2021-07-02 14:51:30 -04:00
|
|
|
<?php
|
|
|
|
|
|
|
|
namespace Tests\Auth;
|
|
|
|
|
2021-07-02 15:53:33 -04:00
|
|
|
use BookStack\Auth\Access\Mfa\MfaValue;
|
2021-07-14 15:18:48 -04:00
|
|
|
use BookStack\Auth\User;
|
2021-07-02 14:51:30 -04:00
|
|
|
use PragmaRX\Google2FA\Google2FA;
|
|
|
|
use Tests\TestCase;
|
|
|
|
|
|
|
|
class MfaConfigurationTest extends TestCase
|
|
|
|
{
|
|
|
|
|
|
|
|
public function test_totp_setup()
|
|
|
|
{
|
|
|
|
$editor = $this->getEditor();
|
|
|
|
$this->assertDatabaseMissing('mfa_values', ['user_id' => $editor->id]);
|
|
|
|
|
|
|
|
// Setup page state
|
|
|
|
$resp = $this->actingAs($editor)->get('/mfa/setup');
|
|
|
|
$resp->assertElementContains('a[href$="/mfa/totp-generate"]', 'Setup');
|
|
|
|
|
|
|
|
// Generate page access
|
|
|
|
$resp = $this->get('/mfa/totp-generate');
|
|
|
|
$resp->assertSee('Mobile App Setup');
|
|
|
|
$resp->assertSee('Verify Setup');
|
|
|
|
$resp->assertElementExists('form[action$="/mfa/totp-confirm"] button');
|
|
|
|
$this->assertSessionHas('mfa-setup-totp-secret');
|
|
|
|
$svg = $resp->getElementHtml('#main-content .card svg');
|
|
|
|
|
|
|
|
// Validation error, code should remain the same
|
|
|
|
$resp = $this->post('/mfa/totp-confirm', [
|
|
|
|
'code' => 'abc123',
|
|
|
|
]);
|
|
|
|
$resp->assertRedirect('/mfa/totp-generate');
|
|
|
|
$resp = $this->followRedirects($resp);
|
|
|
|
$resp->assertSee('The provided code is not valid or has expired.');
|
|
|
|
$revisitSvg = $resp->getElementHtml('#main-content .card svg');
|
|
|
|
$this->assertTrue($svg === $revisitSvg);
|
|
|
|
|
|
|
|
// Successful confirmation
|
|
|
|
$google2fa = new Google2FA();
|
2021-07-02 15:53:33 -04:00
|
|
|
$secret = decrypt(session()->get('mfa-setup-totp-secret'));
|
|
|
|
$otp = $google2fa->getCurrentOtp($secret);
|
2021-07-02 14:51:30 -04:00
|
|
|
$resp = $this->post('/mfa/totp-confirm', [
|
|
|
|
'code' => $otp,
|
|
|
|
]);
|
|
|
|
$resp->assertRedirect('/mfa/setup');
|
|
|
|
|
|
|
|
// Confirmation of setup
|
|
|
|
$resp = $this->followRedirects($resp);
|
|
|
|
$resp->assertSee('Multi-factor method successfully configured');
|
|
|
|
$resp->assertElementContains('a[href$="/mfa/totp-generate"]', 'Reconfigure');
|
2021-07-02 15:53:33 -04:00
|
|
|
|
|
|
|
$this->assertDatabaseHas('mfa_values', [
|
|
|
|
'user_id' => $editor->id,
|
|
|
|
'method' => 'totp',
|
|
|
|
]);
|
|
|
|
$this->assertFalse(session()->has('mfa-setup-totp-secret'));
|
|
|
|
$value = MfaValue::query()->where('user_id', '=', $editor->id)
|
|
|
|
->where('method', '=', 'totp')->first();
|
|
|
|
$this->assertEquals($secret, decrypt($value->value));
|
|
|
|
}
|
|
|
|
|
|
|
|
public function test_backup_codes_setup()
|
|
|
|
{
|
|
|
|
$editor = $this->getEditor();
|
|
|
|
$this->assertDatabaseMissing('mfa_values', ['user_id' => $editor->id]);
|
|
|
|
|
|
|
|
// Setup page state
|
|
|
|
$resp = $this->actingAs($editor)->get('/mfa/setup');
|
|
|
|
$resp->assertElementContains('a[href$="/mfa/backup-codes-generate"]', 'Setup');
|
|
|
|
|
|
|
|
// Generate page access
|
|
|
|
$resp = $this->get('/mfa/backup-codes-generate');
|
|
|
|
$resp->assertSee('Backup Codes');
|
|
|
|
$resp->assertElementContains('form[action$="/mfa/backup-codes-confirm"]', 'Confirm and Enable');
|
|
|
|
$this->assertSessionHas('mfa-setup-backup-codes');
|
|
|
|
$codes = decrypt(session()->get('mfa-setup-backup-codes'));
|
|
|
|
// Check code format
|
|
|
|
$this->assertCount(16, $codes);
|
|
|
|
$this->assertEquals(16*11, strlen(implode('', $codes)));
|
|
|
|
// Check download link
|
|
|
|
$resp->assertSee(base64_encode(implode("\n\n", $codes)));
|
|
|
|
|
|
|
|
// Confirm submit
|
|
|
|
$resp = $this->post('/mfa/backup-codes-confirm');
|
|
|
|
$resp->assertRedirect('/mfa/setup');
|
|
|
|
|
|
|
|
// Confirmation of setup
|
|
|
|
$resp = $this->followRedirects($resp);
|
|
|
|
$resp->assertSee('Multi-factor method successfully configured');
|
|
|
|
$resp->assertElementContains('a[href$="/mfa/backup-codes-generate"]', 'Reconfigure');
|
|
|
|
|
|
|
|
$this->assertDatabaseHas('mfa_values', [
|
|
|
|
'user_id' => $editor->id,
|
|
|
|
'method' => 'backup_codes',
|
|
|
|
]);
|
|
|
|
$this->assertFalse(session()->has('mfa-setup-backup-codes'));
|
|
|
|
$value = MfaValue::query()->where('user_id', '=', $editor->id)
|
|
|
|
->where('method', '=', 'backup_codes')->first();
|
|
|
|
$this->assertEquals($codes, json_decode(decrypt($value->value)));
|
|
|
|
}
|
|
|
|
|
|
|
|
public function test_backup_codes_cannot_be_confirmed_if_not_previously_generated()
|
|
|
|
{
|
|
|
|
$resp = $this->asEditor()->post('/mfa/backup-codes-confirm');
|
|
|
|
$resp->assertStatus(500);
|
2021-07-02 14:51:30 -04:00
|
|
|
}
|
|
|
|
|
2021-07-14 15:06:41 -04:00
|
|
|
public function test_mfa_method_count_is_visible_on_user_edit_page()
|
|
|
|
{
|
2021-07-14 15:18:48 -04:00
|
|
|
$user = $this->getEditor();
|
|
|
|
$resp = $this->actingAs($this->getAdmin())->get($user->getEditUrl());
|
2021-07-14 15:06:41 -04:00
|
|
|
$resp->assertSee('0 methods configured');
|
|
|
|
|
2021-07-14 15:18:48 -04:00
|
|
|
MfaValue::upsertWithValue($user, MfaValue::METHOD_TOTP, 'test');
|
|
|
|
$resp = $this->get($user->getEditUrl());
|
2021-07-14 15:06:41 -04:00
|
|
|
$resp->assertSee('1 method configured');
|
|
|
|
|
2021-07-14 15:18:48 -04:00
|
|
|
MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, 'test');
|
|
|
|
$resp = $this->get($user->getEditUrl());
|
2021-07-14 15:06:41 -04:00
|
|
|
$resp->assertSee('2 methods configured');
|
|
|
|
}
|
|
|
|
|
|
|
|
public function test_mfa_setup_link_only_shown_when_viewing_own_user_edit_page()
|
|
|
|
{
|
|
|
|
$admin = $this->getAdmin();
|
|
|
|
$resp = $this->actingAs($admin)->get($admin->getEditUrl());
|
|
|
|
$resp->assertElementExists('a[href$="/mfa/setup"]');
|
|
|
|
|
|
|
|
$resp = $this->actingAs($admin)->get($this->getEditor()->getEditUrl());
|
|
|
|
$resp->assertElementNotExists('a[href$="/mfa/setup"]');
|
|
|
|
}
|
|
|
|
|
2021-07-14 15:18:48 -04:00
|
|
|
public function test_mfa_indicator_shows_in_user_list()
|
|
|
|
{
|
|
|
|
$admin = $this->getAdmin();
|
|
|
|
User::query()->where('id', '!=', $admin->id)->delete();
|
|
|
|
|
|
|
|
$resp = $this->actingAs($admin)->get('/settings/users');
|
|
|
|
$resp->assertElementNotExists('[title="MFA Configured"] svg');
|
|
|
|
|
|
|
|
MfaValue::upsertWithValue($admin, MfaValue::METHOD_TOTP, 'test');
|
|
|
|
$resp = $this->actingAs($admin)->get('/settings/users');
|
|
|
|
$resp->assertElementExists('[title="MFA Configured"] svg');
|
|
|
|
}
|
|
|
|
|
2021-07-02 14:51:30 -04:00
|
|
|
}
|