diff options
Diffstat (limited to 'store/sqlstore/oauth_store_test.go')
| -rw-r--r-- | store/sqlstore/oauth_store_test.go | 446 |
1 files changed, 446 insertions, 0 deletions
diff --git a/store/sqlstore/oauth_store_test.go b/store/sqlstore/oauth_store_test.go new file mode 100644 index 000000000..1e4aacfe5 --- /dev/null +++ b/store/sqlstore/oauth_store_test.go @@ -0,0 +1,446 @@ +// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package sqlstore + +import ( + "testing" + + "github.com/mattermost/mattermost-server/model" +"github.com/mattermost/mattermost-server/store" +) + +func TestOAuthStoreSaveApp(t *testing.T) { + ss := Setup() + + a1 := model.OAuthApp{} + a1.CreatorId = model.NewId() + a1.CallbackUrls = []string{"https://nowhere.com"} + a1.Homepage = "https://nowhere.com" + + // Try to save an app that already has an Id + a1.Id = model.NewId() + if err := (<-ss.OAuth().SaveApp(&a1)).Err; err == nil { + t.Fatal("Should have failed, cannot add an OAuth app cannot be save with an Id, it has to be updated") + } + + // Try to save an Invalid App + a1.Id = "" + if err := (<-ss.OAuth().SaveApp(&a1)).Err; err == nil { + t.Fatal("Should have failed, app should be invalid cause it doesn' have a name set") + } + + // Save the app + a1.Id = "" + a1.Name = "TestApp" + model.NewId() + if err := (<-ss.OAuth().SaveApp(&a1)).Err; err != nil { + t.Fatal(err) + } +} + +func TestOAuthStoreGetApp(t *testing.T) { + ss := Setup() + + a1 := model.OAuthApp{} + a1.CreatorId = model.NewId() + a1.Name = "TestApp" + model.NewId() + a1.CallbackUrls = []string{"https://nowhere.com"} + a1.Homepage = "https://nowhere.com" + store.Must(ss.OAuth().SaveApp(&a1)) + + // Lets try to get and app that does not exists + if err := (<-ss.OAuth().GetApp("fake0123456789abcderfgret1")).Err; err == nil { + t.Fatal("Should have failed. App does not exists") + } + + if err := (<-ss.OAuth().GetApp(a1.Id)).Err; err != nil { + t.Fatal(err) + } + + // Lets try and get the app from a user that hasn't created any apps + if result := (<-ss.OAuth().GetAppByUser("fake0123456789abcderfgret1", 0, 1000)); result.Err == nil { + if len(result.Data.([]*model.OAuthApp)) > 0 { + t.Fatal("Should have failed. Fake user hasn't created any apps") + } + } else { + t.Fatal(result.Err) + } + + if err := (<-ss.OAuth().GetAppByUser(a1.CreatorId, 0, 1000)).Err; err != nil { + t.Fatal(err) + } + + if err := (<-ss.OAuth().GetApps(0, 1000)).Err; err != nil { + t.Fatal(err) + } +} + +func TestOAuthStoreUpdateApp(t *testing.T) { + ss := Setup() + + a1 := model.OAuthApp{} + a1.CreatorId = model.NewId() + a1.Name = "TestApp" + model.NewId() + a1.CallbackUrls = []string{"https://nowhere.com"} + a1.Homepage = "https://nowhere.com" + store.Must(ss.OAuth().SaveApp(&a1)) + + // temporarily save the created app id + id := a1.Id + + a1.CreateAt = 1 + a1.ClientSecret = "pwd" + a1.CreatorId = "12345678901234567890123456" + + // Lets update the app by removing the name + a1.Name = "" + if result := <-ss.OAuth().UpdateApp(&a1); result.Err == nil { + t.Fatal("Should have failed. App name is not set") + } + + // Lets not find the app that we are trying to update + a1.Id = "fake0123456789abcderfgret1" + a1.Name = "NewName" + if result := <-ss.OAuth().UpdateApp(&a1); result.Err == nil { + t.Fatal("Should have failed. Not able to find the app") + } + + a1.Id = id + if result := <-ss.OAuth().UpdateApp(&a1); result.Err != nil { + t.Fatal(result.Err) + } else { + ua1 := (result.Data.