debian-mirror-gitlab/spec/features/u2f_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

217 lines
7.5 KiB
Ruby
Raw Normal View History

2019-10-12 21:52:04 +05:30
# frozen_string_literal: true
require 'spec_helper'
2023-03-04 22:38:38 +05:30
RSpec.describe 'Using U2F (Universal 2nd Factor) Devices for Authentication', :js,
feature_category: :authentication_and_authorization do
2020-11-24 15:15:51 +05:30
include Spec::Support::Helpers::Features::TwoFactorHelpers
2016-09-13 17:45:13 +05:30
2020-11-24 15:15:51 +05:30
before do
stub_feature_flags(webauthn: false)
end
2020-11-24 15:15:51 +05:30
it_behaves_like 'hardware device for 2fa', 'U2F'
describe "registration" do
let(:user) { create(:user) }
before do
2017-09-10 17:25:29 +05:30
gitlab_sign_in(user)
user.update_attribute(:otp_required_for_login, true)
end
describe 'when 2FA via OTP is enabled' do
it 'allows registering more than one device' do
visit profile_account_path
# First device
2016-09-13 17:45:13 +05:30
manage_two_factor_authentication
first_device = register_u2f_device
2017-08-17 22:00:37 +05:30
expect(page).to have_content('Your U2F device was registered')
# Second device
2017-08-17 22:00:37 +05:30
second_device = register_u2f_device(name: 'My other device')
expect(page).to have_content('Your U2F device was registered')
2016-09-13 17:45:13 +05:30
2017-08-17 22:00:37 +05:30
expect(page).to have_content(first_device.name)
expect(page).to have_content(second_device.name)
2016-09-13 17:45:13 +05:30
expect(U2fRegistration.count).to eq(2)
end
end
it 'allows the same device to be registered for multiple users' do
2021-03-11 19:13:27 +05:30
# U2f specs will be removed after WebAuthn migration completed
pending('FakeU2fDevice has static key handle, '\
'leading to duplicate credential_xid for WebAuthn during migration, '\
'resulting in unique constraint violation')
# First user
visit profile_account_path
2016-09-13 17:45:13 +05:30
manage_two_factor_authentication
u2f_device = register_u2f_device
2017-08-17 22:00:37 +05:30
expect(page).to have_content('Your U2F device was registered')
2017-09-10 17:25:29 +05:30
gitlab_sign_out
# Second user
2017-09-10 17:25:29 +05:30
user = gitlab_sign_in(:user)
user.update_attribute(:otp_required_for_login, true)
visit profile_account_path
2016-09-13 17:45:13 +05:30
manage_two_factor_authentication
2017-08-17 22:00:37 +05:30
register_u2f_device(u2f_device, name: 'My other device')
expect(page).to have_content('Your U2F device was registered')
expect(U2fRegistration.count).to eq(2)
end
context "when there are form errors" do
it "doesn't register the device if there are errors" do
visit profile_account_path
2016-09-13 17:45:13 +05:30
manage_two_factor_authentication
# Have the "u2f device" respond with bad data
page.execute_script("u2f.register = function(_,_,_,callback) { callback('bad response'); };")
2020-11-24 15:15:51 +05:30
click_on 'Set up new device'
expect(page).to have_content('Your device was successfully set up')
2020-11-24 15:15:51 +05:30
click_on 'Register device'
expect(U2fRegistration.count).to eq(0)
2017-08-17 22:00:37 +05:30
expect(page).to have_content("The form contains the following error")
expect(page).to have_content("did not send a valid JSON response")
end
it "allows retrying registration" do
visit profile_account_path
2016-09-13 17:45:13 +05:30
manage_two_factor_authentication
# Failed registration
page.execute_script("u2f.register = function(_,_,_,callback) { callback('bad response'); };")
2020-11-24 15:15:51 +05:30
click_on 'Set up new device'
expect(page).to have_content('Your device was successfully set up')
2020-11-24 15:15:51 +05:30
click_on 'Register device'
2017-08-17 22:00:37 +05:30
expect(page).to have_content("The form contains the following error")
# Successful registration
register_u2f_device
2017-08-17 22:00:37 +05:30
expect(page).to have_content('Your U2F device was registered')
expect(U2fRegistration.count).to eq(1)
end
end
end
describe "authentication" do
let(:user) { create(:user) }
before do
# Register and logout
2017-09-10 17:25:29 +05:30
gitlab_sign_in(user)
user.update_attribute(:otp_required_for_login, true)
visit profile_account_path
2016-09-13 17:45:13 +05:30
