mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
bc3b0fda35
This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
282 lines
7.9 KiB
Go
282 lines
7.9 KiB
Go
package handlers
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/url"
|
|
"regexp"
|
|
"testing"
|
|
|
|
"github.com/golang/mock/gomock"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"github.com/stretchr/testify/suite"
|
|
|
|
"github.com/authelia/authelia/v4/internal/duo"
|
|
"github.com/authelia/authelia/v4/internal/mocks"
|
|
"github.com/authelia/authelia/v4/internal/models"
|
|
"github.com/authelia/authelia/v4/internal/regulation"
|
|
)
|
|
|
|
type SecondFactorDuoPostSuite struct {
|
|
suite.Suite
|
|
|
|
mock *mocks.MockAutheliaCtx
|
|
}
|
|
|
|
func (s *SecondFactorDuoPostSuite) SetupTest() {
|
|
s.mock = mocks.NewMockAutheliaCtx(s.T())
|
|
userSession := s.mock.Ctx.GetSession()
|
|
userSession.Username = testUsername
|
|
err := s.mock.Ctx.SaveSession(userSession)
|
|
require.NoError(s.T(), err)
|
|
}
|
|
|
|
func (s *SecondFactorDuoPostSuite) TearDownTest() {
|
|
s.mock.Close()
|
|
}
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldCallDuoAPIAndAllowAccess() {
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
values := url.Values{}
|
|
values.Set("username", "john")
|
|
values.Set("ipaddr", s.mock.Ctx.RemoteIP().String())
|
|
values.Set("factor", "push")
|
|
values.Set("device", "auto")
|
|
values.Set("pushinfo", "target%20url=https://target.example.com")
|
|
|
|
response := duo.Response{}
|
|
response.Response.Result = testResultAllow
|
|
|
|
s.mock.StorageProviderMock.
|
|
EXPECT().
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(models.AuthenticationAttempt{
|
|
Username: "john",
|
|
Successful: true,
|
|
Banned: false,
|
|
Time: s.mock.Clock.Now(),
|
|
Type: regulation.AuthTypeDUO,
|
|
RemoteIP: models.NewIPAddressFromString("0.0.0.0"),
|
|
}))
|
|
|
|
duoMock.EXPECT().Call(gomock.Eq(values), s.mock.Ctx).Return(&response, nil)
|
|
|
|
s.mock.Ctx.Request.SetBodyString("{\"targetURL\": \"https://target.example.com\"}")
|
|
|
|
SecondFactorDuoPost(duoMock)(s.mock.Ctx)
|
|
|
|
assert.Equal(s.T(), s.mock.Ctx.Response.StatusCode(), 200)
|
|
}
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldCallDuoAPIAndDenyAccess() {
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
values := url.Values{}
|
|
values.Set("username", "john")
|
|
values.Set("ipaddr", s.mock.Ctx.RemoteIP().String())
|
|
values.Set("factor", "push")
|
|
values.Set("device", "auto")
|
|
values.Set("pushinfo", "target%20url=https://target.example.com")
|
|
|
|
response := duo.Response{}
|
|
response.Response.Result = "deny"
|
|
|
|
s.mock.StorageProviderMock.
|
|
EXPECT().
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(models.AuthenticationAttempt{
|
|
Username: "john",
|
|
Successful: false,
|
|
Banned: false,
|
|
Time: s.mock.Clock.Now(),
|
|
Type: regulation.AuthTypeDUO,
|
|
RemoteIP: models.NewIPAddressFromString("0.0.0.0"),
|
|
}))
|
|
|
|
duoMock.EXPECT().Call(gomock.Eq(values), s.mock.Ctx).Return(&response, nil)
|
|
|
|
s.mock.Ctx.Request.SetBodyString("{\"targetURL\": \"https://target.example.com\"}")
|
|
|
|
SecondFactorDuoPost(duoMock)(s.mock.Ctx)
|
|
|
|
assert.Equal(s.T(), s.mock.Ctx.Response.StatusCode(), 401)
|
|
}
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldCallDuoAPIAndFail() {
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
values := url.Values{}
|
|
values.Set("username", "john")
|
|
values.Set("ipaddr", s.mock.Ctx.RemoteIP().String())
|
|
values.Set("factor", "push")
|
|
values.Set("device", "auto")
|
|
values.Set("pushinfo", "target%20url=https://target.example.com")
|
|
|
|
duoMock.EXPECT().Call(gomock.Eq(values), s.mock.Ctx).Return(nil, fmt.Errorf("connnection error"))
|
|
|
|
s.mock.Ctx.Request.SetBodyString("{\"targetURL\": \"https://target.example.com\"}")
|
|
|
|
SecondFactorDuoPost(duoMock)(s.mock.Ctx)
|
|
|
|
s.mock.Assert401KO(s.T(), "Authentication failed, please retry later.")
|
|
}
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldRedirectUserToDefaultURL() {
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
response := duo.Response{}
|
|
response.Response.Result = testResultAllow
|
|
|
|
duoMock.EXPECT().Call(gomock.Any(), s.mock.Ctx).Return(&response, nil)
|
|
|
|
s.mock.StorageProviderMock.
|
|
EXPECT().
