1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
|
# Pleroma: A lightweight social networking server
# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Plugs.OAuthScopesPlugTest do
use Pleroma.Web.ConnCase, async: true
alias Pleroma.Plugs.OAuthScopesPlug
alias Pleroma.Repo
import Pleroma.Factory
test "proceeds with no op if `assigns[:token]` is nil", %{conn: conn} do
conn =
conn
|> assign(:user, insert(:user))
|> OAuthScopesPlug.call(%{scopes: ["read"]})
refute conn.halted
assert conn.assigns[:user]
end
test "proceeds with no op if `token.scopes` fulfill specified 'any of' conditions", %{
conn: conn
} do
token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
conn =
conn
|> assign(:user, token.user)
|> assign(:token, token)
|> OAuthScopesPlug.call(%{scopes: ["read"]})
refute conn.halted
assert conn.assigns[:user]
end
test "proceeds with no op if `token.scopes` fulfill specified 'all of' conditions", %{
conn: conn
} do
token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
conn =
conn
|> assign(:user, token.user)
|> assign(:token, token)
|> OAuthScopesPlug.call(%{scopes: ["scope2", "scope3"], op: :&})
refute conn.halted
assert conn.assigns[:user]
end
test "proceeds with cleared `assigns[:user]` if `token.scopes` doesn't fulfill specified 'any of' conditions " <>
"and `fallback: :proceed_unauthenticated` option is specified",
%{conn: conn} do
token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
conn =
conn
|> assign(:user, token.user)
|> assign(:token, token)
|> OAuthScopesPlug.call(%{scopes: ["follow"], fallback: :proceed_unauthenticated})
refute conn.halted
refute conn.assigns[:user]
end
test "proceeds with cleared `assigns[:user]` if `token.scopes` doesn't fulfill specified 'all of' conditions " <>
"and `fallback: :proceed_unauthenticated` option is specified",
%{conn: conn} do
token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
conn =
conn
|> assign(:user, token.user)
|> assign(:token, token)
|> OAuthScopesPlug.call(%{
scopes: ["read", "follow"],
op: :&,
fallback: :proceed_unauthenticated
})
refute conn.halted
refute conn.assigns[:user]
end
test "returns 403 and halts " <>
"in case of no :fallback option and `token.scopes` not fulfilling specified 'any of' conditions",
%{conn: conn} do
token = insert(:oauth_token, scopes: ["read", "write"])
any_of_scopes = ["follow"]
conn =
conn
|> assign(:token, token)
|> OAuthScopesPlug.call(%{scopes: any_of_scopes})
assert conn.halted
assert 403 == conn.status
expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, ", ")}."
assert Jason.encode!(%{error: expected_error}) == conn.resp_body
end
test "returns 403 and halts " <>
"in case of no :fallback option and `token.scopes` not fulfilling specified 'all of' conditions",
%{conn: conn} do
token = insert(:oauth_token, scopes: ["read", "write"])
all_of_scopes = ["write", "follow"]
conn =
conn
|> assign(:token, token)
|> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
assert conn.halted
assert 403 == conn.status
expected_error =
"Insufficient permissions: #{Enum.join(all_of_scopes -- token.scopes, ", ")}."
assert Jason.encode!(%{error: expected_error}) == conn.resp_body
end
describe "with hierarchical scopes, " do
test "proceeds with no op if `token.scopes` fulfill specified 'any of' conditions", %{
conn: conn
} do
token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
conn =
conn
|> assign(:user, token.user)
|> assign(:token, token)
|> OAuthScopesPlug.call(%{scopes: ["read:something"]})
refute conn.halted
assert conn.assigns[:user]
end
test "proceeds with no op if `token.scopes` fulfill specified 'all of' conditions", %{
conn: conn
} do
token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
conn =
conn
|> assign(:user, token.user)
|> assign(:token, token)
|> OAuthScopesPlug.call(%{scopes: ["scope1:subscope", "scope2:subscope"], op: :&})
refute conn.halted
assert conn.assigns[:user]
end
end
end
|
