Merge branch 'issue/209' into 'develop'

[akkoma] / test / web / oauth / oauth_controller_test.exs
diff --git a/test/web/oauth/oauth_controller_test.exs b/test/web/oauth/oauth_controller_test.exs

index 92e1563470c10bcdfd43c29f7413fa250779ccec..7a107584d61fdad35b7ee4264e2ac579b1dba279 100644 (file)
--- a/test/web/oauth/oauth_controller_test.exs
+++ b/test/web/oauth/oauth_controller_test.exs
@@ -1,33 +1,28 @@
  # Pleroma: A lightweight social networking server
  # Pleroma: A lightweight social networking server
-# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
  # SPDX-License-Identifier: AGPL-3.0-only
  
  defmodule Pleroma.Web.OAuth.OAuthControllerTest do
    use Pleroma.Web.ConnCase
    import Pleroma.Factory
  
  # SPDX-License-Identifier: AGPL-3.0-only
  
  defmodule Pleroma.Web.OAuth.OAuthControllerTest do
    use Pleroma.Web.ConnCase
    import Pleroma.Factory
  
+  alias Pleroma.MFA
+  alias Pleroma.MFA.TOTP
    alias Pleroma.Repo
    alias Pleroma.Repo
+  alias Pleroma.User
    alias Pleroma.Web.OAuth.Authorization
    alias Pleroma.Web.OAuth.OAuthController
    alias Pleroma.Web.OAuth.Token
  
    alias Pleroma.Web.OAuth.Authorization
    alias Pleroma.Web.OAuth.OAuthController
    alias Pleroma.Web.OAuth.Token
  
-  @oauth_config_path [:oauth2, :issue_new_refresh_token]
    @session_opts [
      store: :cookie,
      key: "_test",
      signing_salt: "cooldude"
    ]
    @session_opts [
      store: :cookie,
      key: "_test",
      signing_salt: "cooldude"
    ]
+  setup do: clear_config([:instance, :account_activation_required])
  
    describe "in OAuth consumer mode, " do
      setup do
  
    describe "in OAuth consumer mode, " do
      setup do
-      oauth_consumer_strategies_path = [:auth, :oauth_consumer_strategies]
-      oauth_consumer_strategies = Pleroma.Config.get(oauth_consumer_strategies_path)
-      Pleroma.Config.put(oauth_consumer_strategies_path, ~w(twitter facebook))
-
-      on_exit(fn ->
-        Pleroma.Config.put(oauth_consumer_strategies_path, oauth_consumer_strategies)
-      end)
-
        [
          app: insert(:oauth_app),
          conn:
        [
          app: insert(:oauth_app),
          conn:
@@ -37,6 +32,8 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
        ]
      end
  
        ]
      end
  
+    setup do: clear_config([:auth, :oauth_consumer_strategies], ~w(twitter facebook))
+
      test "GET /oauth/authorize renders auth forms, including OAuth consumer form", %{
        app: app,
        conn: conn
      test "GET /oauth/authorize renders auth forms, including OAuth consumer form", %{
        app: app,
        conn: conn
@@ -450,7 +447,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
  
      test "renders authentication page if user is already authenticated but `force_login` is tru-ish",
           %{app: app, conn: conn} do
  
      test "renders authentication page if user is already authenticated but `force_login` is tru-ish",
           %{app: app, conn: conn} do
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
  
        conn =
          conn
  
        conn =
          conn
@@ -469,12 +466,35 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
        assert html_response(conn, 200) =~ ~s(type="submit")
      end
  
        assert html_response(conn, 200) =~ ~s(type="submit")
      end
  
+    test "renders authentication page if user is already authenticated but user request with another client",
+         %{
+           app: app,
+           conn: conn
+         } do
+      token = insert(:oauth_token, app: app)
+
+      conn =
+        conn
+        |> put_session(:oauth_token, token.token)
+        |> get(
+          "/oauth/authorize",
+          %{
+            "response_type" => "code",
+            "client_id" => "another_client_id",
+            "redirect_uri" => OAuthController.default_redirect_uri(app),
+            "scope" => "read"
+          }
+        )
+
+      assert html_response(conn, 200) =~ ~s(type="submit")
+    end
+
      test "with existing authentication and non-OOB `redirect_uri`, redirects to app with `token` and `state` params",
           %{
             app: app,
             conn: conn
           } do
      test "with existing authentication and non-OOB `redirect_uri`, redirects to app with `token` and `state` params",
           %{
             app: app,
             conn: conn
           } do
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
  
