[#2409] Tested all auth setup configs in AuthTestControllerTest. Adjusted :skip_plug definitions for some endpoints.

2020-04-24 16:52:38 +03:00 · 2020-04-24 16:52:38 +03:00 · 00e62161f6
commit 00e62161f6
parent 89f38d94c7
13 changed files with 392 additions and 121 deletions
--- a/lib/pleroma/web/masto_fe_controller.ex
+++ b/lib/pleroma/web/masto_fe_controller.ex
@ -5,12 +5,15 @@
 defmodule Pleroma.Web.MastoFEController do
  use Pleroma.Web, :controller

+  alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.User

  plug(OAuthScopesPlug, %{scopes: ["write:accounts"]} when action == :put_settings)

  # Note: :index action handles attempt of unauthenticated access to private instance with redirect
+  plug(:skip_plug, EnsurePublicOrAuthenticatedPlug when action == :index)
+
  plug(
    OAuthScopesPlug,
    %{scopes: ["read"], fallback: :proceed_unauthenticated}
@ -19,7 +22,7 @@ defmodule Pleroma.Web.MastoFEController do

  plug(
    :skip_plug,
-    Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action in [:index, :manifest]
+    [OAuthScopesPlug, EnsurePublicOrAuthenticatedPlug] when action == :manifest
  )

  @doc "GET /web/*path"
--- a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
@ -14,6 +14,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
      skip_relationships?: 1
    ]

+  alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.Plugs.RateLimiter
  alias Pleroma.User
@ -26,18 +27,14 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
  alias Pleroma.Web.OAuth.Token
  alias Pleroma.Web.TwitterAPI.TwitterAPI

-  plug(:skip_plug, OAuthScopesPlug when action in [:create, :identity_proofs])
+  plug(:skip_plug, [OAuthScopesPlug, EnsurePublicOrAuthenticatedPlug] when action == :create)

-  plug(
-    :skip_plug,
-    Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
-    when action in [:create, :show, :statuses]
-  )
+  plug(:skip_plug, EnsurePublicOrAuthenticatedPlug when action in [:show, :statuses])

  plug(
    OAuthScopesPlug,
    %{fallback: :proceed_unauthenticated, scopes: ["read:accounts"]}
-    when action in [:show, :followers, :following, :endorsements]
+    when action in [:show, :followers, :following]
  )

  plug(
@ -49,7 +46,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
  plug(
    OAuthScopesPlug,
    %{scopes: ["read:accounts"]}
-    when action in [:endorsements, :verify_credentials]
+    when action in [:verify_credentials, :endorsements, :identity_proofs]
  )

  plug(OAuthScopesPlug, %{scopes: ["write:accounts"]} when action == :update_credentials)
--- a/lib/pleroma/web/mastodon_api/controllers/status_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/status_controller.ex
@ -24,6 +24,8 @@ defmodule Pleroma.Web.MastodonAPI.StatusController do
  alias Pleroma.Web.MastodonAPI.AccountView
  alias Pleroma.Web.MastodonAPI.ScheduledActivityView

+  plug(:skip_plug, Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action in [:index, :show])
+
  @unauthenticated_access %{fallback: :proceed_unauthenticated, scopes: []}

  plug(
@ -77,8 +79,6 @@ defmodule Pleroma.Web.MastodonAPI.StatusController do
    %{scopes: ["write:bookmarks"]} when action in [:bookmark, :unbookmark]
  )

-  plug(:skip_plug, Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action in [:index, :show])
-
  @rate_limited_status_actions ~w(reblog unreblog favourite unfavourite create delete)a

  plug(
--- a/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
@ -15,6 +15,8 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
  alias Pleroma.User
  alias Pleroma.Web.ActivityPub.ActivityPub

+  plug(:skip_plug, EnsurePublicOrAuthenticatedPlug when action in [:public, :hashtag])
+
  # TODO: Replace with a macro when there is a Phoenix release with the following commit in it:
  # https://github.com/phoenixframework/phoenix/commit/2e8c63c01fec4dde5467dbbbf9705ff9e780735e

