pleroma/test/plugs/oauth_scopes_plug_test.exs

# Pleroma: A lightweight social networking server
# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Plugs.OAuthScopesPlugTest do
  use Pleroma.Web.ConnCase, async: true

  alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.Repo

  import Mock
  import Pleroma.Factory

  setup_with_mocks([{EnsurePublicOrAuthenticatedPlug, [], [call: fn conn, _ -> conn end]}]) do
    :ok
  end

  describe "when `assigns[:token]` is nil, " do
    test "with :skip_instance_privacy_check option, proceeds with no op", %{conn: conn} do
      conn =
        conn
        |> assign(:user, insert(:user))
        |> OAuthScopesPlug.call(%{scopes: ["read"], skip_instance_privacy_check: true})

      refute conn.halted
      assert conn.assigns[:user]

      refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
    end

    test "without :skip_instance_privacy_check option, calls EnsurePublicOrAuthenticatedPlug", %{
      conn: conn
    } do
      conn =
        conn
        |> assign(:user, insert(:user))
        |> OAuthScopesPlug.call(%{scopes: ["read"]})

      refute conn.halted
      assert conn.assigns[:user]

      assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
    end
  end

  test "if `token.scopes` fulfills specified 'any of' conditions, " <>
         "proceeds with no op",
       %{conn: conn} do
    token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)

    conn =
      conn
      |> assign(:user, token.user)
      |> assign(:token, token)
      |> OAuthScopesPlug.call(%{scopes: ["read"]})

    refute conn.halted
    assert conn.assigns[:user]
  end

  test "if `token.scopes` fulfills specified 'all of' conditions, " <>
         "proceeds with no op",
       %{conn: conn} do
    token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)

    conn =
      conn
      |> assign(:user, token.user)
      |> assign(:token, token)
      |> OAuthScopesPlug.call(%{scopes: ["scope2", "scope3"], op: :&})

    refute conn.halted
    assert conn.assigns[:user]
  end

  describe "with `fallback: :proceed_unauthenticated` option, " do
    test "if `token.scopes` doesn't fulfill specified 'any of' conditions, " <>
           "clears `assigns[:user]` and calls EnsurePublicOrAuthenticatedPlug",
         %{conn: conn} do
      token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)

      conn =
        conn
        |> assign(:user, token.user)
        |> assign(:token, token)
        |> OAuthScopesPlug.call(%{scopes: ["follow"], fallback: :proceed_unauthenticated})

      refute conn.halted
      refute conn.assigns[:user]

      assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
    end

    test "if `token.scopes` doesn't fulfill specified 'all of' conditions, " <>
           "clears `assigns[:user] and calls EnsurePublicOrAuthenticatedPlug",
         %{conn: conn} do
      token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)

      conn =
        conn
        |> assign(:user, token.user)
        |> assign(:token, token)
        |> OAuthScopesPlug.call(%{
          scopes: ["read", "follow"],
          op: :&,
          fallback: :proceed_unauthenticated
        })

      refute conn.halted
      refute conn.assigns[:user]

      assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
    end

    test "with :skip_instance_privacy_check option, " <>
           "if `token.scopes` doesn't fulfill specified conditions, " <>
           "clears `assigns[:user]` and does not call EnsurePublicOrAuthenticatedPlug",
         %{conn: conn} do
      token = insert(:oauth_token, scopes: ["read:statuses", "write"]) |> Repo.preload(:user)

      conn =
        conn
        |> assign(:user, token.user)
        |> assign(:token, token)
        |> OAuthScopesPlug.call(%{
          scopes: ["read"],
          fallback: :proceed_unauthenticated,
          skip_instance_privacy_check: true
        })

      refute conn.halted
      refute conn.assigns[:user]

      refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
    end
  end

  describe "without :fallback option, " do
    test "if `token.scopes` does not fulfill specified 'any of' conditions, " <>
           "returns 403 and halts",
         %{conn: conn} do
      token = insert(:oauth_token, scopes: ["read", "write"])
      any_of_scopes = ["follow"]

      conn =
        conn
        |> assign(:token, token)
        |> OAuthScopesPlug.call(%{scopes: any_of_scopes})

      assert conn.halted
      assert 403 == conn.status

      expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, ", ")}."
      assert Jason.encode!(%{error: expected_error}) == conn.resp_body
    end

    test "if `token.scopes` does not fulfill specified 'all of' conditions, " <>
           "returns 403 and halts",
         %{conn: conn} do
      token = insert(:oauth_token, scopes: ["read", "write"])
      all_of_scopes = ["write", "follow"]

      conn =
        conn
        |> assign(:token, token)
        |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})

      assert conn.halted
      assert 403 == conn.status

      expected_error =
        "Insufficient permissions: #{Enum.join(all_of_scopes -- token.scopes, ", ")}."

