mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
Implement session inactivity timeout
This timeout will prevent an attacker from using a session that has been inactive for too long. This inactivity timeout combined with the timeout before expiration makes a good combination of security mechanisms to prevent session theft. If no activity timeout is provided, then the feature is disabled and only session expiration remains as a protection.
This commit is contained in:
parent
b9fa786df6
commit
dacdce6c50
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -29,6 +29,7 @@ dist/
|
|||
|
||||
# Specific files
|
||||
/config.yml
|
||||
/config.test.yml
|
||||
|
||||
example/ldap/private.ldif
|
||||
|
||||
|
|
|
@ -42,8 +42,8 @@ module.exports = function (grunt) {
|
|||
args: ['--colors', '--compilers', 'ts:ts-node/register', '--recursive', 'client/test']
|
||||
},
|
||||
"test-int": {
|
||||
cmd: "./node_modules/.bin/cucumber-js",
|
||||
args: ["--colors", "--compiler", "ts:ts-node/register", "./test/features"]
|
||||
cmd: "./scripts/run-cucumber.sh",
|
||||
args: ["./test/features"]
|
||||
},
|
||||
"docker-build": {
|
||||
cmd: "docker",
|
||||
|
|
|
@ -156,6 +156,9 @@ session:
|
|||
# The time in ms before the cookie expires and session is reset.
|
||||
expiration: 3600000 # 1 hour
|
||||
|
||||
# The inactivity time in ms before the session is reset.
|
||||
inactivity: 300000 # 5 minutes
|
||||
|
||||
# The domain to protect.
|
||||
# Note: the authenticator must also be in that domain. If empty, the cookie
|
||||
# is restricted to the subdomain of the issuer.
|
||||
|
|
196
config.test.yml
196
config.test.yml
|
@ -1,196 +0,0 @@
|
|||
###############################################################
|
||||
# Authelia configuration #
|
||||
###############################################################
|
||||
|
||||
# The port to listen on
|
||||
port: 80
|
||||
|
||||
# Log level
|
||||
#
|
||||
# Level of verbosity for logs
|
||||
logs_level: debug
|
||||
|
||||
# LDAP configuration
|
||||
#
|
||||
# Example: for user john, the DN will be cn=john,ou=users,dc=example,dc=com
|
||||
ldap:
|
||||
# The url of the ldap server
|
||||
url: ldap://openldap
|
||||
|
||||
# The base dn for every entries
|
||||
base_dn: dc=example,dc=com
|
||||
|
||||
# An additional dn to define the scope to all users
|
||||
additional_users_dn: ou=users
|
||||
|
||||
# The users filter.
|
||||
# {0} is the matcher replaced by username.
|
||||
# 'cn={0}' by default.
|
||||
users_filter: cn={0}
|
||||
|
||||
# An additional dn to define the scope of groups
|
||||
additional_groups_dn: ou=groups
|
||||
|
||||
# The groups filter used for retrieving groups of a given user.
|
||||
# {0} is a matcher replaced by username.
|
||||
# {dn} is a matcher replaced by user DN.
|
||||
# 'member={dn}' by default.
|
||||
groups_filter: (&(member={dn})(objectclass=groupOfNames))
