[#1940] Reinstated OAuth-less admin_token authentication. Refactored UserIsAdminPlug (freed from checking admin scopes presence).

test/plugs/admin_secret_authentication_plug_test.exs

@@ -7,6 +7,8 @@ defmodule Pleroma.Plugs.AdminSecretAuthenticationPlugTest do
   import Pleroma.Factory
 
   alias Pleroma.Plugs.AdminSecretAuthenticationPlug
+  alias Pleroma.Plugs.OAuthScopesPlug
+  alias Pleroma.Plugs.PlugHelper
 
   test "does nothing if a user is assigned", %{conn: conn} do
     user = insert(:user)
@@ -39,6 +41,7 @@ defmodule Pleroma.Plugs.AdminSecretAuthenticationPlugTest do
         |> AdminSecretAuthenticationPlug.call(%{})
 
       assert conn.assigns[:user].is_admin
+      assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)
     end
 
     test "with `x-admin-token` HTTP header", %{conn: conn} do
@@ -57,6 +60,7 @@ defmodule Pleroma.Plugs.AdminSecretAuthenticationPlugTest do
         |> AdminSecretAuthenticationPlug.call(%{})
 
       assert conn.assigns[:user].is_admin
+      assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)
     end
   end
 end

test/plugs/user_is_admin_plug_test.exs

@@ -8,112 +8,30 @@ defmodule Pleroma.Plugs.UserIsAdminPlugTest do
   alias Pleroma.Plugs.UserIsAdminPlug
   import Pleroma.Factory
 
-  describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do
-    setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
+  test "accepts a user that is an admin" do
+    user = insert(:user, is_admin: true)
 
-    test "accepts a user that is an admin" do
-      user = insert(:user, is_admin: true)
+    conn = assign(build_conn(), :user, user)
 
-      conn = assign(build_conn(), :user, user)
+    ret_conn = UserIsAdminPlug.call(conn, %{})
 
-      ret_conn = UserIsAdminPlug.call(conn, %{})
-
-      assert conn == ret_conn
-    end
-
-    test "denies a user that isn't an admin" do
-      user = insert(:user)
-
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> UserIsAdminPlug.call(%{})
-
-      assert conn.status == 403
-    end
-
-    test "denies when a user isn't set" do
-      conn = UserIsAdminPlug.call(build_conn(), %{})
-
-      assert conn.status == 403
-    end
+    assert conn == ret_conn
   end
 
-  describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
-    setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
+  test "denies a user that isn't an admin" do
+    user = insert(:user)
 
-    setup do
-      admin_user = insert(:user, is_admin: true)
-      non_admin_user = insert(:user, is_admin: false)
-      blank_user = nil
+    conn =
+      build_conn()
+      |> assign(:user, user)
+      |> UserIsAdminPlug.call(%{})
 
-      {:ok, %{users: [admin_user, non_admin_user, blank_user]}}
-    end
+    assert conn.status == 403
+  end
 
-    test "if token has any of admin scopes, accepts a user that is an admin", %{conn: conn} do
-      user = insert(:user, is_admin: true)
-      token = insert(:oauth_token, user: user, scopes: ["admin:something"])
+  test "denies when a user isn't set" do
+    conn = UserIsAdminPlug.call(build_conn(), %{})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> assign(:token, token)
-
-      ret_conn = UserIsAdminPlug.call(conn, %{})
-
-      assert conn == ret_conn
-    end
-
-    test "if token has any of admin scopes, denies a user that isn't an admin", %{conn: conn} do
-      user = insert(:user, is_admin: false)
-      token = insert(:oauth_token, user: user, scopes: ["admin:something"])
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> assign(:token, token)
-        |> UserIsAdminPlug.call(%{})
-
-      assert conn.status == 403
-    end
-
-    test "if token has any of admin scopes, denies when a user isn't set", %{conn: conn} do
-      token = insert(:oauth_token, scopes: ["admin:something"])
-
-      conn =
-        conn
-        |> assign(:user, nil)
-        |> assign(:token, token)
-        |> UserIsAdminPlug.call(%{})
-
-      assert conn.status == 403
-    end
-
-    test "if token lacks admin scopes, denies users regardless of is_admin flag",
-         %{users: users} do
-      for user <- users do
-        token = insert(:oauth_token, user: user)
-
-        conn =
-          build_conn()
-          |> assign(:user, user)
-          |> assign(:token, token)
-          |> UserIsAdminPlug.call(%{})
-
-        assert conn.status == 403
-      end
-    end
-
-    test "if token is missing, denies users regardless of is_admin flag", %{users: users} do
-      for user <- users do
-        conn =
-          build_conn()
-          |> assign(:user, user)
-          |> assign(:token, nil)
-          |> UserIsAdminPlug.call(%{})
-
-        assert conn.status == 403
-      end
-    end
+    assert conn.status == 403
   end
 end

test/web/admin_api/controllers/admin_api_controller_test.exs

@@ -41,6 +41,16 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
     {:ok, %{admin: admin, token: token, conn: conn}}
   end
 
+  test "with valid `admin_token` query parameter, skips OAuth scopes check" do
+    clear_config([:admin_token], "password123")
+
+    user = insert(:user)
+
+    conn = get(build_conn(), "/api/pleroma/admin/users/#{user.nickname}?admin_token=password123")
+
+    assert json_response(conn, 200)
+  end
+
   describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
     setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
 

test/web/admin_api/controllers/report_controller_test.exs

@@ -297,7 +297,7 @@ defmodule Pleroma.Web.AdminAPI.ReportControllerTest do
         |> get("/api/pleroma/admin/reports")
 
       assert json_response(conn, :forbidden) ==
-               %{"error" => "User is not an admin or OAuth admin scope is not granted."}
+               %{"error" => "User is not an admin."}
     end
 
     test "returns 403 when requested by anonymous" do