@openparachute/hub 0.5.2 → 0.5.9-rc.6

package/src/__tests__/expose-2fa-warning.test.ts

@@ -0,0 +1,123 @@
+import { describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { is2FAEnrolled, printPublic2FAWarning } from "../commands/expose-2fa-warning.ts";
+import type { VaultAuthStatus } from "../vault/auth-status.ts";
+
+function status(partial: Partial<VaultAuthStatus> = {}): VaultAuthStatus {
+  return {
+    hasOwnerPassword: false,
+    hasTotp: false,
+    tokenCount: 0,
+    vaultNames: [],
+    ...partial,
+  };
+}
+
+describe("is2FAEnrolled", () => {
+  test("returns true when status carries hasTotp: true", () => {
+    expect(is2FAEnrolled({ status: status({ hasTotp: true }) })).toBe(true);
+  });
+
+  test("returns false when status carries hasTotp: false", () => {
+    expect(is2FAEnrolled({ status: status({ hasTotp: false }) })).toBe(false);
+  });
+
+  test("reads totp_secret from vaultHome's config.yaml when status not supplied", () => {
+    const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
+    try {
+      writeFileSync(join(dir, "config.yaml"), 'totp_secret: "JBSWY3DPEHPK3PXP"\n');
+      expect(is2FAEnrolled({ vaultHome: dir })).toBe(true);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  test("missing config.yaml → not enrolled (false)", () => {
+    const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
+    try {
+      // No config.yaml written.
+      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  test("empty totp_secret value → not enrolled (matches vault's readGlobalConfig)", () => {
+    const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
+    try {
+      writeFileSync(join(dir, "config.yaml"), 'totp_secret: ""\n');
+      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  test("malformed config.yaml → not enrolled (safer fail mode, fires warning)", () => {
+    // The probe parses config.yaml with a line-anchored regex (no YAML
+    // dependency), so junk content simply doesn't match `totp_secret: "..."`
+    // and resolves to `hasTotp: false` — which fires the public-exposure
+    // warning rather than silently suppressing it. Pin that contract so a
+    // future refactor of auth-status.ts can't quietly invert it.
+    const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
+    try {
+      writeFileSync(join(dir, "config.yaml"), "totp_secret: [unbalanced\n  ::: not yaml\n");
+      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+});
+
+describe("printPublic2FAWarning", () => {
+  test("not enrolled → fires warning, returns true", () => {
+    const logs: string[] = [];
+    const fired = printPublic2FAWarning({
+      status: status({ hasTotp: false }),
+      log: (l) => logs.push(l),
+      publicUrl: "https://vault.example.com",
+    });
+    expect(fired).toBe(true);
+    const joined = logs.join("\n");
+    expect(joined).toContain("2FA is not enrolled");
+    expect(joined).toContain("https://vault.example.com/login");
+    expect(joined).toContain("parachute auth 2fa enroll");
+  });
+
+  test("enrolled → suppressed, returns false, logs nothing", () => {
+    const logs: string[] = [];
+    const fired = printPublic2FAWarning({
+      status: status({ hasTotp: true }),
+      log: (l) => logs.push(l),
+      publicUrl: "https://vault.example.com",
+    });
+    expect(fired).toBe(false);
+    expect(logs).toEqual([]);
+  });
+
+  test("password-also-missing case still fires (warning is layer-independent of password state)", () => {
+    // The wide-open state (no password, no 2FA) hits this branch too — the
+    // hub's own `printAuthGuidance` (cloudflare) and `runAuthPreflight`
+    // (interactive wizard) cover the password remediation; this warning is
+    // strictly about 2FA.
+    const logs: string[] = [];
+    const fired = printPublic2FAWarning({
+      status: status({ hasOwnerPassword: false, hasTotp: false }),
+      log: (l) => logs.push(l),
+      publicUrl: "https://vault.example.com",
+    });
+    expect(fired).toBe(true);
+    expect(logs.some((l) => l.includes("2FA is not enrolled"))).toBe(true);
+  });
+
+  test("embeds the supplied publicUrl into the /login pointer", () => {
+    const logs: string[] = [];
+    printPublic2FAWarning({
+      status: status({ hasTotp: false }),
+      log: (l) => logs.push(l),
+      publicUrl: "https://parachute.taildf9ce2.ts.net",
+    });
+    expect(logs.some((l) => l.includes("https://parachute.taildf9ce2.ts.net/login"))).toBe(true);
+  });
+});

