akkoma/test/web/oauth/ldap_authorization_test.exs

# Pleroma: A lightweight social networking server
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Web.OAuth.LDAPAuthorizationTest do
  use Pleroma.Web.ConnCase
  alias Pleroma.Repo
  alias Pleroma.Web.OAuth.Token
  import Pleroma.Factory
  import ExUnit.CaptureLog
  import Mock

  @skip if !Code.ensure_loaded?(:eldap), do: :skip

  setup_all do: clear_config([:ldap, :enabled], true)

  setup_all do: clear_config(Pleroma.Web.Auth.Authenticator, Pleroma.Web.Auth.LDAPAuthenticator)

  @tag @skip
  test "authorizes the existing user using LDAP credentials" do
    password = "testpassword"
    user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))
    app = insert(:oauth_app, scopes: ["read", "write"])

    host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
    port = Pleroma.Config.get([:ldap, :port])

    with_mocks [
      {:eldap, [],
       [
         open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:ok, self()} end,
         simple_bind: fn _connection, _dn, ^password -> :ok end,
         close: fn _connection ->
           send(self(), :close_connection)
           :ok
         end
       ]}
    ] do
      conn =
        build_conn()
        |> post("/oauth/token", %{
          "grant_type" => "password",
          "username" => user.nickname,
          "password" => password,
          "client_id" => app.client_id,
          "client_secret" => app.client_secret
        })

      assert %{"access_token" => token} = json_response(conn, 200)

      token = Repo.get_by(Token, token: token)

      assert token.user_id == user.id
      assert_received :close_connection
    end
  end

  @tag @skip
  test "creates a new user after successful LDAP authorization" do
    password = "testpassword"
    user = build(:user)
    app = insert(:oauth_app, scopes: ["read", "write"])

    host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
    port = Pleroma.Config.get([:ldap, :port])

    with_mocks [
      {:eldap, [],
       [
         open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:ok, self()} end,
         simple_bind: fn _connection, _dn, ^password -> :ok end,
         equalityMatch: fn _type, _value -> :ok end,
         wholeSubtree: fn -> :ok end,
         search: fn _connection, _options ->
           {:ok,
            {:eldap_search_result, [{:eldap_entry, '', [{'mail', [to_charlist(user.email)]}]}],
             []}}
         end,
         close: fn _connection ->
           send(self(), :close_connection)
           :ok
         end
       ]}
    ] do
      conn =
        build_conn()
        |> post("/oauth/token", %{
          "grant_type" => "password",
          "username" => user.nickname,
          "password" => password,
          "client_id" => app.client_id,
          "client_secret" => app.client_secret
        })

      assert %{"access_token" => token} = json_response(conn, 200)

      token = Repo.get_by(Token, token: token) |> Repo.preload(:user)

      assert token.user.nickname == user.nickname
      assert_received :close_connection
    end
  end

  @tag @skip
  test "falls back to the default authorization when LDAP is unavailable" do
    password = "testpassword"
    user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))
    app = insert(:oauth_app, scopes: ["read", "write"])

    host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
    port = Pleroma.Config.get([:ldap, :port])

    with_mocks [
      {:eldap, [],
       [
         open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:error, 'connect failed'} end,
         simple_bind: fn _connection, _dn, ^password -> :ok end,
         close: fn _connection ->
           send(self(), :close_connection)
           :ok
         end
       ]}
    ] do
      log =
        capture_log(fn ->
          conn =
            build_conn()
            |> post("/oauth/token", %{
              "grant_type" => "password",
              "username" => user.nickname,
              "password" => password,
              "client_id" => app.client_id,
              "client_secret" => app.client_secret
            })

          assert %{"access_token" => token} = json_response(conn, 200)

          token = Repo.get_by(Token, token: token)

          assert token.user_id == user.id
        end)

      assert log =~ "Could not open LDAP connection: 'connect failed'"
      refute_received :close_connection
    end
  end

