2020-07-28 15:23:17 +01:00
|
|
|
// Copyright (C) 2020 Storj Labs, Inc.
|
|
|
|
// See LICENSE for copying information.
|
|
|
|
|
|
|
|
package consoleapi_test
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"encoding/json"
|
2021-05-14 16:05:42 +01:00
|
|
|
"errors"
|
2020-10-21 11:52:24 +01:00
|
|
|
"fmt"
|
|
|
|
"io"
|
2020-07-28 15:23:17 +01:00
|
|
|
"io/ioutil"
|
2020-10-21 11:52:24 +01:00
|
|
|
"math/rand"
|
2020-07-28 15:23:17 +01:00
|
|
|
"net/http"
|
2020-10-21 11:52:24 +01:00
|
|
|
"net/http/httptest"
|
|
|
|
"net/url"
|
|
|
|
"reflect"
|
2020-07-28 15:23:17 +01:00
|
|
|
"strconv"
|
2020-10-21 11:52:24 +01:00
|
|
|
"strings"
|
2020-07-28 15:23:17 +01:00
|
|
|
"testing"
|
2020-10-21 11:52:24 +01:00
|
|
|
"testing/quick"
|
2021-07-13 18:21:16 +01:00
|
|
|
"time"
|
2020-07-28 15:23:17 +01:00
|
|
|
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"go.uber.org/zap"
|
|
|
|
|
|
|
|
"storj.io/common/testcontext"
|
|
|
|
"storj.io/common/uuid"
|
|
|
|
"storj.io/storj/private/testplanet"
|
|
|
|
"storj.io/storj/satellite"
|
2021-07-13 18:21:16 +01:00
|
|
|
"storj.io/storj/satellite/console"
|
2020-10-21 11:52:24 +01:00
|
|
|
"storj.io/storj/satellite/console/consoleweb/consoleapi"
|
2020-07-28 15:23:17 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestAuth_Register(t *testing.T) {
|
|
|
|
testplanet.Run(t, testplanet.Config{
|
|
|
|
SatelliteCount: 1, StorageNodeCount: 0, UplinkCount: 0,
|
|
|
|
Reconfigure: testplanet.Reconfigure{
|
|
|
|
Satellite: func(log *zap.Logger, index int, config *satellite.Config) {
|
|
|
|
config.Console.OpenRegistrationEnabled = true
|
|
|
|
config.Console.RateLimit.Burst = 10
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
|
|
|
|
for i, test := range []struct {
|
|
|
|
Partner string
|
|
|
|
ValidPartner bool
|
|
|
|
}{
|
|
|
|
{Partner: "minio", ValidPartner: true},
|
|
|
|
{Partner: "Minio", ValidPartner: true},
|
|
|
|
{Partner: "Raiden Network", ValidPartner: true},
|
|
|
|
{Partner: "Raiden nEtwork", ValidPartner: true},
|
|
|
|
{Partner: "invalid-name", ValidPartner: false},
|
|
|
|
} {
|
2020-11-02 12:21:55 +00:00
|
|
|
func() {
|
|
|
|
registerData := struct {
|
|
|
|
FullName string `json:"fullName"`
|
|
|
|
ShortName string `json:"shortName"`
|
|
|
|
Email string `json:"email"`
|
|
|
|
Partner string `json:"partner"`
|
|
|
|
PartnerID string `json:"partnerId"`
|
|
|
|
Password string `json:"password"`
|
|
|
|
SecretInput string `json:"secret"`
|
|
|
|
ReferrerUserID string `json:"referrerUserId"`
|
2021-02-10 15:55:38 +00:00
|
|
|
IsProfessional bool `json:"isProfessional"`
|
|
|
|
Position string `json:"Position"`
|
|
|
|
CompanyName string `json:"CompanyName"`
|
|
|
|
EmployeeCount string `json:"EmployeeCount"`
|
2020-11-02 12:21:55 +00:00
|
|
|
}{
|
2021-02-10 15:55:38 +00:00
|
|
|
FullName: "testuser" + strconv.Itoa(i),
|
|
|
|
ShortName: "test",
|
|
|
|
Email: "user@test" + strconv.Itoa(i),
|
|
|
|
Partner: test.Partner,
|
|
|
|
Password: "abc123",
|
|
|
|
IsProfessional: true,
|
|
|
|
Position: "testposition",
|
|
|
|
CompanyName: "companytestname",
|
|
|
|
EmployeeCount: "0",
|
2020-11-02 12:21:55 +00:00
|
|
|
}
|
