| author | James Elliott <james-d-elliott@users.noreply.github.com> | 2022-03-03 22:20:43 +1100 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-03-03 22:20:43 +1100 | 
| commit | 8f05846e214df843ad8b996525b65ebef02a5686 (patch) | |
| tree | 7da518dd4a78ebaac2920add5e1163e7f7eb447c /internal/handlers/handler_configuration_test.go | |
| parent | 3c0d9b3b5785de86801c3d839a4999d3ecbf37fb (diff) | |
feat: webauthn (#2707)
This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer, which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (the backend does, but the frontend doesn't allow registration of additional devices). Does not support passwordless.
Diffstat (limited to 'internal/handlers/handler_configuration_test.go')
| -rw-r--r-- | internal/handlers/handler_configuration_test.go | 201 | 
1 files changed, 133 insertions, 68 deletions
diff --git a/internal/handlers/handler_configuration_test.go b/internal/handlers/handler_configuration_test.go
index ab69e87fd..f1f11e080 100644
--- a/internal/handlers/handler_configuration_test.go
+++ b/internal/handlers/handler_configuration_test.go
@@ -28,106 +28,171 @@ func (s *SecondFactorAvailableMethodsFixture) TearDownTest() {
 	s.mock.Close()
 }
-func (s *SecondFactorAvailableMethodsFixture) TestShouldServeDefaultMethods() {
-	expectedBody := configurationBody{
-		AvailableMethods:    []string{"totp", "u2f"},
-		SecondFactorEnabled: false,
-	}
+func (s *SecondFactorAvailableMethodsFixture) TestShouldHaveAllConfiguredMethods() {
+	s.mock.Ctx.Configuration = schema.Configuration{
+		DuoAPI: &schema.DuoAPIConfiguration{},
+		TOTP: schema.TOTPConfiguration{
+			Disable: false,
+		},
+		Webauthn: schema.WebauthnConfiguration{
+			Disable: false,
+		},
+		AccessControl: schema.AccessControlConfiguration{
+			DefaultPolicy: "deny",
+			Rules: []schema.ACLRule{
+				{
+					Domains: []string{"example.com"},
+					Policy:  "two_factor",
+				},
+			},
+		}}
+
+	s.mock.Ctx.Providers.Authorizer = authorization.NewAuthorizer(&s.mock.Ctx.Configuration)
 	ConfigurationGet(s.mock.Ctx)
-	s.mock.Assert200OK(s.T(), expectedBody)
+
+	s.mock.Assert200OK(s.T(), configurationBody{
+		AvailableMethods: []string{"totp", "webauthn", "mobile_push"},
+	})
 }
-func (s *SecondFactorAvailableMethodsFixture) TestShouldServeDefaultMethodsAndMobilePush() {
+func (s *SecondFactorAvailableMethodsFixture) TestShouldRemoveTOTPFromAvailableMethodsWhenDisabled() {
 	s.mock.Ctx.Configuration = schema.Configuration{
 		DuoAPI: &schema.DuoAPIConfiguration{},
-	}
-	expectedBody := configurationBody{
-		AvailableMethods:    []string{"totp", "u2f", "mobile_push"},
-		SecondFactorEnabled: false,
-	}
+		TOTP: schema.TOTPConfiguration{
+			Disable: true,
+		},
+		Webauthn: schema.WebauthnConfiguration{
+			Disable: false,
+		},
+		AccessControl: schema.AccessControlConfiguration{
+			DefaultPolicy: "deny",
+			Rules: []schema.ACLRule{
+				{
+					Domains: []string{"example.com"},
+					Policy:  "two_factor",
+				},
+			},
+		}}
+
+	s.mock.Ctx.Providers.Authorizer = authorization.NewAuthorizer(&s.mock.Ctx.Configuration)
 	ConfigurationGet(s.mock.Ctx)
-	s.mock.Assert200OK(s.T(), expectedBody)
+
+	s.mock.Assert200OK(s.T(), configurationBody{
+		AvailableMethods: []string{"webauthn", "mobile_push"},
+	})
 }
-func (s *SecondFactorAvailableMethodsFixture) TestShouldCheckSecondFactorIsDisabledWhenNoRuleIsSetToTwoFactor() {
-	s.mock.Ctx.Providers.Authorizer = authorization.NewAuthorizer(
-		&schema.Configuration{
-			AccessControl: schema.AccessControlConfiguration{
-				DefaultPolicy: "bypass",
-				Rules: []schema.ACLRule{
-					{
-						Domains: []string{"example.com"},
-						Policy:  "deny",
-					},
-					{
-						Domains: []string{"abc.example.com"},
-						Policy:  "single_factor",
-					},
-					{
-						Domains: []string{"def.example.com"},
-						Policy:  "bypass",
-					},
+func (s *SecondFactorAvailableMethodsFixture) TestShouldRemoveWebauthnFromAvailableMethodsWhenDisabled() {
+	s.mock.Ctx.Configuration = schema.Configuration{
+		DuoAPI: &schema.DuoAPIConfiguration{},
+		TOTP: schema.TOTPConfiguration{
+			Disable: false,
+		},
+		Webauthn: schema.WebauthnConfiguration{
+			Disable: true,
+		},
+		AccessControl: schema.AccessControlConfiguration{
+			DefaultPolicy: "deny",
+			Rules: []schema.ACLRule{
+				{
+					Domains: []string{"example.com"},
+					Policy:  "two_factor",
 				},
-			}})
+			},
+		}}
+
+	s.mock.Ctx.Providers.Authorizer = authorization.NewAuthorizer(&s.mock.Ctx.Configuration)
+
 	ConfigurationGet(s.mock.Ctx)
+
 	s.mock.Assert200OK(s.T(), configurationBody{
-		AvailableMethods:    []string{"totp", "u2f"},
-		SecondFactorEnabled: false,
+		AvailableMethods: []string{"totp", "mobile_push"},
 	})
 }
-func (s *SecondFactorAvailableMethodsFixture) TestShouldCheckSecondFactorIsEnabledWhenDefaultPolicySetToTwoFactor() {
-	s.mock.Ctx.Providers.Authorizer = authorization.NewAuthorizer(&schema.Configuration{
+func (s *SecondFactorAvailableMethodsFixture) TestShouldRemoveDuoFromAvailableMethodsWhenNotConfigured() {
+	s.mock.Ctx.Configuration = schema.Configuration{
+		DuoAPI: nil,
+		TOTP: schema.TOTPConfiguration{
+			Disable: false,
+		},
+		Webauthn: schema.WebauthnConfiguration{
+			Disable: false,
+		},
 		AccessControl: schema.AccessControlConfiguration{
-			DefaultPolicy: "two_factor",
+			DefaultPolicy: "deny",
 			Rules: []schema.ACLRule{
 				{
 					Domains: []string{"example.com"},
-					Policy:  "deny",
-				},
-				{
-					Domains: []string{"abc.example.com"},
-					Policy:  "single_factor",
+					Policy:  "two_factor",
 				},
+			},
+		}}
+
+	s.mock.Ctx.Providers.Authorizer = authorization.NewAuthorizer(&s.mock.Ctx.Configuration)
+
+	ConfigurationGet(s.mock.Ctx)
+
+	s.mock.Assert200OK(s.T(), configurationBody{
+		AvailableMethods: []string{"totp", "webauthn"},
+	})
+}
+
+func (s *SecondFactorAvailableMethodsFixture) TestShouldRemoveAllMethodsWhenNoTwoFactorACLRulesConfigured() {
+	s.mock.Ctx.Configuration = schema.Configuration{
+		DuoAPI: &schema.DuoAPIConfiguration{},
+		TOTP: schema.TOTPConfiguration{
+			Disable: false,
+		},
+		Webauthn: schema.WebauthnConfiguration{
+			Disable: false,
+		},
+		AccessControl: schema.AccessControlConfiguration{
+			DefaultPolicy: "deny",
+			Rules: []schema.ACLRule{
 				{
-					Domains: []string{"def.example.com"},
-					Policy:  "bypass",
+					Domains: []string{"example.com"},
+					Policy:  "one_factor",
 				},
 			},
-		}})
+		}}
+
+	s.mock.Ctx.Providers.Authorizer = authorization.NewAuthorizer(&s.mock.Ctx.Configuration)
+
 	ConfigurationGet(s.mock.Ctx)
+
 	s.mock.Assert200OK(s.T(), configurationBody{
-		AvailableMethods:    []string{"totp", "u2f"},
-		SecondFactorEnabled: true,
+		AvailableMethods: []string{},
 	})
 }
-func (s *SecondFactorAvailableMethodsFixture) TestShouldCheckSecondFactorIsEnabledWhenSomePolicySetToTwoFactor() {
-	s.mock.Ctx.Providers.Authorizer = authorization.NewAuthorizer(
-		&schema.Configuration{
-			AccessControl: schema.AccessControlConfiguration{
-				DefaultPolicy: "bypass",
-				Rules: []schema.ACLRule{
-					{
-						Domains: []string{"example.com"},
-						Policy:  "deny",
-					},
-					{
-						Domains: []string{"abc.example.com"},
-						Policy:  "two_factor",
-					},
-					{
-						Domains: []string{"def.example.com"},
-						Policy:  "bypass",
-					},
+func (s *SecondFactorAvailableMethodsFixture) TestShouldRemoveAllMethodsWhenAllDisabledOrNotConfigured() {
+	s.mock.Ctx.Configuration = schema.Configuration{
+		DuoAPI: nil,
+		TOTP: schema.TOTPConfiguration{
+			Disable: true,
+		},
+		Webauthn: schema.WebauthnConfiguration{
+			Disable: true,
+		},
+		AccessControl: schema.AccessControlConfiguration{
+			DefaultPolicy: "deny",
+			Rules: []schema.ACLRule{
+				{
+					Domains: []string{"example.com"},
+					Policy:  "two_factor",
 				},
-			}})
+			},
+		}}
+
+	s.mock.Ctx.Providers.Authorizer = authorization.NewAuthorizer(&s.mock.Ctx.Configuration)
+
 	ConfigurationGet(s.mock.Ctx)
+
 	s.mock.Assert200OK(s.T(), configurationBody{
-		AvailableMethods:    []string{"totp", "u2f"},
-		SecondFactorEnabled: true,
+		AvailableMethods: []string{},
 	})
 }
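Review bot: The rewritten suite only ever reaches the two_factor policy through a single ACL rule on example.com; the removed TestShouldCheckSecondFactorIsEnabledWhenDefaultPolicySetToTwoFactor exercised `DefaultPolicy: "two_factor"` with no matching rule, and no new method replaces it, so a change in how the authorizer treats the default policy when deciding which second-factor methods to advertise would not be caught by this file. A sixth case built from the same literal as TestShouldHaveAllConfiguredMethods but with `DefaultPolicy: "two_factor",` and `Rules: nil,` (expected methods as in that test, if the authorizer still treats the default policy the way the removed test assumed) would restore that coverage. The five methods otherwise differ in one or two fields of an identical configuration literal; a table of {name, duo, totpDisabled, webauthnDisabled, policy, want} iterated from one method would make each case's intent visible at a glance and turn the next method addition into a one-line change. Whether Assert200OK distinguishes `[]string{}` from a nil slice in the two empty-list cases is not visible here; worth confirming it compares the decoded JSON rather than the Go values, since a nil slice encodes as `null` and would be a different response body.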
