summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGo MAEDA <maeda@farend.jp>2020-08-29 07:07:25 +0000
committerGo MAEDA <maeda@farend.jp>2020-08-29 07:07:25 +0000
commit6a9f859f84e60b994dee58e391708c3a9075389c (patch)
tree8e5ff59ba508c81695ea568a99eb97b90df863b0
parent8900eb6eb5994310e3f957398cc21a512c5951ab (diff)
downloadredmine-6a9f859f84e60b994dee58e391708c3a9075389c.tar.gz
redmine-6a9f859f84e60b994dee58e391708c3a9075389c.zip
Integration test for 2fa auth (#1237).
Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@19991 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--test/integration/twofa_test.rb144
1 files changed, 144 insertions, 0 deletions
diff --git a/test/integration/twofa_test.rb b/test/integration/twofa_test.rb
new file mode 100644
index 000000000..c849a536a
--- /dev/null
+++ b/test/integration/twofa_test.rb
@@ -0,0 +1,144 @@
+# frozen_string_literal: true
+
+# Redmine - project management software
+# Copyright (C) 2006-2020 Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+require File.expand_path('../../test_helper', __FILE__)
+
+class TwofaTest < Redmine::IntegrationTest
+ fixtures :projects, :users, :email_addresses
+
+ test "should require twofa setup when configured" do
+ with_settings twofa: "2" do
+ log_user('jsmith', 'jsmith')
+ follow_redirect!
+ assert_redirected_to "/my/twofa/totp/activate/confirm"
+ end
+ end
+
+ test "should generate and accept backup codes" do
+ log_user('jsmith', 'jsmith')
+ get "/my/account"
+ assert_response :success
+ post "/my/twofa/totp/activate/init"
+ assert_redirected_to "/my/twofa/totp/activate/confirm"
+ follow_redirect!
+ assert_response :success
+
+ totp = ROTP::TOTP.new User.find_by_login('jsmith').twofa_totp_key
+ post "/my/twofa/totp/activate", params: { twofa_code: totp.now }
+ assert_redirected_to "/my/account"
+ follow_redirect!
+ assert_response :success
+ assert_select '.flash', /Two-factor authentication successfully enabled/i
+
+ post "/my/twofa/backup_codes/init"
+ assert_redirected_to "/my/twofa/backup_codes/confirm"
+ follow_redirect!
+ assert_response :success
+ assert_select 'form', /Please enter your two-factor authentication code/i
+
+ post "/my/twofa/backup_codes/create", params: { twofa_code: "wrong" }
+ assert_redirected_to "/my/twofa/backup_codes/confirm"
+ follow_redirect!
+ assert_response :success
+ assert_select 'form', /Please enter your two-factor authentication code/i
+
+ # prevent replay attack prevention from kicking in
+ User.find_by_login('jsmith').update_column :twofa_totp_last_used_at, 2.minutes.ago.to_i
+
+ post "/my/twofa/backup_codes/create", params: { twofa_code: totp.now }
+ assert_redirected_to "/my/twofa/backup_codes"
+ follow_redirect!
+ assert_response :success
+ assert_select ".flash", /your backup codes have been generated/i
+
+ assert code = response.body.scan(/<code>([a-z0-9]{4} [a-z0-9]{4} [a-z0-9]{4})<\/code>/).flatten.first
+
+ post "/logout"
+ follow_redirect!
+ # prevent replay attack prevention from kicking in
+ User.find_by_login('jsmith').update_column :twofa_totp_last_used_at, 2.minutes.ago.to_i
+
+ # sign in with backup code
+ get "/login"
+ assert_nil session[:user_id]
+ assert_response :success
+ post "/login", params: {
+ username: 'jsmith',
+ password: 'jsmith'
+ }
+ assert_redirected_to "/account/twofa/confirm"
+ follow_redirect!
+
+ assert_select "#login-form h3", /two-factor authentication/i
+ post "/account/twofa", params: { twofa_code: code }
+ assert_redirected_to "/my/page"
+ follow_redirect!
+ assert_response :success
+ end
+
+ test "should configure totp and require code on login" do
+ with_settings twofa: "2" do
+ log_user('jsmith', 'jsmith')
+ follow_redirect!
+ assert_redirected_to "/my/twofa/totp/activate/confirm"
+ follow_redirect!
+
+ assert key = User.find_by_login('jsmith').twofa_totp_key
+ assert key.present?
+ totp = ROTP::TOTP.new key
+
+ post "/my/twofa/totp/activate", params: { twofa_code: '123456789' }
+ assert_redirected_to "/my/twofa/totp/activate/confirm"
+ follow_redirect!
+
+ post "/my/twofa/totp/activate", params: { twofa_code: totp.now }
+ assert_redirected_to "/my/account"
+
+ post "/logout"
+ follow_redirect!
+
+ # prevent replay attack prevention from kicking in
+ User.find_by_login('jsmith').update_column :twofa_totp_last_used_at, 2.minutes.ago.to_i
+
+ # sign in with totp
+ get "/login"
+ assert_nil session[:user_id]
+ assert_response :success
+ post "/login", params: {
+ username: 'jsmith',
+ password: 'jsmith'
+ }
+
+ assert_redirected_to "/account/twofa/confirm"
+ follow_redirect!
+
+ assert_select "#login-form h3", /two-factor authentication/i
+ post "/account/twofa", params: { twofa_code: 'wrong code' }
+ assert_redirected_to "/account/twofa/confirm"
+ follow_redirect!
+ assert_select "#login-form h3", /two-factor authentication/i
+ assert_select ".flash", /code is invalid/i
+
+ post "/account/twofa", params: { twofa_code: totp.now }
+ assert_redirected_to "/my/page"
+ follow_redirect!
+ assert_response :success
+ end
+ end
+end