Introduce support for 3rd-party auth (OAuth2 & LDAP)

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2020-06-27 19:12:45 +02:00
parent 59a538feba
commit 9a080c1f10
48 changed files with 1380 additions and 240 deletions
--- a/test/graphql/resolvers/participant_test.exs
+++ b/test/graphql/resolvers/participant_test.exs
@@ -991,7 +991,7 @@ defmodule Mobilizon.GraphQL.Resolvers.ParticipantTest do
          }
    """

-    clear_config([:anonymous, :participation])
+    setup do: clear_config([:anonymous, :participation])

    setup %{conn: conn, actor: actor, user: user} do
      Mobilizon.Config.clear_config_cache()
--- a/test/graphql/resolvers/report_test.exs
+++ b/test/graphql/resolvers/report_test.exs
@@ -33,7 +33,7 @@ defmodule Mobilizon.GraphQL.Resolvers.ReportTest do
      }
    """

-    clear_config([:anonymous, :reports])
+    setup do: clear_config([:anonymous, :reports])

    setup %{conn: conn} do
      Mobilizon.Config.clear_config_cache()
--- a/test/graphql/resolvers/user_test.exs
+++ b/test/graphql/resolvers/user_test.exs
@@ -9,6 +9,7 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do
  alias Mobilizon.Actors.Actor
  alias Mobilizon.Conversations.Comment
  alias Mobilizon.Events.{Event, Participant}
+  alias Mobilizon.Service.Auth.Authenticator
  alias Mobilizon.Users.User

  alias Mobilizon.GraphQL.AbsintheHelpers
@@ -45,8 +46,14 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do
        }
  """

+  @send_reset_password_mutation """
+    mutation SendResetPassword($email: String!) {
+      sendResetPassword(email: $email)
+    }
+  """
+
  @delete_user_account_mutation """
-    mutation DeleteAccount($password: String!) {
+    mutation DeleteAccount($password: String) {
      deleteAccount (password: $password) {
        id
      }
@@ -712,45 +719,50 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do
  end

  describe "Resolver: Send reset password" do
-    test "test send_reset_password/3 with valid email", context do
-      user = insert(:user)
-
-      mutation = """
-          mutation {
-            sendResetPassword(
-                  email: "#{user.email}"
-              )
-            }
-      """
+    test "test send_reset_password/3 with valid email", %{conn: conn} do
+      %User{email: email} = insert(:user)

      res =
-        context.conn
-        |> post("/api", AbsintheHelpers.mutation_skeleton(mutation))
+        conn
+        |> AbsintheHelpers.graphql_query(
+          query: @send_reset_password_mutation,
+          variables: %{email: email}
+        )

-      assert json_response(res, 200)["data"]["sendResetPassword"] == user.email
+      assert res["data"]["sendResetPassword"] == email
    end

-    test "test send_reset_password/3 with invalid email", context do
-      mutation = """
-          mutation {
-            sendResetPassword(
-                  email: "oh no"
-              )
-            }
-      """
+    test "test send_reset_password/3 with invalid email", %{conn: conn} do
+      res =
+        conn
+        |> AbsintheHelpers.graphql_query(
+          query: @send_reset_password_mutation,
+          variables: %{email: "not an email"}
+        )
+
+      assert hd(res["errors"])["message"] ==
+               "No user with this email was found"
+    end
+
+    test "test send_reset_password/3 for an LDAP user", %{conn: conn} do
+      {:ok, %User{email: email}} = Users.create_external("some@users.com", "ldap")

      res =
-        context.conn
-        |> post("/api", AbsintheHelpers.mutation_skeleton(mutation))
+        conn
+        |> AbsintheHelpers.graphql_query(
+          query: @send_reset_password_mutation,
+          variables: %{email: email}
+        )