2020-07-28 15:23:17 +01:00
|
|
|
|
2020-11-02 12:21:55 +00:00
|
|
|
jsonBody, err := json.Marshal(registerData)
|
|
|
|
require.NoError(t, err)
|
2020-07-28 15:23:17 +01:00
|
|
|
|
2021-08-26 17:48:24 +01:00
|
|
|
url := planet.Satellites[0].ConsoleURL() + "/api/v0/auth/register"
|
2021-05-14 16:05:42 +01:00
|
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewBuffer(jsonBody))
|
|
|
|
require.NoError(t, err)
|
|
|
|
req.Header.Set("Content-Type", "application/json")
|
|
|
|
result, err := http.DefaultClient.Do(req)
|
2020-07-28 15:23:17 +01:00
|
|
|
require.NoError(t, err)
|
2020-11-02 12:21:55 +00:00
|
|
|
require.Equal(t, http.StatusOK, result.StatusCode)
|
2020-07-28 15:23:17 +01:00
|
|
|
|
2020-11-02 12:21:55 +00:00
|
|
|
defer func() {
|
|
|
|
err = result.Body.Close()
|
|
|
|
require.NoError(t, err)
|
|
|
|
}()
|
2020-07-28 15:23:17 +01:00
|
|
|
|
2020-11-02 12:21:55 +00:00
|
|
|
body, err := ioutil.ReadAll(result.Body)
|
|
|
|
require.NoError(t, err)
|
2020-07-28 15:23:17 +01:00
|
|
|
|
2020-11-02 12:21:55 +00:00
|
|
|
var userID uuid.UUID
|
|
|
|
err = json.Unmarshal(body, &userID)
|
|
|
|
require.NoError(t, err)
|
2020-07-28 15:23:17 +01:00
|
|
|
|
2020-11-02 12:21:55 +00:00
|
|
|
user, err := planet.Satellites[0].API.Console.Service.GetUser(ctx, userID)
|
2020-07-28 15:23:17 +01:00
|
|
|
require.NoError(t, err)
|
2020-11-02 12:21:55 +00:00
|
|
|
|
|
|
|
if test.ValidPartner {
|
|
|
|
info, err := planet.Satellites[0].API.Marketing.PartnersService.ByName(ctx, test.Partner)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, info.UUID, user.PartnerID)
|
|
|
|
} else {
|
|
|
|
require.Equal(t, uuid.UUID{}, user.PartnerID)
|
|
|
|
}
|
|
|
|
}()
|
2020-07-28 15:23:17 +01:00
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
2020-10-21 11:52:24 +01:00
|
|
|
|
2021-08-26 17:48:24 +01:00
|
|
|
func TestAuth_Register_CORS(t *testing.T) {
|
|
|
|
testplanet.Run(t, testplanet.Config{
|
|
|
|
SatelliteCount: 1, StorageNodeCount: 0, UplinkCount: 0,
|
|
|
|
Reconfigure: testplanet.Reconfigure{
|
|
|
|
Satellite: func(log *zap.Logger, index int, config *satellite.Config) {
|
|
|
|
config.Console.OpenRegistrationEnabled = true
|
|
|
|
config.Console.RateLimit.Burst = 10
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
|
|
|
|
jsonBody := []byte(`{"email":"user@test.com","fullName":"testuser","password":"abc123","shortName":"test"}`)
|
|
|
|
|
|
|
|
url := planet.Satellites[0].ConsoleURL() + "/api/v0/auth/register"
|
|
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewBuffer(jsonBody))
|
|
|
|
require.NoError(t, err)
|
|
|
|
req.Header.Set("Content-Type", "application/json")
|
|
|
|
|
|
|
|
// 1. OPTIONS request
|
|
|
|
// 1.1 CORS headers should not be set with origin other than storj.io or www.storj.io
|
|
|
|
req.Header.Set("Origin", "https://someexternalorigin.test")
|
|
|
|
req.Method = http.MethodOptions
|
|
|
|
resp, err := http.DefaultClient.Do(req)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
require.Equal(t, "", resp.Header.Get("Access-Control-Allow-Origin"))
|
|
|
|
require.Equal(t, "", resp.Header.Get("Access-Control-Allow-Methods"))
|
|
|
|
