Merge branch 'develop' into openapi/reports

test/plugs/ensure_authenticated_plug_test.exs

@@ -20,7 +20,7 @@ defmodule Pleroma.Plugs.EnsureAuthenticatedPlugTest do
       conn = assign(conn, :user, %User{})
       ret_conn = EnsureAuthenticatedPlug.call(conn, %{})
 
-      assert ret_conn == conn
+      refute ret_conn.halted
     end
   end
 
@@ -34,20 +34,22 @@ defmodule Pleroma.Plugs.EnsureAuthenticatedPlugTest do
 
     test "it continues if a user is assigned", %{conn: conn, true_fn: true_fn, false_fn: false_fn} do
       conn = assign(conn, :user, %User{})
-      assert EnsureAuthenticatedPlug.call(conn, if_func: true_fn) == conn
-      assert EnsureAuthenticatedPlug.call(conn, if_func: false_fn) == conn
-      assert EnsureAuthenticatedPlug.call(conn, unless_func: true_fn) == conn
-      assert EnsureAuthenticatedPlug.call(conn, unless_func: false_fn) == conn
+      refute EnsureAuthenticatedPlug.call(conn, if_func: true_fn).halted
+      refute EnsureAuthenticatedPlug.call(conn, if_func: false_fn).halted
+      refute EnsureAuthenticatedPlug.call(conn, unless_func: true_fn).halted
+      refute EnsureAuthenticatedPlug.call(conn, unless_func: false_fn).halted
     end
 
     test "it continues if a user is NOT assigned but :if_func evaluates to `false`",
          %{conn: conn, false_fn: false_fn} do
-      assert EnsureAuthenticatedPlug.call(conn, if_func: false_fn) == conn
+      ret_conn = EnsureAuthenticatedPlug.call(conn, if_func: false_fn)
+      refute ret_conn.halted
     end
 
     test "it continues if a user is NOT assigned but :unless_func evaluates to `true`",
          %{conn: conn, true_fn: true_fn} do
-      assert EnsureAuthenticatedPlug.call(conn, unless_func: true_fn) == conn
+      ret_conn = EnsureAuthenticatedPlug.call(conn, unless_func: true_fn)
+      refute ret_conn.halted
     end
 
     test "it halts if a user is NOT assigned and :if_func evaluates to `true`",

test/plugs/ensure_public_or_authenticated_plug_test.exs

@@ -29,7 +29,7 @@ defmodule Pleroma.Plugs.EnsurePublicOrAuthenticatedPlugTest do
       conn
       |> EnsurePublicOrAuthenticatedPlug.call(%{})
 
-    assert ret_conn == conn
+    refute ret_conn.halted
   end
 
   test "it continues if a user is assigned, even if not public", %{conn: conn} do
@@ -43,6 +43,6 @@ defmodule Pleroma.Plugs.EnsurePublicOrAuthenticatedPlugTest do
       conn
       |> EnsurePublicOrAuthenticatedPlug.call(%{})
 
-    assert ret_conn == conn
+    refute ret_conn.halted
   end
 end

test/plugs/oauth_scopes_plug_test.exs

@@ -5,17 +5,12 @@
 defmodule Pleroma.Plugs.OAuthScopesPlugTest do
   use Pleroma.Web.ConnCase, async: true
 
-  alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
   alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.Repo
 
   import Mock
   import Pleroma.Factory
 
-  setup_with_mocks([{EnsurePublicOrAuthenticatedPlug, [], [call: fn conn, _ -> conn end]}]) do
-    :ok
-  end
-
   test "is not performed if marked as skipped", %{conn: conn} do
     with_mock OAuthScopesPlug, [:passthrough], perform: &passthrough([&1, &2]) do
       conn =
@@ -60,7 +55,7 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do
 
   describe "with `fallback: :proceed_unauthenticated` option, " do
     test "if `token.scopes` doesn't fulfill specified conditions, " <>
-           "clears :user and :token assigns and calls EnsurePublicOrAuthenticatedPlug",
+           "clears :user and :token assigns",
          %{conn: conn} do
       user = insert(:user)
       token1 = insert(:oauth_token, scopes: ["read", "write"], user: user)
@@ -79,35 +74,6 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do
         refute ret_conn.halted
         refute ret_conn.assigns[:user]
         refute ret_conn.assigns[:token]
-
-        assert called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_))
-      end
-    end
-
-    test "with :skip_instance_privacy_check option, " <>
-           "if `token.scopes` doesn't fulfill specified conditions, " <>
-           "clears :user and :token assigns and does NOT call EnsurePublicOrAuthenticatedPlug",
-         %{conn: conn} do
-      user = insert(:user)
-      token1 = insert(:oauth_token, scopes: ["read:statuses", "write"], user: user)
-
-      for token <- [token1, nil], op <- [:|, :&] do
-        ret_conn =
-          conn
-          |> assign(:user, user)
-          |> assign(:token, token)
-          |> OAuthScopesPlug.call(%{
-            scopes: ["read"],
-            op: op,
-            fallback: :proceed_unauthenticated,
-            skip_instance_privacy_check: true
-          })
-
-        refute ret_conn.halted
-        refute ret_conn.assigns[:user]
-        refute ret_conn.assigns[:token]
-
-        refute called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_))
       end
     end
   end

test/web/activity_pub/activity_pub_controller_test.exs

@@ -766,7 +766,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
   end
 
   describe "POST /users/:nickname/outbox" do
-    test "it rejects posts from other users / unauuthenticated users", %{conn: conn} do
+    test "it rejects posts from other users / unauthenticated users", %{conn: conn} do
       data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!()
       user = insert(:user)
       other_user = insert(:user)

