[#1478] OAuth admin tweaks: enforced OAuth admin scopes usage by default, migrated existing OAuth records. Adjusted tests.
This commit is contained in:
parent
e8b0c7689a
commit
6c94b7498b
|
@ -11,6 +11,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
### Changed
|
### Changed
|
||||||
- **Breaking:** Elixir >=1.8 is now required (was >= 1.7)
|
- **Breaking:** Elixir >=1.8 is now required (was >= 1.7)
|
||||||
- **Breaking:** attachment links (`config :pleroma, :instance, no_attachment_links` and `config :pleroma, Pleroma.Upload, link_name`) disabled by default
|
- **Breaking:** attachment links (`config :pleroma, :instance, no_attachment_links` and `config :pleroma, Pleroma.Upload, link_name`) disabled by default
|
||||||
|
- **Breaking:** OAuth: defaulted `[:auth, :enforce_oauth_admin_scope_usage]` setting to `true` which demands `admin` OAuth scope to perform admin actions (in addition to `is_admin` flag on User); make sure to use bundled or newer versions of AdminFE & PleromaFE to access admin / moderator features.
|
||||||
- Replaced [pleroma_job_queue](https://git.pleroma.social/pleroma/pleroma_job_queue) and `Pleroma.Web.Federator.RetryQueue` with [Oban](https://github.com/sorentwo/oban) (see [`docs/config.md`](docs/config.md) on migrating customized worker / retry settings)
|
- Replaced [pleroma_job_queue](https://git.pleroma.social/pleroma/pleroma_job_queue) and `Pleroma.Web.Federator.RetryQueue` with [Oban](https://github.com/sorentwo/oban) (see [`docs/config.md`](docs/config.md) on migrating customized worker / retry settings)
|
||||||
- Introduced [quantum](https://github.com/quantum-elixir/quantum-core) job scheduler
|
- Introduced [quantum](https://github.com/quantum-elixir/quantum-core) job scheduler
|
||||||
- Enabled `:instance, extended_nickname_format` in the default config
|
- Enabled `:instance, extended_nickname_format` in the default config
|
||||||
|
|
|
@ -565,7 +565,7 @@
|
||||||
|
|
||||||
config :pleroma,
|
config :pleroma,
|
||||||
:auth,
|
:auth,
|
||||||
enforce_oauth_admin_scope_usage: false,
|
enforce_oauth_admin_scope_usage: true,
|
||||||
oauth_consumer_strategies: oauth_consumer_strategies
|
oauth_consumer_strategies: oauth_consumer_strategies
|
||||||
|
|
||||||
config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false
|
config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false
|
||||||
|
|
|
@ -23,6 +23,7 @@ def call(%{assigns: %{user: %User{is_admin: true}} = assigns} = conn, _) do
|
||||||
token && OAuth.Scopes.contains_admin_scopes?(token.scopes) ->
|
token && OAuth.Scopes.contains_admin_scopes?(token.scopes) ->
|
||||||
# Note: checking for _any_ admin scope presence, not necessarily fitting requested action.
|
# Note: checking for _any_ admin scope presence, not necessarily fitting requested action.
|
||||||
# Thus, controller must explicitly invoke OAuthScopesPlug to verify scope requirements.
|
# Thus, controller must explicitly invoke OAuthScopesPlug to verify scope requirements.
|
||||||
|
# Admin might opt out of admin scope for some apps to block any admin actions from them.
|
||||||
conn
|
conn
|
||||||
|
|
||||||
true ->
|
true ->
|
||||||
|
|
|
@ -1847,22 +1847,13 @@ defp truncate_field(%{"name" => name, "value" => value}) do
|
||||||
end
|
end
|
||||||
|
|
||||||
def admin_api_update(user, params) do
|
def admin_api_update(user, params) do
|
||||||
changeset =
|
user
|
||||||
cast(user, params, [
|
|> cast(params, [
|
||||||
:is_moderator,
|
:is_moderator,
|
||||||
:is_admin,
|
:is_admin,
|
||||||
:show_role
|
:show_role
|
||||||
])
|
])
|
||||||
|
|> update_and_set_cache()
