# Pleroma: A lightweight social networking server # Copyright © 2017-2018 Pleroma Authors # SPDX-License-Identifier: AGPL-3.0-only defmodule Pleroma.Plugs.OAuthScopesPlugTest do use Pleroma.Web.ConnCase, async: true alias Pleroma.Plugs.OAuthScopesPlug alias Pleroma.Repo import Pleroma.Factory test "proceeds with no op if `assigns[:token]` is nil", %{conn: conn} do conn = conn |> assign(:user, insert(:user)) |> OAuthScopesPlug.call(%{scopes: ["read"]}) refute conn.halted assert conn.assigns[:user] end test "proceeds with no op if `token.scopes` fulfill specified 'any of' conditions", %{ conn: conn } do token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user) conn = conn |> assign(:user, token.user) |> assign(:token, token) |> OAuthScopesPlug.call(%{scopes: ["read"]}) refute conn.halted assert conn.assigns[:user] end test "proceeds with no op if `token.scopes` fulfill specified 'all of' conditions", %{ conn: conn } do token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user) conn = conn |> assign(:user, token.user) |> assign(:token, token) |> OAuthScopesPlug.call(%{scopes: ["scope2", "scope3"], op: :&}) refute conn.halted assert conn.assigns[:user] end test "proceeds with cleared `assigns[:user]` if `token.scopes` doesn't fulfill specified 'any of' conditions " <> "and `fallback: :proceed_unauthenticated` option is specified", %{conn: conn} do token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user) conn = conn |> assign(:user, token.user) |> assign(:token, token) |> OAuthScopesPlug.call(%{scopes: ["follow"], fallback: :proceed_unauthenticated}) refute conn.halted refute conn.assigns[:user] end test "proceeds with cleared `assigns[:user]` if `token.scopes` doesn't fulfill specified 'all of' conditions " <> "and `fallback: :proceed_unauthenticated` option is specified", %{conn: conn} do token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user) conn = conn |> assign(:user, token.user) |> assign(:token, token) |> OAuthScopesPlug.call(%{ scopes: ["read", "follow"], op: :&, fallback: :proceed_unauthenticated }) refute conn.halted refute conn.assigns[:user] end test "returns 403 and halts in case of no :fallback option and `token.scopes` not fulfilling specified 'any of' conditions", %{conn: conn} do token = insert(:oauth_token, scopes: ["read", "write"]) any_of_scopes = ["follow"] conn = conn |> assign(:token, token) |> OAuthScopesPlug.call(%{scopes: any_of_scopes}) assert conn.halted assert 403 == conn.status expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, ", ")}." assert Jason.encode!(%{error: expected_error}) == conn.resp_body end test "returns 403 and halts in case of no :fallback option and `token.scopes` not fulfilling specified 'all of' conditions", %{conn: conn} do token = insert(:oauth_token, scopes: ["read", "write"]) all_of_scopes = ["write", "follow"] conn = conn |> assign(:token, token) |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&}) assert conn.halted assert 403 == conn.status expected_error = "Insufficient permissions: #{Enum.join(all_of_scopes -- token.scopes, ", ")}." assert Jason.encode!(%{error: expected_error}) == conn.resp_body end end