
[IDP-1010] Add automated tests for trying to log in (authenticate) while WebAuthn MFA API is unusable #346

Merged: 21 commits, Jun 4, 2024

Conversation

forevermatt (Contributor):

Backlog issue: IDP-1010


Added

  • Update documentation on how to run just a specific test scenario
  • Add automated tests for trying to log in (authenticate) while WebAuthn MFA API is unusable

Changed (non-breaking)

  • Move the authentication tests to their own test suite

Fixed

  • Simplify the list of paths in the behat.yml file

Feature PR Checklist

  • Documentation (README, local.env.dist, etc.)
  • Unit tests created or updated
  • Run make composershow
  • Run make psr2

forevermatt requested a review from a team May 30, 2024 18:58

forevermatt (Contributor, Author):

I'm working on fixing the failed test.

Our MFA APIs use bcrypt for that, and at some point the
`PASSWORD_DEFAULT` may change for PHP. This commit's code change
protects this code from breaking when the default PHP password hashing
algorithm does change.
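The commit message above describes guarding against a change in PHP's default hashing algorithm. As an added illustration of that general pattern (not the commit's own code, and the project's password-handling code is not on this page), the snippet below verifies a stored bcrypt hash without pinning the algorithm and reports when a hash should be upgraded; the helper names and the sample hash are assumptions:

```php
<?php
// Added example, not code from the PR: verify and store password hashes without
// pinning the algorithm, so a change in PHP's PASSWORD_DEFAULT does not break
// existing bcrypt hashes. Function names here are illustrative assumptions.

declare(strict_types=1);

/**
 * Create a hash for storage. PASSWORD_DEFAULT currently means bcrypt ("$2y$"),
 * but the PHP manual reserves the right to change the default in future releases.
 */
function hashPassword(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_DEFAULT);
}

/**
 * Verify a submitted password against a stored hash. If the stored hash was
 * produced with an older algorithm or cost, also return an upgraded hash for
 * the caller to persist. Returns [bool $ok, ?string $newHash].
 */
function verifyAndMaybeRehash(string $plaintext, string $storedHash): array
{
    // password_verify() reads the algorithm and cost from the hash's own prefix,
    // so it keeps working for bcrypt hashes even after PASSWORD_DEFAULT changes.
    if (!password_verify($plaintext, $storedHash)) {
        return [false, null];
    }

    // password_needs_rehash() is true when the stored hash does not match the
    // current PASSWORD_DEFAULT algorithm/options: the moment to upgrade it.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        return [true, hashPassword($plaintext)];
    }

    return [true, null];
}

// Constructed sample: a bcrypt hash created explicitly, as a legacy record
// would have been, rather than via PASSWORD_DEFAULT.
$legacyHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);

[$ok, $upgraded] = verifyAndMaybeRehash('correct horse battery staple', $legacyHash);
assert($ok === true);
// Depending on the running PHP version's current default algorithm and cost
// (the default bcrypt cost itself has changed across releases), $upgraded is
// either null or a replacement hash that the caller should store.

[$ok, $upgraded] = verifyAndMaybeRehash('wrong password', $legacyHash);
assert($ok === false && $upgraded === null);
```

The point is that verification never names bcrypt: `password_verify()` dispatches on the hash prefix, and `password_needs_rehash()` is the only place the current default is consulted, so a future change to `PASSWORD_DEFAULT` upgrades hashes opportunistically instead of breaking logins or test fixtures.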
forevermatt (Contributor, Author):

Fixed

briskt (Contributor) left a comment:

Nicely done. I like that you made a new Context for Authentication.


Examples:
| rightOrWrongPassword | containPublicKeyOrNot |
| wrong password | not contain "publicKey" |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way to write this with a positive test? Verifying that the response body does not contain something is, to me, more fragile. Some unrelated failure could happen and we wouldn't know about it because many possible responses could not contain the token. I suppose the real test is the previous line ("response status code should be 200") so this may not be a big deal.

forevermatt (Contributor, Author):

Yeah, the 200 response code is the main test. The "doesn't contain publicKey" is sort of to verify that the WebAuthn MFA API call did in fact fail. I could revise it to specifically look for the WebAuthn MFA API entry, and verify that it doesn't have the publicKey, but this seemed sufficient to be effective.
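The positive check suggested in the exchange above (look for the WebAuthn MFA entry specifically and verify that it lacks a publicKey) could be written like the added example below. This is not the PR's test code: the shape of the login response (an "mfa" list of options, each with a "type" key) and the function names are assumptions, and the sample responses are constructed.

```php
<?php
// Added example, not the PR's Behat step code: assert on the WebAuthn MFA option
// itself instead of checking that the whole body lacks the substring "publicKey".
// The response structure below is an assumption, not taken from the IdP.

declare(strict_types=1);

/**
 * Return the WebAuthn MFA option from a decoded login response, or null.
 */
function findWebAuthnOption(array $response): ?array
{
    foreach ($response['mfa'] ?? [] as $option) {
        if (($option['type'] ?? null) === 'webauthn') {
            return $option;
        }
    }
    return null;
}

/**
 * Targeted check for the "MFA API unusable" scenario: login still succeeds
 * (200) and the WebAuthn option is present but carries no publicKey challenge.
 * Returns a list of failure messages; an empty list means the check passed.
 */
function checkWebAuthnUnavailable(int $status, string $body): array
{
    $failures = [];
    if ($status !== 200) {
        $failures[] = "expected status 200, got $status";
    }

    $decoded = json_decode($body, true);
    if (!is_array($decoded)) {
        $failures[] = 'response body is not a JSON object';
        return $failures;
    }

    $option = findWebAuthnOption($decoded);
    if ($option === null) {
        // A bare "does not contain publicKey" check would pass here; this does not.
        $failures[] = 'no WebAuthn MFA option in response';
        return $failures;
    }

    if (array_key_exists('publicKey', $option)) {
        $failures[] = 'WebAuthn option unexpectedly contains publicKey';
    }
    return $failures;
}

// Constructed sample responses.
$apiDown = json_encode([
    'mfa' => [
        ['type' => 'backupcode', 'id' => 1],
        ['type' => 'webauthn', 'id' => 2],
    ],
]);
$apiUp = json_encode([
    'mfa' => [
        ['type' => 'webauthn', 'id' => 2, 'publicKey' => ['challenge' => 'constructed']],
    ],
]);
$unrelatedError = json_encode(['error' => 'something else broke']);

assert(checkWebAuthnUnavailable(200, $apiDown) === []);
assert(checkWebAuthnUnavailable(200, $apiUp) !== []);
// The substring check in the scenario would accept this response, since it
// contains no "publicKey"; the targeted check rejects it.
assert(checkWebAuthnUnavailable(200, $unrelatedError) !== []);
```

The difference from the scenario's negative assertion is the third sample: an unrelated failure that drops the MFA options entirely also "does not contain publicKey", whereas requiring the WebAuthn entry to be present and then inspecting it distinguishes "MFA API down" from "login response broken".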

@forevermatt forevermatt merged commit 3679ae3 into develop Jun 4, 2024
2 checks passed
@forevermatt forevermatt deleted the feature/IDP-1010-test-login-with-mfa-api-down branch June 4, 2024 19:58