123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243 |
- # frozen_string_literal: true
-
- # Redmine - project management software
- # Copyright (C) 2006-2023 Jean-Philippe Lang
- #
- # This program is free software; you can redistribute it and/or
- # modify it under the terms of the GNU General Public License
- # as published by the Free Software Foundation; either version 2
- # of the License, or (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with this program; if not, write to the Free Software
- # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-
- require_relative '../test_helper'
-
- class TwofaTest < Redmine::IntegrationTest
- fixtures :projects, :users, :email_addresses
-
- test "should require twofa setup when configured" do
- with_settings twofa: "2" do
- assert Setting.twofa_required?
- log_user('jsmith', 'jsmith')
- follow_redirect!
- assert_redirected_to "/my/twofa/totp/activate/confirm"
- end
- end
-
- test "should require twofa setup when required for administrators" do
- admin = User.find_by_login 'admin'
- user = User.find_by_login 'jsmith'
-
- assert_not admin.must_activate_twofa?
- assert_not user.must_activate_twofa?
-
- with_settings twofa: "3" do
- assert_not Setting.twofa_required?
-
- assert Setting.twofa_optional?
- assert Setting.twofa_required_for_administrators?
- assert admin.must_activate_twofa?
- assert_not user.must_activate_twofa?
-
- log_user('admin', 'admin')
- follow_redirect!
- assert_redirected_to "/my/twofa/totp/activate/confirm"
- end
- end
-
- test "should require twofa setup when required by group" do
- user = User.find_by_login 'jsmith'
- assert_not user.must_activate_twofa?
-
- group = Group.first
- group.update_column :twofa_required, true
- group.users << user
- user.reload
-
- with_settings twofa: "0" do
- assert_not Setting.twofa_optional?
- assert_not Setting.twofa_required?
- assert_not user.must_activate_twofa?
- end
-
- with_settings twofa: "1" do
- assert Setting.twofa_optional?
- assert_not Setting.twofa_required?
- assert user.must_activate_twofa?
- log_user('jsmith', 'jsmith')
- follow_redirect!
- assert_redirected_to "/my/twofa/totp/activate/confirm"
- end
- end
-
- test 'should require to change password first when must_change_passwd is true' do
- User.find_by(login: 'jsmith').update_attribute(:must_change_passwd, true)
- with_settings twofa: '2' do
- log_user('jsmith', 'jsmith')
- follow_redirect!
- assert_redirected_to '/my/password'
- follow_redirect!
- # Skip the before action check_twofa_activation for '/my/password'
- # to avoid redirect loop
- assert_response :success
- end
- end
-
- test 'should allow logout even if twofa setup is required' do
- with_settings twofa: '2' do
- log_user('jsmith', 'jsmith')
- follow_redirect!
- assert_redirected_to '/my/twofa/totp/activate/confirm'
- follow_redirect!
- post '/logout'
- assert_redirected_to '/'
- follow_redirect!
- assert_response :success
- end
- end
-
- test "should generate and accept backup codes" do
- log_user('jsmith', 'jsmith')
- get "/my/account"
- assert_response :success
- post "/my/twofa/totp/activate/init"
- assert_redirected_to "/my/twofa/totp/activate/confirm"
- follow_redirect!
- assert_response :success
-
- totp = ROTP::TOTP.new User.find_by_login('jsmith').twofa_totp_key
- post "/my/twofa/totp/activate", params: {twofa_code: totp.now}
- assert_redirected_to "/my/account"
- follow_redirect!
- assert_response :success
- assert_select '.flash', /Two-factor authentication successfully enabled/i
-
- post "/my/twofa/backup_codes/init"
- assert_redirected_to "/my/twofa/backup_codes/confirm"
- follow_redirect!
- assert_response :success
- assert_select 'form', /Please enter your two-factor authentication code/i
-
- post "/my/twofa/backup_codes/create", params: {twofa_code: "wrong"}
- assert_redirected_to "/my/twofa/backup_codes/confirm"
- follow_redirect!