|
||||||
with {:ok, updated_user} <- update_and_set_cache(changeset) do
|
|
||||||
if user.is_admin && !updated_user.is_admin do
|
|
||||||
# Tokens & authorizations containing any admin scopes must be revoked (revoking all).
|
|
||||||
# This is an extra safety measure (tokens' admin scopes won't be accepted for non-admins).
|
|
||||||
global_sign_out(user)
|
|
||||||
end
|
|
||||||
|
|
||||||
{:ok, updated_user}
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
@doc "Signs user out of all applications"
|
@doc "Signs user out of all applications"
|
||||||
|
|
|
@ -222,7 +222,7 @@ def token_exchange(
|
||||||
{:user_active, true} <- {:user_active, !user.deactivated},
|
{:user_active, true} <- {:user_active, !user.deactivated},
|
||||||
{:password_reset_pending, false} <-
|
{:password_reset_pending, false} <-
|
||||||
{:password_reset_pending, user.password_reset_pending},
|
{:password_reset_pending, user.password_reset_pending},
|
||||||
{:ok, scopes} <- validate_scopes(app, params, user),
|
{:ok, scopes} <- validate_scopes(app, params),
|
||||||
{:ok, auth} <- Authorization.create_authorization(app, user, scopes),
|
{:ok, auth} <- Authorization.create_authorization(app, user, scopes),
|
||||||
{:ok, token} <- Token.exchange_token(app, auth) do
|
{:ok, token} <- Token.exchange_token(app, auth) do
|
||||||
json(conn, Token.Response.build(user, token))
|
json(conn, Token.Response.build(user, token))
|
||||||
|
@ -471,7 +471,7 @@ defp do_create_authorization(
|
||||||
{:get_user, (user && {:ok, user}) || Authenticator.get_user(conn)},
|
{:get_user, (user && {:ok, user}) || Authenticator.get_user(conn)},
|
||||||
%App{} = app <- Repo.get_by(App, client_id: client_id),
|
%App{} = app <- Repo.get_by(App, client_id: client_id),
|
||||||
true <- redirect_uri in String.split(app.redirect_uris),
|
true <- redirect_uri in String.split(app.redirect_uris),
|
||||||
{:ok, scopes} <- validate_scopes(app, auth_attrs, user),
|
{:ok, scopes} <- validate_scopes(app, auth_attrs),
|
||||||
{:auth_active, true} <- {:auth_active, User.auth_active?(user)} do
|
{:auth_active, true} <- {:auth_active, User.auth_active?(user)} do
|
||||||
Authorization.create_authorization(app, user, scopes)
|
Authorization.create_authorization(app, user, scopes)
|
||||||
end
|
end
|
||||||
|
@ -487,12 +487,12 @@ defp get_session_registration_id(%Plug.Conn{} = conn), do: get_session(conn, :re
|
||||||
defp put_session_registration_id(%Plug.Conn{} = conn, registration_id),
|
defp put_session_registration_id(%Plug.Conn{} = conn, registration_id),
|
||||||
do: put_session(conn, :registration_id, registration_id)
|
do: put_session(conn, :registration_id, registration_id)
|
||||||
|
|
||||||
@spec validate_scopes(App.t(), map(), User.t()) ::
|
@spec validate_scopes(App.t(), map()) ::
|
||||||
{:ok, list()} | {:error, :missing_scopes | :unsupported_scopes}
|
{:ok, list()} | {:error, :missing_scopes | :unsupported_scopes}
|
||||||
defp validate_scopes(%App{} = app, params, %User{} = user) do
|
defp validate_scopes(%App{} = app, params) do
|
||||||
params
|
params
|
||||||
|> Scopes.fetch_scopes(app.scopes)
|
|> Scopes.fetch_scopes(app.scopes)
|
||||||
|> Scopes.validate(app.scopes, user)
|
|> Scopes.validate(app.scopes)
|
||||||
end
|
end
|
||||||
|
|
||||||
def default_redirect_uri(%App{} = app) do
|
def default_redirect_uri(%App{} = app) do
|
||||||
|
|
|
@ -8,7 +8,6 @@ defmodule Pleroma.Web.OAuth.Scopes do
|
||||||
"""
|
"""
|
||||||
|
|
||||||
alias Pleroma.Plugs.OAuthScopesPlug
|
alias Pleroma.Plugs.OAuthScopesPlug
|
||||||
alias Pleroma.User
|
|
||||||
|
|
||||||
@doc """
|
@doc """
|
||||||
Fetch scopes from request params.
|
Fetch scopes from request params.
|
||||||
|
@ -56,35 +55,18 @@ def to_string(scopes), do: Enum.join(scopes, " ")
|
||||||
@doc """
|
@doc """
|
||||||
Validates scopes.
|
Validates scopes.
