tests consistency

test/pleroma/web/o_auth/app_test.exs

@@ -0,0 +1,44 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.OAuth.AppTest do
+  use Pleroma.DataCase
+
+  alias Pleroma.Web.OAuth.App
+  import Pleroma.Factory
+
+  describe "get_or_make/2" do
+    test "gets exist app" do
+      attrs = %{client_name: "Mastodon-Local", redirect_uris: "."}
+      app = insert(:oauth_app, Map.merge(attrs, %{scopes: ["read", "write"]}))
+      {:ok, %App{} = exist_app} = App.get_or_make(attrs, [])
+      assert exist_app == app
+    end
+
+    test "make app" do
+      attrs = %{client_name: "Mastodon-Local", redirect_uris: "."}
+      {:ok, %App{} = app} = App.get_or_make(attrs, ["write"])
+      assert app.scopes == ["write"]
+    end
+
+    test "gets exist app and updates scopes" do
+      attrs = %{client_name: "Mastodon-Local", redirect_uris: "."}
+      app = insert(:oauth_app, Map.merge(attrs, %{scopes: ["read", "write"]}))
+      {:ok, %App{} = exist_app} = App.get_or_make(attrs, ["read", "write", "follow", "push"])
+      assert exist_app.id == app.id
+      assert exist_app.scopes == ["read", "write", "follow", "push"]
+    end
+
+    test "has unique client_id" do
+      insert(:oauth_app, client_name: "", redirect_uris: "", client_id: "boop")
+
+      error =
+        catch_error(insert(:oauth_app, client_name: "", redirect_uris: "", client_id: "boop"))
+
+      assert %Ecto.ConstraintError{} = error
+      assert error.constraint == "apps_client_id_index"
+      assert error.type == :unique
+    end
+  end
+end

test/pleroma/web/o_auth/authorization_test.exs

@@ -0,0 +1,77 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.OAuth.AuthorizationTest do
+  use Pleroma.DataCase
+  alias Pleroma.Web.OAuth.App
+  alias Pleroma.Web.OAuth.Authorization
+  import Pleroma.Factory
+
+  setup do
+    {:ok, app} =
+      Repo.insert(
+        App.register_changeset(%App{}, %{
+          client_name: "client",
+          scopes: ["read", "write"],
+          redirect_uris: "url"
+        })
+      )
+
+    %{app: app}
+  end
+
+  test "create an authorization token for a valid app", %{app: app} do
+    user = insert(:user)
+
+    {:ok, auth1} = Authorization.create_authorization(app, user)
+    assert auth1.scopes == app.scopes
+
+    {:ok, auth2} = Authorization.create_authorization(app, user, ["read"])
+    assert auth2.scopes == ["read"]
+
+    for auth <- [auth1, auth2] do
+      assert auth.user_id == user.id
+      assert auth.app_id == app.id
+      assert String.length(auth.token) > 10
+      assert auth.used == false
+    end
+  end
+
+  test "use up a token", %{app: app} do
+    user = insert(:user)
+
+    {:ok, auth} = Authorization.create_authorization(app, user)
+
+    {:ok, auth} = Authorization.use_token(auth)
+
+    assert auth.used == true
+
+    assert {:error, "already used"} == Authorization.use_token(auth)
+
+    expired_auth = %Authorization{
+      user_id: user.id,
+      app_id: app.id,
+      valid_until: NaiveDateTime.add(NaiveDateTime.utc_now(), -10),
+      token: "mytoken",
+      used: false
+    }
+
+    {:ok, expired_auth} = Repo.insert(expired_auth)
+
+    assert {:error, "token expired"} == Authorization.use_token(expired_auth)
+  end
+
+  test "delete authorizations", %{app: app} do
+    user = insert(:user)
+
+    {:ok, auth} = Authorization.create_authorization(app, user)
+    {:ok, auth} = Authorization.use_token(auth)
+
+    Authorization.delete_user_authorizations(user)
+
+    {_, invalid} = Authorization.use_token(auth)
+
+    assert auth != invalid
+  end
+end

test/pleroma/web/o_auth/ldap_authorization_test.exs

@@ -0,0 +1,135 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.OAuth.LDAPAuthorizationTest do
+  use Pleroma.Web.ConnCase
+  alias Pleroma.Repo
+  alias Pleroma.Web.OAuth.Token
+  import Pleroma.Factory
+  import Mock
+
+  @skip if !Code.ensure_loaded?(:eldap), do: :skip
+
+  setup_all do: clear_config([:ldap, :enabled], true)
+
+  setup_all do: clear_config(Pleroma.Web.Auth.Authenticator, Pleroma.Web.Auth.LDAPAuthenticator)
+
+  @tag @skip
+  test "authorizes the existing user using LDAP credentials" do
+    password = "testpassword"
+    user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))
+    app = insert(:oauth_app, scopes: ["read", "write"])
+
+    host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
+    port = Pleroma.Config.get([:ldap, :port])
+
+    with_mocks [
+      {:eldap, [],
+       [
+         open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:ok, self()} end,
+         simple_bind: fn _connection, _dn, ^password -> :ok end,
+         close: fn _connection ->
+           send(self(), :close_connection)
+           :ok
+         end
+       ]}
+    ] do
+      conn =
+        build_conn()
+        |> post("/oauth/token", %{
+          "grant_type" => "password",
+          "username" => user.nickname,
+          "password" => password,
+          "client_id" => app.client_id,
+          "client_secret" => app.client_secret
+        })
+
+      assert %{"access_token" => token} = json_response(conn, 200)
+
+      token = Repo.get_by(Token, token: token)
+
+      assert token.user_id == user.id
+      assert_received :close_connection
+    end
+  end
+
+  @tag @skip
+  test "creates a new user after successful LDAP authorization" do
+    password = "testpassword"
+    user = build(:user)
+    app = insert(:oauth_app, scopes: ["read", "write"])
+
+    host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
+    port = Pleroma.Config.get([:ldap, :port])
+
+    with_mocks [
+      {:eldap, [],
+       [
+         open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:ok, self()} end,
+         simple_bind: fn _connection, _dn, ^password -> :ok end,
+         equalityMatch: fn _type, _value -> :ok end,
+         wholeSubtree: fn -> :ok end,
+         search: fn _connection, _options ->
+           {:ok, {:eldap_search_result, [{:eldap_entry, '', []}], []}}
+         end,
+         close: fn _connection ->
+           send(self(), :close_connection)
+           :ok
+         end
+       ]}
+    ] do
+      conn =
+        build_conn()
+        |> post("/oauth/token", %{
+          "grant_type" => "password",
+          "username" => user.nickname,
+          "password" => password,
+          "client_id" => app.client_id,
+          "client_secret" => app.client_secret
+        })
+
+      assert %{"access_token" => token} = json_response(conn, 200)
+
+      token = Repo.get_by(Token, token: token) |> Repo.preload(:user)
+
+      assert token.user.nickname == user.nickname
+      assert_received :close_connection
+    end
+  end
+
+  @tag @skip
+  test "disallow authorization for wrong LDAP credentials" do
+    password = "testpassword"
+    user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))
+    app = insert(:oauth_app, scopes: ["read", "write"])
+
+    host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
+    port = Pleroma.Config.get([:ldap, :port])
+
+    with_mocks [
+      {:eldap, [],
+       [
+         open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:ok, self()} end,
+         simple_bind: fn _connection, _dn, ^password -> {:error, :invalidCredentials} end,
+         close: fn _connection ->
+           send(self(), :close_connection)
+           :ok
+         end
+       ]}
+    ] do
+      conn =
+        build_conn()
+        |> post("/oauth/token", %{
+          "grant_type" => "password",
+          "username" => user.nickname,
+          "password" => password,
+          "client_id" => app.client_id,
+          "client_secret" => app.client_secret
+        })
+
+      assert %{"error" => "Invalid credentials"} = json_response(conn, 400)
+      assert_received :close_connection
+    end
+  end
+end

test/pleroma/web/o_auth/mfa_controller_test.exs

@@ -0,0 +1,306 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.OAuth.MFAControllerTest do
+  use Pleroma.Web.ConnCase
+  import Pleroma.Factory
+
+  alias Pleroma.MFA
+  alias Pleroma.MFA.BackupCodes
+  alias Pleroma.MFA.TOTP
+  alias Pleroma.Repo
+  alias Pleroma.Web.OAuth.Authorization
+  alias Pleroma.Web.OAuth.OAuthController
+
+  setup %{conn: conn} do
+    otp_secret = TOTP.generate_secret()
+
+    user =
+      insert(:user,
+        multi_factor_authentication_settings: %MFA.Settings{
+          enabled: true,
+          backup_codes: [Pbkdf2.hash_pwd_salt("test-code")],
+          totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true}
+        }
+      )
+
+    app = insert(:oauth_app)
+    {:ok, conn: conn, user: user, app: app}
+  end
+
+  describe "show" do
+    setup %{conn: conn, user: user, app: app} do
+      mfa_token =
+        insert(:mfa_token,
+          user: user,
+          authorization: build(:oauth_authorization, app: app, scopes: ["write"])
+        )
+
+      {:ok, conn: conn, mfa_token: mfa_token}
+    end
+
+    test "GET /oauth/mfa renders mfa forms", %{conn: conn, mfa_token: mfa_token} do
+      conn =
+        get(
+          conn,
+          "/oauth/mfa",
+          %{
+            "mfa_token" => mfa_token.token,
+            "state" => "a_state",
+            "redirect_uri" => "http://localhost:8080/callback"
+          }
+        )
+
+      assert response = html_response(conn, 200)
+      assert response =~ "Two-factor authentication"
+      assert response =~ mfa_token.token
+      assert response =~ "http://localhost:8080/callback"
+    end
+
+    test "GET /oauth/mfa renders mfa recovery forms", %{conn: conn, mfa_token: mfa_token} do
+      conn =
+        get(
+          conn,
+          "/oauth/mfa",
+          %{
+            "mfa_token" => mfa_token.token,
+            "state" => "a_state",
+            "redirect_uri" => "http://localhost:8080/callback",
+            "challenge_type" => "recovery"
+          }
+        )
+
+      assert response = html_response(conn, 200)
+      assert response =~ "Two-factor recovery"
+      assert response =~ mfa_token.token
+      assert response =~ "http://localhost:8080/callback"
+    end
+  end
+
+  describe "verify" do
+    setup %{conn: conn, user: user, app: app} do
+      mfa_token =
+        insert(:mfa_token,
+          user: user,
+          authorization: build(:oauth_authorization, app: app, scopes: ["write"])
+        )
+
+      {:ok, conn: conn, user: user, mfa_token: mfa_token, app: app}
+    end
+
+    test "POST /oauth/mfa/verify, verify totp code", %{
+      conn: conn,
+      user: user,
+      mfa_token: mfa_token,
+      app: app
+    } do
+      otp_token = TOTP.generate_token(user.multi_factor_authentication_settings.totp.secret)
+
+      conn =
+        conn
+        |> post("/oauth/mfa/verify", %{
+          "mfa" => %{
+            "mfa_token" => mfa_token.token,
+            "challenge_type" => "totp",
+            "code" => otp_token,
+            "state" => "a_state",
+            "redirect_uri" => OAuthController.default_redirect_uri(app)
+          }
+        })
+
+      target = redirected_to(conn)
+      target_url = %URI{URI.parse(target) | query: nil} |> URI.to_string()
+      query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
+      assert %{"state" => "a_state", "code" => code} = query
+      assert target_url == OAuthController.default_redirect_uri(app)
+      auth = Repo.get_by(Authorization, token: code)
+      assert auth.scopes == ["write"]
+    end
+
+    test "POST /oauth/mfa/verify, verify recovery code", %{
+      conn: conn,
+      mfa_token: mfa_token,
+      app: app
+    } do
+      conn =
+        conn
+        |> post("/oauth/mfa/verify", %{
+          "mfa" => %{
+            "mfa_token" => mfa_token.token,
+            "challenge_type" => "recovery",
+            "code" => "test-code",
+            "state" => "a_state",
+            "redirect_uri" => OAuthController.default_redirect_uri(app)
+          }
+        })
+
+      target = redirected_to(conn)
+      target_url = %URI{URI.parse(target) | query: nil} |> URI.to_string()
+      query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
+      assert %{"state" => "a_state", "code" => code} = query
+      assert target_url == OAuthController.default_redirect_uri(app)
+      auth = Repo.get_by(Authorization, token: code)
+      assert auth.scopes == ["write"]
+    end
+  end
+
+  describe "challenge/totp" do
+    test "returns access token with valid code", %{conn: conn, user: user, app: app} do
