fix: allow other users to set up MFAs (#7914)

* fix: allow other users to set up MFAs * update tests * update integration tests
2025-08-12 01:47:33 +00:00 · 2024-05-07 07:38:26 +02:00
parent 016e5e5da1
commit 5bf195d374
20 changed files with 701 additions and 193 deletions
--- a/internal/api/grpc/user/v2/otp_integration_test.go
+++ b/internal/api/grpc/user/v2/otp_integration_test.go
@@ -19,12 +19,26 @@ func TestServer_AddOTPSMS(t *testing.T) {
 	Tester.RegisterUserPasskey(CTX, userID)
 	_, sessionToken, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, userID)

-	// TODO: add when phone can be added to user
-	/*
-		userIDPhone := Tester.CreateHumanUser(CTX).GetUserId()
-		Tester.RegisterUserPasskey(CTX, userIDPhone)
-		_, sessionTokenPhone, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, userIDPhone)
-	*/
+	otherUser := Tester.CreateHumanUser(CTX).GetUserId()
+	Tester.RegisterUserPasskey(CTX, otherUser)
+	_, sessionTokenOtherUser, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
+
+	userVerified := Tester.CreateHumanUser(CTX)
+	_, err := Tester.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{
+		UserId:           userVerified.GetUserId(),
+		VerificationCode: userVerified.GetPhoneCode(),
+	})
+	require.NoError(t, err)
+	Tester.RegisterUserPasskey(CTX, userVerified.GetUserId())
+	_, sessionTokenVerified, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
+
+	userVerified2 := Tester.CreateHumanUser(CTX)
+	_, err = Tester.Client.UserV2.VerifyPhone(CTX, &user.VerifyPhoneRequest{
+		UserId:           userVerified2.GetUserId(),
+		VerificationCode: userVerified2.GetPhoneCode(),
+	})
+	require.NoError(t, err)
+
 	type args struct {
 		ctx context.Context
 		req *user.AddOTPSMSRequest
@@ -46,9 +60,9 @@ func TestServer_AddOTPSMS(t *testing.T) {
 		{
 			name: "user mismatch",
 			args: args{
-				ctx: CTX,
+				ctx: Tester.WithAuthorizationToken(context.Background(), sessionTokenOtherUser),
 				req: &user.AddOTPSMSRequest{
-					UserId: "wrong",
+					UserId: userID,
 				},
 			},
 			wantErr: true,
@@ -63,23 +77,34 @@ func TestServer_AddOTPSMS(t *testing.T) {
 			},
 			wantErr: true,
 		},
-		// TODO: add when phone can be added to user
-		/*
-			{
-				name: "add success",
-				args: args{
-					ctx: Tester.WithAuthorizationToken(context.Background(), sessionTokenPhone),
-					req: &user.AddOTPSMSRequest{
-						UserId: userID,
-					},
-				},
-				want: &user.AddOTPSMSResponse{
-					Details: &object.Details{
-						ResourceOwner: Tester.Organisation.ID,
-					},
+		{
+			name: "add success",
+			args: args{
+				ctx: Tester.WithAuthorizationToken(context.Background(), sessionTokenVerified),
+				req: &user.AddOTPSMSRequest{
+					UserId: userVerified.GetUserId(),
 				},
 			},
-		*/
+			want: &user.AddOTPSMSResponse{
+				Details: &object.Details{
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+		},
+		{
+			name: "add success, admin",
+			args: args{
+				ctx: CTX,
+				req: &user.AddOTPSMSRequest{
+					UserId: userVerified2.GetUserId(),
+				},
+			},
+			want: &user.AddOTPSMSResponse{
+				Details: &object.Details{
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -96,12 +121,21 @@ func TestServer_AddOTPSMS(t *testing.T) {
 }

