1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
require_relative 'spec_helper'
require 'open3'
require 'json'
describe 'bin/gitlab-shell 2fa_verify' do
include_context 'gitlab shell'
let(:env) do
{ 'SSH_CONNECTION' => 'fake',
'SSH_ORIGINAL_COMMAND' => '2fa_verify' }
end
let(:correct_otp) { '123456' }
before(:context) do
write_config('gitlab_url' => "http+unix://#{CGI.escape(tmp_socket_path)}")
end
def mock_server(server)
server.mount_proc('/api/v4/internal/two_factor_manual_otp_check') do |req, res|
res.content_type = 'application/json'
res.status = 200
params = JSON.parse(req.body)
res.body = if params['otp_attempt'] == correct_otp
{ success: true }.to_json
else
{ success: false, message: 'boom!' }.to_json
end
end
server.mount_proc('/api/v4/internal/two_factor_push_otp_check') do |req, res|
res.content_type = 'application/json'
res.status = 200
params = JSON.parse(req.body)
id = params['key_id'] || params['user_id'].to_s
if id == '100'
res.body = { success: false, message: 'boom!' }.to_json
else
res.body = { success: true }.to_json
end
end
server.mount_proc('/api/v4/internal/discover') do |req, res|
res.status = 200
res.content_type = 'application/json'
if req.query['username'] == 'someone'
res.body = { id: 100, name: 'Some User', username: 'someuser' }.to_json
else
res.body = { id: 101, name: 'Another User', username: 'another' }.to_json
end
end
end
describe 'entering OTP manually' do
let(:cmd) { "#{gitlab_shell_path} key-100" }
context 'when key is provided' do
it 'asks a user for a correct OTP' do
verify_successful_otp_verification!(cmd)
end
end
context 'when username is provided' do
let(:cmd) { "#{gitlab_shell_path} username-someone" }
it 'asks a user for a correct OTP' do
verify_successful_otp_verification!(cmd)
end
end
it 'shows an error when an invalid otp is provided' do
Open3.popen2(env, cmd) do |stdin, stdout|
asks_for_otp(stdout)
stdin.puts('000000')
expect(stdout.flush.read).to eq("\nOTP validation failed: boom!\n")
end
end
end
describe 'authorizing via push' do
context 'when key is provided' do
let(:cmd) { "#{gitlab_shell_path} key-101" }
it 'asks a user for a correct OTP' do
verify_successful_push_verification!(cmd)
end
end
context 'when username is provided' do
let(:cmd) { "#{gitlab_shell_path} username-another" }
it 'asks a user for a correct OTP' do
verify_successful_push_verification!(cmd)
end
end
end
def verify_successful_otp_verification!(cmd)
Open3.popen2(env, cmd) do |stdin, stdout|
asks_for_otp(stdout)
stdin.puts(correct_otp)
expect(stdout.flush.read).to eq("\nOTP validation successful. Git operations are now allowed.\n")
end
end
def verify_successful_push_verification!(cmd)
Open3.popen2(env, cmd) do |stdin, stdout|
asks_for_otp(stdout)
expect(stdout.flush.read).to eq("\nOTP has been validated by Push Authentication. Git operations are now allowed.\n")
end
end
def asks_for_otp(stdout)
expect(stdout.gets(5)).to eq('OTP: ')
end
end
|