+      otp_token = TOTP.generate_token(user.multi_factor_authentication_settings.totp.secret)
+
+      mfa_token =
+        insert(:mfa_token,
+          user: user,
+          authorization: build(:oauth_authorization, app: app, scopes: ["write"])
+        )
+
+      response =
+        conn
+        |> post("/oauth/mfa/challenge", %{
+          "mfa_token" => mfa_token.token,
+          "challenge_type" => "totp",
+          "code" => otp_token,
+          "client_id" => app.client_id,
+          "client_secret" => app.client_secret
+        })
+        |> json_response(:ok)
+
+      ap_id = user.ap_id
+
+      assert match?(
+               %{
+                 "access_token" => _,
+                 "expires_in" => 600,
+                 "me" => ^ap_id,
+                 "refresh_token" => _,
+                 "scope" => "write",
+                 "token_type" => "Bearer"
+               },
+               response
+             )
+    end
+
+    test "returns errors when mfa token invalid", %{conn: conn, user: user, app: app} do
+      otp_token = TOTP.generate_token(user.multi_factor_authentication_settings.totp.secret)
+
+      response =
+        conn
+        |> post("/oauth/mfa/challenge", %{
+          "mfa_token" => "XXX",
+          "challenge_type" => "totp",
+          "code" => otp_token,
+          "client_id" => app.client_id,
+          "client_secret" => app.client_secret
+        })
+        |> json_response(400)
+
+      assert response == %{"error" => "Invalid code"}
+    end
+
+    test "returns error when otp code is invalid", %{conn: conn, user: user, app: app} do
+      mfa_token = insert(:mfa_token, user: user)
+
+      response =
+        conn
+        |> post("/oauth/mfa/challenge", %{
+          "mfa_token" => mfa_token.token,
+          "challenge_type" => "totp",
+          "code" => "XXX",
+          "client_id" => app.client_id,
+          "client_secret" => app.client_secret
+        })
+        |> json_response(400)
+
+      assert response == %{"error" => "Invalid code"}
+    end
+
+    test "returns error when client credentails is wrong ", %{conn: conn, user: user} do
+      otp_token = TOTP.generate_token(user.multi_factor_authentication_settings.totp.secret)
+      mfa_token = insert(:mfa_token, user: user)
+
+      response =
+        conn
+        |> post("/oauth/mfa/challenge", %{
+          "mfa_token" => mfa_token.token,
+          "challenge_type" => "totp",
+          "code" => otp_token,
+          "client_id" => "xxx",
+          "client_secret" => "xxx"
+        })
+        |> json_response(400)
+
+      assert response == %{"error" => "Invalid code"}
+    end
+  end
+
+  describe "challenge/recovery" do
+    setup %{conn: conn} do
+      app = insert(:oauth_app)
+      {:ok, conn: conn, app: app}
+    end
+
+    test "returns access token with valid code", %{conn: conn, app: app} do
+      otp_secret = TOTP.generate_secret()
+
+      [code | _] = backup_codes = BackupCodes.generate()
+
+      hashed_codes =
+        backup_codes
+        |> Enum.map(&Pbkdf2.hash_pwd_salt(&1))
+
+      user =
+        insert(:user,
+          multi_factor_authentication_settings: %MFA.Settings{
+            enabled: true,
+            backup_codes: hashed_codes,
+            totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true}
+          }
+        )
+
+      mfa_token =
+        insert(:mfa_token,
+          user: user,
+          authorization: build(:oauth_authorization, app: app, scopes: ["write"])
+        )
+
+      response =
+        conn
+        |> post("/oauth/mfa/challenge", %{
+          "mfa_token" => mfa_token.token,
+          "challenge_type" => "recovery",
+          "code" => code,
+          "client_id" => app.client_id,
+          "client_secret" => app.client_secret
+        })
+        |> json_response(:ok)
+
+      ap_id = user.ap_id
+
+      assert match?(
+               %{
+                 "access_token" => _,
+                 "expires_in" => 600,
+                 "me" => ^ap_id,
+                 "refresh_token" => _,
+                 "scope" => "write",
+                 "token_type" => "Bearer"
+               },
+               response
+             )
+
+      error_response =
+        conn
+        |> post("/oauth/mfa/challenge", %{
+          "mfa_token" => mfa_token.token,
+          "challenge_type" => "recovery",
+          "code" => code,
+          "client_id" => app.client_id,
+          "client_secret" => app.client_secret
+        })
+        |> json_response(400)
+
+      assert error_response == %{"error" => "Invalid code"}
+    end
+  end
+end

