Diffstat (limited to 'test/plugs')
-rw-r--r-- | test/plugs/authentication_plug_test.exs | 51 | ||||
-rw-r--r-- | test/plugs/ensure_authenticated_plug_test.exs | 45 | ||||
-rw-r--r-- | test/plugs/ensure_public_or_authenticated_plug_test.exs | 4 | ||||
-rw-r--r-- | test/plugs/http_security_plug_test.exs | 2 | ||||
-rw-r--r-- | test/plugs/legacy_authentication_plug_test.exs | 6 | ||||
-rw-r--r-- | test/plugs/oauth_scopes_plug_test.exs | 44 | ||||
-rw-r--r-- | test/plugs/rate_limiter_test.exs | 31 |
7 files changed, 120 insertions, 63 deletions
diff --git a/test/plugs/authentication_plug_test.exs b/test/plugs/authentication_plug_test.exs index ae2f3f8ec..777ae15ae 100644 --- a/test/plugs/authentication_plug_test.exs +++ b/test/plugs/authentication_plug_test.exs @@ -6,15 +6,18 @@ defmodule Pleroma.Plugs.AuthenticationPlugTest do use Pleroma.Web.ConnCase, async: true alias Pleroma.Plugs.AuthenticationPlug + alias Pleroma.Plugs.OAuthScopesPlug + alias Pleroma.Plugs.PlugHelper alias Pleroma.User import ExUnit.CaptureLog + import Pleroma.Factory setup %{conn: conn} do user = %User{ id: 1, name: "dude", - password_hash: Comeonin.Pbkdf2.hashpwsalt("guy") + password_hash: Pbkdf2.hash_pwd_salt("guy") } conn = 
@@ -36,25 +39,54 @@ defmodule Pleroma.Plugs.AuthenticationPlugTest do assert ret_conn == conn end - test "with a correct password in the credentials, it assigns the auth_user", %{conn: conn} do + test "with a correct password in the credentials, " <> + "it assigns the auth_user and marks OAuthScopesPlug as skipped", + %{conn: conn} do conn = conn |> assign(:auth_credentials, %{password: "guy"}) |> AuthenticationPlug.call(%{}) assert conn.assigns.user == conn.assigns.auth_user + assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug) end - test "with a wrong password in the credentials, it does nothing", %{conn: conn} do + test "with a bcrypt hash, it updates to a pkbdf2 hash", %{conn: conn} do + user = insert(:user, password_hash: Bcrypt.hash_pwd_salt("123")) + assert "$2" <> _ = user.password_hash + conn = conn - |> assign(:auth_credentials, %{password: "wrong"}) + |> assign(:auth_user, user) + |> assign(:auth_credentials, %{password: "123"}) + |> AuthenticationPlug.call(%{}) - ret_conn = + assert conn.assigns.user.id == conn.assigns.auth_user.id + assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug) + + user = User.get_by_id(user.id) + assert "$pbkdf2" <> _ = user.password_hash + end + + @tag :skip_on_mac + test "with a crypt hash, it updates to a pkbdf2 hash", %{conn: conn} do + user = + insert(:user, + password_hash: + "$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1" + ) + + conn = conn + |> assign(:auth_user, user) + |> assign(:auth_credentials, %{password: "password"}) |> AuthenticationPlug.call(%{}) - assert conn == ret_conn + assert conn.assigns.user.id == conn.assigns.auth_user.id + assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug) + + user = User.get_by_id(user.id) + assert "$pbkdf2" <> _ = user.password_hash end describe "checkpw/2" do 
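Review bot: The wrong-password path of `AuthenticationPlug.call/2` loses its only visible test here: "with a wrong password in the credentials, it does nothing" is replaced by the two rehash tests, and every remaining `call/2` test in the hunk supplies the correct password. A successful check now also rewrites `password_hash` and marks `OAuthScopesPlug` as skipped, so the failure case should pin that a bad password assigns no `:user`, leaves the scopes plug unskipped and leaves the stored bcrypt hash untouched. The same negative assertion is missing beside the new `plug_skipped?` check in legacy_authentication_plug_test.exs, where the following test lies outside the hunk. The new test names also spell the algorithm `pkbdf2` instead of `pbkdf2`. The sketch below assumes the setup block, which is cut off above this hunk, does not assign `:user`.

```elixir
# … unchanged: correct-password and rehash tests …
test "with a wrong password in the credentials, it does not authenticate or rehash",
     %{conn: conn} do
  user = insert(:user, password_hash: Bcrypt.hash_pwd_salt("123"))

  ret_conn =
    conn
    |> assign(:auth_user, user)
    |> assign(:auth_credentials, %{password: "wrong"})
    |> AuthenticationPlug.call(%{})

  refute ret_conn.assigns[:user]
  refute PlugHelper.plug_skipped?(ret_conn, OAuthScopesPlug)
  assert "$2" <> _ = User.get_by_id(user.id).password_hash
end
```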
@@ -74,6 +106,13 @@ defmodule Pleroma.Plugs.AuthenticationPlugTest do assert AuthenticationPlug.checkpw("password", hash) end + test "check bcrypt hash" do + hash = "$2a$10$uyhC/R/zoE1ndwwCtMusK.TLVzkQ/Ugsbqp3uXI.CTTz0gBw.24jS" + + assert AuthenticationPlug.checkpw("password", hash) + refute AuthenticationPlug.checkpw("password1", hash) + end + test "it returns false when hash invalid" do hash = "psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1" diff --git a/test/plugs/ensure_authenticated_plug_test.exs b/test/plugs/ensure_authenticated_plug_test.exs index 7f3559b83..a0667c5e0 100644 --- a/test/plugs/ensure_authenticated_plug_test.exs +++ b/test/plugs/ensure_authenticated_plug_test.exs 
@@ -20,34 +20,61 @@ defmodule Pleroma.Plugs.EnsureAuthenticatedPlugTest do conn = assign(conn, :user, %User{}) ret_conn = EnsureAuthenticatedPlug.call(conn, %{}) - assert ret_conn == conn + refute ret_conn.halted end end + test "it halts if user is assigned and MFA enabled", %{conn: conn} do + conn = + conn + |> assign(:user, %User{multi_factor_authentication_settings: %{enabled: true}}) + |> assign(:auth_credentials, %{password: "xd-42"}) + |> EnsureAuthenticatedPlug.call(%{}) + + assert conn.status == 403 + assert conn.halted == true + + assert conn.resp_body == + "{\"error\":\"Two-factor authentication enabled, you must use a access token.\"}" + end + + test "it continues if user is assigned and MFA disabled", %{conn: conn} do + conn = + conn + |> assign(:user, %User{multi_factor_authentication_settings: %{enabled: false}}) + |> assign(:auth_credentials, %{password: "xd-42"}) + |> EnsureAuthenticatedPlug.call(%{}) + + refute conn.status == 403 + refute conn.halted + end + describe "with :if_func / :unless_func options" do setup do %{ - true_fn: fn -> true end, - false_fn: fn -> false end + true_fn: fn _conn -> true end, + false_fn: fn _conn -> false end } end test "it continues if a user is assigned", %{conn: conn, true_fn: true_fn, false_fn: false_fn} do conn = assign(conn, :user, %User{}) - assert EnsureAuthenticatedPlug.call(conn, if_func: true_fn) == conn - assert EnsureAuthenticatedPlug.call(conn, if_func: false_fn) == conn - assert EnsureAuthenticatedPlug.call(conn, unless_func: true_fn) == conn - assert EnsureAuthenticatedPlug.call(conn, unless_func: false_fn) == conn + refute EnsureAuthenticatedPlug.call(conn, if_func: true_fn).halted + refute EnsureAuthenticatedPlug.call(conn, if_func: false_fn).halted + refute EnsureAuthenticatedPlug.call(conn, unless_func: true_fn).halted + refute EnsureAuthenticatedPlug.call(conn, unless_func: false_fn).halted end test "it continues if a user is NOT assigned but :if_func evaluates to `false`", %{conn: conn, false_fn: 
false_fn} do - assert EnsureAuthenticatedPlug.call(conn, if_func: false_fn) == conn + ret_conn = EnsureAuthenticatedPlug.call(conn, if_func: false_fn) + refute ret_conn.halted end test "it continues if a user is NOT assigned but :unless_func evaluates to `true`", %{conn: conn, true_fn: true_fn} do - assert EnsureAuthenticatedPlug.call(conn, unless_func: true_fn) == conn + ret_conn = EnsureAuthenticatedPlug.call(conn, unless_func: true_fn) + refute ret_conn.halted end test "it halts if a user is NOT assigned and :if_func evaluates to `true`", diff --git a/test/plugs/ensure_public_or_authenticated_plug_test.exs b/test/plugs/ensure_public_or_authenticated_plug_test.exs index 411252274..fc2934369 100644 --- a/test/plugs/ensure_public_or_authenticated_plug_test.exs +++ b/test/plugs/ensure_public_or_authenticated_plug_test.exs @@ -29,7 +29,7 @@ defmodule Pleroma.Plugs.EnsurePublicOrAuthenticatedPlugTest do conn |> EnsurePublicOrAuthenticatedPlug.call(%{}) - assert ret_conn == conn + refute ret_conn.halted end test "it continues if a user is assigned, even if not public", %{conn: conn} do @@ -43,6 +43,6 @@ defmodule Pleroma.Plugs.EnsurePublicOrAuthenticatedPlugTest do conn |> EnsurePublicOrAuthenticatedPlug.call(%{}) - assert ret_conn == conn + refute ret_conn.halted end end diff --git a/test/plugs/http_security_plug_test.exs b/test/plugs/http_security_plug_test.exs index 84e4c274f..63b4d3f31 100644 --- a/test/plugs/http_security_plug_test.exs +++ b/test/plugs/http_security_plug_test.exs @@ -67,7 +67,7 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do [csp] = Conn.get_resp_header(conn, "content-security-policy") - assert csp =~ ~r|report-uri https://endpoint.com; report-to csp-endpoint;| + assert csp =~ ~r|report-uri https://endpoint.com;report-to csp-endpoint;| [reply_to] = Conn.get_resp_header(conn, "reply-to") diff --git a/test/plugs/legacy_authentication_plug_test.exs b/test/plugs/legacy_authentication_plug_test.exs index 7559de7d3..3b8c07627 100644 
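Review bot: Both new MFA tests in ensure_authenticated_plug_test.exs send `:auth_credentials`, so the case the error message directs users to, an MFA-enabled user authenticated without a password, is not pinned. A third test that assigns `%User{multi_factor_authentication_settings: %{enabled: true}}` with no `:auth_credentials` and asserts `refute conn.halted` would fix the rule as "halt only on password auth". Without it, a refactor could lock out token clients or stop halting password logins without any test failing. In the MFA-disabled test `refute conn.status == 403` passes for any other status; `refute conn.resp_body`, as the rate limiter tests do, is stricter if the plug sends nothing on success. `assert conn.halted == true` can be written `assert conn.halted`.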
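Review bot: The pattern in `assert csp =~ ~r|report-uri https://endpoint.com;report-to csp-endpoint;|` in http_security_plug_test.exs leaves the dot unescaped, so it also accepts text such as `endpointXcom`. No regex feature is used, so a plain string on the right-hand side, `assert csp =~ "report-uri https://endpoint.com;report-to csp-endpoint;"`, checks the exact directive text. The context line after it reads a `reply-to` response header while the directive names `report-to`; the plug is not visible here, so it is worth confirming which header it emits. The test body continues outside the hunk.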
--- a/test/plugs/legacy_authentication_plug_test.exs +++ b/test/plugs/legacy_authentication_plug_test.exs @@ -8,6 +8,8 @@ defmodule Pleroma.Plugs.LegacyAuthenticationPlugTest do import Pleroma.Factory alias Pleroma.Plugs.LegacyAuthenticationPlug + alias Pleroma.Plugs.OAuthScopesPlug + alias Pleroma.Plugs.PlugHelper alias Pleroma.User setup do @@ -36,7 +38,8 @@ defmodule Pleroma.Plugs.LegacyAuthenticationPlugTest do end @tag :skip_on_mac - test "it authenticates the auth_user if present and password is correct and resets the password", + test "if `auth_user` is present and password is correct, " <> + "it authenticates the user, resets the password, marks OAuthScopesPlug as skipped", %{ conn: conn, user: user @@ -49,6 +52,7 @@ defmodule Pleroma.Plugs.LegacyAuthenticationPlugTest do conn = LegacyAuthenticationPlug.call(conn, %{}) assert conn.assigns.user.id == user.id + assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug) end @tag :skip_on_mac diff --git a/test/plugs/oauth_scopes_plug_test.exs b/test/plugs/oauth_scopes_plug_test.exs index e79ecf263..884de7b4d 100644 --- a/test/plugs/oauth_scopes_plug_test.exs +++ b/test/plugs/oauth_scopes_plug_test.exs @@ -5,15 +5,22 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do use Pleroma.Web.ConnCase, async: true - alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug alias Pleroma.Plugs.OAuthScopesPlug alias Pleroma.Repo import Mock import Pleroma.Factory - setup_with_mocks([{EnsurePublicOrAuthenticatedPlug, [], [call: fn conn, _ -> conn end]}]) do - :ok + test "is not performed if marked as skipped", %{conn: conn} do + with_mock OAuthScopesPlug, [:passthrough], perform: &passthrough([&1, &2]) do + conn = + conn + |> OAuthScopesPlug.skip_plug() + |> OAuthScopesPlug.call(%{scopes: ["random_scope"]}) + + refute called(OAuthScopesPlug.perform(:_, :_)) + refute conn.halted + end end test "if `token.scopes` fulfills specified 'any of' conditions, " <> 
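Review bot: The new test "is not performed if marked as skipped" in oauth_scopes_plug_test.exs replaces `OAuthScopesPlug` itself via `with_mock` while the module is still declared `use Pleroma.Web.ConnCase, async: true`. Mock swaps the module for the whole VM while the block runs, so tests in other async modules that pass through this plug can hit the swapped module and become order-dependent. Either drop `async: true` for this file or avoid the mock and assert on behaviour. A control call without `skip_plug()` that asserts `.halted` for `%{scopes: ["random_scope"]}` would show that the skip is what lets the request through, assuming the plug halts when no token is assigned. The skip marker bypasses scope enforcement, so a comment in the test on who is allowed to set it would help.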
@@ -48,7 +55,7 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do describe "with `fallback: :proceed_unauthenticated` option, " do test "if `token.scopes` doesn't fulfill specified conditions, " <> - "clears :user and :token assigns and calls EnsurePublicOrAuthenticatedPlug", + "clears :user and :token assigns", %{conn: conn} do user = insert(:user) token1 = insert(:oauth_token, scopes: ["read", "write"], user: user) @@ -67,35 +74,6 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do refute ret_conn.halted refute ret_conn.assigns[:user] refute ret_conn.assigns[:token] - - assert called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_)) - end - end - - test "with :skip_instance_privacy_check option, " <> - "if `token.scopes` doesn't fulfill specified conditions, " <> - "clears :user and :token assigns and does NOT call EnsurePublicOrAuthenticatedPlug", - %{conn: conn} do - user = insert(:user) - token1 = insert(:oauth_token, scopes: ["read:statuses", "write"], user: user) - - for token <- [token1, nil], op <- [:|, :&] do - ret_conn = - conn - |> assign(:user, user) - |> assign(:token, token) - |> OAuthScopesPlug.call(%{ - scopes: ["read"], - op: op, - fallback: :proceed_unauthenticated, - skip_instance_privacy_check: true - }) - - refute ret_conn.halted - refute ret_conn.assigns[:user] - refute ret_conn.assigns[:token] - - refute called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_)) end end end diff --git a/test/plugs/rate_limiter_test.exs b/test/plugs/rate_limiter_test.exs index 0ce9f3a0a..4d3d694f4 100644 --- a/test/plugs/rate_limiter_test.exs +++ b/test/plugs/rate_limiter_test.exs @@ -5,8 +5,10 @@ defmodule Pleroma.Plugs.RateLimiterTest do use Pleroma.Web.ConnCase + alias Phoenix.ConnTest alias Pleroma.Config alias Pleroma.Plugs.RateLimiter + alias Plug.Conn import Pleroma.Factory import Pleroma.Tests.Helpers, only: [clear_config: 1, clear_config: 2] 
@@ -36,8 +38,15 @@ defmodule Pleroma.Plugs.RateLimiterTest do end test "it is disabled if it remote ip plug is enabled but no remote ip is found" do - Config.put([Pleroma.Web.Endpoint, :http, :ip], {127, 0, 0, 1}) - assert RateLimiter.disabled?(Plug.Conn.assign(build_conn(), :remote_ip_found, false)) + assert RateLimiter.disabled?(Conn.assign(build_conn(), :remote_ip_found, false)) + end + + test "it is enabled if remote ip found" do + refute RateLimiter.disabled?(Conn.assign(build_conn(), :remote_ip_found, true)) + end + + test "it is enabled if remote_ip_found flag doesn't exist" do + refute RateLimiter.disabled?(build_conn()) end test "it restricts based on config values" do @@ -58,7 +67,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do end conn = RateLimiter.call(conn, plug_opts) - assert %{"error" => "Throttled"} = Phoenix.ConnTest.json_response(conn, :too_many_requests) + assert %{"error" => "Throttled"} = ConnTest.json_response(conn, :too_many_requests) assert conn.halted Process.sleep(50) @@ -68,7 +77,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do conn = RateLimiter.call(conn, plug_opts) assert {1, 4} = RateLimiter.inspect_bucket(conn, limiter_name, plug_opts) - refute conn.status == Plug.Conn.Status.code(:too_many_requests) + refute conn.status == Conn.Status.code(:too_many_requests) refute conn.resp_body refute conn.halted end @@ -98,7 +107,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do plug_opts = RateLimiter.init(name: limiter_name, params: ["id"]) conn = build_conn(:get, "/?id=1") - conn = Plug.Conn.fetch_query_params(conn) + conn = Conn.fetch_query_params(conn) conn_2 = build_conn(:get, "/?id=2") RateLimiter.call(conn, plug_opts) @@ -119,7 +128,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do id = "100" conn = build_conn(:get, "/?id=#{id}") - conn = Plug.Conn.fetch_query_params(conn) + conn = Conn.fetch_query_params(conn) conn_2 = build_conn(:get, "/?id=#{101}") RateLimiter.call(conn, plug_opts) 
@@ -147,13 +156,13 @@ defmodule Pleroma.Plugs.RateLimiterTest do conn = RateLimiter.call(conn, plug_opts) - assert %{"error" => "Throttled"} = Phoenix.ConnTest.json_response(conn, :too_many_requests) + assert %{"error" => "Throttled"} = ConnTest.json_response(conn, :too_many_requests) assert conn.halted conn_2 = RateLimiter.call(conn_2, plug_opts) assert {1, 4} = RateLimiter.inspect_bucket(conn_2, limiter_name, plug_opts) - refute conn_2.status == Plug.Conn.Status.code(:too_many_requests) + refute conn_2.status == Conn.Status.code(:too_many_requests) refute conn_2.resp_body refute conn_2.halted end @@ -187,7 +196,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do conn = RateLimiter.call(conn, plug_opts) - assert %{"error" => "Throttled"} = Phoenix.ConnTest.json_response(conn, :too_many_requests) + assert %{"error" => "Throttled"} = ConnTest.json_response(conn, :too_many_requests) assert conn.halted end @@ -210,12 +219,12 @@ defmodule Pleroma.Plugs.RateLimiterTest do end conn = RateLimiter.call(conn, plug_opts) - assert %{"error" => "Throttled"} = Phoenix.ConnTest.json_response(conn, :too_many_requests) + assert %{"error" => "Throttled"} = ConnTest.json_response(conn, :too_many_requests) assert conn.halted conn_2 = RateLimiter.call(conn_2, plug_opts) assert {1, 4} = RateLimiter.inspect_bucket(conn_2, limiter_name, plug_opts) - refute conn_2.status == Plug.Conn.Status.code(:too_many_requests) + refute conn_2.status == Conn.Status.code(:too_many_requests) refute conn_2.resp_body refute conn_2.halted end |