cheerfulstoic/akkoma
1
0
Fork 0
forked from AkkomaGang/akkoma
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge branch 'feat/enforce-admin-scope-unconditionally' into 'develop'

Browse source 
Remove `:auth, :enforce_oauth_admin_scope_usage`

See merge request pleroma/pleroma!3327
This commit is contained in:
Haelwenn 2021-02-17 22:31:11 +00:00
commit c0437d1244
37 changed files with 153 additions and 337 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
CHANGELOG.md
View file

@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## Unreleased ## Unreleased
### Removed
- `:auth, :enforce_oauth_admin_scope_usage` configuration option.
### Changed ### Changed
- **Breaking**: Changed `mix pleroma.user toggle_confirmed` to `mix pleroma.user confirm` - **Breaking**: Changed `mix pleroma.user toggle_confirmed` to `mix pleroma.user confirm`

5
config/config.exs
View file

@ -611,10 +611,7 @@
base_path: "/oauth", base_path: "/oauth",
providers: ueberauth_providers providers: ueberauth_providers
config :pleroma, config :pleroma, :auth, oauth_consumer_strategies: oauth_consumer_strategies
:auth,
enforce_oauth_admin_scope_usage: true,
oauth_consumer_strategies: oauth_consumer_strategies
config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false

7
docs/development/API/admin_api.md
View file

@ -2,13 +2,6 @@
Authentication is required and the user must be an admin. Authentication is required and the user must be an admin.
Configuration options:
* `[:auth, :enforce_oauth_admin_scope_usage]` — OAuth admin scope requirement toggle.
If `true`, admin actions explicitly demand admin OAuth scope(s) presence in OAuth token (client app must support admin scopes).
If `false` and token doesn't have admin scope(s), `is_admin` user flag grants access to admin-specific actions.
Note that client app needs to explicitly support admin scopes and request them when obtaining auth token.
## `GET /api/pleroma/admin/users` ## `GET /api/pleroma/admin/users`
### List users ### List users

12
lib/pleroma/config.ex
View file

@ -99,16 +99,4 @@ def restrict_unauthenticated_access?(resource, kind) do
def oauth_consumer_strategies, do: get([:auth, :oauth_consumer_strategies], []) def oauth_consumer_strategies, do: get([:auth, :oauth_consumer_strategies], [])
def oauth_consumer_enabled?, do: oauth_consumer_strategies() != [] def oauth_consumer_enabled?, do: oauth_consumer_strategies() != []
def enforce_oauth_admin_scope_usage?, do: !!get([:auth, :enforce_oauth_admin_scope_usage])
def oauth_admin_scopes(scopes) when is_list(scopes) do
Enum.flat_map(
scopes,
fn scope ->
["admin:#{scope}"] ++
if enforce_oauth_admin_scope_usage?(), do: [], else: [scope]
end
)
end
end end

12
lib/pleroma/web/admin_api/controllers/admin_api_controller.ex
View file

@ -25,13 +25,13 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["read:accounts"], admin: true} %{scopes: ["admin:read:accounts"]}
when action in [:right_get, :show_user_credentials, :create_backup] when action in [:right_get, :show_user_credentials, :create_backup]
) )
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["write:accounts"], admin: true} %{scopes: ["admin:write:accounts"]}
when action in [ when action in [
:get_password_reset, :get_password_reset,
:force_password_reset, :force_password_reset,
@ -48,19 +48,19 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["read:statuses"], admin: true} %{scopes: ["admin:read:statuses"]}
when action in [:list_user_statuses, :list_instance_statuses] when action in [:list_user_statuses, :list_instance_statuses]
) )
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["read:chats"], admin: true} %{scopes: ["admin:read:chats"]}
when action in [:list_user_chats] when action in [:list_user_chats]
) )
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["read"], admin: true} %{scopes: ["admin:read"]}
when action in [ when action in [
:list_log, :list_log,
:stats, :stats,
@ -70,7 +70,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["write"], admin: true} %{scopes: ["admin:write"]}
when action in [ when action in [
:restart, :restart,
:resend_confirmation_email, :resend_confirmation_email,

4
lib/pleroma/web/admin_api/controllers/chat_controller.ex
View file

@ -21,12 +21,12 @@ defmodule Pleroma.Web.AdminAPI.ChatController do
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["read:chats"], admin: true} when action in [:show, :messages] %{scopes: ["admin:read:chats"]} when action in [:show, :messages]
) )
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["write:chats"], admin: true} when action in [:delete_message] %{scopes: ["admin:write:chats"]} when action in [:delete_message]
) )
action_fallback(Pleroma.Web.AdminAPI.FallbackController) action_fallback(Pleroma.Web.AdminAPI.FallbackController)

4
lib/pleroma/web/admin_api/controllers/config_controller.ex
View file

@ -10,11 +10,11 @@ defmodule Pleroma.Web.AdminAPI.ConfigController do
alias Pleroma.Web.Plugs.OAuthScopesPlug alias Pleroma.Web.Plugs.OAuthScopesPlug
plug(Pleroma.Web.ApiSpec.CastAndValidate) plug(Pleroma.Web.ApiSpec.CastAndValidate)
plug(OAuthScopesPlug, %{scopes: ["write"], admin: true} when action == :update) plug(OAuthScopesPlug, %{scopes: ["admin:write"]} when action == :update)
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["read"], admin: true} %{scopes: ["admin:read"]}
when action in [:show, :descriptions] when action in [:show, :descriptions]
) )

4
lib/pleroma/web/admin_api/controllers/frontend_controller.ex
View file

@ -9,8 +9,8 @@ defmodule Pleroma.Web.AdminAPI.FrontendController do
alias Pleroma.Web.Plugs.OAuthScopesPlug alias Pleroma.Web.Plugs.OAuthScopesPlug
plug(Pleroma.Web.ApiSpec.CastAndValidate) plug(Pleroma.Web.ApiSpec.CastAndValidate)
plug(OAuthScopesPlug, %{scopes: ["write"], admin: true} when action == :install) plug(OAuthScopesPlug, %{scopes: ["admin:write"]} when action == :install)
plug(OAuthScopesPlug, %{scopes: ["read"], admin: true} when action == :index) plug(OAuthScopesPlug, %{scopes: ["admin:read"]} when action == :index)
action_fallback(Pleroma.Web.AdminAPI.FallbackController) action_fallback(Pleroma.Web.AdminAPI.FallbackController)
defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.Admin.FrontendOperation defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.Admin.FrontendOperation

