forked from mirrors/akkoma
123 lines
3.6 KiB
Elixir
123 lines
3.6 KiB
Elixir
# Pleroma: A lightweight social networking server
|
|
# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
defmodule Pleroma.Plugs.OAuthScopesPlugTest do
|
|
use Pleroma.Web.ConnCase, async: true
|
|
|
|
alias Pleroma.Plugs.OAuthScopesPlug
|
|
alias Pleroma.Repo
|
|
|
|
import Pleroma.Factory
|
|
|
|
test "proceeds with no op if `assigns[:token]` is nil", %{conn: conn} do
|
|
conn =
|
|
conn
|
|
|> assign(:user, insert(:user))
|
|
|> OAuthScopesPlug.call(%{scopes: ["read"]})
|
|
|
|
refute conn.halted
|
|
assert conn.assigns[:user]
|
|
end
|
|
|
|
test "proceeds with no op if `token.scopes` fulfill specified 'any of' conditions", %{
|
|
conn: conn
|
|
} do
|
|
token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
|
|
|
|
conn =
|
|
conn
|
|
|> assign(:user, token.user)
|
|
|> assign(:token, token)
|
|
|> OAuthScopesPlug.call(%{scopes: ["read"]})
|
|
|
|
refute conn.halted
|
|
assert conn.assigns[:user]
|
|
end
|
|
|
|
test "proceeds with no op if `token.scopes` fulfill specified 'all of' conditions", %{
|
|
conn: conn
|
|
} do
|
|
token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
|
|
|
|
conn =
|
|
conn
|
|
|> assign(:user, token.user)
|
|
|> assign(:token, token)
|
|
|> OAuthScopesPlug.call(%{scopes: ["scope2", "scope3"], op: :&})
|
|
|
|
refute conn.halted
|
|
assert conn.assigns[:user]
|
|
end
|
|
|
|
test "proceeds with cleared `assigns[:user]` if `token.scopes` doesn't fulfill specified 'any of' conditions " <>
|
|
"and `fallback: :proceed_unauthenticated` option is specified",
|
|
%{conn: conn} do
|
|
token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
|
|
|
|
conn =
|
|
conn
|
|
|> assign(:user, token.user)
|
|
|> assign(:token, token)
|
|
|> OAuthScopesPlug.call(%{scopes: ["follow"], fallback: :proceed_unauthenticated})
|
|
|
|
refute conn.halted
|
|
refute conn.assigns[:user]
|
|
end
|
|
|
|
test "proceeds with cleared `assigns[:user]` if `token.scopes` doesn't fulfill specified 'all of' conditions " <>
|
|
"and `fallback: :proceed_unauthenticated` option is specified",
|
|
%{conn: conn} do
|
|
token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
|
|
|
|
conn =
|
|
conn
|
|
|> assign(:user, token.user)
|
|
|> assign(:token, token)
|
|
|> OAuthScopesPlug.call(%{
|
|
scopes: ["read", "follow"],
|
|
op: :&,
|
|
fallback: :proceed_unauthenticated
|
|
})
|
|
|
|
refute conn.halted
|
|
refute conn.assigns[:user]
|
|
end
|
|
|
|
test "returns 403 and halts in case of no :fallback option and `token.scopes` not fulfilling specified 'any of' conditions",
|
|
%{conn: conn} do
|
|
token = insert(:oauth_token, scopes: ["read", "write"])
|
|
any_of_scopes = ["follow"]
|
|
|
|
conn =
|
|
conn
|
|
|> assign(:token, token)
|
|
|> OAuthScopesPlug.call(%{scopes: any_of_scopes})
|
|
|
|
assert conn.halted
|
|
assert 403 == conn.status
|
|
|
|
expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, ", ")}."
|
|
assert Jason.encode!(%{error: expected_error}) == conn.resp_body
|
|
end
|
|
|
|
test "returns 403 and halts in case of no :fallback option and `token.scopes` not fulfilling specified 'all of' conditions",
|
|
%{conn: conn} do
|
|
token = insert(:oauth_token, scopes: ["read", "write"])
|
|
all_of_scopes = ["write", "follow"]
|
|
|
|
conn =
|
|
conn
|
|
|> assign(:token, token)
|
|
|> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
|
|
|
|
assert conn.halted
|
|
assert 403 == conn.status
|
|
|
|
expected_error =
|
|
"Insufficient permissions: #{Enum.join(all_of_scopes -- token.scopes, ", ")}."
|
|
|
|
assert Jason.encode!(%{error: expected_error}) == conn.resp_body
|
|
end
|
|
end
|