2019-02-20 02:27:28 -07:00
|
|
|
# Pleroma: A lightweight social networking server
|
2019-09-18 15:20:54 -06:00
|
|
|
# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
|
2019-02-20 02:27:28 -07:00
|
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
|
|
|
|
defmodule Pleroma.Plugs.OAuthScopesPlugTest do
|
|
|
|
use Pleroma.Web.ConnCase, async: true
|
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
|
2019-09-17 14:31:05 -06:00
|
|
|
alias Pleroma.Plugs.OAuthScopesPlug
|
2019-02-20 02:27:28 -07:00
|
|
|
alias Pleroma.Repo
|
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
import Mock
|
2019-02-20 02:27:28 -07:00
|
|
|
import Pleroma.Factory
|
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
setup_with_mocks([{EnsurePublicOrAuthenticatedPlug, [], [call: fn conn, _ -> conn end]}]) do
|
|
|
|
:ok
|
|
|
|
end
|
2019-02-20 02:27:28 -07:00
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
describe "when `assigns[:token]` is nil, " do
|
|
|
|
test "with :skip_instance_privacy_check option, proceeds with no op", %{conn: conn} do
|
|
|
|
conn =
|
|
|
|
conn
|
|
|
|
|> assign(:user, insert(:user))
|
|
|
|
|> OAuthScopesPlug.call(%{scopes: ["read"], skip_instance_privacy_check: true})
|
|
|
|
|
|
|
|
refute conn.halted
|
|
|
|
assert conn.assigns[:user]
|
|
|
|
|
|
|
|
refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
|
|
|
|
end
|
|
|
|
|
|
|
|
test "without :skip_instance_privacy_check option, calls EnsurePublicOrAuthenticatedPlug", %{
|
|
|
|
conn: conn
|
|
|
|
} do
|
|
|
|
conn =
|
|
|
|
conn
|
|
|
|
|> assign(:user, insert(:user))
|
|
|
|
|> OAuthScopesPlug.call(%{scopes: ["read"]})
|
|
|
|
|
|
|
|
refute conn.halted
|
|
|
|
assert conn.assigns[:user]
|
|
|
|
|
|
|
|
assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
|
|
|
|
end
|
2019-02-20 02:27:28 -07:00
|
|
|
end
|
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
test "if `token.scopes` fulfills specified 'any of' conditions, " <>
|
|
|
|
"proceeds with no op",
|
|
|
|
%{conn: conn} do
|
2019-02-20 02:27:28 -07:00
|
|
|
token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
|
|
|
|
|
|
|
|
conn =
|
|
|
|
conn
|
|
|
|
|> assign(:user, token.user)
|
|
|
|
|> assign(:token, token)
|
|
|
|
|> OAuthScopesPlug.call(%{scopes: ["read"]})
|
|
|
|
|
|
|
|
refute conn.halted
|
|
|
|
assert conn.assigns[:user]
|
|
|
|
end
|
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
test "if `token.scopes` fulfills specified 'all of' conditions, " <>
|
|
|
|
"proceeds with no op",
|
|
|
|
%{conn: conn} do
|
2019-02-20 02:27:28 -07:00
|
|
|
token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
|
|
|
|
|
|
|
|
conn =
|
|
|
|
conn
|
|
|
|
|> assign(:user, token.user)
|
|
|
|
|> assign(:token, token)
|
|
|
|
|> OAuthScopesPlug.call(%{scopes: ["scope2", "scope3"], op: :&})
|
|
|
|
|
|
|
|
refute conn.halted
|
|
|
|
assert conn.assigns[:user]
|
|
|
|
end
|
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
describe "with `fallback: :proceed_unauthenticated` option, " do
|
|
|
|
test "if `token.scopes` doesn't fulfill specified 'any of' conditions, " <>
|
|
|
|
"clears `assigns[:user]` and calls EnsurePublicOrAuthenticatedPlug",
|
|
|
|
%{conn: conn} do
|
|
|
|
token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
|
2019-02-20 02:27:28 -07:00
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
conn =
|
|
|
|
conn
|
|
|
|
|> assign(:user, token.user)
|
|
|
|
|> assign(:token, token)
|
|
|
|
|> OAuthScopesPlug.call(%{scopes: ["follow"], fallback: :proceed_unauthenticated})
|
2019-02-20 02:27:28 -07:00