4
lib/pleroma/web/admin_api/controllers/instance_document_controller.ex
View file

@ -15,8 +15,8 @@ defmodule Pleroma.Web.AdminAPI.InstanceDocumentController do
defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.Admin.InstanceDocumentOperation defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.Admin.InstanceDocumentOperation
plug(OAuthScopesPlug, %{scopes: ["read"], admin: true} when action == :show) plug(OAuthScopesPlug, %{scopes: ["admin:read"]} when action == :show)
plug(OAuthScopesPlug, %{scopes: ["write"], admin: true} when action in [:update, :delete]) plug(OAuthScopesPlug, %{scopes: ["admin:write"]} when action in [:update, :delete])
def show(conn, %{name: document_name}) do def show(conn, %{name: document_name}) do
with {:ok, url} <- InstanceDocument.get(document_name), with {:ok, url} <- InstanceDocument.get(document_name),

4
lib/pleroma/web/admin_api/controllers/invite_controller.ex
View file

@ -14,11 +14,11 @@ defmodule Pleroma.Web.AdminAPI.InviteController do
require Logger require Logger
plug(Pleroma.Web.ApiSpec.CastAndValidate) plug(Pleroma.Web.ApiSpec.CastAndValidate)
plug(OAuthScopesPlug, %{scopes: ["read:invites"], admin: true} when action == :index) plug(OAuthScopesPlug, %{scopes: ["admin:read:invites"]} when action == :index)
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["write:invites"], admin: true} when action in [:create, :revoke, :email] %{scopes: ["admin:write:invites"]} when action in [:create, :revoke, :email]
) )
action_fallback(Pleroma.Web.AdminAPI.FallbackController) action_fallback(Pleroma.Web.AdminAPI.FallbackController)

4
lib/pleroma/web/admin_api/controllers/media_proxy_cache_controller.ex
View file

@ -15,12 +15,12 @@ defmodule Pleroma.Web.AdminAPI.MediaProxyCacheController do
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["read:media_proxy_caches"], admin: true} when action in [:index] %{scopes: ["admin:read:media_proxy_caches"]} when action in [:index]
) )
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["write:media_proxy_caches"], admin: true} when action in [:purge, :delete] %{scopes: ["admin:write:media_proxy_caches"]} when action in [:purge, :delete]
) )
action_fallback(Pleroma.Web.AdminAPI.FallbackController) action_fallback(Pleroma.Web.AdminAPI.FallbackController)

2
lib/pleroma/web/admin_api/controllers/o_auth_app_controller.ex
View file

@ -17,7 +17,7 @@ defmodule Pleroma.Web.AdminAPI.OAuthAppController do
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["write"], admin: true} %{scopes: ["admin:write"]}
when action in [:create, :index, :update, :delete] when action in [:create, :index, :update, :delete]
) )

4
lib/pleroma/web/admin_api/controllers/relay_controller.ex
View file

@ -15,11 +15,11 @@ defmodule Pleroma.Web.AdminAPI.RelayController do
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["write:follows"], admin: true} %{scopes: ["admin:write:follows"]}
when action in [:follow, :unfollow] when action in [:follow, :unfollow]
) )
plug(OAuthScopesPlug, %{scopes: ["read"], admin: true} when action == :index) plug(OAuthScopesPlug, %{scopes: ["admin:read"]} when action == :index)
action_fallback(Pleroma.Web.AdminAPI.FallbackController) action_fallback(Pleroma.Web.AdminAPI.FallbackController)

4
lib/pleroma/web/admin_api/controllers/report_controller.ex
View file

@ -19,11 +19,11 @@ defmodule Pleroma.Web.AdminAPI.ReportController do
require Logger require Logger
plug(Pleroma.Web.ApiSpec.CastAndValidate) plug(Pleroma.Web.ApiSpec.CastAndValidate)
plug(OAuthScopesPlug, %{scopes: ["read:reports"], admin: true} when action in [:index, :show]) plug(OAuthScopesPlug, %{scopes: ["admin:read:reports"]} when action in [:index, :show])
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["write:reports"], admin: true} %{scopes: ["admin:write:reports"]}
when action in [:update, :notes_create, :notes_delete] when action in [:update, :notes_create, :notes_delete]
) )

4
lib/pleroma/web/admin_api/controllers/status_controller.ex
View file

@ -15,11 +15,11 @@ defmodule Pleroma.Web.AdminAPI.StatusController do
require Logger require Logger
plug(Pleroma.Web.ApiSpec.CastAndValidate) plug(Pleroma.Web.ApiSpec.CastAndValidate)
plug(OAuthScopesPlug, %{scopes: ["read:statuses"], admin: true} when action in [:index, :show]) plug(OAuthScopesPlug, %{scopes: ["admin:read:statuses"]} when action in [:index, :show])
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["write:statuses"], admin: true} when action in [:update, :delete] %{scopes: ["admin:write:statuses"]} when action in [:update, :delete]
) )
action_fallback(Pleroma.Web.AdminAPI.FallbackController) action_fallback(Pleroma.Web.AdminAPI.FallbackController)

6
lib/pleroma/web/admin_api/controllers/user_controller.ex
View file

@ -21,13 +21,13 @@ defmodule Pleroma.Web.AdminAPI.UserController do
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["read:accounts"], admin: true} %{scopes: ["admin:read:accounts"]}
when action in [:list, :show] when action in [:list, :show]
) )
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["write:accounts"], admin: true} %{scopes: ["admin:write:accounts"]}
when action in [ when action in [
:delete, :delete,
:create, :create,
@ -40,7 +40,7 @@ defmodule Pleroma.Web.AdminAPI.UserController do
plug( plug(
OAuthScopesPlug, OAuthScopesPlug,
%{scopes: ["write:follows"], admin: true} %{scopes: ["admin:write:follows"]}
when action in [:follow, :unfollow] when action in [:follow, :unfollow]
) )

