Allow whitelisting whole groups

[akkoma] / test / web / admin_api / admin_api_controller_test.exs
diff --git a/test/web/admin_api/admin_api_controller_test.exs b/test/web/admin_api/admin_api_controller_test.exs

index f80dbf8dd9058d750c81a8eb1a79362130111c68..e573220ba3deeab2b6a93bed01db2456eca143c6 100644 (file)
--- a/test/web/admin_api/admin_api_controller_test.exs
+++ b/test/web/admin_api/admin_api_controller_test.exs
@@ -6,19 +6,22 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
    use Pleroma.Web.ConnCase
    use Oban.Testing, repo: Pleroma.Repo
  
-  import Pleroma.Factory
    import ExUnit.CaptureLog
+  import Mock
+  import Pleroma.Factory
  
    alias Pleroma.Activity
    alias Pleroma.Config
    alias Pleroma.ConfigDB
    alias Pleroma.HTML
+  alias Pleroma.MFA
    alias Pleroma.ModerationLog
    alias Pleroma.Repo
    alias Pleroma.ReportNote
    alias Pleroma.Tests.ObanHelpers
    alias Pleroma.User
    alias Pleroma.UserInviteToken
+  alias Pleroma.Web
    alias Pleroma.Web.ActivityPub.Relay
    alias Pleroma.Web.CommonAPI
    alias Pleroma.Web.MediaProxy
@@ -146,17 +149,26 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
      test "single user", %{admin: admin, conn: conn} do
        user = insert(:user)
  
-      conn =
-        conn
-        |> put_req_header("accept", "application/json")
-        |> delete("/api/pleroma/admin/users?nickname=#{user.nickname}")
+      with_mock Pleroma.Web.Federator,
+        publish: fn _ -> nil end do
+        conn =
+          conn
+          |> put_req_header("accept", "application/json")
+          |> delete("/api/pleroma/admin/users?nickname=#{user.nickname}")
  
-      log_entry = Repo.one(ModerationLog)
+        ObanHelpers.perform_all()
  
-      assert ModerationLog.get_log_entry_message(log_entry) ==
-               "@#{admin.nickname} deleted users: @#{user.nickname}"
+        assert User.get_by_nickname(user.nickname).deactivated
+
+        log_entry = Repo.one(ModerationLog)
  
-      assert json_response(conn, 200) == user.nickname
+        assert ModerationLog.get_log_entry_message(log_entry) ==
+                 "@#{admin.nickname} deleted users: @#{user.nickname}"
+
+        assert json_response(conn, 200) == [user.nickname]
+
+        assert called(Pleroma.Web.Federator.publish(:_))
+      end
      end
  
      test "multiple users", %{admin: admin, conn: conn} do
@@ -737,6 +749,39 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
               }
      end
  
+    test "pagination works correctly with service users", %{conn: conn} do
+      service1 = insert(:user, ap_id: Web.base_url() <> "/relay")
+      service2 = insert(:user, ap_id: Web.base_url() <> "/internal/fetch")
+      insert_list(25, :user)
+
+      assert %{"count" => 26, "page_size" => 10, "users" => users1} =
+               conn
+               |> get("/api/pleroma/admin/users?page=1&filters=", %{page_size: "10"})
+               |> json_response(200)
+
+      assert Enum.count(users1) == 10
+      assert service1 not in [users1]
+      assert service2 not in [users1]
+
+      assert %{"count" => 26, "page_size" => 10, "users" => users2} =
+               conn
+               |> get("/api/pleroma/admin/users?page=2&filters=", %{page_size: "10"})
+               |> json_response(200)
+
+      assert Enum.count(users2) == 10
+      assert service1 not in [users2]
+      assert service2 not in [users2]
+
+      assert %{"count" => 26, "page_size" => 10, "users" => users3} =
+               conn
+               |> get("/api/pleroma/admin/users?page=3&filters=", %{page_size: "10"})
+               |> json_response(200)
+
+      assert Enum.count(users3) == 6
+      assert service1 not in [users3]
+      assert service2 not in [users3]
+    end
+
      test "renders empty array for the second page", %{conn: conn} do
        insert(:user)
  
@@ -1234,6 +1279,38 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
               "@#{admin.nickname} deactivated users: @#{user.nickname}"
    end
  
