UI: Add auth tests (#30033)

* rename page test to login form

* add username/password tests to auth page test

* add github and generalize tests

* finish standard auth types for page test

* add tests for onNamespaceInput

* fix accessibility violation

* add oidc provider qp test

* move helper into test

* move destructured arg

* address oidc auth method flakiness...maybe?

* cleanup unused fake window methods

* add comment why...

* fix diff

* fix header

* finish mfa acceptance tests move mfa selectors to folder

Author: hellobontempo

ui/app/components/auth/page.hbs

@@ -21,7 +21,7 @@
     <:header>
       {{#if @oidcProviderQueryParam}}
         <div class="box is-shadowless is-flex-v-centered" data-test-auth-logo>
-          <LogoEdition aria-label="Sign in with Hashicorp Vault" />
+          <LogoEdition aria-label="Sign in with Hashicorp Vault" role="img" />
         </div>
       {{else}}
         <div class="is-flex-v-centered has-bottom-margin-xxl">
@@ -37,6 +37,7 @@
               @isIconOnly={{true}}
               @color="tertiary"
               {{on "click" (fn (mut this.mfaAuthData) null)}}
+              data-test-back-button
             />
           {{/if}}
           <h1 class="title is-3">

ui/app/components/auth/page.js

@@ -10,12 +10,22 @@ import { action } from '@ember/object';
 
 /**
  * @module AuthPage
- * The Auth::Page wraps OktaNumberChallenge and AuthForm to manage the login flow and is responsible for calling the authenticate method
+ * The Auth::Page is the route template for the login splash view. It renders the Auth::LoginForm or MFA component if an 
+ * mfa validation is returned from the auth request. It also handles display logic if there is an oidc provider query param.
  *
  * @example
- * <Auth::Page @namespaceQueryParam={{this.namespaceQueryParam}} @onAuthSuccess={{action "authSuccess"}} @oidcProviderQueryParam={{this.oidcProvider}} @cluster={{this.model}} @onNamespaceUpdate={{perform this.updateNamespace}} />
+ * <Auth::Page
+ * @authMethodQueryParam={{this.authMethod}}
+ * @cluster={{this.model}}
+ * @namespaceQueryParam={{this.namespaceQueryParam}}
+ * @oidcProviderQueryParam={{this.oidcProvider}}
+ * @onAuthSuccess={{action "authSuccess"}}
+ * @onNamespaceUpdate={{perform this.updateNamespace}}
+ * @wrappedToken={{this.wrappedToken}}
+/>
  *
  * @param {string} authMethodQueryParam - auth method type to login with, updated by selecting an auth method from the dropdown
+ * @param {object} cluster - the ember data cluster model. contains information such as cluster id, name and boolean for if the cluster is in standby
  * @param {string} namespaceQueryParam - namespace to login with, updated by typing in to the namespace input
  * @param {string} oidcProviderQueryParam - oidc provider query param, set in url as "?o=someprovider"
  * @param {function} onAuthSuccess - callback task in controller that receives the auth response (after MFA, if enabled) when login is successful

ui/tests/acceptance/auth-test.js

@@ -19,7 +19,7 @@ import {
 import { login, loginMethod, loginNs, logout } from 'vault/tests/helpers/auth/auth-helpers';
 import { AUTH_FORM } from 'vault/tests/helpers/auth/auth-form-selectors';
 import { v4 as uuidv4 } from 'uuid';
-import { GENERAL } from '../helpers/general-selectors';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
 const ENT_AUTH_METHODS = ['saml'];
 const { rootToken } = VAULT_KEYS;
@@ -263,10 +263,15 @@ module('Acceptance | auth', function (hooks) {
         `write auth/${this.userpass}/users/${this.user} password=${this.user} token_policies=${this.policyName}`,
       ]);
 
-      const options = { username: this.user, password: this.user, 'auth-form-mount-path': this.userpass };
+      const inputValues = {
+        username: this.user,
+        password: this.user,
+        'auth-form-mount-path': this.userpass,
+        'auth-form-ns-input': this.ns,
+      };
 