require.Equal(t, "", resp.Header.Get("Access-Control-Allow-Headers"))
|
|
|
|
require.NoError(t, resp.Body.Close())
|
|
|
|
|
|
|
|
// 1.2 CORS headers should be set with a domain of storj.io
|
|
|
|
req.Header.Set("Origin", "https://storj.io")
|
|
|
|
resp, err = http.DefaultClient.Do(req)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
require.Equal(t, "https://storj.io", resp.Header.Get("Access-Control-Allow-Origin"))
|
|
|
|
require.Equal(t, "POST, OPTIONS", resp.Header.Get("Access-Control-Allow-Methods"))
|
|
|
|
allowedHeaders := strings.Split(resp.Header.Get("Access-Control-Allow-Headers"), ", ")
|
|
|
|
require.ElementsMatch(t, allowedHeaders, []string{
|
|
|
|
"Content-Type",
|
|
|
|
"Content-Length",
|
|
|
|
"Accept",
|
|
|
|
"Accept-Encoding",
|
|
|
|
"X-CSRF-Token",
|
|
|
|
"Authorization",
|
|
|
|
})
|
|
|
|
require.NoError(t, resp.Body.Close())
|
|
|
|
|
|
|
|
// 1.3 CORS headers should be set with a domain of www.storj.io
|
|
|
|
req.Header.Set("Origin", "https://www.storj.io")
|
|
|
|
resp, err = http.DefaultClient.Do(req)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
require.Equal(t, "https://www.storj.io", resp.Header.Get("Access-Control-Allow-Origin"))
|
|
|
|
require.Equal(t, "POST, OPTIONS", resp.Header.Get("Access-Control-Allow-Methods"))
|
|
|
|
allowedHeaders = strings.Split(resp.Header.Get("Access-Control-Allow-Headers"), ", ")
|
|
|
|
require.ElementsMatch(t, allowedHeaders, []string{
|
|
|
|
"Content-Type",
|
|
|
|
"Content-Length",
|
|
|
|
"Accept",
|
|
|
|
"Accept-Encoding",
|
|
|
|
"X-CSRF-Token",
|
|
|
|
"Authorization",
|
|
|
|
})
|
|
|
|
require.NoError(t, resp.Body.Close())
|
|
|
|
|
|
|
|
// 2. POST request with origin www.storj.io
|
|
|
|
req.Method = http.MethodPost
|
|
|
|
resp, err = http.DefaultClient.Do(req)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
require.Equal(t, "https://www.storj.io", resp.Header.Get("Access-Control-Allow-Origin"))
|
|
|
|
require.Equal(t, "POST, OPTIONS", resp.Header.Get("Access-Control-Allow-Methods"))
|
|
|
|
allowedHeaders = strings.Split(resp.Header.Get("Access-Control-Allow-Headers"), ", ")
|
|
|
|
require.ElementsMatch(t, allowedHeaders, []string{
|
|
|
|
"Content-Type",
|
|
|
|
"Content-Length",
|
|
|
|
"Accept",
|
|
|
|
"Accept-Encoding",
|
|
|
|
"X-CSRF-Token",
|
|
|
|
"Authorization",
|
|
|
|
})
|
|
|
|
|
|
|
|
defer func() {
|
|
|
|
err = resp.Body.Close()
|
|
|
|
require.NoError(t, err)
|
|
|
|
}()
|
|
|
|
|
|
|
|
body, err := ioutil.ReadAll(resp.Body)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
var userID uuid.UUID
|
|
|
|
err = json.Unmarshal(body, &userID)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
_, err = planet.Satellites[0].API.Console.Service.GetUser(ctx, userID)
|
|
|
|
require.NoError(t, err)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2020-10-21 11:52:24 +01:00
|
|
|
func TestDeleteAccount(t *testing.T) {
|
2021-05-14 16:05:42 +01:00
|
|
|
ctx := testcontext.New(t)
|
|
|
|
|
2020-10-21 11:52:24 +01:00
|
|
|
// We do a black box testing because currently we don't allow to delete
|
|
|
|
// accounts through the API hence we must always return an error response.
