squeegily
/
pleroma
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 42 Wiki Activity
Fork of Pleroma with site-specific changes and feature branches https://git.pleroma.social/pleroma/pleroma
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7206 Commits
154 Branches
503MB
Tree: 52ed2f8f2d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '52ed2f8f2d'
${ noResults }
pleroma/test/plugs/oauth_scopes_plug_test.exs

228 lines
6.9KB
Raw Blame History 

  1. # Pleroma: A lightweight social networking server

  2. # Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>

  3. # SPDX-License-Identifier: AGPL-3.0-only

  4. 

  5. defmodule Pleroma.Plugs.OAuthScopesPlugTest do

  6.   use Pleroma.Web.ConnCase, async: true

  7. 

  8.   alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug

  9.   alias Pleroma.Plugs.OAuthScopesPlug

  10.   alias Pleroma.Repo

  11. 

  12.   import Mock

  13.   import Pleroma.Factory

  14. 

  15.   setup_with_mocks([{EnsurePublicOrAuthenticatedPlug, [], [call: fn conn, _ -> conn end]}]) do

  16.     :ok

  17.   end

  18. 

  19.   describe "when `assigns[:token]` is nil, " do

  20.     test "with :skip_instance_privacy_check option, proceeds with no op", %{conn: conn} do

  21.       conn =

  22.         conn

  23.         |> assign(:user, insert(:user))

  24.         |> OAuthScopesPlug.call(%{scopes: ["read"], skip_instance_privacy_check: true})

  25. 

  26.       refute conn.halted

  27.       assert conn.assigns[:user]

  28. 

  29.       refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))

  30.     end

  31. 

  32.     test "without :skip_instance_privacy_check option, calls EnsurePublicOrAuthenticatedPlug", %{

  33.       conn: conn

  34.     } do

  35.       conn =

  36.         conn

  37.         |> assign(:user, insert(:user))

  38.         |> OAuthScopesPlug.call(%{scopes: ["read"]})

  39. 

  40.       refute conn.halted

  41.       assert conn.assigns[:user]

  42. 

  43.       assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))

  44.     end

  45.   end

  46. 

  47.   test "if `token.scopes` fulfills specified 'any of' conditions, " <>

  48.          "proceeds with no op",

  49.        %{conn: conn} do

  50.     token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)

  51. 

  52.     conn =

  53.       conn

  54.       |> assign(:user, token.user)

  55.       |> assign(:token, token)

  56.       |> OAuthScopesPlug.call(%{scopes: ["read"]})

  57. 

  58.     refute conn.halted

  59.     assert conn.assigns[:user]

  60.   end

  61. 

  62.   test "if `token.scopes` fulfills specified 'all of' conditions, " <>

  63.          "proceeds with no op",

  64.        %{conn: conn} do

  65.     token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)

  66. 

  67.     conn =

  68.       conn

  69.       |> assign(:user, token.user)

  70.       |> assign(:token, token)

  71.       |> OAuthScopesPlug.call(%{scopes: ["scope2", "scope3"], op: :&})

  72. 

  73.     refute conn.halted

  74.     assert conn.assigns[:user]

  75.   end

  76. 

  77.   describe "with `fallback: :proceed_unauthenticated` option, " do

  78.     test "if `token.scopes` doesn't fulfill specified 'any of' conditions, " <>

  79.            "clears `assigns[:user]` and calls EnsurePublicOrAuthenticatedPlug",

  80.          %{conn: conn} do

  81.       token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)

  82. 

  83.       conn =

  84.         conn

  85.         |> assign(:user, token.user)

  86.         |> assign(:token, token)

  87.         |> OAuthScopesPlug.call(%{scopes: ["follow"], fallback: :proceed_unauthenticated})

  88. 

  89.       refute conn.halted

  90.       refute conn.assigns[:user]

  91. 

  92.       assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))

  93.     end

  94. 

  95.     test "if `token.scopes` doesn't fulfill specified 'all of' conditions, " <>

  96.            "clears `assigns[:user] and calls EnsurePublicOrAuthenticatedPlug",

  97.          %{conn: conn} do

  98.       token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)

  99. 

  100.       conn =

  101.         conn

  102.         |> assign(:user, token.user)

  103.         |> assign(:token, token)

  104.         |> OAuthScopesPlug.call(%{

  105.           scopes: ["read", "follow"],

  106.           op: :&,

  107.           fallback: :proceed_unauthenticated

  108.         })

  109. 