test/web/auth/auth_test_controller_test.exs

@@ -0,0 +1,242 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Tests.AuthTestControllerTest do
+  use Pleroma.Web.ConnCase
+
+  import Pleroma.Factory
+
+  describe "do_oauth_check" do
+    test "serves with proper OAuth token (fulfilling requested scopes)" do
+      %{conn: good_token_conn, user: user} = oauth_access(["read"])
+
+      assert %{"user_id" => user.id} ==
+               good_token_conn
+               |> get("/test/authenticated_api/do_oauth_check")
+               |> json_response(200)
+
+      # Unintended usage (:api) — use with :authenticated_api instead
+      assert %{"user_id" => user.id} ==
+               good_token_conn
+               |> get("/test/api/do_oauth_check")
+               |> json_response(200)
+    end
+
+    test "fails on no token / missing scope(s)" do
+      %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"])
+
+      bad_token_conn
+      |> get("/test/authenticated_api/do_oauth_check")
+      |> json_response(403)
+
+      bad_token_conn
+      |> assign(:token, nil)
+      |> get("/test/api/do_oauth_check")
+      |> json_response(403)
+    end
+  end
+
+  describe "fallback_oauth_check" do
+    test "serves with proper OAuth token (fulfilling requested scopes)" do
+      %{conn: good_token_conn, user: user} = oauth_access(["read"])
+
+      assert %{"user_id" => user.id} ==
+               good_token_conn
+               |> get("/test/api/fallback_oauth_check")
+               |> json_response(200)
+
+      # Unintended usage (:authenticated_api) — use with :api instead
+      assert %{"user_id" => user.id} ==
+               good_token_conn
+               |> get("/test/authenticated_api/fallback_oauth_check")
+               |> json_response(200)
+    end
+
+    test "for :api on public instance, drops :user and renders on no token / missing scope(s)" do
+      clear_config([:instance, :public], true)
+
+      %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"])
+
+      assert %{"user_id" => nil} ==
+               bad_token_conn
+               |> get("/test/api/fallback_oauth_check")
+               |> json_response(200)
+
+      assert %{"user_id" => nil} ==
+               bad_token_conn
+               |> assign(:token, nil)
+               |> get("/test/api/fallback_oauth_check")
+               |> json_response(200)
+    end
+
+    test "for :api on private instance, fails on no token / missing scope(s)" do
+      clear_config([:instance, :public], false)
+
+      %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"])
+
+      bad_token_conn
+      |> get("/test/api/fallback_oauth_check")
+      |> json_response(403)
+
+      bad_token_conn
+      |> assign(:token, nil)
+      |> get("/test/api/fallback_oauth_check")
+      |> json_response(403)
+    end
+  end
+
+  describe "skip_oauth_check" do
+    test "for :authenticated_api, serves if :user is set (regardless of token / token scopes)" do
+      user = insert(:user)
+
+      assert %{"user_id" => user.id} ==
+               build_conn()
+               |> assign(:user, user)
+               |> get("/test/authenticated_api/skip_oauth_check")
+               |> json_response(200)
+
+      %{conn: bad_token_conn, user: user} = oauth_access(["irrelevant_scope"])
+
+      assert %{"user_id" => user.id} ==
+               bad_token_conn
+               |> get("/test/authenticated_api/skip_oauth_check")
+               |> json_response(200)
+    end
+
+    test "serves via :api on public instance if :user is not set" do
+      clear_config([:instance, :public], true)
+
+      assert %{"user_id" => nil} ==
+               build_conn()
+               |> get("/test/api/skip_oauth_check")
+               |> json_response(200)
+
+      build_conn()
+      |> get("/test/authenticated_api/skip_oauth_check")
+      |> json_response(403)
+    end
+
+    test "fails on private instance if :user is not set" do
+      clear_config([:instance, :public], false)
+
+      build_conn()
+      |> get("/test/api/skip_oauth_check")
+      |> json_response(403)
+
+      build_conn()
+      |> get("/test/authenticated_api/skip_oauth_check")
+      |> json_response(403)
+    end
+  end
+
+  describe "fallback_oauth_skip_publicity_check" do
+    test "serves with proper OAuth token (fulfilling requested scopes)" do
+      %{conn: good_token_conn, user: user} = oauth_access(["read"])
+
+      assert %{"user_id" => user.id} ==
+               good_token_conn
+               |> get("/test/api/fallback_oauth_skip_publicity_check")
+               |> json_response(200)
+
+      # Unintended usage (:authenticated_api)
+      assert %{"user_id" => user.id} ==
+               good_token_conn
+               |> get("/test/authenticated_api/fallback_oauth_skip_publicity_check")
+               |> json_response(200)
+    end
+
+    test "for :api on private / public instance, drops :user and renders on token issue" do
+      %{conn: bad_token_conn} = oauth_access(["irrelevant_scope"])
+
+      for is_public <- [true, false] do
+        clear_config([:instance, :public], is_public)
+
+        assert %{"user_id" => nil} ==
+                 bad_token_conn
+                 |> get("/test/api/fallback_oauth_skip_publicity_check")
+                 |> json_response(200)
+
+        assert %{"user_id" => nil} ==
+                 bad_token_conn
+                 |> assign(:token, nil)
+                 |> get("/test/api/fallback_oauth_skip_publicity_check")
+                 |> json_response(200)
+      end
+    end
+  end
+
+  describe "skip_oauth_skip_publicity_check" do
+    test "for :authenticated_api, serves if :user is set (regardless of token / token scopes)" do
+      user = insert(:user)
+
+      assert %{"user_id" => user.id} ==
+               build_conn()
+               |> assign(:user, user)
+               |> get("/test/authenticated_api/skip_oauth_skip_publicity_check")
+               |> json_response(200)
+
+      %{conn: bad_token_conn, user: user} = oauth_access(["irrelevant_scope"])
+
+      assert %{"user_id" => user.id} ==
+               bad_token_conn
+               |> get("/test/authenticated_api/skip_oauth_skip_publicity_check")
+               |> json_response(200)
+    end
+
+    test "for :api, serves on private and public instances regardless of whether :user is set" do
+      user = insert(:user)
+
+      for is_public <- [true, false] do
+        clear_config([:instance, :public], is_public)
+
+        assert %{"user_id" => nil} ==
+                 build_conn()
+                 |> get("/test/api/skip_oauth_skip_publicity_check")
+                 |> json_response(200)
+
+        assert %{"user_id" => user.id} ==
+                 build_conn()
+                 |> assign(:user, user)
+                 |> get("/test/api/skip_oauth_skip_publicity_check")
+                 |> json_response(200)
+      end
+    end
+  end
+
+  describe "missing_oauth_check_definition" do
+    def test_missing_oauth_check_definition_failure(endpoint, expected_error) do
+      %{conn: conn} = oauth_access(["read", "write", "follow", "push", "admin"])
+
+      assert %{"error" => expected_error} ==
+               conn
+               |> get(endpoint)
+               |> json_response(403)
+    end
+
+    test "fails if served via :authenticated_api" do
+      test_missing_oauth_check_definition_failure(
+        "/test/authenticated_api/missing_oauth_check_definition",
+        "Security violation: OAuth scopes check was neither handled nor explicitly skipped."
+      )
+    end
+
+    test "fails if served via :api and the instance is private" do
+      clear_config([:instance, :public], false)
+
+      test_missing_oauth_check_definition_failure(
+        "/test/api/missing_oauth_check_definition",
+        "This resource requires authentication."
+      )
+    end
+
+    test "succeeds with dropped :user if served via :api on public instance" do
+      %{conn: conn} = oauth_access(["read", "write", "follow", "push", "admin"])
+
+      assert %{"user_id" => nil} ==
+               conn
+               |> get("/test/api/missing_oauth_check_definition")
+               |> json_response(200)
+    end
+  end
+end