+  describe "PUT disable_mfa" do
+    test "returns 200 and disable 2fa", %{conn: conn} do
+      user =
+        insert(:user,
+          multi_factor_authentication_settings: %MFA.Settings{
+            enabled: true,
+            totp: %MFA.Settings.TOTP{secret: "otp_secret", confirmed: true}
+          }
+        )
+
+      response =
+        conn
+        |> put("/api/pleroma/admin/users/disable_mfa", %{nickname: user.nickname})
+        |> json_response(200)
+
+      assert response == user.nickname
+      mfa_settings = refresh_record(user).multi_factor_authentication_settings
+
+      refute mfa_settings.enabled
+      refute mfa_settings.totp.confirmed
+    end
+
+    test "returns 404 if user not found", %{conn: conn} do
+      response =
+        conn
+        |> put("/api/pleroma/admin/users/disable_mfa", %{nickname: "nickname"})
+        |> json_response(404)
+
+      assert response == "Not found"
+    end
+  end
+
    describe "POST /api/pleroma/admin/users/invite_token" do
      test "without options", %{conn: conn} do
        conn = post(conn, "/api/pleroma/admin/users/invite_token")
@@ -1347,9 +1424,9 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
  
        {:ok, %{id: report_id}} =
          CommonAPI.report(reporter, %{
-          "account_id" => target_user.id,
-          "comment" => "I feel offended",
-          "status_ids" => [activity.id]
+          account_id: target_user.id,
+          comment: "I feel offended",
+          status_ids: [activity.id]
          })
  
        response =
@@ -1374,16 +1451,16 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
  
        {:ok, %{id: report_id}} =
          CommonAPI.report(reporter, %{
-          "account_id" => target_user.id,
-          "comment" => "I feel offended",
-          "status_ids" => [activity.id]
+          account_id: target_user.id,
+          comment: "I feel offended",
+          status_ids: [activity.id]
          })
  
        {:ok, %{id: second_report_id}} =
          CommonAPI.report(reporter, %{
-          "account_id" => target_user.id,
-          "comment" => "I feel very offended",
-          "status_ids" => [activity.id]
+          account_id: target_user.id,
+          comment: "I feel very offended",
+          status_ids: [activity.id]
          })
  
        %{
@@ -1523,9 +1600,9 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
  
        {:ok, %{id: report_id}} =
          CommonAPI.report(reporter, %{
-          "account_id" => target_user.id,
-          "comment" => "I feel offended",
-          "status_ids" => [activity.id]
+          account_id: target_user.id,
+          comment: "I feel offended",
+          status_ids: [activity.id]
          })
  
        response =
@@ -1547,15 +1624,15 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
  
        {:ok, %{id: first_report_id}} =
          CommonAPI.report(reporter, %{
-          "account_id" => target_user.id,
-          "comment" => "I feel offended",
-          "status_ids" => [activity.id]
+          account_id: target_user.id,
+          comment: "I feel offended",
+          status_ids: [activity.id]
          })
  
        {:ok, %{id: second_report_id}} =
          CommonAPI.report(reporter, %{
-          "account_id" => target_user.id,
-          "comment" => "I don't like this user"
+          account_id: target_user.id,
+          comment: "I don't like this user"
          })
  
        CommonAPI.update_report_state(second_report_id, "closed")
@@ -1620,6 +1697,25 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
      end
    end
  