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(models.AuthenticationAttempt{
|
|
Username: "john",
|
|
Successful: true,
|
|
Banned: false,
|
|
Time: s.mock.Clock.Now(),
|
|
Type: regulation.AuthTypeDUO,
|
|
RemoteIP: models.NewIPAddressFromString("0.0.0.0"),
|
|
}))
|
|
|
|
s.mock.Ctx.Configuration.DefaultRedirectionURL = testRedirectionURL
|
|
|
|
bodyBytes, err := json.Marshal(signDuoRequestBody{})
|
|
s.Require().NoError(err)
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
SecondFactorDuoPost(duoMock)(s.mock.Ctx)
|
|
s.mock.Assert200OK(s.T(), redirectResponse{
|
|
Redirect: testRedirectionURL,
|
|
})
|
|
}
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldNotReturnRedirectURL() {
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
response := duo.Response{}
|
|
response.Response.Result = testResultAllow
|
|
|
|
duoMock.EXPECT().Call(gomock.Any(), s.mock.Ctx).Return(&response, nil)
|
|
|
|
s.mock.StorageProviderMock.
|
|
EXPECT().
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(models.AuthenticationAttempt{
|
|
Username: "john",
|
|
Successful: true,
|
|
Banned: false,
|
|
Time: s.mock.Clock.Now(),
|
|
Type: regulation.AuthTypeDUO,
|
|
RemoteIP: models.NewIPAddressFromString("0.0.0.0"),
|
|
}))
|
|
|
|
bodyBytes, err := json.Marshal(signDuoRequestBody{})
|
|
s.Require().NoError(err)
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
SecondFactorDuoPost(duoMock)(s.mock.Ctx)
|
|
s.mock.Assert200OK(s.T(), nil)
|
|
}
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldRedirectUserToSafeTargetURL() {
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
response := duo.Response{}
|
|
response.Response.Result = testResultAllow
|
|
|
|
duoMock.EXPECT().Call(gomock.Any(), s.mock.Ctx).Return(&response, nil)
|
|
|
|
s.mock.StorageProviderMock.
|
|
EXPECT().
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(models.AuthenticationAttempt{
|
|
Username: "john",
|
|
Successful: true,
|
|
Banned: false,
|
|
Time: s.mock.Clock.Now(),
|
|
Type: regulation.AuthTypeDUO,
|
|
RemoteIP: models.NewIPAddressFromString("0.0.0.0"),
|
|
}))
|
|
|
|
bodyBytes, err := json.Marshal(signDuoRequestBody{
|
|
TargetURL: "https://mydomain.local",
|
|
})
|
|
s.Require().NoError(err)
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
SecondFactorDuoPost(duoMock)(s.mock.Ctx)
|
|
s.mock.Assert200OK(s.T(), redirectResponse{
|
|
Redirect: "https://mydomain.local",
|
|
})
|
|
}
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldNotRedirectToUnsafeURL() {
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
response := duo.Response{}
|
|
response.Response.Result = testResultAllow
|
|
|
|
duoMock.EXPECT().Call(gomock.Any(), s.mock.Ctx).Return(&response, nil)
|
|
|
|
s.mock.StorageProviderMock.
|
|
EXPECT().
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(models.AuthenticationAttempt{
|
|
Username: "john",
|
|
Successful: true,
|
|
Banned: false,
|
|
Time: s.mock.Clock.Now(),
|
|
Type: regulation.AuthTypeDUO,
|
|
RemoteIP: models.NewIPAddressFromString("0.0.0.0"),
|
|
}))
|
|
|
|
bodyBytes, err := json.Marshal(signDuoRequestBody{
|
|
TargetURL: "http://mydomain.local",
|
|
})
|
|
s.Require().NoError(err)
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
SecondFactorDuoPost(duoMock)(s.mock.Ctx)
|
|
s.mock.Assert200OK(s.T(), nil)
|
|
}
|
|
|
|
func (s *SecondFactorDuoPostSuite) TestShouldRegenerateSessionForPreventingSessionFixation() {
|
|
duoMock := mocks.NewMockAPI(s.mock.Ctrl)
|
|
|
|
response := duo.Response{}
|
|
response.Response.Result = testResultAllow
|
|
|
|
duoMock.EXPECT().Call(gomock.Any(), s.mock.Ctx).Return(&response, nil)
|
|
|
|
s.mock.StorageProviderMock.
|
|
EXPECT().
|
|
AppendAuthenticationLog(s.mock.Ctx, gomock.Eq(models.AuthenticationAttempt{
|
|
Username: "john",
|
|
Successful: true,
|
|
Banned: false,
|
|
Time: s.mock.Clock.Now(),
|
|
Type: regulation.AuthTypeDUO,
|
|
RemoteIP: models.NewIPAddressFromString("0.0.0.0"),
|
|
}))
|
|
|
|
bodyBytes, err := json.Marshal(signDuoRequestBody{
|
|
TargetURL: "http://mydomain.local",
|
|
})
|
|
s.Require().NoError(err)
|
|
s.mock.Ctx.Request.SetBody(bodyBytes)
|
|
|
|
r := regexp.MustCompile("^authelia_session=(.*); path=")
|
|
res := r.FindAllStringSubmatch(string(s.mock.Ctx.Response.Header.PeekCookie("authelia_session")), -1)
|
|
|
|
SecondFactorDuoPost(duoMock)(s.mock.Ctx)
|
|
s.mock.Assert200OK(s.T(), nil)
|
|
|
|
s.Assert().NotEqual(
|
|
res[0][1],
|
|
string(s.mock.Ctx.Request.Header.Cookie("authelia_session")))
|
|
}
|
|
|
|
func TestRunSecondFactorDuoPostSuite(t *testing.T) {
|
|
s := new(SecondFactorDuoPostSuite)
|
|
suite.Run(t, s)
|
|
}
|