Merge branch '1427-oauth-admin-scopes' into 'develop'

[#1427] Fixed `:admin` option handling in OAuthScopesPlug, added tests Closes #1427 See merge request pleroma/pleroma!2053
2019-12-11 08:50:43 +00:00 · 2019-12-11 08:50:43 +00:00 · 1f498ba2bb
parent 67a478d709 3920244be5
commit 1f498ba2bb
3 changed files with 56 additions and 10 deletions
--- a/lib/pleroma/config.ex
+++ b/lib/pleroma/config.ex
@ -68,8 +68,13 @@ defmodule Pleroma.Config do

  def enforce_oauth_admin_scope_usage?, do: !!get([:auth, :enforce_oauth_admin_scope_usage])

-  def oauth_admin_scopes(scope) do
-    ["admin:#{scope}"] ++
-      if enforce_oauth_admin_scope_usage?(), do: [], else: [scope]
+  def oauth_admin_scopes(scopes) when is_list(scopes) do
+    Enum.flat_map(
+      scopes,
+      fn scope ->
+        ["admin:#{scope}"] ++
+          if enforce_oauth_admin_scope_usage?(), do: [], else: [scope]
+      end
+    )
  end
 end
--- a/lib/pleroma/plugs/oauth_scopes_plug.ex
+++ b/lib/pleroma/plugs/oauth_scopes_plug.ex
@ -17,13 +17,7 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do
    op = options[:op] || :|
    token = assigns[:token]

-    scopes =
-      if options[:admin] do
-        Config.oauth_admin_scopes(scopes)
-      else
-        scopes
-      end
-
+    scopes = transform_scopes(scopes, options)
    matched_scopes = token && filter_descendants(scopes, token.scopes)

    cond do
@ -69,6 +63,15 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do
    )
  end

+  @doc "Transforms scopes by applying supported options (e.g. :admin)"
+  def transform_scopes(scopes, options) do
+    if options[:admin] do
+      Config.oauth_admin_scopes(scopes)
+    else
+      scopes
+    end
+  end
+
  defp maybe_perform_instance_privacy_check(%Plug.Conn{} = conn, options) do
    if options[:skip_instance_privacy_check] do
      conn
--- a/test/plugs/oauth_scopes_plug_test.exs
+++ b/test/plugs/oauth_scopes_plug_test.exs
@ -224,4 +224,42 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do
      assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
    end
  end
+
+  describe "transform_scopes/2" do
+    clear_config([:auth, :enforce_oauth_admin_scope_usage])
+
+    setup do
+      {:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}
+    end
+
+    test "with :admin option, prefixes all requested scopes with `admin:` " <>
+           "and [optionally] keeps only prefixed scopes, " <>
+           "depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
+         %{f: f} do
+      Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
+
+      assert f.(["read"], %{admin: true}) == ["admin:read", "read"]
+
+      assert f.(["read", "write"], %{admin: true}) == [
+               "admin:read",
+               "read",
+               "admin:write",
+               "write"
+             ]
+
+      Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], true)
+
+      assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]
+
+      assert f.(["read", "write:reports"], %{admin: true}) == [
+               "admin:read",
+               "admin:write:reports"
+             ]
+    end
+
+    test "with no supported options, returns unmodified scopes", %{f: f} do
+      assert f.(["read"], %{}) == ["read"]
+      assert f.(["read", "write"], %{}) == ["read", "write"]
+    end
+  end
 end