4
lib/pleroma/web/api_spec.ex
View file

@ -85,7 +85,7 @@ def spec(opts \\ []) do
"name" => "Administration", "name" => "Administration",
"tags" => [ "tags" => [
"Chat administration", "Chat administration",
"Emoji packs", "Emoji pack administration",
"Frontend managment", "Frontend managment",
"Instance configuration", "Instance configuration",
"Instance documents", "Instance documents",
@ -127,7 +127,7 @@ def spec(opts \\ []) do
"Status actions" "Status actions"
] ]
}, },
%{"name" => "Miscellaneous", "tags" => ["Reports", "Suggestions"]} %{"name" => "Miscellaneous", "tags" => ["Emoji packs", "Reports", "Suggestions"]}
] ]
} }
} }

6
lib/pleroma/web/api_spec/operations/admin/chat_operation.ex
View file

@ -33,7 +33,7 @@ def delete_message_operation do
}, },
security: [ security: [
%{ %{
"oAuth" => ["write:chats"] "oAuth" => ["admin:write:chats"]
} }
] ]
} }
@ -57,7 +57,7 @@ def messages_operation do
}, },
security: [ security: [
%{ %{
"oAuth" => ["read:chats"] "oAuth" => ["admin:read:chats"]
} }
] ]
} }
@ -88,7 +88,7 @@ def show_operation do
}, },
security: [ security: [
%{ %{
"oAuth" => ["read"] "oAuth" => ["admin:read"]
} }
] ]
} }

6
lib/pleroma/web/api_spec/operations/admin/config_operation.ex
View file

@ -28,7 +28,7 @@ def show_operation do
) )
| admin_api_params() | admin_api_params()
], ],
security: [%{"oAuth" => ["read"]}], security: [%{"oAuth" => ["admin:read"]}],
responses: %{ responses: %{
200 => Operation.response("Config", "application/json", config_response()), 200 => Operation.response("Config", "application/json", config_response()),
400 => Operation.response("Bad Request", "application/json", ApiError) 400 => Operation.response("Bad Request", "application/json", ApiError)
@ -41,7 +41,7 @@ def update_operation do
tags: ["Instance configuration"], tags: ["Instance configuration"],
summary: "Update instance configuration", summary: "Update instance configuration",
operationId: "AdminAPI.ConfigController.update", operationId: "AdminAPI.ConfigController.update",
security: [%{"oAuth" => ["write"]}], security: [%{"oAuth" => ["admin:write"]}],
parameters: admin_api_params(), parameters: admin_api_params(),
requestBody: requestBody:
request_body("Parameters", %Schema{ request_body("Parameters", %Schema{
@ -74,7 +74,7 @@ def descriptions_operation do
tags: ["Instance configuration"], tags: ["Instance configuration"],
summary: "Retrieve config description", summary: "Retrieve config description",
operationId: "AdminAPI.ConfigController.descriptions", operationId: "AdminAPI.ConfigController.descriptions",
security: [%{"oAuth" => ["read"]}], security: [%{"oAuth" => ["admin:read"]}],
parameters: admin_api_params(), parameters: admin_api_params(),
responses: %{ responses: %{
200 => 200 =>

4
lib/pleroma/web/api_spec/operations/admin/frontend_operation.ex
View file

@ -19,7 +19,7 @@ def index_operation do
tags: ["Frontend managment"], tags: ["Frontend managment"],
summary: "Retrieve a list of available frontends", summary: "Retrieve a list of available frontends",
operationId: "AdminAPI.FrontendController.index", operationId: "AdminAPI.FrontendController.index",
security: [%{"oAuth" => ["read"]}], security: [%{"oAuth" => ["admin:read"]}],
responses: %{ responses: %{
200 => Operation.response("Response", "application/json", list_of_frontends()), 200 => Operation.response("Response", "application/json", list_of_frontends()),
403 => Operation.response("Forbidden", "application/json", ApiError) 403 => Operation.response("Forbidden", "application/json", ApiError)
@ -32,7 +32,7 @@ def install_operation do
tags: ["Frontend managment"], tags: ["Frontend managment"],
summary: "Install a frontend", summary: "Install a frontend",
operationId: "AdminAPI.FrontendController.install", operationId: "AdminAPI.FrontendController.install",
security: [%{"oAuth" => ["read"]}], security: [%{"oAuth" => ["admin:read"]}],
requestBody: request_body("Parameters", install_request(), required: true), requestBody: request_body("Parameters", install_request(), required: true),
responses: %{ responses: %{
200 => Operation.response("Response", "application/json", list_of_frontends()), 200 => Operation.response("Response", "application/json", list_of_frontends()),

6
lib/pleroma/web/api_spec/operations/admin/instance_document_operation.ex
View file

@ -18,7 +18,7 @@ def show_operation do
tags: ["Instance documents"], tags: ["Instance documents"],
summary: "Retrieve an instance document", summary: "Retrieve an instance document",
operationId: "AdminAPI.InstanceDocumentController.show", operationId: "AdminAPI.InstanceDocumentController.show",
security: [%{"oAuth" => ["read"]}], security: [%{"oAuth" => ["admin:read"]}],
parameters: [ parameters: [
Operation.parameter(:name, :path, %Schema{type: :string}, "The document name", Operation.parameter(:name, :path, %Schema{type: :string}, "The document name",
required: true required: true
@ -39,7 +39,7 @@ def update_operation do
tags: ["Instance documents"], tags: ["Instance documents"],
summary: "Update an instance document", summary: "Update an instance document",
operationId: "AdminAPI.InstanceDocumentController.update", operationId: "AdminAPI.InstanceDocumentController.update",
security: [%{"oAuth" => ["write"]}], security: [%{"oAuth" => ["admin:write"]}],
requestBody: Helpers.request_body("Parameters", update_request()), requestBody: Helpers.request_body("Parameters", update_request()),
parameters: [ parameters: [
Operation.parameter(:name, :path, %Schema{type: :string}, "The document name", Operation.parameter(:name, :path, %Schema{type: :string}, "The document name",
@ -77,7 +77,7 @@ def delete_operation do
tags: ["Instance documents"], tags: ["Instance documents"],
summary: "Delete an instance document", summary: "Delete an instance document",
operationId: "AdminAPI.InstanceDocumentController.delete", operationId: "AdminAPI.InstanceDocumentController.delete",
security: [%{"oAuth" => ["write"]}], security: [%{"oAuth" => ["admin:write"]}],
parameters: [ parameters: [
Operation.parameter(:name, :path, %Schema{type: :string}, "The document name", Operation.parameter(:name, :path, %Schema{type: :string}, "The document name",
required: true required: true

