18F · aduth · Jul 27, 2023 · Jul 25, 2023
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -360,6 +360,8 @@ def sp_required_mfa_verification_url
 
     if TwoFactorAuthentication::PivCacPolicy.new(current_user).enabled? && !mobile?
       login_two_factor_piv_cac_url
+    elsif TwoFactorAuthentication::WebauthnPolicy.new(current_user).platform_enabled?
+      login_two_factor_webauthn_url(platform: true)
     elsif TwoFactorAuthentication::WebauthnPolicy.new(current_user).enabled?
       login_two_factor_webauthn_url
     else

diff --git a/spec/features/openid_connect/phishing_resistant_required_spec.rb b/spec/features/openid_connect/phishing_resistant_required_spec.rb
@@ -18,12 +18,40 @@
     end
 
     context 'user has phishing-resistant auth configured' do
-      it 'sends user to authenticate with phishing-resistant auth' do
-        sign_in_before_2fa(user_with_phishing_resistant_2fa)
+      context 'with piv cac configured' do
+        let(:user) { create(:user, :fully_registered, :with_piv_or_cac) }
 
-        visit_idp_from_ial1_oidc_sp_requesting_aal3(prompt: 'select_account')
-        visit login_two_factor_path(otp_delivery_preference: 'sms')
-        expect(current_url).to eq(login_two_factor_webauthn_url)
+        it 'sends user to authenticate with piv cac' do
+          sign_in_before_2fa(user)
+
+          visit_idp_from_ial1_oidc_sp_requesting_aal3(prompt: 'select_account')
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_piv_cac_url)
+        end
+      end
+
+      context 'with webauthn configured' do
+        let(:user) { create(:user, :fully_registered, :with_webauthn) }
+
+        it 'sends user to authenticate with webauthn' do
+          sign_in_before_2fa(user)
+
+          visit_idp_from_ial1_oidc_sp_requesting_aal3(prompt: 'select_account')
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_webauthn_url)
+        end
+      end
+
+      context 'with webauthn platform configured' do
+        let(:user) { create(:user, :fully_registered, :with_webauthn_platform) }
+
+        it 'sends user to authenticate with webauthn platform' do
+          sign_in_before_2fa(user)
+
+          visit_idp_from_ial1_oidc_sp_requesting_aal3(prompt: 'select_account')
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_webauthn_url(platform: true))
+        end
       end
 
       it 'does not allow an already signed in user to bypass phishing-resistant auth' do
@@ -50,12 +78,40 @@
     end
 
     context 'user has phishing-resistant auth configured' do
-      it 'sends user to authenticate with phishing-resistant auth' do
-        sign_in_before_2fa(user_with_phishing_resistant_2fa)
+      context 'with piv cac configured' do
+        let(:user) { create(:user, :fully_registered, :with_piv_or_cac) }
 
-        visit_idp_from_ial1_oidc_sp_requesting_phishing_resistant(prompt: 'select_account')
-        visit login_two_factor_path(otp_delivery_preference: 'sms')
-        expect(current_url).to eq(login_two_factor_webauthn_url)
+        it 'sends user to authenticate with piv cac' do
+          sign_in_before_2fa(user)
+
+          visit_idp_from_ial1_oidc_sp_requesting_phishing_resistant(prompt: 'select_account')
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_piv_cac_url)
+        end
+      end
+
+      context 'with webauthn configured' do
+        let(:user) { create(:user, :fully_registered, :with_webauthn) }
+
+        it 'sends user to authenticate with webauthn' do
+          sign_in_before_2fa(user)
+
+          visit_idp_from_ial1_oidc_sp_requesting_phishing_resistant(prompt: 'select_account')
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_webauthn_url)
+        end
+      end
+
+      context 'with webauthn platform configured' do
+        let(:user) { create(:user, :fully_registered, :with_webauthn_platform) }
+
+        it 'sends user to authenticate with webauthn platform' do
+          sign_in_before_2fa(user)
+
+          visit_idp_from_ial1_oidc_sp_requesting_phishing_resistant(prompt: 'select_account')
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_webauthn_url(platform: true))
+        end
       end
 
       it 'does not allow an already signed in user to bypass phishing-resistant auth' do
@@ -97,12 +153,40 @@
     end
 
     context 'user has phishing-resistant auth configured' do
-      it 'sends user to authenticate with phishing-resistant auth' do
-        sign_in_before_2fa(user_with_phishing_resistant_2fa)
-        visit_idp_from_ial1_oidc_sp_defaulting_to_aal3(prompt: 'select_account')
-        visit login_two_factor_path(otp_delivery_preference: 'sms')
+      context 'with piv cac configured' do
+        let(:user) { create(:user, :fully_registered, :with_piv_or_cac) }
 
