diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 01321adbffa..52790bc08c0 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -360,6 +360,8 @@ def sp_required_mfa_verification_url
 if TwoFactorAuthentication::PivCacPolicy.new(current_user).enabled? && !mobile?
 login_two_factor_piv_cac_url
+ elsif TwoFactorAuthentication::WebauthnPolicy.new(current_user).platform_enabled?
+ login_two_factor_webauthn_url(platform: true)
 elsif TwoFactorAuthentication::WebauthnPolicy.new(current_user).enabled?
 login_two_factor_webauthn_url
 else
diff --git a/spec/features/openid_connect/phishing_resistant_required_spec.rb b/spec/features/openid_connect/phishing_resistant_required_spec.rb
index 59dae4b2843..9c1914b3236 100644
--- a/spec/features/openid_connect/phishing_resistant_required_spec.rb
+++ b/spec/features/openid_connect/phishing_resistant_required_spec.rb
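Review bot: `TwoFactorAuthentication::WebauthnPolicy.new(current_user)` is now constructed twice in consecutive `elsif` arms of the same chain; hoisting it once before the `if`, `webauthn_policy = TwoFactorAuthentication::WebauthnPolicy.new(current_user)`, and then testing `elsif webauthn_policy.platform_enabled?` / `elsif webauthn_policy.enabled?` makes the two arms read as one policy decision and avoids the second allocation. The added arm also ranks platform authenticators ahead of roaming ones with no device condition, whereas the PIV/CAC arm above is guarded by `!mobile?`; if a user has both kinds of WebAuthn credential registered, they are presumably sent to the platform flow regardless of which device they are on, which deserves a short comment on the arm stating that this precedence is intended (or a note on how the roaming flow remains reachable). sp_required_mfa_verification_url's `else` branch and its `end` lie outside the hunk.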
@@ -18,12 +18,40 @@ end context 'user has phishing-resistant auth configured' do - it 'sends user to authenticate with phishing-resistant auth' do - sign_in_before_2fa(user_with_phishing_resistant_2fa) + context 'with piv cac configured' do + let(:user) { create(:user, :fully_registered, :with_piv_or_cac) } - visit_idp_from_ial1_oidc_sp_requesting_aal3(prompt: 'select_account') - visit login_two_factor_path(otp_delivery_preference: 'sms') - expect(current_url).to eq(login_two_factor_webauthn_url) + it 'sends user to authenticate with piv cac' do + sign_in_before_2fa(user) + + visit_idp_from_ial1_oidc_sp_requesting_aal3(prompt: 'select_account') + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_piv_cac_url) + end + end + + context 'with webauthn configured' do + let(:user) { create(:user, :fully_registered, :with_webauthn) } + + it 'sends user to authenticate with webauthn' do + sign_in_before_2fa(user) + + visit_idp_from_ial1_oidc_sp_requesting_aal3(prompt: 'select_account') + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_webauthn_url) + end + end + + context 'with webauthn platform configured' do + let(:user) { create(:user, :fully_registered, :with_webauthn_platform) } + + it 'sends user to authenticate with webauthn platform' do + sign_in_before_2fa(user) + + visit_idp_from_ial1_oidc_sp_requesting_aal3(prompt: 'select_account') + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_webauthn_url(platform: true)) + end end it 'does not allow an already signed in user to bypass phishing-resistant auth' do 
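Review bot: Each of the three new contexts builds a user with exactly one phishing-resistant method, so the precedence the controller change introduces when several are configured (PIV/CAC before platform WebAuthn before roaming WebAuthn) is never asserted; one example along the lines of `let(:user) { create(:user, :fully_registered, :with_piv_or_cac, :with_webauthn_platform) }` expecting `login_two_factor_piv_cac_url` would pin that ordering. The same three-context block is repeated verbatim in the two later OIDC hunks and in all three SAML hunks, differing only in the visit helper and its arguments, so a `shared_examples` that yields to a block for the visit step would reduce this to one copy per file. The `does not allow an already signed in user to bypass phishing-resistant auth` example that follows each block is outside the hunk, so whether it still depends on the removed `user_with_phishing_resistant_2fa` helper cannot be seen here.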
@@ -50,12 +78,40 @@ end context 'user has phishing-resistant auth configured' do - it 'sends user to authenticate with phishing-resistant auth' do - sign_in_before_2fa(user_with_phishing_resistant_2fa) + context 'with piv cac configured' do + let(:user) { create(:user, :fully_registered, :with_piv_or_cac) } - visit_idp_from_ial1_oidc_sp_requesting_phishing_resistant(prompt: 'select_account') - visit login_two_factor_path(otp_delivery_preference: 'sms') - expect(current_url).to eq(login_two_factor_webauthn_url) + it 'sends user to authenticate with piv cac' do + sign_in_before_2fa(user) + + visit_idp_from_ial1_oidc_sp_requesting_phishing_resistant(prompt: 'select_account') + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_piv_cac_url) + end + end + + context 'with webauthn configured' do + let(:user) { create(:user, :fully_registered, :with_webauthn) } + + it 'sends user to authenticate with webauthn' do + sign_in_before_2fa(user) + + visit_idp_from_ial1_oidc_sp_requesting_phishing_resistant(prompt: 'select_account') + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_webauthn_url) + end + end + + context 'with webauthn platform configured' do + let(:user) { create(:user, :fully_registered, :with_webauthn_platform) } + + it 'sends user to authenticate with webauthn platform' do + sign_in_before_2fa(user) + + visit_idp_from_ial1_oidc_sp_requesting_phishing_resistant(prompt: 'select_account') + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_webauthn_url(platform: true)) + end end it 'does not allow an already signed in user to bypass phishing-resistant auth' do 
@@ -97,12 +153,40 @@ end context 'user has phishing-resistant auth configured' do - it 'sends user to authenticate with phishing-resistant auth' do - sign_in_before_2fa(user_with_phishing_resistant_2fa) - visit_idp_from_ial1_oidc_sp_defaulting_to_aal3(prompt: 'select_account') - visit login_two_factor_path(otp_delivery_preference: 'sms') + context 'with piv cac configured' do + let(:user) { create(:user, :fully_registered, :with_piv_or_cac) } - expect(current_url).to eq(login_two_factor_webauthn_url) + it 'sends user to authenticate with piv cac' do + sign_in_before_2fa(user) + + visit_idp_from_ial1_oidc_sp_defaulting_to_aal3(prompt: 'select_account') + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_piv_cac_url) + end + end + + context 'with webauthn configured' do + let(:user) { create(:user, :fully_registered, :with_webauthn) } + + it 'sends user to authenticate with webauthn' do + sign_in_before_2fa(user) + + visit_idp_from_ial1_oidc_sp_defaulting_to_aal3(prompt: 'select_account') + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_webauthn_url) + end + end + + context 'with webauthn platform configured' do + let(:user) { create(:user, :fully_registered, :with_webauthn_platform) } + + it 'sends user to authenticate with webauthn platform' do + sign_in_before_2fa(user) + + visit_idp_from_ial1_oidc_sp_defaulting_to_aal3(prompt: 'select_account') + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_webauthn_url(platform: true)) + end end it 'does not allow an already signed in user to bypass phishing-resistant auth' do diff --git a/spec/features/saml/phishing_resistant_required_spec.rb b/spec/features/saml/phishing_resistant_required_spec.rb index a2788362651..efd2c403447 100644 --- a/spec/features/saml/phishing_resistant_required_spec.rb +++ b/spec/features/saml/phishing_resistant_required_spec.rb 
@@ -21,16 +21,55 @@ end context 'user has phishing-resistant auth configured' do - it 'sends user to authenticate with phishing-resistant auth' do - sign_in_before_2fa(user_with_phishing_resistant_2fa) - visit_saml_authn_request_url( - overrides: { - issuer: sp1_issuer, - authn_context: Saml::Idp::Constants::AAL2_PHISHING_RESISTANT_AUTHN_CONTEXT_CLASSREF, - }, - ) - visit login_two_factor_path(otp_delivery_preference: 'sms') - expect(current_url).to eq(login_two_factor_webauthn_url) + context 'with piv cac configured' do + let(:user) { create(:user, :fully_registered, :with_piv_or_cac) } + + it 'sends user to authenticate with piv cac' do + sign_in_before_2fa(user) + + visit_saml_authn_request_url( + overrides: { + issuer: sp1_issuer, + authn_context: Saml::Idp::Constants::AAL2_PHISHING_RESISTANT_AUTHN_CONTEXT_CLASSREF, + }, + ) + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_piv_cac_url) + end + end + + context 'with webauthn configured' do + let(:user) { create(:user, :fully_registered, :with_webauthn) } + + it 'sends user to authenticate with webauthn' do + sign_in_before_2fa(user) + + visit_saml_authn_request_url( + overrides: { + issuer: sp1_issuer, + authn_context: Saml::Idp::Constants::AAL2_PHISHING_RESISTANT_AUTHN_CONTEXT_CLASSREF, + }, + ) + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_webauthn_url) + end + end + + context 'with webauthn platform configured' do + let(:user) { create(:user, :fully_registered, :with_webauthn_platform) } + + it 'sends user to authenticate with webauthn platform' do + sign_in_before_2fa(user) + + visit_saml_authn_request_url( + overrides: { + issuer: sp1_issuer, + authn_context: Saml::Idp::Constants::AAL2_PHISHING_RESISTANT_AUTHN_CONTEXT_CLASSREF, + }, + ) + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_webauthn_url(platform: true)) + end end end end 
@@ -52,15 +91,52 @@ end context 'user has phishing-resistant auth configured' do - it 'sends user to authenticate with phishing-resistant auth' do - sign_in_before_2fa(user_with_phishing_resistant_2fa) - visit_saml_authn_request_url( - overrides: { - issuer: sp1_issuer, authn_context: Saml::Idp::Constants::AAL3_AUTHN_CONTEXT_CLASSREF - }, - ) - visit login_two_factor_path(otp_delivery_preference: 'sms') - expect(current_url).to eq(login_two_factor_webauthn_url) + context 'with piv cac configured' do + let(:user) { create(:user, :fully_registered, :with_piv_or_cac) } + + it 'sends user to authenticate with piv cac' do + sign_in_before_2fa(user) + + visit_saml_authn_request_url( + overrides: { + issuer: sp1_issuer, authn_context: Saml::Idp::Constants::AAL3_AUTHN_CONTEXT_CLASSREF + }, + ) + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_piv_cac_url) + end + end + + context 'with webauthn configured' do + let(:user) { create(:user, :fully_registered, :with_webauthn) } + + it 'sends user to authenticate with webauthn' do + sign_in_before_2fa(user) + + visit_saml_authn_request_url( + overrides: { + issuer: sp1_issuer, authn_context: Saml::Idp::Constants::AAL3_AUTHN_CONTEXT_CLASSREF + }, + ) + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_webauthn_url) + end + end + + context 'with webauthn platform configured' do + let(:user) { create(:user, :fully_registered, :with_webauthn_platform) } + + it 'sends user to authenticate with webauthn platform' do + sign_in_before_2fa(user) + + visit_saml_authn_request_url( + overrides: { + issuer: sp1_issuer, authn_context: Saml::Idp::Constants::AAL3_AUTHN_CONTEXT_CLASSREF + }, + ) + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_webauthn_url(platform: true)) + end end end end 
@@ -82,15 +158,52 @@ end context 'user has phishing-resistant auth configured' do - it 'sends user to authenticate with phishing-resistant auth' do - sign_in_before_2fa(user_with_phishing_resistant_2fa) - visit_saml_authn_request_url( - overrides: { - issuer: aal3_issuer, authn_context: nil - }, - ) - visit login_two_factor_path(otp_delivery_preference: 'sms') - expect(current_url).to eq(login_two_factor_webauthn_url) + context 'with piv cac configured' do + let(:user) { create(:user, :fully_registered, :with_piv_or_cac) } + + it 'sends user to authenticate with piv cac' do + sign_in_before_2fa(user) + + visit_saml_authn_request_url( + overrides: { + issuer: aal3_issuer, authn_context: nil + }, + ) + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_piv_cac_url) + end + end + + context 'with webauthn configured' do + let(:user) { create(:user, :fully_registered, :with_webauthn) } + + it 'sends user to authenticate with webauthn' do + sign_in_before_2fa(user) + + visit_saml_authn_request_url( + overrides: { + issuer: aal3_issuer, authn_context: nil + }, + ) + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_webauthn_url) + end + end + + context 'with webauthn platform configured' do + let(:user) { create(:user, :fully_registered, :with_webauthn_platform) } + + it 'sends user to authenticate with webauthn platform' do + sign_in_before_2fa(user) + + visit_saml_authn_request_url( + overrides: { + issuer: aal3_issuer, authn_context: nil + }, + ) + visit login_two_factor_path(otp_delivery_preference: 'sms') + expect(current_url).to eq(login_two_factor_webauthn_url(platform: true)) + end end it 'does not allow an already signed in user to bypass phishing-resistant auth' do