2020-09-02 15:10:54 +00:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
require 'spec_helper'
|
|
|
|
|
|
|
|
RSpec.describe Gitlab::Auth::TwoFactorAuthVerifier do
|
2021-09-30 18:11:31 +00:00
|
|
|
using RSpec::Parameterized::TableSyntax
|
2020-09-02 15:10:54 +00:00
|
|
|
|
2021-09-30 18:11:31 +00:00
|
|
|
subject(:verifier) { described_class.new(user) }
|
2020-09-02 15:10:54 +00:00
|
|
|
|
2021-09-30 18:11:31 +00:00
|
|
|
let(:user) { build_stubbed(:user, otp_grace_period_started_at: Time.zone.now) }
|
2020-09-02 15:10:54 +00:00
|
|
|
|
2021-09-30 18:11:31 +00:00
|
|
|
describe '#two_factor_authentication_enforced?' do
|
|
|
|
subject { verifier.two_factor_authentication_enforced? }
|
2020-09-02 15:10:54 +00:00
|
|
|
|
2021-09-30 18:11:31 +00:00
|
|
|
where(:instance_level_enabled, :group_level_enabled, :grace_period_expired, :should_be_enforced) do
|
|
|
|
false | false | true | false
|
|
|
|
true | false | false | false
|
|
|
|
true | false | true | true
|
|
|
|
false | true | false | false
|
|
|
|
false | true | true | true
|
|
|
|
end
|
2020-09-02 15:10:54 +00:00
|
|
|
|
2021-09-30 18:11:31 +00:00
|
|
|
with_them do
|
|
|
|
before do
|
|
|
|
stub_application_setting(require_two_factor_authentication: instance_level_enabled)
|
|
|
|
allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(group_level_enabled)
|
|
|
|
stub_application_setting(two_factor_grace_period: grace_period_expired ? 0 : 1.month.in_hours)
|
2020-09-02 15:10:54 +00:00
|
|
|
end
|
2021-09-30 18:11:31 +00:00
|
|
|
|
|
|
|
it { is_expected.to eq(should_be_enforced) }
|
2020-09-02 15:10:54 +00:00
|
|
|
end
|
2021-09-30 18:11:31 +00:00
|
|
|
end
|
2020-09-02 15:10:54 +00:00
|
|
|
|
2021-09-30 18:11:31 +00:00
|
|
|
describe '#two_factor_authentication_required?' do
|
|
|
|
subject { verifier.two_factor_authentication_required? }
|
|
|
|
|
|
|
|
where(:instance_level_enabled, :group_level_enabled, :should_be_required) do
|
|
|
|
true | false | true
|
|
|
|
false | true | true
|
|
|
|
false | false | false
|
|
|
|
end
|
2020-09-02 15:10:54 +00:00
|
|
|
|
2021-09-30 18:11:31 +00:00
|
|
|
with_them do
|
|
|
|
before do
|
|
|
|
stub_application_setting(require_two_factor_authentication: instance_level_enabled)
|
|
|
|
allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(group_level_enabled)
|
2020-09-02 15:10:54 +00:00
|
|
|
end
|
2021-09-30 18:11:31 +00:00
|
|
|
|
|
|
|
it { is_expected.to eq(should_be_required) }
|
2020-09-02 15:10:54 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '#current_user_needs_to_setup_two_factor?' do
|
|
|
|
it 'returns false when current_user is nil' do
|
|
|
|
expect(described_class.new(nil).current_user_needs_to_setup_two_factor?).to be_falsey
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns false when current_user does not have temp email' do
|
|
|
|
allow(user).to receive(:two_factor_enabled?).and_return(false)
|
|
|
|
allow(user).to receive(:temp_oauth_email?).and_return(true)
|
|
|
|
|
|
|
|
expect(subject.current_user_needs_to_setup_two_factor?).to be_falsey
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns false when current_user has 2fa disabled' do
|
|
|
|
allow(user).to receive(:temp_oauth_email?).and_return(false)
|
|
|
|
allow(user).to receive(:two_factor_enabled?).and_return(true)
|
|
|
|
|
|
|
|
expect(subject.current_user_needs_to_setup_two_factor?).to be_falsey
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns true when user requires 2fa authentication' do
|
|
|
|
allow(user).to receive(:two_factor_enabled?).and_return(false)
|
|
|
|
allow(user).to receive(:temp_oauth_email?).and_return(false)
|
|
|
|
|
|
|
|
expect(subject.current_user_needs_to_setup_two_factor?).to be_truthy
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '#two_factor_grace_period' do
|
|
|
|
it 'returns grace period from settings if there is no period from groups' do
|
|
|
|
stub_application_setting two_factor_grace_period: 2
|
|
|
|
allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(false)
|
|
|
|
|
|
|
|
expect(subject.two_factor_grace_period).to eq(2)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns grace period from groups if there is no period from settings' do
|
|
|
|
allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(true)
|
|
|
|
allow(user).to receive(:two_factor_grace_period).and_return(3)
|
|
|
|
|
|
|
|
expect(subject.two_factor_grace_period).to eq(3)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns minimal grace period if there is grace period from settings and from group' do
|
|
|
|
allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(true)
|
|
|
|
allow(user).to receive(:two_factor_grace_period).and_return(3)
|
|
|
|
stub_application_setting two_factor_grace_period: 2
|
|
|
|
|
|
|
|
expect(subject.two_factor_grace_period).to eq(2)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '#two_factor_grace_period_expired?' do
|
|
|
|
it 'returns true if the grace period has expired' do
|
2021-09-30 18:11:31 +00:00
|
|
|
stub_application_setting two_factor_grace_period: 0
|
2020-09-02 15:10:54 +00:00
|
|
|
|
|
|
|
expect(subject.two_factor_grace_period_expired?).to be_truthy
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns false if the grace period has not expired' do
|
2021-09-30 18:11:31 +00:00
|
|
|
stub_application_setting two_factor_grace_period: 1.month.in_hours
|
2020-09-02 15:10:54 +00:00
|
|
|
|
|
|
|
expect(subject.two_factor_grace_period_expired?).to be_falsey
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when otp_grace_period_started_at is nil' do
|
|
|
|
it 'returns false' do
|
2021-09-30 18:11:31 +00:00
|
|
|
user.otp_grace_period_started_at = nil
|
2020-09-02 15:10:54 +00:00
|
|
|
|
|
|
|
expect(subject.two_factor_grace_period_expired?).to be_falsey
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|