add new E2E tests for capabilities (#2648)

Author: nilo-ms

MSAL/src/native_auth/controllers/jit/MSALNativeAuthJITController.swift

@@ -243,6 +243,7 @@ final class MSALNativeAuthJITController: MSALNativeAuthBaseController, MSALNativ
         }
     }
 
+    // swiftlint:disable:next function_body_length
     private func handleSubmitChallengeResponse(
         _ response: MSALNativeAuthJITContinueValidatedResponse,
         continuationToken: String,

MSAL/test/integration/native_auth/end_to_end/mfa/MSALNativeAuthSignInJITEndToEndTests.swift

@@ -33,53 +33,14 @@ final class MSALNativeAuthSignInJITEndToEndTests: MSALNativeAuthEndToEndPassword
 #if os(macOS)
         throw XCTSkip("For some reason this test now requires Keychain access, reason needs to be investigated")
 #endif
-
-        // Step 1: Create User
-        guard let application = initialisePublicClientApplication() else {
-            XCTFail("Failed to initialize public client application")
-            return
-        }
-
         let username = generateSignUpRandomEmail()
-        let password = generateRandomPassword()
-
-        let codeRequiredExp = expectation(description: "code required")
-        let signUpStartDelegate = SignUpPasswordStartDelegateSpy(expectation: codeRequiredExp)
-
-        let signUpParam = MSALNativeAuthSignUpParameters(username: username)
-        signUpParam.password = password
-        signUpParam.correlationId = correlationId
-
-        application.signUp(parameters: signUpParam, delegate: signUpStartDelegate)
-
-        await fulfillment(of: [codeRequiredExp])
-        checkSignUpStartDelegate(signUpStartDelegate)
-
-        guard signUpStartDelegate.onSignUpCodeRequiredCalled else {
-            XCTFail("onSignUpCodeRequired not called")
-            return
-        }
-
-        // Step 2: Get & Submit Code for Sign Up
-        guard let code = await retrieveCodeFor(email: username) else {
-            XCTFail("OTP code could not be retrieved")
-            return
-        }
-
-        let signUpCompleteExp = expectation(description: "sign-up complete")
-        let signUpVerifyCodeDelegate = SignUpVerifyCodeDelegateSpy(expectation: signUpCompleteExp)
-
-        signUpStartDelegate.newState?.submitCode(code: code, delegate: signUpVerifyCodeDelegate)
-
-        await fulfillment(of: [signUpCompleteExp])
-
-        guard signUpVerifyCodeDelegate.onSignUpCompletedCalled,
-              let signInAfterSignUpState = signUpVerifyCodeDelegate.signInAfterSignUpState else {
+        // Step 1: Create User
+        guard let signInAfterSignUpState = await signUpInternally(username: username, password: generateRandomPassword(), application: initialisePublicClientApplication()) else {
             XCTFail("onSignUpCompleted not called or state is nil")
             return
         }
 
-        // Step 3: Attempt to Sign In automtically
+        // Step 2: Attempt to Sign In automtically
         let signInExpectation = expectation(description: "signing in")
         let signInDelegateSpy = SignInAfterSignUpDelegateSpy(expectation: signInExpectation)
 
@@ -96,7 +57,7 @@ final class MSALNativeAuthSignInJITEndToEndTests: MSALNativeAuthEndToEndPassword
             return
         }
 
-        // Step 4: Add Strong Auth Method, but don't specify verification contact so it's preverified
+        // Step 3: Add Strong Auth Method, but don't specify verification contact so it's preverified
         let challengeParameters = MSALNativeAuthChallengeAuthMethodParameters(authMethod: authMethod)
         let challengeExpectation = expectation(description: "challenging auth method")
         let challengeDelegateSpy = RegisterStrongAuthChallengeDelegateSpy(expectation: challengeExpectation)
@@ -117,52 +78,14 @@ final class MSALNativeAuthSignInJITEndToEndTests: MSALNativeAuthEndToEndPassword
         throw XCTSkip("For some reason this test now requires Keychain access, reason needs to be investigated")
 #endif
 
