X-Git-Url: https://git.squeep.com/?a=blobdiff_plain;f=test%2Fplugs%2Fauthentication_plug_test.exs;h=7ca04561638e7f1b9dc3e6802dac179e9910ae47;hb=8292331b35f088a19a4d14eff69b74a6d1ed4746;hp=3f2f769e73e1125ce13d5d425c004db252894306;hpb=e32dbfc9a5477830dba7bf3e99621161e4454a29;p=akkoma

diff --git a/test/plugs/authentication_plug_test.exs b/test/plugs/authentication_plug_test.exs
index 3f2f769e7..7ca045616 100644
--- a/test/plugs/authentication_plug_test.exs
+++ b/test/plugs/authentication_plug_test.exs
@@ -1,110 +1,88 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
 defmodule Pleroma.Plugs.AuthenticationPlugTest do
   use Pleroma.Web.ConnCase, async: true
 
   alias Pleroma.Plugs.AuthenticationPlug
+  alias Pleroma.User
 
-  defp fetch_nil(_name) do
-    {:ok, nil}
-  end
+  import ExUnit.CaptureLog
+  import Mock
 
-  @user %{
-    id: 1,
-    name: "dude",
-    password_hash: Comeonin.Pbkdf2.hashpwsalt("guy")
-  }
+  setup %{conn: conn} do
+    user = %User{
+      id: 1,
+      name: "dude",
+      password_hash: Comeonin.Pbkdf2.hashpwsalt("guy")
+    }
 
-  defp fetch_user(_name) do
-    {:ok, @user}
-  end
+    conn =
+      conn
+      |> assign(:auth_user, user)
 
-  defp basic_auth_enc(username, password) do
-    "Basic " <> Base.encode64("#{username}:#{password}")
+    %{user: user, conn: conn}
   end
 
-  describe "without an authorization header" do
-    test "it halts the application" do
-      conn = build_conn() |> AuthenticationPlug.call(%{})
-
-      assert conn.status == 403
-      assert conn.halted == true
-    end
+  test "it does nothing if a user is assigned", %{conn: conn} do
+    conn =
+      conn
+      |> assign(:user, %User{})
 
-    test "it assigns a nil user if the 'optional' option is used" do
-      conn = build_conn() |> AuthenticationPlug.call(%{optional: true})
+    ret_conn =
+      conn
+      |> AuthenticationPlug.call(%{})
 
-      assert %{ user: nil } == conn.assigns
-    end
+    assert ret_conn == conn
   end
 
-  describe "with an authorization header for a nonexisting user" do
-    test "it halts the application" do
-      conn =
-        build_conn()
-        |> AuthenticationPlug.call(%{fetcher: &fetch_nil/1})
-
-      assert conn.status == 403
-      assert conn.halted == true
-    end
-
-    test "it assigns a nil user if the 'optional' option is used" do
-      conn =
-        build_conn()
-        |> AuthenticationPlug.call(%{optional: true, fetcher: &fetch_nil/1 })
+  test "with a correct password in the credentials, it assigns the auth_user", %{conn: conn} do
+    conn =
+      conn
+      |> assign(:auth_credentials, %{password: "guy"})
+      |> AuthenticationPlug.call(%{})
 
-      assert %{ user: nil } == conn.assigns
-    end
+    assert conn.assigns.user == conn.assigns.auth_user
   end
 
-  describe "with an incorrect authorization header for a enxisting user" do
-    test "it halts the application" do
-      opts = %{
-        fetcher: &fetch_user/1
-      }
-
-      header = basic_auth_enc("dude", "man")
-
-      conn =
-        build_conn()
-        |> put_req_header("authorization", header)
-        |> AuthenticationPlug.call(opts)
-
-      assert conn.status == 403
-      assert conn.halted == true
-    end
+  test "with a wrong password in the credentials, it does nothing", %{conn: conn} do
+    conn =
+      conn
+      |> assign(:auth_credentials, %{password: "wrong"})
 
-    test "it assigns a nil user if the 'optional' option is used" do
-      opts = %{
-        optional: true,
-        fetcher: &fetch_user/1
-      }
+    ret_conn =
+      conn
+      |> AuthenticationPlug.call(%{})
 
-      header = basic_auth_enc("dude", "man")
+    assert conn == ret_conn
+  end
 
-      conn =
-        build_conn()
-        |> put_req_header("authorization", header)
-        |> AuthenticationPlug.call(opts)
+  describe "checkpw/2" do
+    test "check pbkdf2 hash" do
+      hash =
+        "$pbkdf2-sha512$160000$loXqbp8GYls43F0i6lEfIw$AY.Ep.2pGe57j2hAPY635sI/6w7l9Q9u9Bp02PkPmF3OrClDtJAI8bCiivPr53OKMF7ph6iHhN68Rom5nEfC2A"
 
-      assert %{ user: nil } == conn.assigns
+      assert AuthenticationPlug.checkpw("test-password", hash)
+      refute AuthenticationPlug.checkpw("test-password1", hash)
     end
-  end
 
-  describe "with a correct authorization header for an existing user" do
-    test "it assigns the user" do
-      opts = %{
-        optional: true,
-        fetcher: &fetch_user/1
-      }
+    test "check sha512-crypt hash" do
+      hash =
+        "$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"
 
-      header = basic_auth_enc("dude", "guy")
+      with_mock :crypt, crypt: fn _password, password_hash -> password_hash end do
+        assert AuthenticationPlug.checkpw("password", hash)
+      end
+    end
 
-      conn =
-        build_conn()
-        |> put_req_header("authorization", header)
-        |> AuthenticationPlug.call(opts)
+    test "it returns false when hash invalid" do
+      hash =
+        "psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"
 
-      assert %{ user: @user } == conn.assigns
-      assert conn.halted == false
+      assert capture_log(fn ->
+               refute Pleroma.Plugs.AuthenticationPlug.checkpw("password", hash)
+             end) =~ "[error] Password hash not recognized"
     end
   end
 end