[QA] 0.5.3 Testplan

[jnweiger]

Setup

Setup details (click to expand)

References: * https://github.com/owncloud/oauth2/wiki/OAuth-code-Flow-Sequence-Diagram

OAuth2 app Test Plan

This aims to be a client-agnostic testplan for the OAuth2 application, centered in the actions available in the webUI and/or occ commands and their impact on ownCloud's core behavior. To test the application from a client standpoint see:

• Desktop Sync client: OAuth2 Desktop Client's integration testplan QA#473
• Mobile client: OAuth2 QA#474

Testing functionality

Test Case	Expected Result	Result	Related Comment
CLI commands
Enable OAuth2 app via CLI using occ app:enable oauth2	- The apps gets enabled - Replies from the WebDAV endpoint includes a new WWW-Authenticate: Bearer... header	✔️
Disable OAuth2 app via CLI using occ app:disable oauth2	- The apps gets disabled - Previously mentioned header goes away in further requests	✔️
Registered Clients
Default clients	The default Registered clients are included among the "Settings > Admin > User Authentication" OAuth 2.0: Registered Clients	✔️	See #38 for the default values
Register new Client	64-character-length client_id and client_secret are generated together with a (required) Client Name and a (required) Redirection URL	✔️
Remove a Client	- Confirmation dialog is prompted before removal - All client sessions opened from those clients get removed	✔️
Unregistered Clients
Authentication flow from an unregistered client	Unsuccessful Authorization Request	✔️	Browser displays the "Request not valid" screen.
Authorized Applications
Login with a Registered Client	The Client Name is displayed amongst the "Personal > Security" OAuth 2.0 Authorized Applications	✔️
Session Revocation (i.e. delete Authorized Application)	All the sessions opened in the clients are revoked and must be re-authorized	✔️
User Account Handling
Password change	Open sessions are revoked and new credentials must be used in further login attempts	✔️
Authorization Flow
Successful Authorization Request without any session open in the browser	Login form with an additional informative note about the application requesting access to ownCloud is displayed	✔️
Successful Authorization Request with a valid session in the browser	The "Authorize" screen is displayed	✔️
Successful Authorization Request in a browser with a different user logged in	The "Switch User" screen is displayed, allowing to modify the current session	✔️	See use of the additional user parameter in: #67
Failed attempt in the authorization login form	The query parameters for the Authorization Request are preserved in next attempts	✔️	See original issue in: owncloud/core#28129
Relevant Smoke Tests
Unauthenticated Actions: Public File Drop	Files get uploaded normally	✔️	See #100
OAuth with new Web App
Register Web app via CLI	occ app:enable web client_id="$(tr -dc 'a-z0-9' < /dev/urandom | head -c 32)" client_secret="$(tr -dc 'a-z0-9' < /dev/urandom | head -c 32)" web_baseurl="https://$oc10_fqdn/index.php/apps/web" occ config:system:set web.baseUrl --value $web_baseurl occ oauth:add-client "ownCloud Web" $client_id $client_secret $web_baseurl/oidc-callback.html	✔️
Successful Authorization Request without any session open in the browser	Login form with an additional informative note about the application requesting access to ownCloud is displayed	✔️
Successful Authorization Request with a valid session in the browser	The "Authorize" screen is displayed	✔️

----

[jnweiger]

Changelog Testing

• Fill login_hint with username #328
• desktop clients cannot relogin #326
• Client receives code verifier error when the user has never logged in before #320
• add missing token index #331 fixes Add missing index on "oc_oauth2_access_tokens"("token") #325
• don't require client secret when using PKCE #337 / Fix passwordless PKCE #338 required by [full-ci] Rework auth handling web#7072
• Extra test: Sync client with a guest account and oauth.

[jnweiger]

release done. closing