123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704 |
- <?php
- /**
- * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
- * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
- * SPDX-License-Identifier: AGPL-3.0-only
- */
- namespace Test\Authentication\TwoFactorAuth;
- use OC;
- use OC\Authentication\Token\IProvider as TokenProvider;
- use OC\Authentication\TwoFactorAuth\Manager;
- use OC\Authentication\TwoFactorAuth\MandatoryTwoFactor;
- use OC\Authentication\TwoFactorAuth\ProviderLoader;
- use OCP\Activity\IEvent;
- use OCP\Activity\IManager;
- use OCP\AppFramework\Utility\ITimeFactory;
- use OCP\Authentication\TwoFactorAuth\IActivatableAtLogin;
- use OCP\Authentication\TwoFactorAuth\IProvider;
- use OCP\Authentication\TwoFactorAuth\IRegistry;
- use OCP\EventDispatcher\IEventDispatcher;
- use OCP\IConfig;
- use OCP\ISession;
- use OCP\IUser;
- use PHPUnit\Framework\MockObject\MockObject;
- use Psr\Log\LoggerInterface;
- use Test\TestCase;
- use function reset;
- class ManagerTest extends TestCase {
- /** @var IUser|MockObject */
- private $user;
- /** @var ProviderLoader|MockObject */
- private $providerLoader;
- /** @var IRegistry|MockObject */
- private $providerRegistry;
- /** @var MandatoryTwoFactor|MockObject */
- private $mandatoryTwoFactor;
- /** @var ISession|MockObject */
- private $session;
- /** @var Manager */
- private $manager;
- /** @var IConfig|MockObject */
- private $config;
- /** @var IManager|MockObject */
- private $activityManager;
- /** @var LoggerInterface|MockObject */
- private $logger;
- /** @var IProvider|MockObject */
- private $fakeProvider;
- /** @var IProvider|MockObject */
- private $backupProvider;
- /** @var TokenProvider|MockObject */
- private $tokenProvider;
- /** @var ITimeFactory|MockObject */
- private $timeFactory;
- /** @var IEventDispatcher|MockObject */
- private $dispatcher;
- protected function setUp(): void {
- parent::setUp();
- $this->user = $this->createMock(IUser::class);
- $this->providerLoader = $this->createMock(ProviderLoader::class);
- $this->providerRegistry = $this->createMock(IRegistry::class);
- $this->mandatoryTwoFactor = $this->createMock(MandatoryTwoFactor::class);
- $this->session = $this->createMock(ISession::class);
- $this->config = $this->createMock(IConfig::class);
- $this->activityManager = $this->createMock(IManager::class);
- $this->logger = $this->createMock(LoggerInterface::class);
- $this->tokenProvider = $this->createMock(TokenProvider::class);
- $this->timeFactory = $this->createMock(ITimeFactory::class);
- $this->dispatcher = $this->createMock(IEventDispatcher::class);
- $this->manager = new Manager(
- $this->providerLoader,
- $this->providerRegistry,
- $this->mandatoryTwoFactor,
- $this->session,
- $this->config,
- $this->activityManager,
- $this->logger,
- $this->tokenProvider,
- $this->timeFactory,
- $this->dispatcher,
- );
- $this->fakeProvider = $this->createMock(IProvider::class);
- $this->fakeProvider->method('getId')->willReturn('email');
- $this->backupProvider = $this->getMockBuilder('\OCP\Authentication\TwoFactorAuth\IProvider')->getMock();
- $this->backupProvider->method('getId')->willReturn('backup_codes');
- $this->backupProvider->method('isTwoFactorAuthEnabledForUser')->willReturn(true);
- }
- private function prepareNoProviders() {
- $this->providerLoader->method('getProviders')
- ->with($this->user)
- ->willReturn([]);
- }
- private function prepareProviders() {
- $this->providerRegistry->expects($this->once())
- ->method('getProviderStates')
- ->with($this->user)
- ->willReturn([
- $this->fakeProvider->getId() => true,
- ]);
- $this->providerLoader->expects($this->once())
- ->method('getProviders')
- ->with($this->user)
- ->willReturn([$this->fakeProvider]);
- }
- private function prepareProvidersWitBackupProvider() {
- $this->providerLoader->method('getProviders')
- ->with($this->user)
- ->willReturn([
