From 13c45dcf2144cd948b53e8d926d646590289c4c4 Mon Sep 17 00:00:00 2001 From: Matthias Fischmann Date: Fri, 21 Oct 2022 12:33:32 +0200 Subject: [PATCH] More spar integration tests. --- .../test-integration/Test/Spar/APISpec.hs | 72 ++++++++++++++++--- 1 file changed, 64 insertions(+), 8 deletions(-) diff --git a/services/spar/test-integration/Test/Spar/APISpec.hs b/services/spar/test-integration/Test/Spar/APISpec.hs index 3cae977964..3ce1555741 100644 --- a/services/spar/test-integration/Test/Spar/APISpec.hs +++ b/services/spar/test-integration/Test/Spar/APISpec.hs @@ -81,7 +81,7 @@ import Text.XML.DSig (SignPrivCreds, mkSignCredsWithCert) import qualified URI.ByteString as URI import URI.ByteString.QQ (uri) import Util.Core -import Util.Scim (filterBy, listUsers, registerScimToken) +import Util.Scim (createUser, filterBy, listUsers, randomScimUserWithEmail, registerScimToken) import qualified Util.Scim as ScimT import Util.Types import qualified Web.Cookie as Cky @@ -705,17 +705,43 @@ specCRUDIdentityProvider = do describe "PUT /identity-providers/:idp" $ do testGetPutDelete callIdpUpdate - context "known IdP, client is team owner" $ do + focus . context "known IdP, client is team owner" $ do it "responds with 2xx and updates IdP" $ do + let haveScim = True env <- ask - (owner, _, (^. idpId) -> idpid, (IdPMetadataValue _ idpmeta, _)) <- registerTestIdPWithMeta - (_, _, cert1) <- liftIO $ mkSignCredsWithCert Nothing 96 + (owner, teamid, idp, (IdPMetadataValue _ idpmeta, privCreds)) <- registerTestIdPWithMeta + let idpid = idp ^. idpId + + Just tok <- + if haveScim + then Just <$> registerScimToken teamid (Just idpid) + else pure Nothing + + (user, email) <- randomScimUserWithEmail + let Just externalId = Scim.externalId user + let nameid = emailToSAMLNameID email + scimStoredUser <- createUser tok user + _ :: SAML.UserRef <- tryLogin privCreds idp nameid + + (newPrivCreds, _, cert1) <- liftIO $ mkSignCredsWithCert Nothing 96 (_, _, cert2) <- liftIO $ mkSignCredsWithCert Nothing 96 let idpmeta' = idpmeta & edCertAuthnResponse .~ (cert1 :| [cert2]) callIdpUpdate (env ^. teSpar) (Just owner) idpid (IdPMetadataValue (cs $ SAML.encode idpmeta') undefined) `shouldRespondWith` ((== 200) . statusCode) - callIdpGet (env ^. teSpar) (Just owner) idpid - `shouldRespondWith` ((== idpmeta') . view idpMetadata) + newIdp <- call $ callIdpGet (env ^. teSpar) (Just owner) idpid + liftIO $ (newIdp ^. idpMetadata) `shouldBe` idpmeta' + + do + resp <- listUsers tok (Just (filterBy "externalId" externalId)) + liftIO $ resp `shouldBe` [scimStoredUser] + + -- TODO: try both logging in with old and with new, in two different test runs. + _ :: SAML.UserRef <- tryLogin newPrivCreds newIdp nameid + + do + resp <- listUsers tok (Just (filterBy "externalId" externalId)) + liftIO $ resp `shouldBe` [scimStoredUser] + it "updates the handle" $ do env <- ask (owner, _) <- call $ createUserWithTeam (env ^. teBrig) (env ^. teGalley) @@ -728,6 +754,7 @@ specCRUDIdentityProvider = do `shouldRespondWith` ((== 200) . statusCode) callIdpGet (env ^. teSpar) (Just owner) (idp ^. idpId) `shouldRespondWith` ((== expected) . (\idp' -> idp' ^. (SAML.idpExtraInfo . wiHandle))) + it "updates IdP metadata and creates a new IdP with the first metadata" $ do env <- ask (owner, _) <- call $ createUserWithTeam (env ^. teBrig) (env ^. teGalley) @@ -1054,10 +1081,25 @@ specCRUDIdentityProvider = do idp `shouldBe` idp' let prefix = " registerScimToken teamid (Just idp1id) + else pure Nothing + + (user, email) <- randomScimUserWithEmail + let Just externalId = Scim.externalId user + let nameid = emailToSAMLNameID email + scimStoredUser <- createUser tok user + _ :: SAML.UserRef <- tryLogin privCreds idp1 nameid + issuer2 <- makeIssuer idp2 <- let idpmeta2 = idpmeta1 & edIssuer .~ issuer2 @@ -1082,6 +1124,18 @@ specCRUDIdentityProvider = do . (idpExtraInfo . wiReplacedBy .~ (idp1 ^. idpExtraInfo . wiReplacedBy)) . (idpExtraInfo . wiHandle .~ (idp1 ^. idpExtraInfo . wiHandle)) erase idp1 `shouldBe` erase idp2 + + do + resp <- listUsers tok (Just (filterBy "externalId" externalId)) + liftIO $ resp `shouldBe` [scimStoredUser] + + -- TODO: try both logging in with old and with new, in two different test runs. + _ :: SAML.UserRef <- tryLogin privCreds idp2 nameid + + do + resp <- listUsers tok (Just (filterBy "externalId" externalId)) + liftIO $ resp `shouldBe` [scimStoredUser] + it "users can still login on old idp as before" $ do env <- ask (owner1, _, idp1, (IdPMetadataValue _ idpmeta1, privkey1)) <- registerTestIdPWithMeta @@ -1100,6 +1154,7 @@ specCRUDIdentityProvider = do olduid `shouldBe` newuid (olduref ^. SAML.uidTenant) `shouldBe` issuer1 (newuref ^. SAML.uidTenant) `shouldBe` issuer1 + it "migrates old users to new idp on their next login on new idp; after that, login on old won't work any more" $ do env <- ask (owner1, _, idp1, (IdPMetadataValue _ idpmeta1, privkey1)) <- registerTestIdPWithMeta @@ -1120,6 +1175,7 @@ specCRUDIdentityProvider = do (olduref ^. SAML.uidTenant) `shouldBe` issuer1 (newuref ^. SAML.uidTenant) `shouldBe` issuer2 tryLoginFail privkey1 idp1 userSubject "cannont-provision-on-replaced-idp" + it "creates non-existent users on new idp" $ do env <- ask (owner1, _, idp1, (IdPMetadataValue _ idpmeta1, privkey1)) <- registerTestIdPWithMeta