|
|
|
|
|
|
|
|
config := &quick.Config{
|
|
|
|
Values: func(values []reflect.Value, rnd *rand.Rand) {
|
|
|
|
// TODO: use or implement a better and thorough HTTP Request random generator
|
|
|
|
|
|
|
|
var method string
|
|
|
|
switch rnd.Intn(9) {
|
|
|
|
case 0:
|
|
|
|
method = http.MethodGet
|
|
|
|
case 1:
|
|
|
|
method = http.MethodHead
|
|
|
|
case 2:
|
|
|
|
method = http.MethodPost
|
|
|
|
case 3:
|
|
|
|
method = http.MethodPut
|
|
|
|
case 4:
|
|
|
|
method = http.MethodPatch
|
|
|
|
case 5:
|
|
|
|
method = http.MethodDelete
|
|
|
|
case 6:
|
|
|
|
method = http.MethodConnect
|
|
|
|
case 7:
|
|
|
|
method = http.MethodOptions
|
|
|
|
case 8:
|
|
|
|
method = http.MethodTrace
|
|
|
|
default:
|
|
|
|
t.Fatal("unexpected random value for HTTP method selection")
|
|
|
|
}
|
|
|
|
|
|
|
|
var path string
|
|
|
|
{
|
|
|
|
|
|
|
|
val, ok := quick.Value(reflect.TypeOf(""), rnd)
|
|
|
|
require.True(t, ok, "quick.Values generator function couldn't generate a string")
|
|
|
|
path = url.PathEscape(val.String())
|
|
|
|
}
|
|
|
|
|
|
|
|
var query string
|
|
|
|
{
|
|
|
|
nparams := rnd.Intn(27)
|
|
|
|
params := make([]string, nparams)
|
|
|
|
|
|
|
|
for i := 0; i < nparams; i++ {
|
|
|
|
val, ok := quick.Value(reflect.TypeOf(""), rnd)
|
|
|
|
require.True(t, ok, "quick.Values generator function couldn't generate a string")
|
|
|
|
param := val.String()
|
|
|
|
|
|
|
|
val, ok = quick.Value(reflect.TypeOf(""), rnd)
|
|
|
|
require.True(t, ok, "quick.Values generator function couldn't generate a string")
|
|
|
|
param += "=" + val.String()
|
|
|
|
|
|
|
|
params[i] = param
|
|
|
|
}
|
|
|
|
|
|
|
|
query = url.QueryEscape(strings.Join(params, "&"))
|
|
|
|
}
|
|
|
|
|
|
|
|
var body io.Reader
|
|
|
|
{
|
|
|
|
val, ok := quick.Value(reflect.TypeOf([]byte(nil)), rnd)
|
|
|
|
require.True(t, ok, "quick.Values generator function couldn't generate a byte slice")
|
|
|
|
body = bytes.NewReader(val.Bytes())
|
|
|
|
}
|
|
|
|
|
|
|
|
withQuery := ""
|
|
|
|
if len(query) > 0 {
|
|
|
|
withQuery = "?"
|
|
|
|
}
|
|
|
|
|
|
|
|
reqURL, err := url.Parse("//storj.io/" + path + withQuery + query)
|
|
|
|
require.NoError(t, err, "error when generating a random URL")
|
2021-05-14 16:05:42 +01:00
|
|
|
req, err := http.NewRequestWithContext(ctx, method, reqURL.String(), body)
|
2020-10-21 11:52:24 +01:00
|
|
|
require.NoError(t, err, "error when geneating a random request")
|
|
|
|
values[0] = reflect.ValueOf(req)
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
expectedHandler := func(_ *http.Request) (status int, body []byte) {
|
2021-07-15 22:06:23 +01:00
|
|
|
return http.StatusNotImplemented, []byte("{\"error\":\"The server is incapable of fulfilling the request\"}\n")
|
2020-10-21 11:52:24 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
actualHandler := func(r *http.Request) (status int, body []byte) {
|
|
|
|
rr := httptest.NewRecorder()
|
2021-06-28 18:34:33 +01:00
|
|
|
authController := consoleapi.NewAuth(zap.L(), nil, nil, nil, nil, nil, "", "", "", "")
|
|
|
|
authController.DeleteAccount(rr, r)
|
2020-10-21 11:52:24 +01:00
|
|
|
|
|
|
|
//nolint:bodyclose
|
|
|
|
result := rr.Result()
|
|
|
|
defer func() {
|
|
|
|
err := result.Body.Close()
|
|
|
|
require.NoError(t, err)
|
|
|
|
}()
