git.squeep.com Git - akkoma/blob - test/plugs/oauth_scopes_plug_test.exs

   1 # Pleroma: A lightweight social networking server
   2 # Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
   3 # SPDX-License-Identifier: AGPL-3.0-only
   4
   5 defmodule Pleroma.Plugs.OAuthScopesPlugTest do
   6   use Pleroma.Web.ConnCase, async: true
   7
   8   alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
   9   alias Pleroma.Plugs.OAuthScopesPlug
  10   alias Pleroma.Repo
  11
  12   import Mock
  13   import Pleroma.Factory
  14
  15   setup_with_mocks([{EnsurePublicOrAuthenticatedPlug, [], [call: fn conn, _ -> conn end]}]) do
  16     :ok
  17   end
  18
  19   describe "when `assigns[:token]` is nil, " do
  20     test "with :skip_instance_privacy_check option, proceeds with no op", %{conn: conn} do
  21       conn =
  22         conn
  23         |> assign(:user, insert(:user))
  24         |> OAuthScopesPlug.call(%{scopes: ["read"], skip_instance_privacy_check: true})
  25
  26       refute conn.halted
  27       assert conn.assigns[:user]
  28
  29       refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
  30     end
  31
  32     test "without :skip_instance_privacy_check option, calls EnsurePublicOrAuthenticatedPlug", %{
  33       conn: conn
  34     } do
  35       conn =
  36         conn
  37         |> assign(:user, insert(:user))
  38         |> OAuthScopesPlug.call(%{scopes: ["read"]})
  39
  40       refute conn.halted
  41       assert conn.assigns[:user]
  42
  43       assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
  44     end
  45   end
  46
  47   test "if `token.scopes` fulfills specified 'any of' conditions, " <>
  48          "proceeds with no op",
  49        %{conn: conn} do
  50     token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
  51
  52     conn =
  53       conn
  54       |> assign(:user, token.user)
  55       |> assign(:token, token)
  56       |> OAuthScopesPlug.call(%{scopes: ["read"]})
  57
  58     refute conn.halted
  59     assert conn.assigns[:user]
  60   end
  61
  62   test "if `token.scopes` fulfills specified 'all of' conditions, " <>
  63          "proceeds with no op",
  64        %{conn: conn} do
  65     token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
  66
  67     conn =
  68       conn
  69       |> assign(:user, token.user)
  70       |> assign(:token, token)
  71       |> OAuthScopesPlug.call(%{scopes: ["scope2", "scope3"], op: :&})
  72
  73     refute conn.halted
  74     assert conn.assigns[:user]
  75   end
  76
  77   describe "with `fallback: :proceed_unauthenticated` option, " do
  78     test "if `token.scopes` doesn't fulfill specified 'any of' conditions, " <>
  79            "clears `assigns[:user]` and calls EnsurePublicOrAuthenticatedPlug",
  80          %{conn: conn} do
  81       token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
  82
  83       conn =
  84         conn
  85         |> assign(:user, token.user)
  86         |> assign(:token, token)
  87         |> OAuthScopesPlug.call(%{scopes: ["follow"], fallback: :proceed_unauthenticated})
  88
  89       refute conn.halted
  90       refute conn.assigns[:user]
  91
  92       assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
  93     end
  94
  95     test "if `token.scopes` doesn't fulfill specified 'all of' conditions, " <>
  96            "clears `assigns[:user] and calls EnsurePublicOrAuthenticatedPlug",
  97          %{conn: conn} do
  98       token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
  99
 100       conn =
 101         conn
 102         |> assign(:user, token.user)
 103         |> assign(:token, token)
 104         |> OAuthScopesPlug.call(%{
 105           scopes: ["read", "follow"],
 106           op: :&,
 107           fallback: :proceed_unauthenticated
 108         })
 109
 110       refute conn.halted
 111       refute conn.assigns[:user]
 112
 113       assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
 114     end
 115
 116     test "with :skip_instance_privacy_check option, " <>
 117            "if `token.scopes` doesn't fulfill specified conditions, " <>
 118            "clears `assigns[:user]` and does not call EnsurePublicOrAuthenticatedPlug",
 119          %{conn: conn} do
 120       token = insert(:oauth_token, scopes: ["read:statuses", "write"]) |> Repo.preload(:user)
 121
 122       conn =
 123         conn
 124         |> assign(:user, token.user)
 125         |> assign(:token, token)
 126         |> OAuthScopesPlug.call(%{
 127           scopes: ["read"],
 128           fallback: :proceed_unauthenticated,
 129           skip_instance_privacy_check: true
 130         })
 131
 132       refute conn.halted
 133       refute conn.assigns[:user]
 134
 135       refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
 136     end
 137   end
 138
 139   describe "without :fallback option, " do
 140     test "if `token.scopes` does not fulfill specified 'any of' conditions, " <>
 141            "returns 403 and halts",
 142          %{conn: conn} do
 143       token = insert(:oauth_token, scopes: ["read", "write"])
 144       any_of_scopes = ["follow"]
 145
 146       conn =
 147         conn
 148         |> assign(:token, token)
 149         |> OAuthScopesPlug.call(%{scopes: any_of_scopes})
 150
 151       assert conn.halted
 152       assert 403 == conn.status
 153
 154       expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, ", ")}."