-      assert hd(json_response(res, 200)["errors"])["message"] ==
-               "No user with this email was found"
+      assert hd(res["errors"])["message"] ==
+               "This user can't reset their password"
    end
  end

  describe "Resolver: Reset user's password" do
    test "test reset_password/3 with valid email", context do
      {:ok, %User{} = user} = Users.register(%{email: "toto@tata.tld", password: "p4ssw0rd"})
+      Users.update_user(user, %{confirmed_at: DateTime.utc_now()})
      %Actor{} = insert(:actor, user: user)
      {:ok, _email_sent} = Email.User.send_password_reset_email(user)
      %User{reset_password_token: reset_password_token} = Users.get_user!(user.id)
@@ -772,6 +784,7 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do
        context.conn
        |> post("/api", AbsintheHelpers.mutation_skeleton(mutation))

+      assert is_nil(json_response(res, 200)["errors"])
      assert json_response(res, 200)["data"]["resetPassword"]["user"]["id"] == to_string(user.id)
    end

@@ -829,7 +842,7 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do
  end

  describe "Resolver: Login a user" do
-    test "test login_user/3 with valid credentials", context do
+    test "test login_user/3 with valid credentials", %{conn: conn} do
      {:ok, %User{} = user} = Users.register(%{email: "toto@tata.tld", password: "p4ssw0rd"})

      {:ok, %User{} = _user} =
@@ -839,30 +852,18 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do
          "confirmation_token" => nil
        })

-      mutation = """
-          mutation {
-            login(
-                  email: "#{user.email}",
-                  password: "#{user.password}",
-              ) {
-                accessToken,
-                refreshToken,
-                user {
-                  id
-                }
-              }
-            }
-      """
-
      res =
-        context.conn
-        |> post("/api", AbsintheHelpers.mutation_skeleton(mutation))
+        conn
+        |> AbsintheHelpers.graphql_query(
+          query: @login_mutation,
+          variables: %{email: user.email, password: user.password}
+        )

-      assert login = json_response(res, 200)["data"]["login"]
+      assert login = res["data"]["login"]
      assert Map.has_key?(login, "accessToken") && not is_nil(login["accessToken"])
    end

-    test "test login_user/3 with invalid password", context do
+    test "test login_user/3 with invalid password", %{conn: conn} do
      {:ok, %User{} = user} = Users.register(%{email: "toto@tata.tld", password: "p4ssw0rd"})

      {:ok, %User{} = _user} =
@@ -872,79 +873,40 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do
          "confirmation_token" => nil
        })

-      mutation = """
-          mutation {
-            login(
-                  email: "#{user.email}",
-                  password: "bad password",
-              ) {
-                accessToken,
-                user {
-                  default_actor {
-                    preferred_username,
-                  }
-                }
-              }
-            }
-      """
-
      res =
-        context.conn
-        |> post("/api", AbsintheHelpers.mutation_skeleton(mutation))
+        conn
+        |> AbsintheHelpers.graphql_query(
+          query: @login_mutation,
+          variables: %{email: user.email, password: "bad password"}
+        )

-      assert hd(json_response(res, 200)["errors"])["message"] ==
+      assert hd(res["errors"])["message"] ==
               "Impossible to authenticate, either your email or password are invalid."
    end

-    test "test login_user/3 with invalid email", context do
-      mutation = """
-          mutation {
-            login(
-                  email: "bad email",
-                  password: "bad password",
-              ) {
-                accessToken,
-                user {
-                  default_actor {
-                    preferred_username,
-                  }
-                }
-              }
-            }
-      """
-
+    test "test login_user/3 with invalid email", %{conn: conn} do
      res =
-        context.conn
-        |> post("/api", AbsintheHelpers.mutation_skeleton(mutation))
+        conn
+        |> AbsintheHelpers.graphql_query(
+          query: @login_mutation,
+          variables: %{email: "bad email", password: "bad password"}
+        )

-      assert hd(json_response(res, 200)["errors"])["message"] ==
+      assert hd(res["errors"])["message"] ==
               "No user with this email was found"
    end

-    test "test login_user/3 with unconfirmed user", context do
+    test "test login_user/3 with unconfirmed user", %{conn: conn} do
      {:ok, %User{} = user} = Users.register(%{email: "toto@tata.tld", password: "p4ssw0rd"})

