diff options
| author | Mark Felder <feld@FreeBSD.org> | 2020-10-13 10:08:38 -0500 | 
|---|---|---|
| committer | Mark Felder <feld@FreeBSD.org> | 2020-10-13 10:08:38 -0500 | 
| commit | b738f709532ff18845f5d8cc3888d0bd67f750ab (patch) | |
| tree | 87596ad2bf711bdbc3dc75293996157c3c99d955 /test/web/auth | |
| parent | c4fae2611ff4da7c418de236fa643021ddc778c8 (diff) | |
| parent | 8b6221d4ecd1d7e354e7de831dd46e285cb85077 (diff) | |
| download | pleroma-b738f709532ff18845f5d8cc3888d0bd67f750ab.tar.gz pleroma-b738f709532ff18845f5d8cc3888d0bd67f750ab.zip | |
Merge branch 'develop' into feature/gen-magic
Diffstat (limited to 'test/web/auth')
| -rw-r--r-- | test/web/auth/auth_test_controller_test.exs | 242 | ||||
| -rw-r--r-- | test/web/auth/authenticator_test.exs | 42 | ||||
| -rw-r--r-- | test/web/auth/basic_auth_test.exs | 46 | ||||
| -rw-r--r-- | test/web/auth/pleroma_authenticator_test.exs | 48 | ||||
| -rw-r--r-- | test/web/auth/totp_authenticator_test.exs | 51 | 
5 files changed, 0 insertions, 429 deletions
| diff --git a/test/web/auth/auth_test_controller_test.exs b/test/web/auth/auth_test_controller_test.exs deleted file mode 100644 index fed52b7f3..000000000 --- a/test/web/auth/auth_test_controller_test.exs +++ /dev/null @@ -1,242 +0,0 @@ -# Pleroma: A lightweight social networking server -# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/> -# SPDX-License-Identifier: AGPL-3.0-only - -defmodule Pleroma.Tests.AuthTestControllerTest do -  use Pleroma.Web.ConnCase - -  import Pleroma.Factory - -  describe "do_oauth_check" do -    test "serves with proper OAuth token (fulfilling requested scopes)" do -      %{conn: good_token_conn, user: user} = oauth_access(["read"]) - -      assert %{"user_id" => user.id} == -               good_token_conn -               |> get("/test/authenticated_api/do_oauth_check") -               |> json_response(200) - -      # Unintended usage (:api) — use with :authenticated_api instead -      assert %{"user_id" => user.id} == -               good_token_conn -               |> get("/test/api/do_oauth_check") -               |> json_response(200) -    end - -    test "fails on no token / missing scope(s)" do -      %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"]) - -      bad_token_conn -      |> get("/test/authenticated_api/do_oauth_check") -      |> json_response(403) - -      bad_token_conn -      |> assign(:token, nil) -      |> get("/test/api/do_oauth_check") -      |> json_response(403) -    end -  end - -  describe "fallback_oauth_check" do -    test "serves with proper OAuth token (fulfilling requested scopes)" do -      %{conn: good_token_conn, user: user} = oauth_access(["read"]) - -      assert %{"user_id" => user.id} == -               good_token_conn -               |> get("/test/api/fallback_oauth_check") -               |> json_response(200) - -      # Unintended usage (:authenticated_api) — use with :api instead -      assert %{"user_id" => user.id} == -               good_token_conn -               |> get("/test/authenticated_api/fallback_oauth_check") -               |> json_response(200) -    end - -    test "for :api on public instance, drops :user and renders on no token / missing scope(s)" do -      clear_config([:instance, :public], true) - -      %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"]) - -      assert %{"user_id" => nil} == -               bad_token_conn -               |> get("/test/api/fallback_oauth_check") -               |> json_response(200) - -      assert %{"user_id" => nil} == -               bad_token_conn -               |> assign(:token, nil) -               |> get("/test/api/fallback_oauth_check") -               |> json_response(200) -    end - -    test "for :api on private instance, fails on no token / missing scope(s)" do -      clear_config([:instance, :public], false) - -      %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"]) - -      bad_token_conn -      |> get("/test/api/fallback_oauth_check") -      |> json_response(403) - -      bad_token_conn -      |> assign(:token, nil) -      |> get("/test/api/fallback_oauth_check") -      |> json_response(403) -    end -  end - -  