|
||||
|
||||
# The attribute holding the name of the group
|
||||
group_name_attribute: cn
|
||||
|
||||
# The attribute holding the mail address of the user
|
||||
mail_attribute: mail
|
||||
|
||||
# The username and password of the admin user.
|
||||
user: cn=admin,dc=example,dc=com
|
||||
password: password
|
||||
|
||||
# Authentication methods
|
||||
#
|
||||
# Authentication methods can be defined per subdomain.
|
||||
# There are currently two available methods: "basic_auth" and "two_factor"
|
||||
#
|
||||
# Note: by default a domain uses "two_factor" method.
|
||||
#
|
||||
# Note: 'per_subdomain_methods' is a dictionary where keys must be subdomains and
|
||||
# values must be one of the two possible methods.
|
||||
#
|
||||
# Note: 'per_subdomain_methods' is optional.
|
||||
authentication_methods:
|
||||
default_method: two_factor
|
||||
per_subdomain_methods:
|
||||
basicauth.test.local: basic_auth
|
||||
|
||||
# Access Control
|
||||
#
|
||||
# Access control is a set of rules you can use to restrict the user access.
|
||||
# Default (anyone), per-user or per-group rules can be defined.
|
||||
#
|
||||
# If 'access_control' is not defined, ACL rules are disabled and a default policy
|
||||
# is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
|
||||
# the rules defined below.
|
||||
# If no rule is provided, all domains are denied.
|
||||
#
|
||||
# One can use the wildcard * to match any subdomain.
|
||||
# Note 1: It must stand at the beginning of the pattern. (example: *.mydomain.com)
|
||||
# Note 2: You must put the pattern in simple quotes when using the wildcard.
|
||||
access_control:
|
||||
# Default policy can either be `allow` or `deny`.
|
||||
# It is the policy applied to any resource if it has not been overriden
|
||||
# in the `any`, `groups` or `users` category.
|
||||
default_policy: deny
|
||||
|
||||
# The rules that apply to anyone.
|
||||
# The value is a list of rules.
|
||||
any:
|
||||
- domain: public.test.local
|
||||
policy: allow
|
||||
|
||||
# Group-based rules. The key is a group name and the value
|
||||
# is a list of rules.
|
||||
groups:
|
||||
admin:
|
||||
# All resources in all domains
|
||||
- domain: '*.test.local'
|
||||
policy: allow
|
||||
# Except mx2.mail.test.local (it restricts the first rule)
|
||||
- domain: 'mx2.mail.test.local'
|
||||
policy: deny
|
||||
dev:
|
||||
- domain: dev.test.local
|
||||
policy: allow
|
||||
resources:
|
||||
- '^/groups/dev/.*$'
|
||||
|
||||
# User-based rules. The key is a user name and the value
|
||||
# is a list of rules.
|
||||
users:
|
||||
john:
|
||||
- domain: dev.test.local
|
||||
policy: allow
|
||||
resources:
|
||||
- '^/users/john/.*$'
|
||||
harry:
|
||||
- domain: dev.test.local
|
||||
policy: allow
|
||||
resources:
|
||||
- '^/users/harry/.*$'
|
||||
bob:
|
||||
- domain: '*.mail.test.local'
|
||||
policy: allow
|
||||
- domain: 'dev.test.local'
|
||||
policy: allow
|
||||
resources:
|
||||
- '^/users/bob/.*$'
|
||||
|
||||
# Configuration of session cookies
|
||||
#
|
||||
# The session cookies identify the user once logged in.
|
||||
session:
|
||||
# The secret to encrypt the session cookie.
|
||||
secret: unsecure_secret
|
||||
|
||||
# The time before the cookie expires.
|
||||
expiration: 10000
|
||||
|
||||
# The domain to protect.
|
||||
# Note: the authenticator must also be in that domain. If empty, the cookie
|
||||
# is restricted to the subdomain of the issuer.
|
||||
domain: test.local
|
||||
|
||||
# The redis connection details
|
||||
redis:
|
||||
host: redis
|
||||
port: 6379
|
||||
|
||||
# Configuration of the authentication regulation mechanism.
|
||||
#
|
||||
# This mechanism prevents attackers from brute forcing the first factor.
|
||||
# It bans the user if too many attempts are done in a short period of
|
||||
# time.
|
||||
regulation:
