Remove :auth, :enforce_oauth_admin_scope_usage
`admin` scope has been required by default for more than a year now and all apps that use the API seems to request a proper scope by now.
This commit is contained in:
parent
679a2e799e
commit
6d66fadea7
9 changed files with 70 additions and 239 deletions
|
@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
|
||||
## Unreleased
|
||||
|
||||
### Removed
|
||||
|
||||
- `:auth, :enforce_oauth_admin_scope_usage` configuration option.
|
||||
|
||||
### Changed
|
||||
|
||||
- **Breaking**: Changed `mix pleroma.user toggle_confirmed` to `mix pleroma.user confirm`
|
||||
|
|
|
@ -611,10 +611,7 @@
|
|||
base_path: "/oauth",
|
||||
providers: ueberauth_providers
|
||||
|
||||
config :pleroma,
|
||||
:auth,
|
||||
enforce_oauth_admin_scope_usage: true,
|
||||
oauth_consumer_strategies: oauth_consumer_strategies
|
||||
config :pleroma, :auth, oauth_consumer_strategies: oauth_consumer_strategies
|
||||
|
||||
config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false
|
||||
|
||||
|
|
|
@ -2,13 +2,6 @@
|
|||
|
||||
Authentication is required and the user must be an admin.
|
||||
|
||||
Configuration options:
|
||||
|
||||
* `[:auth, :enforce_oauth_admin_scope_usage]` — OAuth admin scope requirement toggle.
|
||||
If `true`, admin actions explicitly demand admin OAuth scope(s) presence in OAuth token (client app must support admin scopes).
|
||||
If `false` and token doesn't have admin scope(s), `is_admin` user flag grants access to admin-specific actions.
|
||||
Note that client app needs to explicitly support admin scopes and request them when obtaining auth token.
|
||||
|
||||
## `GET /api/pleroma/admin/users`
|
||||
|
||||
### List users
|
||||
|
|
|
@ -100,15 +100,7 @@ def oauth_consumer_strategies, do: get([:auth, :oauth_consumer_strategies], [])
|
|||
|
||||
def oauth_consumer_enabled?, do: oauth_consumer_strategies() != []
|
||||
|
||||
def enforce_oauth_admin_scope_usage?, do: !!get([:auth, :enforce_oauth_admin_scope_usage])
|
||||
|
||||
def oauth_admin_scopes(scopes) when is_list(scopes) do
|
||||
Enum.flat_map(
|
||||
scopes,
|
||||
fn scope ->
|
||||
["admin:#{scope}"] ++
|
||||
if enforce_oauth_admin_scope_usage?(), do: [], else: [scope]
|
||||
end
|
||||
)
|
||||
Enum.map(scopes, fn scope -> "admin:#{scope}" end)
|
||||
end
|
||||
end
|
||||
|
|
|
@ -46,104 +46,47 @@ test "with valid `admin_token` query parameter, skips OAuth scopes check" do
|
|||
assert json_response(conn, 200)
|
||||
end
|
||||
|
||||
describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
|
||||
test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
|
||||
%{admin: admin} do
|
||||
user = insert(:user)
|
||||
url = "/api/pleroma/admin/users/#{user.nickname}"
|
||||
|
||||
test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
|
||||
%{admin: admin} do
|
||||
user = insert(:user)
|
||||
url = "/api/pleroma/admin/users/#{user.nickname}"
|
||||
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
|
||||
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
|
||||
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
|
||||
|
||||
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
|
||||
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
|
||||
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
|
||||
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
|
||||
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
|
||||
bad_token3 = nil
|
||||
|
||||
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
|
||||
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
|
||||
bad_token3 = nil
|
||||
for good_token <- [good_token1, good_token2, good_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
for good_token <- [good_token1, good_token2, good_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, 200)
|
||||
end
|
||||
|
||||
for good_token <- [good_token1, good_token2, good_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, nil)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
|
||||
for bad_token <- [bad_token1, bad_token2, bad_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, bad_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
assert json_response(conn, 200)
|
||||
end
|
||||
end
|
||||
|
||||
describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
|
||||
for good_token <- [good_token1, good_token2, good_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, nil)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
test "GET /api/pleroma/admin/users/:nickname requires " <>
|
||||
"read:accounts or admin:read:accounts or broader scope",
|
||||
%{admin: admin} do
|
||||
user = insert(:user)
|
||||
url = "/api/pleroma/admin/users/#{user.nickname}"
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
|
||||
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
|
||||
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
|
||||
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
|
||||
good_token4 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
|
||||
good_token5 = insert(:oauth_token, user: admin, scopes: ["read"])
|
||||
for bad_token <- [bad_token1, bad_token2, bad_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, bad_token)
|
||||
|> get(url)
|
||||
|
||||
good_tokens = [good_token1, good_token2, good_token3, good_token4, good_token5]
|
||||
|
||||
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts:partial"])
|
||||
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
|
||||
bad_token3 = nil
|
||||
|
||||
for good_token <- good_tokens do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, 200)
|
||||
end
|
||||
|
||||
for good_token <- good_tokens do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, nil)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
|
||||
