1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
require_relative 'spec_helper'
require 'open3'
describe 'bin/gitlab-shell 2fa_recovery_codes' do
include_context 'gitlab shell'
def mock_server(server)
server.mount_proc('/api/v4/internal/two_factor_recovery_codes') do |req, res|
res.content_type = 'application/json'
res.status = 200
key_id = req.query['key_id'] || req.query['user_id']
unless key_id
body = JSON.parse(req.body)
key_id = body['key_id'] || body['user_id'].to_s
end
if key_id == '100'
res.body = '{"success":true, "recovery_codes": ["1", "2"]}'
else
res.body = '{"success":false, "message": "Forbidden!"}'
end
end
server.mount_proc('/api/v4/internal/discover') do |req, res|
res.status = 200
res.content_type = 'application/json'
res.body = '{"id":100, "name": "Some User", "username": "someuser"}'
end
end
shared_examples 'dialog for regenerating recovery keys' do
context 'when the user agrees to regenerate keys' do
def verify_successful_regeneration!(cmd)
Open3.popen2(env, cmd) do |stdin, stdout|
expect(stdout.gets).to eq("Are you sure you want to generate new two-factor recovery codes?\n")
expect(stdout.gets).to eq("Any existing recovery codes you saved will be invalidated. (yes/no)\n")
stdin.puts('yes')
expect(stdout.flush.read).to eq(
"\nYour two-factor authentication recovery codes are:\n\n" \
"1\n2\n\n" \
"During sign in, use one of the codes above when prompted for\n" \
"your two-factor code. Then, visit your Profile Settings and add\n" \
"a new device so you do not lose access to your account again.\n"
)
end
end
context 'when key is provided' do
let(:cmd) { "#{gitlab_shell_path} key-100" }
it 'the recovery keys are regenerated' do
verify_successful_regeneration!(cmd)
end
end
context 'when username is provided' do
let(:cmd) { "#{gitlab_shell_path} username-someone" }
it 'the recovery keys are regenerated' do
verify_successful_regeneration!(cmd)
end
end
end
context 'when the user disagrees to regenerate keys' do
let(:cmd) { "#{gitlab_shell_path} key-100" }
it 'the recovery keys are not regenerated' do
Open3.popen2(env, cmd) do |stdin, stdout|
expect(stdout.gets).to eq("Are you sure you want to generate new two-factor recovery codes?\n")
expect(stdout.gets).to eq("Any existing recovery codes you saved will be invalidated. (yes/no)\n")
stdin.puts('no')
expect(stdout.flush.read).to eq(
"\nNew recovery codes have *not* been generated. Existing codes will remain valid.\n"
)
end
end
end
context 'when API error occurs' do
let(:cmd) { "#{gitlab_shell_path} key-101" }
context 'when the user agrees to regenerate keys' do
it 'the recovery keys are regenerated' do
Open3.popen2(env, cmd) do |stdin, stdout|
expect(stdout.gets).to eq("Are you sure you want to generate new two-factor recovery codes?\n")
expect(stdout.gets).to eq("Any existing recovery codes you saved will be invalidated. (yes/no)\n")
stdin.puts('yes')
expect(stdout.flush.read).to eq("\nAn error occurred while trying to generate new recovery codes.\nForbidden!\n")
end
end
end
end
end
let(:env) { {'SSH_CONNECTION' => 'fake', 'SSH_ORIGINAL_COMMAND' => '2fa_recovery_codes' } }
describe 'without go features' do
before(:context) do
write_config(
"gitlab_url" => "http+unix://#{CGI.escape(tmp_socket_path)}",
)
end
it_behaves_like 'dialog for regenerating recovery keys'
end
describe 'with go features' do
before(:context) do
write_config(
"gitlab_url" => "http+unix://#{CGI.escape(tmp_socket_path)}",
"migration" => { "enabled" => true,
"features" => ["2fa_recovery_codes"] }
)
end
it_behaves_like 'dialog for regenerating recovery keys'
end
end
|
