authorkmcknight <kmcknight@gitlab.com>2021-02-25 17:17:25 -0800
committerIgor Drozdov <idrozdov@gitlab.com>2022-07-18 07:28:32 +0200
commitfe5feeea22a639a4835724cf42b337773b54d83c (patch)
tree9dd8851a2d05460c713c46227e8365244eda3022 /internal/gitlabnet/twofactorverify
parent9cacca57e5300c9a23dfc9ae18f48ee48483451b (diff)
Implement Push Auth support for 2FA verification
When `2fa_verify` command is executed: - A user is asked to enter OTP - A blocking call for push auth is performed Then: - If the push auth request fails, the user is still able to enter OTP - If OTP is invalid, the `2fa_verify` command ends the execution - If OTP is valid or push auth request succeeded, then the user is successfully authenticated - If 30 seconds passed while no OTP or Push have been provided, then the `2fa_verify` command ends the execution
Diffstat (limited to 'internal/gitlabnet/twofactorverify')
-rw-r--r--internal/gitlabnet/twofactorverify/client.go33
-rw-r--r--internal/gitlabnet/twofactorverify/clientmanual_test.go (renamed from internal/gitlabnet/twofactorverify/client_test.go)28
-rw-r--r--internal/gitlabnet/twofactorverify/clientpush_test.go139
3 files changed, 177 insertions, 23 deletions
diff --git a/internal/gitlabnet/twofactorverify/client.go b/internal/gitlabnet/twofactorverify/client.go
index 3b4e724..9ab3ac6 100644
--- a/internal/gitlabnet/twofactorverify/client.go
+++ b/internal/gitlabnet/twofactorverify/client.go
@@ -2,7 +2,6 @@ package twofactorverify
import (
"context"
- "errors"
"fmt"
"net/http"
@@ -38,32 +37,48 @@ func NewClient(config *config.Config) (*Client, error) {
return &Client{config: config, client: client}, nil
}
-func (c *Client) VerifyOTP(ctx context.Context, args *commandargs.Shell, otp string) error {
+func (c *Client) VerifyOTP(ctx context.Context, args *commandargs.Shell, otp string) (bool, string, error) {
requestBody, err := c.getRequestBody(ctx, args, otp)
if err != nil {
- return err
+ return false, "", err
}
- response, err := c.client.Post(ctx, "/two_factor_otp_check", requestBody)
+ response, err := c.client.Post(ctx, "/two_factor_manual_otp_check", requestBody)
if err != nil {
- return err
+ return false, "", err
}
defer response.Body.Close()
return parse(response)
}
-func parse(hr *http.Response) error {
+func (c *Client) PushAuth(ctx context.Context, args *commandargs.Shell) (bool, string, error) {
+ // enable push auth in internal rest api
+ requestBody, err := c.getRequestBody(ctx, args, "")
+ if err != nil {
+ return false, "", err
+ }
+
+ response, err := c.client.Post(ctx, "/two_factor_push_otp_check", requestBody)
+ if err != nil {
+ return false, "", err
+ }
+ defer response.Body.Close()
+
+ return parse(response)
+}
+
+func parse(hr *http.Response) (bool, string, error) {
response := &Response{}
if err := gitlabnet.ParseJSON(hr, response); err != nil {
- return err
+ return false, "", err
}
if !response.Success {
- return errors.New(response.Message)
+ return false, response.Message, nil
}
- return nil
+ return true, response.Message, nil
}
func (c *Client) getRequestBody(ctx context.Context, args *commandargs.Shell, otp string) (*RequestBody, error) {
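Review bot: The new `(bool, string, error)` signature moves the authentication verdict out of the error path, so a caller that checks only `err != nil` will treat a rejected OTP or a denied push as success — `parse` now returns `false, response.Message, nil` for a `success: false` response, where the old code returned an error. Neither `VerifyOTP` nor `PushAuth` documents this, and the only comment on `PushAuth` (`// enable push auth in internal rest api`) describes the endpoint rather than the contract. Add doc comments that make the bool the verdict, e.g. `// VerifyOTP checks a user-entered OTP against the internal API. The bool is the verdict; a nil error only means the request completed and the response parsed, and the string carries the server's message in either case.` with the matching wording on `PushAuth`. `getRequestBody` starts on the last line of the hunk and its body is outside it.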
diff --git a/internal/gitlabnet/twofactorverify/client_test.go b/internal/gitlabnet/twofactorverify/clientmanual_test.go
index ec8e05d..6324165 100644
--- a/internal/gitlabnet/twofactorverify/client_test.go
+++ b/internal/gitlabnet/twofactorverify/clientmanual_test.go
@@ -16,10 +16,10 @@ import (
"gitlab.com/gitlab-org/gitlab-shell/v14/internal/config"
)
-func initialize(t *testing.T) []testserver.TestRequestHandler {
+func initializeManual(t *testing.T) []testserver.TestRequestHandler {
requests := []testserver.TestRequestHandler{
{
- Path: "/api/v4/internal/two_factor_otp_check",
+ Path: "/api/v4/internal/two_factor_manual_otp_check",
Handler: func(w http.ResponseWriter, r *http.Request) {
b, err := io.ReadAll(r.Body)
defer r.Body.Close()
@@ -78,35 +78,35 @@ func initialize(t *testing.T) []testserver.TestRequestHandler {
}
const (
- otpAttempt = "123456"
+ manualOtpAttempt = "123456"
)
func TestVerifyOTPByKeyId(t *testing.T) {
- client := setup(t)
+ client := setupManual(t)
args := &commandargs.Shell{GitlabKeyId: "0"}
- err := client.VerifyOTP(context.Background(), args, otpAttempt)
+ _, _, err := client.VerifyOTP(context.Background(), args, manualOtpAttempt)
require.NoError(t, err)
}
func TestVerifyOTPByUsername(t *testing.T) {
- client := setup(t)
+ client := setupManual(t)
args := &commandargs.Shell{GitlabUsername: "jane-doe"}
- err := client.VerifyOTP(context.Background(), args, otpAttempt)
+ _, _, err := client.VerifyOTP(context.Background(), args, manualOtpAttempt)
require.NoError(t, err)
}
func TestErrorMessage(t *testing.T) {
- client := setup(t)
+ client := setupManual(t)
args := &commandargs.Shell{GitlabKeyId: "1"}
- err := client.VerifyOTP(context.Background(), args, otpAttempt)
- require.Equal(t, "error message", err.Error())
+ _, reason, _ := client.VerifyOTP(context.Background(), args, manualOtpAttempt)
+ require.Equal(t, "error message", reason)
}
func TestErrorResponses(t *testing.T) {
- client := setup(t)
+ client := setupManual(t)
testCases := []struct {
desc string
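Review bot: None of the updated tests assert the success bool, which after this change is the only signal that verification passed: `TestVerifyOTPByKeyId` and `TestVerifyOTPByUsername` discard it and check only `err`, and `TestErrorMessage` discards both the bool and `err`, so a client that returned `true` for a `success: false` body would still pass. Capture and check the verdict, e.g. `ok, _, err := client.VerifyOTP(context.Background(), args, manualOtpAttempt)` followed by `require.NoError(t, err)` and `require.True(t, ok)` in the two success tests, and `require.NoError(t, err)` plus `require.False(t, ok)` alongside the message check in `TestErrorMessage`. `TestErrorResponses` begins at the end of this hunk and continues past it.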
@@ -133,15 +133,15 @@ func TestErrorResponses(t *testing.T) {
for _, tc := range testCases {
t.Run(tc.desc, func(t *testing.T) {
args := &commandargs.Shell{GitlabKeyId: tc.fakeId}
- err := client.VerifyOTP(context.Background(), args, otpAttempt)
+ _, _, err := client.VerifyOTP(context.Background(), args, manualOtpAttempt)
require.EqualError(t, err, tc.expectedError)
})
}
}
-func setup(t *testing.T) *Client {
- requests := initialize(t)
+func setupManual(t *testing.T) *Client {
+ requests := initializeManual(t)
url := testserver.StartSocketHttpServer(t, requests)
client, err := NewClient(&config.Config{GitlabUrl: url})
diff --git a/internal/gitlabnet/twofactorverify/clientpush_test.go b/internal/gitlabnet/twofactorverify/clientpush_test.go
new file mode 100644
index 0000000..d1624e6
--- /dev/null
+++ b/internal/gitlabnet/twofactorverify/clientpush_test.go
@@ -0,0 +1,139 @@
+package twofactorverify
+
+import (
+ "context"
+ "encoding/json"
+ "io"
+ "net/http"
+ "testing"
+
+ "gitlab.com/gitlab-org/gitlab-shell/v14/internal/gitlabnet/discover"
+
+ "github.com/stretchr/testify/require"
+ "gitlab.com/gitlab-org/gitlab-shell/v14/client"
+ "gitlab.com/gitlab-org/gitlab-shell/v14/client/testserver"
+ "gitlab.com/gitlab-org/gitlab-shell/v14/internal/command/commandargs"
+ "gitlab.com/gitlab-org/gitlab-shell/v14/internal/config"
+)
+
+func initializePush(t *testing.T) []testserver.TestRequestHandler {
+ requests := []testserver.TestRequestHandler{
+ {
+ Path: "/api/v4/internal/two_factor_push_otp_check",
+ Handler: func(w http.ResponseWriter, r *http.Request) {
+ b, err := io.ReadAll(r.Body)
+ defer r.Body.Close()
+
+ require.NoError(t, err)
+
+ var requestBody *RequestBody
+ require.NoError(t, json.Unmarshal(b, &requestBody))
+
+ switch requestBody.KeyId {
+ case "0":
+ body := map[string]interface{}{
+ "success": true,
+ }
+ require.NoError(t, json.NewEncoder(w).Encode(body))
+ case "1":
+ body := map[string]interface{}{
+ "success": false,
+ "message": "error message",
+ }
+ require.NoError(t, json.NewEncoder(w).Encode(body))
+ case "2":
+ w.WriteHeader(http.StatusForbidden)
+ body := &client.ErrorResponse{
+ Message: "Not allowed!",
+ }
+ require.NoError(t, json.NewEncoder(w).Encode(body))
+ case "3":
+ w.Write([]byte("{ \"message\": \"broken json!\""))
+ case "4":
+ w.WriteHeader(http.StatusForbidden)
+ }
+
+ if requestBody.UserId == 1 {
+ body := map[string]interface{}{
+ "success": true,
+ }
+ require.NoError(t, json.NewEncoder(w).Encode(body))
+ }
+ },
+ },
+ {
+ Path: "/api/v4/internal/discover",
+ Handler: func(w http.ResponseWriter, r *http.Request) {
+ body := &discover.Response{
+ UserId: 1,
+ Username: "jane-doe",
+ Name: "Jane Doe",
+ }
+ require.NoError(t, json.NewEncoder(w).Encode(body))
+ },
+ },
+ }
+
+ return requests
+}
+
+func TestVerifyPush(t *testing.T) {
+ client := setupPush(t)
+
+ args := &commandargs.Shell{GitlabKeyId: "0"}
+ _, _, err := client.PushAuth(context.Background(), args)
+ require.NoError(t, err)
+}
+
+func TestErrorMessagePush(t *testing.T) {
+ client := setupPush(t)
+
+ args := &commandargs.Shell{GitlabKeyId: "1"}
+ _, reason, _ := client.PushAuth(context.Background(), args)
+ require.Equal(t, "error message", reason)
+}
+
+func TestErrorResponsesPush(t *testing.T) {
+ client := setupPush(t)
+
+ testCases := []struct {
+ desc string
+ fakeId string
+ expectedError string
+ }{
+ {
+ desc: "A response with an error message",
+ fakeId: "2",
+ expectedError: "Not allowed!",
+ },
+ {
+ desc: "A response with bad JSON",
+ fakeId: "3",
+ expectedError: "Parsing failed",
+ },
+ {
+ desc: "An error response without message",
+ fakeId: "4",
+ expectedError: "Internal API error (403)",
+ },
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.desc, func(t *testing.T) {
+ args := &commandargs.Shell{GitlabKeyId: tc.fakeId}
+ _, _, err := client.PushAuth(context.Background(), args)
+
+ require.EqualError(t, err, tc.expectedError)
+ })
+ }
+}
+
+func setupPush(t *testing.T) *Client {
+ requests := initializePush(t)
+ url := testserver.StartSocketHttpServer(t, requests)
+
+ client, err := NewClient(&config.Config{GitlabUrl: url})
+ require.NoError(t, err)
+
+ return client
+}
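Review bot: `TestVerifyPush` and `TestErrorMessagePush` never assert the bool returned by `PushAuth`, so the one value that distinguishes an approved push (`success: true` for key id "0") from a denied one (`success: false` for "1") is untested, and `TestErrorMessagePush` also drops `err`, so a transport or parse failure there would surface only as a wrong `reason`. Use `ok, _, err := client.PushAuth(context.Background(), args)` with `require.NoError(t, err)` and `require.True(t, ok)` in `TestVerifyPush`, and `require.NoError(t, err)` plus `require.False(t, ok)` next to the message check in `TestErrorMessagePush`. Separately, the handler's `switch requestBody.KeyId` and the later `if requestBody.UserId == 1` branch are not exclusive, so a request carrying both a matching key id and user id 1 would get two JSON bodies written; presumably no current test sends both, but a `return` at the end of each case would make the fixture unambiguous.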