OpenConext · pablothedude · Apr 16, 2025
diff --git a/stepup/tests/behat/features/bootstrap/FeatureContext.php b/stepup/tests/behat/features/bootstrap/FeatureContext.php
@@ -440,4 +440,14 @@ private function vetGsspToken($identityData)
         $this->connectToApi('ra', 'secret');
         $this->apiContext->iRequest('POST', '/command');
     }
+
+    /**
+     * @When die printing content
+     */
+    public function diePrintingContent()
+    {
+        echo $this->minkContext->getSession()->getCurrentUrl();
+        echo $this->minkContext->getSession()->getPage()->getContent();
+        die;
+    }
 }
diff --git a/stepup/tests/behat/features/bootstrap/SelfServiceContext.php b/stepup/tests/behat/features/bootstrap/SelfServiceContext.php
@@ -99,6 +99,25 @@ public function iAmLoggedInIntoTheSelfServicePortalAs($userName)
     }
 
 
+    /**
+     * @Given /^I log in again into selfservice$/
+     */
+    public function loginAgainIntoSelfService()
+    {
+        // We visit the Self Service location url
+        $this->minkContext->visit($this->selfServiceUrl);
+        $this->minkContext->pressButton('Sign out');
+
+        $this->minkContext->visit($this->selfServiceUrl);
+        $this->minkContext->pressButton('Yes, continue');
+        // Pass through Gateway (already authenticated)
+        $this->minkContext->pressButton('Submit');
+
+        $this->iSwitchLocaleTo('English');
+        $this->minkContext->assertPageContainsText('Registration Portal');
+    }
+
+
     /**
      * @Given /^I log into the selfservice portal as "([^"]*)" with activation preference "([^"]*)"$/
      */
@@ -117,7 +136,7 @@ public function ilogIntoTheSelfServicePortalAsWithPreference($userName, $prefere
      */
     public function registerNewToken(string $tokenType)
     {
-        $this->minkContext->assertPageAddress('/registration/select-token');
+        $this->minkContext->visit('/registration/select-token');
 
         switch ($tokenType) {
             case 'Yubikey':
@@ -173,79 +192,6 @@ public function registerNewToken(string $tokenType)
         }
     }
 
-    /**
-     * @When I self-vet a new SMS token with my Yubikey token
-
-     */
-    public function selfVetNewSmsToken()
-    {
-        $this->minkContext->visit($this->selfServiceUrl);
-        $this->minkContext->assertPageAddress('/overview');
-
-        $this->minkContext->assertPageContainsText('The following tokens are registered for your account');
-        $this->minkContext->assertPageContainsText('Yubikey');
-
-        $this->minkContext->visit('/registration/select-token');
-
-        // Select the sms second factor type
-        $this->minkContext->getSession()
-            ->getPage()
-            ->find('css', '[href="/registration/sms/send-challenge"]')->click();
-        $this->minkContext->assertPageAddress('/registration/sms/send-challenge');
-
-        // Start registration
-        $this->minkContext->assertPageContainsText('Send SMS code');
-        $this->minkContext->fillField('ss_send_sms_challenge_subscriber', '612345678');
-        $this->minkContext->pressButton('Send code');
-
-        $this->minkContext->assertPageContainsText('Enter the code that was sent to your phone');
-        $this->minkContext->fillField('ss_verify_sms_challenge_challenge', '999');
-        $this->minkContext->pressButton('Verify');
-
-        $this->minkContext->assertPageContainsText('Verify your e-mail');
-        $this->minkContext->assertPageContainsText('Check your inbox');
-        $this->minkContext->visit(
-            $this->getEmailVerificationUrl()
-        );
-        // Now we should be on the choose vetting page
-        $this->minkContext->assertPageContainsText('Use your existing token');
-        $page = $this->minkContext->getSession()->getPage();
-        $form = $page->find('css', 'form[action$="self-vet"]');
-        $form->submit();
-        $this->minkContext->pressButton('Yes, continue');
-        $this->minkContext->pressButton('Submit');
-        $this->authContext->authenticateUserYubikeyInGateway();
-    }
-
-    /**
-     * @Given /^I try to self\-vet a new Yubikey token with my SMS token$/
-     */
-    public function iTryToSelfVetANewYubikeyTokenWithMySMSToken()
-    {
-        $this->minkContext->visit($this->selfServiceUrl);
-        $this->minkContext->assertPageAddress('/overview');
-
-        $this->minkContext->assertPageContainsText('The following tokens are registered for your account');
-        $this->minkContext->assertPageContainsText('SMS');
-        $this->minkContext->assertPageContainsText('+31 (0) 612345678');
-
-        $this->minkContext->visit('/registration/select-token');
-
-        // Select the sms second factor type
-        $this->minkContext->getSession()
-            ->getPage()
-            ->find('css', '[href="/registration/yubikey/prove-possession"]')->click();
-        $this->minkContext->assertPageAddress('/registration/yubikey/prove-possession');
-
-        // Start registration
-        $this->minkContext->assertPageContainsText('Link your YubiKey');
-        $this->minkContext->fillField('ss_prove_yubikey_possession_otp', 'ccccccdhgrbtfddefpkffhkkukbgfcdilhiltrrncmig');
-        $page = $this->minkContext->getSession()->getPage();
-        $form = $page->find('css', 'form[name="ss_prove_yubikey_possession"]');
-        $form->submit();
-
-    }
-
     /**
      * @When I verify my e-mail address
      */
@@ -325,23 +271,7 @@ public function verifyEmailAddressAndChooseVettingType(string $vettingType)
                 $this->iChooseToActivateMyTokenUsingSat();
                 break;
             case "Self vetting":
-                // Select the sms second factor type
-                $this->minkContext->getSession()
-                    ->getPage()
-                    ->find('css', '[href="/registration/sms/send-challenge"]')->click();
-                $this->minkContext->assertPageAddress('/registration/sms/send-challenge');
-
-                // Start registration
-                $this->minkContext->assertPageContainsText('Send SMS code');
-                $this->minkContext->fillField('ss_send_sms_challenge_subscriber', '612345678');
-                $this->minkContext->pressButton('Send code');
-
-                $this->minkContext->assertPageContainsText('Enter the code that was sent to your phone');
-                $this->minkContext->fillField('ss_verify_sms_challenge_challenge', '999');
-                $this->minkContext->pressButton('Verify');
-
-
-                $this->iChooseToActivateMyTokenUsingSat();
+                $this->iChooseToVetMyTokenMyself();
                 break;
             default:
                 throw new Exception(sprintf('Vetting type "%s" is not supported', $vettingType));
@@ -435,6 +365,12 @@ public function iChooseToActivateMyTokenUsingSAT()
         $this->minkContext->pressButton('sat-button');
     }
 
