test: ensure aal2 can not be used for oidc

ory · Oct 19, 2021 · cbbcdd2 · cbbcdd2
1 parent d9d39f0
commit cbbcdd2
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 2 deletions.
diff --git a/selfservice/strategy/oidc/strategy_test.go b/selfservice/strategy/oidc/strategy_test.go
@@ -1,6 +1,7 @@
 package oidc_test
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -13,6 +14,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/ory/kratos/text"
+
 	"github.com/ory/x/ioutilx"
 
 	"github.com/ory/x/assertx"
@@ -57,7 +60,9 @@ func TestStrategy(t *testing.T) {
 	returnTS := newReturnTs(t, reg)
 	uiTS := newUI(t, reg)
 	errTS := testhelpers.NewErrorTestServer(t, reg)
-	ts, tsA := testhelpers.NewKratosServers(t)
+	routerP := x.NewRouterPublic()
+	routerA := x.NewRouterAdmin()
+	ts, _ := testhelpers.NewKratosServerWithRouters(t, reg, routerP, routerA)
 
 	viperSetProviderConfig(
 		t,
@@ -72,7 +77,6 @@ func TestStrategy(t *testing.T) {
 			Mapper:       "file://./stub/oidc.hydra.jsonnet",
 		},
 	)
-	testhelpers.InitKratosServers(t, reg, ts, tsA)
 	conf.MustSet(config.ViperKeyDefaultIdentitySchemaURL, "file://./stub/registration.schema.json")
 	conf.MustSet(config.HookStrategyKey(config.ViperKeySelfServiceRegistrationAfter,
 		identity.CredentialsTypeOIDC.String()), []config.SelfServiceHook{{Name: "session"}})
@@ -268,6 +272,29 @@ func TestStrategy(t *testing.T) {
 		}
 	})
 
+	t.Run("case=should fail because password can not handle AAL2", func(t *testing.T) {
+		conf.MustSet(config.ViperKeyDefaultIdentitySchemaURL, "file://./stub/registration-aal.schema.json")
+		t.Cleanup(func() {
+			conf.MustSet(config.ViperKeyDefaultIdentitySchemaURL, "file://./stub/registration.schema.json")
+		})
+		bc := testhelpers.NewDebugClient(t)
+		f := testhelpers.InitializeLoginFlowViaAPI(t, bc, ts, false)
+
+		update, err := reg.LoginFlowPersister().GetLoginFlow(context.Background(), uuid.FromStringOrNil(f.Id))
+		require.NoError(t, err)
+		update.RequestedAAL = identity.AuthenticatorAssuranceLevel2
+		require.NoError(t, reg.LoginFlowPersister().UpdateLoginFlow(context.Background(), update))
+
+		req, err := http.NewRequest("POST", f.Ui.Action, bytes.NewBufferString(`{"method":"oidc"}`))
+		require.NoError(t, err)
+		req.Header.Set("Accept", "application/json")
+		req.Header.Set("Content-Type", "application/json")
+
+		actual, res := testhelpers.MockMakeAuthenticatedRequest(t, reg, conf, routerP.Router, req)
+		assert.Contains(t, res.Request.URL.String(), ts.URL+login.RouteSubmitFlow)
+		assert.Equal(t, text.NewErrorValidationLoginNoStrategyFound().Text, gjson.GetBytes(actual, "ui.messages.0.text").String())
+	})
+
 	t.Run("case=should fail login because scope was not provided", func(t *testing.T) {
 		r := newLoginFlow(t, returnTS.URL, time.Minute)
 		action := afv(t, r.ID, "valid")

diff --git a/selfservice/strategy/oidc/stub/registration-aal.schema.json b/selfservice/strategy/oidc/stub/registration-aal.schema.json
@@ -0,0 +1,25 @@
+{
+  "$id": "https://example.com/person.schema.json",
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Person",
+  "type": "object",
+  "properties": {
+    "traits": {
+      "type": "object",
+      "properties": {
+        "email": {
+          "format": "email",
+          "type": "string",
+          "ory.sh/kratos": {
+            "credentials": {
+              "password": {
+                "identifier": true
+              }
+            }
+          }
+        }
+      }
+    }
+  },
+  "additionalProperties": false
+}