8
lib/pleroma/web/api_spec/operations/admin/invite_operation.ex
View file

@ -19,7 +19,7 @@ def index_operation do
tags: ["Invites"], tags: ["Invites"],
summary: "Get a list of generated invites", summary: "Get a list of generated invites",
operationId: "AdminAPI.InviteController.index", operationId: "AdminAPI.InviteController.index",
security: [%{"oAuth" => ["read:invites"]}], security: [%{"oAuth" => ["admin:read:invites"]}],
parameters: admin_api_params(), parameters: admin_api_params(),
responses: %{ responses: %{
200 => 200 =>
@ -51,7 +51,7 @@ def create_operation do
tags: ["Invites"], tags: ["Invites"],
summary: "Create an account registration invite token", summary: "Create an account registration invite token",
operationId: "AdminAPI.InviteController.create", operationId: "AdminAPI.InviteController.create",
security: [%{"oAuth" => ["write:invites"]}], security: [%{"oAuth" => ["admin:write:invites"]}],
parameters: admin_api_params(), parameters: admin_api_params(),
requestBody: requestBody:
request_body("Parameters", %Schema{ request_body("Parameters", %Schema{
@ -72,7 +72,7 @@ def revoke_operation do
tags: ["Invites"], tags: ["Invites"],
summary: "Revoke invite by token", summary: "Revoke invite by token",
operationId: "AdminAPI.InviteController.revoke", operationId: "AdminAPI.InviteController.revoke",
security: [%{"oAuth" => ["write:invites"]}], security: [%{"oAuth" => ["admin:write:invites"]}],
parameters: admin_api_params(), parameters: admin_api_params(),
requestBody: requestBody:
request_body( request_body(
@ -99,7 +99,7 @@ def email_operation do
tags: ["Invites"], tags: ["Invites"],
summary: "Sends registration invite via email", summary: "Sends registration invite via email",
operationId: "AdminAPI.InviteController.email", operationId: "AdminAPI.InviteController.email",
security: [%{"oAuth" => ["write:invites"]}], security: [%{"oAuth" => ["admin:write:invites"]}],
parameters: admin_api_params(), parameters: admin_api_params(),
requestBody: requestBody:
request_body( request_body(

6
lib/pleroma/web/api_spec/operations/admin/media_proxy_cache_operation.ex
View file

@ -19,7 +19,7 @@ def index_operation do
tags: ["MediaProxy cache"], tags: ["MediaProxy cache"],
summary: "Retrieve a list of banned MediaProxy URLs", summary: "Retrieve a list of banned MediaProxy URLs",
operationId: "AdminAPI.MediaProxyCacheController.index", operationId: "AdminAPI.MediaProxyCacheController.index",
security: [%{"oAuth" => ["read:media_proxy_caches"]}], security: [%{"oAuth" => ["admin:read:media_proxy_caches"]}],
parameters: [ parameters: [
Operation.parameter( Operation.parameter(
:query, :query,
@ -71,7 +71,7 @@ def delete_operation do
tags: ["MediaProxy cache"], tags: ["MediaProxy cache"],
summary: "Remove a banned MediaProxy URL", summary: "Remove a banned MediaProxy URL",
operationId: "AdminAPI.MediaProxyCacheController.delete", operationId: "AdminAPI.MediaProxyCacheController.delete",
security: [%{"oAuth" => ["write:media_proxy_caches"]}], security: [%{"oAuth" => ["admin:write:media_proxy_caches"]}],
parameters: admin_api_params(), parameters: admin_api_params(),
requestBody: requestBody:
request_body( request_body(
@ -97,7 +97,7 @@ def purge_operation do
tags: ["MediaProxy cache"], tags: ["MediaProxy cache"],
summary: "Purge a URL from MediaProxy cache and optionally ban it", summary: "Purge a URL from MediaProxy cache and optionally ban it",
operationId: "AdminAPI.MediaProxyCacheController.purge", operationId: "AdminAPI.MediaProxyCacheController.purge",
security: [%{"oAuth" => ["write:media_proxy_caches"]}], security: [%{"oAuth" => ["admin:write:media_proxy_caches"]}],
parameters: admin_api_params(), parameters: admin_api_params(),
requestBody: requestBody:
request_body( request_body(