|
||||||
"""
|
"""
|
||||||
@spec validate(list() | nil, list(), User.t()) ::
|
@spec validate(list() | nil, list()) ::
|
||||||
{:ok, list()} | {:error, :missing_scopes | :unsupported_scopes}
|
{:ok, list()} | {:error, :missing_scopes | :unsupported_scopes}
|
||||||
def validate(blank_scopes, _app_scopes, _user) when blank_scopes in [nil, []],
|
def validate(blank_scopes, _app_scopes) when blank_scopes in [nil, []],
|
||||||
do: {:error, :missing_scopes}
|
do: {:error, :missing_scopes}
|
||||||
|
|
||||||
def validate(scopes, app_scopes, %User{} = user) do
|
def validate(scopes, app_scopes) do
|
||||||
with {:ok, _} <- ensure_scopes_support(scopes, app_scopes),
|
|
||||||
{:ok, scopes} <- authorize_admin_scopes(scopes, app_scopes, user) do
|
|
||||||
{:ok, scopes}
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
defp ensure_scopes_support(scopes, app_scopes) do
|
|
||||||
case OAuthScopesPlug.filter_descendants(scopes, app_scopes) do
|
case OAuthScopesPlug.filter_descendants(scopes, app_scopes) do
|
||||||
^scopes -> {:ok, scopes}
|
^scopes -> {:ok, scopes}
|
||||||
_ -> {:error, :unsupported_scopes}
|
_ -> {:error, :unsupported_scopes}
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
defp authorize_admin_scopes(scopes, app_scopes, %User{} = user) do
|
|
||||||
if user.is_admin || !contains_admin_scopes?(scopes) || !contains_admin_scopes?(app_scopes) do
|
|
||||||
{:ok, scopes}
|
|
||||||
else
|
|
||||||
# Gracefully dropping admin scopes from requested scopes if user isn't an admin (not raising)
|
|
||||||
scopes = scopes -- OAuthScopesPlug.filter_descendants(scopes, ["admin"])
|
|
||||||
validate(scopes, app_scopes, user)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
def contains_admin_scopes?(scopes) do
|
def contains_admin_scopes?(scopes) do
|
||||||
scopes
|
scopes
|
||||||
|> OAuthScopesPlug.filter_descendants(["admin"])
|
|> OAuthScopesPlug.filter_descendants(["admin"])
|
||||||
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
defmodule Pleroma.Repo.Migrations.AddScopesToPleromaFEOAuthRecords do
|
||||||
|
use Ecto.Migration
|
||||||
|
|
||||||
|
def up do
|
||||||
|
update_scopes_clause = "SET scopes = '{read,write,follow,push,admin}'"
|
||||||
|
apps_where = "WHERE apps.client_name like 'PleromaFE_%' or apps.client_name like 'AdminFE_%'"
|
||||||
|
app_id_subquery_where = "WHERE app_id IN (SELECT apps.id FROM apps #{apps_where})"
|
||||||
|
|
||||||
|
execute("UPDATE apps #{update_scopes_clause} #{apps_where}")
|
||||||
|
|
||||||
|
for table <- ["oauth_authorizations", "oauth_tokens"] do
|
||||||
|
execute("UPDATE #{table} #{update_scopes_clause} #{app_id_subquery_where}")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def down, do: :noop
|
||||||
|
end
|
|
@ -568,29 +568,34 @@ test "with existing authentication and OOB `redirect_uri`, redirects to app with
|
||||||
|
|
||||||
describe "POST /oauth/authorize" do
|
describe "POST /oauth/authorize" do
|
||||||
test "redirects with oauth authorization, " <>
|
test "redirects with oauth authorization, " <>
|
||||||
"keeping only non-admin scopes for non-admin user" do
|
"granting requested app-supported scopes to both admin- and non-admin users" do
|
||||||
app = insert(:oauth_app, scopes: ["read", "write", "admin"])
|
app_scopes = ["read", "write", "admin", "secret_scope"]
|
||||||
|
app = insert(:oauth_app, scopes: app_scopes)
|
||||||
redirect_uri = OAuthController.default_redirect_uri(app)
|
redirect_uri = OAuthController.default_redirect_uri(app)
|
||||||
|
|
||||||
non_admin = insert(:user, is_admin: false)
|
non_admin = insert(:user, is_admin: false)
|
||||||
admin = insert(:user, is_admin: true)
|
admin = insert(:user, is_admin: true)
|
||||||
|
scopes_subset = ["read:subscope", "write", "admin"]
|
||||||
|
|
||||||
for {user, expected_scopes} <- %{
|
# In case scope param is missing, expecting _all_ app-supported scopes to be granted
|
