authorMatthew Somerville <matthew-github@dracos.co.uk>2018-02-07 13:09:45 +0000
committerMatthew Somerville <matthew-github@dracos.co.uk>2018-02-07 13:09:45 +0000
commit7361782de3d072f8d09442e33aa9c42a7c181c4c (patch)
tree5b8f49a13eb6f3aeb152262cbe66d55a48c4924d /t
parent6879af98d0246b6973affff08a4e078206bb5dfc (diff)
parent3e721ddf5d9809c9f44d7dedcf2083a544e6e148 (diff)
Merge branch '2fa-superuser'
Diffstat (limited to 't')
-rw-r--r--t/app/controller/auth.t23
-rw-r--r--t/app/controller/auth_profile.t36
-rw-r--r--t/app/controller/report_new.t34
3 files changed, 83 insertions, 10 deletions
diff --git a/t/app/controller/auth.t b/t/app/controller/auth.t
index bec8698d5..8cc7e4154 100644
--- a/t/app/controller/auth.t
+++ b/t/app/controller/auth.t
@@ -299,3 +299,26 @@ subtest 'check common password AJAX call' => sub {
$mech->post_ok('/auth/common_password', { password_register => 'squirblewirble' });
$mech->content_contains("true");
};
+
+subtest "Test two-factor authentication login" => sub {
+ use Auth::GoogleAuth;
+ my $auth = Auth::GoogleAuth->new;
+ my $code = $auth->code;
+ my $wrong_code = $auth->code(undef, time() - 120);
+
+ my $user = FixMyStreet::App->model('DB::User')->find( { email => $test_email } );
+ $user->is_superuser(1);
+ $user->password('password');
+ $user->set_extra_metadata('2fa_secret', $auth->secret32);
+ $user->update;
+
+ $mech->get_ok('/auth');
+ $mech->submit_form_ok(
+ { with_fields => { username => $test_email, password_sign_in => 'password' } },
+ "sign in using form" );
+ $mech->content_contains('Please generate a two-factor code');
+ $mech->submit_form_ok({ with_fields => { '2fa_code' => $wrong_code } }, "provide wrong 2FA code" );
+ $mech->content_contains('Try again');
+ $mech->submit_form_ok({ with_fields => { '2fa_code' => $code } }, "provide correct 2FA code" );
+ $mech->logged_in_ok;
+};
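Review bot: `use Auth::GoogleAuth;` on L29 is a compile-time, file-scoped import, so placing it inside the subtest body reads as if it were conditional or local when it is neither; the same applies to the copy inside the `if` block at L141 of report_new.t. Move it to the top-level `use` block in both files. Separately, the wrong-code step only checks the page text `Try again`; an explicit not-logged-in assertion after it (the test mech's `not_logged_in_ok`, if that helper is available here) would pin the property the test is actually about rather than the wording of the error page. Note also that `$auth->code` is called at L31 before `$auth->secret32` is read at L37, so the test appears to rely on `code` lazily generating a secret; report_new.t calls `generate_secret32` explicitly at L144, which is clearer and worth doing here too.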
diff --git a/t/app/controller/auth_profile.t b/t/app/controller/auth_profile.t
index de2ad6534..4be1be12c 100644
--- a/t/app/controller/auth_profile.t
+++ b/t/app/controller/auth_profile.t
@@ -347,7 +347,7 @@ subtest "Test superuser can access generate token page" => sub {
},
});
- $mech->content_lacks('Generate token');
+ $mech->content_lacks('Security');
$mech->get('/auth/generate_token');
is $mech->res->code, 403, "access denied";
@@ -355,7 +355,7 @@ subtest "Test superuser can access generate token page" => sub {
ok $user->update({ is_superuser => 1 }), 'user is superuser';
$mech->get_ok('/my');
- $mech->content_contains('Generate token');
+ $mech->content_contains('Security');
$mech->get_ok('/auth/generate_token');
};
@@ -372,7 +372,7 @@ subtest "Test staff user can access generate token page" => sub {
},
});
- $mech->content_lacks('Generate token');
+ $mech->content_lacks('Security');
my $body = $mech->create_body_ok(2237, 'Oxfordshire');
@@ -382,7 +382,7 @@ subtest "Test staff user can access generate token page" => sub {
ok $user->update({ from_body => $body }), 'user is staff user';
$mech->get_ok('/my');
- $mech->content_contains('Generate token');
+ $mech->content_contains('Security');
$mech->get_ok('/auth/generate_token');
};
@@ -406,7 +406,7 @@ subtest "Test generate token page" => sub {
$mech->follow_link_ok({url => '/auth/generate_token'});
$mech->content_lacks('Token:');
$mech->submit_form_ok(
- { with_fields => { generate_token => 'Generate token' } },
+ { button => 'generate_token' },
"submit generate token form"
);
$mech->content_contains( 'Your token has been generated', "token generated" );
@@ -425,4 +425,28 @@ subtest "Test generate token page" => sub {
$mech->log_out_ok;
$mech->add_header('Authorization', "Bearer $token");
$mech->logged_in_ok;
-}
+};
+
+subtest "Test two-factor authentication admin" => sub {
+ my $user = FixMyStreet::App->model('DB::User')->find( { email => $test_email } );
+ ok $user->update({ is_superuser => 1 }), 'user set to superuser';
+
+ $mech->log_in_ok($test_email);
+ $mech->get_ok('/auth/generate_token');
+ ok !$user->get_extra_metadata('2fa_secret');
+
+ $mech->submit_form_ok({ button => 'toggle_2fa' }, "submit 2FA activation");
+ $mech->content_contains('has been activated', "2FA activated");
+
+ $user->discard_changes();
+ my $token = $user->get_extra_metadata('2fa_secret');
+ ok $token, '2FA secret set';
+
+ $mech->content_contains($token, 'secret displayed');
+
+ $mech->get_ok('/auth/generate_token');
+ $mech->content_lacks($token, 'secret no longer displayed');
+
+ $mech->submit_form_ok({ button => 'toggle_2fa' }, "submit 2FA deactivation");
+ $mech->content_contains('has been deactivated', "2FA deactivated");
+};
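Review bot: The deactivation step at L117-L118 only checks the page text and never verifies that the stored secret was actually removed, which is the property that matters, since a lingering `2fa_secret` would leave the account enrolled. After the `has been deactivated` check add `$user->discard_changes; ok !$user->get_extra_metadata('2fa_secret'), '2FA secret cleared';`. The `ok` at L103 also has no description; `ok !$user->get_extra_metadata('2fa_secret'), 'no 2FA secret before activation';` gives a useful failure message.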
diff --git a/t/app/controller/report_new.t b/t/app/controller/report_new.t
index 95461fa8f..3c120b0b0 100644
--- a/t/app/controller/report_new.t
+++ b/t/app/controller/report_new.t
@@ -705,7 +705,11 @@ subtest "test password errors for a user who is signing in as they report" => su
], "check there were errors";
};
-subtest "test report creation for a user who is signing in as they report" => sub {
+foreach my $test (
+ { two_factor => 0, desc => '', },
+ { two_factor => 1, desc => ' with two-factor', },
+) {
+ subtest "test report creation for a user who is signing in as they report$test->{desc}" => sub {
$mech->log_out_ok;
$mech->cookie_jar({});
$mech->clear_emails_ok;
@@ -722,6 +726,15 @@ subtest "test report creation for a user who is signing in as they report" => su
password => 'secret2',
} ), "set user details";
+ my $auth;
+ if ($test->{two_factor}) {
+ use Auth::GoogleAuth;
+ $auth = Auth::GoogleAuth->new;
+ $user->is_superuser(1);
+ $user->set_extra_metadata('2fa_secret', $auth->generate_secret32);
+ $user->update;
+ }
+
# submit initial pc form
$mech->get_ok('/around');
FixMyStreet::override_config {
@@ -742,7 +755,7 @@ subtest "test report creation for a user who is signing in as they report" => su
title => 'Test Report',
detail => 'Test report details.',
photo1 => '',
- username => 'test-2@example.com',
+ username => $test_email,
password_sign_in => 'secret2',
category => 'Street lighting',
}
@@ -750,6 +763,15 @@ subtest "test report creation for a user who is signing in as they report" => su
"submit good details"
);
+ if ($test->{two_factor}) {
+ my $code = $auth->code;
+ my $wrong_code = $auth->code(undef, time() - 120);
+ $mech->content_contains('Please generate a two-factor code');
+ $mech->submit_form_ok({ with_fields => { '2fa_code' => $wrong_code } }, "provide wrong 2FA code" );
+ $mech->content_contains('Try again');
+ $mech->submit_form_ok({ with_fields => { '2fa_code' => $code } }, "provide correct 2FA code" );
+ }
+
# check that we got the message expected
$mech->content_contains( 'You have successfully signed in; please check and confirm your details are accurate:' );
@@ -768,7 +790,10 @@ subtest "test report creation for a user who is signing in as they report" => su
my $report = $user->problems->first;
ok $report, "Found the report";
- $mech->content_contains('Thank you for reporting this issue');
+ if (!$test->{two_factor}) {
+ # The superuser account will be immediately redirected
+ $mech->content_contains('Thank you for reporting this issue');
+ }
# Check the report has been assigned appropriately
is $report->bodies_str, $body_ids{2651};
@@ -793,7 +818,8 @@ subtest "test report creation for a user who is signing in as they report" => su
# cleanup
$mech->delete_user($user)
-};
+ };
+}
#### test report creation for user with account and logged in
my ($saved_lat, $saved_lon);
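Review bot: In the two-factor branch at L163-L170, the wrong-code submission is only checked for the `Try again` text; nothing asserts that the sign-in did not complete, so a regression that accepted the stale code but still rendered that text would pass. After the `Try again` check add `$mech->content_lacks('You have successfully signed in', "not signed in after wrong 2FA code");`. The enclosing subtest starts and ends outside this hunk. The skip at L178-L181 likewise asserts nothing about where the superuser lands after the redirect the comment describes; asserting the destination there would let the two-factor variant check the same outcome as the plain one.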