diff options
Diffstat (limited to 'spec/controllers/admin/sessions_controller_spec.rb')
-rw-r--r-- | spec/controllers/admin/sessions_controller_spec.rb | 116 |
1 files changed, 111 insertions, 5 deletions
diff --git a/spec/controllers/admin/sessions_controller_spec.rb b/spec/controllers/admin/sessions_controller_spec.rb index 4bab6b51102..fabd79133ec 100644 --- a/spec/controllers/admin/sessions_controller_spec.rb +++ b/spec/controllers/admin/sessions_controller_spec.rb @@ -68,7 +68,7 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do # triggering the auth form will request admin mode get :new - post :create, params: { password: user.password } + post :create, params: { user: { password: user.password } } expect(response).to redirect_to admin_root_path expect(controller.current_user_mode.admin_mode?).to be(true) @@ -82,7 +82,7 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do # triggering the auth form will request admin mode get :new - post :create, params: { password: '' } + post :create, params: { user: { password: '' } } expect(response).to render_template :new expect(controller.current_user_mode.admin_mode?).to be(false) @@ -95,7 +95,7 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do # do not trigger the auth form - post :create, params: { password: user.password } + post :create, params: { user: { password: user.password } } expect(response).to redirect_to(new_admin_session_path) expect(controller.current_user_mode.admin_mode?).to be(false) @@ -110,12 +110,118 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do get :new Timecop.freeze(Gitlab::Auth::CurrentUserMode::ADMIN_MODE_REQUESTED_GRACE_PERIOD.from_now) do - post :create, params: { password: user.password } + post :create, params: { user: { password: user.password } } expect(response).to redirect_to(new_admin_session_path) expect(controller.current_user_mode.admin_mode?).to be(false) end end + + context 'when using two-factor authentication via OTP' do + let(:user) { create(:admin, :two_factor) } + + def authenticate_2fa(user_params) + post(:create, params: { user: user_params }, session: { otp_user_id: user.id }) + end + + it 'requests two factor after a valid password is provided' do + expect(controller.current_user_mode.admin_mode?).to be(false) + + # triggering the auth form will request admin mode + get :new + + post :create, params: { user: { password: user.password } } + + expect(response).to render_template('admin/sessions/two_factor') + expect(controller.current_user_mode.admin_mode?).to be(false) + end + + it 'can login with valid otp' do + expect(controller.current_user_mode.admin_mode?).to be(false) + + controller.store_location_for(:redirect, admin_root_path) + controller.current_user_mode.request_admin_mode! + + authenticate_2fa(otp_attempt: user.current_otp) + + expect(response).to redirect_to admin_root_path + expect(controller.current_user_mode.admin_mode?).to be(true) + end + + it 'cannot login with invalid otp' do + expect(controller.current_user_mode.admin_mode?).to be(false) + + controller.current_user_mode.request_admin_mode! + + authenticate_2fa(otp_attempt: 'invalid') + + expect(response).to render_template('admin/sessions/two_factor') + expect(controller.current_user_mode.admin_mode?).to be(false) + end + + context 'with password authentication disabled' do + before do + stub_application_setting(password_authentication_enabled_for_web: false) + end + + it 'allows 2FA stage of non-password login' do + expect(controller.current_user_mode.admin_mode?).to be(false) + + controller.store_location_for(:redirect, admin_root_path) + controller.current_user_mode.request_admin_mode! + + authenticate_2fa(otp_attempt: user.current_otp) + + expect(response).to redirect_to admin_root_path + expect(controller.current_user_mode.admin_mode?).to be(true) + end + end + end + + context 'when using two-factor authentication via U2F' do + let(:user) { create(:admin, :two_factor_via_u2f) } + + def authenticate_2fa_u2f(user_params) + post(:create, params: { user: user_params }, session: { otp_user_id: user.id }) + end + + it 'requests two factor after a valid password is provided' do + expect(controller.current_user_mode.admin_mode?).to be(false) + + # triggering the auth form will request admin mode + get :new + post :create, params: { user: { password: user.password } } + + expect(response).to render_template('admin/sessions/two_factor') + expect(controller.current_user_mode.admin_mode?).to be(false) + end + + it 'can login with valid auth' do + allow(U2fRegistration).to receive(:authenticate).and_return(true) + + expect(controller.current_user_mode.admin_mode?).to be(false) + + controller.store_location_for(:redirect, admin_root_path) + controller.current_user_mode.request_admin_mode! + + authenticate_2fa_u2f(login: user.username, device_response: '{}') + + expect(response).to redirect_to admin_root_path + expect(controller.current_user_mode.admin_mode?).to be(true) + end + + it 'cannot login with invalid auth' do + allow(U2fRegistration).to receive(:authenticate).and_return(false) + + expect(controller.current_user_mode.admin_mode?).to be(false) + + controller.current_user_mode.request_admin_mode! + authenticate_2fa_u2f(login: user.username, device_response: '{}') + + expect(response).to render_template('admin/sessions/two_factor') + expect(controller.current_user_mode.admin_mode?).to be(false) + end + end end end @@ -136,7 +242,7 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do expect(controller.current_user_mode.admin_mode?).to be(false) get :new - post :create, params: { password: user.password } + post :create, params: { user: { password: user.password } } expect(controller.current_user_mode.admin_mode?).to be(true) post :destroy |