-        expect(current_url).to eq(login_two_factor_webauthn_url)
+        it 'sends user to authenticate with piv cac' do
+          sign_in_before_2fa(user)
+
+          visit_idp_from_ial1_oidc_sp_defaulting_to_aal3(prompt: 'select_account')
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_piv_cac_url)
+        end
+      end
+
+      context 'with webauthn configured' do
+        let(:user) { create(:user, :fully_registered, :with_webauthn) }
+
+        it 'sends user to authenticate with webauthn' do
+          sign_in_before_2fa(user)
+
+          visit_idp_from_ial1_oidc_sp_defaulting_to_aal3(prompt: 'select_account')
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_webauthn_url)
+        end
+      end
+
+      context 'with webauthn platform configured' do
+        let(:user) { create(:user, :fully_registered, :with_webauthn_platform) }
+
+        it 'sends user to authenticate with webauthn platform' do
+          sign_in_before_2fa(user)
+
+          visit_idp_from_ial1_oidc_sp_defaulting_to_aal3(prompt: 'select_account')
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_webauthn_url(platform: true))
+        end
       end
 
       it 'does not allow an already signed in user to bypass phishing-resistant auth' do

diff --git a/spec/features/saml/phishing_resistant_required_spec.rb b/spec/features/saml/phishing_resistant_required_spec.rb
@@ -21,16 +21,55 @@
     end
 
     context 'user has phishing-resistant auth configured' do
-      it 'sends user to authenticate with phishing-resistant auth' do
-        sign_in_before_2fa(user_with_phishing_resistant_2fa)
-        visit_saml_authn_request_url(
-          overrides: {
-            issuer: sp1_issuer,
-            authn_context: Saml::Idp::Constants::AAL2_PHISHING_RESISTANT_AUTHN_CONTEXT_CLASSREF,
-          },
-        )
-        visit login_two_factor_path(otp_delivery_preference: 'sms')
-        expect(current_url).to eq(login_two_factor_webauthn_url)
+      context 'with piv cac configured' do
+        let(:user) { create(:user, :fully_registered, :with_piv_or_cac) }
+
+        it 'sends user to authenticate with piv cac' do
+          sign_in_before_2fa(user)
+
+          visit_saml_authn_request_url(
+            overrides: {
+              issuer: sp1_issuer,
+              authn_context: Saml::Idp::Constants::AAL2_PHISHING_RESISTANT_AUTHN_CONTEXT_CLASSREF,
+            },
+          )
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_piv_cac_url)
+        end
+      end
+
+      context 'with webauthn configured' do
+        let(:user) { create(:user, :fully_registered, :with_webauthn) }
+
+        it 'sends user to authenticate with webauthn' do
+          sign_in_before_2fa(user)
+
+          visit_saml_authn_request_url(
+            overrides: {
+              issuer: sp1_issuer,
+              authn_context: Saml::Idp::Constants::AAL2_PHISHING_RESISTANT_AUTHN_CONTEXT_CLASSREF,
+            },
+          )
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_webauthn_url)
+        end
+      end
+
+      context 'with webauthn platform configured' do
+        let(:user) { create(:user, :fully_registered, :with_webauthn_platform) }
+
+        it 'sends user to authenticate with webauthn platform' do
+          sign_in_before_2fa(user)
+
+          visit_saml_authn_request_url(
+            overrides: {
+              issuer: sp1_issuer,
+              authn_context: Saml::Idp::Constants::AAL2_PHISHING_RESISTANT_AUTHN_CONTEXT_CLASSREF,
+            },
+          )
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_webauthn_url(platform: true))
+        end
       end
     end
   end
@@ -52,15 +91,52 @@
     end
 
