From f7cd9131d4aa0da3c4c0174acc56ce1bbdbd284c Mon Sep 17 00:00:00 2001 From: Ivan Tashkinov Date: Thu, 4 Apr 2019 22:41:03 +0300 Subject: [#923] OAuth consumer controller tests. Misc. improvements. --- test/web/oauth/oauth_controller_test.exs | 327 ++++++++++++++++++++++++++++++- 1 file changed, 321 insertions(+), 6 deletions(-) (limited to 'test/web/oauth/oauth_controller_test.exs') diff --git a/test/web/oauth/oauth_controller_test.exs b/test/web/oauth/oauth_controller_test.exs index a9a0b9ed4..e13f4700d 100644 --- a/test/web/oauth/oauth_controller_test.exs +++ b/test/web/oauth/oauth_controller_test.exs @@ -5,24 +5,339 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do use Pleroma.Web.ConnCase import Pleroma.Factory + import Mock + alias Pleroma.Registration alias Pleroma.Repo alias Pleroma.Web.OAuth.Authorization alias Pleroma.Web.OAuth.Token - describe "GET /oauth/authorize" do + @session_opts [ + store: :cookie, + key: "_test", + signing_salt: "cooldude" + ] + + describe "in OAuth consumer mode, " do setup do - session_opts = [ - store: :cookie, - key: "_test", - signing_salt: "cooldude" + oauth_consumer_enabled_path = [:auth, :oauth_consumer_enabled] + oauth_consumer_strategies_path = [:auth, :oauth_consumer_strategies] + oauth_consumer_enabled = Pleroma.Config.get(oauth_consumer_enabled_path) + oauth_consumer_strategies = Pleroma.Config.get(oauth_consumer_strategies_path) + + Pleroma.Config.put(oauth_consumer_enabled_path, true) + Pleroma.Config.put(oauth_consumer_strategies_path, ~w(twitter facebook)) + + on_exit(fn -> + Pleroma.Config.put(oauth_consumer_enabled_path, oauth_consumer_enabled) + Pleroma.Config.put(oauth_consumer_strategies_path, oauth_consumer_strategies) + end) + + [ + app: insert(:oauth_app), + conn: + build_conn() + |> Plug.Session.call(Plug.Session.init(@session_opts)) + |> fetch_session() ] + end + + test "GET /oauth/authorize also renders OAuth consumer form", %{ + app: app, + conn: conn + } do + conn = + get( + conn, + "/oauth/authorize", + %{ + "response_type" => "code", + "client_id" => app.client_id, + "redirect_uri" => app.redirect_uris, + "scope" => "read" + } + ) + + assert response = html_response(conn, 200) + assert response =~ "Sign in with Twitter" + assert response =~ o_auth_path(conn, :prepare_request) + end + + test "GET /oauth/prepare_request encodes parameters as `state` and redirects", %{ + app: app, + conn: conn + } do + conn = + get( + conn, + "/oauth/prepare_request", + %{ + "provider" => "twitter", + "scope" => app.scopes, + "client_id" => app.client_id, + "redirect_uri" => app.redirect_uris, + "state" => "a_state" + } + ) + + assert response = html_response(conn, 302) + redirected_to = redirected_to(conn) + [state] = Regex.run(~r/(?<=state=).*?(?=\Z|&)/, redirected_to) + state = URI.decode(state) + assert {:ok, state_params} = Poison.decode(state) + + expected_scope_param = Enum.join(app.scopes, "+") + expected_client_id_param = app.client_id + expected_redirect_uri_param = app.redirect_uris + + assert %{ + "scope" => ^expected_scope_param, + "client_id" => ^expected_client_id_param, + "redirect_uri" => ^expected_redirect_uri_param, + "state" => "a_state" + } = state_params + end + + test "on authentication error, redirects to `redirect_uri`", %{app: app, conn: conn} do + state_params = %{ + "scope" => Enum.join(app.scopes, " "), + "client_id" => app.client_id, + "redirect_uri" => app.redirect_uris, + "state" => "" + } + + conn = + conn + |> assign(:ueberauth_failure, %{errors: [%{message: "unknown error"}]}) + |> get( + "/oauth/twitter/callback", + %{ + "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM", + "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs", + "provider" => "twitter", + "state" => Poison.encode!