2019-04-24 21:52:08 +00:00
|
|
|
package handlers
|
|
|
|
|
|
|
|
import (
|
2020-02-01 12:54:50 +00:00
|
|
|
"encoding/json"
|
2021-12-01 03:32:58 +00:00
|
|
|
"errors"
|
2019-04-24 21:52:08 +00:00
|
|
|
"fmt"
|
|
|
|
"net/url"
|
2020-02-29 23:13:33 +00:00
|
|
|
"regexp"
|
2019-04-24 21:52:08 +00:00
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/golang/mock/gomock"
|
|
|
|
"github.com/stretchr/testify/assert"
|
2020-12-16 01:47:31 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
2019-04-24 21:52:08 +00:00
|
|
|
"github.com/stretchr/testify/suite"
|
2020-04-05 12:37:21 +00:00
|
|
|
|
2023-01-12 10:57:44 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
2021-08-11 01:04:35 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/duo"
|
|
|
|
"github.com/authelia/authelia/v4/internal/mocks"
|
2022-03-06 05:47:40 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/model"
|
2021-11-29 03:09:14 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/regulation"
|
2019-04-24 21:52:08 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
type SecondFactorDuoPostSuite struct {
|
|
|
|
suite.Suite
|
|
|
|
mock *mocks.MockAutheliaCtx
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SecondFactorDuoPostSuite) SetupTest() {
|
|
|
|
s.mock = mocks.NewMockAutheliaCtx(s.T())
|
|
|
|
userSession := s.mock.Ctx.GetSession()
|
2020-05-02 16:20:40 +00:00
|
|
|
userSession.Username = testUsername
|
2020-12-16 01:47:31 +00:00
|
|
|
err := s.mock.Ctx.SaveSession(userSession)
|
|
|
|
require.NoError(s.T(), err)
|
2019-04-24 21:52:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SecondFactorDuoPostSuite) TearDownTest() {
|
|
|
|
s.mock.Close()
|
|
|
|
}
|
|
|
|
|
2021-12-01 03:32:58 +00:00
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldEnroll() {
|
2019-04-24 21:52:08 +00:00
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
|
|
|
Return(nil, errors.New("no Duo device and method saved"))
|
|
|
|
|
|
|
|
var enrollURL = "https://api-example.duosecurity.com/portal?code=1234567890ABCDEF&akey=12345ABCDEFGHIJ67890"
|
|
|
|
|
2019-04-24 21:52:08 +00:00
|
|
|
values := url.Values{}
|
|
|
|
values.Set("username", "john")
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
preAuthResponse := duo.PreAuthResponse{}
|
|
|
|
preAuthResponse.Result = enroll
|
|
|
|
preAuthResponse.EnrollPortalURL = enrollURL
|
|
|
|
|
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&preAuthResponse, nil)
|
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{})
|
2021-12-01 03:32:58 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
s.mock.Assert200OK(s.T(), DuoSignResponse{
|
|
|
|
Result: enroll,
|
|
|
|
EnrollURL: enrollURL,
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldAutoSelect() {
|
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().LoadPreferredDuoDevice(s.mock.Ctx, "john").Return(nil, errors.New("no Duo device and method saved"))
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
var duoDevices = []duo.Device{
|
|
|
|
{Capabilities: []string{"auto", "push", "sms", "mobile_otp"}, Number: " ", Device: "12345ABCDEFGHIJ67890", DisplayName: "Test Device 1"},
|
|
|
|
{Capabilities: []string{"auto", "sms", "mobile_otp"}, Number: "+123456789****", Device: "1234567890ABCDEFGHIJ", DisplayName: "Test Device 2"},
|
|
|
|
}
|
|
|
|
|
|
|
|
values := url.Values{}
|
|
|
|
values.Set("username", "john")
|
|
|
|
|
|
|
|
preAuthResponse := duo.PreAuthResponse{}
|
|
|
|
preAuthResponse.Result = auth
|
|
|
|
preAuthResponse.Devices = duoDevices
|
|
|
|
|
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&preAuthResponse, nil)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
SavePreferredDuoDevice(s.mock.Ctx, model.DuoDevice{Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}).