-        // Step 1: Create User
-        guard let application = initialisePublicClientApplication() else {
-            XCTFail("Failed to initialize public client application")
-            return
-        }
-
         let username = generateSignUpRandomEmail()
-        let password = generateRandomPassword()
-
-        let codeRequiredExp = expectation(description: "code required")
-        let signUpStartDelegate = SignUpPasswordStartDelegateSpy(expectation: codeRequiredExp)
-
-        let signUpParam = MSALNativeAuthSignUpParameters(username: username)
-        signUpParam.password = password
-        signUpParam.correlationId = correlationId
-
-        application.signUp(parameters: signUpParam, delegate: signUpStartDelegate)
-
-        await fulfillment(of: [codeRequiredExp])
-        checkSignUpStartDelegate(signUpStartDelegate)
-
-        guard signUpStartDelegate.onSignUpCodeRequiredCalled else {
-            XCTFail("onSignUpCodeRequired not called")
-            return
-        }
-
-        // Step 2: Get & Submit Code for Sign Up
-        guard let code = await retrieveCodeFor(email: username) else {
-            XCTFail("OTP code could not be retrieved")
-            return
-        }
-
-        let signUpCompleteExp = expectation(description: "sign-up complete")
-        let signUpVerifyCodeDelegate = SignUpVerifyCodeDelegateSpy(expectation: signUpCompleteExp)
-
-        signUpStartDelegate.newState?.submitCode(code: code, delegate: signUpVerifyCodeDelegate)
-
-        await fulfillment(of: [signUpCompleteExp])
-
-        guard signUpVerifyCodeDelegate.onSignUpCompletedCalled,
-              let signInAfterSignUpState = signUpVerifyCodeDelegate.signInAfterSignUpState else {
+        // Step 1: Create User
+        guard let signInAfterSignUpState = await signUpInternally(username: username, password: generateRandomPassword(), application: initialisePublicClientApplication()) else {
             XCTFail("onSignUpCompleted not called or state is nil")
             return
         }
 
-        // Step 3: Attempt to Sign In automatically
+        // Step 2: Attempt to Sign In automatically
         let signInExpectation = expectation(description: "signing in")
         let signInDelegateSpy = SignInAfterSignUpDelegateSpy(expectation: signInExpectation)
 
@@ -179,7 +102,7 @@ final class MSALNativeAuthSignInJITEndToEndTests: MSALNativeAuthEndToEndPassword
             return
         }
 
-        // Step 4: Add Strong Auth Method and specify different email
+        // Step 3: Add Strong Auth Method and specify different email
         let newEmail = generateSignUpRandomEmail()
         let challengeParameters = MSALNativeAuthChallengeAuthMethodParameters(authMethod: authMethod)
         challengeParameters.verificationContact = newEmail
@@ -196,13 +119,13 @@ final class MSALNativeAuthSignInJITEndToEndTests: MSALNativeAuthEndToEndPassword
             return
         }
 
-        // Step 5: Get Code for Register Strong Auth
+        // Step 4: Get Code for Register Strong Auth
         guard let code = await retrieveCodeFor(email: newEmail) else {
             XCTFail("OTP code could not be retrieved")
             return
         }
 
-        // Step 6: Submit Code to Register Strong Auth
+        // Step 5: Submit Code to Register Strong Auth
         let submitChallengeExpectation = expectation(description: "submitChallenge")
         let submitChallengeDelegateSpy = RegisterStrongAuthSubmitChallengeDelegateSpy(expectation: submitChallengeExpectation)
 
@@ -214,56 +137,24 @@ final class MSALNativeAuthSignInJITEndToEndTests: MSALNativeAuthEndToEndPassword
     }
 
     func test_createUserAndAddDifferentEmailAsStrongAuthMethod_thenSignInSuccessfully() async throws {
-        throw XCTSkip("Retrieving OTP failure")
+        throw XCTSkip("Capabilities feature not available in eSTS production")
 #if os(macOS)
         throw XCTSkip("For some reason this test now requires Keychain access, reason needs to be investigated")
 #endif
 
-        // Step 1: Create User
-        guard let application = initialisePublicClientApplication() else {
-            XCTFail("Failed to initialize public client application")
-            return
-        }
-
         let username = generateSignUpRandomEmail()
         let password = generateRandomPassword()
-
-        let codeRequiredExp = expectation(description: "code required")
-        let signUpStartDelegate = SignUpPasswordStartDelegateSpy(expectation: codeRequiredExp)
-
-        let signUpParam = MSALNativeAuthSignUpParameters(username: username)
-        signUpParam.password = password
-        signUpParam.correlationId = correlationId
-
-        application.signUp(parameters: signUpParam, delegate: signUpStartDelegate)
-
-        await fulfillment(of: [codeRequiredExp])
-        checkSignUpStartDelegate(signUpStartDelegate)
-
-        guard signUpStartDelegate.onSignUpCodeRequiredCalled else {
-            XCTFail("onSignUpCodeRequired not called")
-            return
-        }
-
-        // Step 2: Get & Submit Code for Sign Up
-        guard let code = await retrieveCodeFor(email: username) else {
-            XCTFail("OTP code could not be retrieved")
+        guard let application = initialisePublicClientApplication() else {
+            XCTFail("Failed to initialize public client application")
             return
         }
-
-        let signUpCompleteExp = expectation(description: "sign-up complete")
-        let signUpVerifyCodeDelegate = SignUpVerifyCodeDelegateSpy(expectation: signUpCompleteExp)
-
-        signUpStartDelegate.newState?.submitCode(code: code, delegate: signUpVerifyCodeDelegate)
-
-        await fulfillment(of: [signUpCompleteExp])
-
-        guard signUpVerifyCodeDelegate.onSignUpCompletedCalled else {
-            XCTFail("onSignUpCompleted not called")
+        // Step 1: Create User
+        guard let _ = await signUpInternally(username: username, password: password, application: application) else {
+            XCTFail("onSignUpCompleted not called or state is nil")
             return
         }
 