  @tag @skip
  test "disallow authorization for wrong LDAP credentials" do
    password = "testpassword"
    user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))
    app = insert(:oauth_app, scopes: ["read", "write"])

    host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
    port = Pleroma.Config.get([:ldap, :port])

    with_mocks [
      {:eldap, [],
       [
         open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:ok, self()} end,
         simple_bind: fn _connection, _dn, ^password -> {:error, :invalidCredentials} end,
         close: fn _connection ->
           send(self(), :close_connection)
           :ok
         end
       ]}
    ] do
      conn =
        build_conn()
        |> post("/oauth/token", %{
          "grant_type" => "password",
          "username" => user.nickname,
          "password" => password,
          "client_id" => app.client_id,
          "client_secret" => app.client_secret
        })

      assert %{"error" => "Invalid credentials"} = json_response(conn, 400)
      assert_received :close_connection
    end
  end
end
Add tests for LDAP authorization 2019-03-15 14:28:46 +00:00			`# Pleroma: A lightweight social networking server`
Update Copyrights 2020-03-03 22:44:49 +00:00			`# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>`
Add tests for LDAP authorization 2019-03-15 14:28:46 +00:00			`# SPDX-License-Identifier: AGPL-3.0-only`

			`defmodule Pleroma.Web.OAuth.LDAPAuthorizationTest do`
			`use Pleroma.Web.ConnCase`
			`alias Pleroma.Repo`
			`alias Pleroma.Web.OAuth.Token`
			`import Pleroma.Factory`
			`import ExUnit.CaptureLog`
			`import Mock`

Skip tests in LDAPAuthorizationTest if :eldap module is unavailable 2019-03-21 10:31:16 +00:00			`@skip if !Code.ensure_loaded?(:eldap), do: :skip`

Improved in-test `clear_config/n` applicability (setup / setup_all / in-test usage). 2020-03-20 15:33:00 +00:00			`setup_all do: clear_config([:ldap, :enabled], true)`
Add tests for LDAP authorization 2019-03-15 14:28:46 +00:00
Improved in-test `clear_config/n` applicability (setup / setup_all / in-test usage). 2020-03-20 15:33:00 +00:00			`setup_all do: clear_config(Pleroma.Web.Auth.Authenticator, Pleroma.Web.Auth.LDAPAuthenticator)`
Add tests for LDAP authorization 2019-03-15 14:28:46 +00:00
Skip tests in LDAPAuthorizationTest if :eldap module is unavailable 2019-03-21 10:31:16 +00:00			`@tag @skip`
Add tests for LDAP authorization 2019-03-15 14:28:46 +00:00			`test "authorizes the existing user using LDAP credentials" do`
			`password = "testpassword"`
Upgrade Comeonin to v5 https://github.com/riverrun/comeonin/blob/master/UPGRADE_v5.md 2020-05-12 21:42:24 +00:00			`user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))`
Add tests for LDAP authorization 2019-03-15 14:28:46 +00:00			`app = insert(:oauth_app, scopes: ["read", "write"])`

			`host = Pleroma.Config.get([:ldap, :host]) \|> to_charlist`
			`port = Pleroma.Config.get([:ldap, :port])`

			`with_mocks [`
			`{:eldap, [],`
			`[`
			`open: fn [^host], [{:port, ^port}, {:ssl, false} \| _] -> {:ok, self()} end,`
			`simple_bind: fn _connection, _dn, ^password -> :ok end,`
			`close: fn _connection ->`
			`send(self(), :close_connection)`
			`:ok`
			`end`
			`]}`
			`] do`
			`conn =`
			`build_conn()`
			`\|> post("/oauth/token", %{`
			`"grant_type" => "password",`
			`"username" => user.nickname,`
			`"password" => password,`
			`"client_id" => app.client_id,`
			`"client_secret" => app.client_secret`
			`})`

			`assert %{"access_token" => token} = json_response(conn, 200)`

			`token = Repo.get_by(Token, token: token)`

			`assert token.user_id == user.id`
			`assert_received :close_connection`
			`end`
			`end`

Skip tests in LDAPAuthorizationTest if :eldap module is unavailable 2019-03-21 10:31:16 +00:00			`@tag @skip`
Add tests for LDAP authorization 2019-03-15 14:28:46 +00:00			`test "creates a new user after successful LDAP authorization" do`
			`password = "testpassword"`
			`user = build(:user)`
			`app = insert(:oauth_app, scopes: ["read", "write"])`

			`host = Pleroma.Config.get([:ldap, :host]) \|> to_charlist`
			`port = Pleroma.Config.get([:ldap, :port])`

