1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Web.OAuth.LDAPAuthorizationTest do
6 use Pleroma.Web.ConnCase
8 alias Pleroma.Web.OAuth.Token
10 import ExUnit.CaptureLog
15 Pleroma.Config.get(Pleroma.Web.Auth.Authenticator, Pleroma.Web.Auth.PleromaAuthenticator)
17 ldap_enabled = Pleroma.Config.get([:ldap, :enabled])
20 Pleroma.Config.put(Pleroma.Web.Auth.Authenticator, ldap_authenticator)
21 Pleroma.Config.put([:ldap, :enabled], ldap_enabled)
24 Pleroma.Config.put(Pleroma.Web.Auth.Authenticator, Pleroma.Web.Auth.LDAPAuthenticator)
25 Pleroma.Config.put([:ldap, :enabled], true)
30 test "authorizes the existing user using LDAP credentials" do
31 password = "testpassword"
32 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
33 app = insert(:oauth_app, scopes: ["read", "write"])
35 host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
36 port = Pleroma.Config.get([:ldap, :port])
41 open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:ok, self()} end,
42 simple_bind: fn _connection, _dn, ^password -> :ok end,
43 close: fn _connection ->
44 send(self(), :close_connection)
51 |> post("/oauth/token", %{
52 "grant_type" => "password",
53 "username" => user.nickname,
54 "password" => password,
55 "client_id" => app.client_id,
56 "client_secret" => app.client_secret
59 assert %{"access_token" => token} = json_response(conn, 200)
61 token = Repo.get_by(Token, token: token)
63 assert token.user_id == user.id
64 assert_received :close_connection
68 test "creates a new user after successful LDAP authorization" do
69 password = "testpassword"
71 app = insert(:oauth_app, scopes: ["read", "write"])
73 host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
74 port = Pleroma.Config.get([:ldap, :port])
79 open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:ok, self()} end,
80 simple_bind: fn _connection, _dn, ^password -> :ok end,
81 equalityMatch: fn _type, _value -> :ok end,
82 wholeSubtree: fn -> :ok end,
83 search: fn _connection, _options ->
85 {:eldap_search_result, [{:eldap_entry, '', [{'mail', [to_charlist(user.email)]}]}],
88 close: fn _connection ->
89 send(self(), :close_connection)
96 |> post("/oauth/token", %{
97 "grant_type" => "password",
98 "username" => user.nickname,
99 "password" => password,
100 "client_id" => app.client_id,
101 "client_secret" => app.client_secret
104 assert %{"access_token" => token} = json_response(conn, 200)
106 token = Repo.get_by(Token, token: token) |> Repo.preload(:user)
108 assert token.user.nickname == user.nickname
109 assert_received :close_connection
113 test "falls back to the default authorization when LDAP is unavailable" do
114 password = "testpassword"
115 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
116 app = insert(:oauth_app, scopes: ["read", "write"])
118 host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
119 port = Pleroma.Config.get([:ldap, :port])
124 open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:error, 'connect failed'} end,
125 simple_bind: fn _connection, _dn, ^password -> :ok end,
126 close: fn _connection ->
127 send(self(), :close_connection)
136 |> post("/oauth/token", %{
137 "grant_type" => "password",
138 "username" => user.nickname,
139 "password" => password,
140 "client_id" => app.client_id,
141 "client_secret" => app.client_secret
144 assert %{"access_token" => token} = json_response(conn, 200)
146 token = Repo.get_by(Token, token: token)
148 assert token.user_id == user.id
151 assert log =~ "Could not open LDAP connection: 'connect failed'"
152 refute_received :close_connection
156 test "disallow authorization for wrong LDAP credentials" do
157 password = "testpassword"
158 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
159 app = insert(:oauth_app, scopes: ["read", "write"])
161 host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
162 port = Pleroma.Config.get([:ldap, :port])
167 open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:ok, self()} end,
168 simple_bind: fn _connection, _dn, ^password -> {:error, :invalidCredentials} end,
169 close: fn _connection ->
170 send(self(), :close_connection)
177 |> post("/oauth/token", %{
178 "grant_type" => "password",
179 "username" => user.nickname,
180 "password" => password,
181 "client_id" => app.client_id,
182 "client_secret" => app.client_secret
185 assert %{"error" => "Invalid credentials"} = json_response(conn, 400)
186 assert_received :close_connection