[#1478] OAuth admin tweaks: enforced OAuth admin scopes usage by default, migrated existing OAuth records. Adjusted tests.

This commit is contained in:
Ivan Tashkinov 2020-01-10 10:52:21 +03:00
parent e8b0c7689a
commit 6c94b7498b
9 changed files with 79 additions and 81 deletions

View File

@ -11,6 +11,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
### Changed ### Changed
- **Breaking:** Elixir >=1.8 is now required (was >= 1.7) - **Breaking:** Elixir >=1.8 is now required (was >= 1.7)
- **Breaking:** attachment links (`config :pleroma, :instance, no_attachment_links` and `config :pleroma, Pleroma.Upload, link_name`) disabled by default - **Breaking:** attachment links (`config :pleroma, :instance, no_attachment_links` and `config :pleroma, Pleroma.Upload, link_name`) disabled by default
- **Breaking:** OAuth: defaulted `[:auth, :enforce_oauth_admin_scope_usage]` setting to `true` which demands `admin` OAuth scope to perform admin actions (in addition to `is_admin` flag on User); make sure to use bundled or newer versions of AdminFE & PleromaFE to access admin / moderator features.
- Replaced [pleroma_job_queue](https://git.pleroma.social/pleroma/pleroma_job_queue) and `Pleroma.Web.Federator.RetryQueue` with [Oban](https://github.com/sorentwo/oban) (see [`docs/config.md`](docs/config.md) on migrating customized worker / retry settings) - Replaced [pleroma_job_queue](https://git.pleroma.social/pleroma/pleroma_job_queue) and `Pleroma.Web.Federator.RetryQueue` with [Oban](https://github.com/sorentwo/oban) (see [`docs/config.md`](docs/config.md) on migrating customized worker / retry settings)
- Introduced [quantum](https://github.com/quantum-elixir/quantum-core) job scheduler - Introduced [quantum](https://github.com/quantum-elixir/quantum-core) job scheduler
- Enabled `:instance, extended_nickname_format` in the default config - Enabled `:instance, extended_nickname_format` in the default config

View File

@ -565,7 +565,7 @@
config :pleroma, config :pleroma,
:auth, :auth,
enforce_oauth_admin_scope_usage: false, enforce_oauth_admin_scope_usage: true,
oauth_consumer_strategies: oauth_consumer_strategies oauth_consumer_strategies: oauth_consumer_strategies
config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false

View File

@ -23,6 +23,7 @@ def call(%{assigns: %{user: %User{is_admin: true}} = assigns} = conn, _) do
token && OAuth.Scopes.contains_admin_scopes?(token.scopes) -> token && OAuth.Scopes.contains_admin_scopes?(token.scopes) ->
# Note: checking for _any_ admin scope presence, not necessarily fitting requested action. # Note: checking for _any_ admin scope presence, not necessarily fitting requested action.
# Thus, controller must explicitly invoke OAuthScopesPlug to verify scope requirements. # Thus, controller must explicitly invoke OAuthScopesPlug to verify scope requirements.
# Admin might opt out of admin scope for some apps to block any admin actions from them.
conn conn
true -> true ->

View File

@ -1847,22 +1847,13 @@ defp truncate_field(%{"name" => name, "value" => value}) do
end end
def admin_api_update(user, params) do def admin_api_update(user, params) do
changeset = user
cast(user, params, [ |> cast(params, [
:is_moderator, :is_moderator,
:is_admin, :is_admin,
:show_role :show_role
]) ])
|> update_and_set_cache()
with {:ok, updated_user} <- update_and_set_cache(changeset) do
if user.is_admin && !updated_user.is_admin do
# Tokens & authorizations containing any admin scopes must be revoked (revoking all).
# This is an extra safety measure (tokens' admin scopes won't be accepted for non-admins).
global_sign_out(user)
end
{:ok, updated_user}
end
end end
@doc "Signs user out of all applications" @doc "Signs user out of all applications"

