SMusatov
/
zammad
mirror of https://github.com/zammad/zammad.git


			
				
					
						
						
							12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091
							# Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/

require 'rails_helper'

RSpec.describe Gql::Mutations::AdminPasswordAuthSend, type: :graphql do
  context 'when sending admin password auth' do
    let(:query) do
      <<~QUERY
        mutation adminPasswordAuthSend($login: String!) {
          adminPasswordAuthSend(login: $login) {
            success
          }
        }
      QUERY
    end

    let(:variables) do
      { login: login }
    end

    context 'with enabled password login' do
      let(:login) { 'john.doe' }

      before do
        Setting.set('user_show_password_login', true)
      end

      it 'raises an error' do
        gql.execute(query, variables: variables)
        expect(gql.result.error_message).to eq 'This feature is not enabled.'
      end
    end

    context 'with disabled password login' do
      let(:login) { 'john.doe' }

      context 'when no third-party authenticator is enabled' do
        before do
          Setting.set('user_show_password_login', false)
        end

        it 'raises an error' do
          gql.execute(query, variables: variables)
          expect(gql.result.error_message).to eq 'This feature is not enabled.'
        end
      end

      context 'when any third-party authenticator is enabled' do
        before do
          Setting.set('user_show_password_login', false)
          Setting.set('auth_saml', true)
        end

        let(:login) { create(:admin).login }

        it 'sends a valid login link' do
          message = nil

          allow(NotificationFactory::Mailer).to receive(:deliver) do |params|
            message = params[:body]
          end

          gql.execute(query, variables: variables)

          expect(message).to include "<a href=\"http://zammad.example.com/desktop/login?token=#{Token.last.token}\">"
        end

        context 'when user requests admin auth more than throttle allows', :rack_attack do

          let(:static_ipv4) { Faker::Internet.ip_v4_address }

          it 'blocks due to username throttling (multiple IPs)' do
            4.times do
              gql.execute(query, variables: variables, context: { REMOTE_IP: Faker::Internet.ip_v4_address })
            end

            expect(gql.result.error_message).to eq 'The request limit for this operation was exceeded.'
          end

          it 'blocks due to source IP address throttling (multiple usernames)' do
            4.times do
              gql.execute(query, variables: variables.merge(username: create(:admin).login), context: { REMOTE_IP: static_ipv4 })
            end

            expect(gql.result.error_message).to eq 'The request limit for this operation was exceeded.'
          end
        end
      end
    end
  end
end