|
||||
# The number of failed login attempts before user is banned.
|
||||
# Set it to 0 for disabling regulation.
|
||||
max_retries: 3
|
||||
|
||||
# The length of time between login attempts before user is banned.
|
||||
find_time: 15
|
||||
|
||||
# The length of time before a banned user can login again.
|
||||
ban_time: 4
|
||||
|
||||
# Configuration of the storage backend used to store data and secrets.
|
||||
#
|
||||
# You must use only an available configuration: local, mongo
|
||||
storage:
|
||||
# The directory where the DB files will be saved
|
||||
# local: /var/lib/authelia/store
|
||||
|
||||
# Settings to connect to mongo server
|
||||
mongo:
|
||||
url: mongodb://mongo/authelia
|
||||
|
||||
# Configuration of the notification system.
|
||||
#
|
||||
# Notifications are sent to users when they require a password reset, a u2f
|
||||
# registration or a TOTP registration.
|
||||
# Use only an available configuration: filesystem, gmail
|
||||
notifier:
|
||||
# Use your email account to send the notifications. You can use an app password.
|
||||
# List of valid services can be found here: https://nodemailer.com/smtp/well-known/
|
||||
# email:
|
||||
# username: user@example.com
|
||||
# password: yourpassword
|
||||
# sender: admin@example.com
|
||||
# service: gmail
|
||||
|
||||
# Use a SMTP server for sending notifications
|
||||
smtp:
|
||||
username: test
|
||||
password: test
|
||||
secure: false
|
||||
host: 'smtp'
|
||||
port: 1025
|
||||
sender: admin@example.com
|
3
scripts/run-cucumber.sh
Executable file
3
scripts/run-cucumber.sh
Executable file
|
@ -0,0 +1,3 @@
|
|||
#!/bin/bash
|
||||
|
||||
./node_modules/.bin/cucumber-js --colors --compiler ts:ts-node/register $*
|
|
@ -9,7 +9,7 @@ export interface AuthenticationSession {
|
|||
userid: string;
|
||||
first_factor: boolean;
|
||||
second_factor: boolean;
|
||||
last_activity_datetime: Date;
|
||||
last_activity_datetime: number;
|
||||
identity_check?: {
|
||||
challenge: string;
|
||||
userid: string;
|
||||
|
@ -40,7 +40,7 @@ export function reset(req: express.Request): void {
|
|||
req.session.auth = Object.assign({}, INITIAL_AUTHENTICATION_SESSION, {});
|
||||
|
||||
// Initialize last activity with current time
|
||||
req.session.auth.last_activity_datetime = new Date();
|
||||
req.session.auth.last_activity_datetime = new Date().getTime();
|
||||
}
|
||||
|
||||
export function get(req: express.Request): BluebirdPromise<AuthenticationSession> {
|
||||
|
|
|
@ -62,6 +62,7 @@ export interface SessionRedisOptions {
|
|||
interface SessionCookieConfiguration {
|
||||
secret: string;
|
||||
expiration?: number;
|
||||
inactivity?: number;
|
||||
domain?: string;
|
||||
redis?: SessionRedisOptions;
|
||||
}
|
||||
|
|
|
@ -71,6 +71,7 @@ function adaptFromUserConfiguration(userConfiguration: UserConfiguration)
|
|||
domain: ObjectPath.get<object, string>(userConfiguration, "session.domain"),
|
||||
secret: ObjectPath.get<object, string>(userConfiguration, "session.secret"),
|
||||
expiration: get_optional<number>(userConfiguration, "session.expiration", 3600000), // in ms
|
||||
inactivity: get_optional<number>(userConfiguration, "session.inactivity", undefined),
|
||||
redis: ObjectPath.get<object, SessionRedisOptions>(userConfiguration, "session.redis")
|
||||
},
|
||||
storage: {
|
||||
|
|
|
@ -13,6 +13,7 @@ import Util = require("util");
|
|||
import { DomainExtractor } from "../../utils/DomainExtractor";
|
||||
import { ServerVariables } from "../../ServerVariables";
|
||||
import { AuthenticationMethodCalculator } from "../../AuthenticationMethodCalculator";
|
||||
