From d6838462b8a018f01c9208cbe3855b36c0c69c4e Mon Sep 17 00:00:00 2001 From: zokki Date: Fri, 15 Aug 2025 10:56:45 +0200 Subject: [PATCH] feat: Global 2FA enforcement (#8753) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit resolves #8549 This PR add a config to enforce 2FA for the whole Forgejo instance. It can be configured to `none`, `admin` or `all`. A user who is required to enable 2FA is like a disabled user. He can only see the `/user/settings/security`-Page to enable 2FA, this should be similar to a user which needs to change his password. Also api and git-commands are not allowed. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [ ] I did not document these changes and I do not expect someone else to do it. I will do it, if the general idea of this PR is a good feature. ### Release notes - [ ] I do not want this change to show in the release notes. - [x] I want the title to show in the release notes with a link to this pull request. - [ ] I want the content of the `release-notes/.md` to be be used for the release notes instead of the title. ## Release notes - Security features - [PR](https://codeberg.org/forgejo/forgejo/pulls/8753): Global 2FA enforcement Co-authored-by: 0ko <0ko@noreply.codeberg.org> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8753 Reviewed-by: 0ko <0ko@noreply.codeberg.org> Reviewed-by: Ellen Εμιλία Άννα Zscheile Reviewed-by: Gusted Co-authored-by: zokki Co-committed-by: zokki --- custom/conf/app.example.ini | 3 + models/user/user.go | 27 ++++ models/user/user_test.go | 139 +++++++++++++++++ modules/setting/security.go | 39 +++++ options/locale_next/locale_en-US.json | 10 ++ routers/api/shared/middleware.go | 21 +++ routers/private/serv.go | 33 ++++ routers/web/admin/config.go | 1 + routers/web/auth/password.go | 2 +- routers/web/home.go | 28 +++- routers/web/user/setting/security/2fa.go | 69 ++++++++- routers/web/web.go | 33 +++- services/context/context_response.go | 18 +++ services/context/package.go | 2 +- templates/admin/config.tmpl | 10 ++ templates/base/head_navbar.tmpl | 4 +- templates/user/settings/navbar.tmpl | 2 + .../user/settings/security/security.tmpl | 13 +- templates/user/settings/security/twofa.tmpl | 18 ++- .../user/settings/security/twofa_enroll.tmpl | 8 +- tests/integration/api_packages_test.go | 96 ++++++++++++ tests/integration/api_private_serv_test.go | 94 ++++++++++++ tests/integration/api_twofa_test.go | 129 ++++++++++++++++ tests/integration/devtest_error_test.go | 12 +- tests/integration/html_helper.go | 21 ++- tests/integration/integration_test.go | 60 ++++++++ tests/integration/setting_test.go | 73 +++++++++ tests/integration/signin_test.go | 135 +++++++++++++++++ tests/integration/user_test.go | 141 ++++++++++++++---- 29 files changed, 1179 insertions(+), 62 deletions(-) diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index ec65b3382e..267696872d 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -449,6 +449,9 @@ INTERNAL_TOKEN = ;; How long to remember that a user is logged in before requiring relogin (in days) ;LOGIN_REMEMBER_DAYS = 31 ;; +;; Require 2FA globally for none|all|admin. +;GLOBAL_TWO_FACTOR_REQUIREMENT = none +;; ;; Name of cookie used to store authentication information. ;COOKIE_REMEMBER_NAME = gitea_incredible ;; diff --git a/models/user/user.go b/models/user/user.go index e3d725677f..5f413ba136 100644 --- a/models/user/user.go +++ b/models/user/user.go @@ -234,6 +234,33 @@ func GetAllAdmins(ctx context.Context) ([]*User, error) { return users, db.GetEngine(ctx).OrderBy("id").Where("type = ?", UserTypeIndividual).And("is_admin = ?", true).Find(&users) } +// MustHaveTwoFactor returns true if the user is a individual and requires 2fa +func (u *User) MustHaveTwoFactor() bool { + if !u.IsIndividual() || setting.GlobalTwoFactorRequirement.IsNone() { + return false + } + + return setting.GlobalTwoFactorRequirement.IsAll() || (u.IsAdmin && setting.GlobalTwoFactorRequirement.IsAdmin()) +} + +// IsAccessAllowed determines whether the user is permitted to log in based on +// their activation status, login prohibition, 2FA requirement and 2FA enrollment status. +func (u *User) IsAccessAllowed(ctx context.Context) bool { + if !u.IsActive || u.ProhibitLogin { + return false + } + if !u.MustHaveTwoFactor() { + return true + } + + hasTwoFactor, err := auth.HasTwoFactorByUID(ctx, u.ID) + if err != nil { + log.Error("Error getting 2fa: %s", err) + return false + } + return hasTwoFactor +} + // IsLocal returns true if user login type is LoginPlain. func (u *User) IsLocal() bool { return u.LoginType <= auth.Plain diff --git a/models/user/user_test.go b/models/user/user_test.go index 71190751da..5b0c9676de 100644 --- a/models/user/user_test.go +++ b/models/user/user_test.go @@ -637,6 +637,145 @@ func TestGetAllAdmins(t *testing.T) { assert.Equal(t, int64(1), admins[0].ID) } +func TestMustHaveTwoFactor(t *testing.T) { + require.NoError(t, unittest.PrepareTestDatabase()) + + adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) + normalUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}) + org := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 17}) + restrictedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29}) + ghostUser := user_model.NewGhostUser() + + t.Run("NoneTwoFactorRequirement", func(t *testing.T) { + // this should be the default, so don't have to set the variable + assert.False(t, adminUser.MustHaveTwoFactor()) + assert.False(t, normalUser.MustHaveTwoFactor()) + assert.False(t, restrictedUser.MustHaveTwoFactor()) + assert.False(t, org.MustHaveTwoFactor()) + assert.False(t, ghostUser.MustHaveTwoFactor()) + }) + + t.Run("AllTwoFactorRequirement", func(t *testing.T) { + defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AllTwoFactorRequirement)() + + assert.True(t, adminUser.MustHaveTwoFactor()) + assert.True(t, normalUser.MustHaveTwoFactor()) + assert.True(t, restrictedUser.MustHaveTwoFactor()) + assert.False(t, org.MustHaveTwoFactor()) + assert.True(t, ghostUser.MustHaveTwoFactor()) + }) + + t.Run("AdminTwoFactorRequirement", func(t *testing.T) { + defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AdminTwoFactorRequirement)() + + assert.True(t, adminUser.MustHaveTwoFactor()) + assert.False(t, normalUser.MustHaveTwoFactor()) + assert.False(t, restrictedUser.MustHaveTwoFactor()) + assert.False(t, org.MustHaveTwoFactor()) + assert.False(t, ghostUser.MustHaveTwoFactor()) + }) +} + +func TestIsAccessAllowed(t *testing.T) { + require.NoError(t, unittest.PrepareTestDatabase()) + + runTest := func(t *testing.T, user *user_model.User, useTOTP, accessAllowed bool) { + t.Helper() + if useTOTP { + unittest.AssertSuccessfulInsert(t, &auth.TwoFactor{UID: user.ID}) + defer unittest.AssertSuccessfulDelete(t, &auth.TwoFactor{UID: user.ID}) + } + + assert.Equal(t, accessAllowed, user.IsAccessAllowed(t.Context())) + } + + adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) + normalUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}) + inactiveUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 9}) + org := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 17}) + restrictedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29}) + prohibitLoginUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 37}) + ghostUser := user_model.NewGhostUser() + + // users with enabled WebAuthn + normalWebAuthnUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 32}) + + t.Run("NoneTwoFactorRequirement", func(t *testing.T) { + // this should be the default, so don't have to set the variable + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, true) + runTest(t, normalUser, false, true) + runTest(t, inactiveUser, false, false) + runTest(t, org, false, true) + runTest(t, restrictedUser, false, true) + runTest(t, prohibitLoginUser, false, false) + runTest(t, ghostUser, false, false) + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, normalWebAuthnUser, false, true) + + runTest(t, adminUser, true, true) + runTest(t, normalUser, true, true) + runTest(t, inactiveUser, true, false) + runTest(t, org, true, true) + runTest(t, restrictedUser, true, true) + runTest(t, prohibitLoginUser, true, false) + }) + }) + + t.Run("AllTwoFactorRequirement", func(t *testing.T) { + defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AllTwoFactorRequirement)() + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, false) + runTest(t, normalUser, false, false) + runTest(t, inactiveUser, false, false) + runTest(t, org, false, true) + runTest(t, restrictedUser, false, false) + runTest(t, prohibitLoginUser, false, false) + runTest(t, ghostUser, false, false) + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, normalWebAuthnUser, false, true) + + runTest(t, adminUser, true, true) + runTest(t, normalUser, true, true) + runTest(t, inactiveUser, true, false) + runTest(t, org, true, true) + runTest(t, restrictedUser, true, true) + runTest(t, prohibitLoginUser, true, false) + }) + }) + + t.Run("AdminTwoFactorRequirement", func(t *testing.T) { + defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AdminTwoFactorRequirement)() + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, false) + runTest(t, normalUser, false, true) + runTest(t, inactiveUser, false, false) + runTest(t, org, false, true) + runTest(t, restrictedUser, false, true) + runTest(t, prohibitLoginUser, false, false) + runTest(t, ghostUser, false, false) + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, normalWebAuthnUser, false, true) + + runTest(t, adminUser, true, true) + runTest(t, normalUser, true, true) + runTest(t, inactiveUser, true, false) + runTest(t, org, true, true) + runTest(t, restrictedUser, true, true) + runTest(t, prohibitLoginUser, true, false) + }) + }) +} + func Test_ValidateUser(t *testing.T) { defer test.MockVariableValue(&setting.Service.AllowedUserVisibilityModesSlice, []bool{true, false, true})() diff --git a/modules/setting/security.go b/modules/setting/security.go index 1f38857af6..c591a7c90a 100644 --- a/modules/setting/security.go +++ b/modules/setting/security.go @@ -20,6 +20,7 @@ var ( SecretKey string InternalToken string // internal access token LogInRememberDays int + GlobalTwoFactorRequirement TwoFactorRequirementType CookieRememberName string ReverseProxyAuthUser string ReverseProxyAuthEmail string @@ -113,6 +114,8 @@ func loadSecurityFrom(rootCfg ConfigProvider) { } keying.Init([]byte(SecretKey)) + GlobalTwoFactorRequirement = NewTwoFactorRequirementType(sec.Key("GLOBAL_TWO_FACTOR_REQUIREMENT").String()) + CookieRememberName = sec.Key("COOKIE_REMEMBER_NAME").MustString("gitea_incredible") ReverseProxyAuthUser = sec.Key("REVERSE_PROXY_AUTHENTICATION_USER").MustString("X-WEBAUTH-USER") @@ -171,3 +174,39 @@ func loadSecurityFrom(rootCfg ConfigProvider) { log.Warn("Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will be removed in Forgejo v13.0.0.") } } + +type TwoFactorRequirementType string + +// llu:TrKeysSuffix admin.config.global_2fa_requirement. +const ( + NoneTwoFactorRequirement TwoFactorRequirementType = "none" + AllTwoFactorRequirement TwoFactorRequirementType = "all" + AdminTwoFactorRequirement TwoFactorRequirementType = "admin" +) + +func NewTwoFactorRequirementType(twoFactorRequirement string) TwoFactorRequirementType { + switch twoFactorRequirement { + case AllTwoFactorRequirement.String(): + return AllTwoFactorRequirement + case AdminTwoFactorRequirement.String(): + return AdminTwoFactorRequirement + default: + return NoneTwoFactorRequirement + } +} + +func (r TwoFactorRequirementType) String() string { + return string(r) +} + +func (r TwoFactorRequirementType) IsNone() bool { + return r == NoneTwoFactorRequirement +} + +func (r TwoFactorRequirementType) IsAll() bool { + return r == AllTwoFactorRequirement +} + +func (r TwoFactorRequirementType) IsAdmin() bool { + return r == AdminTwoFactorRequirement +} diff --git a/options/locale_next/locale_en-US.json b/options/locale_next/locale_en-US.json index 6cbfb34a60..24c0835256 100644 --- a/options/locale_next/locale_en-US.json +++ b/options/locale_next/locale_en-US.json @@ -112,7 +112,17 @@ "admin.auths.allow_username_change.description": "Allow users to change their username in the profile settings", "admin.dashboard.cleanup_offline_runners": "Cleanup offline runners", "admin.dashboard.remove_resolved_reports": "Remove resolved reports", + "admin.config.security": "Security configuration", + "admin.config.global_2fa_requirement.title": "Global two-factor requirement", + "admin.config.global_2fa_requirement.none": "No", + "admin.config.global_2fa_requirement.all": "All users", + "admin.config.global_2fa_requirement.admin": "Administrators", "settings.visibility.description": "Profile visibility affects others' ability to access your non-private repositories. Learn more.", + "settings.twofa_unroll_unavailable": "Two-factor authentication is required for your account and cannot be disabled.", + "settings.twofa_reenroll": "Re-enroll two-factor authentication", + "settings.twofa_reenroll.description": "Re-enroll your two-factor authentication", + "settings.must_enable_2fa": "This Forgejo instance requires users to enable two-factor authentication before they can access their accounts.", + "error.must_enable_2fa": "This Forgejo instance requires users to enable two-factor authentication before they can access their accounts. Enable it at: %s", "avatar.constraints_hint": "Custom avatar may not exceed %[1]s in size or be larger than %[2]dx%[3]d pixels", "og.repo.summary_card.alt_description": "Summary card of repository %[1]s, described as: %[2]s", "repo.commit.load_tags_failed": "Load tags failed because of internal error", diff --git a/routers/api/shared/middleware.go b/routers/api/shared/middleware.go index b57fabac0e..59d9f28d60 100644 --- a/routers/api/shared/middleware.go +++ b/routers/api/shared/middleware.go @@ -4,8 +4,10 @@ package shared import ( + "fmt" "net/http" + auth_model "forgejo.org/models/auth" "forgejo.org/modules/log" "forgejo.org/modules/setting" "forgejo.org/routers/common" @@ -92,6 +94,25 @@ func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.APIC }) return } + + if ctx.Doer.MustHaveTwoFactor() { + hasTwoFactor, err := auth_model.HasTwoFactorByUID(ctx, ctx.Doer.ID) + if err != nil { + ctx.Data["Title"] = ctx.Tr("auth.prohibit_login") + log.Error("Error getting 2fa: %s", err) + ctx.JSON(http.StatusInternalServerError, map[string]string{ + "message": fmt.Sprintf("Error getting 2fa: %s", err), + }) + return + } + if !hasTwoFactor { + ctx.Data["Title"] = ctx.Tr("auth.prohibit_login") + ctx.JSON(http.StatusForbidden, map[string]string{ + "message": ctx.Locale.TrString("error.must_enable_2fa", fmt.Sprintf("%suser/settings/security", setting.AppURL)), + }) + return + } + } } // Redirect to dashboard if user tries to visit any non-login page. diff --git a/routers/private/serv.go b/routers/private/serv.go index a4029e354c..7f08d4ca34 100644 --- a/routers/private/serv.go +++ b/routers/private/serv.go @@ -9,6 +9,7 @@ import ( "strings" asymkey_model "forgejo.org/models/asymkey" + "forgejo.org/models/auth" "forgejo.org/models/perm" access_model "forgejo.org/models/perm/access" repo_model "forgejo.org/models/repo" @@ -22,6 +23,27 @@ import ( wiki_service "forgejo.org/services/wiki" ) +func checkTwoFactor(ctx *context.PrivateContext, user *user_model.User) { + if !user.MustHaveTwoFactor() { + return + } + + hasTwoFactor, err := auth.HasTwoFactorByUID(ctx, user.ID) + if err != nil { + log.Error("Error getting 2fa: %s", err) + ctx.JSON(http.StatusInternalServerError, private.Response{ + Err: fmt.Sprintf("Error getting 2fa: %s", err), + }) + return + } + if !hasTwoFactor { + ctx.JSON(http.StatusForbidden, private.Response{ + UserMsg: ctx.Locale.TrString("error.must_enable_2fa", fmt.Sprintf("%suser/settings/security", setting.AppURL)), + }) + return + } +} + // ServNoCommand returns information about the provided keyid func ServNoCommand(ctx *context.PrivateContext) { keyID := ctx.ParamsInt64(":keyid") @@ -69,6 +91,12 @@ func ServNoCommand(ctx *context.PrivateContext) { }) return } + + checkTwoFactor(ctx, user) + if ctx.Written() { + return + } + results.Owner = user } ctx.JSON(http.StatusOK, &results) @@ -266,6 +294,11 @@ func ServCommand(ctx *context.PrivateContext) { return } + checkTwoFactor(ctx, user) + if ctx.Written() { + return + } + results.UserName = user.Name if !user.KeepEmailPrivate { results.UserEmail = user.Email diff --git a/routers/web/admin/config.go b/routers/web/admin/config.go index dcc99ff1a8..e1c3a5f9ee 100644 --- a/routers/web/admin/config.go +++ b/routers/web/admin/config.go @@ -128,6 +128,7 @@ func Config(ctx *context.Context) { ctx.Data["AppBuiltWith"] = setting.AppBuiltWith ctx.Data["Domain"] = setting.Domain ctx.Data["OfflineMode"] = setting.OfflineMode + ctx.Data["GlobalTwoFactorRequirement"] = setting.GlobalTwoFactorRequirement ctx.Data["RunUser"] = setting.RunUser ctx.Data["RunMode"] = util.ToTitleCase(setting.RunMode) ctx.Data["GitVersion"] = git.VersionInfo() diff --git a/routers/web/auth/password.go b/routers/web/auth/password.go index cb6b22e5b7..c645bbdede 100644 --- a/routers/web/auth/password.go +++ b/routers/web/auth/password.go @@ -264,7 +264,7 @@ func ResetPasswdPost(ctx *context.Context) { func MustChangePassword(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("auth.must_change_password") ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password" - ctx.Data["MustChangePassword"] = true + ctx.Data["HideNavbarLinks"] = true ctx.HTML(http.StatusOK, tplMustChangePassword) } diff --git a/routers/web/home.go b/routers/web/home.go index bd9942748a..55dfe2538e 100644 --- a/routers/web/home.go +++ b/routers/web/home.go @@ -9,6 +9,7 @@ import ( "net/http" "strconv" + auth_model "forgejo.org/models/auth" "forgejo.org/models/db" repo_model "forgejo.org/models/repo" user_model "forgejo.org/models/user" @@ -35,18 +36,37 @@ func Home(ctx *context.Context) { if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm { ctx.Data["Title"] = ctx.Tr("auth.active_your_account") ctx.HTML(http.StatusOK, auth.TplActivate) - } else if !ctx.Doer.IsActive || ctx.Doer.ProhibitLogin { + return + } + if !ctx.Doer.IsActive || ctx.Doer.ProhibitLogin { log.Info("Failed authentication attempt for %s from %s", ctx.Doer.Name, ctx.RemoteAddr()) ctx.Data["Title"] = ctx.Tr("auth.prohibit_login") ctx.HTML(http.StatusOK, "user/auth/prohibit_login") - } else if ctx.Doer.MustChangePassword { + return + } + if ctx.Doer.MustChangePassword { ctx.Data["Title"] = ctx.Tr("auth.must_change_password") ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password" middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI()) ctx.Redirect(setting.AppSubURL + "/user/settings/change_password") - } else { - user.Dashboard(ctx) + return } + if ctx.Doer.MustHaveTwoFactor() { + hasTwoFactor, err := auth_model.HasTwoFactorByUID(ctx, ctx.Doer.ID) + if err != nil { + ctx.Data["Title"] = ctx.Tr("auth.prohibit_login") + log.Error("Error getting 2fa: %s", err) + ctx.Error(http.StatusInternalServerError, "HasTwoFactorByUID", err.Error()) + return + } + if !hasTwoFactor { + ctx.Data["Title"] = ctx.Tr("auth.prohibit_login") + ctx.Redirect(setting.AppSubURL + "/user/settings/security") + return + } + } + + user.Dashboard(ctx) return // Check non-logged users landing page. } else if setting.LandingPageURL != setting.LandingPageHome { diff --git a/routers/web/user/setting/security/2fa.go b/routers/web/user/setting/security/2fa.go index 8b362c4f08..d23917f8b2 100644 --- a/routers/web/user/setting/security/2fa.go +++ b/routers/web/user/setting/security/2fa.go @@ -56,6 +56,21 @@ func DisableTwoFactor(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("settings") ctx.Data["PageIsSettingsSecurity"] = true + if ctx.Doer.MustHaveTwoFactor() { + ctx.NotFound("DisableTwoFactor", nil) + return + } + + disableTwoFactor(ctx) + if ctx.Written() { + return + } + + ctx.Flash.Success(ctx.Tr("settings.twofa_disabled")) + ctx.Redirect(setting.AppSubURL + "/user/settings/security") +} + +func disableTwoFactor(ctx *context.Context) { t, err := auth.GetTwoFactorByUID(ctx, ctx.Doer.ID) if err != nil { if auth.IsErrTwoFactorNotEnrolled(err) { @@ -82,9 +97,6 @@ func DisableTwoFactor(ctx *context.Context) { ctx.ServerError("SendDisabledTOTP", err) return } - - ctx.Flash.Success(ctx.Tr("settings.twofa_disabled")) - ctx.Redirect(setting.AppSubURL + "/user/settings/security") } func twofaGenerateSecretAndQr(ctx *context.Context) bool { @@ -172,7 +184,6 @@ func EnrollTwoFactor(ctx *context.Context) { // EnrollTwoFactorPost handles enrolling the user into 2FA. func EnrollTwoFactorPost(ctx *context.Context) { - form := web.GetForm(ctx).(*forms.TwoFactorAuthForm) ctx.Data["Title"] = ctx.Tr("settings") ctx.Data["PageIsSettingsSecurity"] = true @@ -188,6 +199,12 @@ func EnrollTwoFactorPost(ctx *context.Context) { return } + enrollTwoFactor(ctx) +} + +func enrollTwoFactor(ctx *context.Context) { + form := web.GetForm(ctx).(*forms.TwoFactorAuthForm) + if ctx.HasError() { if !twofaGenerateSecretAndQr(ctx) { return @@ -213,10 +230,10 @@ func EnrollTwoFactorPost(ctx *context.Context) { return } - t = &auth.TwoFactor{ + twoFactor := &auth.TwoFactor{ UID: ctx.Doer.ID, } - token := t.GenerateScratchToken() + token := twoFactor.GenerateScratchToken() // Now we have to delete the secrets - because if we fail to insert then it's highly likely that they have already been used // If we can detect the unique constraint failure below we can move this to after the NewTwoFactor @@ -238,7 +255,7 @@ func EnrollTwoFactorPost(ctx *context.Context) { return } - if err = auth.NewTwoFactor(ctx, t, secret); err != nil { + if err := auth.NewTwoFactor(ctx, twoFactor, secret); err != nil { // FIXME: We need to handle a unique constraint fail here it's entirely possible that another request has beaten us. // If there is a unique constraint fail we should just tolerate the error ctx.ServerError("SettingsTwoFactor: Failed to save two factor", err) @@ -248,3 +265,41 @@ func EnrollTwoFactorPost(ctx *context.Context) { ctx.Flash.Success(ctx.Tr("settings.twofa_enrolled", token)) ctx.Redirect(setting.AppSubURL + "/user/settings/security") } + +// ReenrollTwoFactor shows the page where the user can reenroll 2FA. +func ReenrollTwoFactor(ctx *context.Context) { + ctx.Data["Title"] = ctx.Tr("settings") + ctx.Data["PageIsSettingsSecurity"] = true + ctx.Data["ReenrollTwofa"] = true + + _, err := auth.GetTwoFactorByUID(ctx, ctx.Doer.ID) + if auth.IsErrTwoFactorNotEnrolled(err) { + ctx.Flash.Error(ctx.Tr("settings.twofa_not_enrolled")) + ctx.Redirect(setting.AppSubURL + "/user/settings/security") + return + } + if err != nil { + ctx.ServerError("SettingsTwoFactor: GetTwoFactorByUID", err) + return + } + + if !twofaGenerateSecretAndQr(ctx) { + return + } + + ctx.HTML(http.StatusOK, tplSettingsTwofaEnroll) +} + +// ReenrollTwoFactorPost handles reenrolling the user 2FA. +func ReenrollTwoFactorPost(ctx *context.Context) { + ctx.Data["Title"] = ctx.Tr("settings") + ctx.Data["PageIsSettingsSecurity"] = true + ctx.Data["ReenrollTwofa"] = true + + disableTwoFactor(ctx) + if ctx.Written() { + return + } + + enrollTwoFactor(ctx) +} diff --git a/routers/web/web.go b/routers/web/web.go index 497352cdc7..f1cbc6b7ad 100644 --- a/routers/web/web.go +++ b/routers/web/web.go @@ -6,9 +6,11 @@ package web import ( gocontext "context" + "fmt" "net/http" "strings" + auth_model "forgejo.org/models/auth" "forgejo.org/models/perm" quota_model "forgejo.org/models/quota" "forgejo.org/models/unit" @@ -169,6 +171,19 @@ func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.Cont ctx.Redirect(setting.AppSubURL + "/") return } + + if ctx.Doer.MustHaveTwoFactor() && !strings.HasPrefix(ctx.Req.URL.Path, "/user/settings/security") { + hasTwoFactor, err := auth_model.HasTwoFactorByUID(ctx, ctx.Doer.ID) + if err != nil { + log.Error("Error getting 2fa: %s", err) + ctx.Error(http.StatusInternalServerError, "HasTwoFactorByUID", err.Error()) + return + } + if !hasTwoFactor { + ctx.Redirect(setting.AppSubURL + "/user/settings/security") + return + } + } } // Redirect to dashboard (or alternate location) if user tries to visit any non-login page. @@ -309,6 +324,20 @@ func registerRoutes(m *web.Route) { } } + requiredTwoFactor := func(ctx *context.Context) { + if !ctx.Doer.MustHaveTwoFactor() { + return + } + + hasTwoFactor, err := auth_model.HasTwoFactorByUID(ctx, ctx.Doer.ID) + if err != nil { + ctx.Error(http.StatusInternalServerError, fmt.Sprintf("Error getting 2fa: %s", err)) + return + } + ctx.Data["MustEnableTwoFactor"] = !hasTwoFactor + ctx.Data["HideNavbarLinks"] = !hasTwoFactor + } + openIDSignInEnabled := func(ctx *context.Context) { if !setting.Service.EnableOpenIDSignIn { ctx.Error(http.StatusForbidden) @@ -564,6 +593,8 @@ func registerRoutes(m *web.Route) { m.Post("/disable", security.DisableTwoFactor) m.Get("/enroll", security.EnrollTwoFactor) m.Post("/enroll", web.Bind(forms.TwoFactorAuthForm{}), security.EnrollTwoFactorPost) + m.Get("/reenroll", security.ReenrollTwoFactor) + m.Post("/reenroll", web.Bind(forms.TwoFactorAuthForm{}), security.ReenrollTwoFactorPost) }) m.Group("/webauthn", func() { m.Post("/request_register", web.Bind(forms.WebauthnRegistrationForm{}), security.WebAuthnRegister) @@ -576,7 +607,7 @@ func registerRoutes(m *web.Route) { m.Post("/toggle_visibility", security.ToggleOpenIDVisibility) }, openIDSignInEnabled) m.Post("/account_link", linkAccountEnabled, security.DeleteAccountLink) - }) + }, requiredTwoFactor) m.Group("/applications", func() { // oauth2 applications diff --git a/services/context/context_response.go b/services/context/context_response.go index e64f478420..386bdd2652 100644 --- a/services/context/context_response.go +++ b/services/context/context_response.go @@ -17,6 +17,7 @@ import ( "syscall" "time" + "forgejo.org/models/auth" user_model "forgejo.org/models/user" "forgejo.org/modules/base" "forgejo.org/modules/httplib" @@ -129,6 +130,21 @@ func (ctx *Context) RenderWithErr(msg any, tpl base.TplName, form any) { ctx.HTML(http.StatusOK, tpl) } +// validateTwoFactorRequirement sets ctx-data to hide/show ui-elements depending on the GlobalTwoFactorRequirement +func (ctx *Context) validateTwoFactorRequirement() { + if ctx.Doer == nil || !ctx.Doer.MustHaveTwoFactor() { + return + } + + hasTwoFactor, err := auth.HasTwoFactorByUID(ctx, ctx.Doer.ID) + if err != nil { + log.ErrorWithSkip(2, "Error getting 2fa: %s", err) + // fallthrough to set the variables + } + ctx.Data["MustEnableTwoFactor"] = !hasTwoFactor + ctx.Data["HideNavbarLinks"] = !hasTwoFactor +} + // NotFound displays a 404 (Not Found) page and prints the given error, if any. func (ctx *Context) NotFound(logMsg string, logErr error) { ctx.notFoundInternal(logMsg, logErr) @@ -156,6 +172,7 @@ func (ctx *Context) notFoundInternal(logMsg string, logErr error) { return } + ctx.validateTwoFactorRequirement() ctx.Data["IsRepo"] = ctx.Repo.Repository != nil ctx.Data["Title"] = ctx.Locale.TrString("error.not_found.title") ctx.HTML(http.StatusNotFound, tplStatus404) @@ -181,6 +198,7 @@ func (ctx *Context) serverErrorInternal(logMsg string, logErr error) { } } + ctx.validateTwoFactorRequirement() ctx.HTML(http.StatusInternalServerError, tplStatus500) } diff --git a/services/context/package.go b/services/context/package.go index b95e02a882..50ffa8eb7c 100644 --- a/services/context/package.go +++ b/services/context/package.go @@ -97,7 +97,7 @@ func determineAccessMode(ctx *Base, pkg *Package, doer *user_model.User) (perm.A return perm.AccessModeNone, nil } - if doer != nil && !doer.IsGhost() && (!doer.IsActive || doer.ProhibitLogin) { + if doer != nil && !doer.IsGhost() && !doer.IsAccessAllowed(ctx) { return perm.AccessModeNone, nil } diff --git a/templates/admin/config.tmpl b/templates/admin/config.tmpl index 12504b8824..36d44f21f3 100644 --- a/templates/admin/config.tmpl +++ b/templates/admin/config.tmpl @@ -51,6 +51,16 @@ +

