two_factor_spec.rb 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346
  1. # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
  3. RSpec.describe 'User', current_user_id: 1, performs_jobs: true, type: :request do
  4. let(:agent) { create(:agent) }
  5. let(:admin) { create(:admin) }
  6. let(:two_factor_pref) { create(:user_two_factor_preference, :authenticator_app, user: agent) }
  7. let(:two_factor_enabled) { true }
  8. before do |example|
  9. Setting.set('two_factor_authentication_method_authenticator_app', two_factor_enabled)
  10. two_factor_pref
  11. if example.metadata[:as] == :admin
  12. action_user = admin
  13. permissions = %w[admin.user]
  14. else
  15. action_user = agent
  16. permissions = %w[user_preferences.two_factor_authentication]
  17. end
  18. authenticated_as(action_user, token: create(:token, user: action_user, permissions: permissions))
  19. end
  20. describe 'DELETE /users/:id/two_factor_remove_authentication_method' do
  21. context 'when agent' do
  22. it 'gets the result', :aggregate_failures do
  23. delete "/api/v1/users/#{agent.id}/two_factor_remove_authentication_method", params: { method: 'authenticator_app' }, as: :json
  24. expect(response).to have_http_status(:ok)
  25. expect { two_factor_pref.reload }.to raise_error(ActiveRecord::RecordNotFound)
  26. end
  27. end
  28. context 'when admin', as: :admin do
  29. it 'gets the result', :aggregate_failures do
  30. delete "/api/v1/users/#{agent.id}/two_factor_remove_authentication_method", params: { method: 'authenticator_app' }, as: :json
  31. expect(response).to have_http_status(:ok)
  32. expect { two_factor_pref.reload }.to raise_error(ActiveRecord::RecordNotFound)
  33. end
  34. end
  35. end
  36. describe 'DELETE /users/:id/two_factor_remove_all_authentication_methods' do
  37. context 'when agent' do
  38. it 'gets the result', :aggregate_failures do
  39. delete "/api/v1/users/#{agent.id}/two_factor_remove_all_authentication_methods", as: :json
  40. expect(response).to have_http_status(:ok)
  41. expect { two_factor_pref.reload }.to raise_error(ActiveRecord::RecordNotFound)
  42. end
  43. context 'with disabled method' do
  44. let(:other_two_factor_pref) { create(:user_two_factor_preference, :security_keys, user: agent) }
  45. before { other_two_factor_pref }
  46. it 'removes all methods', :aggregate_failures do
  47. expect { delete "/api/v1/users/#{agent.id}/two_factor_remove_all_authentication_methods", as: :json }
  48. .to change { agent.two_factor_preferences.exists? }
  49. .to false
  50. end
  51. end
  52. end
  53. context 'when admin', as: :admin do
  54. it 'gets the result', :aggregate_failures do
  55. delete "/api/v1/users/#{agent.id}/two_factor_remove_all_authentication_methods", as: :json
  56. expect(response).to have_http_status(:ok)
  57. expect { two_factor_pref.reload }.to raise_error(ActiveRecord::RecordNotFound)
  58. end
  59. end
  60. end
  61. describe 'GET /users/two_factor_enabled_authentication_methods' do
  62. context 'with disabled authenticator app method' do
  63. let(:two_factor_enabled) { false }
  64. let(:two_factor_pref) { nil }
  65. it 'returns nothing', :aggregate_failures do
  66. get "/api/v1/users/#{agent.id}/two_factor_enabled_authentication_methods", as: :json
  67. expect(response).to have_http_status(:ok)
  68. expect(json_response).to be_blank
  69. end
  70. end
  71. context 'with not having authenticator app configured' do
  72. let(:two_factor_pref) { nil }
  73. it 'returns the correct result', :aggregate_failures do
  74. get "/api/v1/users/#{agent.id}/two_factor_enabled_authentication_methods", as: :json
  75. expect(response).to have_http_status(:ok)
  76. expect(json_response.first).to eq({
  77. 'method' => 'authenticator_app',
  78. 'configured' => false,
  79. 'default' => false,
  80. })
  81. end
  82. end