import { IRequestLogger } from "../../logging/IRequestLogger";
|
||||
|
||||
const FIRST_FACTOR_NOT_VALIDATED_MESSAGE = "First factor not yet validated";
|
||||
const SECOND_FACTOR_NOT_VALIDATED_MESSAGE = "Second factor not yet validated";
|
||||
|
@ -20,17 +21,48 @@ const SECOND_FACTOR_NOT_VALIDATED_MESSAGE = "Second factor not yet validated";
|
|||
const REMOTE_USER = "Remote-User";
|
||||
const REMOTE_GROUPS = "Remote-Groups";
|
||||
|
||||
function verify_inactivity(req: express.Request,
|
||||
authSession: AuthenticationSession.AuthenticationSession,
|
||||
configuration: AppConfiguration, logger: IRequestLogger)
|
||||
: BluebirdPromise<void> {
|
||||
|
||||
const lastActivityTime = authSession.last_activity_datetime;
|
||||
const currentTime = new Date().getTime();
|
||||
authSession.last_activity_datetime = currentTime;
|
||||
|
||||
// If inactivity is not specified, then inactivity timeout does not apply
|
||||
if (!configuration.session.inactivity) {
|
||||
return BluebirdPromise.resolve();
|
||||
}
|
||||
|
||||
const inactivityPeriodMs = currentTime - lastActivityTime;
|
||||
logger.debug(req, "Inactivity period was %s s and max period was %s.",
|
||||
inactivityPeriodMs / 1000, configuration.session.inactivity / 1000);
|
||||
if (inactivityPeriodMs < configuration.session.inactivity) {
|
||||
return BluebirdPromise.resolve();
|
||||
}
|
||||
|
||||
logger.debug(req, "Session has been reset after too long inactivity period.");
|
||||
AuthenticationSession.reset(req);
|
||||
return BluebirdPromise.reject(new Error("Inactivity period exceeded."));
|
||||
}
|
||||
|
||||
function verify_filter(req: express.Request, res: express.Response,
|
||||
vars: ServerVariables): BluebirdPromise<void> {
|
||||
let _authSession: AuthenticationSession.AuthenticationSession;
|
||||
let username: string;
|
||||
let groups: string[];
|
||||
|
||||
return AuthenticationSession.get(req)
|
||||
.then(function (authSession) {
|
||||
_authSession = authSession;
|
||||
username = _authSession.userid;
|
||||
groups = _authSession.groups;
|
||||
|
||||
res.set("Redirect", encodeURIComponent("https://" + req.headers["host"] +
|
||||
req.headers["x-original-uri"]));
|
||||
|
||||
const username = authSession.userid;
|
||||
const groups = authSession.groups;
|
||||
if (!authSession.userid)
|
||||
if (!_authSession.userid)
|
||||
return BluebirdPromise.reject(
|
||||
new exceptions.AccessDeniedError(FIRST_FACTOR_NOT_VALIDATED_MESSAGE));
|
||||
|
||||
|
@ -44,23 +76,27 @@ function verify_filter(req: express.Request, res: express.Response,
|
|||
vars.logger.debug(req, "domain=%s, path=%s, user=%s, groups=%s", domain, path,
|
||||
username, groups.join(","));
|
||||
|
||||
if (!authSession.first_factor)
|
||||
if (!_authSession.first_factor)
|
||||
return BluebirdPromise.reject(
|
||||
new exceptions.AccessDeniedError(FIRST_FACTOR_NOT_VALIDATED_MESSAGE));
|
||||
|
||||
if (authenticationMethod == "two_factor" && !_authSession.second_factor)
|
||||
return BluebirdPromise.reject(
|
||||
new exceptions.AccessDeniedError(SECOND_FACTOR_NOT_VALIDATED_MESSAGE));
|
||||
|
||||
const isAllowed = vars.accessController.isAccessAllowed(domain, path, username, groups);
|
||||
if (!isAllowed) return BluebirdPromise.reject(
|
||||
new exceptions.DomainAccessDenied(Util.format("User '%s' does not have access to '%s'",
|
||||
username, domain)));
|
||||
|
||||
if (authenticationMethod == "two_factor" && !authSession.second_factor)
|
||||
return BluebirdPromise.reject(
|
||||
new exceptions.AccessDeniedError(SECOND_FACTOR_NOT_VALIDATED_MESSAGE));
|
||||
|
||||
return BluebirdPromise.resolve();
|
||||
})
|
||||
.then(function () {