+    public function iChooseToVetMyTokenMyself()
+    {
+        $this->minkContext->assertPageContainsText('Use your existing token');
+        $this->minkContext->pressButton('self-vet-button');
+    }
+
     /**
      * @Then I can add an :recoveryTokenType recovery token using :tokenType
      */

diff --git a/stepup/tests/behat/features/self_vet.feature b/stepup/tests/behat/features/self_vet.feature
@@ -20,6 +20,7 @@ Feature: A user manages his tokens in the selfservice portal
                 "show_raa_contact_information": true,
                 "verify_email": true,
                 "self_vet": true,
+                "allow_self_asserted_tokens": true,
                 "allowed_second_factors": [],
                 "number_of_tokens_per_identity": 3
             }
@@ -30,18 +31,49 @@ Feature: A user manages his tokens in the selfservice portal
 
   Scenario: A user self vets a token in selfservice
     Given a user "joe-a2" identified by "urn:collab:person:institution-a.example.com:joe-a2" from institution "institution-a.example.com" with UUID "00000000-0000-4000-a000-000000000001"
-    And the user "urn:collab:person:institution-a.example.com:joe-a2" has a vetted "yubikey" with identifier "00000001"
-    And I am logged in into the selfservice portal as "joe-a2"
-    And I self-vet a new SMS token with my Yubikey token
-    And I visit the "overview" page in the selfservice portal
+      And the user "urn:collab:person:institution-a.example.com:joe-a2" has a vetted "yubikey" with identifier "00000001"
+     When I am logged in into the selfservice portal as "joe-a2"
+      And I register a new "SMS" token
+      And I verify my e-mail address and choose the "Self vetting" vetting type
+      And I visit the "overview" page in the selfservice portal
     Then I should see "The following tokens are registered for your account."
-    And I should see "SMS"
-    And I should see "Yubikey"
+      And I should see "SMS"
+      And I should see "Yubikey"
 
-  Scenario: A user needs a suitable token to self vet
-    Given a user "joe-a3" identified by "urn:collab:person:institution-a.example.com:joe-a3" from institution "institution-a.example.com"
-    And the user "urn:collab:person:institution-a.example.com:joe-a3" has a vetted "sms" with identifier "+31 (0) 612345678"
-    And I am logged in into the selfservice portal as "joe-a3"
-    And I try to self-vet a new Yubikey token with my SMS token
-    # The self vet option is not available on the token vetting page
-    Then I should not see "Use your existing token"
+    Scenario: A user can self vet a token with a lower LOA
+      Given a user "joe-a2" identified by "urn:collab:person:institution-a.example.com:joe-a3" from institution "institution-a.example.com" with UUID "00000000-0000-4000-a000-000000000002"
+        And the user "urn:collab:person:institution-a.example.com:joe-a3" has a vetted "sms" with identifier "+31 (0) 612345678"
+      When I am logged in into the selfservice portal as "joe-a3"
+        And I register a new "Yubikey" token
+        And I verify my e-mail address
+        And I visit the "overview" page in the selfservice portal
+        And I activate my token
+        Then I should see "Activation code"
+
+    Scenario: A user can self vet a token with the same LOA
+      Given a user "joe-a4" identified by "urn:collab:person:institution-a.example.com:joe-a4" from institution "institution-a.example.com" with UUID "00000000-0000-4000-a000-000000000003"
+        And the user "urn:collab:person:institution-a.example.com:joe-a4" has a vetted "demo-gssp" with identifier "gssp-identifier123"
+      When I am logged in into the selfservice portal as "joe-a4"
+        And I register a new "Yubikey" token
+        And I verify my e-mail address and choose the "Self vetting" vetting type
+        And I visit the "overview" page in the selfservice portal
+      Then I should see "The following tokens are registered for your account."
+        And I should see "Demo GSSP"
+        And I should see "Yubikey"
+
+
+    Scenario: A user can self vet a token after registering a token using SAT
+      Given I am logged in into the selfservice portal as "joe-a5"
+        And I register a new "Demo GSSP" token
+        And I verify my e-mail address and choose the "Self Asserted Token registration" vetting type
+        And I vet my "Demo GSSP" second factor in selfservice
+      When I receive the following attributes for "joe-a5" from the IdP:
+            | name                                            | value                                            |
+            | urn:mace:dir:attribute-def:eduPersonEntitlement | urn:mace:surf.nl:surfsecureid:activation:self    |
+        And I log in again into selfservice
+        And I register a new "Yubikey" token
+        And I verify my e-mail address and choose the "Self vetting" vetting type
+        And I visit the "overview" page in the selfservice portal
+      Then I should see "The following tokens are registered for your account."
+        And I should see "Demo GSSP"
+        And I should see "Yubikey"