Test RA error handling during authentcation

OpenConext · Sep 19, 2024 · ac7b97d · ac7b97d
1 parent 065b08f
commit ac7b97d
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 3 deletions.
diff --git a/stepup/tests/behat/features/bootstrap/RaContext.php b/stepup/tests/behat/features/bootstrap/RaContext.php
@@ -119,7 +119,7 @@ public function iVetASecondFactor($secondFactorId, $activationCode)
     /**
      * @Given /^I am logged in into the ra portal as "([^"]*)" with a "([^"]*)" token$/
      */
-    public function iAmLoggedInIntoTheRaPortalAs($userName, $tokenType)
+    public function iAmLoggedInIntoTheRaPortalAsWith($userName, $tokenType)
     {
         // Login into RA
         $this->iTryToLoginIntoTheRaPortalAs($userName, $tokenType);
@@ -131,16 +131,24 @@ public function iAmLoggedInIntoTheRaPortalAs($userName, $tokenType)
     }
 
     /**
-     * @Given /^I try to login into the ra portal as "([^"]*)" with a "([^"]*)" token$/
+     * @Given /^I try to login into the ra portal as "([^"]*)"$/
      */
-    public function iTryToLoginIntoTheRaPortalAs($userName, $tokenType)
+    public function iTryToLoginIntoTheRaPortalAs($userName)
     {
         // We visit the RA location url
         $this->minkContext->getSession()->reset();
         $this->minkContext->visit($this->raUrl);
 
         // The admin user logs in and gives a Yubikey second factor
         $this->authContext->authenticateWithIdentityProviderForWithStepup($userName);
+    }
+
+    /**
+     * @Given /^I try to login into the ra portal as "([^"]*)" with a "([^"]*)" token$/
+     */
+    public function iTryToLoginIntoTheRaPortalAsWith($userName, $tokenType)
+    {
+        $this->iTryToLoginIntoTheRaPortalAs($userName);
         switch ($tokenType) {
             case "yubikey":
                 $this->authContext->verifyYuikeySecondFactor();
@@ -705,4 +713,12 @@ private function diePrintingContent()
         echo $this->minkContext->getSession()->getPage()->getContent();
         die;
     }
+
+    /**
+     * @Given /^I die$/
+     */
+    public function andIDie()
+    {
+        $this->diePrintingContent();
+    }
 }
diff --git a/stepup/tests/behat/features/ra_login-exception.feature b/stepup/tests/behat/features/ra_login-exception.feature
@@ -12,3 +12,31 @@ Feature: A RAA can only manage R RA(A)'s on the promotion page
     Then I should see "Error - Access denied"
      And I should see "Authentication was successful, but you are not authorised to use the RA management portal"
 
+  Scenario: User "jane-d4" tries to login with no 2FA token available
+    Given a user "jane-d4" identified by "urn:collab:person:institution-d.example.com:jane-d4" from institution "institution-d.example.com"
+    # The identity does not have a second factor token and can by no means log in to RA
+    And I try to login into the ra portal as "jane-d4"
+    And I press "Submit"
+    Then I should see "Error - Not authorised to sign in"
+    And I should see "Error code"
+    And I should see "11430"
+
+  Scenario: User "joe-a3" tries to login while no acceptable 2FA token is available
+    Given a user "joe-a3" identified by "urn:collab:person:institution-a.example.com:joe-a3" from institution "institution-a.example.com"
+    # The token is not suitable to log in to RA, and the user is not acreditted the RA role.
+    And the user "urn:collab:person:institution-a.example.com:joe-a3" has a vetted "sms" with identifier "+31 (0) 687654321"
+    And I try to login into the ra portal as "joe-a3"
+    And I press "Submit"
+    Then I should see "Error - Not authorised to sign in"
+    And I should see "Error code"
+    And I should see "11430"
+
+  Scenario: User "admin" cancels the second factor authentication
+    Given I try to login into the ra portal as "admin"
+    # Cancel the yubikey second factor authentication
+    Then I press "Cancel"
+    # Pass throug gateway
+    And I press "Submit"
+    Then I should see "Error - Sign in"
+    And I should see "Error code"
+    And I should see "32592"