Fix tests for argon2

lib/mix/tasks/pleroma/config.ex

@@ -87,13 +87,15 @@ def run(["dump_to_file", group, key, fname]) do
       key = maybe_atomize(key)
 
       config = ConfigDB.get_by_group_and_key(group, key)
-      json = %{
-        group: ConfigDB.to_json_types(config.group),
-        key: ConfigDB.to_json_types(config.key),
-        value: ConfigDB.to_json_types(config.value),
-      }
-      |> Jason.encode!()
-      |> Jason.Formatter.pretty_print()
+
+      json =
+        %{
+          group: ConfigDB.to_json_types(config.group),
+          key: ConfigDB.to_json_types(config.key),
+          value: ConfigDB.to_json_types(config.value)
+        }
+        |> Jason.encode!()
+        |> Jason.Formatter.pretty_print()
 
       File.write(fname, json)
       shell_info("Wrote #{group}_#{key}.json")

lib/pleroma/password.ex

@@ -7,10 +7,12 @@ defmodule Pleroma.Password do
 
   alias Pleroma.User
   alias Pleroma.Password.Pbkdf2
+  require Logger
 
   @hashing_module Argon2
 
-  defdelegate hash_pwd_salt, to: @hashing_module
+  @spec hash_pwd_salt(String.t()) :: String.t()
+  defdelegate hash_pwd_salt(pass), to: @hashing_module
 
   @spec checkpw(String.t(), String.t()) :: boolean()
   def checkpw(password, "$2" <> _ = password_hash) do

lib/pleroma/web/auth/pleroma_authenticator.ex

@@ -6,7 +6,6 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticator do
   alias Pleroma.Registration
   alias Pleroma.Repo
   alias Pleroma.User
-  alias Pleroma.Web.Plugs.AuthenticationPlug
 
   import Pleroma.Web.Auth.Helpers, only: [fetch_credentials: 1, fetch_user: 1]
 
@@ -15,8 +14,8 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticator do
   def get_user(%Plug.Conn{} = conn) do
     with {:ok, {name, password}} <- fetch_credentials(conn),
          {_, %User{} = user} <- {:user, fetch_user(name)},
-         {_, true} <- {:checkpw, AuthenticationPlug.checkpw(password, user.password_hash)},
-         {:ok, user} <- AuthenticationPlug.maybe_update_password(user, password) do
+         {_, true} <- {:checkpw, Pleroma.Password.checkpw(password, user.password_hash)},
+         {:ok, user} <- Pleroma.Password.maybe_update_password(user, password) do
       {:ok, user}
     else
       {:error, _reason} = error -> error

lib/pleroma/web/auth/totp_authenticator.ex

@@ -6,7 +6,6 @@ defmodule Pleroma.Web.Auth.TOTPAuthenticator do
   alias Pleroma.MFA
   alias Pleroma.MFA.TOTP
   alias Pleroma.User
-  alias Pleroma.Web.Plugs.AuthenticationPlug
 
   @doc "Verify code or check backup code."
   @spec verify(String.t(), User.t()) ::
@@ -31,7 +30,7 @@ def verify_recovery_code(
         code
       )
       when is_list(codes) and is_binary(code) do
-    hash_code = Enum.find(codes, fn hash -> AuthenticationPlug.checkpw(code, hash) end)
+    hash_code = Enum.find(codes, fn hash -> Pleroma.Password.checkpw(code, hash) end)
 
     if hash_code do
       MFA.invalidate_backup_code(user, hash_code)

lib/pleroma/web/common_api/utils.ex

@@ -17,7 +17,6 @@ defmodule Pleroma.Web.CommonAPI.Utils do
   alias Pleroma.Web.ActivityPub.Visibility
   alias Pleroma.Web.CommonAPI.ActivityDraft
   alias Pleroma.Web.MediaProxy
-  alias Pleroma.Web.Plugs.AuthenticationPlug
   alias Pleroma.Web.Utils.Params
 
   require Logger
@@ -356,7 +355,7 @@ defp shortname(name) do
   @spec confirm_current_password(User.t(), String.t()) :: {:ok, User.t()} | {:error, String.t()}
   def confirm_current_password(user, password) do
     with %User{local: true} = db_user <- User.get_cached_by_id(user.id),
-         true <- AuthenticationPlug.checkpw(password, db_user.password_hash) do
+         true <- Pleroma.Password.checkpw(password, db_user.password_hash) do
       {:ok, db_user}
     else
       _ -> {:error, dgettext("errors", "Invalid password.")}

