mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-08-19 17:01:12 +00:00
feat: Global 2FA enforcement (#8753)
resolves #8549 This PR add a config to enforce 2FA for the whole Forgejo instance. It can be configured to `none`, `admin` or `all`. A user who is required to enable 2FA is like a disabled user. He can only see the `/user/settings/security`-Page to enable 2FA, this should be similar to a user which needs to change his password. Also api and git-commands are not allowed. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [ ] I did not document these changes and I do not expect someone else to do it. I will do it, if the general idea of this PR is a good feature. ### Release notes - [ ] I do not want this change to show in the release notes. - [x] I want the title to show in the release notes with a link to this pull request. - [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Security features - [PR](https://codeberg.org/forgejo/forgejo/pulls/8753): <!--number 8753 --><!--line 0 --><!--description R2xvYmFsIDJGQSBlbmZvcmNlbWVudA==-->Global 2FA enforcement<!--description--> <!--end release-notes-assistant--> Co-authored-by: 0ko <0ko@noreply.codeberg.org> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8753 Reviewed-by: 0ko <0ko@noreply.codeberg.org> Reviewed-by: Ellen Εμιλία Άννα Zscheile <fogti@noreply.codeberg.org> Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: zokki <zokki.softwareschmiede@gmail.com> Co-committed-by: zokki <zokki.softwareschmiede@gmail.com>
This commit is contained in:
zokki
Earl Warren
parent
ff99331225
commit
d6838462b8
29 changed files with 1179 additions and 62 deletions
|
|
@ -5,12 +5,19 @@ package integration
|
|||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"testing"
|
||||
|
||||
asymkey_model "forgejo.org/models/asymkey"
|
||||
"forgejo.org/models/auth"
|
||||
"forgejo.org/models/perm"
|
||||
"forgejo.org/models/unittest"
|
||||
user_model "forgejo.org/models/user"
|
||||
"forgejo.org/modules/private"
|
||||
"forgejo.org/modules/setting"
|
||||
"forgejo.org/modules/test"
|
||||
"forgejo.org/tests"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
|
@ -152,3 +159,90 @@ func TestAPIPrivateServ(t *testing.T) {
|
|||
assert.Equal(t, int64(20), results.RepoID)
|
||||
})
|
||||
}
|
||||
|
||||
func TestAPIPrivateServAndNoServWithRequiredTwoFactor(t *testing.T) {
|
||||
onGiteaRun(t, func(*testing.T, *url.URL) {
|
||||
ctx, cancel := context.WithCancel(t.Context())
|
||||
defer cancel()
|
||||
|
||||
runTest := func(t *testing.T, user *user_model.User, useTOTP, servAllowed bool) {
|
||||
t.Helper()
|
||||
repo, _, reset := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{})
|
||||
defer reset()
|
||||
|
||||
pubKey, err := asymkey_model.AddPublicKey(ctx, user.ID, "tmp-key-"+user.Name, "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBGXEEzWmm1dxb+57RoK5KVCL0w2eNv9cqJX2AGGVlkFsVDhOXHzsadS3LTK4VlEbbrDMJdoti9yM8vclA8IeRacAAAAEc3NoOg== nocomment", 0)
|
||||
require.NoError(t, err)
|
||||
defer unittest.AssertSuccessfulDelete(t, &asymkey_model.PublicKey{ID: pubKey.ID})
|
||||
|
||||
if useTOTP {
|
||||
session := loginUser(t, user.Name)
|
||||
session.EnrollTOTP(t)
|
||||
session.MakeRequest(t, NewRequest(t, "POST", "/user/logout"), http.StatusOK)
|
||||
defer unittest.AssertSuccessfulDelete(t, &auth.TwoFactor{UID: user.ID})
|
||||
}
|
||||
|
||||
// Can push to a repo
|
||||
_, extra := private.ServCommand(ctx, pubKey.ID, user.Name, repo.Name, perm.AccessModeWrite, "git-upload-pack", "")
|
||||
_, _, err = private.ServNoCommand(ctx, pubKey.ID)
|
||||
if servAllowed {
|
||||
require.NoError(t, extra.Error)
|
||||
require.NoError(t, err)
|
||||
} else {
|
||||
require.Error(t, extra.Error)
|
||||
require.Error(t, err)
|
||||
}
|
||||
}
|
||||
|
||||
adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
||||
normalUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
|
||||
restrictedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29})
|
||||
|
||||
t.Run("NoneTwoFactorRequirement", func(t *testing.T) {
|
||||
// this should be the default, so don't have to set the variable
|
||||
|
||||
t.Run("no 2fa", func(t *testing.T) {
|
||||
runTest(t, adminUser, false, true)
|
||||
runTest(t, normalUser, false, true)
|
||||
runTest(t, restrictedUser, false, true)
|
||||
})
|
||||
|
||||
t.Run("enabled 2fa", func(t *testing.T) {
|
||||
runTest(t, adminUser, true, true)
|
||||
runTest(t, normalUser, true, true)
|
||||
runTest(t, restrictedUser, true, true)
|
||||
})
|
||||
})
|
||||
|
||||
t.Run("AllTwoFactorRequirement", func(t *testing.T) {
|
||||
defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AllTwoFactorRequirement)()
|
||||
|
||||
t.Run("no 2fa", func(t *testing.T) {
|
||||
runTest(t, adminUser, false, false)
|
||||
runTest(t, normalUser, false, false)
|
||||
runTest(t, restrictedUser, false, false)
|
||||
})
|
||||
|
||||
t.Run("enabled 2fa", func(t *testing.T) {
|
||||
runTest(t, adminUser, true, true)
|
||||
runTest(t, normalUser, true, true)
|
||||
runTest(t, restrictedUser, true, true)
|
||||
})
|
||||
})
|
||||
|
||||
t.Run("AdminTwoFactorRequirement", func(t *testing.T) {
|
||||
defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AdminTwoFactorRequirement)()
|
||||
|
||||
t.Run("no 2fa", func(t *testing.T) {
|
||||
runTest(t, adminUser, false, false)
|
||||
runTest(t, normalUser, false, true)
|
||||
runTest(t, restrictedUser, false, true)
|
||||
})
|
||||
|
||||
t.Run("enabled 2fa", func(t *testing.T) {
|
||||
runTest(t, adminUser, true, true)
|
||||
runTest(t, normalUser, true, true)
|
||||
runTest(t, restrictedUser, true, true)
|
||||
})
|
||||
})
|
||||
})
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue