summaryrefslogtreecommitdiff
path: root/spec/controllers/admin/sessions_controller_spec.rb
diff options
context:
space:
mode:
Diffstat (limited to 'spec/controllers/admin/sessions_controller_spec.rb')
-rw-r--r--spec/controllers/admin/sessions_controller_spec.rb116
1 files changed, 111 insertions, 5 deletions
diff --git a/spec/controllers/admin/sessions_controller_spec.rb b/spec/controllers/admin/sessions_controller_spec.rb
index 4bab6b51102..fabd79133ec 100644
--- a/spec/controllers/admin/sessions_controller_spec.rb
+++ b/spec/controllers/admin/sessions_controller_spec.rb
@@ -68,7 +68,7 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do
# triggering the auth form will request admin mode
get :new
- post :create, params: { password: user.password }
+ post :create, params: { user: { password: user.password } }
expect(response).to redirect_to admin_root_path
expect(controller.current_user_mode.admin_mode?).to be(true)
@@ -82,7 +82,7 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do
# triggering the auth form will request admin mode
get :new
- post :create, params: { password: '' }
+ post :create, params: { user: { password: '' } }
expect(response).to render_template :new
expect(controller.current_user_mode.admin_mode?).to be(false)
@@ -95,7 +95,7 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do
# do not trigger the auth form
- post :create, params: { password: user.password }
+ post :create, params: { user: { password: user.password } }
expect(response).to redirect_to(new_admin_session_path)
expect(controller.current_user_mode.admin_mode?).to be(false)
@@ -110,12 +110,118 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do
get :new
Timecop.freeze(Gitlab::Auth::CurrentUserMode::ADMIN_MODE_REQUESTED_GRACE_PERIOD.from_now) do
- post :create, params: { password: user.password }
+ post :create, params: { user: { password: user.password } }
expect(response).to redirect_to(new_admin_session_path)
expect(controller.current_user_mode.admin_mode?).to be(false)
end
end
+
+ context 'when using two-factor authentication via OTP' do
+ let(:user) { create(:admin, :two_factor) }
+
+ def authenticate_2fa(user_params)
+ post(:create, params: { user: user_params }, session: { otp_user_id: user.id })
+ end
+
+ it 'requests two factor after a valid password is provided' do
+ expect(controller.current_user_mode.admin_mode?).to be(false)
+
+ # triggering the auth form will request admin mode
+ get :new
+
+ post :create, params: { user: { password: user.password } }
+
+ expect(response).to render_template('admin/sessions/two_factor')
+ expect(controller.current_user_mode.admin_mode?).to be(false)
+ end
+
+ it 'can login with valid otp' do
+ expect(controller.current_user_mode.admin_mode?).to be(false)
+
+ controller.store_location_for(:redirect, admin_root_path)
+ controller.current_user_mode.request_admin_mode!
+
+ authenticate_2fa(otp_attempt: user.current_otp)
+
+ expect(response).to redirect_to admin_root_path
+ expect(controller.current_user_mode.admin_mode?).to be(true)
+ end
+
+ it 'cannot login with invalid otp' do
+ expect(controller.current_user_mode.admin_mode?).to be(false)
+
+ controller.current_user_mode.request_admin_mode!
+
+ authenticate_2fa(otp_attempt: 'invalid')
+
+ expect(response).to render_template('admin/sessions/two_factor')
+ expect(controller.current_user_mode.admin_mode?).to be(false)
+ end
+
+ context 'with password authentication disabled' do
+ before do
+ stub_application_setting(password_authentication_enabled_for_web: false)
+ end
+
+ it 'allows 2FA stage of non-password login' do
+ expect(controller.current_user_mode.admin_mode?).to be(false)
+
+ controller.store_location_for(:redirect, admin_root_path)
+ controller.current_user_mode.request_admin_mode!
+
+ authenticate_2fa(otp_attempt: user.current_otp)
+
+ expect(response).to redirect_to admin_root_path
+ expect(controller.current_user_mode.admin_mode?).to be(true)
+ end
+ end
+ end
+
+ context 'when using two-factor authentication via U2F' do
+ let(:user) { create(:admin, :two_factor_via_u2f) }
+
+ def authenticate_2fa_u2f(user_params)
+ post(:create, params: { user: user_params }, session: { otp_user_id: user.id })
+ end
+
+ it 'requests two factor after a valid password is provided' do
+ expect(controller.current_user_mode.admin_mode?).to be(false)
+
+ # triggering the auth form will request admin mode
+ get :new
+ post :create, params: { user: { password: user.password } }
+
+ expect(response).to render_template('admin/sessions/two_factor')
+ expect(controller.current_user_mode.admin_mode?).to be(false)
+ end
+
+ it 'can login with valid auth' do
+ allow(U2fRegistration).to receive(:authenticate).and_return(true)
+
+ expect(controller.current_user_mode.admin_mode?).to be(false)
+
+ controller.store_location_for(:redirect, admin_root_path)
+ controller.current_user_mode.request_admin_mode!
+
+ authenticate_2fa_u2f(login: user.username, device_response: '{}')
+
+ expect(response).to redirect_to admin_root_path
+ expect(controller.current_user_mode.admin_mode?).to be(true)
+ end
+
+ it 'cannot login with invalid auth' do
+ allow(U2fRegistration).to receive(:authenticate).and_return(false)
+
+ expect(controller.current_user_mode.admin_mode?).to be(false)
+
+ controller.current_user_mode.request_admin_mode!
+ authenticate_2fa_u2f(login: user.username, device_response: '{}')
+
+ expect(response).to render_template('admin/sessions/two_factor')
+ expect(controller.current_user_mode.admin_mode?).to be(false)
+ end
+ end
end
end
@@ -136,7 +242,7 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do
expect(controller.current_user_mode.admin_mode?).to be(false)
get :new
- post :create, params: { password: user.password }
+ post :create, params: { user: { password: user.password } }
expect(controller.current_user_mode.admin_mode?).to be(true)
post :destroy
View Lorry Controller Status