Update to Latest MFA Authorization responses

Author: jzheaux

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/java/example/CustomPagesConfigTests.java

@@ -25,33 +25,32 @@ class CustomPagesConfigTests {
 
 	@Test
 	void indexWhenUnauthenticatedThenRedirectsToLogin() throws Exception {
-		this.mvc.perform(get("/"))
-			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/auth/password"));
+		this.mvc.perform(get("/")).andExpect(status().is3xxRedirection()).andExpect(redirectedUrl("/auth/password"));
 	}
 
 	@Test
 	@WithMockUser
 	void indexWhenAuthenticatedButNoFactorsThenRedirectsToLogin() throws Exception {
 		this.mvc.perform(get("/"))
 			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/auth/password?factor=password"));
+			.andExpect(redirectedUrl(
+					"/auth/password?factor.type=password&factor.type=ott&factor.reason=missing&factor.reason=missing"));
 	}
 
 	@Test
 	@WithMockUser(authorities = OTT_AUTHORITY)
 	void indexWhenAuthenticatedWithX509ThenRedirectsToLogin() throws Exception {
 		this.mvc.perform(get("/"))
 			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/auth/password?factor=password"));
+			.andExpect(redirectedUrl("/auth/password?factor.type=password&factor.reason=missing"));
 	}
 
 	@Test
 	@WithMockUser(authorities = PASSWORD_AUTHORITY)
 	void indexWhenAuthenticatedWithPasswordThenRedirectsToOtt() throws Exception {
 		this.mvc.perform(get("/"))
 			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/auth/ott?factor=ott"));
+			.andExpect(redirectedUrl("/auth/ott?factor.type=ott&factor.reason=missing"));
 	}
 
 }

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/java/example/DefaultConfigTests.java

@@ -1,16 +1,22 @@
 package example;
 
+import java.time.Instant;
+
 import org.junit.jupiter.api.Test;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.web.servlet.MockMvc;
 
 import static org.springframework.security.core.authority.FactorGrantedAuthority.OTT_AUTHORITY;
 import static org.springframework.security.core.authority.FactorGrantedAuthority.PASSWORD_AUTHORITY;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -25,33 +31,73 @@ class DefaultConfigTests {
 
 	@Test
 	void indexWhenUnauthenticatedThenRedirectsToLogin() throws Exception {
-		this.mvc.perform(get("/"))
-			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/login"));
+		this.mvc.perform(get("/")).andExpect(status().is3xxRedirection()).andExpect(redirectedUrl("/login"));
 	}
 
 	@Test
 	@WithMockUser
 	void indexWhenAuthenticatedButNoFactorsThenRedirectsToLogin() throws Exception {
 		this.mvc.perform(get("/"))
 			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/login?factor=password"));
+			.andExpect(redirectedUrl(
+					"/login?factor.type=password&factor.type=ott&factor.reason=missing&factor.reason=missing"));
 	}
 
 	@Test
 	@WithMockUser(authorities = OTT_AUTHORITY)
 	void indexWhenAuthenticatedWithX509ThenRedirectsToLogin() throws Exception {
 		this.mvc.perform(get("/"))
 			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/login?factor=password"));
+			.andExpect(redirectedUrl("/login?factor.type=password&factor.reason=missing"));
 	}
 
