diff options
| author | Ivan Tashkinov <ivantashkinov@gmail.com> | 2019-09-08 15:00:03 +0300 | 
|---|---|---|
| committer | Ivan Tashkinov <ivantashkinov@gmail.com> | 2019-09-08 15:00:03 +0300 | 
| commit | b63faf9819c2c49d2e9b63e7f37136eb03d8b4e8 (patch) | |
| tree | d25b45e591b65becf796c08b6004e23c1be67a3c | |
| parent | c45013df8e53334bcc1afb8cd1df673c290037ee (diff) | |
| download | pleroma-b63faf9819c2c49d2e9b63e7f37136eb03d8b4e8.tar.gz pleroma-b63faf9819c2c49d2e9b63e7f37136eb03d8b4e8.zip | |
[#1234] Mastodon 2.4.3 hierarchical scopes initial support (WIP).
| -rw-r--r-- | lib/pleroma/plugs/oauth_scopes_plug.ex | 20 | ||||
| -rw-r--r-- | lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex | 36 | ||||
| -rw-r--r-- | lib/pleroma/web/oauth/oauth_controller.ex | 2 | ||||
| -rw-r--r-- | lib/pleroma/web/oauth/scopes.ex | 14 | ||||
| -rw-r--r-- | lib/pleroma/web/router.ex | 14 | ||||
| -rw-r--r-- | lib/pleroma/web/twitter_api/controllers/util_controller.ex | 9 | ||||
| -rw-r--r-- | test/plugs/oauth_scopes_plug_test.exs | 38 | ||||
| -rw-r--r-- | test/web/twitter_api/util_controller_test.exs | 10 | 
8 files changed, 113 insertions, 30 deletions
| diff --git a/lib/pleroma/plugs/oauth_scopes_plug.ex b/lib/pleroma/plugs/oauth_scopes_plug.ex index b508628a9..41403047e 100644 --- a/lib/pleroma/plugs/oauth_scopes_plug.ex +++ b/lib/pleroma/plugs/oauth_scopes_plug.ex @@ -13,15 +13,16 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do    def call(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do      op = options[:op] || :|      token = assigns[:token] +    matched_scopes = token && filter_descendants(scopes, token.scopes)      cond do        is_nil(token) ->          conn -      op == :| && scopes -- token.scopes != scopes -> +      op == :| && Enum.any?(matched_scopes) ->          conn -      op == :& && scopes -- token.scopes == [] -> +      op == :& && matched_scopes == scopes ->          conn        options[:fallback] == :proceed_unauthenticated -> @@ -30,7 +31,7 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do          |> assign(:token, nil)        true -> -        missing_scopes = scopes -- token.scopes +        missing_scopes = scopes -- matched_scopes          permissions = Enum.join(missing_scopes, " #{op} ")          error_message = @@ -42,4 +43,17 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do          |> halt()      end    end + +  @doc "Filters descendants of supported scopes" +  def filter_descendants(scopes, supported_scopes) do +    Enum.filter( +      scopes, +      fn scope -> +        Enum.find( +          supported_scopes, +          &(scope == &1 || String.starts_with?(scope, &1 <> ":")) +        ) +      end +    ) +  end  end diff --git a/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex b/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex index 8dfad7a54..118446c85 100644 --- a/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex +++ b/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex @@ -19,6 +19,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do    alias Pleroma.Notification    alias Pleroma.Object    alias Pleroma.Pagination +  alias Pleroma.Plugs.OAuthScopesPlug    alias Pleroma.Plugs.RateLimiter    alias Pleroma.Repo    alias Pleroma.ScheduledActivity @@ -52,6 +53,41 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do    require Logger    require Pleroma.Constants +  plug( +    OAuthScopesPlug, +    %{scopes: ["follow", "read:blocks"]} when action in [:blocks, :domain_blocks] +  ) + +  plug( +    OAuthScopesPlug, +    %{scopes: ["follow", "write:blocks"]} +    when action in [:block, :unblock, :block_domain, :unblock_domain] +  ) + +  plug(OAuthScopesPlug, %{scopes: ["follow", "read:follows"]} when action == :follow_requests) + +  plug( +    OAuthScopesPlug, +    %{scopes: ["follow", "write:follows"]} +    when action in [ +           :follow, +           :unfollow, +           :subscribe, +           :unsubscribe, +           :authorize_follow_request, +           :reject_follow_request +         ] +  ) + +  plug(OAuthScopesPlug, %{scopes: ["follow", "read:mutes"]} when action == :mutes) +  plug(OAuthScopesPlug, %{scopes: ["follow", "write:mutes"]} when action in [:mute, :unmute]) + +  plug( +    OAuthScopesPlug, +    %{scopes: ["write:mutes"]} +    when action in [:mute_conversation, :unmute_conversation] +  ) +    @rate_limited_relations_actions ~w(follow unfollow)a    @rate_limited_status_actions ~w(reblog_status unreblog_status fav_status unfav_status diff --git a/lib/pleroma/web/oauth/oauth_controller.ex b/lib/pleroma/web/oauth/oauth_controller.ex index 81eae2c8b..130ec7895 100644 --- a/lib/pleroma/web/oauth/oauth_controller.ex +++ b/lib/pleroma/web/oauth/oauth_controller.ex @@ -451,7 +451,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do    defp validate_scopes(app, params) do      params      |> Scopes.fetch_scopes(app.scopes) -    |> Scopes.validates(app.scopes) +    |> Scopes.validate(app.scopes)    end    def default_redirect_uri(%App{} = app) do diff --git a/lib/pleroma/web/oauth/scopes.ex b/lib/pleroma/web/oauth/scopes.ex index ad9dfb260..48bd14407 100644 --- a/lib/pleroma/web/oauth/scopes.ex +++ b/lib/pleroma/web/oauth/scopes.ex @@ -8,7 +8,7 @@ defmodule Pleroma.Web.OAuth.Scopes do    """    @doc """ -  Fetch scopes from requiest params. +  Fetch scopes from request params.    Note: `scopes` is used by Mastodon — supporting it but sticking to    OAuth's standard `scope` wherever we control it @@ -53,14 +53,14 @@ defmodule Pleroma.Web.OAuth.Scopes do    @doc """    Validates scopes.    """ -  @spec validates(list() | nil, list()) :: +  @spec validate(list() | nil, list()) ::            {:ok, list()} | {:error, :missing_scopes | :unsupported_scopes} -  def validates([], _app_scopes), do: {:error, :missing_scopes} -  def validates(nil, _app_scopes), do: {:error, :missing_scopes} +  def validate([], _app_scopes), do: {:error, :missing_scopes} +  def validate(nil, _app_scopes), do: {:error, :missing_scopes} -  def validates(scopes, app_scopes) do -    case scopes -- app_scopes do -      [] -> {:ok, scopes} +  def validate(scopes, app_scopes) do +    case Pleroma.Plugs.OAuthScopesPlug.filter_descendants(scopes, app_scopes) do +      ^scopes -> {:ok, scopes}        _ -> {:error, :unsupported_scopes}      end    end diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index cfb973f53..8c93e535e 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -104,10 +104,6 @@ defmodule Pleroma.Web.Router do      plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["write"]})    end -  pipeline :oauth_follow do -    plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["follow"]}) -  end -    pipeline :oauth_push do      plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["push"]})    end @@ -211,11 +207,7 @@ defmodule Pleroma.Web.Router do      post("/main/ostatus", UtilController, :remote_subscribe)      get("/ostatus_subscribe", UtilController, :remote_follow) - -    scope [] do -      pipe_through(:oauth_follow) -      post("/ostatus_subscribe", UtilController, :do_remote_follow) -    end +    post("/ostatus_subscribe", UtilController, :do_remote_follow)    end    scope "/api/pleroma", Pleroma.Web.TwitterAPI do @@ -231,8 +223,6 @@ defmodule Pleroma.Web.Router do      end      scope [] do -      pipe_through(:oauth_follow) -        post("/blocks_import", UtilController, :blocks_import)        post("/follow_import", UtilController, :follow_import)      end @@ -373,8 +363,6 @@ defmodule Pleroma.Web.Router do      end      scope [] do -      pipe_through(:oauth_follow) -        post("/follows", MastodonAPIController, :follow)        post("/accounts/:id/follow", MastodonAPIController, :follow) diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex index 3405bd3b7..1c6ad5057 100644 --- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex +++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex @@ -13,11 +13,20 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do    alias Pleroma.Healthcheck    alias Pleroma.Notification    alias Pleroma.Plugs.AuthenticationPlug +  alias Pleroma.Plugs.OAuthScopesPlug    alias Pleroma.User    alias Pleroma.Web    alias