- $this->fakeProvider,
- $this->backupProvider,
- ]);
- }
- public function testIsTwoFactorAuthenticatedEnforced() {
- $this->mandatoryTwoFactor->expects($this->once())
- ->method('isEnforcedFor')
- ->with($this->user)
- ->willReturn(true);
- $enabled = $this->manager->isTwoFactorAuthenticated($this->user);
- $this->assertTrue($enabled);
- }
- public function testIsTwoFactorAuthenticatedNoProviders() {
- $this->mandatoryTwoFactor->expects($this->once())
- ->method('isEnforcedFor')
- ->with($this->user)
- ->willReturn(false);
- $this->providerRegistry->expects($this->once())
- ->method('getProviderStates')
- ->willReturn([]); // No providers registered
- $this->providerLoader->expects($this->once())
- ->method('getProviders')
- ->willReturn([]); // No providers loadable
- $this->assertFalse($this->manager->isTwoFactorAuthenticated($this->user));
- }
- public function testIsTwoFactorAuthenticatedOnlyBackupCodes() {
- $this->mandatoryTwoFactor->expects($this->once())
- ->method('isEnforcedFor')
- ->with($this->user)
- ->willReturn(false);
- $this->providerRegistry->expects($this->once())
- ->method('getProviderStates')
- ->willReturn([
- 'backup_codes' => true,
- ]);
- $backupCodesProvider = $this->createMock(IProvider::class);
- $backupCodesProvider
- ->method('getId')
- ->willReturn('backup_codes');
- $this->providerLoader->expects($this->once())
- ->method('getProviders')
- ->willReturn([
- $backupCodesProvider,
- ]);
- $this->assertFalse($this->manager->isTwoFactorAuthenticated($this->user));
- }
- public function testIsTwoFactorAuthenticatedFailingProviders() {
- $this->mandatoryTwoFactor->expects($this->once())
- ->method('isEnforcedFor')
- ->with($this->user)
- ->willReturn(false);
- $this->providerRegistry->expects($this->once())
- ->method('getProviderStates')
- ->willReturn([
- 'twofactor_totp' => true,
- 'twofactor_u2f' => false,
- ]); // Two providers registered, but …
- $this->providerLoader->expects($this->once())
- ->method('getProviders')
- ->willReturn([]); // … none of them is able to load, however …
- // … 2FA is still enforced
- $this->assertTrue($this->manager->isTwoFactorAuthenticated($this->user));
- }
- public function providerStatesFixData(): array {
- return [
- [false, false],
- [true, true],
- ];
- }
- /**
- * If the 2FA registry has not been populated when a user logs in,
- * the 2FA manager has to first fix the state before it checks for
- * enabled providers.
- *
- * If any of these providers is active, 2FA is enabled
- *
- * @dataProvider providerStatesFixData
- */
- public function testIsTwoFactorAuthenticatedFixesProviderStates(bool $providerEnabled, bool $expected) {
- $this->providerRegistry->expects($this->once())
- ->method('getProviderStates')
- ->willReturn([]); // Nothing registered yet
- $this->providerLoader->expects($this->once())
- ->method('getProviders')
- ->willReturn([
- $this->fakeProvider
- ]);
- $this->fakeProvider->expects($this->once())
- ->method('isTwoFactorAuthEnabledForUser')
- ->with($this->user)
- ->willReturn($providerEnabled);
- if ($providerEnabled) {
- $this->providerRegistry->expects($this->once())
- ->method('enableProviderFor')
- ->with(
- $this->fakeProvider,
- $this->user
- );
- } else {
- $this->providerRegistry->expects($this->once())
- ->method('disableProviderFor')
- ->with(
- $this->fakeProvider,
- $this->user
- );
- }
- $this->assertEquals($expected, $this->manager->isTwoFactorAuthenticated($this->user));
- }
- public function testGetProvider() {
- $this->providerRegistry->expects($this->once())
- ->method('getProviderStates')
- ->with($this->user)
- ->willReturn([
- $this->fakeProvider->getId() => true,
- ]);
- $this->providerLoader->expects($this->once())
- ->method('getProviders')
- ->with($this->user)
- ->willReturn([$this->fakeProvider]);
- $provider = $this->manager->getProvider($this->user, $this->fakeProvider->getId());
- $this->assertSame($this->fakeProvider, $provider);