test/web/auth/oauth_test_controller_test.exs

@@ -1,49 +0,0 @@
-# Pleroma: A lightweight social networking server
-# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
-# SPDX-License-Identifier: AGPL-3.0-only
-
-defmodule Pleroma.Tests.OAuthTestControllerTest do
-  use Pleroma.Web.ConnCase
-
-  import Pleroma.Factory
-
-  setup %{conn: conn} do
-    user = insert(:user)
-    conn = assign(conn, :user, user)
-    %{conn: conn, user: user}
-  end
-
-  test "missed_oauth", %{conn: conn} do
-    res =
-      conn
-      |> get("/test/authenticated_api/missed_oauth")
-      |> json_response(403)
-
-    assert res ==
-             %{
-               "error" =>
-                 "Security violation: OAuth scopes check was neither handled nor explicitly skipped."
-             }
-  end
-
-  test "skipped_oauth", %{conn: conn} do
-    conn
-    |> assign(:token, nil)
-    |> get("/test/authenticated_api/skipped_oauth")
-    |> json_response(200)
-  end
-
-  test "performed_oauth", %{user: user} do
-    %{conn: good_token_conn} = oauth_access(["read"], user: user)
-
-    good_token_conn
-    |> get("/test/authenticated_api/performed_oauth")
-    |> json_response(200)
-
-    %{conn: bad_token_conn} = oauth_access(["follow"], user: user)
-
-    bad_token_conn
-    |> get("/test/authenticated_api/performed_oauth")
-    |> json_response(403)
-  end
-end

test/web/mastodon_api/mastodon_api_controller_test.exs

@@ -7,35 +7,28 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
 
   describe "empty_array/2 (stubs)" do
     test "GET /api/v1/accounts/:id/identity_proofs" do
-      %{user: user, conn: conn} = oauth_access(["n/a"])
+      %{user: user, conn: conn} = oauth_access(["read:accounts"])
 