 155       assert Jason.encode!(%{error: expected_error}) == conn.resp_body
 156     end
 157
 158     test "if `token.scopes` does not fulfill specified 'all of' conditions, " <>
 159            "returns 403 and halts",
 160          %{conn: conn} do
 161       token = insert(:oauth_token, scopes: ["read", "write"])
 162       all_of_scopes = ["write", "follow"]
 163
 164       conn =
 165         conn
 166         |> assign(:token, token)
 167         |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
 168
 169       assert conn.halted
 170       assert 403 == conn.status
 171
 172       expected_error =
 173         "Insufficient permissions: #{Enum.join(all_of_scopes -- token.scopes, ", ")}."
 174
 175       assert Jason.encode!(%{error: expected_error}) == conn.resp_body
 176     end
 177   end
 178
 179   describe "with hierarchical scopes, " do
 180     test "if `token.scopes` fulfills specified 'any of' conditions, " <>
 181            "proceeds with no op",
 182          %{conn: conn} do
 183       token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
 184
 185       conn =
 186         conn
 187         |> assign(:user, token.user)
 188         |> assign(:token, token)
 189         |> OAuthScopesPlug.call(%{scopes: ["read:something"]})
 190
 191       refute conn.halted
 192       assert conn.assigns[:user]
 193     end
 194
 195     test "if `token.scopes` fulfills specified 'all of' conditions, " <>
 196            "proceeds with no op",
 197          %{conn: conn} do
 198       token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
 199
 200       conn =
 201         conn
 202         |> assign(:user, token.user)
 203         |> assign(:token, token)
 204         |> OAuthScopesPlug.call(%{scopes: ["scope1:subscope", "scope2:subscope"], op: :&})
 205
 206       refute conn.halted
 207       assert conn.assigns[:user]
 208     end
 209   end
 210
 211   describe "filter_descendants/2" do
 212     test "filters scopes which directly match or are ancestors of supported scopes" do
 213       f = fn scopes, supported_scopes ->
 214         OAuthScopesPlug.filter_descendants(scopes, supported_scopes)
 215       end
 216
 217       assert f.(["read", "follow"], ["write", "read"]) == ["read"]
 218
 219       assert f.(["read", "write:something", "follow"], ["write", "read"]) ==
 220                ["read", "write:something"]
 221
 222       assert f.(["admin:read"], ["write", "read"]) == []
 223
 224       assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
 225     end
 226   end
 227
 228   describe "transform_scopes/2" do
 229     clear_config([:auth, :enforce_oauth_admin_scope_usage])
 230
 231     setup do
 232       {:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}
 233     end
 234
 235     test "with :admin option, prefixes all requested scopes with `admin:` " <>
 236            "and [optionally] keeps only prefixed scopes, " <>
 237            "depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
 238          %{f: f} do
 239       Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
 240
 241       assert f.(["read"], %{admin: true}) == ["admin:read", "read"]
 242
 243       assert f.(["read", "write"], %{admin: true}) == [
 244                "admin:read",
 245                "read",
 246                "admin:write",
 247                "write"
 248              ]
 249
 250       Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], true)
 251
 252       assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]
 253
 254       assert f.(["read", "write:reports"], %{admin: true}) == [
 255                "admin:read",
 256                "admin:write:reports"
 257              ]
 258     end
 259
 260     test "with no supported options, returns unmodified scopes", %{f: f} do
 261       assert f.(["read"], %{}) == ["read"]
 262       assert f.(["read", "write"], %{}) == ["read", "write"]
 263     end
 264   end
 265 end