Commit 9b1d9560 authored by Mingsong Hu's avatar Mingsong Hu

Add TFA reset password test

parent fb8865cd
Tags 8.x-1.7
<?php
namespace Drupal\Tests\tfa\Functional;
use Drupal\Core\Test\AssertMailTrait;
use Drupal\user\Entity\User;
/**
* Tests for the tfa login process.
*
* @group Tfa
*/
class TfaPasswordResetTest extends TfaTestBase {
use AssertMailTrait {
getMails as drupalGetMails;
}
/**
* User doing the TFA Validation.
*
* @var \Drupal\user\Entity\User
*/
protected $webUser;
/**
* Administrator to handle configurations.
*
* @var \Drupal\user\Entity\User
*/
protected $adminUser;
/**
* Super administrator to edit other users TFA.
*
* @var \Drupal\user\Entity\User
*/
protected $superAdmin;
/**
* {@inheritdoc}
*/
public function setUp(): void {
parent::setUp();
// Enable page caching.
$config = $this->config('system.performance');
$config->set('cache.page.max_age', 3600);
$config->save();
$this->webUser = $this->drupalCreateUser(['setup own tfa']);
$this->adminUser = $this->drupalCreateUser(['admin tfa settings']);
$this->superAdmin = $this->drupalCreateUser(
['administer tfa for other users',
'admin tfa settings',
'setup own tfa',
]
);
$this->canEnableValidationPlugin('tfa_test_plugins_validation');
// Activate user by logging in.
$this->drupalLogin($this->superAdmin);
$this->drupalLogout();
}
/**
* Tests the tfa one time login process.
*/
public function testTfaOneTimeLogin() {
$assert_session = $this->assertSession();
// Enable TFA for the webUser role only.
$this->drupalLogin($this->adminUser);
$web_user_roles = $this->webUser->getRoles(TRUE);
$super_user_roles = $this->superAdmin->getRoles(TRUE);
$edit = [
'tfa_required_roles[' . $web_user_roles[0] . ']' => TRUE,
'tfa_required_roles[' . $super_user_roles[0] . ']' => TRUE,
];
$this->drupalGet('admin/config/people/tfa');
$this->submitForm($edit, 'Save configuration');
$assert_session->statusCodeEquals(200);
$assert_session->pageTextContains('The configuration options have been saved.');
// Check that tfa is presented via a normal login.
$this->drupalLogout();
$edit = [
'name' => $this->webUser->getAccountName(),
'pass' => $this->webUser->passRaw,
];
$this->drupalGet('user/login');
$this->submitForm($edit, 'Log in');
$assert_session->statusCodeEquals(200);
$assert_session->addressMatches('/\/tfa\/' . $this->webUser->id() . '/');
$this->drupalLogout();
// Check that tfa is presented via one time password reset login.
// Reset the password by username via the password reset page.
// login via the one time login URL.
$this->resetPassword($this->webUser);
// And check if the TFA presented.
$assert_session->addressMatches('/\/tfa\/' . $this->webUser->id() . '/');
// Check that TFA admin user can bypass TFA
// when resetting the password,
// If Admin TFA exemption is enabled by default.
$this->drupalLogout();
// Login via the one time login URL.
$this->resetPassword($this->superAdmin);
// Change the password.
$password = \Drupal::service('password_generator')->generate();
$edit = ['pass[pass1]' => $password, 'pass[pass2]' => $password];
$this->submitForm($edit, 'Save');
$assert_session->pageTextContains('The changes have been saved.');
// Check that TFA admin user can not bypass TFA
// when resetting the password.
// If Admin TFA exemption is disabled.
$this->drupalLogout();
// Enable TFA for the suer admin role,
// and disable admin bypass TFA while resetting password.
$this->drupalLogin($this->adminUser);
$edit = [
'admin_uli_skip' => 0,
];
$this->drupalGet('admin/config/people/tfa');
$this->submitForm($edit, 'Save configuration');
$assert_session->statusCodeEquals(200);
$assert_session->pageTextContains('The configuration options have been saved.');
$this->drupalLogout();
// Login via the one time login URL.
$this->resetPassword($this->superAdmin);
// And check if the TFA and pass-reset-token are presented.
$current_url = $this->getUrl();
$match = preg_match('/\/tfa\/' . $this->superAdmin->id() . '\/.+?pass-reset-token=.+/', $current_url) ? TRUE : FALSE;
$this->assertTrue($match, 'It is not a valid tfa path or pass-reset-token is missing in the path.');
}
/**
* Retrieves password reset email and extracts the login link.
*/
public function getResetUrl() {
// Assume the most recent email.
$_emails = $this->drupalGetMails();
$email = end($_emails);
$urls = [];
preg_match('#.+user/reset/.+#', $email['body'], $urls);
$path = parse_url($urls[0], PHP_URL_PATH);
return $path;
}
/**
* Reset password login process.
*
* @param \Drupal\user\Entity\User $user
* The user who need to reset the password.
*/
public function resetPassword(User $user) {
$this->drupalGet('user/password');
$edit = ['name' => $user->getAccountName()];
$this->submitForm($edit, 'Submit');
// Get the one time reset URL form the email.
$resetURL = $this->getResetURL() . '/login';
// Login via one time login URL
// and check if the TFA presented.
$this->drupalGet($resetURL);
}
}
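Review bot: The admin-exemption branch of testTfaOneTimeLogin never asserts that superAdmin actually bypassed TFA after the first `$this->resetPassword($this->superAdmin);` call; it relies only on the password form saving, so a regression that lands the admin on the TFA page would surface as an unrelated form failure rather than a clear exemption failure. Add an explicit check right after that call, `$this->assertStringNotContainsString('/tfa/', $this->getUrl(), 'Admin should bypass TFA on one-time login while exemption is enabled.');`, mirroring the `addressMatches` checks already used for webUser. In getResetUrl() the `preg_match` result is ignored, so a mail without a reset link fails with an undefined-offset notice instead of a readable assertion; `$this->assertSame(1, preg_match('#.+user/reset/.+#', $email['body'], $urls), 'No reset URL found in mail.');` makes the failure explicit. The call site spells it `getResetURL()` while the method is declared `getResetUrl()`; PHP resolves this case-insensitively, but matching the declared name keeps static analysis and IDE navigation clean.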