-      mutation = """
-          mutation {
-            login(
-                  email: "#{user.email}",
-                  password: "#{user.password}",
-              ) {
-                accessToken,
-                user {
-                  default_actor {
-                    preferred_username,
-                  }
-                }
-              }
-            }
-      """
-
      res =
-        context.conn
-        |> post("/api", AbsintheHelpers.mutation_skeleton(mutation))
+        conn
+        |> AbsintheHelpers.graphql_query(
+          query: @login_mutation,
+          variables: %{email: user.email, password: user.password}
+        )

-      assert hd(json_response(res, 200)["errors"])["message"] == "User account not confirmed"
+      assert hd(res["errors"])["message"] == "No user with this email was found"
    end
  end

@@ -970,7 +932,7 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do

    test "test refresh_token/3 with an appropriate token", context do
      user = insert(:user)
-      {:ok, refresh_token} = Users.generate_refresh_token(user)
+      {:ok, refresh_token} = Authenticator.generate_refresh_token(user)

      mutation = """
          mutation {
@@ -1441,6 +1403,18 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do
      assert is_nil(Events.get_participant(participant_id))
    end

+    test "delete_account/3 with 3rd-party auth login", %{conn: conn} do
+      {:ok, %User{} = user} = Users.create_external(@email, "keycloak")
+
+      res =
+        conn
+        |> auth_conn(user)
+        |> AbsintheHelpers.graphql_query(query: @delete_user_account_mutation)
+
+      assert is_nil(res["errors"])
+      assert res["data"]["deleteAccount"]["id"] == to_string(user.id)
+    end
+
    test "delete_account/3 with invalid password", %{conn: conn} do
      {:ok, %User{} = user} = Users.register(%{email: @email, password: @password})

--- a/test/mobilizon/users/users_test.exs
+++ b/test/mobilizon/users/users_test.exs
@@ -72,14 +72,6 @@ defmodule Mobilizon.UsersTest do

    @email "email@domain.tld"
    @password "password"
-    test "authenticate/1 checks the user's password" do
-      {:ok, %User{} = user} = Users.register(%{email: @email, password: @password})
-
-      assert {:ok, _} = Users.authenticate(%{user: user, password: @password})
-
-      assert {:error, :unauthorized} ==
-               Users.authenticate(%{user: user, password: "bad password"})
-    end