|
2021-12-01 03:32:58 +00:00
|
|
|
Return(nil)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.
|
2021-12-01 03:32:58 +00:00
|
|
|
EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
|
2021-12-01 03:32:58 +00:00
|
|
|
Username: "john",
|
|
|
|
Successful: true,
|
|
|
|
Banned: false,
|
|
|
|
Time: s.mock.Clock.Now(),
|
2021-12-02 10:28:16 +00:00
|
|
|
Type: regulation.AuthTypeDuo,
|
2022-03-06 05:47:40 +00:00
|
|
|
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
|
2021-12-01 03:32:58 +00:00
|
|
|
})).
|
|
|
|
Return(nil)
|
|
|
|
|
|
|
|
values = url.Values{}
|
|
|
|
values.Set("username", "john")
|
2019-04-24 21:52:08 +00:00
|
|
|
values.Set("ipaddr", s.mock.Ctx.RemoteIP().String())
|
|
|
|
values.Set("factor", "push")
|
2021-12-01 03:32:58 +00:00
|
|
|
values.Set("device", "12345ABCDEFGHIJ67890")
|
2019-04-24 21:52:08 +00:00
|
|
|
values.Set("pushinfo", "target%20url=https://target.example.com")
|
|
|
|
|
2021-12-01 03:32:58 +00:00
|
|
|
authResponse := duo.AuthResponse{}
|
|
|
|
authResponse.Result = allow
|
|
|
|
|
|
|
|
duoMock.EXPECT().AuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&authResponse, nil)
|
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{TargetURL: "https://target.example.com"})
|
2021-12-01 03:32:58 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2021-12-01 03:32:58 +00:00
|
|
|
assert.Equal(s.T(), 200, s.mock.Ctx.Response.StatusCode())
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldDenyAutoSelect() {
|
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
|
|
|
Return(nil, errors.New("no Duo device and method saved"))
|
|
|
|
|
|
|
|
values := url.Values{}
|
|
|
|
values.Set("username", "john")
|
|
|
|
|
|
|
|
preAuthResponse := duo.PreAuthResponse{}
|
|
|
|
preAuthResponse.Result = deny
|
|
|
|
|
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&preAuthResponse, nil)
|
|
|
|
|
|
|
|
values = url.Values{}
|
|
|
|
values.Set("username", "john")
|
|
|
|
values.Set("ipaddr", s.mock.Ctx.RemoteIP().String())
|
|
|
|
values.Set("factor", "push")
|
|
|
|
values.Set("device", "12345ABCDEFGHIJ67890")
|
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{})
|
2021-12-01 03:32:58 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
s.mock.Assert200OK(s.T(), DuoSignResponse{
|
|
|
|
Result: deny,
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldFailAutoSelect() {
|
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
|
|
|
Return(nil, errors.New("no Duo device and method saved"))
|
|
|
|
|
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Any()).Return(nil, fmt.Errorf("Connnection error"))
|
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{TargetURL: "https://target.example.com"})
|
2021-12-01 03:32:58 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
s.mock.Assert401KO(s.T(), "Authentication failed, please retry later.")