+ {{ctx.Locale.Tr "admin.config.security"}} +

+
+
+
{{ctx.Locale.Tr "admin.config.global_2fa_requirement.title"}}
+
{{ctx.Locale.Tr (print "admin.config.global_2fa_requirement." .GlobalTwoFactorRequirement)}}
+
+
+

{{ctx.Locale.Tr "admin.config.ssh_config"}}

diff --git a/templates/base/head_navbar.tmpl b/templates/base/head_navbar.tmpl index 0c13f9e844..dc3ca33712 100644 --- a/templates/base/head_navbar.tmpl +++ b/templates/base/head_navbar.tmpl @@ -24,7 +24,7 @@ - {{if and .IsSigned .MustChangePassword}} + {{if and .IsSigned .HideNavbarLinks}} {{/* No links */}} {{else if .IsSigned}} {{if not .UnitIssuesGlobalDisabled}} @@ -54,7 +54,7 @@
- {{if and .IsSigned .MustChangePassword}} + {{if and .IsSigned .HideNavbarLinks}}
{{ctx.AvatarUtils.Avatar .SignedUser 24 "tw-mr-1"}} diff --git a/templates/user/settings/navbar.tmpl b/templates/user/settings/navbar.tmpl index eadf2ee9e5..325fdada7d 100644 --- a/templates/user/settings/navbar.tmpl +++ b/templates/user/settings/navbar.tmpl @@ -1,3 +1,4 @@ +{{if not .HideNavbarLinks}}
{{ctx.Locale.Tr "user.settings"}}
@@ -61,3 +62,4 @@
+{{end}} diff --git a/templates/user/settings/security/security.tmpl b/templates/user/settings/security/security.tmpl index aee0456b8f..9c85beab3e 100644 --- a/templates/user/settings/security/security.tmpl +++ b/templates/user/settings/security/security.tmpl @@ -1,10 +1,15 @@ -{{template "user/settings/layout_head" (dict "ctxData" . "pageClass" "user settings security")}} +{{template "user/settings/layout_head" (dict "ctxData" . "pageClass" "user settings security" "HideNavbarLinks" .HideNavbarLinks)}}
+ {{if .MustEnableTwoFactor}} +
{{ctx.Locale.Tr "settings.must_enable_2fa"}}
+ {{end}} {{template "user/settings/security/twofa" .}} {{template "user/settings/security/webauthn" .}} - {{template "user/settings/security/accountlinks" .}} - {{if .EnableOpenIDSignIn}} - {{template "user/settings/security/openid" .}} + {{if not .MustEnableTwoFactor}} + {{template "user/settings/security/accountlinks" .}} + {{if .EnableOpenIDSignIn}} + {{template "user/settings/security/openid" .}} + {{end}} {{end}}
diff --git a/templates/user/settings/security/twofa.tmpl b/templates/user/settings/security/twofa.tmpl index adebce4265..bee15f17ef 100644 --- a/templates/user/settings/security/twofa.tmpl +++ b/templates/user/settings/security/twofa.tmpl @@ -5,16 +5,24 @@

{{ctx.Locale.Tr "settings.twofa_desc"}}

{{if .TOTPEnrolled}}

{{ctx.Locale.Tr "settings.twofa_is_enrolled"}}

+
+

{{ctx.Locale.Tr "settings.twofa_reenroll.description"}}

+ {{ctx.Locale.Tr "settings.twofa_reenroll"}} +
{{.CsrfTokenHtml}}

{{ctx.Locale.Tr "settings.regenerate_scratch_token_desc"}}

-
- {{.CsrfTokenHtml}} -

{{ctx.Locale.Tr "settings.twofa_disable_note"}}

- -
+ {{if .SignedUser.MustHaveTwoFactor}} +

{{ctx.Locale.Tr "settings.twofa_unroll_unavailable"}}

+ {{else}} +
+ {{.CsrfTokenHtml}} +

{{ctx.Locale.Tr "settings.twofa_disable_note"}}

+ +
+ {{end}} {{else}} {{/* The recovery tip is there as a means of encouraging a user to enroll */}}

{{ctx.Locale.Tr "settings.twofa_recovery_tip"}}

diff --git a/templates/user/settings/security/twofa_enroll.tmpl b/templates/user/settings/security/twofa_enroll.tmpl index cac88ee1d0..3987b2258d 100644 --- a/templates/user/settings/security/twofa_enroll.tmpl +++ b/templates/user/settings/security/twofa_enroll.tmpl @@ -1,7 +1,11 @@ -{{template "user/settings/layout_head" (dict "ctxData" . "pageClass" "user settings twofa")}} +{{template "user/settings/layout_head" (dict "ctxData" . "pageClass" "user settings twofa" "HideNavbarLinks" .HideNavbarLinks)}}

- {{ctx.Locale.Tr "settings.twofa_enroll"}} + {{if .ReenrollTwofa}} + {{ctx.Locale.Tr "settings.twofa_reenroll"}} + {{else}} + {{ctx.Locale.Tr "settings.twofa_enroll"}} + {{end}}

{{ctx.Locale.Tr "settings.scan_this_image"}}

diff --git a/tests/integration/api_packages_test.go b/tests/integration/api_packages_test.go index 0db203dce0..183c5ef4a4 100644 --- a/tests/integration/api_packages_test.go +++ b/tests/integration/api_packages_test.go @@ -21,11 +21,13 @@ import ( user_model "forgejo.org/models/user" "forgejo.org/modules/setting" api "forgejo.org/modules/structs" + "forgejo.org/modules/test" "forgejo.org/modules/util" packages_service "forgejo.org/services/packages" packages_cleanup_service "forgejo.org/services/packages/cleanup" "forgejo.org/tests" + "github.com/pquerna/otp/totp" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) @@ -673,3 +675,97 @@ func TestPackageCleanup(t *testing.T) { } }) } + +func TestPackageWithTwoFactor(t *testing.T) { + defer tests.PrepareTestEnv(t)() + + adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) + normalUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}) + + runTest := func(t *testing.T, doer *user_model.User, useTOTP bool, expectedStatus int) { + t.Helper() + if doer != nil { + defer unittest.AssertSuccessfulDelete(t, &auth_model.TwoFactor{UID: doer.ID}) + } + + passcode := func() string { + if !useTOTP { + return "" + } + + otpKey, err := totp.Generate(totp.GenerateOpts{ + SecretSize: 40, + Issuer: "forgejo-test", + AccountName: doer.Name, + }) + require.NoError(t, err) + + require.NoError(t, auth_model.NewTwoFactor(t.Context(), &auth_model.TwoFactor{UID: doer.ID}, otpKey.Secret())) + + passcode, err := totp.GenerateCode(otpKey.Secret(), time.Now()) + require.NoError(t, err) + return passcode + }() + + url := fmt.Sprintf("/api/v1/packages/%s", normalUser.Name) // a public packge to test + req := NewRequest(t, "GET", url) + if doer != nil { + req.AddBasicAuth(doer.Name) + } + + if useTOTP { + MakeRequest(t, req, http.StatusUnauthorized) + + req = NewRequest(t, "GET", url). + AddBasicAuth(doer.Name) + req.Header.Set("X-Forgejo-OTP", passcode) + } + + MakeRequest(t, req, expectedStatus) + } + + t.Run("NoneTwoFactorRequirement", func(t *testing.T) { + // this should be the default, so don't have to set the variable + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, http.StatusOK) + runTest(t, normalUser, false, http.StatusOK) + runTest(t, nil, false, http.StatusOK) // anonymous + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, adminUser, true, http.StatusOK) + runTest(t, normalUser, true, http.StatusOK) + }) + }) + + t.Run("AllTwoFactorRequirement", func(t *testing.T) { + defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AllTwoFactorRequirement)() + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, http.StatusForbidden) + runTest(t, normalUser, false, http.StatusForbidden) + runTest(t, nil, false, http.StatusOK) // anonymous + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, adminUser, true, http.StatusOK) + runTest(t, normalUser, true, http.StatusOK) + }) + }) + + t.Run("AdminTwoFactorRequirement", func(t *testing.T) { + defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AdminTwoFactorRequirement)() + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, http.StatusForbidden) + runTest(t, normalUser, false, http.StatusOK) + runTest(t, nil, false, http.StatusOK) // anonymous + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, adminUser, true, http.StatusOK) + runTest(t, normalUser, true, http.StatusOK) + }) + }) +} diff --git a/tests/integration/api_private_serv_test.go b/tests/integration/api_private_serv_test.go index a7dc59a611..6a62169b40 100644 --- a/tests/integration/api_private_serv_test.go +++ b/tests/integration/api_private_serv_test.go @@ -5,12 +5,19 @@ package integration import ( "context" + "net/http" "net/url" "testing" asymkey_model "forgejo.org/models/asymkey" + "forgejo.org/models/auth" "forgejo.org/models/perm" + "forgejo.org/models/unittest" + user_model "forgejo.org/models/user" "forgejo.org/modules/private" + "forgejo.org/modules/setting" + "forgejo.org/modules/test" + "forgejo.org/tests" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -152,3 +159,90 @@ func TestAPIPrivateServ(t *testing.T) { assert.Equal(t, int64(20), results.RepoID) }) } + +func TestAPIPrivateServAndNoServWithRequiredTwoFactor(t *testing.T) { + onGiteaRun(t, func(*testing.T, *url.URL) { + ctx, cancel := context.WithCancel(t.Context()) + defer cancel() + + runTest := func(t *testing.T, user *user_model.User, useTOTP, servAllowed bool) { + t.Helper() + repo, _, reset := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{}) + defer reset() + + pubKey, err := asymkey_model.AddPublicKey(ctx, user.ID, "tmp-key-"+user.Name, "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBGXEEzWmm1dxb+57RoK5KVCL0w2eNv9cqJX2AGGVlkFsVDhOXHzsadS3LTK4VlEbbrDMJdoti9yM8vclA8IeRacAAAAEc3NoOg== nocomment", 0) + require.NoError(t, err) + defer unittest.AssertSuccessfulDelete(t, &asymkey_model.PublicKey{ID: pubKey.ID}) + + if useTOTP { + session := loginUser(t, user.Name) + session.EnrollTOTP(t) + session.MakeRequest(t, NewRequest(t, "POST", "/user/logout"), http.StatusOK) + defer unittest.AssertSuccessfulDelete(t, &auth.TwoFactor{UID: user.ID}) + } + + // Can push to a repo + _, extra := private.ServCommand(ctx, pubKey.ID, user.Name, repo.Name, perm.AccessModeWrite, "git-upload-pack", "") + _, _, err = private.ServNoCommand(ctx, pubKey.ID) + if servAllowed { + require.NoError(t, extra.Error) + require.NoError(t, err) + } else { + require.Error(t, extra.Error) + require.Error(t, err) + } + } + + adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) + normalUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}) + restrictedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29}) + + t.Run("NoneTwoFactorRequirement", func(t *testing.T) { + // this should be the default, so don't have to set the variable + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, true) + runTest(t, normalUser, false, true) + runTest(t, restrictedUser, false, true) + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, adminUser, true, true) + runTest(t, normalUser, true, true) + runTest(t, restrictedUser, true, true) + }) + }) + + t.Run("AllTwoFactorRequirement", func(t *testing.T) { + defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AllTwoFactorRequirement)() + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, false) + runTest(t, normalUser, false, false) + runTest(t, restrictedUser, false, false) + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, adminUser, true, true) + runTest(t, normalUser, true, true) + runTest(t, restrictedUser, true, true) + }) + }) + + t.Run("AdminTwoFactorRequirement", func(t *testing.T) { + defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AdminTwoFactorRequirement)() + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, false) + runTest(t, normalUser, false, true) + runTest(t, restrictedUser, false, true) + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, adminUser, true, true) + runTest(t, normalUser, true, true) + runTest(t, restrictedUser, true, true) + }) + }) + }) +} diff --git a/tests/integration/api_twofa_test.go b/tests/integration/api_twofa_test.go index b1b5829685..ab173fc9f9 100644 --- a/tests/integration/api_twofa_test.go +++ b/tests/integration/api_twofa_test.go @@ -4,7 +4,9 @@ package integration import ( + "fmt" "net/http" + "strings" "testing" "time" @@ -12,6 +14,9 @@ import ( "forgejo.org/models/db" "forgejo.org/models/unittest" user_model "forgejo.org/models/user" + "forgejo.org/modules/setting" + "forgejo.org/modules/test" + "forgejo.org/modules/translation" "forgejo.org/tests" "github.com/pquerna/otp/totp" @@ -79,3 +84,127 @@ func TestAPIWebAuthn(t *testing.T) { assert.Equal(t, "Basic authorization is not allowed while having security keys enrolled", userParsed.Message) } + +func TestAPIWithRequiredTwoFactor(t *testing.T) { + defer tests.PrepareTestEnv(t)() + + type userResponse struct { + Message string `json:"message"` + } + + locale := translation.NewLocale("en-US") + + adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) + normalUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}) + inactiveUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 