(state_params) + } + ) + + assert response = html_response(conn, 302) + assert redirected_to(conn) == app.redirect_uris + end + + test "with user-bound registration, GET /oauth//callback redirects to `redirect_uri` with `code`", + %{app: app, conn: conn} do + registration = insert(:registration) + + state_params = %{ + "scope" => Enum.join(app.scopes, " "), + "client_id" => app.client_id, + "redirect_uri" => app.redirect_uris, + "state" => "" + } + + with_mock Pleroma.Web.Auth.Authenticator, + get_registration: fn _, _ -> {:ok, registration} end do + conn = + get( + conn, + "/oauth/twitter/callback", + %{ + "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM", + "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs", + "provider" => "twitter", + "state" => Poison.encode!(state_params) + } + ) + + assert response = html_response(conn, 302) + assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/ + end + end + + test "with user-unbound registration, GET /oauth//callback redirects to registration_details page", + %{app: app, conn: conn} do + registration = insert(:registration, user: nil) + + state_params = %{ + "scope" => "read", + "client_id" => app.client_id, + "redirect_uri" => app.redirect_uris, + "state" => "a_state" + } + + with_mock Pleroma.Web.Auth.Authenticator, + get_registration: fn _, _ -> {:ok, registration} end do + conn = + get( + conn, + "/oauth/twitter/callback", + %{ + "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM", + "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs", + "provider" => "twitter", + "state" => Poison.encode!(state_params) + } + ) + + expected_redirect_params = + state_params + |> Map.delete("scope") + |> Map.merge(%{ + "scopes" => ["read"], + "email" => Registration.email(registration), + "nickname" => Registration.nickname(registration) + }) + + assert response = html_response(conn, 302) + + assert redirected_to(conn) == + o_auth_path(conn, :registration_details, expected_redirect_params) + end + end + + test "GET /oauth/registration_details renders registration details form", %{ + app: app, + conn: conn + } do + conn = + get( + conn, + "/oauth/registration_details", + %{ + "scopes" => app.scopes, + "client_id" => app.client_id, + "redirect_uri" => app.redirect_uris, + "state" => "a_state", + "nickname" => nil, + "email" => "john@doe.com" + } + ) + + assert response = html_response(conn, 200) + assert response =~ ~r/name="op" type="submit" value="register"/ + assert response =~ ~r/name="op" type="submit" value="connect"/ + end + + test "with valid params, POST /oauth/register?op=register redirects to `redirect_uri` with `code`", + %{ + app: app, + conn: conn + } do + registration = insert(:registration, user: nil, info: %{"nickname" => nil, "email" => nil}) + + conn = + conn + |> put_session(:registration_id, registration.id) + |> post( + "/oauth/register", + %{ + "op" => "register", + "scopes" => app.scopes, + "client_id" => app.client_id, + "redirect_uri" => app.redirect_uris, + "state" => "a_state", + "nickname" => "availablenick", + "email" => "available@email.com" + } + ) + + assert response = html_response(conn, 302) + assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/ + end + + test "with invalid params, POST /oauth/register?op=register redirects to registration_details page", + %{ + app: app, + conn: conn + } do + another_user = insert(:user) + registration = insert(:registration, user: nil, info: %{"nickname" => nil, "email" => nil}) + + params = %{ + "op" => "register", + "scopes" => app.scopes, + "client_id" => app.client_id, + "redirect_uri" => app.redirect_uris, + "state" => "a_state", + "nickname" => another_user.nickname, + "email" => another_user.email + } + + conn = + conn + |> put_session(:registration_id, registration.id) + |> post("/oauth/register", params) + + assert response = html_response(conn, 302) + + assert redirected_to(conn) == + o_auth_path(conn, :registration_details, params) + end + + test "with valid params, POST /oauth/register?op=connect redirects to `redirect_uri` with `code`", + %{ + app: app, + conn: conn + } do + user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt("testpassword")) + registration = insert(:registration, user: nil) + + conn = + conn + |> put_session(:registration_id, registration.id) + |> post( + "/oauth/register", + %{ + "op" => "connect", + "scopes" => app.scopes, + "client_id" => app.client_id, + "redirect_uri" => app.redirect_uris, + "state" => "a_state", + "auth_name" => user.nickname, + "password" => "testpassword" + } + ) + assert response = html_response(conn, 302) + assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/ + end + + test "with invalid params, POST /oauth/register?op=connect redirects to registration_details page", + %{ + app: app, + conn: conn + } do + user = insert(:user) + registration = insert(:registration, user: nil) + + params = %{ + "op" => "connect", + "scopes" => app.scopes, + "client_id" => app.client_id, + "redirect_uri" => app.redirect_uris, + "state" => "a_state", + "auth_name" => user.nickname, + "password" => "wrong password" + } + + conn = + conn + |> put_session(:registration_id, registration.id) + |> post("/oauth/register", params) + + assert response = html_response(conn, 302) + + assert redirected_to(conn) == + o_auth_path(conn, :registration_details, Map.delete(params, "password")) + end + end + + describe "GET /oauth/authorize" do + setup do [ app: insert(:oauth_app, redirect_uris: "https://redirect.url"), conn: build_conn() - |> Plug.Session.call(Plug.Session.init(session_opts)) + |> Plug.Session.call(Plug.Session.init(@session_opts)) |> fetch_session() ] end -- cgit v1.2.3 From 3e7f2bfc2f4769af3cedea3126fa0b3cab3f2b7b Mon Sep 17 00:00:00 2001 From: Ivan Tashkinov Date: Fri, 5 Apr 2019 09:19:17 +0300 Subject: [#923] OAuthController#callback adjustments (with tests). --- test/web/oauth/oauth_controller_test.exs | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) (limited to 'test/web/oauth/oauth_controller_test.exs') diff --git a/test/web/oauth/oauth_controller_test.exs b/test/web/oauth/oauth_controller_test.exs index e13f4700d..75333f2d5 100644 --- a/test/web/oauth/oauth_controller_test.exs +++ b/test/web/oauth/oauth_controller_test.exs @@ -73,7 +73,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "/oauth/prepare_request", %{ "provider" => "twitter", - "scope" => app.scopes, + "scope" => "read follow", "client_id" => app.client_id, "redirect_uri" => app.redirect_uris, "state" => "a_state" @@ -81,21 +81,20 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do ) assert response = html_response(conn, 302) - redirected_to = redirected_to(conn) - [state] = Regex.run(~r/(?<=state=).*?(?=\Z|&)/, redirected_to) - state = URI.decode(state) - assert {:ok, state_params} = Poison.decode(state) - expected_scope_param = Enum.join(app.scopes, "+") - expected_client_id_param = app.client_id - expected_redirect_uri_param = app.redirect_uris + redirect_query = URI.parse(redirected_to(conn)).query + assert %{"state" => state_param} = URI.decode_query(redirect_query) + assert {:ok, state_components} = Poison.decode(state_param) + + expected_client_id = app.client_id + expected_redirect_uri = app.redirect_uris assert %{ - "scope" => ^expected_scope_param, - "client_id" => ^expected_client_id_param, - "redirect_uri" => ^expected_redirect_uri_param, + "scope" => "read follow", + "client_id" => ^expected_client_id, + "redirect_uri" => ^expected_redirect_uri, "state" => "a_state" - } = state_params + } = state_components end test "on authentication error, redirects to `redirect_uri`", %{app: app, conn: conn} do @@ -158,7 +157,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do registration = insert(:registration, user: nil) state_params = %{ - "scope" => "read", + "scope" => "read write", "client_id" => app.client_id, "redirect_uri" => app.redirect_uris, "state" => "a_state" @@ -182,7 +181,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do state_params |> Map.delete("scope") |> Map.merge(%{ - "scopes" => ["read"], + "scope" => "read write", "email" => Registration.email(registration), "nickname" => Registration.nickname(registration) }) -- cgit v1.2.3 From 47a236f7537ad4366d07361d184c84f3912648f1 Mon