session_spec.rb 9.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335
  1. # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
  3. RSpec.describe 'Sessions endpoints', type: :request do
  4. describe 'GET /' do
  5. let(:headers) { {} }
  6. let(:session_key) { Zammad::Application::Initializer::SessionStore::SESSION_KEY }
  7. before do
  8. Setting.set('http_type', http_type)
  9. get '/', headers: headers
  10. end
  11. context "when Setting 'http_type' is set to 'https'" do
  12. let(:http_type) { 'https' }
  13. context "when it's not an HTTPS request" do
  14. it 'sets no Cookie' do
  15. expect(response.header['Set-Cookie']).to be_nil
  16. end
  17. end
  18. context "when it's an HTTPS request" do
  19. let(:headers) do
  20. {
  21. 'X-Forwarded-Proto' => 'https'
  22. }
  23. end
  24. it "sets Cookie with 'secure' flag" do
  25. expect(response.header['Set-Cookie']).to include(session_key).and include('; secure;')
  26. end
  27. end
  28. end
  29. context "when Setting 'http_type' is set to 'http'" do
  30. let(:http_type) { 'http' }
  31. context "when it's not an HTTPS request" do
  32. it 'sets Cookie' do
  33. expect(response.header['Set-Cookie']).to include(session_key).and not_include('; secure;')
  34. end
  35. end
  36. context "when it's an HTTPS request" do
  37. let(:headers) do
  38. {
  39. 'X-Forwarded-Proto' => 'https'
  40. }
  41. end
  42. it "sets Cookie without 'secure' flag" do
  43. expect(response.header['Set-Cookie']).to include(session_key).and not_include('; secure;')
  44. end
  45. end
  46. end
  47. end
  48. describe 'GET /signshow' do
  49. context 'user logged in' do
  50. subject(:user) { create(:agent, password: password) }
  51. let(:password) { SecureRandom.urlsafe_base64(20) }
  52. let(:fingerprint) { SecureRandom.urlsafe_base64(40) }
  53. before do
  54. setting if defined?(setting)
  55. params = {
  56. fingerprint: fingerprint,
  57. username: user.login,
  58. password: password
  59. }
  60. post '/api/v1/signin', params: params, as: :json
  61. end
  62. it 'leaks no sensitive data' do
  63. params = { fingerprint: fingerprint }
  64. get '/api/v1/signshow', params: params, as: :json
  65. expect(json_response['session']).not_to include('password')
  66. end
  67. context 'when after auth modules are triggered' do
  68. subject(:user) { create(:customer, roles: [role], password: password) }
  69. let(:role) { create(:role, name: '2FA') }
  70. context 'with no enforcing roles' do
  71. it 'returns nil' do
  72. expect(json_response['after_auth']).to be_nil
  73. end
  74. end
  75. context 'with enforcing roles' do
  76. let(:setting) do
  77. Setting.set('two_factor_authentication_enforce_role_ids', [role.id])
  78. Setting.set('two_factor_authentication_method_authenticator_app', true)
  79. end
  80. it 'returns the after auth information' do
  81. expect(json_response['after_auth']).to eq({ 'data' => {}, 'type' => 'TwoFactorConfiguration' })
  82. end
  83. end
  84. end
  85. end
  86. context 'user not logged in' do
  87. subject(:user) { nil }
  88. it 'contains only user related object manager attributes' do
  89. get '/api/v1/signshow', params: {}, as: :json
  90. expect(json_response['models'].keys).to match_array(%w[User])
  91. end
  92. it 'does not contain fields with permission admin.*' do
  93. get '/api/v1/signshow', params: {}, as: :json
  94. expect(json_response['models']['User']).not_to include(hash_including('name' => 'role_ids'))
  95. end
  96. end
  97. end
  98. describe 'GET /auth/sso (single sign-on)' do
  99. before do
  100. Setting.set('auth_sso', true)
  101. end
  102. context 'when SSO is disabled' do
  103. before do
  104. Setting.set('auth_sso', false)
  105. end
  106. let(:headers) { { 'X-Forwarded-User' => login } }
  107. let(:login) { User.last.login }
  108. it 'returns a new user-session response' do
  109. get '/auth/sso', as: :json, headers: headers
  110. expect(response).to have_http_status(:forbidden)
  111. end
  112. end
  113. context 'with invalid user login' do
  114. let(:login) { User.pluck(:login).max.next }
  115. context 'in "REMOTE_USER" request env var' do
  116. let(:env) { { 'REMOTE_USER' => login } }
  117. it 'returns unauthorized response' do
  118. get '/auth/sso', as: :json, env: env
  119. expect(response).to have_http_status(:unauthorized)
  120. end
  121. end
  122. context 'in "HTTP_REMOTE_USER" request env var' do
  123. let(:env) { { 'HTTP_REMOTE_USER' => login } }
  124. it 'returns unauthorized response' do
  125. get '/auth/sso', as: :json, env: env
  126. expect(response).to have_http_status(:unauthorized)
  127. end
  128. end
  129. context 'in "X-Forwarded-User" request header' do
  130. let(:headers) { { 'X-Forwarded-User' => login } }
  131. it 'returns unauthorized response' do
  132. get '/auth/sso', as: :json, headers: headers
  133. expect(response).to have_http_status(:unauthorized)
  134. end
  135. end
  136. end
  137. context 'with valid user login' do
  138. let(:user) { create(:agent) }
  139. let(:login) { user.login }
  140. context 'in Maintenance Mode' do
  141. before { Setting.set('maintenance_mode', true) }
  142. context 'in "REMOTE_USER" request env var' do
  143. let(:env) { { 'REMOTE_USER' => login } }
  144. it 'returns 403 Forbidden' do
  145. get '/auth/sso', as: :json, env: env
  146. expect(response).to have_http_status(:forbidden)
  147. expect(json_response).to include('error' => 'Maintenance mode enabled!')
  148. end
  149. end
  150. context 'in "HTTP_REMOTE_USER" request env var' do
  151. let(:env) { { 'HTTP_REMOTE_USER' => login } }
  152. it 'returns 403 Forbidden' do
  153. get '/auth/sso', as: :json, env: env
  154. expect(response).to have_http_status(:forbidden)
  155. expect(json_response).to include('error' => 'Maintenance mode enabled!')
  156. end
  157. end
  158. context 'in "X-Forwarded-User" request header' do
  159. let(:headers) { { 'X-Forwarded-User' => login } }
  160. it 'returns 403 Forbidden' do
  161. get '/auth/sso', as: :json, headers: headers
  162. expect(response).to have_http_status(:forbidden)
  163. expect(json_response).to include('error' => 'Maintenance mode enabled!')
  164. end
  165. end
  166. end
  167. context 'in "REMOTE_USER" request env var' do
  168. let(:env) { { 'REMOTE_USER' => login } }
  169. it 'returns a new user-session response' do
  170. get '/auth/sso', as: :json, env: env
  171. expect(response).to redirect_to('/#')
  172. end
  173. it 'sets the :user_id session parameter' do
  174. expect { get '/auth/sso', as: :json, env: env }
  175. .to change { request&.session&.fetch(:user_id) }.to(user.id)
  176. end
  177. end
  178. context 'in "HTTP_REMOTE_USER" request env var' do
  179. let(:env) { { 'HTTP_REMOTE_USER' => login } }
  180. it 'returns a new user-session response' do
  181. get '/auth/sso', as: :json, env: env
  182. expect(response).to redirect_to('/#')
  183. end
  184. it 'sets the :user_id session parameter' do
  185. expect { get '/auth/sso', as: :json, env: env }
  186. .to change { request&.session&.fetch(:user_id) }.to(user.id)
  187. end
  188. end
  189. context 'in "X-Forwarded-User" request header' do
  190. let(:headers) { { 'X-Forwarded-User' => login } }
  191. it 'returns a new user-session response' do
  192. get '/auth/sso', as: :json, headers: headers
  193. expect(response).to redirect_to('/#')
  194. end
  195. it 'sets the :user_id session parameter on the client' do
  196. expect { get '/auth/sso', as: :json, headers: headers }
  197. .to change { request&.session&.fetch(:user_id) }.to(user.id)
  198. end
  199. end
  200. end
  201. end
  202. describe 'POST /auth/two_factor_itwo_factor_method_enablednitiate_authentication/:method' do
  203. let(:user) { create(:user, password: 'dummy') }
  204. let(:params) { {} }
  205. let(:method) { 'security_keys' }
  206. let(:user_two_factor_preference) { nil }
  207. let(:two_factor_method_enabled) { true }
  208. before do
  209. Setting.set('two_factor_authentication_method_security_keys', two_factor_method_enabled)
  210. if defined?(user_two_factor_preference)
  211. user_two_factor_preference
  212. user.reload
  213. end
  214. post "/api/v1/auth/two_factor_initiate_authentication/#{method}", params: params, as: :json
  215. end
  216. context 'with missing params' do
  217. it 'returns an error' do
  218. expect(response).to have_http_status(:unprocessable_entity)
  219. end
  220. end
  221. context 'with valid params' do
  222. let(:user_two_factor_preference) { create(:user_two_factor_preference, :security_keys, user: user) }
  223. let(:params) { { username: user.login, password: password, method: method } }
  224. context 'with invalid user/password' do
  225. let(:password) { 'invalid' }
  226. it 'returns an error' do
  227. expect(response).to have_http_status(:unprocessable_entity)
  228. end
  229. end
  230. context 'with valid user/password' do
  231. let(:password) { 'dummy' }
  232. it 'returns options for initiation phase', :aggregate_failures do
  233. expect(response).to have_http_status(:ok)
  234. expect(json_response).to include('challenge')
  235. end
  236. context 'with disabled authenticator method' do
  237. let(:two_factor_method_enabled) { false }
  238. it 'returns an error' do
  239. expect(response).to have_http_status(:unprocessable_entity)
  240. end
  241. end
  242. end
  243. end
  244. end
  245. end