|
|
|
|
|
|
|
|
body, err := ioutil.ReadAll(result.Body)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
return result.StatusCode, body
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
err := quick.CheckEqual(expectedHandler, actualHandler, config)
|
|
|
|
if err != nil {
|
|
|
|
fmt.Printf("%+v\n", err)
|
2021-05-14 16:05:42 +01:00
|
|
|
var cerr *quick.CheckEqualError
|
|
|
|
require.True(t, errors.As(err, &cerr))
|
2020-10-21 11:52:24 +01:00
|
|
|
|
|
|
|
t.Fatalf(`DeleteAccount handler has returned a different response:
|
|
|
|
round: %d
|
|
|
|
input args: %+v
|
|
|
|
expected response:
|
|
|
|
status code: %d
|
|
|
|
response body: %s
|
|
|
|
returned response:
|
|
|
|
status code: %d
|
|
|
|
response body: %s
|
|
|
|
`, cerr.Count, cerr.In, cerr.Out1[0], cerr.Out1[1], cerr.Out2[0], cerr.Out2[1])
|
|
|
|
}
|
|
|
|
}
|
2021-07-13 18:21:16 +01:00
|
|
|
|
|
|
|
func TestMFAEndpoints(t *testing.T) {
|
|
|
|
testplanet.Run(t, testplanet.Config{
|
|
|
|
SatelliteCount: 1, StorageNodeCount: 0, UplinkCount: 0,
|
|
|
|
}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
|
|
|
|
sat := planet.Satellites[0]
|
|
|
|
|
|
|
|
user, err := sat.AddUser(ctx, console.CreateUser{
|
|
|
|
FullName: "MFA Test User",
|
|
|
|
Email: "mfauser@mail.test",
|
|
|
|
}, 1)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
token, err := sat.API.Console.Service.Token(ctx, console.AuthUser{Email: user.Email, Password: user.FullName})
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, token)
|
|
|
|
|
2021-07-20 12:34:40 +01:00
|
|
|
type data struct {
|
2021-08-16 22:23:06 +01:00
|
|
|
Passcode string `json:"passcode"`
|
|
|
|
RecoveryCode string `json:"recoveryCode"`
|
2021-07-20 12:34:40 +01:00
|
|
|
}
|
|
|
|
|
2021-08-16 22:23:06 +01:00
|
|
|
doRequest := func(urlSuffix string, passcode string, recoveryCode string) *http.Response {
|
2021-08-26 17:48:24 +01:00
|
|
|
urlLink := sat.ConsoleURL() + "/api/v0/auth/mfa" + urlSuffix
|
2021-07-13 18:21:16 +01:00
|
|
|
var buf io.Reader
|
|
|
|
|
2021-07-20 12:34:40 +01:00
|
|
|
body := &data{
|
2021-08-16 22:23:06 +01:00
|
|
|
Passcode: passcode,
|
|
|
|
RecoveryCode: recoveryCode,
|
2021-07-13 18:21:16 +01:00
|
|
|
}
|
|
|
|
|
2021-07-20 12:34:40 +01:00
|
|
|
bodyBytes, err := json.Marshal(body)
|
|
|
|
require.NoError(t, err)
|
|
|
|
buf = bytes.NewBuffer(bodyBytes)
|
|
|
|
|
|
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodPost, urlLink, buf)
|
2021-07-13 18:21:16 +01:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
req.AddCookie(&http.Cookie{
|
|
|
|
Name: "_tokenKey",
|
|
|
|
Path: "/",
|
|
|
|
Value: token,
|
|
|
|
Expires: time.Now().AddDate(0, 0, 1),
|
|
|
|
})
|
|
|
|
|
2021-07-20 12:34:40 +01:00
|
|
|
req.Header.Set("Content-Type", "application/json")
|
2021-07-13 18:21:16 +01:00
|
|
|
|
|
|
|
result, err := http.DefaultClient.Do(req)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
|
|
|
|
// Expect failure because MFA is not enabled.
|
2021-08-16 22:23:06 +01:00
|
|
|
result := doRequest("/generate-recovery-codes", "", "")
|
2021-07-13 18:21:16 +01:00
|
|
|
require.Equal(t, http.StatusUnauthorized, result.StatusCode)
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
|
|
|
|
// Expect failure due to not having generated a secret key.
