1: -module(graphql_token_SUITE). 2: 3: -compile([export_all, nowarn_export_all]). 4: 5: -import(common_helper, [unprep/1]). 6: -import(distributed_helper, [require_rpc_nodes/1, mim/0]). 7: -import(graphql_helper, [execute_command/4, execute_user_command/5, user_to_bin/1, 8: get_ok_value/2, get_err_code/1, get_err_msg/1, get_unauthorized/1, get_not_loaded/1]). 9: 10: -include_lib("eunit/include/eunit.hrl"). 11: 12: suite() -> 13: require_rpc_nodes([mim]) ++ escalus:suite(). 14: 15: all() -> 16: [{group, user}, 17: {group, domain_admin}, 18: {group, admin_http}, 19: {group, admin_cli}]. 20: 21: groups() -> 22: [{user, [], user_groups()}, 23: {domain_admin, domain_admin_tests()}, 24: {admin_http, [], admin_groups()}, 25: {admin_cli, [], admin_groups()}, 26: {user_token_configured, [], user_tests()}, 27: {user_token_not_configured, [], user_token_not_configured_tests()}, 28: {admin_token_configured, [], admin_tests()}, 29: {admin_token_not_configured, [], admin_token_not_configured_tests()}]. 30: 31: user_groups() -> 32: [{group, user_token_configured}, 33: {group, user_token_not_configured}]. 34: 35: admin_groups() -> 36: [{group, admin_token_configured}, 37: {group, admin_token_not_configured}]. 38: 39: user_tests() -> 40: [user_request_token_test, 41: user_revoke_token_no_token_before_test, 42: user_revoke_token_test]. 43: 44: user_token_not_configured_tests() -> 45: [user_request_token_test_not_configured, 46: user_revoke_token_test_not_configured]. 47: 48: domain_admin_tests() -> 49: [admin_request_token_test, 50: admin_request_token_test_unprep, 51: domain_admin_request_token_no_permission_test, 52: domain_admin_revoke_token_no_permission_test, 53: admin_revoke_token_no_token_test, 54: admin_revoke_token_test, 55: admin_revoke_token_test_unprep]. 56: 57: admin_tests() -> 58: [admin_request_token_test, 59: admin_request_token_test_unprep, 60: admin_request_token_no_host_test, 61: admin_revoke_token_no_host_test, 62: admin_revoke_token_no_token_test, 63: admin_revoke_token_test, 64: admin_revoke_token_test_unprep]. 65: 66: admin_token_not_configured_tests() -> 67: [admin_request_token_test_not_configured, 68: admin_revoke_token_test_not_configured]. 69: 70: init_per_suite(Config0) -> 71: case mongoose_helper:is_rdbms_enabled(domain_helper:host_type()) of 72: true -> 73: HostType = domain_helper:host_type(), 74: Config = dynamic_modules:save_modules(HostType, Config0), 75: Config1 = escalus:init_per_suite(Config), 76: ejabberd_node_utils:init(mim(), Config1); 77: false -> 78: {skip, "RDBMS not available"} 79: end. 80: 81: end_per_suite(Config) -> 82: dynamic_modules:restore_modules(Config), 83: escalus:end_per_suite(Config). 84: 85: required_modules() -> 86: KeyOpts = #{keys => #{token_secret => ram, 87: provision_pre_shared => ram}, 88: backend => ct_helper:get_internal_database()}, 89: KeyStoreOpts = config_parser_helper:mod_config(mod_keystore, KeyOpts), 90: [{mod_keystore, KeyStoreOpts}, 91: {mod_auth_token, auth_token_opts()}]. 92: 93: auth_token_opts() -> 94: Defaults = config_parser_helper:default_mod_config(mod_auth_token), 95: Defaults#{validity_period => #{access => #{value => 60, unit => minutes}, 96: refresh => #{value => 1, unit => days}}}. 97: 98: init_per_group(admin_http, Config) -> 99: graphql_helper:init_admin_handler(Config); 100: init_per_group(admin_cli, Config) -> 101: graphql_helper:init_admin_cli(Config); 102: init_per_group(domain_admin, Config) -> 103: Config1 = ensure_token_started(Config), 104: graphql_helper:init_domain_admin_handler(Config1); 105: init_per_group(Group, Config) when Group =:= admin_token_configured; 106: Group =:= user_token_configured -> 107: ensure_token_started(Config); 108: init_per_group(Group, Config) when Group =:= admin_token_not_configured; 109: Group =:= user_token_not_configured -> 110: ensure_token_stopped(Config); 111: init_per_group(user, Config) -> 112: graphql_helper:init_user(Config). 