manage_two_factor_authentication
@u2f_device = register_u2f_device
2017-09-10 17:25:29 +05:30
gitlab_sign_out
end
describe "when 2FA via OTP is disabled" do
it "allows logging in with the U2F device" do
2016-09-29 09:46:39 +05:30
user.update_attribute(:otp_required_for_login, false)
2017-09-10 17:25:29 +05:30
gitlab_sign_in(user)
@u2f_device.respond_to_u2f_authentication
2017-08-17 22:00:37 +05:30
expect(page).to have_css('.sign-out-link', visible: false)
end
end
describe "when 2FA via OTP is enabled" do
it "allows logging in with the U2F device" do
user.update_attribute(:otp_required_for_login, true)
2017-09-10 17:25:29 +05:30
gitlab_sign_in(user)
@u2f_device.respond_to_u2f_authentication
2017-08-17 22:00:37 +05:30
expect(page).to have_css('.sign-out-link', visible: false)
end
end
describe "when a given U2F device has already been registered by another user" do
describe "but not the current user" do
it "does not allow logging in with that particular device" do
# Register current user with the different U2F device
2017-09-10 17:25:29 +05:30
current_user = gitlab_sign_in(:user)
current_user.update_attribute(:otp_required_for_login, true)
visit profile_account_path
2016-09-13 17:45:13 +05:30
manage_two_factor_authentication
2017-08-17 22:00:37 +05:30
register_u2f_device(name: 'My other device')
2017-09-10 17:25:29 +05:30
gitlab_sign_out
# Try authenticating user with the old U2F device
2017-09-10 17:25:29 +05:30
gitlab_sign_in(current_user)
@u2f_device.respond_to_u2f_authentication
2017-08-17 22:00:37 +05:30
expect(page).to have_content('Authentication via U2F device failed')
end
end
describe "and also the current user" do
it "allows logging in with that particular device" do
2021-03-11 19:13:27 +05:30
# U2f specs will be removed after WebAuthn migration completed
pending('FakeU2fDevice has static key handle, '\
'leading to duplicate credential_xid for WebAuthn during migration, '\
'resulting in unique constraint violation')
# Register current user with the same U2F device
2017-09-10 17:25:29 +05:30
current_user = gitlab_sign_in(:user)
current_user.update_attribute(:otp_required_for_login, true)
visit profile_account_path
2016-09-13 17:45:13 +05:30
manage_two_factor_authentication
register_u2f_device(@u2f_device)
2017-09-10 17:25:29 +05:30
gitlab_sign_out
# Try authenticating user with the same U2F device
2017-09-10 17:25:29 +05:30
gitlab_sign_in(current_user)
@u2f_device.respond_to_u2f_authentication
2017-08-17 22:00:37 +05:30
expect(page).to have_css('.sign-out-link', visible: false)
end
end
end
describe "when a given U2F device has not been registered" do
it "does not allow logging in with that particular device" do
2017-08-17 22:00:37 +05:30
unregistered_device = FakeU2fDevice.new(page, 'My device')
2017-09-10 17:25:29 +05:30
gitlab_sign_in(user)
unregistered_device.respond_to_u2f_authentication
2017-08-17 22:00:37 +05:30
expect(page).to have_content('Authentication via U2F device failed')
end
end
2016-08-24 12:49:21 +05:30
describe "when more than one device has been registered by the same user" do
it "allows logging in with either device" do
# Register first device
2017-09-10 17:25:29 +05:30
user = gitlab_sign_in(:user)
2016-08-24 12:49:21 +05:30
user.update_attribute(:otp_required_for_login, true)
visit profile_two_factor_auth_path
2020-11-24 15:15:51 +05:30
expect(page).to have_content("Your device needs to be set up.")
2016-08-24 12:49:21 +05:30
first_device = register_u2f_device
# Register second device
visit profile_two_factor_auth_path
2020-11-24 15:15:51 +05:30
expect(page).to have_content("Your device needs to be set up.")
2017-08-17 22:00:37 +05:30
second_device = register_u2f_device(name: 'My other device')
2017-09-10 17:25:29 +05:30
gitlab_sign_out
2016-08-24 12:49:21 +05:30
# Authenticate as both devices
[first_device, second_device].each do |device|
2017-09-10 17:25:29 +05:30
gitlab_sign_in(user)
2016-08-24 12:49:21 +05:30
device.respond_to_u2f_authentication
2017-08-17 22:00:37 +05:30
expect(page).to have_css('.sign-out-link', visible: false)
2016-08-24 12:49:21 +05:30
2017-09-10 17:25:29 +05:30
gitlab_sign_out
2016-08-24 12:49:21 +05:30
end
end
end
end
end