    test "get_user_by_email/1 finds an user by its email" do
      {:ok, %User{email: email} = user} = Users.register(%{email: @email, password: @password})
--- a/test/service/auth/authentificator_test.exs
+++ b/test/service/auth/authentificator_test.exs
@@ -0,0 +1,34 @@
+defmodule Mobilizon.Service.Auth.AuthenticatorTest do
+  use Mobilizon.DataCase
+
+  alias Mobilizon.Service.Auth.Authenticator
+  alias Mobilizon.Users
+  alias Mobilizon.Users.User
+  import Mobilizon.Factory
+
+  @email "email@domain.tld"
+  @password "password"
+
+  describe "test authentification" do
+    test "authenticate/1 checks the user's password" do
+      {:ok, %User{} = user} = Users.register(%{email: @email, password: @password})
+      Users.update_user(user, %{confirmed_at: DateTime.utc_now()})
+
+      assert {:ok, _} = Authenticator.authenticate(@email, @password)
+
+      assert {:error, :bad_password} ==
+               Authenticator.authenticate(@email, "completely wrong password")
+    end
+  end
+
+  describe "fetch_user/1" do
+    test "returns user by email" do
+      user = insert(:user)
+      assert Authenticator.fetch_user(user.email).id == user.id
+    end
+
+    test "returns nil" do
+      assert Authenticator.fetch_user("email") == {:error, :user_not_found}
+    end
+  end
+end
--- a/test/service/auth/ldap_authentificator_test.exs
+++ b/test/service/auth/ldap_authentificator_test.exs
@@ -0,0 +1,238 @@
+defmodule Mobilizon.Service.Auth.LDAPAuthenticatorTest do
+  use Mobilizon.Web.ConnCase
+  use Mobilizon.Tests.Helpers
+
+  alias Mobilizon.GraphQL.AbsintheHelpers
+  alias Mobilizon.Service.Auth.{Authenticator, LDAPAuthenticator}
+  alias Mobilizon.Users.User
+  alias Mobilizon.Web.Auth.Guardian
+
+  import Mobilizon.Factory
+  import ExUnit.CaptureLog
+  import Mock
+
+  @skip if !Code.ensure_loaded?(:eldap), do: :skip
+  @admin_password "admin_password"
+
+  setup_all do
+    clear_config([:ldap, :enabled], true)
+    clear_config([:ldap, :bind_uid], "admin")
+    clear_config([:ldap, :bind_password], @admin_password)
+  end
+
+  setup_all do:
+              clear_config(
+                Authenticator,
+                LDAPAuthenticator
+              )
+
+  @login_mutation """
+  mutation Login($email: String!, $password: String!) {
+    login(email: $email, password: $password) {
+        accessToken,
+        refreshToken,
+        user {
+          id
+        }
+      }
+    }
+  """
+
+  describe "login" do
+    @tag @skip
+    test "authorizes the existing user using LDAP credentials", %{conn: conn} do
+      user_password = "testpassword"
+      admin_password = "admin_password"
+      user = insert(:user, password_hash: Argon2.hash_pwd_salt(user_password))
+
+      host = [:ldap, :host] |> Mobilizon.Config.get() |> to_charlist
+      port = Mobilizon.Config.get([:ldap, :port])
+
+      with_mocks [
+        {:eldap, [],
+         [
+           open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:ok, self()} end,
+           simple_bind: fn _connection, _dn, password ->
+             case password do
+               ^admin_password -> :ok
+               ^user_password -> :ok
+             end
+           end,
+           equalityMatch: fn _type, _value -> :ok end,
+           wholeSubtree: fn -> :ok end,
+           search: fn _connection, _options ->
+             {:ok,
+              {:eldap_search_result, [{:eldap_entry, '', [{'cn', [to_charlist("MyUser")]}]}], []}}
+           end,
+           close: fn _connection ->
+             send(self(), :close_connection)
+             :ok
+           end
+         ]}
+      ] do
+        res =
+          conn
+          |> AbsintheHelpers.graphql_query(
+            query: @login_mutation,
+            variables: %{email: user.email, password: user_password}
+          )
+
+        assert is_nil(res["error"])
+        assert token = res["data"]["login"]["accessToken"]
+
+        {:ok, %User{} = user_from_token, _claims} = Guardian.resource_from_token(token)
+
+        assert user_from_token.id == user.id
+        assert_received :close_connection
+      end
+    end
+
+    @tag @skip
+    test "creates a new user after successful LDAP authorization", %{conn: conn} do
+      user_password = "testpassword"
+      admin_password = "admin_password"
+      user = build(:user)
+
+      host = [:ldap, :host] |> Mobilizon.Config.get() |> to_charlist
+      port = Mobilizon.Config.get([:ldap, :port])
+
+      with_mocks [
+        {:eldap, [],
+         [
+           open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:ok, self()} end,
+           simple_bind: fn _connection, _dn, password ->
+             case password do
+               ^admin_password -> :ok
+               ^user_password -> :ok
+             end
+           end,
+           equalityMatch: fn _type, _value -> :ok end,
+           wholeSubtree: fn -> :ok end,
+           search: fn _connection, _options ->
+             {:ok,
+              {:eldap_search_result, [{:eldap_entry, '', [{'cn', [to_charlist("MyUser")]}]}], []}}
+           end,
+           close: fn _connection ->
+             send(self(), :close_connection)
+             :ok
+           end
+         ]}
+      ] do
+        res =
+          conn
+          |> AbsintheHelpers.graphql_query(
+            query: @login_mutation,
+            variables: %{email: user.email, password: user_password}