113: 114: ensure_token_started(Config) -> 115: HostType = domain_helper:host_type(), 116: dynamic_modules:ensure_modules(HostType, required_modules()), 117: Config. 118: 119: ensure_token_stopped(Config) -> 120: HostType = domain_helper:host_type(), 121: dynamic_modules:ensure_modules(HostType, [{mod_auth_token, stopped}]), 122: Config. 123: 124: end_per_group(GroupName, _Config) when GroupName =:= admin_http; 125: GroupName =:= admin_cli; 126: GroupName =:= user; 127: GroupName =:= domain_admin -> 128: graphql_helper:clean(); 129: end_per_group(_GroupName, _Config) -> 130: escalus_fresh:clean(). 131: 132: init_per_testcase(CaseName, Config) -> 133: escalus:init_per_testcase(CaseName, Config). 134: 135: end_per_testcase(CaseName, Config) -> 136: escalus:end_per_testcase(CaseName, Config). 137: 138: % User tests 139: 140: user_request_token_test(Config) -> 141: escalus:fresh_story_with_config(Config, [{alice, 1}], fun user_request_token_test/2). 142: 143: user_request_token_test(Config, Alice) -> 144: Res = user_request_token(Alice, Config), 145: #{<<"refresh">> := Refresh, <<"access">> := Access} = 146: get_ok_value([data, token, requestToken], Res), 147: ?assert(is_binary(Refresh)), 148: ?assert(is_binary(Access)). 149: 150: user_revoke_token_no_token_before_test(Config) -> 151: escalus:fresh_story_with_config(Config, [{alice, 1}], fun user_revoke_token_no_token_before_test/2). 152: 153: user_revoke_token_no_token_before_test(Config, Alice) -> 154: Res = user_revoke_token(Alice, Config), 155: ?assertEqual(<<"not_found">>, get_err_code(Res)). 156: 157: user_revoke_token_test(Config) -> 158: escalus:fresh_story_with_config(Config, [{alice, 1}], fun user_revoke_token_test/2). 159: 160: user_revoke_token_test(Config, Alice) -> 161: user_request_token(Alice, Config), 162: Res2 = user_revoke_token(Alice, Config), 163: ParsedRes = get_ok_value([data, token, revokeToken], Res2), 164: ?assertEqual(<<"Revoked">>, ParsedRes). 165: 166: % User test cases mod_token not configured 167: 168: user_request_token_test_not_configured(Config) -> 169: escalus:fresh_story_with_config(Config, [{alice, 1}], 170: fun user_request_token_test_not_configured/2). 171: 172: user_request_token_test_not_configured(Config, Alice) -> 173: Res = user_request_token(Alice, Config), 174: get_not_loaded(Res). 175: 176: user_revoke_token_test_not_configured(Config) -> 177: escalus:fresh_story_with_config(Config, [{alice, 1}], 178: fun user_revoke_token_test_not_configured/2). 179: 180: user_revoke_token_test_not_configured(Config, Alice) -> 181: Res = user_revoke_token(Alice, Config), 182: get_not_loaded(Res). 183: 184: % Domain admin tests 185: 186: domain_admin_request_token_no_permission_test(Config) -> 187: escalus:fresh_story_with_config(Config, [{alice_bis, 1}], 188: fun domain_admin_request_token_no_permission_test/2). 189: 190: domain_admin_request_token_no_permission_test(Config, AliceBis) -> 191: % External domain user 192: Res = admin_request_token(user_to_bin(AliceBis), Config), 193: get_unauthorized(Res), 194: % Non-existing domain 195: Res2 = admin_request_token(<<"eddie@otherhost">>, Config), 196: get_unauthorized(Res2). 197: 198: domain_admin_revoke_token_no_permission_test(Config) -> 199: escalus:fresh_story_with_config(Config, [{alice_bis, 1}], 200: fun domain_admin_revoke_token_no_permission_test/2). 201: 202: domain_admin_revoke_token_no_permission_test(Config, AliceBis) -> 203: % External domain user 204: Res = admin_revoke_token(user_to_bin(AliceBis), Config), 205: get_unauthorized(Res), 206: % Non-existing domain 207: Res2 = admin_revoke_token(<<"eddie@otherhost">>, Config), 208: get_unauthorized(Res2). 