||||||
non_admin => ["read:subscope", "write"],
|
for user <- [non_admin, admin],
|
||||||
admin => ["read:subscope", "write", "admin"]
|
{requested_scopes, expected_scopes} <-
|
||||||
} do
|
%{scopes_subset => scopes_subset, nil => app_scopes} do
|
||||||
conn =
|
conn =
|
||||||
build_conn()
|
post(
|
||||||
|> post("/oauth/authorize", %{
|
build_conn(),
|
||||||
"authorization" => %{
|
"/oauth/authorize",
|
||||||
"name" => user.nickname,
|
%{
|
||||||
"password" => "test",
|
"authorization" => %{
|
||||||
"client_id" => app.client_id,
|
"name" => user.nickname,
|
||||||
"redirect_uri" => redirect_uri,
|
"password" => "test",
|
||||||
"scope" => "read:subscope write admin",
|
"client_id" => app.client_id,
|
||||||
"state" => "statepassed"
|
"redirect_uri" => redirect_uri,
|
||||||
|
"scope" => requested_scopes,
|
||||||
|
"state" => "statepassed"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
})
|
)
|
||||||
|
|
||||||
target = redirected_to(conn)
|
target = redirected_to(conn)
|
||||||
assert target =~ redirect_uri
|
assert target =~ redirect_uri
|
||||||
|
@ -631,34 +636,31 @@ test "returns 401 for wrong credentials", %{conn: conn} do
|
||||||
assert result =~ "Invalid Username/Password"
|
assert result =~ "Invalid Username/Password"
|
||||||
end
|
end
|
||||||
|
|
||||||
test "returns 401 for missing scopes " <>
|
test "returns 401 for missing scopes" do
|
||||||
"(including all admin-only scopes for non-admin user)" do
|
|
||||||
user = insert(:user, is_admin: false)
|
user = insert(:user, is_admin: false)
|
||||||
app = insert(:oauth_app, scopes: ["read", "write", "admin"])
|
app = insert(:oauth_app, scopes: ["read", "write", "admin"])
|
||||||
redirect_uri = OAuthController.default_redirect_uri(app)
|
redirect_uri = OAuthController.default_redirect_uri(app)
|
||||||
|
|
||||||
for scope_param <- ["", "admin:read admin:write"] do
|
result =
|
||||||
result =
|
build_conn()
|
||||||
build_conn()
|
|> post("/oauth/authorize", %{
|
||||||
|> post("/oauth/authorize", %{
|
"authorization" => %{
|
||||||
"authorization" => %{
|
"name" => user.nickname,
|
||||||
"name" => user.nickname,
|
"password" => "test",
|
||||||
"password" => "test",
|
"client_id" => app.client_id,
|
||||||
"client_id" => app.client_id,
|
"redirect_uri" => redirect_uri,
|
||||||
"redirect_uri" => redirect_uri,
|
"state" => "statepassed",
|
||||||
"state" => "statepassed",
|
"scope" => ""
|
||||||
"scope" => scope_param
|
}
|
||||||
}
|
})
|
||||||
})
|
|> html_response(:unauthorized)
|
||||||
|> html_response(:unauthorized)
|
|
||||||
|
|
||||||
# Keep the details
|
# Keep the details
|
||||||
assert result =~ app.client_id
|
assert result =~ app.client_id
|
||||||
assert result =~ redirect_uri
|
assert result =~ redirect_uri
|
||||||
|
|
||||||
# Error message
|
# Error message
|
||||||
assert result =~ "This action is outside the authorized scopes"
|
assert result =~ "This action is outside the authorized scopes"
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
test "returns 401 for scopes beyond app scopes hierarchy", %{conn: conn} do
|
test "returns 401 for scopes beyond app scopes hierarchy", %{conn: conn} do
|
||||||
|
|
|
@ -14,6 +14,10 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
|
||||||
"emoji"
|
"emoji"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
clear_config([:auth, :enforce_oauth_admin_scope_usage]) do
|
||||||
|
Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
|
||||||
|
end
|
||||||
|
|
||||||
test "shared & non-shared pack information in list_packs is ok" do
|
test "shared & non-shared pack information in list_packs is ok" do
|
||||||
conn = build_conn()
|
conn = build_conn()
|
||||||
resp = conn |> get(emoji_api_path(conn, :list_packs)) |> json_response(200)
|
resp = conn |> get(emoji_api_path(conn, :list_packs)) |> json_response(200)
|
||||||
|
|
Loading…
Reference in a new issue