     context 'user has phishing-resistant auth configured' do
-      it 'sends user to authenticate with phishing-resistant auth' do
-        sign_in_before_2fa(user_with_phishing_resistant_2fa)
-        visit_saml_authn_request_url(
-          overrides: {
-            issuer: sp1_issuer, authn_context: Saml::Idp::Constants::AAL3_AUTHN_CONTEXT_CLASSREF
-          },
-        )
-        visit login_two_factor_path(otp_delivery_preference: 'sms')
-        expect(current_url).to eq(login_two_factor_webauthn_url)
+      context 'with piv cac configured' do
+        let(:user) { create(:user, :fully_registered, :with_piv_or_cac) }
+
+        it 'sends user to authenticate with piv cac' do
+          sign_in_before_2fa(user)
+
+          visit_saml_authn_request_url(
+            overrides: {
+              issuer: sp1_issuer, authn_context: Saml::Idp::Constants::AAL3_AUTHN_CONTEXT_CLASSREF
+            },
+          )
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_piv_cac_url)
+        end
+      end
+
+      context 'with webauthn configured' do
+        let(:user) { create(:user, :fully_registered, :with_webauthn) }
+
+        it 'sends user to authenticate with webauthn' do
+          sign_in_before_2fa(user)
+
+          visit_saml_authn_request_url(
+            overrides: {
+              issuer: sp1_issuer, authn_context: Saml::Idp::Constants::AAL3_AUTHN_CONTEXT_CLASSREF
+            },
+          )
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_webauthn_url)
+        end
+      end
+
+      context 'with webauthn platform configured' do
+        let(:user) { create(:user, :fully_registered, :with_webauthn_platform) }
+
+        it 'sends user to authenticate with webauthn platform' do
+          sign_in_before_2fa(user)
+
+          visit_saml_authn_request_url(
+            overrides: {
+              issuer: sp1_issuer, authn_context: Saml::Idp::Constants::AAL3_AUTHN_CONTEXT_CLASSREF
+            },
+          )
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_webauthn_url(platform: true))
+        end
       end
     end
   end
@@ -82,15 +158,52 @@
     end
 
     context 'user has phishing-resistant auth configured' do
-      it 'sends user to authenticate with phishing-resistant auth' do
-        sign_in_before_2fa(user_with_phishing_resistant_2fa)
-        visit_saml_authn_request_url(
-          overrides: {
-            issuer: aal3_issuer, authn_context: nil
-          },
-        )
-        visit login_two_factor_path(otp_delivery_preference: 'sms')
-        expect(current_url).to eq(login_two_factor_webauthn_url)
+      context 'with piv cac configured' do
+        let(:user) { create(:user, :fully_registered, :with_piv_or_cac) }
+
+        it 'sends user to authenticate with piv cac' do
+          sign_in_before_2fa(user)
+
+          visit_saml_authn_request_url(
+            overrides: {
+              issuer: aal3_issuer, authn_context: nil
+            },
+          )
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_piv_cac_url)
+        end
+      end
+
+      context 'with webauthn configured' do
+        let(:user) { create(:user, :fully_registered, :with_webauthn) }
+
+        it 'sends user to authenticate with webauthn' do
+          sign_in_before_2fa(user)
+
+          visit_saml_authn_request_url(
+            overrides: {
+              issuer: aal3_issuer, authn_context: nil
+            },
+          )
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_webauthn_url)
+        end
+      end
+
+      context 'with webauthn platform configured' do
+        let(:user) { create(:user, :fully_registered, :with_webauthn_platform) }
+
+        it 'sends user to authenticate with webauthn platform' do
+          sign_in_before_2fa(user)
+
+          visit_saml_authn_request_url(
+            overrides: {
+              issuer: aal3_issuer, authn_context: nil
+            },
+          )
+          visit login_two_factor_path(otp_delivery_preference: 'sms')
+          expect(current_url).to eq(login_two_factor_webauthn_url(platform: true))
+        end
       end
 
       it 'does not allow an already signed in user to bypass phishing-resistant auth' do