9}) + restrictedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29}) + prohibitLoginUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 37}) + + require2FaMessage := locale.TrString("error.must_enable_2fa", fmt.Sprintf("%suser/settings/security", setting.AppURL)) + const prohibitedMessage = "This account is prohibited from signing in, please contact your site administrator." + const loginNotAllowedMessage = "user is not allowed login" + + runTest := func(t *testing.T, user *user_model.User, useTOTP bool, status int, messagePrefix string) { + t.Helper() + defer unittest.AssertSuccessfulDelete(t, &auth_model.TwoFactor{UID: user.ID}) + + passcode := func() string { + if !useTOTP { + return "" + } + + otpKey, err := totp.Generate(totp.GenerateOpts{ + SecretSize: 40, + Issuer: "forgejo-test", + AccountName: user.Name, + }) + require.NoError(t, err) + + require.NoError(t, auth_model.NewTwoFactor(t.Context(), &auth_model.TwoFactor{UID: user.ID}, otpKey.Secret())) + + passcode, err := totp.GenerateCode(otpKey.Secret(), time.Now()) + require.NoError(t, err) + return passcode + }() + + req := NewRequest(t, "GET", "/api/v1/user"). + AddBasicAuth(user.Name) + + if useTOTP { + MakeRequest(t, req, http.StatusUnauthorized) + + req = NewRequestf(t, "GET", "/api/v1/user"). + AddBasicAuth(user.Name) + req.Header.Set("X-Forgejo-OTP", passcode) + } + + resp := MakeRequest(t, req, status) + + if messagePrefix != "" { + var response userResponse + DecodeJSON(t, resp, &response) + + assert.True(t, strings.HasPrefix(response.Message, messagePrefix)) + } + } + + t.Run("NoneTwoFactorRequirement", func(t *testing.T) { + // this should be the default, so don't have to set the variable + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, http.StatusOK, "") + runTest(t, normalUser, false, http.StatusOK, "") + runTest(t, inactiveUser, false, http.StatusForbidden, prohibitedMessage) + runTest(t, restrictedUser, false, http.StatusOK, "") + runTest(t, prohibitLoginUser, false, http.StatusUnauthorized, loginNotAllowedMessage) + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, adminUser, true, http.StatusOK, "") + runTest(t, normalUser, true, http.StatusOK, "") + runTest(t, inactiveUser, true, http.StatusForbidden, prohibitedMessage) + runTest(t, restrictedUser, true, http.StatusOK, "") + runTest(t, prohibitLoginUser, true, http.StatusUnauthorized, loginNotAllowedMessage) + }) + }) + + t.Run("AllTwoFactorRequirement", func(t *testing.T) { + defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AllTwoFactorRequirement)() + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, http.StatusForbidden, require2FaMessage) + runTest(t, normalUser, false, http.StatusForbidden, require2FaMessage) + runTest(t, inactiveUser, false, http.StatusForbidden, prohibitedMessage) + runTest(t, restrictedUser, false, http.StatusForbidden, require2FaMessage) + runTest(t, prohibitLoginUser, false, http.StatusUnauthorized, loginNotAllowedMessage) + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, adminUser, true, http.StatusOK, "") + runTest(t, normalUser, true, http.StatusOK, "") + runTest(t, inactiveUser, true, http.StatusForbidden, prohibitedMessage) + runTest(t, restrictedUser, true, http.StatusOK, "") + runTest(t, prohibitLoginUser, true, http.StatusUnauthorized, loginNotAllowedMessage) + }) + }) + + t.Run("AdminTwoFactorRequirement", func(t *testing.T) { + defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AdminTwoFactorRequirement)() + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, http.StatusForbidden, require2FaMessage) + runTest(t, normalUser, false, http.StatusOK, "") + runTest(t, inactiveUser, false, http.StatusForbidden, prohibitedMessage) + runTest(t, restrictedUser, false, http.StatusOK, "") + runTest(t, prohibitLoginUser, false, http.StatusUnauthorized, loginNotAllowedMessage) + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, adminUser, true, http.StatusOK, "") + runTest(t, normalUser, true, http.StatusOK, "") + runTest(t, inactiveUser, true, http.StatusForbidden, prohibitedMessage) + runTest(t, restrictedUser, true, http.StatusOK, "") + runTest(t, prohibitLoginUser, true, http.StatusUnauthorized, loginNotAllowedMessage) + }) + }) +} diff --git a/tests/integration/devtest_error_test.go b/tests/integration/devtest_error_test.go index 9aa0341fe5..b0148b3fd1 100644 --- a/tests/integration/devtest_error_test.go +++ b/tests/integration/devtest_error_test.go @@ -18,9 +18,17 @@ import ( // error pages sometimes which can be hard to reach otherwise. // This file is a test of various attributes on those pages. +func enableDevtest() func() { + resetIsProd := test.MockVariableValue(&setting.IsProd, false) + resetRoutes := test.MockVariableValue(&testWebRoutes, routers.NormalRoutes()) + return func() { + resetIsProd() + resetRoutes() + } +} + func TestDevtestErrorpages(t *testing.T) { - defer test.MockVariableValue(&setting.IsProd, false)() - defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())() + defer enableDevtest()() t.Run("Server error", func(t *testing.T) { // `/devtest/error/x` returns 500 for any x by default. diff --git a/tests/integration/html_helper.go b/tests/integration/html_helper.go index dc65842dd7..0caa50d0c0 100644 --- a/tests/integration/html_helper.go +++ b/tests/integration/html_helper.go @@ -76,17 +76,28 @@ func (doc *HTMLDoc) Find(selector string) *goquery.Selection { return doc.doc.Find(selector) } +// FindByText gets all elements by selector that also has the given text +func (doc *HTMLDoc) FindByText(selector, text string) *goquery.Selection { + return doc.doc.Find(selector).FilterFunction(func(i int, s *goquery.Selection) bool { + return s.Text() == text + }) +} + // GetCSRF for getting CSRF token value from input func (doc *HTMLDoc) GetCSRF() string { return doc.GetInputValueByName("_csrf") } -// AssertElement check if element by selector exists or does not exist depending on checkExists -func (doc *HTMLDoc) AssertElement(t testing.TB, selector string, checkExists bool) { - sel := doc.doc.Find(selector) +// AssertSelection check if selection exists or does not exist depending on checkExists +func (doc *HTMLDoc) AssertSelection(t testing.TB, selection *goquery.Selection, checkExists bool) { if checkExists { - assert.Equal(t, 1, sel.Length()) + assert.Equal(t, 1, selection.Length()) } else { - assert.Equal(t, 0, sel.Length()) + assert.Equal(t, 0, selection.Length()) } } + +// AssertElement check if element by selector exists or does not exist depending on checkExists +func (doc *HTMLDoc) AssertElement(t testing.TB, selector string, checkExists bool) { + doc.AssertSelection(t, doc.doc.Find(selector), checkExists) +} diff --git a/tests/integration/integration_test.go b/tests/integration/integration_test.go index 34a975de44..ac3c86e332 100644 --- a/tests/integration/integration_test.go +++ b/tests/integration/integration_test.go @@ -33,6 +33,7 @@ import ( user_model "forgejo.org/models/user" "forgejo.org/modules/graceful" "forgejo.org/modules/json" + "forgejo.org/modules/keying" "forgejo.org/modules/log" "forgejo.org/modules/setting" "forgejo.org/modules/testlogger" @@ -50,6 +51,7 @@ import ( "github.com/markbates/goth/gothic" goth_github "github.com/markbates/goth/providers/github" goth_gitlab "github.com/markbates/goth/providers/gitlab" + "github.com/pquerna/otp/totp" "github.com/santhosh-tekuri/jsonschema/v6" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -276,6 +278,30 @@ func (s *TestSession) MakeRequestNilResponseHashSumRecorder(t testing.TB, rw *Re return resp } +func (s *TestSession) EnrollTOTP(t testing.TB) { + t.Helper() + + req := NewRequest(t, "GET", "/user/settings/security/two_factor/enroll") + resp := s.MakeRequest(t, req, http.StatusOK) + + htmlDoc := NewHTMLParser(t, resp.Body) + totpSecretKey, has := htmlDoc.Find(".twofa img[src^='data:image/png;base64']").Attr("alt") + assert.True(t, has) + + currentTOTP, err := totp.GenerateCode(totpSecretKey, time.Now()) + require.NoError(t, err) + + req = NewRequestWithValues(t, "POST", "/user/settings/security/two_factor/enroll", map[string]string{ + "_csrf": htmlDoc.GetCSRF(), + "passcode": currentTOTP, + }) + s.MakeRequest(t, req, http.StatusSeeOther) + + flashCookie := s.GetCookie(gitea_context.CookieNameFlash) + assert.NotNil(t, flashCookie) + assert.Contains(t, flashCookie.Value, "success%3DYour%2Baccount%2Bhas%2Bbeen%2Bsuccessfully%2Benrolled.") +} + const userPassword = "password" func emptyTestSession(t testing.TB) *TestSession { @@ -418,6 +444,40 @@ func loginUserWithPasswordRemember(t testing.TB, userName, password string, reme return session } +func loginUserWithTOTP(t testing.TB, user *user_model.User) *TestSession { + t.Helper() + session := loginUser(t, user.Name) + + twoFactor, err := auth.GetTwoFactorByUID(db.DefaultContext, user.ID) + require.NoError(t, err) + + key := keying.DeriveKey(keying.ContextTOTP) + code, err := key.Decrypt(twoFactor.Secret, keying.ColumnAndID("secret", twoFactor.ID)) + require.NoError(t, err) + + passcode, err := totp.GenerateCode(string(code), time.Now()) + require.NoError(t, err) + + req := NewRequestWithValues(t, "POST", "/user/two_factor", map[string]string{ + "_csrf": GetCSRF(t, session, "/user/two_factor"), + "passcode": passcode, + }) + session.MakeRequest(t, req, http.StatusSeeOther) + + return session +} + +func loginUserMaybeTOTP(t testing.TB, user *user_model.User, useTOTP bool) *TestSession { + if useTOTP { + sess := loginUser(t, user.Name) + sess.EnrollTOTP(t) + sess.MakeRequest(t, NewRequest(t, "POST", "/user/logout"), http.StatusOK) + + return loginUserWithTOTP(t, user) + } + return loginUser(t, user.Name) +} + // token has to be unique this counter take care of var tokenCounter int64 diff --git a/tests/integration/setting_test.go b/tests/integration/setting_test.go index 0456d5cfff..4a65a8d44e 100644 --- a/tests/integration/setting_test.go +++ b/tests/integration/setting_test.go @@ -14,6 +14,7 @@ import ( user_model "forgejo.org/models/user" "forgejo.org/modules/setting" "forgejo.org/modules/test" + "forgejo.org/modules/translation" "forgejo.org/tests" "github.com/stretchr/testify/assert" @@ -156,6 +157,78 @@ func TestSettingSecurityAuthSource(t *testing.T) { assert.Contains(t, resp.Body.String(), `gitlab-inactive`) } +func TestSettingSecurityTwoFactorRequirement(t *testing.T) { + defer tests.PrepareTestEnv(t)() + + locale := translation.NewLocale("en-US") + + runTest := func(t *testing.T, user *user_model.User, forceTOTP, showReroll, showUnroll bool) { + t.Helper() + defer unittest.AssertSuccessfulDelete(t, &auth_model.TwoFactor{UID: user.ID}) + + useTOTP := forceTOTP || user.MustHaveTwoFactor() + session := loginUserMaybeTOTP(t, user, useTOTP) + + resp := session.MakeRequest(t, NewRequest(t, "GET", "user/settings/security"), http.StatusOK) + htmlDoc := NewHTMLParser(t, resp.Body) + htmlDoc.AssertSelection(t, htmlDoc.FindByText("a", locale.TrString("settings.twofa_reenroll")), showReroll) + htmlDoc.AssertElement(t, "#disable-form", showUnroll) + htmlDoc.AssertSelection(t, htmlDoc.FindByText("p", locale.TrString("settings.twofa_unroll_unavailable")), showReroll && !showUnroll) + + req := NewRequestWithValues(t, "POST", "user/settings/security/two_factor/disable", map[string]string{ + "_csrf": htmlDoc.GetCSRF(), + }) + if user.MustHaveTwoFactor() { + session.MakeRequest(t, req, http.StatusNotFound) + } else { + resp := session.MakeRequest(t, req, http.StatusSeeOther) + assert.Equal(t, "/user/settings/security", resp.Header().Get("Location")) + } + } + + adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) + normalUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}) + restrictedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29}) + + t.Run("NoneTwoFactorRequirement", func(t *testing.T) { + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, false, false) + runTest(t, normalUser, false, false, false) + runTest(t, restrictedUser, false, false, false) + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, adminUser, true, true, true) + runTest(t, normalUser, true, true, true) + runTest(t, restrictedUser, true, true, true) + }) + }) + + t.Run("AllTwoFactorRequirement", func(t *testing.T) { + defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AllTwoFactorRequirement)() + + runTest(t, adminUser, false, true, false) + runTest(t, normalUser, false, true, false) + runTest(t, restrictedUser, false, true, false) + }) + + t.Run("AdminTwoFactorRequirement", func(t *testing.T) { + defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AdminTwoFactorRequirement)() + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, true, false) + runTest(t, normalUser, false, false, false) + runTest(t, restrictedUser, false, false, false) + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, adminUser, true, true, false) + runTest(t, normalUser, true, true, true) + runTest(t, restrictedUser, true, true, true) + }) + }) +} + func TestUserAvatarSizeNotice(t *testing.T) { defer tests.PrepareTestEnv(t)() diff --git a/tests/integration/signin_test.go b/tests/integration/signin_test.go index 60cd5424a7..5e8dead5b7 100644 --- a/tests/integration/signin_test.go +++ b/tests/integration/signin_test.go @@ -5,11 +5,13 @@ package integration import ( + "fmt" "net/http" "net/url" "strings" "testing" + "forgejo.org/models/auth" "forgejo.org/models/unittest" user_model "forgejo.org/models/user" "forgejo.org/modules/setting" @@ -141,3 +143,136 @@ func TestDisableSignin(t *testing.T) { }) }) } + +func TestGlobalTwoFactorRequirement(t *testing.T) { + defer tests.PrepareTestEnv(t)() + + locale := translation.NewLocale("en-US") + + adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) + normalUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}) + restrictedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29}) + + runTest := func(t *testing.T, user *user_model.User, useTOTP, loginAllowed bool) { + t.Helper() + defer unittest.AssertSuccessfulDelete(t, &auth.TwoFactor{UID: user.ID}) + + session := loginUserMaybeTOTP(t, user, useTOTP) + + req := NewRequest(t, "GET", fmt.Sprintf("/%s", user.Name)) + + if loginAllowed { + session.MakeRequest(t, req, http.StatusOK) + + // not found page + req = NewRequest(t, "GET", "/absolutly/not/found") + req.Header.Add("Accept", "text/html") + resp := session.MakeRequest(t, req, http.StatusNotFound) + htmlDoc := NewHTMLParser(t, resp.Body) + assert.Greater(t, htmlDoc.Find(".navbar-left > a.item").Length(), 1) // show the Logo, and other links + assert.Greater(t, htmlDoc.Find(".navbar-right .user-menu a.item").Length(), 1) + + // 500 page + reset := enableDevtest() + req = NewRequest(t, "GET", "/devtest/error/500") + req.Header.Add("Accept", "text/html") + resp = session.MakeRequest(t, req, http.StatusInternalServerError) + htmlDoc = NewHTMLParser(t, resp.Body) + assert.Equal(t, 1, htmlDoc.Find(".navbar-left > a.item").Length()) + htmlDoc.AssertElement(t, ".navbar-right", false) + reset() + } else { + resp := session.MakeRequest(t, req, http.StatusSeeOther) + assert.Equal(t, "/user/settings/security", resp.Header().Get("Location")) + + // not found page + req = NewRequest(t, "GET", "/absolutly/not/found") + req.Header.Add("Accept", "text/html") + resp = session.MakeRequest(t, req, http.StatusNotFound) + htmlDoc := NewHTMLParser(t, resp.Body) + assert.Equal(t, 1, htmlDoc.Find(".navbar-left > a.item").Length()) // only show the Logo, no other links + + userLinks := htmlDoc.Find(".navbar-right .user-menu a.item") + assert.Equal(t, 1, userLinks.Length()) // only logout link + assert.Equal(t, "Sign out", strings.TrimSpace(userLinks.Text())) + + // 500 page + reset := enableDevtest() + req = NewRequest(t, "GET", "/devtest/error/500") + req.Header.Add("Accept", "text/html") + resp = session.MakeRequest(t, req, http.StatusInternalServerError) + htmlDoc = NewHTMLParser(t, resp.Body) + assert.Equal(t, 1, htmlDoc.Find(".navbar-left > a.item").Length()) + htmlDoc.AssertElement(t, ".navbar-right", false) + reset() + + // 2fa page + req = NewRequest(t, "GET", "/user/settings/security") + resp = session.MakeRequest(t, req, http.StatusOK) + htmlDoc = NewHTMLParser(t, resp.Body) + assert.Equal(t, locale.TrString("settings.must_enable_2fa"), htmlDoc.Find(".ui.red.message").Text()) + assert.Equal(t, 1, htmlDoc.Find(".navbar-left > a.item").Length()) // only show the Logo, no other links + + userLinks = htmlDoc.Find(".navbar-right .user-menu a.item") + assert.Equal(t, 1, userLinks.Length()) // only logout link + assert.Equal(t, "Sign