([2]*model.OAuthApp)[0]) + if ua1.Name != "NewName" { + t.Fatal("name did not update") + } + if ua1.CreateAt == 1 { + t.Fatal("create at should not have updated") + } + if ua1.CreatorId == "12345678901234567890123456" { + t.Fatal("creator id should not have updated") + } + } +} + +func TestOAuthStoreSaveAccessData(t *testing.T) { + ss := Setup() + + a1 := model.AccessData{} + a1.ClientId = model.NewId() + a1.UserId = model.NewId() + + // Lets try and save an incomplete access data + if err := (<-ss.OAuth().SaveAccessData(&a1)).Err; err == nil { + t.Fatal("Should have failed. Access data needs the token") + } + + a1.Token = model.NewId() + a1.RefreshToken = model.NewId() + a1.RedirectUri = "http://example.com" + + if err := (<-ss.OAuth().SaveAccessData(&a1)).Err; err != nil { + t.Fatal(err) + } +} + +func TestOAuthUpdateAccessData(t *testing.T) { + ss := Setup() + + a1 := model.AccessData{} + a1.ClientId = model.NewId() + a1.UserId = model.NewId() + a1.Token = model.NewId() + a1.RefreshToken = model.NewId() + a1.ExpiresAt = model.GetMillis() + a1.RedirectUri = "http://example.com" + store.Must(ss.OAuth().SaveAccessData(&a1)) + + //Try to update to invalid Refresh Token + refreshToken := a1.RefreshToken + a1.RefreshToken = model.NewId() + "123" + if err := (<-ss.OAuth().UpdateAccessData(&a1)).Err; err == nil { + t.Fatal("Should have failed with invalid token") + } + + //Try to update to invalid RedirectUri + a1.RefreshToken = model.NewId() + a1.RedirectUri = "" + if err := (<-ss.OAuth().UpdateAccessData(&a1)).Err; err == nil { + t.Fatal("Should have failed with invalid Redirect URI") + } + + // Should update fine + a1.RedirectUri = "http://example.com" + if result := <-ss.OAuth().UpdateAccessData(&a1); result.Err != nil { + t.Fatal(result.Err) + } else { + ra1 := result.Data.(*model.AccessData) + if ra1.RefreshToken == refreshToken { + t.Fatal("refresh tokens didn't match") + } + } +} + +func TestOAuthStoreGetAccessData(t *testing.T) { + ss := Setup() + + a1 := model.AccessData{} + a1.ClientId = model.NewId() + a1.UserId = model.NewId() + a1.Token = model.NewId() + a1.RefreshToken = model.NewId() + a1.ExpiresAt = model.GetMillis() + a1.RedirectUri = "http://example.com" + store.Must(ss.OAuth().SaveAccessData(&a1)) + + if err := (<-ss.OAuth().GetAccessData("invalidToken")).Err; err == nil { + t.Fatal("Should have failed. There is no data with an invalid token") + } + + if result := <-ss.OAuth().GetAccessData(a1.Token); result.Err != nil { + t.Fatal(result.Err) + } else { + ra1 := result.Data.