Sep 17 00:00:00 2001 From: Ivan Tashkinov Date: Fri, 5 Apr 2019 15:12:02 +0300 Subject: [#923] OAuth consumer mode refactoring, new tests, tests adjustments, readme. --- test/web/oauth/oauth_controller_test.exs | 110 ++++++++++++++----------------- 1 file changed, 51 insertions(+), 59 deletions(-) (limited to 'test/web/oauth/oauth_controller_test.exs') diff --git a/test/web/oauth/oauth_controller_test.exs b/test/web/oauth/oauth_controller_test.exs index 75333f2d5..385896dc6 100644 --- a/test/web/oauth/oauth_controller_test.exs +++ b/test/web/oauth/oauth_controller_test.exs @@ -20,16 +20,11 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do describe "in OAuth consumer mode, " do setup do - oauth_consumer_enabled_path = [:auth, :oauth_consumer_enabled] oauth_consumer_strategies_path = [:auth, :oauth_consumer_strategies] - oauth_consumer_enabled = Pleroma.Config.get(oauth_consumer_enabled_path) oauth_consumer_strategies = Pleroma.Config.get(oauth_consumer_strategies_path) - - Pleroma.Config.put(oauth_consumer_enabled_path, true) Pleroma.Config.put(oauth_consumer_strategies_path, ~w(twitter facebook)) on_exit(fn -> - Pleroma.Config.put(oauth_consumer_enabled_path, oauth_consumer_enabled) Pleroma.Config.put(oauth_consumer_strategies_path, oauth_consumer_strategies) end) @@ -42,7 +37,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do ] end - test "GET /oauth/authorize also renders OAuth consumer form", %{ + test "GET /oauth/authorize renders auth forms, including OAuth consumer form", %{ app: app, conn: conn } do @@ -97,31 +92,6 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do } = state_components end - test "on authentication error, redirects to `redirect_uri`", %{app: app, conn: conn} do - state_params = %{ - "scope" => Enum.join(app.scopes, " "), - "client_id" => app.client_id, - "redirect_uri" => app.redirect_uris, - "state" => "" - } - - conn = - conn - |> assign(:ueberauth_failure, %{errors: [%{message: "unknown error"}]}) - |> get( - "/oauth/twitter/callback", - %{ - "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM", - "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs", - "provider" => "twitter", - "state" => Poison.encode!(state_params) - } - ) - - assert response = html_response(conn, 302) - assert redirected_to(conn) == app.redirect_uris - end - test "with user-bound registration, GET /oauth//callback redirects to `redirect_uri` with `code`", %{app: app, conn: conn} do registration = insert(:registration) @@ -152,7 +122,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do end end - test "with user-unbound registration, GET /oauth//callback redirects to registration_details page", + test "with user-unbound registration, GET /oauth//callback renders registration_details page", %{app: app, conn: conn} do registration = insert(:registration, user: nil) @@ -177,20 +147,41 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do } ) - expected_redirect_params = - state_params - |> Map.delete("scope") - |> Map.merge(%{ - "scope" => "read write", - "email" => Registration.email(registration), - "nickname" => Registration.nickname(registration) - }) + assert response = html_response(conn, 200) + assert response =~ ~r/name="op" type="submit" value="register"/ + assert response =~ ~r/name="op" type="submit" value="connect"/ + assert response =~ Registration.email(registration) + assert response =~ Registration.nickname(registration) + end + end - assert response = html_response(conn, 302) + test "on authentication error, GET /oauth//callback redirects to `redirect_uri`", %{ + app: app, + conn: conn + } do + state_params = %{ + "scope" => Enum.join(app.scopes, " "), + "client_id" => app.client_id, + "redirect_uri" => app.redirect_uris, + "state" => "" + } - assert redirected_to(conn) == - o_auth_path(conn, :registration_details, expected_redirect_params) - end + conn = + conn + |> assign(:ueberauth_failure, %{errors: [%{message: "(error description)"}]}) + |> get( + "/oauth/twitter/callback", + %{ + "oauth_token" => "G-5a3AAAAAAAwMH9AAABaektfSM", + "oauth_verifier" => "QZl8vUqNvXMTKpdmUnGejJxuHG75WWWs", + "provider" => "twitter", + "state" => Poison.encode!