WIP: feat: acr can be used to force identity with IAL=2
Showing
18 changed files
with
398 additions
and
42 deletions.
@@ -0,0 +1 @@ | ||
DO_NOT_SEND_MAIL="True" |
@@ -0,0 +1,57 @@ | ||
INSERT INTO users | ||
(id, email, email_verified, email_verified_at, encrypted_password, created_at, updated_at, | ||
given_name, family_name, phone_number, job, encrypted_totp_key, totp_key_verified_at, force_2fa) | ||
VALUES | ||
(1, '[email protected]', true, CURRENT_TIMESTAMP, | ||
'$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, | ||
'Jean', 'IAL2 AAL2', '0123456789', 'Sbire', | ||
'kuOSXGk68H2B3pYnph0uyXAHrmpbWaWyX/iX49xVaUc=.VMPBZSO+eAng7mjS.cI2kRY9rwhXchcKiiaMZIg==', | ||
CURRENT_TIMESTAMP, false | ||
), | ||
(2, '[email protected]', true, CURRENT_TIMESTAMP, | ||
'$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, | ||
'Jean', 'IAL1 AAL2', '0123456789', 'Sbire', | ||
'kuOSXGk68H2B3pYnph0uyXAHrmpbWaWyX/iX49xVaUc=.VMPBZSO+eAng7mjS.cI2kRY9rwhXchcKiiaMZIg==', | ||
CURRENT_TIMESTAMP, false | ||
), | ||
(3, '[email protected]', true, CURRENT_TIMESTAMP, | ||
'$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, | ||
'Jean', 'IAL2 AAL1', '0123456789', 'Sbire', | ||
null, null, false), | ||
(4, '[email protected]', true, CURRENT_TIMESTAMP, | ||
'$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, | ||
'Jean', 'IAL1 AAL1', '0123456789', 'Sbire', | ||
null, null, false); | ||
|
||
INSERT INTO organizations | ||
(id, siret, created_at, updated_at) | ||
VALUES | ||
(1, '21340126800130', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP); | ||
|
||
INSERT INTO users_organizations | ||
(user_id, organization_id, is_external, verification_type, has_been_greeted) | ||
VALUES | ||
(1, 1, false, 'domain', true), | ||
(2, 1, false, null, true), | ||
(3, 1, false, 'domain', true), | ||
(4, 1, false, null, true); | ||
|
||
INSERT INTO oidc_clients | ||
(client_name, client_id, client_secret, redirect_uris, | ||
post_logout_redirect_uris, scope, client_uri, client_description, | ||
userinfo_signed_response_alg, id_token_signed_response_alg, | ||
authorization_signed_response_alg, introspection_signed_response_alg) | ||
VALUES | ||
('Oidc Test Client', | ||
'acr_client_id', | ||
'acr_client_secret', | ||
ARRAY [ | ||
'http://localhost:4003/login-callback' | ||
], | ||
ARRAY [ | ||
'http://localhost:4003/' | ||
], | ||
'openid email profile organization', | ||
'http://localhost:4003/', | ||
'MonComptePro test client. More info: https://github.com/numerique-gouv/moncomptepro-test-client.', | ||
null, 'RS256', null, null); |
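Review bot: The four seeded users differ only in family_name ('IAL2 AAL2', 'IAL1 AAL2', …), in users_organizations.verification_type and in whether a TOTP key is set, and nothing in the file says which identity/authentication level each combination is meant to exercise; a header comment would make the fixture readable, e.g. `-- acr test users: family_name encodes the expected IAL/AAL; IAL2 appears to come from verification_type = 'domain', AAL2 from a verified TOTP key` (the IAL mapping is inferred from the data, confirm it). The same comment should state that the bcrypt hash, the encrypted_totp_key and 'acr_client_secret' are shared test-only values so nobody mistakes them for real credentials. Minor style: users 1 and 2 close their VALUES tuple with `),` on its own line while users 3 and 4 close inline (`null, null, false),`); pick one form.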
@@ -0,0 +1,31 @@ | ||
// | ||
|
||
describe("sign-in with a client requiring consistency-checked identity", () => { | ||
it("should sign-in an return the right acr value", function () { | ||
cy.visit("http://localhost:4003"); | ||
cy.get("button#force-2fa").click(); | ||
|
||
cy.login("[email protected]"); | ||
|
||
cy.contains('"acr": "urn:dinum:ac:classes:consistency-checked"'); | ||
}); | ||
it("should return an error with ial1", function () { | ||
cy.visit("http://localhost:4003"); | ||
cy.get("button#force-2fa").click(); | ||
|
||
cy.login("[email protected]"); | ||
|
||
cy.contains("access_denied (none of the requested ACRs could be obtained)"); | ||
}); | ||
|
||
// TODO add tests: | ||
// - log with a client requiring consistency-checked and consistency-checked-mfa | ||
// - with a consistency checked user and MFA => see the right acr returned | ||
// - with a self-asserted user and MFA => see an error | ||
// - log with a client not requiring any acr | ||
// - with a self-asserted user => see acr self-asserted | ||
// - with a consistency checked user => see acr consistency-checked | ||
// - log with acr_values=eidas1 and ENABLE_FIXED_ACR=True | ||
// - with all type of acr => see the right acr | ||
// these tests required the mcp-test-client to be modifiable like fc-mock | ||
}); |
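Review bot: The first test's title has a typo, `it("should sign-in an return the right acr value", function () {` should read `it("should sign-in and return the right acr value", function () {`. The file also opens with a bare `//` line that carries no text; if it was meant to hold a reference directive or a header, fill it in, otherwise drop it. Both tests enter the ACR flow by clicking `button#force-2fa`, which reads as an MFA trigger rather than an ACR request; if that is only a test-client naming quirk, a one-line comment above the click saying what the button actually requests, e.g. `// test client button requests the consistency-checked acr`, would spare the next reader a trip to the test client (the button's behaviour is inferred, confirm against the client).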
|
@@ -14,7 +14,9 @@ describe("sign-in with TOTP on untrusted browser", () => { | |
|
||
cy.login("[email protected]"); | ||
|
||
cy.contains("Vérifier votre email"); | ||
// TODO get browser enrollment code | ||
|
||
cy.contains("moncomptepro-standard-client"); | ||
}); | ||
|
||
it("should sign-in with password and TOTP when forced by SP", function () { | ||
|
@@ -26,6 +28,25 @@ describe("sign-in with TOTP on untrusted browser", () => { | |
cy.contains('"amr": [\n "pwd",\n "totp",\n "mfa"\n ],'); | ||
}); | ||
|
||
it("should only show totp step when already logged", function () { | ||
cy.visit("http://localhost:4000"); | ||
cy.get("button.proconnect-button").click(); | ||
|
||
cy.login("[email protected]"); | ||
|
||
// TODO get browser enrollment code | ||
|
||
cy.contains("moncomptepro-standard-client"); | ||
|
||
cy.get("button#force-2fa").click(); | ||
|
||
cy.contains("merci de valider votre deuxième étape de connexion"); | ||
|
||
cy.fillTotpFields(); | ||
|
||
cy.contains('"amr": [\n "pwd",\n "totp",\n "mfa"\n ],'); | ||
}); | ||
|
||
it("should trigger totp rate limiting", function () { | ||
cy.visit("/users/start-sign-in"); | ||
|
||
|
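Review bot: The new test `should only show totp step when already logged` in the second hunk never asserts that the password step is skipped: after `cy.get("button#force-2fa").click()` it only checks that the TOTP prompt appears, which would also pass if the password form were shown first. Add a negative assertion that the password field is absent before `cy.fillTotpFields()` (selector to be confirmed against the sign-in page), otherwise the test does not check what its title claims. The `// TODO get browser enrollment code` line (present in both hunks) leaves it unstated how the flow gets past the untrusted-browser step; presumably a fixture or env setting bypasses it, and the TODO should name which. Minor wording: `when already logged` → `when already logged in`.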