8
lib/pleroma/web/api_spec/operations/admin/o_auth_app_operation.ex
View file

@ -19,7 +19,7 @@ def index_operation do
summary: "Retrieve a list of OAuth applications", summary: "Retrieve a list of OAuth applications",
tags: ["OAuth application managment"], tags: ["OAuth application managment"],
operationId: "AdminAPI.OAuthAppController.index", operationId: "AdminAPI.OAuthAppController.index",
security: [%{"oAuth" => ["write"]}], security: [%{"oAuth" => ["admin:write"]}],
parameters: [ parameters: [
Operation.parameter(:name, :query, %Schema{type: :string}, "App name"), Operation.parameter(:name, :query, %Schema{type: :string}, "App name"),
Operation.parameter(:client_id, :query, %Schema{type: :string}, "Client ID"), Operation.parameter(:client_id, :query, %Schema{type: :string}, "Client ID"),
@ -74,7 +74,7 @@ def create_operation do
operationId: "AdminAPI.OAuthAppController.create", operationId: "AdminAPI.OAuthAppController.create",
requestBody: request_body("Parameters", create_request()), requestBody: request_body("Parameters", create_request()),
parameters: admin_api_params(), parameters: admin_api_params(),
security: [%{"oAuth" => ["write"]}], security: [%{"oAuth" => ["admin:write"]}],
responses: %{ responses: %{
200 => Operation.response("App", "application/json", oauth_app()), 200 => Operation.response("App", "application/json", oauth_app()),
400 => Operation.response("Bad Request", "application/json", ApiError) 400 => Operation.response("Bad Request", "application/json", ApiError)
@ -88,7 +88,7 @@ def update_operation do
summary: "Update OAuth application", summary: "Update OAuth application",
operationId: "AdminAPI.OAuthAppController.update", operationId: "AdminAPI.OAuthAppController.update",
parameters: [id_param() | admin_api_params()], parameters: [id_param() | admin_api_params()],
security: [%{"oAuth" => ["write"]}], security: [%{"oAuth" => ["admin:write"]}],
requestBody: request_body("Parameters", update_request()), requestBody: request_body("Parameters", update_request()),
responses: %{ responses: %{
200 => Operation.response("App", "application/json", oauth_app()), 200 => Operation.response("App", "application/json", oauth_app()),
@ -106,7 +106,7 @@ def delete_operation do
summary: "Delete OAuth application", summary: "Delete OAuth application",
operationId: "AdminAPI.OAuthAppController.delete", operationId: "AdminAPI.OAuthAppController.delete",
parameters: [id_param() | admin_api_params()], parameters: [id_param() | admin_api_params()],
security: [%{"oAuth" => ["write"]}], security: [%{"oAuth" => ["admin:write"]}],
responses: %{ responses: %{
204 => no_content_response(), 204 => no_content_response(),
400 => no_content_response() 400 => no_content_response()

6
lib/pleroma/web/api_spec/operations/admin/relay_operation.ex
View file

@ -18,7 +18,7 @@ def index_operation do
tags: ["Relays"], tags: ["Relays"],
summary: "Retrieve a list of relays", summary: "Retrieve a list of relays",
operationId: "AdminAPI.RelayController.index", operationId: "AdminAPI.RelayController.index",
security: [%{"oAuth" => ["read"]}], security: [%{"oAuth" => ["admin:read"]}],
parameters: admin_api_params(), parameters: admin_api_params(),
responses: %{ responses: %{
200 => 200 =>
@ -40,7 +40,7 @@ def follow_operation do
tags: ["Relays"], tags: ["Relays"],
summary: "Follow a relay", summary: "Follow a relay",
operationId: "AdminAPI.RelayController.follow", operationId: "AdminAPI.RelayController.follow",
security: [%{"oAuth" => ["write:follows"]}], security: [%{"oAuth" => ["admin:write:follows"]}],
parameters: admin_api_params(), parameters: admin_api_params(),
requestBody: request_body("Parameters", relay_url()), requestBody: request_body("Parameters", relay_url()),
responses: %{ responses: %{
@ -54,7 +54,7 @@ def unfollow_operation do
tags: ["Relays"], tags: ["Relays"],
summary: "Unfollow a relay", summary: "Unfollow a relay",
operationId: "AdminAPI.RelayController.unfollow", operationId: "AdminAPI.RelayController.unfollow",
security: [%{"oAuth" => ["write:follows"]}], security: [%{"oAuth" => ["admin:write:follows"]}],
parameters: admin_api_params(), parameters: admin_api_params(),
requestBody: request_body("Parameters", relay_unfollow()), requestBody: request_body("Parameters", relay_unfollow()),
responses: %{ responses: %{

10
lib/pleroma/web/api_spec/operations/admin/report_operation.ex
View file

@ -22,7 +22,7 @@ def index_operation do
tags: ["Report managment"], tags: ["Report managment"],
summary: "Retrieve a list of reports", summary: "Retrieve a list of reports",
operationId: "AdminAPI.ReportController.index", operationId: "AdminAPI.ReportController.index",
security: [%{"oAuth" => ["read:reports"]}], security: [%{"oAuth" => ["admin:read:reports"]}],
parameters: [ parameters: [
Operation.parameter( Operation.parameter(
:state, :state,
@ -73,7 +73,7 @@ def show_operation do
summary: "Retrieve a report", summary: "Retrieve a report",
operationId: "AdminAPI.ReportController.show", operationId: "AdminAPI.ReportController.show",
parameters: [id_param() | admin_api_params()], parameters: [id_param() | admin_api_params()],
security: [%{"oAuth" => ["read:reports"]}], security: [%{"oAuth" => ["admin:read:reports"]}],
responses: %{ responses: %{
200 => Operation.response("Report", "application/json", report()), 200 => Operation.response("Report", "application/json", report()),
404 => Operation.response("Not Found", "application/json", ApiError) 404 => Operation.response("Not Found", "application/json", ApiError)
@ -86,7 +86,7 @@ def update_operation do
tags: ["Report managment"], tags: ["Report managment"],
summary: "Change state of specified reports", summary: "Change state of specified reports",
operationId: "AdminAPI.ReportController.update", operationId: "AdminAPI.ReportController.update",
security: [%{"oAuth" => ["write:reports"]}], security: [%{"oAuth" => ["admin:write:reports"]}],
parameters: admin_api_params(), parameters: admin_api_params(),
requestBody: request_body("Parameters", update_request(), required: true), requestBody: request_body("Parameters", update_request(), required: true),
responses: %{ responses: %{
@ -110,7 +110,7 @@ def notes_create_operation do
content: %Schema{type: :string, description: "The message"} content: %Schema{type: :string, description: "The message"}
} }
}), }),
security: [%{"oAuth" => ["write:reports"]}], security: [%{"oAuth" => ["admin:write:reports"]}],
responses: %{ responses: %{
204 => no_content_response(), 204 => no_content_response(),
404 => Operation.response("Not Found", "application/json", ApiError) 404 => Operation.response("Not Found", "application/json", ApiError)
@ -128,7 +128,7 @@ def notes_delete_operation do
Operation.parameter(:id, :path, :string, "Note ID") Operation.parameter(:id, :path, :string, "Note ID")
| admin_api_params() | admin_api_params()
], ],
security: [%{"oAuth" => ["write:reports"]}], security: [%{"oAuth" => ["admin:write:reports"]}],
responses: %{ responses: %{
204 => no_content_response(), 204 => no_content_response(),
404 => Operation.response("Not Found", "application/json", ApiError) 404 => Operation.response("Not Found", "application/json", ApiError)

