Fix tests for argon2
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
ci/woodpecker/pr/woodpecker Pipeline is pending

This commit is contained in:
FloatingGhost 2022-12-30 02:19:44 +00:00
parent baa118a74f
commit 2b25522a5e
20 changed files with 55 additions and 81 deletions

View file

@ -87,13 +87,15 @@ def run(["dump_to_file", group, key, fname]) do
key = maybe_atomize(key) key = maybe_atomize(key)
config = ConfigDB.get_by_group_and_key(group, key) config = ConfigDB.get_by_group_and_key(group, key)
json = %{
group: ConfigDB.to_json_types(config.group), json =
key: ConfigDB.to_json_types(config.key), %{
value: ConfigDB.to_json_types(config.value), group: ConfigDB.to_json_types(config.group),
} key: ConfigDB.to_json_types(config.key),
|> Jason.encode!() value: ConfigDB.to_json_types(config.value)
|> Jason.Formatter.pretty_print() }
|> Jason.encode!()
|> Jason.Formatter.pretty_print()
File.write(fname, json) File.write(fname, json)
shell_info("Wrote #{group}_#{key}.json") shell_info("Wrote #{group}_#{key}.json")

View file

@ -7,10 +7,12 @@ defmodule Pleroma.Password do
alias Pleroma.User alias Pleroma.User
alias Pleroma.Password.Pbkdf2 alias Pleroma.Password.Pbkdf2
require Logger
@hashing_module Argon2 @hashing_module Argon2
defdelegate hash_pwd_salt, to: @hashing_module @spec hash_pwd_salt(String.t()) :: String.t()
defdelegate hash_pwd_salt(pass), to: @hashing_module
@spec checkpw(String.t(), String.t()) :: boolean() @spec checkpw(String.t(), String.t()) :: boolean()
def checkpw(password, "$2" <> _ = password_hash) do def checkpw(password, "$2" <> _ = password_hash) do

View file

@ -6,7 +6,6 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticator do
alias Pleroma.Registration alias Pleroma.Registration
alias Pleroma.Repo alias Pleroma.Repo
alias Pleroma.User alias Pleroma.User
alias Pleroma.Web.Plugs.AuthenticationPlug
import Pleroma.Web.Auth.Helpers, only: [fetch_credentials: 1, fetch_user: 1] import Pleroma.Web.Auth.Helpers, only: [fetch_credentials: 1, fetch_user: 1]
@ -15,8 +14,8 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticator do
def get_user(%Plug.Conn{} = conn) do def get_user(%Plug.Conn{} = conn) do
with {:ok, {name, password}} <- fetch_credentials(conn), with {:ok, {name, password}} <- fetch_credentials(conn),
{_, %User{} = user} <- {:user, fetch_user(name)}, {_, %User{} = user} <- {:user, fetch_user(name)},
{_, true} <- {:checkpw, AuthenticationPlug.checkpw(password, user.password_hash)}, {_, true} <- {:checkpw, Pleroma.Password.checkpw(password, user.password_hash)},
{:ok, user} <- AuthenticationPlug.maybe_update_password(user, password) do {:ok, user} <- Pleroma.Password.maybe_update_password(user, password) do
{:ok, user} {:ok, user}
else else
{:error, _reason} = error -> error {:error, _reason} = error -> error

View file

@ -6,7 +6,6 @@ defmodule Pleroma.Web.Auth.TOTPAuthenticator do
alias Pleroma.MFA alias Pleroma.MFA
alias Pleroma.MFA.TOTP alias Pleroma.MFA.TOTP
alias Pleroma.User alias Pleroma.User
alias Pleroma.Web.Plugs.AuthenticationPlug
@doc "Verify code or check backup code." @doc "Verify code or check backup code."
@spec verify(String.t(), User.t()) :: @spec verify(String.t(), User.t()) ::
@ -31,7 +30,7 @@ def verify_recovery_code(
code code
) )
when is_list(codes) and is_binary(code) do when is_list(codes) and is_binary(code) do
hash_code = Enum.find(codes, fn hash -> AuthenticationPlug.checkpw(code, hash) end) hash_code = Enum.find(codes, fn hash -> Pleroma.Password.checkpw(code, hash) end)
if hash_code do if hash_code do
MFA.invalidate_backup_code(user, hash_code) MFA.invalidate_backup_code(user, hash_code)

