2019-02-09 14:09:08 +00:00
|
|
|
# Pleroma: A lightweight social networking server
|
2020-03-02 05:08:45 +00:00
|
|
|
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
|
2019-02-09 14:09:08 +00:00
|
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
|
2020-06-24 06:57:27 +00:00
|
|
|
defmodule Pleroma.Web.Plugs.OAuthScopesPlug do
|
2019-02-09 14:09:08 +00:00
|
|
|
import Plug.Conn
|
2019-07-10 09:25:58 +00:00
|
|
|
import Pleroma.Web.Gettext
|
2019-02-09 14:09:08 +00:00
|
|
|
|
2019-12-06 17:33:47 +00:00
|
|
|
alias Pleroma.Config
|
2019-09-15 15:22:08 +00:00
|
|
|
|
2020-04-15 18:19:16 +00:00
|
|
|
use Pleroma.Web, :plug
|
|
|
|
|
2019-02-15 16:54:37 +00:00
|
|
|
def init(%{scopes: _} = options), do: options
|
2019-02-09 14:09:08 +00:00
|
|
|
|
2020-04-21 13:29:19 +00:00
|
|
|
@impl true
|
2020-04-15 18:19:16 +00:00
|
|
|
def perform(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do
|
2019-02-15 16:54:37 +00:00
|
|
|
op = options[:op] || :|
|
2019-02-09 14:09:08 +00:00
|
|
|
token = assigns[:token]
|
2019-12-06 17:33:47 +00:00
|
|
|
|
2019-12-11 08:42:02 +00:00
|
|
|
scopes = transform_scopes(scopes, options)
|
2019-12-15 19:32:42 +00:00
|
|
|
matched_scopes = (token && filter_descendants(scopes, token.scopes)) || []
|
2019-02-15 16:54:37 +00:00
|
|
|
|
|
|
|
cond do
|
2019-12-15 19:32:42 +00:00
|
|
|
token && op == :| && Enum.any?(matched_scopes) ->
|
2019-02-15 16:54:37 +00:00
|
|
|
conn
|
|
|
|
|
2019-12-15 19:32:42 +00:00
|
|
|
token && op == :& && matched_scopes == scopes ->
|
2019-02-15 16:54:37 +00:00
|
|
|
conn
|
|
|
|
|
|
|
|
options[:fallback] == :proceed_unauthenticated ->
|
2020-04-22 15:50:25 +00:00
|
|
|
drop_auth_info(conn)
|
2019-02-15 16:54:37 +00:00
|
|
|
|
|
|
|
true ->
|
2019-09-08 12:00:03 +00:00
|
|
|
missing_scopes = scopes -- matched_scopes
|
2019-07-10 09:25:58 +00:00
|
|
|
permissions = Enum.join(missing_scopes, " #{op} ")
|
|
|
|
|
|
|
|
error_message =
|
|
|
|
dgettext("errors", "Insufficient permissions: %{permissions}.", permissions: permissions)
|
2019-02-15 16:54:37 +00:00
|
|
|
|
|
|
|
conn
|
|
|
|
|> put_resp_content_type("application/json")
|
2019-07-10 09:25:58 +00:00
|
|
|
|> send_resp(:forbidden, Jason.encode!(%{error: error_message}))
|
2019-02-15 16:54:37 +00:00
|
|
|
|> halt()
|
2019-02-09 14:09:08 +00:00
|
|
|
end
|
|
|
|
end
|
2019-09-08 12:00:03 +00:00
|
|
|
|
2020-04-22 15:50:25 +00:00
|
|
|
@doc "Drops authentication info from connection"
|
|
|
|
def drop_auth_info(conn) do
|
|
|
|
# To simplify debugging, setting a private variable on `conn` if auth info is dropped
|
|
|
|
conn
|
|
|
|
|> put_private(:authentication_ignored, true)
|
|
|
|
|> assign(:user, nil)
|
|
|
|
|> assign(:token, nil)
|
|
|
|
end
|
|
|
|
|
2020-09-19 16:16:55 +00:00
|
|
|
@doc "Keeps those of `scopes` which are descendants of `supported_scopes`"
|
2019-09-08 12:00:03 +00:00
|
|
|
def filter_descendants(scopes, supported_scopes) do
|
|
|
|
Enum.filter(
|
|
|
|
scopes,
|
|
|
|
fn scope ->
|
|
|
|
Enum.find(
|
|
|
|
supported_scopes,
|
|
|
|
&(scope == &1 || String.starts_with?(scope, &1 <> ":"))
|
|
|
|
)
|
|
|
|
end
|
|
|
|
)
|
|
|
|
end
|
2019-09-15 15:22:08 +00:00
|
|
|
|
2019-12-11 08:42:02 +00:00
|
|
|
@doc "Transforms scopes by applying supported options (e.g. :admin)"
|
|
|
|
def transform_scopes(scopes, options) do
|
|
|
|
if options[:admin] do
|
|
|
|
Config.oauth_admin_scopes(scopes)
|
|
|
|
else
|
|
|
|
scopes
|
|
|
|
end
|
|
|
|
end
|
2019-02-09 14:09:08 +00:00
|
|
|
end
|