      assert Jason.encode!(%{error: expected_error}) == conn.resp_body
    end
  end

  describe "with hierarchical scopes, " do
    test "if `token.scopes` fulfills specified 'any of' conditions, " <>
           "proceeds with no op",
         %{conn: conn} do
      token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)

      conn =
        conn
        |> assign(:user, token.user)
        |> assign(:token, token)
        |> OAuthScopesPlug.call(%{scopes: ["read:something"]})

      refute conn.halted
      assert conn.assigns[:user]
    end

    test "if `token.scopes` fulfills specified 'all of' conditions, " <>
           "proceeds with no op",
         %{conn: conn} do
      token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)

      conn =
        conn
        |> assign(:user, token.user)
        |> assign(:token, token)
        |> OAuthScopesPlug.call(%{scopes: ["scope1:subscope", "scope2:subscope"], op: :&})

      refute conn.halted
      assert conn.assigns[:user]
    end
  end

  describe "filter_descendants/2" do
    test "filters scopes which directly match or are ancestors of supported scopes" do
      f = fn scopes, supported_scopes ->
        OAuthScopesPlug.filter_descendants(scopes, supported_scopes)
      end

      assert f.(["read", "follow"], ["write", "read"]) == ["read"]

      assert f.(["read", "write:something", "follow"], ["write", "read"]) ==
               ["read", "write:something"]

      assert f.(["admin:read"], ["write", "read"]) == []

      assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
    end
  end

  describe "transform_scopes/2" do
    clear_config([:auth, :enforce_oauth_admin_scope_usage])

    setup do
      {:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}
    end

    test "with :admin option, prefixes all requested scopes with `admin:` " <>
           "and [optionally] keeps only prefixed scopes, " <>
           "depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
         %{f: f} do
      Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)

      assert f.(["read"], %{admin: true}) == ["admin:read", "read"]

      assert f.(["read", "write"], %{admin: true}) == [
               "admin:read",
               "read",
               "admin:write",
               "write"
             ]

      Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], true)

      assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]

      assert f.(["read", "write:reports"], %{admin: true}) == [
               "admin:read",
               "admin:write:reports"
             ]
    end

    test "with no supported options, returns unmodified scopes", %{f: f} do
      assert f.(["read"], %{}) == ["read"]
      assert f.(["read", "write"], %{}) == ["read", "write"]
    end
  end
end
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00			`# Pleroma: A lightweight social networking server`
Bump copyright years of files changed in 2019 Done via the following command: git diff 1e6c102bfcfe0e4835a48f2483f2376f9bf86a20 --stat --name-only \| cat - \| xargs sed -i 's/2017-2018 Pleroma Authors/2017-2019 Pleroma Authors/' 2019-09-18 23:20:54 +02:00			`# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00			`# SPDX-License-Identifier: AGPL-3.0-only`

			`defmodule Pleroma.Plugs.OAuthScopesPlugTest do`
			`use Pleroma.Web.ConnCase, async: true`

[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			`alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug`
[#1234] Addressed code analysis issue. 2019-09-17 22:31:05 +02:00			`alias Pleroma.Plugs.OAuthScopesPlug`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00			`alias Pleroma.Repo`

[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			`import Mock`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00			`import Pleroma.Factory`

[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			`setup_with_mocks([{EnsurePublicOrAuthenticatedPlug, [], [call: fn conn, _ -> conn end]}]) do`
			`:ok`
			`end`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00
[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			describe "when `assigns[:token]` is nil, " do
			`test "with :skip_instance_privacy_check option, proceeds with no op", %{conn: conn} do`
			`conn =`
			`conn`
			`\|> assign(:user, insert(:user))`
			`\|> OAuthScopesPlug.call(%{scopes: ["read"], skip_instance_privacy_check: true})`

