From f0807df9d883d6655e5974098b764f1862238c63 Mon Sep 17 00:00:00 2001
From: Jens Kraemer <jk@jkraemer.net>
Date: Sat, 17 Aug 2019 09:34:08 +0000
Subject: [PATCH 4/5] adds integration test for totp two factor auth

---
 test/integration/twofa_test.rb | 126 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 126 insertions(+)
 create mode 100644 test/integration/twofa_test.rb

diff --git a/test/integration/twofa_test.rb b/test/integration/twofa_test.rb
new file mode 100644
index 000000000..25e47332c
--- /dev/null
+++ b/test/integration/twofa_test.rb
@@ -0,0 +1,126 @@
+require File.expand_path('../../test_helper', __FILE__)
+
+class TwofaTest < Redmine::IntegrationTest
+  fixtures :projects, :users, :email_addresses
+
+  test "should require twofa setup when configured" do
+    with_settings twofa: "2" do
+      log_user('jsmith', 'jsmith')
+      follow_redirect!
+      assert_redirected_to "/my/twofa/totp/activate/confirm"
+    end
+  end
+
+  test "should generate and accept backup codes" do
+    log_user('jsmith', 'jsmith')
+    get "/my/account"
+    assert_response :success
+    post "/my/twofa/totp/activate/init"
+    assert_redirected_to "/my/twofa/totp/activate/confirm"
+    follow_redirect!
+    assert_response :success
+
+    totp = ROTP::TOTP.new User.find_by_login('jsmith').twofa_totp_key
+    post "/my/twofa/totp/activate", params: { twofa_code: totp.now }
+    assert_redirected_to "/my/account"
+    follow_redirect!
+    assert_response :success
+    assert_select '.flash', /Two-factor authentication successfully enabled/i
+
+    post "/my/twofa/backup_codes/init"
+    assert_redirected_to "/my/twofa/backup_codes/confirm"
+    follow_redirect!
+    assert_response :success
+    assert_select 'form', /Please enter your two-factor authentication code/i
+
+    post "/my/twofa/backup_codes/create", params: { twofa_code: "wrong" }
+    assert_redirected_to "/my/twofa/backup_codes/confirm"
+    follow_redirect!
+    assert_response :success
+    assert_select 'form', /Please enter your two-factor authentication code/i
+
+    # prevent replay attack prevention from kicking in
+    User.find_by_login('jsmith').update_column :twofa_totp_last_used_at, 2.minutes.ago.to_i
+
+    post "/my/twofa/backup_codes/create", params: { twofa_code: totp.now }
+    assert_redirected_to "/my/twofa/backup_codes"
+    follow_redirect!
+    assert_response :success
+    assert_select ".flash", /your backup codes have been generated/i
+
+    assert code = response.body.scan(/<code>([a-z0-9]{4} [a-z0-9]{4} [a-z0-9]{4})<\/code>/).flatten.first
+
+    post "/logout"
+    follow_redirect!
+    # prevent replay attack prevention from kicking in
+    User.find_by_login('jsmith').update_column :twofa_totp_last_used_at, 2.minutes.ago.to_i
+
+    # sign in with backup code
+    get "/login"
+    assert_nil session[:user_id]
+    assert_response :success
+    post "/login", params: {
+      username: 'jsmith',
+      password: 'jsmith'
+    }
+    assert_redirected_to "/account/twofa/confirm"
+    follow_redirect!
+
+    assert_select "#login-form h3", /two-factor authentication/i
+    post "/account/twofa", params: { twofa_code: code }
+    assert_redirected_to "/my/page"
+    follow_redirect!
+    assert_response :success
+  end
+
+  test "should configure totp and require code on login" do
+    with_settings twofa: "2" do
+      log_user('jsmith', 'jsmith')
+      follow_redirect!
+      assert_redirected_to "/my/twofa/totp/activate/confirm"
+      follow_redirect!
+
+      assert key = User.find_by_login('jsmith').twofa_totp_key
+      assert key.present?
+      totp = ROTP::TOTP.new key
+
+      post "/my/twofa/totp/activate", params: { twofa_code: '123456789' }
+      assert_redirected_to "/my/twofa/totp/activate/confirm"
+      follow_redirect!
+
+      post "/my/twofa/totp/activate", params: { twofa_code: totp.now }
+      assert_redirected_to "/my/account"
+
+      post "/logout"
+      follow_redirect!
+
+      # prevent replay attack prevention from kicking in
+      User.find_by_login('jsmith').update_column :twofa_totp_last_used_at, 2.minutes.ago.to_i
+
+      # sign in with totp
+      get "/login"
+      assert_nil session[:user_id]
+      assert_response :success
+      post "/login", params: {
+        username: 'jsmith',
+        password: 'jsmith'
+      }
+
+      assert_redirected_to "/account/twofa/confirm"
+      follow_redirect!
+
+      assert_select "#login-form h3", /two-factor authentication/i
+      post "/account/twofa", params: { twofa_code: 'wrong code' }
+      assert_redirected_to "/account/twofa/confirm"
+      follow_redirect!
+      assert_select "#login-form h3", /two-factor authentication/i
+      assert_select ".flash", /code is invalid/i
+
+      post "/account/twofa", params: { twofa_code: totp.now }
+      assert_redirected_to "/my/page"
+      follow_redirect!
+      assert_response :success
+    end
+
+  end
+end
-- 
2.11.0