2020-08-29 07:07:25 +00:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
|
|
# Redmine - project management software
|
2021-03-25 06:58:56 +00:00
|
|
|
# Copyright (C) 2006-2021 Jean-Philippe Lang
|
2020-08-29 07:07:25 +00:00
|
|
|
#
|
|
|
|
|
# This program is free software; you can redistribute it and/or
|
|
|
|
|
# modify it under the terms of the GNU General Public License
|
|
|
|
|
# as published by the Free Software Foundation; either version 2
|
|
|
|
|
# of the License, or (at your option) any later version.
|
|
|
|
|
#
|
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
|
#
|
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
|
# along with this program; if not, write to the Free Software
|
|
|
|
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
|
|
|
|
|
|
|
|
require File.expand_path('../../test_helper', __FILE__)
|
|
|
|
|
|
|
|
|
|
class TwofaTest < Redmine::IntegrationTest
|
|
|
|
|
fixtures :projects, :users, :email_addresses
|
|
|
|
|
|
|
|
|
|
test "should require twofa setup when configured" do
|
|
|
|
|
with_settings twofa: "2" do
|
|
|
|
|
log_user('jsmith', 'jsmith')
|
|
|
|
|
follow_redirect!
|
|
|
|
|
assert_redirected_to "/my/twofa/totp/activate/confirm"
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2021-02-02 07:15:08 +00:00
|
|
|
test 'should require to change password first when must_change_passwd is true' do
|
|
|
|
|
User.find_by(login: 'jsmith').update_attribute(:must_change_passwd, true)
|
|
|
|
|
with_settings twofa: '2' do
|
|
|
|
|
log_user('jsmith', 'jsmith')
|
|
|
|
|
follow_redirect!
|
|
|
|
|
assert_redirected_to '/my/password'
|
|
|
|
|
follow_redirect!
|
|
|
|
|
# Skip the before action check_twofa_activation for '/my/password'
|
|
|
|
|
# to avoid redirect loop
|
|
|
|
|
assert_response :success
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2020-08-29 07:07:25 +00:00
|
|
|
test "should generate and accept backup codes" do
|
|
|
|
|
log_user('jsmith', 'jsmith')
|
|
|
|
|
get "/my/account"
|
|
|
|
|
assert_response :success
|
|
|
|
|
post "/my/twofa/totp/activate/init"
|
|
|
|
|
assert_redirected_to "/my/twofa/totp/activate/confirm"
|
|
|
|
|
follow_redirect!
|
|
|
|
|
assert_response :success
|
|
|
|
|
|
|
|
|
|
totp = ROTP::TOTP.new User.find_by_login('jsmith').twofa_totp_key
|
2020-11-21 13:52:21 +00:00
|
|
|
post "/my/twofa/totp/activate", params: {twofa_code: totp.now}
|
2020-08-29 07:07:25 +00:00
|
|
|
assert_redirected_to "/my/account"
|
|
|
|
|
follow_redirect!
|
|
|
|
|
assert_response :success
|
|
|
|
|
assert_select '.flash', /Two-factor authentication successfully enabled/i
|
|
|
|
|
|
|
|
|
|
post "/my/twofa/backup_codes/init"
|
|
|
|
|
assert_redirected_to "/my/twofa/backup_codes/confirm"
|
|
|
|
|
follow_redirect!
|
|
|
|
|
assert_response :success
|
|
|
|
|
assert_select 'form', /Please enter your two-factor authentication code/i
|
|
|
|
|
|
2020-11-21 13:52:21 +00:00
|
|
|
post "/my/twofa/backup_codes/create", params: {twofa_code: "wrong"}
|
2020-08-29 07:07:25 +00:00
|
|
|
assert_redirected_to "/my/twofa/backup_codes/confirm"
|
|
|
|
|
follow_redirect!
|
|
|
|
|
assert_response :success
|
|
|
|
|
assert_select 'form', /Please enter your two-factor authentication code/i
|
|
|
|
|
|
|
|
|
|
# prevent replay attack prevention from kicking in
|
|
|
|
|
User.find_by_login('jsmith').update_column :twofa_totp_last_used_at, 2.minutes.ago.to_i
|
|
|
|
|
|
2020-11-21 13:52:21 +00:00
|
|
|
post "/my/twofa/backup_codes/create", params: {twofa_code: totp.now}
|
2020-08-29 07:07:25 +00:00
|
|
|
assert_redirected_to "/my/twofa/backup_codes"
|
|
|
|
|
follow_redirect!