lib/pleroma/web/mongoose_im/mongoose_im_controller.ex

@@ -7,7 +7,6 @@ defmodule Pleroma.Web.MongooseIM.MongooseIMController do
 
   alias Pleroma.Repo
   alias Pleroma.User
-  alias Pleroma.Web.Plugs.AuthenticationPlug
   alias Pleroma.Web.Plugs.RateLimiter
 
   plug(RateLimiter, [name: :authentication] when action in [:user_exists, :check_password])
@@ -28,7 +27,7 @@ def user_exists(conn, %{"user" => username}) do
   def check_password(conn, %{"user" => username, "pass" => password}) do
     with %User{password_hash: password_hash, is_active: true} <-
            Repo.get_by(User, nickname: username, local: true),
-         true <- AuthenticationPlug.checkpw(password, password_hash) do
+         true <- Pleroma.Password.checkpw(password, password_hash) do
       conn
       |> json(true)
     else

lib/pleroma/web/plugs/authentication_plug.ex

@@ -7,6 +7,7 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlug do
 
   alias Pleroma.Helpers.AuthHelper
   alias Pleroma.User
+  alias Pleroma.Password
 
   import Plug.Conn
 
@@ -25,8 +26,8 @@ def call(
         } = conn,
         _
       ) do
-    if checkpw(password, password_hash) do
-      {:ok, auth_user} = maybe_update_password(auth_user, password)
+    if Password.checkpw(password, password_hash) do
+      {:ok, auth_user} = Password.maybe_update_password(auth_user, password)
 
       conn
       |> assign(:user, auth_user)
@@ -38,39 +39,6 @@ def call(
 
   def call(conn, _), do: conn
 
-  def checkpw(password, "$2" <> _ = password_hash) do
-    # Handle bcrypt passwords for Mastodon migration
-    Bcrypt.verify_pass(password, password_hash)
-  end
-
-  def checkpw(password, "$pbkdf2" <> _ = password_hash) do
-    Pleroma.Password.Pbkdf2.verify_pass(password, password_hash)
-  end
-
-  def checkpw(password, "$argon2" <> _ = password_hash) do
-    Argon2.verify_pass(password, password_hash)
-  end
-
-  def checkpw(_password, _password_hash) do
-    Logger.error("Password hash not recognized")
-    false
-  end
-
-  def maybe_update_password(%User{password_hash: "$2" <> _} = user, password) do
-    do_update_password(user, password)
-  end
-
-  def maybe_update_password(%User{password_hash: "$6" <> _} = user, password) do
-    do_update_password(user, password)
-  end
-
-  def maybe_update_password(%User{password_hash: "$pbkdf2" <> _} = user, password) do
-    do_update_password(user, password)
-  end
-
-  def maybe_update_password(user, _), do: {:ok, user}
-
-  defp do_update_password(user, password) do
-    User.reset_password(user, %{password: password, password_confirmation: password})
-  end
+  @spec checkpw(String.t(), String.t()) :: boolean
+  defdelegate checkpw(password, hash), to: Password
 end

test/pleroma/mfa_test.exs

@@ -30,8 +30,8 @@ test "returns backup codes" do
       {:ok, [code1, code2]} = MFA.generate_backup_codes(user)
       updated_user = refresh_record(user)
       [hash1, hash2] = updated_user.multi_factor_authentication_settings.backup_codes
-      assert Pleroma.Password.Pbkdf2.verify_pass(code1, hash1)
-      assert Pleroma.Password.Pbkdf2.verify_pass(code2, hash2)
+      assert Pleroma.Password.checkpw(code1, hash1)
+      assert Pleroma.Password.checkpw(code2, hash2)
     end
   end
 

test/pleroma/web/auth/basic_auth_test.exs

@@ -11,7 +11,7 @@ test "with HTTP Basic Auth used, grants access to OAuth scope-restricted endpoin
     conn: conn
   } do
     user = insert(:user)
-    assert Pleroma.Password.Pbkdf2.verify_pass("test", user.password_hash)
+    assert Pleroma.Password.checkpw("test", user.password_hash)
 
     basic_auth_contents =
       (URI.encode_www_form(user.nickname) <> ":" <> URI.encode_www_form("test"))

test/pleroma/web/auth/pleroma_authenticator_test.exs

@@ -15,7 +15,7 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticatorTest do
     user =
       insert(:user,
         nickname: name,
-        password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password)
+        password_hash: Pleroma.Password.hash_pwd_salt(password)
       )
 
