Merge branch '1940-admin-token-oauthless-auth' into 'develop'
[#1940] Reinstated OAuth-less `admin_token` authentication Closes #1940 See merge request pleroma/pleroma!2760
This commit is contained in:
feld
commit
2909dc873b
21 changed files with 234 additions and 254 deletions
|
|
@ -4,9 +4,14 @@
|
|||
|
||||
defmodule Pleroma.Plugs.AdminSecretAuthenticationPlugTest do
|
||||
use Pleroma.Web.ConnCase, async: true
|
||||
|
||||
import Mock
|
||||
import Pleroma.Factory
|
||||
|
||||
alias Pleroma.Plugs.AdminSecretAuthenticationPlug
|
||||
alias Pleroma.Plugs.OAuthScopesPlug
|
||||
alias Pleroma.Plugs.PlugHelper
|
||||
alias Pleroma.Plugs.RateLimiter
|
||||
|
||||
test "does nothing if a user is assigned", %{conn: conn} do
|
||||
user = insert(:user)
|
||||
|
|
@ -25,6 +30,10 @@ defmodule Pleroma.Plugs.AdminSecretAuthenticationPlugTest do
|
|||
describe "when secret set it assigns an admin user" do
|
||||
setup do: clear_config([:admin_token])
|
||||
|
||||
setup_with_mocks([{RateLimiter, [:passthrough], []}]) do
|
||||
:ok
|
||||
end
|
||||
|
||||
test "with `admin_token` query parameter", %{conn: conn} do
|
||||
Pleroma.Config.put(:admin_token, "password123")
|
||||
|
||||
|
|
@ -33,12 +42,14 @@ defmodule Pleroma.Plugs.AdminSecretAuthenticationPlugTest do
|
|||
|> AdminSecretAuthenticationPlug.call(%{})
|
||||
|
||||
refute conn.assigns[:user]
|
||||
assert called(RateLimiter.call(conn, name: :authentication))
|
||||
|
||||
conn =
|
||||
%{conn | params: %{"admin_token" => "password123"}}
|
||||
|> AdminSecretAuthenticationPlug.call(%{})
|
||||
|
||||
assert conn.assigns[:user].is_admin
|
||||
assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)
|
||||
end
|
||||
|
||||
test "with `x-admin-token` HTTP header", %{conn: conn} do
|
||||
|
|
@ -50,6 +61,7 @@ defmodule Pleroma.Plugs.AdminSecretAuthenticationPlugTest do
|
|||
|> AdminSecretAuthenticationPlug.call(%{})
|
||||
|
||||
refute conn.assigns[:user]
|
||||
assert called(RateLimiter.call(conn, name: :authentication))
|
||||
|
||||
conn =
|
||||
conn
|
||||
|
|
@ -57,6 +69,7 @@ defmodule Pleroma.Plugs.AdminSecretAuthenticationPlugTest do
|
|||
|> AdminSecretAuthenticationPlug.call(%{})
|
||||
|
||||
assert conn.assigns[:user].is_admin
|
||||
assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -8,112 +8,30 @@ defmodule Pleroma.Plugs.UserIsAdminPlugTest do
|
|||
alias Pleroma.Plugs.UserIsAdminPlug
|
||||
import Pleroma.Factory
|
||||
|
||||
describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
|
||||
test "accepts a user that is an admin" do
|
||||
user = insert(:user, is_admin: true)
|
||||
|
||||
test "accepts a user that is an admin" do
|
||||
user = insert(:user, is_admin: true)
|
||||
conn = assign(build_conn(), :user, user)
|
||||
|
||||
conn = assign(build_conn(), :user, user)
|
||||
ret_conn = UserIsAdminPlug.call(conn, %{})
|
||||
|
||||
ret_conn = UserIsAdminPlug.call(conn, %{})
|
||||
|
||||
assert conn == ret_conn
|
||||
end
|
||||
|
||||
test "denies a user that isn't an admin" do
|
||||
user = insert(:user)
|
||||
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, user)
|
||||
|> UserIsAdminPlug.call(%{})
|
||||
|
||||
assert conn.status == 403
|
||||
end
|
||||
|
||||
test "denies when a user isn't set" do
|
||||
conn = UserIsAdminPlug.call(build_conn(), %{})
|
||||
|
||||
assert conn.status == 403
|
||||
end
|
||||
assert conn == ret_conn
|
||||
end
|
||||
|
||||
describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
|
||||
test "denies a user that isn't an admin" do
|
||||
user = insert(:user)
|
||||
|
||||
setup do
|
||||
admin_user = insert(:user, is_admin: true)
|
||||
non_admin_user = insert(:user, is_admin: false)
|
||||
blank_user = nil
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, user)
|
||||
|> UserIsAdminPlug.call(%{})
|
