diff --git a/app/controllers/openid_connect/authorization_controller.rb b/app/controllers/openid_connect/authorization_controller.rb index 1baa9ad5024..e35fe9164a9 100644 --- a/app/controllers/openid_connect/authorization_controller.rb +++ b/app/controllers/openid_connect/authorization_controller.rb @@ -76,7 +76,10 @@ def handle_successful_handoff track_events SpHandoffBounce::AddHandoffTimeToSession.call(sp_session) - redirect_user(@authorize_form.success_redirect_uri) + redirect_user( + @authorize_form.success_redirect_uri, + current_user.uuid, + ) delete_branded_experience end @@ -127,7 +130,7 @@ def pre_validate_authorize_form if redirect_uri.nil? render :error else - redirect_user(redirect_uri) + redirect_user(redirect_uri, current_user&.uuid) end end @@ -186,15 +189,20 @@ def track_events track_billing_events end - def redirect_user(redirect_uri) - case IdentityConfig.store.openid_connect_redirect - when :client_side + def redirect_user(redirect_uri, user_uuid) + redirect_method = IdentityConfig.store.openid_connect_redirect_uuid_override_map.fetch( + user_uuid, + IdentityConfig.store.openid_connect_redirect, + ) + + case redirect_method + when 'client_side' @oidc_redirect_uri = redirect_uri render( 'openid_connect/shared/redirect', layout: false, ) - when :client_side_js + when 'client_side_js' @oidc_redirect_uri = redirect_uri render( 'openid_connect/shared/redirect_js', diff --git a/app/controllers/openid_connect/logout_controller.rb b/app/controllers/openid_connect/logout_controller.rb index 3fa57af6885..fd549921441 100644 --- a/app/controllers/openid_connect/logout_controller.rb +++ b/app/controllers/openid_connect/logout_controller.rb @@ -30,7 +30,7 @@ def delete analytics.logout_initiated(**result.to_h.except(:redirect_uri)) irs_attempts_api_tracker.logout_initiated(success: result.success?) - redirect_user(redirect_uri) + redirect_user(redirect_uri, current_user&.uuid) sign_out else render :error 
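Review bot: The value returned by `openid_connect_redirect_uuid_override_map.fetch(...)` in the new `redirect_user` is used without checking it against the allowed methods, whereas `openid_connect_redirect` itself is limited to `server_side`, `client_side` and `client_side_js` by its enum in lib/identity_config.rb. A typo in the map would miss both `when` branches and land in code outside this hunk, so the override would silently select whatever that path does. I would fall back to the global setting for unknown values, e.g. `redirect_method = IdentityConfig.store.openid_connect_redirect unless %w[server_side client_side client_side_js].include?(redirect_method)`, and log the mismatch. The same method is copied into logout_controller.rb (hunk at -39,15), so the check applies there too; moving `redirect_user` into a shared concern would keep the two copies in step.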
@@ -39,15 +39,20 @@ def delete private - def redirect_user(redirect_uri) - case IdentityConfig.store.openid_connect_redirect - when :client_side + def redirect_user(redirect_uri, user_uuid) + redirect_method = IdentityConfig.store.openid_connect_redirect_uuid_override_map.fetch( + user_uuid, + IdentityConfig.store.openid_connect_redirect, + ) + + case redirect_method + when 'client_side' @oidc_redirect_uri = redirect_uri render( 'openid_connect/shared/redirect', layout: false, ) - when :client_side_js + when 'client_side_js' @oidc_redirect_uri = redirect_uri render( 'openid_connect/shared/redirect_js', @@ -105,7 +110,7 @@ def handle_successful_logout_request(result, redirect_uri) sign_out - redirect_user(redirect_uri) + redirect_user(redirect_uri, current_user&.uuid) end end diff --git a/config/application.yml.default b/config/application.yml.default index f41cd6eb149..1df4e363f6f 100644 --- a/config/application.yml.default +++ b/config/application.yml.default @@ -211,6 +211,7 @@ minimum_wait_before_another_usps_letter_in_hours: 24 mx_timeout: 3 openid_connect_redirect: client_side_js openid_connect_content_security_form_action_enabled: false +openid_connect_redirect_uuid_override_map: '{}' otp_delivery_blocklist_maxretry: 10 otp_valid_for: 10 otp_expiration_warning_seconds: 150 diff --git a/lib/identity_config.rb b/lib/identity_config.rb index 1b17b4a86af..cc66f26af2f 100644 --- a/lib/identity_config.rb +++ b/lib/identity_config.rb @@ -322,8 +322,12 @@ def self.build_store(config_map) config.add(:nonessential_email_banlist, type: :json) config.add( :openid_connect_redirect, - type: :symbol, - enum: [:server_side, :client_side, :client_side_js], + type: :string, + enum: ['server_side', 'client_side', 'client_side_js'], + ) + config.add( + :openid_connect_redirect_uuid_override_map, + type: :json, ) config.add(:openid_connect_content_security_form_action_enabled, type: :boolean) config.add(:otp_delivery_blocklist_findtime, type: :integer) 
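Review bot: In `handle_successful_logout_request` the new call reads `current_user&.uuid` after `sign_out` has already run, so if `sign_out` clears the current user (as Devise's implementation does) the UUID is always nil here and the per-user override never applies on this path. The `delete` action in the -30,7 hunk calls `redirect_user` before `sign_out`, so the two logout paths behave differently. Capture the UUID first with `user_uuid = current_user&.uuid` ahead of `sign_out`, then call `redirect_user(redirect_uri, user_uuid)`. The method body starts outside the hunk.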
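Review bot: `openid_connect_redirect_uuid_override_map` is registered as plain `type: :json` with no comment, so nothing states that it must be a JSON object mapping a user UUID to a redirect method. Both controllers call `.fetch(user_uuid, default)` on it for every OIDC redirect, and a value that parses to something other than an object would presumably fail there at request time rather than at load time. I would document the expected shape above the `config.add`, e.g. `# JSON object: { "<user uuid>" => "server_side" | "client_side" | "client_side_js" }; overrides openid_connect_redirect for that user`. `build_store` continues outside the hunk.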
diff --git a/spec/controllers/openid_connect/authorization_controller_spec.rb b/spec/controllers/openid_connect/authorization_controller_spec.rb index 9c9727feb69..6b362094969 100644 --- a/spec/controllers/openid_connect/authorization_controller_spec.rb +++ b/spec/controllers/openid_connect/authorization_controller_spec.rb @@ -50,7 +50,7 @@ context 'with valid params' do it 'redirects back to the client app with a code if server-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:server_side) + and_return('server_side') IdentityLinker.new(user, service_provider).link_identity(ial: 1) user.identities.last.update!(verified_attributes: %w[given_name family_name birthdate]) action @@ -65,7 +65,7 @@ it 'renders a client-side redirect back to the client app with a code if it is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side) + and_return('client_side') IdentityLinker.new(user, service_provider).link_identity(ial: 1) user.identities.last.update!(verified_attributes: %w[given_name family_name birthdate]) action @@ -81,7 +81,7 @@ it 'renders a JS client-side redirect back to the client app with a code if it is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side_js) + and_return('client_side_js') IdentityLinker.new(user, service_provider).link_identity(ial: 1) user.identities.last.update!(verified_attributes: %w[given_name family_name birthdate]) action @@ -145,7 +145,7 @@ it 'redirects to the redirect_uri immediately when pii is unlocked if client-side redirect is disabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:server_side) + and_return('server_side') IdentityLinker.new(user, service_provider).link_identity(ial: 3) user.identities.last.update!( verified_attributes: %w[given_name family_name birthdate verified_at], 
@@ -158,7 +158,7 @@ it 'renders a client-side redirect back to the client app immediately if it is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side) + and_return('client_side') IdentityLinker.new(user, service_provider).link_identity(ial: 3) user.identities.last.update!( verified_attributes: %w[given_name family_name birthdate verified_at], 
@@ -172,7 +172,54 @@ it 'renders a JS client-side redirect back to the client app immediately if it is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side_js) + and_return('client_side_js') + IdentityLinker.new(user, service_provider).link_identity(ial: 3) + user.identities.last.update!( + verified_attributes: %w[given_name family_name birthdate verified_at], + ) + allow(controller).to receive(:pii_requested_but_locked?).and_return(false) + action + + expect(controller).to render_template('openid_connect/shared/redirect_js') + expect(assigns(:oidc_redirect_uri)).to start_with(params[:redirect_uri]) + end + + it 'redirects back to the client app immediately if UUID is overridden to server-side redirect' do + allow(IdentityConfig.store).to receive(:openid_connect_redirect). + and_return('client_side') + allow(IdentityConfig.store).to receive(:openid_connect_redirect_uuid_override_map). + and_return({ user.uuid => 'server_side' }) + IdentityLinker.new(user, service_provider).link_identity(ial: 3) + user.identities.last.update!( + verified_attributes: %w[given_name family_name birthdate verified_at], + ) + allow(controller).to receive(:pii_requested_but_locked?).and_return(false) + action + + expect(response).to redirect_to(/^#{params[:redirect_uri]}/) + end + + it 'renders a client-side redirect back to the client app immediately if UUID is overridden to client-side redirect' do + allow(IdentityConfig.store).to receive(:openid_connect_redirect). + and_return('server_side') + allow(IdentityConfig.store).to receive(:openid_connect_redirect_uuid_override_map). 
+ and_return({ user.uuid => 'client_side' }) + IdentityLinker.new(user, service_provider).link_identity(ial: 3) + user.identities.last.update!( + verified_attributes: %w[given_name family_name birthdate verified_at], + ) + allow(controller).to receive(:pii_requested_but_locked?).and_return(false) + action + + expect(controller).to render_template('openid_connect/shared/redirect') + expect(assigns(:oidc_redirect_uri)).to start_with(params[:redirect_uri]) + end + + it 'renders a JS client-side redirect back to the client app immediately if UUID is overridden to JS client-side redirect' do + allow(IdentityConfig.store).to receive(:openid_connect_redirect). + and_return('server_side') + allow(IdentityConfig.store).to receive(:openid_connect_redirect_uuid_override_map). + and_return({ user.uuid => 'client_side_js' }) IdentityLinker.new(user, service_provider).link_identity(ial: 3) user.identities.last.update!( verified_attributes: %w[given_name family_name birthdate verified_at], @@ -339,7 +386,7 @@ it 'redirects to the redirect_uri immediately when pii is unlocked if server-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:server_side) + and_return('server_side') IdentityLinker.new(user, service_provider).link_identity(ial: 3) user.identities.last.update!( verified_attributes: %w[given_name family_name birthdate verified_at], @@ -352,7 +399,7 @@ it 'renders client-side redirect to the client app immediately if PII is unlocked and it is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side) + and_return('client_side') IdentityLinker.new(user, service_provider).link_identity(ial: 3) user.identities.last.update!( 
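Review bot: The new server-side example asserts `redirect_to(/^#{params[:redirect_uri]}/)`, which interpolates the URI into the regex unescaped and anchors with `^` rather than `\A`. Dots and other metacharacters in the URI then match any character, so the assertion can pass for a redirect target that is not the registered URI. `expect(response).to redirect_to(/\A#{Regexp.escape(params[:redirect_uri])}/)` pins the prefix exactly. The same pattern is added in the -697,7 hunk of this file and, with `post_logout_redirect_uri`, in the -81,7 and -382,7 hunks of logout_controller_spec.rb.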
@@ -367,7 +414,7 @@ it 'renders JS client-side redirect to the client app immediately if PII is unlocked and it is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side_js) + and_return('client_side_js') IdentityLinker.new(user, service_provider).link_identity(ial: 3) user.identities.last.update!( @@ -435,7 +482,7 @@ context 'account is not already verified' do it 'redirects to the redirect_uri immediately without proofing if server-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:server_side) + and_return('server_side') IdentityLinker.new(user, service_provider).link_identity(ial: 1) user.identities.last.update!( verified_attributes: %w[given_name family_name birthdate verified_at], @@ -448,7 +495,7 @@ it 'renders client-side redirect to the client app immediately if client-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side) + and_return('client_side') IdentityLinker.new(user, service_provider).link_identity(ial: 1) user.identities.last.update!( @@ -462,7 +509,7 @@ it 'renders JS client-side redirect to the client app immediately if JS client-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side_js) + and_return('client_side_js') IdentityLinker.new(user, service_provider).link_identity(ial: 1) user.identities.last.update!( @@ -519,7 +566,7 @@ it 'redirects to the redirect_uri immediately without proofing if server-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:server_side) + and_return('server_side') IdentityLinker.new(user, service_provider).link_identity(ial: 1) user.identities.last.update!( 
@@ -533,7 +580,7 @@ it 'renders client-side redirect to the client app immediately if client-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side) + and_return('client_side') IdentityLinker.new(user, service_provider).link_identity(ial: 1) user.identities.last.update!( @@ -547,7 +594,7 @@ it 'renders JS client-side redirect to the client app immediately if JS client-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side_js) + and_return('client_side_js') IdentityLinker.new(user, service_provider).link_identity(ial: 1) user.identities.last.update!( @@ -622,7 +669,7 @@ it 'redirects back to the client app with a code if client-side redirect is disabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:server_side) + and_return('server_side') action expect(response).to redirect_to(/^#{params[:redirect_uri]}/) @@ -635,7 +682,7 @@ it 'renders a client-side redirect back to the client app with a code if it is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side) + and_return('client_side') action @@ -649,7 +696,7 @@ it 'renders a JS client-side redirect back to the client app with a code if it is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side_js) + and_return('client_side_js') action @@ -668,7 +715,7 @@ it 'redirects the user with an invalid request if client-side redirect is disabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:server_side) + and_return('server_side') action expect(response).to redirect_to(/^#{params[:redirect_uri]}/) 
@@ -682,7 +729,7 @@ it 'renders client-side redirect with an invalid request if client-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side) + and_return('client_side') action expect(controller).to render_template('openid_connect/shared/redirect') 
@@ -697,7 +744,57 @@ it 'renders JS client-side redirect with an invalid request if JS client-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side_js) + and_return('client_side_js') + action + + expect(controller).to render_template('openid_connect/shared/redirect_js') + expect(assigns(:oidc_redirect_uri)).to start_with(params[:redirect_uri]) + + redirect_params = UriService.params(assigns(:oidc_redirect_uri)) + + expect(redirect_params[:error]).to eq('invalid_request') + expect(redirect_params[:error_description]).to be_present + expect(redirect_params[:state]).to eq(params[:state]) + end + + it 'redirects the user with an invalid request if UUID is in server-side redirect list' do + allow(IdentityConfig.store).to receive(:openid_connect_redirect). + and_return('client_side') + allow(IdentityConfig.store).to receive(:openid_connect_redirect_uuid_override_map). + and_return({ user.uuid => 'server_side' }) + action + + expect(response).to redirect_to(/^#{params[:redirect_uri]}/) + + redirect_params = UriService.params(response.location) + + expect(redirect_params[:error]).to eq('invalid_request') + expect(redirect_params[:error_description]).to be_present + expect(redirect_params[:state]).to eq(params[:state]) + end + + it 'renders client-side redirect with an invalid request if UUID is overriden for client-side redirect' do + allow(IdentityConfig.store).to receive(:openid_connect_redirect). + and_return('server_side') + allow(IdentityConfig.store).to receive(:openid_connect_redirect_uuid_override_map). 
+ and_return({ user.uuid => 'client_side' }) + action + + expect(controller).to render_template('openid_connect/shared/redirect') + expect(assigns(:oidc_redirect_uri)).to start_with(params[:redirect_uri]) + + redirect_params = UriService.params(assigns(:oidc_redirect_uri)) + + expect(redirect_params[:error]).to eq('invalid_request') + expect(redirect_params[:error_description]).to be_present + expect(redirect_params[:state]).to eq(params[:state]) + end + + it 'renders JS client-side redirect with an invalid request if UUID is overriden for JS client-side redirect' do + allow(IdentityConfig.store).to receive(:openid_connect_redirect). + and_return('server_side') + allow(IdentityConfig.store).to receive(:openid_connect_redirect_uuid_override_map). + and_return({ user.uuid => 'client_side_js' }) action expect(controller).to render_template('openid_connect/shared/redirect_js') @@ -775,7 +872,7 @@ it 'handles the error and does not blow up when server-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:server_side) + and_return('server_side') action expect(response).to redirect_to(/^#{params[:redirect_uri]}/) @@ -783,7 +880,7 @@ it 'handles the error and does not blow up when client-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side) + and_return('client_side') action expect(controller).to render_template('openid_connect/shared/redirect') @@ -792,7 +889,7 @@ it 'handles the error and does not blow up when client-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side_js) + and_return('client_side_js') action expect(controller).to render_template('openid_connect/shared/redirect_js') 
@@ -816,7 +913,7 @@ it 'redirects the user if server-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:server_side) + and_return('server_side') action expect(response).to redirect_to(/^#{params[:redirect_uri]}/) @@ -830,7 +927,7 @@ it 'renders a client-side redirect if client-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side) + and_return('client_side') action expect(controller).to render_template('openid_connect/shared/redirect') @@ -845,7 +942,7 @@ it 'renders a JS client-side redirect if JS client-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side_js) + and_return('client_side_js') action expect(controller).to render_template('openid_connect/shared/redirect_js') diff --git a/spec/controllers/openid_connect/logout_controller_spec.rb b/spec/controllers/openid_connect/logout_controller_spec.rb index 8d7d502fe64..a6cb848065c 100644 --- a/spec/controllers/openid_connect/logout_controller_spec.rb +++ b/spec/controllers/openid_connect/logout_controller_spec.rb @@ -64,7 +64,7 @@ it 'redirects back to the client if server-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:server_side) + and_return('server_side') action expect(response).to redirect_to(/^#{post_logout_redirect_uri}/) @@ -72,7 +72,7 @@ it 'renders client-side redirect if client-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side) + and_return('client_side') action expect(controller).to render_template('openid_connect/shared/redirect') 
@@ -81,7 +81,39 @@ it 'renders JS client-side redirect if client-side JS redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side_js) + and_return('client_side_js') + action + + expect(controller).to render_template('openid_connect/shared/redirect_js') + expect(assigns(:oidc_redirect_uri)).to start_with(post_logout_redirect_uri) + end + + it 'redirects back to the client if UUID set to server-side redirect' do + allow(IdentityConfig.store).to receive(:openid_connect_redirect). + and_return('client_side') + allow(IdentityConfig.store).to receive(:openid_connect_redirect_uuid_override_map). + and_return({ user.uuid => 'server_side' }) + action + + expect(response).to redirect_to(/^#{post_logout_redirect_uri}/) + end + + it 'renders client-side redirect if UUID set to to client-side redirect' do + allow(IdentityConfig.store).to receive(:openid_connect_redirect). + and_return('server_side') + allow(IdentityConfig.store).to receive(:openid_connect_redirect_uuid_override_map). + and_return({ user.uuid => 'client_side' }) + action + + expect(controller).to render_template('openid_connect/shared/redirect') + expect(assigns(:oidc_redirect_uri)).to start_with(post_logout_redirect_uri) + end + + it 'renders JS client-side redirect if UUID set to JS client-side redirect' do + allow(IdentityConfig.store).to receive(:openid_connect_redirect). + and_return('server_side') + allow(IdentityConfig.store).to receive(:openid_connect_redirect_uuid_override_map). + and_return({ user.uuid => 'client_side_js' }) action expect(controller).to render_template('openid_connect/shared/redirect_js') @@ -195,7 +227,7 @@ context 'user is not signed in' do it 'renders server-side redirect if server-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:server_side) + and_return('server_side') action expect(response).to redirect_to(/^#{post_logout_redirect_uri}/) 
@@ -203,7 +235,7 @@ it 'redirects back to the client if client-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side) + and_return('client_side') action expect(controller).to render_template('openid_connect/shared/redirect') @@ -212,7 +244,7 @@ it 'redirects back to the client if JS client-side redirect is enabledj' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side_js) + and_return('client_side_js') action expect(controller).to render_template('openid_connect/shared/redirect_js') @@ -318,7 +350,7 @@ context 'user is not signed in' do it 'redirects back to the client if server-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:server_side) + and_return('server_side') action expect(response).to redirect_to(/^#{post_logout_redirect_uri}/) @@ -326,7 +358,7 @@ it 'renders client-side redirect if client-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side) + and_return('client_side') action expect(controller).to render_template('openid_connect/shared/redirect') @@ -335,7 +367,7 @@ it 'renders JS client-side redirect if JS client-side redirect is enabled' do allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side_js) + and_return('client_side_js') action expect(controller).to render_template('openid_connect/shared/redirect_js') @@ -363,7 +395,7 @@ it 'destroys the session and redirects to client if server-side redirect is enabled' do expect(controller).to receive(:sign_out) allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:server_side) + and_return('server_side') action expect(response).to redirect_to(/^#{post_logout_redirect_uri}/) 
@@ -372,7 +404,7 @@ it 'destroys session and renders client-side redirect if enabled' do expect(controller).to receive(:sign_out) allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side) + and_return('client_side') action expect(controller).to render_template('openid_connect/shared/redirect') 
@@ -382,7 +414,42 @@ it 'destroys session and renders JS client-side redirect if enabled' do expect(controller).to receive(:sign_out) allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side_js) + and_return('client_side_js') + action + + expect(controller).to render_template('openid_connect/shared/redirect_js') + expect(assigns(:oidc_redirect_uri)).to start_with(post_logout_redirect_uri) + end + + it 'destroys the session and redirects to client if UUID set to server-side redirect' do + expect(controller).to receive(:sign_out) + allow(IdentityConfig.store).to receive(:openid_connect_redirect). + and_return('client_side') + allow(IdentityConfig.store).to receive(:openid_connect_redirect_uuid_override_map). + and_return({ user.uuid => 'server_side' }) + action + + expect(response).to redirect_to(/^#{post_logout_redirect_uri}/) + end + + it 'destroys session and renders client-side redirect if UUID is set to client-side' do + expect(controller).to receive(:sign_out) + allow(IdentityConfig.store).to receive(:openid_connect_redirect). + and_return('server_side') + allow(IdentityConfig.store).to receive(:openid_connect_redirect_uuid_override_map). + and_return({ user.uuid => 'client_side' }) + action + + expect(controller).to render_template('openid_connect/shared/redirect') + expect(assigns(:oidc_redirect_uri)).to start_with(post_logout_redirect_uri) + end + + it 'destroy session and render JS client-side redirect if UUID set to JS client-side' do + expect(controller).to receive(:sign_out) + allow(IdentityConfig.store).to receive(:openid_connect_redirect). + and_return('server_side') + allow(IdentityConfig.store).to receive(:openid_connect_redirect_uuid_override_map). + and_return({ user.uuid => 'client_side_js' }) action expect(controller).to render_template('openid_connect/shared/redirect_js') 
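Review bot: The three added examples set `expect(controller).to receive(:sign_out)` without `and_call_original`, so the real sign-out never runs and `current_user` is still populated when `redirect_user` looks up the override. That hides the ordering in `handle_successful_logout_request`, where `sign_out` precedes `current_user&.uuid`; which action these examples reach is not visible in the hunk. Using `expect(controller).to receive(:sign_out).and_call_original` in the override examples would make them fail if the UUID is read after the session is destroyed.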
@@ -416,7 +483,7 @@ it 'destroys the session and redirects if client-side redirect is disabled' do expect(controller).to receive(:sign_out) allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:server_side) + and_return('server_side') action expect(response).to redirect_to(/^#{post_logout_redirect_uri}/) @@ -425,7 +492,7 @@ it 'destroys the session and renders client-side redirect if enabled' do expect(controller).to receive(:sign_out) allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side) + and_return('client_side') action expect(controller).to render_template('openid_connect/shared/redirect') @@ -435,7 +502,7 @@ it 'destroys the session and renders JS client-side redirect if enabled' do expect(controller).to receive(:sign_out) allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side_js) + and_return('client_side_js') action expect(controller).to render_template('openid_connect/shared/redirect_js') @@ -602,7 +669,7 @@ it 'redirects back to the client if server-side redirect is enabled' do expect(controller).to receive(:sign_out) allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:server_side) + and_return('server_side') action expect(response).to redirect_to(/^#{post_logout_redirect_uri}/) @@ -611,7 +678,7 @@ it 'renders client-side redirect if client-side redirect is enabled' do expect(controller).to receive(:sign_out) allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side) + and_return('client_side') action expect(controller).to render_template('openid_connect/shared/redirect') 
@@ -621,7 +688,7 @@ it 'renders JS client-side redirect if JS client-side redirect is enabled' do expect(controller).to receive(:sign_out) allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side_js) + and_return('client_side_js') action expect(controller).to render_template('openid_connect/shared/redirect_js') @@ -646,7 +713,7 @@ it 'destroys session and redirects to client if server-side redirect is enabled' do expect(controller).to receive(:sign_out) allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:server_side) + and_return('server_side') action expect(response).to redirect_to(/^#{post_logout_redirect_uri}/) @@ -655,7 +722,7 @@ it 'destroys the session and renders client-side redirect if enabled' do expect(controller).to receive(:sign_out) allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side) + and_return('client_side') action expect(controller).to render_template('openid_connect/shared/redirect') @@ -665,7 +732,7 @@ it 'destroys the session and renders JS client-side redirect if enabled' do expect(controller).to receive(:sign_out) allow(IdentityConfig.store).to receive(:openid_connect_redirect). - and_return(:client_side_js) + and_return('client_side_js') action expect(controller).to render_template('openid_connect/shared/redirect_js') diff --git a/spec/support/oidc_auth_helper.rb b/spec/support/oidc_auth_helper.rb index 52e102ab944..0aa6ad7beb6 100644 --- a/spec/support/oidc_auth_helper.rb +++ b/spec/support/oidc_auth_helper.rb @@ -122,9 +122,9 @@ def extract_redirect_url def oidc_redirect_url case IdentityConfig.store.openid_connect_redirect - when :client_side + when 'client_side' extract_meta_refresh_url - when :client_side_js + when 'client_side_js' extract_redirect_url else # should only be :server_side current_url
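Review bot: The `else` comment in `oidc_redirect_url` still reads `# should only be :server_side`, but after this change the config value is the string `'server_side'`; update it to `# should only be 'server_side'`. The helper also consults only `IdentityConfig.store.openid_connect_redirect`, so a feature spec for a user listed in `openid_connect_redirect_uuid_override_map` would pick the wrong extraction method; a comment noting that per-user overrides are not handled here would prevent that surprise. The method ends outside the hunk.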