8
lib/pleroma/web/api_spec/operations/admin/status_operation.ex
View file

@ -24,7 +24,7 @@ def index_operation do
tags: ["Status administration"], tags: ["Status administration"],
operationId: "AdminAPI.StatusController.index", operationId: "AdminAPI.StatusController.index",
summary: "Get all statuses", summary: "Get all statuses",
security: [%{"oAuth" => ["read:statuses"]}], security: [%{"oAuth" => ["admin:read:statuses"]}],
parameters: [ parameters: [
Operation.parameter( Operation.parameter(
:godmode, :godmode,
@ -74,7 +74,7 @@ def show_operation do
summary: "Get status", summary: "Get status",
operationId: "AdminAPI.StatusController.show", operationId: "AdminAPI.StatusController.show",
parameters: [id_param() | admin_api_params()], parameters: [id_param() | admin_api_params()],
security: [%{"oAuth" => ["read:statuses"]}], security: [%{"oAuth" => ["admin:read:statuses"]}],
responses: %{ responses: %{
200 => Operation.response("Status", "application/json", status()), 200 => Operation.response("Status", "application/json", status()),
404 => Operation.response("Not Found", "application/json", ApiError) 404 => Operation.response("Not Found", "application/json", ApiError)
@ -88,7 +88,7 @@ def update_operation do
summary: "Change the scope of a status", summary: "Change the scope of a status",
operationId: "AdminAPI.StatusController.update", operationId: "AdminAPI.StatusController.update",
parameters: [id_param() | admin_api_params()], parameters: [id_param() | admin_api_params()],
security: [%{"oAuth" => ["write:statuses"]}], security: [%{"oAuth" => ["admin:write:statuses"]}],
requestBody: request_body("Parameters", update_request(), required: true), requestBody: request_body("Parameters", update_request(), required: true),
responses: %{ responses: %{
200 => Operation.response("Status", "application/json", Status), 200 => Operation.response("Status", "application/json", Status),
@ -103,7 +103,7 @@ def delete_operation do
summary: "Delete status", summary: "Delete status",
operationId: "AdminAPI.StatusController.delete", operationId: "AdminAPI.StatusController.delete",
parameters: [id_param() | admin_api_params()], parameters: [id_param() | admin_api_params()],
security: [%{"oAuth" => ["write:statuses"]}], security: [%{"oAuth" => ["admin:write:statuses"]}],
responses: %{ responses: %{
200 => empty_object_response(), 200 => empty_object_response(),
404 => Operation.response("Not Found", "application/json", ApiError) 404 => Operation.response("Not Found", "application/json", ApiError)

12
lib/pleroma/web/api_spec/operations/pleroma_emoji_file_operation.ex
View file

@ -16,10 +16,10 @@ def open_api_operation(action) do
def create_operation do def create_operation do
%Operation{ %Operation{
tags: ["Emoji packs"], tags: ["Emoji pack administration"],
summary: "Add new file to the pack", summary: "Add new file to the pack",
operationId: "PleromaAPI.EmojiPackController.add_file", operationId: "PleromaAPI.EmojiPackController.add_file",
security: [%{"oAuth" => ["write"]}], security: [%{"oAuth" => ["admin:write"]}],
requestBody: request_body("Parameters", create_request(), required: true), requestBody: request_body("Parameters", create_request(), required: true),
parameters: [name_param()], parameters: [name_param()],
responses: %{ responses: %{
@ -62,10 +62,10 @@ defp create_request do
def update_operation do def update_operation do
%Operation{ %Operation{
tags: ["Emoji packs"], tags: ["Emoji pack administration"],
summary: "Add new file to the pack", summary: "Add new file to the pack",
operationId: "PleromaAPI.EmojiPackController.update_file", operationId: "PleromaAPI.EmojiPackController.update_file",
security: [%{"oAuth" => ["write"]}], security: [%{"oAuth" => ["admin:write"]}],
requestBody: request_body("Parameters", update_request(), required: true), requestBody: request_body("Parameters", update_request(), required: true),
parameters: [name_param()], parameters: [name_param()],
responses: %{ responses: %{
@ -106,10 +106,10 @@ defp update_request do
def delete_operation do def delete_operation do
%Operation{ %Operation{
tags: ["Emoji packs"], tags: ["Emoji pack administration"],
summary: "Delete emoji file from pack", summary: "Delete emoji file from pack",
operationId: "PleromaAPI.EmojiPackController.delete_file", operationId: "PleromaAPI.EmojiPackController.delete_file",
security: [%{"oAuth" => ["write"]}], security: [%{"oAuth" => ["admin:write"]}],
parameters: [ parameters: [
name_param(), name_param(),
Operation.parameter(:shortcode, :query, :string, "File shortcode", Operation.parameter(:shortcode, :query, :string, "File shortcode",

