X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=test%2Fpleroma%2Fweb%2Fo_auth%2Fo_auth_controller_test.exs;h=c996a403ce30560af0fa4fc9f5f93bfdea4af4fc;hb=8a4437d2bee6ae5f07935a8a6471e8c8dac7f3b1;hp=9f984b26fad02a21af581c362443bea9e0a84ea5;hpb=aa681d7e15f6170e7e92d86146d5ba96be6433bc;p=akkoma diff --git a/test/pleroma/web/o_auth/o_auth_controller_test.exs b/test/pleroma/web/o_auth/o_auth_controller_test.exs index 9f984b26f..c996a403c 100644 --- a/test/pleroma/web/o_auth/o_auth_controller_test.exs +++ b/test/pleroma/web/o_auth/o_auth_controller_test.exs @@ -7,6 +7,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do import Pleroma.Factory + alias Pleroma.Helpers.AuthHelper alias Pleroma.MFA alias Pleroma.MFA.TOTP alias Pleroma.Repo @@ -315,7 +316,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do app: app, conn: conn } do - user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("testpassword")) + user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt("testpassword")) registration = insert(:registration, user: nil) redirect_uri = OAuthController.default_redirect_uri(app) @@ -346,7 +347,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do app: app, conn: conn } do - user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("testpassword")) + user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt("testpassword")) registration = insert(:registration, user: nil) unlisted_redirect_uri = "http://cross-site-request.com" @@ -455,7 +456,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do conn = conn - |> put_req_header("authorization", "Bearer #{token.token}") + |> AuthHelper.put_session_token(token.token) |> get( "/oauth/authorize", %{ @@ -470,21 +471,45 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do assert html_response(conn, 200) =~ ~s(type="submit") end - test "reuses authentication if the user is authenticated with another client", + test "renders authentication page if user is already authenticated but user request with another client", %{ + app: app, conn: conn } do - user = insert(:user) + token = insert(:oauth_token, app: app) + + conn = + conn + |> AuthHelper.put_session_token(token.token) + |> get( + "/oauth/authorize", + %{ + "response_type" => "code", + "client_id" => "another_client_id", + "redirect_uri" => OAuthController.default_redirect_uri(app), + "scope" => "read" + } + ) - app = insert(:oauth_app, redirect_uris: "https://redirect.url") - other_app = insert(:oauth_app, redirect_uris: "https://redirect.url") + assert html_response(conn, 200) =~ ~s(type="submit") + end + + test "allows access if the user has a prior authorization but is authenticated with another client", + %{ + app: app, + conn: conn + } do + user = insert(:user) + token = insert(:oauth_token, app: app, user: user) - token = insert(:oauth_token, user: user, app: app) - reusable_token = insert(:oauth_token, app: other_app, user: user) + other_app = insert(:oauth_app, redirect_uris: "https://other_redirect.url") + authorization = insert(:oauth_authorization, user: user, app: other_app) + _reusable_token = insert(:oauth_token, app: other_app, user: user) conn = conn - |> put_req_header("authorization", "Bearer #{token.token}") + |> AuthHelper.put_session_token(token.token) + |> AuthHelper.put_session_user(user.id) |> get( "/oauth/authorize", %{ @@ -496,25 +521,24 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do ) assert URI.decode(redirected_to(conn)) == - "https://redirect.url?access_token=#{reusable_token.token}" + "https://other_redirect.url?code=#{authorization.token}" end - test "does not reuse other people's tokens", + test "renders login page if the user has an authorization but no token", %{ + app: app, conn: conn } do user = insert(:user) - other_user = insert(:user) + token = insert(:oauth_token, app: app, user: user) - app = insert(:oauth_app, redirect_uris: "https://redirect.url") - other_app = insert(:oauth_app, redirect_uris: "https://redirect.url") - - token = insert(:oauth_token, user: user, app: app) - _not_reusable_token = insert(:oauth_token, app: other_app, user: other_user) + other_app = insert(:oauth_app, redirect_uris: "https://other_redirect.url") + _authorization = insert(:oauth_authorization, user: user, app: other_app) conn = conn - |> put_req_header("authorization", "Bearer #{token.token}") + |> AuthHelper.put_session_token(token.token) + |> AuthHelper.put_session_user(user.id) |> get( "/oauth/authorize", %{ @@ -528,28 +552,23 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do assert html_response(conn, 200) =~ ~s(type="submit") end - test "does not reuse expired tokens", + test "does not reuse other people's tokens", %{ + app: app, conn: conn } do user = insert(:user) + other_user = insert(:user) + token = insert(:oauth_token, app: app, user: user) - app = insert(:oauth_app, redirect_uris: "https://redirect.url") - - other_app = insert(:oauth_app, redirect_uris: "https://redirect.url") - - token = insert(:oauth_token, user: user, app: app) - - _not_reusable_token = - insert(:oauth_token, - app: other_app, - user: user, - valid_until: NaiveDateTime.add(NaiveDateTime.utc_now(), -60 * 100) - ) + other_app = insert(:oauth_app, redirect_uris: "https://other_redirect.url") + _authorization = insert(:oauth_authorization, user: other_user, app: other_app) + _reusable_token = insert(:oauth_token, app: other_app, user: other_user) conn = conn - |> put_req_header("authorization", "Bearer #{token.token}") + |> AuthHelper.put_session_token(token.token) + |> AuthHelper.put_session_user(user.id) |> get( "/oauth/authorize", %{ @@ -563,34 +582,35 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do assert html_response(conn, 200) =~ ~s(type="submit") end - test "does not reuse tokens with the wrong scopes", + test "does not reuse expired tokens", %{ + app: app, conn: conn } do user = insert(:user) + token = insert(:oauth_token, app: app, user: user) - app = insert(:oauth_app, redirect_uris: "https://redirect.url") - - other_app = insert(:oauth_app, redirect_uris: "https://redirect.url") - - token = insert(:oauth_token, user: user, app: app, scopes: ["read"]) + other_app = insert(:oauth_app, redirect_uris: "https://other_redirect.url") + _authorization = insert(:oauth_authorization, user: user, app: other_app) - _not_reusable_token = + _reusable_token = insert(:oauth_token, app: other_app, - user: user + user: user, + valid_until: NaiveDateTime.add(NaiveDateTime.utc_now(), -100) ) conn = conn - |> put_req_header("authorization", "Bearer #{token.token}") + |> AuthHelper.put_session_token(token.token) + |> AuthHelper.put_session_user(user.id) |> get( "/oauth/authorize", %{ "response_type" => "code", "client_id" => other_app.client_id, "redirect_uri" => OAuthController.default_redirect_uri(other_app), - "scope" => "read write" + "scope" => "read" } ) @@ -606,7 +626,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do conn = conn - |> put_req_header("authorization", "Bearer #{token.token}") + |> AuthHelper.put_session_token(token.token) |> get( "/oauth/authorize", %{ @@ -632,7 +652,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do conn = conn - |> put_req_header("authorization", "Bearer #{token.token}") + |> AuthHelper.put_session_token(token.token) |> get( "/oauth/authorize", %{ @@ -656,7 +676,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do conn = conn - |> put_req_header("authorization", "Bearer #{token.token}") + |> AuthHelper.put_session_token(token.token) |> get( "/oauth/authorize", %{ @@ -673,45 +693,147 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do describe "POST /oauth/authorize" do test "redirects with oauth authorization, " <> - "granting requested app-supported scopes to both admin- and non-admin users" do + "granting requested app-supported scopes to admin users" do app_scopes = ["read", "write", "admin", "secret_scope"] app = insert(:oauth_app, scopes: app_scopes) redirect_uri = OAuthController.default_redirect_uri(app) - - non_admin = insert(:user, is_admin: false) + scopes_subset = ["read:subscope", "write", "admin"] admin = insert(:user, is_admin: true) + + # In case scope param is missing, expecting _all_ app-supported scopes to be granted + conn = + post( + build_conn(), + "/oauth/authorize", + %{ + "authorization" => %{ + "name" => admin.nickname, + "password" => "test", + "client_id" => app.client_id, + "redirect_uri" => redirect_uri, + "scope" => scopes_subset, + "state" => "statepassed" + } + } + ) + + target = redirected_to(conn) + assert target =~ redirect_uri + + query = URI.parse(target).query |> URI.query_decoder() |> Map.new() + + assert %{"state" => "statepassed", "code" => code} = query + auth = Repo.get_by(Authorization, token: code) + assert auth + assert auth.scopes == scopes_subset + end + + test "redirects with oauth authorization, " <> + "granting requested app-supported scopes to moderators" do + app_scopes = ["read", "write", "admin", "secret_scope"] + app = insert(:oauth_app, scopes: app_scopes) + redirect_uri = OAuthController.default_redirect_uri(app) scopes_subset = ["read:subscope", "write", "admin"] + admin = insert(:user, is_moderator: true) # In case scope param is missing, expecting _all_ app-supported scopes to be granted - for user <- [non_admin, admin], - {requested_scopes, expected_scopes} <- - %{scopes_subset => scopes_subset, nil: app_scopes} do - conn = - post( - build_conn(), - "/oauth/authorize", - %{ - "authorization" => %{ - "name" => user.nickname, - "password" => "test", - "client_id" => app.client_id, - "redirect_uri" => redirect_uri, - "scope" => requested_scopes, - "state" => "statepassed" - } + conn = + post( + build_conn(), + "/oauth/authorize", + %{ + "authorization" => %{ + "name" => admin.nickname, + "password" => "test", + "client_id" => app.client_id, + "redirect_uri" => redirect_uri, + "scope" => scopes_subset, + "state" => "statepassed" } - ) + } + ) - target = redirected_to(conn) - assert target =~ redirect_uri + target = redirected_to(conn) + assert target =~ redirect_uri - query = URI.parse(target).query |> URI.query_decoder() |> Map.new() + query = URI.parse(target).query |> URI.query_decoder() |> Map.new() - assert %{"state" => "statepassed", "code" => code} = query - auth = Repo.get_by(Authorization, token: code) - assert auth - assert auth.scopes == expected_scopes - end + assert %{"state" => "statepassed", "code" => code} = query + auth = Repo.get_by(Authorization, token: code) + assert auth + assert auth.scopes == scopes_subset + end + + test "redirects with oauth authorization, " <> + "granting requested app-supported scopes for non-admin users" do + app_scopes = ["read", "write", "secret_scope", "admin"] + app = insert(:oauth_app, scopes: app_scopes) + redirect_uri = OAuthController.default_redirect_uri(app) + + non_admin = insert(:user, is_admin: false) + scopes_subset = ["read:subscope", "write", "admin", "admin:metrics"] + + # In case scope param is missing, expecting _all_ app-supported scopes to be granted + conn = + post( + build_conn(), + "/oauth/authorize", + %{ + "authorization" => %{ + "name" => non_admin.nickname, + "password" => "test", + "client_id" => app.client_id, + "redirect_uri" => redirect_uri, + "scope" => scopes_subset, + "state" => "statepassed" + } + } + ) + + target = redirected_to(conn) + assert target =~ redirect_uri + + query = URI.parse(target).query |> URI.query_decoder() |> Map.new() + + assert %{"state" => "statepassed", "code" => code} = query + auth = Repo.get_by(Authorization, token: code) + assert auth + assert auth.scopes == ["read:subscope", "write"] + end + + test "authorize from cookie" do + user = insert(:user) + app = insert(:oauth_app) + oauth_token = insert(:oauth_token, user: user, app: app) + redirect_uri = OAuthController.default_redirect_uri(app) + + conn = + build_conn() + |> Plug.Session.call(Plug.Session.init(@session_opts)) + |> fetch_session() + |> AuthHelper.put_session_token(oauth_token.token) + |> post( + "/oauth/authorize", + %{ + "authorization" => %{ + "name" => user.nickname, + "client_id" => app.client_id, + "redirect_uri" => redirect_uri, + "scope" => app.scopes, + "state" => "statepassed" + } + } + ) + + target = redirected_to(conn) + assert target =~ redirect_uri + + query = URI.parse(target).query |> URI.query_decoder() |> Map.new() + + assert %{"state" => "statepassed", "code" => code} = query + auth = Repo.get_by(Authorization, token: code) + assert auth + assert auth.scopes == app.scopes end test "redirect to on two-factor auth page" do @@ -776,33 +898,6 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do assert result =~ "Invalid Username/Password" end - test "returns 401 for missing scopes" do - user = insert(:user, is_admin: false) - app = insert(:oauth_app, scopes: ["read", "write", "admin"]) - redirect_uri = OAuthController.default_redirect_uri(app) - - result = - build_conn() - |> post("/oauth/authorize", %{ - "authorization" => %{ - "name" => user.nickname, - "password" => "test", - "client_id" => app.client_id, - "redirect_uri" => redirect_uri, - "state" => "statepassed", - "scope" => "" - } - }) - |> html_response(:unauthorized) - - # Keep the details - assert result =~ app.client_id - assert result =~ redirect_uri - - # Error message - assert result =~ "This action is outside the authorized scopes" - end - test "returns 401 for scopes beyond app scopes hierarchy", %{conn: conn} do user = insert(:user) app = insert(:oauth_app, scopes: ["read", "write"]) @@ -827,7 +922,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do assert result =~ redirect_uri # Error message - assert result =~ "This action is outside the authorized scopes" + assert result =~ "This action is outside of authorized scopes" end end @@ -858,7 +953,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do password = "testpassword" - user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password)) + user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt(password)) app = insert(:oauth_app, scopes: ["read", "write"]) @@ -888,7 +983,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do user = insert(:user, - password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password), + password_hash: Pleroma.Password.hash_pwd_salt(password), multi_factor_authentication_settings: %MFA.Settings{ enabled: true, totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true} @@ -997,7 +1092,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do password = "testpassword" {:ok, user} = - insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password)) + insert(:user, password_hash: Pleroma.Password.hash_pwd_salt(password)) |> User.confirmation_changeset(set_confirmation: false) |> User.update_and_set_cache() @@ -1025,7 +1120,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do user = insert(:user, - password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password), + password_hash: Pleroma.Password.hash_pwd_salt(password), is_active: false ) @@ -1053,7 +1148,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do user = insert(:user, - password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password), + password_hash: Pleroma.Password.hash_pwd_salt(password), password_reset_pending: true ) @@ -1082,7 +1177,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do user = insert(:user, - password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password), + password_hash: Pleroma.Password.hash_pwd_salt(password), is_confirmed: false ) @@ -1110,7 +1205,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do user = insert(:user, - password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password), + password_hash: Pleroma.Password.hash_pwd_salt(password), is_approved: false ) @@ -1286,7 +1381,6 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do response = build_conn() - |> put_req_header("authorization", "Bearer #{access_token.token}") |> post("/oauth/token", %{ "grant_type" => "refresh_token", "refresh_token" => access_token.refresh_token, @@ -1336,11 +1430,12 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do build_conn() |> Plug.Session.call(Plug.Session.init(@session_opts)) |> fetch_session() - |> put_req_header("authorization", "Bearer #{oauth_token.token}") + |> AuthHelper.put_session_token(oauth_token.token) |> post("/oauth/revoke", %{"token" => oauth_token.token}) assert json_response(conn, 200) + refute AuthHelper.get_session_token(conn) assert Token.get_by_token(oauth_token.token) == {:error, :not_found} end @@ -1354,11 +1449,12 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do build_conn() |> Plug.Session.call(Plug.Session.init(@session_opts)) |> fetch_session() - |> put_req_header("authorization", "Bearer #{oauth_token.token}") + |> AuthHelper.put_session_token(oauth_token.token) |> post("/oauth/revoke", %{"token" => other_app_oauth_token.token}) assert json_response(conn, 200) + assert AuthHelper.get_session_token(conn) == oauth_token.token assert Token.get_by_token(other_app_oauth_token.token) == {:error, :not_found} end