1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Web.OAuth.LDAPAuthorizationTest do
6 use Pleroma.Web.ConnCase
8 alias Pleroma.Web.OAuth.Token
10 import ExUnit.CaptureLog
13 @skip if !Code.ensure_loaded?(:eldap), do: :skip
15 setup_all do: clear_config([:ldap, :enabled], true)
17 setup_all do: clear_config(Pleroma.Web.Auth.Authenticator, Pleroma.Web.Auth.LDAPAuthenticator)
20 test "authorizes the existing user using LDAP credentials" do
21 password = "testpassword"
22 user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))
23 app = insert(:oauth_app, scopes: ["read", "write"])
25 host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
26 port = Pleroma.Config.get([:ldap, :port])
31 open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:ok, self()} end,
32 simple_bind: fn _connection, _dn, ^password -> :ok end,
33 close: fn _connection ->
34 send(self(), :close_connection)
41 |> post("/oauth/token", %{
42 "grant_type" => "password",
43 "username" => user.nickname,
44 "password" => password,
45 "client_id" => app.client_id,
46 "client_secret" => app.client_secret
49 assert %{"access_token" => token} = json_response(conn, 200)
51 token = Repo.get_by(Token, token: token)
53 assert token.user_id == user.id
54 assert_received :close_connection
59 test "creates a new user after successful LDAP authorization" do
60 password = "testpassword"
62 app = insert(:oauth_app, scopes: ["read", "write"])
64 host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
65 port = Pleroma.Config.get([:ldap, :port])
70 open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:ok, self()} end,
71 simple_bind: fn _connection, _dn, ^password -> :ok end,
72 equalityMatch: fn _type, _value -> :ok end,
73 wholeSubtree: fn -> :ok end,
74 search: fn _connection, _options ->
76 {:eldap_search_result, [{:eldap_entry, '', [{'mail', [to_charlist(user.email)]}]}],
79 close: fn _connection ->
80 send(self(), :close_connection)
87 |> post("/oauth/token", %{
88 "grant_type" => "password",
89 "username" => user.nickname,
90 "password" => password,
91 "client_id" => app.client_id,
92 "client_secret" => app.client_secret
95 assert %{"access_token" => token} = json_response(conn, 200)
97 token = Repo.get_by(Token, token: token) |> Repo.preload(:user)
99 assert token.user.nickname == user.nickname
100 assert_received :close_connection
105 test "falls back to the default authorization when LDAP is unavailable" do
106 password = "testpassword"
107 user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))
108 app = insert(:oauth_app, scopes: ["read", "write"])
110 host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
111 port = Pleroma.Config.get([:ldap, :port])
116 open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:error, 'connect failed'} end,
117 simple_bind: fn _connection, _dn, ^password -> :ok end,
118 close: fn _connection ->
119 send(self(), :close_connection)
128 |> post("/oauth/token", %{
129 "grant_type" => "password",
130 "username" => user.nickname,
131 "password" => password,
132 "client_id" => app.client_id,
133 "client_secret" => app.client_secret
136 assert %{"access_token" => token} = json_response(conn, 200)
138 token = Repo.get_by(Token, token: token)
140 assert token.user_id == user.id
143 assert log =~ "Could not open LDAP connection: 'connect failed'"
144 refute_received :close_connection
149 test "disallow authorization for wrong LDAP credentials" do
150 password = "testpassword"
151 user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))
152 app = insert(:oauth_app, scopes: ["read", "write"])
154 host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
155 port = Pleroma.Config.get([:ldap, :port])
160 open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:ok, self()} end,
161 simple_bind: fn _connection, _dn, ^password -> {:error, :invalidCredentials} end,
162 close: fn _connection ->
163 send(self(), :close_connection)
170 |> post("/oauth/token", %{
171 "grant_type" => "password",
172 "username" => user.nickname,
173 "password" => password,
174 "client_id" => app.client_id,
175 "client_secret" => app.client_secret
178 assert %{"error" => "Invalid credentials"} = json_response(conn, 400)
179 assert_received :close_connection