pleroma/test/pleroma/web/plugs/authentication_plug_test.exs

# Pleroma: A lightweight social networking server
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Web.Plugs.AuthenticationPlugTest do
  use Pleroma.Web.ConnCase, async: true

  alias Pleroma.User
  alias Pleroma.Web.Plugs.AuthenticationPlug
  alias Pleroma.Web.Plugs.OAuthScopesPlug
  alias Pleroma.Web.Plugs.PlugHelper

  import ExUnit.CaptureLog
  import Pleroma.Factory

  setup %{conn: conn} do
    user = %User{
      id: 1,
      name: "dude",
      password_hash: Pbkdf2.hash_pwd_salt("guy")
    }

    conn =
      conn
      |> assign(:auth_user, user)

    %{user: user, conn: conn}
  end

  test "it does nothing if a user is assigned", %{conn: conn} do
    conn =
      conn
      |> assign(:user, %User{})

    ret_conn =
      conn
      |> AuthenticationPlug.call(%{})

    assert ret_conn == conn
  end

  test "with a correct password in the credentials, " <>
         "it assigns the auth_user and marks OAuthScopesPlug as skipped",
       %{conn: conn} do
    conn =
      conn
      |> assign(:auth_credentials, %{password: "guy"})
      |> AuthenticationPlug.call(%{})

    assert conn.assigns.user == conn.assigns.auth_user
    assert conn.assigns.token == nil
    assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)
  end

  test "with a bcrypt hash, it updates to a pkbdf2 hash", %{conn: conn} do
    user = insert(:user, password_hash: Bcrypt.hash_pwd_salt("123"))
    assert "$2" <> _ = user.password_hash

    conn =
      conn
      |> assign(:auth_user, user)
      |> assign(:auth_credentials, %{password: "123"})
      |> AuthenticationPlug.call(%{})

    assert conn.assigns.user.id == conn.assigns.auth_user.id
    assert conn.assigns.token == nil
    assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)

    user = User.get_by_id(user.id)
    assert "$pbkdf2" <> _ = user.password_hash
  end

  @tag :skip_on_mac
  test "with a crypt hash, it updates to a pkbdf2 hash", %{conn: conn} do
    user =
      insert(:user,
        password_hash:
          "$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"
      )

    conn =
      conn
      |> assign(:auth_user, user)
      |> assign(:auth_credentials, %{password: "password"})
      |> AuthenticationPlug.call(%{})

    assert conn.assigns.user.id == conn.assigns.auth_user.id
    assert conn.assigns.token == nil
    assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)

    user = User.get_by_id(user.id)
    assert "$pbkdf2" <> _ = user.password_hash
  end

  describe "checkpw/2" do
    test "check pbkdf2 hash" do
      hash =
        "$pbkdf2-sha512$160000$loXqbp8GYls43F0i6lEfIw$AY.Ep.2pGe57j2hAPY635sI/6w7l9Q9u9Bp02PkPmF3OrClDtJAI8bCiivPr53OKMF7ph6iHhN68Rom5nEfC2A"

      assert AuthenticationPlug.checkpw("test-password", hash)
      refute AuthenticationPlug.checkpw("test-password1", hash)
    end

    @tag :skip_on_mac
    test "check sha512-crypt hash" do
      hash =
        "$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"

      assert AuthenticationPlug.checkpw("password", hash)
    end

    test "check bcrypt hash" do
      hash = "$2a$10$uyhC/R/zoE1ndwwCtMusK.TLVzkQ/Ugsbqp3uXI.CTTz0gBw.24jS"

      assert AuthenticationPlug.checkpw("password", hash)
      refute AuthenticationPlug.checkpw("password1", hash)
    end

    test "it returns false when hash invalid" do
      hash =
        "psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"

      assert capture_log(fn ->
               refute AuthenticationPlug.checkpw("password", hash)
             end) =~ "[error] Password hash not recognized"
    end
  end
end
tests: add legal boilerplate 2018-12-23 21:11:29 +01:00			`# Pleroma: A lightweight social networking server`
Update Copyrights 2020-03-03 23:44:49 +01:00			`# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>`
tests: add legal boilerplate 2018-12-23 21:11:29 +01:00			`# SPDX-License-Identifier: AGPL-3.0-only`

tests consistency 2020-06-23 17:16:47 +02:00			`defmodule Pleroma.Web.Plugs.AuthenticationPlugTest do`
Add basic auth. 2017-03-20 17:45:47 +01:00			`use Pleroma.Web.ConnCase, async: true`

alias alphabetically order 2020-06-24 12:07:47 +02:00			`alias Pleroma.User`
AuthenticationPlug module name 2020-06-24 10:16:09 +02:00			`alias Pleroma.Web.Plugs.AuthenticationPlug`
OAuthScopesPlug module name 2020-06-24 08:57:27 +02:00			`alias Pleroma.Web.Plugs.OAuthScopesPlug`
PlugHelper module name 2020-06-24 08:42:36 +02:00			`alias Pleroma.Web.Plugs.PlugHelper`
Add basic auth. 2017-03-20 17:45:47 +01:00
[tests] Mock :crypt.crypt/2 function in AuthenticationPlugTest 2019-07-20 15:07:51 +02:00			`import ExUnit.CaptureLog`
Authentication Plug: Update bcrypt password on login. 2020-05-17 10:31:01 +02:00			`import Pleroma.Factory`
[tests] Mock :crypt.crypt/2 function in AuthenticationPlugTest 2019-07-20 15:07:51 +02:00
Simplify AuthenticationPlug 2018-09-05 18:53:38 +02:00			`setup %{conn: conn} do`
			`user = %User{`
			`id: 1,`
			`name: "dude",`
Upgrade Comeonin to v5 https://github.com/riverrun/comeonin/blob/master/UPGRADE_v5.md 2020-05-12 23:42:24 +02:00			`password_hash: Pbkdf2.hash_pwd_salt("guy")`
Simplify AuthenticationPlug 2018-09-05 18:53:38 +02:00			`}`
Short circuit user verification if cookie is present. 2017-03-30 15:29:49 +02:00
Simplify AuthenticationPlug 2018-09-05 18:53:38 +02:00			`conn =`
			`conn`
			`\|> assign(:auth_user, user)`
Add basic auth. 2017-03-20 17:45:47 +01:00
Simplify AuthenticationPlug 2018-09-05 18:53:38 +02:00			`%{user: user, conn: conn}`
Add basic auth. 2017-03-20 17:45:47 +01:00			`end`

Simplify AuthenticationPlug 2018-09-05 18:53:38 +02:00			`test "it does nothing if a user is assigned", %{conn: conn} do`
			`conn =`
			`conn`
			`\|> assign(:user, %User{})`
Add basic auth. 2017-03-20 17:45:47 +01:00
Simplify AuthenticationPlug 2018-09-05 18:53:38 +02:00			`ret_conn =`
			`conn`
			`\|> AuthenticationPlug.call(%{})`
Add basic auth. 2017-03-20 17:45:47 +01:00
Simplify AuthenticationPlug 2018-09-05 18:53:38 +02:00			`assert ret_conn == conn`
Add basic auth. 2017-03-20 17:45:47 +01:00			`end`

[#1682] Fixed Basic Auth permissions issue by disabling OAuth scopes checks when password is provided. Refactored plugs skipping functionality. 2020-04-17 20:21:10 +02:00			`test "with a correct password in the credentials, " <>`
			`"it assigns the auth_user and marks OAuthScopesPlug as skipped",`
			`%{conn: conn} do`
Simplify AuthenticationPlug 2018-09-05 18:53:38 +02:00			`conn =`
			`conn`
			`\|> assign(:auth_credentials, %{password: "guy"})`
			`\|> AuthenticationPlug.call(%{})`
Add basic auth. 2017-03-20 17:45:47 +01:00
Simplify AuthenticationPlug 2018-09-05 18:53:38 +02:00			`assert conn.assigns.user == conn.assigns.auth_user`
Auth subsystem refactoring and tweaks. Added proper OAuth skipping for SessionAuthenticationPlug. Integrated LegacyAuthenticationPlug into AuthenticationPlug. Adjusted tests & docs. 2020-10-31 11:38:35 +01:00			`assert conn.assigns.token == nil`
[#1682] Fixed Basic Auth permissions issue by disabling OAuth scopes checks when password is provided. Refactored plugs skipping functionality. 2020-04-17 20:21:10 +02:00			`assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)`
Add basic auth. 2017-03-20 17:45:47 +01:00			`end`
AP refactoring. 2017-05-16 15:31:11 +02:00
Authentication Plug: Update bcrypt password on login. 2020-05-17 10:31:01 +02:00			`test "with a bcrypt hash, it updates to a pkbdf2 hash", %{conn: conn} do`
			`user = insert(:user, password_hash: Bcrypt.hash_pwd_salt("123"))`
			`assert "$2" <> _ = user.password_hash`
AP refactoring. 2017-05-16 15:31:11 +02:00
Authentication Plug: Update bcrypt password on login. 2020-05-17 10:31:01 +02:00			`conn =`
Simplify AuthenticationPlug 2018-09-05 18:53:38 +02:00			`conn`
Authentication Plug: Update bcrypt password on login. 2020-05-17 10:31:01 +02:00			`\|> assign(:auth_user, user)`
			`\|> assign(:auth_credentials, %{password: "123"})`
Simplify AuthenticationPlug 2018-09-05 18:53:38 +02:00			`\|> AuthenticationPlug.call(%{})`
AP refactoring. 2017-05-16 15:31:11 +02:00
Authentication Plug: Update bcrypt password on login. 2020-05-17 10:31:01 +02:00			`assert conn.assigns.user.id == conn.assigns.auth_user.id`
Auth subsystem refactoring and tweaks. Added proper OAuth skipping for SessionAuthenticationPlug. Integrated LegacyAuthenticationPlug into AuthenticationPlug. Adjusted tests & docs. 2020-10-31 11:38:35 +01:00			`assert conn.assigns.token == nil`
Authentication Plug: Update bcrypt password on login. 2020-05-17 10:31:01 +02:00			`assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)`