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
refute conn.halted
|
|
|
|
refute conn.assigns[:user]
|
2019-02-20 02:27:28 -07:00
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
|
|
|
|
end
|
2019-02-20 02:27:28 -07:00
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
test "if `token.scopes` doesn't fulfill specified 'all of' conditions, " <>
|
|
|
|
"clears `assigns[:user] and calls EnsurePublicOrAuthenticatedPlug",
|
|
|
|
%{conn: conn} do
|
|
|
|
token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
|
2019-02-20 02:27:28 -07:00
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
conn =
|
|
|
|
conn
|
|
|
|
|> assign(:user, token.user)
|
|
|
|
|> assign(:token, token)
|
|
|
|
|> OAuthScopesPlug.call(%{
|
|
|
|
scopes: ["read", "follow"],
|
|
|
|
op: :&,
|
|
|
|
fallback: :proceed_unauthenticated
|
|
|
|
})
|
2019-02-20 02:27:28 -07:00
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
refute conn.halted
|
|
|
|
refute conn.assigns[:user]
|
2019-02-20 02:27:28 -07:00
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
|
|
|
|
end
|
2019-02-20 02:27:28 -07:00
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
test "with :skip_instance_privacy_check option, " <>
|
|
|
|
"if `token.scopes` doesn't fulfill specified conditions, " <>
|
|
|
|
"clears `assigns[:user]` and does not call EnsurePublicOrAuthenticatedPlug",
|
|
|
|
%{conn: conn} do
|
|
|
|
token = insert(:oauth_token, scopes: ["read:statuses", "write"]) |> Repo.preload(:user)
|
2019-02-20 02:27:28 -07:00
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
conn =
|
|
|
|
conn
|
|
|
|
|> assign(:user, token.user)
|
|
|
|
|> assign(:token, token)
|
|
|
|
|> OAuthScopesPlug.call(%{
|
|
|
|
scopes: ["read"],
|
|
|
|
fallback: :proceed_unauthenticated,
|
|
|
|
skip_instance_privacy_check: true
|
|
|
|
})
|
|
|
|
|
|
|
|
refute conn.halted
|
|
|
|
refute conn.assigns[:user]
|
|
|
|
|
|
|
|
refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
|
|
|
|
end
|
2019-02-20 02:27:28 -07:00
|
|
|
end
|
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
describe "without :fallback option, " do
|
|
|
|
test "if `token.scopes` does not fulfill specified 'any of' conditions, " <>
|
|
|
|
"returns 403 and halts",
|
|
|
|
%{conn: conn} do
|
|
|
|
token = insert(:oauth_token, scopes: ["read", "write"])
|
|
|
|
any_of_scopes = ["follow"]
|
2019-02-20 02:27:28 -07:00
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
conn =
|
|
|
|
conn
|
|
|
|
|> assign(:token, token)
|
|
|
|
|> OAuthScopesPlug.call(%{scopes: any_of_scopes})
|
|
|
|
|
|
|
|
assert conn.halted
|
|
|
|
assert 403 == conn.status
|
|
|
|
|
|
|
|
expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, ", ")}."
|
|
|
|
assert Jason.encode!(%{error: expected_error}) == conn.resp_body
|
|
|
|
end
|
2019-02-20 02:27:28 -07:00
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
test "if `token.scopes` does not fulfill specified 'all of' conditions, " <>
|
|
|
|
"returns 403 and halts",
|
|
|
|
%{conn: conn} do
|
|
|
|
token = insert(:oauth_token, scopes: ["read", "write"])
|
|
|
|
all_of_scopes = ["write", "follow"]
|
2019-02-20 02:27:28 -07:00
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
conn =
|
|
|
|
conn
|
|
|
|
|> assign(:token, token)
|
|
|
|
|> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
|
2019-02-20 02:27:28 -07:00
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
assert conn.halted
|
|
|
|
assert 403 == conn.status
|
|
|
|
|
|
|
|
expected_error =
|
|
|
|
"Insufficient permissions: #{Enum.join(all_of_scopes -- token.scopes, ", ")}."
