github.com/gravitational/teleport/api@v0.0.0-20240507183017-3110591cbafc/mfa/ceremony_test.go

github.com/gravitational/teleport/api@v0.0.0-20240507183017-3110591cbafc/mfa/ceremony_test.go (about)

     1  /*
     2  Copyright 2024 Gravitational, Inc.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package mfa_test
    18  
    19  import (
    20  	"context"
    21  	"errors"
    22  	"testing"
    23  
    24  	"github.com/stretchr/testify/assert"
    25  
    26  	"github.com/gravitational/teleport/api/client/proto"
    27  	mfav1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/mfa/v1"
    28  	"github.com/gravitational/teleport/api/mfa"
    29  )
    30  
    31  func TestPerformMFACeremony(t *testing.T) {
    32  	t.Parallel()
    33  	ctx := context.Background()
    34  
    35  	testMFAResponse := &proto.MFAAuthenticateResponse{
    36  		Response: &proto.MFAAuthenticateResponse_TOTP{
    37  			TOTP: &proto.TOTPResponse{
    38  				Code: "otp-test-code",
    39  			},
    40  		},
    41  	}
    42  
    43  	for _, tt := range []struct {
    44  		name                   string
    45  		ceremonyClient         *fakeMFACeremonyClient
    46  		assertCeremonyResponse func(*testing.T, *proto.MFAAuthenticateResponse, error, ...interface{})
    47  	}{
    48  		{
    49  			name: "OK ceremony success",
    50  			ceremonyClient: &fakeMFACeremonyClient{
    51  				challengeResponse: testMFAResponse,
    52  			},
    53  			assertCeremonyResponse: func(t *testing.T, mr *proto.MFAAuthenticateResponse, err error, i ...interface{}) {
    54  				assert.NoError(t, err)
    55  				assert.Equal(t, testMFAResponse, mr)
    56  			},
    57  		}, {
    58  			name: "OK ceremony not required",
    59  			ceremonyClient: &fakeMFACeremonyClient{
    60  				challengeResponse: testMFAResponse,
    61  				mfaRequired:       proto.MFARequired_MFA_REQUIRED_NO,
    62  			},
    63  			assertCeremonyResponse: func(t *testing.T, mr *proto.MFAAuthenticateResponse, err error, i ...interface{}) {
    64  				assert.Error(t, err, mfa.ErrMFANotRequired)
    65  				assert.Nil(t, mr)
    66  			},
    67  		}, {
    68  			name: "NOK create challenge fail",
    69  			ceremonyClient: &fakeMFACeremonyClient{
    70  				challengeResponse:              testMFAResponse,
    71  				createAuthenticateChallengeErr: errors.New("create authenticate challenge failure"),
    72  			},
    73  			assertCeremonyResponse: func(t *testing.T, mr *proto.MFAAuthenticateResponse, err error, i ...interface{}) {
    74  				assert.ErrorContains(t, err, "create authenticate challenge failure")
    75  				assert.Nil(t, mr)
    76  			},
    77  		}, {
    78  			name: "NOK prompt mfa fail",
    79  			ceremonyClient: &fakeMFACeremonyClient{
    80  				challengeResponse: testMFAResponse,
    81  				promptMFAErr:      errors.New("prompt mfa failure"),
    82  			},
    83  			assertCeremonyResponse: func(t *testing.T, mr *proto.MFAAuthenticateResponse, err error, i ...interface{}) {
    84  				assert.ErrorContains(t, err, "prompt mfa failure")
    85  				assert.Nil(t, mr)
    86  			},
    87  		},
    88  	} {
    89  		t.Run(tt.name, func(t *testing.T) {
    90  			resp, err := mfa.PerformMFACeremony(ctx, tt.ceremonyClient, &proto.CreateAuthenticateChallengeRequest{
    91  				ChallengeExtensions: &mfav1.ChallengeExtensions{
    92  					Scope: mfav1.ChallengeScope_CHALLENGE_SCOPE_ADMIN_ACTION,
    93  				},
    94  				MFARequiredCheck: &proto.IsMFARequiredRequest{},
    95  			})
    96  			tt.assertCeremonyResponse(t, resp, err)
    97  		})
    98  	}
    99  }
   100  
   101  type fakeMFACeremonyClient struct {
   102  	createAuthenticateChallengeErr error
   103  	promptMFAErr                   error
   104  	mfaRequired                    proto.MFARequired
   105  	challengeResponse              *proto.MFAAuthenticateResponse
   106  }
   107  
   108  func (c *fakeMFACeremonyClient) CreateAuthenticateChallenge(ctx context.Context, in *proto.CreateAuthenticateChallengeRequest) (*proto.MFAAuthenticateChallenge, error) {
   109  	if c.createAuthenticateChallengeErr != nil {
   110  		return nil, c.createAuthenticateChallengeErr
   111  	}
   112  
   113  	chal := &proto.MFAAuthenticateChallenge{
   114  		TOTP: &proto.TOTPChallenge{},
   115  	}
   116  
   117  	if in.MFARequiredCheck != nil {
   118  		chal.MFARequired = c.mfaRequired
   119  	}
   120  
   121  	return chal, nil
   122  }
   123  
   124  func (c *fakeMFACeremonyClient) PromptMFA(ctx context.Context, chal *proto.MFAAuthenticateChallenge, promptOpts ...mfa.PromptOpt) (*proto.MFAAuthenticateResponse, error) {
   125  	if c.promptMFAErr != nil {
   126  		return nil, c.promptMFAErr
   127  	}
   128  
   129  	return c.challengeResponse, nil
   130  }