        conn =
          conn
  
        conn =
          conn
@@ -500,7 +520,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
             conn: conn
           } do
        unlisted_redirect_uri = "http://cross-site-request.com"
             conn: conn
           } do
        unlisted_redirect_uri = "http://cross-site-request.com"
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
  
        conn =
          conn
  
        conn =
          conn
@@ -524,7 +544,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
             app: app,
             conn: conn
           } do
             app: app,
             conn: conn
           } do
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
  
        conn =
          conn
  
        conn =
          conn
@@ -544,11 +564,61 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
    end
  
    describe "POST /oauth/authorize" do
    end
  
    describe "POST /oauth/authorize" do
-    test "redirects with oauth authorization" do
-      user = insert(:user)
-      app = insert(:oauth_app, scopes: ["read", "write", "follow"])
+    test "redirects with oauth authorization, " <>
+           "granting requested app-supported scopes to both admin- and non-admin users" do
+      app_scopes = ["read", "write", "admin", "secret_scope"]
+      app = insert(:oauth_app, scopes: app_scopes)
        redirect_uri = OAuthController.default_redirect_uri(app)
  
        redirect_uri = OAuthController.default_redirect_uri(app)
  
+      non_admin = insert(:user, is_admin: false)
+      admin = insert(:user, is_admin: true)
+      scopes_subset = ["read:subscope", "write", "admin"]
+
+      # In case scope param is missing, expecting _all_ app-supported scopes to be granted
+      for user <- [non_admin, admin],
+          {requested_scopes, expected_scopes} <-
+            %{scopes_subset => scopes_subset, nil: app_scopes} do
+        conn =
+          post(
+            build_conn(),
+            "/oauth/authorize",
+            %{
+              "authorization" => %{
+                "name" => user.nickname,
+                "password" => "test",
+                "client_id" => app.client_id,
+                "redirect_uri" => redirect_uri,
+                "scope" => requested_scopes,
+                "state" => "statepassed"
+              }
+            }
+          )
+
+        target = redirected_to(conn)
+        assert target =~ redirect_uri
+
+        query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
+
+        assert %{"state" => "statepassed", "code" => code} = query
+        auth = Repo.get_by(Authorization, token: code)
+        assert auth
+        assert auth.scopes == expected_scopes
+      end
+    end
+
+    test "redirect to on two-factor auth page" do
+      otp_secret = TOTP.generate_secret()
+
+      user =
+        insert(:user,
+          multi_factor_authentication_settings: %MFA.Settings{
+            enabled: true,
+            totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true}
+          }
+        )
+
+      app = insert(:oauth_app, scopes: ["read", "write", "follow"])
+
        conn =
          build_conn()
          |> post("/oauth/authorize", %{
        conn =
          build_conn()
          |> post("/oauth/authorize", %{
@@ -556,21 +626,19 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
              "name" => user.nickname,
              "password" => "test",
              "client_id" => app.client_id,
              "name" => user.nickname,
              "password" => "test",
              "client_id" => app.client_id,
-            "redirect_uri" => redirect_uri,
+            "redirect_uri" => app.redirect_uris,
              "scope" => "read write",
              "state" => "statepassed"
            }
          })
  
              "scope" => "read write",
              "state" => "statepassed"
            }
          })
  
-      target = redirected_to(conn)
-      assert target =~ redirect_uri
-
-      query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
+      result = html_response(conn, 200)
  
  
-      assert %{"state" => "statepassed", "code" => code} = query
-      auth = Repo.get_by(Authorization, token: code)
-      assert auth
-      assert auth.scopes == ["read", "write"]
+      mfa_token = Repo.get_by(MFA.Token, user_id: user.id)
+      assert result =~ app.redirect_uris
+      assert result =~ "statepassed"
+      assert result =~ mfa_token.token
+      assert result =~ "Two-factor authentication"
      end
  
      test "returns 401 for wrong credentials", %{conn: conn} do
      end
  
      test "returns 401 for wrong credentials", %{conn: conn} do
@@ -600,13 +668,13 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
        assert result =~ "Invalid Username/Password"
      end
  