|
|
|
|
|
|
|
|
assert Jason.encode!(%{error: expected_error}) == conn.resp_body
|
|
|
|
end
|
2019-02-20 02:27:28 -07:00
|
|
|
end
|
2019-09-08 06:00:03 -06:00
|
|
|
|
|
|
|
describe "with hierarchical scopes, " do
|
2019-09-17 13:19:39 -06:00
|
|
|
test "if `token.scopes` fulfills specified 'any of' conditions, " <>
|
|
|
|
"proceeds with no op",
|
|
|
|
%{conn: conn} do
|
2019-09-08 06:00:03 -06:00
|
|
|
token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
|
|
|
|
|
|
|
|
conn =
|
|
|
|
conn
|
|
|
|
|> assign(:user, token.user)
|
|
|
|
|> assign(:token, token)
|
|
|
|
|> OAuthScopesPlug.call(%{scopes: ["read:something"]})
|
|
|
|
|
|
|
|
refute conn.halted
|
|
|
|
assert conn.assigns[:user]
|
|
|
|
end
|
|
|
|
|
2019-09-17 13:19:39 -06:00
|
|
|
test "if `token.scopes` fulfills specified 'all of' conditions, " <>
|
|
|
|
"proceeds with no op",
|
|
|
|
%{conn: conn} do
|
2019-09-08 06:00:03 -06:00
|
|
|
token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
|
|
|
|
|
|
|
|
conn =
|
|
|
|
conn
|
|
|
|
|> assign(:user, token.user)
|
|
|
|
|> assign(:token, token)
|
|
|
|
|> OAuthScopesPlug.call(%{scopes: ["scope1:subscope", "scope2:subscope"], op: :&})
|
|
|
|
|
|
|
|
refute conn.halted
|
|
|
|
assert conn.assigns[:user]
|
|
|
|
end
|
|
|
|
end
|
2019-09-17 13:19:39 -06:00
|
|
|
|
|
|
|
describe "filter_descendants/2" do
|
|
|
|
test "filters scopes which directly match or are ancestors of supported scopes" do
|
|
|
|
f = fn scopes, supported_scopes ->
|
|
|
|
OAuthScopesPlug.filter_descendants(scopes, supported_scopes)
|
|
|
|
end
|
|
|
|
|
|
|
|
assert f.(["read", "follow"], ["write", "read"]) == ["read"]
|
|
|
|
|
|
|
|
assert f.(["read", "write:something", "follow"], ["write", "read"]) ==
|
|
|
|
["read", "write:something"]
|
|
|
|
|
|
|
|
assert f.(["admin:read"], ["write", "read"]) == []
|
|
|
|
|
|
|
|
assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
|
|
|
|
end
|
|
|
|
end
|
2019-12-11 01:42:02 -07:00
|
|
|
|
|
|
|
describe "transform_scopes/2" do
|
|
|
|
clear_config([:auth, :enforce_oauth_admin_scope_usage])
|
|
|
|
|
|
|
|
setup do
|
|
|
|
{:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}
|
|
|
|
end
|
|
|
|
|
|
|
|
test "with :admin option, prefixes all requested scopes with `admin:` " <>
|
|
|
|
"and [optionally] keeps only prefixed scopes, " <>
|
|
|
|
"depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
|
|
|
|
%{f: f} do
|
|
|
|
Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
|
|
|
|
|
|
|
|
assert f.(["read"], %{admin: true}) == ["admin:read", "read"]
|
|
|
|
|
|
|
|
assert f.(["read", "write"], %{admin: true}) == [
|
|
|
|
"admin:read",
|
|
|
|
"read",
|
|
|
|
"admin:write",
|
|
|
|
"write"
|
|
|
|
]
|
|
|
|
|
|
|
|
Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], true)
|
|
|
|
|
|
|
|
assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]
|
|
|
|
|
|
|
|
assert f.(["read", "write:reports"], %{admin: true}) == [
|
|
|
|
"admin:read",
|
|
|
|
"admin:write:reports"
|
|
|
|
]
|
|
|
|
end
|
|
|
|
|
|
|
|
test "with no supported options, returns unmodified scopes", %{f: f} do
|
|
|
|
assert f.(["read"], %{}) == ["read"]
|
|
|
|
assert f.(["read", "write"], %{}) == ["read", "write"]
|
|
|
|
end
|
|
|
|
end
|
2019-02-20 02:27:28 -07:00
|
|
|
end
|