authelia/internal/handlers/handler_sign_totp_test.go

package handlers

import (
	"encoding/json"
	"regexp"
	"testing"

	"github.com/golang/mock/gomock"
	"github.com/stretchr/testify/require"
	"github.com/stretchr/testify/suite"
	"github.com/tstranex/u2f"

	"github.com/authelia/authelia/v4/internal/mocks"
	"github.com/authelia/authelia/v4/internal/session"
)

type HandlerSignTOTPSuite struct {
	suite.Suite

	mock *mocks.MockAutheliaCtx
}

func (s *HandlerSignTOTPSuite) SetupTest() {
	s.mock = mocks.NewMockAutheliaCtx(s.T())
	userSession := s.mock.Ctx.GetSession()
	userSession.Username = testUsername
	userSession.U2FChallenge = &u2f.Challenge{}
	userSession.U2FRegistration = &session.U2FRegistration{}
	err := s.mock.Ctx.SaveSession(userSession)
	require.NoError(s.T(), err)
}

func (s *HandlerSignTOTPSuite) TearDownTest() {
	s.mock.Close()
}

func (s *HandlerSignTOTPSuite) TestShouldRedirectUserToDefaultURL() {
	verifier := NewMockTOTPVerifier(s.mock.Ctrl)

	s.mock.StorageProviderMock.EXPECT().
		LoadTOTPSecret(gomock.Any()).
		Return("secret", nil)

	verifier.EXPECT().
		Verify(gomock.Eq("abc"), gomock.Eq("secret")).
		Return(true, nil)

	s.mock.Ctx.Configuration.DefaultRedirectionURL = testRedirectionURL

	bodyBytes, err := json.Marshal(signTOTPRequestBody{
		Token: "abc",
	})
	s.Require().NoError(err)
	s.mock.Ctx.Request.SetBody(bodyBytes)

	SecondFactorTOTPPost(verifier)(s.mock.Ctx)
	s.mock.Assert200OK(s.T(), redirectResponse{
		Redirect: testRedirectionURL,
	})
}

func (s *HandlerSignTOTPSuite) TestShouldNotReturnRedirectURL() {
	verifier := NewMockTOTPVerifier(s.mock.Ctrl)

	s.mock.StorageProviderMock.EXPECT().
		LoadTOTPSecret(gomock.Any()).
		Return("secret", nil)

	verifier.EXPECT().
		Verify(gomock.Eq("abc"), gomock.Eq("secret")).
		Return(true, nil)

	bodyBytes, err := json.Marshal(signTOTPRequestBody{
		Token: "abc",
	})
	s.Require().NoError(err)
	s.mock.Ctx.Request.SetBody(bodyBytes)

	SecondFactorTOTPPost(verifier)(s.mock.Ctx)
	s.mock.Assert200OK(s.T(), nil)
}

func (s *HandlerSignTOTPSuite) TestShouldRedirectUserToSafeTargetURL() {
	verifier := NewMockTOTPVerifier(s.mock.Ctrl)

	s.mock.StorageProviderMock.EXPECT().
		LoadTOTPSecret(gomock.Any()).
		Return("secret", nil)

	verifier.EXPECT().
		Verify(gomock.Eq("abc"), gomock.Eq("secret")).
		Return(true, nil)

	bodyBytes, err := json.Marshal(signTOTPRequestBody{
		Token:     "abc",
		TargetURL: "https://mydomain.local",
	})
	s.Require().NoError(err)
	s.mock.Ctx.Request.SetBody(bodyBytes)

	SecondFactorTOTPPost(verifier)(s.mock.Ctx)
	s.mock.Assert200OK(s.T(), redirectResponse{
		Redirect: "https://mydomain.local",
	})
}

func (s *HandlerSignTOTPSuite) TestShouldNotRedirectToUnsafeURL() {
	verifier := NewMockTOTPVerifier(s.mock.Ctrl)

	s.mock.StorageProviderMock.EXPECT().
		LoadTOTPSecret(gomock.Any()).
		Return("secret", nil)

	verifier.EXPECT().
		Verify(gomock.Eq("abc"), gomock.Eq("secret")).
		Return(true, nil)

	bodyBytes, err := json.Marshal(signTOTPRequestBody{
		Token:     "abc",
		TargetURL: "http://mydomain.local",
	})
	s.Require().NoError(err)
	s.mock.Ctx.Request.SetBody(bodyBytes)

