1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Plugs.OAuthScopesPlugTest do
6 use Pleroma.Web.ConnCase, async: true
8 alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
9 alias Pleroma.Plugs.OAuthScopesPlug
13 import Pleroma.Factory
15 setup_with_mocks([{EnsurePublicOrAuthenticatedPlug, [], [call: fn conn, _ -> conn end]}]) do
19 test "is not performed if marked as skipped", %{conn: conn} do
20 with_mock OAuthScopesPlug, [:passthrough], perform: &passthrough([&1, &2]) do
23 |> OAuthScopesPlug.skip_plug()
24 |> OAuthScopesPlug.call(%{scopes: ["random_scope"]})
26 refute called(OAuthScopesPlug.perform(:_, :_))
31 test "if `token.scopes` fulfills specified 'any of' conditions, " <>
32 "proceeds with no op",
34 token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
38 |> assign(:user, token.user)
39 |> assign(:token, token)
40 |> OAuthScopesPlug.call(%{scopes: ["read"]})
43 assert conn.assigns[:user]
46 test "if `token.scopes` fulfills specified 'all of' conditions, " <>
47 "proceeds with no op",
49 token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
53 |> assign(:user, token.user)
54 |> assign(:token, token)
55 |> OAuthScopesPlug.call(%{scopes: ["scope2", "scope3"], op: :&})
58 assert conn.assigns[:user]
61 describe "with `fallback: :proceed_unauthenticated` option, " do
62 test "if `token.scopes` doesn't fulfill specified conditions, " <>
63 "clears :user and :token assigns and calls EnsurePublicOrAuthenticatedPlug",
66 token1 = insert(:oauth_token, scopes: ["read", "write"], user: user)
68 for token <- [token1, nil], op <- [:|, :&] do
71 |> assign(:user, user)
72 |> assign(:token, token)
73 |> OAuthScopesPlug.call(%{
76 fallback: :proceed_unauthenticated
79 refute ret_conn.halted
80 refute ret_conn.assigns[:user]
81 refute ret_conn.assigns[:token]
83 assert called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_))
87 test "with :skip_instance_privacy_check option, " <>
88 "if `token.scopes` doesn't fulfill specified conditions, " <>
89 "clears :user and :token assigns and does NOT call EnsurePublicOrAuthenticatedPlug",
92 token1 = insert(:oauth_token, scopes: ["read:statuses", "write"], user: user)
94 for token <- [token1, nil], op <- [:|, :&] do
97 |> assign(:user, user)
98 |> assign(:token, token)
99 |> OAuthScopesPlug.call(%{
102 fallback: :proceed_unauthenticated,
103 skip_instance_privacy_check: true
106 refute ret_conn.halted
107 refute ret_conn.assigns[:user]
108 refute ret_conn.assigns[:token]
110 refute called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_))
115 describe "without :fallback option, " do
116 test "if `token.scopes` does not fulfill specified 'any of' conditions, " <>
117 "returns 403 and halts",
119 for token <- [insert(:oauth_token, scopes: ["read", "write"]), nil] do
120 any_of_scopes = ["follow", "push"]
124 |> assign(:token, token)
125 |> OAuthScopesPlug.call(%{scopes: any_of_scopes})
127 assert ret_conn.halted
128 assert 403 == ret_conn.status
130 expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, " | ")}."
131 assert Jason.encode!(%{error: expected_error}) == ret_conn.resp_body
135 test "if `token.scopes` does not fulfill specified 'all of' conditions, " <>
136 "returns 403 and halts",
138 for token <- [insert(:oauth_token, scopes: ["read", "write"]), nil] do
139 token_scopes = (token && token.scopes) || []
140 all_of_scopes = ["write", "follow"]
144 |> assign(:token, token)
145 |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
148 assert 403 == conn.status
151 "Insufficient permissions: #{Enum.join(all_of_scopes -- token_scopes, " & ")}."
153 assert Jason.encode!(%{error: expected_error}) == conn.resp_body
158 describe "with hierarchical scopes, " do
159 test "if `token.scopes` fulfills specified 'any of' conditions, " <>
160 "proceeds with no op",
162 token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
166 |> assign(:user, token.user)
167 |> assign(:token, token)
168 |> OAuthScopesPlug.call(%{scopes: ["read:something"]})
171 assert conn.assigns[:user]
174 test "if `token.scopes` fulfills specified 'all of' conditions, " <>
175 "proceeds with no op",
177 token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
181 |> assign(:user, token.user)
182 |> assign(:token, token)
183 |> OAuthScopesPlug.call(%{scopes: ["scope1:subscope", "scope2:subscope"], op: :&})
186 assert conn.assigns[:user]
190 describe "filter_descendants/2" do
191 test "filters scopes which directly match or are ancestors of supported scopes" do
192 f = fn scopes, supported_scopes ->
193 OAuthScopesPlug.filter_descendants(scopes, supported_scopes)
196 assert f.(["read", "follow"], ["write", "read"]) == ["read"]
198 assert f.(["read", "write:something", "follow"], ["write", "read"]) ==
199 ["read", "write:something"]
201 assert f.(["admin:read"], ["write", "read"]) == []
203 assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
207 describe "transform_scopes/2" do
208 setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage])
211 {:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}
214 test "with :admin option, prefixes all requested scopes with `admin:` " <>
215 "and [optionally] keeps only prefixed scopes, " <>
216 "depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
218 Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
220 assert f.(["read"], %{admin: true}) == ["admin:read", "read"]
222 assert f.(["read", "write"], %{admin: true}) == [
229 Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], true)
231 assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]
233 assert f.(["read", "write:reports"], %{admin: true}) == [
235 "admin:write:reports"
239 test "with no supported options, returns unmodified scopes", %{f: f} do
240 assert f.(["read"], %{}) == ["read"]
241 assert f.(["read", "write"], %{}) == ["read", "write"]