force 2fa for group of users (#456)

Authored-by: Antonio Cordeddu <coranto@yetopen.com>
2022-08-10 09:22:35 +02:00
parent 43b2d76ec6
commit a0ad86d53d
39 changed files with 409 additions and 50 deletions
--- a/tests/_app/config/db.php
+++ b/tests/_app/config/db.php
@ -12,4 +12,4 @@ if (file_exists(__DIR__.'/db.local.php')) {
    $db = array_merge($db, require(__DIR__.'/db.local.php'));
 }

-return $db;
+return $db;
--- a/tests/_app/config/test.php
+++ b/tests/_app/config/test.php
@ -1,5 +1,7 @@
 <?php

+use Da\User\Filter\TwoFactorAuthenticationEnforceFilter;
+
 return [
    'id' => 'yii2-user-tests',
    'basePath' => dirname(__DIR__),
@ -47,4 +49,12 @@ return [
        ],
    ],
    'params' => [],
+    'on beforeAction' => function() {
+        Yii::$app->controller->attachBehavior(
+            'enforceTwoFactorAuthentication',[
+                'class' => TwoFactorAuthenticationEnforceFilter::class,
+                'except' => ['login', 'logout','account','two-factor', 'two-factor-enable'],
+            ]
+        );
+    },
 ];
--- a/tests/_fixtures/AssignmentFixture.php
+++ b/tests/_fixtures/AssignmentFixture.php
@ -0,0 +1,11 @@
+<?php
+
+namespace tests\_fixtures;
+
+use yii\test\ActiveFixture;
+
+class AssignmentFixture extends ActiveFixture
+{
+    public $modelClass = 'Da\User\Model\Assignment';
+    public $tableName = 'auth_assignment';
+}
--- a/tests/_fixtures/PermissionFixture.php
+++ b/tests/_fixtures/PermissionFixture.php
@ -0,0 +1,11 @@
+<?php
+
+namespace tests\_fixtures;
+
+use yii\test\ActiveFixture;
+
+class PermissionFixture extends ActiveFixture
+{
+    public $modelClass = 'Da\User\Model\Permission';
+    public $tableName = 'auth_item';
+}
--- a/tests/_fixtures/data/auth_assignment.php
+++ b/tests/_fixtures/data/auth_assignment.php
@ -0,0 +1,8 @@
+<?php
+
+return [
+    'auth_assignment' => [
+        'item_name' => 'admin',
+        'user_id' => '1',
+    ],
+];
--- a/tests/_fixtures/data/auth_item.php
+++ b/tests/_fixtures/data/auth_item.php
@ -0,0 +1,9 @@
+<?php
+
+return [
+    'auth_item' => [
+        'name' => 'admin',
+        'type' => 1,
+        'description' => 'test admin',
+    ],
+];
--- a/tests/_fixtures/data/user.php
+++ b/tests/_fixtures/data/user.php
@ -73,4 +73,17 @@ return [
        'updated_at' => $time,
        'confirmed_at' => $time,
    ],
+    'user_with_2fa_enabled' => [
+        'id' => 7,
+        'username' => 'user2fa',
+        'email' => 'user2faenabled@example.com',
+        'password_hash' => '$2y$13$qY.ImaYBppt66qez6B31QO92jc5DYVRzo5NxM1ivItkW74WsSG6Ui',
+        'auth_key' => '39HU0m5lpjWtqstFVGFjj6lFb7UZDeRq',
+        'auth_tf_key' => '',
+        'auth_tf_enabled' => true,
+        'created_at' => $time,
+        'updated_at' => $time,
+        'confirmed_at' => $time,
+        'gdpr_consent' => false,
+    ],
 ];
--- a/tests/functional/TwoFactorAuthenticationCept.php
+++ b/tests/functional/TwoFactorAuthenticationCept.php
@ -0,0 +1,55 @@
+<?php
+
+/**
+ * @var Codeception\Scenario
+ */
+
+use tests\_fixtures\UserFixture;
+use tests\_fixtures\PermissionFixture;
+use tests\_fixtures\AssignmentFixture;
+use tests\_fixtures\ProfileFixture;
+
+
+$I = new FunctionalTester($scenario);
+$I->wantTo('ensure that two factor authentication check works');
+$I->haveFixtures(['user' => UserFixture::className()]);
+$I->haveFixtures(['permission' => PermissionFixture::className()]);
+$I->haveFixtures(['assignment' => AssignmentFixture::className()]);
+
+$I->amGoingTo('try to login with user having two factor authentication enabled');
+Yii::$app->getModule('user')->enableTwoFactorAuthentication = true;
+$I->amOnRoute('/user/security/login');
+$user = $I->grabFixture('user', 'user_with_2fa_enabled');
+$I->fillField('#loginform-login', $user->email);
+$I->fillField('#loginform-password', 'qwerty');
+$I->click('Sign in');
+$I->expectTo('See form to insert two factor authentication code');
+$I->see('Two factor authentication code');
+
+
+$I->amGoingTo('try to login with user permission admin, having two factor authentication disabled');
+Yii::$app->getModule('user')->enableTwoFactorAuthentication = true;
+Yii::$app->getModule('user')->twoFactorAuthenticationForcedPermissions = ['admin'];
+$I->haveFixtures(['user' => UserFixture::className(), 'profile' => ProfileFixture::className()]);
+$I->amOnRoute('/user/security/login');
+$user = $I->grabFixture('user', 'user');
+$I->fillField('#loginform-login', $user->email);
+$I->fillField('#loginform-password', 'qwerty');
+$I->click('Sign in');
+$I->expectTo('The user must be forced to enable two factor authentication');
+$I->see('Your role requires 2FA, you won\'t be able to use the application until you enable it');
+Yii::$app->user->logout();
+
+$I->amGoingTo('try to login with correct credentials when two factor authentication is disabled on the module');
+Yii::$app->getModule('user')->enableTwoFactorAuthentication = false;
+$I->amOnRoute('/user/security/login');
+$I->amGoingTo('try to login with correct credentials');
+$user = $I->grabFixture('user', 'user');
+$I->fillField('#loginform-login', $user->email);
+$I->fillField('#loginform-password', 'qwerty');
+$I->click('Sign in');
+$I->dontSee('Login');
+$I->see('Logout');
+
+
+