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldDeleteOldDeviceAndEnroll() {
|
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
2022-03-06 05:47:40 +00:00
|
|
|
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "NOTEXISTENT", Method: "push"}, nil)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
var enrollURL = "https://api-example.duosecurity.com/portal?code=1234567890ABCDEF&akey=12345ABCDEFGHIJ67890"
|
|
|
|
|
|
|
|
values := url.Values{}
|
|
|
|
values.Set("username", "john")
|
|
|
|
|
|
|
|
preAuthResponse := duo.PreAuthResponse{}
|
|
|
|
preAuthResponse.Result = enroll
|
|
|
|
preAuthResponse.EnrollPortalURL = enrollURL
|
|
|
|
|
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&preAuthResponse, nil)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().DeletePreferredDuoDevice(s.mock.Ctx, "john").Return(nil)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{})
|
2021-12-01 03:32:58 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
s.mock.Assert200OK(s.T(), DuoSignResponse{
|
|
|
|
Result: enroll,
|
|
|
|
EnrollURL: enrollURL,
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldDeleteOldDeviceAndCallPreauthAPIWithInvalidDevicesAndEnroll() {
|
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
2022-03-06 05:47:40 +00:00
|
|
|
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "NOTEXISTENT", Method: "push"}, nil)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
var duoDevices = []duo.Device{
|
|
|
|
{Capabilities: []string{"sms"}, Number: " ", Device: "12345ABCDEFGHIJ67890", DisplayName: "Test Device 1"},
|
|
|
|
}
|
|
|
|
|
|
|
|
values := url.Values{}
|
|
|
|
values.Set("username", "john")
|
|
|
|
|
|
|
|
preAuthResponse := duo.PreAuthResponse{}
|
|
|
|
preAuthResponse.Result = auth
|
|
|
|
preAuthResponse.Devices = duoDevices
|
|
|
|
|
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&preAuthResponse, nil)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().DeletePreferredDuoDevice(s.mock.Ctx, "john").Return(nil)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{})
|
2021-12-01 03:32:58 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
s.mock.Assert200OK(s.T(), DuoSignResponse{
|
|
|
|
Result: enroll,
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldUseOldDeviceAndSelect() {
|
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
2022-03-06 05:47:40 +00:00
|
|
|
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "NOTEXISTENT", Method: "push"}, nil)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
var duoDevices = []duo.Device{
|
|
|
|
{Capabilities: []string{"auto", "push", "sms", "mobile_otp"}, Number: " ", Device: "12345ABCDEFGHIJ67890", DisplayName: "Test Device 1"},
|
|
|
|
{Capabilities: []string{"auto", "push", "sms", "mobile_otp"}, Number: "+123456789****", Device: "1234567890ABCDEFGHIJ", DisplayName: "Test Device 2"},
|
|
|
|
{Capabilities: []string{"auto", "sms", "mobile_otp"}, Number: "+123456789****", Device: "1234567890ABCDEFGHIJ", DisplayName: "Test Device 3"},
|
|
|
|
}
|
|
|
|
|
|
|
|
var apiDevices = []DuoDevice{
|
|
|
|
{Capabilities: []string{"push"}, Device: "12345ABCDEFGHIJ67890", DisplayName: "Test Device 1"},
|
|
|
|
{Capabilities: []string{"push"}, Device: "1234567890ABCDEFGHIJ", DisplayName: "Test Device 2"},
|
|
|
|
}
|
|
|
|
|
|
|
|
values := url.Values{}
|
|
|
|
values.Set("username", "john")
|
|
|
|
|
|
|
|
preAuthResponse := duo.PreAuthResponse{}
|
|
|
|
preAuthResponse.Result = auth
|
|
|
|
preAuthResponse.Devices = duoDevices
|
|
|
|
|
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&preAuthResponse, nil)
|
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{})
|
2021-12-01 03:32:58 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2021-12-01 03:32:58 +00:00
|
|
|
s.mock.Assert200OK(s.T(), DuoDevicesResponse{Result: auth, Devices: apiDevices})
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldUseInvalidMethodAndAutoSelect() {
|
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
2022-03-06 05:47:40 +00:00
|
|
|
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "invalidmethod"}, nil)
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.
|
2021-11-29 03:09:14 +00:00
|
|
|
EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
|
2021-11-29 03:09:14 +00:00
|
|
|
Username: "john",
|
|
|
|
Successful: true,
|
|
|
|
Banned: false,
|
|
|
|
Time: s.mock.Clock.Now(),
|
2021-12-02 10:28:16 +00:00
|
|
|
Type: regulation.AuthTypeDuo,
|
2022-03-06 05:47:40 +00:00
|
|
|
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
|
2021-12-01 03:32:58 +00:00
|
|
|
})).