209: 210: % Admin tests 211: 212: admin_request_token_test(Config) -> 213: escalus:fresh_story_with_config(Config, [{alice, 1}], fun admin_request_token_test/2). 214: 215: admin_request_token_test(Config, Alice) -> 216: Res = admin_request_token(user_to_bin(Alice), Config), 217: #{<<"refresh">> := Refresh, <<"access">> := Access} = 218: get_ok_value([data, token, requestToken], Res), 219: ?assert(is_binary(Refresh)), 220: ?assert(is_binary(Access)). 221: 222: admin_request_token_test_unprep(Config) -> 223: escalus:fresh_story_with_config(Config, [{alice, 1}], fun admin_request_token_test_unprep/2). 224: 225: admin_request_token_test_unprep(Config, Alice) -> 226: Res = admin_request_token(unprep(user_to_bin(Alice)), Config), 227: #{<<"refresh">> := Refresh, <<"access">> := Access} = 228: get_ok_value([data, token, requestToken], Res), 229: ?assert(is_binary(Refresh)), 230: ?assert(is_binary(Access)). 231: 232: admin_request_token_no_host_test(Config) -> 233: Res = admin_request_token(<<"eddie@otherhost">>, Config), 234: ?assertEqual(<<"Unknown domain">>, get_err_msg(Res)). 235: 236: admin_revoke_token_no_host_test(Config) -> 237: Res = admin_revoke_token(<<"eddie@otherhost">>, Config), 238: ?assertEqual(<<"Unknown domain">>, get_err_msg(Res)). 239: 240: admin_revoke_token_no_token_test(Config) -> 241: escalus:fresh_story_with_config(Config, [{alice, 1}], fun admin_revoke_token_no_token_test/2). 242: 243: admin_revoke_token_no_token_test(Config, Alice) -> 244: Res = admin_revoke_token(user_to_bin(Alice), Config), 245: ?assertEqual(<<"not_found">>, get_err_code(Res)). 246: 247: admin_revoke_token_test(Config) -> 248: escalus:fresh_story_with_config(Config, [{alice, 1}], fun admin_revoke_token_test/2). 249: 250: admin_revoke_token_test(Config, Alice) -> 251: admin_request_token(user_to_bin(Alice), Config), 252: Res2 = admin_revoke_token(user_to_bin(Alice), Config), 253: ParsedRes = get_ok_value([data, token, revokeToken], Res2), 254: ?assertEqual(<<"Revoked">>, ParsedRes). 255: 256: admin_revoke_token_test_unprep(Config) -> 257: escalus:fresh_story_with_config(Config, [{alice, 1}], fun admin_revoke_token_test_unprep/2). 258: 259: admin_revoke_token_test_unprep(Config, Alice) -> 260: admin_request_token(unprep(user_to_bin(Alice)), Config), 261: Res2 = admin_revoke_token(unprep(user_to_bin(Alice)), Config), 262: ParsedRes = get_ok_value([data, token, revokeToken], Res2), 263: ?assertEqual(<<"Revoked">>, ParsedRes). 264: 265: % Admin test cases token not configured 266: 267: admin_request_token_test_not_configured(Config) -> 268: escalus:fresh_story_with_config(Config, [{alice, 1}], 269: fun admin_request_token_test_not_configured/2). 270: 271: admin_request_token_test_not_configured(Config, Alice) -> 272: Res = admin_request_token(user_to_bin(Alice), Config), 273: get_not_loaded(Res). 274: 275: admin_revoke_token_test_not_configured(Config) -> 276: escalus:fresh_story_with_config(Config, [{alice, 1}], 277: fun admin_revoke_token_test_not_configured/2). 278: 279: admin_revoke_token_test_not_configured(Config, Alice) -> 280: Res = admin_request_token(user_to_bin(Alice), Config), 281: get_not_loaded(Res). 282: 283: % Commands 284: 285: user_request_token(User, Config) -> 286: execute_user_command(<<"token">>, <<"requestToken">>, User, #{}, Config). 287: 288: user_revoke_token(User, Config) -> 289: execute_user_command(<<"token">>, <<"revokeToken">>, User, #{}, Config). 290: 291: admin_request_token(User, Config) -> 292: execute_command(<<"token">>, <<"requestToken">>, #{user => User}, Config). 293: 294: admin_revoke_token(User, Config) -> 295: execute_command(<<"token">>, <<"revokeToken">>, #{user => User}, Config).