     {:ok, [user: user, name: name, password: password]}
@@ -30,7 +30,7 @@ test "get_user/authorization", %{name: name, password: password} do
 
     assert {:ok, returned_user} = res
     assert returned_user.id == user.id
-    assert "$pbkdf2" <> _ = returned_user.password_hash
+    assert "$argon2" <> _ = returned_user.password_hash
   end
 
   test "get_user/authorization with invalid password", %{name: name} do

test/pleroma/web/auth/totp_authenticator_test.exs

@@ -34,7 +34,7 @@ test "checks backup codes" do
 
     hashed_codes =
       backup_codes
-      |> Enum.map(&Pleroma.Password.Pbkdf2.hash_pwd_salt(&1))
+      |> Enum.map(&Pleroma.Password.hash_pwd_salt(&1))
 
     user =
       insert(:user,

test/pleroma/web/mongoose_im_controller_test.exs

@@ -41,13 +41,13 @@ test "/user_exists", %{conn: conn} do
   end
 
   test "/check_password", %{conn: conn} do
-    user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("cool"))
+    user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt("cool"))
 
     _deactivated_user =
       insert(:user,
         nickname: "konata",
         is_active: false,
-        password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("cool")
+        password_hash: Pleroma.Password.hash_pwd_salt("cool")
       )
 
     res =

test/pleroma/web/o_auth/ldap_authorization_test.exs

@@ -18,7 +18,7 @@ defmodule Pleroma.Web.OAuth.LDAPAuthorizationTest do
   @tag @skip
   test "authorizes the existing user using LDAP credentials" do
     password = "testpassword"
-    user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
+    user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt(password))
     app = insert(:oauth_app, scopes: ["read", "write"])
 
     host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
@@ -101,7 +101,7 @@ test "creates a new user after successful LDAP authorization" do
   @tag @skip
   test "disallow authorization for wrong LDAP credentials" do
     password = "testpassword"
-    user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
+    user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt(password))
     app = insert(:oauth_app, scopes: ["read", "write"])
 
     host = Pleroma.Config.get([:ldap, :host]) |> to_charlist

test/pleroma/web/o_auth/mfa_controller_test.exs

@@ -20,7 +20,7 @@ defmodule Pleroma.Web.OAuth.MFAControllerTest do
       insert(:user,
         multi_factor_authentication_settings: %MFA.Settings{
           enabled: true,
-          backup_codes: [Pleroma.Password.Pbkdf2.hash_pwd_salt("test-code")],
+          backup_codes: [Pleroma.Password.hash_pwd_salt("test-code")],
           totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true}
         }
       )
@@ -246,7 +246,7 @@ test "returns access token with valid code", %{conn: conn, app: app} do
 
       hashed_codes =
         backup_codes
-        |> Enum.map(&Pleroma.Password.Pbkdf2.hash_pwd_salt(&1))
+        |> Enum.map(&Pleroma.Password.hash_pwd_salt(&1))
 
       user =
         insert(:user,

test/pleroma/web/o_auth/o_auth_controller_test.exs

@@ -316,7 +316,7 @@ test "with valid params, POST /oauth/register?op=connect redirects to `redirect_
            app: app,
            conn: conn
          } do
-      user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("testpassword"))
+      user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt("testpassword"))
       registration = insert(:registration, user: nil)
       redirect_uri = OAuthController.default_redirect_uri(app)
 
@@ -347,7 +347,7 @@ test "with unlisted `redirect_uri`, POST /oauth/register?op=connect results in H
            app: app,
            conn: conn
          } do
-      user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("testpassword"))
+      user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt("testpassword"))
       registration = insert(:registration, user: nil)
       unlisted_redirect_uri = "http://cross-site-request.com"
 
@@ -917,7 +917,7 @@ test "issues a token for an all-body request" do
 
     test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do
       password = "testpassword"
-      user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
+      user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt(password))
 
       app = insert(:oauth_app, scopes: ["read", "write"])
 
@@ -947,7 +947,7 @@ test "issues a mfa token for `password` grant_type, when MFA enabled" do
 
       user =
         insert(:user,
-          password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
+          password_hash: Pleroma.Password.hash_pwd_salt(password),
           multi_factor_authentication_settings: %MFA.Settings{
             enabled: true,
             totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true}
@@ -1056,7 +1056,7 @@ test "rejects token exchange for valid credentials belonging to unconfirmed user
       password = "testpassword"
 
       {:ok, user} =
-        insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
+        insert(:user, password_hash: Pleroma.Password.hash_pwd_salt(password))
         |> User.confirmation_changeset(set_confirmation: false)
         |> User.update_and_set_cache()
 