package/src/__tests__/expose-cloudflare.test.ts

@@ -511,6 +511,107 @@ describe("exposeCloudflareUp", () => {
       env.cleanup();
     }
   });
+
+  // 2FA-enrollment warning (#186). The cloudflare path is always public —
+  // every successful bringup makes /admin/login reachable on the open
+  // internet, where 2FA is the primary defense beyond #188's rate-limit floor.
+  describe("2FA-enrollment warning", () => {
+    test("not enrolled → warning fires after the success block", async () => {
+      const env = makeEnv();
+      try {
+        const uuid = "cccccccc-0000-0000-0000-000000000003";
+        const { runner } = queueRunner([
+          { code: 0, stdout: "cloudflared 2024.1.0\n", stderr: "" },
+          { code: 0, stdout: "[]", stderr: "" },
+          {
+            code: 0,
+            stdout: `Tunnel credentials written to ${env.cloudflaredHome}/${uuid}.json.\nCreated tunnel parachute with id ${uuid}\n`,
+            stderr: "",
+          },
+          { code: 0, stdout: "", stderr: "" },
+        ]);
+        const { spawner } = fakeSpawner(42100);
+        const logs: string[] = [];
+
+        const code = await exposeCloudflareUp("vault.example.com", {
+          runner,
+          spawner,
+          alive: () => false,
+          kill: () => {},
+          log: (l) => logs.push(l),
+          manifestPath: env.manifestPath,
+          statePath: env.statePath,
+          configPath: env.configPath,
+          logPath: env.logPath,
+          cloudflaredHome: env.cloudflaredHome,
+          // No password, no 2FA — fully wide open. The warning should still
+          // fire; password-recovery copy already lives in `printAuthGuidance`.
+          vaultAuthStatus: {
+            hasOwnerPassword: false,
+            hasTotp: false,
+            tokenCount: 0,
+            vaultNames: [],
+          },
+        });
+
+        expect(code).toBe(0);
+        const joined = logs.join("\n");
+        expect(joined).toContain("2FA is not enrolled");
+        expect(joined).toContain("https://vault.example.com/login");
+        expect(joined).toContain("parachute auth 2fa enroll");
+      } finally {
+        env.cleanup();
+      }
+    });
+
+    test("enrolled → warning suppressed (no '2FA is not enrolled' line)", async () => {
+      const env = makeEnv();
+      try {
+        const uuid = "dddddddd-0000-0000-0000-000000000004";
+        const { runner } = queueRunner([
+          { code: 0, stdout: "cloudflared 2024.1.0\n", stderr: "" },
+          { code: 0, stdout: "[]", stderr: "" },
+          {
+            code: 0,
+            stdout: `Tunnel credentials written to ${env.cloudflaredHome}/${uuid}.json.\nCreated tunnel parachute with id ${uuid}\n`,
+            stderr: "",
+          },
+          { code: 0, stdout: "", stderr: "" },
+        ]);
+        const { spawner } = fakeSpawner(42101);
+        const logs: string[] = [];
+
+        const code = await exposeCloudflareUp("vault.example.com", {
+          runner,
+          spawner,
+          alive: () => false,
+          kill: () => {},
+          log: (l) => logs.push(l),
+          manifestPath: env.manifestPath,
+          statePath: env.statePath,
+          configPath: env.configPath,
+          logPath: env.logPath,
+          cloudflaredHome: env.cloudflaredHome,
+          vaultAuthStatus: {
+            hasOwnerPassword: true,
+            hasTotp: true,
+            tokenCount: 1,
+            vaultNames: ["default"],
+          },
+        });
+
+        expect(code).toBe(0);
+        const joined = logs.join("\n");
+        expect(joined).not.toContain("2FA is not enrolled");
+        // The existing `printAuthGuidance` 2FA-recommend bullet is unrelated
+        // to the new contextual warning and stays in place — assert it on a
+        // shape that doesn't collide with the warning text.
+        expect(joined).toContain("(recommended) TOTP + backup codes");
+      } finally {
+        env.cleanup();
+      }
+    });
+  });
 });
 
 describe("exposeCloudflareOff", () => {