3 files changed, 142 insertions, 34 deletions

diff --git a/test/plugs/oauth_scopes_plug_test.exs b/test/plugs/oauth_scopes_plug_test.exs
index be6d1340b..89f32f43a 100644
--- a/test/plugs/oauth_scopes_plug_test.exs
+++ b/test/plugs/oauth_scopes_plug_test.exs
@@ -224,4 +224,42 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do
       assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
     end
   end
+
+  describe "transform_scopes/2" do
+    clear_config([:auth, :enforce_oauth_admin_scope_usage])
+
+    setup do
+      {:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}
+    end
+
+    test "with :admin option, prefixes all requested scopes with `admin:` " <>
+           "and [optionally] keeps only prefixed scopes, " <>
+           "depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
+         %{f: f} do
+      Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
+
+      assert f.(["read"], %{admin: true}) == ["admin:read", "read"]
+
+      assert f.(["read", "write"], %{admin: true}) == [
+               "admin:read",
+               "read",
+               "admin:write",
+               "write"
+             ]
+
+      Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], true)
+
+      assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]
+
+      assert f.(["read", "write:reports"], %{admin: true}) == [
+               "admin:read",
+               "admin:write:reports"
+             ]
+    end
+
+    test "with no supported options, returns unmodified scopes", %{f: f} do
+      assert f.(["read"], %{}) == ["read"]
+      assert f.(["read", "write"], %{}) == ["read", "write"]
+    end
+  end
 end
diff --git a/test/plugs/rate_limiter_test.exs b/test/plugs/rate_limiter_test.exs
index 49f63c424..78f1ea9e4 100644
--- a/test/plugs/rate_limiter_test.exs
+++ b/test/plugs/rate_limiter_test.exs
@@ -145,9 +145,9 @@ defmodule Pleroma.Plugs.RateLimiterTest do
     test "can have limits seperate from unauthenticated connections" do
       limiter_name = :test_authenticated
 
-      scale = 1000
+      scale = 50
       limit = 5
-      Pleroma.Config.put([:rate_limit, limiter_name], [{1, 10}, {scale, limit}])
+      Pleroma.Config.put([:rate_limit, limiter_name], [{1000, 1}, {scale, limit}])
 
       opts = RateLimiter.init(name: limiter_name)
 
@@ -164,16 +164,6 @@ defmodule Pleroma.Plugs.RateLimiterTest do
 
       assert %{"error" => "Throttled"} = Phoenix.ConnTest.json_response(conn, :too_many_requests)
       assert conn.halted
-
-      Process.sleep(1550)
-
-      conn = conn(:get, "/") |> assign(:user, user)
-      conn = RateLimiter.call(conn, opts)
-      assert {1, 4} = RateLimiter.inspect_bucket(conn, limiter_name, opts)
-
-      refute conn.status == Plug.Conn.Status.code(:too_many_requests)
-      refute conn.resp_body
-      refute conn.halted
     end
 
     test "diffrerent users are counted independently" do
diff --git a/test/plugs/user_is_admin_plug_test.exs b/test/plugs/user_is_admin_plug_test.exs
index 136dcc54e..bc6fcd73c 100644
--- a/test/plugs/user_is_admin_plug_test.exs
+++ b/test/plugs/user_is_admin_plug_test.exs
@@ -8,36 +8,116 @@ defmodule Pleroma.Plugs.UserIsAdminPlugTest do
   alias Pleroma.Plugs.UserIsAdminPlug
   import Pleroma.Factory
 
-  test "accepts a user that is admin" do
-    user = insert(:user, is_admin: true)
+  describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do
+    clear_config([:auth, :enforce_oauth_admin_scope_usage]) do
+      Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
+    end
 
-    conn =
-      build_conn()
-      |> assign(:user, user)
+    test "accepts a user that is an admin" do
+      user = insert(:user, is_admin: true)
 
-    ret_conn =
-      conn
-      |> UserIsAdminPlug.call(%{})
+      conn = assign(build_conn(), :user, user)
 
-    assert conn == ret_conn
-  end
+      ret_conn = UserIsAdminPlug.call(conn, %{})
+
+      assert conn == ret_conn
+    end
+
+    test "denies a user that isn't an admin" do
+      user = insert(:user)
 
-  test "denies a user that isn't admin" do
-    user = insert(:user)
+      conn =
+        build_conn()
+        |> assign(:user, user)
+        |> UserIsAdminPlug.call(%{})
 
-    conn =
-      build_conn()
-      |> assign(:user, user)
-      |> UserIsAdminPlug.call(%{})
+      assert conn.status == 403
+    end
 
-    assert conn.status == 403
+    test "denies when a user isn't set" do
+      conn = UserIsAdminPlug.call(build_conn(), %{})
+
+      assert conn.status == 403
+    end
   end
 
-  test "denies when a user isn't set" do
-    conn =
-      build_conn()
-      |> UserIsAdminPlug.call(%{})
+  describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
+    clear_config([:auth, :enforce_oauth_admin_scope_usage]) do
+      Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], true)
+    end
+
+    setup do
+      admin_user = insert(:user, is_admin: true)
+      non_admin_user = insert(:user, is_admin: false)
+      blank_user = nil
+
+      {:ok, %{users: [admin_user, non_admin_user, blank_user]}}
+    end
+
+    test "if token has any of admin scopes, accepts a user that is an admin", %{conn: conn} do
+      user = insert(:user, is_admin: true)
+      token = insert(:oauth_token, user: user, scopes: ["admin:something"])
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> assign(:token, token)
+
+      ret_conn = UserIsAdminPlug.call(conn, %{})
+
+      assert conn == ret_conn
+    end
+
+    test "if token has any of admin scopes, denies a user that isn't an admin", %{conn: conn} do
+      user = insert(:user, is_admin: false)
+      token = insert(:oauth_token, user: user, scopes: ["admin:something"])
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> assign(:token, token)
+        |> UserIsAdminPlug.call(%{})
+
+      assert conn.status == 403
+    end
+
+    test "if token has any of admin scopes, denies when a user isn't set", %{conn: conn} do
+      token = insert(:oauth_token, scopes: ["admin:something"])
+
+      conn =
+        conn
+        |> assign(:user, nil)
+        |> assign(:token, token)
+        |> UserIsAdminPlug.call(%{})
+
+      assert conn.status == 403
+    end
+
+    test "if token lacks admin scopes, denies users regardless of is_admin flag",
+         %{users: users} do
+      for user <- users do
+        token = insert(:oauth_token, user: user)
+
+        conn =
+          build_conn()
+          |> assign(:user, user)
+          |> assign(:token, token)
+          |> UserIsAdminPlug.call(%{})
+
+        assert conn.status == 403
+      end
+    end
+
+    test "if token is missing, denies users regardless of is_admin flag", %{users: users} do
+      for user <- users do
+        conn =
+          build_conn()
+          |> assign(:user, user)
+          |> assign(:token, nil)
+          |> UserIsAdminPlug.call(%{})
 
-    assert conn.status == 403
+        assert conn.status == 403
+      end
+    end
   end
 end