Merge branch 'develop' of https://git.pleroma.social/pleroma/pleroma into develop
[akkoma] / test / plugs / oauth_scopes_plug_test.exs
1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
4
5 defmodule Pleroma.Plugs.OAuthScopesPlugTest do
6 use Pleroma.Web.ConnCase, async: true
7
8 alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
9 alias Pleroma.Plugs.OAuthScopesPlug
10 alias Pleroma.Repo
11
12 import Mock
13 import Pleroma.Factory
14
15 setup_with_mocks([{EnsurePublicOrAuthenticatedPlug, [], [call: fn conn, _ -> conn end]}]) do
16 :ok
17 end
18
19 describe "when `assigns[:token]` is nil, " do
20 test "with :skip_instance_privacy_check option, proceeds with no op", %{conn: conn} do
21 conn =
22 conn
23 |> assign(:user, insert(:user))
24 |> OAuthScopesPlug.call(%{scopes: ["read"], skip_instance_privacy_check: true})
25
26 refute conn.halted
27 assert conn.assigns[:user]
28
29 refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
30 end
31
32 test "without :skip_instance_privacy_check option, calls EnsurePublicOrAuthenticatedPlug", %{
33 conn: conn
34 } do
35 conn =
36 conn
37 |> assign(:user, insert(:user))
38 |> OAuthScopesPlug.call(%{scopes: ["read"]})
39
40 refute conn.halted
41 assert conn.assigns[:user]
42
43 assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
44 end
45 end
46
47 test "if `token.scopes` fulfills specified 'any of' conditions, " <>
48 "proceeds with no op",
49 %{conn: conn} do
50 token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
51
52 conn =
53 conn
54 |> assign(:user, token.user)
55 |> assign(:token, token)
56 |> OAuthScopesPlug.call(%{scopes: ["read"]})
57
58 refute conn.halted
59 assert conn.assigns[:user]
60 end
61
62 test "if `token.scopes` fulfills specified 'all of' conditions, " <>
63 "proceeds with no op",
64 %{conn: conn} do
65 token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
66
67 conn =
68 conn
69 |> assign(:user, token.user)
70 |> assign(:token, token)
71 |> OAuthScopesPlug.call(%{scopes: ["scope2", "scope3"], op: :&})
72
73 refute conn.halted
74 assert conn.assigns[:user]
75 end
76
77 describe "with `fallback: :proceed_unauthenticated` option, " do
78 test "if `token.scopes` doesn't fulfill specified 'any of' conditions, " <>
79 "clears `assigns[:user]` and calls EnsurePublicOrAuthenticatedPlug",
80 %{conn: conn} do
81 token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
82
83 conn =
84 conn
85 |> assign(:user, token.user)
86 |> assign(:token, token)
87 |> OAuthScopesPlug.call(%{scopes: ["follow"], fallback: :proceed_unauthenticated})
88
89 refute conn.halted
90 refute conn.assigns[:user]
91
92 assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
93 end
94
95 test "if `token.scopes` doesn't fulfill specified 'all of' conditions, " <>
96 "clears `assigns[:user] and calls EnsurePublicOrAuthenticatedPlug",
97 %{conn: conn} do
98 token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
99
100 conn =
101 conn
102 |> assign(:user, token.user)
103 |> assign(:token, token)
104 |> OAuthScopesPlug.call(%{
105 scopes: ["read", "follow"],
106 op: :&,
107 fallback: :proceed_unauthenticated
108 })
109
110 refute conn.halted
111 refute conn.assigns[:user]
112
113 assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
114 end
115
116 test "with :skip_instance_privacy_check option, " <>
117 "if `token.scopes` doesn't fulfill specified conditions, " <>
118 "clears `assigns[:user]` and does not call EnsurePublicOrAuthenticatedPlug",
119 %{conn: conn} do
120 token = insert(:oauth_token, scopes: ["read:statuses", "write"]) |> Repo.preload(:user)
121
122 conn =
123 conn
124 |> assign(:user, token.user)
125 |> assign(:token, token)
126 |> OAuthScopesPlug.call(%{
127 scopes: ["read"],
128 fallback: :proceed_unauthenticated,
129 skip_instance_privacy_check: true
130 })
131
132 refute conn.halted
133 refute conn.assigns[:user]
134
135 refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
136 end
137 end
138
139 describe "without :fallback option, " do
140 test "if `token.scopes` does not fulfill specified 'any of' conditions, " <>
141 "returns 403 and halts",
142 %{conn: conn} do
143 token = insert(:oauth_token, scopes: ["read", "write"])
144 any_of_scopes = ["follow"]
145
146 conn =
147 conn
148 |> assign(:token, token)
149 |> OAuthScopesPlug.call(%{scopes: any_of_scopes})
150
151 assert conn.halted
152 assert 403 == conn.status
153
154 expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, ", ")}."
155 assert Jason.encode!(%{error: expected_error}) == conn.resp_body
156 end
157
158 test "if `token.scopes` does not fulfill specified 'all of' conditions, " <>
159 "returns 403 and halts",
160 %{conn: conn} do
161 token = insert(:oauth_token, scopes: ["read", "write"])
162 all_of_scopes = ["write", "follow"]
163
164 conn =
165 conn
166 |> assign(:token, token)
167 |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
168
169 assert conn.halted
170 assert 403 == conn.status
171
172 expected_error =
173 "Insufficient permissions: #{Enum.join(all_of_scopes -- token.scopes, ", ")}."
174
175 assert Jason.encode!(%{error: expected_error}) == conn.resp_body
176 end
177 end
178
179 describe "with hierarchical scopes, " do
180 test "if `token.scopes` fulfills specified 'any of' conditions, " <>
181 "proceeds with no op",
182 %{conn: conn} do
183 token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
184
185 conn =
186 conn
187 |> assign(:user, token.user)
188 |> assign(:token, token)
189 |> OAuthScopesPlug.call(%{scopes: ["read:something"]})
190
191 refute conn.halted
192 assert conn.assigns[:user]
193 end
194
195 test "if `token.scopes` fulfills specified 'all of' conditions, " <>
196 "proceeds with no op",
197 %{conn: conn} do
198 token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
199
200 conn =
201 conn
202 |> assign(:user, token.user)
203 |> assign(:token, token)
204 |> OAuthScopesPlug.call(%{scopes: ["scope1:subscope", "scope2:subscope"], op: :&})
205
206 refute conn.halted
207 assert conn.assigns[:user]
208 end
209 end
210
211 describe "filter_descendants/2" do
212 test "filters scopes which directly match or are ancestors of supported scopes" do
213 f = fn scopes, supported_scopes ->
214 OAuthScopesPlug.filter_descendants(scopes, supported_scopes)
215 end
216
217 assert f.(["read", "follow"], ["write", "read"]) == ["read"]
218
219 assert f.(["read", "write:something", "follow"], ["write", "read"]) ==
220 ["read", "write:something"]
221
222 assert f.(["admin:read"], ["write", "read"]) == []
223
224 assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
225 end
226 end
227 end