View file

@ -17,7 +17,6 @@ defmodule Pleroma.Web.CommonAPI.Utils do
alias Pleroma.Web.ActivityPub.Visibility alias Pleroma.Web.ActivityPub.Visibility
alias Pleroma.Web.CommonAPI.ActivityDraft alias Pleroma.Web.CommonAPI.ActivityDraft
alias Pleroma.Web.MediaProxy alias Pleroma.Web.MediaProxy
alias Pleroma.Web.Plugs.AuthenticationPlug
alias Pleroma.Web.Utils.Params alias Pleroma.Web.Utils.Params
require Logger require Logger
@ -356,7 +355,7 @@ defp shortname(name) do
@spec confirm_current_password(User.t(), String.t()) :: {:ok, User.t()} | {:error, String.t()} @spec confirm_current_password(User.t(), String.t()) :: {:ok, User.t()} | {:error, String.t()}
def confirm_current_password(user, password) do def confirm_current_password(user, password) do
with %User{local: true} = db_user <- User.get_cached_by_id(user.id), with %User{local: true} = db_user <- User.get_cached_by_id(user.id),
true <- AuthenticationPlug.checkpw(password, db_user.password_hash) do true <- Pleroma.Password.checkpw(password, db_user.password_hash) do
{:ok, db_user} {:ok, db_user}
else else
_ -> {:error, dgettext("errors", "Invalid password.")} _ -> {:error, dgettext("errors", "Invalid password.")}

View file

@ -7,7 +7,6 @@ defmodule Pleroma.Web.MongooseIM.MongooseIMController do
alias Pleroma.Repo alias Pleroma.Repo
alias Pleroma.User alias Pleroma.User
alias Pleroma.Web.Plugs.AuthenticationPlug
alias Pleroma.Web.Plugs.RateLimiter alias Pleroma.Web.Plugs.RateLimiter
plug(RateLimiter, [name: :authentication] when action in [:user_exists, :check_password]) plug(RateLimiter, [name: :authentication] when action in [:user_exists, :check_password])
@ -28,7 +27,7 @@ def user_exists(conn, %{"user" => username}) do
def check_password(conn, %{"user" => username, "pass" => password}) do def check_password(conn, %{"user" => username, "pass" => password}) do
with %User{password_hash: password_hash, is_active: true} <- with %User{password_hash: password_hash, is_active: true} <-
Repo.get_by(User, nickname: username, local: true), Repo.get_by(User, nickname: username, local: true),
true <- AuthenticationPlug.checkpw(password, password_hash) do true <- Pleroma.Password.checkpw(password, password_hash) do
conn conn
|> json(true) |> json(true)
else else

View file

@ -7,6 +7,7 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlug do
alias Pleroma.Helpers.AuthHelper alias Pleroma.Helpers.AuthHelper
alias Pleroma.User alias Pleroma.User
alias Pleroma.Password
import Plug.Conn import Plug.Conn
@ -25,8 +26,8 @@ def call(
} = conn, } = conn,
_ _
) do ) do
if checkpw(password, password_hash) do if Password.checkpw(password, password_hash) do
{:ok, auth_user} = maybe_update_password(auth_user, password) {:ok, auth_user} = Password.maybe_update_password(auth_user, password)
conn conn
|> assign(:user, auth_user) |> assign(:user, auth_user)
@ -38,39 +39,6 @@ def call(
def call(conn, _), do: conn def call(conn, _), do: conn
def checkpw(password, "$2" <> _ = password_hash) do @spec checkpw(String.t(), String.t()) :: boolean
# Handle bcrypt passwords for Mastodon migration defdelegate checkpw(password, hash), to: Password
Bcrypt.verify_pass(password, password_hash)
end
def checkpw(password, "$pbkdf2" <> _ = password_hash) do
Pleroma.Password.Pbkdf2.verify_pass(password, password_hash)
end
def checkpw(password, "$argon2" <> _ = password_hash) do
Argon2.verify_pass(password, password_hash)
end
def checkpw(_password, _password_hash) do
Logger.error("Password hash not recognized")
false
end
def maybe_update_password(%User{password_hash: "$2" <> _} = user, password) do
do_update_password(user, password)
end
def maybe_update_password(%User{password_hash: "$6" <> _} = user, password) do
do_update_password(user, password)
end
def maybe_update_password(%User{password_hash: "$pbkdf2" <> _} = user, password) do
do_update_password(user, password)
end
def maybe_update_password(user, _), do: {:ok, user}
defp do_update_password(user, password) do
User.reset_password(user, %{password: password, password_confirmation: password})
end
end end