@ -33,8 +35,6 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
    when action in [:public, :hashtag]
  )

-  plug(:skip_plug, EnsurePublicOrAuthenticatedPlug when action in [:public, :hashtag])
-
  plug(:put_view, Pleroma.Web.MastodonAPI.StatusView)

  # GET /api/v1/timelines/home
--- a/lib/pleroma/web/oauth/oauth_controller.ex
+++ b/lib/pleroma/web/oauth/oauth_controller.ex
@ -25,9 +25,10 @@ defmodule Pleroma.Web.OAuth.OAuthController do

  plug(:fetch_session)
  plug(:fetch_flash)
-  plug(RateLimiter, [name: :authentication] when action == :create_authorization)

-  plug(:skip_plug, Pleroma.Plugs.OAuthScopesPlug)
+  plug(:skip_plug, [Pleroma.Plugs.OAuthScopesPlug, Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug])
+
+  plug(RateLimiter, [name: :authentication] when action == :create_authorization)

  action_fallback(Pleroma.Web.OAuth.FallbackController)

--- a/lib/pleroma/web/pleroma_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/account_controller.ex
@ -9,6 +9,7 @@ defmodule Pleroma.Web.PleromaAPI.AccountController do
    only: [json_response: 3, add_link_headers: 2, assign_account_by_id: 2, skip_relationships?: 1]

  alias Ecto.Changeset
+  alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.Plugs.RateLimiter
  alias Pleroma.User
@ -17,11 +18,9 @@ defmodule Pleroma.Web.PleromaAPI.AccountController do

  require Pleroma.Constants

-  plug(:skip_plug, OAuthScopesPlug when action == :confirmation_resend)
-
  plug(
    :skip_plug,
-    Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action == :confirmation_resend
+    [OAuthScopesPlug, EnsurePublicOrAuthenticatedPlug] when action == :confirmation_resend
  )

  plug(
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@ -655,11 +655,28 @@ defmodule Pleroma.Web.Router do

  # Test-only routes needed to test action dispatching and plug chain execution
  if Pleroma.Config.get(:env) == :test do
+    @test_actions [
+      :do_oauth_check,
+      :fallback_oauth_check,
+      :skip_oauth_check,
+      :fallback_oauth_skip_publicity_check,
+      :skip_oauth_skip_publicity_check,
+      :missing_oauth_check_definition
+    ]
+
+    scope "/test/api", Pleroma.Tests do
+      pipe_through(:api)
+
+      for action <- @test_actions do
+        get("/#{action}", AuthTestController, action)
+      end
+    end
+
    scope "/test/authenticated_api", Pleroma.Tests do
      pipe_through(:authenticated_api)

-      for action <- [:skipped_oauth, :performed_oauth, :missed_oauth] do
-        get("/#{action}", OAuthTestController, action)
+      for action <- @test_actions do
+        get("/#{action}", AuthTestController, action)
      end
    end
  end
--- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
@ -6,6 +6,7 @@ defmodule Pleroma.Web.TwitterAPI.Controller do
  use Pleroma.Web, :controller

  alias Pleroma.Notification
+  alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.User
  alias Pleroma.Web.OAuth.Token
@ -18,7 +19,12 @@ defmodule Pleroma.Web.TwitterAPI.Controller do
    %{scopes: ["write:notifications"]} when action == :mark_notifications_as_read
  )

-  plug(:skip_plug, OAuthScopesPlug when action in [:confirm_email, :oauth_tokens, :revoke_token])
+  plug(
+    :skip_plug,
+    [OAuthScopesPlug, EnsurePublicOrAuthenticatedPlug] when action == :confirm_email
+  )
+
+  plug(:skip_plug, OAuthScopesPlug when action in [:oauth_tokens, :revoke_token])

  action_fallback(:errors)