diff --git a/app/controllers/openid_connect/authorization_controller.rb b/app/controllers/openid_connect/authorization_controller.rb
index 2f719e90e42..80b379e0236 100644
--- a/app/controllers/openid_connect/authorization_controller.rb
+++ b/app/controllers/openid_connect/authorization_controller.rb
@@ -26,6 +26,7 @@ class AuthorizationController < ApplicationController
 before_action :confirm_two_factor_authenticated, only: :index
 before_action :redirect_to_reauthenticate, only: :index, if: :remember_device_expired_for_sp?
 before_action :prompt_for_password_if_ial2_request_and_pii_locked, only: [:index]
+ before_action :confirm_user_is_not_suspended, only: :index
 
 def index
 if resolved_authn_context_result.identity_proofing?
@@ -276,5 +277,9 @@ def unknown_authn_contexts
 (params[:acr_values].split - Saml::Idp::Constants::VALID_AUTHN_CONTEXTS)
 .join(' ').presence
 end
+
+ def confirm_user_is_not_suspended
+ redirect_to user_please_call_url if current_user.suspended?
+ end
 end
 end
diff --git a/app/controllers/saml_idp_controller.rb b/app/controllers/saml_idp_controller.rb
index f703b22930a..18a3a61e58c 100644
--- a/app/controllers/saml_idp_controller.rb
+++ b/app/controllers/saml_idp_controller.rb
@@ -31,6 +31,7 @@ class SamlIdpController < ApplicationController
 before_action :confirm_two_factor_authenticated, only: :auth
 before_action :redirect_to_reauthenticate, only: :auth, if: :remember_device_expired_for_sp?
 before_action :prompt_for_password_if_ial2_request_and_pii_locked, only: :auth
+ before_action :confirm_user_is_not_suspended, only: :auth
 
 def auth
 capture_analytics
@@ -270,4 +271,8 @@ def requested_authn_contexts
 def req_attrs_regexp
 Regexp.escape(Saml::Idp::Constants::REQUESTED_ATTRIBUTES_CLASSREF)
 end
+
+ def confirm_user_is_not_suspended
+ redirect_to user_please_call_url if current_user.suspended?
+ end
 end
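Review bot: `before_action :confirm_user_is_not_suspended, only: :index` is declared after `prompt_for_password_if_ial2_request_and_pii_locked`, so on an IAL2 request a suspended user whose PII is locked is presumably redirected to the password prompt (and has their PII decrypted) before the suspension check ever runs. A suspended account should not proceed regardless of the requested IAL, so declare the new filter immediately after `before_action :confirm_two_factor_authenticated, only: :index` — still late enough that `current_user` is guaranteed non-nil, but ahead of the reauthentication and PII-unlock redirects. The same ordering point applies to the matching hunk in saml_idp_controller.rb. What `prompt_for_password_if_ial2_request_and_pii_locked` and `redirect_to_reauthenticate` actually do is outside this diff, so confirm neither of them needs to run before the suspension check.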
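Review bot: `confirm_user_is_not_suspended` is defined byte-for-byte in both SamlIdpController and OpenidConnect::AuthorizationController; the sibling filters it is declared alongside (`confirm_two_factor_authenticated`, `redirect_to_reauthenticate`) are not defined in either file's hunks and presumably live in ApplicationController or a shared concern, which is where this one belongs so the SAML and OIDC paths cannot drift apart. The redirect is also silent: it halts the filter chain before `capture_analytics` in `auth`, so a suspended account attempting to authenticate to a service provider produces no analytics event from this controller, and the IdP session is left intact rather than terminated. Unless the please-call page already records the event and ends the session, consider logging the attempt here and deciding explicitly whether the session should be signed out — a suspension that takes effect mid-session is otherwise only enforced at the SP handoff. The enclosing class runs past the hunk; only the private helper and the closing `end` are visible.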
diff --git a/spec/controllers/openid_connect/authorization_controller_spec.rb b/spec/controllers/openid_connect/authorization_controller_spec.rb
index ed022f26efb..66726ceec9a 100644
--- a/spec/controllers/openid_connect/authorization_controller_spec.rb
+++ b/spec/controllers/openid_connect/authorization_controller_spec.rb
@@ -2269,6 +2269,34 @@
 end
 end
 end
+
+ context 'user is suspended' do
+ let(:user) { create(:user, :fully_registered, :suspended) }
+ let(:acr_values) { Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF }
+ let(:vtr) { nil }
+ let(:sign_in_flow) { :sign_in }
+
+ context 'user is signed in' do
+ before do
+ stub_sign_in user
+ session[:sign_in_flow] = sign_in_flow
+ session[:sign_in_page_visited_at] = Time.zone.now.to_s
+ end
+
+ it 'redirects to the please call page if the user is signed in and suspended' do
+ sign_in_as_user(user)
+ action
+ expect(response).to redirect_to(user_please_call_url)
+ end
+ end
+
+ context 'user not signed in' do
+ it 'redirects to sign in page' do
+ action
+ expect(response).to redirect_to(new_user_session_url)
+ end
+ end
+ end
 end
 end
 # rubocop:enable Layout/LineLength
diff --git a/spec/controllers/saml_idp_controller_spec.rb b/spec/controllers/saml_idp_controller_spec.rb
index dbf77b8f238..48543c64953 100644
--- a/spec/controllers/saml_idp_controller_spec.rb
+++ b/spec/controllers/saml_idp_controller_spec.rb
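Review bot: The 'user is signed in' context signs the user in twice — `stub_sign_in user` in the `before` block and `sign_in_as_user(user)` at the top of the example — and unless those two helpers set up different state (neither is visible here) one of them is redundant and the example should rely on the shared `before` alone, as the 'user not signed in' sibling relies on the absence of one. The description 'redirects to the please call page if the user is signed in and suspended' also restates the enclosing contexts; `it 'redirects to the please call page' do` is enough. Only an IAL1 request is exercised, so an IAL2 example would pin down whether the suspension redirect or the IAL2 password-prompt filter declared ahead of it wins. The enclosing `describe` begins outside the hunk.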
@@ -2195,6 +2195,25 @@ def name_id_version(format_urn)
 end
 end
 
+ context 'User is suspended' do
+ let(:user) { create(:user, :fully_registered, :suspended) }
+ let(:acr_values) do
+ Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF +
+ ' ' +
+ Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF
+ end
+
+ before do
+ sign_in(user)
+ stub_analytics
+ end
+
+ it 'renders the please call for suspended user page' do
+ saml_get_auth(saml_settings)
+ expect(response).to redirect_to(user_please_call_url)
+ end
+ end
+
 describe 'NameID format' do
 let(:user) { create(:user, :fully_registered) }
 let(:subject_element) { xmldoc.subject_nodeset[0] }
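Review bot: The example name `it 'renders the please call for suspended user page'` says "renders", but the only assertion is `expect(response).to redirect_to(user_please_call_url)` and a redirect renders nothing; rename it `it 'redirects to the please call page for a suspended user' do` so a failure reads correctly. Unlike the OIDC spec in this same change, there is no 'user not signed in' sibling here, so the two protocol specs are asymmetric; a second example asserting the sign-in redirect for an unauthenticated request would keep them parallel. `stub_analytics` is set up but nothing is asserted against it, which matches the controller emitting no event on this path — if an event is added for the suspended-user redirect, this is where to assert it.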