View file

@ -30,8 +30,8 @@ test "returns backup codes" do
{:ok, [code1, code2]} = MFA.generate_backup_codes(user) {:ok, [code1, code2]} = MFA.generate_backup_codes(user)
updated_user = refresh_record(user) updated_user = refresh_record(user)
[hash1, hash2] = updated_user.multi_factor_authentication_settings.backup_codes [hash1, hash2] = updated_user.multi_factor_authentication_settings.backup_codes
assert Pleroma.Password.Pbkdf2.verify_pass(code1, hash1) assert Pleroma.Password.checkpw(code1, hash1)
assert Pleroma.Password.Pbkdf2.verify_pass(code2, hash2) assert Pleroma.Password.checkpw(code2, hash2)
end end
end end

View file

@ -11,7 +11,7 @@ test "with HTTP Basic Auth used, grants access to OAuth scope-restricted endpoin
conn: conn conn: conn
} do } do
user = insert(:user) user = insert(:user)
assert Pleroma.Password.Pbkdf2.verify_pass("test", user.password_hash) assert Pleroma.Password.checkpw("test", user.password_hash)
basic_auth_contents = basic_auth_contents =
(URI.encode_www_form(user.nickname) <> ":" <> URI.encode_www_form("test")) (URI.encode_www_form(user.nickname) <> ":" <> URI.encode_www_form("test"))

View file

@ -15,7 +15,7 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticatorTest do
user = user =
insert(:user, insert(:user,
nickname: name, nickname: name,
password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password) password_hash: Pleroma.Password.hash_pwd_salt(password)
) )
{:ok, [user: user, name: name, password: password]} {:ok, [user: user, name: name, password: password]}
@ -30,7 +30,7 @@ test "get_user/authorization", %{name: name, password: password} do
assert {:ok, returned_user} = res assert {:ok, returned_user} = res
assert returned_user.id == user.id assert returned_user.id == user.id
assert "$pbkdf2" <> _ = returned_user.password_hash assert "$argon2" <> _ = returned_user.password_hash
end end
test "get_user/authorization with invalid password", %{name: name} do test "get_user/authorization with invalid password", %{name: name} do

View file

@ -34,7 +34,7 @@ test "checks backup codes" do
hashed_codes = hashed_codes =
backup_codes backup_codes
|> Enum.map(&Pleroma.Password.Pbkdf2.hash_pwd_salt(&1)) |> Enum.map(&Pleroma.Password.hash_pwd_salt(&1))
user = user =
insert(:user, insert(:user,

View file

@ -41,13 +41,13 @@ test "/user_exists", %{conn: conn} do
end end
test "/check_password", %{conn: conn} do test "/check_password", %{conn: conn} do
user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("cool")) user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt("cool"))
_deactivated_user = _deactivated_user =
insert(:user, insert(:user,
nickname: "konata", nickname: "konata",
is_active: false, is_active: false,
password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("cool") password_hash: Pleroma.Password.hash_pwd_salt("cool")
) )
res = res =

View file

@ -18,7 +18,7 @@ defmodule Pleroma.Web.OAuth.LDAPAuthorizationTest do
@tag @skip @tag @skip
test "authorizes the existing user using LDAP credentials" do test "authorizes the existing user using LDAP credentials" do
password = "testpassword" password = "testpassword"
user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password)) user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt(password))
app = insert(:oauth_app, scopes: ["read", "write"]) app = insert(:oauth_app, scopes: ["read", "write"])
host = Pleroma.Config.get([:ldap, :host]) |> to_charlist host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
@ -101,7 +101,7 @@ test "creates a new user after successful LDAP authorization" do
@tag @skip @tag @skip
test "disallow authorization for wrong LDAP credentials" do test "disallow authorization for wrong LDAP credentials" do
password = "testpassword" password = "testpassword"
user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password)) user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt(password))
app = insert(:oauth_app, scopes: ["read", "write"]) app = insert(:oauth_app, scopes: ["read", "write"])
host = Pleroma.Config.get([:ldap, :host]) |> to_charlist host = Pleroma.Config.get([:ldap, :host]) |> to_charlist