- }
- public function testGetInvalidProvider() {
- $this->providerRegistry->expects($this->once())
- ->method('getProviderStates')
- ->with($this->user)
- ->willReturn([]);
- $this->providerLoader->expects($this->once())
- ->method('getProviders')
- ->with($this->user)
- ->willReturn([]);
- $provider = $this->manager->getProvider($this->user, 'nonexistent');
- $this->assertNull($provider);
- }
- public function testGetLoginSetupProviders() {
- $provider1 = $this->createMock(IProvider::class);
- $provider2 = $this->createMock(IActivatableAtLogin::class);
- $this->providerLoader->expects($this->once())
- ->method('getProviders')
- ->with($this->user)
- ->willReturn([
- $provider1,
- $provider2,
- ]);
- $providers = $this->manager->getLoginSetupProviders($this->user);
- $this->assertCount(1, $providers);
- $this->assertSame($provider2, reset($providers));
- }
- public function testGetProviders() {
- $this->providerRegistry->expects($this->once())
- ->method('getProviderStates')
- ->with($this->user)
- ->willReturn([
- $this->fakeProvider->getId() => true,
- ]);
- $this->providerLoader->expects($this->once())
- ->method('getProviders')
- ->with($this->user)
- ->willReturn([$this->fakeProvider]);
- $expectedProviders = [
- 'email' => $this->fakeProvider,
- ];
- $providerSet = $this->manager->getProviderSet($this->user);
- $providers = $providerSet->getProviders();
- $this->assertEquals($expectedProviders, $providers);
- $this->assertFalse($providerSet->isProviderMissing());
- }
- public function testGetProvidersOneMissing() {
- $this->providerRegistry->expects($this->once())
- ->method('getProviderStates')
- ->with($this->user)
- ->willReturn([
- $this->fakeProvider->getId() => true,
- ]);
- $this->providerLoader->expects($this->once())
- ->method('getProviders')
- ->with($this->user)
- ->willReturn([]);
- $expectedProviders = [
- 'email' => $this->fakeProvider,
- ];
- $providerSet = $this->manager->getProviderSet($this->user);
- $this->assertTrue($providerSet->isProviderMissing());
- }
- public function testVerifyChallenge() {
- $this->prepareProviders();
- $challenge = 'passme';
- $event = $this->createMock(IEvent::class);
- $this->fakeProvider->expects($this->once())
- ->method('verifyChallenge')
- ->with($this->user, $challenge)
- ->willReturn(true);
- $this->session->expects($this->once())
- ->method('get')
- ->with('two_factor_remember_login')
- ->willReturn(false);
- $this->session->expects($this->exactly(2))
- ->method('remove')
- ->withConsecutive(
- ['two_factor_auth_uid'],
- ['two_factor_remember_login']
- );
- $this->session->expects($this->once())
- ->method('set')
- ->with(Manager::SESSION_UID_DONE, 'jos');
- $this->session->method('getId')
- ->willReturn('mysessionid');
- $this->activityManager->expects($this->once())
- ->method('generateEvent')
- ->willReturn($event);
- $this->user->expects($this->any())
- ->method('getUID')
- ->willReturn('jos');
- $event->expects($this->once())
- ->method('setApp')
- ->with($this->equalTo('core'))
- ->willReturnSelf();
- $event->expects($this->once())
- ->method('setType')
- ->with($this->equalTo('security'))
- ->willReturnSelf();
- $event->expects($this->once())
- ->method('setAuthor')
- ->with($this->equalTo('jos'))
- ->willReturnSelf();
- $event->expects($this->once())
- ->method('setAffectedUser')
- ->with($this->equalTo('jos'))
- ->willReturnSelf();
- $this->fakeProvider
- ->method('getDisplayName')
- ->willReturn('Fake 2FA');
- $event->expects($this->once())
- ->method('setSubject')
- ->with($this->equalTo('twofactor_success'), $this->equalTo([
- 'provider' => 'Fake 2FA',
- ]))
- ->willReturnSelf();
- $token = $this->createMock(OC\Authentication\Token\IToken::class);
- $this->tokenProvider->method('getToken')
- ->with('mysessionid')
- ->willReturn($token);
- $token->method('getId')
- ->willReturn(42);
- $this->config->expects($this->once())
