokens are recommended to have a short lifetime, it is possible that they may expire during this workflow. The inferno application should automatically refresh the token if it has expired to continue running tests.

Your environment

  • Edition of inferno (Community or Program): Community
  • Version of inferno: 2.7.0
  • Which browser and version(s) is the bug present on?: I'm on Chrome, but do not expect this to be influenced by the browser

Steps to reproduce

  1. Select the DSTU 2 Community test suite
  2. Run through tests with an authorization server that limits token lifetimes (ours is 10-15 minutes), pause between the token retrieval and "Data Access" tests for long enough for the token to expire (or have the requests take long enough for the token to expire). In my case, Inferno seemed to "get stuck" for about 5 minutes, at which point the token expired - I believe it was doing some resource validation or other tests that may not have hit our server directly during this time.
  3. Tests will show that the token is being rejected (in our case, we're returning the signature expired error per the OAuth 2 specification)

Include:

  • The selected test suite
  • The URL of the FHIR server being tested
  • The Test ID, if it's a problem with a specific test.
  • Any required configuration options (client ID, client secret, etc.)
  • Anything else needed to make the issue occur.

Expected behavior
Ideally, inferno would attempt to refresh the token if it has hit the expiry as returned by that authorization server for that bearer token.

Actual behavior
All tests from point of expiry on fail.
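The behavior requested in this report, sketched as an added example (not Inferno's own code): a client tracks the expiry advertised in the token response and performs the OAuth 2.0 refresh_token grant before the next request when the token is due. The class name, the 30-second margin and the `exchange` callable are assumptions; client authentication, where the server requires it, is left to that callable.

```ruby
require 'uri'

# Tracks one OAuth 2.0 token response and decides when a refresh is due.
class TokenState
  attr_reader :access_token, :refresh_token, :expires_at

  # margin: seconds before the advertised expiry at which to refresh early
  # (assumed policy value, covers clock skew and slow test steps).
  def initialize(response, received_at:, margin: 30)
    @margin = margin
    @refresh_token = nil
    apply(response, received_at)
  end

  # RFC 6749 section 5.1 only RECOMMENDS expires_in; without it the lifetime
  # is unknown and expiry can only be detected from a rejected request.
  def expired?(now)
    !@expires_at.nil? && now >= @expires_at - @margin
  end

  # Form body for the refresh_token grant (RFC 6749 section 6).
  def refresh_request_body
    URI.encode_www_form(grant_type: 'refresh_token', refresh_token: @refresh_token)
  end

  # Returns a usable access token. `exchange` is a hypothetical callable that
  # POSTs the body to the token endpoint and returns the parsed JSON response.
  def fresh_access_token(now, exchange)
    return @access_token unless expired?(now)
    raise 'access token expired and no refresh token was issued' if @refresh_token.to_s.empty?

    apply(exchange.call(refresh_request_body), now)
    @access_token
  end

  private

  def apply(response, received_at)
    @access_token = response.fetch('access_token')
    # The server may omit refresh_token when refreshing; keep the previous one.
    @refresh_token = response['refresh_token'] || @refresh_token
    @expires_at = response['expires_in'] && received_at + response['expires_in'].to_i
  end
end
```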

OIDC testing should use id_token

The OIDC test asks the user to paste in a token; it should use the id_token from the access token response (if any) by default.

OpenID Connect "iat" invalid claim

Subject of the issue
This used to pass before, but it no longer does. Either in the standalone launch or the ehr launch, the section open id connect, test number 6, always displays "Invalid iat". There aren't any further details as to why it is invalid.

Here is the test result:
image

I am retrieving the id token from clicking on the "Inputs" tab:
image

Here is the decoded token in jwt.io:
image

Everything seems fine to me...

Your environment

  • Edition of inferno (Community or Program): Community
  • Version of inferno: 2.7.0
  • Which browser and version(s) is the bug present on?: Firefox v70.0.1

Steps to reproduce
Follow through with the standalone or ehr launch sequences as normal. The error will occur once the sequence has completed.

Expected behavior
ID token validation should pass

Actual behavior
ID token validation fails with "Invalid iat" error.

Please let me know if there is any additional information required
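Both this report and the earlier JSON::JWS::VerificationFailed report describe an ID token check that fails without saying why. The following added example (not Inferno's code, and not a diagnosis of either report) is an independent cross-check that names the specific reason for each failure. The function names and the 300-second `max_iat_skew` are assumptions, and the demo token is constructed.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Returns human-readable problems; an empty list means every check passed.
# max_iat_skew (seconds) is an assumed policy value, not an Inferno setting.
def id_token_problems(token, public_key, now: Time.now.to_i, max_iat_skew: 300)
  parts = token.split('.')
  return ['token must have three dot-separated segments'] unless parts.length == 3

  begin
    header, claims = parts[0, 2].map { |seg| JSON.parse(Base64.urlsafe_decode64(seg)) }
    signature = Base64.urlsafe_decode64(parts[2])
  rescue JSON::ParserError, ArgumentError => e
    return ["segment is not base64url-encoded JSON: #{e.message}"]
  end
  return ['header and payload must be JSON objects'] unless header.is_a?(Hash) && claims.is_a?(Hash)

  problems = []
  # Pin the algorithm; never let the token header choose how it is verified.
  if header['alg'] != 'RS256'
    problems << "unsupported alg #{header['alg'].inspect}, expected \"RS256\""
  elsif !public_key.verify(OpenSSL::Digest.new('SHA256'), signature, parts[0, 2].join('.'))
    problems << 'RS256 signature does not match the supplied key'
  end

  # RFC 7519: iat and exp are NumericDate values, i.e. JSON numbers.
  iat, exp = %w[iat exp].map do |name|
    value = claims[name]
    problems << "#{name} claim is missing" if value.nil?
    problems << "#{name} must be a JSON number, got #{value.class}: #{value.inspect}" unless value.nil? || value.is_a?(Numeric)
    value if value.is_a?(Numeric)
  end
  problems << "iat #{iat} is #{iat - now}s in the future" if iat && iat > now + max_iat_skew
  problems << "exp #{exp} is in the past (now #{now})" if exp && exp <= now
  problems
end

# Constructed sample input: sign the given claims with a throwaway RSA key.
def sample_token(key, claims)
  b64 = ->(s) { Base64.urlsafe_encode64(s, padding: false) }
  input = "#{b64.(JSON.generate('alg' => 'RS256', 'typ' => 'JWT'))}.#{b64.(JSON.generate(claims))}"
  "#{input}.#{b64.(key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  puts id_token_problems(sample_token(key, 'iat' => '1700000000', 'exp' => Time.now.to_i + 60), key)
end
```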

Invalid conformance is accepted as valid

The conformance statement returned by the https://greenfield-apis.meditech.com/v1/argonaut/v1 end point contains an invalid search parameter target:

       {
          "type": "Observation",
          "interaction": [
            { "code": "read" },
            { "code": "search-type" }
          ],
          "searchParam": [
            {
              "name": "patient",
              "definition": "http://www.fhir.org/guides/argonaut/r2/",
              "type": "reference",
              "documentation": "Search for all Observation resources for a patient",
              "target": [ "reference" ],

that is not flagged by the tests.

(This is a pretty bad problem because if you are using a library to access that server you are stuck: the library won't accept the conformance - and reading that is the very first thing you have to do)
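One way a test could flag the problem described in this report, as an added example that is not Inferno's code: walk every searchParam in the conformance statement and report each target that is not a resource type name. The function name, the abbreviated `SAMPLE_TYPES` list and the sample document (constructed to mirror the excerpt above) are assumptions.

```ruby
require 'json'

# Returns one finding per searchParam.target entry that is not a resource type.
# known_types must be the full resource type list for the FHIR version tested.
def invalid_search_targets(conformance, known_types)
  findings = []
  Array(conformance['rest']).each_with_index do |rest, r|
    Array(rest['resource']).each_with_index do |resource, i|
      Array(resource['searchParam']).each_with_index do |param, p|
        Array(param['target']).each do |target|
          next if known_types.include?(target)

          findings << "rest[#{r}].resource[#{i}].searchParam[#{p}] " \
                      "(#{resource['type']}.#{param['name']}): " \
                      "target #{target.inspect} is not a resource type"
        end
      end
    end
  end
  findings
end

# Abbreviated for the sample only; load the complete list from the FHIR
# specification's resource-types value set in real use.
SAMPLE_TYPES = %w[Patient Observation Encounter Practitioner].freeze

# Constructed sample: the first searchParam mirrors the excerpt in the report,
# the second is a well-formed one added for contrast.
SAMPLE_CONFORMANCE = JSON.parse(<<~JSON)
  { "resourceType": "Conformance",
    "rest": [ { "mode": "server", "resource": [ {
      "type": "Observation",
      "interaction": [ { "code": "read" }, { "code": "search-type" } ],
      "searchParam": [
        { "name": "patient", "type": "reference", "target": [ "reference" ] },
        { "name": "encounter", "type": "reference", "target": [ "Encounter" ] }
      ] } ] } ] }
JSON

puts invalid_search_targets(SAMPLE_CONFORMANCE, SAMPLE_TYPES) if __FILE__ == $PROGRAM_NAME
```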
