Add cuke for brute force prevention; also add timecop

pull/240/head
Michael Frister 12 years ago committed by Michael Frister
parent d01ec32b3d
commit bd41eacb10
  1. Gemfile (1 change)
  2. Gemfile.lock (2 changes)
  3. features/step_definitions/password_steps.rb (12 changes)
  4. features/step_definitions/settings_steps.rb (5 changes)
  5. features/step_definitions/timecop_steps.rb (20 changes)
  6. features/users/brute_force_prevention.feature (35 changes)

@ -77,6 +77,7 @@ group :test do
gem 'capybara' gem 'capybara'
gem 'capybara-screenshot' gem 'capybara-screenshot'
gem 'selenium-webdriver' gem 'selenium-webdriver'
gem 'timecop', "~> 0.6.1"
gem 'rb-readline' # ruby on CI needs this gem 'rb-readline' # ruby on CI needs this
# why in Gemfile? see: https://github.com/guard/guard-test # why in Gemfile? see: https://github.com/guard/guard-test
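
Review bot: The added `gem 'timecop', "~> 0.6.1"` line quotes the version constraint with double quotes while the gem names around it in this group use single quotes; write it as `'~> 0.6.1'` to match. Placement inside `group :test` is right for a clock-mocking library, since it keeps it out of the production bundle.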

@ -342,6 +342,7 @@ GEM
rack (>= 1.0.0) rack (>= 1.0.0)
thor (0.18.1) thor (0.18.1)
tilt (1.4.1) tilt (1.4.1)
timecop (0.6.1)
tinymce-rails (3.5.8.2) tinymce-rails (3.5.8.2)
railties (>= 3.1.1) railties (>= 3.1.1)
tinymce-rails-langs (0.1) tinymce-rails-langs (0.1)
@ -434,6 +435,7 @@ DEPENDENCIES
strong_parameters strong_parameters
therubyracer therubyracer
thin thin
timecop (~> 0.6.1)
tinymce-rails tinymce-rails
tinymce-rails-langs tinymce-rails-langs
uglifier (>= 1.0.3) uglifier (>= 1.0.3)

@ -76,12 +76,12 @@ end
Given /^I try to log in with user "([^"]*)"$/ do |login| Given /^I try to log in with user "([^"]*)"$/ do |login|
step 'I go to the logout page' step 'I go to the logout page'
step 'I go to the login page' login(login, @password || 'adminADMIN!')
with_scope('#main') do end
fill_in('Login', :with => login)
fill_in('Password', :with => (@new_password || 'adminADMIN!')) Given /^I try to log in with user "([^"]*)" and a wrong password$/ do |login|
click_link_or_button('Login') step 'I go to the logout page'
end login(login, 'Wrong password')
end end
When /^I activate the ([a-z, ]+) password rules$/ do |rules| When /^I activate the ([a-z, ]+) password rules$/ do |rules|
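
Review bot: The rewritten "I try to log in with user" step falls back on `@password`, where the removed body used `@new_password`, so a scenario that sets `@new_password` before this step would now log in with 'adminADMIN!' instead of the changed password. Either keep `@new_password` in the fallback or confirm that every step which set it now sets `@password`. The `login` helper both steps call is not defined in this diff, and the block parameter is also named `login`; renaming the parameter (for example to `username`) would make `login(login, ...)` easier to read.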

@ -43,3 +43,8 @@ end
Given /^I save the settings$/ do Given /^I save the settings$/ do
click_button('Save', :visible => true) click_button('Save', :visible => true)
end end
Given /^users are blocked for ([0-9]+) minutes after ([0-9]+) failed login attempts$/ do |duration, attempts|
Setting.brute_force_block_minutes = duration
Setting.brute_force_block_after_failed_logins = attempts
end
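
Review bot: In the new "users are blocked for ... minutes after ... failed login attempts" step, `duration` and `attempts` are regex capture strings and are assigned to `Setting.brute_force_block_minutes` and `Setting.brute_force_block_after_failed_logins` without conversion, while the timecop step in this same commit calls `duration.to_i`. Convert with `.to_i` here as well, or confirm that Setting coerces the values, so that the threshold comparison under test is not a string comparison. Nothing in this hunk restores the two settings afterwards, so check that they do not carry over into later scenarios.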

@ -0,0 +1,20 @@
#encoding: utf-8
#-- copyright
# OpenProject is a project management system.
#
# Copyright (C) 2012-2013 the OpenProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# See doc/COPYRIGHT.rdoc for more details.
#++
Given /^the time is ([0-9]+) minutes later$/ do |duration|
Timecop.travel(Time.now + duration.to_i.minutes)
end
After do
Timecop.return
end
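
Review bot: The `After do` hook at the end of this file calls `Timecop.return` for every scenario in the suite, yet it sits in a step definition file next to a single step; move it to the suite's shared hooks (conventionally under features/support) so the clock reset is easy to find and cannot be lost if this file is reorganised. In the step itself, `Time.now + duration.to_i.minutes` uses the system time zone; if the lockout expiry is compared against zone-aware times, `Time.zone.now` would be the safer base.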

@ -0,0 +1,35 @@
#encoding: utf-8
#-- copyright
# OpenProject is a project management system.
#
# Copyright (C) 2012-2013 the OpenProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# See doc/COPYRIGHT.rdoc for more details.
#++
Feature: Prevent brute force attacks
Background:
Given users are blocked for 5 minutes after 2 failed login attempts
And there is a user named "bob"
Scenario: A user failing to login on the first time can login on second attempt
When I try to log in with user "bob" and a wrong password
Then I should not see "Bob Bobbit"
When I try to log in with user "bob"
Then I should see "Bob Bobbit"
Scenario: A user can't login after two failed attempts, but can after waiting 5 minutes
When I try to log in with user "bob" and a wrong password
Then I should not see "Bob Bobbit"
When I try to log in with user "bob" and a wrong password
Then I should not see "Bob Bobbit"
When I try to log in with user "bob"
Then I should not see "Bob Bobbit"
When the time is 6 minutes later
And I try to log in with user "bob"
Then I should see "Bob Bobbit"
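
Review bot: The second scenario only checks the lockout at 6 minutes, after it has expired, so it would still pass if the block lasted one minute instead of the configured five. Add a step such as "When the time is 4 minutes later" followed by a correct-password login that must still fail, before the existing 6 minute check. The negative assertions `I should not see "Bob Bobbit"` also pass on any error page; asserting on the login failure or block message would make the scenarios fail for the right reason. A scenario showing whether a successful login resets the failed-attempt counter is also missing.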