|
|
|
|
Return(nil)
|
|
|
|
|
|
|
|
var duoDevices = []duo.Device{
|
|
|
|
{Capabilities: []string{"auto", "push", "sms", "mobile_otp"}, Number: " ", Device: "12345ABCDEFGHIJ67890", DisplayName: "Test Device 1"},
|
|
|
|
}
|
2021-11-29 03:09:14 +00:00
|
|
|
|
2021-12-01 03:32:58 +00:00
|
|
|
values := url.Values{}
|
|
|
|
values.Set("username", "john")
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2021-12-01 03:32:58 +00:00
|
|
|
preAuthResponse := duo.PreAuthResponse{}
|
|
|
|
preAuthResponse.Result = auth
|
|
|
|
preAuthResponse.Devices = duoDevices
|
|
|
|
|
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&preAuthResponse, nil)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
SavePreferredDuoDevice(s.mock.Ctx, model.DuoDevice{Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}).
|
2021-12-01 03:32:58 +00:00
|
|
|
Return(nil)
|
|
|
|
|
|
|
|
values = url.Values{}
|
|
|
|
values.Set("username", "john")
|
|
|
|
values.Set("ipaddr", s.mock.Ctx.RemoteIP().String())
|
|
|
|
values.Set("factor", "push")
|
|
|
|
values.Set("device", "12345ABCDEFGHIJ67890")
|
|
|
|
values.Set("pushinfo", "target%20url=https://target.example.com")
|
|
|
|
|
|
|
|
authResponse := duo.AuthResponse{}
|
|
|
|
authResponse.Result = allow
|
|
|
|
|
|
|
|
duoMock.EXPECT().AuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&authResponse, nil)
|
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{TargetURL: "https://target.example.com"})
|
2021-12-01 03:32:58 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2021-12-01 03:32:58 +00:00
|
|
|
assert.Equal(s.T(), 200, s.mock.Ctx.Response.StatusCode())
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldCallDuoPreauthAPIAndAllowAccess() {
|
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
2022-03-06 05:47:40 +00:00
|
|
|
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
values := url.Values{}
|
|
|
|
values.Set("username", "john")
|
|
|
|
|
|
|
|
preAuthResponse := duo.PreAuthResponse{}
|
|
|
|
preAuthResponse.Result = allow
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2021-12-01 03:32:58 +00:00
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&preAuthResponse, nil)
|
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{TargetURL: "https://target.example.com"})
|
2021-12-01 03:32:58 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
assert.Equal(s.T(), 200, s.mock.Ctx.Response.StatusCode())
|
2019-04-24 21:52:08 +00:00
|
|
|
}
|
|
|
|
|
2021-12-01 03:32:58 +00:00
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldCallDuoPreauthAPIAndDenyAccess() {
|
2019-04-24 21:52:08 +00:00
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
2022-03-06 05:47:40 +00:00
|
|
|
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
2019-04-24 21:52:08 +00:00
|
|
|
values := url.Values{}
|
|
|
|
values.Set("username", "john")
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
preAuthResponse := duo.PreAuthResponse{}
|
|
|
|
preAuthResponse.Result = deny
|
|
|
|
|
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&preAuthResponse, nil)
|
|
|
|
|
|
|
|
values = url.Values{}
|
|
|
|
values.Set("username", "john")
|
2019-04-24 21:52:08 +00:00
|
|
|
values.Set("ipaddr", s.mock.Ctx.RemoteIP().String())
|
|
|
|
values.Set("factor", "push")
|
2021-12-01 03:32:58 +00:00
|
|
|
values.Set("device", "12345ABCDEFGHIJ67890")
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{})
|
2021-12-01 03:32:58 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
assert.Equal(s.T(), 401, s.mock.Ctx.Response.StatusCode())
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldCallDuoPreauthAPIAndFail() {
|
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
2022-03-06 05:47:40 +00:00
|
|
|
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Any()).Return(nil, fmt.Errorf("Connnection error"))
|
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{})
|
2021-12-01 03:32:58 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
s.mock.Assert401KO(s.T(), "Authentication failed, please retry later.")