       // login as user just to get token (this is the only way to generate a token in the UI right now..)
-      await loginMethod('userpass', options, { toggleOptions: true, ns: this.ns });
+      await loginMethod(inputValues, { authType: 'userpass', toggleOptions: true });
       await click('[data-test-user-menu-trigger=""]');
       const token = find('[data-test-copy-button]').getAttribute('data-test-copy-button');
 

ui/tests/acceptance/auth/mfa-test.js

@@ -0,0 +1,224 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupApplicationTest } from 'ember-qunit';
+import { click, visit, fillIn } from '@ember/test-helpers';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { AUTH_FORM } from 'vault/tests/helpers/auth/auth-form-selectors';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import { MFA_SELECTORS } from 'vault/tests/helpers/mfa/mfa-selectors';
+import { constraintId, setupTotpMfaResponse } from 'vault/tests/helpers/mfa/mfa-helpers';
+import { fillInLoginFields } from 'vault/tests/helpers/auth/auth-helpers';
+import { callbackData, WindowStub } from 'vault/tests/helpers/oidc-window-stub';
+import sinon from 'sinon';
+
+const ENT_ONLY = ['saml'];
+
+// See AUTH_METHOD_TEST_CASES for how request data maps to method types
+// authRequest is the request made on submit and what returns mfa_validation requirements (if any)
+// additionalRequest are any third party requests the auth method expects
+const REQUEST_DATA = {
+  username: {
+    loginData: { username: 'matilda', password: 'password' },
+    stubRequests: (server, path) =>
+      server.post(`/auth/${path}/login/matilda`, () => setupTotpMfaResponse(path)),
+  },
+  github: {
+    loginData: { token: 'mysupersecuretoken' },
+    stubRequests: (server, path) => server.post(`/auth/${path}/login`, () => setupTotpMfaResponse(path)),
+  },
+  oidc: {
+    loginData: { role: 'some-dev' },
+    hasPopupWindow: true,
+    stubRequests: (server, path) => {
+      server.get(`/auth/${path}/oidc/callback`, () => setupTotpMfaResponse(path));
+      server.post(`/auth/${path}/oidc/auth_url`, () => ({
+        data: { auth_url: 'http://dev-foo-bar.com' },
+      }));
+    },
+  },
+  saml: {
+    loginData: { role: 'some-dev' },
+    hasPopupWindow: true,
+    stubRequests: (server, path) => {
+      server.put(`/auth/${path}/token`, () => setupTotpMfaResponse(path));
+      server.put(`/auth/${path}/sso_service_url`, () => ({
+        data: { sso_service_url: 'http://sso-url.hashicorp.com/service', token_poll_id: '1234' },
+      }));
+    },
+  },
+};
+
+// maps auth type to request data (line breaks to help separate and clarify which methods share request paths)
+const AUTH_METHOD_TEST_CASES = [
+  { authType: 'github', options: REQUEST_DATA.github },
+
+  { authType: 'userpass', options: REQUEST_DATA.username },
+  { authType: 'ldap', options: REQUEST_DATA.username },
+  { authType: 'okta', options: REQUEST_DATA.username },
+  { authType: 'radius', options: REQUEST_DATA.username },
+
+  { authType: 'oidc', options: REQUEST_DATA.oidc },
+  { authType: 'jwt', options: REQUEST_DATA.oidc },
+
+  // ENTERPRISE ONLY
+  { authType: 'saml', options: REQUEST_DATA.saml },
+];
+
+for (const method of AUTH_METHOD_TEST_CASES) {
+  const { authType, options } = method;
+  const isEntMethod = ENT_ONLY.includes(authType);
+  // adding "enterprise" to the module title filters it out of the test runner for the CE repo
+  module(`Acceptance | auth | mfa ${authType}${isEntMethod ? ' enterprise' : ''}`, function (hooks) {
+    setupApplicationTest(hooks);
+    setupMirage(hooks);
+
+    hooks.beforeEach(async function () {
+      if (options?.hasPopupWindow) {
+        this.windowStub = sinon.stub(window, 'open').callsFake(() => new WindowStub());
+      }
+      await visit('/vault/auth');
+    });
+
+    hooks.afterEach(function () {
+      if (options?.hasPopupWindow) {
+        this.windowStub.restore();
+      }
+    });
+
+    test(`${authType}: it displays mfa requirement for default paths`, async function (assert) {
+      this.mountPath = authType;
+      options.stubRequests(this.server, this.mountPath);
+
+      const loginKeys = Object.keys(options.loginData);
+      assert.expect(3 + loginKeys.length);
+
+      // Fill in login form
+      await fillIn(AUTH_FORM.method, authType);
+      await fillInLoginFields(options.loginData);
+
+      if (options?.hasPopupWindow) {
+        // fires "message" event which methods that rely on popup windows wait for
+        setTimeout(() => {
+          // set path which is used to set :mount param in the callback url => /auth/:mount/oidc/callback
+          window.postMessage(callbackData({ path: this.mountPath }), window.origin);
+        }, 50);
+      }
+
+      await click(AUTH_FORM.login);
+      assert