	SecondFactorTOTPPost(verifier)(s.mock.Ctx)
	s.mock.Assert200OK(s.T(), nil)
}

func (s *HandlerSignTOTPSuite) TestShouldRegenerateSessionForPreventingSessionFixation() {
	verifier := NewMockTOTPVerifier(s.mock.Ctrl)

	s.mock.StorageProviderMock.EXPECT().
		LoadTOTPSecret(gomock.Any()).
		Return("secret", nil)

	verifier.EXPECT().
		Verify(gomock.Eq("abc"), gomock.Eq("secret")).
		Return(true, nil)

	bodyBytes, err := json.Marshal(signTOTPRequestBody{
		Token: "abc",
	})
	s.Require().NoError(err)
	s.mock.Ctx.Request.SetBody(bodyBytes)

	r := regexp.MustCompile("^authelia_session=(.*); path=")
	res := r.FindAllStringSubmatch(string(s.mock.Ctx.Response.Header.PeekCookie("authelia_session")), -1)

	SecondFactorTOTPPost(verifier)(s.mock.Ctx)
	s.mock.Assert200OK(s.T(), nil)

	s.Assert().NotEqual(
		res[0][1],
		string(s.mock.Ctx.Request.Header.Cookie("authelia_session")))
}

func TestRunHandlerSignTOTPSuite(t *testing.T) {
	suite.Run(t, new(HandlerSignTOTPSuite))
}
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00			`package handlers`

			`import (`
			`"encoding/json"`
[FEATURE] Regenerate session IDs after 2FA authentication. (#670) Session fixation attacks were prevented because a session ID was regenerated at each first factor authentication but this commit generalize session regeneration from first to second factor too. Fixes #180 2020-02-29 23:13:33 +00:00			`"regexp"`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00			`"testing"`

			`"github.com/golang/mock/gomock"`
[MISC] Refactor and address most errcheck linter ignores (#1511) * [MISC] Refactor and address most errcheck linter ignores This is mostly a quality of life change. When we first implemented the errcheck linter we ignored a number of items in our legacy codebase with intent to revisit down the track. * Handle errors for regulation marks and remove unnecessary logging 2020-12-16 01:47:31 +00:00			`"github.com/stretchr/testify/require"`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00			`"github.com/stretchr/testify/suite"`
			`"github.com/tstranex/u2f"`
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go 2020-04-05 12:37:21 +00:00
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/mocks"`
			`"github.com/authelia/authelia/v4/internal/session"`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00			`)`

			`type HandlerSignTOTPSuite struct {`
			`suite.Suite`

			`mock *mocks.MockAutheliaCtx`
			`}`

			`func (s *HandlerSignTOTPSuite) SetupTest() {`
			`s.mock = mocks.NewMockAutheliaCtx(s.T())`
			`userSession := s.mock.Ctx.GetSession()`
[CI] Add goconst linter (#961) * [CI] Add goconst linter * Implement goconst recommendations * Rename defaultPolicy to denyPolicy * Change order for test constants Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-02 16:20:40 +00:00			`userSession.Username = testUsername`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00			`userSession.U2FChallenge = &u2f.Challenge{}`
			`userSession.U2FRegistration = &session.U2FRegistration{}`
[MISC] Refactor and address most errcheck linter ignores (#1511) * [MISC] Refactor and address most errcheck linter ignores This is mostly a quality of life change. When we first implemented the errcheck linter we ignored a number of items in our legacy codebase with intent to revisit down the track. * Handle errors for regulation marks and remove unnecessary logging 2020-12-16 01:47:31 +00:00			`err := s.mock.Ctx.SaveSession(userSession)`
			`require.NoError(s.T(), err)`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00			`}`

			`func (s *HandlerSignTOTPSuite) TearDownTest() {`
			`s.mock.Close()`
			`}`

			`func (s *HandlerSignTOTPSuite) TestShouldRedirectUserToDefaultURL() {`
			`verifier := NewMockTOTPVerifier(s.mock.Ctrl)`

			`s.mock.StorageProviderMock.EXPECT().`
			`LoadTOTPSecret(gomock.Any()).`
			`Return("secret", nil)`

			`verifier.EXPECT().`
			`Verify(gomock.Eq("abc"), gomock.Eq("secret")).`
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773) * Add period TOPT config key to define the time in seconds each OTP is rotated * Add skew TOTP config to define how many keys either side of the current one should be considered valid * Add tests and set minimum values * Update config template * Use unix epoch for position calculation and Fix QR gen * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute * Generate QR based on period * Fix OTP timer graphic 2020-03-25 01:48:20 +00:00			`Return(true, nil)`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00
[CI] Add goconst linter (#961) * [CI] Add goconst linter * Implement goconst recommendations * Rename defaultPolicy to denyPolicy * Change order for test constants Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-02 16:20:40 +00:00			`s.mock.Ctx.Configuration.DefaultRedirectionURL = testRedirectionURL`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00
			`bodyBytes, err := json.Marshal(signTOTPRequestBody{`
			`Token: "abc",`
			`})`
			`s.Require().NoError(err)`
			`s.mock.Ctx.Request.SetBody(bodyBytes)`

			`SecondFactorTOTPPost(verifier)(s.mock.Ctx)`
			`s.mock.Assert200OK(s.T(), redirectResponse{`
[CI] Add goconst linter (#961) * [CI] Add goconst linter * Implement goconst recommendations * Rename defaultPolicy to denyPolicy * Change order for test constants Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-02 16:20:40 +00:00			`Redirect: testRedirectionURL,`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00			`})`
			`}`

			`func (s *HandlerSignTOTPSuite) TestShouldNotReturnRedirectURL() {`
			`verifier := NewMockTOTPVerifier(s.mock.Ctrl)`

			`s.mock.StorageProviderMock.EXPECT().`
			`LoadTOTPSecret(gomock.Any()).`
			`Return("secret", nil)`

			`verifier.EXPECT().`
			`Verify(gomock.Eq("abc"), gomock.Eq("secret")).`
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773) * Add period TOPT config key to define the time in seconds each OTP is rotated * Add skew TOTP config to define how many keys either side of the current one should be considered valid * Add tests and set minimum values * Update config template * Use unix epoch for position calculation and Fix QR gen * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute * Generate QR based on period * Fix OTP timer graphic 2020-03-25 01:48:20 +00:00			`Return(true, nil)`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00
			`bodyBytes, err := json.Marshal(signTOTPRequestBody{`
			`Token: "abc",`
			`})`
			`s.Require().NoError(err)`
			`s.mock.Ctx.Request.SetBody(bodyBytes)`

			`SecondFactorTOTPPost(verifier)(s.mock.Ctx)`
			`s.mock.Assert200OK(s.T(), nil)`
			`}`

			`func (s *HandlerSignTOTPSuite) TestShouldRedirectUserToSafeTargetURL() {`
			`verifier := NewMockTOTPVerifier(s.mock.Ctrl)`

			`s.mock.StorageProviderMock.EXPECT().`
			`LoadTOTPSecret(gomock.Any()).`
			`Return("secret", nil)`

			`verifier.EXPECT().`
			`Verify(gomock.Eq("abc"), gomock.Eq("secret")).`
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773) * Add period TOPT config key to define the time in seconds each OTP is rotated * Add skew TOTP config to define how many keys either side of the current one should be considered valid * Add tests and set minimum values * Update config template * Use unix epoch for position calculation and Fix QR gen * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute * Generate QR based on period * Fix OTP timer graphic 2020-03-25 01:48:20 +00:00			`Return(true, nil)`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00
			`bodyBytes, err := json.Marshal(signTOTPRequestBody{`
			`Token: "abc",`
			`TargetURL: "https://mydomain.local",`
			`})`
			`s.Require().NoError(err)`
			`s.mock.Ctx.Request.SetBody(bodyBytes)`

			`SecondFactorTOTPPost(verifier)(s.mock.Ctx)`
			`s.mock.Assert200OK(s.T(), redirectResponse{`
			`Redirect: "https://mydomain.local",`
			`})`
			`}`

			`func (s *HandlerSignTOTPSuite) TestShouldNotRedirectToUnsafeURL() {`
			`verifier := NewMockTOTPVerifier(s.mock.Ctrl)`

			`s.mock.StorageProviderMock.EXPECT().`
			`LoadTOTPSecret(gomock.Any()).`
			`Return("secret", nil)`

			`verifier.EXPECT().`
			`Verify(gomock.Eq("abc"), gomock.Eq("secret")).`
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773) * Add period TOPT config key to define the time in seconds each OTP is rotated * Add skew TOTP config to define how many keys either side of the current one should be considered valid * Add tests and set minimum values * Update config template * Use unix epoch for position calculation and Fix QR gen * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute * Generate QR based on period * Fix OTP timer graphic 2020-03-25 01:48:20 +00:00			`Return(true, nil)`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00
			`bodyBytes, err := json.Marshal(signTOTPRequestBody{`
			`Token: "abc",`
			`TargetURL: "http://mydomain.local",`
			`})`
			`s.Require().NoError(err)`
			`s.mock.Ctx.Request.SetBody(bodyBytes)`

			`SecondFactorTOTPPost(verifier)(s.mock.Ctx)`
			`s.mock.Assert200OK(s.T(), nil)`
			`}`

[FEATURE] Regenerate session IDs after 2FA authentication. (#670) Session fixation attacks were prevented because a session ID was regenerated at each first factor authentication but this commit generalize session regeneration from first to second factor too. Fixes #180 2020-02-29 23:13:33 +00:00			`func (s *HandlerSignTOTPSuite) TestShouldRegenerateSessionForPreventingSessionFixation() {`
			`verifier := NewMockTOTPVerifier(s.mock.Ctrl)`

			`s.mock.StorageProviderMock.EXPECT().`
			`LoadTOTPSecret(gomock.Any()).`
			`Return("secret", nil)`

			`verifier.EXPECT().`
			`Verify(gomock.Eq("abc"), gomock.Eq("secret")).`
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773) * Add period TOPT config key to define the time in seconds each OTP is rotated * Add skew TOTP config to define how many keys either side of the current one should be considered valid * Add tests and set minimum values * Update config template * Use unix epoch for position calculation and Fix QR gen * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute * Generate QR based on period * Fix OTP timer graphic 2020-03-25 01:48:20 +00:00			`Return(true, nil)`
[FEATURE] Regenerate session IDs after 2FA authentication. (#670) Session fixation attacks were prevented because a session ID was regenerated at each first factor authentication but this commit generalize session regeneration from first to second factor too. Fixes #180 2020-02-29 23:13:33 +00:00
			`bodyBytes, err := json.Marshal(signTOTPRequestBody{`
			`Token: "abc",`
			`})`
			`s.Require().NoError(err)`
			`s.mock.Ctx.Request.SetBody(bodyBytes)`

			`r := regexp.MustCompile("^authelia_session=(.*); path=")`
			`res := r.FindAllStringSubmatch(string(s.mock.Ctx.Response.Header.PeekCookie("authelia_session")), -1)`

			`SecondFactorTOTPPost(verifier)(s.mock.Ctx)`
			`s.mock.Assert200OK(s.T(), nil)`

			`s.Assert().NotEqual(`
			`res[0][1],`
			`string(s.mock.Ctx.Request.Header.Cookie("authelia_session")))`
			`}`

[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00			`func TestRunHandlerSignTOTPSuite(t *testing.T) {`
			`suite.Run(t, new(HandlerSignTOTPSuite))`
			`}`