pleroma/test/plugs/oauth_scopes_plug_test.exs
rinpatch da4923f2e5 Merge branch 'authenticated-api-oauth-check-enforcement' into 'develop'
Enforcement of OAuth scopes check for authenticated API endpoints

See merge request pleroma/pleroma!2349
2020-05-01 00:58:40 +03:00

246 lines
7.6 KiB
Elixir

# Pleroma: A lightweight social networking server
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Plugs.OAuthScopesPlugTest do
use Pleroma.Web.ConnCase, async: true
alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
alias Pleroma.Plugs.OAuthScopesPlug
alias Pleroma.Plugs.PlugHelper
alias Pleroma.Repo
import Mock
import Pleroma.Factory
setup_with_mocks([{EnsurePublicOrAuthenticatedPlug, [], [call: fn conn, _ -> conn end]}]) do
:ok
end
test "is not performed if marked as skipped", %{conn: conn} do
with_mock OAuthScopesPlug, [:passthrough], perform: &passthrough([&1, &2]) do
conn =
conn
|> PlugHelper.append_to_skipped_plugs(OAuthScopesPlug)
|> OAuthScopesPlug.call(%{scopes: ["random_scope"]})
refute called(OAuthScopesPlug.perform(:_, :_))
refute conn.halted
end
end
test "if `token.scopes` fulfills specified 'any of' conditions, " <>
"proceeds with no op",
%{conn: conn} do
token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
conn =
conn
|> assign(:user, token.user)
|> assign(:token, token)
|> OAuthScopesPlug.call(%{scopes: ["read"]})
refute conn.halted
assert conn.assigns[:user]
end
test "if `token.scopes` fulfills specified 'all of' conditions, " <>
"proceeds with no op",
%{conn: conn} do
token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
conn =
conn
|> assign(:user, token.user)
|> assign(:token, token)
|> OAuthScopesPlug.call(%{scopes: ["scope2", "scope3"], op: :&})
refute conn.halted
assert conn.assigns[:user]
end
describe "with `fallback: :proceed_unauthenticated` option, " do
test "if `token.scopes` doesn't fulfill specified conditions, " <>
"clears :user and :token assigns and calls EnsurePublicOrAuthenticatedPlug",
%{conn: conn} do
user = insert(:user)
token1 = insert(:oauth_token, scopes: ["read", "write"], user: user)
for token <- [token1, nil], op <- [:|, :&] do
ret_conn =
conn
|> assign(:user, user)
|> assign(:token, token)
|> OAuthScopesPlug.call(%{
scopes: ["follow"],
op: op,
fallback: :proceed_unauthenticated
})
refute ret_conn.halted
refute ret_conn.assigns[:user]
refute ret_conn.assigns[:token]
assert called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_))
end
end
test "with :skip_instance_privacy_check option, " <>
"if `token.scopes` doesn't fulfill specified conditions, " <>
"clears :user and :token assigns and does NOT call EnsurePublicOrAuthenticatedPlug",
%{conn: conn} do
user = insert(:user)
token1 = insert(:oauth_token, scopes: ["read:statuses", "write"], user: user)
for token <- [token1, nil], op <- [:|, :&] do
ret_conn =
conn
|> assign(:user, user)
|> assign(:token, token)
|> OAuthScopesPlug.call(%{
scopes: ["read"],
op: op,
fallback: :proceed_unauthenticated,
skip_instance_privacy_check: true
})
refute ret_conn.halted
refute ret_conn.assigns[:user]
refute ret_conn.assigns[:token]
refute called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_))
end
end
end
describe "without :fallback option, " do
test "if `token.scopes` does not fulfill specified 'any of' conditions, " <>
"returns 403 and halts",
%{conn: conn} do
for token <- [insert(:oauth_token, scopes: ["read", "write"]), nil] do
any_of_scopes = ["follow", "push"]
ret_conn =
conn
|> assign(:token, token)
|> OAuthScopesPlug.call(%{scopes: any_of_scopes})
assert ret_conn.halted
assert 403 == ret_conn.status
expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, " | ")}."
assert Jason.encode!(%{error: expected_error}) == ret_conn.resp_body
end
end
test "if `token.scopes` does not fulfill specified 'all of' conditions, " <>
"returns 403 and halts",
%{conn: conn} do
for token <- [insert(:oauth_token, scopes: ["read", "write"]), nil] do
token_scopes = (token && token.scopes) || []
all_of_scopes = ["write", "follow"]
conn =
conn
|> assign(:token, token)
|> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
assert conn.halted
assert 403 == conn.status
expected_error =
"Insufficient permissions: #{Enum.join(all_of_scopes -- token_scopes, " & ")}."
assert Jason.encode!(%{error: expected_error}) == conn.resp_body
end
end
end
describe "with hierarchical scopes, " do
test "if `token.scopes` fulfills specified 'any of' conditions, " <>
"proceeds with no op",
%{conn: conn} do
token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
conn =
conn
|> assign(:user, token.user)
|> assign(:token, token)
|> OAuthScopesPlug.call(%{scopes: ["read:something"]})
refute conn.halted
assert conn.assigns[:user]
end
test "if `token.scopes` fulfills specified 'all of' conditions, " <>
"proceeds with no op",
%{conn: conn} do
token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
conn =
conn
|> assign(:user, token.user)
|> assign(:token, token)
|> OAuthScopesPlug.call(%{scopes: ["scope1:subscope", "scope2:subscope"], op: :&})
refute conn.halted
assert conn.assigns[:user]
end
end
describe "filter_descendants/2" do
test "filters scopes which directly match or are ancestors of supported scopes" do
f = fn scopes, supported_scopes ->
OAuthScopesPlug.filter_descendants(scopes, supported_scopes)
end
assert f.(["read", "follow"], ["write", "read"]) == ["read"]
assert f.(["read", "write:something", "follow"], ["write", "read"]) ==
["read", "write:something"]
assert f.(["admin:read"], ["write", "read"]) == []
assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
end
end
describe "transform_scopes/2" do
clear_config([:auth, :enforce_oauth_admin_scope_usage])
setup do
{:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}
end
test "with :admin option, prefixes all requested scopes with `admin:` " <>
"and [optionally] keeps only prefixed scopes, " <>
"depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
%{f: f} do
Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
assert f.(["read"], %{admin: true}) == ["admin:read", "read"]
assert f.(["read", "write"], %{admin: true}) == [
"admin:read",
"read",
"admin:write",
"write"
]
Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], true)
assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]
assert f.(["read", "write:reports"], %{admin: true}) == [
"admin:read",
"admin:write:reports"
]
end
test "with no supported options, returns unmodified scopes", %{f: f} do
assert f.(["read"], %{}) == ["read"]
assert f.(["read", "write"], %{}) == ["read", "write"]
end
end
end