Remove :auth, :enforce_oauth_admin_scope_usage

`admin` scope has been required by default for more than a year now
and all apps that use the API seems to request a proper scope by now.
This commit is contained in:
rinpatch 2021-02-17 20:47:38 +03:00
parent 679a2e799e
commit 6d66fadea7
9 changed files with 70 additions and 239 deletions

View file

@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## Unreleased ## Unreleased
### Removed
- `:auth, :enforce_oauth_admin_scope_usage` configuration option.
### Changed ### Changed
- **Breaking**: Changed `mix pleroma.user toggle_confirmed` to `mix pleroma.user confirm` - **Breaking**: Changed `mix pleroma.user toggle_confirmed` to `mix pleroma.user confirm`

View file

@ -611,10 +611,7 @@
base_path: "/oauth", base_path: "/oauth",
providers: ueberauth_providers providers: ueberauth_providers
config :pleroma, config :pleroma, :auth, oauth_consumer_strategies: oauth_consumer_strategies
:auth,
enforce_oauth_admin_scope_usage: true,
oauth_consumer_strategies: oauth_consumer_strategies
config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false

View file

@ -2,13 +2,6 @@
Authentication is required and the user must be an admin. Authentication is required and the user must be an admin.
Configuration options:
* `[:auth, :enforce_oauth_admin_scope_usage]` — OAuth admin scope requirement toggle.
If `true`, admin actions explicitly demand admin OAuth scope(s) presence in OAuth token (client app must support admin scopes).
If `false` and token doesn't have admin scope(s), `is_admin` user flag grants access to admin-specific actions.
Note that client app needs to explicitly support admin scopes and request them when obtaining auth token.
## `GET /api/pleroma/admin/users` ## `GET /api/pleroma/admin/users`
### List users ### List users

View file

@ -100,15 +100,7 @@ def oauth_consumer_strategies, do: get([:auth, :oauth_consumer_strategies], [])
def oauth_consumer_enabled?, do: oauth_consumer_strategies() != [] def oauth_consumer_enabled?, do: oauth_consumer_strategies() != []
def enforce_oauth_admin_scope_usage?, do: !!get([:auth, :enforce_oauth_admin_scope_usage])
def oauth_admin_scopes(scopes) when is_list(scopes) do def oauth_admin_scopes(scopes) when is_list(scopes) do
Enum.flat_map( Enum.map(scopes, fn scope -> "admin:#{scope}" end)
scopes,
fn scope ->
["admin:#{scope}"] ++
if enforce_oauth_admin_scope_usage?(), do: [], else: [scope]
end
)
end end
end end

View file

@ -46,104 +46,47 @@ test "with valid `admin_token` query parameter, skips OAuth scopes check" do
assert json_response(conn, 200) assert json_response(conn, 200)
end end
describe "with [:auth, :enforce_oauth_admin_scope_usage]," do test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true) %{admin: admin} do
user = insert(:user)
url = "/api/pleroma/admin/users/#{user.nickname}"
test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope", good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
%{admin: admin} do good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
user = insert(:user) good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
url = "/api/pleroma/admin/users/#{user.nickname}"
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"]) bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"]) bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"]) bad_token3 = nil
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"]) for good_token <- [good_token1, good_token2, good_token3] do
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"]) conn =
bad_token3 = nil build_conn()
|> assign(:user, admin)
|> assign(:token, good_token)
|> get(url)
for good_token <- [good_token1, good_token2, good_token3] do assert json_response(conn, 200)
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, good_token)
|> get(url)
assert json_response(conn, 200)
end
for good_token <- [good_token1, good_token2, good_token3] do
conn =
build_conn()
|> assign(:user, nil)
|> assign(:token, good_token)
|> get(url)
assert json_response(conn, :forbidden)
end
for bad_token <- [bad_token1, bad_token2, bad_token3] do
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, bad_token)
|> get(url)
assert json_response(conn, :forbidden)
end
end end
end
describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do for good_token <- [good_token1, good_token2, good_token3] do
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false) conn =
build_conn()
|> assign(:user, nil)
|> assign(:token, good_token)
|> get(url)
test "GET /api/pleroma/admin/users/:nickname requires " <> assert json_response(conn, :forbidden)
"read:accounts or admin:read:accounts or broader scope", end
%{admin: admin} do
user = insert(:user)
url = "/api/pleroma/admin/users/#{user.nickname}"
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"]) for bad_token <- [bad_token1, bad_token2, bad_token3] do
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"]) conn =
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"]) build_conn()
good_token4 = insert(:oauth_token, user: admin, scopes: ["read:accounts"]) |> assign(:user, admin)
good_token5 = insert(:oauth_token, user: admin, scopes: ["read"]) |> assign(:token, bad_token)
|> get(url)
good_tokens = [good_token1, good_token2, good_token3, good_token4, good_token5] assert json_response(conn, :forbidden)
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts:partial"])
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
bad_token3 = nil
for good_token <- good_tokens do
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, good_token)
|> get(url)
assert json_response(conn, 200)
end
for good_token <- good_tokens do
conn =
build_conn()
|> assign(:user, nil)
|> assign(:token, good_token)
|> get(url)
assert json_response(conn, :forbidden)
end
for bad_token <- [bad_token1, bad_token2, bad_token3] do
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, bad_token)
|> get(url)
assert json_response(conn, :forbidden)
end
end end
end end

View file

@ -47,104 +47,47 @@ test "with valid `admin_token` query parameter, skips OAuth scopes check" do
assert json_response(conn, 200) assert json_response(conn, 200)
end end
describe "with [:auth, :enforce_oauth_admin_scope_usage]," do test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true) %{admin: admin} do
user = insert(:user)
url = "/api/pleroma/admin/users/#{user.nickname}"
test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope", good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
%{admin: admin} do good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
user = insert(:user) good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
url = "/api/pleroma/admin/users/#{user.nickname}"
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"]) bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"]) bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"]) bad_token3 = nil
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"]) for good_token <- [good_token1, good_token2, good_token3] do
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"]) conn =
bad_token3 = nil build_conn()
|> assign(:user, admin)
|> assign(:token, good_token)
|> get(url)
for good_token <- [good_token1, good_token2, good_token3] do assert json_response(conn, 200)
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, good_token)
|> get(url)
assert json_response(conn, 200)
end
for good_token <- [good_token1, good_token2, good_token3] do
conn =
build_conn()
|> assign(:user, nil)
|> assign(:token, good_token)
|> get(url)
assert json_response(conn, :forbidden)
end
for bad_token <- [bad_token1, bad_token2, bad_token3] do
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, bad_token)
|> get(url)
assert json_response(conn, :forbidden)
end
end end
end
describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do for good_token <- [good_token1, good_token2, good_token3] do
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false) conn =
build_conn()
|> assign(:user, nil)
|> assign(:token, good_token)
|> get(url)
test "GET /api/pleroma/admin/users/:nickname requires " <> assert json_response(conn, :forbidden)
"read:accounts or admin:read:accounts or broader scope", end
%{admin: admin} do
user = insert(:user)
url = "/api/pleroma/admin/users/#{user.nickname}"
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"]) for bad_token <- [bad_token1, bad_token2, bad_token3] do
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"]) conn =
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"]) build_conn()
good_token4 = insert(:oauth_token, user: admin, scopes: ["read:accounts"]) |> assign(:user, admin)
good_token5 = insert(:oauth_token, user: admin, scopes: ["read"]) |> assign(:token, bad_token)
|> get(url)
good_tokens = [good_token1, good_token2, good_token3, good_token4, good_token5] assert json_response(conn, :forbidden)
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts:partial"])
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
bad_token3 = nil
for good_token <- good_tokens do
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, good_token)
|> get(url)
assert json_response(conn, 200)
end
for good_token <- good_tokens do
conn =
build_conn()
|> assign(:user, nil)
|> assign(:token, good_token)
|> get(url)
assert json_response(conn, :forbidden)
end
for bad_token <- [bad_token1, bad_token2, bad_token3] do
conn =
build_conn()
|> assign(:user, admin)
|> assign(:token, bad_token)
|> get(url)
assert json_response(conn, :forbidden)
end
end end
end end

View file

@ -13,8 +13,6 @@ defmodule Pleroma.Web.PleromaAPI.EmojiFileControllerTest do
Pleroma.Config.get!([:instance, :static_dir]), Pleroma.Config.get!([:instance, :static_dir]),
"emoji" "emoji"
) )
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
setup do: clear_config([:instance, :public], true) setup do: clear_config([:instance, :public], true)
setup do setup do

View file

@ -13,7 +13,6 @@ defmodule Pleroma.Web.PleromaAPI.EmojiPackControllerTest do
Pleroma.Config.get!([:instance, :static_dir]), Pleroma.Config.get!([:instance, :static_dir]),
"emoji" "emoji"
) )
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
setup do: clear_config([:instance, :public], true) setup do: clear_config([:instance, :public], true)

View file

@ -169,42 +169,4 @@ test "filters scopes which directly match or are ancestors of supported scopes"
assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"] assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
end end
end end
describe "transform_scopes/2" do
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage])
setup do
{:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}
end
test "with :admin option, prefixes all requested scopes with `admin:` " <>
"and [optionally] keeps only prefixed scopes, " <>
"depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
%{f: f} do
clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
assert f.(["read"], %{admin: true}) == ["admin:read", "read"]
assert f.(["read", "write"], %{admin: true}) == [
"admin:read",
"read",
"admin:write",
"write"
]
clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]
assert f.(["read", "write:reports"], %{admin: true}) == [
"admin:read",
"admin:write:reports"
]
end
test "with no supported options, returns unmodified scopes", %{f: f} do
assert f.(["read"], %{}) == ["read"]
assert f.(["read", "write"], %{}) == ["read", "write"]
end
end
end end