From bd00670e462234e91bbbed742e1e434892f7434c Mon Sep 17 00:00:00 2001
From: Jonathan Hooper
Date: Thu, 16 May 2024 14:42:04 -0400
Subject: [PATCH] Add tests for IdentityLinker#process_ial logic

The `IdentityLinker` seems to be setting the following attributes on `ServiceProviderIdentities` for reporting purposes: - `last_ial2_authenticated_at` - `last_ial1_authenticated_at` - `verified_at` These fields seems to be queried for a number of reports and aren't used by any business logic in the IdP. This behavior is currently untested. You could remove this entire method and the test suite would still be green. This commit tests the current behavior. The current behavior does not appear to account for a number of edge cases e.g. users who sign in with IALMax or users who are signing into multiple service providers. This commit addresses none of those edge cases because I do not understand the ramifications of addressing those edge cases for our reporting. [skip changelog]
---
 spec/services/identity_linker_spec.rb | 92 +++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)
diff --git a/spec/services/identity_linker_spec.rb b/spec/services/identity_linker_spec.rb
index 99f1922f395..89b67124dcb 100644
--- a/spec/services/identity_linker_spec.rb
+++ b/spec/services/identity_linker_spec.rb
@@ -155,5 +155,97 @@
 IdentityLinker.new(user, service_provider1).link_identity(rails_session_id: rails_session_id)
 IdentityLinker.new(user, service_provider2).link_identity(rails_session_id: rails_session_id)
 end
+
+ context 'identity.last_ial2_authenticated_at' do
+ context 'the request includes identity proofing' do
+ it 'sets the timestamp' do
+ IdentityLinker.new(user, service_provider).link_identity(ial: 2)
+
+ expect(
+ user.last_identity.last_ial2_authenticated_at,
+ ).to be_within(1.second).of(Time.zone.now)
+ end
+ end
+
+ context 'the request does not include identity proofing' do
+ it 'does not set the timestamp' do
+ IdentityLinker.new(user, service_provider).link_identity(ial: 1)
+
+ expect(user.last_identity.last_ial2_authenticated_at).to be_nil
+ end
+ end
+
+ context 'the request is IALMax and verified_at is null' do
+ it 'does not set the timestamp' do
+ IdentityLinker.new(user, service_provider).link_identity(ial: 0)
+
+ expect(user.last_identity.last_ial2_authenticated_at).to be_nil
+ end
+ end
+
+ context 'the request is IALMax and verified_at is not null' do
+ it 'sets the timestamp' do
+ IdentityLinker.new(user, service_provider).link_identity(ial: 2)
+ IdentityLinker.new(user, service_provider).link_identity(ial: 0)
+
+ expect(
+ user.last_identity.last_ial2_authenticated_at,
+ ).to be_within(1.second).of(Time.zone.now)
+ end
+ end
+ end
+
+ context 'identity.last_ial1_authenticated_at' do
+ context 'the request includes identity proofing' do
+ it 'does not set the timestamp' do
+ IdentityLinker.new(user, service_provider).link_identity(ial: 2)
+
+ expect(user.last_identity.last_ial1_authenticated_at).to be_nil
+ end
+ end
+
+ context 'the request does not include identity proofing' do
+ it 'sets the timestamp' do
+ IdentityLinker.new(user, service_provider).link_identity(ial: 1)
+
+ expect(
+ user.last_identity.last_ial1_authenticated_at,
+ ).to be_within(1.second).of(Time.zone.now)
+ end
+ end
+ end
+
+ context 'identity.verified_at' do
+ context 'the request is includes identity proofing and verified_at is null' do
+ it 'sets the timestamp' do
+ IdentityLinker.new(user, service_provider).link_identity(ial: 2)
+
+ expect(
+ user.last_identity.verified_at,
+ ).to be_within(1.second).of(Time.zone.now)
+ end
+ end
+
+ context 'the request is includes identity proofing and verified_at is not null' do
+ it 'does not set the timestamp' do
+ travel_to 1.week.ago do
+ IdentityLinker.new(user, service_provider).link_identity(ial: 2)
+ end
+ IdentityLinker.new(user, service_provider).link_identity(ial: 2)
+
+ expect(
+ user.last_identity.verified_at,
+ ).to be_within(1.second).of(1.week.ago)
+ end
+ end
+
+ context 'the request does not include identity proofing' do
+ it 'does not set the timestamp' do
+ IdentityLinker.new(user, service_provider).link_identity(ial: 1)
+
+ expect(user.last_identity.verified_at).to be_nil
+ end
+ end
+ end
 end
 end
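Review bot: The 'the request is IALMax and verified_at is not null' example cannot fail for the behaviour it names. Its setup call `link_identity(ial: 2)` runs at the same instant as the `ial: 0` call, and the first example in that context shows it already sets `last_ial2_authenticated_at` to about now, so the `be_within(1.second).of(Time.zone.now)` assertion holds even if the IALMax call writes nothing. Put the setup in the past, as the `verified_at` example further down already does: `travel_to(1.week.ago) { IdentityLinker.new(user, service_provider).link_identity(ial: 2) }`. Because these columns feed reporting on identity-proofed sign-ins, an example that passes vacuously leaves the IALMax path as unguarded as before the commit. Separately, two context strings in the `identity.verified_at` group read 'the request is includes'; drop the 'is'. The enclosing describe block starts outside the hunk.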