			`with_mocks [`
			`{:eldap, [],`
			`[`
			`open: fn [^host], [{:port, ^port}, {:ssl, false} \| _] -> {:ok, self()} end,`
			`simple_bind: fn _connection, _dn, ^password -> :ok end,`
			`equalityMatch: fn _type, _value -> :ok end,`
			`wholeSubtree: fn -> :ok end,`
			`search: fn _connection, _options ->`
			`{:ok,`
			`{:eldap_search_result, [{:eldap_entry, '', [{'mail', [to_charlist(user.email)]}]}],`
			`[]}}`
			`end,`
			`close: fn _connection ->`
			`send(self(), :close_connection)`
			`:ok`
			`end`
			`]}`
			`] do`
			`conn =`
			`build_conn()`
			`\|> post("/oauth/token", %{`
			`"grant_type" => "password",`
			`"username" => user.nickname,`
			`"password" => password,`
			`"client_id" => app.client_id,`
			`"client_secret" => app.client_secret`
			`})`

			`assert %{"access_token" => token} = json_response(conn, 200)`

			`token = Repo.get_by(Token, token: token) \|> Repo.preload(:user)`

			`assert token.user.nickname == user.nickname`
			`assert_received :close_connection`
			`end`
			`end`

Skip tests in LDAPAuthorizationTest if :eldap module is unavailable 2019-03-21 10:31:16 +00:00			`@tag @skip`
Add tests for LDAP authorization 2019-03-15 14:28:46 +00:00			`test "falls back to the default authorization when LDAP is unavailable" do`
			`password = "testpassword"`
Upgrade Comeonin to v5 https://github.com/riverrun/comeonin/blob/master/UPGRADE_v5.md 2020-05-12 21:42:24 +00:00			`user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))`
Add tests for LDAP authorization 2019-03-15 14:28:46 +00:00			`app = insert(:oauth_app, scopes: ["read", "write"])`

			`host = Pleroma.Config.get([:ldap, :host]) \|> to_charlist`
			`port = Pleroma.Config.get([:ldap, :port])`

			`with_mocks [`
			`{:eldap, [],`
			`[`
			`open: fn [^host], [{:port, ^port}, {:ssl, false} \| _] -> {:error, 'connect failed'} end,`
			`simple_bind: fn _connection, _dn, ^password -> :ok end,`
			`close: fn _connection ->`
			`send(self(), :close_connection)`
			`:ok`
			`end`
			`]}`
			`] do`
			`log =`
			`capture_log(fn ->`
			`conn =`
			`build_conn()`
			`\|> post("/oauth/token", %{`
			`"grant_type" => "password",`
			`"username" => user.nickname,`
			`"password" => password,`
			`"client_id" => app.client_id,`
			`"client_secret" => app.client_secret`
			`})`

			`assert %{"access_token" => token} = json_response(conn, 200)`

			`token = Repo.get_by(Token, token: token)`

			`assert token.user_id == user.id`
			`end)`

			`assert log =~ "Could not open LDAP connection: 'connect failed'"`
			`refute_received :close_connection`
			`end`
			`end`

Skip tests in LDAPAuthorizationTest if :eldap module is unavailable 2019-03-21 10:31:16 +00:00			`@tag @skip`
Add tests for LDAP authorization 2019-03-15 14:28:46 +00:00			`test "disallow authorization for wrong LDAP credentials" do`
			`password = "testpassword"`
Upgrade Comeonin to v5 https://github.com/riverrun/comeonin/blob/master/UPGRADE_v5.md 2020-05-12 21:42:24 +00:00			`user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))`
Add tests for LDAP authorization 2019-03-15 14:28:46 +00:00			`app = insert(:oauth_app, scopes: ["read", "write"])`

			`host = Pleroma.Config.get([:ldap, :host]) \|> to_charlist`
			`port = Pleroma.Config.get([:ldap, :port])`

			`with_mocks [`
			`{:eldap, [],`
			`[`
			`open: fn [^host], [{:port, ^port}, {:ssl, false} \| _] -> {:ok, self()} end,`
			`simple_bind: fn _connection, _dn, ^password -> {:error, :invalidCredentials} end,`
			`close: fn _connection ->`
			`send(self(), :close_connection)`
			`:ok`
			`end`
			`]}`
			`] do`
			`conn =`
			`build_conn()`
			`\|> post("/oauth/token", %{`
			`"grant_type" => "password",`
			`"username" => user.nickname,`
			`"password" => password,`
			`"client_id" => app.client_id,`
			`"client_secret" => app.client_secret`
			`})`

			`assert %{"error" => "Invalid credentials"} = json_response(conn, 400)`
			`assert_received :close_connection`
			`end`
			`end`
			`end`