View file

@ -20,7 +20,7 @@ defmodule Pleroma.Web.OAuth.MFAControllerTest do
insert(:user, insert(:user,
multi_factor_authentication_settings: %MFA.Settings{ multi_factor_authentication_settings: %MFA.Settings{
enabled: true, enabled: true,
backup_codes: [Pleroma.Password.Pbkdf2.hash_pwd_salt("test-code")], backup_codes: [Pleroma.Password.hash_pwd_salt("test-code")],
totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true} totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true}
} }
) )
@ -246,7 +246,7 @@ test "returns access token with valid code", %{conn: conn, app: app} do
hashed_codes = hashed_codes =
backup_codes backup_codes
|> Enum.map(&Pleroma.Password.Pbkdf2.hash_pwd_salt(&1)) |> Enum.map(&Pleroma.Password.hash_pwd_salt(&1))
user = user =
insert(:user, insert(:user,

View file

@ -316,7 +316,7 @@ test "with valid params, POST /oauth/register?op=connect redirects to `redirect_
app: app, app: app,
conn: conn conn: conn
} do } do
user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("testpassword")) user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt("testpassword"))
registration = insert(:registration, user: nil) registration = insert(:registration, user: nil)
redirect_uri = OAuthController.default_redirect_uri(app) redirect_uri = OAuthController.default_redirect_uri(app)
@ -347,7 +347,7 @@ test "with unlisted `redirect_uri`, POST /oauth/register?op=connect results in H
app: app, app: app,
conn: conn conn: conn
} do } do
user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("testpassword")) user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt("testpassword"))
registration = insert(:registration, user: nil) registration = insert(:registration, user: nil)
unlisted_redirect_uri = "http://cross-site-request.com" unlisted_redirect_uri = "http://cross-site-request.com"
@ -917,7 +917,7 @@ test "issues a token for an all-body request" do
test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do
password = "testpassword" password = "testpassword"
user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password)) user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt(password))
app = insert(:oauth_app, scopes: ["read", "write"]) app = insert(:oauth_app, scopes: ["read", "write"])
@ -947,7 +947,7 @@ test "issues a mfa token for `password` grant_type, when MFA enabled" do
user = user =
insert(:user, insert(:user,
password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password), password_hash: Pleroma.Password.hash_pwd_salt(password),
multi_factor_authentication_settings: %MFA.Settings{ multi_factor_authentication_settings: %MFA.Settings{
enabled: true, enabled: true,
totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true} totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true}
@ -1056,7 +1056,7 @@ test "rejects token exchange for valid credentials belonging to unconfirmed user
password = "testpassword" password = "testpassword"
{:ok, user} = {:ok, user} =
insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password)) insert(:user, password_hash: Pleroma.Password.hash_pwd_salt(password))
|> User.confirmation_changeset(set_confirmation: false) |> User.confirmation_changeset(set_confirmation: false)
|> User.update_and_set_cache() |> User.update_and_set_cache()
@ -1084,7 +1084,7 @@ test "rejects token exchange for valid credentials belonging to deactivated user
user = user =
insert(:user, insert(:user,
password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password), password_hash: Pleroma.Password.hash_pwd_salt(password),
is_active: false is_active: false
) )
@ -1112,7 +1112,7 @@ test "rejects token exchange for user with password_reset_pending set to true" d
user = user =
insert(:user, insert(:user,
password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password), password_hash: Pleroma.Password.hash_pwd_salt(password),
password_reset_pending: true password_reset_pending: true
) )
@ -1141,7 +1141,7 @@ test "rejects token exchange for user with confirmation_pending set to true" do
user = user =
insert(:user, insert(:user,
password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password), password_hash: Pleroma.Password.hash_pwd_salt(password),
is_confirmed: false is_confirmed: false
) )
@ -1169,7 +1169,7 @@ test "rejects token exchange for valid credentials belonging to an unapproved us
user = user =
insert(:user, insert(:user,
password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password), password_hash: Pleroma.Password.hash_pwd_salt(password),
is_approved: false is_approved: false
) )