+          )
+
+        assert is_nil(res["error"])
+        assert token = res["data"]["login"]["accessToken"]
+
+        {:ok, %User{} = user_from_token, _claims} = Guardian.resource_from_token(token)
+
+        assert user_from_token.email == user.email
+        assert_received :close_connection
+      end
+    end
+
+    @tag @skip
+    test "falls back to the default authorization when LDAP is unavailable", %{conn: conn} do
+      user_password = "testpassword"
+      admin_password = "admin_password"
+      user = insert(:user, password_hash: Argon2.hash_pwd_salt(user_password))
+
+      host = [:ldap, :host] |> Mobilizon.Config.get() |> to_charlist
+      port = Mobilizon.Config.get([:ldap, :port])
+
+      with_mocks [
+        {:eldap, [],
+         [
+           open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:error, 'connect failed'} end,
+           simple_bind: fn _connection, _dn, password ->
+             case password do
+               ^admin_password -> :ok
+               ^user_password -> :ok
+             end
+           end,
+           equalityMatch: fn _type, _value -> :ok end,
+           wholeSubtree: fn -> :ok end,
+           search: fn _connection, _options ->
+             {:ok,
+              {:eldap_search_result, [{:eldap_entry, '', [{'cn', [to_charlist("MyUser")]}]}], []}}
+           end,
+           close: fn _connection ->
+             send(self(), :close_connection)
+             :ok
+           end
+         ]}
+      ] do
+        log =
+          capture_log(fn ->
+            res =
+              conn
+              |> AbsintheHelpers.graphql_query(
+                query: @login_mutation,
+                variables: %{email: user.email, password: user_password}
+              )
+
+            assert is_nil(res["error"])
+            assert token = res["data"]["login"]["accessToken"]
+
+            {:ok, %User{} = user_from_token, _claims} = Guardian.resource_from_token(token)
+
+            assert user_from_token.email == user.email
+          end)
+
+        assert log =~ "Could not open LDAP connection: 'connect failed'"
+        refute_received :close_connection
+      end
+    end
+
+    @tag @skip
+    test "disallow authorization for wrong LDAP credentials", %{conn: conn} do
+      user_password = "testpassword"
+      user = insert(:user, password_hash: Argon2.hash_pwd_salt(user_password))
+
+      host = [:ldap, :host] |> Mobilizon.Config.get() |> to_charlist
+      port = Mobilizon.Config.get([:ldap, :port])
+
+      with_mocks [
+        {:eldap, [],
+         [
+           open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:ok, self()} end,
+           simple_bind: fn _connection, _dn, _password -> {:error, :invalidCredentials} end,
+           close: fn _connection ->
+             send(self(), :close_connection)
+             :ok
+           end
+         ]}
+      ] do
+        res =
+          conn
+          |> AbsintheHelpers.graphql_query(
+            query: @login_mutation,
+            variables: %{email: user.email, password: user_password}
+          )
+
+        refute is_nil(res["errors"])
+
+        assert assert hd(res["errors"])["message"] ==
+                        "Impossible to authenticate, either your email or password are invalid."
+
+        assert_received :close_connection
+      end
+    end
+  end
+
+  describe "can change" do
+    test "password" do
+      assert LDAPAuthenticator.can_change_password?(%User{provider: "ldap"}) == false
+      assert LDAPAuthenticator.can_change_password?(%User{provider: nil}) == true
+    end
+
+    test "email" do
+      assert LDAPAuthenticator.can_change_password?(%User{provider: "ldap"}) == false
+      assert LDAPAuthenticator.can_change_password?(%User{provider: nil}) == true
+    end
+  end
+end
--- a/test/service/auth/mobilizon_authentificator_test.exs
+++ b/test/service/auth/mobilizon_authentificator_test.exs
@@ -0,0 +1,29 @@
+defmodule Mobilizon.Service.Auth.MobilizonAuthenticatorTest do
+  use Mobilizon.DataCase
+
+  alias Mobilizon.Service.Auth.MobilizonAuthenticator
+  alias Mobilizon.Users.User
+  import Mobilizon.Factory
+
+  setup do
+    password = "testpassword"
+    email = "someone@somewhere.tld"
+    user = insert(:user, email: email, password_hash: Argon2.hash_pwd_salt(password))
+    {:ok, [user: user, email: email, password: password]}
+  end
+
+  test "login", %{email: email, password: password, user: user} do
+    assert {:ok, %User{} = returned_user} = MobilizonAuthenticator.login(email, password)
+    assert returned_user.id == user.id
+  end
+
+  test "login with invalid password", %{email: email} do
+    assert {:error, :bad_password} == MobilizonAuthenticator.login(email, "invalid")
+    assert {:error, :bad_password} == MobilizonAuthenticator.login(email, nil)
+  end
+
+  test "login with no credentials" do
+    assert {:error, :user_not_found} == MobilizonAuthenticator.login("some@email.com", nil)
+    assert {:error, :user_not_found} == MobilizonAuthenticator.login(nil, nil)
+  end
+end
--- a/test/support/factory.ex
+++ b/test/support/factory.ex
@@ -18,7 +18,8 @@ defmodule Mobilizon.Factory do
      role: :user,
      confirmed_at: DateTime.utc_now() |> DateTime.truncate(:second),
      confirmation_sent_at: nil,
-      confirmation_token: nil
+      confirmation_token: nil,
+      provider: nil
    }
  end