|
|
|
|
|
assert_response :success
|
|
|
|
|
assert_select ".flash", /your backup codes have been generated/i
|
|
|
|
|
|
|
|
|
|
assert code = response.body.scan(/<code>([a-z0-9]{4} [a-z0-9]{4} [a-z0-9]{4})<\/code>/).flatten.first
|
|
|
|
|
|
|
|
|
|
post "/logout"
|
|
|
|
|
follow_redirect!
|
|
|
|
|
# prevent replay attack prevention from kicking in
|
|
|
|
|
User.find_by_login('jsmith').update_column :twofa_totp_last_used_at, 2.minutes.ago.to_i
|
|
|
|
|
|
|
|
|
|
# sign in with backup code
|
|
|
|
|
get "/login"
|
|
|
|
|
assert_nil session[:user_id]
|
|
|
|
|
assert_response :success
|
|
|
|
|
post "/login", params: {
|
|
|
|
|
username: 'jsmith',
|
|
|
|
|
password: 'jsmith'
|
|
|
|
|
}
|
|
|
|
|
assert_redirected_to "/account/twofa/confirm"
|
|
|
|
|
follow_redirect!
|
|
|
|
|
|
|
|
|
|
assert_select "#login-form h3", /two-factor authentication/i
|
2020-11-21 13:52:21 +00:00
|
|
|
post "/account/twofa", params: {twofa_code: code}
|
2020-08-29 07:07:25 +00:00
|
|
|
assert_redirected_to "/my/page"
|
|
|
|
|
follow_redirect!
|
|
|
|
|
assert_response :success
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
test "should configure totp and require code on login" do
|
|
|
|
|
with_settings twofa: "2" do
|
|
|
|
|
log_user('jsmith', 'jsmith')
|
|
|
|
|
follow_redirect!
|
|
|
|
|
assert_redirected_to "/my/twofa/totp/activate/confirm"
|
|
|
|
|
follow_redirect!
|
|
|
|
|
|
|
|
|
|
assert key = User.find_by_login('jsmith').twofa_totp_key
|
|
|
|
|
assert key.present?
|
|
|
|
|
totp = ROTP::TOTP.new key
|
|
|
|
|
|
2020-11-21 13:52:21 +00:00
|
|
|
post "/my/twofa/totp/activate", params: {twofa_code: '123456789'}
|
2020-08-29 07:07:25 +00:00
|
|
|
assert_redirected_to "/my/twofa/totp/activate/confirm"
|
|
|
|
|
follow_redirect!
|
|
|
|
|
|
2020-11-21 13:52:21 +00:00
|
|
|
post "/my/twofa/totp/activate", params: {twofa_code: totp.now}
|
2020-08-29 07:07:25 +00:00
|
|
|
assert_redirected_to "/my/account"
|
|
|
|
|
|
|
|
|
|
post "/logout"
|
|
|
|
|
follow_redirect!
|
|
|
|
|
|
|
|
|
|
# prevent replay attack prevention from kicking in
|
|
|
|
|
User.find_by_login('jsmith').update_column :twofa_totp_last_used_at, 2.minutes.ago.to_i
|
|
|
|
|
|
|
|
|
|
# sign in with totp
|
|
|
|
|
get "/login"
|
|
|
|
|
assert_nil session[:user_id]
|
|
|
|
|
assert_response :success
|
|
|
|
|
post "/login", params: {
|
|
|
|
|
username: 'jsmith',
|
|
|
|
|
password: 'jsmith'
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
assert_redirected_to "/account/twofa/confirm"
|
|
|
|
|
follow_redirect!
|
|
|
|
|
|
|
|
|
|
assert_select "#login-form h3", /two-factor authentication/i
|
2020-11-21 13:52:21 +00:00
|
|
|
post "/account/twofa", params: {twofa_code: 'wrong code'}
|
2020-08-29 07:07:25 +00:00
|
|
|
assert_redirected_to "/account/twofa/confirm"
|
|
|
|
|
follow_redirect!
|
|
|
|
|
assert_select "#login-form h3", /two-factor authentication/i
|
|
|
|
|
assert_select ".flash", /code is invalid/i
|
|
|
|
|
|
2020-11-21 13:52:21 +00:00
|
|
|
post "/account/twofa", params: {twofa_code: totp.now}
|
2020-08-29 07:07:25 +00:00
|
|
|
assert_redirected_to "/my/page"
|
|
|
|
|
follow_redirect!
|
|
|
|
|
assert_response :success
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