- assert_response :success
- assert_select 'form', /Please enter your two-factor authentication code/i
-
- # prevent replay attack prevention from kicking in
- User.find_by_login('jsmith').update_column :twofa_totp_last_used_at, 2.minutes.ago.to_i
-
- post "/my/twofa/backup_codes/create", params: {twofa_code: totp.now}
- assert_redirected_to "/my/twofa/backup_codes"
- follow_redirect!
- assert_response :success
- assert_select ".flash", /your backup codes have been generated/i
-
- assert code = response.body.scan(/<code>([a-z0-9]{4} [a-z0-9]{4} [a-z0-9]{4})<\/code>/).flatten.first
-
- post "/logout"
- follow_redirect!
- # prevent replay attack prevention from kicking in
- User.find_by_login('jsmith').update_column :twofa_totp_last_used_at, 2.minutes.ago.to_i
-
- # sign in with backup code
- get "/login"
- assert_nil session[:user_id]
- assert_response :success
- post "/login", params: {
- username: 'jsmith',
- password: 'jsmith'
- }
- assert_redirected_to "/account/twofa/confirm"
- follow_redirect!
-
- assert_select "#login-form h3", /two-factor authentication/i
- post "/account/twofa", params: {twofa_code: code}
- assert_redirected_to "/my/page"
- follow_redirect!
- assert_response :success
- end
-
- test "should configure totp and require code on login" do
- with_settings twofa: "2" do
- log_user('jsmith', 'jsmith')
- follow_redirect!
- assert_redirected_to "/my/twofa/totp/activate/confirm"
- follow_redirect!
-
- assert key = User.find_by_login('jsmith').twofa_totp_key
- assert key.present?
- totp = ROTP::TOTP.new key
-
- post "/my/twofa/totp/activate", params: {twofa_code: '123456789'}
- assert_redirected_to "/my/twofa/totp/activate/confirm"
- follow_redirect!
-
- post "/my/twofa/totp/activate", params: {twofa_code: totp.now}
- assert_redirected_to "/my/account"
-
- post "/logout"
- follow_redirect!
-
- # prevent replay attack prevention from kicking in
- User.find_by_login('jsmith').update_column :twofa_totp_last_used_at, 2.minutes.ago.to_i
-
- # sign in with totp
- get "/login"
- assert_nil session[:user_id]
- assert_response :success
- post "/login", params: {
- username: 'jsmith',
- password: 'jsmith'
- }
-
- assert_redirected_to "/account/twofa/confirm"
- follow_redirect!
-
- assert_select "#login-form h3", /two-factor authentication/i
- post "/account/twofa", params: {twofa_code: 'wrong code'}
- assert_redirected_to "/account/twofa/confirm"
- follow_redirect!
- assert_select "#login-form h3", /two-factor authentication/i
- assert_select ".flash", /code is invalid/i
-
- post "/account/twofa", params: {twofa_code: totp.now}
- assert_redirected_to "/my/page"
- follow_redirect!
- assert_response :success
- end
- end
-
- def test_enable_twofa_should_destroy_tokens
- recovery_token = Token.create!(:user_id => 2, :action => 'recovery')
- autologin_token = Token.create!(:user_id => 2, :action => 'autologin')
-
- with_settings twofa: "2" do
- log_user('jsmith', 'jsmith')
- follow_redirect!
- assert_redirected_to "/my/twofa/totp/activate/confirm"
- follow_redirect!
-
- assert key = User.find_by_login('jsmith').twofa_totp_key
- assert key.present?
- totp = ROTP::TOTP.new key
-
- post "/my/twofa/totp/activate", params: {twofa_code: '123456789'}
- assert_redirected_to "/my/twofa/totp/activate/confirm"
- follow_redirect!
-
- post "/my/twofa/totp/activate", params: {twofa_code: totp.now}
- assert_redirected_to "/my/account"
- end
-
- assert_nil Token.find_by_id(recovery_token.id)
- assert_nil Token.find_by_id(autologin_token.id)
- end
- end
|