+        .dom(MFA_SELECTORS.mfaForm)
+        .hasText(
+          'Multi-factor authentication is enabled for your account. Enter your authentication code to log in. TOTP passcode Verify'
+        );
+      await click(GENERAL.backButton);
+      assert.dom(AUTH_FORM.form).exists('clicking back returns to auth form');
+      assert.dom(GENERAL.selectByAttr('auth-method')).hasValue(authType, 'preserves method type on back');
+      for (const field of loginKeys) {
+        assert.dom(AUTH_FORM.input(field)).hasValue('', `${field} input clears on back`);
+      }
+    });
+
+    test(`${authType}: it displays mfa requirement for custom paths`, async function (assert) {
+      this.mountPath = `${authType}-custom`;
+      options.stubRequests(this.server, this.mountPath);
+      const loginKeys = Object.keys(options.loginData);
+      assert.expect(3 + loginKeys.length);
+
+      // Fill in login form
+      await fillIn(AUTH_FORM.method, authType);
+      // Toggle more options to input a custom mount path
+      await fillInLoginFields(
+        { ...options.loginData, 'auth-form-mount-path': this.mountPath },
+        { toggleOptions: true }
+      );
+
+      if (options?.hasPopupWindow) {
+        // fires "message" event which methods that rely on popup windows wait for
+        setTimeout(() => {
+          // set path which is used to set :mount param in the callback url => /auth/:mount/oidc/callback
+          window.postMessage(callbackData({ path: this.mountPath }), window.origin);
+        }, 50);
+      }
+
+      await click(AUTH_FORM.login);
+      assert
+        .dom(MFA_SELECTORS.mfaForm)
+        .hasText(
+          'Multi-factor authentication is enabled for your account. Enter your authentication code to log in. TOTP passcode Verify'
+        );
+      await click(GENERAL.backButton);
+      assert.dom(AUTH_FORM.form).exists('clicking back returns to auth form');
+      assert.dom(GENERAL.selectByAttr('auth-method')).hasValue(authType, 'preserves method type on back');
+      for (const field of loginKeys) {
+        assert.dom(AUTH_FORM.input(field)).hasValue('', `${field} input clears on back`);
+      }
+    });
+
+    test(`${authType}: it submits mfa requirement for default paths`, async function (assert) {
+      assert.expect(2);
+      this.mountPath = authType;
+      options.stubRequests(this.server, this.mountPath);
+
+      const expectedOtp = '12345';
+      server.post('/sys/mfa/validate', async (_, req) => {
+        const [actualOtp] = JSON.parse(req.requestBody).mfa_payload[constraintId];
+        assert.true(true, 'it makes request to mfa validate endpoint');
+        assert.strictEqual(actualOtp, expectedOtp, 'payload contains otp');
+      });
+
+      // Fill in login form
+      await fillIn(AUTH_FORM.method, authType);
+      await fillInLoginFields(options.loginData);
+
+      if (options?.hasPopupWindow) {
+        // fires "message" event which methods that rely on popup windows wait for
+        setTimeout(() => {
+          // set path which is used to set :mount param in the callback url => /auth/:mount/oidc/callback
+          window.postMessage(callbackData({ path: this.mountPath }), window.origin);
+        }, 50);
+      }
+
+      await click(AUTH_FORM.login);
+      await fillIn(MFA_SELECTORS.passcode(0), expectedOtp);
+      await click(MFA_SELECTORS.validate);
+    });
+
+    test(`${authType}: it submits mfa requirement for custom paths`, async function (assert) {
+      assert.expect(2);
+
+      this.mountPath = `${authType}-custom`;
+      options.stubRequests(this.server, this.mountPath);
+
+      const expectedOtp = '12345';
+      server.post('/sys/mfa/validate', async (_, req) => {
+        const [actualOtp] = JSON.parse(req.requestBody).mfa_payload[constraintId];
+        assert.true(true, 'it makes request to mfa validate endpoint');
+        assert.strictEqual(actualOtp, expectedOtp, 'payload contains otp');
+      });
+
+      // Fill in login form
+      await fillIn(AUTH_FORM.method, authType);
+      // Toggle more options to input a custom mount path
+      await fillInLoginFields(
+        { ...options.loginData, 'auth-form-mount-path': this.mountPath },
+        { toggleOptions: true }
+      );
+
+      if (options?.hasPopupWindow) {
+        // fires "message" event which methods that rely on popup windows wait for
+        setTimeout(() => {
+          // set path which is used to set :mount param in the callback url => /auth/:mount/oidc/callback
+          window.postMessage(callbackData({ path: this.mountPath }), window.origin);
+        }, 50);
+      }
+
+      await click(AUTH_FORM.login);
+      await fillIn(MFA_SELECTORS.passcode(0), expectedOtp);
+      await click(MFA_SELECTORS.validate);
+    });
+  });
+}