|
||||
return verify_inactivity(req, _authSession,
|
||||
vars.config, vars.logger);
|
||||
})
|
||||
.then(function () {
|
||||
res.setHeader(REMOTE_USER, username);
|
||||
res.setHeader(REMOTE_GROUPS, groups.join(","));
|
||||
|
||||
return BluebirdPromise.resolve();
|
||||
});
|
||||
}
|
||||
|
||||
|
|
|
@ -113,6 +113,7 @@ describe("test session configuration builder", function () {
|
|||
domain: "example.com",
|
||||
expiration: 3600,
|
||||
secret: "secret",
|
||||
inactivity: 4000,
|
||||
redis: {
|
||||
host: "redis.example.com",
|
||||
port: 6379
|
||||
|
|
|
@ -61,17 +61,35 @@ describe("test config parser", function () {
|
|||
});
|
||||
});
|
||||
|
||||
it("should get the session attributes", function () {
|
||||
const yaml_config = buildYamlConfig();
|
||||
yaml_config.session = {
|
||||
domain: "example.com",
|
||||
secret: "secret",
|
||||
expiration: 3600
|
||||
};
|
||||
const config = ConfigurationParser.parse(yaml_config);
|
||||
Assert.equal(config.session.domain, "example.com");
|
||||
Assert.equal(config.session.secret, "secret");
|
||||
Assert.equal(config.session.expiration, 3600);
|
||||
describe("test session configuration", function() {
|
||||
it("should get the session attributes", function () {
|
||||
const yaml_config = buildYamlConfig();
|
||||
yaml_config.session = {
|
||||
domain: "example.com",
|
||||
secret: "secret",
|
||||
expiration: 3600,
|
||||
inactivity: 4000
|
||||
};
|
||||
const config = ConfigurationParser.parse(yaml_config);
|
||||
Assert.equal(config.session.domain, "example.com");
|
||||
Assert.equal(config.session.secret, "secret");
|
||||
Assert.equal(config.session.expiration, 3600);
|
||||
Assert.equal(config.session.inactivity, 4000);
|
||||
});
|
||||
|
||||
it("should be ok not specifying inactivity", function () {
|
||||
const yaml_config = buildYamlConfig();
|
||||
yaml_config.session = {
|
||||
domain: "example.com",
|
||||
secret: "secret",
|
||||
expiration: 3600
|
||||
};
|
||||
const config = ConfigurationParser.parse(yaml_config);
|
||||
Assert.equal(config.session.domain, "example.com");
|
||||
Assert.equal(config.session.secret, "secret");
|
||||
Assert.equal(config.session.expiration, 3600);
|
||||
Assert.equal(config.session.inactivity, undefined);
|
||||
});
|
||||
});
|
||||
|
||||
it("should get the log level", function () {
|
||||
|
|
|
@ -79,7 +79,7 @@ describe("test /verify endpoint", function () {
|
|||
}
|
||||
|
||||
describe("given user tries to access a 2-factor endpoint", function () {
|
||||
before(function() {
|
||||
before(function () {
|
||||
mocks.accessController.isAccessAllowedMock.returns(true);
|
||||
});
|
||||
|
||||
|
@ -91,7 +91,7 @@ describe("test /verify endpoint", function () {
|
|||
second_factor: false,
|
||||
email: undefined,
|
||||
groups: [],
|
||||
last_activity_datetime: new Date()
|
||||
last_activity_datetime: new Date().getTime()
|
||||
});
|
||||
});
|
||||
|
||||
|
@ -102,7 +102,7 @@ describe("test /verify endpoint", function () {
|
|||
second_factor: true,
|
||||
email: undefined,
|
||||
groups: [],
|
||||
last_activity_datetime: new Date()
|
||||
last_activity_datetime: new Date().getTime()
|
||||
});
|
||||
});
|
||||
|
||||
|
@ -113,7 +113,7 @@ describe("test /verify endpoint", function () {
|
|||
second_factor: false,
|
||||
email: undefined,
|
||||
groups: [],
|
||||
last_activity_datetime: new Date()
|
||||
last_activity_datetime: new Date().getTime()
|
||||
});
|
||||
});
|
||||
|
||||
|
@ -124,7 +124,7 @@ describe("test /verify endpoint", function () {
|
|||
second_factor: false,
|
||||
email: undefined,
|
||||
groups: [],
|
||||
last_activity_datetime: new Date()