|
2021-08-16 22:23:06 +01:00
|
|
|
result = doRequest("/enable", "123456", "")
|
2021-07-13 18:21:16 +01:00
|
|
|
require.Equal(t, http.StatusBadRequest, result.StatusCode)
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
|
|
|
|
// Expect success when generating a secret key.
|
2021-08-16 22:23:06 +01:00
|
|
|
result = doRequest("/generate-secret-key", "", "")
|
2021-07-13 18:21:16 +01:00
|
|
|
require.Equal(t, http.StatusOK, result.StatusCode)
|
|
|
|
|
|
|
|
var key string
|
|
|
|
err = json.NewDecoder(result.Body).Decode(&key)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
|
|
|
|
// Expect failure due to prodiving empty passcode.
|
2021-08-16 22:23:06 +01:00
|
|
|
result = doRequest("/enable", "", "")
|
2021-07-13 18:21:16 +01:00
|
|
|
require.Equal(t, http.StatusBadRequest, result.StatusCode)
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
|
|
|
|
// Expect failure due to providing invalid passcode.
|
|
|
|
badCode, err := console.NewMFAPasscode(key, time.Now().Add(time.Hour))
|
|
|
|
require.NoError(t, err)
|
2021-08-16 22:23:06 +01:00
|
|
|
result = doRequest("/enable", badCode, "")
|
2021-07-13 18:21:16 +01:00
|
|
|
require.Equal(t, http.StatusBadRequest, result.StatusCode)
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
|
|
|
|
// Expect success when providing valid passcode.
|
|
|
|
goodCode, err := console.NewMFAPasscode(key, time.Now())
|
|
|
|
require.NoError(t, err)
|
2021-08-16 22:23:06 +01:00
|
|
|
result = doRequest("/enable", goodCode, "")
|
2021-07-13 18:21:16 +01:00
|
|
|
require.Equal(t, http.StatusOK, result.StatusCode)
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
|
|
|
|
// Expect 10 recovery codes to be generated.
|
2021-08-16 22:23:06 +01:00
|
|
|
result = doRequest("/generate-recovery-codes", "", "")
|
2021-07-13 18:21:16 +01:00
|
|
|
require.Equal(t, http.StatusOK, result.StatusCode)
|
|
|
|
|
|
|
|
var codes []string
|
|
|
|
err = json.NewDecoder(result.Body).Decode(&codes)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Len(t, codes, console.MFARecoveryCodeCount)
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
|
|
|
|
// Expect no token due to missing passcode.
|
|
|
|
newToken, err := sat.API.Console.Service.Token(ctx, console.AuthUser{Email: user.Email, Password: user.FullName})
|
2021-08-16 22:23:06 +01:00
|
|
|
require.True(t, console.ErrMFAMissing.Has(err))
|
2021-07-13 18:21:16 +01:00
|
|
|
require.Empty(t, newToken)
|
|
|
|
|
|
|
|
// Expect token when providing valid passcode.
|
|
|
|
newToken, err = sat.API.Console.Service.Token(ctx, console.AuthUser{
|
|
|
|
Email: user.Email,
|
|
|
|
Password: user.FullName,
|
|
|
|
MFAPasscode: goodCode,
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, newToken)
|
|
|
|
|
|
|
|
// Expect no token when providing invalid recovery code.
|
|
|
|
newToken, err = sat.API.Console.Service.Token(ctx, console.AuthUser{
|
|
|
|
Email: user.Email,
|
|
|
|
Password: user.FullName,
|
|
|
|
MFARecoveryCode: "BADCODE",
|
|
|
|
})
|
|
|
|
require.True(t, console.ErrUnauthorized.Has(err))
|
|
|
|
require.Empty(t, newToken)
|
|
|
|
|
|
|
|
for _, code := range codes {
|
|
|
|
opts := console.AuthUser{
|
|
|
|
Email: user.Email,
|
|
|
|
Password: user.FullName,
|
|
|
|
MFARecoveryCode: code,
|
|
|
|
}
|
|
|
|
|
|
|
|
// Expect token when providing valid recovery code.
|
|
|
|
newToken, err = sat.API.Console.Service.Token(ctx, opts)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, newToken)
|
|
|
|
|
|
|
|
// Expect error when providing expired recovery code.
