diff options
| author | Alex Gleason <alex@alexgleason.me> | 2020-10-13 19:20:00 -0500 |
|---|---|---|
| committer | Alex Gleason <alex@alexgleason.me> | 2020-10-13 19:20:00 -0500 |
| commit | c3112fd13a6af239b9dff0813e93266ec58f571e (patch) | |
| tree | 7f2252d7a08e4a59b66e392b2732a1cdd8745758 /test/web/auth/auth_test_controller_test.exs | |
| parent | 66e00ace7c0708f2f9361bc6e1008ccea08cb6ef (diff) | |
| parent | 481906207e6d803e5c4d3e455c7b93119e392177 (diff) | |
| download | pleroma-c3112fd13a6af239b9dff0813e93266ec58f571e.tar.gz pleroma-c3112fd13a6af239b9dff0813e93266ec58f571e.zip | |
Merge remote-tracking branch 'upstream/develop' into registration-workflow
Diffstat (limited to 'test/web/auth/auth_test_controller_test.exs')
| -rw-r--r-- | test/web/auth/auth_test_controller_test.exs | 242 |
1 files changed, 0 insertions, 242 deletions
diff --git a/test/web/auth/auth_test_controller_test.exs b/test/web/auth/auth_test_controller_test.exs deleted file mode 100644 index fed52b7f3..000000000 --- a/test/web/auth/auth_test_controller_test.exs +++ /dev/null @@ -1,242 +0,0 @@ -# Pleroma: A lightweight social networking server -# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/> -# SPDX-License-Identifier: AGPL-3.0-only - -defmodule Pleroma.Tests.AuthTestControllerTest do - use Pleroma.Web.ConnCase - - import Pleroma.Factory - - describe "do_oauth_check" do - test "serves with proper OAuth token (fulfilling requested scopes)" do - %{conn: good_token_conn, user: user} = oauth_access(["read"]) - - assert %{"user_id" => user.id} == - good_token_conn - |> get("/test/authenticated_api/do_oauth_check") - |> json_response(200) - - # Unintended usage (:api) — use with :authenticated_api instead - assert %{"user_id" => user.id} == - good_token_conn - |> get("/test/api/do_oauth_check") - |> json_response(200) - end - - test "fails on no token / missing scope(s)" do - %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"]) - - bad_token_conn - |> get("/test/authenticated_api/do_oauth_check") - |> json_response(403) - - bad_token_conn - |> assign(:token, nil) - |> get("/test/api/do_oauth_check") - |> json_response(403) - end - end - - describe "fallback_oauth_check" do - test "serves with proper OAuth token (fulfilling requested scopes)" do - %{conn: good_token_conn, user: user} = oauth_access(["read"]) - - assert %{"user_id" => user.id} == - good_token_conn - |> get("/test/api/fallback_oauth_check") - |> json_response(200) - - # Unintended usage (:authenticated_api) — use with :api instead - assert %{"user_id" => user.id} == - good_token_conn - |> get("/test/authenticated_api/fallback_oauth_check") - |> json_response(200) - end - - test "for :api on public instance, drops :user and renders on no token / missing scope(s)" do - clear_config([:instance, :public], true) - - %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"]) - - assert %{"user_id" => nil} == - bad_token_conn - |> get("/test/api/fallback_oauth_check") - |> json_response(200) - - assert %{"user_id" => nil} == - bad_token_conn - |> assign(:token, nil) - |> get("/test/api/fallback_oauth_check") - |> json_response(200) - end - - test "for :api on private instance, fails on no token / missing scope(s)" do - clear_config([:instance, :public], false) - - %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"]) - - bad_token_conn - |> get("/test/api/fallback_oauth_check") - |> json_response(403) - - bad_token_conn - |> assign(:token, nil) - |> get("/test/api/fallback_oauth_check") - |> json_response(403) - end - end - - describe "skip_oauth_check" do - test "for :authenticated_api, serves if :user is set (regardless of token / token scopes)" do - user = insert(:user) - - assert %{"user_id" => user.id} == - build_conn() - |> assign(:user, user) - |> get("/test/authenticated_api/skip_oauth_check") - |> json_response(200) - - %{conn: bad_token_conn, user: user} = oauth_access(["irrelevant_scope"]) - - assert %{"user_id" => user.id} == - bad_token_conn - |> get("/test/authenticated_api/skip_oauth_check") - |> json_response(200) - end - - test "serves via :api on public instance if :user is not set" do - clear_config([:instance, :public], true) - - assert %{"user_id" => nil} == - build_conn() - |> get("/test/api/skip_oauth_check") - |> json_response(200) - - build_conn() - |> get("/test/authenticated_api/skip_oauth_check") - |> json_response(403) - end - - test "fails on private instance if :user is not set" do - clear_config([:instance, :public], false) - - build_conn() - |> get("/test/api/skip_oauth_check") - |> json_response(403) - - build_conn() - |> get("/test/authenticated_api/skip_oauth_check") - |> json_response(403) - end - end - - describe "fallback_oauth_skip_publicity_check" do - test "serves with proper OAuth token (fulfilling requested scopes)" do - %{conn: good_token_conn, user: user} = oauth_access(["read"]) - - assert %{"user_id" => user.id} == - good_token_conn - |> get("/test/api/fallback_oauth_skip_publicity_check") - |> json_response(200) - - # Unintended usage (:authenticated_api) - assert %{"user_id" => user.id} == - good_token_conn - |> get("/test/authenticated_api/fallback_oauth_skip_publicity_check") - |> json_response(200) - end - - test "for :api on private / public instance, drops :user and renders on token issue" do - %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"]) - - for is_public <- [true, false] do - clear_config([:instance, :public], is_public) - - assert %{"user_id" => nil} == - bad_token_conn - |> get("/test/api/fallback_oauth_skip_publicity_check") - |> json_response(200) - - assert %{"user_id" => nil} == - bad_token_conn - |> assign(:token, nil) - |> get("/test/api/fallback_oauth_skip_publicity_check") - |> json_response(200) - end - end - end - - describe "skip_oauth_skip_publicity_check" do - test "for :authenticated_api, serves if :user is set (regardless of token / token scopes)" do - user = insert(:user) - - assert %{"user_id" => user.id} == - build_conn() - |> assign(:user, user) - |> get("/test/authenticated_api/skip_oauth_skip_publicity_check") - |> json_response(200) - - %{conn: bad_token_conn, user: user} = oauth_access(["irrelevant_scope"]) - - assert %{"user_id" => user.id} == - bad_token_conn - |> get("/test/authenticated_api/skip_oauth_skip_publicity_check") - |> json_response(200) - end - - test "for :api, serves on private and public instances regardless of whether :user is set" do - user = insert(:user) - - for is_public <- [true, false] do - clear_config([:instance, :public], is_public) - - assert %{"user_id" => nil} == - build_conn() - |> get("/test/api/skip_oauth_skip_publicity_check") - |> json_response(200) - - assert %{"user_id" => user.id} == - build_conn() - |> assign(:user, user) - |> get("/test/api/skip_oauth_skip_publicity_check") - |> json_response(200) - end - end - end - - describe "missing_oauth_check_definition" do - def test_missing_oauth_check_definition_failure(endpoint, expected_error) do - %{conn: conn} = oauth_access(["read", "write", "follow", "push", "admin"]) - - assert %{"error" => expected_error} == - conn - |> get(endpoint) - |> json_response(403) - end - - test "fails if served via :authenticated_api" do - test_missing_oauth_check_definition_failure( - "/test/authenticated_api/missing_oauth_check_definition", - "Security violation: OAuth scopes check was neither handled nor explicitly skipped." - ) - end - - test "fails if served via :api and the instance is private" do - clear_config([:instance, :public], false) - - test_missing_oauth_check_definition_failure( - "/test/api/missing_oauth_check_definition", - "This resource requires authentication." - ) - end - - test "succeeds with dropped :user if served via :api on public instance" do - %{conn: conn} = oauth_access(["read", "write", "follow", "push", "admin"]) - - assert %{"user_id" => nil} == - conn - |> get("/test/api/missing_oauth_check_definition") - |> json_response(200) - end - end -end |