|
||||
last_activity_datetime: new Date().getTime()
|
||||
});
|
||||
});
|
||||
|
||||
|
@ -147,7 +147,7 @@ describe("test /verify endpoint", function () {
|
|||
userid: "user",
|
||||
groups: ["group1", "group2"],
|
||||
email: undefined,
|
||||
last_activity_datetime: new Date()
|
||||
last_activity_datetime: new Date().getTime()
|
||||
});
|
||||
});
|
||||
});
|
||||
|
@ -191,5 +191,53 @@ describe("test /verify endpoint", function () {
|
|||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe("inactivity period", function () {
|
||||
it("should update last inactivity period on requests on /verify", function () {
|
||||
mocks.config.session.inactivity = 200000;
|
||||
mocks.accessController.isAccessAllowedMock.returns(true);
|
||||
const currentTime = new Date().getTime() - 1000;
|
||||
AuthenticationSession.reset(req as any);
|
||||
return AuthenticationSession.get(req as any)
|
||||
.then(function (authSession: AuthenticationSession.AuthenticationSession) {
|
||||
authSession.first_factor = true;
|
||||
authSession.second_factor = true;
|
||||
authSession.userid = "myuser";
|
||||
authSession.groups = ["mygroup", "othergroup"];
|
||||
authSession.last_activity_datetime = currentTime;
|
||||
return VerifyGet.default(vars)(req as express.Request, res as any);
|
||||
})
|
||||
.then(function () {
|
||||
return AuthenticationSession.get(req as any);
|
||||
})
|
||||
.then(function (authSession) {
|
||||
Assert(authSession.last_activity_datetime > currentTime);
|
||||
});
|
||||
});
|
||||
|
||||
it("should reset session when max inactivity period has been reached", function () {
|
||||
mocks.config.session.inactivity = 1;
|
||||
mocks.accessController.isAccessAllowedMock.returns(true);
|
||||
const currentTime = new Date().getTime() - 1000;
|
||||
AuthenticationSession.reset(req as any);
|
||||
return AuthenticationSession.get(req as any)
|
||||
.then(function (authSession: AuthenticationSession.AuthenticationSession) {
|
||||
authSession.first_factor = true;
|
||||
authSession.second_factor = true;
|
||||
authSession.userid = "myuser";
|
||||
authSession.groups = ["mygroup", "othergroup"];
|
||||
authSession.last_activity_datetime = currentTime;
|
||||
return VerifyGet.default(vars)(req as express.Request, res as any);
|
||||
})
|
||||
.then(function () {
|
||||
return AuthenticationSession.get(req as any);
|
||||
})
|
||||
.then(function (authSession) {
|
||||
Assert.equal(authSession.first_factor, false);
|
||||
Assert.equal(authSession.second_factor, false);
|
||||
Assert.equal(authSession.userid, undefined);
|
||||
});
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
|
|
|
@ -20,8 +20,6 @@ Feature: User is correctly redirected
|
|||
And I visit "https://admin.test.local:8080/secret.html"
|
||||
Then I get an error 403
|
||||
|
||||
|
||||
|
||||
Scenario: Redirection URL is propagated from restricted page to first factor
|
||||
When I visit "https://public.test.local:8080/secret.html"
|
||||
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html"
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
@needs-regulation-config
|
||||
Feature: Authelia regulates authentication to avoid brute force
|
||||
|
||||
@needs-test-config
|
||||
@need-registered-user-blackhat
|
||||
Scenario: Attacker tries too many authentication in a short period of time and get banned
|
||||
Given I visit "https://auth.test.local:8080/"
|
||||
|
@ -18,7 +18,6 @@ Feature: Authelia regulates authentication to avoid brute force
|
|||
And I click on "Sign in"
|
||||
Then I get a notification of type "error" with message "Authentication failed. Please check your credentials."