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldCallDuoAPIAndDenyAccess() {
|
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
2022-03-06 05:47:40 +00:00
|
|
|
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.
|
2021-11-29 03:09:14 +00:00
|
|
|
EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
|
2021-11-29 03:09:14 +00:00
|
|
|
Username: "john",
|
|
|
|
Successful: false,
|
|
|
|
Banned: false,
|
|
|
|
Time: s.mock.Clock.Now(),
|
2021-12-02 10:28:16 +00:00
|
|
|
Type: regulation.AuthTypeDuo,
|
2022-03-06 05:47:40 +00:00
|
|
|
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
|
2021-12-01 03:32:58 +00:00
|
|
|
})).
|
|
|
|
Return(nil)
|
|
|
|
|
|
|
|
var duoDevices = []duo.Device{
|
|
|
|
{Capabilities: []string{"auto", "push", "sms", "mobile_otp"}, Number: " ", Device: "12345ABCDEFGHIJ67890", DisplayName: "Test Device 1"},
|
|
|
|
}
|
|
|
|
|
|
|
|
values := url.Values{}
|
|
|
|
values.Set("username", "john")
|
2021-11-29 03:09:14 +00:00
|
|
|
|
2021-12-01 03:32:58 +00:00
|
|
|
preAuthResponse := duo.PreAuthResponse{}
|
|
|
|
preAuthResponse.Result = auth
|
|
|
|
preAuthResponse.Devices = duoDevices
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2021-12-01 03:32:58 +00:00
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&preAuthResponse, nil)
|
|
|
|
|
|
|
|
values = url.Values{}
|
|
|
|
values.Set("username", "john")
|
|
|
|
values.Set("ipaddr", s.mock.Ctx.RemoteIP().String())
|
|
|
|
values.Set("factor", "push")
|
|
|
|
values.Set("device", "12345ABCDEFGHIJ67890")
|
|
|
|
|
|
|
|
response := duo.AuthResponse{}
|
|
|
|
response.Result = deny
|
|
|
|
|
|
|
|
duoMock.EXPECT().AuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&response, nil)
|
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{})
|
2021-12-01 03:32:58 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2021-12-01 03:32:58 +00:00
|
|
|
assert.Equal(s.T(), 401, s.mock.Ctx.Response.StatusCode())
|
2019-04-24 21:52:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldCallDuoAPIAndFail() {
|
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
2022-03-06 05:47:40 +00:00
|
|
|
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
|
2021-12-01 03:32:58 +00:00
|
|
|
|
|
|
|
var duoDevices = []duo.Device{
|
|
|
|
{Capabilities: []string{"auto", "push", "sms", "mobile_otp"}, Number: " ", Device: "12345ABCDEFGHIJ67890", DisplayName: "Test Device 1"},
|
|
|
|
}
|
|
|
|
|
2019-04-24 21:52:08 +00:00
|
|
|
values := url.Values{}
|
|
|
|
values.Set("username", "john")
|
|
|
|
|
2021-12-01 03:32:58 +00:00
|
|
|
preAuthResponse := duo.PreAuthResponse{}
|
|
|
|
preAuthResponse.Result = auth
|
|
|
|
preAuthResponse.Devices = duoDevices
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2021-12-01 03:32:58 +00:00
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&preAuthResponse, nil)
|
|
|
|
|
|
|
|
duoMock.EXPECT().AuthCall(s.mock.Ctx, gomock.Any()).Return(nil, fmt.Errorf("Connnection error"))
|
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{})
|
2021-12-01 03:32:58 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2020-05-05 21:27:38 +00:00
|
|
|
s.mock.Assert401KO(s.T(), "Authentication failed, please retry later.")
|
2019-04-24 21:52:08 +00:00
|
|
|
}
|
|
|
|
|
2020-02-01 12:54:50 +00:00
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldRedirectUserToDefaultURL() {
|
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
2022-03-06 05:47:40 +00:00
|
|
|
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
|
2020-02-01 12:54:50 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.
|
2021-11-29 03:09:14 +00:00
|
|
|
EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
|
2021-11-29 03:09:14 +00:00
|
|
|
Username: "john",
|
|
|
|
Successful: true,
|
|
|
|
Banned: false,
|
|
|
|
Time: s.mock.Clock.Now(),
|
2021-12-02 10:28:16 +00:00
|
|
|
Type: regulation.AuthTypeDuo,
|
2022-03-06 05:47:40 +00:00
|
|
|
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
|
2021-12-01 03:32:58 +00:00
|
|
|
})).