Pleroma.Web.CommonAPI    alias Pleroma.Web.WebFinger +  plug( +    OAuthScopesPlug, +    %{scopes: ["follow", "write:follows"]} +    when action in [:do_remote_follow, :follow_import] +  ) + +  plug(OAuthScopesPlug, %{scopes: ["follow", "write:blocks"]} when action == :blocks_import) +    plug(Pleroma.Plugs.SetFormatPlug when action in [:config, :version])    def help_test(conn, _params) do diff --git a/test/plugs/oauth_scopes_plug_test.exs b/test/plugs/oauth_scopes_plug_test.exs index f328026df..9b0a2e702 100644 --- a/test/plugs/oauth_scopes_plug_test.exs +++ b/test/plugs/oauth_scopes_plug_test.exs @@ -84,7 +84,8 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do      refute conn.assigns[:user]    end -  test "returns 403 and halts in case of no :fallback option and `token.scopes` not fulfilling specified 'any of' conditions", +  test "returns 403 and halts " <> +         "in case of no :fallback option and `token.scopes` not fulfilling specified 'any of' conditions",         %{conn: conn} do      token = insert(:oauth_token, scopes: ["read", "write"])      any_of_scopes = ["follow"] @@ -101,7 +102,8 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do      assert Jason.encode!(%{error: expected_error}) == conn.resp_body    end -  test "returns 403 and halts in case of no :fallback option and `token.scopes` not fulfilling specified 'all of' conditions", +  test "returns 403 and halts " <> +         "in case of no :fallback option and `token.scopes` not fulfilling specified 'all of' conditions",         %{conn: conn} do      token = insert(:oauth_token, scopes: ["read", "write"])      all_of_scopes = ["write", "follow"] @@ -119,4 +121,36 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do      assert Jason.encode!(%{error: expected_error}) == conn.resp_body    end + +  describe "with hierarchical scopes, " do +    test "proceeds with no op if `token.scopes` fulfill specified 'any of' conditions", %{ +      conn: conn +    } do +      token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user) + +      conn = +        conn +        |> assign(:user, token.user) +        |> assign(:token, token) +        |> OAuthScopesPlug.call(%{scopes: ["read:something"]}) + +      refute conn.halted +      assert conn.assigns[:user] +    end + +    test "proceeds with no op if `token.scopes` fulfill specified 'all of' conditions", %{ +      conn: conn +    } do +      token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user) + +      conn = +        conn +        |> assign(:user, token.user) +        |> assign(:token, token) +        |> OAuthScopesPlug.call(%{scopes: ["scope1:subscope", "scope2:subscope"], op: :&}) + +      refute conn.halted +      assert conn.assigns[:user] +    end +  end  end diff --git a/test/web/twitter_api/util_controller_test.exs b/test/web/twitter_api/util_controller_test.exs index cf8e69d2b..685e48270 100644 --- a/test/web/twitter_api/util_controller_test.exs +++ b/test/web/twitter_api/util_controller_test.exs @@ -78,19 +78,21 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do        assert response == "job started"      end -    test "requires 'follow' permission", %{conn: conn} do +    test "requires 'follow' or 'write:follows' permissions", %{conn: conn} do        token1 = insert(:oauth_token, scopes: ["read", "write"])        token2 = insert(:oauth_token, scopes: ["follow"]) +      token3 = insert(:oauth_token, scopes: ["something"])        another_user = insert(:user) -      for token <- [token1, token2] do +      for token <- [token1, token2, token3] do          conn =            conn            |> put_req_header("authorization", "Bearer #{token.token}")            |> post("/api/pleroma/follow_import", %{"list" => "#{another_user.ap_id}"}) -        if token == token1 do -          assert %{"error" => "Insufficient permissions: follow."} == json_response(conn, 403) +        if token == token3 do +          assert %{"error" => "Insufficient permissions: follow | write:follows."} == +                   json_response(conn, 403)          else            assert json_response(conn, 200)          end | 