ui/tests/acceptance/oidc-auth-method-test.js

@@ -8,18 +8,17 @@ import { setupApplicationTest } from 'ember-qunit';
 import { click, fillIn, find, waitUntil } from '@ember/test-helpers';
 import authPage from 'vault/tests/pages/auth';
 import { setupMirage } from 'ember-cli-mirage/test-support';
-import { fakeWindow, buildMessage } from '../helpers/oidc-window-stub';
+import { WindowStub, buildMessage } from 'vault/tests/helpers/oidc-window-stub';
 import sinon from 'sinon';
-import { later, _cancelTimers as cancelTimers } from '@ember/runloop';
 import { Response } from 'miragejs';
-import { setupTotpMfaResponse } from 'vault/tests/helpers/auth/mfa-helpers';
+import { setupTotpMfaResponse } from 'vault/tests/helpers/mfa/mfa-helpers';
 
 module('Acceptance | oidc auth method', function (hooks) {
   setupApplicationTest(hooks);
   setupMirage(hooks);
 
   hooks.beforeEach(function () {
-    this.openStub = sinon.stub(window, 'open').callsFake(() => fakeWindow.create());
+    this.openStub = sinon.stub(window, 'open').callsFake(() => new WindowStub());
 
     this.setupMocks = (assert) => {
       this.server.post('/auth/oidc/oidc/auth_url', () => ({
@@ -67,10 +66,9 @@ module('Acceptance | oidc auth method', function (hooks) {
     this.setupMocks(assert);
 
     await this.selectMethod('oidc');
-    later(() => {
+    setTimeout(() => {
       window.postMessage(buildMessage().data, window.origin);
-      cancelTimers();
-    }, 100);
+    }, 50);
 
     await click('[data-test-auth-submit]');
   });
@@ -96,21 +94,19 @@ module('Acceptance | oidc auth method', function (hooks) {
     });
 
     await this.selectMethod('oidc', true);
-    later(() => {
+    setTimeout(() => {
       window.postMessage(buildMessage().data, window.origin);
-      cancelTimers();
     }, 50);
-
     await click('[data-test-auth-submit]');
   });
 
   // coverage for bug where token was selected as auth method for oidc and jwt
   test('it should populate oidc auth method on logout', async function (assert) {
     this.setupMocks();
     await this.selectMethod('oidc');
-    later(() => {
+
+    setTimeout(() => {
       window.postMessage(buildMessage().data, window.origin);
-      cancelTimers();
     }, 50);
 
     await click('[data-test-auth-submit]');
@@ -163,9 +159,8 @@ module('Acceptance | oidc auth method', function (hooks) {
     this.setupMocks(assert);
     this.server.get('/auth/foo/oidc/callback', () => setupTotpMfaResponse('foo'));
     await this.selectMethod('oidc');
-    later(() => {
+    setTimeout(() => {
       window.postMessage(buildMessage().data, window.origin);
-      cancelTimers();
     }, 50);
 
     await click('[data-test-auth-submit]');

ui/tests/acceptance/saml-auth-method-test.js

@@ -10,15 +10,15 @@ import { click, fillIn, find, waitUntil } from '@ember/test-helpers';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { Response } from 'miragejs';
 import authPage from 'vault/tests/pages/auth';
-import { fakeWindow } from 'vault/tests/helpers/oidc-window-stub';
-import { setupTotpMfaResponse } from 'vault/tests/helpers/auth/mfa-helpers';
+import { WindowStub } from 'vault/tests/helpers/oidc-window-stub';
+import { setupTotpMfaResponse } from 'vault/tests/helpers/mfa/mfa-helpers';
 
 module('Acceptance | enterprise saml auth method', function (hooks) {
   setupApplicationTest(hooks);
   setupMirage(hooks);
 
   hooks.beforeEach(function () {
-    this.openStub = sinon.stub(window, 'open').callsFake(() => fakeWindow.create());
+    this.openStub = sinon.stub(window, 'open').callsFake(() => new WindowStub());
     this.server.put('/auth/saml/sso_service_url', () => ({
       data: {
         sso_service_url: 'http://sso-url.hashicorp.com/service',

ui/tests/helpers/auth/auth-form-selectors.ts

@@ -14,4 +14,6 @@ export const AUTH_FORM = {
   mountPathInput: '[data-test-auth-form-mount-path]',
   moreOptions: '[data-test-auth-form-options-toggle]',
   namespaceInput: '[data-test-auth-form-ns-input]',
+  logo: '[data-test-auth-logo]',
+  helpText: '[data-test-auth-helptext]',
 };