[#1478] OAuth admin tweaks: enforced OAuth admin scopes usage by default, migrated existing OAuth records. Adjusted tests.

author: Ivan Tashkinov <ivantashkinov@gmail.com> 2020-01-10 10:52:21 +0300
committer: Ivan Tashkinov <ivantashkinov@gmail.com> 2020-01-10 10:52:21 +0300
commit: 6c94b7498b889ffe13691123c94bbe5440786852 (patch)
tree: db72054fd2c820597c4ad9c90e225f7d4433b404 /test/web/oauth/oauth_controller_test.exs
parent: e8b0c7689a21e9cc83bc0907771662db702db709 (diff)
download: pleroma-6c94b7498b889ffe13691123c94bbe5440786852.tar.gz
pleroma-6c94b7498b889ffe13691123c94bbe5440786852.zip
1 files changed, 40 insertions, 38 deletions
diff --git a/test/web/oauth/oauth_controller_test.exs b/test/web/oauth/oauth_controller_test.exs
index 901f2ae41..7a629da4f 100644
--- a/test/web/oauth/oauth_controller_test.exs
+++ b/test/web/oauth/oauth_controller_test.exs
@@ -568,29 +568,34 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
 
   describe "POST /oauth/authorize" do
     test "redirects with oauth authorization, " <>
-           "keeping only non-admin scopes for non-admin user" do
-      app = insert(:oauth_app, scopes: ["read", "write", "admin"])
+           "granting requested app-supported scopes to both admin- and non-admin users" do
+      app_scopes = ["read", "write", "admin", "secret_scope"]
+      app = insert(:oauth_app, scopes: app_scopes)
       redirect_uri = OAuthController.default_redirect_uri(app)
 
       non_admin = insert(:user, is_admin: false)
       admin = insert(:user, is_admin: true)
+      scopes_subset = ["read:subscope", "write", "admin"]
 
-      for {user, expected_scopes} <- %{
-            non_admin => ["read:subscope", "write"],
-            admin => ["read:subscope", "write", "admin"]
-          } do
+      # In case scope param is missing, expecting _all_ app-supported scopes to be granted
+      for user <- [non_admin, admin],
+          {requested_scopes, expected_scopes} <-
+            %{scopes_subset => scopes_subset, nil => app_scopes} do
         conn =
-          build_conn()
-          |> post("/oauth/authorize", %{
-            "authorization" => %{
-              "name" => user.nickname,
-              "password" => "test",
-              "client_id" => app.client_id,
-              "redirect_uri" => redirect_uri,
-              "scope" => "read:subscope write admin",
-              "state" => "statepassed"
+          post(
+            build_conn(),
+            "/oauth/authorize",
+            %{
+              "authorization" => %{
+                "name" => user.nickname,
+                "password" => "test",
+                "client_id" => app.client_id,
+                "redirect_uri" => redirect_uri,
+                "scope" => requested_scopes,
+                "state" => "statepassed"
+              }
             }
-          })
+          )
 
         target = redirected_to(conn)
         assert target =~ redirect_uri
@@ -631,34 +636,31 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
       assert result =~ "Invalid Username/Password"
     end
 
-    test "returns 401 for missing scopes " <>
-           "(including all admin-only scopes for non-admin user)" do
+    test "returns 401 for missing scopes" do
       user = insert(:user, is_admin: false)
       app = insert(:oauth_app, scopes: ["read", "write", "admin"])
       redirect_uri = OAuthController.default_redirect_uri(app)
 
-      for scope_param <- ["", "admin:read admin:write"] do
-        result =
-          build_conn()
-          |> post("/oauth/authorize", %{
-            "authorization" => %{
-              "name" => user.nickname,
-              "password" => "test",
-              "client_id" => app.client_id,
-              "redirect_uri" => redirect_uri,
-              "state" => "statepassed",
-              "scope" => scope_param
-            }
-          })
-          |> html_response(:unauthorized)
+      result =
+        build_conn()
+        |> post("/oauth/authorize", %{
+          "authorization" => %{
+            "name" => user.nickname,
+            "password" => "test",
+            "client_id" => app.client_id,
+            "redirect_uri" => redirect_uri,
+            "state" => "statepassed",
+            "scope" => ""
+          }
+        })
+        |> html_response(:unauthorized)
 
-        # Keep the details
-        assert result =~ app.client_id
-        assert result =~ redirect_uri
+      # Keep the details
+      assert result =~ app.client_id
+      assert result =~ redirect_uri
 
-        # Error message
-        assert result =~ "This action is outside the authorized scopes"
-      end
+      # Error message
+      assert result =~ "This action is outside the authorized scopes"
     end
 
     test "returns 401 for scopes beyond app scopes hierarchy", %{conn: conn} do
author	Ivan Tashkinov <ivantashkinov@gmail.com>	2020-01-10 10:52:21 +0300
committer	Ivan Tashkinov <ivantashkinov@gmail.com>	2020-01-10 10:52:21 +0300
commit	6c94b7498b889ffe13691123c94bbe5440786852 (patch)
tree	db72054fd2c820597c4ad9c90e225f7d4433b404 /test/web/oauth/oauth_controller_test.exs
parent	e8b0c7689a21e9cc83bc0907771662db702db709 (diff)
download	pleroma-6c94b7498b889ffe13691123c94bbe5440786852.tar.gz pleroma-6c94b7498b889ffe13691123c94bbe5440786852.zip