|
|
|
|
Return(nil)
|
|
|
|
|
|
|
|
var duoDevices = []duo.Device{
|
|
|
|
{Capabilities: []string{"auto", "push", "sms", "mobile_otp"}, Number: " ", Device: "12345ABCDEFGHIJ67890", DisplayName: "Test Device 1"},
|
|
|
|
}
|
|
|
|
|
|
|
|
values := url.Values{}
|
|
|
|
values.Set("username", "john")
|
|
|
|
|
|
|
|
preAuthResponse := duo.PreAuthResponse{}
|
|
|
|
preAuthResponse.Result = auth
|
|
|
|
preAuthResponse.Devices = duoDevices
|
|
|
|
|
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&preAuthResponse, nil)
|
|
|
|
|
|
|
|
response := duo.AuthResponse{}
|
|
|
|
response.Result = allow
|
|
|
|
|
|
|
|
duoMock.EXPECT().AuthCall(s.mock.Ctx, gomock.Any()).Return(&response, nil)
|
2021-11-29 03:09:14 +00:00
|
|
|
|
2020-05-02 16:20:40 +00:00
|
|
|
s.mock.Ctx.Configuration.DefaultRedirectionURL = testRedirectionURL
|
2020-02-01 12:54:50 +00:00
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{})
|
2020-02-01 12:54:50 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2020-02-01 12:54:50 +00:00
|
|
|
s.mock.Assert200OK(s.T(), redirectResponse{
|
2020-05-02 16:20:40 +00:00
|
|
|
Redirect: testRedirectionURL,
|
2020-02-01 12:54:50 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldNotReturnRedirectURL() {
|
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
2022-03-06 05:47:40 +00:00
|
|
|
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
|
2020-02-01 12:54:50 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.
|
2021-11-29 03:09:14 +00:00
|
|
|
EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
|
2021-11-29 03:09:14 +00:00
|
|
|
Username: "john",
|
|
|
|
Successful: true,
|
|
|
|
Banned: false,
|
|
|
|
Time: s.mock.Clock.Now(),
|
2021-12-02 10:28:16 +00:00
|
|
|
Type: regulation.AuthTypeDuo,
|
2022-03-06 05:47:40 +00:00
|
|
|
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
|
2021-12-01 03:32:58 +00:00
|
|
|
})).
|
|
|
|
Return(nil)
|
|
|
|
|
|
|
|
var duoDevices = []duo.Device{
|
|
|
|
{Capabilities: []string{"auto", "push", "sms", "mobile_otp"}, Number: " ", Device: "12345ABCDEFGHIJ67890", DisplayName: "Test Device 1"},
|
|
|
|
}
|
|
|
|
|
|
|
|
values := url.Values{}
|
|
|
|
values.Set("username", "john")
|
|
|
|
|
|
|
|
preAuthResponse := duo.PreAuthResponse{}
|
|
|
|
preAuthResponse.Result = auth
|
|
|
|
preAuthResponse.Devices = duoDevices
|
|
|
|
|
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&preAuthResponse, nil)
|
|
|
|
|
|
|
|
response := duo.AuthResponse{}
|
|
|
|
response.Result = allow
|
|
|
|
|
|
|
|
duoMock.EXPECT().AuthCall(s.mock.Ctx, gomock.Any()).Return(&response, nil)
|
2021-11-29 03:09:14 +00:00
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{})
|
2020-02-01 12:54:50 +00:00
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2020-02-01 12:54:50 +00:00
|
|
|
s.mock.Assert200OK(s.T(), nil)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldRedirectUserToSafeTargetURL() {
|
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2023-01-12 10:57:44 +00:00
|
|
|
s.mock.Ctx.Configuration.Session.Cookies = []schema.SessionCookieConfiguration{
|
|
|
|
{
|
|
|
|
SessionCookieCommonConfiguration: schema.SessionCookieCommonConfiguration{
|
|
|
|
Domain: "example.com",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
SessionCookieCommonConfiguration: schema.SessionCookieCommonConfiguration{
|
|
|
|
Domain: "mydomain.local",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
2022-03-06 05:47:40 +00:00
|
|
|
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
|
2020-02-01 12:54:50 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.
