[#2409] Tested all auth setup configs in AuthTestControllerTest. Adjusted :skip_plug definitions for some endpoints.

2020-04-24 16:52:38 +03:00 · 2020-04-24 16:52:38 +03:00 · 00e62161f6
commit 00e62161f6
parent 89f38d94c7
13 changed files with 392 additions and 121 deletions
--- a/test/web/auth/auth_test_controller_test.exs
+++ b/test/web/auth/auth_test_controller_test.exs
@ -0,0 +1,242 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Tests.AuthTestControllerTest do
+  use Pleroma.Web.ConnCase
+
+  import Pleroma.Factory
+
+  describe "do_oauth_check" do
+    test "serves with proper OAuth token (fulfilling requested scopes)" do
+      %{conn: good_token_conn, user: user} = oauth_access(["read"])
+
+      assert %{"user_id" => user.id} ==
+               good_token_conn
+               |> get("/test/authenticated_api/do_oauth_check")
+               |> json_response(200)
+
+      # Unintended usage (:api) — use with :authenticated_api instead
+      assert %{"user_id" => user.id} ==
+               good_token_conn
+               |> get("/test/api/do_oauth_check")
+               |> json_response(200)
+    end
+
+    test "fails on no token / missing scope(s)" do
+      %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"])
+
+      bad_token_conn
+      |> get("/test/authenticated_api/do_oauth_check")
+      |> json_response(403)
+
+      bad_token_conn
+      |> assign(:token, nil)
+      |> get("/test/api/do_oauth_check")
+      |> json_response(403)
+    end
+  end
+
+  describe "fallback_oauth_check" do
+    test "serves with proper OAuth token (fulfilling requested scopes)" do
+      %{conn: good_token_conn, user: user} = oauth_access(["read"])
+
+      assert %{"user_id" => user.id} ==
+               good_token_conn
+               |> get("/test/api/fallback_oauth_check")
+               |> json_response(200)
+
+      # Unintended usage (:authenticated_api) — use with :api instead
+      assert %{"user_id" => user.id} ==
+               good_token_conn
+               |> get("/test/authenticated_api/fallback_oauth_check")
+               |> json_response(200)
+    end
+
+    test "for :api on public instance, drops :user and renders on no token / missing scope(s)" do
+      clear_config([:instance, :public], true)
+
+      %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"])
+
+      assert %{"user_id" => nil} ==
+               bad_token_conn
+               |> get("/test/api/fallback_oauth_check")
+               |> json_response(200)
+
+      assert %{"user_id" => nil} ==
+               bad_token_conn
+               |> assign(:token, nil)
+               |> get("/test/api/fallback_oauth_check")
+               |> json_response(200)
+    end
+
+    test "for :api on private instance, fails on no token / missing scope(s)" do
+      clear_config([:instance, :public], false)
+
+      %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"])
+
+      bad_token_conn
+      |> get("/test/api/fallback_oauth_check")
+      |> json_response(403)
+
+      bad_token_conn
+      |> assign(:token, nil)
+      |> get("/test/api/fallback_oauth_check")
+      |> json_response(403)
+    end
+  end
+
+  describe "skip_oauth_check" do
+    test "for :authenticated_api, serves if :user is set (regardless of token / token scopes)" do
+      user = insert(:user)
+
+      assert %{"user_id" => user.id} ==
+               build_conn()
+               |> assign(:user, user)
+               |> get("/test/authenticated_api/skip_oauth_check")
+               |> json_response(200)
+
+      %{conn: bad_token_conn, user: user} = oauth_access(["irrelevant_scope"])
+
+      assert %{"user_id" => user.id} ==
+               bad_token_conn
+               |> get("/test/authenticated_api/skip_oauth_check")
+               |> json_response(200)
+    end
+
+    test "serves via :api on public instance if :user is not set" do
+      clear_config([:instance, :public], true)
+
+      assert %{"user_id" => nil} ==
+               build_conn()
+               |> get("/test/api/skip_oauth_check")
+               |> json_response(200)
+
+      build_conn()
+      |> get("/test/authenticated_api/skip_oauth_check")
+      |> json_response(403)
+    end
+
+    test "fails on private instance if :user is not set" do
+      clear_config([:instance, :public], false)
+
+      build_conn()
+      |> get("/test/api/skip_oauth_check")
+      |> json_response(403)
+
+      build_conn()
+      |> get("/test/authenticated_api/skip_oauth_check")
+      |> json_response(403)
+    end
+  end
+
+  describe "fallback_oauth_skip_publicity_check" do
+    test "serves with proper OAuth token (fulfilling requested scopes)" do
+      %{conn: good_token_conn, user: user} = oauth_access(["read"])
+
+      assert %{"user_id" => user.id} ==
+               good_token_conn
+               |> get("/test/api/fallback_oauth_skip_publicity_check")
+               |> json_response(200)
+
+      # Unintended usage (:authenticated_api)
+      assert %{"user_id" => user.id} ==
+               good_token_conn
+               |> get("/test/authenticated_api/fallback_oauth_skip_publicity_check")
+               |> json_response(200)
+    end
+
+    test "for :api on private / public instance, drops :user and renders on token issue" do
+      %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"])
+
+      for is_public <- [true, false] do
+        clear_config([:instance, :public], is_public)
+
+        assert %{"user_id" => nil} ==
+                 bad_token_conn
+                 |> get("/test/api/fallback_oauth_skip_publicity_check")
+                 |> json_response(200)
+
