diff options
author | Go MAEDA <maeda@farend.jp> | 2020-08-29 07:07:25 +0000 |
---|---|---|
committer | Go MAEDA <maeda@farend.jp> | 2020-08-29 07:07:25 +0000 |
commit | 6a9f859f84e60b994dee58e391708c3a9075389c (patch) | |
tree | 8e5ff59ba508c81695ea568a99eb97b90df863b0 | |
parent | 8900eb6eb5994310e3f957398cc21a512c5951ab (diff) | |
download | redmine-6a9f859f84e60b994dee58e391708c3a9075389c.tar.gz redmine-6a9f859f84e60b994dee58e391708c3a9075389c.zip |
Integration test for 2fa auth (#1237).
Patch by Jens Krämer.
git-svn-id: http://svn.redmine.org/redmine/trunk@19991 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r-- | test/integration/twofa_test.rb | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/test/integration/twofa_test.rb b/test/integration/twofa_test.rb new file mode 100644 index 000000000..c849a536a --- /dev/null +++ b/test/integration/twofa_test.rb @@ -0,0 +1,144 @@ +# frozen_string_literal: true + +# Redmine - project management software +# Copyright (C) 2006-2020 Jean-Philippe Lang +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +require File.expand_path('../../test_helper', __FILE__) + +class TwofaTest < Redmine::IntegrationTest + fixtures :projects, :users, :email_addresses + + test "should require twofa setup when configured" do + with_settings twofa: "2" do + log_user('jsmith', 'jsmith') + follow_redirect! + assert_redirected_to "/my/twofa/totp/activate/confirm" + end + end + + test "should generate and accept backup codes" do + log_user('jsmith', 'jsmith') + get "/my/account" + assert_response :success + post "/my/twofa/totp/activate/init" + assert_redirected_to "/my/twofa/totp/activate/confirm" + follow_redirect! + assert_response :success + + totp = ROTP::TOTP.new User.find_by_login('jsmith').twofa_totp_key + post "/my/twofa/totp/activate", params: { twofa_code: totp.now } + assert_redirected_to "/my/account" + follow_redirect! + assert_response :success + assert_select '.flash', /Two-factor authentication successfully enabled/i + + post "/my/twofa/backup_codes/init" + assert_redirected_to "/my/twofa/backup_codes/confirm" + follow_redirect! + assert_response :success + assert_select 'form', /Please enter your two-factor authentication code/i + + post "/my/twofa/backup_codes/create", params: { twofa_code: "wrong" } + assert_redirected_to "/my/twofa/backup_codes/confirm" + follow_redirect! + assert_response :success + assert_select 'form', /Please enter your two-factor authentication code/i + + # prevent replay attack prevention from kicking in + User.find_by_login('jsmith').update_column :twofa_totp_last_used_at, 2.minutes.ago.to_i + + post "/my/twofa/backup_codes/create", params: { twofa_code: totp.now } + assert_redirected_to "/my/twofa/backup_codes" + follow_redirect! + assert_response :success + assert_select ".flash", /your backup codes have been generated/i + + assert code = response.body.scan(/<code>([a-z0-9]{4} [a-z0-9]{4} [a-z0-9]{4})<\/code>/).flatten.first + + post "/logout" + follow_redirect! + # prevent replay attack prevention from kicking in + User.find_by_login('jsmith').update_column :twofa_totp_last_used_at, 2.minutes.ago.to_i + + # sign in with backup code + get "/login" + assert_nil session[:user_id] + assert_response :success + post "/login", params: { + username: 'jsmith', + password: 'jsmith' + } + assert_redirected_to "/account/twofa/confirm" + follow_redirect! + + assert_select "#login-form h3", /two-factor authentication/i + post "/account/twofa", params: { twofa_code: code } + assert_redirected_to "/my/page" + follow_redirect! + assert_response :success + end + + test "should configure totp and require code on login" do + with_settings twofa: "2" do + log_user('jsmith', 'jsmith') + follow_redirect! + assert_redirected_to "/my/twofa/totp/activate/confirm" + follow_redirect! + + assert key = User.find_by_login('jsmith').twofa_totp_key + assert key.present? + totp = ROTP::TOTP.new key + + post "/my/twofa/totp/activate", params: { twofa_code: '123456789' } + assert_redirected_to "/my/twofa/totp/activate/confirm" + follow_redirect! + + post "/my/twofa/totp/activate", params: { twofa_code: totp.now } + assert_redirected_to "/my/account" + + post "/logout" + follow_redirect! + + # prevent replay attack prevention from kicking in + User.find_by_login('jsmith').update_column :twofa_totp_last_used_at, 2.minutes.ago.to_i + + # sign in with totp + get "/login" + assert_nil session[:user_id] + assert_response :success + post "/login", params: { + username: 'jsmith', + password: 'jsmith' + } + + assert_redirected_to "/account/twofa/confirm" + follow_redirect! + + assert_select "#login-form h3", /two-factor authentication/i + post "/account/twofa", params: { twofa_code: 'wrong code' } + assert_redirected_to "/account/twofa/confirm" + follow_redirect! + assert_select "#login-form h3", /two-factor authentication/i + assert_select ".flash", /code is invalid/i + + post "/account/twofa", params: { twofa_code: totp.now } + assert_redirected_to "/my/page" + follow_redirect! + assert_response :success + end + end +end |