24
lib/pleroma/web/api_spec/operations/pleroma_emoji_pack_operation.ex
View file

@ -16,9 +16,9 @@ def open_api_operation(action) do
def remote_operation do def remote_operation do
%Operation{ %Operation{
tags: ["Emoji packs"], tags: ["Emoji pack administration"],
summary: "Make request to another instance for emoji packs list", summary: "Make request to another instance for emoji packs list",
security: [%{"oAuth" => ["write"]}], security: [%{"oAuth" => ["admin:write"]}],
parameters: [ parameters: [
url_param(), url_param(),
Operation.parameter( Operation.parameter(
@ -115,10 +115,10 @@ def archive_operation do
def download_operation do def download_operation do
%Operation{ %Operation{
tags: ["Emoji packs"], tags: ["Emoji pack administration"],
summary: "Download pack from another instance", summary: "Download pack from another instance",
operationId: "PleromaAPI.EmojiPackController.download", operationId: "PleromaAPI.EmojiPackController.download",
security: [%{"oAuth" => ["write"]}], security: [%{"oAuth" => ["admin:write"]}],
requestBody: request_body("Parameters", download_request(), required: true), requestBody: request_body("Parameters", download_request(), required: true),
responses: %{ responses: %{
200 => ok_response(), 200 => ok_response(),
@ -145,10 +145,10 @@ defp download_request do
def create_operation do def create_operation do
%Operation{ %Operation{
tags: ["Emoji packs"], tags: ["Emoji pack administration"],
summary: "Create an empty pack", summary: "Create an empty pack",
operationId: "PleromaAPI.EmojiPackController.create", operationId: "PleromaAPI.EmojiPackController.create",
security: [%{"oAuth" => ["write"]}], security: [%{"oAuth" => ["admin:write"]}],
parameters: [name_param()], parameters: [name_param()],
responses: %{ responses: %{
200 => ok_response(), 200 => ok_response(),
@ -161,10 +161,10 @@ def create_operation do
def delete_operation do def delete_operation do
%Operation{ %Operation{
tags: ["Emoji packs"], tags: ["Emoji pack administration"],
summary: "Delete a custom emoji pack", summary: "Delete a custom emoji pack",
operationId: "PleromaAPI.EmojiPackController.delete", operationId: "PleromaAPI.EmojiPackController.delete",
security: [%{"oAuth" => ["write"]}], security: [%{"oAuth" => ["admin:write"]}],
parameters: [name_param()], parameters: [name_param()],
responses: %{ responses: %{
200 => ok_response(), 200 => ok_response(),
@ -177,10 +177,10 @@ def delete_operation do
def update_operation do def update_operation do
%Operation{ %Operation{
tags: ["Emoji packs"], tags: ["Emoji pack administration"],
summary: "Updates (replaces) pack metadata", summary: "Updates (replaces) pack metadata",
operationId: "PleromaAPI.EmojiPackController.update", operationId: "PleromaAPI.EmojiPackController.update",
security: [%{"oAuth" => ["write"]}], security: [%{"oAuth" => ["admin:write"]}],
requestBody: request_body("Parameters", update_request(), required: true), requestBody: request_body("Parameters", update_request(), required: true),
parameters: [name_param()], parameters: [name_param()],
responses: %{ responses: %{
@ -193,10 +193,10 @@ def update_operation do
def import_from_filesystem_operation do def import_from_filesystem_operation do
%Operation{ %Operation{
tags: ["Emoji packs"], tags: ["Emoji pack administration"],
summary: "Imports packs from filesystem", summary: "Imports packs from filesystem",
operationId: "PleromaAPI.EmojiPackController.import", operationId: "PleromaAPI.EmojiPackController.import",
security: [%{"oAuth" => ["write"]}], security: [%{"oAuth" => ["admin:write"]}],
responses: %{ responses: %{
200 => 200 =>
Operation.response("Array of imported pack names", "application/json", %Schema{ Operation.response("Array of imported pack names", "application/json", %Schema{

2
lib/pleroma/web/pleroma_api/controllers/emoji_file_controller.ex
View file

@ -12,7 +12,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiFileController do
plug( plug(
Pleroma.Web.Plugs.OAuthScopesPlug, Pleroma.Web.Plugs.OAuthScopesPlug,
%{scopes: ["write"], admin: true} %{scopes: ["admin:write"]}
when action in [ when action in [
:create, :create,
:update, :update,

2
lib/pleroma/web/pleroma_api/controllers/emoji_pack_controller.ex
View file

@ -11,7 +11,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiPackController do
plug( plug(
Pleroma.Web.Plugs.OAuthScopesPlug, Pleroma.Web.Plugs.OAuthScopesPlug,
%{scopes: ["write"], admin: true} %{scopes: ["admin:write"]}
when action in [ when action in [
:import_from_filesystem, :import_from_filesystem,
:remote, :remote,

11
lib/pleroma/web/plugs/o_auth_scopes_plug.ex
View file

@ -6,7 +6,6 @@ defmodule Pleroma.Web.Plugs.OAuthScopesPlug do
import Plug.Conn import Plug.Conn
import Pleroma.Web.Gettext import Pleroma.Web.Gettext
alias Pleroma.Config
alias Pleroma.Helpers.AuthHelper alias Pleroma.Helpers.AuthHelper
use Pleroma.Web, :plug use Pleroma.Web, :plug
@ -18,7 +17,6 @@ def perform(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do
op = options[:op] || :| op = options[:op] || :|
token = assigns[:token] token = assigns[:token]
scopes = transform_scopes(scopes, options)
matched_scopes = (token && filter_descendants(scopes, token.scopes)) || [] matched_scopes = (token && filter_descendants(scopes, token.scopes)) || []
cond do cond do
@ -57,13 +55,4 @@ def filter_descendants(scopes, supported_scopes) do
end end
) )
end end
@doc "Transforms scopes by applying supported options (e.g. :admin)"
def transform_scopes(scopes, options) do
if options[:admin] do
Config.oauth_admin_scopes(scopes)
else
scopes
end
end
end end

121
test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs
View file

@ -46,104 +46,47 @@ test "with valid `admin_token` query parameter, skips OAuth scopes check" do
assert json_response(conn, 200) assert json_response(conn, 200)
end end
describe "with [:auth, :enforce_oauth_admin_scope_usage]," do test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true) %{admin: admin} do
user = insert(:user)
url = "/api/pleroma/admin/users/#{user.nickname}"
test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope", good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
%{admin: admin} do good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
user = insert(:user) good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
url = "/api/pleroma/admin/users/#{user.nickname}"
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"]) bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"]) bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"]) bad_token3 = nil
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"]) for good_token <- [good_token1, good_token2, good_token3] do
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"]) conn =
bad_token3 = nil build_conn()
|> assign(:user, admin)
|> assign(:token, good_token)
|> get(url)
for good_token <- [good_token1, good_token2, good_token3] do assert json_response(conn, 200)
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, good_token)
|> get(url)
assert json_response(conn, 200)
end
for good_token <- [good_token1, good_token2, good_token3] do
conn =
build_conn()
|> assign(:user, nil)
|> assign(:token, good_token)
|> get(url)
assert json_response(conn, :forbidden)
end
for bad_token <- [bad_token1, bad_token2, bad_token3] do
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, bad_token)
|> get(url)
assert json_response(conn, :forbidden)
end
end end
end
describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do for good_token <- [good_token1, good_token2, good_token3] do
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false) conn =
build_conn()
|> assign(:user, nil)
|> assign(:token, good_token)
|> get(url)
test "GET /api/pleroma/admin/users/:nickname requires " <> assert json_response(conn, :forbidden)
"read:accounts or admin:read:accounts or broader scope", end
%{admin: admin} do
user = insert(:user)
url = "/api/pleroma/admin/users/#{user.nickname}"
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"]) for bad_token <- [bad_token1, bad_token2, bad_token3] do
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"]) conn =
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"]) build_conn()
good_token4 = insert(:oauth_token, user: admin, scopes: ["read:accounts"]) |> assign(:user, admin)
good_token5 = insert(:oauth_token, user: admin, scopes: ["read"]) |> assign(:token, bad_token)
|> get(url)
good_tokens = [good_token1, good_token2, good_token3, good_token4, good_token5] assert json_response(conn, :forbidden)
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts:partial"])
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
bad_token3 = nil
for good_token <- good_tokens do
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, good_token)
|> get(url)
assert json_response(conn, 200)
end
for good_token <- good_tokens do
conn =
build_conn()
|> assign(:user, nil)
|> assign(:token, good_token)
|> get(url)
assert json_response(conn, :forbidden)
end
for bad_token <- [bad_token1, bad_token2, bad_token3] do
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, bad_token)
|> get(url)
assert json_response(conn, :forbidden)
end
end end
end end