(*model.AccessData) + if a1.Token != ra1.Token { + t.Fatal("tokens didn't match") + } + } + + if err := (<-ss.OAuth().GetPreviousAccessData(a1.UserId, a1.ClientId)).Err; err != nil { + t.Fatal(err) + } + + if err := (<-ss.OAuth().GetPreviousAccessData("user", "junk")).Err; err != nil { + t.Fatal(err) + } + + // Try to get the Access data using an invalid refresh token + if err := (<-ss.OAuth().GetAccessDataByRefreshToken(a1.Token)).Err; err == nil { + t.Fatal("Should have failed. There is no data with an invalid token") + } + + // Get the Access Data using the refresh token + if result := <-ss.OAuth().GetAccessDataByRefreshToken(a1.RefreshToken); result.Err != nil { + t.Fatal(result.Err) + } else { + ra1 := result.Data.(*model.AccessData) + if a1.RefreshToken != ra1.RefreshToken { + t.Fatal("tokens didn't match") + } + } +} + +func TestOAuthStoreRemoveAccessData(t *testing.T) { + ss := Setup() + + a1 := model.AccessData{} + a1.ClientId = model.NewId() + a1.UserId = model.NewId() + a1.Token = model.NewId() + a1.RefreshToken = model.NewId() + a1.RedirectUri = "http://example.com" + store.Must(ss.OAuth().SaveAccessData(&a1)) + + if err := (<-ss.OAuth().RemoveAccessData(a1.Token)).Err; err != nil { + t.Fatal(err) + } + + if result := (<-ss.OAuth().GetPreviousAccessData(a1.UserId, a1.ClientId)); result.Err != nil { + } else { + if result.Data != nil { + t.Fatal("did not delete access token") + } + } +} + +func TestOAuthStoreSaveAuthData(t *testing.T) { + ss := Setup() + + a1 := model.AuthData{} + a1.ClientId = model.NewId() + a1.UserId = model.NewId() + a1.Code = model.NewId() + a1.RedirectUri = "http://example.com" + if err := (<-ss.OAuth().SaveAuthData(&a1)).Err; err != nil { + t.Fatal(err) + } +} + +func TestOAuthStoreGetAuthData(t *testing.T) { + ss := Setup() + + a1 := model.AuthData{} + a1.ClientId = model.NewId() + a1.UserId = model.NewId() + a1.Code = model.NewId() + a1.RedirectUri = "http://example.com" + store.Must(ss.OAuth().SaveAuthData(&a1)) + + if err := (<-ss.OAuth().GetAuthData(a1.Code)).Err; err != nil { + t.Fatal(err) + } +} + +func TestOAuthStoreRemoveAuthData(t *testing.T) { + ss := Setup() + + a1 := model.AuthData{} + a1.ClientId = model.NewId() + a1.UserId = model.NewId() + a1.Code = model.NewId() + a1.RedirectUri = "http://example.com" + store.Must(ss.OAuth().SaveAuthData(&a1)) + + if err := (<-ss.OAuth().RemoveAuthData(a1.Code)).Err; err != nil { + t.Fatal(err) + } + + if err := (<-ss.OAuth().GetAuthData(a1.Code)).Err; err == nil { + t.Fatal("should have errored - auth code removed") + } +} + +func TestOAuthStoreRemoveAuthDataByUser(t *testing.T) { + ss := Setup() + + a1 := model.AuthData{} + a1.ClientId = model.NewId() + a1.UserId = model.NewId() + a1.Code = model.NewId() + a1.RedirectUri = "http://example.com" + store.Must(ss.OAuth().SaveAuthData(&a1)) + + if err := (<-ss.OAuth().PermanentDeleteAuthDataByUser(a1.UserId)).Err; err != nil { + t.Fatal(err) + } +} + +func TestOAuthGetAuthorizedApps(t *testing.T) { + ss := Setup() + + a1 := model.OAuthApp{} + a1.CreatorId = model.NewId() + a1.Name = "TestApp" + model.NewId() + a1.CallbackUrls = []string{"https://nowhere.com"} + a1.Homepage = "https://nowhere.com" + store.Must(ss.OAuth().SaveApp(&a1)) + + // Lets try and get an Authorized app for a user who hasn't authorized it + if result := <-ss.OAuth().GetAuthorizedApps("fake0123456789abcderfgret1", 0, 1000); result.Err == nil { + if len(result.Data.