[#1427] Fixes / improvements of admin scopes support. Added tests.

2019-12-06 20:33:47 +03:00 · 2019-12-06 20:33:47 +03:00 · 40e1817f70
commit 40e1817f70
parent 93a80ee915
6 changed files with 162 additions and 58 deletions
--- a/lib/pleroma/plugs/oauth_scopes_plug.ex
+++ b/lib/pleroma/plugs/oauth_scopes_plug.ex
@ -6,6 +6,7 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do
  import Plug.Conn
  import Pleroma.Web.Gettext

+  alias Pleroma.Config
  alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug

  @behaviour Plug
@ -15,6 +16,14 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do
  def call(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do
    op = options[:op] || :|
    token = assigns[:token]
+
+    scopes =
+      if options[:admin] do
+        Config.oauth_admin_scopes(scopes)
+      else
+        scopes
+      end
+
    matched_scopes = token && filter_descendants(scopes, token.scopes)

    cond do
--- a/lib/pleroma/plugs/user_is_admin_plug.ex
+++ b/lib/pleroma/plugs/user_is_admin_plug.ex
@ -12,31 +12,23 @@ defmodule Pleroma.Plugs.UserIsAdminPlug do
    options
  end

-  unless Pleroma.Config.enforce_oauth_admin_scope_usage?() do
-    # To do: once AdminFE makes use of "admin" scope, disable the following func definition
-    #   (fail on no admin scope(s) in token even if `is_admin` is true)
-    def call(%Plug.Conn{assigns: %{user: %Pleroma.User{is_admin: true}}} = conn, _) do
-      conn
+  def call(%Plug.Conn{assigns: assigns} = conn, _) do
+    token = assigns[:token]
+    user = assigns[:user]
+
+    cond do
+      token && OAuth.Scopes.contains_admin_scopes?(token.scopes) ->
+        # Note: checking for _any_ admin scope presence, not necessarily fitting requested action.
+        #   Thus, controller must explicitly invoke OAuthScopesPlug to verify scope requirements.
+        conn
+
+      user && user.is_admin && !Pleroma.Config.enforce_oauth_admin_scope_usage?() ->
+        conn
+
+      true ->
+        conn
+        |> render_error(:forbidden, "User is not an admin or OAuth admin scope is not granted.")
+        |> halt()
    end
  end
-
-  def call(%Plug.Conn{assigns: %{token: %OAuth.Token{scopes: oauth_scopes} = _token}} = conn, _) do
-    if OAuth.Scopes.contains_admin_scopes?(oauth_scopes) do
-      # Note: checking for _any_ admin scope presence, not necessarily fitting requested action.
-      #   Thus, controller must explicitly invoke OAuthScopesPlug to verify scope requirements.
-      conn
-    else
-      fail(conn)
-    end
-  end
-
-  def call(conn, _) do
-    fail(conn)
-  end
-
-  defp fail(conn) do
-    conn
-    |> render_error(:forbidden, "User is not an admin or OAuth admin scope is not granted.")
-    |> halt()
-  end
 end
--- a/lib/pleroma/web/admin_api/admin_api_controller.ex
+++ b/lib/pleroma/web/admin_api/admin_api_controller.ex
@ -30,13 +30,13 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do

  plug(
    OAuthScopesPlug,
-    %{scopes: Pleroma.Config.oauth_admin_scopes("read:accounts")}
+    %{scopes: ["read:accounts"], admin: true}
    when action in [:list_users, :user_show, :right_get, :invites]
  )

  plug(
    OAuthScopesPlug,
-    %{scopes: Pleroma.Config.oauth_admin_scopes("write:accounts")}
+    %{scopes: ["write:accounts"], admin: true}
    when action in [
           :get_invite_token,
           :revoke_invite,
@ -58,37 +58,37 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do

  plug(
    OAuthScopesPlug,
-    %{scopes: Pleroma.Config.oauth_admin_scopes("read:reports")}
+    %{scopes: ["read:reports"], admin: true}
    when action in [:list_reports, :report_show]
  )

  plug(
    OAuthScopesPlug,
-    %{scopes: Pleroma.Config.oauth_admin_scopes("write:reports")}
+    %{scopes: ["write:reports"], admin: true}
    when action in [:report_update_state, :report_respond]
  )

  plug(
    OAuthScopesPlug,
-    %{scopes: Pleroma.Config.oauth_admin_scopes("read:statuses")}
+    %{scopes: ["read:statuses"], admin: true}
    when action == :list_user_statuses
  )

  plug(
    OAuthScopesPlug,
-    %{scopes: Pleroma.Config.oauth_admin_scopes("write:statuses")}
+    %{scopes: ["write:statuses"], admin: true}
    when action in [:status_update, :status_delete]
  )

  plug(
    OAuthScopesPlug,
-    %{scopes: Pleroma.Config.oauth_admin_scopes("read")}
+    %{scopes: ["read"], admin: true}
    when action in [:config_show, :migrate_to_db, :migrate_from_db, :list_log]
  )

  plug(
    OAuthScopesPlug,
-    %{scopes: Pleroma.Config.oauth_admin_scopes("write")}
+    %{scopes: ["write"], admin: true}
    when action in [:relay_follow, :relay_unfollow, :config_update]
  )

--- a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex
@ -7,7 +7,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIController do

  plug(
    OAuthScopesPlug,
-    %{scopes: Pleroma.Config.oauth_admin_scopes("write")}
+    %{scopes: ["write"], admin: true}
    when action in [
           :create,
           :delete,