]> BookStack Code Mirror - bookstack/blob - tests/Auth/MfaConfigurationTest.php
projects / bookstack / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Bump composer/composer from 2.1.8 to 2.1.9
[bookstack] / tests / Auth / MfaConfigurationTest.php
1 <?php
2
3 namespace Tests\Auth;
4
5 use BookStack\Actions\ActivityType;
6 use BookStack\Auth\Access\Mfa\MfaValue;
7 use BookStack\Auth\User;
8 use PragmaRX\Google2FA\Google2FA;
9 use Tests\TestCase;
10
11 class MfaConfigurationTest extends TestCase
12 {
13     public function test_totp_setup()
14     {
15         $editor = $this->getEditor();
16         $this->assertDatabaseMissing('mfa_values', ['user_id' => $editor->id]);
17
18         // Setup page state
19         $resp = $this->actingAs($editor)->get('/mfa/setup');
20         $resp->assertElementContains('a[href$="/mfa/totp/generate"]', 'Setup');
21
22         // Generate page access
23         $resp = $this->get('/mfa/totp/generate');
24         $resp->assertSee('Mobile App Setup');
25         $resp->assertSee('Verify Setup');
26         $resp->assertElementExists('form[action$="/mfa/totp/confirm"] button');
27         $this->assertSessionHas('mfa-setup-totp-secret');
28         $svg = $resp->getElementHtml('#main-content .card svg');
29
30         // Validation error, code should remain the same
31         $resp = $this->post('/mfa/totp/confirm', [
32             'code' => 'abc123',
33         ]);
34         $resp->assertRedirect('/mfa/totp/generate');
35         $resp = $this->followRedirects($resp);
36         $resp->assertSee('The provided code is not valid or has expired.');
37         $revisitSvg = $resp->getElementHtml('#main-content .card svg');
38         $this->assertTrue($svg === $revisitSvg);
39         $secret = decrypt(session()->get('mfa-setup-totp-secret'));
40
41         $resp->assertSee(htmlentities("?secret={$secret}&issuer=BookStack&algorithm=SHA1&digits=6&period=30"));
42
43         // Successful confirmation
44         $google2fa = new Google2FA();
45         $otp = $google2fa->getCurrentOtp($secret);
46         $resp = $this->post('/mfa/totp/confirm', [
47             'code' => $otp,
48         ]);
49         $resp->assertRedirect('/mfa/setup');
50
51         // Confirmation of setup
52         $resp = $this->followRedirects($resp);
53         $resp->assertSee('Multi-factor method successfully configured');
54         $resp->assertElementContains('a[href$="/mfa/totp/generate"]', 'Reconfigure');
55
56         $this->assertDatabaseHas('mfa_values', [
57             'user_id' => $editor->id,
58             'method'  => 'totp',
59         ]);
60         $this->assertFalse(session()->has('mfa-setup-totp-secret'));
61         $value = MfaValue::query()->where('user_id', '=', $editor->id)
62             ->where('method', '=', 'totp')->first();
63         $this->assertEquals($secret, decrypt($value->value));
64     }
65
66     public function test_backup_codes_setup()
67     {
68         $editor = $this->getEditor();
69         $this->assertDatabaseMissing('mfa_values', ['user_id' => $editor->id]);
70
71         // Setup page state
72         $resp = $this->actingAs($editor)->get('/mfa/setup');
73         $resp->assertElementContains('a[href$="/mfa/backup_codes/generate"]', 'Setup');
74
75         // Generate page access
76         $resp = $this->get('/mfa/backup_codes/generate');
77         $resp->assertSee('Backup Codes');
78         $resp->assertElementContains('form[action$="/mfa/backup_codes/confirm"]', 'Confirm and Enable');
79         $this->assertSessionHas('mfa-setup-backup-codes');
80         $codes = decrypt(session()->get('mfa-setup-backup-codes'));
81         // Check code format
82         $this->assertCount(16, $codes);
83         $this->assertEquals(16 * 11, strlen(implode('', $codes)));
84         // Check download link
85         $resp->assertSee(base64_encode(implode("\n\n", $codes)));
86
87         // Confirm submit
88         $resp = $this->post('/mfa/backup_codes/confirm');
89         $resp->assertRedirect('/mfa/setup');
90
91         // Confirmation of setup
92         $resp = $this->followRedirects($resp);
93         $resp->assertSee('Multi-factor method successfully configured');
94         $resp->assertElementContains('a[href$="/mfa/backup_codes/generate"]', 'Reconfigure');
95
96         $this->assertDatabaseHas('mfa_values', [
97             'user_id' => $editor->id,
98             'method'  => 'backup_codes',
99         ]);
100         $this->assertFalse(session()->has('mfa-setup-backup-codes'));
101         $value = MfaValue::query()->where('user_id', '=', $editor->id)
102             ->where('method', '=', 'backup_codes')->first();
103         $this->assertEquals($codes, json_decode(decrypt($value->value)));
104     }
105
106     public function test_backup_codes_cannot_be_confirmed_if_not_previously_generated()
107     {
108         $resp = $this->asEditor()->post('/mfa/backup_codes/confirm');
109         $resp->assertStatus(500);
110     }
111
112     public function test_mfa_method_count_is_visible_on_user_edit_page()
113     {
114         $user = $this->getEditor();
115         $resp = $this->actingAs($this->getAdmin())->get($user->getEditUrl());
116         $resp->assertSee('0 methods configured');
117
118         MfaValue::upsertWithValue($user, MfaValue::METHOD_TOTP, 'test');
119         $resp = $this->get($user->getEditUrl());
120         $resp->assertSee('1 method configured');
121
122         MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, 'test');
123         $resp = $this->get($user->getEditUrl());
124         $resp->assertSee('2 methods configured');
125     }
126
127     public function test_mfa_setup_link_only_shown_when_viewing_own_user_edit_page()
128     {
129         $admin = $this->getAdmin();
130         $resp = $this->actingAs($admin)->get($admin->getEditUrl());
131         $resp->assertElementExists('a[href$="/mfa/setup"]');
132
133         $resp = $this->actingAs($admin)->get($this->getEditor()->getEditUrl());
134         $resp->assertElementNotExists('a[href$="/mfa/setup"]');
135     }
136
137     public function test_mfa_indicator_shows_in_user_list()
138     {
139         $admin = $this->getAdmin();
140         User::query()->where('id', '!=', $admin->id)->delete();
141
142         $resp = $this->actingAs($admin)->get('/settings/users');
143         $resp->assertElementNotExists('[title="MFA Configured"] svg');
144
145         MfaValue::upsertWithValue($admin, MfaValue::METHOD_TOTP, 'test');
146         $resp = $this->actingAs($admin)->get('/settings/users');
147         $resp->assertElementExists('[title="MFA Configured"] svg');
148     }
149
150     public function test_remove_mfa_method()
151     {
152         $admin = $this->getAdmin();
153
154         MfaValue::upsertWithValue($admin, MfaValue::METHOD_TOTP, 'test');
155         $this->assertEquals(1, $admin->mfaValues()->count());
156         $resp = $this->actingAs($admin)->get('/mfa/setup');
157         $resp->assertElementExists('form[action$="/mfa/totp/remove"]');
158
159         $resp = $this->delete('/mfa/totp/remove');
160         $resp->assertRedirect('/mfa/setup');
161         $resp = $this->followRedirects($resp);
162         $resp->assertSee('Multi-factor method successfully removed');
163
164         $this->assertActivityExists(ActivityType::MFA_REMOVE_METHOD);
165         $this->assertEquals(0, $admin->mfaValues()->count());
166     }
167 }
The core source code for the BookStack project.