([]*model.OAuthApp)) > 0 { + t.Fatal("Should have failed. Fake user hasn't authorized the app") + } + } else { + t.Fatal(result.Err) + } + + // allow the app + p := model.Preference{} + p.UserId = a1.CreatorId + p.Category = model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP + p.Name = a1.Id + p.Value = "true" + store.Must(ss.Preference().Save(&model.Preferences{p})) + + if result := <-ss.OAuth().GetAuthorizedApps(a1.CreatorId, 0, 1000); result.Err != nil { + t.Fatal(result.Err) + } else { + apps := result.Data.([]*model.OAuthApp) + if len(apps) == 0 { + t.Fatal("It should have return apps") + } + } +} + +func TestOAuthGetAccessDataByUserForApp(t *testing.T) { + ss := Setup() + + a1 := model.OAuthApp{} + a1.CreatorId = model.NewId() + a1.Name = "TestApp" + model.NewId() + a1.CallbackUrls = []string{"https://nowhere.com"} + a1.Homepage = "https://nowhere.com" + store.Must(ss.OAuth().SaveApp(&a1)) + + // allow the app + p := model.Preference{} + p.UserId = a1.CreatorId + p.Category = model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP + p.Name = a1.Id + p.Value = "true" + store.Must(ss.Preference().Save(&model.Preferences{p})) + + if result := <-ss.OAuth().GetAuthorizedApps(a1.CreatorId, 0, 1000); result.Err != nil { + t.Fatal(result.Err) + } else { + apps := result.Data.([]*model.OAuthApp) + if len(apps) == 0 { + t.Fatal("It should have return apps") + } + } + + // save the token + ad1 := model.AccessData{} + ad1.ClientId = a1.Id + ad1.UserId = a1.CreatorId + ad1.Token = model.NewId() + ad1.RefreshToken = model.NewId() + ad1.RedirectUri = "http://example.com" + + if err := (<-ss.OAuth().SaveAccessData(&ad1)).Err; err != nil { + t.Fatal(err) + } + + if result := <-ss.OAuth().GetAccessDataByUserForApp(a1.CreatorId, a1.Id); result.Err != nil { + t.Fatal(result.Err) + } else { + accessData := result.Data.([]*model.AccessData) + if len(accessData) == 0 { + t.Fatal("It should have return access data") + } + } +} + +func TestOAuthStoreDeleteApp(t *testing.T) { + ss := Setup() + + a1 := model.OAuthApp{} + a1.CreatorId = model.NewId() + a1.Name = "TestApp" + model.NewId() + a1.CallbackUrls = []string{"https://nowhere.com"} + a1.Homepage = "https://nowhere.com" + store.Must(ss.OAuth().SaveApp(&a1)) + + // delete a non-existent app + if err := (<-ss.OAuth().DeleteApp("fakeclientId")).Err; err != nil { + t.Fatal(err) + } + + s1 := model.Session{} + s1.UserId = model.NewId() + s1.Token = model.NewId() + s1.IsOAuth = true + + store.Must(ss.Session().Save(&s1)) + + ad1 := model.AccessData{} + ad1.ClientId = a1.Id + ad1.UserId = a1.CreatorId + ad1.Token = s1.Token + ad1.RefreshToken = model.NewId() + ad1.RedirectUri = "http://example.com" + + store.Must(ss.OAuth().SaveAccessData(&ad1)) + + if err := (<-ss.OAuth().DeleteApp(a1.Id)).Err; err != nil { + t.Fatal(err) + } + + if err := (<-ss.Session().Get(s1.Token)).Err; err == nil { + t.Fatal("should error - session should be deleted") + } + + if err := (<-ss.OAuth().GetAccessData(s1.Token)).Err; err == nil { + t.Fatal("should error - access data should be deleted") + } +} |