  110.       refute conn.halted

  111.       refute conn.assigns[:user]

  112. 

  113.       assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))

  114.     end

  115. 

  116.     test "with :skip_instance_privacy_check option, " <>

  117.            "if `token.scopes` doesn't fulfill specified conditions, " <>

  118.            "clears `assigns[:user]` and does not call EnsurePublicOrAuthenticatedPlug",

  119.          %{conn: conn} do

  120.       token = insert(:oauth_token, scopes: ["read:statuses", "write"]) |> Repo.preload(:user)

  121. 

  122.       conn =

  123.         conn

  124.         |> assign(:user, token.user)

  125.         |> assign(:token, token)

  126.         |> OAuthScopesPlug.call(%{

  127.           scopes: ["read"],

  128.           fallback: :proceed_unauthenticated,

  129.           skip_instance_privacy_check: true

  130.         })

  131. 

  132.       refute conn.halted

  133.       refute conn.assigns[:user]

  134. 

  135.       refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))

  136.     end

  137.   end

  138. 

  139.   describe "without :fallback option, " do

  140.     test "if `token.scopes` does not fulfill specified 'any of' conditions, " <>

  141.            "returns 403 and halts",

  142.          %{conn: conn} do

  143.       token = insert(:oauth_token, scopes: ["read", "write"])

  144.       any_of_scopes = ["follow"]

  145. 

  146.       conn =

  147.         conn

  148.         |> assign(:token, token)

  149.         |> OAuthScopesPlug.call(%{scopes: any_of_scopes})

  150. 

  151.       assert conn.halted

  152.       assert 403 == conn.status

  153. 

  154.       expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, ", ")}."

  155.       assert Jason.encode!(%{error: expected_error}) == conn.resp_body

  156.     end

  157. 

  158.     test "if `token.scopes` does not fulfill specified 'all of' conditions, " <>

  159.            "returns 403 and halts",

  160.          %{conn: conn} do

  161.       token = insert(:oauth_token, scopes: ["read", "write"])

  162.       all_of_scopes = ["write", "follow"]

  163. 

  164.       conn =

  165.         conn

  166.         |> assign(:token, token)

  167.         |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})

  168. 

  169.       assert conn.halted

  170.       assert 403 == conn.status

  171. 

  172.       expected_error =

  173.         "Insufficient permissions: #{Enum.join(all_of_scopes -- token.scopes, ", ")}."

  174. 

  175.       assert Jason.encode!(%{error: expected_error}) == conn.resp_body

  176.     end

  177.   end

  178. 

  179.   describe "with hierarchical scopes, " do

  180.     test "if `token.scopes` fulfills specified 'any of' conditions, " <>

  181.            "proceeds with no op",

  182.          %{conn: conn} do

  183.       token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)

  184. 

  185.       conn =

  186.         conn

  187.         |> assign(:user, token.user)

  188.         |> assign(:token, token)

  189.         |> OAuthScopesPlug.call(%{scopes: ["read:something"]})

  190. 

  191.       refute conn.halted

  192.       assert conn.assigns[:user]

  193.     end

  194. 

  195.     test "if `token.scopes` fulfills specified 'all of' conditions, " <>

  196.            "proceeds with no op",

  197.          %{conn: conn} do

  198.       token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)

  199. 

  200.       conn =

  201.         conn

  202.         |> assign(:user, token.user)

  203.         |> assign(:token, token)

  204.         |> OAuthScopesPlug.call(%{scopes: ["scope1:subscope", "scope2:subscope"], op: :&})

  205. 

  206.       refute conn.halted

  207.       assert conn.assigns[:user]

  208.     end

  209.   end

  210. 

  211.   describe "filter_descendants/2" do

  212.     test "filters scopes which directly match or are ancestors of supported scopes" do

  213.       f = fn scopes, supported_scopes ->

  214.         OAuthScopesPlug.filter_descendants(scopes, supported_scopes)

  215.       end

  216. 

  217.       assert f.(["read", "follow"], ["write", "read"]) == ["read"]

  218. 

  219.       assert f.(["read", "write:something", "follow"], ["write", "read"]) ==

  220.                ["read", "write:something"]

  221. 

  222.       assert f.(["admin:read"], ["write", "read"]) == []

  223. 

  224.       assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]

  225.     end

  226.   end

  227. end