X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=test%2Fplugs%2Fauthentication_plug_test.exs;h=777ae15aeb076f47b6a64a7da634dac1df950b77;hb=9c672ecbb5d4477cd16d2139a2cb66d3923ac5c8;hp=5480dab43019921356b9e17f9a80dc347eb0c28f;hpb=30e9b22f96f2bf1cd895e993190f40afba159bb6;p=akkoma
diff --git a/test/plugs/authentication_plug_test.exs b/test/plugs/authentication_plug_test.exs
index 5480dab43..777ae15ae 100644
--- a/test/plugs/authentication_plug_test.exs
+++ b/test/plugs/authentication_plug_test.exs
@@ -1,193 +1,125 @@ +# Pleroma: A lightweight social networking server +# Copyright © 2017-2020 Pleroma Authors +# SPDX-License-Identifier: AGPL-3.0-only + defmodule Pleroma.Plugs.AuthenticationPlugTest do use Pleroma.Web.ConnCase, async: true alias Pleroma.Plugs.AuthenticationPlug + alias Pleroma.Plugs.OAuthScopesPlug + alias Pleroma.Plugs.PlugHelper alias Pleroma.User - defp fetch_nil(_name) do - {:ok, nil} - end - - @user %User{ - id: 1, - name: "dude", - password_hash: Comeonin.Pbkdf2.hashpwsalt("guy") - } - - @deactivated %User{ - id: 1, - name: "dude", - password_hash: Comeonin.Pbkdf2.hashpwsalt("guy"), - info: %{"deactivated" => true} - } - - @session_opts [ - store: :cookie, - key: "_test", - signing_salt: "cooldude" - ] - - defp fetch_user(_name) do - {:ok, @user} - end - - defp basic_auth_enc(username, password) do - "Basic " <> Base.encode64("#{username}:#{password}") - end + import ExUnit.CaptureLog + import Pleroma.Factory - describe "without an authorization header" do - test "it halts the application" do - conn = build_conn() - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> AuthenticationPlug.call(%{}) + setup %{conn: conn} do + user = %User{ + id: 1, + name: "dude", + password_hash: Pbkdf2.hash_pwd_salt("guy") + } - assert conn.status == 403 - assert conn.halted == true - end + conn = + conn + |> assign(:auth_user, user) - test "it assigns a nil user if the 'optional' option is used" do - conn = build_conn() - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> AuthenticationPlug.call(%{optional: true}) - - assert %{ user: nil } == conn.assigns - end + %{user: user, conn: conn} end - describe "with an authorization header for a nonexisting user" do - test "it halts the application" do - conn = - build_conn() - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> AuthenticationPlug.call(%{fetcher: &fetch_nil/1}) - - assert conn.status == 403 - assert conn.halted == 
true - end + test "it does nothing if a user is assigned", %{conn: conn} do + conn = + conn + |> assign(:user, %User{}) - test "it assigns a nil user if the 'optional' option is used" do - conn = - build_conn() - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> AuthenticationPlug.call(%{optional: true, fetcher: &fetch_nil/1 }) + ret_conn = + conn + |> AuthenticationPlug.call(%{}) - assert %{ user: nil } == conn.assigns - end + assert ret_conn == conn end - describe "with an incorrect authorization header for a enxisting user" do - test "it halts the application" do - opts = %{ - fetcher: &fetch_user/1 - } - - header = basic_auth_enc("dude", "man") - - conn = - build_conn() - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> put_req_header("authorization", header) - |> AuthenticationPlug.call(opts) + test "with a correct password in the credentials, " <> + "it assigns the auth_user and marks OAuthScopesPlug as skipped", + %{conn: conn} do + conn = + conn + |> assign(:auth_credentials, %{password: "guy"}) + |> AuthenticationPlug.call(%{}) - assert conn.status == 403 - assert conn.halted == true - end + assert conn.assigns.user == conn.assigns.auth_user + assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug) + end - test "it assigns a nil user if the 'optional' option is used" do - opts = %{ - optional: true, - fetcher: &fetch_user/1 - } + test "with a bcrypt hash, it updates to a pkbdf2 hash", %{conn: conn} do + user = insert(:user, password_hash: Bcrypt.hash_pwd_salt("123")) + assert "$2" <> _ = user.password_hash - header = basic_auth_enc("dude", "man") + conn = + conn + |> assign(:auth_user, user) + |> assign(:auth_credentials, %{password: "123"}) + |> AuthenticationPlug.call(%{}) - conn = - build_conn() - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> put_req_header("authorization", header) - |> AuthenticationPlug.call(opts) + assert conn.assigns.user.id == 
conn.assigns.auth_user.id + assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug) - assert %{ user: nil } == conn.assigns - end + user = User.get_by_id(user.id) + assert "$pbkdf2" <> _ = user.password_hash end - describe "with a correct authorization header for an existing user" do - test "it assigns the user", %{conn: conn} do - opts = %{ - optional: true, - fetcher: &fetch_user/1 - } - - header = basic_auth_enc("dude", "guy") + @tag :skip_on_mac + test "with a crypt hash, it updates to a pkbdf2 hash", %{conn: conn} do + user = + insert(:user, + password_hash: + "$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1" + ) + + conn = + conn + |> assign(:auth_user, user) + |> assign(:auth_credentials, %{password: "password"}) + |> AuthenticationPlug.call(%{}) - conn = conn - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> put_req_header("authorization", header) - |> AuthenticationPlug.call(opts) + assert conn.assigns.user.id == conn.assigns.auth_user.id + assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug) - assert %{ user: @user } == conn.assigns - assert get_session(conn, :user_id) == @user.id - assert conn.halted == false - end + user = User.get_by_id(user.id) + assert "$pbkdf2" <> _ = user.password_hash end - describe "with a correct authorization header for an deactiviated user" do - test "it halts the appication", %{conn: conn} do - opts = %{ - optional: false, - fetcher: fn _ -> @deactivated end - } + describe "checkpw/2" do + test "check pbkdf2 hash" do + hash = + "$pbkdf2-sha512$160000$loXqbp8GYls43F0i6lEfIw$AY.Ep.2pGe57j2hAPY635sI/6w7l9Q9u9Bp02PkPmF3OrClDtJAI8bCiivPr53OKMF7ph6iHhN68Rom5nEfC2A" - header = basic_auth_enc("dude", "guy") + assert AuthenticationPlug.checkpw("test-password", hash) + refute AuthenticationPlug.checkpw("test-password1", hash) + end - conn = conn - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> 
put_req_header("authorization", header) - |> AuthenticationPlug.call(opts) + @tag :skip_on_mac + test "check sha512-crypt hash" do + hash = + "$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1" - assert conn.status == 403 - assert conn.halted == true + assert AuthenticationPlug.checkpw("password", hash) end - end - describe "with a user_id in the session for an existing user" do - test "it assigns the user", %{conn: conn} do - opts = %{ - optional: true, - fetcher: &fetch_user/1 - } - - header = basic_auth_enc("dude", "THIS IS WRONG") - - conn = conn - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> put_session(:user_id, @user.id) - |> put_req_header("authorization", header) - |> AuthenticationPlug.call(opts) - - assert %{ user: @user } == conn.assigns - assert get_session(conn, :user_id) == @user.id - assert conn.halted == false - end - end + test "check bcrypt hash" do + hash = "$2a$10$uyhC/R/zoE1ndwwCtMusK.TLVzkQ/Ugsbqp3uXI.CTTz0gBw.24jS" - describe "with an assigned user" do - test "it does nothing, returning the incoming conn", %{conn: conn} do - conn = conn - |> assign(:user, @user) + assert AuthenticationPlug.checkpw("password", hash) + refute AuthenticationPlug.checkpw("password1", hash) + end - conn_result = AuthenticationPlug.call(conn, %{}) + test "it returns false when hash invalid" do + hash = + "psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1" - assert conn == conn_result + assert capture_log(fn -> + refute Pleroma.Plugs.AuthenticationPlug.checkpw("password", hash) + end) =~ "[error] Password hash not recognized" end end end
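Review bot: The new plug-level tests cover only the success path — nothing checks that a wrong password in `auth_credentials` leaves `conn.assigns.user` unset and does not mark OAuthScopesPlug as skipped, whereas the removed header-based tests at least asserted the failure outcome (`assert conn.status == 403`). Because `PlugHelper.plug_skipped?(conn, OAuthScopesPlug)` is the point where scope enforcement is bypassed, a regression that skipped scopes after a failed password check would go unnoticed; a negative case next to the "with a correct password" test would pin it down. The plug's failure-path assigns are not visible in this hunk, so the proposal below uses `conn.assigns[:user]` rather than `Map.has_key?` — confirm against the plug. The same omission applies to the `"check sha512-crypt hash"` test, which unlike its pbkdf2 and bcrypt siblings has no `refute AuthenticationPlug.checkpw("password1", hash)`.
```elixir
test "with an incorrect password in the credentials, " <>
       "it does not assign the user and does not skip OAuthScopesPlug",
     %{conn: conn} do
  conn =
    conn
    |> assign(:auth_credentials, %{password: "not-guy"})
    |> AuthenticationPlug.call(%{})

  assert conn.assigns[:user] == nil
  refute PlugHelper.plug_skipped?(conn, OAuthScopesPlug)
end
```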