diff --git a/spec/features/idv/usps_verification_spec.rb b/spec/features/idv/usps_verification_spec.rb
new file mode 100644
index 00000000000..0815936b27f
--- /dev/null
+++ b/spec/features/idv/usps_verification_spec.rb
@@ -0,0 +1,12 @@
+require 'rails_helper'
+
+feature 'USPS verification' do
+ include SamlAuthHelper
+ include IdvHelper
+
+ context 'signing in when profile is pending USPS verification' do
+ it_behaves_like 'signing in with pending USPS verification'
+ it_behaves_like 'signing in with pending USPS verification', :saml
+ it_behaves_like 'signing in with pending USPS verification', :oidc
+ end
+end
diff --git a/spec/features/openid_connect/openid_connect_spec.rb b/spec/features/openid_connect/openid_connect_spec.rb
index 5eabe644c9e..b24b07de74a 100644
--- a/spec/features/openid_connect/openid_connect_spec.rb
+++ b/spec/features/openid_connect/openid_connect_spec.rb
@@ -271,26 +271,6 @@
 )
 end
- context 'USPS verification' do
- let(:phone_confirmed) { false }
-
- it 'prompts to finish verifying profile, then redirects to SP' do
- allow(FeatureManagement).to receive(:reveal_usps_code?).and_return(true)
- visit oidc_auth_url
-
- sign_in_live_with_2fa(user)
-
- click_button t('forms.verify_profile.submit')
-
- expect(current_path).to eq(sign_up_completed_path)
- find('input').click
-
- redirect_uri = URI(current_url)
-
- expect(redirect_uri.to_s).to start_with('http://localhost:7654/auth/result')
- end
- end
-
 context 'phone verification' do
 let(:phone_confirmed) { true }
diff --git a/spec/features/saml/loa3_sso_spec.rb b/spec/features/saml/loa3_sso_spec.rb
index 439e57c505c..6923fd055ea 100644
--- a/spec/features/saml/loa3_sso_spec.rb
+++ b/spec/features/saml/loa3_sso_spec.rb
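Review bot: The first `it_behaves_like 'signing in with pending USPS verification'` call passes no service-provider argument, so the shared example receives `sp` as nil and takes the direct-sign-in branch, but nothing on that line says so and it reads like an omission next to the `:saml` and `:oidc` calls. Add a comment above it such as `# no SP argument: sign in directly at the IdP rather than via a SAML/OIDC request`. The remaining hunks on this line are pure deletions of the specs this file replaces.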
@@ -164,26 +164,6 @@ def sign_out_user
 context 'having previously selected USPS verification' do
 let(:phone_confirmed) { false }
- it 'prompts for confirmation code at sign in' do
- allow(FeatureManagement).to receive(:reveal_usps_code?).and_return(true)
-
- saml_authn_request = auth_request.create(loa3_with_bundle_saml_settings)
- visit saml_authn_request
- sign_in_live_with_2fa(user)
-
- expect(current_path).to eq verify_account_path
- expect(page).to have_content t('idv.messages.usps.resend')
-
- click_button t('forms.verify_profile.submit')
-
- expect(user.events.account_verified.size).to be(1)
- expect(current_path).to eq(sign_up_completed_path)
-
- find('input').click
-
- expect(current_url).to eq saml_authn_request
- end
-
 context 'provides an option to send another letter' do
 it 'without signing out' do
 user = create(:user, :signed_up)
diff --git a/spec/features/users/verify_profile_spec.rb b/spec/features/users/verify_profile_spec.rb
index ed8942ab3b8..9babf534b43 100644
--- a/spec/features/users/verify_profile_spec.rb
+++ b/spec/features/users/verify_profile_spec.rb
@@ -17,18 +17,6 @@
 context 'USPS letter' do
 let(:phone_confirmed) { false }
- scenario 'received OTP via USPS' do
- sign_in_live_with_2fa(user)
-
- expect(current_path).to eq verify_account_path
-
- fill_in t('forms.verify_profile.name'), with: otp
- click_button t('forms.verify_profile.submit')
-
- expect(current_path).to eq account_path
- expect(page).to_not have_content(t('account.index.verification.reactivate_button'))
- end
-
 xscenario 'OTP has expired' do
 # see https://github.com/18F/identity-private/issues/1108#issuecomment-293328267
 end
diff --git a/spec/support/features/idv_helper.rb b/spec/support/features/idv_helper.rb
index a228756ac77..ebb40023a86 100644
--- a/spec/support/features/idv_helper.rb
+++ b/spec/support/features/idv_helper.rb
@@ -96,4 +96,29 @@ def complete_idv_profile_ok(user, password = user_password)
 fill_in 'Password', with: password
 click_submit_default
 end
+
+ def visit_idp_from_sp_with_loa3(sp)
+ if sp == :saml
+ @saml_authn_request = auth_request.create(loa3_with_bundle_saml_settings)
+ visit @saml_authn_request
+ elsif sp == :oidc
+ @state = SecureRandom.hex
+ @client_id = 'urn:gov:gsa:openidconnect:sp:server'
+ @nonce = SecureRandom.hex
+ visit_idp_from_oidc_sp_with_loa3(state: @state, client_id: @client_id, nonce: @nonce)
+ end
+ end
+
+ def visit_idp_from_oidc_sp_with_loa3(state: SecureRandom.hex, client_id:, nonce:)
+ visit openid_connect_authorize_path(
+ client_id: client_id,
+ response_type: 'code',
+ acr_values: Saml::Idp::Constants::LOA3_AUTHN_CONTEXT_CLASSREF,
+ scope: 'openid email profile:name phone social_security_number',
+ redirect_uri: 'http://localhost:7654/auth/result',
+ state: state,
+ prompt: 'select_account',
+ nonce: nonce
+ )
+ end
 end
diff --git a/spec/support/features/session_helper.rb b/spec/support/features/session_helper.rb
index bf4c8adc240..65d9c4dbd87 100644
--- a/spec/support/features/session_helper.rb
+++ b/spec/support/features/session_helper.rb
@@ -359,5 +359,12 @@ def register_user(email)
 set_up_2fa_with_valid_phone
 enter_2fa_code
 end
+
+ def sign_in_via_branded_page(user)
+ allow(FeatureManagement).to receive(:prefill_otp_codes?).and_return(true)
+ click_link t('links.sign_in')
+ fill_in_credentials_and_submit(user.email, user.password)
+ click_submit_default
+ end
 end
 end
diff --git a/spec/support/idv_examples/account_creation.rb b/spec/support/idv_examples/account_creation.rb
index 427cdbbff76..5e9f8c37e7e 100644
--- a/spec/support/idv_examples/account_creation.rb
+++ b/spec/support/idv_examples/account_creation.rb
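Review bot: `visit_idp_from_sp_with_loa3` silently does nothing when `sp` is neither `:saml` nor `:oidc`, so a misspelt symbol at a call site falls through to the direct-sign-in path and the example still passes without exercising the SP round trip its name promises. nil is a legitimate value here (the shared example is invoked with no argument), so keep that case explicit and raise for anything else. The `state:` default on `visit_idp_from_oidc_sp_with_loa3` is dead as far as this diff shows, since its only caller always passes `@state`; dropping the default would make the required-input contract match `client_id:` and `nonce:`.
```ruby
def visit_idp_from_sp_with_loa3(sp)
  case sp
  when nil
    nil # no SP: the caller signs in directly at the IdP
  when :saml
    @saml_authn_request = auth_request.create(loa3_with_bundle_saml_settings)
    visit @saml_authn_request
  when :oidc
    # … unchanged: set @state, @client_id, @nonce and visit the OIDC authorize URL …
  else
    raise ArgumentError, "unknown service provider: #{sp.inspect}"
  end
end
```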
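Review bot: `sign_in_via_branded_page` in the session_helper.rb hunk stubs `FeatureManagement.prefill_otp_codes?` to true as a hidden side effect of a method whose name only promises a sign-in, and the stub stays in force for the rest of the example. Presumably the prefill is what lets the final `click_submit_default` get through the 2FA step without a code being entered; if so, say it on the `allow` line: `# stub OTP prefill so click_submit_default submits the 2FA form without entering a code`. Callers that already stub the flag (account_creation.rb does at its first hunk) now do so twice, which is harmless but suggests the stub belongs in one place.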
@@ -3,16 +3,7 @@
 allow(FeatureManagement).to receive(:prefill_otp_codes?).and_return(true)
 email = 'test@test.com'
- if sp == :saml
- saml_authn_request = auth_request.create(loa3_with_bundle_saml_settings)
- xmldoc = SamlResponseDoc.new('feature', 'response_assertion')
- visit saml_authn_request
- elsif sp == :oidc
- state = SecureRandom.hex
- client_id = 'urn:gov:gsa:openidconnect:sp:server'
- nonce = SecureRandom.hex
- visit_idp_from_sp_with_loa3(state: state, client_id: client_id, nonce: nonce)
- end
+ visit_idp_from_sp_with_loa3(sp)
 register_user(email)
@@ -50,8 +41,9 @@
 if sp == :saml
 user_access_key = user.unlock_user_access_key(Features::SessionHelper::VALID_PASSWORD)
 profile_phone = user.active_profile.decrypt_pii(user_access_key).phone
+ xmldoc = SamlResponseDoc.new('feature', 'response_assertion')
- expect(current_url).to eq saml_authn_request
+ expect(current_url).to eq @saml_authn_request
 expect(xmldoc.phone_number.children.children.to_s).to eq(profile_phone)
 end
@@ -60,14 +52,14 @@
 redirect_params = Rack::Utils.parse_query(redirect_uri.query).with_indifferent_access
 expect(redirect_uri.to_s).to start_with('http://localhost:7654/auth/result')
- expect(redirect_params[:state]).to eq(state)
+ expect(redirect_params[:state]).to eq(@state)
 code = redirect_params[:code]
 expect(code).to be_present
 jwt_payload = {
- iss: client_id,
- sub: client_id,
+ iss: @client_id,
+ sub: @client_id,
 aud: api_openid_connect_token_url,
 jti: SecureRandom.hex,
 exp: 5.minutes.from_now.to_i,
@@ -94,8 +86,8 @@
 sub = decoded_id_token[:sub]
 expect(sub).to be_present
- expect(decoded_id_token[:nonce]).to eq(nonce)
- expect(decoded_id_token[:aud]).to eq(client_id)
+ expect(decoded_id_token[:nonce]).to eq(@nonce)
+ expect(decoded_id_token[:aud]).to eq(@client_id)
 expect(decoded_id_token[:acr]).to eq(Saml::Idp::Constants::LOA3_AUTHN_CONTEXT_CLASSREF)
 expect(decoded_id_token[:iss]).to eq(root_url)
 expect(decoded_id_token[:email]).to eq(user.email)
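Review bot: Moving `state` and `nonce` from locals to instance variables makes the assertions in the `@@ -60,14` and `@@ -94,8` hunks vacuous whenever the ivars were never set: `expect(redirect_params[:state]).to eq(@state)` passes when both sides are nil, i.e. when the IdP redirect omitted `state` altogether, and `expect(decoded_id_token[:nonce]).to eq(@nonce)` has the same hole. Since these two checks are what prove the OIDC response is bound to the request, pin presence as well: `expect(redirect_params[:state]).to be_present.and eq(@state)` and `expect(decoded_id_token[:nonce]).to be_present.and eq(@nonce)`. The ivars are populated by `visit_idp_from_sp_with_loa3` in idv_helper.rb, outside this file, so a comment on the call in the first hunk would make the coupling visible: `# sets @saml_authn_request or @state/@client_id/@nonce, compared against the SP return below`. The enclosing shared example begins before the first hunk.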
@@ -118,19 +110,6 @@
 end
 end
-def visit_idp_from_sp_with_loa3(state: SecureRandom.hex, client_id:, nonce:)
- visit openid_connect_authorize_path(
- client_id: client_id,
- response_type: 'code',
- acr_values: Saml::Idp::Constants::LOA3_AUTHN_CONTEXT_CLASSREF,
- scope: 'openid email profile:name phone social_security_number',
- redirect_uri: 'http://localhost:7654/auth/result',
- state: state,
- prompt: 'select_account',
- nonce: nonce
- )
-end
-
 def client_private_key
 @client_private_key ||= begin
 OpenSSL::PKey::RSA.new(
diff --git a/spec/support/idv_examples/usps_verification.rb b/spec/support/idv_examples/usps_verification.rb
new file mode 100644
index 00000000000..821499e9d32
--- /dev/null
+++ b/spec/support/idv_examples/usps_verification.rb
@@ -0,0 +1,45 @@
+shared_examples 'signing in with pending USPS verification' do |sp|
+ it 'prompts for confirmation code at sign in' do
+ otp = 'abc123'
+ profile = create(
+ :profile,
+ deactivation_reason: :verification_pending,
+ phone_confirmed: false,
+ pii: { otp: otp, ssn: '123-45-6789', dob: '1970-01-01' }
+ )
+ user = profile.user
+
+ visit_idp_from_sp_with_loa3(sp)
+
+ if %i[saml oidc].include?(sp)
+ sign_in_via_branded_page(user)
+ else
+ sign_in_live_with_2fa(user)
+ end
+
+ expect(current_path).to eq verify_account_path
+ expect(page).to have_content t('idv.messages.usps.resend')
+
+ fill_in t('forms.verify_profile.name'), with: otp
+ click_button t('forms.verify_profile.submit')
+
+ expect(user.events.account_verified.size).to eq 1
+ expect(page).to_not have_content(t('account.index.verification.reactivate_button'))
+
+ if %i[saml oidc].include?(sp)
+ expect(current_path).to eq(sign_up_completed_path)
+
+ click_button t('forms.buttons.continue')
+
+ if sp == :saml
+ expect(current_url).to eq @saml_authn_request
+ elsif sp == :oidc
+ redirect_uri = URI(current_url)
+
+ expect(redirect_uri.to_s).to start_with('http://localhost:7654/auth/result')
+ end
+ else
+ expect(current_path).to eq account_path
+ end
+ end
+end
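Review bot: In the `:oidc` branch the only check on the return leg is `start_with('http://localhost:7654/auth/result')`; unlike account_creation.rb, it never compares the returned `state` with the `@state` the helper generated, so a redirect that dropped or altered `state` would still pass. After `redirect_uri = URI(current_url)` add `redirect_params = Rack::Utils.parse_query(redirect_uri.query)` and `expect(redirect_params['state']).to be_present.and eq(@state)`, mirroring the assertion account_creation.rb already makes. The `%i[saml oidc].include?(sp)` test is evaluated twice; a local near the top such as `via_sp = %i[saml oidc].include?(sp)` would name the distinction once and let both `if`s read the same way.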