diff --git a/app/controllers/concerns/saml_idp_auth_concern.rb b/app/controllers/concerns/saml_idp_auth_concern.rb
index a4629033738..425e024dcd8 100644
--- a/app/controllers/concerns/saml_idp_auth_concern.rb
+++ b/app/controllers/concerns/saml_idp_auth_concern.rb
@@ -24,7 +24,7 @@ def sign_out_if_forceauthn_is_true_and_user_is_signed_in
   end
 
   def check_sp_active
-    return if current_service_provider&.active?
+    return if saml_request_service_provider&.active?
     redirect_to sp_inactive_error_url
   end
 
@@ -32,7 +32,7 @@ def validate_service_provider_and_authn_context
     @saml_request_validator = SamlRequestValidator.new
     @result = @saml_request_validator.call(
-      service_provider: current_service_provider,
+      service_provider: saml_request_service_provider,
       authn_context: requested_authn_contexts,
       authn_context_comparison: saml_request.requested_authn_context_comparison,
       nameid_format: name_id_format,
@@ -49,7 +49,7 @@ def name_id_format
   end
 
   def specified_name_id_format
-    if recognized_name_id_format? || current_service_provider&.use_legacy_name_id_behavior
+    if recognized_name_id_format? || saml_request_service_provider&.use_legacy_name_id_behavior
       saml_request.name_id_format
     end
   end
@@ -59,7 +59,7 @@ def recognized_name_id_format?
   end
 
   def default_name_id_format
-    if current_service_provider&.email_nameid_format_allowed
+    if saml_request_service_provider&.email_nameid_format_allowed
       return Saml::Idp::Constants::NAME_ID_FORMAT_EMAIL
     end
     Saml::Idp::Constants::NAME_ID_FORMAT_PERSISTENT
@@ -80,16 +80,16 @@ def requested_authn_contexts
   end
 
   def default_aal_context
-    if current_service_provider&.default_aal
-      Saml::Idp::Constants::AUTHN_CONTEXT_AAL_TO_CLASSREF[current_service_provider.default_aal]
+    if saml_request_service_provider&.default_aal
+      Saml::Idp::Constants::AUTHN_CONTEXT_AAL_TO_CLASSREF[saml_request_service_provider.default_aal]
     else
       Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF
     end
   end
 
   def default_ial_context
-    if current_service_provider&.ial
-      Saml::Idp::Constants::AUTHN_CONTEXT_IAL_TO_CLASSREF[current_service_provider.ial]
+    if saml_request_service_provider&.ial
+      Saml::Idp::Constants::AUTHN_CONTEXT_IAL_TO_CLASSREF[saml_request_service_provider.ial]
     else
       Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF
     end
@@ -105,7 +105,7 @@ def requested_ial_authn_context
 
   def link_identity_from_session_data
     IdentityLinker.
-      new(current_user, current_issuer).
+      new(current_user, saml_request_service_provider).
       link_identity(
         ial: ial_context.ial_for_identity_record,
         rails_session_id: session.id,
@@ -121,7 +121,7 @@ def identity_needs_verification?
   def ial_context
     @ial_context ||= IalContext.new(
       ial: requested_ial_authn_context,
-      service_provider: current_service_provider,
+      service_provider: saml_request_service_provider,
     )
   end
 
@@ -137,7 +137,7 @@ def encode_authn_response(principal, opts)
   def attribute_asserter(principal)
     AttributeAsserter.new(
       user: principal,
-      service_provider: current_service_provider,
+      service_provider: saml_request_service_provider,
       name_id_format: name_id_format,
       authn_request: saml_request,
       decrypted_pii: decrypted_pii,
@@ -163,20 +163,21 @@ def saml_response
       reference_id: active_identity.session_uuid,
       encryption: encryption_opts,
       signature: saml_response_signature_options,
-      signed_response_message: current_service_provider&.signed_response_message_requested,
+      signed_response_message: saml_request_service_provider&.signed_response_message_requested,
     )
   end
 
   def encryption_opts
     query_params = UriService.params(request.original_url)
-    if query_params[:skip_encryption].present? && current_service_provider&.skip_encryption_allowed
+    if query_params[:skip_encryption].present? &&
+       saml_request_service_provider&.skip_encryption_allowed
       nil
-    elsif current_service_provider&.encrypt_responses?
+    elsif saml_request_service_provider&.encrypt_responses?
       cert = saml_request.service_provider.matching_cert ||
-        current_service_provider&.ssl_certs&.first
+        saml_request_service_provider&.ssl_certs&.first
       {
         cert: cert,
-        block_encryption: current_service_provider&.block_encryption,
+        block_encryption: saml_request_service_provider&.block_encryption,
         key_transport: 'rsa-oaep-mgf1p',
       }
     end
@@ -190,9 +191,9 @@ def saml_response_signature_options
     }
   end
 
-  def current_service_provider
-    return @current_service_provider if defined?(@current_service_provider)
-    @current_service_provider = ServiceProvider.find_by(issuer: current_issuer)
+  def saml_request_service_provider
+    return @saml_request_service_provider if defined?(@saml_request_service_provider)
+    @saml_request_service_provider = ServiceProvider.find_by(issuer: current_issuer)
   end
 
   def current_issuer
diff --git a/app/controllers/concerns/verify_sp_attributes_concern.rb b/app/controllers/concerns/verify_sp_attributes_concern.rb
index 7ef5fc4ba6b..3ebb24f2587 100644
--- a/app/controllers/concerns/verify_sp_attributes_concern.rb
+++ b/app/controllers/concerns/verify_sp_attributes_concern.rb
@@ -16,7 +16,7 @@ def needs_completion_screen_reason
   def update_verified_attributes
     IdentityLinker.new(
       current_user,
-      sp_session[:issuer],
+      current_sp,
     ).link_identity(
       ial: sp_session_ial,
       verified_attributes: sp_session[:requested_attributes],
diff --git a/app/forms/openid_connect_authorize_form.rb b/app/forms/openid_connect_authorize_form.rb
index f9c200a7030..a3ce0de093c 100644
--- a/app/forms/openid_connect_authorize_form.rb
+++ b/app/forms/openid_connect_authorize_form.rb
@@ -70,7 +70,7 @@ def service_provider
   end
 
   def link_identity_to_service_provider(current_user, rails_session_id)
-    identity_linker = IdentityLinker.new(current_user, client_id)
+    identity_linker = IdentityLinker.new(current_user, service_provider)
     @identity = identity_linker.link_identity(
       nonce: nonce,
       rails_session_id: rails_session_id,
diff --git a/app/services/identity_linker.rb b/app/services/identity_linker.rb
index f769fc751a4..254f0326ec8 100644
--- a/app/services/identity_linker.rb
+++ b/app/services/identity_linker.rb
@@ -1,14 +1,14 @@
 class IdentityLinker
-  attr_reader :user, :issuer
+  attr_reader :user, :service_provider
 
-  def initialize(user, issuer)
+  def initialize(user, service_provider)
     @user = user
-    @issuer = issuer
+    @service_provider = service_provider
     @ial = nil
   end
 
   def link_identity(**extra_attrs)
-    return unless user && issuer.present?
+    return unless user && service_provider.present?
     process_ial(extra_attrs)
     attributes = merged_attributes(extra_attrs)
     identity.update!(attributes)
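Review bot: Passing `current_sp` to `IdentityLinker.new` in `update_verified_attributes` changes what happens when the session's issuer does not resolve to a registered service provider: the old call wrote an identity row keyed by whatever string sat in `sp_session[:issuer]`, whereas the new `link_identity` (see the `return unless user && service_provider.present?` guard in app/services/identity_linker.rb in this same commit) returns nil silently. If `current_sp` is a `ServiceProvider.find_by` on the session issuer, as its name suggests, this caller never learns that nothing was linked and the requested attributes are not persisted; handle the nil return, or at least document it, e.g. `# link_identity returns nil when current_sp is nil (unregistered issuer); nothing is persisted then`. `current_sp` is defined outside this hunk and `update_verified_attributes` continues past it, so the effect on the completion flow cannot be confirmed from here.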
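Review bot: The guard `return unless user && service_provider.present?` in `link_identity` only rejects nil: `present?` on an ActiveRecord instance is always true, so the protection the old `issuer.present?` gave against a blank issuer is gone even though the following hunk still keys `identities` on `service_provider.issuer`. Guard on the value that is actually persisted: `return unless user && service_provider&.issuer.present?`. The new `attr_reader :service_provider` also shares its name with the `identities.service_provider` column, which holds the issuer string, so a one-line comment on the reader, `# ServiceProvider record; identities.service_provider stores only its issuer string`, would keep the two from being confused. `link_identity` continues beyond the end of this hunk.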
@@ -46,11 +46,11 @@ def find_or_create_identity_with_costing
     identity_record = identity_relation.first
     return identity_record if identity_record
     Db::SpCost::AddSpCost.call(service_provider, @ial, :user_added)
-    user.identities.create(service_provider: issuer)
+    user.identities.create(service_provider: service_provider.issuer)
   end
 
   def identity_relation
-    user.identities.where(service_provider: issuer)
+    user.identities.where(service_provider: service_provider.issuer)
   end
 
   def merged_attributes(extra_attrs)
@@ -92,9 +92,4 @@ def merge_attributes(verified_attributes)
     verified_attributes = verified_attributes.to_a.map(&:to_s)
     (identity.verified_attributes.to_a + verified_attributes).uniq.sort
   end
-
-  def service_provider
-    return if issuer.blank?
-    @service_provider ||= ServiceProvider.find_by(issuer: issuer)
-  end
 end
diff --git a/spec/controllers/openid_connect/authorization_controller_spec.rb b/spec/controllers/openid_connect/authorization_controller_spec.rb
index 255282e8850..c451d374f8b 100644
--- a/spec/controllers/openid_connect/authorization_controller_spec.rb
+++ b/spec/controllers/openid_connect/authorization_controller_spec.rb
@@ -10,6 +10,7 @@
   end
 
   let(:client_id) { 'urn:gov:gsa:openidconnect:test' }
+  let(:service_provider) { build(:service_provider, issuer: client_id) }
   let(:params) do
     {
       acr_values: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF,
@@ -34,7 +35,7 @@
   context 'with valid params' do
     it 'redirects back to the client app with a code' do
-      IdentityLinker.new(user, client_id).link_identity(ial: 1)
+      IdentityLinker.new(user, service_provider).link_identity(ial: 1)
       user.identities.last.update!(verified_attributes: %w[given_name family_name birthdate])
       action
@@ -61,7 +62,7 @@
         with(Analytics::SP_REDIRECT_INITIATED, ial: 1)
-      IdentityLinker.new(user, client_id).link_identity(ial: 1)
+      IdentityLinker.new(user, service_provider).link_identity(ial: 1)
       user.identities.last.update!(verified_attributes: %w[given_name family_name birthdate])
       action
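Review bot: `Db::SpCost::AddSpCost.call(service_provider, @ial, :user_added)` in `find_or_create_identity_with_costing` now receives whatever record the caller injected instead of the fresh `ServiceProvider.find_by` the deleted private `service_provider` method performed, so the cost row is only as trustworthy as the caller's lookup. Most spec hunks in this commit pass unsaved `build(:service_provider, ...)` records, so a dependence of `AddSpCost` on a persisted id or agency would not surface in these tests; its implementation is not visible here, so this is worth confirming. The two `service_provider: service_provider.issuer` lines also read oddly because the same word is a record on the right and a string column on the left; a comment at the `create` call, `# identities.service_provider is the issuer string, not a foreign key to service_providers`, would make that explicit.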
@@ -77,7 +78,7 @@ let(:user) { create(:profile, :active, :verified).user } it 'redirects to the redirect_uri immediately when pii is unlocked' do - IdentityLinker.new(user, client_id).link_identity(ial: 3) + IdentityLinker.new(user, service_provider).link_identity(ial: 3) user.identities.last.update!( verified_attributes: %w[given_name family_name birthdate verified_at], ) @@ -88,7 +89,7 @@ end it 'redirects to the password capture url when pii is locked' do - IdentityLinker.new(user, client_id).link_identity(ial: 3) + IdentityLinker.new(user, service_provider).link_identity(ial: 3) user.identities.last.update!( verified_attributes: %w[given_name family_name birthdate verified_at], ) @@ -113,7 +114,7 @@ with(Analytics::SP_REDIRECT_INITIATED, ial: 2) - IdentityLinker.new(user, client_id).link_identity(ial: 2) + IdentityLinker.new(user, service_provider).link_identity(ial: 2) user.identities.last.update!( verified_attributes: %w[given_name family_name birthdate verified_at], ) @@ -131,7 +132,7 @@ end it 'creates an IAL2 SpReturnLog record' do - IdentityLinker.new(user, client_id).link_identity(ial: 22) + IdentityLinker.new(user, service_provider).link_identity(ial: 22) user.identities.last.update!( verified_attributes: %w[given_name family_name birthdate verified_at], ) @@ -176,7 +177,7 @@ context 'user has already approved this application' do before do - IdentityLinker.new(user, client_id).link_identity + IdentityLinker.new(user, service_provider).link_identity user.identities.last.update!(verified_attributes: %w[given_name family_name birthdate]) end diff --git a/spec/controllers/openid_connect/token_controller_spec.rb b/spec/controllers/openid_connect/token_controller_spec.rb index d1d37291655..c0354bb3969 100644 --- a/spec/controllers/openid_connect/token_controller_spec.rb +++ b/spec/controllers/openid_connect/token_controller_spec.rb 
@@ -18,6 +18,7 @@ let(:grant_type) { 'authorization_code' } let(:code) { identity.session_uuid } let(:client_id) { 'urn:gov:gsa:openidconnect:test' } + let(:service_provider) { build(:service_provider, issuer: client_id) } let(:client_assertion) do jwt_payload = { iss: client_id, @@ -33,7 +34,10 @@ end let!(:identity) do - IdentityLinker.new(user, client_id).link_identity(rails_session_id: SecureRandom.hex, ial: 1) + IdentityLinker.new(user, service_provider).link_identity( + rails_session_id: SecureRandom.hex, + ial: 1, + ) end context 'with valid params' do diff --git a/spec/controllers/risc/security_events_controller_spec.rb b/spec/controllers/risc/security_events_controller_spec.rb index dae4d633b0e..97f834b66ee 100644 --- a/spec/controllers/risc/security_events_controller_spec.rb +++ b/spec/controllers/risc/security_events_controller_spec.rb @@ -4,7 +4,7 @@ include Rails.application.routes.url_helpers let(:user) { create(:user) } - let(:identity) { IdentityLinker.new(user, service_provider.issuer).link_identity } + let(:identity) { IdentityLinker.new(user, service_provider).link_identity } let(:service_provider) { create(:service_provider) } let(:rp_private_key) do diff --git a/spec/controllers/saml_idp_controller_spec.rb b/spec/controllers/saml_idp_controller_spec.rb index acda9d56987..44aef2e0d06 100644 --- a/spec/controllers/saml_idp_controller_spec.rb +++ b/spec/controllers/saml_idp_controller_spec.rb @@ -476,7 +476,7 @@ def name_id_version(format_urn) before do stub_sign_in(user) - IdentityLinker.new(user, sp1_issuer).link_identity(ial: 2) + IdentityLinker.new(user, sp1).link_identity(ial: 2) user.identities.last.update!( verified_attributes: %w[given_name family_name social_security_number address], ) 
@@ -892,7 +892,8 @@ def name_id_version(format_urn) end it 'does not redirect after verifying attributes' do - IdentityLinker.new(@user, saml_settings.issuer).link_identity( + service_provider = build(:service_provider, issuer: saml_settings.issuer) + IdentityLinker.new(@user, service_provider).link_identity( verified_attributes: ['email'], ) saml_get_auth(saml_settings) @@ -968,7 +969,8 @@ def name_id_version(format_urn) Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF, ] }, ) - IdentityLinker.new(user, auth_settings.issuer).link_identity + service_provider = build(:service_provider, issuer: auth_settings.issuer) + IdentityLinker.new(user, service_provider).link_identity user.identities.last.update!(verified_attributes: ['email']) generate_saml_response(user, auth_settings) @@ -1002,7 +1004,8 @@ def name_id_version(format_urn) it 'defaults to persistent' do auth_settings = saml_settings(overrides: { name_identifier_format: nil }) - IdentityLinker.new(user, auth_settings.issuer).link_identity + service_provider = build(:service_provider, issuer: auth_settings.issuer) + IdentityLinker.new(user, service_provider).link_identity user.identities.last.update!(verified_attributes: ['email']) generate_saml_response(user, auth_settings) @@ -1035,7 +1038,7 @@ def name_id_version(format_urn) ServiceProvider. find_by(issuer: auth_settings.issuer). update!(email_nameid_format_allowed: true) - IdentityLinker.new(user, auth_settings.issuer).link_identity + IdentityLinker.new(user, sp1).link_identity user.identities.last.update!(verified_attributes: ['email']) generate_saml_response(user, auth_settings) 
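Review bot: In the email-NameID example at `@@ -1035`, the flag is set with `ServiceProvider.find_by(issuer: auth_settings.issuer).update!(email_nameid_format_allowed: true)` but the identity is then linked with `sp1`, the unsaved `build(:service_provider, issuer: sp1_issuer)` helper, so the record handed to `IdentityLinker` does not carry the flag that was just written. The example passes only because `IdentityLinker` reads nothing but `issuer` from the record, and it is inconsistent with the later examples in this file that were rewritten to `service_provider = ServiceProvider.find_by(issuer: auth_settings.issuer)` and pass that row. Use the looked-up record here as well so the spec stops depending on that implementation detail.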
@@ -1103,7 +1106,8 @@ def name_id_version(format_urn) auth_settings = saml_settings(overrides: { name_identifier_format: nil }) auth_settings.name_identifier_format = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' - IdentityLinker.new(user, auth_settings.issuer).link_identity + service_provider = build(:service_provider, issuer: auth_settings.issuer) + IdentityLinker.new(user, service_provider).link_identity user.identities.last.update!(verified_attributes: ['email']) generate_saml_response(user, auth_settings) @@ -1126,14 +1130,14 @@ def name_id_version(format_urn) expect(@analytics).to have_received(:track_event). with(Analytics::SAML_AUTH, analytics_hash) end + it 'sends the appropriate identifier for email NameID SPs' do auth_settings = saml_settings(overrides: { name_identifier_format: nil }) auth_settings.name_identifier_format = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' - ServiceProvider. - find_by(issuer: auth_settings.issuer). - update!(email_nameid_format_allowed: true) - IdentityLinker.new(user, auth_settings.issuer).link_identity + service_provider = ServiceProvider.find_by(issuer: auth_settings.issuer) + service_provider.update!(email_nameid_format_allowed: true) + IdentityLinker.new(user, service_provider).link_identity user.identities.last.update!(verified_attributes: ['email']) generate_saml_response(user, auth_settings) 
@@ -1156,14 +1160,14 @@ def name_id_version(format_urn) expect(@analytics).to have_received(:track_event). with(Analytics::SAML_AUTH, analytics_hash) end + it 'sends the old user ID for legacy SPS' do auth_settings = saml_settings(overrides: { name_identifier_format: nil }) auth_settings.name_identifier_format = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' - ServiceProvider. - find_by(issuer: auth_settings.issuer). - update!(use_legacy_name_id_behavior: true) - IdentityLinker.new(user, auth_settings.issuer).link_identity + service_provider = ServiceProvider.find_by(issuer: auth_settings.issuer) + service_provider.update!(use_legacy_name_id_behavior: true) + IdentityLinker.new(user, service_provider).link_identity user.identities.last.update!(verified_attributes: ['email']) generate_saml_response(user, auth_settings) diff --git a/spec/controllers/users/service_provider_revoke_controller_spec.rb b/spec/controllers/users/service_provider_revoke_controller_spec.rb index 1650e53d6a3..c7049737bda 100644 --- a/spec/controllers/users/service_provider_revoke_controller_spec.rb +++ b/spec/controllers/users/service_provider_revoke_controller_spec.rb @@ -18,7 +18,7 @@ before do stub_sign_in(user) - @identity = IdentityLinker.new(user, service_provider.issuer).link_identity + @identity = IdentityLinker.new(user, service_provider).link_identity end describe '#show' do diff --git a/spec/features/account_reset/delete_account_spec.rb b/spec/features/account_reset/delete_account_spec.rb index faa51a1b96b..f1fe12d60ca 100644 --- a/spec/features/account_reset/delete_account_spec.rb +++ b/spec/features/account_reset/delete_account_spec.rb 
@@ -62,7 +62,8 @@ end it 'sends push notifications if push_notifications_enabled is true' do - identity = IdentityLinker.new(user, 'urn:gov:gsa:openidconnect:test').link_identity + service_provider = build(:service_provider, issuer: 'urn:gov:gsa:openidconnect:test') + identity = IdentityLinker.new(user, service_provider).link_identity agency_identity = AgencyIdentityLinker.new(identity).link_identity signin(user_email, user.password) diff --git a/spec/features/openid_connect/openid_connect_spec.rb b/spec/features/openid_connect/openid_connect_spec.rb index fce26cb454b..dc19149b817 100644 --- a/spec/features/openid_connect/openid_connect_spec.rb +++ b/spec/features/openid_connect/openid_connect_spec.rb @@ -87,9 +87,10 @@ it 'auto-allows with a second authorization and includes redirect_uris in CSP headers' do client_id = 'urn:gov:gsa:openidconnect:sp:server' + service_provider = build(:service_provider, issuer: client_id) user = user_with_2fa - IdentityLinker.new(user, client_id).link_identity + IdentityLinker.new(user, service_provider).link_identity user.identities.last.update!(verified_attributes: ['email']) visit_idp_from_ial1_oidc_sp(client_id: client_id, prompt: 'select_account') @@ -107,9 +108,10 @@ it 'auto-allows and includes redirect_uris in CSP headers after an incorrect OTP' do client_id = 'urn:gov:gsa:openidconnect:sp:server' + service_provider = build(:service_provider, issuer: client_id) user = user_with_2fa - IdentityLinker.new(user, client_id).link_identity + IdentityLinker.new(user, service_provider).link_identity user.identities.last.update!(verified_attributes: ['email']) visit_idp_from_ial1_oidc_sp(client_id: client_id, prompt: 'select_account') 
@@ -292,7 +294,7 @@ it 'prompts for consent if last consent time was over a year ago', driver: :mobile_rack_test do client_id = 'urn:gov:gsa:openidconnect:test' user = user_with_2fa - link_identity(user, client_id) + link_identity(user, build(:service_provider, issuer: client_id)) user.identities.last.update( last_consented_at: 2.years.ago, @@ -314,7 +316,7 @@ it 'prompts for consent if consent was revoked/soft deleted', driver: :mobile_rack_test do client_id = 'urn:gov:gsa:openidconnect:test' user = user_with_2fa - link_identity(user, client_id) + link_identity(user, build(:service_provider, issuer: client_id)) user.identities.last.update!( last_consented_at: 2.years.ago, @@ -343,7 +345,7 @@ code_challenge = Digest::SHA256.base64digest(code_verifier) user = user_with_2fa - link_identity(user, client_id) + link_identity(user, build(:service_provider, issuer: client_id)) user.identities.last.update!(verified_attributes: ['email']) visit openid_connect_authorize_path( @@ -386,7 +388,7 @@ it 'returns the most recent nonce when there are multiple authorize calls' do client_id = 'urn:gov:gsa:openidconnect:test' user = user_with_2fa - link_identity(user, client_id) + link_identity(user, build(:service_provider, issuer: client_id)) user.identities.last.update!(verified_attributes: ['email']) state1 = SecureRandom.hex @@ -650,7 +652,7 @@ def sign_in_get_token_response( code_verifier = SecureRandom.hex code_challenge = Digest::SHA256.base64digest(code_verifier) - link_identity(user, client_id) + link_identity(user, build(:service_provider, issuer: client_id)) user.identities.last.update!(verified_attributes: ['email']) visit openid_connect_authorize_path( diff --git a/spec/features/remember_device/session_expiration_spec.rb b/spec/features/remember_device/session_expiration_spec.rb index f3e2190ded4..31825f01fca 100644 --- a/spec/features/remember_device/session_expiration_spec.rb +++ b/spec/features/remember_device/session_expiration_spec.rb 
@@ -18,7 +18,7 @@ first(:link, t('links.sign_out')).click IdentityLinker.new( - user, 'urn:gov:gsa:openidconnect:sp:server' + user, build(:service_provider, issuer: 'urn:gov:gsa:openidconnect:sp:server') ).link_identity(verified_attributes: %w[email]) visit_idp_from_sp_with_ial1(:oidc) diff --git a/spec/features/users/user_profile_spec.rb b/spec/features/users/user_profile_spec.rb index bd12412fb03..6fcb0e55832 100644 --- a/spec/features/users/user_profile_spec.rb +++ b/spec/features/users/user_profile_spec.rb @@ -43,8 +43,9 @@ it 'deletes the account and pushes notifications if push_notifications_enabled is true' do allow(IdentityConfig.store).to receive(:push_notifications_enabled).and_return(true) + service_provider = build(:service_provider, issuer: 'urn:gov:gsa:openidconnect:test') user = sign_in_and_2fa_user - identity = IdentityLinker.new(user, 'urn:gov:gsa:openidconnect:test').link_identity + identity = IdentityLinker.new(user, service_provider).link_identity agency_identity = AgencyIdentityLinker.new(identity).link_identity visit account_path diff --git a/spec/forms/openid_connect_token_form_spec.rb b/spec/forms/openid_connect_token_form_spec.rb index 3ff40d46b17..14b62dfb08f 100644 --- a/spec/forms/openid_connect_token_form_spec.rb +++ b/spec/forms/openid_connect_token_form_spec.rb @@ -51,7 +51,7 @@ let(:user) { create(:user) } let!(:identity) do - IdentityLinker.new(user, client_id). + IdentityLinker.new(user, service_provider). link_identity( nonce: nonce, rails_session_id: SecureRandom.hex, diff --git a/spec/forms/security_event_form_spec.rb b/spec/forms/security_event_form_spec.rb index 396243d1039..073b4010f4d 100644 --- a/spec/forms/security_event_form_spec.rb +++ b/spec/forms/security_event_form_spec.rb 
@@ -13,7 +13,7 @@ File.read(Rails.root.join('keys', 'saml_test_sp.key')), ) end - let(:identity) { IdentityLinker.new(user, service_provider.issuer).link_identity } + let(:identity) { IdentityLinker.new(user, service_provider).link_identity } let(:jti) { SecureRandom.urlsafe_base64 } let(:event_type) { SecurityEvent::AUTHORIZATION_FRAUD_DETECTED } diff --git a/spec/services/identity_linker_spec.rb b/spec/services/identity_linker_spec.rb index 6d33c12c304..725835281fb 100644 --- a/spec/services/identity_linker_spec.rb +++ b/spec/services/identity_linker_spec.rb @@ -3,15 +3,16 @@ describe IdentityLinker do describe '#link_identity' do let(:user) { create(:user) } + let(:service_provider) { build(:service_provider, issuer: 'test.host') } it "updates user's last authenticated identity" do - IdentityLinker.new(user, 'test.host').link_identity + IdentityLinker.new(user, service_provider).link_identity user.reload last_identity = user.last_identity new_attributes = { - service_provider: 'test.host', + service_provider: service_provider.issuer, user_id: user.id, uuid: last_identity.uuid, } @@ -32,7 +33,7 @@ scope = 'openid profile email' code_challenge = SecureRandom.hex - IdentityLinker.new(user, 'test.host').link_identity( + IdentityLinker.new(user, service_provider).link_identity( rails_session_id: rails_session_id, nonce: nonce, ial: ial, 
@@ -54,18 +55,18 @@ let(:six_months_ago) { 6.months.ago } it 'does override a previous last_consented_at by default' do - IdentityLinker.new(user, 'test.host'). + IdentityLinker.new(user, service_provider). link_identity(last_consented_at: six_months_ago) last_identity = user.reload.last_identity expect(last_identity.last_consented_at.to_i).to eq(six_months_ago.to_i) - IdentityLinker.new(user, 'test.host').link_identity + IdentityLinker.new(user, service_provider).link_identity last_identity = user.reload.last_identity expect(last_identity.last_consented_at.to_i).to eq(six_months_ago.to_i) end it 'updates last_consented_at when present' do - IdentityLinker.new(user, 'test.host'). + IdentityLinker.new(user, service_provider). link_identity(last_consented_at: now) last_identity = user.reload.last_identity @@ -77,13 +78,13 @@ let(:yesterday) { 1.day.ago } before do - IdentityLinker.new(user, 'test.host').link_identity + IdentityLinker.new(user, service_provider).link_identity last_identity = user.reload.last_identity last_identity.update!(deleted_at: yesterday) end subject(:link_identity) do - IdentityLinker.new(user, 'test.host'). + IdentityLinker.new(user, service_provider). link_identity(clear_deleted_at: clear_deleted_at) end @@ -109,7 +110,7 @@ end it 'rejects bad attributes names' do - expect { IdentityLinker.new(user, 'test.host').link_identity(foobar: true) }. + expect { IdentityLinker.new(user, service_provider).link_identity(foobar: true) }. to raise_error(ArgumentError) end 
@@ -120,9 +121,11 @@ it 'can link two different clients to the same rails_session_id' do rails_session_id = SecureRandom.uuid + service_provider1 = build(:service_provider, issuer: 'client1') + service_provider2 = build(:service_provider, issuer: 'client2') - IdentityLinker.new(user, 'client1').link_identity(rails_session_id: rails_session_id) - IdentityLinker.new(user, 'client2').link_identity(rails_session_id: rails_session_id) + IdentityLinker.new(user, service_provider1).link_identity(rails_session_id: rails_session_id) + IdentityLinker.new(user, service_provider2).link_identity(rails_session_id: rails_session_id) end end end diff --git a/spec/services/push_notification/http_push_spec.rb b/spec/services/push_notification/http_push_spec.rb index 9c6566b129e..b78d12681ce 100644 --- a/spec/services/push_notification/http_push_spec.rb +++ b/spec/services/push_notification/http_push_spec.rb @@ -9,10 +9,10 @@ let(:sp_no_push_url) { create(:service_provider, push_notification_url: nil) } let!(:sp_with_push_url_identity) do - IdentityLinker.new(user, sp_with_push_url.issuer).link_identity + IdentityLinker.new(user, sp_with_push_url).link_identity end let!(:sp_no_push_url_identity) do - IdentityLinker.new(user, sp_no_push_url.issuer).link_identity + IdentityLinker.new(user, sp_no_push_url).link_identity end let(:event) do @@ -109,7 +109,7 @@ let(:third_sp) { create(:service_provider, push_notification_url: 'http://sp.url/push') } before do - IdentityLinker.new(user, third_sp.issuer).link_identity + IdentityLinker.new(user, third_sp).link_identity stub_request(:post, sp_with_push_url.push_notification_url).to_timeout stub_request(:post, third_sp.push_notification_url).to_return(status: 200) diff --git a/spec/services/uuid_reporter_spec.rb b/spec/services/uuid_reporter_spec.rb index 0b7719648e4..bba9f5cccee 100644 --- a/spec/services/uuid_reporter_spec.rb +++ b/spec/services/uuid_reporter_spec.rb 
@@ -87,11 +87,11 @@ let!(:user2) { create(:user, :signed_up, email: 'user2@example.com') } let!(:user3) { create(:user, :signed_up, email: 'user3@example.com') } let!(:uuid1) do - IdentityLinker.new(user1, sp1.issuer).link_identity + IdentityLinker.new(user1, sp1).link_identity AgencyIdentity.find_by(user_id: user1.id, agency_id: agency.id).uuid end let!(:uuid2) do - IdentityLinker.new(user2, sp2.issuer).link_identity + IdentityLinker.new(user2, sp2).link_identity AgencyIdentity.find_by(user_id: user2.id, agency_id: agency.id).uuid end @@ -104,7 +104,7 @@ end before(:each) do - IdentityLinker.new(user3, create(:service_provider).issuer).link_identity + IdentityLinker.new(user3, create(:service_provider)).link_identity end after(:each) { File.delete(valid_output) } diff --git a/spec/support/features/session_helper.rb b/spec/support/features/session_helper.rb index 5ffb3a648f5..1737c3a89e6 100644 --- a/spec/support/features/session_helper.rb +++ b/spec/support/features/session_helper.rb @@ -615,10 +615,10 @@ def piv_cac_nonce_from_form_action nonce end - def link_identity(user, client_id, ial = nil) + def link_identity(user, service_provider, ial = nil) IdentityLinker.new( user, - client_id, + service_provider, ).link_identity( ial: ial, ) diff --git a/spec/support/saml_auth_helper.rb b/spec/support/saml_auth_helper.rb index 467b356c238..7d64ab2c3e2 100644 --- a/spec/support/saml_auth_helper.rb +++ b/spec/support/saml_auth_helper.rb @@ -125,6 +125,10 @@ def saml_test_idp_cert public + def sp1 + build(:service_provider, issuer: sp1_issuer) + end + def sp1_issuer 'https://rp1.serviceprovider.com/auth/saml/metadata' end @@ -175,7 +179,7 @@ def link_user_to_identity(user, link, settings) IdentityLinker.new( user, - settings.issuer, + build(:service_provider, issuer: settings.issuer), ).link_identity( ial: ial2_requested?(settings) ? true : nil, verified_attributes: ['email'], 
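Review bot: The new `sp1` helper returns a fresh, unsaved `build(:service_provider, issuer: sp1_issuer)` on every call, so it is neither a stable object across calls nor the seeded database row that the controller under test resolves via `ServiceProvider.find_by(issuer:)`; attribute changes a spec makes on the database row are invisible on `sp1`, and vice versa. If the intent is only to satisfy `IdentityLinker`'s new record argument, say so on the method: `# Unsaved stand-in for the seeded sp1 record; only #issuer is meaningful to IdentityLinker`. Otherwise `ServiceProvider.find_by(issuer: sp1_issuer)` would make the helper hand back the row the application code actually uses. Whether `sp1_issuer` is seeded in the test database cannot be confirmed from this hunk.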
diff --git a/spec/support/shared_examples/remember_device.rb b/spec/support/shared_examples/remember_device.rb index 26e6b5d1196..7d8483accbd 100644 --- a/spec/support/shared_examples/remember_device.rb +++ b/spec/support/shared_examples/remember_device.rb @@ -51,7 +51,7 @@ user = remember_device_and_sign_out_user IdentityLinker.new( - user, 'urn:gov:gsa:openidconnect:sp:server' + user, build(:service_provider, issuer: 'urn:gov:gsa:openidconnect:sp:server') ).link_identity(verified_attributes: %w[email]) visit oidc_url