SMusatov
/
zammad
mirror of https://github.com/zammad/zammad.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263
							# Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/

require 'rails_helper'

RSpec.describe 'Manage > Settings > Security', type: :system do
  describe 'Manage Two-Factor Authentication' do
    before do
      visit '/#settings/security'

      within :active_content do
        click 'a[href="#two_factor_auth"]'
      end
    end

    shared_examples 'switching a method on and off' do |method|
      let(:method_setting)  { "two_factor_authentication_method_#{method}" }
      let(:method_checkbox) { "setting-#{method_setting}" }

      it "switches #{method} method on and off" do
        expect(Setting.find_by(name: method_setting).state_current['value']).to be(false)

        click "label[for='#{method_checkbox}']"

        expect(Setting.find_by(name: method_setting).state_current['value']).to be(true)

        click "label[for='#{method_checkbox}']"

        expect(Setting.find_by(name: method_setting).state_current['value']).to be(false)
      end
    end

    shared_examples 'configuring a user role setting' do |setting|
      let(:setting_name) { "two_factor_authentication_#{setting}" }

      it "configures a user role setting #{setting}" do
        click "[data-attribute-name='#{setting_name}'] .columnSelect-column--sidebar .columnSelect-option", exact_text: 'Customer'
        click "##{setting_name} .btn--primary"

        expect(Setting.find_by(name: setting_name).state_current['value']).to include(
          Role.find_by(name: 'Customer').id.to_s
        )

        click "[data-attribute-name='#{setting_name}'] .columnSelect-column--selected .columnSelect-option", exact_text: 'Customer'
        click "##{setting_name} .btn--primary"

        expect(Setting.find_by(name: setting_name).state_current['value']).not_to include(
          Role.find_by(name: 'Customer').id.to_s
        )
      end
    end

    context 'with authenticator app method' do
      it_behaves_like 'switching a method on and off', 'authenticator_app'
    end

    context 'with recovery codes' do
      let(:method_setting) { 'two_factor_authentication_recovery_codes' }

      it 'allows to switch recovery codes on and off' do
        expect(Setting.find_by(name: method_setting).state_current['value']).to be(true)

        within "##{method_setting}" do
          select 'no', from: method_setting
          click_on 'Submit'
        end

        expect(Setting.find_by(name: method_setting).state_current['value']).to be(false)

        within "##{method_setting}" do
          select 'yes', from: method_setting
          click_on 'Submit'
        end

        expect(Setting.find_by(name: method_setting).state_current['value']).to be(true)
      end
    end

    context 'with enforcing setup to certain user roles' do
      it_behaves_like 'configuring a user role setting', 'enforce_role_ids'
    end
  end

  describe 'configure third-party applications' do
    shared_examples 'for third-party applications button in login page' do |**args|
      context "for third-party applications button in login page #{args.empty? ? '' : args.to_s}", authenticated_as: false do
        let(:display_name) { args[:display_name] || app_name }

        before do
          Setting.set("#{app_setting}_credentials", { display_name: args[:display_name] }) if args[:display_name]
        end

        context 'when feature is on' do
          before { Setting.set(app_setting, true) }

          it 'has authentication button in login page' do
            visit 'login'
            expect(page).to have_button(display_name)
          end
        end

        context 'when feature is off' do
          before { Setting.set(app_setting, false) }

          it 'does not have authentication button in login page' do
            visit 'login'
            expect(page).to have_no_button(display_name)
          end
        end
      end
    end

    shared_examples 'for third-party applications settings' do
      context 'for third-party applications settings', authenticated_as: true do
        let(:app_checkbox) { "setting-#{app_setting}" }

        context 'when app is turned on in setting page' do
          before do
            Setting.set(app_setting, false)
            visit '/#settings/security'

            within :active_content do
              click 'a[href="#third_party_auth"]'
            end

            check app_checkbox, allow_label_click: true
            await_empty_ajax_queue
          end

          it 'sets settings to be true' do
            expect(Setting.get(app_setting)).to be_truthy
          end
        end