describe "skip_oauth_check" do -    test "for :authenticated_api, serves if :user is set (regardless of token / token scopes)" do -      user = insert(:user) - -      assert %{"user_id" => user.id} == -               build_conn() -               |> assign(:user, user) -               |> get("/test/authenticated_api/skip_oauth_check") -               |> json_response(200) - -      %{conn: bad_token_conn, user: user} = oauth_access(["irrelevant_scope"]) - -      assert %{"user_id" => user.id} == -               bad_token_conn -               |> get("/test/authenticated_api/skip_oauth_check") -               |> json_response(200) -    end - -    test "serves via :api on public instance if :user is not set" do -      clear_config([:instance, :public], true) - -      assert %{"user_id" => nil} == -               build_conn() -               |> get("/test/api/skip_oauth_check") -               |> json_response(200) - -      build_conn() -      |> get("/test/authenticated_api/skip_oauth_check") -      |> json_response(403) -    end - -    test "fails on private instance if :user is not set" do -      clear_config([:instance, :public], false) - -      build_conn() -      |> get("/test/api/skip_oauth_check") -      |> json_response(403) - -      build_conn() -      |> get("/test/authenticated_api/skip_oauth_check") -      |> json_response(403) -    end -  end - -  describe "fallback_oauth_skip_publicity_check" do -    test "serves with proper OAuth token (fulfilling requested scopes)" do -      %{conn: good_token_conn, user: user} = oauth_access(["read"]) - -      assert %{"user_id" => user.id} == -               good_token_conn -               |> get("/test/api/fallback_oauth_skip_publicity_check") -               |> json_response(200) - -      # Unintended usage (:authenticated_api) -      assert %{"user_id" => user.id} == -               good_token_conn -               |> get("/test/authenticated_api/fallback_oauth_skip_publicity_check") -               |> json_response(200) -    end - -    test "for :api on private / public instance, drops :user and renders on token issue" do -      %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"]) - -      for is_public <- [true, false] do -        clear_config([:instance, :public], is_public) - -        assert %{"user_id" => nil} == -                 bad_token_conn -                 |> get("/test/api/fallback_oauth_skip_publicity_check") -                 |> json_response(200) - -        assert %{"user_id" => nil} == -                 bad_token_conn -                 |> assign(:token, nil) -                 |> get("/test/api/fallback_oauth_skip_publicity_check") -                 |> json_response(200) -      end -    end -  end - -  describe "skip_oauth_skip_publicity_check" do -    test "for :authenticated_api, serves if :user is set (regardless of token / token scopes)" do -      user = insert(:user) - -      assert %{"user_id" => user.id} == -               build_conn() -               |> assign(:user, user) -               |> get("/test/authenticated_api/skip_oauth_skip_publicity_check") -               |> json_response(200) - -      %{conn: bad_token_conn, user: user} = oauth_access(["irrelevant_scope"]) - -      assert %{"user_id" => user.id} == -               bad_token_conn -               |> get("/test/authenticated_api/skip_oauth_skip_publicity_check") -               |> json_response(200) -    end - -    test "for :api, serves on private and public instances regardless of whether :user is set" do -      user = insert(:user) - -      for is_public <- [true, false] do -        clear_config([:instance, :public], is_public) - -        assert %{"user_id" => nil} == -                 build_conn() -                 |> get("/test/api/skip_oauth_skip_publicity_check") -                 |> json_response(200) - -        assert %{"user_id" => user.id} == -                 build_conn() -                 |> assign(:user, user) -                 |> get("/test/api/skip_oauth_skip_publicity_check") -                 |> json_response(200) -      end -    end -  end - -  describe "missing_oauth_check_definition" do -    def test_missing_oauth_check_definition_failure(endpoint, expected_error) do -      %{conn: conn} = oauth_access(["read", "write", "follow", "push", "admin"]) - -      assert %{"error" => expected_error} == -               conn -               |> get(endpoint) -               |> json_response(403) -    end - -    test "fails if served via :authenticated_api" do -      test_missing_oauth_check_definition_failure( -        "/test/authenticated_api/missing_oauth_check_definition", -        "Security violation: OAuth scopes check was neither handled nor explicitly skipped." -      ) -    end - -    test "fails if served via :api and the instance is private" do -      clear_config([:instance, :public], false) - -      test_missing_oauth_check_definition_failure( -        "/test/api/missing_oauth_check_definition", -        "This resource requires authentication." -      ) -    end - -    test "succeeds with dropped :user if served via :api on public instance" do -      %{conn: conn} = oauth_access(["read", "write", "follow", "push", "admin"]) - -      assert %{"user_id" => nil} == -               conn -               |> get("/test/api/missing_oauth_check_definition") -               |> json_response(200) -    end -  end -end diff --git a/test/web/auth/authenticator_test.exs b/test/web/auth/authenticator_test.exs deleted file mode 100644 index d54253343..000000000 --- a/test/web/auth/authenticator_test.exs +++ /dev/null @@ -1,42 +0,0 @@ -# Pleroma: A lightweight social networking server -# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/> -# SPDX-License-Identifier: AGPL-3.0-only - -defmodule Pleroma.Web.Auth.AuthenticatorTest do -  use Pleroma.Web.ConnCase - -  alias Pleroma.Web.Auth.Authenticator -  import Pleroma.Factory - -  describe "fetch_user/1" do -    test "returns user by name" do -      user = insert(:user) -      assert Authenticator.fetch_user(user.nickname) == user -    end - -    test "returns user by email" do -      user = insert(:user) -      assert Authenticator.fetch_user(user.email) == user -    end - -    test "returns nil" do -      assert Authenticator.fetch_user("email") == nil -    end -  end - -  describe "fetch_credentials/1" do -    test "returns name and password from authorization params" do -      params = %{"authorization" => %{"name" => "test", "password" => "test-pass"}} -      assert Authenticator.fetch_credentials(params) == {:ok, {"test", "test-pass"}} -    end - -    test "returns name and password with grant_type 'password'" do -      params = %{"grant_type" => "password", "username" => "test", "password" => "test-pass"} -      assert Authenticator.fetch_credentials(params) == {:ok, {"test", "test-pass"}} -    end - -    test "returns error" do -      assert Authenticator.fetch_credentials(%{}) == {:error, :invalid_credentials} -    end -  end -end diff --git a/test/web/auth/basic_auth_test.exs b/test/web/auth/basic_auth_test.exs deleted file mode 100644 index bf6e3d2fc..000000000 --- a/test/web/auth/basic_auth_test.exs +++ /dev/null @@ -1,46 +0,0 @@ -# Pleroma: A lightweight social networking server -# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/> -# SPDX-License-Identifier: AGPL-3.0-only - -defmodule Pleroma.Web.Auth.BasicAuthTest do -  use Pleroma.Web.ConnCase - -  import Pleroma.Factory - -  test "with HTTP Basic Auth used, grants access to OAuth scope-restricted endpoints", %{ -    conn: conn -  } do -    user = insert(:user) -    assert Pbkdf2.verify_pass("test", user.password_hash) - -    basic_auth_contents = -      (URI.encode_www_form(user.nickname) <> ":" <> URI.encode_www_form("test")) -      |> Base.encode64() - -    # Succeeds with HTTP Basic Auth -    response = -      conn -      |> put_req_header("authorization", "Basic " <> basic_auth_contents) -      |> get("/api/v1/accounts/verify_credentials") -      |> json_response(200) - -    user_nickname = user.nickname -    assert %{"username" => ^user_nickname} = response - -    # Succeeds with a properly scoped OAuth token -    valid_token = insert(:oauth_token, scopes: ["read:accounts"]) - -    conn -    |> put_req_header("authorization", "Bearer #{valid_token.token}") -    |> get("/api/v1/accounts/verify_credentials") -    |> json_response(200) - -    # Fails with a wrong-scoped OAuth token (proof of restriction) -    invalid_token = insert(:oauth_token, scopes: ["read:something"]) - -    conn -    |> put_req_header("authorization", "Bearer #{invalid_token.token}") -    |> get("/api/v1/accounts/verify_credentials") -    |> json_response(403) -  end -end diff --git a/test/web/auth/pleroma_authenticator_test.exs b/test/web/auth/pleroma_authenticator_test.exs deleted file mode 100644 index 1ba0dfecc..000000000 --- a/test/web/auth/pleroma_authenticator_test.exs +++ /dev/null @@ -1,48 +0,0 @@ -# Pleroma: A lightweight social networking server -# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/> -# SPDX-License-Identifier: AGPL-3.0-only - -defmodule Pleroma.Web.Auth.PleromaAuthenticatorTest do -  use Pleroma.Web.ConnCase - -  alias Pleroma.Web.Auth.PleromaAuthenticator -  import Pleroma.Factory - -  setup do -    password = "testpassword" -    name = "AgentSmith" -    user = insert(:user, nickname: name, password_hash: Pbkdf2.hash_pwd_salt(password)) -    {:ok, [user: user, name: name, password: password]} -  end - -  test "get_user/authorization", %{name: name, password: password} do -    name = name <> "1" -    user = insert(:user, nickname: name, password_hash: Bcrypt.hash_pwd_salt(password)) - -    params = %{"authorization" => %{"name" => name, "password" => password}} -    res = PleromaAuthenticator.get_user(%Plug.Conn{params: params}) - -    assert {:ok, returned_user} = res -    assert returned_user.id == user.id -    assert "$pbkdf2" <> _ = returned_user.password_hash -  end - -  test "get_user/authorization with invalid password", %{name: name} do -    params = %{"authorization" => %{"name" => name, "password" => "password"}} -    res = PleromaAuthenticator.get_user(%Plug.Conn{params: params}) - -    assert {:error, {:checkpw, false}} == res -  end - -  test "get_user/grant_type_password", %{user: user, name: name, password: password} do -    params = %{"grant_type" => "password", "username" => name, "password" => password} -    res = PleromaAuthenticator.get_user(%Plug.Conn{params: params}) - -    assert {:ok, user} == res -  end - -  test "error credintails" do -    res = PleromaAuthenticator.get_user(%Plug.Conn{params: %{}}) -    assert {:error, :invalid_credentials} == res -  end -end diff --git a/test/web/auth/totp_authenticator_test.exs b/test/web/auth/totp_authenticator_test.exs deleted file mode 100644 index 84d4cd840..000000000 --- a/test/web/auth/totp_authenticator_test.exs +++ /dev/null @@ -1,51 +0,0 @@ -# Pleroma: A lightweight social networking server -# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/> -# SPDX-License-Identifier: AGPL-3.0-only - -defmodule Pleroma.Web.Auth.TOTPAuthenticatorTest do -  use Pleroma.Web.ConnCase - -  alias Pleroma.MFA -  alias Pleroma.MFA.BackupCodes -  alias Pleroma.MFA.TOTP -  alias Pleroma.Web.Auth.TOTPAuthenticator - -  import Pleroma.Factory - -  test "verify token" do -    otp_secret = TOTP.generate_secret() -    otp_token = TOTP.generate_token(otp_secret) - -    user = -      insert(:user, -        multi_factor_authentication_settings: %MFA.Settings{ -          enabled: true, -          totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true} -        } -      ) - -    assert TOTPAuthenticator.verify(otp_token, user) == {:ok, :pass} -    assert TOTPAuthenticator.verify(nil, user) == {:error, :invalid_token} -    assert TOTPAuthenticator.verify("", user) == {:error, :invalid_token} -  end - -  test "checks backup codes" do -    [code | _] = backup_codes = BackupCodes.generate() - -    hashed_codes = -      backup_codes -      |> Enum.map(&Pbkdf2.hash_pwd_salt(&1)) - -    user = -      insert(:user, -        multi_factor_authentication_settings: %MFA.Settings{ -          enabled: true, -          backup_codes: hashed_codes, -          totp: %MFA.Settings.TOTP{secret: "otp_secret", confirmed: true} -        } -      ) - -    assert TOTPAuthenticator.verify_recovery_code(user, code) == {:ok, :pass} -    refute TOTPAuthenticator.verify_recovery_code(code, refresh_record(user)) == {:ok, :pass} -  end -end | 
