Diffstat (limited to 'test/plugs')
-rw-r--r--test/plugs/admin_secret_authentication_plug_test.exs2
-rw-r--r--test/plugs/http_security_plug_test.exs1
-rw-r--r--test/plugs/oauth_scopes_plug_test.exs169
-rw-r--r--test/plugs/rate_limiter_test.exs49
-rw-r--r--test/plugs/remote_ip_test.exs4
-rw-r--r--test/plugs/user_enabled_plug_test.exs5
6 files changed, 114 insertions, 116 deletions
diff --git a/test/plugs/admin_secret_authentication_plug_test.exs b/test/plugs/admin_secret_authentication_plug_test.exs
index 506b1f609..e41ce1825 100644
--- a/test/plugs/admin_secret_authentication_plug_test.exs
+++ b/test/plugs/admin_secret_authentication_plug_test.exs
@@ -23,6 +23,8 @@ defmodule Pleroma.Plugs.AdminSecretAuthenticationPlugTest do
end
describe "when secret set it assigns an admin user" do
+ clear_config([:admin_token])
+
test "with `admin_token` query parameter", %{conn: conn} do
Pleroma.Config.put(:admin_token, "password123")
diff --git a/test/plugs/http_security_plug_test.exs b/test/plugs/http_security_plug_test.exs
index 9c1c20541..aa285d827 100644
--- a/test/plugs/http_security_plug_test.exs
+++ b/test/plugs/http_security_plug_test.exs
@@ -9,6 +9,7 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
clear_config([:http_securiy, :enabled])
clear_config([:http_security, :sts])
+ clear_config([:http_security, :referrer_policy])
describe "http security enabled" do
setup do
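Review bot: The context line `clear_config([:http_securiy, :enabled])` directly above the added line misspells the key, so it presumably saves and restores a setting nothing reads, and the real `[:http_security, :enabled]` value is not reset between tests. Since this change is already extending the list, the typo can be fixed in the same place: `clear_config([:http_security, :enabled])`. If tests in the `describe` blocks below toggle that flag (their bodies are outside this hunk), the security-header plug's enabled state can leak into later tests and mask a regression.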
diff --git a/test/plugs/oauth_scopes_plug_test.exs b/test/plugs/oauth_scopes_plug_test.exs
index 89f32f43a..ce426677b 100644
--- a/test/plugs/oauth_scopes_plug_test.exs
+++ b/test/plugs/oauth_scopes_plug_test.exs
@@ -16,34 +16,6 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do
:ok
end
- describe "when `assigns[:token]` is nil, " do
- test "with :skip_instance_privacy_check option, proceeds with no op", %{conn: conn} do
- conn =
- conn
- |> assign(:user, insert(:user))
- |> OAuthScopesPlug.call(%{scopes: ["read"], skip_instance_privacy_check: true})
-
- refute conn.halted
- assert conn.assigns[:user]
-
- refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
- end
-
- test "without :skip_instance_privacy_check option, calls EnsurePublicOrAuthenticatedPlug", %{
- conn: conn
- } do
- conn =
- conn
- |> assign(:user, insert(:user))
- |> OAuthScopesPlug.call(%{scopes: ["read"]})
-
- refute conn.halted
- assert conn.assigns[:user]
-
- assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
- end
- end
-
test "if `token.scopes` fulfills specified 'any of' conditions, " <>
"proceeds with no op",
%{conn: conn} do
@@ -75,64 +47,56 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do
end
describe "with `fallback: :proceed_unauthenticated` option, " do
- test "if `token.scopes` doesn't fulfill specified 'any of' conditions, " <>
- "clears `assigns[:user]` and calls EnsurePublicOrAuthenticatedPlug",
- %{conn: conn} do
- token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
-
- conn =
- conn
- |> assign(:user, token.user)
- |> assign(:token, token)
- |> OAuthScopesPlug.call(%{scopes: ["follow"], fallback: :proceed_unauthenticated})
-
- refute conn.halted
- refute conn.assigns[:user]
-
- assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
- end
-
- test "if `token.scopes` doesn't fulfill specified 'all of' conditions, " <>
- "clears `assigns[:user] and calls EnsurePublicOrAuthenticatedPlug",
+ test "if `token.scopes` doesn't fulfill specified conditions, " <>
+ "clears :user and :token assigns and calls EnsurePublicOrAuthenticatedPlug",
%{conn: conn} do
- token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
-
- conn =
- conn
- |> assign(:user, token.user)
- |> assign(:token, token)
- |> OAuthScopesPlug.call(%{
- scopes: ["read", "follow"],
- op: :&,
- fallback: :proceed_unauthenticated
- })
-
- refute conn.halted
- refute conn.assigns[:user]
-
- assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
+ user = insert(:user)
+ token1 = insert(:oauth_token, scopes: ["read", "write"], user: user)
+
+ for token <- [token1, nil], op <- [:|, :&] do
+ ret_conn =
+ conn
+ |> assign(:user, user)
+ |> assign(:token, token)
+ |> OAuthScopesPlug.call(%{
+ scopes: ["follow"],
+ op: op,
+ fallback: :proceed_unauthenticated
+ })
+
+ refute ret_conn.halted
+ refute ret_conn.assigns[:user]
+ refute ret_conn.assigns[:token]
+
+ assert called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_))
+ end
end
test "with :skip_instance_privacy_check option, " <>
"if `token.scopes` doesn't fulfill specified conditions, " <>
- "clears `assigns[:user]` and does not call EnsurePublicOrAuthenticatedPlug",
+ "clears :user and :token assigns and does NOT call EnsurePublicOrAuthenticatedPlug",
%{conn: conn} do
- token = insert(:oauth_token, scopes: ["read:statuses", "write"]) |> Repo.preload(:user)
-
- conn =
- conn
- |> assign(:user, token.user)
- |> assign(:token, token)
- |> OAuthScopesPlug.call(%{
- scopes: ["read"],
- fallback: :proceed_unauthenticated,
- skip_instance_privacy_check: true
- })
-
- refute conn.halted
- refute conn.assigns[:user]
-
- refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
+ user = insert(:user)
+ token1 = insert(:oauth_token, scopes: ["read:statuses", "write"], user: user)
+
+ for token <- [token1, nil], op <- [:|, :&] do
+ ret_conn =
+ conn
+ |> assign(:user, user)
+ |> assign(:token, token)
+ |> OAuthScopesPlug.call(%{
+ scopes: ["read"],
+ op: op,
+ fallback: :proceed_unauthenticated,
+ skip_instance_privacy_check: true
+ })
+
+ refute ret_conn.halted
+ refute ret_conn.assigns[:user]
+ refute ret_conn.assigns[:token]
+
+ refute called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_))
+ end
end
end
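Review bot: `assert called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_))` inside the `for token <- [token1, nil], op <- [:|, :&]` loop is likely only effective on the first iteration. Every iteration appears to end with an equal `ret_conn` (both `:user` and `:token` cleared), so if the mock's call history is not reset between iterations (the mock setup is outside this hunk), the call recorded in the first pass also satisfies the assertion in the remaining three. The test would then still pass if the privacy check were skipped for a nil token or for `op: :&`. Generating one `test` per combination, or clearing the mock history at the top of the loop body, would make each case prove the call on its own. The `refute called(...)` loop in the second test is not weakened in the same way.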
@@ -140,39 +104,42 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do
test "if `token.scopes` does not fulfill specified 'any of' conditions, " <>
"returns 403 and halts",
%{conn: conn} do
- token = insert(:oauth_token, scopes: ["read", "write"])
- any_of_scopes = ["follow"]
+ for token <- [insert(:oauth_token, scopes: ["read", "write"]), nil] do
+ any_of_scopes = ["follow", "push"]
- conn =
- conn
- |> assign(:token, token)
- |> OAuthScopesPlug.call(%{scopes: any_of_scopes})
+ ret_conn =
+ conn
+ |> assign(:token, token)
+ |> OAuthScopesPlug.call(%{scopes: any_of_scopes})
- assert conn.halted
- assert 403 == conn.status
+ assert ret_conn.halted
+ assert 403 == ret_conn.status
- expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, ", ")}."
- assert Jason.encode!(%{error: expected_error}) == conn.resp_body
+ expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, " | ")}."
+ assert Jason.encode!(%{error: expected_error}) == ret_conn.resp_body
+ end
end
test "if `token.scopes` does not fulfill specified 'all of' conditions, " <>
"returns 403 and halts",
%{conn: conn} do
- token = insert(:oauth_token, scopes: ["read", "write"])
- all_of_scopes = ["write", "follow"]
+ for token <- [insert(:oauth_token, scopes: ["read", "write"]), nil] do
+ token_scopes = (token && token.scopes) || []
+ all_of_scopes = ["write", "follow"]
- conn =
- conn
- |> assign(:token, token)
- |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
+ conn =
+ conn
+ |> assign(:token, token)
+ |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
- assert conn.halted
- assert 403 == conn.status
+ assert conn.halted
+ assert 403 == conn.status
- expected_error =
- "Insufficient permissions: #{Enum.join(all_of_scopes -- token.scopes, ", ")}."
+ expected_error =
+ "Insufficient permissions: #{Enum.join(all_of_scopes -- token_scopes, " & ")}."
- assert Jason.encode!(%{error: expected_error}) == conn.resp_body
+ assert Jason.encode!(%{error: expected_error}) == conn.resp_body
+ end
end
end
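Review bot: The nil-token iterations in both 403 tests never assign `:user`, so the case the deleted "when `assigns[:token]` is nil" tests used to let through, a conn with a user but no token, is not shown to halt here. A nil-token case with `|> assign(:user, insert(:user))` ahead of `|> assign(:token, token)` would pin that an authenticated user without a token gets the 403 rather than passing through. The second test also rebinds `conn` inside the loop where the first uses `ret_conn`; using `ret_conn` in both keeps them consistent. The enclosing `describe` starts outside this hunk.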
diff --git a/test/plugs/rate_limiter_test.exs b/test/plugs/rate_limiter_test.exs
index 49f63c424..06ffa7b70 100644
--- a/test/plugs/rate_limiter_test.exs
+++ b/test/plugs/rate_limiter_test.exs
@@ -16,6 +16,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do
test "config is required for plug to work" do
limiter_name = :test_init
Pleroma.Config.put([:rate_limit, limiter_name], {1, 1})
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})
assert %{limits: {1, 1}, name: :test_init, opts: [name: :test_init]} ==
RateLimiter.init(name: limiter_name)
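Review bot: `Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})` is added here and in the later hunks of this file, and the new tests also set `[Pleroma.Plugs.RemoteIp, :enabled]`, but no matching reset is visible in any of these hunks. Unless the module already clears these keys outside the hunks, whichever test runs last leaves the endpoint bind address and the RemoteIp flag changed for other test modules, which can silently switch rate limiting on or off there. Other files in this change use `clear_config` for exactly this; the same would fit near the top of this module, e.g. `clear_config([Pleroma.Web.Endpoint, :http, :ip])` and `clear_config(Pleroma.Plugs.RemoteIp)`.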
@@ -23,11 +24,39 @@ defmodule Pleroma.Plugs.RateLimiterTest do
assert nil == RateLimiter.init(name: :foo)
end
+ test "it is disabled for localhost" do
+ limiter_name = :test_init
+ Pleroma.Config.put([:rate_limit, limiter_name], {1, 1})
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {127, 0, 0, 1})
+ Pleroma.Config.put([Pleroma.Plugs.RemoteIp, :enabled], false)
+
+ assert RateLimiter.disabled?() == true
+ end
+
+ test "it is disabled for socket" do
+ limiter_name = :test_init
+ Pleroma.Config.put([:rate_limit, limiter_name], {1, 1})
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {:local, "/path/to/pleroma.sock"})
+ Pleroma.Config.put([Pleroma.Plugs.RemoteIp, :enabled], false)
+
+ assert RateLimiter.disabled?() == true
+ end
+
+ test "it is enabled for socket when remote ip is enabled" do
+ limiter_name = :test_init
+ Pleroma.Config.put([:rate_limit, limiter_name], {1, 1})
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {:local, "/path/to/pleroma.sock"})
+ Pleroma.Config.put([Pleroma.Plugs.RemoteIp, :enabled], true)
+
+ assert RateLimiter.disabled?() == false
+ end
+
test "it restricts based on config values" do
limiter_name = :test_opts
scale = 80
limit = 5
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})
Pleroma.Config.put([:rate_limit, limiter_name], {scale, limit})
opts = RateLimiter.init(name: limiter_name)
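Review bot: The new `disabled?/0` tests leave out the endpoint bound to `{127, 0, 0, 1}` with `Pleroma.Plugs.RemoteIp` enabled, which is the usual reverse-proxy setup. The socket case with RemoteIp enabled expects `false`, so the localhost case presumably should too, and a regression there would turn rate limiting off without any test failing. The `limiter_name` binding and the `[:rate_limit, limiter_name]` put look unused by `disabled?/0`, which takes no arguments, so the sketch below omits them.

```elixir
test "it is enabled for localhost when remote ip is enabled" do
  Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {127, 0, 0, 1})
  Pleroma.Config.put([Pleroma.Plugs.RemoteIp, :enabled], true)

  assert RateLimiter.disabled?() == false
end
```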
@@ -61,6 +90,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do
limiter_name = :test_bucket_name
Pleroma.Config.put([:rate_limit, limiter_name], {1000, 5})
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})
base_bucket_name = "#{limiter_name}:group1"
opts = RateLimiter.init(name: limiter_name, bucket_name: base_bucket_name)
@@ -75,6 +105,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do
test "`params` option allows different queries to be tracked independently" do
limiter_name = :test_params
Pleroma.Config.put([:rate_limit, limiter_name], {1000, 5})
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})
opts = RateLimiter.init(name: limiter_name, params: ["id"])
@@ -90,6 +121,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do
test "it supports combination of options modifying bucket name" do
limiter_name = :test_options_combo
Pleroma.Config.put([:rate_limit, limiter_name], {1000, 5})
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})
base_bucket_name = "#{limiter_name}:group1"
opts = RateLimiter.init(name: limiter_name, bucket_name: base_bucket_name, params: ["id"])
@@ -109,6 +141,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do
test "are restricted based on remote IP" do
limiter_name = :test_unauthenticated
Pleroma.Config.put([:rate_limit, limiter_name], [{1000, 5}, {1, 10}])
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})
opts = RateLimiter.init(name: limiter_name)
@@ -145,9 +178,10 @@ defmodule Pleroma.Plugs.RateLimiterTest do
test "can have limits seperate from unauthenticated connections" do
limiter_name = :test_authenticated
- scale = 1000
+ scale = 50
limit = 5
- Pleroma.Config.put([:rate_limit, limiter_name], [{1, 10}, {scale, limit}])
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})
+ Pleroma.Config.put([:rate_limit, limiter_name], [{1000, 1}, {scale, limit}])
opts = RateLimiter.init(name: limiter_name)
@@ -164,21 +198,12 @@ defmodule Pleroma.Plugs.RateLimiterTest do
assert %{"error" => "Throttled"} = Phoenix.ConnTest.json_response(conn, :too_many_requests)
assert conn.halted
-
- Process.sleep(1550)
-
- conn = conn(:get, "/") |> assign(:user, user)
- conn = RateLimiter.call(conn, opts)
- assert {1, 4} = RateLimiter.inspect_bucket(conn, limiter_name, opts)
-
- refute conn.status == Plug.Conn.Status.code(:too_many_requests)
- refute conn.resp_body
- refute conn.halted
end
test "diffrerent users are counted independently" do
limiter_name = :test_authenticated
Pleroma.Config.put([:rate_limit, limiter_name], [{1, 10}, {1000, 5}])
+ Pleroma.Config.put([Pleroma.Web.Endpoint, :http, :ip], {8, 8, 8, 8})
opts = RateLimiter.init(name: limiter_name)
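Review bot: With the block after `assert conn.halted` deleted, this test no longer shows that an authenticated user's bucket recovers once the window has passed; it only proves that throttling starts. If no other test in the module covers expiry for the per-user bucket (not visible in these hunks), a bug that keeps users throttled indefinitely would go unnoticed. Now that `scale` is 50 in the preceding hunk, a short wait followed by a fresh request and `refute conn.halted` would restore that check without the old 1.5 s sleep.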
diff --git a/test/plugs/remote_ip_test.exs b/test/plugs/remote_ip_test.exs
index d120c588b..93e276454 100644
--- a/test/plugs/remote_ip_test.exs
+++ b/test/plugs/remote_ip_test.exs
@@ -8,6 +8,10 @@ defmodule Pleroma.Plugs.RemoteIpTest do
alias Pleroma.Plugs.RemoteIp
+ import Pleroma.Tests.Helpers, only: [clear_config: 1, clear_config: 2]
+
+ clear_config(RemoteIp)
+
test "disabled" do
Pleroma.Config.put(RemoteIp, enabled: false)
diff --git a/test/plugs/user_enabled_plug_test.exs b/test/plugs/user_enabled_plug_test.exs
index a4035bf0e..b6f297552 100644
--- a/test/plugs/user_enabled_plug_test.exs
+++ b/test/plugs/user_enabled_plug_test.exs
@@ -8,6 +8,8 @@ defmodule Pleroma.Plugs.UserEnabledPlugTest do
alias Pleroma.Plugs.UserEnabledPlug
import Pleroma.Factory
+ clear_config([:instance, :account_activation_required])
+
test "doesn't do anything if the user isn't set", %{conn: conn} do
ret_conn =
conn
@@ -18,7 +20,6 @@ defmodule Pleroma.Plugs.UserEnabledPlugTest do
test "with a user that's not confirmed and a config requiring confirmation, it removes that user",
%{conn: conn} do
- old = Pleroma.Config.get([:instance, :account_activation_required])
Pleroma.Config.put([:instance, :account_activation_required], true)
user = insert(:user, confirmation_pending: true)
@@ -29,8 +30,6 @@ defmodule Pleroma.Plugs.UserEnabledPlugTest do
|> UserEnabledPlug.call(%{})
assert conn.assigns.user == nil
-
- Pleroma.Config.put([:instance, :account_activation_required], old)
end
test "with a user that is deactivated, it removes that user", %{conn: conn} do