        context 'when app is turned off in setting page' do
          before do
            Setting.set(app_setting, true)
            visit '/#settings/security'

            within :active_content do
              click 'a[href="#third_party_auth"]'
            end

            uncheck app_checkbox, allow_label_click: true
            await_empty_ajax_queue
          end

          it 'sets settings to be false' do
            expect(Setting.get(app_setting)).to be_falsey
          end
        end
      end
    end

    shared_examples 'Display callback urls for third-party applications #3622' do
      def callback_url
        page.evaluate_script("$('[data-name=#{app_setting}]').closest('.page-header').parent().find('[data-attribute-name=callback_url] input').val()")
      end

      context 'Display callback urls for third-party applications #3622', authenticated_as: true do
        before do
          visit '/#settings/security'
          within :active_content do
            click 'a[href="#third_party_auth"]'
          end
        end

        it 'does have a filled callback url' do
          expect(callback_url).to be_present
        end
      end
    end

    describe 'Authentication via Facebook' do
      let(:app_name)    { 'Facebook' }
      let(:app_setting) { 'auth_facebook' }

      include_examples 'for third-party applications button in login page'
      include_examples 'for third-party applications settings'
      include_examples 'Display callback urls for third-party applications #3622'
    end

    describe 'Authentication via Github' do
      let(:app_name) { 'GitHub' }
      let(:app_setting) { 'auth_github' }

      include_examples 'for third-party applications button in login page'
      include_examples 'for third-party applications settings'
      include_examples 'Display callback urls for third-party applications #3622'
    end

    describe 'Authentication via GitLab' do
      let(:app_name) { 'GitLab' }
      let(:app_setting) { 'auth_gitlab' }

      include_examples 'for third-party applications button in login page'
      include_examples 'for third-party applications settings'
      include_examples 'Display callback urls for third-party applications #3622'
    end

    describe 'Authentication via Google' do
      let(:app_name) { 'Google' }
      let(:app_setting) { 'auth_google_oauth2' }

      include_examples 'for third-party applications button in login page'
      include_examples 'for third-party applications settings'
      include_examples 'Display callback urls for third-party applications #3622'
    end

    describe 'Authentication via LinkedIn' do
      let(:app_name) { 'LinkedIn' }
      let(:app_setting) { 'auth_linkedin' }

      include_examples 'for third-party applications button in login page'
      include_examples 'for third-party applications settings'
      include_examples 'Display callback urls for third-party applications #3622'
    end

    describe 'Authentication via Microsoft' do
      let(:app_name) { 'Microsoft' }
      let(:app_setting) { 'auth_microsoft_office365' }

      include_examples 'for third-party applications button in login page'
      include_examples 'for third-party applications settings'
      include_examples 'Display callback urls for third-party applications #3622'
    end

    describe 'Authentication via SAML' do
      let(:app_name) { 'SAML' }
      let(:app_setting) { 'auth_saml' }

      include_examples 'for third-party applications button in login page'
      include_examples 'for third-party applications button in login page', display_name: 'Security Assertion Markup Language'
      include_examples 'for third-party applications settings'
      include_examples 'Display callback urls for third-party applications #3622'
    end

    describe 'Authentication via SSO' do
      let(:app_name)    { 'SSO' }
      let(:app_setting) { 'auth_sso' }

      include_examples 'for third-party applications button in login page'
      include_examples 'for third-party applications settings'
    end

    describe 'Authentication via Twitter' do
      let(:app_name) { 'Twitter' }
      let(:app_setting) { 'auth_twitter' }

      include_examples 'for third-party applications button in login page'
      include_examples 'for third-party applications settings'
      include_examples 'Display callback urls for third-party applications #3622'
    end

    describe 'Authentication via Weibo' do
      let(:app_name) { 'Weibo' }
      let(:app_setting) { 'auth_weibo' }

      include_examples 'for third-party applications button in login page'
      include_examples 'for third-party applications settings'
      include_examples 'Display callback urls for third-party applications #3622'
    end
  end
end