// Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.

package app

import (
	"testing"

	"github.com/mattermost/mattermost-server/model"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

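// TestGetOAuthAccessTokenForImplicitFlow exercises the implicit-grant path:
// a valid request must yield a session bound to the authorizing user and
// flagged as an OAuth session, while a disabled OAuth provider, an unknown
// client id and an unknown user id are all rejected without producing one.
func TestGetOAuthAccessTokenForImplicitFlow(t *testing.T) {
	th := Setup().InitBasic()
	defer th.TearDown()

	th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })

	// The app is owned by BasicUser2; BasicUser is the one authorizing it.
	oapp := &model.OAuthApp{
		Name:         "fakeoauthapp" + model.NewRandomString(10),
		CreatorId:    th.BasicUser2.Id,
		Homepage:     "https://nowhere.com",
		Description:  "test",
		CallbackUrls: []string{"https://nowhere.com"},
	}

	oapp, err := th.App.CreateOAuthApp(oapp)
	require.Nil(t, err)

	authRequest := &model.AuthorizeRequest{
		ResponseType: model.IMPLICIT_RESPONSE_TYPE,
		ClientId:     oapp.Id,
		RedirectUri:  oapp.CallbackUrls[0],
		Scope:        "",
		State:        "123",
	}

	// Happy path. Use require here: the assertions below dereference the
	// session, so a nil session must stop the test instead of panicking.
	session, err := th.App.GetOAuthAccessTokenForImplicitFlow(th.BasicUser.Id, authRequest)
	require.Nil(t, err)
	require.NotNil(t, session)
	// The issued token must belong to the user who authorized the app and be
	// marked as an OAuth session rather than an ordinary login session.
	assert.Equal(t, th.BasicUser.Id, session.UserId)
	assert.True(t, session.IsOAuth)
	assert.NotEmpty(t, session.Token)

	// NOTE(review): this test never sends a RedirectUri outside CallbackUrls,
	// so redirect-URI matching is not exercised here; confirm it is enforced
	// by the caller before this function is reached.

	th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = false })

	session, err = th.App.GetOAuthAccessTokenForImplicitFlow(th.BasicUser.Id, authRequest)
	assert.NotNil(t, err, "should fail - oauth2 disabled")
	assert.Nil(t, session)

	th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
	authRequest.ClientId = "junk"

	session, err = th.App.GetOAuthAccessTokenForImplicitFlow(th.BasicUser.Id, authRequest)
	assert.NotNil(t, err, "should fail - bad client id")
	assert.Nil(t, session)

	authRequest.ClientId = oapp.Id

	session, err = th.App.GetOAuthAccessTokenForImplicitFlow("junk", authRequest)
	assert.NotNil(t, err, "should fail - bad user id")
	assert.Nil(t, session)
}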

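// TestOAuthRevokeAccessToken checks that RevokeAccessToken refuses tokens it
// never issued (a random string, a plain session token with no AccessData
// behind it) and only succeeds once an AccessData row backs the token.
func TestOAuthRevokeAccessToken(t *testing.T) {
	th := Setup()
	defer th.TearDown()

	// A value that was never issued as a token must not be revocable.
	err := th.App.RevokeAccessToken(model.NewRandomString(16))
	require.NotNil(t, err, "Should have failed bad token")

	session := &model.Session{}
	session.CreateAt = model.GetMillis()
	session.UserId = model.NewId()
	session.Token = model.NewId()
	session.Roles = model.SYSTEM_USER_ROLE_ID
	session.SetExpireInDays(1)

	// Do not discard the CreateSession error: on failure the returned session
	// is nil and the Token access below would panic instead of failing cleanly.
	session, err = th.App.CreateSession(session)
	require.Nil(t, err)
	require.NotNil(t, session)

	// A bare session token is not an OAuth access token until AccessData
	// references it, so revocation must be refused at this point.
	err = th.App.RevokeAccessToken(session.Token)
	require.NotNil(t, err, "Should have failed does not have an access token")

	accessData := &model.AccessData{
		Token:       session.Token,
		UserId:      session.UserId,
		RedirectUri: "http://example.com",
		ClientId:    model.NewId(),
		ExpiresAt:   session.ExpiresAt,
	}

	result := <-th.App.Srv.Store.OAuth().SaveAccessData(accessData)
	require.Nil(t, result.Err)

	// With AccessData in place the same token is now revocable.
	require.Nil(t, th.App.RevokeAccessToken(accessData.Token))
}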

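// TestOAuthDeleteApp verifies that deleting an OAuth app also invalidates a
// session issued on its behalf: after DeleteOAuthApp the session token must
// no longer resolve from either the cache or the database.
func TestOAuthDeleteApp(t *testing.T) {
	th := Setup()
	defer th.TearDown()

	// Go through UpdateConfig, as the other tests in this file do, instead of
	// writing into the struct returned by th.App.Config(); that keeps the
	// change on the app's config update path.
	th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })

	a1 := &model.OAuthApp{
		CreatorId:    model.NewId(),
		Name:         "TestApp" + model.NewId(),
		CallbackUrls: []string{"https://nowhere.com"},
		Homepage:     "https://nowhere.com",
	}

	a1, err := th.App.CreateOAuthApp(a1)
	require.Nil(t, err)

	session := &model.Session{}
	session.CreateAt = model.GetMillis()
	session.UserId = model.NewId()
	session.Token = model.NewId()
	session.Roles = model.SYSTEM_USER_ROLE_ID
	session.IsOAuth = true
	session.SetExpireInDays(1)

	// Do not discard the CreateSession error: on failure the returned session
	// is nil and the Token access below would panic instead of failing cleanly.
	session, err = th.App.CreateSession(session)
	require.Nil(t, err)
	require.NotNil(t, session)

	// Tie the session token to the app so deleting the app must reach it.
	accessData := &model.AccessData{
		Token:       session.Token,
		UserId:      session.UserId,
		RedirectUri: "http://example.com",
		ClientId:    a1.Id,
		ExpiresAt:   session.ExpiresAt,
	}

	result := <-th.App.Srv.Store.OAuth().SaveAccessData(accessData)
	require.Nil(t, result.Err)

	require.Nil(t, th.App.DeleteOAuthApp(a1.Id))

	// The app's session must be gone everywhere, not just from the cache.
	_, err = th.App.GetSession(session.Token)
	require.NotNil(t, err, "should not get session from cache or db")

	// NOTE(review): it would also be worth asserting that the AccessData row
	// for this token was removed together with the app; confirm the store
	// lookup API before adding that check.
}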