require_relative '../acceptance_helper' require_relative '../factories/visualization_creation_helpers' feature "Sessions" do before do Capybara.current_driver = :rack_test @banned_user_agents = [ "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)", "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.0; Trident/4.0; FBSMTWB; .NET CLR 2.0.34861; .NET CLR 3.0.3746.3218; .NET CLR 3.5.33652; msn OptimizedIE8;ENUS)", "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)", "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)", "Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)", "Mozilla/4.0 (compatible; MSIE 5.5b1; Mac_PowerPC)", "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; de-de) AppleWebKit/412.7 (KHTML, like Gecko) Safari/412.5" ] @allowed_user_agents = [ "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)", "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2", "Mozilla/5.0 (Windows NT 5.1; rv:8.0; en_us) Gecko/20100101 Firefox/8.0", "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10", "Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00", "Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9.168 Version/11.50" ] end describe 'valid user' do before(:all) do @user = create_user :email => 'fernando.blat@vizzuality.com', :username => 'blat' end after(:all) do @user.destroy end scenario "Login in the application" do # we use this to avoid generating the static assets in CI Admin::VisualizationsController.any_instance.stubs(:render).returns('') SessionsController.any_instance.stubs(:central_enabled?).returns(false) visit login_path fill_in 'email', :with => @user.email fill_in 'password', :with => 'blablapassword' click_link_or_button 'Log in' page.should have_css(".Sessions-fieldError.js-Sessions-fieldError") page.should have_css("[@data-content='Your account or your password is not ok']") fill_in 'email', :with => @user.email fill_in 'password', :with => @user.email.split('@').first click_link_or_button 'Log in' page.status_code.should eq 200 page.should_not have_css(".Sessions-fieldError.js-Sessions-fieldError") page.should_not have_css("[@data-content='Your account or your password is not ok']") end scenario "Get the session information via OAuth" do # TODO: migrate this factory to AR (only used here) sequel_client_application = create_client_application(user: @user, url: CartoDB.hostname, callback_url: CartoDB.hostname) client_application = Carto::ClientApplication.find(sequel_client_application.id) oauth_consumer = OAuth::Consumer.new(client_application.key, client_application.secret, { :site => client_application.url, :scheme => :query_string, :http_method => :post }) access_token = create_access_token(client_application: client_application, user: @user.carto_user) identity_uri = "http://vizzuality.testhost.lan/oauth/identity.json" req = prepare_oauth_request(oauth_consumer, identity_uri, :token => access_token) get_json identity_uri, {}, {'Authorization' => req["Authorization"]} do |response| response.status.should be_success response.body.should == { :uid => @user.id, :email => @user.email, :username => @user.username } end end end scenario "should redirect you to the user login page if unauthorized", :js => true do @user = FactoryGirl.create(:user_with_private_tables, :username => 'test') visit api_key_credentials_url(:host => 'test.localhost.lan', :port => Capybara.server_port) current_url.should be == login_url(:host => 'test.localhost.lan', :port => Capybara.server_port) end scenario "should show error page when trying to connect with unsupported browser" do options = page.driver.instance_variable_get("@options") old_headers = options[:headers] begin @banned_user_agents.each do |user_agent| options[:headers] = {"HTTP_USER_AGENT" => user_agent} page.driver.instance_variable_set "@options", options visit '/login' page.should have_content("We recommend that you install the latest version of any") end ensure options[:headers] = old_headers end end scenario "shouldn't show error page when trying to connect with supported browser" do @allowed_user_agents.each do |user_agent| options = page.driver.instance_variable_get("@options") options[:headers] = {"HTTP_USER_AGENT" => user_agent} page.driver.instance_variable_set "@options", options visit '/login' page.should have_content("Log in") end end describe 'Multifactor Authentication' do before(:each) do @user_mfa_setup.user_multifactor_auths.each(&:destroy) @user_mfa_setup.user_multifactor_auths << FactoryGirl.create(:totp, :needs_setup, user_id: @user_mfa_setup.id) @user_mfa_setup.reload @user_mfa.user_multifactor_auths.each(&:destroy) @user_mfa.user_multifactor_auths << FactoryGirl.create(:totp, :active, user_id: @user_mfa.id) @user_mfa.reload @user_mfa.reset_password_rate_limit @user_mfa_setup.reset_password_rate_limit end shared_examples_for 'login with MFA setup' do scenario "Login in the application with MFA that needs setup" do # we use this to avoid generating the static assets in CI Admin::VisualizationsController.any_instance.stubs(:render).returns('') mfa = @user_mfa_setup.active_multifactor_authentication mfa.enabled = false mfa.save! @user_mfa_setup.reload SessionsController.any_instance.stubs(:central_enabled?).returns(false) visit login_path fill_in 'email', with: @user_mfa_setup.email fill_in 'password', with: @user_mfa_setup.email.split('@').first click_link_or_button 'Log in' page.status_code.should eq 200 page.body.should include(@user_mfa_setup.active_multifactor_authentication.shared_secret) page.body.should include("data:image/png;base64") page.body.should include("Verification code") page.body.should include("Use Google Authenticator app to scan the QR code") fill_in 'code', with: ROTP::TOTP.new(@user_mfa_setup.active_multifactor_authentication.shared_secret).now click_link_or_button 'Verify' page.status_code.should eq 200 page.body.should_not include(@user_mfa_setup.active_multifactor_authentication.shared_secret) page.body.should_not include("data:image/png;base64") page.body.should_not