9b1d9560
Commit
9b1d9560
authored
2 years ago
by
Mingsong Hu
Add TFA reset password test
parent
fb8865cd
Tags
8.x-1.7
tests/src/Functional/TfaPasswordResetTest.php
+169
-0
169 additions, 0 deletions
tests/src/Functional/TfaPasswordResetTest.php
with
169 additions
and
0 deletions
tests/src/Functional/TfaPasswordResetTest.php
0 → 100644
+
169
−
0
<?php
namespace
Drupal\Tests\tfa\Functional
;
use
Drupal\Core\Test\AssertMailTrait
;
use
Drupal\user\Entity\User
;
/**
* Tests for the tfa login process.
*
* @group Tfa
*/
class
TfaPasswordResetTest
extends
TfaTestBase
{
use
AssertMailTrait
{
getMails
as
drupalGetMails
;
}
/**
* User doing the TFA Validation.
*
* @var \Drupal\user\Entity\User
*/
protected
$webUser
;
/**
* Administrator to handle configurations.
*
* @var \Drupal\user\Entity\User
*/
protected
$adminUser
;
/**
* Super administrator to edit other users TFA.
*
* @var \Drupal\user\Entity\User
*/
protected
$superAdmin
;
/**
* {@inheritdoc}
*/
public
function
setUp
():
void
{
parent
::
setUp
();
// Enable page caching.
$config
=
$this
->
config
(
'system.performance'
);
$config
->
set
(
'cache.page.max_age'
,
3600
);
$config
->
save
();
$this
->
webUser
=
$this
->
drupalCreateUser
([
'setup own tfa'
]);
$this
->
adminUser
=
$this
->
drupalCreateUser
([
'admin tfa settings'
]);
$this
->
superAdmin
=
$this
->
drupalCreateUser
(
[
'administer tfa for other users'
,
'admin tfa settings'
,
'setup own tfa'
,
]
);
$this
->
canEnableValidationPlugin
(
'tfa_test_plugins_validation'
);
// Activate user by logging in.
$this
->
drupalLogin
(
$this
->
superAdmin
);
$this
->
drupalLogout
();
}
/**
* Tests the tfa one time login process.
*/
public
function
testTfaOneTimeLogin
()
{
$assert_session
=
$this
->
assertSession
();
// Enable TFA for the webUser role only.
$this
->
drupalLogin
(
$this
->
adminUser
);
$web_user_roles
=
$this
->
webUser
->
getRoles
(
TRUE
);
$super_user_roles
=
$this
->
superAdmin
->
getRoles
(
TRUE
);
$edit
=
[
'tfa_required_roles['
.
$web_user_roles
[
0
]
.
']'
=>
TRUE
,
'tfa_required_roles['
.
$super_user_roles
[
0
]
.
']'
=>
TRUE
,
];
$this
->
drupalGet
(
'admin/config/people/tfa'
);
$this
->
submitForm
(
$edit
,
'Save configuration'
);
$assert_session
->
statusCodeEquals
(
200
);
$assert_session
->
pageTextContains
(
'The configuration options have been saved.'
);
// Check that tfa is presented via a normal login.
$this
->
drupalLogout
();
$edit
=
[
'name'
=>
$this
->
webUser
->
getAccountName
(),
'pass'
=>
$this
->
webUser
->
passRaw
,
];
$this
->
drupalGet
(
'user/login'
);
$this
->
submitForm
(
$edit
,
'Log in'
);
$assert_session
->
statusCodeEquals
(
200
);
$assert_session
->
addressMatches
(
'/\/tfa\/'
.
$this
->
webUser
->
id
()
.
'/'
);
$this
->
drupalLogout
();
// Check that tfa is presented via one time password reset login.
// Reset the password by username via the password reset page.
// login via the one time login URL.
$this
->
resetPassword
(
$this
->
webUser
);
// And check if the TFA presented.
$assert_session
->
addressMatches
(
'/\/tfa\/'
.
$this
->
webUser
->
id
()
.
'/'
);
// Check that TFA admin user can bypass TFA
// when resetting the password,
// If Admin TFA exemption is enabled by default.
$this
->
drupalLogout
();
// Login via the one time login URL.
$this
->
resetPassword
(
$this
->
superAdmin
);
// Change the password.
$password
=
\Drupal
::
service
(
'password_generator'
)
->
generate
();
$edit
=
[
'pass[pass1]'
=>
$password
,
'pass[pass2]'
=>
$password
];
$this
->
submitForm
(
$edit
,
'Save'
);
$assert_session
->
pageTextContains
(
'The changes have been saved.'
);
// Check that TFA admin user can not bypass TFA
// when resetting the password.
// If Admin TFA exemption is disabled.
$this
->
drupalLogout
();
// Enable TFA for the suer admin role,
// and disable admin bypass TFA while resetting password.
$this
->
drupalLogin
(
$this
->
adminUser
);
$edit
=
[
'admin_uli_skip'
=>
0
,
];
$this
->
drupalGet
(
'admin/config/people/tfa'
);
$this
->
submitForm
(
$edit
,
'Save configuration'
);
$assert_session
->
statusCodeEquals
(
200
);
$assert_session
->
pageTextContains
(
'The configuration options have been saved.'
);
$this
->
drupalLogout
();
// Login via the one time login URL.
$this
->
resetPassword
(
$this
->
superAdmin
);
// And check if the TFA and pass-reset-token are presented.
$current_url
=
$this
->
getUrl
();
$match
=
preg_match
(
'/\/tfa\/'
.
$this
->
superAdmin
->
id
()
.
'\/.+?pass-reset-token=.+/'
,
$current_url
)
?
TRUE
:
FALSE
;
$this
->
assertTrue
(
$match
,
'It is not a valid tfa path or pass-reset-token is missing in the path.'
);
}
/**
* Retrieves password reset email and extracts the login link.
*/
public
function
getResetUrl
()
{
// Assume the most recent email.
$_emails
=
$this
->
drupalGetMails
();
$email
=
end
(
$_emails
);
$urls
=
[];
preg_match
(
'#.+user/reset/.+#'
,
$email
[
'body'
],
$urls
);
$path
=
parse_url
(
$urls
[
0
],
PHP_URL_PATH
);
return
$path
;
}
/**
* Reset password login process.
*
* @param \Drupal\user\Entity\User $user
* The user who need to reset the password.
*/
public
function
resetPassword
(
User
$user
)
{
$this
->
drupalGet
(
'user/password'
);
$edit
=
[
'name'
=>
$user
->
getAccountName
()];
$this
->
submitForm
(
$edit
,
'Submit'
);
// Get the one time reset URL form the email.
$resetURL
=
$this
->
getResetURL
()
.
'/login'
;
// Login via one time login URL
// and check if the TFA presented.
$this
->
drupalGet
(
$resetURL
);
}
}
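Review bot: `getResetUrl` never verifies that a reset mail exists or that the link was found, so when no mail was sent `end($_emails)` yields `false` and an unmatched `preg_match` leaves `$urls[0]` undefined, and the failure shows up as a PHP warning from `parse_url(null)` instead of a clear assertion; add `$this->assertNotEmpty($_emails, 'No password reset mail was sent.');` before `end()` and `$this->assertNotEmpty($urls, 'No one-time login link found in the reset mail.');` after `preg_match`. The call site in `resetPassword` spells the helper `getResetURL` while it is declared as `getResetUrl`; this only works because PHP method names are case-insensitive and should be unified on one spelling. In `testTfaOneTimeLogin`, the "admin can bypass TFA when resetting the password" scenario has no explicit check that the TFA form was skipped — it relies on the later password change succeeding — so after `$this->resetPassword($this->superAdmin);` an assertion such as `self::assertStringNotContainsString('/tfa/', $this->getUrl());` would pin the bypass behaviour directly. The `preg_match(...) ? TRUE : FALSE` at the end of the test can be written as `(bool) preg_match(...)`, or the regex passed to `assertMatchesRegularExpression` with `$this->getUrl()`, which also reports the actual URL on failure.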