From 7f5a88f00fe692de78c9b5e20f1fb676cada6718 Mon Sep 17 00:00:00 2001
From: Andrew Duthie
Date: Fri, 2 Aug 2024 17:05:08 -0400
Subject: [PATCH 1/2] Remove OIDC form-action CSP assertions from account creation specs

changelog: Internal, Automated Testing, Remove OIDC form-action CSP assertions from account creation specs
---
 .../shared_examples/account_creation.rb | 61 +------------------
 1 file changed, 2 insertions(+), 59 deletions(-)

diff --git a/spec/support/shared_examples/account_creation.rb b/spec/support/shared_examples/account_creation.rb
index 38625da6863..1434d60fd41 100644
--- a/spec/support/shared_examples/account_creation.rb
+++ b/spec/support/shared_examples/account_creation.rb
@@ -1,38 +1,9 @@
 RSpec.shared_examples 'creating an account with the site in Spanish' do |sp|
- it 'redirects to the SP with SP URIs in form-action CSP if enabled', email: true do
- allow(IdentityConfig.store).to receive(:openid_connect_content_security_form_action_enabled).
- and_return(true)
- Capybara.current_session.driver.header('Accept-Language', 'es')
- visit_idp_from_sp_with_ial1(sp)
- register_user
-
- if sp == :oidc
- expect(page.response_headers['Content-Security-Policy']).
- to(include('form-action \'self\' http://localhost:7654'))
- end
-
- click_agree_and_continue
- if :sp == :saml
- expect(current_url).to eq UriService.add_params(@saml_authn_request, locale: :es)
- elsif sp == :oidc
- redirect_uri = URI(oidc_redirect_url)
-
- expect(redirect_uri.to_s).to start_with('http://localhost:7654/auth/result')
- end
- end
-
- it 'redirects to the SP without SP URIs in form-action CSP if disabled', email: true do
- allow(IdentityConfig.store).to receive(:openid_connect_content_security_form_action_enabled).
- and_return(false)
+ it 'redirects to the SP', email: true do
 Capybara.current_session.driver.header('Accept-Language', 'es')
 visit_idp_from_sp_with_ial1(sp)
 register_user
- if sp == :oidc
- expect(page.response_headers['Content-Security-Policy']).
- to(include('form-action \'self\''))
- end
-
 click_agree_and_continue
 if :sp == :saml
 expect(current_url).to eq UriService.add_params(@saml_authn_request, locale: :es)
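Review bot: The retained context line `if :sp == :saml` near the end of the hunk compares the literal symbol `:sp` with `:saml`, which is always false, so the SAML branch — `expect(current_url).to eq UriService.add_params(@saml_authn_request, locale: :es)` — can never run and the surviving example asserts nothing about the SAML redirect. It should read `if sp == :saml`, as the `sp == :saml` checks in the authenticator-app and PIV/CAC examples already do. The `it` block continues past the end of the hunk, so the OIDC branch of this conditional is not visible here. Separately, with the `allow(IdentityConfig.store)` stub removed here and in the two later hunks, the examples now run under whatever default `openid_connect_content_security_form_action_enabled` the test environment supplies; if the form-action directive is still covered by another spec, naming it in the changelog entry would make that traceable.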
@@ -45,38 +16,10 @@
 end
 RSpec.shared_examples 'creating an account using authenticator app for 2FA' do |sp|
- it 'redirects to the SP with SP URIs in form-action CSP if enabled', email: true do
- allow(IdentityConfig.store).to receive(:openid_connect_content_security_form_action_enabled).
- and_return(true)
+ it 'redirects to the SP', email: true do
 visit_idp_from_sp_with_ial1(sp)
 register_user_with_authenticator_app
- if sp == :oidc
- expect(page.response_headers['Content-Security-Policy']).
- to(include('form-action \'self\' http://localhost:7654'))
- end
-
- click_agree_and_continue
- expect(current_url).to eq complete_saml_url if sp == :saml
-
- if sp == :oidc
- redirect_uri = URI(oidc_redirect_url)
-
- expect(redirect_uri.to_s).to start_with('http://localhost:7654/auth/result')
- end
- end
-
- it 'redirects to the SP without SP URIs in form-action CSP if disabled', email: true do
- allow(IdentityConfig.store).to receive(:openid_connect_content_security_form_action_enabled).
- and_return(false)
- visit_idp_from_sp_with_ial1(sp)
- register_user_with_authenticator_app
-
- if sp == :oidc
- expect(page.response_headers['Content-Security-Policy']).
- to(include('form-action \'self\''))
- end
-
 click_agree_and_continue
 expect(current_url).to eq complete_saml_url if sp == :saml

From 70a38102964ba127f9700e3da6befb39ff10c6ec Mon Sep 17 00:00:00 2001
From: Andrew Duthie
Date: Fri, 2 Aug 2024 17:38:40 -0400
Subject: [PATCH 2/2] Remove PIV/CAC sign-up CSP assertions

---
 .../shared_examples/account_creation.rb | 30 +------------------
 1 file changed, 1 insertion(+), 29 deletions(-)

diff --git a/spec/support/shared_examples/account_creation.rb b/spec/support/shared_examples/account_creation.rb
index 1434d60fd41..cac5c3a31c5 100644
--- a/spec/support/shared_examples/account_creation.rb
+++ b/spec/support/shared_examples/account_creation.rb
@@ -57,38 +57,10 @@
 end
 RSpec.shared_examples 'creating an account using PIV/CAC for 2FA' do |sp|
- it 'redirects to the SP with SP URIs in form-action CSP if enabled', email: true do
- allow(IdentityConfig.store).to receive(:openid_connect_content_security_form_action_enabled).
- and_return(true)
- visit_idp_from_sp_with_ial1(sp)
- register_user_with_piv_cac
-
- if sp == :oidc
- expect(page.response_headers['Content-Security-Policy']).
- to(include('form-action \'self\' http://localhost:7654'))
- end
-
- click_agree_and_continue
- expect(current_url).to eq complete_saml_url if sp == :saml
-
- if sp == :oidc
- redirect_uri = URI(oidc_redirect_url)
-
- expect(redirect_uri.to_s).to start_with('http://localhost:7654/auth/result')
- end
- end
-
- it 'redirects to the SP without SP URIs in form-action CSP if disabled', email: true do
- allow(IdentityConfig.store).to receive(:openid_connect_content_security_form_action_enabled).
- and_return(false)
+ it 'redirects to the SP', email: true do
 visit_idp_from_sp_with_ial1(sp)
 register_user_with_piv_cac
- if sp == :oidc
- expect(page.response_headers['Content-Security-Policy']).
- to(include('form-action \'self\''))
- end
-
 click_agree_and_continue
 expect(current_url).to eq complete_saml_url if sp == :saml