||||
|
||||
{:ok, %{users: [admin_user, non_admin_user, blank_user]}}
|
||||
end
|
||||
assert conn.status == 403
|
||||
end
|
||||
|
||||
test "if token has any of admin scopes, accepts a user that is an admin", %{conn: conn} do
|
||||
user = insert(:user, is_admin: true)
|
||||
token = insert(:oauth_token, user: user, scopes: ["admin:something"])
|
||||
test "denies when a user isn't set" do
|
||||
conn = UserIsAdminPlug.call(build_conn(), %{})
|
||||
|
||||
conn =
|
||||
conn
|
||||
|> assign(:user, user)
|
||||
|> assign(:token, token)
|
||||
|
||||
ret_conn = UserIsAdminPlug.call(conn, %{})
|
||||
|
||||
assert conn == ret_conn
|
||||
end
|
||||
|
||||
test "if token has any of admin scopes, denies a user that isn't an admin", %{conn: conn} do
|
||||
user = insert(:user, is_admin: false)
|
||||
token = insert(:oauth_token, user: user, scopes: ["admin:something"])
|
||||
|
||||
conn =
|
||||
conn
|
||||
|> assign(:user, user)
|
||||
|> assign(:token, token)
|
||||
|> UserIsAdminPlug.call(%{})
|
||||
|
||||
assert conn.status == 403
|
||||
end
|
||||
|
||||
test "if token has any of admin scopes, denies when a user isn't set", %{conn: conn} do
|
||||
token = insert(:oauth_token, scopes: ["admin:something"])
|
||||
|
||||
conn =
|
||||
conn
|
||||
|> assign(:user, nil)
|
||||
|> assign(:token, token)
|
||||
|> UserIsAdminPlug.call(%{})
|
||||
|
||||
assert conn.status == 403
|
||||
end
|
||||
|
||||
test "if token lacks admin scopes, denies users regardless of is_admin flag",
|
||||
%{users: users} do
|
||||
for user <- users do
|
||||
token = insert(:oauth_token, user: user)
|
||||
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, user)
|
||||
|> assign(:token, token)
|
||||
|> UserIsAdminPlug.call(%{})
|
||||
|
||||
assert conn.status == 403
|
||||
end
|
||||
end
|
||||
|
||||
test "if token is missing, denies users regardless of is_admin flag", %{users: users} do
|
||||
for user <- users do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, user)
|
||||
|> assign(:token, nil)
|
||||
|> UserIsAdminPlug.call(%{})
|
||||
|
||||
assert conn.status == 403
|
||||
end
|
||||
end
|
||||
assert conn.status == 403
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -41,6 +41,16 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
|
|||
{:ok, %{admin: admin, token: token, conn: conn}}
|
||||
end
|
||||
|
||||
test "with valid `admin_token` query parameter, skips OAuth scopes check" do
|
||||
clear_config([:admin_token], "password123")
|
||||
|
||||
user = insert(:user)
|
||||
|
||||
conn = get(build_conn(), "/api/pleroma/admin/users/#{user.nickname}?admin_token=password123")
|
||||
|
||||
assert json_response(conn, 200)
|
||||
end
|
||||
|
||||
describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
|
||||
|
||||
|
|
|
|||
|
|
@ -152,6 +152,14 @@ defmodule Pleroma.Web.AdminAPI.ConfigControllerTest do
|
|||
assert emoji_val[:groups] == [a: 1, b: 2]
|
||||
assert assets_val[:mascots] == [a: 1, b: 2]
|
||||
end
|
||||
|
||||
test "with valid `admin_token` query parameter, skips OAuth scopes check" do
|
||||
clear_config([:admin_token], "password123")
|
||||
|
||||
build_conn()
|
||||
|> get("/api/pleroma/admin/config?admin_token=password123")
|
||||
|> json_response_and_validate_schema(200)
|
||||
end
|
||||
end
|
||||
|
||||
test "POST /api/pleroma/admin/config error", %{conn: conn} do
|
||||
|
|
|
|||
|
|
@ -297,7 +297,7 @@ defmodule Pleroma.Web.AdminAPI.ReportControllerTest do
|
|||
|> get("/api/pleroma/admin/reports")
|
||||
|
||||
assert json_response(conn, :forbidden) ==
|
||||
%{"error" => "User is not an admin or OAuth admin scope is not granted."}
|
||||
%{"error" => "User is not an admin."}
|
||||
end
|
||||
|
||||
test "returns 403 when requested by anonymous" do
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue