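# Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/

require 'rails_helper'

# Request specs for the admin password-login fallback.
#
# Both endpoints are only exercised as usable when the regular password login is
# switched off ('user_show_password_login' => false) AND a third-party
# authenticator is enabled (here 'auth_saml'); the other combinations covered
# below must answer 422. The throttling examples depend on the Rack::Attack
# rules in config/initializers/rack_attack.rb.
RSpec.describe 'User endpoint', authenticated_as: false, type: :request do
  describe 'admin_auth' do
    context 'with enabled password login' do
      before { Setting.set('user_show_password_login', true) }

      it 'is not processable' do
        post api_v1_users_admin_password_auth_path, params: { username: 'john.doe' }
        expect(response).to have_http_status(:unprocessable_entity)
      end
    end

    context 'with disabled password login' do
      before { Setting.set('user_show_password_login', false) }

      context 'when no third-party authenticator is enabled' do
        it 'is not processable' do
          post api_v1_users_admin_password_auth_path, params: { username: 'john.doe' }
          expect(response).to have_http_status(:unprocessable_entity)
        end
      end

      context 'when any third-party authenticator is enabled' do
        before { Setting.set('auth_saml', true) }

        # 'john.doe' is not a created user here, yet the request is answered with
        # 200 — presumably so the response does not reveal whether a login exists;
        # confirm against the controller before relying on it.
        it 'is processable' do
          post api_v1_users_admin_password_auth_path, params: { username: 'john.doe' }
          expect(response).to have_http_status(:ok)
        end

        it 'sends a valid login link' do
          user    = create(:admin)
          message = nil

          # Capture the mail body instead of delivering it.
          allow(NotificationFactory::Mailer).to receive(:deliver) do |params|
            message = params[:body]
          end

          post api_v1_users_admin_password_auth_path, params: { username: user.email }

          # The link must carry the token generated for this very request.
          expect(message).to include "<a href=\"http://zammad.example.com/#login/admin/#{Token.last.token}\">"
        end
      end
    end

    # For the throttling, see config/initializers/rack_attack.rb.
    context 'when user requests admin auth more than throttle allows', :rack_attack do
      let(:static_username) { create(:admin).login }
      let(:static_ipv4)     { Faker::Internet.ip_v4_address }

      # One username from many source addresses: the per-username limit must trigger.
      it 'blocks due to username throttling (multiple IPs)' do
        4.times do
          post api_v1_users_admin_password_auth_path, params: { username: static_username }, headers: { 'X-Forwarded-For': Faker::Internet.ip_v4_address }
        end
        expect(response).to have_http_status(:too_many_requests)
      end

      # Many usernames from one source address: the per-IP limit must trigger.
      it 'blocks due to source IP address throttling (multiple usernames)' do
        4.times do
          # Ensure throttling even on modified path.
          post "#{api_v1_users_admin_password_auth_path}.json", params: { username: create(:admin).login }, headers: { 'X-Forwarded-For': static_ipv4 }
        end
        expect(response).to have_http_status(:too_many_requests)
      end
    end
  end

  describe 'admin_password_auth_verify' do
    context 'with enabled password login' do
      before { Setting.set('user_show_password_login', true) }

      it 'is not processable' do
        post api_v1_users_admin_password_auth_verify_path, params: { token: 4711 }
        expect(response).to have_http_status(:unprocessable_entity)
      end
    end

    context 'with disabled password login' do
      before { Setting.set('user_show_password_login', false) }

      context 'when no third-party authenticator is enabled' do
        it 'is not processable' do
          post api_v1_users_admin_password_auth_verify_path, params: { token: 4711 }
          expect(response).to have_http_status(:unprocessable_entity)
        end
      end

      context 'when any third-party authenticator is enabled' do
        before { Setting.set('auth_saml', true) }

        # NOTE(review): no example asserts that a verified token is consumed or
        # that it expires — confirm that is covered elsewhere.
        it 'is processable with valid token', :aggregate_failures do
          user  = create(:admin)
          token = Token.create(action: 'AdminAuth', user_id: user.id, persistent: false)

          post api_v1_users_admin_password_auth_verify_path, params: { token: token.token }

          expect(response).to have_http_status(:ok)
          expect(response.parsed_body).to include('message' => 'ok', 'user_login' => user.login)
        end

        it 'is not processable with invalid token' do
          post api_v1_users_admin_password_auth_verify_path, params: { token: 4711 }
          expect(response).to have_http_status(:unprocessable_entity)
        end
      end
    end
  end
end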