|
|
|
|
newToken, err = sat.API.Console.Service.Token(ctx, opts)
|
|
|
|
require.True(t, console.ErrUnauthorized.Has(err))
|
|
|
|
require.Empty(t, newToken)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Expect failure due to disabling MFA with no passcode.
|
2021-08-16 22:23:06 +01:00
|
|
|
result = doRequest("/disable", "", "")
|
2021-07-13 18:21:16 +01:00
|
|
|
require.Equal(t, http.StatusBadRequest, result.StatusCode)
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
|
|
|
|
// Expect failure due to disabling MFA with invalid passcode.
|
2021-08-16 22:23:06 +01:00
|
|
|
result = doRequest("/disable", badCode, "")
|
2021-07-13 18:21:16 +01:00
|
|
|
require.Equal(t, http.StatusBadRequest, result.StatusCode)
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
|
2021-08-16 22:23:06 +01:00
|
|
|
// Expect failure when disabling due to providing both passcode and recovery code.
|
|
|
|
result = doRequest("/generate-recovery-codes", "", "")
|
|
|
|
err = json.NewDecoder(result.Body).Decode(&codes)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
|
|
|
|
result = doRequest("/disable", goodCode, codes[0])
|
|
|
|
require.Equal(t, http.StatusConflict, result.StatusCode)
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
|
2021-07-13 18:21:16 +01:00
|
|
|
// Expect success when disabling MFA with valid passcode.
|
2021-08-16 22:23:06 +01:00
|
|
|
result = doRequest("/disable", goodCode, "")
|
|
|
|
require.Equal(t, http.StatusOK, result.StatusCode)
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
|
|
|
|
// Expect success when disabling MFA with valid recovery code.
|
|
|
|
result = doRequest("/generate-secret-key", "", "")
|
|
|
|
err = json.NewDecoder(result.Body).Decode(&key)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
|
|
|
|
goodCode, err = console.NewMFAPasscode(key, time.Now())
|
|
|
|
require.NoError(t, err)
|
|
|
|
result = doRequest("/enable", goodCode, "")
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
|
|
|
|
result = doRequest("/generate-recovery-codes", "", "")
|
|
|
|
err = json.NewDecoder(result.Body).Decode(&codes)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
|
|
|
|
result = doRequest("/disable", "", codes[0])
|
2021-07-13 18:21:16 +01:00
|
|
|
require.Equal(t, http.StatusOK, result.StatusCode)
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
})
|
|
|
|
}
|
2021-07-23 21:53:19 +01:00
|
|
|
|
|
|
|
func TestResetPasswordEndpoint(t *testing.T) {
|
|
|
|
testplanet.Run(t, testplanet.Config{
|
|
|
|
SatelliteCount: 1, StorageNodeCount: 0, UplinkCount: 0,
|
|
|
|
}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
|
|
|
|
newPass := "123a123"
|
|
|
|
sat := planet.Satellites[0]
|
|
|
|
|
|
|
|
user, err := sat.AddUser(ctx, console.CreateUser{
|
|
|
|
FullName: "Test User",
|
|
|
|
Email: "test@mail.test",
|
|
|
|
}, 1)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
token, err := sat.DB.Console().ResetPasswordTokens().Create(ctx, user.ID)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, token)
|
|
|
|
tokenStr := token.Secret.String()
|
|
|
|
|
|
|
|
tryReset := func(token, password string) int {
|
2021-08-26 17:48:24 +01:00
|
|
|
url := sat.ConsoleURL() + "/api/v0/auth/reset-password"
|
2021-07-23 21:53:19 +01:00
|
|
|
|
|
|
|
bodyBytes, err := json.Marshal(map[string]string{
|
|
|
|
"password": password,
|
|
|
|
"token": token,
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewBuffer(bodyBytes))
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
req.Header.Set("Content-Type", "application/json")
|
|
|
|
|
|
|
|
result, err := http.DefaultClient.Do(req)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, result.Body.Close())
|
|
|
|
return result.StatusCode
|
|
|
|
}
|
|
|
|
|
|
|
|
require.Equal(t, http.StatusUnauthorized, tryReset("badToken", newPass))
|
|
|
|
require.Equal(t, http.StatusBadRequest, tryReset(tokenStr, "bad"))
|
|
|
|
require.Equal(t, http.StatusOK, tryReset(tokenStr, newPass))
|
|
|
|
})
|
|
|
|
}
|