authelia/internal/suites/scenario_two_factor_test.go

package suites

import (
	"context"
	"fmt"
	"log"
	"testing"
	"time"

	"github.com/clems4ever/authelia/internal/storage"
	"github.com/stretchr/testify/require"
	"github.com/stretchr/testify/suite"
)

type TwoFactorSuite struct {
	*SeleniumSuite
}

func NewTwoFactorScenario() *TwoFactorSuite {
	return &TwoFactorSuite{
		SeleniumSuite: new(SeleniumSuite),
	}
}

func (s *TwoFactorSuite) SetupSuite() {
	wds, err := StartWebDriver()

	if err != nil {
		log.Fatal(err)
	}

	s.WebDriverSession = wds
}

func (s *TwoFactorSuite) TearDownSuite() {
	err := s.WebDriverSession.Stop()

	if err != nil {
		log.Fatal(err)
	}
}

func (s *TwoFactorSuite) SetupTest() {
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()

	s.doLogout(ctx, s.T())
	s.doVisit(s.T(), HomeBaseURL)
	s.verifyIsHome(ctx, s.T())
}

func (s *TwoFactorSuite) TestShouldCheckUserIsAskedToRegisterDevice() {
	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
	defer cancel()

	username := "john"
	password := "password"

	// Clean up any TOTP secret already in DB
	provider := storage.NewSQLiteProvider("/tmp/authelia/db.sqlite3")
	require.NoError(s.T(), provider.DeleteTOTPSecret(username))

	// Login one factor
	s.doLoginOneFactor(ctx, s.T(), username, password, false, "")

	// Check the user is asked to register a new device
	s.WaitElementLocatedByClassName(ctx, s.T(), "state-not-registered")

	// Then register the TOTP factor
	s.doRegisterTOTP(ctx, s.T())
	// And logout
	s.doLogout(ctx, s.T())

	// Login one factor again
	s.doLoginOneFactor(ctx, s.T(), username, password, false, "")

	// now the user should be asked to perform 2FA
	s.WaitElementLocatedByClassName(ctx, s.T(), "state-method")
}

func (s *TwoFactorSuite) TestShouldAuthorizeSecretAfterTwoFactor() {
	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
	defer cancel()

	username := "john"
	password := "password"

	// Login one factor
	s.doLoginOneFactor(ctx, s.T(), username, password, false, "")

	// Check he reaches the 2FA stage
	s.verifyIsSecondFactorPage(ctx, s.T())

	// Then register the TOTP factor
	secret := s.doRegisterTOTP(ctx, s.T())

	// And logout
	s.doLogout(ctx, s.T())

	// Login again with 1FA & 2FA
	targetURL := fmt.Sprintf("%s/secret.html", AdminBaseURL)
	s.doLoginTwoFactor(ctx, s.T(), "john", "password", false, secret, targetURL)

	// And check if the user is redirected to the secret.
	s.verifySecretAuthorized(ctx, s.T())

	// Leave the secret
	s.doVisit(s.T(), HomeBaseURL)
	s.verifyIsHome(ctx, s.T())

	// And try to reload it again to check the session is kept
	s.doVisit(s.T(), targetURL)
	s.verifySecretAuthorized(ctx, s.T())
}

func (s *TwoFactorSuite) TestShouldFailTwoFactor() {
	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
	defer cancel()

	// Register TOTP secret and logout.
	s.doRegisterThenLogout(ctx, s.T(), "john", "password")

	wrongPasscode := "123456"
	s.doLoginOneFactor(ctx, s.T(), "john", "password", false, "")
	s.verifyIsSecondFactorPage(ctx, s.T())
	s.doEnterOTP(ctx, s.T(), wrongPasscode)

	s.verifyNotificationDisplayed(ctx, s.T(), "The one-time password might be wrong")
}

func TestRunTwoFactor(t *testing.T) {
	suite.Run(t, NewTwoFactorScenario())
}
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 21:32:58 +07:00			`package suites`

			`import (`
			`"context"`
			`"fmt"`
			`"log"`
			`"testing"`
			`"time"`

Test user does see the not registered message. When a user use Authelia for the first time no device is enrolled in DB. Now we test that the user does see the "not registered" message when no device is enrolled and see the standard 2FA method when a device is already enrolled. 2019-12-08 00:14:26 +07:00			`"github.com/clems4ever/authelia/internal/storage"`
			`"github.com/stretchr/testify/require"`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 21:32:58 +07:00			`"github.com/stretchr/testify/suite"`
			`)`

			`type TwoFactorSuite struct {`
			`*SeleniumSuite`
			`}`

Rewrite and fix remaining suites in Go. 2019-11-25 03:27:59 +07:00			`func NewTwoFactorScenario() *TwoFactorSuite {`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 21:32:58 +07:00			`return &TwoFactorSuite{`
			`SeleniumSuite: new(SeleniumSuite),`
			`}`
			`}`

			`func (s *TwoFactorSuite) SetupSuite() {`
			`wds, err := StartWebDriver()`

			`if err != nil {`
			`log.Fatal(err)`
			`}`

Rewrite and fix remaining suites in Go. 2019-11-25 03:27:59 +07:00			`s.WebDriverSession = wds`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 21:32:58 +07:00			`}`

			`func (s *TwoFactorSuite) TearDownSuite() {`
			`err := s.WebDriverSession.Stop()`

			`if err != nil {`
			`log.Fatal(err)`
			`}`
			`}`

			`func (s *TwoFactorSuite) SetupTest() {`
			`ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)`
			`defer cancel()`

Rewrite and fix remaining suites in Go. 2019-11-25 03:27:59 +07:00			`s.doLogout(ctx, s.T())`
			`s.doVisit(s.T(), HomeBaseURL)`
			`s.verifyIsHome(ctx, s.T())`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 21:32:58 +07:00			`}`

Test user does see the not registered message. When a user use Authelia for the first time no device is enrolled in DB. Now we test that the user does see the "not registered" message when no device is enrolled and see the standard 2FA method when a device is already enrolled. 2019-12-08 00:14:26 +07:00			`func (s *TwoFactorSuite) TestShouldCheckUserIsAskedToRegisterDevice() {`
			`ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)`
			`defer cancel()`

			`username := "john"`
			`password := "password"`

			`// Clean up any TOTP secret already in DB`
			`provider := storage.NewSQLiteProvider("/tmp/authelia/db.sqlite3")`
			`require.NoError(s.T(), provider.DeleteTOTPSecret(username))`

			`// Login one factor`
			`s.doLoginOneFactor(ctx, s.T(), username, password, false, "")`

			`// Check the user is asked to register a new device`
			`s.WaitElementLocatedByClassName(ctx, s.T(), "state-not-registered")`

			`// Then register the TOTP factor`
			`s.doRegisterTOTP(ctx, s.T())`
			`// And logout`
			`s.doLogout(ctx, s.T())`

			`// Login one factor again`
			`s.doLoginOneFactor(ctx, s.T(), username, password, false, "")`

			`// now the user should be asked to perform 2FA`
			`s.WaitElementLocatedByClassName(ctx, s.T(), "state-method")`
			`}`

Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 21:32:58 +07:00			`func (s *TwoFactorSuite) TestShouldAuthorizeSecretAfterTwoFactor() {`
Rewrite and fix remaining suites in Go. 2019-11-25 03:27:59 +07:00			`ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 21:32:58 +07:00			`defer cancel()`

Test user does see the not registered message. When a user use Authelia for the first time no device is enrolled in DB. Now we test that the user does see the "not registered" message when no device is enrolled and see the standard 2FA method when a device is already enrolled. 2019-12-08 00:14:26 +07:00			`username := "john"`
			`password := "password"`

			`// Login one factor`
			`s.doLoginOneFactor(ctx, s.T(), username, password, false, "")`

			`// Check he reaches the 2FA stage`
			`s.verifyIsSecondFactorPage(ctx, s.T())`

			`// Then register the TOTP factor`
			`secret := s.doRegisterTOTP(ctx, s.T())`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 21:32:58 +07:00
Test user does see the not registered message. When a user use Authelia for the first time no device is enrolled in DB. Now we test that the user does see the "not registered" message when no device is enrolled and see the standard 2FA method when a device is already enrolled. 2019-12-08 00:14:26 +07:00			`// And logout`
			`s.doLogout(ctx, s.T())`

			`// Login again with 1FA & 2FA`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 21:32:58 +07:00			`targetURL := fmt.Sprintf("%s/secret.html", AdminBaseURL)`
Rewrite and fix remaining suites in Go. 2019-11-25 03:27:59 +07:00			`s.doLoginTwoFactor(ctx, s.T(), "john", "password", false, secret, targetURL)`
Test user does see the not registered message. When a user use Authelia for the first time no device is enrolled in DB. Now we test that the user does see the "not registered" message when no device is enrolled and see the standard 2FA method when a device is already enrolled. 2019-12-08 00:14:26 +07:00
			`// And check if the user is redirected to the secret.`
Rewrite and fix remaining suites in Go. 2019-11-25 03:27:59 +07:00			`s.verifySecretAuthorized(ctx, s.T())`

Test user does see the not registered message. When a user use Authelia for the first time no device is enrolled in DB. Now we test that the user does see the "not registered" message when no device is enrolled and see the standard 2FA method when a device is already enrolled. 2019-12-08 00:14:26 +07:00			`// Leave the secret`
Rewrite and fix remaining suites in Go. 2019-11-25 03:27:59 +07:00			`s.doVisit(s.T(), HomeBaseURL)`
			`s.verifyIsHome(ctx, s.T())`

Test user does see the not registered message. When a user use Authelia for the first time no device is enrolled in DB. Now we test that the user does see the "not registered" message when no device is enrolled and see the standard 2FA method when a device is already enrolled. 2019-12-08 00:14:26 +07:00			`// And try to reload it again to check the session is kept`
Rewrite and fix remaining suites in Go. 2019-11-25 03:27:59 +07:00			`s.doVisit(s.T(), targetURL)`
			`s.verifySecretAuthorized(ctx, s.T())`
			`}`

			`func (s *TwoFactorSuite) TestShouldFailTwoFactor() {`
			`ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)`
			`defer cancel()`

			`// Register TOTP secret and logout.`
			`s.doRegisterThenLogout(ctx, s.T(), "john", "password")`

			`wrongPasscode := "123456"`
			`s.doLoginOneFactor(ctx, s.T(), "john", "password", false, "")`
			`s.verifyIsSecondFactorPage(ctx, s.T())`
			`s.doEnterOTP(ctx, s.T(), wrongPasscode)`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 21:32:58 +07:00
Rewrite and fix remaining suites in Go. 2019-11-25 03:27:59 +07:00			`s.verifyNotificationDisplayed(ctx, s.T(), "The one-time password might be wrong")`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 21:32:58 +07:00			`}`

			`func TestRunTwoFactor(t *testing.T) {`
Rewrite and fix remaining suites in Go. 2019-11-25 03:27:59 +07:00			`suite.Run(t, NewTwoFactorScenario())`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 21:32:58 +07:00			`}`