logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma
commit: 045953225e04862c914b51808907cc86b11fcaf4
parent: 530561a091f6f82e27ef3d5011b929b00e2da964
Author: lambda <pleromagit@rogerbraun.net>
Date:   Sat,  8 Sep 2018 09:20:34 +0000

Merge branch 'moonman/pleroma-sha512-crypt' into 'develop'

auth overhaul and legacy GS auth

See merge request pleroma/pleroma!331

Diffstat:

Mlib/pleroma/plugs/authentication_plug.ex64++++++++++++++++++++++------------------------------------------
Alib/pleroma/plugs/basic_auth_decoder_plug.ex21+++++++++++++++++++++
Alib/pleroma/plugs/ensure_authenticated_plug.ex19+++++++++++++++++++
Alib/pleroma/plugs/ensure_user_key_plug.ex14++++++++++++++
Alib/pleroma/plugs/legacy_authentication_plug.ex35+++++++++++++++++++++++++++++++++++
Alib/pleroma/plugs/session_authentication_plug.ex18++++++++++++++++++
Alib/pleroma/plugs/set_user_session_id_plug.ex15+++++++++++++++
Alib/pleroma/plugs/user_enabled_plug.ex17+++++++++++++++++
Alib/pleroma/plugs/user_fetcher_plug.ex34++++++++++++++++++++++++++++++++++
Mlib/pleroma/web/router.ex48+++++++++++++++++++++++++++++-------------------
Mmix.exs4+++-
Mmix.lock1+
Mtest/plugs/authentication_plug_test.exs210++++++++++++-------------------------------------------------------------------
Atest/plugs/basic_auth_decoder_plug_test.exs31+++++++++++++++++++++++++++++++
Atest/plugs/ensure_authenticated_plug_test.exs27+++++++++++++++++++++++++++
Atest/plugs/ensure_user_key_plug_test.exs25+++++++++++++++++++++++++
Atest/plugs/legacy_authentication_plug_test.exs82+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Atest/plugs/session_authentication_plug_test.exs59+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Atest/plugs/set_user_session_id_plug_test.exs39+++++++++++++++++++++++++++++++++++++++
Atest/plugs/user_enabled_plug_test.exs35+++++++++++++++++++++++++++++++++++
Atest/plugs/user_fetcher_plug_test.exs37+++++++++++++++++++++++++++++++++++++
21 files changed, 595 insertions(+), 240 deletions(-)

diff --git a/lib/pleroma/plugs/authentication_plug.ex b/lib/pleroma/plugs/authentication_plug.ex @@ -9,54 +9,34 @@ defmodule Pleroma.Plugs.AuthenticationPlug do def call(%{assigns: %{user: %User{}}} = conn, _), do: conn - def call(conn, opts) do - with {:ok, username, password} <- decode_header(conn), - {:ok, user} <- opts[:fetcher].(username), - false <- !!user.info["deactivated"], - saved_user_id <- get_session(conn, :user_id), - {:ok, verified_user} <- verify(user, password, saved_user_id) do + def call( + %{ + assigns: %{ + auth_user: %{password_hash: password_hash} = auth_user, + auth_credentials: %{password: password} + } + } = conn, + _ + ) do + if Pbkdf2.checkpw(password, password_hash) do conn - |> assign(:user, verified_user) - |> put_session(:user_id, verified_user.id) + |> assign(:user, auth_user) else - _ -> conn |> halt_or_continue(opts) + conn end end - # Short-circuit if we have a cookie with the id for the given user. - defp verify(%{id: id} = user, _password, id) do - {:ok, user} - end - - defp verify(nil, _password, _user_id) do + def call( + %{ + assigns: %{ + auth_credentials: %{password: password} + } + } = conn, + _ + ) do Pbkdf2.dummy_checkpw() - :error - end - - defp verify(user, password, _user_id) do - if Pbkdf2.checkpw(password, user.password_hash) do - {:ok, user} - else - :error - end - end - - defp decode_header(conn) do - with ["Basic " <> header] <- get_req_header(conn, "authorization"), - {:ok, userinfo} <- Base.decode64(header), - [username, password] <- String.split(userinfo, ":", parts: 2) do - {:ok, username, password} - end - end - - defp halt_or_continue(conn, %{optional: true}) do - conn |> assign(:user, nil) - end - - defp halt_or_continue(conn, _) do conn - |> put_resp_content_type("application/json") - |> send_resp(403, Jason.encode!(%{error: "Invalid credentials."})) - |> halt end + + def call(conn, _), do: conn end diff --git a/lib/pleroma/plugs/basic_auth_decoder_plug.ex b/lib/pleroma/plugs/basic_auth_decoder_plug.ex @@ -0,0 +1,21 @@ +defmodule Pleroma.Plugs.BasicAuthDecoderPlug do + import Plug.Conn + + def init(options) do + options + end + + def call(conn, opts) do + with ["Basic " <> header] <- get_req_header(conn, "authorization"), + {:ok, userinfo} <- Base.decode64(header), + [username, password] <- String.split(userinfo, ":", parts: 2) do + conn + |> assign(:auth_credentials, %{ + username: username, + password: password + }) + else + _ -> conn + end + end +end diff --git a/lib/pleroma/plugs/ensure_authenticated_plug.ex b/lib/pleroma/plugs/ensure_authenticated_plug.ex @@ -0,0 +1,19 @@ +defmodule Pleroma.Plugs.EnsureAuthenticatedPlug do + import Plug.Conn + alias Pleroma.User + + def init(options) do + options + end + + def call(%{assigns: %{user: %User{}}} = conn, _) do + conn + end + + def call(conn, _) do + conn + |> put_resp_content_type("application/json") + |> send_resp(403, Jason.encode!(%{error: "Invalid credentials."})) + |> halt + end +end diff --git a/lib/pleroma/plugs/ensure_user_key_plug.ex b/lib/pleroma/plugs/ensure_user_key_plug.ex @@ -0,0 +1,14 @@ +defmodule Pleroma.Plugs.EnsureUserKeyPlug do + import Plug.Conn + + def init(opts) do + opts + end + + def call(%{assigns: %{user: _}} = conn, _), do: conn + + def call(conn, _) do + conn + |> assign(:user, nil) + end +end diff --git a/lib/pleroma/plugs/legacy_authentication_plug.ex b/lib/pleroma/plugs/legacy_authentication_plug.ex @@ -0,0 +1,35 @@ +defmodule Pleroma.Plugs.LegacyAuthenticationPlug do + import Plug.Conn + alias Pleroma.User + + def init(options) do + options + end + + def call(%{assigns: %{user: %User{}}} = conn, _), do: conn + + def call( + %{ + assigns: %{ + auth_user: %{password_hash: "$6$" <> _ = password_hash} = auth_user, + auth_credentials: %{password: password} + } + } = conn, + _ + ) do + with ^password_hash <- :crypt.crypt(password, password_hash), + {:ok, user} <- + User.reset_password(auth_user, %{password: password, password_confirmation: password}) do + conn + |> assign(:auth_user, user) + |> assign(:user, user) + else + _ -> + conn + end + end + + def call(conn, _) do + conn + end +end diff --git a/lib/pleroma/plugs/session_authentication_plug.ex b/lib/pleroma/plugs/session_authentication_plug.ex @@ -0,0 +1,18 @@ +defmodule Pleroma.Plugs.SessionAuthenticationPlug do + import Plug.Conn + alias Pleroma.User + + def init(options) do + options + end + + def call(conn, _) do + with saved_user_id <- get_session(conn, :user_id), + %{auth_user: %{id: ^saved_user_id}} <- conn.assigns do + conn + |> assign(:user, conn.assigns.auth_user) + else + _ -> conn + end + end +end diff --git a/lib/pleroma/plugs/set_user_session_id_plug.ex b/lib/pleroma/plugs/set_user_session_id_plug.ex @@ -0,0 +1,15 @@ +defmodule Pleroma.Plugs.SetUserSessionIdPlug do + import Plug.Conn + alias Pleroma.User + + def init(opts) do + opts + end + + def call(%{assigns: %{user: %User{id: id}}} = conn, _) do + conn + |> put_session(:user_id, id) + end + + def call(conn, _), do: conn +end diff --git a/lib/pleroma/plugs/user_enabled_plug.ex b/lib/pleroma/plugs/user_enabled_plug.ex @@ -0,0 +1,17 @@ +defmodule Pleroma.Plugs.UserEnabledPlug do + import Plug.Conn + alias Pleroma.User + + def init(options) do + options + end + + def call(%{assigns: %{user: %User{info: %{"deactivated" => true}}}} = conn, _) do + conn + |> assign(:user, nil) + end + + def call(conn, _) do + conn + end +end diff --git a/lib/pleroma/plugs/user_fetcher_plug.ex b/lib/pleroma/plugs/user_fetcher_plug.ex @@ -0,0 +1,34 @@ +defmodule Pleroma.Plugs.UserFetcherPlug do + import Plug.Conn + alias Pleroma.Repo + alias Pleroma.User + + def init(options) do + options + end + + def call(conn, options) do + with %{auth_credentials: %{username: username}} <- conn.assigns, + {:ok, %User{} = user} <- user_fetcher(username) do + conn + |> assign(:auth_user, user) + else + _ -> conn + end + end + + defp user_fetcher(username_or_email) do + { + :ok, + cond do + # First, try logging in as if it was a name + user = Repo.get_by(User, %{nickname: username_or_email}) -> + user + + # If we get nil, we try using it as an email + user = Repo.get_by(User, %{email: username_or_email}) -> + user + end + } + end +end diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex @@ -9,47 +9,57 @@ defmodule Pleroma.Web.Router do @public Keyword.get(@instance, :public) @registrations_open Keyword.get(@instance, :registrations_open) - def user_fetcher(username_or_email) do - { - :ok, - cond do - # First, try logging in as if it was a name - user = Repo.get_by(User, %{nickname: username_or_email}) -> - user - - # If we get nil, we try using it as an email - user = Repo.get_by(User, %{email: username_or_email}) -> - user - end - } - end - pipeline :api do plug(:accepts, ["json"]) plug(:fetch_session) plug(Pleroma.Plugs.OAuthPlug) - plug(Pleroma.Plugs.AuthenticationPlug, %{fetcher: &Router.user_fetcher/1, optional: true}) + plug(Pleroma.Plugs.BasicAuthDecoderPlug) + plug(Pleroma.Plugs.UserFetcherPlug) + plug(Pleroma.Plugs.SessionAuthenticationPlug) + plug(Pleroma.Plugs.LegacyAuthenticationPlug) + plug(Pleroma.Plugs.AuthenticationPlug) + plug(Pleroma.Plugs.UserEnabledPlug) + plug(Pleroma.Plugs.SetUserSessionIdPlug) + plug(Pleroma.Plugs.EnsureUserKeyPlug) end pipeline :authenticated_api do plug(:accepts, ["json"]) plug(:fetch_session) plug(Pleroma.Plugs.OAuthPlug) - plug(Pleroma.Plugs.AuthenticationPlug, %{fetcher: &Router.user_fetcher/1}) + plug(Pleroma.Plugs.BasicAuthDecoderPlug) + plug(Pleroma.Plugs.UserFetcherPlug) + plug(Pleroma.Plugs.SessionAuthenticationPlug) + plug(Pleroma.Plugs.LegacyAuthenticationPlug) + plug(Pleroma.Plugs.AuthenticationPlug) + plug(Pleroma.Plugs.UserEnabledPlug) + plug(Pleroma.Plugs.SetUserSessionIdPlug) + plug(Pleroma.Plugs.EnsureAuthenticatedPlug) end pipeline :mastodon_html do plug(:accepts, ["html"]) plug(:fetch_session) plug(Pleroma.Plugs.OAuthPlug) - plug(Pleroma.Plugs.AuthenticationPlug, %{fetcher: &Router.user_fetcher/1, optional: true}) + plug(Pleroma.Plugs.BasicAuthDecoderPlug) + plug(Pleroma.Plugs.UserFetcherPlug) + plug(Pleroma.Plugs.SessionAuthenticationPlug) + plug(Pleroma.Plugs.LegacyAuthenticationPlug) + plug(Pleroma.Plugs.AuthenticationPlug) + plug(Pleroma.Plugs.UserEnabledPlug) + plug(Pleroma.Plugs.SetUserSessionIdPlug) + plug(Pleroma.Plugs.EnsureUserKeyPlug) end pipeline :pleroma_html do plug(:accepts, ["html"]) plug(:fetch_session) plug(Pleroma.Plugs.OAuthPlug) - plug(Pleroma.Plugs.AuthenticationPlug, %{fetcher: &Router.user_fetcher/1, optional: true}) + plug(Pleroma.Plugs.BasicAuthDecoderPlug) + plug(Pleroma.Plugs.UserFetcherPlug) + plug(Pleroma.Plugs.SessionAuthenticationPlug) + plug(Pleroma.Plugs.AuthenticationPlug) + plug(Pleroma.Plugs.EnsureUserKeyPlug) end pipeline :well_known do diff --git a/mix.exs b/mix.exs @@ -50,7 +50,9 @@ defmodule Pleroma.Mixfile do {:ex_aws_s3, "~> 2.0"}, {:ex_machina, "~> 2.2", only: :test}, {:credo, "~> 0.9.3", only: [:dev, :test]}, - {:mock, "~> 0.3.1", only: :test} + {:mock, "~> 0.3.1", only: :test}, + {:crypt, + git: "https://github.com/msantos/crypt", ref: "1f2b58927ab57e72910191a7ebaeff984382a1d3"} ] end diff --git a/mix.lock b/mix.lock @@ -8,6 +8,7 @@ "cowboy": {:hex, :cowboy, "1.1.2", "61ac29ea970389a88eca5a65601460162d370a70018afe6f949a29dca91f3bb0", [:rebar3], [{:cowlib, "~> 1.0.2", [hex: :cowlib, repo: "hexpm", optional: false]}, {:ranch, "~> 1.3.2", [hex: :ranch, repo: "hexpm", optional: false]}], "hexpm"}, "cowlib": {:hex, :cowlib, "1.0.2", "9d769a1d062c9c3ac753096f868ca121e2730b9a377de23dec0f7e08b1df84ee", [:make], [], "hexpm"}, "credo": {:hex, :credo, "0.9.3", "76fa3e9e497ab282e0cf64b98a624aa11da702854c52c82db1bf24e54ab7c97a", [:mix], [{:bunt, "~> 0.2.0", [hex: :bunt, repo: "hexpm", optional: false]}, {:poison, ">= 0.0.0", [hex: :poison, repo: "hexpm", optional: false]}], "hexpm"}, + "crypt": {:git, "https://github.com/msantos/crypt", "1f2b58927ab57e72910191a7ebaeff984382a1d3", [ref: "1f2b58927ab57e72910191a7ebaeff984382a1d3"]}, "db_connection": {:hex, :db_connection, "1.1.3", "89b30ca1ef0a3b469b1c779579590688561d586694a3ce8792985d4d7e575a61", [:mix], [{:connection, "~> 1.0.2", [hex: :connection, repo: "hexpm", optional: false]}, {:poolboy, "~> 1.5", [hex: :poolboy, repo: "hexpm", optional: true]}, {:sbroker, "~> 1.0", [hex: :sbroker, repo: "hexpm", optional: true]}], "hexpm"}, "decimal": {:hex, :decimal, "1.5.0", "b0433a36d0e2430e3d50291b1c65f53c37d56f83665b43d79963684865beab68", [:mix], [], "hexpm"}, "ecto": {:hex, :ecto, "2.2.10", "e7366dc82f48f8dd78fcbf3ab50985ceeb11cb3dc93435147c6e13f2cda0992e", [:mix], [{:db_connection, "~> 1.1", [hex: :db_connection, repo: "hexpm", optional: true]}, {:decimal, "~> 1.2", [hex: :decimal, repo: "hexpm", optional: false]}, {:mariaex, "~> 0.8.0", [hex: :mariaex, repo: "hexpm", optional: true]}, {:poison, "~> 2.2 or ~> 3.0", [hex: :poison, repo: "hexpm", optional: true]}, {:poolboy, "~> 1.5", [hex: :poolboy, repo: "hexpm", optional: false]}, {:postgrex, "~> 0.13.0", [hex: :postgrex, repo: "hexpm", optional: true]}, {:sbroker, "~> 1.0", [hex: :sbroker, repo: "hexpm", optional: true]}], "hexpm"}, diff --git a/test/plugs/authentication_plug_test.exs b/test/plugs/authentication_plug_test.exs @@ -4,196 +4,50 @@ defmodule Pleroma.Plugs.AuthenticationPlugTest do alias Pleroma.Plugs.AuthenticationPlug alias Pleroma.User - defp fetch_nil(_name) do - {:ok, nil} - end - - @user %User{ - id: 1, - name: "dude", - password_hash: Comeonin.Pbkdf2.hashpwsalt("guy") - } - - @deactivated %User{ - id: 1, - name: "dude", - password_hash: Comeonin.Pbkdf2.hashpwsalt("guy"), - info: %{"deactivated" => true} - } - - @session_opts [ - store: :cookie, - key: "_test", - signing_salt: "cooldude" - ] - - defp fetch_user(_name) do - {:ok, @user} - end - - defp basic_auth_enc(username, password) do - "Basic " <> Base.encode64("#{username}:#{password}") - end - - describe "without an authorization header" do - test "it halts the application" do - conn = - build_conn() - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> AuthenticationPlug.call(%{}) - - assert conn.status == 403 - assert conn.halted == true - end - - test "it assigns a nil user if the 'optional' option is used" do - conn = - build_conn() - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> AuthenticationPlug.call(%{optional: true}) - - assert %{user: nil} == conn.assigns - end - end - - describe "with an authorization header for a nonexisting user" do - test "it halts the application" do - conn = - build_conn() - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> AuthenticationPlug.call(%{fetcher: &fetch_nil/1}) - - assert conn.status == 403 - assert conn.halted == true - end - - test "it assigns a nil user if the 'optional' option is used" do - conn = - build_conn() - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> AuthenticationPlug.call(%{optional: true, fetcher: &fetch_nil/1}) + setup %{conn: conn} do + user = %User{ + id: 1, + name: "dude", + password_hash: Comeonin.Pbkdf2.hashpwsalt("guy") + } - assert %{user: nil} == conn.assigns - end - end - - describe "with an incorrect authorization header for a enxisting user" do - test "it halts the application" do - opts = %{ - fetcher: &fetch_user/1 - } - - header = basic_auth_enc("dude", "man") - - conn = - build_conn() - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> put_req_header("authorization", header) - |> AuthenticationPlug.call(opts) - - assert conn.status == 403 - assert conn.halted == true - end - - test "it assigns a nil user if the 'optional' option is used" do - opts = %{ - optional: true, - fetcher: &fetch_user/1 - } - - header = basic_auth_enc("dude", "man") - - conn = - build_conn() - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> put_req_header("authorization", header) - |> AuthenticationPlug.call(opts) + conn = + conn + |> assign(:auth_user, user) - assert %{user: nil} == conn.assigns - end + %{user: user, conn: conn} end - describe "with a correct authorization header for an existing user" do - test "it assigns the user", %{conn: conn} do - opts = %{ - optional: true, - fetcher: &fetch_user/1 - } + test "it does nothing if a user is assigned", %{conn: conn} do + conn = + conn + |> assign(:user, %User{}) - header = basic_auth_enc("dude", "guy") + ret_conn = + conn + |> AuthenticationPlug.call(%{}) - conn = - conn - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> put_req_header("authorization", header) - |> AuthenticationPlug.call(opts) - - assert %{user: @user} == conn.assigns - assert get_session(conn, :user_id) == @user.id - assert conn.halted == false - end - end - - describe "with a correct authorization header for an deactiviated user" do - test "it halts the appication", %{conn: conn} do - opts = %{ - optional: false, - fetcher: fn _ -> @deactivated end - } - - header = basic_auth_enc("dude", "guy") - - conn = - conn - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> put_req_header("authorization", header) - |> AuthenticationPlug.call(opts) - - assert conn.status == 403 - assert conn.halted == true - end + assert ret_conn == conn end - describe "with a user_id in the session for an existing user" do - test "it assigns the user", %{conn: conn} do - opts = %{ - optional: true, - fetcher: &fetch_user/1 - } - - header = basic_auth_enc("dude", "THIS IS WRONG") - - conn = - conn - |> Plug.Session.call(Plug.Session.init(@session_opts)) - |> fetch_session - |> put_session(:user_id, @user.id) - |> put_req_header("authorization", header) - |> AuthenticationPlug.call(opts) + test "with a correct password in the credentials, it assigns the auth_user", %{conn: conn} do + conn = + conn + |> assign(:auth_credentials, %{password: "guy"}) + |> AuthenticationPlug.call(%{}) - assert %{user: @user} == conn.assigns - assert get_session(conn, :user_id) == @user.id - assert conn.halted == false - end + assert conn.assigns.user == conn.assigns.auth_user end - describe "with an assigned user" do - test "it does nothing, returning the incoming conn", %{conn: conn} do - conn = - conn - |> assign(:user, @user) + test "with a wrong password in the credentials, it does nothing", %{conn: conn} do + conn = + conn + |> assign(:auth_credentials, %{password: "wrong"}) - conn_result = AuthenticationPlug.call(conn, %{}) + ret_conn = + conn + |> AuthenticationPlug.call(%{}) - assert conn == conn_result - end + assert conn == ret_conn end end diff --git a/test/plugs/basic_auth_decoder_plug_test.exs b/test/plugs/basic_auth_decoder_plug_test.exs @@ -0,0 +1,31 @@ +defmodule Pleroma.Plugs.BasicAuthDecoderPlugTest do + use Pleroma.Web.ConnCase, async: true + + alias Pleroma.Plugs.BasicAuthDecoderPlug + + defp basic_auth_enc(username, password) do + "Basic " <> Base.encode64("#{username}:#{password}") + end + + test "it puts the decoded credentials into the assigns", %{conn: conn} do + header = basic_auth_enc("moonman", "iloverobek") + + conn = + conn + |> put_req_header("authorization", header) + |> BasicAuthDecoderPlug.call(%{}) + + assert conn.assigns[:auth_credentials] == %{ + username: "moonman", + password: "iloverobek" + } + end + + test "without a authorization header it doesn't do anything", %{conn: conn} do + ret_conn = + conn + |> BasicAuthDecoderPlug.call(%{}) + + assert conn == ret_conn + end +end diff --git a/test/plugs/ensure_authenticated_plug_test.exs b/test/plugs/ensure_authenticated_plug_test.exs @@ -0,0 +1,27 @@ +defmodule Pleroma.Plugs.EnsureAuthenticatedPlugTest do + use Pleroma.Web.ConnCase, async: true + + alias Pleroma.Plugs.EnsureAuthenticatedPlug + alias Pleroma.User + + test "it halts if no user is assigned", %{conn: conn} do + conn = + conn + |> EnsureAuthenticatedPlug.call(%{}) + + assert conn.status == 403 + assert conn.halted == true + end + + test "it continues if a user is assigned", %{conn: conn} do + conn = + conn + |> assign(:user, %User{}) + + ret_conn = + conn + |> EnsureAuthenticatedPlug.call(%{}) + + assert ret_conn == conn + end +end diff --git a/test/plugs/ensure_user_key_plug_test.exs b/test/plugs/ensure_user_key_plug_test.exs @@ -0,0 +1,25 @@ +defmodule Pleroma.Plugs.EnsureUserKeyPlugTest do + use Pleroma.Web.ConnCase, async: true + + alias Pleroma.Plugs.EnsureUserKeyPlug + + test "if the conn has a user key set, it does nothing", %{conn: conn} do + conn = + conn + |> assign(:user, 1) + + ret_conn = + conn + |> EnsureUserKeyPlug.call(%{}) + + assert conn == ret_conn + end + + test "if the conn has no key set, it sets it to nil", %{conn: conn} do + conn = + conn + |> EnsureUserKeyPlug.call(%{}) + + assert Map.has_key?(conn.assigns, :user) + end +end diff --git a/test/plugs/legacy_authentication_plug_test.exs b/test/plugs/legacy_authentication_plug_test.exs @@ -0,0 +1,82 @@ +defmodule Pleroma.Plugs.LegacyAuthenticationPlugTest do + use Pleroma.Web.ConnCase, async: true + + alias Pleroma.Plugs.LegacyAuthenticationPlug + alias Pleroma.User + + import Mock + + setup do + # password is "password" + user = %User{ + id: 1, + name: "dude", + password_hash: + "$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1" + } + + %{user: user} + end + + test "it does nothing if a user is assigned", %{conn: conn, user: user} do + conn = + conn + |> assign(:auth_credentials, %{username: "dude", password: "password"}) + |> assign(:auth_user, user) + |> assign(:user, %User{}) + + ret_conn = + conn + |> LegacyAuthenticationPlug.call(%{}) + + assert ret_conn == conn + end + + test "it authenticates the auth_user if present and password is correct and resets the password", + %{ + conn: conn, + user: user + } do + conn = + conn + |> assign(:auth_credentials, %{username: "dude", password: "password"}) + |> assign(:auth_user, user) + + conn = + with_mock User, + reset_password: fn user, %{password: password, password_confirmation: password} -> + send(self(), :reset_password) + {:ok, user} + end do + conn + |> LegacyAuthenticationPlug.call(%{}) + end + + assert_received :reset_password + assert conn.assigns.user == user + end + + test "it does nothing if the password is wrong", %{ + conn: conn, + user: user + } do + conn = + conn + |> assign(:auth_credentials, %{username: "dude", password: "wrong_password"}) + |> assign(:auth_user, user) + + ret_conn = + conn + |> LegacyAuthenticationPlug.call(%{}) + + assert conn == ret_conn + end + + test "with no credentials or user it does nothing", %{conn: conn} do + ret_conn = + conn + |> LegacyAuthenticationPlug.call(%{}) + + assert ret_conn == conn + end +end diff --git a/test/plugs/session_authentication_plug_test.exs b/test/plugs/session_authentication_plug_test.exs @@ -0,0 +1,59 @@ +defmodule Pleroma.Plugs.SessionAuthenticationPlugTest do + use Pleroma.Web.ConnCase, async: true + + alias Pleroma.Plugs.SessionAuthenticationPlug + alias Pleroma.User + + setup %{conn: conn} do + session_opts = [ + store: :cookie, + key: "_test", + signing_salt: "cooldude" + ] + + conn = + conn + |> Plug.Session.call(Plug.Session.init(session_opts)) + |> fetch_session + |> assign(:auth_user, %User{id: 1}) + + %{conn: conn} + end + + test "it does nothing if a user is assigned", %{conn: conn} do + conn = + conn + |> assign(:user, %User{}) + + ret_conn = + conn + |> SessionAuthenticationPlug.call(%{}) + + assert ret_conn == conn + end + + test "if the auth_user has the same id as the user_id in the session, it assigns the user", %{ + conn: conn + } do + conn = + conn + |> put_session(:user_id, conn.assigns.auth_user.id) + |> SessionAuthenticationPlug.call(%{}) + + assert conn.assigns.user == conn.assigns.auth_user + end + + test "if the auth_user has a different id as the user_id in the session, it does nothing", %{ + conn: conn + } do + conn = + conn + |> put_session(:user_id, -1) + + ret_conn = + conn + |> SessionAuthenticationPlug.call(%{}) + + assert ret_conn == conn + end +end diff --git a/test/plugs/set_user_session_id_plug_test.exs b/test/plugs/set_user_session_id_plug_test.exs @@ -0,0 +1,39 @@ +defmodule Pleroma.Plugs.SetUserSessionIdPlugTest do + use Pleroma.Web.ConnCase, async: true + + alias Pleroma.Plugs.SetUserSessionIdPlug + alias Pleroma.User + + setup %{conn: conn} do + session_opts = [ + store: :cookie, + key: "_test", + signing_salt: "cooldude" + ] + + conn = + conn + |> Plug.Session.call(Plug.Session.init(session_opts)) + |> fetch_session + + %{conn: conn} + end + + test "doesn't do anything if the user isn't set", %{conn: conn} do + ret_conn = + conn + |> SetUserSessionIdPlug.call(%{}) + + assert ret_conn == conn + end + + test "sets the user_id in the session to the user id of the user assign", %{conn: conn} do + conn = + conn + |> assign(:user, %User{id: 1}) + |> SetUserSessionIdPlug.call(%{}) + + id = get_session(conn, :user_id) + assert id == 1 + end +end diff --git a/test/plugs/user_enabled_plug_test.exs b/test/plugs/user_enabled_plug_test.exs @@ -0,0 +1,35 @@ +defmodule Pleroma.Plugs.UserEnabledPlugTest do + use Pleroma.Web.ConnCase, async: true + + alias Pleroma.Plugs.UserEnabledPlug + alias Pleroma.User + + test "doesn't do anything if the user isn't set", %{conn: conn} do + ret_conn = + conn + |> UserEnabledPlug.call(%{}) + + assert ret_conn == conn + end + + test "with a user that is deactivated, it removes that user", %{conn: conn} do + conn = + conn + |> assign(:user, %User{info: %{"deactivated" => true}}) + |> UserEnabledPlug.call(%{}) + + assert conn.assigns.user == nil + end + + test "with a user that is not deactivated, it does nothing", %{conn: conn} do + conn = + conn + |> assign(:user, %User{}) + + ret_conn = + conn + |> UserEnabledPlug.call(%{}) + + assert conn == ret_conn + end +end diff --git a/test/plugs/user_fetcher_plug_test.exs b/test/plugs/user_fetcher_plug_test.exs @@ -0,0 +1,37 @@ +defmodule Pleroma.Plugs.UserFetcherPlugTest do + use Pleroma.Web.ConnCase, async: true + + alias Pleroma.Plugs.UserFetcherPlug + import Pleroma.Factory + + setup do + user = insert(:user) + %{user: user} + end + + test "if an auth_credentials assign is present, it tries to fetch the user and assigns it", %{ + conn: conn, + user: user + } do + conn = + conn + |> assign(:auth_credentials, %{ + username: user.nickname, + password: nil + }) + + conn = + conn + |> UserFetcherPlug.call(%{}) + + assert conn.assigns[:auth_user] == user + end + + test "without a credential assign it doesn't do anything", %{conn: conn} do + ret_conn = + conn + |> UserFetcherPlug.call(%{}) + + assert conn == ret_conn + end +end