			`user = User.get_by_id(user.id)`
			`assert "$pbkdf2" <> _ = user.password_hash`
AP refactoring. 2017-05-16 15:31:11 +02:00			`end`
tests for Plugs.AuthenticationPlug 2019-07-18 22:29:51 +02:00
Skip failing `:crypt` test on mac 2020-05-25 21:01:37 +02:00			`@tag :skip_on_mac`
AuthenticationPlug: Also update crypt passwords. 2020-05-17 11:40:25 +02:00			`test "with a crypt hash, it updates to a pkbdf2 hash", %{conn: conn} do`
			`user =`
			`insert(:user,`
			`password_hash:`
			`"$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"`
			`)`

			`conn =`
			`conn`
			`\|> assign(:auth_user, user)`
			`\|> assign(:auth_credentials, %{password: "password"})`
			`\|> AuthenticationPlug.call(%{})`

			`assert conn.assigns.user.id == conn.assigns.auth_user.id`
Auth subsystem refactoring and tweaks. Added proper OAuth skipping for SessionAuthenticationPlug. Integrated LegacyAuthenticationPlug into AuthenticationPlug. Adjusted tests & docs. 2020-10-31 11:38:35 +01:00			`assert conn.assigns.token == nil`
AuthenticationPlug: Also update crypt passwords. 2020-05-17 11:40:25 +02:00			`assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)`

			`user = User.get_by_id(user.id)`
			`assert "$pbkdf2" <> _ = user.password_hash`
			`end`

tests for Plugs.AuthenticationPlug 2019-07-18 22:29:51 +02:00			`describe "checkpw/2" do`
			`test "check pbkdf2 hash" do`
			`hash =`
			`"$pbkdf2-sha512$160000$loXqbp8GYls43F0i6lEfIw$AY.Ep.2pGe57j2hAPY635sI/6w7l9Q9u9Bp02PkPmF3OrClDtJAI8bCiivPr53OKMF7ph6iHhN68Rom5nEfC2A"`

			`assert AuthenticationPlug.checkpw("test-password", hash)`
			`refute AuthenticationPlug.checkpw("test-password1", hash)`
			`end`

Exclude tests that use :crypt.crypt/2 on macOS 2019-07-22 21:54:22 +02:00			`@tag :skip_on_mac`
tests for Plugs.AuthenticationPlug 2019-07-18 22:29:51 +02:00			`test "check sha512-crypt hash" do`
			`hash =`
			`"$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"`

Exclude tests that use :crypt.crypt/2 on macOS 2019-07-22 21:54:22 +02:00			`assert AuthenticationPlug.checkpw("password", hash)`
tests for Plugs.AuthenticationPlug 2019-07-18 22:29:51 +02:00			`end`

Handle bcrypt passwords for Mastodon migration 2020-05-12 23:57:01 +02:00			`test "check bcrypt hash" do`
			`hash = "$2a$10$uyhC/R/zoE1ndwwCtMusK.TLVzkQ/Ugsbqp3uXI.CTTz0gBw.24jS"`

			`assert AuthenticationPlug.checkpw("password", hash)`
			`refute AuthenticationPlug.checkpw("password1", hash)`
			`end`

tests for Plugs.AuthenticationPlug 2019-07-18 22:29:51 +02:00			`test "it returns false when hash invalid" do`
			`hash =`
			`"psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"`

[tests] Mock :crypt.crypt/2 function in AuthenticationPlugTest 2019-07-20 15:07:51 +02:00			`assert capture_log(fn ->`
alias alphabetically order 2020-06-24 12:07:47 +02:00			`refute AuthenticationPlug.checkpw("password", hash)`
[tests] Mock :crypt.crypt/2 function in AuthenticationPlugTest 2019-07-20 15:07:51 +02:00			`end) =~ "[error] Password hash not recognized"`
tests for Plugs.AuthenticationPlug 2019-07-18 22:29:51 +02:00			`end`
			`end`
Add basic auth. 2017-03-20 17:45:47 +01:00			`end`