From b9308e5deb30868c88c4862b40494dd1c8f98bab Mon Sep 17 00:00:00 2001 From: Matthias Fischmann Date: Thu, 16 Dec 2021 12:51:06 +0100 Subject: [PATCH 1/6] Add end-tags for test tag parser (BSI audit). --- libs/zauth/test/ZAuth.hs | 2 ++ .../brig/test/integration/API/User/Account.hs | 10 ++++++++++ services/brig/test/integration/API/User/Auth.hs | 8 ++++++++ .../brig/test/integration/API/User/Client.hs | 8 ++++++++ .../brig/test/integration/API/User/Handles.hs | 2 ++ services/galley/test/integration/API.hs | 16 ++++++++++++++++ .../spar/test-integration/Test/Spar/APISpec.hs | 12 ++++++++++++ .../test-integration/Test/Spar/Scim/AuthSpec.hs | 4 ++++ .../test-integration/Test/Spar/Scim/UserSpec.hs | 4 ++++ 9 files changed, 66 insertions(+) diff --git a/libs/zauth/test/ZAuth.hs b/libs/zauth/test/ZAuth.hs index 67729073b4..65dbd8b4c8 100644 --- a/libs/zauth/test/ZAuth.hs +++ b/libs/zauth/test/ZAuth.hs @@ -105,6 +105,8 @@ testExpired p = do x <- liftIO $ runValidate p $ check t liftIO $ Left Expired @=? x +-- @END + testSignAndVerify :: V.Env -> Create () testSignAndVerify p = do u <- liftIO nextRandom diff --git a/services/brig/test/integration/API/User/Account.hs b/services/brig/test/integration/API/User/Account.hs index f09af13c4a..7c4959d9b9 100644 --- a/services/brig/test/integration/API/User/Account.hs +++ b/services/brig/test/integration/API/User/Account.hs @@ -177,6 +177,8 @@ testCreateUserWithInvalidVerificationCode brig = do ] postUserRegister' regEmail brig !!! const 404 === statusCode +-- @END + testUpdateUserEmailByTeamOwner :: Brig -> Http () testUpdateUserEmailByTeamOwner brig = do (_, teamOwner, emailOwner : otherTeamMember : _) <- createPopulatedBindingTeamWithNamesAndHandles brig 2 @@ -305,6 +307,8 @@ testCreateUserEmptyName brig = do post (brig . path "/register" . contentJson . body p) !!! const 400 === statusCode +-- @END + -- The testCreateUserLongName test conforms to the following testing standards: -- @SF.Provisioning @TSFI.RESTfulAPI @S2 -- 
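Review bot: The `-- @END` added after `testExpired` in libs/zauth/test/ZAuth.hs closes a tagged block whose opening `@SF.…` line is outside the hunk, so the pairing cannot be checked from the diff. The same holds for most of the other `-- @END` hunks in this patch. The series itself shows how easily hand-placed tags drift: patch 3/6 removes a stray `-- @END` from UserSpec.hs and adds a missing one in Client.hs, and patches 5/6 and 6/6 correct tag spelling (`@SF.PROVISIONING`, `@SF.CHANNEL@TSFI.RESTfulAPI`). These comments are presumably what the audit's tag parser reads, so an unmatched or misspelled tag could silently drop a test from the certification evidence. Running that parser in CI, or a small lint that requires exactly one `-- @END` per opening tag line and a known tag spelling, would catch this before review.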
@@ -319,6 +323,8 @@ testCreateUserLongName brig = do post (brig . path "/register" . contentJson . body p) !!! const 400 === statusCode +-- @END + testCreateUserAnon :: Brig -> Galley -> Http () testCreateUserAnon brig galley = do let p = @@ -437,6 +443,8 @@ testCreateUserConflict _ brig = do const 409 === statusCode const (Just "key-exists") === fmap Error.label . responseJsonMaybe +-- @END + -- The testCreateUserInvalidEmailOrPhone test conforms to the following testing standards: -- @SF.Provisioning @TSFI.RESTfulAPI @S2 -- @@ -468,6 +476,8 @@ testCreateUserInvalidEmailOrPhone _ brig = do post (brig . path "/register" . contentJson . body reqPhone) !!! const 400 === statusCode +-- @END + testCreateUserBlacklist :: Opt.Opts -> Brig -> AWS.Env -> Http () testCreateUserBlacklist (Opt.setRestrictUserCreation . Opt.optSettings -> Just True) _ _ = pure () testCreateUserBlacklist _ brig aws = diff --git a/services/brig/test/integration/API/User/Auth.hs b/services/brig/test/integration/API/User/Auth.hs index 22ed0ea735..f4ee97ea3f 100644 --- a/services/brig/test/integration/API/User/Auth.hs +++ b/services/brig/test/integration/API/User/Auth.hs @@ -377,6 +377,8 @@ testLoginFailure brig = do login brig (PasswordLogin (LoginByEmail badmail) defPassword Nothing) PersistentCookie !!! const 403 === statusCode +-- @END + testThrottleLogins :: Opts.Opts -> Brig -> Http () testThrottleLogins conf b = do -- Get the maximum amount of times we are allowed to login before @@ -455,6 +457,8 @@ testLimitRetries conf brig = do liftIO $ threadDelay (1000000 * 2) login brig (defEmailLogin email) SessionCookie !!! const 200 === statusCode +-- @END + ------------------------------------------------------------------------------- -- LegalHold Login @@ -599,6 +603,8 @@ testInvalidCookie z b = do const 403 === statusCode const (Just "expired") =~= responseBody +-- @END + testInvalidToken :: Brig -> Http () testInvalidToken b = do -- Syntactically invalid 
@@ -967,6 +973,8 @@ testTooManyCookies config b = do ) xxx -> error ("Unexpected status code when logging in: " ++ show xxx) +-- @END + testLogout :: Brig -> Http () testLogout b = do Just email <- userEmail <$> randomUser b diff --git a/services/brig/test/integration/API/User/Client.hs b/services/brig/test/integration/API/User/Client.hs index 27a20c4c3e..9b4caa0cc8 100644 --- a/services/brig/test/integration/API/User/Client.hs +++ b/services/brig/test/integration/API/User/Client.hs @@ -489,6 +489,8 @@ testRemoveClient hasPwd brig cannon = do newClientCookie = Just defCookieLabel } +-- @END + -- The testRemoveClientShortPwd test conforms to the following testing standards: -- @SF.Provisioning @TSFI.RESTfulAPI @S2 -- @@ -521,6 +523,8 @@ testRemoveClientShortPwd brig = do newClientCookie = Just defCookieLabel } +-- @END + -- The testRemoveClientIncorrectPwd test conforms to the following testing standards: -- @SF.Provisioning @TSFI.RESTfulAPI @S2 -- @@ -553,6 +557,8 @@ testRemoveClientIncorrectPwd brig = do newClientCookie = Just defCookieLabel } +-- @END + testUpdateClient :: Opt.Opts -> Brig -> Http () testUpdateClient opts brig = do uid <- userId <$> randomUser brig @@ -760,6 +766,8 @@ testAddMultipleTemporary brig galley = do . zUser u return $ Vec.length <$> (preview _Array =<< responseJsonMaybe @Value r) +-- @END + testPreKeyRace :: Brig -> Http () testPreKeyRace brig = do uid <- userId <$> randomUser brig diff --git a/services/brig/test/integration/API/User/Handles.hs b/services/brig/test/integration/API/User/Handles.hs index a339199128..5ea8fce5b7 100644 --- a/services/brig/test/integration/API/User/Handles.hs +++ b/services/brig/test/integration/API/User/Handles.hs @@ -138,6 +138,8 @@ testHandleUpdate brig cannon = do put (brig . path "/self/handle" . contentJson . zUser uid2 . zConn "c" . body update) !!! const 200 === statusCode +-- @END + testHandleRace :: Brig -> Http () testHandleRace brig = do us <- replicateM 10 (userId <$> randomUser brig) 
diff --git a/services/galley/test/integration/API.hs b/services/galley/test/integration/API.hs index 0186f3448d..13d41e2b80 100644 --- a/services/galley/test/integration/API.hs +++ b/services/galley/test/integration/API.hs @@ -452,6 +452,8 @@ postCryptoMessageVerifyMsgSentAndRejectIfMissingClient = do liftIO $ assertBool "unexpected equal clients" (bc /= bc2) assertNoMsg wsB2 (wsAssertOtr qconv qalice ac bc cipher) +-- @END + -- @SF.Separation @TSFI.RESTfulAPI @S2 -- This test verifies basic mismatch behavior of the the JSON endpoint. postCryptoMessageVerifyRejectMissingClientAndRepondMissingPrekeysJson :: TestM () @@ -478,6 +480,8 @@ postCryptoMessageVerifyRejectMissingClientAndRepondMissingPrekeysJson = do Map.keys (userClientMap (getUserClientPrekeyMap p)) @=? [eve] Map.keys <$> Map.lookup eve (userClientMap (getUserClientPrekeyMap p)) @=? Just [ec] +-- @END + -- @SF.Separation @TSFI.RESTfulAPI @S2 -- This test verifies basic mismatch behaviour of the protobuf endpoint. postCryptoMessageVerifyRejectMissingClientAndRepondMissingPrekeysProto :: TestM () @@ -506,6 +510,8 @@ postCryptoMessageVerifyRejectMissingClientAndRepondMissingPrekeysProto = do Map.keys (userClientMap (getUserClientPrekeyMap p)) @=? [eve] Map.keys <$> Map.lookup eve (userClientMap (getUserClientPrekeyMap p)) @=? Just [ec] +-- @END + -- | This test verifies behaviour when an unknown client posts the message. Only -- tests the Protobuf endpoint. postCryptoMessageNotAuthorizeUnknownClient :: TestM () 
@@ -547,6 +553,8 @@ postMessageClientNotInGroupDoesNotReceiveMsg = do checkEveGetsMsg checkChadDoesNotGetMsg +-- @END + -- @SF.Separation @TSFI.RESTfulAPI @S2 -- This test verifies that when a client sends a message not to all clients of a group then the server should reject the message and sent a notification to the sender (412 Missing clients). -- The test is somewhat redundant because this is already tested as part of other tests already. This is a stand alone test that solely tests the behavior described above. @@ -575,6 +583,8 @@ postMessageRejectIfMissingClients = do mkMsg :: ByteString -> (UserId, ClientId) -> (UserId, ClientId, Text) mkMsg text (userId, clientId) = (userId, clientId, toBase64Text text) +-- @END + -- @SF.Separation @TSFI.RESTfulAPI @S2 -- This test verifies behaviour under various values of ignore_missing and -- report_missing. Only tests the JSON endpoint. @@ -633,6 +643,8 @@ postCryptoMessageVerifyCorrectResponseIfIgnoreAndReportMissingQueryParam = do where listToByteString = BS.intercalate "," . map toByteString' +-- @END + -- | Sets up a conversation on Backend A known as "owning backend". All user's -- on this backend have names begining with 'A'. The conversation has a couple -- of users from backend B and one user from backend C. @@ -832,6 +844,8 @@ postMessageQualifiedLocalOwningBackendMissingClients = do assertMismatchQualified mempty expectedMissing mempty mempty WS.assertNoEvent (1 # Second) [wsBob, wsChad] +-- @END + -- | Sets up a conversation on Backend A known as "owning backend". One of the -- users from Backend A will send the message, it is expected that message will -- be sent successfully. 
@@ -1056,6 +1070,8 @@ postMessageQualifiedLocalOwningBackendIgnoreMissingClients = do assertMismatchQualified mempty expectedMissing mempty mempty WS.assertNoEvent (1 # Second) [wsBob, wsChad] +-- @END + postMessageQualifiedLocalOwningBackendFailedToSendClients :: TestM () postMessageQualifiedLocalOwningBackendFailedToSendClients = do -- WS receive timeout diff --git a/services/spar/test-integration/Test/Spar/APISpec.hs b/services/spar/test-integration/Test/Spar/APISpec.hs index 272674dac7..1472b9434c 100644 --- a/services/spar/test-integration/Test/Spar/APISpec.hs +++ b/services/spar/test-integration/Test/Spar/APISpec.hs @@ -222,6 +222,8 @@ specFinalizeLogin = do bdy `shouldContain` "}, receiverOrigin)" hasPersistentCookieHeader sparresp `shouldBe` Left "no set-cookie header" + -- @END + context "access granted" $ do let loginSuccess :: HasCallStack => ResponseLBS -> TestSpar () loginSuccess sparresp = liftIO $ do @@ -321,6 +323,8 @@ specFinalizeLogin = do authnresp <- runSimpleSP $ mkAuthnResponseWithSubj subj privcreds idp2 spmeta authnreq True loginFailure =<< submitAuthnResponse tid2 authnresp + -- @END + context "user is created once, then deleted in team settings, then can login again." $ do it "responds with 'allowed'" $ do (ownerid, teamid, idp, (_, privcreds)) <- registerTestIdPWithMeta @@ -433,6 +437,8 @@ specFinalizeLogin = do (cs . fromJust . responseBody $ sparresp) `shouldContainInBase64` "Input {iName = \"SAMLResponse\"" check mkareq mkaresp submitaresp checkresp + -- @END + -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 it "rejects saml responses signed with the wrong private key" $ do (_, _, _, (_, badprivcreds)) <- registerTestIdPWithMeta @@ -448,6 +454,8 @@ specFinalizeLogin = do checkresp sparresp = statusCode sparresp `shouldBe` 400 check mkareq mkaresp submitaresp checkresp + -- @END + -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 it "rejects saml responses to requests not in cassandra:spar.authreq" $ do let mkareq idp = do 
@@ -462,6 +470,8 @@ specFinalizeLogin = do (cs . fromJust . responseBody $ sparresp) `shouldContain` "bad InResponseTo attribute(s)" check mkareq mkaresp submitaresp checkresp + -- @END + -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 it "rejects saml responses already seen (and recorded in cassandra:spar.authresp)" $ do let mkareq = negotiateAuthnRequest @@ -474,6 +484,8 @@ specFinalizeLogin = do (cs . fromJust . responseBody $ sparresp) `shouldContain` "wire:sso:error:forbidden" check mkareq mkaresp submitaresp checkresp + -- @END + context "IdP changes response format" $ do it "treats NameId case-insensitively" $ do (_ownerid, tid, idp, (_, privcreds)) <- registerTestIdPWithMeta diff --git a/services/spar/test-integration/Test/Spar/Scim/AuthSpec.hs b/services/spar/test-integration/Test/Spar/Scim/AuthSpec.hs index 8d100b1545..60840faf2e 100644 --- a/services/spar/test-integration/Test/Spar/Scim/AuthSpec.hs +++ b/services/spar/test-integration/Test/Spar/Scim/AuthSpec.hs @@ -178,6 +178,8 @@ testCreateTokenAuthorizesOnlyAdmins = do (mkUser Galley.RoleAdmin >>= createToken') !!! const 200 === statusCode +-- @END + -- | Test that for a user with a password, token creation requires reauthentication (i.e. the -- field @"password"@ should be provided). -- @@ -374,3 +376,5 @@ testAuthIsNeeded = do listUsers_ (Just invalidToken) Nothing (env ^. teSpar) !!! checkErr 401 Nothing -- Try to do @GET /Users@ without a token and check that it fails listUsers_ Nothing Nothing (env ^. teSpar) !!! checkErr 401 Nothing + +-- @END diff --git a/services/spar/test-integration/Test/Spar/Scim/UserSpec.hs b/services/spar/test-integration/Test/Spar/Scim/UserSpec.hs index ef91c6fd2f..669b4c4971 100644 --- a/services/spar/test-integration/Test/Spar/Scim/UserSpec.hs +++ b/services/spar/test-integration/Test/Spar/Scim/UserSpec.hs 
@@ -479,6 +479,8 @@ testCreateRejectsInvalidHandle = do createUser_ (Just tok) (user {Scim.User.userName = "#invalid name"}) (env ^. teSpar) !!! const 400 === statusCode +-- @END + -- | Test that user creation fails if handle is already in use (even on different team). testCreateRejectsTakenHandle :: TestSpar () testCreateRejectsTakenHandle = do @@ -716,6 +718,8 @@ testScimCreateVsUserRef = do (call . delete $ brig . paths ["i", "users", toByteString' uid]) !!! const 202 === statusCode +-- @END + testCreateUserTimeout :: TestSpar () testCreateUserTimeout = do env <- ask From 8c8b7ec9f2148ed298bcf646304605496c98f8c4 Mon Sep 17 00:00:00 2001 From: Matthias Fischmann Date: Thu, 16 Dec 2021 13:00:46 +0100 Subject: [PATCH 2/6] Changelog. --- changelog.d/5-internal/sqservices-1118-2 | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/5-internal/sqservices-1118-2 diff --git a/changelog.d/5-internal/sqservices-1118-2 b/changelog.d/5-internal/sqservices-1118-2 new file mode 100644 index 0000000000..0d24028303 --- /dev/null +++ b/changelog.d/5-internal/sqservices-1118-2 @@ -0,0 +1 @@ +Tag integration tests for certification. From 31e196684b549909902674493e7c296f9774f2a7 Mon Sep 17 00:00:00 2001 From: Matthias Fischmann Date: Thu, 16 Dec 2021 14:37:31 +0100 Subject: [PATCH 3/6] Fixup --- services/brig/test/integration/API/User/Client.hs | 2 ++ services/spar/test-integration/Test/Spar/Scim/UserSpec.hs | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/services/brig/test/integration/API/User/Client.hs b/services/brig/test/integration/API/User/Client.hs index 9b4caa0cc8..0a2e131569 100644 --- a/services/brig/test/integration/API/User/Client.hs +++ b/services/brig/test/integration/API/User/Client.hs 
@@ -444,6 +444,8 @@ testTooManyClients opts brig = do const (Just "too-many-clients") === fmap Error.label . responseJsonMaybe const (Just "application/json;charset=utf-8") === getHeader "Content-Type" +-- @END + -- The testRemoveClient test conforms to the following testing standards: -- @SF.Provisioning @TSFI.RESTfulAPI @S2 -- diff --git a/services/spar/test-integration/Test/Spar/Scim/UserSpec.hs b/services/spar/test-integration/Test/Spar/Scim/UserSpec.hs index 669b4c4971..118ecc6745 100644 --- a/services/spar/test-integration/Test/Spar/Scim/UserSpec.hs +++ b/services/spar/test-integration/Test/Spar/Scim/UserSpec.hs @@ -718,8 +718,6 @@ testScimCreateVsUserRef = do (call . delete $ brig . paths ["i", "users", toByteString' uid]) !!! const 202 === statusCode --- @END - testCreateUserTimeout :: TestSpar () testCreateUserTimeout = do env <- ask From 4c60583504551fb0670ebf3d41b7c0aed19dac45 Mon Sep 17 00:00:00 2001 From: Matthias Fischmann Date: Thu, 16 Dec 2021 14:44:49 +0100 Subject: [PATCH 4/6] Make test identifiers unique-ish. --- .../spar/test-integration/Test/Spar/APISpec.hs | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/services/spar/test-integration/Test/Spar/APISpec.hs b/services/spar/test-integration/Test/Spar/APISpec.hs index 1472b9434c..229ab56ffc 100644 --- a/services/spar/test-integration/Test/Spar/APISpec.hs +++ b/services/spar/test-integration/Test/Spar/APISpec.hs @@ -201,8 +201,7 @@ specFinalizeLogin :: SpecWith TestEnv specFinalizeLogin = do describe "POST /sso/finalize-login" $ do -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 - -- Receiving an invalid SAML token from client should not give the user a valid access token - context "access denied" $ do + context "rejectsSAMLResponseSayingAccessNotGranted" $ do it "responds with a very peculiar 'forbidden' HTTP response" $ do (_, tid, idp, (_, privcreds)) <- registerTestIdPWithMeta authnreq <- negotiateAuthnRequest idp 
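Review bot: Dropping the comment `-- Receiving an invalid SAML token from client should not give the user a valid access token` in the `@@ -201,8 +201,7 @@` hunk of `specFinalizeLogin` removes the only plain statement of the security property this block covers. The new label `rejectsSAMLResponseSayingAccessNotGranted` works as an identifier for the tag parser but does not explain the property to an auditor reading the file. I would keep the sentence as a comment directly below `-- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3`. The `@@ -298,8 +297,7 @@` hunk needs the same: the old label `idp sends user to two teams with same issuer, nameid` described a scenario that `rejectsSAMLResponseInWrongTeam` no longer spells out. Both `context` bodies continue outside their hunks.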
@@ -298,8 +297,7 @@ specFinalizeLogin = do loginSuccess =<< submitAuthnResponse tid3 authnresp -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 - -- Receiving an invalid SAML token from client should not give the user a valid access token - context "idp sends user to two teams with same issuer, nameid" $ do + context "rejectsSAMLResponseInWrongTeam" $ do it "fails" $ do skipIdPAPIVersions [ WireIdPAPIV1 @@ -419,7 +417,7 @@ specFinalizeLogin = do g "" = "" -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 - it "rejects saml responses with invalid issuer entity id" $ do + it "rejectsSAMLResponseFromWrongIssuer" $ do let mkareq = negotiateAuthnRequest mkaresp privcreds idp spmeta authnreq = mkAuthnResponse @@ -440,7 +438,7 @@ specFinalizeLogin = do -- @END -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 - it "rejects saml responses signed with the wrong private key" $ do + it "rejectsSAMLResponseSignedWithWrongKey" $ do (_, _, _, (_, badprivcreds)) <- registerTestIdPWithMeta let mkareq = negotiateAuthnRequest mkaresp _ idp spmeta authnreq = @@ -457,7 +455,7 @@ specFinalizeLogin = do -- @END -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 - it "rejects saml responses to requests not in cassandra:spar.authreq" $ do + it "rejectsSAMLResponseIfRequestIsStale" $ do let mkareq idp = do req <- negotiateAuthnRequest idp runSpar $ AReqIDStore.unStore (req ^. SAML.rqID) @@ -473,7 +471,7 @@ specFinalizeLogin = do -- @END -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 - it "rejects saml responses already seen (and recorded in cassandra:spar.authresp)" $ do + it "rejectsSAMLResponseIfResponseIsStale" $ do let mkareq = negotiateAuthnRequest mkaresp privcreds idp spmeta authnreq = mkAuthnResponse privcreds idp spmeta authnreq True submitaresp teamid authnresp = do From 6d1d1b9d36f3b1af754c522bc18562c0bccc8cc8 Mon Sep 17 00:00:00 2001 
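Review bot: The labels `rejectsSAMLResponseIfRequestIsStale` (hunk `@@ -457,7 +455,7 @@`) and `rejectsSAMLResponseIfResponseIsStale` (hunk `@@ -473,7 +471,7 @@`) are less precise than the descriptions they replace. The first replaced `rejects saml responses to requests not in cassandra:spar.authreq`, which is about a response whose request the server does not know, not only an aged one. The second replaced `already seen (and recorded in cassandra:spar.authresp)`, which reads as a replay check. If the identifiers must stay short for the tag parser, a comment above each `it` would keep that intent for an auditor, for example `-- Responses whose InResponseTo matches no stored request id are rejected.` and `-- A response that was already seen is rejected when submitted again.` Both test bodies continue outside their hunks.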
From: Matthias Fischmann Date: Thu, 16 Dec 2021 14:46:43 +0100 Subject: [PATCH 5/6] Fixup --- services/spar/test-integration/Test/Spar/Scim/AuthSpec.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/spar/test-integration/Test/Spar/Scim/AuthSpec.hs b/services/spar/test-integration/Test/Spar/Scim/AuthSpec.hs index 60840faf2e..bee95ef511 100644 --- a/services/spar/test-integration/Test/Spar/Scim/AuthSpec.hs +++ b/services/spar/test-integration/Test/Spar/Scim/AuthSpec.hs @@ -364,7 +364,7 @@ testDeletedTokensAreUnlistable = do ---------------------------------------------------------------------------- -- Miscellaneous tests --- @SF.PROVISIONING @TSFI.RESTfulAPI @S2 +-- @SF.Provisioning @TSFI.RESTfulAPI @S2 -- This test verifies that the SCIM API responds with an authentication error -- and can't be used if it receives an invalid secret token -- or if no token is provided at all From c9eeec13a2131b6447891375ed6041b0c020600e Mon Sep 17 00:00:00 2001 From: Matthias Fischmann Date: Thu, 16 Dec 2021 14:54:40 +0100 Subject: [PATCH 6/6] Fixup --- services/spar/test-integration/Test/Spar/APISpec.hs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/services/spar/test-integration/Test/Spar/APISpec.hs b/services/spar/test-integration/Test/Spar/APISpec.hs index 229ab56ffc..af466b1650 100644 --- a/services/spar/test-integration/Test/Spar/APISpec.hs +++ b/services/spar/test-integration/Test/Spar/APISpec.hs @@ -200,7 +200,7 @@ specInitiateLogin = do specFinalizeLogin :: SpecWith TestEnv specFinalizeLogin = do describe "POST /sso/finalize-login" $ do - -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 + -- @SF.Channel @TSFI.RESTfulAPI @S2 @S3 context "rejectsSAMLResponseSayingAccessNotGranted" $ do it "responds with a very peculiar 'forbidden' HTTP response" $ do (_, tid, idp, (_, privcreds)) <- registerTestIdPWithMeta 
@@ -296,7 +296,7 @@ specFinalizeLogin = do authnresp <- runSimpleSP $ mkAuthnResponse privcreds idp3 spmeta authnreq True loginSuccess =<< submitAuthnResponse tid3 authnresp - -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 + -- @SF.Channel @TSFI.RESTfulAPI @S2 @S3 context "rejectsSAMLResponseInWrongTeam" $ do it "fails" $ do skipIdPAPIVersions @@ -416,7 +416,7 @@ specFinalizeLogin = do g (c : s) = c : g s g "" = "" - -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 + -- @SF.Channel @TSFI.RESTfulAPI @S2 @S3 it "rejectsSAMLResponseFromWrongIssuer" $ do let mkareq = negotiateAuthnRequest mkaresp privcreds idp spmeta authnreq = @@ -437,7 +437,7 @@ specFinalizeLogin = do -- @END - -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 + -- @SF.Channel @TSFI.RESTfulAPI @S2 @S3 it "rejectsSAMLResponseSignedWithWrongKey" $ do (_, _, _, (_, badprivcreds)) <- registerTestIdPWithMeta let mkareq = negotiateAuthnRequest @@ -454,7 +454,7 @@ specFinalizeLogin = do -- @END - -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 + -- @SF.Channel @TSFI.RESTfulAPI @S2 @S3 it "rejectsSAMLResponseIfRequestIsStale" $ do let mkareq idp = do req <- negotiateAuthnRequest idp @@ -470,7 +470,7 @@ specFinalizeLogin = do -- @END - -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 + -- @SF.Channel @TSFI.RESTfulAPI @S2 @S3 it "rejectsSAMLResponseIfResponseIsStale" $ do let mkareq = negotiateAuthnRequest mkaresp privcreds idp spmeta authnreq = mkAuthnResponse privcreds idp spmeta authnreq True