include("Verification code") page.body.should_not include("Use Google Authenticator app to scan the QR code") end scenario "MFA setup screen has skip link when mfa needs setup" do # we use this to avoid generating the static assets in CI Admin::VisualizationsController.any_instance.stubs(:render).returns('') mfa = @user_mfa_setup.active_multifactor_authentication mfa.enabled = false mfa.save! SessionsController.any_instance.stubs(:central_enabled?).returns(false) visit login_path fill_in 'email', with: @user_mfa_setup.email fill_in 'password', with: @user_mfa_setup.email.split('@').first click_link_or_button 'Log in' page.status_code.should eq 200 page.body.should include("Verification code") page.body.should include("skip this step") end end shared_examples_for 'login with MFA' do scenario "Login in the application with MFA that does not need setup" do # we use this to avoid generating the static assets in client_application Admin::VisualizationsController.any_instance.stubs(:render).returns('') SessionsController.any_instance.stubs(:central_enabled?).returns(false) visit login_path fill_in 'email', with: @user_mfa.email fill_in 'password', with: @user_mfa.email.split('@').first click_link_or_button 'Log in' page.status_code.should eq 200 page.body.should_not include(@user_mfa.active_multifactor_authentication.shared_secret) page.body.should_not include("data:image/png;base64") page.body.should include("Verification code") page.body.should_not include("Use Google Authenticator app to scan the QR code") fill_in 'code', with: ROTP::TOTP.new(@user_mfa.active_multifactor_authentication.shared_secret).now click_link_or_button 'Verify' page.status_code.should eq 200 page.body.should_not include(@user_mfa.active_multifactor_authentication.shared_secret) page.body.should_not include("data:image/png;base64") page.body.should_not include("Verification code") page.body.should_not include("Use Google Authenticator app to scan the QR code") end scenario "Failed login in the application with MFA that does not need setup" do # we use this to avoid generating the static assets in CI Admin::VisualizationsController.any_instance.stubs(:render).returns('') SessionsController.any_instance.stubs(:central_enabled?).returns(false) visit login_path fill_in 'email', with: @user_mfa.email fill_in 'password', with: @user_mfa.email.split('@').first click_link_or_button 'Log in' page.status_code.should eq 200 page.body.should_not include(@user_mfa.active_multifactor_authentication.shared_secret) page.body.should_not include("data:image/png;base64") page.body.should include("Verification code") page.body.should_not include("Use Google Authenticator app to scan the QR code") fill_in 'code', with: 'wrong_code' click_link_or_button 'Verify' page.status_code.should eq 200 page.body.should include("Verification code") page.should have_css(".Sessions-fieldError.js-Sessions-fieldError") page.should have_css("[@data-content='Verification code is not valid']") end scenario "MFA screen does not have skip link when mfa is active" do # we use this to avoid generating the static assets in CI Admin::VisualizationsController.any_instance.stubs(:render).returns('') SessionsController.any_instance.stubs(:central_enabled?).returns(false) visit login_path fill_in 'email', with: @user_mfa.email fill_in 'password', with: @user_mfa.email.split('@').first click_link_or_button 'Log in' page.status_code.should eq 200 page.body.should include("Verification code") page.body.should_not include("skip this step") end end describe 'valid user with MFA' do before(:all) do @user_mfa_setup = FactoryGirl.create(:carto_user_mfa_setup) @user_mfa = FactoryGirl.create(:carto_user_mfa) end after(:all) do @user_mfa_setup.destroy @user_mfa.destroy end it_behaves_like 'login with MFA' it_behaves_like 'login with MFA setup' end describe 'org owner with MFA' do before(:all) do @organization = FactoryGirl.create(:organization_with_users, :mfa_enabled) @user_mfa = @organization.owner @user_mfa_setup = @organization.users.last end after(:all) do @organization.destroy end it_behaves_like 'login with MFA' it_behaves_like 'login with MFA setup' end end describe "Organization login" do include_context 'organization with users helper' it 'allows login to organization users' do # we use this to avoid generating the static assets in CI Admin::VisualizationsController.any_instance.stubs(:render).returns('') visit org_login_url(@org_user_1.organization) send_login_form(@org_user_1) page.status_code.should eq 200 page.should_not have_css(".Sessions-fieldError.js-Sessions-fieldError") end it 'does not allow user+password login to organization users if auth_username_password_enabled is false' do @organization.auth_username_password_enabled = false @organization.save visit org_login_url(@org_user_1.organization) page.should_not have_css('#email') page.should_not have_css('#password') end it 'does not allow google login to organization users if auth_google_enabled is false' do @organization.auth_google_enabled = false @organization.save visit org_login_url(@org_user_1.organization) page.should_not have_css('#google_signup_access_token') page.should_not have_css('#google_login_button_iframe') end describe 'ldap login' do before(:all) do @ldap_configuration = FactoryGirl.create(:ldap_configuration, { organization_id: @organization.id }) end after(:all) do @ldap_configuration.destroy end it 'does not allow google login to organization users if they have ldap configuration' do visit org_login_url(@org_user_1.organization) page.should_not have_css('#google_signup_access_token') page.should_not have_css('#google_login_button_iframe') end end end def org_login_url(organization) login_url(:host => "#{organization.name}.localhost.lan", :port => Capybara.server_port) end def send_login_form(user) fill_in 'email', with: user.email fill_in 'password', with: user.password click_link_or_button 'Log in' end def be_dashboard have_css(".ContentController") end end