From bbb47fd254ca5c4bfbfe3bd05d3d360b5084b636 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Wed, 2 Aug 2023 15:03:59 -0500 Subject: [PATCH 01/10] Set Remember Device Expiration for AAL2 to 0 hours changelog: Internal, Configuration, Set Remember Device Expiration for AAL2 to 0 hours --- config/application.yml.default | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/application.yml.default b/config/application.yml.default index 1b44e3e9cc1..9796844e003 100644 --- a/config/application.yml.default +++ b/config/application.yml.default @@ -275,7 +275,7 @@ reg_unconfirmed_email_max_attempts: 20 reg_unconfirmed_email_window_in_minutes: 60 reject_id_token_hint_in_logout: false remember_device_expiration_hours_aal_1: 720 -remember_device_expiration_hours_aal_2: 12 +remember_device_expiration_hours_aal_2: 0 report_timeout: 0 requests_per_ip_cidr_allowlist: '' requests_per_ip_limit: 300 From d928f2fa9f102be975db891623dfab20a66fcf60 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Thu, 3 Aug 2023 09:51:48 -0500 Subject: [PATCH 02/10] change default saml authn context in specs --- spec/support/saml_auth_helper.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/support/saml_auth_helper.rb b/spec/support/saml_auth_helper.rb index 56de7b322df..be09152ae77 100644 --- a/spec/support/saml_auth_helper.rb +++ b/spec/support/saml_auth_helper.rb @@ -41,7 +41,7 @@ def saml_settings(overrides: {}) def request_authn_contexts [ - Saml::Idp::Constants::AAL2_AUTHN_CONTEXT_CLASSREF, + Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF, Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF, ] end From 55b79b15603c4f3239b2f2f12f61318aa4621581 Mon Sep 17 00:00:00 2001 
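Review bot: `remember_device_expiration_hours_aal_2: 0` turns the setting from a window into an off switch, but the file does not say so, and `application.yml.default` only supplies defaults that a per-environment config may still override with the old 12. A reader cannot tell whether 0 means "a remembered device never satisfies an AAL2 request" or is a placeholder, so I would put a comment above the key: `# 0 disables remember-device for AAL2 requests; MFA is required on every AAL2 sign-in`. The AAL1 value on the line above stays at 720 (30 days), so it is worth stating in the commit message that the asymmetry is intentional.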
From: Mitchell Henke Date: Fri, 4 Aug 2023 09:04:38 -0500 Subject: [PATCH 03/10] use IAL1 issuer for OIDC ial1 tests --- config/service_providers.localdev.yml | 14 ++++++++++++++ .../service_provider_session_decorator_spec.rb | 4 ++-- .../remember_device/session_expiration_spec.rb | 2 +- spec/support/oidc_auth_helper.rb | 3 ++- spec/support/saml_auth_helper.rb | 2 +- spec/support/shared_examples/remember_device.rb | 4 ++-- 6 files changed, 22 insertions(+), 7 deletions(-) diff --git a/config/service_providers.localdev.yml b/config/service_providers.localdev.yml index 86b96114d01..ab8affd53ff 100644 --- a/config/service_providers.localdev.yml +++ b/config/service_providers.localdev.yml @@ -218,6 +218,20 @@ test: ial: 2 allow_prompt_login: true + 'urn:gov:gsa:openidconnect:sp:server_ial1': + agency_id: 2 + redirect_uris: + - 'http://localhost:7654/auth/result' + - 'https://example.com' + - 'http://www.example.com/test/oidc' + certs: + - 'saml_test_sp' + friendly_name: 'Test SP' + return_to_sp_url: 'https://example.com/' + assertion_consumer_logout_service_url: '' + ial: 1 + allow_prompt_login: true + 'urn:gov:gsa:openidconnect:sp:server_two': agency_id: 2 redirect_uris: diff --git a/spec/decorators/service_provider_session_decorator_spec.rb b/spec/decorators/service_provider_session_decorator_spec.rb index 90fecdf679a..bc7acf9e58c 100644 --- a/spec/decorators/service_provider_session_decorator_spec.rb +++ b/spec/decorators/service_provider_session_decorator_spec.rb @@ -205,7 +205,7 @@ allow(sp).to receive(:default_aal).and_return(2) end - it { expect(subject.mfa_expiration_interval).to eq(12.hours) } + it { expect(subject.mfa_expiration_interval).to eq(0.hours) } end context 'with an IAL2 sp' do @@ -213,7 +213,7 @@ allow(sp).to receive(:ial).and_return(2) end - it { expect(subject.mfa_expiration_interval).to eq(12.hours) } + it { expect(subject.mfa_expiration_interval).to eq(0.hours) } end context 'with an sp that is not AAL2 or IAL2' do 
diff --git a/spec/features/remember_device/session_expiration_spec.rb b/spec/features/remember_device/session_expiration_spec.rb index 8e003418aee..d6d12484038 100644 --- a/spec/features/remember_device/session_expiration_spec.rb +++ b/spec/features/remember_device/session_expiration_spec.rb @@ -18,7 +18,7 @@ first(:link, t('links.sign_out')).click IdentityLinker.new( - user, build(:service_provider, issuer: 'urn:gov:gsa:openidconnect:sp:server') + user, build(:service_provider, issuer: OidcAuthHelper::OIDC_IAL1_ISSUER) ).link_identity(verified_attributes: %w[email]) visit_idp_from_sp_with_ial1(:oidc) diff --git a/spec/support/oidc_auth_helper.rb b/spec/support/oidc_auth_helper.rb index 81c42b79990..36181e7812c 100644 --- a/spec/support/oidc_auth_helper.rb +++ b/spec/support/oidc_auth_helper.rb @@ -1,5 +1,6 @@ module OidcAuthHelper OIDC_ISSUER = 'urn:gov:gsa:openidconnect:sp:server'.freeze + OIDC_IAL1_ISSUER = 'urn:gov:gsa:openidconnect:sp:server_ial1'.freeze OIDC_AAL3_ISSUER = 'urn:gov:gsa:openidconnect:sp:server_requiring_aal3'.freeze def sign_in_oidc_user(user) @@ -57,7 +58,7 @@ def visit_idp_from_ial1_oidc_sp_defaulting_to_aal3(**args) def ial1_params(prompt: nil, state: SecureRandom.hex, nonce: SecureRandom.hex, - client_id: OIDC_ISSUER, + client_id: OIDC_IAL1_ISSUER, tid: nil) ial1_params = { client_id: client_id, diff --git a/spec/support/saml_auth_helper.rb b/spec/support/saml_auth_helper.rb index be09152ae77..2fa63db8610 100644 --- a/spec/support/saml_auth_helper.rb +++ b/spec/support/saml_auth_helper.rb @@ -241,7 +241,7 @@ def visit_idp_from_sp_with_ial1(sp) ) elsif sp == :oidc @state = SecureRandom.hex - @client_id = 'urn:gov:gsa:openidconnect:sp:server' + @client_id = OidcAuthHelper::OIDC_IAL1_ISSUER @nonce = SecureRandom.hex visit_idp_from_oidc_sp_with_ial1(state: @state, client_id: @client_id, nonce: @nonce) end 
diff --git a/spec/support/shared_examples/remember_device.rb b/spec/support/shared_examples/remember_device.rb index 365c2f21461..e9e10d20801 100644 --- a/spec/support/shared_examples/remember_device.rb +++ b/spec/support/shared_examples/remember_device.rb @@ -40,7 +40,7 @@ it 'redirects to an SP from the sign in page' do oidc_url = openid_connect_authorize_url( - client_id: 'urn:gov:gsa:openidconnect:sp:server', + client_id: OidcAuthHelper::OIDC_IAL1_ISSUER, response_type: 'code', acr_values: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF, scope: 'openid email', @@ -51,7 +51,7 @@ user = remember_device_and_sign_out_user IdentityLinker.new( - user, build(:service_provider, issuer: 'urn:gov:gsa:openidconnect:sp:server') + user, build(:service_provider, issuer: OidcAuthHelper::OIDC_IAL1_ISSUER) ).link_identity(verified_attributes: %w[email]) visit oidc_url From bafa083af4d1d0442d055c33093128187c3d550e Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Fri, 4 Aug 2023 09:32:00 -0500 Subject: [PATCH 04/10] fix specs --- spec/controllers/saml_idp_controller_spec.rb | 14 +++++++------- .../features/openid_connect/openid_connect_spec.rb | 2 +- .../features/remember_device/sp_expiration_spec.rb | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/spec/controllers/saml_idp_controller_spec.rb b/spec/controllers/saml_idp_controller_spec.rb index 3904e5e911b..4501b6c6470 100644 --- a/spec/controllers/saml_idp_controller_spec.rb +++ b/spec/controllers/saml_idp_controller_spec.rb @@ -461,7 +461,7 @@ def name_id_version(format_urn) end let(:xmldoc) { SamlResponseDoc.new('controller', 'response_assertion', response) } - let(:aal_level) { 2 } + let(:aal_level) { 0 } let(:ial2_settings) do saml_settings( overrides: { 
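Review bot: `let(:aal_level) { 0 }` in `saml_idp_controller_spec.rb` reads as a typo, because AAL 0 is not a defined assurance level; the `ial2_settings` block that consumes it begins in this hunk and runs past it, so I cannot see whether the value is interpolated into a classref URN or only used to choose the default context. If it selects the default context, a trailing comment such as `let(:aal_level) { 0 } # 0 selects DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF rather than a numbered AAL` would save the next reader the detour. If it is interpolated into an `.../aal/#{aal_level}` URN, the result matches no constant and the settings should reference `Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF` directly.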
@@ -934,7 +934,7 @@ def name_id_version(format_urn) with('SAML Auth Request', { requested_ial: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF, service_provider: 'http://localhost:3000', - requested_aal_authn_context: Saml::Idp::Constants::AAL2_AUTHN_CONTEXT_CLASSREF, + requested_aal_authn_context: Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF, force_authn: true, }) @@ -1564,7 +1564,7 @@ def name_id_version(format_urn) with('SAML Auth Request', { requested_ial: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF, service_provider: 'http://localhost:3000', - requested_aal_authn_context: Saml::Idp::Constants::AAL2_AUTHN_CONTEXT_CLASSREF, + requested_aal_authn_context: Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF, force_authn: false, }) @@ -1931,8 +1931,8 @@ def name_id_version(format_urn) expect(subject).to_not be_nil end - it 'has contents set to AAL2' do - expect(subject.content).to eq Saml::Idp::Constants::AAL2_AUTHN_CONTEXT_CLASSREF + it 'has contents set to default AAL' do + expect(subject.content).to eq Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF end end end @@ -2056,7 +2056,7 @@ def stub_requested_attributes with('SAML Auth Request', { requested_ial: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF, service_provider: 'http://localhost:3000', - requested_aal_authn_context: Saml::Idp::Constants::AAL2_AUTHN_CONTEXT_CLASSREF, + requested_aal_authn_context: Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF, force_authn: false, }) expect(@analytics).to receive(:track_event).with('SAML Auth', analytics_hash) 
@@ -2094,7 +2094,7 @@ def stub_requested_attributes with('SAML Auth Request', { requested_ial: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF, service_provider: 'http://localhost:3000', - requested_aal_authn_context: Saml::Idp::Constants::AAL2_AUTHN_CONTEXT_CLASSREF, + requested_aal_authn_context: Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF, force_authn: false, }) expect(@analytics).to receive(:track_event).with('SAML Auth', analytics_hash) diff --git a/spec/features/openid_connect/openid_connect_spec.rb b/spec/features/openid_connect/openid_connect_spec.rb index c55cb3619fe..581edfa1d8e 100644 --- a/spec/features/openid_connect/openid_connect_spec.rb +++ b/spec/features/openid_connect/openid_connect_spec.rb @@ -10,7 +10,7 @@ visit_idp_from_ial1_oidc_sp cookie = cookies.find { |c| c.name == 'sp_issuer' }.value - expect(cookie).to eq(OidcAuthHelper::OIDC_ISSUER) + expect(cookie).to eq(OidcAuthHelper::OIDC_IAL1_ISSUER) end it 'receives an ID token with a kid that matches the certs endpooint' do diff --git a/spec/features/remember_device/sp_expiration_spec.rb b/spec/features/remember_device/sp_expiration_spec.rb index 25514f5f48d..aeeded7e91a 100644 --- a/spec/features/remember_device/sp_expiration_spec.rb +++ b/spec/features/remember_device/sp_expiration_spec.rb @@ -115,7 +115,7 @@ before do allow(IdentityConfig.store).to receive(:otp_delivery_blocklist_maxretry).and_return(1000) - ServiceProvider.find_by(issuer: 'urn:gov:gsa:openidconnect:sp:server').update!( + ServiceProvider.find_by(issuer: OidcAuthHelper::OIDC_IAL1_ISSUER).update!( default_aal: aal, ial: ial, ) From ea4bc5c1c7f4373819fc27fa2266232dbea1bd29 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Fri, 4 Aug 2023 10:05:53 -0500 Subject: [PATCH 05/10] refactor sp expiration spec --- .../remember_device/sp_expiration_spec.rb | 118 ++++++++++-------- 1 file changed, 64 insertions(+), 54 deletions(-) 
diff --git a/spec/features/remember_device/sp_expiration_spec.rb b/spec/features/remember_device/sp_expiration_spec.rb index aeeded7e91a..f2dbfdeb3ae 100644 --- a/spec/features/remember_device/sp_expiration_spec.rb +++ b/spec/features/remember_device/sp_expiration_spec.rb @@ -1,14 +1,22 @@ require 'rails_helper' -RSpec.shared_examples 'expiring remember device for an sp config' do |expiration_time, protocol| +RSpec.shared_examples 'expiring remember device for an sp config' do |expiration_time, protocol, aal| before do user # Go through the signup flow and remember user before visiting SP end + def visit_sp(protocol, aal) + if aal == 2 + visit_idp_from_sp_with_ial1_aal2(protocol) + else + visit_idp_from_sp_with_ial1(protocol) + end + end + context "#{protocol}: signing in" do it "does not require MFA before #{expiration_time.inspect}" do travel_to(expiration_time.from_now - 1.day) do - visit_idp_from_sp_with_ial1(protocol) + visit_sp(protocol, aal) sign_in_user(user) click_submit_default if protocol == :saml expect(page).to have_current_path(sign_up_completed_path) @@ -17,22 +25,7 @@ it "does require MFA after #{expiration_time.inspect}" do travel_to(expiration_time.from_now + 1.day) do - visit_idp_from_sp_with_ial1(protocol) - sign_in_user(user) - - expect(page).to have_content(t('two_factor_authentication.header_text')) - expect(current_path).to eq(login_two_factor_path(otp_delivery_preference: :sms)) - - fill_in_code_with_last_phone_otp - protocol == :saml ? click_submit_default_twice : click_submit_default - - expect(page).to have_current_path(sign_up_completed_path) - end - end - - it 'requires MFA when AAL2 request is sent after 12 hours' do - travel_to(12.hours.from_now + 1.day) do - visit_idp_from_sp_with_ial1_aal2(protocol) + visit_sp(protocol, aal) sign_in_user(user) expect(page).to have_content(t('two_factor_authentication.header_text')) 
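Review bot: `travel_to(expiration_time.from_now - 1.day)` in the "does not require MFA before" example becomes a trip one day into the past whenever `expiration_time` is zero, which patch 01 makes the AAL2 default; the remembered device is then checked at a time before it was issued, and the example passes only because the elapsed time is negative, not because any window exists. When there is no window the example should be skipped rather than run: add `skip 'remember device disabled for this AAL' if expiration_time.zero?` as the first line of that `it`, or wrap the `it` in `unless expiration_time.zero?`. In the new `visit_sp(protocol, aal)` helper only `aal == 2` is honoured and any other value silently falls through to the plain IAL1 request, which deserves a comment such as `# nil or 1: rely on the SP's default_aal`. The shared example's body continues past this hunk.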
@@ -44,50 +37,45 @@ expect(page).to have_current_path(sign_up_completed_path) end end - end - context "#{protocol}: visiting while already signed in" do - it "does not require MFA before #{expiration_time.inspect}" do - travel_to(expiration_time.from_now - 1.day) do - sign_in_user(user) - visit_idp_from_sp_with_ial1(protocol) + context "#{protocol}: visiting while already signed in" do + it "does not require MFA before #{expiration_time.inspect}" do + travel_to(expiration_time.from_now - 1.day) do + sign_in_user(user) + visit_sp(protocol, aal) - expect(page).to have_current_path(sign_up_completed_path) + expect(page).to have_current_path(sign_up_completed_path) + end end - end - it "does require MFA after #{expiration_time.inspect}" do - travel_to(expiration_time.from_now + 1.day) do - if expiration_time == 30.days - sign_in_live_with_2fa(user) - visit_idp_from_sp_with_ial1(protocol) - else + it "does require MFA after #{expiration_time.inspect}" do + travel_to(expiration_time.from_now + 1.day) do sign_in_user(user) - visit_idp_from_sp_with_ial1(protocol) + visit_sp(protocol, aal) - expect(page).to have_content(t('two_factor_authentication.header_text')) expect(current_path).to eq(login_two_factor_path(otp_delivery_preference: :sms)) + expect(page).to have_content(t('two_factor_authentication.header_text')) fill_in_code_with_last_phone_otp protocol == :saml ? 
click_submit_default_twice : click_submit_default - end - expect(page).to have_current_path(sign_up_completed_path) + expect(page).to have_current_path(sign_up_completed_path) + end end - end - it 'does require MFA when AAL2 request is sent after 12 hours' do - travel_to(12.hours.from_now + 1.day) do - visit_idp_from_sp_with_ial1_aal2(protocol) - sign_in_user(user) + it 'does require MFA when AAL2 request is sent after configured AAL2 timeframe' do + travel_to(AAL2_REMEMBER_DEVICE_EXPIRATION.from_now + 1.day) do + visit_idp_from_sp_with_ial1_aal2(protocol) + sign_in_user(user) - expect(page).to have_content(t('two_factor_authentication.header_text')) - expect(current_path).to eq(login_two_factor_path(otp_delivery_preference: :sms)) + expect(page).to have_content(t('two_factor_authentication.header_text')) + expect(current_path).to eq(login_two_factor_path(otp_delivery_preference: :sms)) - fill_in_code_with_last_phone_otp - protocol == :saml ? click_submit_default_twice : click_submit_default + fill_in_code_with_last_phone_otp + protocol == :saml ? click_submit_default_twice : click_submit_default - expect(page).to have_current_path(sign_up_completed_path) + expect(page).to have_current_path(sign_up_completed_path) + end end end end @@ -95,6 +83,10 @@ RSpec.feature 'remember device sp expiration' do include SamlAuthHelper + AAL1_REMEMBER_DEVICE_EXPIRATION = + IdentityConfig.store.remember_device_expiration_hours_aal_1.hours + AAL2_REMEMBER_DEVICE_EXPIRATION = + IdentityConfig.store.remember_device_expiration_hours_aal_2.hours let(:user) do user_record = sign_up_and_set_password 
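Review bot: The removed `end` after the first "does require MFA" example together with the re-indented `context "#{protocol}: visiting while already signed in"` lines nests that context inside `context "#{protocol}: signing in"`, so its examples now report under "signing in: visiting while already signed in", and the AAL2 example kept inside it visits the SP and then calls `sign_in_user`, which is the signing-in flow rather than the already-signed-in one its description promises. I would restore the outer `end` so the two contexts are siblings again and either move "does require MFA when AAL2 request is sent after configured AAL2 timeframe" back into the signing-in context or drop it, since the new "AAL1 and IAL1 SP requesting AAL2" context in this patch already drives the same scenario through `aal = 2`. The old `sign_in_live_with_2fa` special case for the 30-day window was also dropped; after an expired AAL1 window `sign_in_user` should itself land on the MFA page, so the assertion still holds, but confirm the SAML `click_submit_default_twice` path still reaches `sign_up_completed_path` from there. The enclosing shared example starts before this hunk.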
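Review bot: `AAL1_REMEMBER_DEVICE_EXPIRATION` and `AAL2_REMEMBER_DEVICE_EXPIRATION` are assigned inside the `RSpec.feature` block, and a Ruby block does not open a constant scope, so both land on `Object` and are visible to every spec loaded afterwards (RuboCop's `Lint/ConstantDefinitionInBlock` flags exactly this). They are also read from `IdentityConfig.store` once at load time, so an `allow(IdentityConfig.store).to receive(:remember_device_expiration_hours_aal_2)` stub in a `before` hook cannot affect the shared examples, which see the config only through these constants. Because `it_behaves_like` arguments are evaluated at definition time a `let` cannot replace them; either define them at file top level with a comment like `# intentionally file-global: consumed by it_behaves_like arguments at load time`, or pass a symbol (`:aal1`/`:aal2`) to the shared example and resolve it to `IdentityConfig.store.remember_device_expiration_hours_aal_*.hours` inside each `it`, so stubs apply. The `let(:user)` block that closes this hunk continues past it.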
@@ -130,32 +122,50 @@ let(:aal) { 2 } let(:ial) { 1 } - it_behaves_like 'expiring remember device for an sp config', 12.hours, :oidc - it_behaves_like 'expiring remember device for an sp config', 12.hours, :saml + it_behaves_like 'expiring remember device for an sp config', AAL2_REMEMBER_DEVICE_EXPIRATION, + :oidc + it_behaves_like 'expiring remember device for an sp config', AAL2_REMEMBER_DEVICE_EXPIRATION, + :saml end context 'with an IAL2 SP' do let(:aal) { 1 } let(:ial) { 2 } - it_behaves_like 'expiring remember device for an sp config', 12.hours, :oidc - it_behaves_like 'expiring remember device for an sp config', 12.hours, :saml + it_behaves_like 'expiring remember device for an sp config', AAL2_REMEMBER_DEVICE_EXPIRATION, + :oidc + it_behaves_like 'expiring remember device for an sp config', AAL2_REMEMBER_DEVICE_EXPIRATION, + :saml end context 'with an AAL2 and IAL2 SP' do let(:aal) { 2 } let(:ial) { 2 } - it_behaves_like 'expiring remember device for an sp config', 12.hours, :oidc - it_behaves_like 'expiring remember device for an sp config', 12.hours, :saml + it_behaves_like 'expiring remember device for an sp config', AAL2_REMEMBER_DEVICE_EXPIRATION, + :oidc + it_behaves_like 'expiring remember device for an sp config', AAL2_REMEMBER_DEVICE_EXPIRATION, + :saml end context 'with an AAL1 and IAL1 SP' do let(:aal) { 1 } let(:ial) { 1 } - it_behaves_like 'expiring remember device for an sp config', 30.days, :oidc - it_behaves_like 'expiring remember device for an sp config', 30.days, :saml + it_behaves_like 'expiring remember device for an sp config', AAL1_REMEMBER_DEVICE_EXPIRATION, + :oidc + it_behaves_like 'expiring remember device for an sp config', AAL1_REMEMBER_DEVICE_EXPIRATION, + :saml + end + + context 'with an AAL1 and IAL1 SP requesting AAL2' do + let(:aal) { 1 } + let(:ial) { 1 } + + it_behaves_like 'expiring remember device for an sp config', AAL2_REMEMBER_DEVICE_EXPIRATION, + :oidc, 2 + it_behaves_like 'expiring remember device for an sp 
config', AAL2_REMEMBER_DEVICE_EXPIRATION, + :saml, 2 end end end From a60a6680a86d14177de8933939bdd6a9684b4c88 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Fri, 4 Aug 2023 10:07:54 -0500 Subject: [PATCH 06/10] fix spec --- spec/features/reports/sp_active_users_report_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/features/reports/sp_active_users_report_spec.rb b/spec/features/reports/sp_active_users_report_spec.rb index 2064aaa5657..63e704a0804 100644 --- a/spec/features/reports/sp_active_users_report_spec.rb +++ b/spec/features/reports/sp_active_users_report_spec.rb @@ -13,7 +13,7 @@ click_agree_and_continue expect(current_url).to start_with('http://localhost:7654/auth/result') - results = [{ issuer: 'urn:gov:gsa:openidconnect:sp:server', + results = [{ issuer: 'urn:gov:gsa:openidconnect:sp:server_ial1', app_id: nil, total_ial1_active: 1, total_ial2_active: 0 }].to_json From 5a77d27be91f5c0828e357a30d26f1ad45b40001 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Fri, 4 Aug 2023 10:14:04 -0500 Subject: [PATCH 07/10] update specs --- spec/features/idv/doc_auth/verify_info_step_spec.rb | 2 +- spec/features/reports/sp_active_users_report_spec.rb | 2 +- spec/features/sign_in/banned_users_spec.rb | 3 ++- spec/features/users/sign_up_spec.rb | 2 +- 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/spec/features/idv/doc_auth/verify_info_step_spec.rb b/spec/features/idv/doc_auth/verify_info_step_spec.rb index 25fade79048..287bd42bb9f 100644 --- a/spec/features/idv/doc_auth/verify_info_step_spec.rb +++ b/spec/features/idv/doc_auth/verify_info_step_spec.rb 
@@ -324,7 +324,7 @@ context 'when the SP is in the AAMVA banlist' do it 'does not perform the state ID check' do allow(IdentityConfig.store).to receive(:aamva_sp_banlist_issuers). - and_return('["urn:gov:gsa:openidconnect:sp:server"]') + and_return("[\"#{OidcAuthHelper::OIDC_IAL1_ISSUER}\"]") user = create(:user, :fully_registered) expect_any_instance_of(Idv::Agent). to receive(:proof_resolution). diff --git a/spec/features/reports/sp_active_users_report_spec.rb b/spec/features/reports/sp_active_users_report_spec.rb index 63e704a0804..f5586511427 100644 --- a/spec/features/reports/sp_active_users_report_spec.rb +++ b/spec/features/reports/sp_active_users_report_spec.rb @@ -13,7 +13,7 @@ click_agree_and_continue expect(current_url).to start_with('http://localhost:7654/auth/result') - results = [{ issuer: 'urn:gov:gsa:openidconnect:sp:server_ial1', + results = [{ issuer: OidcAuthHelper::OIDC_IAL1_ISSUER, app_id: nil, total_ial1_active: 1, total_ial2_active: 0 }].to_json diff --git a/spec/features/sign_in/banned_users_spec.rb b/spec/features/sign_in/banned_users_spec.rb index 57d473ff161..4e333e815ea 100644 --- a/spec/features/sign_in/banned_users_spec.rb +++ b/spec/features/sign_in/banned_users_spec.rb @@ -2,6 +2,7 @@ RSpec.feature 'Banning users for an SP' do include SamlAuthHelper + include OidcAuthHelper context 'a user is banned from all SPs' do it 'does not let the user sign in to any SP' do @@ -45,7 +46,7 @@ it 'bans the user from signing in to the banned SP but allows other sign ins' do user = create(:user, :fully_registered) - SignInRestriction.create(user: user, service_provider: 'urn:gov:gsa:openidconnect:sp:server') + SignInRestriction.create(user: user, service_provider: OidcAuthHelper::OIDC_IAL1_ISSUER) sign_in_live_with_2fa(user) expect(current_path).to eq(account_path) diff --git a/spec/features/users/sign_up_spec.rb b/spec/features/users/sign_up_spec.rb index cf296af76fd..df7f6be12f5 100644 --- a/spec/features/users/sign_up_spec.rb 
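Review bot: `and_return("[\"#{OidcAuthHelper::OIDC_IAL1_ISSUER}\"]")` hand-assembles a JSON array by string interpolation, which breaks silently if the issuer ever contains a quote or backslash and hides what the value is; `and_return([OidcAuthHelper::OIDC_IAL1_ISSUER].to_json)` yields the same string and states the intent. The surrounding `it` block runs past this hunk.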
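Review bot: The added `include OidcAuthHelper` in `banned_users_spec.rb` does not appear to be needed by the line this series changes, which still references the constant fully qualified as `OidcAuthHelper::OIDC_IAL1_ISSUER`; because the `RSpec.feature` block's lexical scope is the file's top level, including the module into the example group would not make a bare `OIDC_IAL1_ISSUER` resolve anyway. Only two hunks of this file are visible, so if no `OidcAuthHelper` method is called elsewhere in it the `include` is dead and should be dropped; otherwise keep it and leave the qualified constant as written.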
+++ b/spec/features/users/sign_up_spec.rb @@ -389,7 +389,7 @@ def clipboard_text end it 'does not show the remember device option as the default when the SP is AAL2' do - ServiceProvider.find_by(issuer: 'urn:gov:gsa:openidconnect:sp:server').update!( + ServiceProvider.find_by(issuer: OidcAuthHelper::OIDC_IAL1_ISSUER).update!( default_aal: 2, ) visit_idp_from_sp_with_ial1(:oidc) From 2008409fd2346cfce9e15a9ea724e3c050b884a2 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Fri, 4 Aug 2023 10:17:11 -0500 Subject: [PATCH 08/10] fix lint --- spec/features/remember_device/sp_expiration_spec.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/spec/features/remember_device/sp_expiration_spec.rb b/spec/features/remember_device/sp_expiration_spec.rb index f2dbfdeb3ae..d7307451a8a 100644 --- a/spec/features/remember_device/sp_expiration_spec.rb +++ b/spec/features/remember_device/sp_expiration_spec.rb @@ -1,6 +1,8 @@ require 'rails_helper' +# rubocop:disable Layout/LineLength RSpec.shared_examples 'expiring remember device for an sp config' do |expiration_time, protocol, aal| + # rubocop:enable Layout/LineLength before do user # Go through the signup flow and remember user before visiting SP end From 0f05cf61c1a98a4c80ec5956aae2494754294a19 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Fri, 4 Aug 2023 10:37:57 -0500 Subject: [PATCH 09/10] fix specs --- spec/features/saml/saml_spec.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/spec/features/saml/saml_spec.rb b/spec/features/saml/saml_spec.rb index 2e155ee2c23..b77825ef175 100644 --- a/spec/features/saml/saml_spec.rb +++ b/spec/features/saml/saml_spec.rb @@ -340,6 +340,7 @@ # log in for second time fill_in_credentials_and_submit(user.email, user.password) + fill_in_code_with_last_phone_otp click_submit_default_twice xmldoc = SamlResponseDoc.new('feature', 'response_assertion') 
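Review bot: The `# rubocop:disable Layout/LineLength` / `# rubocop:enable Layout/LineLength` pair around the `RSpec.shared_examples` line in `sp_expiration_spec.rb` silences the cop instead of fixing the line; Ruby accepts a newline after a comma inside block parameters, so `RSpec.shared_examples 'expiring remember device for an sp config' do |expiration_time,` followed by an indented `protocol, aal|` fits without any directive. That also makes the new third parameter `aal`, which most `it_behaves_like` calls in this series omit, easier to spot. The shared example's body continues past this hunk.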
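Review bot: The new `fill_in_code_with_last_phone_otp` before `click_submit_default_twice` in `saml_spec.rb` makes the second sign-in pass through MFA, but nothing in the spec says why a user who just authenticated is prompted for an OTP again. Whether that follows from the AAL2 remember-device window being set to 0 hours earlier in this series or from the request now carrying the default AAL context, the reason belongs next to the line, e.g. `# the remembered device no longer satisfies this request, so MFA is required again on the second login`; without it the next person who sees the OTP prompt appear will not know which knob changed. The example continues past this hunk.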
@@ -408,7 +409,7 @@ expect(fake_analytics.events['SAML Auth Request']).to eq( [{ requested_ial: 'http://idmanagement.gov/ns/assurance/ial/1', service_provider: 'http://localhost:3000', - requested_aal_authn_context: Saml::Idp::Constants::AAL2_AUTHN_CONTEXT_CLASSREF, + requested_aal_authn_context: Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF, force_authn: false }], ) expect(fake_analytics.events['SAML Auth'].count).to eq 2 @@ -467,7 +468,7 @@ expect(fake_analytics.events['SAML Auth Request']).to eq( [{ requested_ial: 'http://idmanagement.gov/ns/assurance/ial/1', service_provider: 'http://localhost:3000', - requested_aal_authn_context: Saml::Idp::Constants::AAL2_AUTHN_CONTEXT_CLASSREF, + requested_aal_authn_context: Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF, force_authn: false }], ) expect(fake_analytics.events['SAML Auth'].count).to eq 2 From 621ef9d32a0e11175b47b26d6a7bb696372ead23 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Fri, 4 Aug 2023 10:56:21 -0500 Subject: [PATCH 10/10] fix spec --- spec/features/sign_in/remember_device_default_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/features/sign_in/remember_device_default_spec.rb b/spec/features/sign_in/remember_device_default_spec.rb index eb6d9ce1e9e..6679e98eca3 100644 --- a/spec/features/sign_in/remember_device_default_spec.rb +++ b/spec/features/sign_in/remember_device_default_spec.rb @@ -21,7 +21,7 @@ it 'does not have remember device checked' do user = create(:user, :fully_registered) - visit_idp_from_sp_with_ial1(:oidc) + visit_idp_from_sp_with_ial1_aal2(:oidc) fill_in_credentials_and_submit(user.email, user.password) expect(page).to_not have_checked_field t('forms.messages.remember_device') end