- ->method('deleteUserValue')
- ->with('jos', 'login_token_2fa', '42');
- $result = $this->manager->verifyChallenge('email', $this->user, $challenge);
- $this->assertTrue($result);
- }
- public function testVerifyChallengeInvalidProviderId() {
- $this->prepareProviders();
- $challenge = 'passme';
- $this->fakeProvider->expects($this->never())
- ->method('verifyChallenge')
- ->with($this->user, $challenge);
- $this->session->expects($this->never())
- ->method('remove');
- $this->assertFalse($this->manager->verifyChallenge('dontexist', $this->user, $challenge));
- }
- public function testVerifyInvalidChallenge() {
- $this->prepareProviders();
- $challenge = 'dontpassme';
- $event = $this->createMock(IEvent::class);
- $this->fakeProvider->expects($this->once())
- ->method('verifyChallenge')
- ->with($this->user, $challenge)
- ->willReturn(false);
- $this->session->expects($this->never())
- ->method('remove');
- $this->activityManager->expects($this->once())
- ->method('generateEvent')
- ->willReturn($event);
- $this->user->expects($this->any())
- ->method('getUID')
- ->willReturn('jos');
- $event->expects($this->once())
- ->method('setApp')
- ->with($this->equalTo('core'))
- ->willReturnSelf();
- $event->expects($this->once())
- ->method('setType')
- ->with($this->equalTo('security'))
- ->willReturnSelf();
- $event->expects($this->once())
- ->method('setAuthor')
- ->with($this->equalTo('jos'))
- ->willReturnSelf();
- $event->expects($this->once())
- ->method('setAffectedUser')
- ->with($this->equalTo('jos'))
- ->willReturnSelf();
- $this->fakeProvider
- ->method('getDisplayName')
- ->willReturn('Fake 2FA');
- $event->expects($this->once())
- ->method('setSubject')
- ->with($this->equalTo('twofactor_failed'), $this->equalTo([
- 'provider' => 'Fake 2FA',
- ]))
- ->willReturnSelf();
- $this->assertFalse($this->manager->verifyChallenge('email', $this->user, $challenge));
- }
- public function testNeedsSecondFactor() {
- $user = $this->createMock(IUser::class);
- $this->session->expects($this->exactly(3))
- ->method('exists')
- ->withConsecutive(
- ['app_password'],
- ['two_factor_auth_uid'],
- [Manager::SESSION_UID_DONE],
- )
- ->willReturn(false);
- $this->session->method('getId')
- ->willReturn('mysessionid');
- $token = $this->createMock(OC\Authentication\Token\IToken::class);
- $this->tokenProvider->method('getToken')
- ->with('mysessionid')
- ->willReturn($token);
- $token->method('getId')
- ->willReturn(42);
- $user->method('getUID')
- ->willReturn('user');
- $this->config->method('getUserKeys')
- ->with('user', 'login_token_2fa')
- ->willReturn([
- '42'
- ]);
- $manager = $this->getMockBuilder(Manager::class)
- ->setConstructorArgs([
- $this->providerLoader,
- $this->providerRegistry,
- $this->mandatoryTwoFactor,
- $this->session,
- $this->config,
- $this->activityManager,
- $this->logger,
- $this->tokenProvider,
- $this->timeFactory,
- $this->dispatcher,
- ])
- ->setMethods(['loadTwoFactorApp', 'isTwoFactorAuthenticated'])// Do not actually load the apps
- ->getMock();
- $manager->method('isTwoFactorAuthenticated')
- ->with($user)
- ->willReturn(true);
- $this->assertTrue($manager->needsSecondFactor($user));
- }
- public function testNeedsSecondFactorUserIsNull() {
- $user = null;
- $this->session->expects($this->never())
- ->method('exists');
- $this->assertFalse($this->manager->needsSecondFactor($user));
- }
- public function testNeedsSecondFactorWithNoProviderAvailableAnymore() {
- $this->prepareNoProviders();
- $user = null;
- $this->session->expects($this->never())
- ->method('exists')
- ->with('two_factor_auth_uid')
- ->willReturn(true);
- $this->session->expects($this->never())
- ->method('remove')
- ->with('two_factor_auth_uid');
- $this->assertFalse($this->manager->needsSecondFactor($user));
- }
- public function testPrepareTwoFactorLogin() {
- $this->user->method('getUID')
- ->willReturn('ferdinand');