--- a/test/support/helpers.ex
+++ b/test/support/helpers.ex
@@ -7,6 +7,7 @@ defmodule Mobilizon.Tests.Helpers do
  @moduledoc """
  Helpers for use in tests.
  """
+  alias Mobilizon.Config

  defmacro clear_config(config_path) do
    quote do
@@ -17,11 +18,17 @@ defmodule Mobilizon.Tests.Helpers do

  defmacro clear_config(config_path, do: yield) do
    quote do
-      setup do
-        initial_setting = Mobilizon.Config.get(unquote(config_path))
-        unquote(yield)
-        on_exit(fn -> Mobilizon.Config.put(unquote(config_path), initial_setting) end)
-        :ok
+      initial_setting = Config.get(unquote(config_path))
+      unquote(yield)
+      on_exit(fn -> Config.put(unquote(config_path), initial_setting) end)
+      :ok
+    end
+  end
+
+  defmacro clear_config(config_path, temp_setting) do
+    quote do
+      clear_config(unquote(config_path)) do
+        Config.put(unquote(config_path), unquote(temp_setting))
      end
    end
  end
--- a/test/web/controllers/auth_controller_test.exs
+++ b/test/web/controllers/auth_controller_test.exs
@@ -0,0 +1,54 @@
+defmodule Mobilizon.Web.AuthControllerTest do
+  use Mobilizon.Web.ConnCase
+  alias Mobilizon.Service.Auth.Authenticator
+  alias Mobilizon.Users.User
+
+  @email "someone@somewhere.tld"
+
+  test "login and registration",
+       %{conn: conn} do
+    conn =
+      conn
+      |> assign(:ueberauth_auth, %Ueberauth.Auth{
+        strategy: Ueberauth.Strategy.Twitter,
+        extra: %Ueberauth.Auth.Extra{raw_info: %{user: %{"email" => @email}}}
+      })
+      |> get("/auth/twitter/callback")
+
+    assert html_response(conn, 200) =~ "auth-access-token"
+
+    assert %User{confirmed_at: confirmed_at, email: @email} = Authenticator.fetch_user(@email)
+
+    refute is_nil(confirmed_at)
+  end
+
+  test "on bad provider error", %{
+    conn: conn
+  } do
+    conn =
+      conn
+      |> assign(:ueberauth_failure, %{errors: [%{message: "Some error"}]})
+      |> get("/auth/nothing")
+
+    assert "/login?code=Login Provider not found&provider=nothing" =
+             redirection = redirected_to(conn, 302)
+
+    conn = get(recycle(conn), redirection)
+    assert html_response(conn, 200)
+  end
+
+  test "on authentication error", %{
+    conn: conn
+  } do
+    conn =
+      conn
+      |> assign(:ueberauth_failure, %{errors: [%{message: "Some error"}]})
+      |> get("/auth/twitter/callback")
+
+    assert "/login?code=Error with Login Provider&provider=twitter" =
+             redirection = redirected_to(conn, 302)
+
+    conn = get(recycle(conn), redirection)
+    assert html_response(conn, 200)
+  end
+end