for bad_token <- [bad_token1, bad_token2, bad_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, bad_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -47,104 +47,47 @@ test "with valid `admin_token` query parameter, skips OAuth scopes check" do
|
|||
assert json_response(conn, 200)
|
||||
end
|
||||
|
||||
describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
|
||||
test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
|
||||
%{admin: admin} do
|
||||
user = insert(:user)
|
||||
url = "/api/pleroma/admin/users/#{user.nickname}"
|
||||
|
||||
test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
|
||||
%{admin: admin} do
|
||||
user = insert(:user)
|
||||
url = "/api/pleroma/admin/users/#{user.nickname}"
|
||||
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
|
||||
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
|
||||
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
|
||||
|
||||
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
|
||||
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
|
||||
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
|
||||
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
|
||||
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
|
||||
bad_token3 = nil
|
||||
|
||||
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
|
||||
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
|
||||
bad_token3 = nil
|
||||
for good_token <- [good_token1, good_token2, good_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
for good_token <- [good_token1, good_token2, good_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, 200)
|
||||
end
|
||||
|
||||
for good_token <- [good_token1, good_token2, good_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, nil)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
|
||||
for bad_token <- [bad_token1, bad_token2, bad_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, bad_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
assert json_response(conn, 200)
|
||||
end
|
||||
end
|
||||
|
||||
describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
|
||||
for good_token <- [good_token1, good_token2, good_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, nil)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
test "GET /api/pleroma/admin/users/:nickname requires " <>
|
||||
"read:accounts or admin:read:accounts or broader scope",
|
||||
%{admin: admin} do
|
||||
user = insert(:user)
|
||||
url = "/api/pleroma/admin/users/#{user.nickname}"
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
|
||||
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
|
||||
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
|
||||
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
|
||||
good_token4 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
|
||||
good_token5 = insert(:oauth_token, user: admin, scopes: ["read"])
|
||||
for bad_token <- [bad_token1, bad_token2, bad_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, bad_token)
|
||||
|> get(url)
|
||||
|
||||
good_tokens = [good_token1, good_token2, good_token3, good_token4, good_token5]
|
||||
|
||||
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts:partial"])
|
||||
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
|
||||
bad_token3 = nil
|
||||
|
||||
for good_token <- good_tokens do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, 200)
|
||||
end
|
||||
|
||||
for good_token <- good_tokens do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, nil)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
|
||||
for bad_token <- [bad_token1, bad_token2, bad_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, bad_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -13,8 +13,6 @@ defmodule Pleroma.Web.PleromaAPI.EmojiFileControllerTest do
|
|||
Pleroma.Config.get!([:instance, :static_dir]),
|
||||
"emoji"
|
||||
)
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
|
||||
|
||||
setup do: clear_config([:instance, :public], true)
|
||||
|
||||
setup do
|
||||
|
|
|
@ -13,7 +13,6 @@ defmodule Pleroma.Web.PleromaAPI.EmojiPackControllerTest do
|
|||
Pleroma.Config.get!([:instance, :static_dir]),
|
||||
"emoji"
|
||||
)
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
|
||||
|
||||
setup do: clear_config([:instance, :public], true)
|
||||
|
||||
|
|
|
@ -169,42 +169,4 @@ test "filters scopes which directly match or are ancestors of supported scopes"
|
|||
assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
|
||||
end
|
||||
end
|
||||
|
||||
describe "transform_scopes/2" do
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage])
|
||||
|
||||
setup do
|
||||
{:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}
|
||||
end
|
||||
|
||||
test "with :admin option, prefixes all requested scopes with `admin:` " <>
|
||||
"and [optionally] keeps only prefixed scopes, " <>
|
||||
"depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
|
||||
%{f: f} do
|
||||
clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
|
||||
|
||||
assert f.(["read"], %{admin: true}) == ["admin:read", "read"]
|
||||
|
||||
assert f.(["read", "write"], %{admin: true}) == [
|
||||
"admin:read",
|
||||
"read",
|
||||
"admin:write",
|
||||
"write"
|
||||
]
|
||||
|
||||
clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
|
||||
|
||||
assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]
|
||||
|
||||
assert f.(["read", "write:reports"], %{admin: true}) == [
|
||||
"admin:read",
|
||||
"admin:write:reports"
|
||||
]
|
||||
end
|
||||
|
||||
test "with no supported options, returns unmodified scopes", %{f: f} do
|
||||
assert f.(["read"], %{}) == ["read"]
|
||||
assert f.(["read", "write"], %{}) == ["read", "write"]
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue