2020-02-01 12:54:50 +00:00
|
|
|
package handlers
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
2022-03-03 11:20:43 +00:00
|
|
|
"errors"
|
2020-02-29 23:13:33 +00:00
|
|
|
"regexp"
|
2020-02-01 12:54:50 +00:00
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/golang/mock/gomock"
|
2020-12-16 01:47:31 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
2020-02-01 12:54:50 +00:00
|
|
|
"github.com/stretchr/testify/suite"
|
2020-04-05 12:37:21 +00:00
|
|
|
|
2021-08-11 01:04:35 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/mocks"
|
2022-03-06 05:47:40 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/model"
|
2021-11-29 03:09:14 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/regulation"
|
2020-02-01 12:54:50 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
type HandlerSignTOTPSuite struct {
|
|
|
|
suite.Suite
|
|
|
|
|
|
|
|
mock *mocks.MockAutheliaCtx
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *HandlerSignTOTPSuite) SetupTest() {
|
|
|
|
s.mock = mocks.NewMockAutheliaCtx(s.T())
|
|
|
|
userSession := s.mock.Ctx.GetSession()
|
2020-05-02 16:20:40 +00:00
|
|
|
userSession.Username = testUsername
|
2020-12-16 01:47:31 +00:00
|
|
|
err := s.mock.Ctx.SaveSession(userSession)
|
|
|
|
require.NoError(s.T(), err)
|
2020-02-01 12:54:50 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *HandlerSignTOTPSuite) TearDownTest() {
|
|
|
|
s.mock.Close()
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *HandlerSignTOTPSuite) TestShouldRedirectUserToDefaultURL() {
|
2022-03-06 05:47:40 +00:00
|
|
|
config := model.TOTPConfiguration{ID: 1, Username: "john", Digits: 6, Secret: []byte("secret"), Period: 30, Algorithm: "SHA1"}
|
2021-11-23 09:45:38 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-11-23 09:45:38 +00:00
|
|
|
LoadTOTPConfiguration(s.mock.Ctx, gomock.Any()).
|
|
|
|
Return(&config, nil)
|
2020-02-01 12:54:50 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.
|
2021-11-29 03:09:14 +00:00
|
|
|
EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
|
2021-11-29 03:09:14 +00:00
|
|
|
Username: "john",
|
|
|
|
Successful: true,
|
|
|
|
Banned: false,
|
|
|
|
Time: s.mock.Clock.Now(),
|
|
|
|
Type: regulation.AuthTypeTOTP,
|
2022-03-06 05:47:40 +00:00
|
|
|
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
|
2021-11-29 03:09:14 +00:00
|
|
|
}))
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.TOTPMock.EXPECT().Validate(gomock.Eq("abc"), gomock.Eq(&config)).Return(true, nil)
|
2020-02-01 12:54:50 +00:00
|
|
|
|
2022-03-03 11:20:43 +00:00
|
|
|
s.mock.StorageMock.
|
|
|
|
EXPECT().
|
|
|
|
UpdateTOTPConfigurationSignIn(s.mock.Ctx, gomock.Any(), gomock.Any())
|
|
|
|
|
2020-05-02 16:20:40 +00:00
|
|
|
s.mock.Ctx.Configuration.DefaultRedirectionURL = testRedirectionURL
|
2020-02-01 12:54:50 +00:00
|
|
|
|
|
|
|
bodyBytes, err := json.Marshal(signTOTPRequestBody{
|
|
|
|
Token: "abc",
|
|
|
|
})
|
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
TimeBasedOneTimePasswordPOST(s.mock.Ctx)
|
2020-02-01 12:54:50 +00:00
|
|
|
s.mock.Assert200OK(s.T(), redirectResponse{
|
2020-05-02 16:20:40 +00:00
|
|
|
Redirect: testRedirectionURL,
|
2020-02-01 12:54:50 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2022-03-03 11:20:43 +00:00
|
|
|
func (s *HandlerSignTOTPSuite) TestShouldFailWhenTOTPSignInInfoFailsToUpdate() {
|
2022-03-06 05:47:40 +00:00
|
|
|
config := model.TOTPConfiguration{ID: 1, Username: "john", Digits: 6, Secret: []byte("secret"), Period: 30, Algorithm: "SHA1"}
|
2022-03-03 11:20:43 +00:00
|
|
|
|
|
|
|
s.mock.StorageMock.EXPECT().
|
|
|
|
LoadTOTPConfiguration(s.mock.Ctx, gomock.Any()).
|
|
|
|
Return(&config, nil)
|
|
|
|
|
|
|
|
s.mock.StorageMock.
|
|
|
|
EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
|
2022-03-03 11:20:43 +00:00
|
|
|
Username: "john",
|
|
|
|
Successful: true,
|
|
|
|
Banned: false,
|
|
|
|
Time: s.mock.Clock.Now(),
|
|
|
|
Type: regulation.AuthTypeTOTP,
|
2022-03-06 05:47:40 +00:00
|
|
|
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
|
2022-03-03 11:20:43 +00:00
|
|
|
}))
|
|
|
|
|
|
|
|
s.mock.TOTPMock.EXPECT().Validate(gomock.Eq("abc"), gomock.Eq(&config)).Return(true, nil)
|
|
|
|
|
|
|
|
s.mock.StorageMock.
|
|
|
|
EXPECT().
|
|
|
|
UpdateTOTPConfigurationSignIn(s.mock.Ctx, gomock.Any(), gomock.Any()).Return(errors.New("failed to perform update"))
|
|
|
|
|
|
|
|
s.mock.Ctx.Configuration.DefaultRedirectionURL = testRedirectionURL
|
|
|
|
|
|
|
|
bodyBytes, err := json.Marshal(signTOTPRequestBody{
|
|
|
|
Token: "abc",
|
|
|
|
})
|
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
TimeBasedOneTimePasswordPOST(s.mock.Ctx)
|
2022-03-03 11:20:43 +00:00
|
|
|
s.mock.Assert401KO(s.T(), "Authentication failed, please retry later.")
|
|
|
|
}
|
|
|
|
|
2020-02-01 12:54:50 +00:00
|
|
|
func (s *HandlerSignTOTPSuite) TestShouldNotReturnRedirectURL() {
|
2022-03-06 05:47:40 +00:00
|
|
|
config := model.TOTPConfiguration{ID: 1, Username: "john", Digits: 6, Secret: []byte("secret"), Period: 30, Algorithm: "SHA1"}
|
2021-11-23 09:45:38 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-11-23 09:45:38 +00:00
|
|
|
LoadTOTPConfiguration(s.mock.Ctx, gomock.Any()).
|
|
|
|
Return(&config, nil)
|
2020-02-01 12:54:50 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.
|
2021-11-29 03:09:14 +00:00
|
|
|
EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
|
2021-11-29 03:09:14 +00:00
|
|
|
Username: "john",
|
|
|
|
Successful: true,
|
|
|
|
Banned: false,
|
|
|
|
Time: s.mock.Clock.Now(),
|
|
|
|
Type: regulation.AuthTypeTOTP,
|
2022-03-06 05:47:40 +00:00
|
|
|
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
|
2021-11-29 03:09:14 +00:00
|
|
|
}))
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.TOTPMock.EXPECT().Validate(gomock.Eq("abc"), gomock.Eq(&config)).Return(true, nil)
|
2020-02-01 12:54:50 +00:00
|
|
|
|
2022-03-03 11:20:43 +00:00
|
|
|
s.mock.StorageMock.
|
|
|
|
EXPECT().
|
|
|
|
UpdateTOTPConfigurationSignIn(s.mock.Ctx, gomock.Any(), gomock.Any())
|
|
|
|
|
2020-02-01 12:54:50 +00:00
|
|
|
bodyBytes, err := json.Marshal(signTOTPRequestBody{
|
|
|
|
Token: "abc",
|
|
|
|
})
|
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
TimeBasedOneTimePasswordPOST(s.mock.Ctx)
|
2020-02-01 12:54:50 +00:00
|
|
|
s.mock.Assert200OK(s.T(), nil)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *HandlerSignTOTPSuite) TestShouldRedirectUserToSafeTargetURL() {
|
2022-03-06 05:47:40 +00:00
|
|
|
config := model.TOTPConfiguration{ID: 1, Username: "john", Digits: 6, Secret: []byte("secret"), Period: 30, Algorithm: "SHA1"}
|
2021-11-23 09:45:38 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-11-23 09:45:38 +00:00
|
|
|
LoadTOTPConfiguration(s.mock.Ctx, gomock.Any()).
|
|
|
|
Return(&config, nil)
|
2020-02-01 12:54:50 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.
|
2021-11-29 03:09:14 +00:00
|
|
|
EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
|
2021-11-29 03:09:14 +00:00
|
|
|
Username: "john",
|
|
|
|
Successful: true,
|
|
|
|
Banned: false,
|
|
|
|
Time: s.mock.Clock.Now(),
|
|
|
|
Type: regulation.AuthTypeTOTP,
|
2022-03-06 05:47:40 +00:00
|
|
|
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
|
2021-11-29 03:09:14 +00:00
|
|
|
}))
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.TOTPMock.EXPECT().Validate(gomock.Eq("abc"), gomock.Eq(&config)).Return(true, nil)
|
2020-02-01 12:54:50 +00:00
|
|
|
|
2022-03-03 11:20:43 +00:00
|
|
|
s.mock.StorageMock.
|
|
|
|
EXPECT().
|
|
|
|
UpdateTOTPConfigurationSignIn(s.mock.Ctx, gomock.Any(), gomock.Any())
|
|
|
|
|
2020-02-01 12:54:50 +00:00
|
|
|
bodyBytes, err := json.Marshal(signTOTPRequestBody{
|
|
|
|
Token: "abc",
|
2022-10-01 11:47:09 +00:00
|
|
|
TargetURL: "https://mydomain.example.com",
|
2020-02-01 12:54:50 +00:00
|
|
|
})
|
2022-03-03 11:20:43 +00:00
|
|
|
|
2020-02-01 12:54:50 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
TimeBasedOneTimePasswordPOST(s.mock.Ctx)
|
2020-02-01 12:54:50 +00:00
|
|
|
s.mock.Assert200OK(s.T(), redirectResponse{
|
2022-10-01 11:47:09 +00:00
|
|
|
Redirect: "https://mydomain.example.com",
|
2020-02-01 12:54:50 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *HandlerSignTOTPSuite) TestShouldNotRedirectToUnsafeURL() {
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2022-03-03 11:20:43 +00:00
|
|
|
LoadTOTPConfiguration(s.mock.Ctx, "john").
|
2022-03-06 05:47:40 +00:00
|
|
|
Return(&model.TOTPConfiguration{Secret: []byte("secret")}, nil)
|
2020-02-01 12:54:50 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.
|
2021-11-29 03:09:14 +00:00
|
|
|
EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
|
2021-11-29 03:09:14 +00:00
|
|
|
Username: "john",
|
|
|
|
Successful: true,
|
|
|
|
Banned: false,
|
|
|
|
Time: s.mock.Clock.Now(),
|
|
|
|
Type: regulation.AuthTypeTOTP,
|
2022-03-06 05:47:40 +00:00
|
|
|
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
|
2021-11-29 03:09:14 +00:00
|
|
|
}))
|
|
|
|
|
2022-03-03 11:20:43 +00:00
|
|
|
s.mock.StorageMock.
|
|
|
|
EXPECT().
|
|
|
|
UpdateTOTPConfigurationSignIn(s.mock.Ctx, gomock.Any(), gomock.Any())
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.TOTPMock.EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
Validate(gomock.Eq("abc"), gomock.Eq(&model.TOTPConfiguration{Secret: []byte("secret")})).
|
2020-03-25 01:48:20 +00:00
|
|
|
Return(true, nil)
|
2020-02-01 12:54:50 +00:00
|
|
|
|
|
|
|
bodyBytes, err := json.Marshal(signTOTPRequestBody{
|
|
|
|
Token: "abc",
|
2022-10-01 11:47:09 +00:00
|
|
|
TargetURL: "http://mydomain.example.com",
|
2020-02-01 12:54:50 +00:00
|
|
|
})
|
2021-12-01 12:11:29 +00:00
|
|
|
|
2020-02-01 12:54:50 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
TimeBasedOneTimePasswordPOST(s.mock.Ctx)
|
2020-02-01 12:54:50 +00:00
|
|
|
s.mock.Assert200OK(s.T(), nil)
|
|
|
|
}
|
|
|
|
|
2020-02-29 23:13:33 +00:00
|
|
|
func (s *HandlerSignTOTPSuite) TestShouldRegenerateSessionForPreventingSessionFixation() {
|
2022-03-06 05:47:40 +00:00
|
|
|
config := model.TOTPConfiguration{ID: 1, Username: "john", Digits: 6, Secret: []byte("secret"), Period: 30, Algorithm: "SHA1"}
|
2021-11-23 09:45:38 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-11-23 09:45:38 +00:00
|
|
|
LoadTOTPConfiguration(s.mock.Ctx, gomock.Any()).
|
|
|
|
Return(&config, nil)
|
2020-02-29 23:13:33 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.
|
2021-11-29 03:09:14 +00:00
|
|
|
EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
|
2021-11-29 03:09:14 +00:00
|
|
|
Username: "john",
|
|
|
|
Successful: true,
|
|
|
|
Banned: false,
|
|
|
|
Time: s.mock.Clock.Now(),
|
|
|
|
Type: regulation.AuthTypeTOTP,
|
2022-03-06 05:47:40 +00:00
|
|
|
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
|
2021-11-29 03:09:14 +00:00
|
|
|
}))
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.TOTPMock.EXPECT().
|
|
|
|
Validate(gomock.Eq("abc"), gomock.Eq(&config)).
|
2020-03-25 01:48:20 +00:00
|
|
|
Return(true, nil)
|
2020-02-29 23:13:33 +00:00
|
|
|
|
2022-03-03 11:20:43 +00:00
|
|
|
s.mock.StorageMock.
|
|
|
|
EXPECT().
|
|
|
|
UpdateTOTPConfigurationSignIn(s.mock.Ctx, gomock.Any(), gomock.Any())
|
|
|
|
|
2020-02-29 23:13:33 +00:00
|
|
|
bodyBytes, err := json.Marshal(signTOTPRequestBody{
|
|
|
|
Token: "abc",
|
|
|
|
})
|
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
|
|
|
r := regexp.MustCompile("^authelia_session=(.*); path=")
|
|
|
|
res := r.FindAllStringSubmatch(string(s.mock.Ctx.Response.Header.PeekCookie("authelia_session")), -1)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
TimeBasedOneTimePasswordPOST(s.mock.Ctx)
|
2020-02-29 23:13:33 +00:00
|
|
|
s.mock.Assert200OK(s.T(), nil)
|
|
|
|
|
|
|
|
s.Assert().NotEqual(
|
|
|
|
res[0][1],
|
|
|
|
string(s.mock.Ctx.Request.Header.Cookie("authelia_session")))
|
|
|
|
}
|
|
|
|
|
2020-02-01 12:54:50 +00:00
|
|
|
func TestRunHandlerSignTOTPSuite(t *testing.T) {
|
|
|
|
suite.Run(t, new(HandlerSignTOTPSuite))
|
|
|
|
}
|