        assert result =~ "Invalid Username/Password"
      end
  
-    test "returns 401 for missing scopes", %{conn: conn} do
-      user = insert(:user)
-      app = insert(:oauth_app)
+    test "returns 401 for missing scopes" do
+      user = insert(:user, is_admin: false)
+      app = insert(:oauth_app, scopes: ["read", "write", "admin"])
        redirect_uri = OAuthController.default_redirect_uri(app)
  
        result =
        redirect_uri = OAuthController.default_redirect_uri(app)
  
        result =
-        conn
+        build_conn()
          |> post("/oauth/authorize", %{
            "authorization" => %{
              "name" => user.nickname,
          |> post("/oauth/authorize", %{
            "authorization" => %{
              "name" => user.nickname,
@@ -627,7 +695,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
        assert result =~ "This action is outside the authorized scopes"
      end
  
        assert result =~ "This action is outside the authorized scopes"
      end
  
-    test "returns 401 for scopes beyond app scopes", %{conn: conn} do
+    test "returns 401 for scopes beyond app scopes hierarchy", %{conn: conn} do
        user = insert(:user)
        app = insert(:oauth_app, scopes: ["read", "write"])
        redirect_uri = OAuthController.default_redirect_uri(app)
        user = insert(:user)
        app = insert(:oauth_app, scopes: ["read", "write"])
        redirect_uri = OAuthController.default_redirect_uri(app)
@@ -704,6 +772,46 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
        assert token.scopes == app.scopes
      end
  
        assert token.scopes == app.scopes
      end
  
+    test "issues a mfa token for `password` grant_type, when MFA enabled" do
+      password = "testpassword"
+      otp_secret = TOTP.generate_secret()
+
+      user =
+        insert(:user,
+          password_hash: Comeonin.Pbkdf2.hashpwsalt(password),
+          multi_factor_authentication_settings: %MFA.Settings{
+            enabled: true,
+            totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true}
+          }
+        )
+
+      app = insert(:oauth_app, scopes: ["read", "write"])
+
+      response =
+        build_conn()
+        |> post("/oauth/token", %{
+          "grant_type" => "password",
+          "username" => user.nickname,
+          "password" => password,
+          "client_id" => app.client_id,
+          "client_secret" => app.client_secret
+        })
+        |> json_response(403)
+
+      assert match?(
+               %{
+                 "supported_challenge_types" => "totp",
+                 "mfa_token" => _,
+                 "error" => "mfa_required"
+               },
+               response
+             )
+
+      token = Repo.get_by(MFA.Token, token: response["mfa_token"])
+      assert token.user_id == user.id
+      assert token.authorization_id
+    end
+
      test "issues a token for request with HTTP basic auth client credentials" do
        user = insert(:user)
        app = insert(:oauth_app, scopes: ["scope1", "scope2", "scope3"])
      test "issues a token for request with HTTP basic auth client credentials" do
        user = insert(:user)
        app = insert(:oauth_app, scopes: ["scope1", "scope2", "scope3"])
@@ -775,24 +883,15 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
      end
  
      test "rejects token exchange for valid credentials belonging to unconfirmed user and confirmation is required" do
      end
  
      test "rejects token exchange for valid credentials belonging to unconfirmed user and confirmation is required" do
-      setting = Pleroma.Config.get([:instance, :account_activation_required])
-
-      unless setting do
-        Pleroma.Config.put([:instance, :account_activation_required], true)
-        on_exit(fn -> Pleroma.Config.put([:instance, :account_activation_required], setting) end)
-      end
-
+      Pleroma.Config.put([:instance, :account_activation_required], true)
        password = "testpassword"
        password = "testpassword"
-      user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
-      info_change = Pleroma.User.Info.confirmation_changeset(user.info, need_confirmation: true)
  
        {:ok, user} =
  
        {:ok, user} =
-        user
-        |> Ecto.Changeset.change()
-        |> Ecto.Changeset.put_embed(:info, info_change)
-        |> Repo.update()
+        insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
+        |> User.confirmation_changeset(need_confirmation: true)
+        |> User.update_and_set_cache()
  
  
-      refute Pleroma.User.auth_active?(user)
+      refute Pleroma.User.account_status(user) == :active
  
        app = insert(:oauth_app)
  
  
        app = insert(:oauth_app)
  