out", strings.TrimSpace(userLinks.Text())) + + assert.Equal(t, 0, htmlDoc.FindByText("a", locale.TrString("settings.twofa_reenroll")).Length()) + + headings := htmlDoc.Find(".user-setting-content h4.attached.header") + assert.Equal(t, 2, headings.Length()) + assert.Equal(t, locale.TrString("settings.twofa"), strings.TrimSpace(headings.First().Text())) + assert.Equal(t, locale.TrString("settings.webauthn"), strings.TrimSpace(headings.Last().Text())) + } + } + + t.Run("NoneTwoFactorRequirement", func(t *testing.T) { + defer tests.PrintCurrentTest(t)() + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, true) + runTest(t, normalUser, false, true) + runTest(t, restrictedUser, false, true) + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, adminUser, true, true) + runTest(t, normalUser, true, true) + runTest(t, restrictedUser, true, true) + }) + }) + + t.Run("AllTwoFactorRequirement", func(t *testing.T) { + defer tests.PrintCurrentTest(t)() + defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AllTwoFactorRequirement)() + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, false) + runTest(t, normalUser, false, false) + runTest(t, restrictedUser, false, false) + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, adminUser, true, true) + runTest(t, normalUser, true, true) + runTest(t, restrictedUser, true, true) + }) + }) + + t.Run("AdminTwoFactorRequirement", func(t *testing.T) { + defer tests.PrintCurrentTest(t)() + defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AdminTwoFactorRequirement)() + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, false) + runTest(t, normalUser, false, true) + runTest(t, restrictedUser, false, true) + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, adminUser, true, true) + runTest(t, normalUser, true, true) + runTest(t, restrictedUser, true, true) + }) + }) +} diff --git a/tests/integration/user_test.go b/tests/integration/user_test.go index 0f659e6b02..de59a16e89 100644 --- a/tests/integration/user_test.go +++ b/tests/integration/user_test.go @@ -853,32 +853,6 @@ func TestUserTOTPEnrolled(t *testing.T) { user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) session := loginUser(t, user.Name) - enrollTOTP := func(t *testing.T) { - t.Helper() - - req := NewRequest(t, "GET", "/user/settings/security/two_factor/enroll") - resp := session.MakeRequest(t, req, http.StatusOK) - - htmlDoc := NewHTMLParser(t, resp.Body) - totpSecretKey, has := htmlDoc.Find(".twofa img[src^='data:image/png;base64']").Attr("alt") - assert.True(t, has) - - currentTOTP, err := totp.GenerateCode(totpSecretKey, time.Now()) - require.NoError(t, err) - - req = NewRequestWithValues(t, "POST", "/user/settings/security/two_factor/enroll", map[string]string{ - "_csrf": htmlDoc.GetCSRF(), - "passcode": currentTOTP, - }) - session.MakeRequest(t, req, http.StatusSeeOther) - - flashCookie := session.GetCookie(gitea_context.CookieNameFlash) - assert.NotNil(t, flashCookie) - assert.Contains(t, flashCookie.Value, "success%3DYour%2Baccount%2Bhas%2Bbeen%2Bsuccessfully%2Benrolled.") - - unittest.AssertSuccessfulDelete(t, &auth_model.TwoFactor{UID: user.ID}) - } - t.Run("No WebAuthn enabled", func(t *testing.T) { defer tests.PrintCurrentTest(t)() @@ -891,7 +865,8 @@ func TestUserTOTPEnrolled(t *testing.T) { called = true })() - enrollTOTP(t) + session.EnrollTOTP(t) + unittest.AssertSuccessfulDelete(t, &auth_model.TwoFactor{UID: user.ID}) assert.True(t, called) }) @@ -909,12 +884,122 @@ func TestUserTOTPEnrolled(t *testing.T) { })() unittest.AssertSuccessfulInsert(t, &auth_model.WebAuthnCredential{UserID: user.ID, Name: "Cueball's primary key"}) - enrollTOTP(t) + session.EnrollTOTP(t) + unittest.AssertSuccessfulDelete(t, &auth_model.TwoFactor{UID: user.ID}) assert.True(t, called) }) } +func TestUserTOTPReenroll(t *testing.T) { + defer tests.PrepareTestEnv(t)() + + user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}) + session := loginUser(t, user.Name) + + resp := session.MakeRequest(t, NewRequest(t, "GET", "/user/settings/security/two_factor/reenroll"), http.StatusSeeOther) + assert.Equal(t, "/user/settings/security", resp.Header().Get("Location")) + + session.EnrollTOTP(t) + + resp = session.MakeRequest(t, NewRequest(t, "GET", "/user/settings/security/two_factor/reenroll"), http.StatusOK) + htmlDoc := NewHTMLParser(t, resp.Body) + + totpSecretKey, has := htmlDoc.Find(".twofa img[src^='data:image/png;base64']").Attr("alt") + assert.True(t, has) + + currentTOTP, err := totp.GenerateCode(totpSecretKey, time.Now()) + require.NoError(t, err) + + req := NewRequestWithValues(t, "POST", "/user/settings/security/two_factor/reenroll", map[string]string{ + "_csrf": htmlDoc.GetCSRF(), + "passcode": currentTOTP, + }) + session.MakeRequest(t, req, http.StatusSeeOther) + + flashCookie := session.GetCookie(gitea_context.CookieNameFlash) + assert.NotNil(t, flashCookie) + assert.Contains(t, flashCookie.Value, "success%3DYour%2Baccount%2Bhas%2Bbeen%2Bsuccessfully%2Benrolled.") +} + +func TestUserTOTPDisable(t *testing.T) { + defer tests.PrepareTestEnv(t)() + + runTest := func(t *testing.T, user *user_model.User, useTOTP, disableAllowed bool, status int, flashMessage string) { + t.Helper() + defer unittest.AssertSuccessfulDelete(t, &auth_model.TwoFactor{UID: user.ID}) + + session := loginUserMaybeTOTP(t, user, useTOTP) + + resp := session.MakeRequest(t, NewRequest(t, "GET", "user/settings/security"), http.StatusOK) + htmlDoc := NewHTMLParser(t, resp.Body) + htmlDoc.AssertElement(t, "#disable-form", disableAllowed) + + req := NewRequestWithValues(t, "POST", "user/settings/security/two_factor/disable", map[string]string{ + "_csrf": htmlDoc.GetCSRF(), + }) + if status == http.StatusSeeOther { + resp := session.MakeRequest(t, req, http.StatusSeeOther) + assert.Equal(t, "/user/settings/security", resp.Header().Get("Location")) + } else { + session.MakeRequest(t, req, status) + } + if flashMessage != "" { + flashCookie := session.GetCookie(gitea_context.CookieNameFlash) + assert.NotNil(t, flashCookie) + if disableAllowed { + assert.Contains(t, flashCookie.Value, fmt.Sprintf("success%%3D%s", flashMessage)) + } else { + assert.Contains(t, flashCookie.Value, fmt.Sprintf("error%%3D%s", flashMessage)) + } + } + } + + adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) + normalUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}) + restrictedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29}) + + const twofaNotEnrolled = "Your%2Baccount%2Bis%2Bnot%2Bcurrently%2Benrolled%2Bin%2Btwo-factor%2Bauthentication." + const twofaDisabled = "Two-factor%2Bauthentication%2Bhas%2Bbeen%2Bdisabled." + + t.Run("NoneTwoFactorRequirement", func(t *testing.T) { + t.Run("no 2fa", func(t *testing.T) { + runTest(t, adminUser, false, false, http.StatusSeeOther, twofaNotEnrolled) + runTest(t, normalUser, false, false, http.StatusSeeOther, twofaNotEnrolled) + runTest(t, restrictedUser, false, false, http.StatusSeeOther, twofaNotEnrolled) + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, adminUser, true, true, http.StatusSeeOther, twofaDisabled) + runTest(t, normalUser, true, true, http.StatusSeeOther, twofaDisabled) + runTest(t, restrictedUser, true, true, http.StatusSeeOther, twofaDisabled) + }) + }) + + t.Run("AllTwoFactorRequirement", func(t *testing.T) { + defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AllTwoFactorRequirement)() + + runTest(t, adminUser, true, false, http.StatusNotFound, "") + runTest(t, normalUser, true, false, http.StatusNotFound, "") + runTest(t, restrictedUser, true, false, http.StatusNotFound, "") + }) + + t.Run("AdminTwoFactorRequirement", func(t *testing.T) { + defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AdminTwoFactorRequirement)() + + t.Run("no 2fa", func(t *testing.T) { + runTest(t, normalUser, false, false, http.StatusSeeOther, twofaNotEnrolled) + runTest(t, restrictedUser, false, false, http.StatusSeeOther, twofaNotEnrolled) + }) + + t.Run("enabled 2fa", func(t *testing.T) { + runTest(t, adminUser, true, false, http.StatusNotFound, "") + runTest(t, normalUser, true, true, http.StatusSeeOther, twofaDisabled) + runTest(t, restrictedUser, true, true, http.StatusSeeOther, twofaDisabled) + }) + }) +} + func TestUserRepos(t *testing.T) { defer tests.PrepareTestEnv(t)()