|
2021-11-29 03:09:14 +00:00
|
|
|
EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
|
2021-11-29 03:09:14 +00:00
|
|
|
Username: "john",
|
|
|
|
Successful: true,
|
|
|
|
Banned: false,
|
|
|
|
Time: s.mock.Clock.Now(),
|
2021-12-02 10:28:16 +00:00
|
|
|
Type: regulation.AuthTypeDuo,
|
2022-03-06 05:47:40 +00:00
|
|
|
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
|
2021-12-01 03:32:58 +00:00
|
|
|
})).
|
|
|
|
Return(nil)
|
|
|
|
|
|
|
|
var duoDevices = []duo.Device{
|
|
|
|
{Capabilities: []string{"auto", "push", "sms", "mobile_otp"}, Number: " ", Device: "12345ABCDEFGHIJ67890", DisplayName: "Test Device 1"},
|
|
|
|
}
|
|
|
|
|
|
|
|
values := url.Values{}
|
|
|
|
values.Set("username", "john")
|
|
|
|
|
|
|
|
preAuthResponse := duo.PreAuthResponse{}
|
|
|
|
preAuthResponse.Result = auth
|
|
|
|
preAuthResponse.Devices = duoDevices
|
|
|
|
|
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&preAuthResponse, nil)
|
|
|
|
|
|
|
|
response := duo.AuthResponse{}
|
|
|
|
response.Result = allow
|
|
|
|
|
|
|
|
duoMock.EXPECT().AuthCall(s.mock.Ctx, gomock.Any()).Return(&response, nil)
|
2021-11-29 03:09:14 +00:00
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{
|
|
|
|
TargetURL: "https://example.com",
|
2020-02-01 12:54:50 +00:00
|
|
|
})
|
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2020-02-01 12:54:50 +00:00
|
|
|
s.mock.Assert200OK(s.T(), redirectResponse{
|
2022-10-20 02:16:36 +00:00
|
|
|
Redirect: "https://example.com",
|
2020-02-01 12:54:50 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldNotRedirectToUnsafeURL() {
|
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
2022-03-06 05:47:40 +00:00
|
|
|
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
|
2020-02-01 12:54:50 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.
|
2021-11-29 03:09:14 +00:00
|
|
|
EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
|
2021-11-29 03:09:14 +00:00
|
|
|
Username: "john",
|
|
|
|
Successful: true,
|
|
|
|
Banned: false,
|
|
|
|
Time: s.mock.Clock.Now(),
|
2021-12-02 10:28:16 +00:00
|
|
|
Type: regulation.AuthTypeDuo,
|
2022-03-06 05:47:40 +00:00
|
|
|
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
|
2021-12-01 03:32:58 +00:00
|
|
|
})).
|
|
|
|
Return(nil)
|
|
|
|
|
|
|
|
var duoDevices = []duo.Device{
|
|
|
|
{Capabilities: []string{"auto", "push", "sms", "mobile_otp"}, Number: " ", Device: "12345ABCDEFGHIJ67890", DisplayName: "Test Device 1"},
|
|
|
|
}
|
|
|
|
|
|
|
|
values := url.Values{}
|
|
|
|
values.Set("username", "john")
|
|
|
|
|
|
|
|
preAuthResponse := duo.PreAuthResponse{}
|
|
|
|
preAuthResponse.Result = auth
|
|
|
|
preAuthResponse.Devices = duoDevices
|
|
|
|
|
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&preAuthResponse, nil)
|
|
|
|
|
|
|
|
response := duo.AuthResponse{}
|
|
|
|
response.Result = allow
|
|
|
|
|
|
|
|
duoMock.EXPECT().AuthCall(s.mock.Ctx, gomock.Any()).Return(&response, nil)
|
2021-11-29 03:09:14 +00:00
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{
|
|
|
|
TargetURL: "http://example.com",
|
2020-02-01 12:54:50 +00:00
|
|
|
})
|
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2020-02-01 12:54:50 +00:00
|
|
|
s.mock.Assert200OK(s.T(), nil)
|
|
|
|
}
|
|
|
|
|
2020-02-29 23:13:33 +00:00
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldRegenerateSessionForPreventingSessionFixation() {
|
|
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.EXPECT().