 func TestServer_RemoveOTPSMS(t *testing.T) {
-	// TODO: add when phone can be added to user
-	/*
-		userID := Tester.CreateHumanUser(CTX).GetUserId()
-		Tester.RegisterUserPasskey(CTX, userID)
-		_, sessionToken, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, userID)
-	*/
+	userID := Tester.CreateHumanUser(CTX).GetUserId()
+	Tester.RegisterUserPasskey(CTX, userID)
+	_, sessionToken, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, userID)
+
+	userVerified := Tester.CreateHumanUser(CTX)
+	Tester.RegisterUserPasskey(CTX, userVerified.GetUserId())
+	_, sessionTokenVerified, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())
+	userVerifiedCtx := Tester.WithAuthorizationToken(context.Background(), sessionTokenVerified)
+	_, err := Tester.Client.UserV2.VerifyPhone(userVerifiedCtx, &user.VerifyPhoneRequest{
+		UserId:           userVerified.GetUserId(),
+		VerificationCode: userVerified.GetPhoneCode(),
+	})
+	require.NoError(t, err)
+	_, err = Tester.Client.UserV2.AddOTPSMS(userVerifiedCtx, &user.AddOTPSMSRequest{UserId: userVerified.GetUserId()})
+	require.NoError(t, err)

 	type args struct {
 		ctx context.Context
@@ -116,30 +150,27 @@ func TestServer_RemoveOTPSMS(t *testing.T) {
 		{
 			name: "not added",
 			args: args{
-				ctx: CTX,
+				ctx: Tester.WithAuthorizationToken(context.Background(), sessionToken),
 				req: &user.RemoveOTPSMSRequest{
-					UserId: "wrong",
+					UserId: userID,
 				},
 			},
 			wantErr: true,
 		},
-		// TODO: add when phone can be added to user
-		/*
-			{
-				name: "success",
-				args: args{
-					ctx: Tester.WithAuthorizationToken(context.Background(), sessionToken),
-					req: &user.RemoveOTPSMSRequest{
-						UserId: userID,
-					},
-				},
-				want: &user.RemoveOTPSMSResponse{
-					Details: &object.Details{
-						ResourceOwner: Tester.Organisation.ResourceOwner,
-					},
+		{
+			name: "success",
+			args: args{
+				ctx: userVerifiedCtx,
+				req: &user.RemoveOTPSMSRequest{
+					UserId: userVerified.GetUserId(),
 				},
 			},
-		*/
+			want: &user.RemoveOTPSMSResponse{
+				Details: &object.Details{
+					ResourceOwner: Tester.Organisation.ResourceOwner,
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -160,6 +191,10 @@ func TestServer_AddOTPEmail(t *testing.T) {
 	Tester.RegisterUserPasskey(CTX, userID)
 	_, sessionToken, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, userID)

+	otherUser := Tester.CreateHumanUser(CTX).GetUserId()
+	Tester.RegisterUserPasskey(CTX, otherUser)
+	_, sessionTokenOtherUser, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
+
 	userVerified := Tester.CreateHumanUser(CTX)
 	_, err := Tester.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{
 		UserId:           userVerified.GetUserId(),
@@ -169,6 +204,13 @@ func TestServer_AddOTPEmail(t *testing.T) {
 	Tester.RegisterUserPasskey(CTX, userVerified.GetUserId())
 	_, sessionTokenVerified, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, userVerified.GetUserId())

+	userVerified2 := Tester.CreateHumanUser(CTX)
+	_, err = Tester.Client.UserV2.VerifyEmail(CTX, &user.VerifyEmailRequest{
+		UserId:           userVerified2.GetUserId(),
+		VerificationCode: userVerified2.GetEmailCode(),
+	})
+	require.NoError(t, err)
+
 	type args struct {
 		ctx context.Context
 		req *user.AddOTPEmailRequest
@@ -190,9 +232,9 @@ func TestServer_AddOTPEmail(t *testing.T) {
 		{
 			name: "user mismatch",
 			args: args{
-				ctx: CTX,
+				ctx: Tester.WithAuthorizationToken(context.Background(), sessionTokenOtherUser),
 				req: &user.AddOTPEmailRequest{
-					UserId: "wrong",
+					UserId: userID,
 				},
 			},
 			wantErr: true,
@@ -222,6 +264,21 @@ func TestServer_AddOTPEmail(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "add success, admin",
+			args: args{
+				ctx: CTX,
+				req: &user.AddOTPEmailRequest{
+					UserId: userVerified2.GetUserId(),
+				},
+			},
+			want: &user.AddOTPEmailResponse{
+				Details: &object.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/internal/api/grpc/user/v2/totp_integration_test.go
+++ b/internal/api/grpc/user/v2/totp_integration_test.go
@@ -23,6 +23,11 @@ func TestServer_RegisterTOTP(t *testing.T) {
 	_, sessionToken, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, userID)
 	ctx := Tester.WithAuthorizationToken(CTX, sessionToken)