test/pleroma/web/o_auth/token/utils_test.exs

@@ -0,0 +1,53 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.OAuth.Token.UtilsTest do
+  use Pleroma.DataCase
+  alias Pleroma.Web.OAuth.Token.Utils
+  import Pleroma.Factory
+
+  describe "fetch_app/1" do
+    test "returns error when credentials is invalid" do
+      assert {:error, :not_found} =
+               Utils.fetch_app(%Plug.Conn{params: %{"client_id" => 1, "client_secret" => "x"}})
+    end
+
+    test "returns App by params credentails" do
+      app = insert(:oauth_app)
+
+      assert {:ok, load_app} =
+               Utils.fetch_app(%Plug.Conn{
+                 params: %{"client_id" => app.client_id, "client_secret" => app.client_secret}
+               })
+
+      assert load_app == app
+    end
+
+    test "returns App by header credentails" do
+      app = insert(:oauth_app)
+      header = "Basic " <> Base.encode64("#{app.client_id}:#{app.client_secret}")
+
+      conn =
+        %Plug.Conn{}
+        |> Plug.Conn.put_req_header("authorization", header)
+
+      assert {:ok, load_app} = Utils.fetch_app(conn)
+      assert load_app == app
+    end
+  end
+
+  describe "format_created_at/1" do
+    test "returns formatted created at" do
+      token = insert(:oauth_token)
+      date = Utils.format_created_at(token)
+
+      token_date =
+        token.inserted_at
+        |> DateTime.from_naive!("Etc/UTC")
+        |> DateTime.to_unix()
+
+      assert token_date == date
+    end
+  end
+end

test/pleroma/web/o_auth/token_test.exs

@@ -0,0 +1,72 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.OAuth.TokenTest do
+  use Pleroma.DataCase
+  alias Pleroma.Repo
+  alias Pleroma.Web.OAuth.App
+  alias Pleroma.Web.OAuth.Authorization
+  alias Pleroma.Web.OAuth.Token
+
+  import Pleroma.Factory
+
+  test "exchanges a auth token for an access token, preserving `scopes`" do
+    {:ok, app} =
+      Repo.insert(
+        App.register_changeset(%App{}, %{
+          client_name: "client",
+          scopes: ["read", "write"],
+          redirect_uris: "url"
+        })
+      )
+
+    user = insert(:user)
+
+    {:ok, auth} = Authorization.create_authorization(app, user, ["read"])
+    assert auth.scopes == ["read"]
+
+    {:ok, token} = Token.exchange_token(app, auth)
+
+    assert token.app_id == app.id
+    assert token.user_id == user.id
+    assert token.scopes == auth.scopes
+    assert String.length(token.token) > 10
+    assert String.length(token.refresh_token) > 10
+
+    auth = Repo.get(Authorization, auth.id)
+    {:error, "already used"} = Token.exchange_token(app, auth)
+  end
+
+  test "deletes all tokens of a user" do
+    {:ok, app1} =
+      Repo.insert(
+        App.register_changeset(%App{}, %{
+          client_name: "client1",
+          scopes: ["scope"],
+          redirect_uris: "url"
+        })
+      )
+
+    {:ok, app2} =
+      Repo.insert(
+        App.register_changeset(%App{}, %{
+          client_name: "client2",
+          scopes: ["scope"],
+          redirect_uris: "url"
+        })
+      )
+
+    user = insert(:user)
+
+    {:ok, auth1} = Authorization.create_authorization(app1, user)
+    {:ok, auth2} = Authorization.create_authorization(app2, user)
+
+    {:ok, _token1} = Token.exchange_token(app1, auth1)
+    {:ok, _token2} = Token.exchange_token(app2, auth2)
+
+    {tokens, _} = Token.delete_user_tokens(user)
+
+    assert tokens == 2
+  end
+end