@@ -817,12 +916,12 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
        user =
          insert(:user,
            password_hash: Comeonin.Pbkdf2.hashpwsalt(password),
        user =
          insert(:user,
            password_hash: Comeonin.Pbkdf2.hashpwsalt(password),
-          info: %{deactivated: true}
+          deactivated: true
          )
  
        app = insert(:oauth_app)
  
          )
  
        app = insert(:oauth_app)
  
-      conn =
+      resp =
          build_conn()
          |> post("/oauth/token", %{
            "grant_type" => "password",
          build_conn()
          |> post("/oauth/token", %{
            "grant_type" => "password",
@@ -831,10 +930,69 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            "client_id" => app.client_id,
            "client_secret" => app.client_secret
          })
            "client_id" => app.client_id,
            "client_secret" => app.client_secret
          })
+        |> json_response(403)
  
  
-      assert resp = json_response(conn, 403)
-      assert %{"error" => _} = resp
-      refute Map.has_key?(resp, "access_token")
+      assert resp == %{
+               "error" => "Your account is currently disabled",
+               "identifier" => "account_is_disabled"
+             }
+    end
+
+    test "rejects token exchange for user with password_reset_pending set to true" do
+      password = "testpassword"
+
+      user =
+        insert(:user,
+          password_hash: Comeonin.Pbkdf2.hashpwsalt(password),
+          password_reset_pending: true
+        )
+
+      app = insert(:oauth_app, scopes: ["read", "write"])
+
+      resp =
+        build_conn()
+        |> post("/oauth/token", %{
+          "grant_type" => "password",
+          "username" => user.nickname,
+          "password" => password,
+          "client_id" => app.client_id,
+          "client_secret" => app.client_secret
+        })
+        |> json_response(403)
+
+      assert resp == %{
+               "error" => "Password reset is required",
+               "identifier" => "password_reset_required"
+             }
+    end
+
+    test "rejects token exchange for user with confirmation_pending set to true" do
+      Pleroma.Config.put([:instance, :account_activation_required], true)
+      password = "testpassword"
+
+      user =
+        insert(:user,
+          password_hash: Comeonin.Pbkdf2.hashpwsalt(password),
+          confirmation_pending: true
+        )
+
+      app = insert(:oauth_app, scopes: ["read", "write"])
+
+      resp =
+        build_conn()
+        |> post("/oauth/token", %{
+          "grant_type" => "password",
+          "username" => user.nickname,
+          "password" => password,
+          "client_id" => app.client_id,
+          "client_secret" => app.client_secret
+        })
+        |> json_response(403)
+
+      assert resp == %{
+               "error" => "Your login is missing a confirmed e-mail address",
+               "identifier" => "missing_confirmed_email"
+             }
      end
  
      test "rejects an invalid authorization code" do
      end
  
      test "rejects an invalid authorization code" do
@@ -857,16 +1015,10 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
    end
  
    describe "POST /oauth/token - refresh token" do
    end
  
    describe "POST /oauth/token - refresh token" do
-    setup do
-      oauth_token_config = Pleroma.Config.get(@oauth_config_path)
-
-      on_exit(fn ->
-        Pleroma.Config.get(@oauth_config_path, oauth_token_config)
-      end)
-    end
+    setup do: clear_config([:oauth2, :issue_new_refresh_token])
  
      test "issues a new access token with keep fresh token" do
  
      test "issues a new access token with keep fresh token" do
-      Pleroma.Config.put(@oauth_config_path, true)
+      Pleroma.Config.put([:oauth2, :issue_new_refresh_token], true)
        user = insert(:user)
        app = insert(:oauth_app, scopes: ["read", "write"])
  
        user = insert(:user)
        app = insert(:oauth_app, scopes: ["read", "write"])
  
@@ -906,7 +1058,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
      end
  
      test "issues a new access token with new fresh token" do
      end
  
      test "issues a new access token with new fresh token" do
-      Pleroma.Config.put(@oauth_config_path, false)
+      Pleroma.Config.put([:oauth2, :issue_new_refresh_token], false)
        user = insert(:user)
        app = insert(:oauth_app, scopes: ["read", "write"])
  
        user = insert(:user)
        app = insert(:oauth_app, scopes: ["read", "write"])