|
||||
|
||||
@needs-test-config
|
||||
@need-registered-user-blackhat
|
||||
Scenario: User is unbanned after a configured amount of time
|
||||
Given I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html"
|
||||
|
|
24
test/features/session-timeout.feature
Normal file
24
test/features/session-timeout.feature
Normal file
|
@ -0,0 +1,24 @@
|
|||
@needs-inactivity-config
|
||||
Feature: Session is closed after a certain amount of time
|
||||
|
||||
@need-authenticated-user-john
|
||||
Scenario: An authenticated user is disconnected after a certain inactivity period
|
||||
Given I have access to:
|
||||
| url |
|
||||
| https://public.test.local:8080/secret.html |
|
||||
When I sleep for 6 seconds
|
||||
And I visit "https://public.test.local:8080/secret.html"
|
||||
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html"
|
||||
|
||||
@need-authenticated-user-john
|
||||
Scenario: An authenticated user is disconnected after session expiration period
|
||||
Given I have access to:
|
||||
| url |
|
||||
| https://public.test.local:8080/secret.html |
|
||||
When I sleep for 4 seconds
|
||||
And I visit "https://public.test.local:8080/secret.html"
|
||||
And I sleep for 4 seconds
|
||||
And I visit "https://public.test.local:8080/secret.html"
|
||||
And I sleep for 4 seconds
|
||||
And I visit "https://public.test.local:8080/secret.html"
|
||||
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html"
|
|
@ -6,7 +6,7 @@ import { UserDataStore } from "../../../server/src/lib/storage/UserDataStore";
|
|||
import { CollectionFactoryFactory } from "../../../server/src/lib/storage/CollectionFactoryFactory";
|
||||
import { MongoConnector } from "../../../server/src/lib/connectors/mongo/MongoConnector";
|
||||
import { IMongoClient } from "../../../server/src/lib/connectors/mongo/IMongoClient";
|
||||
import { TOTPGenerator } from "../../../server/src/lib/TOTPGenerator";
|
||||
import { TotpHandler } from "../../../server/src/lib/authentication/totp/TotpHandler";
|
||||
import Speakeasy = require("speakeasy");
|
||||
|
||||
Cucumber.defineSupportCode(function ({ setDefaultTimeout }) {
|
||||
|
@ -14,19 +14,46 @@ Cucumber.defineSupportCode(function ({ setDefaultTimeout }) {
|
|||
});
|
||||
|
||||
Cucumber.defineSupportCode(function ({ After, Before }) {
|
||||
const exec = BluebirdPromise.promisify(ChildProcess.exec);
|
||||
const exec = BluebirdPromise.promisify<any, any>(ChildProcess.exec);
|
||||
|
||||
After(function () {
|
||||
return this.driver.quit();
|
||||
});
|
||||
|
||||
Before({ tags: "@needs-test-config", timeout: 20 * 1000 }, function () {
|
||||
return exec("./scripts/example-commit/dc-example.sh -f docker-compose.test.yml up -d authelia && sleep 2");
|
||||
});
|
||||
function createRegulationConfiguration(): BluebirdPromise<void> {
|
||||
return exec("\
|
||||
cat config.template.yml | \
|
||||
sed 's/find_time: [0-9]\\+/find_time: 15/' | \
|
||||
sed 's/ban_time: [0-9]\\+/ban_time: 4/' > config.test.yml \
|
||||
");
|
||||
}
|
||||
|
||||
After({ tags: "@needs-test-config", timeout: 20 * 1000 }, function () {
|
||||
return exec("./scripts/example-commit/dc-example.sh up -d authelia && sleep 2");
|
||||
});
|
||||
function createInactivityConfiguration(): BluebirdPromise<void> {
|
||||
return exec("\
|
||||
cat config.template.yml | \
|
||||