 	@Test
 	@WithMockUser(authorities = PASSWORD_AUTHORITY)
 	void indexWhenAuthenticatedWithPasswordThenRedirectsToOtt() throws Exception {
 		this.mvc.perform(get("/"))
 			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/login?factor=ott"));
+			.andExpect(redirectedUrl("/login?factor.type=ott&factor.reason=missing"));
+	}
+
+	@Test
+	void profileWhenAuthenticatedWithPasswordThenRedirectsToOtt() throws Exception {
+		UserDetails user = User.withDefaultPasswordEncoder()
+			.username("user")
+			.authorities(FactorGrantedAuthority.fromAuthority(PASSWORD_AUTHORITY))
+			.build();
+		this.mvc.perform(get("/profile").with(user(user)))
+			.andExpect(status().is3xxRedirection())
+			.andExpect(redirectedUrl("/login?factor.type=ott&factor.reason=missing"));
+	}
+
+	@Test
+	void profileWhenAuthenticatedWithOttThenRedirectsToPassword() throws Exception {
+		UserDetails user = User.withDefaultPasswordEncoder()
+			.username("user")
+			.authorities(FactorGrantedAuthority.fromAuthority(OTT_AUTHORITY))
+			.build();
+		this.mvc.perform(get("/profile").with(user(user)))
+			.andExpect(status().is3xxRedirection())
+			.andExpect(redirectedUrl("/login?factor.type=password&factor.reason=missing"));
+	}
+
+	@Test
+	void profileWhenExpiredPasswordAuthorityThenRedirectsToPassword() throws Exception {
+		FactorGrantedAuthority expiredPassword = FactorGrantedAuthority.withAuthority(PASSWORD_AUTHORITY)
+			.issuedAt(Instant.now().minusSeconds(600))
+			.build();
+		FactorGrantedAuthority ott = FactorGrantedAuthority.fromAuthority(OTT_AUTHORITY);
+		UserDetails user = User.withDefaultPasswordEncoder().username("user").authorities(expiredPassword, ott).build();
+		this.mvc.perform(get("/profile").with(user(user)))
+			.andExpect(redirectedUrl("/login?factor.type=password&factor.reason=expired"));
+	}
+
+	@Test
+	void profileWhenAuthenticatedWithPasswordAndOttThenAllows() throws Exception {
+		FactorGrantedAuthority password = FactorGrantedAuthority.fromAuthority(PASSWORD_AUTHORITY);
+		FactorGrantedAuthority ott = FactorGrantedAuthority.fromAuthority(OTT_AUTHORITY);
+		UserDetails user = User.withDefaultPasswordEncoder().username("user").authorities(password, ott).build();
+		this.mvc.perform(get("/profile").with(user(user))).andExpect(status().isOk());
 	}
 
 }

servlet/spring-boot/java/authentication/mfa/formLogin+ott/src/test/java/example/ElevatedSecurityPageConfigTests.java

@@ -42,9 +42,7 @@ class MfaApplicationTests {
 
 	@Test
 	void indexWhenUnauthenticatedThenRedirectsToLogin() throws Exception {
-		this.mvc.perform(get("/"))
-			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/login"));
+		this.mvc.perform(get("/")).andExpect(status().is3xxRedirection()).andExpect(redirectedUrl("/login"));
 	}
 
 	@Test
@@ -58,7 +56,7 @@ void indexWhenAuthenticatedButNoFactorsThenForbidden() throws Exception {
 	void indexWhenAuthenticatedWithX509ThenRedirectsToLogin() throws Exception {
 		this.mvc.perform(get("/"))
 			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/login?factor=password"));
+			.andExpect(redirectedUrl("/login?factor.type=password&factor.reason=missing"));
 	}
 
 	@Test

servlet/spring-boot/java/authentication/mfa/x509+formLogin/src/test/java/example/MfaApplicationTests.java

@@ -42,9 +42,7 @@ public class X509WebAuthnMfaApplicationTests {
 
 	@Test
 	void indexWhenUnauthenticatedThenRedirectsToLogin() throws Exception {
-		this.mvc.perform(get("/"))
-			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/login"));
+		this.mvc.perform(get("/")).andExpect(status().is3xxRedirection()).andExpect(redirectedUrl("/login"));
 	}
 
 	@Test
@@ -64,7 +62,7 @@ void indexWhenAuthenticatedWithWebAuthnThenForbidden() throws Exception {
 	void indexWhenAuthenticatedWithX509ThenRedirectsToWebAuthn() throws Exception {
 		this.mvc.perform(get("/"))
 			.andExpect(status().is3xxRedirection())
-			.andExpect(redirectedUrl("http://localhost/login?factor=webauthn"));
+			.andExpect(redirectedUrl("/login?factor.type=webauthn&factor.reason=missing"));
 	}
 
 }