Merge pull request #981 from alphagov/improve-handling-of-invalid-sso…
…-requests Improve handling of invalid SSO requests
Showing
4 changed files
with
142 additions
and
12 deletions.
@@ -21,26 +21,40 @@ | |
expect(response.status).to eq 400 | ||
end | ||
|
||
context "when logged in as an admin" do | ||
context "when logged in as an admin", csrf: false do | ||
let(:user_attributes) do | ||
{ | ||
first_name: "System", | ||
last_name: "Administrator", | ||
email: "admin@petition.parliament.uk" | ||
email: "admin@example.com" | ||
} | ||
end | ||
|
||
let(:login_params) do | ||
{ email: "admin@petition.parliament.uk", password: "L3tme1n!" } | ||
{ email: "admin@example.com" } | ||
end | ||
|
||
let!(:user) { FactoryBot.create(:sysadmin_user, user_attributes) } | ||
|
||
before do | ||
host! "moderate.petition.parliament.uk" | ||
https! | ||
|
||
post "/admin/user_sessions", params: { admin_user_session: login_params } | ||
sso_user = FactoryBot.create(:sysadmin_sso_user, **user_attributes) | ||
OmniAuth.config.mock_auth[:example] = sso_user | ||
|
||
post "/admin/login", params: { user: login_params } | ||
|
||
expect(response.status).to eq(307) | ||
expect(response.location).to eq("https://moderate.petition.parliament.uk/admin/auth/example") | ||
|
||
follow_redirect!(params: request.POST) | ||
|
||
expect(response.status).to eq(302) | ||
expect(response.location).to eq("https://moderate.petition.parliament.uk/admin/auth/example/callback") | ||
|
||
follow_redirect! | ||
|
||
expect(response.status).to eq(200) | ||
expect(response).to have_header("Refresh", "0; url=https://moderate.petition.parliament.uk/admin") | ||
end | ||
|
||
context "and uploading a debate outcome image" do | ||
|
@@ -49,7 +63,87 @@ | |
|
||
it 'does not return 400 for an image containing null bytes' do | ||
patch "/admin/petitions/#{petition.id}/debate-outcome", params: { debate_outcome: { image: image } } | ||
expect(response.status).to eq 302 | ||
|
||
expect(response.status).to eq(302) | ||
expect(response.location).to eq("https://moderate.petition.parliament.uk/admin/petitions/#{petition.id}") | ||
end | ||
end | ||
end | ||
|
||
context "when attempting to login as an admin", csrf: false do | ||
before do | ||
host! "moderate.petition.parliament.uk" | ||
https! | ||
end | ||
|
||
context "on an unknown provider" do | ||
let(:provider) { "/admin/auth/unknown" } | ||
|
||
it "redirects to the login page on the passthru url" do | ||
get "#{provider}" | ||
|
||
expect(response.status).to eq(302) | ||
expect(response.location).to eq("https://moderate.petition.parliament.uk/admin/login") | ||
expect(flash[:alert]).to eq("Invalid login details") | ||
end | ||
|
||
it "redirects to the login page on the callback url" do | ||
get "#{provider}/callback" | ||
|
||
expect(response.status).to eq(302) | ||
expect(response.location).to eq("https://moderate.petition.parliament.uk/admin/login") | ||
expect(flash[:alert]).to eq("Invalid login details") | ||
end | ||
end | ||
|
||
context "on a known provider" do | ||
let(:provider) { "/admin/auth/example" } | ||
|
||
it "redirects to the login page on the passthru url" do | ||
get "#{provider}" | ||
|
||
expect(response.status).to eq(302) | ||
expect(response.location).to eq("https://moderate.petition.parliament.uk/admin/login") | ||
expect(flash[:alert]).to eq("Invalid login details") | ||
end | ||
|
||
it "redirects to the login page on the callback url" do | ||
get "#{provider}/callback" | ||
|
||
expect(response.status).to eq(302) | ||
expect(response.location).to eq("https://moderate.petition.parliament.uk/admin/login") | ||
expect(flash[:alert]).to eq("Invalid login details") | ||
end | ||
|
||
context "with invalid auth data" do | ||
let(:user_attributes) do | ||
{ first_name: "", last_name: "", email: "" } | ||
end | ||
|
||
let(:login_params) do | ||
{ email: "[email protected]" } | ||
end | ||
|
||
it "redirects to the login page" do | ||
sso_user = FactoryBot.create(:sso_user, **user_attributes) | ||
OmniAuth.config.mock_auth[:example] = sso_user | ||
|
||
post "/admin/login", params: { user: login_params } | ||
|
||
expect(response.status).to eq(307) | ||
expect(response.location).to eq("https://moderate.petition.parliament.uk/admin/auth/example") | ||
|
||
follow_redirect!(params: request.POST) | ||
|
||
expect(response.status).to eq(302) | ||
expect(response.location).to eq("https://moderate.petition.parliament.uk/admin/auth/example/callback") | ||
|
||
follow_redirect! | ||
|
||
expect(response.status).to eq(302) | ||
expect(response.location).to eq("https://moderate.petition.parliament.uk/admin/login") | ||
expect(flash[:alert]).to eq("Invalid login details") | ||
end | ||
end | ||
end | ||
end | ||
|
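Review bot: The "with invalid auth data" example in the second hunk stops at asserting the 302 to `/admin/login` and the "Invalid login details" flash after the callback; it never confirms that the blank-attribute SSO user was not actually signed in, which is the property this change exists to guarantee. After the last `expect(flash[:alert])` line I would add `get "/admin"` followed by `expect(response.location).to eq("https://moderate.petition.parliament.uk/admin/login")`, on the assumption (suggested by the successful-login example's refresh to `/admin`) that `/admin` is the protected area; the same follow-up request would strengthen the unknown-provider callback example too. Separately, the first hunk's `csrf: false` on the "when logged in as an admin" context now also applies to the nested debate-outcome examples, so if that metadata disables CSRF checking for the whole context those PATCH requests no longer exercise the token check — consider scoping it to the login flow if the framework allows. The spec's `describe` header and the file path are outside this view.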