  83. context 'with having authenticator app configured' do
  84. it 'returns the correct result', :aggregate_failures do
  85. get "/api/v1/users/#{agent.id}/two_factor_enabled_authentication_methods", as: :json
  86. expect(response).to have_http_status(:ok)
  87. expect(json_response.first).to eq({
  88. 'method' => 'authenticator_app',
  89. 'configured' => true,
  90. 'default' => true,
  91. })
  92. end
  93. end
  94. end
  95. describe 'POST /users/two_factor_verify_configuration' do
  96. let(:recover_codes_enabled) { true }
  97. let(:has_recovery_codes) { false }
  98. let(:two_factor_pref) { nil }
  99. let(:params) { {} }
  100. let(:method) { 'authenticator_app' }
  101. let(:verification_code) { ROTP::TOTP.new(configuration[:secret]).now }
  102. let(:configuration) { agent.auth_two_factor.authentication_method_object(method).initiate_configuration }
  103. before do
  104. if has_recovery_codes
  105. create(:user_two_factor_preference, :recovery_codes, user: agent)
  106. end
  107. Setting.set('two_factor_authentication_recovery_codes', recover_codes_enabled)
  108. post '/api/v1/users/two_factor_verify_configuration', params: params, as: :json
  109. end
  110. it 'fails without needed params' do
  111. expect(response).to have_http_status(:unprocessable_entity)
  112. end
  113. context 'with needed params' do
  114. let(:params) do
  115. {
  116. method: method,
  117. payload: verification_code,
  118. configuration: configuration,
  119. }
  120. end
  121. context 'with wrong verification code' do
  122. let(:verification_code) { 'wrong' }
  123. it 'verified is false' do
  124. expect(json_response['verified']).to be(false)
  125. end
  126. end
  127. context 'with correct verification code', :aggregate_failures do
  128. it 'verified is true' do
  129. expect(json_response['verified']).to be(true)
  130. expect(json_response['recovery_codes'].length).to eq(10)
  131. end
  132. context 'with disabled recovery codes' do
  133. let(:recover_codes_enabled) { false }
  134. it 'verified is true (but without recovery codes)' do
  135. expect(json_response['verified']).to be(true)
  136. expect(json_response['recovery_codes']).to be_nil
  137. end
  138. end
  139. context 'with existing recovery codes' do
  140. let(:has_recovery_codes) { true }
  141. it 'verified is true (but without recovery codes)' do
  142. expect(json_response['verified']).to be(true)
  143. expect(json_response['recovery_codes']).to be_nil
  144. end
  145. end
  146. end
  147. end
  148. end
  149. describe 'POST /users/two_factor_recovery_codes_generate' do
  150. let(:recover_codes_enabled) { true }
  151. let(:current_codes) { [] }
  152. before do
  153. Setting.set('two_factor_authentication_recovery_codes', recover_codes_enabled)
  154. current_codes
  155. post '/api/v1/users/two_factor_recovery_codes_generate', params: {}, as: :json
  156. end
  157. context 'with disabled recovery codes' do
  158. let(:recover_codes_enabled) { false }
  159. it 'does not generate codes' do
  160. expect(json_response).to be_nil
  161. end
  162. end
  163. context 'without existing recovery codes' do
  164. it 'does generate codes' do
  165. expect(json_response.length).to eq(10)
  166. end
  167. end
  168. context 'with existing recovery codes' do
  169. let(:current_codes) { Auth::TwoFactor::RecoveryCodes.new(agent).generate }
  170. it 'does not generate codes' do
  171. expect(json_response).not_to eq(current_codes)
  172. end
  173. end
  174. end
  175. describe 'GET /users/two_factor_authentication_method_initiate_configuration/:method' do
  176. let(:two_factor_pref) { nil }
  177. let(:method) { 'authenticator_app' }
  178. before do
  179. get "/api/v1/users/two_factor_authentication_method_initiate_configuration/#{method}", as: :json
  180. end
  181. context 'with invalid params' do
  182. context 'with an unknown method' do
  183. let(:method) { 'unknown' }
  184. it 'fails' do
  185. expect(response).to have_http_status(:unprocessable_entity)
  186. end
  187. end
  188. end
  189. context 'with valid params' do
  190. it 'returns configuration', :aggregate_failures do
  191. expect(response).to have_http_status(:ok)
  192. expect(json_response['configuration']).to include('secret').and include('provisioning_uri')
  193. end
  194. end
  195. end
  196. describe 'GET /users/two_factor_authentication_method_configuration/:method' do
  197. let(:method) { 'authenticator_app' }
  198. before do
  199. get "/api/v1/users/two_factor_authentication_method_configuration/#{method}", as: :json
  200. end
  201. context 'with invalid params' do
  202. context 'with an unknown method' do
  203. let(:method) { 'unknown' }
  204. it 'fails' do
  205. expect(response).to have_http_status(:unprocessable_entity)
  206. end
  207. end
  208. end
  209. context 'with valid params' do
  210. context 'with no stored two-factor preference' do
  211. let(:two_factor_pref) { nil }
  212. it 'returns nothing', :aggregate_failures do
  213. expect(response).to have_http_status(:ok)
  214. expect(json_response['configuration']).to be_empty
  215. end
  216. end
  217. it 'returns configuration', :aggregate_failures do
  218. expect(response).to have_http_status(:ok)
  219. expect(json_response['configuration']).to include('secret').and include('code').and include('provisioning_uri')
  220. end
  221. end
  222. end
  223. describe 'DELETE /users/two_factor_authentication_remove_credentials/:method/:credential_id' do
  224. it 'fails without needed params' do
  225. delete '/api/v1/users/two_factor_authentication_remove_credentials/security_keys',
  226. params: {},
  227. as: :json
  228. expect(response).to have_http_status(:unprocessable_entity)
  229. end
  230. context 'with needed params' do
  231. let(:method) { 'security_keys' }
  232. let(:credential_id) { 'credential_id' }
  233. let(:two_factor_pref) do
  234. create(:user_two_factor_preference, :security_keys, credential_public_key: credential_id, user: agent)
  235. end
  236. context 'when removing configuration' do
  237. let(:params) { { credential_id: } }
  238. it 'returns ok and updates configuration', :aggregate_failures do
  239. allow(Service::User::TwoFactor::RemoveMethodCredentials)
  240. .to receive(:new)
  241. .and_call_original
  242. expect_any_instance_of(Service::User::TwoFactor::RemoveMethodCredentials)
  243. .to receive(:execute)
  244. .and_call_original
  245. delete '/api/v1/users/two_factor_authentication_remove_credentials/security_keys',
  246. params: params,
  247. as: :json
  248. expect(response).to have_http_status(:ok)
  249. expect(Service::User::TwoFactor::RemoveMethodCredentials)
  250. .to have_received(:new).with(user: agent, method_name: 'security_keys', credential_id:)
  251. end
  252. end
  253. end
  254. end
  255. describe 'POST /users/two_factor_default_authentication_method' do
  256. let(:method) { 'unknown' }
  257. let(:params) { {} }
  258. before do
  259. Setting.set('two_factor_authentication_method_security_keys', two_factor_enabled)
  260. create(:user_two_factor_preference, :security_keys, user: agent)
  261. post '/api/v1/users/two_factor_default_authentication_method', params: params, as: :json
  262. end
  263. it 'fails without needed params' do
  264. expect(response).to have_http_status(:unprocessable_entity)
  265. end
  266. context 'with needed params' do
  267. let(:params) { { method: method } }
  268. let(:method) { 'security_keys' }
  269. it 'returns ok and updates default method', :aggregate_failures do
  270. expect(response).to have_http_status(:ok)
  271. expect(agent.reload.preferences.dig(:two_factor_authentication, :default)).to eq(method)
  272. end
  273. end
  274. end
  275. end