+        assert %{"user_id" => nil} ==
+                 bad_token_conn
+                 |> assign(:token, nil)
+                 |> get("/test/api/fallback_oauth_skip_publicity_check")
+                 |> json_response(200)
+      end
+    end
+  end
+
+  describe "skip_oauth_skip_publicity_check" do
+    test "for :authenticated_api, serves if :user is set (regardless of token / token scopes)" do
+      user = insert(:user)
+
+      assert %{"user_id" => user.id} ==
+               build_conn()
+               |> assign(:user, user)
+               |> get("/test/authenticated_api/skip_oauth_skip_publicity_check")
+               |> json_response(200)
+
+      %{conn: bad_token_conn, user: user} = oauth_access(["irrelevant_scope"])
+
+      assert %{"user_id" => user.id} ==
+               bad_token_conn
+               |> get("/test/authenticated_api/skip_oauth_skip_publicity_check")
+               |> json_response(200)
+    end
+
+    test "for :api, serves on private and public instances regardless of whether :user is set" do
+      user = insert(:user)
+
+      for is_public <- [true, false] do
+        clear_config([:instance, :public], is_public)
+
+        assert %{"user_id" => nil} ==
+                 build_conn()
+                 |> get("/test/api/skip_oauth_skip_publicity_check")
+                 |> json_response(200)
+
+        assert %{"user_id" => user.id} ==
+                 build_conn()
+                 |> assign(:user, user)
+                 |> get("/test/api/skip_oauth_skip_publicity_check")
+                 |> json_response(200)
+      end
+    end
+  end
+
+  describe "missing_oauth_check_definition" do
+    def test_missing_oauth_check_definition_failure(endpoint, expected_error) do
+      %{conn: conn} = oauth_access(["read", "write", "follow", "push", "admin"])
+
+      assert %{"error" => expected_error} ==
+               conn
+               |> get(endpoint)
+               |> json_response(403)
+    end
+
+    test "fails if served via :authenticated_api" do
+      test_missing_oauth_check_definition_failure(
+        "/test/authenticated_api/missing_oauth_check_definition",
+        "Security violation: OAuth scopes check was neither handled nor explicitly skipped."
+      )
+    end
+
+    test "fails if served via :api and the instance is private" do
+      clear_config([:instance, :public], false)
+
+      test_missing_oauth_check_definition_failure(
+        "/test/api/missing_oauth_check_definition",
+        "This resource requires authentication."
+      )
+    end
+
+    test "succeeds with dropped :user if served via :api on public instance" do
+      %{conn: conn} = oauth_access(["read", "write", "follow", "push", "admin"])
+
+      assert %{"user_id" => nil} ==
+               conn
+               |> get("/test/api/missing_oauth_check_definition")
+               |> json_response(200)
+    end
+  end
+end
--- a/test/web/auth/oauth_test_controller_test.exs
+++ b/test/web/auth/oauth_test_controller_test.exs
@ -1,49 +0,0 @@
-# Pleroma: A lightweight social networking server
-# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
-# SPDX-License-Identifier: AGPL-3.0-only
-
-defmodule Pleroma.Tests.OAuthTestControllerTest do
-  use Pleroma.Web.ConnCase
-
-  import Pleroma.Factory
-
-  setup %{conn: conn} do
-    user = insert(:user)
-    conn = assign(conn, :user, user)
-    %{conn: conn, user: user}
-  end
-
-  test "missed_oauth", %{conn: conn} do
-    res =
-      conn
-      |> get("/test/authenticated_api/missed_oauth")
-      |> json_response(403)
-
-    assert res ==
-             %{
-               "error" =>
-                 "Security violation: OAuth scopes check was neither handled nor explicitly skipped."
-             }
-  end
-
-  test "skipped_oauth", %{conn: conn} do
-    conn
-    |> assign(:token, nil)
-    |> get("/test/authenticated_api/skipped_oauth")
-    |> json_response(200)
-  end
-
-  test "performed_oauth", %{user: user} do
-    %{conn: good_token_conn} = oauth_access(["read"], user: user)
-
-    good_token_conn
-    |> get("/test/authenticated_api/performed_oauth")
-    |> json_response(200)
-
-    %{conn: bad_token_conn} = oauth_access(["follow"], user: user)
-
-    bad_token_conn
-    |> get("/test/authenticated_api/performed_oauth")
-    |> json_response(403)
-  end
-end
--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@ -7,35 +7,28 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do

  describe "empty_array/2 (stubs)" do
    test "GET /api/v1/accounts/:id/identity_proofs" do
-      %{user: user, conn: conn} = oauth_access(["n/a"])
+      %{user: user, conn: conn} = oauth_access(["read:accounts"])

-      res =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/accounts/#{user.id}/identity_proofs")
-        |> json_response(200)
-
-      assert res == []
+      assert [] ==
+               conn
+               |> get("/api/v1/accounts/#{user.id}/identity_proofs")
+               |> json_response(200)
    end

    test "GET /api/v1/endorsements" do
      %{conn: conn} = oauth_access(["read:accounts"])

-      res =
-        conn
-        |> get("/api/v1/endorsements")
-        |> json_response(200)
-
-      assert res == []
+      assert [] ==
+               conn
+               |> get("/api/v1/endorsements")
+               |> json_response(200)
    end

    test "GET /api/v1/trends", %{conn: conn} do
-      res =
-        conn
-        |> get("/api/v1/trends")
-        |> json_response(200)
-
-      assert res == []
+      assert [] ==
+               conn
+               |> get("/api/v1/trends")
+               |> json_response(200)
    end
  end
 end