			`refute conn.halted`
			`assert conn.assigns[:user]`

			`refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))`
			`end`

			`test "without :skip_instance_privacy_check option, calls EnsurePublicOrAuthenticatedPlug", %{`
			`conn: conn`
			`} do`
			`conn =`
			`conn`
			`\|> assign(:user, insert(:user))`
			`\|> OAuthScopesPlug.call(%{scopes: ["read"]})`

			`refute conn.halted`
			`assert conn.assigns[:user]`

			`assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))`
			`end`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00			`end`

[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			test "if `token.scopes` fulfills specified 'any of' conditions, " <>
			`"proceeds with no op",`
			`%{conn: conn} do`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00			`token = insert(:oauth_token, scopes: ["read", "write"]) \|> Repo.preload(:user)`

			`conn =`
			`conn`
			`\|> assign(:user, token.user)`
			`\|> assign(:token, token)`
			`\|> OAuthScopesPlug.call(%{scopes: ["read"]})`

			`refute conn.halted`
			`assert conn.assigns[:user]`
			`end`

[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			test "if `token.scopes` fulfills specified 'all of' conditions, " <>
			`"proceeds with no op",`
			`%{conn: conn} do`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00			`token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) \|> Repo.preload(:user)`

			`conn =`
			`conn`
			`\|> assign(:user, token.user)`
			`\|> assign(:token, token)`
			`\|> OAuthScopesPlug.call(%{scopes: ["scope2", "scope3"], op: :&})`

			`refute conn.halted`
			`assert conn.assigns[:user]`
			`end`

[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			describe "with `fallback: :proceed_unauthenticated` option, " do
			test "if `token.scopes` doesn't fulfill specified 'any of' conditions, " <>
			"clears `assigns[:user]` and calls EnsurePublicOrAuthenticatedPlug",
			`%{conn: conn} do`
			`token = insert(:oauth_token, scopes: ["read", "write"]) \|> Repo.preload(:user)`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00
[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			`conn =`
			`conn`
			`\|> assign(:user, token.user)`
			`\|> assign(:token, token)`
			`\|> OAuthScopesPlug.call(%{scopes: ["follow"], fallback: :proceed_unauthenticated})`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00
[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			`refute conn.halted`
			`refute conn.assigns[:user]`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00
[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			`assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))`
			`end`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00
[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			test "if `token.scopes` doesn't fulfill specified 'all of' conditions, " <>
			"clears `assigns[:user] and calls EnsurePublicOrAuthenticatedPlug",
			`%{conn: conn} do`
			`token = insert(:oauth_token, scopes: ["read", "write"]) \|> Repo.preload(:user)`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00
[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			`conn =`
			`conn`
			`\|> assign(:user, token.user)`
			`\|> assign(:token, token)`
			`\|> OAuthScopesPlug.call(%{`
			`scopes: ["read", "follow"],`
			`op: :&,`
			`fallback: :proceed_unauthenticated`
			`})`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00
[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			`refute conn.halted`
			`refute conn.assigns[:user]`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00
[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			`assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))`
			`end`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00
[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			`test "with :skip_instance_privacy_check option, " <>`
			"if `token.scopes` doesn't fulfill specified conditions, " <>
			"clears `assigns[:user]` and does not call EnsurePublicOrAuthenticatedPlug",
			`%{conn: conn} do`
			`token = insert(:oauth_token, scopes: ["read:statuses", "write"]) \|> Repo.preload(:user)`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00
[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			`conn =`
			`conn`
			`\|> assign(:user, token.user)`
			`\|> assign(:token, token)`
			`\|> OAuthScopesPlug.call(%{`
			`scopes: ["read"],`
			`fallback: :proceed_unauthenticated,`
			`skip_instance_privacy_check: true`
			`})`

			`refute conn.halted`
			`refute conn.assigns[:user]`

			`refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))`
			`end`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00			`end`

[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			`describe "without :fallback option, " do`
			test "if `token.scopes` does not fulfill specified 'any of' conditions, " <>
			`"returns 403 and halts",`
			`%{conn: conn} do`
			`token = insert(:oauth_token, scopes: ["read", "write"])`
			`any_of_scopes = ["follow"]`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00
[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			`conn =`
			`conn`
			`\|> assign(:token, token)`
			`\|> OAuthScopesPlug.call(%{scopes: any_of_scopes})`

