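# frozen_string_literal: true

require 'rails_helper'

# Request spec for the IdP's SAML response endpoint.
#
# Four states are exercised: no password session; a password session with an
# AuthnRequest stored in it (issuer known vs. unknown to the registry); a
# password session without a stored AuthnRequest; and a password session for a
# user whose MFA step is still outstanding. Only the first case may render a
# SAMLResponse form, and only when the issuer resolves to registered metadata.
RSpec.describe '/response' do
  describe 'GET /response' do
    context 'when the user has not completed password authentication' do
      before { get '/response' }

      # No session at all: nothing is rendered, the browser is sent to login.
      it { expect(response).to redirect_to(new_session_path) }
    end

    context 'when the user has completed password authentication' do
      let(:current_user) { create(:user) }

      # `http_login` and `skip_mfa:` are spec helpers defined outside this file.
      # NOTE(review): the MFA context below overrides `current_user` with an
      # MFA-configured account and still expects the MFA redirect despite this
      # flag — confirm that is the helper's intended interplay.
      before { http_login(current_user, skip_mfa: true) }

      context 'when a saml request was present in session' do
        let(:registry) { Saml::Kit::DefaultRegistry.new }
        let(:issuer) { Saml::Kit.configuration.entity_id }
        let(:redirect_binding) { Saml::Kit::Bindings::HttpRedirect.new(location: new_session_url) }
        let(:relay_state) { SecureRandom.uuid }
        let(:sp_metadata) do
          Saml::Kit::ServiceProviderMetadata.build do |builder|
            builder.add_assertion_consumer_service(FFaker::Internet.uri('https'), binding: :http_post)
            builder.add_single_logout_service(FFaker::Internet.uri('https'), binding: :http_post)
          end
        end

        # The registry lives on the process-wide Saml::Kit configuration. The
        # original spec assigned it and never put it back, so the stubbed
        # registry leaked into every example that ran afterwards; restoring it
        # in `ensure` keeps the swap scoped to this context.
        around do |example|
          original_registry = Saml::Kit.configuration.registry
          Saml::Kit.configuration.registry = registry
          example.run
        ensure
          Saml::Kit.configuration.registry = original_registry
        end

        before do
          allow(registry).to receive(:metadata_for).with(issuer).and_return(sp_metadata)
          # Arrive at the login URL via the HTTP-Redirect binding so the
          # AuthnRequest and its RelayState are stored in the session.
          request_url = redirect_binding.serialize(Saml::Kit::AuthenticationRequest.builder, relay_state: relay_state).first
          get request_url
        end

        context 'when the saml request is still valid' do
          before { get '/response' }

          # The auto-submit form must target the registered ACS and carry both
          # the SAMLResponse and the RelayState echoed back from the request.
          it { expect(response).to have_http_status(:ok) }
          it { expect(response.body).to include(sp_metadata.assertion_consumer_service_for(binding: :http_post).location) }
          it { expect(response.body).to include('SAMLResponse') }
          it { expect(response.body).to include('RelayState') }
          it { expect(response.body).to include(relay_state) }
        end

        context 'when the SAML request is no longer valid' do
          # `metadata_for` returning nil models an issuer the registry no longer
          # knows; the endpoint must refuse rather than post an assertion to an
          # ACS it cannot verify.
          before do
            allow(registry).to receive(:metadata_for).with(issuer).and_return(nil)
            get '/response'
          end

          it { expect(response).to have_http_status(:forbidden) }
        end
      end

      context 'when a saml request was not present in session' do
        before { get '/response' }

        # Nothing to respond to: a plain logged-in user lands on the dashboard.
        it { expect(response).to redirect_to(my_dashboard_path) }
      end

      context 'when MFA authentication has not been completed' do
        let(:current_user) { create(:user, :mfa_configured) }

        before { get '/response' }

        # Password alone is not enough for an MFA-configured account.
        it { expect(response).to redirect_to(new_mfa_path) }
      end
    end
  end
end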