@@ -1084,7 +1084,7 @@ test "rejects token exchange for valid credentials belonging to deactivated user
 
       user =
         insert(:user,
-          password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
+          password_hash: Pleroma.Password.hash_pwd_salt(password),
           is_active: false
         )
 
@@ -1112,7 +1112,7 @@ test "rejects token exchange for user with password_reset_pending set to true" d
 
       user =
         insert(:user,
-          password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
+          password_hash: Pleroma.Password.hash_pwd_salt(password),
           password_reset_pending: true
         )
 
@@ -1141,7 +1141,7 @@ test "rejects token exchange for user with confirmation_pending set to true" do
 
       user =
         insert(:user,
-          password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
+          password_hash: Pleroma.Password.hash_pwd_salt(password),
           is_confirmed: false
         )
 
@@ -1169,7 +1169,7 @@ test "rejects token exchange for valid credentials belonging to an unapproved us
 
       user =
         insert(:user,
-          password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
+          password_hash: Pleroma.Password.hash_pwd_salt(password),
           is_approved: false
         )
 

test/pleroma/web/plugs/authentication_plug_test.exs

@@ -17,7 +17,7 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlugTest do
     user = %User{
       id: 1,
       name: "dude",
-      password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("guy")
+      password_hash: Pleroma.Password.hash_pwd_salt("guy")
     }
 
     conn =
@@ -105,7 +105,9 @@ test "check bcrypt hash" do
     end
 
     test "check argon2 hash" do
-      hash = "$argon2id$v=19$m=65536,t=8,p=2$zEMMsTuK5KkL5AFWbX7jyQ$VyaQD7PF6e9btz0oH1YiAkWwIGZ7WNDZP8l+a/O171g"
+      hash =
+        "$argon2id$v=19$m=65536,t=8,p=2$zEMMsTuK5KkL5AFWbX7jyQ$VyaQD7PF6e9btz0oH1YiAkWwIGZ7WNDZP8l+a/O171g"
+
       assert AuthenticationPlug.checkpw("password", hash)
       refute AuthenticationPlug.checkpw("password1", hash)
     end

test/pleroma/web/twitter_api/password_controller_test.exs

@@ -96,7 +96,7 @@ test "it returns HTTP 200", %{conn: conn} do
       assert response =~ "<h2>Password changed!</h2>"
 
       user = refresh_record(user)
-      assert Pleroma.Password.Pbkdf2.verify_pass("test", user.password_hash)
+      assert Pleroma.Password.checkpw("test", user.password_hash)
       assert Enum.empty?(Token.get_user_tokens(user))
     end
 

test/pleroma/web/twitter_api/util_controller_test.exs

@@ -553,7 +553,7 @@ test "with proper permissions, valid password and matching new password and conf
 
       assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"}
       fetched_user = User.get_cached_by_id(user.id)
-      assert Pleroma.Password.Pbkdf2.verify_pass("newpass", fetched_user.password_hash) == true
+      assert Pleroma.Password.checkpw("newpass", fetched_user.password_hash) == true
     end
   end
 

test/support/builders/user_builder.ex

@@ -7,7 +7,7 @@ def build(data \\ %{}) do
       email: "test@example.org",
       name: "Test Name",
       nickname: "testname",
-      password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("test"),
+      password_hash: Pleroma.Password.hash_pwd_salt("test"),
       bio: "A tester.",
       ap_id: "some id",
       last_digest_emailed_at: NaiveDateTime.truncate(NaiveDateTime.utc_now(), :second),

test/support/factory.ex

@@ -47,12 +47,16 @@ def instance_factory(attrs \\ %{}) do
 
   def user_factory(attrs \\ %{}) do
     pem = Enum.random(@rsa_keys)
+    # Argon2.hash_pwd_salt("test")
+    # it really eats CPU time, so we use a precomputed hash
+    password_hash =
+      "$argon2id$v=19$m=65536,t=8,p=2$FEAarFuiOsROO24NHIHMYw$oxdaz2fTPpuU+dYCl60FsqE65T1Tjy6lGikKfmql4xo"
 
     user = %User{
       name: sequence(:name, &"Test テスト User #{&1}"),
       email: sequence(:email, &"user#{&1}@example.com"),
       nickname: sequence(:nickname, &"nick#{&1}"),
-      password_hash: Argon2.hash_pwd_salt("test"),
+      password_hash: password_hash,
       bio: sequence(:bio, &"Tester Number #{&1}"),
       is_discoverable: true,
       last_digest_emailed_at: NaiveDateTime.utc_now(),