-        // Step 3: Attempt to Sign In with new flow
+        // Step 2: Attempt to Sign In with new flow
         let signInExpectation = expectation(description: "signing in")
         let signInDelegateSpy = SignInPasswordStartDelegateSpy(expectation: signInExpectation)
 
@@ -282,7 +173,7 @@ final class MSALNativeAuthSignInJITEndToEndTests: MSALNativeAuthEndToEndPassword
             return
         }
 
-        // Step 4: Add Strong Auth Method and specify different email
+        // Step 3: Add Strong Auth Method and specify different email
         let newEmail = generateSignUpRandomEmail()
         let challengeParameters = MSALNativeAuthChallengeAuthMethodParameters(authMethod: authMethod)
         challengeParameters.verificationContact = newEmail
@@ -299,13 +190,13 @@ final class MSALNativeAuthSignInJITEndToEndTests: MSALNativeAuthEndToEndPassword
             return
         }
 
-        // Step 5: Get Code for Register Strong Auth
+        // Step 4: Get Code for Register Strong Auth
         guard let code = await retrieveCodeFor(email: newEmail) else {
             XCTFail("OTP code could not be retrieved")
             return
         }
 
-        // Step 6: Submit Code to Register Strong Auth
+        // Step 5: Submit Code to Register Strong Auth
         let submitChallengeExpectation = expectation(description: "submitChallenge")
         let submitChallengeDelegateSpy = RegisterStrongAuthSubmitChallengeDelegateSpy(expectation: submitChallengeExpectation)
 
@@ -315,6 +206,95 @@ final class MSALNativeAuthSignInJITEndToEndTests: MSALNativeAuthEndToEndPassword
 