View File

@ -222,7 +222,7 @@ def token_exchange(
{:user_active, true} <- {:user_active, !user.deactivated}, {:user_active, true} <- {:user_active, !user.deactivated},
{:password_reset_pending, false} <- {:password_reset_pending, false} <-
{:password_reset_pending, user.password_reset_pending}, {:password_reset_pending, user.password_reset_pending},
{:ok, scopes} <- validate_scopes(app, params, user), {:ok, scopes} <- validate_scopes(app, params),
{:ok, auth} <- Authorization.create_authorization(app, user, scopes), {:ok, auth} <- Authorization.create_authorization(app, user, scopes),
{:ok, token} <- Token.exchange_token(app, auth) do {:ok, token} <- Token.exchange_token(app, auth) do
json(conn, Token.Response.build(user, token)) json(conn, Token.Response.build(user, token))
@ -471,7 +471,7 @@ defp do_create_authorization(
{:get_user, (user && {:ok, user}) || Authenticator.get_user(conn)}, {:get_user, (user && {:ok, user}) || Authenticator.get_user(conn)},
%App{} = app <- Repo.get_by(App, client_id: client_id), %App{} = app <- Repo.get_by(App, client_id: client_id),
true <- redirect_uri in String.split(app.redirect_uris), true <- redirect_uri in String.split(app.redirect_uris),
{:ok, scopes} <- validate_scopes(app, auth_attrs, user), {:ok, scopes} <- validate_scopes(app, auth_attrs),
{:auth_active, true} <- {:auth_active, User.auth_active?(user)} do {:auth_active, true} <- {:auth_active, User.auth_active?(user)} do
Authorization.create_authorization(app, user, scopes) Authorization.create_authorization(app, user, scopes)
end end
@ -487,12 +487,12 @@ defp get_session_registration_id(%Plug.Conn{} = conn), do: get_session(conn, :re
defp put_session_registration_id(%Plug.Conn{} = conn, registration_id), defp put_session_registration_id(%Plug.Conn{} = conn, registration_id),
do: put_session(conn, :registration_id, registration_id) do: put_session(conn, :registration_id, registration_id)
@spec validate_scopes(App.t(), map(), User.t()) :: @spec validate_scopes(App.t(), map()) ::
{:ok, list()} | {:error, :missing_scopes | :unsupported_scopes} {:ok, list()} | {:error, :missing_scopes | :unsupported_scopes}
defp validate_scopes(%App{} = app, params, %User{} = user) do defp validate_scopes(%App{} = app, params) do
params params
|> Scopes.fetch_scopes(app.scopes) |> Scopes.fetch_scopes(app.scopes)
|> Scopes.validate(app.scopes, user) |> Scopes.validate(app.scopes)
end end
def default_redirect_uri(%App{} = app) do def default_redirect_uri(%App{} = app) do

View File

@ -8,7 +8,6 @@ defmodule Pleroma.Web.OAuth.Scopes do
""" """
alias Pleroma.Plugs.OAuthScopesPlug alias Pleroma.Plugs.OAuthScopesPlug
alias Pleroma.User
@doc """ @doc """
Fetch scopes from request params. Fetch scopes from request params.
@ -56,35 +55,18 @@ def to_string(scopes), do: Enum.join(scopes, " ")
@doc """ @doc """
Validates scopes. Validates scopes.
""" """
@spec validate(list() | nil, list(), User.t()) :: @spec validate(list() | nil, list()) ::
{:ok, list()} | {:error, :missing_scopes | :unsupported_scopes} {:ok, list()} | {:error, :missing_scopes | :unsupported_scopes}
def validate(blank_scopes, _app_scopes, _user) when blank_scopes in [nil, []], def validate(blank_scopes, _app_scopes) when blank_scopes in [nil, []],
do: {:error, :missing_scopes} do: {:error, :missing_scopes}
def validate(scopes, app_scopes, %User{} = user) do def validate(scopes, app_scopes) do
with {:ok, _} <- ensure_scopes_support(scopes, app_scopes),
{:ok, scopes} <- authorize_admin_scopes(scopes, app_scopes, user) do
{:ok, scopes}
end
end
defp ensure_scopes_support(scopes, app_scopes) do
case OAuthScopesPlug.filter_descendants(scopes, app_scopes) do case OAuthScopesPlug.filter_descendants(scopes, app_scopes) do
^scopes -> {:ok, scopes} ^scopes -> {:ok, scopes}
_ -> {:error, :unsupported_scopes} _ -> {:error, :unsupported_scopes}
end end
end end
defp authorize_admin_scopes(scopes, app_scopes, %User{} = user) do
if user.is_admin || !contains_admin_scopes?(scopes) || !contains_admin_scopes?(app_scopes) do
{:ok, scopes}
else
# Gracefully dropping admin scopes from requested scopes if user isn't an admin (not raising)
scopes = scopes -- OAuthScopesPlug.filter_descendants(scopes, ["admin"])
validate(scopes, app_scopes, user)
end
end
def contains_admin_scopes?(scopes) do def contains_admin_scopes?(scopes) do
scopes scopes
|> OAuthScopesPlug.filter_descendants(["admin"]) |> OAuthScopesPlug.filter_descendants(["admin"])