- $this->session->expects($this->exactly(2))
- ->method('set')
- ->withConsecutive(
- ['two_factor_auth_uid', 'ferdinand'],
- ['two_factor_remember_login', true]
- );
- $this->session->method('getId')
- ->willReturn('mysessionid');
- $token = $this->createMock(OC\Authentication\Token\IToken::class);
- $this->tokenProvider->method('getToken')
- ->with('mysessionid')
- ->willReturn($token);
- $token->method('getId')
- ->willReturn(42);
- $this->timeFactory->method('getTime')
- ->willReturn(1337);
- $this->config->method('setUserValue')
- ->with('ferdinand', 'login_token_2fa', '42', '1337');
- $this->manager->prepareTwoFactorLogin($this->user, true);
- }
- public function testPrepareTwoFactorLoginDontRemember() {
- $this->user->method('getUID')
- ->willReturn('ferdinand');
- $this->session->expects($this->exactly(2))
- ->method('set')
- ->withConsecutive(
- ['two_factor_auth_uid', 'ferdinand'],
- ['two_factor_remember_login', false]
- );
- $this->session->method('getId')
- ->willReturn('mysessionid');
- $token = $this->createMock(OC\Authentication\Token\IToken::class);
- $this->tokenProvider->method('getToken')
- ->with('mysessionid')
- ->willReturn($token);
- $token->method('getId')
- ->willReturn(42);
- $this->timeFactory->method('getTime')
- ->willReturn(1337);
- $this->config->method('setUserValue')
- ->with('ferdinand', 'login_token_2fa', '42', '1337');
- $this->manager->prepareTwoFactorLogin($this->user, false);
- }
- public function testNeedsSecondFactorSessionAuth() {
- $user = $this->createMock(IUser::class);
- $user->method('getUID')
- ->willReturn('user');
- $this->session->method('exists')
- ->willReturnCallback(function ($var) {
- if ($var === Manager::SESSION_UID_KEY) {
- return false;
- } elseif ($var === 'app_password') {
- return false;
- } elseif ($var === 'app_api') {
- return false;
- }
- return true;
- });
- $this->session->method('get')
- ->willReturnCallback(function ($var) {
- if ($var === Manager::SESSION_UID_KEY) {
- return 'user';
- } elseif ($var === 'app_api') {
- return true;
- }
- return null;
- });
- $this->session->expects($this->once())
- ->method('get')
- ->willReturnMap([
- [Manager::SESSION_UID_DONE, 'user'],
- ['app_api', true]
- ]);
- $this->assertFalse($this->manager->needsSecondFactor($user));
- }
- public function testNeedsSecondFactorSessionAuthFailDBPass() {
- $user = $this->createMock(IUser::class);
- $user->method('getUID')
- ->willReturn('user');
- $this->session->method('exists')
- ->willReturn(false);
- $this->session->method('getId')
- ->willReturn('mysessionid');
- $token = $this->createMock(OC\Authentication\Token\IToken::class);
- $token->method('getId')
- ->willReturn(40);
- $this->tokenProvider->method('getToken')
- ->with('mysessionid')
- ->willReturn($token);
- $this->config->method('getUserKeys')
- ->with('user', 'login_token_2fa')
- ->willReturn([
- '42', '43', '44'
- ]);
- $this->session->expects($this->once())
- ->method('set')
- ->with(Manager::SESSION_UID_DONE, 'user');
- $this->assertFalse($this->manager->needsSecondFactor($user));
- }
- public function testNeedsSecondFactorInvalidToken() {
- $this->prepareNoProviders();
- $user = $this->createMock(IUser::class);
- $user->method('getUID')
- ->willReturn('user');
- $this->session->method('exists')
- ->willReturn(false);
- $this->session->method('getId')
- ->willReturn('mysessionid');
- $this->tokenProvider->method('getToken')
- ->with('mysessionid')
- ->willThrowException(new OC\Authentication\Exceptions\InvalidTokenException());
- $this->config->method('getUserKeys')->willReturn([]);
- $this->assertFalse($this->manager->needsSecondFactor($user));
- }
- public function testNeedsSecondFactorAppPassword() {
- $user = $this->createMock(IUser::class);
- $this->session->method('exists')
- ->willReturnMap([
- ['app_password', true],
- ['app_api', true]
- ]);
- $this->assertFalse($this->manager->needsSecondFactor($user));
- }
- }
|