Add activation flow preference test #17

Open
wants to merge 2 commits into
base: main
23 changes: 23 additions & 0 deletions stepup/tests/behat/features/bootstrap/SecondFactorAuthContext.php
Expand Up @@ -2,6 +2,7 @@

use Behat\Behat\Context\Context;
use Behat\Behat\Hook\Scope\BeforeScenarioScope;
use Behat\Gherkin\Node\TableNode;
use Behat\Mink\Exception\ElementNotFoundException;
use Behat\MinkExtension\Context\MinkContext;

Expand Down Expand Up @@ -361,6 +362,28 @@ public function authenticateWithIdentityProvider()

}

/**
* @Given /^I receive the following attributes for "([^"]*)" from the IdP:$/
* @param TableNode $table
*/
public function authenticateIdentityProviderAndExpectAttributes(string $user, TableNode $table)
{
$this->minkContext->visit('https://ssp.dev.openconext.local/simplesaml/aa.php');

$this->minkContext->pressButton('delete all');

$hash = $table->getHash();
foreach ($hash as $row) {
var_dump($row);
$name = $row['name'];
$value = $row['value'];
$this->minkContext->fillField('uid', $user);
$this->minkContext->fillField('name', $name);
$this->minkContext->fillField('value', $value);
$this->minkContext->pressButton('add');
}
}

/**
* @When I authenticate as :arg1 with the identity provider
*/
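Review bot: The `var_dump($row);` at the top of the `foreach` in `authenticateIdentityProviderAndExpectAttributes()` looks like leftover debugging and will dump every attribute row into the Behat output on each run; please remove it. In the same loop, `$row['name']` and `$row['value']` are read without checking that the table has those columns, so a mistyped header in a feature file surfaces as a PHP undefined-key error rather than a clear step failure; a short guard that throws and names the expected columns would help. The docblock lists `@param TableNode $table` but not `$user`, and the method name says "authenticate ... and expect" while the visible body only clears and fills the form at `aa.php`, so a name that describes configuring the released attributes would read better. The hard-coded `https://ssp.dev.openconext.local/simplesaml/aa.php` could come from configuration in the same way `$this->selfServiceUrl` does in SelfServiceContext.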
47 changes: 46 additions & 1 deletion stepup/tests/behat/features/bootstrap/SelfServiceContext.php
Expand Up @@ -82,6 +82,20 @@ public function iAmLoggedInIntoTheSelfServicePortalAs($userName)
$this->minkContext->assertPageContainsText('Registration Portal');
}


/**
* @Given /^I log into the selfservice portal as "([^"]*)" with activation preference "([^"]*)"$/
*/
public function ilogIntoTheSelfServicePortalAsWithPreference($userName, $preference)
{
// We visit the Self Service location url
$this->minkContext->visit($this->selfServiceUrl.'?activate='.$preference);
$this->authContext->authenticateWithIdentityProviderFor($userName);
$this->authContext->passTroughGatewaySsoAssertionConsumerService();
$this->iSwitchLocaleTo('English');
$this->minkContext->assertPageContainsText('Registration Portal');
}

/**
* @When I register a new :tokenType token
*/
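Review bot: In `ilogIntoTheSelfServicePortalAsWithPreference()`, `$preference` is concatenated into the query string unencoded (`$this->selfServiceUrl.'?activate='.$preference`), while the step pattern `"([^"]*)"` accepts any characters, so a value containing `&`, `#` or a space would silently change the request the scenario thinks it is making. Wrapping the value in `rawurlencode()` or building the query with `http_build_query(['activate' => $preference])` keeps the step faithful to what the feature file says, and makes it safe to add a scenario that deliberately passes an unexpected value. Minor: the method name starts with `ilog` where the neighbouring step uses `iSwitchLocaleTo` casing, and there is a doubled blank line before the docblock.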
Expand Down Expand Up @@ -214,10 +228,41 @@ public function iTryToSelfVetANewYubikeyTokenWithMySMSToken()

}

/**
* @When I verify my e-mail address
*/
public function verifyEmailAddress()
{
## And we should now be on the mail verification page
$this->minkContext->assertPageContainsText('Verify your e-mail');
$this->minkContext->assertPageContainsText('Check your inbox');

$this->minkContext->visit(
$this->getEmailVerificationUrl()
);
}

/**
* @When I activate my token
*/
public function activateToken()
{
$matches = [];
preg_match('#/second-factor/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/vetting-types#', $this->minkContext->getSession()->getPage()->getContent(), $matches);
if (empty($matches)) {
throw new Exception('Could not find a valid second factor verification id in the url');
}
$href = reset($matches);

$this->minkContext->getSession()
->getPage()
->find('css', '[href="'.$href.'"]')->click();
}

/**
* @When I verify my e-mail address and choose the :vettingType vetting type
*/
public function verifyEmailAddress(string $vettingType)
public function verifyEmailAddressAndChooseVettingType(string $vettingType)
{
## And we should now be on the mail verification page
$this->minkContext->assertPageContainsText('Verify your e-mail');
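Review bot: In `activateToken()`, the result of `->find('css', '[href="'.$href.'"]')` is used without a null check, so when no link has an `href` exactly equal to the matched path (an absolute URL or an appended query string would be enough) the step ends in a call on null instead of a readable failure; check the return value and throw an exception that names the `$href` that was not found. The `preg_match` runs over the page content and `reset($matches)` takes the first hit, yet the exception text says "in the url", so the message should refer to the page, and with more than one token on the overview the step would click whichever link appears first. It is also worth confirming that no remaining feature file still uses the old "I verify my e-mail address" wording expecting the vetting-type behaviour, since that step text now maps to the new `verifyEmailAddress()` without a `$vettingType`.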
46 changes: 46 additions & 0 deletions stepup/tests/behat/features/selfservice_activation_flow.feature
Member

@MKodde MKodde Nov 6, 2024

Awesome to cover these vetting nudging flows in the behat tests.

IRL you mentioned that the new feature to express the preference via an entitlement attribute was hard to test in this test suite, right? OpenConext/Stepup-SelfService#336. It might be possible to collaborate with Pieter and create a new feature in the SSP SP.php test page. And let the SP notify the demo IdP to release a certain attribute if this is requested in the relay state. Just a wild idea that might be useful in other situations.

@@ -0,0 +1,46 @@
Feature: A user manages his tokens in the SelfService portal
In order to use a second factor token
As a user
I must be able to manage my second factor tokens

Scenario: A user registers a Yubikey token in selfservice using RA vetting preference
Given I receive the following attributes for "joe-a4" from the IdP:
Member

Awesome test!!

Suggestion: maybe create a dedicated step definition to indicate you expect the IdP to release no attributes? Perhaps a bit more expressive than the empty table?

| name | value |
And I log into the selfservice portal as "joe-a4" with activation preference "ra"
When I register a new "Yubikey" token
And I verify my e-mail address
And I visit the "overview" page in the selfservice portal
And I activate my token
Then I should see "Activation code"

Scenario: A user registers a Yubikey token in selfservice using self vetting preference
Given I receive the following attributes for "joe-a5" from the IdP:
| name | value |
And I log into the selfservice portal as "joe-a5" with activation preference "self"
When I register a new "Yubikey" token
And I verify my e-mail address
And I visit the "overview" page in the selfservice portal
And I activate my token
Then I should see "Add recovery method"

Scenario: A user registers a Yubikey token in selfservice using RA vetting preference set through eduPersonEntitlement attribute
Given I receive the following attributes for "jane-a4" from the IdP:
| name | value |
| urn:mace:dir:attribute-def:eduPersonEntitlement | urn:mace:surf.nl:surfsecureid:activation:ra |
And I am logged in into the selfservice portal as "jane-a4"
When I register a new "Yubikey" token
And I verify my e-mail address
And I visit the "overview" page in the selfservice portal
And I activate my token
Then I should see "Activation code"

Scenario: A user registers a Yubikey token in selfservice using self vetting preference set through eduPersonEntitlement attribute
Given I receive the following attributes for "jane-a5" from the IdP:
| name | value |
| urn:mace:dir:attribute-def:eduPersonEntitlement | urn:mace:surf.nl:surfsecureid:activation:self |
And I am logged in into the selfservice portal as "jane-a5"
When I register a new "Yubikey" token
And I verify my e-mail address
And I visit the "overview" page in the selfservice portal
And I activate my token
Then I should see "Add recovery method"
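Review bot: The four scenarios cover `ra` and `self` through the `activate` query parameter and through `eduPersonEntitlement` separately, but none combines the two with conflicting values or passes a value other than `ra`/`self`, so which source wins and what happens on unrecognised input stay untested; a scenario that uses the "with activation preference" login step together with a non-empty attribute table would pin that down. The step sequence is identical in all four scenarios, so a `Scenario Outline` with an examples table would remove the repetition, and the feature header ("A user manages his tokens in the SelfService portal") could name the activation preference behaviour this file actually exercises.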