+	otherUser := Tester.CreateHumanUser(CTX).GetUserId()
+	Tester.RegisterUserPasskey(CTX, otherUser)
+	_, sessionTokenOtherUser, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
+	ctxOtherUser := Tester.WithAuthorizationToken(CTX, sessionTokenOtherUser)
+
 	type args struct {
 		ctx context.Context
 		req *user.RegisterTOTPRequest
@@ -44,13 +49,28 @@ func TestServer_RegisterTOTP(t *testing.T) {
 		{
 			name: "user mismatch",
 			args: args{
-				ctx: ctx,
+				ctx: ctxOtherUser,
 				req: &user.RegisterTOTPRequest{
-					UserId: "wrong",
+					UserId: userID,
 				},
 			},
 			wantErr: true,
 		},
+		{
+			name: "admin",
+			args: args{
+				ctx: CTX,
+				req: &user.RegisterTOTPRequest{
+					UserId: userID,
+				},
+			},
+			want: &user.RegisterTOTPResponse{
+				Details: &object.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+		},
 		{
 			name: "success",
 			args: args{
@@ -96,6 +116,18 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) {
 	code, err := totp.GenerateCode(reg.Secret, time.Now())
 	require.NoError(t, err)

+	otherUser := Tester.CreateHumanUser(CTX).GetUserId()
+	Tester.RegisterUserPasskey(CTX, otherUser)
+	_, sessionTokenOtherUser, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, otherUser)
+	ctxOtherUser := Tester.WithAuthorizationToken(CTX, sessionTokenOtherUser)
+
+	regOtherUser, err := Client.RegisterTOTP(CTX, &user.RegisterTOTPRequest{
+		UserId: otherUser,
+	})
+	require.NoError(t, err)
+	codeOtherUser, err := totp.GenerateCode(regOtherUser.Secret, time.Now())
+	require.NoError(t, err)
+
 	type args struct {
 		ctx context.Context
 		req *user.VerifyTOTPRegistrationRequest
@@ -109,9 +141,9 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) {
 		{
 			name: "user mismatch",
 			args: args{
-				ctx: ctx,
+				ctx: ctxOtherUser,
 				req: &user.VerifyTOTPRegistrationRequest{
-					UserId: "wrong",
+					UserId: userID,
 				},
 			},
 			wantErr: true,
@@ -143,6 +175,22 @@ func TestServer_VerifyTOTPRegistration(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "success, admin",
+			args: args{
+				ctx: CTX,
+				req: &user.VerifyTOTPRegistrationRequest{
+					UserId: otherUser,
+					Code:   codeOtherUser,
+				},
+			},
+			want: &user.VerifyTOTPRegistrationResponse{
+				Details: &object.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Organisation.ResourceOwner,
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/internal/api/grpc/user/v2/u2f_integration_test.go
+++ b/internal/api/grpc/user/v2/u2f_integration_test.go
@@ -18,10 +18,13 @@ import (

 func TestServer_RegisterU2F(t *testing.T) {
 	userID := Tester.CreateHumanUser(CTX).GetUserId()
+	otherUser := Tester.CreateHumanUser(CTX).GetUserId()

 	// We also need a user session
 	Tester.RegisterUserPasskey(CTX, userID)
 	_, sessionToken, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, userID)
+	Tester.RegisterUserPasskey(CTX, otherUser)
+	_, sessionTokenOtherUser, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, otherUser)

 	type args struct {
 		ctx context.Context
@@ -42,13 +45,28 @@ func TestServer_RegisterU2F(t *testing.T) {
 			wantErr: true,
 		},
 		{
-			name: "user mismatch",
+			name: "admin user",
 			args: args{
 				ctx: CTX,
 				req: &user.RegisterU2FRequest{
 					UserId: userID,
 				},
 			},
+			want: &user.RegisterU2FResponse{
+				Details: &object.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+		},
+		{
+			name: "other user, no permission",
+			args: args{
+				ctx: Tester.WithAuthorizationToken(CTX, sessionTokenOtherUser),
+				req: &user.RegisterU2FRequest{
+					UserId: userID,
+				},
+			},
 			wantErr: true,
 		},
 		{