Remove :auth, :enforce_oauth_admin_scope_usage
`admin` scope has been required by default for more than a year now, and all apps that use the API seem to request a proper scope by now.
parent
679a2e799e
commit
6d66fadea7
9 changed files with 70 additions and 239 deletions
@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
|
|
||||||
## Unreleased
|
## Unreleased
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
|
||||||
|
- `:auth, :enforce_oauth_admin_scope_usage` configuration option.
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
- **Breaking**: Changed `mix pleroma.user toggle_confirmed` to `mix pleroma.user confirm`
|
- **Breaking**: Changed `mix pleroma.user toggle_confirmed` to `mix pleroma.user confirm`
|
||||||
|
|
|
@ -611,10 +611,7 @@
|
||||||
base_path: "/oauth",
|
base_path: "/oauth",
|
||||||
providers: ueberauth_providers
|
providers: ueberauth_providers
|
||||||
|
|
||||||
config :pleroma,
|
config :pleroma, :auth, oauth_consumer_strategies: oauth_consumer_strategies
|
||||||
:auth,
|
|
||||||
enforce_oauth_admin_scope_usage: true,
|
|
||||||
oauth_consumer_strategies: oauth_consumer_strategies
|
|
||||||
|
|
||||||
config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false
|
config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false
|
||||||
|
|
||||||
|
|
|
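Review bot: Dropping `enforce_oauth_admin_scope_usage: true` from the default `:auth` config (the merged line `config :pleroma, :auth, oauth_consumer_strategies: oauth_consumer_strategies`) means an instance that still sets that key to `false` in its own config file will have it silently ignored, and because the surviving behaviour is the strict one, admin clients on such an instance that never requested `admin:` scopes lose admin access at the next restart. That is the right default from a least-privilege standpoint, but it needs to be announced: the changelog line in the first hunk sits under "Removed" with no **Breaking** marker, and nothing in the commit warns an operator whose config still carries the key. If the startup config deprecation warnings cover removed keys (the `Pleroma.Config.DeprecationWarnings` module appears to be the place, confirm), add an entry for `[:auth, :enforce_oauth_admin_scope_usage]` there so the change is visible in the logs rather than only in behaviour.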
@ -2,13 +2,6 @@
|
||||||
|
|
||||||
Authentication is required and the user must be an admin.
|
Authentication is required and the user must be an admin.
|
||||||
|
|
||||||
Configuration options:
|
|
||||||
|
|
||||||
* `[:auth, :enforce_oauth_admin_scope_usage]` — OAuth admin scope requirement toggle.
|
|
||||||
If `true`, admin actions explicitly demand admin OAuth scope(s) presence in OAuth token (client app must support admin scopes).
|
|
||||||
If `false` and token doesn't have admin scope(s), `is_admin` user flag grants access to admin-specific actions.
|
|
||||||
Note that client app needs to explicitly support admin scopes and request them when obtaining auth token.
|
|
||||||
|
|
||||||
## `GET /api/pleroma/admin/users`
|
## `GET /api/pleroma/admin/users`
|
||||||
|
|
||||||
### List users
|
### List users
|
||||||
|
|
|
@ -100,15 +100,7 @@ def oauth_consumer_strategies, do: get([:auth, :oauth_consumer_strategies], [])
|
||||||
|
|
||||||
def oauth_consumer_enabled?, do: oauth_consumer_strategies() != []
|
def oauth_consumer_enabled?, do: oauth_consumer_strategies() != []
|
||||||
|
|
||||||
def enforce_oauth_admin_scope_usage?, do: !!get([:auth, :enforce_oauth_admin_scope_usage])
|
|
||||||
|
|
||||||
def oauth_admin_scopes(scopes) when is_list(scopes) do
|
def oauth_admin_scopes(scopes) when is_list(scopes) do
|
||||||
Enum.flat_map(
|
Enum.map(scopes, fn scope -> "admin:#{scope}" end)
|
||||||
scopes,
|
|
||||||
fn scope ->
|
|
||||||
["admin:#{scope}"] ++
|
|
||||||
if enforce_oauth_admin_scope_usage?(), do: [], else: [scope]
|
|
||||||
end
|
|
||||||
)
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
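Review bot: `oauth_admin_scopes/1` now has a fixed contract, every scope is prefixed and a plain scope is never accepted for admin routes, but it carries no `@doc` or `@spec`; add `@spec oauth_admin_scopes([String.t()]) :: [String.t()]` and a short `@doc` with a doctest such as `iex> Pleroma.Config.oauth_admin_scopes(["read", "write:reports"])` giving `["admin:read", "admin:write:reports"]` (assuming this file is `Pleroma.Config`, as the surrounding `get/2` calls suggest). The doctest matters because the last hunk deletes the whole `transform_scopes/2` describe from the plug test instead of updating its expectations to the now-unconditional prefixed output, so the prefixing logic keeps no unit coverage and is exercised only end-to-end by the surviving admin controller tests. The body `Enum.map(scopes, fn scope -> "admin:#{scope}" end)` could be written `Enum.map(scopes, &"admin:#{&1}")`, which is purely a matter of style. The enclosing module starts outside the hunk.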
@ -46,9 +46,6 @@ test "with valid `admin_token` query parameter, skips OAuth scopes check" do
|
||||||
assert json_response(conn, 200)
|
assert json_response(conn, 200)
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
|
|
||||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
|
|
||||||
|
|
||||||
test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
|
test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
|
||||||
%{admin: admin} do
|
%{admin: admin} do
|
||||||
user = insert(:user)
|
user = insert(:user)
|
||||||
|
@ -92,60 +89,6 @@ test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or bro
|
||||||
assert json_response(conn, :forbidden)
|
assert json_response(conn, :forbidden)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
|
||||||
|
|
||||||
describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do
|
|
||||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
|
|
||||||
|
|
||||||
test "GET /api/pleroma/admin/users/:nickname requires " <>
|
|
||||||
"read:accounts or admin:read:accounts or broader scope",
|
|
||||||
%{admin: admin} do
|
|
||||||
user = insert(:user)
|
|
||||||
url = "/api/pleroma/admin/users/#{user.nickname}"
|
|
||||||
|
|
||||||
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
|
|
||||||
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
|
|
||||||
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
|
|
||||||
good_token4 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
|
|
||||||
good_token5 = insert(:oauth_token, user: admin, scopes: ["read"])
|
|
||||||
|
|
||||||
good_tokens = [good_token1, good_token2, good_token3, good_token4, good_token5]
|
|
||||||
|
|
||||||
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts:partial"])
|
|
||||||
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
|
|
||||||
bad_token3 = nil
|
|
||||||
|
|
||||||
for good_token <- good_tokens do
|
|
||||||
conn =
|
|
||||||
build_conn()
|
|
||||||
|> assign(:user, admin)
|
|
||||||
|> assign(:token, good_token)
|
|
||||||
|> get(url)
|
|
||||||
|
|
||||||
assert json_response(conn, 200)
|
|
||||||
end
|
|
||||||
|
|
||||||
for good_token <- good_tokens do
|
|
||||||
conn =
|
|
||||||
build_conn()
|
|
||||||
|> assign(:user, nil)
|
|
||||||
|> assign(:token, good_token)
|
|
||||||
|> get(url)
|
|
||||||
|
|
||||||
assert json_response(conn, :forbidden)
|
|
||||||
end
|
|
||||||
|
|
||||||
for bad_token <- [bad_token1, bad_token2, bad_token3] do
|
|
||||||
conn =
|
|
||||||
build_conn()
|
|
||||||
|> assign(:user, admin)
|
|
||||||
|> assign(:token, bad_token)
|
|
||||||
|> get(url)
|
|
||||||
|
|
||||||
assert json_response(conn, :forbidden)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe "PUT /api/pleroma/admin/users/tag" do
|
describe "PUT /api/pleroma/admin/users/tag" do
|
||||||
setup %{conn: conn} do
|
setup %{conn: conn} do
|
||||||
|
|
|
@ -47,9 +47,6 @@ test "with valid `admin_token` query parameter, skips OAuth scopes check" do
|
||||||
assert json_response(conn, 200)
|
assert json_response(conn, 200)
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
|
|
||||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
|
|
||||||
|
|
||||||
test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
|
test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
|
||||||
%{admin: admin} do
|
%{admin: admin} do
|
||||||
user = insert(:user)
|
user = insert(:user)
|
||||||
|
@ -93,60 +90,6 @@ test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or bro
|
||||||
assert json_response(conn, :forbidden)
|
assert json_response(conn, :forbidden)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
|
||||||
|
|
||||||
describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do
|
|
||||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
|
|
||||||
|
|
||||||
test "GET /api/pleroma/admin/users/:nickname requires " <>
|
|
||||||
"read:accounts or admin:read:accounts or broader scope",
|
|
||||||
%{admin: admin} do
|
|
||||||
user = insert(:user)
|
|
||||||
url = "/api/pleroma/admin/users/#{user.nickname}"
|
|
||||||
|
|
||||||
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
|
|
||||||
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
|
|
||||||
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
|
|
||||||
good_token4 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
|
|
||||||
good_token5 = insert(:oauth_token, user: admin, scopes: ["read"])
|
|
||||||
|
|
||||||
good_tokens = [good_token1, good_token2, good_token3, good_token4, good_token5]
|
|
||||||
|
|
||||||
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts:partial"])
|
|
||||||
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
|
|
||||||
bad_token3 = nil
|
|
||||||
|
|
||||||
for good_token <- good_tokens do
|
|
||||||
conn =
|
|
||||||
build_conn()
|
|
||||||
|> assign(:user, admin)
|
|
||||||
|> assign(:token, good_token)
|
|
||||||
|> get(url)
|
|
||||||
|
|
||||||
assert json_response(conn, 200)
|
|
||||||
end
|
|
||||||
|
|
||||||
for good_token <- good_tokens do
|
|
||||||
conn =
|
|
||||||
build_conn()
|
|
||||||
|> assign(:user, nil)
|
|
||||||
|> assign(:token, good_token)
|
|
||||||
|> get(url)
|
|
||||||
|
|
||||||
assert json_response(conn, :forbidden)
|
|
||||||
end
|
|
||||||
|
|
||||||
for bad_token <- [bad_token1, bad_token2, bad_token3] do
|
|
||||||
conn =
|
|
||||||
build_conn()
|
|
||||||
|> assign(:user, admin)
|
|
||||||
|> assign(:token, bad_token)
|
|
||||||
|> get(url)
|
|
||||||
|
|
||||||
assert json_response(conn, :forbidden)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe "DELETE /api/pleroma/admin/users" do
|
describe "DELETE /api/pleroma/admin/users" do
|
||||||
test "single user", %{admin: admin, conn: conn} do
|
test "single user", %{admin: admin, conn: conn} do
|
||||||
|
|
|
@ -13,8 +13,6 @@ defmodule Pleroma.Web.PleromaAPI.EmojiFileControllerTest do
|
||||||
Pleroma.Config.get!([:instance, :static_dir]),
|
Pleroma.Config.get!([:instance, :static_dir]),
|
||||||
"emoji"
|
"emoji"
|
||||||
)
|
)
|
||||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
|
|
||||||
|
|
||||||
setup do: clear_config([:instance, :public], true)
|
setup do: clear_config([:instance, :public], true)
|
||||||
|
|
||||||
setup do
|
setup do
|
||||||
|
|
|
@ -13,7 +13,6 @@ defmodule Pleroma.Web.PleromaAPI.EmojiPackControllerTest do
|
||||||
Pleroma.Config.get!([:instance, :static_dir]),
|
Pleroma.Config.get!([:instance, :static_dir]),
|
||||||
"emoji"
|
"emoji"
|
||||||
)
|
)
|
||||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
|
|
||||||
|
|
||||||
setup do: clear_config([:instance, :public], true)
|
setup do: clear_config([:instance, :public], true)
|
||||||
|
|
||||||
|
|
|
@ -169,42 +169,4 @@ test "filters scopes which directly match or are ancestors of supported scopes"
|
||||||
assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
|
assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "transform_scopes/2" do
|
|
||||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage])
|
|
||||||
|
|
||||||
setup do
|
|
||||||
{:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}
|
|
||||||
end
|
|
||||||
|
|
||||||
test "with :admin option, prefixes all requested scopes with `admin:` " <>
|
|
||||||
"and [optionally] keeps only prefixed scopes, " <>
|
|
||||||
"depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
|
|
||||||
%{f: f} do
|
|
||||||
clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
|
|
||||||
|
|
||||||
assert f.(["read"], %{admin: true}) == ["admin:read", "read"]
|
|
||||||
|
|
||||||
assert f.(["read", "write"], %{admin: true}) == [
|
|
||||||
"admin:read",
|
|
||||||
"read",
|
|
||||||
"admin:write",
|
|
||||||
"write"
|
|
||||||
]
|
|
||||||
|
|
||||||
clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
|
|
||||||
|
|
||||||
assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]
|
|
||||||
|
|
||||||
assert f.(["read", "write:reports"], %{admin: true}) == [
|
|
||||||
"admin:read",
|
|
||||||
"admin:write:reports"
|
|
||||||
]
|
|
||||||
end
|
|
||||||
|
|
||||||
test "with no supported options, returns unmodified scopes", %{f: f} do
|
|
||||||
assert f.(["read"], %{}) == ["read"]
|
|
||||||
assert f.(["read", "write"], %{}) == ["read", "write"]
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|