1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Plugs.OAuthScopesPlugTest do
6 use Pleroma.Web.ConnCase, async: true
8 alias Pleroma.Plugs.OAuthScopesPlug
12 import Pleroma.Factory
14 test "is not performed if marked as skipped", %{conn: conn} do
15 with_mock OAuthScopesPlug, [:passthrough], perform: &passthrough([&1, &2]) do
18 |> OAuthScopesPlug.skip_plug()
19 |> OAuthScopesPlug.call(%{scopes: ["random_scope"]})
21 refute called(OAuthScopesPlug.perform(:_, :_))
26 test "if `token.scopes` fulfills specified 'any of' conditions, " <>
27 "proceeds with no op",
29 token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
33 |> assign(:user, token.user)
34 |> assign(:token, token)
35 |> OAuthScopesPlug.call(%{scopes: ["read"]})
38 assert conn.assigns[:user]
41 test "if `token.scopes` fulfills specified 'all of' conditions, " <>
42 "proceeds with no op",
44 token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
48 |> assign(:user, token.user)
49 |> assign(:token, token)
50 |> OAuthScopesPlug.call(%{scopes: ["scope2", "scope3"], op: :&})
53 assert conn.assigns[:user]
56 describe "with `fallback: :proceed_unauthenticated` option, " do
57 test "if `token.scopes` doesn't fulfill specified conditions, " <>
58 "clears :user and :token assigns",
61 token1 = insert(:oauth_token, scopes: ["read", "write"], user: user)
63 for token <- [token1, nil], op <- [:|, :&] do
66 |> assign(:user, user)
67 |> assign(:token, token)
68 |> OAuthScopesPlug.call(%{
71 fallback: :proceed_unauthenticated
74 refute ret_conn.halted
75 refute ret_conn.assigns[:user]
76 refute ret_conn.assigns[:token]
81 describe "without :fallback option, " do
82 test "if `token.scopes` does not fulfill specified 'any of' conditions, " <>
83 "returns 403 and halts",
85 for token <- [insert(:oauth_token, scopes: ["read", "write"]), nil] do
86 any_of_scopes = ["follow", "push"]
90 |> assign(:token, token)
91 |> OAuthScopesPlug.call(%{scopes: any_of_scopes})
93 assert ret_conn.halted
94 assert 403 == ret_conn.status
96 expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, " | ")}."
97 assert Jason.encode!(%{error: expected_error}) == ret_conn.resp_body
101 test "if `token.scopes` does not fulfill specified 'all of' conditions, " <>
102 "returns 403 and halts",
104 for token <- [insert(:oauth_token, scopes: ["read", "write"]), nil] do
105 token_scopes = (token && token.scopes) || []
106 all_of_scopes = ["write", "follow"]
110 |> assign(:token, token)
111 |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
114 assert 403 == conn.status
117 "Insufficient permissions: #{Enum.join(all_of_scopes -- token_scopes, " & ")}."
119 assert Jason.encode!(%{error: expected_error}) == conn.resp_body
124 describe "with hierarchical scopes, " do
125 test "if `token.scopes` fulfills specified 'any of' conditions, " <>
126 "proceeds with no op",
128 token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
132 |> assign(:user, token.user)
133 |> assign(:token, token)
134 |> OAuthScopesPlug.call(%{scopes: ["read:something"]})
137 assert conn.assigns[:user]
140 test "if `token.scopes` fulfills specified 'all of' conditions, " <>
141 "proceeds with no op",
143 token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
147 |> assign(:user, token.user)
148 |> assign(:token, token)
149 |> OAuthScopesPlug.call(%{scopes: ["scope1:subscope", "scope2:subscope"], op: :&})
152 assert conn.assigns[:user]
156 describe "filter_descendants/2" do
157 test "filters scopes which directly match or are ancestors of supported scopes" do
158 f = fn scopes, supported_scopes ->
159 OAuthScopesPlug.filter_descendants(scopes, supported_scopes)
162 assert f.(["read", "follow"], ["write", "read"]) == ["read"]
164 assert f.(["read", "write:something", "follow"], ["write", "read"]) ==
165 ["read", "write:something"]
167 assert f.(["admin:read"], ["write", "read"]) == []
169 assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
173 describe "transform_scopes/2" do
174 setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage])
177 {:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}
180 test "with :admin option, prefixes all requested scopes with `admin:` " <>
181 "and [optionally] keeps only prefixed scopes, " <>
182 "depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
184 Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
186 assert f.(["read"], %{admin: true}) == ["admin:read", "read"]
188 assert f.(["read", "write"], %{admin: true}) == [
195 Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], true)
197 assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]
199 assert f.(["read", "write:reports"], %{admin: true}) == [
201 "admin:write:reports"
205 test "with no supported options, returns unmodified scopes", %{f: f} do
206 assert f.(["read"], %{}) == ["read"]
207 assert f.(["read", "write"], %{}) == ["read", "write"]