         checkSubmitChallengeDelegate(submitChallengeDelegateSpy, username: username)
     }
+    
+    func test_createUserAndDoNotSendCapabilities_thenBrowserRequiredIsExpected() async throws {
+        throw XCTSkip("Retrieving OTP failure")
+#if os(macOS)
+        throw XCTSkip("For some reason this test now requires Keychain access, reason needs to be investigated")
+#endif
+
+        let username = generateSignUpRandomEmail()
+        let password = generateRandomPassword()
+        guard let application = initialisePublicClientApplication(capabilities: []) else {
+            XCTFail("Failed to initialize public client application")
+            return
+        }
+        // Step 1: Create User
+        guard let _ = await signUpInternally(username: username, password: password, application: application) else {
+            XCTFail("onSignUpCompleted not called or state is nil")
+            return
+        }
+
+        // Step 2: Attempt to Sign In with new flow
+        let signInExpectation = expectation(description: "signing in")
+        let signInDelegateSpy = SignInPasswordStartDelegateSpy(expectation: signInExpectation)
+
+        let signInParameters = MSALNativeAuthSignInParameters(username: username)
+        signInParameters.password = password
+        signInParameters.claimsRequest = MSALClaimsRequest(jsonString: "{\"access_token\":{\"acrs\":{\"essential\":true,\"value\":\"c4\"}}}", error: nil)
+
+        application.signIn(parameters: signInParameters, delegate: signInDelegateSpy)
+
+        await fulfillment(of: [signInExpectation])
+
+        guard signInDelegateSpy.onSignInStrongAuthMethodRegistrationCalled,
+              let strongAuthState = signInDelegateSpy.newStateStrongAuthMethodRegistration,
+              let authMethod = signInDelegateSpy.authMethods?.first else {
+            XCTFail("Sign in failed or strong auth method registration not required")
+            return
+        }
+
+        // browser required is expected here
+        XCTAssertTrue(signInDelegateSpy.onSignInPasswordErrorCalled)
+        XCTAssertTrue(signInDelegateSpy.error?.isBrowserRequired ?? false)
+        XCTAssertNotNil(signInDelegateSpy.error?.errorDescription)
+    }
+    
+    // MARK: private methods
+    
+    private func signUpInternally(username: String, password: String, application:  MSALNativeAuthPublicClientApplication?) async -> SignInAfterSignUpState? {
+        // Step 1: Create User
+        guard let application = application else {
+            XCTFail("Failed to initialize public client application")
+            return nil
+        }
+        
+        let codeRequiredExp = expectation(description: "code required")
+        let signUpStartDelegate = SignUpPasswordStartDelegateSpy(expectation: codeRequiredExp)
+
+        let signUpParam = MSALNativeAuthSignUpParameters(username: username)
+        signUpParam.password = password
+        signUpParam.correlationId = correlationId
+
+        application.signUp(parameters: signUpParam, delegate: signUpStartDelegate)
+
+        await fulfillment(of: [codeRequiredExp])
+        checkSignUpStartDelegate(signUpStartDelegate)
+
+        guard signUpStartDelegate.onSignUpCodeRequiredCalled else {
+            XCTFail("onSignUpCodeRequired not called")
+            return nil
+        }
+
+        // Step 2: Get & Submit Code for Sign Up
+        guard let code = await retrieveCodeFor(email: username) else {
+            XCTFail("OTP code could not be retrieved")
+            return nil
+        }
+
+        let signUpCompleteExp = expectation(description: "sign-up complete")
+        let signUpVerifyCodeDelegate = SignUpVerifyCodeDelegateSpy(expectation: signUpCompleteExp)
+
+        signUpStartDelegate.newState?.submitCode(code: code, delegate: signUpVerifyCodeDelegate)
+
+        await fulfillment(of: [signUpCompleteExp])
+
+        guard signUpVerifyCodeDelegate.onSignUpCompletedCalled else {
+            XCTFail("onSignUpCompleted not called or state is nil")
+            return nil
+        }
+        return signUpVerifyCodeDelegate.signInAfterSignUpState
+    }
 
     private func checkSignUpStartDelegate(_ delegate: SignUpPasswordStartDelegateSpy) {
         XCTAssertTrue(delegate.onSignUpCodeRequiredCalled)

MSAL/test/integration/native_auth/end_to_end/mfa/MSALNativeAuthSignInWithMFAEndToEndTests.swift

@@ -312,11 +312,42 @@ final class MSALNativeAuthSignInWithMFAEndToEndTests: MSALNativeAuthEndToEndPass
 
         XCTAssertTrue(atString.contains(authenticationContextATClaimJson))
     }
+    
+    func test_signInWithMFANoCapabilities_thenBrowserRequiredIsReturned() async throws {
+        throw XCTSkip("Capabilities feature not available in eSTS production")
+#if os(macOS)
+        throw XCTSkip("For some reason this test now requires Keychain access, reason needs to be investigated")
+#endif
+        guard let username = retrieveUsernameForSignInUsernamePasswordAndMFA(),
+              let password = await retrievePasswordForSignInUsername(),
+              let awaitingMFAState = await signInUsernameAndPassword(username: username, password: password, capabilities: [])
+        else {
+            XCTFail("Something went wrong")
+            return
+        }
+        
+        // Request to send challenge to the default strong auth method
+        let mfaExpectation = expectation(description: "mfa")
+        let mfaDelegateSpy = MFARequestChallengeDelegateSpy(expectation: mfaExpectation)
+        
+        awaitingMFAState.requestChallenge(delegate: mfaDelegateSpy)
+        
+        await fulfillment(of: [mfaExpectation])
+        // browser required is expected here
+        XCTAssertTrue(mfaDelegateSpy.onMFARequestChallengeError)
+        XCTAssertNil(mfaDelegateSpy.newStateMFARequired)
+        XCTAssertTrue(mfaDelegateSpy.error?.isBrowserRequired ?? false)
+        XCTAssertNotNil(mfaDelegateSpy.error?.errorDescription)
+    }
 
     // MARK: private methods
 
-    private func signInUsernameAndPassword(username: String, password: String) async -> AwaitingMFAState? {
-        guard let application = initialisePublicClientApplication()
+    private func signInUsernameAndPassword(
+        username: String,
+        password: String,
+        capabilities: MSALNativeAuthCapabilities = [.mfaRequired, .registrationRequired]
+    ) async -> AwaitingMFAState? {
+        guard let application = initialisePublicClientApplication(capabilities: capabilities)
         else {
             XCTFail("Missing information")
             return nil