feat: acr can be used to force identity with IAL=2
Showing
20 changed files
with
519 additions
and
46 deletions.
@@ -0,0 +1 @@ | ||
DO_NOT_SEND_MAIL="True" |
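--- /dev/null
+++ b/(path not shown on page).sql
@@ -0,0 +1,57 @@
+INSERT INTO users
+(id, email, email_verified, email_verified_at, encrypted_password, created_at, updated_at,
+given_name, family_name, phone_number, job, encrypted_totp_key, totp_key_verified_at, force_2fa)
+VALUES
+(1, '[email protected]', true, CURRENT_TIMESTAMP,
+'$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP,
+'Jean', 'IAL2 AAL2', '0123456789', 'Sbire',
+'kuOSXGk68H2B3pYnph0uyXAHrmpbWaWyX/iX49xVaUc=.VMPBZSO+eAng7mjS.cI2kRY9rwhXchcKiiaMZIg==',
+CURRENT_TIMESTAMP, false
+),
+(2, '[email protected]', true, CURRENT_TIMESTAMP,
+'$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP,
+'Jean', 'IAL1 AAL2', '0123456789', 'Sbire',
+'kuOSXGk68H2B3pYnph0uyXAHrmpbWaWyX/iX49xVaUc=.VMPBZSO+eAng7mjS.cI2kRY9rwhXchcKiiaMZIg==',
+CURRENT_TIMESTAMP, false
+),
+(3, '[email protected]', true, CURRENT_TIMESTAMP,
+'$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP,
+'Jean', 'IAL2 AAL1', '0123456789', 'Sbire',
+null, null, false),
+(4, '[email protected]', true, CURRENT_TIMESTAMP,
+'$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP,
+'Jean', 'IAL1 AAL1', '0123456789', 'Sbire',
+null, null, false);
+
+INSERT INTO organizations
+(id, siret, created_at, updated_at)
+VALUES
+(1, '21340126800130', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP);
+
+INSERT INTO users_organizations
+(user_id, organization_id, is_external, verification_type, has_been_greeted)
+VALUES
+(1, 1, false, 'domain', true),
+(2, 1, false, null, true),
+(3, 1, false, 'domain', true),
+(4, 1, false, null, true);
+
+INSERT INTO oidc_clients
+(client_name, client_id, client_secret, redirect_uris,
+post_logout_redirect_uris, scope, client_uri, client_description,
+userinfo_signed_response_alg, id_token_signed_response_alg,
+authorization_signed_response_alg, introspection_signed_response_alg)
+VALUES
+('Oidc Test Client',
+'acr_client_id',
+'acr_client_secret',
+ARRAY [
+'http://localhost:4003/login-callback'
+],
+ARRAY [
+'http://localhost:4003/'
+],
+'openid email profile organization',
+'http://localhost:4003/',
+'MonComptePro test client. More info: https://github.com/numerique-gouv/moncomptepro-test-client.',
+null, 'RS256', null, null);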
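Review bot: The property the acr tests depend on is encoded only implicitly in this fixture: the `users_organizations` rows give users 1 and 3 `verification_type = 'domain'` and users 2 and 4 `NULL`, and only users 1 and 2 carry an `encrypted_totp_key`, while the `family_name` labels ('IAL2 AAL2', 'IAL1 AAL2', ...) are the sole hint of intent. A header comment above the first INSERT makes that reviewable, e.g. `-- Users 1 & 3: verification_type = 'domain' (consistency-checked / IAL2); users 2 & 4: NULL (self-asserted / IAL1).` and `-- Users 1 & 2 have a TOTP key (AAL2); users 3 & 4 do not (AAL1). All rows share one bcrypt hash and one encrypted TOTP key on purpose.` Presumably the server derives the acr from `verification_type`, but that logic is not visible here, so the mapping should be confirmed against the acr implementation before the comment is committed. The `oidc_clients` row stores a plaintext `client_secret` and plain-http redirect URIs, which is acceptable only because this is a localhost test seed; a one-line `-- test-only client, never load outside the e2e environment` comment stops it from being copied into a real seed.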
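--- /dev/null
+++ b/(path not shown on page).cy.ts
@@ -0,0 +1,31 @@
+//
+
+describe("sign-in with a client requiring consistency-checked identity", () => {
+it("should sign-in an return the right acr value", function () {
+cy.visit("http://localhost:4003");
+cy.get("button#force-2fa").click();
+
+cy.login("[email protected]");
+
+cy.contains('"acr": "urn:dinum:ac:classes:consistency-checked"');
+});
+it("should return an error with ial1", function () {
+cy.visit("http://localhost:4003");
+cy.get("button#force-2fa").click();
+
+cy.login("[email protected]");
+
+cy.contains("access_denied (none of the requested ACRs could be obtained)");
+});
+
+// TODO add tests:
+// - log with a client requiring consistency-checked and consistency-checked-mfa
+// - with a consistency checked user and MFA => see the right acr returned
+// - with a self-asserted user and MFA => see an error
+// - log with a client not requiring any acr
+// - with a self-asserted user => see acr self-asserted
+// - with a consistency checked user => see acr consistency-checked
+// - log with acr_values=eidas1 and ENABLE_FIXED_ACR=True
+// - with all type of acr => see the right acr
+// these tests required the mcp-test-client to be modifiable like fc-mock
+});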
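Review bot: The negative test ("should return an error with ial1") only checks that the `access_denied` message is displayed; it does not assert that no token was issued, so a regression that renders the error text but still completes the authorization for the IAL1 user would pass. After the error assertion add a guard such as `cy.contains('"acr"').should("not.exist");` — this presumes the test client prints the id_token claims on the same page it uses in the first test, which is not visible here, so adapt the selector to what the client actually renders. The first test title reads `should sign-in an return the right acr value`; it should be `and return`. The TODO block already names the case that matters most for this feature (a self-asserted user must not obtain consistency-checked-mfa), so it deserves a tracked follow-up rather than a comment alone.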
@@ -1,3 +1,2 @@ | ||
FEATURE_AUTHENTICATE_BROWSER=True | ||
FEATURE_SEND_MAIL=False | ||
FEATURE_RATE_LIMIT=True |
|
@@ -8,11 +8,17 @@ VALUES | |
'kuOSXGk68H2B3pYnph0uyXAHrmpbWaWyX/iX49xVaUc=.VMPBZSO+eAng7mjS.cI2kRY9rwhXchcKiiaMZIg==', | ||
CURRENT_TIMESTAMP, true | ||
), | ||
(2, 'unused2@yopmail.com', true, CURRENT_TIMESTAMP, | ||
(2, '181eb568-ca3d-4995-8b06-a717a83421fd@mailslurp.com', true, CURRENT_TIMESTAMP, | ||
'$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, | ||
'Jean', 'Jean', '0123456789', 'Sbire', | ||
'kuOSXGk68H2B3pYnph0uyXAHrmpbWaWyX/iX49xVaUc=.VMPBZSO+eAng7mjS.cI2kRY9rwhXchcKiiaMZIg==', | ||
CURRENT_TIMESTAMP, false | ||
), | ||
(3, '[email protected]', true, CURRENT_TIMESTAMP, | ||
'$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, | ||
'Jean', 'Jean', '0123456789', 'Sbire', | ||
'kuOSXGk68H2B3pYnph0uyXAHrmpbWaWyX/iX49xVaUc=.VMPBZSO+eAng7mjS.cI2kRY9rwhXchcKiiaMZIg==', | ||
CURRENT_TIMESTAMP, true | ||
); | ||
|
||
INSERT INTO organizations | ||
|
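Review bot: The mailslurp inbox id `181eb568-ca3d-4995-8b06-a717a83421fd` is hard-coded in the email of user 2 here and repeated three more times in the Cypress spec of this commit; rotating the inbox will silently desynchronise the fixture and the spec. Keep the id in one place — for instance derive the seed email from the same value the spec reads (a Cypress env entry) — or at minimum add `-- mailslurp test inbox; must match the inboxId used in the TOTP spec` above the row so the coupling is visible. The INSERT this hunk belongs to starts before the hunk. All three rows also share one bcrypt hash and one encrypted TOTP key, which is fine for fixtures but worth a one-line comment so the TOTP blob is not mistaken for per-user data.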
@@ -1,4 +1,13 @@ | ||
import { getVerificationCodeFromEmail } from "#cypress/support/get-from-email"; | ||
|
||
describe("sign-in with TOTP on untrusted browser", () => { | ||
beforeEach(() => { | ||
cy.mailslurp().then((mailslurp) => | ||
mailslurp.inboxController.deleteAllInboxEmails({ | ||
inboxId: "181eb568-ca3d-4995-8b06-a717a83421fd", | ||
}), | ||
); | ||
}); | ||
it("should sign-in with password and TOTP", function () { | ||
cy.visit("http://localhost:4000"); | ||
cy.get("button.proconnect-button").click(); | ||
|
@@ -12,26 +21,77 @@ describe("sign-in with TOTP on untrusted browser", () => { | |
cy.visit("http://localhost:4000"); | ||
cy.get("button.proconnect-button").click(); | ||
|
||
cy.login("[email protected]"); | ||
cy.login("[email protected]"); | ||
|
||
cy.contains( | ||
"Information : pour garantir la sécurité de votre compte, nous avons besoin d’authentifier votre navigateur.", | ||
); | ||
|
||
cy.contains("Vérifier votre email"); | ||
cy.mailslurp() | ||
.then((mailslurp) => | ||
mailslurp.waitForLatestEmail( | ||
"181eb568-ca3d-4995-8b06-a717a83421fd", | ||
60000, | ||
true, | ||
), | ||
) | ||
.then(getVerificationCodeFromEmail) | ||
// fill out the verification form and submit | ||
.then((code) => { | ||
cy.get('[name="verify_email_token"]').type(code); | ||
cy.get('[type="submit"]').click(); | ||
}); | ||
|
||
cy.contains("moncomptepro-standard-client"); | ||
}); | ||
|
||
it("should sign-in with password and TOTP when forced by SP", function () { | ||
cy.visit("http://localhost:4000"); | ||
cy.get("button#force-2fa").click(); | ||
|
||
cy.mfaLogin("[email protected]"); | ||
cy.mfaLogin("[email protected]"); | ||
|
||
cy.contains('"amr": [\n "pwd",\n "totp",\n "mfa"\n ],'); | ||
}); | ||
|
||
it("should only show totp step when already logged", function () { | ||
cy.visit("http://localhost:4000"); | ||
cy.get("button.proconnect-button").click(); | ||
|
||
cy.login("[email protected]"); | ||
|
||
cy.mailslurp() | ||
.then((mailslurp) => | ||
mailslurp.waitForLatestEmail( | ||
"181eb568-ca3d-4995-8b06-a717a83421fd", | ||
60000, | ||
true, | ||
), | ||
) | ||
.then(getVerificationCodeFromEmail) | ||
// fill out the verification form and submit | ||
.then((code) => { | ||
cy.get('[name="verify_email_token"]').type(code); | ||
cy.get('[type="submit"]').click(); | ||
}); | ||
|
||
cy.contains("moncomptepro-standard-client"); | ||
|
||
cy.get("button#force-2fa").click(); | ||
|
||
cy.contains("Valider en deux étapes"); | ||
|
||
cy.fillTotpFields(); | ||
|
||
cy.contains('"amr": [\n "pwd",\n "totp",\n "mfa"\n ],'); | ||
}); | ||
|
||
it("should trigger totp rate limiting", function () { | ||
cy.visit("/users/start-sign-in"); | ||
|
||
cy.login("unused1@yopmail.com"); | ||
cy.login("unused3@yopmail.com"); | ||
|
||
for (let i = 0; i < 4; i++) { | ||
for (let i = 0; i < 5; i++) { | ||
cy.get("[name=totpToken]").type("123456"); | ||
cy.get( | ||
'[action="/users/2fa-sign-in-with-authenticator-app"] [type="submit"]', | ||
|
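Review bot: The test "should only show totp step when already logged" proves that the TOTP prompt appears, but not that the pre-existing session was password-only: if the first sign-in already yielded an MFA session, the final `amr` assertion would pass without any step-up having occurred. Before `cy.get("button#force-2fa").click()` assert the state of the first result, e.g. `cy.contains('"amr": [\n "pwd"\n ],');` — the exact amr rendering before MFA is not visible in this hunk, so adjust it to what the standard client prints. In the rate-limit test the loop bound moves from 4 to 5 without explanation; a comment such as `// one attempt past the server-side TOTP limit` would make the magic number reviewable, and the assertions that follow the loop are outside this hunk.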