(state_params) + } + ) + + assert response = html_response(conn, 302) + assert redirected_to(conn) == app.redirect_uris + assert get_flash(conn, :error) == "Failed to authenticate: (error description)." end test "GET /oauth/registration_details renders registration details form", %{ @@ -243,7 +234,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/ end - test "with invalid params, POST /oauth/register?op=register redirects to registration_details page", + test "with invalid params, POST /oauth/register?op=register renders registration_details page", %{ app: app, conn: conn @@ -257,19 +248,22 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do "client_id" => app.client_id, "redirect_uri" => app.redirect_uris, "state" => "a_state", - "nickname" => another_user.nickname, - "email" => another_user.email + "nickname" => "availablenickname", + "email" => "available@email.com" } - conn = - conn - |> put_session(:registration_id, registration.id) - |> post("/oauth/register", params) + for {bad_param, bad_param_value} <- + [{"nickname", another_user.nickname}, {"email", another_user.email}] do + bad_params = Map.put(params, bad_param, bad_param_value) - assert response = html_response(conn, 302) + conn = + conn + |> put_session(:registration_id, registration.id) + |> post("/oauth/register", bad_params) - assert redirected_to(conn) == - o_auth_path(conn, :registration_details, params) + assert html_response(conn, 403) =~ ~r/name="op" type="submit" value="register"/ + assert get_flash(conn, :error) == "Error: #{bad_param} has already been taken." + end end test "with valid params, POST /oauth/register?op=connect redirects to `redirect_uri` with `code`", @@ -300,7 +294,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/ end - test "with invalid params, POST /oauth/register?op=connect redirects to registration_details page", + test "with invalid params, POST /oauth/register?op=connect renders registration_details page", %{ app: app, conn: conn @@ -323,10 +317,8 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do |> put_session(:registration_id, registration.id) |> post("/oauth/register", params) - assert response = html_response(conn, 302) - - assert redirected_to(conn) == - o_auth_path(conn, :registration_details, Map.delete(params, "password")) + assert html_response(conn, 401) =~ ~r/name="op" type="submit" value="connect"/ + assert get_flash(conn, :error) == "Invalid Username/Password" end end -- cgit v1.2.3 From 7aa53d52bd982b5ab233a65048f5fb1823127d4a Mon Sep 17 00:00:00 2001 From: eugenijm Date: Sat, 6 Apr 2019 00:22:42 +0300 Subject: Return 403 on oauth token exchange for a deactivated user --- test/web/oauth/oauth_controller_test.exs | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'test/web/oauth/oauth_controller_test.exs') diff --git a/test/web/oauth/oauth_controller_test.exs b/test/web/oauth/oauth_controller_test.exs index a9a0b9ed4..a68528420 100644 --- a/test/web/oauth/oauth_controller_test.exs +++ b/test/web/oauth/oauth_controller_test.exs @@ -327,6 +327,32 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do refute Map.has_key?(resp, "access_token") end + test "rejects token exchange for valid credentials belonging to deactivated user" do + password = "testpassword" + + user = + insert(:user, + password_hash: Comeonin.Pbkdf2.hashpwsalt(password), + info: %{deactivated: true} + ) + + app = insert(:oauth_app) + + conn = + build_conn() + |> post("/oauth/token", %{ + "grant_type" => "password", + "username" => user.nickname, + "password" => password, + "client_id" => app.client_id, + "client_secret" => app.client_secret + }) + + assert resp = json_response(conn, 403) + assert %{"error" => _} = resp + refute Map.has_key?(resp, "access_token") + end + test "rejects an invalid authorization code" do app = insert(:oauth_app) -- cgit v1.2.3