1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Plugs.OAuthScopesPlugTest do
6 use Pleroma.Web.ConnCase, async: true
8 alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
9 alias Pleroma.Plugs.OAuthScopesPlug
13 import Pleroma.Factory
15 setup_with_mocks([{EnsurePublicOrAuthenticatedPlug, [], [call: fn conn, _ -> conn end]}]) do
19 test "if `token.scopes` fulfills specified 'any of' conditions, " <>
20 "proceeds with no op",
22 token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
26 |> assign(:user, token.user)
27 |> assign(:token, token)
28 |> OAuthScopesPlug.call(%{scopes: ["read"]})
31 assert conn.assigns[:user]
34 test "if `token.scopes` fulfills specified 'all of' conditions, " <>
35 "proceeds with no op",
37 token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
41 |> assign(:user, token.user)
42 |> assign(:token, token)
43 |> OAuthScopesPlug.call(%{scopes: ["scope2", "scope3"], op: :&})
46 assert conn.assigns[:user]
49 describe "with `fallback: :proceed_unauthenticated` option, " do
50 test "if `token.scopes` doesn't fulfill specified conditions, " <>
51 "clears :user and :token assigns and calls EnsurePublicOrAuthenticatedPlug",
54 token1 = insert(:oauth_token, scopes: ["read", "write"], user: user)
56 for token <- [token1, nil], op <- [:|, :&] do
59 |> assign(:user, user)
60 |> assign(:token, token)
61 |> OAuthScopesPlug.call(%{
64 fallback: :proceed_unauthenticated
67 refute ret_conn.halted
68 refute ret_conn.assigns[:user]
69 refute ret_conn.assigns[:token]
71 assert called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_))
75 test "with :skip_instance_privacy_check option, " <>
76 "if `token.scopes` doesn't fulfill specified conditions, " <>
77 "clears :user and :token assigns and does NOT call EnsurePublicOrAuthenticatedPlug",
80 token1 = insert(:oauth_token, scopes: ["read:statuses", "write"], user: user)
82 for token <- [token1, nil], op <- [:|, :&] do
85 |> assign(:user, user)
86 |> assign(:token, token)
87 |> OAuthScopesPlug.call(%{
90 fallback: :proceed_unauthenticated,
91 skip_instance_privacy_check: true
94 refute ret_conn.halted
95 refute ret_conn.assigns[:user]
96 refute ret_conn.assigns[:token]
98 refute called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_))
103 describe "without :fallback option, " do
104 test "if `token.scopes` does not fulfill specified 'any of' conditions, " <>
105 "returns 403 and halts",
107 for token <- [insert(:oauth_token, scopes: ["read", "write"]), nil] do
108 any_of_scopes = ["follow", "push"]
112 |> assign(:token, token)
113 |> OAuthScopesPlug.call(%{scopes: any_of_scopes})
115 assert ret_conn.halted
116 assert 403 == ret_conn.status
118 expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, " | ")}."
119 assert Jason.encode!(%{error: expected_error}) == ret_conn.resp_body
123 test "if `token.scopes` does not fulfill specified 'all of' conditions, " <>
124 "returns 403 and halts",
126 for token <- [insert(:oauth_token, scopes: ["read", "write"]), nil] do
127 token_scopes = (token && token.scopes) || []
128 all_of_scopes = ["write", "follow"]
132 |> assign(:token, token)
133 |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
136 assert 403 == conn.status
139 "Insufficient permissions: #{Enum.join(all_of_scopes -- token_scopes, " & ")}."
141 assert Jason.encode!(%{error: expected_error}) == conn.resp_body
146 describe "with hierarchical scopes, " do
147 test "if `token.scopes` fulfills specified 'any of' conditions, " <>
148 "proceeds with no op",
150 token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
154 |> assign(:user, token.user)
155 |> assign(:token, token)
156 |> OAuthScopesPlug.call(%{scopes: ["read:something"]})
159 assert conn.assigns[:user]
162 test "if `token.scopes` fulfills specified 'all of' conditions, " <>
163 "proceeds with no op",
165 token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
169 |> assign(:user, token.user)
170 |> assign(:token, token)
171 |> OAuthScopesPlug.call(%{scopes: ["scope1:subscope", "scope2:subscope"], op: :&})
174 assert conn.assigns[:user]
178 describe "filter_descendants/2" do
179 test "filters scopes which directly match or are ancestors of supported scopes" do
180 f = fn scopes, supported_scopes ->
181 OAuthScopesPlug.filter_descendants(scopes, supported_scopes)
184 assert f.(["read", "follow"], ["write", "read"]) == ["read"]
186 assert f.(["read", "write:something", "follow"], ["write", "read"]) ==
187 ["read", "write:something"]
189 assert f.(["admin:read"], ["write", "read"]) == []
191 assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
195 describe "transform_scopes/2" do
196 clear_config([:auth, :enforce_oauth_admin_scope_usage])
199 {:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}
202 test "with :admin option, prefixes all requested scopes with `admin:` " <>
203 "and [optionally] keeps only prefixed scopes, " <>
204 "depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
206 Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
208 assert f.(["read"], %{admin: true}) == ["admin:read", "read"]
210 assert f.(["read", "write"], %{admin: true}) == [
217 Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], true)
219 assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]
221 assert f.(["read", "write:reports"], %{admin: true}) == [
223 "admin:write:reports"
227 test "with no supported options, returns unmodified scopes", %{f: f} do
228 assert f.(["read"], %{}) == ["read"]
229 assert f.(["read", "write"], %{}) == ["read", "write"]