+  describe "GET /api/pleroma/admin/statuses/:id" do
+    test "not found", %{conn: conn} do
+      assert conn
+             |> get("/api/pleroma/admin/statuses/not_found")
+             |> json_response(:not_found)
+    end
+
+    test "shows activity", %{conn: conn} do
+      activity = insert(:note_activity)
+
+      response =
+        conn
+        |> get("/api/pleroma/admin/statuses/#{activity.id}")
+        |> json_response(200)
+
+      assert response["id"] == activity.id
+    end
+  end
+
    describe "PUT /api/pleroma/admin/statuses/:id" do
      setup do
        activity = insert(:note_activity)
@@ -2847,6 +2943,33 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
                 ]
               }
      end
+
+    test "doesn't set keys not in the whitelist", %{conn: conn} do
+      clear_config(:database_config_whitelist, [
+        {:pleroma, :key1},
+        {:pleroma, :key2},
+        {:pleroma, Pleroma.Captcha.NotReal},
+        {:not_real}
+      ])
+
+      post(conn, "/api/pleroma/admin/config", %{
+        configs: [
+          %{group: ":pleroma", key: ":key1", value: "value1"},
+          %{group: ":pleroma", key: ":key2", value: "value2"},
+          %{group: ":pleroma", key: ":key3", value: "value3"},
+          %{group: ":pleroma", key: "Pleroma.Web.Endpoint.NotReal", value: "value4"},
+          %{group: ":pleroma", key: "Pleroma.Captcha.NotReal", value: "value5"},
+          %{group: ":not_real", key: ":anything", value: "value6"}
+        ]
+      })
+
+      assert Application.get_env(:pleroma, :key1) == "value1"
+      assert Application.get_env(:pleroma, :key2) == "value2"
+      assert Application.get_env(:pleroma, :key3) == nil
+      assert Application.get_env(:pleroma, Pleroma.Web.Endpoint.NotReal) == nil
+      assert Application.get_env(:pleroma, Pleroma.Captcha.NotReal) == "value5"
+      assert Application.get_env(:not_real, :anything) == "value6"
+    end
    end
  
    describe "GET /api/pleroma/admin/restart" do
@@ -3431,9 +3554,9 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
  
        {:ok, %{id: report_id}} =
          CommonAPI.report(reporter, %{
-          "account_id" => target_user.id,
-          "comment" => "I feel offended",
-          "status_ids" => [activity.id]
+          account_id: target_user.id,
+          comment: "I feel offended",
+          status_ids: [activity.id]
          })
  
        post(conn, "/api/pleroma/admin/reports/#{report_id}/notes", %{
@@ -3484,19 +3607,54 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
      end
    end
  
-  test "GET /api/pleroma/admin/config/descriptions", %{conn: conn} do
-    admin = insert(:user, is_admin: true)
+  describe "GET /api/pleroma/admin/config/descriptions" do
+    test "structure", %{conn: conn} do
+      admin = insert(:user, is_admin: true)
  
-    conn =
-      assign(conn, :user, admin)
-      |> get("/api/pleroma/admin/config/descriptions")
+      conn =
+        assign(conn, :user, admin)
+        |> get("/api/pleroma/admin/config/descriptions")
  
-    assert [child | _others] = json_response(conn, 200)
+      assert [child | _others] = json_response(conn, 200)
+
+      assert child["children"]
+      assert child["key"]
+      assert String.starts_with?(child["group"], ":")
+      assert child["description"]
+    end
  
-    assert child["children"]
-    assert child["key"]
-    assert String.starts_with?(child["group"], ":")
-    assert child["description"]
+    test "filters by database configuration whitelist", %{conn: conn} do
+      clear_config(:database_config_whitelist, [
+        {:pleroma, :instance},
+        {:pleroma, :activitypub},
+        {:pleroma, Pleroma.Upload},
+        {:esshd}
+      ])
+
+      admin = insert(:user, is_admin: true)
+
+      conn =
+        assign(conn, :user, admin)
+        |> get("/api/pleroma/admin/config/descriptions")
+
+      children = json_response(conn, 200)
+
+      assert length(children) == 4
+
+      assert Enum.count(children, fn c -> c["group"] == ":pleroma" end) == 3
+
+      instance = Enum.find(children, fn c -> c["key"] == ":instance" end)
+      assert instance["children"]
+
+      activitypub = Enum.find(children, fn c -> c["key"] == ":activitypub" end)
+      assert activitypub["children"]
+
+      web_endpoint = Enum.find(children, fn c -> c["key"] == "Pleroma.Upload" end)
+      assert web_endpoint["children"]
+
+      esshd = Enum.find(children, fn c -> c["group"] == ":esshd" end)
+      assert esshd["children"]
+    end
    end
  
    describe "/api/pleroma/admin/stats" do
@@ -3526,7 +3684,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
      end
  
      test "success", %{conn: conn} do
-      base_url = Pleroma.Web.base_url()
+      base_url = Web.base_url()
        app_name = "Trusted app"
  
        response =
@@ -3547,7 +3705,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
      end
  
      test "with trusted", %{conn: conn} do
-      base_url = Pleroma.Web.base_url()
+      base_url = Web.base_url()
        app_name = "Trusted app"
  
        response =