121
test/pleroma/web/admin_api/controllers/user_controller_test.exs
View file

@ -47,104 +47,47 @@ test "with valid `admin_token` query parameter, skips OAuth scopes check" do
assert json_response(conn, 200) assert json_response(conn, 200)
end end
describe "with [:auth, :enforce_oauth_admin_scope_usage]," do test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true) %{admin: admin} do
user = insert(:user)
url = "/api/pleroma/admin/users/#{user.nickname}"
test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope", good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
%{admin: admin} do good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
user = insert(:user) good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
url = "/api/pleroma/admin/users/#{user.nickname}"
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"]) bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"]) bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"]) bad_token3 = nil
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"]) for good_token <- [good_token1, good_token2, good_token3] do
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"]) conn =
bad_token3 = nil build_conn()
|> assign(:user, admin)
|> assign(:token, good_token)
|> get(url)
for good_token <- [good_token1, good_token2, good_token3] do assert json_response(conn, 200)
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, good_token)
|> get(url)
assert json_response(conn, 200)
end
for good_token <- [good_token1, good_token2, good_token3] do
conn =
build_conn()
|> assign(:user, nil)
|> assign(:token, good_token)
|> get(url)
assert json_response(conn, :forbidden)
end
for bad_token <- [bad_token1, bad_token2, bad_token3] do
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, bad_token)
|> get(url)
assert json_response(conn, :forbidden)
end
end end
end
describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do for good_token <- [good_token1, good_token2, good_token3] do
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false) conn =
build_conn()
|> assign(:user, nil)
|> assign(:token, good_token)
|> get(url)
test "GET /api/pleroma/admin/users/:nickname requires " <> assert json_response(conn, :forbidden)
"read:accounts or admin:read:accounts or broader scope", end
%{admin: admin} do
user = insert(:user)
url = "/api/pleroma/admin/users/#{user.nickname}"
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"]) for bad_token <- [bad_token1, bad_token2, bad_token3] do
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"]) conn =
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"]) build_conn()
good_token4 = insert(:oauth_token, user: admin, scopes: ["read:accounts"]) |> assign(:user, admin)
good_token5 = insert(:oauth_token, user: admin, scopes: ["read"]) |> assign(:token, bad_token)
|> get(url)
good_tokens = [good_token1, good_token2, good_token3, good_token4, good_token5] assert json_response(conn, :forbidden)
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts:partial"])
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
bad_token3 = nil
for good_token <- good_tokens do
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, good_token)
|> get(url)
assert json_response(conn, 200)
end
for good_token <- good_tokens do
conn =
build_conn()
|> assign(:user, nil)
|> assign(:token, good_token)
|> get(url)
assert json_response(conn, :forbidden)
end
for bad_token <- [bad_token1, bad_token2, bad_token3] do
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, bad_token)
|> get(url)
assert json_response(conn, :forbidden)
end
end end
end end

2
test/pleroma/web/pleroma_api/controllers/emoji_file_controller_test.exs
View file

@ -13,8 +13,6 @@ defmodule Pleroma.Web.PleromaAPI.EmojiFileControllerTest do
Pleroma.Config.get!([:instance, :static_dir]), Pleroma.Config.get!([:instance, :static_dir]),
"emoji" "emoji"
) )
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
setup do: clear_config([:instance, :public], true) setup do: clear_config([:instance, :public], true)
setup do setup do

1
test/pleroma/web/pleroma_api/controllers/emoji_pack_controller_test.exs
View file

@ -13,7 +13,6 @@ defmodule Pleroma.Web.PleromaAPI.EmojiPackControllerTest do
Pleroma.Config.get!([:instance, :static_dir]), Pleroma.Config.get!([:instance, :static_dir]),
"emoji" "emoji"
) )
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
setup do: clear_config([:instance, :public], true) setup do: clear_config([:instance, :public], true)

38
test/pleroma/web/plugs/o_auth_scopes_plug_test.exs
View file

@ -169,42 +169,4 @@ test "filters scopes which directly match or are ancestors of supported scopes"
assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"] assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
end end
end end
describe "transform_scopes/2" do
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage])
setup do
{:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}
end
test "with :admin option, prefixes all requested scopes with `admin:` " <>
"and [optionally] keeps only prefixed scopes, " <>
"depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
%{f: f} do
clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
assert f.(["read"], %{admin: true}) == ["admin:read", "read"]
assert f.(["read", "write"], %{admin: true}) == [
"admin:read",
"read",
"admin:write",
"write"
]
clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]
assert f.(["read", "write:reports"], %{admin: true}) == [
"admin:read",
"admin:write:reports"
]
end
test "with no supported options, returns unmodified scopes", %{f: f} do
assert f.(["read"], %{}) == ["read"]
assert f.(["read", "write"], %{}) == ["read", "write"]
end
end
end end