-      res =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/accounts/#{user.id}/identity_proofs")
-        |> json_response(200)
-
-      assert res == []
+      assert [] ==
+               conn
+               |> get("/api/v1/accounts/#{user.id}/identity_proofs")
+               |> json_response(200)
     end
 
     test "GET /api/v1/endorsements" do
       %{conn: conn} = oauth_access(["read:accounts"])
 
-      res =
-        conn
-        |> get("/api/v1/endorsements")
-        |> json_response(200)
-
-      assert res == []
+      assert [] ==
+               conn
+               |> get("/api/v1/endorsements")
+               |> json_response(200)
     end
 
     test "GET /api/v1/trends", %{conn: conn} do
-      res =
-        conn
-        |> get("/api/v1/trends")
-        |> json_response(200)
-
-      assert res == []
+      assert [] ==
+               conn
+               |> get("/api/v1/trends")
+               |> json_response(200)
     end
   end
 end

test/web/pleroma_api/controllers/account_controller_test.exs

@@ -151,15 +151,18 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
       assert like["id"] == activity.id
     end
 
-    test "does not return favorites for specified user_id when user is not logged in", %{
+    test "returns favorites for specified user_id when requester is not logged in", %{
       user: user
     } do
       activity = insert(:note_activity)
       CommonAPI.favorite(user, activity.id)
 
-      build_conn()
-      |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
-      |> json_response(403)
+      response =
+        build_conn()
+        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
+        |> json_response(200)
+
+      assert length(response) == 1
     end
 
     test "returns favorited DM only when user is logged in and he is one of recipients", %{
@@ -185,9 +188,12 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
         assert length(response) == 1
       end
 
-      build_conn()
-      |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
-      |> json_response(403)
+      response =
+        build_conn()
+        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
+        |> json_response(200)
+
+      assert length(response) == 0
     end
 
     test "does not return others' favorited DM when user is not one of recipients", %{

test/web/pleroma_api/controllers/emoji_api_controller_test.exs

@@ -38,8 +38,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
   end
 
   test "listing remote packs" do
-    admin = insert(:user, is_admin: true)
-    %{conn: conn} = oauth_access(["admin:write"], user: admin)
+    conn = build_conn()
 
     resp =
       build_conn()
@@ -76,7 +75,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
     assert Enum.find(arch, fn {n, _} -> n == 'blank.png' end)
   end
 
-  test "downloading shared & unshared packs from another instance via download_from, deleting them" do
+  test "downloading shared & unshared packs from another instance, deleting them" do
     on_exit(fn ->
       File.rm_rf!("#{@emoji_dir_path}/test_pack2")
       File.rm_rf!("#{@emoji_dir_path}/test_pack_nonshared2")
@@ -136,7 +135,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
             |> post(
               emoji_api_path(
                 conn,
-                :download_from
+                :save_from
               ),
               %{
                 instance_address: "https://old-instance",
@@ -152,7 +151,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
            |> post(
              emoji_api_path(
                conn,
-               :download_from
+               :save_from
              ),
              %{
                instance_address: "https://example.com",
@@ -179,7 +178,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
            |> post(
              emoji_api_path(
                conn,
-               :download_from
+               :save_from
              ),
              %{
                instance_address: "https://example.com",

test/web/twitter_api/twitter_api_controller_test.exs

@@ -19,13 +19,9 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do
     end
 
     test "with credentials, without any params" do
-      %{user: current_user, conn: conn} =
-        oauth_access(["read:notifications", "write:notifications"])
+      %{conn: conn} = oauth_access(["write:notifications"])
 
-      conn =
-        conn
-        |> assign(:user, current_user)
-        |> post("/api/qvitter/statuses/notifications/read")
+      conn = post(conn, "/api/qvitter/statuses/notifications/read")
 
       assert json_response(conn, 400) == %{
                "error" => "You need to specify latest_id",