			`assert conn.halted`
			`assert 403 == conn.status`

			`expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, ", ")}."`
			`assert Jason.encode!(%{error: expected_error}) == conn.resp_body`
			`end`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00
[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			test "if `token.scopes` does not fulfill specified 'all of' conditions, " <>
			`"returns 403 and halts",`
			`%{conn: conn} do`
			`token = insert(:oauth_token, scopes: ["read", "write"])`
			`all_of_scopes = ["write", "follow"]`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00
[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			`conn =`
			`conn`
			`\|> assign(:token, token)`
			`\|> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00
[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			`assert conn.halted`
			`assert 403 == conn.status`

			`expected_error =`
			`"Insufficient permissions: #{Enum.join(all_of_scopes -- token.scopes, ", ")}."`

			`assert Jason.encode!(%{error: expected_error}) == conn.resp_body`
			`end`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00			`end`
[#1234] Mastodon 2.4.3 hierarchical scopes initial support (WIP). 2019-09-08 14:00:03 +02:00
			`describe "with hierarchical scopes, " do`
[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			test "if `token.scopes` fulfills specified 'any of' conditions, " <>
			`"proceeds with no op",`
			`%{conn: conn} do`
[#1234] Mastodon 2.4.3 hierarchical scopes initial support (WIP). 2019-09-08 14:00:03 +02:00			`token = insert(:oauth_token, scopes: ["read", "write"]) \|> Repo.preload(:user)`

			`conn =`
			`conn`
			`\|> assign(:user, token.user)`
			`\|> assign(:token, token)`
			`\|> OAuthScopesPlug.call(%{scopes: ["read:something"]})`

			`refute conn.halted`
			`assert conn.assigns[:user]`
			`end`

[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00			test "if `token.scopes` fulfills specified 'all of' conditions, " <>
			`"proceeds with no op",`
			`%{conn: conn} do`
[#1234] Mastodon 2.4.3 hierarchical scopes initial support (WIP). 2019-09-08 14:00:03 +02:00			`token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) \|> Repo.preload(:user)`

			`conn =`
			`conn`
			`\|> assign(:user, token.user)`
			`\|> assign(:token, token)`
			`\|> OAuthScopesPlug.call(%{scopes: ["scope1:subscope", "scope2:subscope"], op: :&})`

			`refute conn.halted`
			`assert conn.assigns[:user]`
			`end`
			`end`
[#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 21:19:39 +02:00
			`describe "filter_descendants/2" do`
			`test "filters scopes which directly match or are ancestors of supported scopes" do`
			`f = fn scopes, supported_scopes ->`
			`OAuthScopesPlug.filter_descendants(scopes, supported_scopes)`
			`end`

			`assert f.(["read", "follow"], ["write", "read"]) == ["read"]`

			`assert f.(["read", "write:something", "follow"], ["write", "read"]) ==`
			`["read", "write:something"]`

			`assert f.(["admin:read"], ["write", "read"]) == []`

			`assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]`
			`end`
			`end`
[#1427] Fixed `:admin` option handling in OAuthScopesPlug, added tests. 2019-12-11 09:42:02 +01:00
			`describe "transform_scopes/2" do`
			`clear_config([:auth, :enforce_oauth_admin_scope_usage])`

			`setup do`
			`{:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}`
			`end`

			test "with :admin option, prefixes all requested scopes with `admin:` " <>
			`"and [optionally] keeps only prefixed scopes, " <>`
			"depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
			`%{f: f} do`
			`Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)`

			`assert f.(["read"], %{admin: true}) == ["admin:read", "read"]`

			`assert f.(["read", "write"], %{admin: true}) == [`
			`"admin:read",`
			`"read",`
			`"admin:write",`
			`"write"`
			`]`

			`Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], true)`

			`assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]`

			`assert f.(["read", "write:reports"], %{admin: true}) == [`
			`"admin:read",`
			`"admin:write:reports"`
			`]`
			`end`

			`test "with no supported options, returns unmodified scopes", %{f: f} do`
			`assert f.(["read"], %{}) == ["read"]`
			`assert f.(["read", "write"], %{}) == ["read", "write"]`
			`end`
			`end`
[#468] More OAuth scopes-specific tests. 2019-02-20 10:27:28 +01:00			`end`