sed 's/expiration: [0-9]\\+/expiration: 10000/' | \
|
||||
sed 's/inactivity: [0-9]\\+/inactivity: 5000/' > config.test.yml \
|
||||
");
|
||||
}
|
||||
|
||||
function declareNeedsConfiguration(tag: string, cb: () => BluebirdPromise<void>) {
|
||||
Before({ tags: "@needs-" + tag + "-config", timeout: 20 * 1000 }, function () {
|
||||
return cb()
|
||||
.then(function () {
|
||||
return exec("./scripts/example-commit/dc-example.sh -f docker-compose.test.yml up -d authelia && sleep 1");
|
||||
})
|
||||
});
|
||||
|
||||
After({ tags: "@needs-" + tag + "-config", timeout: 20 * 1000 }, function () {
|
||||
return exec("rm config.test.yml")
|
||||
.then(function () {
|
||||
return exec("./scripts/example-commit/dc-example.sh up -d authelia && sleep 1");
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
declareNeedsConfiguration("regulation", createRegulationConfiguration);
|
||||
declareNeedsConfiguration("inactivity", createInactivityConfiguration);
|
||||
|
||||
function registerUser(context: any, username: string) {
|
||||
let secret: Speakeasy.Key;
|
||||
|
@ -36,7 +63,7 @@ Cucumber.defineSupportCode(function ({ After, Before }) {
|
|||
const collectionFactory = CollectionFactoryFactory.createMongo(mongoClient);
|
||||
const userDataStore = new UserDataStore(collectionFactory);
|
||||
|
||||
const generator = new TOTPGenerator(Speakeasy);
|
||||
const generator = new TotpHandler(Speakeasy);
|
||||
secret = generator.generate();
|
||||
return userDataStore.saveTOTPSecret(username, secret);
|
||||
})
|
||||
|
@ -56,7 +83,10 @@ Cucumber.defineSupportCode(function ({ After, Before }) {
|
|||
}
|
||||
|
||||
function needAuthenticatedUser(context: any, username: string): BluebirdPromise<void> {
|
||||
return context.visit("https://auth.test.local:8080/")
|
||||
return context.visit("https://auth.test.local:8080/logout")
|
||||
.then(function () {
|
||||
return context.visit("https://auth.test.local:8080/");
|
||||
})
|
||||
.then(function () {
|
||||
return registerUser(context, username);
|
||||
})
|
||||
|
@ -66,7 +96,7 @@ Cucumber.defineSupportCode(function ({ After, Before }) {
|
|||
.then(function () {
|
||||
return context.useTotpTokenHandle("REGISTERED");
|
||||
})
|
||||
.then(function() {
|
||||
.then(function () {
|
||||
return context.clickOnButton("TOTP");
|
||||
});
|
||||
}
|
||||
|
|
|
@ -7,6 +7,6 @@ import BluebirdPromise = require("bluebird");
|
|||
Cucumber.defineSupportCode(function ({ Given, When, Then }) {
|
||||
When(/^the application restarts$/, {timeout: 15 * 1000}, function () {
|
||||
const exec = BluebirdPromise.promisify(ChildProcess.exec);
|
||||
return exec("./scripts/example-commit/dc-example.sh restart authelia && sleep 2");
|
||||
return exec("./scripts/example-commit/dc-example.sh restart authelia && sleep 1");
|
||||
});
|
||||
});
|
8
test/features/step_definitions/session-timeout.ts
Normal file
8
test/features/step_definitions/session-timeout.ts
Normal file
|
@ -0,0 +1,8 @@
|
|||
import Cucumber = require("cucumber");
|
||||
import seleniumWebdriver = require("selenium-webdriver");
|
||||
|
||||
Cucumber.defineSupportCode(function ({ Given, When, Then }) {
|
||||
When("I sleep for {number} seconds", function (seconds: number) {
|
||||
return this.driver.sleep(seconds * 1000);
|
||||
});
|
||||
});
|
Loading…
Reference in New Issue
Block a user