
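# Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/

require 'rails_helper'

# Covers the `adminPasswordAuthSend` GraphQL mutation, which mails an
# administrator a login link.  It is the fallback for when regular password
# login is switched off in favour of a third-party authenticator, so the spec
# checks three things:
#
# * it refuses to run while password login is still enabled,
# * it refuses to run when password login is disabled but no third-party
#   authenticator is configured (there is nothing to fall back from),
# * it mails a link carrying the newly created token, and is throttled both
#   per login and per source IP.
RSpec.describe Gql::Mutations::AdminPasswordAuthSend, type: :graphql do
  context 'when sending admin password auth' do
    let(:query) do
      <<~QUERY
        mutation adminPasswordAuthSend($login: String!) {
          adminPasswordAuthSend(login: $login) {
            success
          }
        }
      QUERY
    end

    # `$login` is the only variable the operation above declares; a key under
    # any other name is not bound to the mutation.
    let(:variables) do
      { login: login }
    end

    context 'with enabled password login' do
      let(:login) { 'john.doe' }

      before do
        Setting.set('user_show_password_login', true)
      end

      it 'raises an error' do
        gql.execute(query, variables: variables)
        expect(gql.result.error_message).to eq 'This feature is not enabled.'
      end
    end

    context 'with disabled password login' do
      let(:login) { 'john.doe' }

      context 'when no third-party authenticator is enabled' do
        before do
          Setting.set('user_show_password_login', false)
        end

        it 'raises an error' do
          gql.execute(query, variables: variables)
          expect(gql.result.error_message).to eq 'This feature is not enabled.'
        end
      end

      context 'when any third-party authenticator is enabled' do
        let(:login) { create(:admin).login }

        before do
          Setting.set('user_show_password_login', false)
          Setting.set('auth_saml', true)
        end

        it 'sends a valid login link' do
          message = nil

          # Capture the rendered mail body instead of delivering it.
          allow(NotificationFactory::Mailer).to receive(:deliver) do |params|
            message = params[:body]
          end

          gql.execute(query, variables: variables)

          expect(message).to include "<a href=\"http://zammad.example.com/desktop/login?token=#{Token.last.token}\">"
        end

        context 'when user requests admin auth more than throttle allows', :rack_attack do
          let(:static_ipv4) { Faker::Internet.ip_v4_address }

          # Same login, a fresh source IP per request: only the per-login
          # throttle can be the one that trips.
          it 'blocks due to username throttling (multiple IPs)' do
            4.times do
              gql.execute(query, variables: variables, context: { REMOTE_IP: Faker::Internet.ip_v4_address })
            end

            expect(gql.result.error_message).to eq 'The request limit for this operation was exceeded.'
          end

          # Fresh login per request, same source IP: only the per-IP throttle
          # can be the one that trips.  The overriding key has to be `login`,
          # the variable the operation declares; merging `username:` instead
          # would leave `login` unchanged for all four requests, so the
          # example would presumably pass on the per-login throttle rather
          # than the per-IP one it is meant to exercise.
          it 'blocks due to source IP address throttling (multiple usernames)' do
            4.times do
              gql.execute(query, variables: variables.merge(login: create(:admin).login), context: { REMOTE_IP: static_ipv4 })
            end

            expect(gql.result.error_message).to eq 'The request limit for this operation was exceeded.'
          end
        end
      end
    end
  end
end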