View file

@ -17,7 +17,7 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlugTest do
user = %User{ user = %User{
id: 1, id: 1,
name: "dude", name: "dude",
password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("guy") password_hash: Pleroma.Password.hash_pwd_salt("guy")
} }
conn = conn =
@ -105,7 +105,9 @@ test "check bcrypt hash" do
end end
test "check argon2 hash" do test "check argon2 hash" do
hash = "$argon2id$v=19$m=65536,t=8,p=2$zEMMsTuK5KkL5AFWbX7jyQ$VyaQD7PF6e9btz0oH1YiAkWwIGZ7WNDZP8l+a/O171g" hash =
"$argon2id$v=19$m=65536,t=8,p=2$zEMMsTuK5KkL5AFWbX7jyQ$VyaQD7PF6e9btz0oH1YiAkWwIGZ7WNDZP8l+a/O171g"
assert AuthenticationPlug.checkpw("password", hash) assert AuthenticationPlug.checkpw("password", hash)
refute AuthenticationPlug.checkpw("password1", hash) refute AuthenticationPlug.checkpw("password1", hash)
end end

View file

@ -96,7 +96,7 @@ test "it returns HTTP 200", %{conn: conn} do
assert response =~ "<h2>Password changed!</h2>" assert response =~ "<h2>Password changed!</h2>"
user = refresh_record(user) user = refresh_record(user)
assert Pleroma.Password.Pbkdf2.verify_pass("test", user.password_hash) assert Pleroma.Password.checkpw("test", user.password_hash)
assert Enum.empty?(Token.get_user_tokens(user)) assert Enum.empty?(Token.get_user_tokens(user))
end end

View file

@ -553,7 +553,7 @@ test "with proper permissions, valid password and matching new password and conf
assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"} assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"}
fetched_user = User.get_cached_by_id(user.id) fetched_user = User.get_cached_by_id(user.id)
assert Pleroma.Password.Pbkdf2.verify_pass("newpass", fetched_user.password_hash) == true assert Pleroma.Password.checkpw("newpass", fetched_user.password_hash) == true
end end
end end

View file

@ -7,7 +7,7 @@ def build(data \\ %{}) do
email: "test@example.org", email: "test@example.org",
name: "Test Name", name: "Test Name",
nickname: "testname", nickname: "testname",
password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("test"), password_hash: Pleroma.Password.hash_pwd_salt("test"),
bio: "A tester.", bio: "A tester.",
ap_id: "some id", ap_id: "some id",
last_digest_emailed_at: NaiveDateTime.truncate(NaiveDateTime.utc_now(), :second), last_digest_emailed_at: NaiveDateTime.truncate(NaiveDateTime.utc_now(), :second),

View file

@ -47,12 +47,16 @@ def instance_factory(attrs \\ %{}) do
def user_factory(attrs \\ %{}) do def user_factory(attrs \\ %{}) do
pem = Enum.random(@rsa_keys) pem = Enum.random(@rsa_keys)
# Argon2.hash_pwd_salt("test")
# it really eats CPU time, so we use a precomputed hash
password_hash =
"$argon2id$v=19$m=65536,t=8,p=2$FEAarFuiOsROO24NHIHMYw$oxdaz2fTPpuU+dYCl60FsqE65T1Tjy6lGikKfmql4xo"
user = %User{ user = %User{
name: sequence(:name, &"Test テスト User #{&1}"), name: sequence(:name, &"Test テスト User #{&1}"),
email: sequence(:email, &"user#{&1}@example.com"), email: sequence(:email, &"user#{&1}@example.com"),
nickname: sequence(:nickname, &"nick#{&1}"), nickname: sequence(:nickname, &"nick#{&1}"),
password_hash: Argon2.hash_pwd_salt("test"), password_hash: password_hash,
bio: sequence(:bio, &"Tester Number #{&1}"), bio: sequence(:bio, &"Tester Number #{&1}"),
is_discoverable: true, is_discoverable: true,
last_digest_emailed_at: NaiveDateTime.utc_now(), last_digest_emailed_at: NaiveDateTime.utc_now(),