// Copyright 2017 The Gitea Authors. All rights reserved. // Copyright 2024 The Forgejo Authors. All rights reserved. // SPDX-License-Identifier: MIT package integration import ( "fmt" "net/http" "net/url" "strings" "testing" "forgejo.org/models/auth" "forgejo.org/models/unittest" user_model "forgejo.org/models/user" "forgejo.org/modules/setting" "forgejo.org/modules/test" "forgejo.org/modules/translation" "forgejo.org/tests" "github.com/stretchr/testify/assert" ) func testLoginFailed(t *testing.T, username, password, message string) { session := emptyTestSession(t) req := NewRequestWithValues(t, "POST", "/user/login", map[string]string{ "_csrf": GetCSRF(t, session, "/user/login"), "user_name": username, "password": password, }) resp := session.MakeRequest(t, req, http.StatusOK) htmlDoc := NewHTMLParser(t, resp.Body) resultMsg := htmlDoc.doc.Find(".ui.message>p").Text() assert.Equal(t, message, resultMsg) } func TestSignin(t *testing.T) { defer tests.PrepareTestEnv(t)() user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) // add new user with user2's email user.Name = "testuser" user.LowerName = strings.ToLower(user.Name) user.ID = 0 unittest.AssertSuccessfulInsert(t, user) samples := []struct { username string password string message string }{ {username: "wrongUsername", password: "wrongPassword", message: translation.NewLocale("en-US").TrString("form.username_password_incorrect")}, {username: "wrongUsername", password: "password", message: translation.NewLocale("en-US").TrString("form.username_password_incorrect")}, {username: "user15", password: "wrongPassword", message: translation.NewLocale("en-US").TrString("form.username_password_incorrect")}, {username: "user1@example.com", password: "wrongPassword", message: translation.NewLocale("en-US").TrString("form.username_password_incorrect")}, } for _, s := range samples { testLoginFailed(t, s.username, s.password, s.message) } } func TestSigninWithRememberMe(t *testing.T) { defer tests.PrepareTestEnv(t)() user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) baseURL, _ := url.Parse(setting.AppURL) session := emptyTestSession(t) req := NewRequestWithValues(t, "POST", "/user/login", map[string]string{ "_csrf": GetCSRF(t, session, "/user/login"), "user_name": user.Name, "password": userPassword, "remember": "on", }) session.MakeRequest(t, req, http.StatusSeeOther) c := session.GetCookie(setting.CookieRememberName) assert.NotNil(t, c) session = emptyTestSession(t) // Without session the settings page should not be reachable req = NewRequest(t, "GET", "/user/settings") session.MakeRequest(t, req, http.StatusSeeOther) req = NewRequest(t, "GET", "/user/login") // Set the remember me cookie for the login GET request session.jar.SetCookies(baseURL, []*http.Cookie{c}) session.MakeRequest(t, req, http.StatusSeeOther) // With session the settings page should be reachable req = NewRequest(t, "GET", "/user/settings") session.MakeRequest(t, req, http.StatusOK) } func TestDisableSignin(t *testing.T) { defer tests.PrepareTestEnv(t)() // Mock alternative auth ways as enabled defer test.MockVariableValue(&setting.Service.EnableOpenIDSignIn, true)() defer test.MockVariableValue(&setting.Service.EnableOpenIDSignUp, true)() t.Run("Disabled", func(t *testing.T) { defer test.MockVariableValue(&setting.Service.EnableInternalSignIn, false)() t.Run("UI", func(t *testing.T) { defer tests.PrintCurrentTest(t)() req := NewRequest(t, "GET", "/user/login") resp := MakeRequest(t, req, http.StatusOK) htmlDoc := NewHTMLParser(t, resp.Body) htmlDoc.AssertElement(t, "form[action='/user/login']", false) htmlDoc.AssertElement(t, ".divider-text", false) }) t.Run("Signin", func(t *testing.T) { defer tests.PrintCurrentTest(t)() req := NewRequest(t, "POST", "/user/login") MakeRequest(t, req, http.StatusForbidden) }) }) t.Run("Enabled", func(t *testing.T) { defer test.MockVariableValue(&setting.Service.EnableInternalSignIn, true)() t.Run("UI", func(t *testing.T) { defer tests.PrintCurrentTest(t)() req := NewRequest(t, "GET", "/user/login") resp := MakeRequest(t, req, http.StatusOK) htmlDoc := NewHTMLParser(t, resp.Body) htmlDoc.AssertElement(t, "form[action='/user/login']", true) htmlDoc.AssertElement(t, ".divider-text", true) }) t.Run("Signin", func(t *testing.T) { defer tests.PrintCurrentTest(t)() req := NewRequest(t, "POST", "/user/login") MakeRequest(t, req, http.StatusOK) }) }) } func TestGlobalTwoFactorRequirement(t *testing.T) { defer tests.PrepareTestEnv(t)() locale := translation.NewLocale("en-US") adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) normalUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}) restrictedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29}) runTest := func(t *testing.T, user *user_model.User, useTOTP, loginAllowed bool) { t.Helper() defer unittest.AssertSuccessfulDelete(t, &auth.TwoFactor{UID: user.ID}) session := loginUserMaybeTOTP(t, user, useTOTP) req := NewRequest(t, "GET", fmt.Sprintf("/%s", user.Name)) if loginAllowed { session.MakeRequest(t, req, http.StatusOK) // not found page req = NewRequest(t, "GET", "/absolutly/not/found") req.Header.Add("Accept", "text/html") resp := session.MakeRequest(t, req, http.StatusNotFound) htmlDoc := NewHTMLParser(t, resp.Body) assert.Greater(t, htmlDoc.Find(".navbar-left > a.item").Length(), 1) // show the Logo, and other links assert.Greater(t, htmlDoc.Find(".navbar-right .user-menu a.item").Length(), 1) // 500 page reset := enableDevtest() req = NewRequest(t, "GET", "/devtest/error/500") req.Header.Add("Accept", "text/html") resp = session.MakeRequest(t, req, http.StatusInternalServerError) htmlDoc = NewHTMLParser(t, resp.Body) assert.Equal(t, 1, htmlDoc.Find(".navbar-left > a.item").Length()) htmlDoc.AssertElement(t, ".navbar-right", false) reset() } else { resp := session.MakeRequest(t, req, http.StatusSeeOther) assert.Equal(t, "/user/settings/security", resp.Header().Get("Location")) // not found page req = NewRequest(t, "GET", "/absolutly/not/found") req.Header.Add("Accept", "text/html") resp = session.MakeRequest(t, req, http.StatusNotFound) htmlDoc := NewHTMLParser(t, resp.Body) assert.Equal(t, 1, htmlDoc.Find(".navbar-left > a.item").Length()) // only show the Logo, no other links userLinks := htmlDoc.Find(".navbar-right .user-menu a.item") assert.Equal(t, 1, userLinks.Length()) // only logout link assert.Equal(t, "Sign out", strings.TrimSpace(userLinks.Text())) // 500 page reset := enableDevtest() req = NewRequest(t, "GET", "/devtest/error/500") req.Header.Add("Accept", "text/html") resp = session.MakeRequest(t, req, http.StatusInternalServerError) htmlDoc = NewHTMLParser(t, resp.Body) assert.Equal(t, 1, htmlDoc.Find(".navbar-left > a.item").Length()) htmlDoc.AssertElement(t, ".navbar-right", false) reset() // 2fa page req = NewRequest(t, "GET", "/user/settings/security") resp = session.MakeRequest(t, req, http.StatusOK) htmlDoc = NewHTMLParser(t, resp.Body) assert.Equal(t, locale.TrString("settings.must_enable_2fa"), htmlDoc.Find(".ui.red.message").Text()) assert.Equal(t, 1, htmlDoc.Find(".navbar-left > a.item").Length()) // only show the Logo, no other links userLinks = htmlDoc.Find(".navbar-right .user-menu a.item") assert.Equal(t, 1, userLinks.Length()) // only logout link assert.Equal(t, "Sign out", strings.TrimSpace(userLinks.Text())) assert.Equal(t, 0, htmlDoc.FindByText("a", locale.TrString("settings.twofa_reenroll")).Length()) headings := htmlDoc.Find(".user-setting-content h4.attached.header") assert.Equal(t, 2, headings.Length()) assert.Equal(t, locale.TrString("settings.twofa"), strings.TrimSpace(headings.First().Text())) assert.Equal(t, locale.TrString("settings.webauthn"), strings.TrimSpace(headings.Last().Text())) } } t.Run("NoneTwoFactorRequirement", func(t *testing.T) { defer tests.PrintCurrentTest(t)() t.Run("no 2fa", func(t *testing.T) { runTest(t, adminUser, false, true) runTest(t, normalUser, false, true) runTest(t, restrictedUser, false, true) }) t.Run("enabled 2fa", func(t *testing.T) { runTest(t, adminUser, true, true) runTest(t, normalUser, true, true) runTest(t, restrictedUser, true, true) }) }) t.Run("AllTwoFactorRequirement", func(t *testing.T) { defer tests.PrintCurrentTest(t)() defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AllTwoFactorRequirement)() t.Run("no 2fa", func(t *testing.T) { runTest(t, adminUser, false, false) runTest(t, normalUser, false, false) runTest(t, restrictedUser, false, false) }) t.Run("enabled 2fa", func(t *testing.T) { runTest(t, adminUser, true, true) runTest(t, normalUser, true, true) runTest(t, restrictedUser, true, true) }) }) t.Run("AdminTwoFactorRequirement", func(t *testing.T) { defer tests.PrintCurrentTest(t)() defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AdminTwoFactorRequirement)() t.Run("no 2fa", func(t *testing.T) { runTest(t, adminUser, false, false) runTest(t, normalUser, false, true) runTest(t, restrictedUser, false, true) }) t.Run("enabled 2fa", func(t *testing.T) { runTest(t, adminUser, true, true) runTest(t, normalUser, true, true) runTest(t, restrictedUser, true, true) }) }) }