View File

@ -0,0 +1,17 @@
defmodule Pleroma.Repo.Migrations.AddScopesToPleromaFEOAuthRecords do
use Ecto.Migration
def up do
update_scopes_clause = "SET scopes = '{read,write,follow,push,admin}'"
apps_where = "WHERE apps.client_name like 'PleromaFE_%' or apps.client_name like 'AdminFE_%'"
app_id_subquery_where = "WHERE app_id IN (SELECT apps.id FROM apps #{apps_where})"
execute("UPDATE apps #{update_scopes_clause} #{apps_where}")
for table <- ["oauth_authorizations", "oauth_tokens"] do
execute("UPDATE #{table} #{update_scopes_clause} #{app_id_subquery_where}")
end
end
def down, do: :noop
end

View File

@ -568,29 +568,34 @@ test "with existing authentication and OOB `redirect_uri`, redirects to app with
describe "POST /oauth/authorize" do describe "POST /oauth/authorize" do
test "redirects with oauth authorization, " <> test "redirects with oauth authorization, " <>
"keeping only non-admin scopes for non-admin user" do "granting requested app-supported scopes to both admin- and non-admin users" do
app = insert(:oauth_app, scopes: ["read", "write", "admin"]) app_scopes = ["read", "write", "admin", "secret_scope"]
app = insert(:oauth_app, scopes: app_scopes)
redirect_uri = OAuthController.default_redirect_uri(app) redirect_uri = OAuthController.default_redirect_uri(app)
non_admin = insert(:user, is_admin: false) non_admin = insert(:user, is_admin: false)
admin = insert(:user, is_admin: true) admin = insert(:user, is_admin: true)
scopes_subset = ["read:subscope", "write", "admin"]
for {user, expected_scopes} <- %{ # In case scope param is missing, expecting _all_ app-supported scopes to be granted
non_admin => ["read:subscope", "write"], for user <- [non_admin, admin],
admin => ["read:subscope", "write", "admin"] {requested_scopes, expected_scopes} <-
} do %{scopes_subset => scopes_subset, nil => app_scopes} do
conn = conn =
build_conn() post(
|> post("/oauth/authorize", %{ build_conn(),
"authorization" => %{ "/oauth/authorize",
"name" => user.nickname, %{
"password" => "test", "authorization" => %{
"client_id" => app.client_id, "name" => user.nickname,
"redirect_uri" => redirect_uri, "password" => "test",
"scope" => "read:subscope write admin", "client_id" => app.client_id,
"state" => "statepassed" "redirect_uri" => redirect_uri,
"scope" => requested_scopes,
"state" => "statepassed"
}
} }
}) )
target = redirected_to(conn) target = redirected_to(conn)
assert target =~ redirect_uri assert target =~ redirect_uri
@ -631,34 +636,31 @@ test "returns 401 for wrong credentials", %{conn: conn} do
assert result =~ "Invalid Username/Password" assert result =~ "Invalid Username/Password"
end end
test "returns 401 for missing scopes " <> test "returns 401 for missing scopes" do
"(including all admin-only scopes for non-admin user)" do
user = insert(:user, is_admin: false) user = insert(:user, is_admin: false)
app = insert(:oauth_app, scopes: ["read", "write", "admin"]) app = insert(:oauth_app, scopes: ["read", "write", "admin"])
redirect_uri = OAuthController.default_redirect_uri(app) redirect_uri = OAuthController.default_redirect_uri(app)
for scope_param <- ["", "admin:read admin:write"] do result =
result = build_conn()
build_conn() |> post("/oauth/authorize", %{
|> post("/oauth/authorize", %{ "authorization" => %{
"authorization" => %{ "name" => user.nickname,
"name" => user.nickname, "password" => "test",
"password" => "test", "client_id" => app.client_id,
"client_id" => app.client_id, "redirect_uri" => redirect_uri,
"redirect_uri" => redirect_uri, "state" => "statepassed",
"state" => "statepassed", "scope" => ""
"scope" => scope_param }
} })
}) |> html_response(:unauthorized)
|> html_response(:unauthorized)
# Keep the details # Keep the details
assert result =~ app.client_id assert result =~ app.client_id
assert result =~ redirect_uri assert result =~ redirect_uri
# Error message # Error message
assert result =~ "This action is outside the authorized scopes" assert result =~ "This action is outside the authorized scopes"
end
end end
test "returns 401 for scopes beyond app scopes hierarchy", %{conn: conn} do test "returns 401 for scopes beyond app scopes hierarchy", %{conn: conn} do

View File

@ -14,6 +14,10 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
"emoji" "emoji"
) )
clear_config([:auth, :enforce_oauth_admin_scope_usage]) do
Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
end
test "shared & non-shared pack information in list_packs is ok" do test "shared & non-shared pack information in list_packs is ok" do
conn = build_conn() conn = build_conn()
resp = conn |> get(emoji_api_path(conn, :list_packs)) |> json_response(200) resp = conn |> get(emoji_api_path(conn, :list_packs)) |> json_response(200)