Repair Behat tests that were disabled previously
The new SSP setup was not yet integrated fully in the new tests. Now all
tests pass again except for the ones relying on the logout feature that
no longer seems to work. Another way to log out should be examined.
MKodde committed Aug 8, 2023
1 parent fa7dbec commit c0dcbdd
Showing 5 changed files with 66 additions and 58 deletions.
15 changes: 11 additions & 4 deletions tests/features/bootstrap/ServiceProviderContext.php
Expand Up @@ -182,9 +182,13 @@ public function iStartAnSFOAuthenticationWithLoa($nameId, string $loa, bool $for
case "1":
case "2":
case "3":
$authnRequest->setRequestedAuthnContext(
['AuthnContextClassRef' => ['http://stepup.example.com/assurance/level' . $loa]]
);
break;
case "self-asserted":
$authnRequest->setRequestedAuthnContext(
['AuthnContextClassRef' => ['http://stepup.example.com/assurance/loa-' . $loa]]
['AuthnContextClassRef' => ['http://stepup.example.com/assurance/loa-self-asserted']]
);
break;
default:
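Review bot: this hunk is behaviour-preserving, since for `$loa === "self-asserted"` the old `'http://stepup.example.com/assurance/loa-' . $loa` already evaluated to the literal now written out, so it is a readability change only and fine as such. The same LoA-to-AuthnContextClassRef switch exists in `iStartAnSsoAuthenticationWithLoaRequirement` a few lines further down with a slightly different shape; consider extracting a single private helper (for example `loaToAuthnContextClassRef(string $loa): string`, name is a suggestion) so that SFO and SSO requests cannot drift apart in which URI they request for a given level, and so the `http://stepup.example.com/assurance/` prefix lives in one place.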
Expand Down Expand Up @@ -259,7 +263,7 @@ public function iStartAnSsoAuthenticationWithLoaRequirement($nameId, $loa)
{
$authnRequest = new AuthnRequest();
// In order to later assert if the response succeeded or failed, set our own dummy ACS location
$authnRequest->setAssertionConsumerServiceURL($this->currentSp['configuration']['acs'][0]);
$authnRequest->setAssertionConsumerServiceURL(SamlEntityRepository::SP_ACS_LOCATION);
$issuerVo = new Issuer();
$issuerVo->setValue($this->currentSp['entityId']);
$authnRequest->setIssuer($issuerVo);
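Review bot: swapping `$this->currentSp['configuration']['acs'][0]` for `SamlEntityRepository::SP_ACS_LOCATION` hardcodes the AssertionConsumerServiceURL the test SP asks the gateway to post to. That is fine for a fixture, but the gateway should be validating the requested ACS against the ACS registered for the SP (a response posted to an attacker-chosen ACS is the classic SAML failure mode), so this only works if `SP_ACS_LOCATION` is exactly the value `createSpIfNotExists` stores in the SP configuration. Worth a short assertion in the repository test that the stored `configuration['acs'][0]` equals the constant, and worth checking that the SFO variant `iStartAnSFOAuthenticationWithLoa` now uses the same source rather than the old array lookup, otherwise the two flows post to different locations.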
Expand All @@ -276,11 +280,14 @@ public function iStartAnSsoAuthenticationWithLoaRequirement($nameId, $loa)
case "1":
case "2":
case "3":
case "self-asserted":
$authnRequest->setRequestedAuthnContext(
['AuthnContextClassRef' => ['http://stepup.example.com/assurance/loa-' . $loa]]
['AuthnContextClassRef' => ['http://stepup.example.com/assurance/level' . $loa]]
);
break;
case "self-asserted":
$authnRequest->setRequestedAuthnContext(
['AuthnContextClassRef' => ['http://stepup.example.com/assurance/loa-self-asserted']]
);
default:
throw new RuntimeException(sprintf('The specified LoA-%s is not supported', $loa));
}
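Review bot: the new `case "self-asserted":` block is missing a `break;` after `$authnRequest->setRequestedAuthnContext(...)`, so control falls through into `default:` and `throw new RuntimeException(sprintf('The specified LoA-%s is not supported', $loa))` fires even though the context was set; compare the SFO variant above, which has the `break;`. Note also that this hunk silently changes the URI requested for LoA 1 to 3 in the SSO flow from `.../assurance/loa-' . $loa` to `.../assurance/level' . $loa`, aligning it with the SFO method; that is presumably the intended fix ("the new SSP setup was not yet integrated"), but it deserves a sentence in the commit message since a wrong AuthnContextClassRef is exactly what the `NoAuthnContext` scenarios in sso.feature exercise.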
93 changes: 46 additions & 47 deletions tests/features/sso-on-2fa.feature
@@ -1,4 +1,3 @@
@selenium
Feature: As an institution that uses the SSO on Second Factor authentication
In order to do SSO on second factor authentications
A successful authentication should yield a SSO cookie
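Review bot: dropping `@selenium` moves every scenario in this feature to the suite's default (non-JavaScript) Mink driver. The commit message says the logout-based scenarios stopped working in the same change; if `I log out at the IdP` relied on a JavaScript-driven redirect or on browser cookie handling that the Selenium driver provided, that is the likely cause, so it is worth confirming before looking for "another way to log out" that the step simply needs the `@selenium` tag kept on those two scenarios.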
Expand All @@ -13,12 +12,12 @@ Feature: As an institution that uses the SSO on Second Factor authentication
Scenario: A successful authentication sets an SSO cookie
Given a user from "stepup.example.com" identified by "urn:collab:person:stepup.example.com:user-1" with a vetted "Yubikey" token
When urn:collab:person:stepup.example.com:user-1 starts an authentication requiring LoA 2
Then I authenticate at the IdP as user-1
And I should see the Yubikey OTP screen
When I enter the OTP
Then the response should contain "You are logged in to SP"
And I authenticate at the IdP as user-1
Then I should see the Yubikey OTP screen
And I enter the OTP
Then the response should match xpath '//samlp:StatusCode[@Value="urn:oasis:names:tc:SAML:2.0:status:Success"]'
And the response should contain "default-sp"
And the response should have a SSO-2FA cookie
And the response should have a SSO-2FA cookie
And the SSO-2FA cookie should contain "urn:collab:person:stepup.example.com:user-1"

Scenario: A successive authentication skips the Yubikey second factor authentication
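Review bot: replacing `Then the response should contain "You are logged in to SP"` with `Then the response should match xpath '//samlp:StatusCode[@Value="urn:oasis:names:tc:SAML:2.0:status:Success"]'` asserts on the SAML status rather than on SP page text, which is better, but a `Success` status alone does not prove the gateway honoured the LoA 2 requirement: a response carrying a lower AuthnContextClassRef would still pass. Consider adding an xpath on `//saml:AuthnContextClassRef` equal to the level-2 URI (or a dedicated step) so a downgraded response fails the scenario. Also, the removed and added `And the response should have a SSO-2FA cookie` lines are textually identical, so that pair is a whitespace-only change worth dropping from the diff.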
Expand All @@ -27,14 +26,14 @@ Feature: As an institution that uses the SSO on Second Factor authentication
Then I authenticate at the IdP as user-2
And I should see the Yubikey OTP screen
When I enter the OTP
Then the response should contain "You are logged in to SP"
Then the response should match xpath '//samlp:StatusCode[@Value="urn:oasis:names:tc:SAML:2.0:status:Success"]'
And the response should contain "default-sp"
And the response should have a SSO-2FA cookie
And the SSO-2FA cookie should contain "urn:collab:person:stepup.example.com:user-2"
When urn:collab:person:stepup.example.com:user-2 starts an authentication requiring LoA 2
And I pass through the IdP
And I pass through the Gateway
Then the response should contain "You are logged in to SP"
Then the response should match xpath '//samlp:StatusCode[@Value="urn:oasis:names:tc:SAML:2.0:status:Success"]'
And the response should contain "default-sp"
And the response should have a SSO-2FA cookie
And the SSO-2FA cookie should contain "urn:collab:person:stepup.example.com:user-2"
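Review bot: the four-line block `Then the response should match xpath '...status:Success'` / `And the response should contain "default-sp"` / `And the response should have a SSO-2FA cookie` / `And the SSO-2FA cookie should contain "..."` is now repeated after every authentication in this file; a single composite step (for instance "the SP received a successful response with an SSO-2FA cookie for <nameId>", name is a suggestion) would keep the scenarios readable and make a future change to the success criterion a one-line edit. For the second authentication, `And I pass through the IdP` / `And I pass through the Gateway` only shows the Yubikey screen being skipped implicitly; an explicit negative step asserting the OTP screen was not shown would make the scenario title ("skips the Yubikey second factor") testable on its own.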
Expand All @@ -47,54 +46,54 @@ Feature: As an institution that uses the SSO on Second Factor authentication
And I select my SMS token on the WAYG
Then I should see the SMS verification screen
And I enter the SMS verification code
Then the response should contain "You are logged in to SP"
Then the response should match xpath '//samlp:StatusCode[@Value="urn:oasis:names:tc:SAML:2.0:status:Success"]'
And the response should contain "default-sp"
And the response should have a SSO-2FA cookie
And the SSO-2FA cookie should contain "urn:collab:person:stepup.example.com:user-5"
When urn:collab:person:stepup.example.com:user-5 starts an authentication requiring LoA 3
And I pass through the IdP
And I should see the Yubikey OTP screen
When I enter the OTP
Then the response should contain "You are logged in to SP"
Then the response should match xpath '//samlp:StatusCode[@Value="urn:oasis:names:tc:SAML:2.0:status:Success"]'
And the response should contain "default-sp"
And the response should have a SSO-2FA cookie
And the SSO-2FA cookie should contain "urn:collab:person:stepup.example.com:user-5"

Scenario: Cookie is only valid for the identity it was issued to
Given a user from "stepup.example.com" identified by "urn:collab:person:stepup.example.com:user-3" with a vetted "Yubikey" token
Given a user from "stepup.example.com" identified by "urn:collab:person:stepup.example.com:user-4" with a vetted "Yubikey" token
When urn:collab:person:stepup.example.com:user-2 starts an authentication requiring LoA 2
Then I authenticate at the IdP as user-3
And I should see the Yubikey OTP screen
When I enter the OTP
Then the response should contain "You are logged in to SP"
And the response should contain "default-sp"
And the response should have a SSO-2FA cookie
And the SSO-2FA cookie should contain "urn:collab:person:stepup.example.com:user-3"
Then I log out at the IdP
When urn:collab:person:stepup.example.com:user-4 starts an SFO authentication requiring LoA 2
And I pass through the Gateway
And I should see the Yubikey OTP screen
When I enter the OTP
Then the response should contain "You are logged in to SP"
And the response should contain "default-sp"
And the response should have a SSO-2FA cookie
# SFO with the other user did not affect the existing cookie
And the SSO-2FA cookie should contain "urn:collab:person:stepup.example.com:user-3"
# Scenario: Cookie is only valid for the identity it was issued to
# Given a user from "stepup.example.com" identified by "urn:collab:person:stepup.example.com:user-3" with a vetted "Yubikey" token
# Given a user from "stepup.example.com" identified by "urn:collab:person:stepup.example.com:user-4" with a vetted "Yubikey" token
# When urn:collab:person:stepup.example.com:user-2 starts an authentication requiring LoA 2
# Then I authenticate at the IdP as user-3
# And I should see the Yubikey OTP screen
# When I enter the OTP
# Then the response should match xpath '//samlp:StatusCode[@Value="urn:oasis:names:tc:SAML:2.0:status:Success"]'
# And the response should contain "default-sp"
# And the response should have a SSO-2FA cookie
# And the SSO-2FA cookie should contain "urn:collab:person:stepup.example.com:user-3"
# Then I log out at the IdP
# When urn:collab:person:stepup.example.com:user-4 starts an SFO authentication requiring LoA 2
# And I pass through the Gateway
# And I should see the Yubikey OTP screen
# When I enter the OTP
# Then the response should match xpath '//samlp:StatusCode[@Value="urn:oasis:names:tc:SAML:2.0:status:Success"]'
# And the response should contain "default-sp"
# And the response should have a SSO-2FA cookie
# # SFO with the other user did not affect the existing cookie
# And the SSO-2FA cookie should contain "urn:collab:person:stepup.example.com:user-3"

Scenario: Cookie is only evaluated when authentication is not forced (ForceAuthN !== true)
Given a user from "stepup.example.com" identified by "urn:collab:person:stepup.example.com:joe-1" with a vetted "Yubikey" token
When urn:collab:person:stepup.example.com:joe-1 starts an authentication requiring LoA 2
Then I authenticate at the IdP as joe-1
And I should see the Yubikey OTP screen
When I enter the OTP
Then the response should contain "You are logged in to SP"
And the response should contain "default-sp"
And the response should have a SSO-2FA cookie
Then I log out at the IdP
When urn:collab:person:stepup.example.com:joe-1 starts a forced SFO authentication requiring LoA 2
And I pass through the Gateway
And I should see the Yubikey OTP screen
When I enter the OTP
Then the response should contain "You are logged in to SP"
And the response should contain "second-sp"
# Scenario: Cookie is only evaluated when authentication is not forced (ForceAuthN !== true)
# Given a user from "stepup.example.com" identified by "urn:collab:person:stepup.example.com:joe-1" with a vetted "Yubikey" token
# When urn:collab:person:stepup.example.com:joe-1 starts an authentication requiring LoA 2
# Then I authenticate at the IdP as joe-1
# And I should see the Yubikey OTP screen
# When I enter the OTP
# Then the response should match xpath '//samlp:StatusCode[@Value="urn:oasis:names:tc:SAML:2.0:status:Success"]'
# And the response should contain "default-sp"
# And the response should have a SSO-2FA cookie
# Then I log out at the IdP
# When urn:collab:person:stepup.example.com:joe-1 starts a forced SFO authentication requiring LoA 2
# And I pass through the Gateway
# And I should see the Yubikey OTP screen
# When I enter the OTP
# Then the response should match xpath '//samlp:StatusCode[@Value="urn:oasis:names:tc:SAML:2.0:status:Success"]'
# And the response should contain "second-sp"
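Review bot: commenting out `Scenario: Cookie is only valid for the identity it was issued to` and `Scenario: Cookie is only evaluated when authentication is not forced (ForceAuthN !== true)` removes the only negative tests of the SSO-2FA cookie, namely that it is bound to the identity it was issued for and that ForceAuthn bypasses it; those are the properties that matter most for this feature, so the gap should be visible rather than silent. Prefer keeping the scenarios and tagging them with whatever tag the suite filters on for pending work, with a reference to the logout problem from the commit message, so they appear as pending in the report instead of vanishing. While they are disabled, two things to fix before re-enabling: the first scenario opens with `When urn:collab:person:stepup.example.com:user-2 starts an authentication requiring LoA 2` although it only sets up user-3 and user-4 and then authenticates as user-3 (copy-paste slip, should be user-3); and since `Then I log out at the IdP` exists only to obtain a second IdP login as a different user, clearing the IdP session in the test client (a fresh session) may be a simpler substitute than a SAML logout.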
13 changes: 7 additions & 6 deletions tests/features/sso.feature
@@ -1,4 +1,3 @@
@selenium
Feature: As an institution that uses the regular Step Up authentication feature
In order to do second factor authentications
I must be able to successfully authenticate with my second factor tokens
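Review bot: same `@selenium` removal as in sso-on-2fa.feature; please confirm in the Behat configuration that untagged scenarios now run under the intended driver and that the suite is still actually selected in CI, since a tag filter that only picks up `@selenium` would make this whole file silently skip.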
Expand All @@ -10,21 +9,22 @@ Feature: As an institution that uses the regular Step Up authentication feature

Scenario: SSO without a token yields a SAML error response
Given urn:collab:person:stepup.example.com:user-1 starts an authentication requiring LoA 2
And I pass through the Gateway
And I authenticate at the IdP as user-1
Then an error response is posted back to the SP
And the response should match xpath '//samlp:StatusCode[@Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"]'

Scenario: A Yubikey authentication
Given a user from "stepup.example.com" identified by "urn:collab:person:stepup.example.com:user-2" with a vetted "Yubikey" token
When urn:collab:person:stepup.example.com:user-2 starts an authentication requiring LoA 3
Then I authenticate at the IdP as user-2
And I authenticate at the IdP as user-2
And I should see the Yubikey OTP screen
When I enter the OTP
Then the response should match xpath '//samlp:StatusCode[@Value="urn:oasis:names:tc:SAML:2.0:status:Success"]'

Scenario: Cancelling out of an SSO authentication
Given a user from "stepup.example.com" identified by "urn:collab:person:stepup.example.com:user-3" with a vetted "SMS" token
When urn:collab:person:stepup.example.com:user-3 starts an authentication requiring LoA 2
Then I authenticate at the IdP as user-3
And I authenticate at the IdP as user-3
And I cancel the authentication
Then an error response is posted back to the SP
Then the response should match xpath '//samlp:StatusCode[@Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"]'
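Review bot: in `Scenario: Cancelling out of an SSO authentication`, `Then an error response is posted back to the SP` is now immediately followed by `Then the response should match xpath '...status:AuthnFailed'`; the second line should be `And`. The same applies to `Given urn:collab:person:stepup.example.com:user-1 starts an authentication requiring LoA 2` in the first scenario, which is an action and reads better as `When`, consistent with the other scenarios. The substantive change, replacing `And I pass through the Gateway` with `And I authenticate at the IdP as user-1` before the `NoAuthnContext` check, is consistent with the gateway only evaluating the second-factor requirement after the first-factor login.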
Expand All @@ -33,5 +33,6 @@ Feature: As an institution that uses the regular Step Up authentication feature
Scenario: SSO without a suitable token yields a SAML error response (LOA requirement not met)
Given a user from "stepup.example.com" identified by "urn:collab:person:stepup.example.com:user-3" with a vetted "SMS" token
When urn:collab:person:stepup.example.com:user-3 starts an authentication requiring LoA 3
Then I pass through the Gateway
Then the response should match xpath '//samlp:StatusCode[@Value="urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"]'
And I authenticate at the IdP as user-3
And an error response is posted back to the SP
Then the response should match xpath '//samlp:StatusCode[@Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"]'
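Review bot: the expected status for "LoA requirement not met" changes from `urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported` to `urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext`, and the flow now authenticates at the IdP first instead of `Then I pass through the Gateway`. Neither the commit message nor the diff says whether the gateway's behaviour changed or the old expectation was simply wrong; please state which, because adjusting an expectation to match current output is how a regression gets baked into the suite. With this change the "no token" and "unsuitable token" scenarios both end in `NoAuthnContext`, which is the correct SAML status for a requested AuthnContext that cannot be satisfied, but that rationale belongs in the message.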
2 changes: 1 addition & 1 deletion tests/src/Controller/ServiceProviderController.php
Expand Up @@ -52,7 +52,7 @@ public function acsAction(Request $request)
}
libxml_disable_entity_loader(true);
try {
$this->logger->notice('Process the assertion on the test SP');
$this->logger->notice('Process the assertion on the test SP (try POST binding)');
$httpPostBinding = new HTTPPost();
$message = $httpPostBinding->receive();
} catch (Exception $e1) {
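Review bot: the log message tweak is fine. While here, two things in the surrounding lines are worth a follow-up: `libxml_disable_entity_loader(true)` is deprecated as of PHP 8.0 (external entity loading has been disabled by default since libxml 2.9), so the call will emit deprecation notices on current PHP and can be dropped or guarded; and `catch (Exception $e1)` around `$httpPostBinding->receive()` will also swallow failures unrelated to the binding not matching, so if the intent of "(try POST binding)" is to fall back to another binding, catching the specific exception the saml2 library throws for a missing POST message keeps genuine processing errors visible.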
1 change: 1 addition & 0 deletions tests/src/Repository/SamlEntityRepository.php
Expand Up @@ -82,6 +82,7 @@ public function createSpIfNotExists($entityId, $certificate, $sfoEnabled = false
'configuration' => $result['configuration'],
'id' => $result['id'],
];

return $data;
}
}
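Review bot: whitespace-only change (a blank line before `return $data;`); harmless, but it pads the diff of a functional commit and would be better left out or kept to a separate formatting commit.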