|
2021-12-01 03:32:58 +00:00
|
|
|
LoadPreferredDuoDevice(s.mock.Ctx, "john").
|
2022-03-06 05:47:40 +00:00
|
|
|
Return(&model.DuoDevice{ID: 1, Username: "john", Device: "12345ABCDEFGHIJ67890", Method: "push"}, nil)
|
2020-02-29 23:13:33 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
s.mock.StorageMock.
|
2021-11-29 03:09:14 +00:00
|
|
|
EXPECT().
|
2022-03-06 05:47:40 +00:00
|
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(model.AuthenticationAttempt{
|
2021-11-29 03:09:14 +00:00
|
|
|
Username: "john",
|
|
|
|
Successful: true,
|
|
|
|
Banned: false,
|
|
|
|
Time: s.mock.Clock.Now(),
|
2021-12-02 10:28:16 +00:00
|
|
|
Type: regulation.AuthTypeDuo,
|
2022-03-06 05:47:40 +00:00
|
|
|
RemoteIP: model.NewNullIPFromString("0.0.0.0"),
|
2021-12-01 03:32:58 +00:00
|
|
|
})).
|
|
|
|
Return(nil)
|
|
|
|
|
|
|
|
var duoDevices = []duo.Device{
|
|
|
|
{Capabilities: []string{"auto", "push", "sms", "mobile_otp"}, Number: " ", Device: "12345ABCDEFGHIJ67890", DisplayName: "Test Device 1"},
|
|
|
|
}
|
|
|
|
|
|
|
|
values := url.Values{}
|
|
|
|
values.Set("username", "john")
|
|
|
|
|
|
|
|
preAuthResponse := duo.PreAuthResponse{}
|
|
|
|
preAuthResponse.Result = auth
|
|
|
|
preAuthResponse.Devices = duoDevices
|
|
|
|
|
|
|
|
duoMock.EXPECT().PreAuthCall(s.mock.Ctx, gomock.Eq(values)).Return(&preAuthResponse, nil)
|
|
|
|
|
|
|
|
response := duo.AuthResponse{}
|
|
|
|
response.Result = allow
|
|
|
|
|
|
|
|
duoMock.EXPECT().AuthCall(s.mock.Ctx, gomock.Any()).Return(&response, nil)
|
2021-11-29 03:09:14 +00:00
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
bodyBytes, err := json.Marshal(bodySignDuoRequest{
|
|
|
|
TargetURL: "http://example.com",
|
2020-02-29 23:13:33 +00:00
|
|
|
})
|
|
|
|
s.Require().NoError(err)
|
|
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
|
|
|
|
r := regexp.MustCompile("^authelia_session=(.*); path=")
|
|
|
|
res := r.FindAllStringSubmatch(string(s.mock.Ctx.Response.Header.PeekCookie("authelia_session")), -1)
|
|
|
|
|
2022-04-08 04:13:47 +00:00
|
|
|
DuoPOST(duoMock)(s.mock.Ctx)
|
2020-02-29 23:13:33 +00:00
|
|
|
s.mock.Assert200OK(s.T(), nil)
|
|
|
|
|
|
|
|
s.Assert().NotEqual(
|
|
|
|
res[0][1],
|
|
|
|
string(s.mock.Ctx.Request.Header.Cookie("authelia_session")))
|
|
|
|
}
|
|
|
|
|
2020-01-21 00:10:00 +00:00
|
|
|
func TestRunSecondFactorDuoPostSuite(t *testing.T) {
|
2019-04-24 21:52:08 +00:00
|
|
|
s := new(SecondFactorDuoPostSuite)
|
|
|
|
suite.Run(t, s)
|
|
|
|
}
|