[#1234] Mastodon 2.4.3 hierarchical scopes initial support (WIP).

lib/pleroma/plugs/oauth_scopes_plug.ex

@@ -13,15 +13,16 @@ def init(%{scopes: _} = options), do: options
   def call(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do
     op = options[:op] || :|
     token = assigns[:token]
+    matched_scopes = token && filter_descendants(scopes, token.scopes)
 
     cond do
       is_nil(token) ->
         conn
 
-      op == :| && scopes -- token.scopes != scopes ->
+      op == :| && Enum.any?(matched_scopes) ->
         conn
 
-      op == :& && scopes -- token.scopes == [] ->
+      op == :& && matched_scopes == scopes ->
         conn
 
       options[:fallback] == :proceed_unauthenticated ->
@@ -30,7 +31,7 @@ def call(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do
         |> assign(:token, nil)
 
       true ->
-        missing_scopes = scopes -- token.scopes
+        missing_scopes = scopes -- matched_scopes
         permissions = Enum.join(missing_scopes, " #{op} ")
 
         error_message =
@@ -42,4 +43,17 @@ def call(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do
         |> halt()
     end
   end
+
+  @doc "Filters descendants of supported scopes"
+  def filter_descendants(scopes, supported_scopes) do
+    Enum.filter(
+      scopes,
+      fn scope ->
+        Enum.find(
+          supported_scopes,
+          &(scope == &1 || String.starts_with?(scope, &1 <> ":"))
+        )
+      end
+    )
+  end
 end

lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex

@@ -19,6 +19,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
   alias Pleroma.Notification
   alias Pleroma.Object
   alias Pleroma.Pagination
+  alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.Plugs.RateLimiter
   alias Pleroma.Repo
   alias Pleroma.ScheduledActivity
@@ -52,6 +53,41 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
   require Logger
   require Pleroma.Constants
 
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["follow", "read:blocks"]} when action in [:blocks, :domain_blocks]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["follow", "write:blocks"]}
+    when action in [:block, :unblock, :block_domain, :unblock_domain]
+  )
+
+  plug(OAuthScopesPlug, %{scopes: ["follow", "read:follows"]} when action == :follow_requests)
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["follow", "write:follows"]}
+    when action in [
+           :follow,
+           :unfollow,
+           :subscribe,
+           :unsubscribe,
+           :authorize_follow_request,
+           :reject_follow_request
+         ]
+  )
+
+  plug(OAuthScopesPlug, %{scopes: ["follow", "read:mutes"]} when action == :mutes)
+  plug(OAuthScopesPlug, %{scopes: ["follow", "write:mutes"]} when action in [:mute, :unmute])
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write:mutes"]}
+    when action in [:mute_conversation, :unmute_conversation]
+  )
+
   @rate_limited_relations_actions ~w(follow unfollow)a
 
   @rate_limited_status_actions ~w(reblog_status unreblog_status fav_status unfav_status

lib/pleroma/web/oauth/oauth_controller.ex

@@ -451,7 +451,7 @@ defp put_session_registration_id(%Plug.Conn{} = conn, registration_id),
   defp validate_scopes(app, params) do
     params
     |> Scopes.fetch_scopes(app.scopes)
-    |> Scopes.validates(app.scopes)
+    |> Scopes.validate(app.scopes)
   end
 
   def default_redirect_uri(%App{} = app) do

lib/pleroma/web/oauth/scopes.ex

@@ -8,7 +8,7 @@ defmodule Pleroma.Web.OAuth.Scopes do
   """
 
   @doc """
-  Fetch scopes from requiest params.
+  Fetch scopes from request params.
 
   Note: `scopes` is used by Mastodon — supporting it but sticking to
   OAuth's standard `scope` wherever we control it
@@ -53,14 +53,14 @@ def to_string(scopes), do: Enum.join(scopes, " ")
   @doc """
   Validates scopes.
   """
-  @spec validates(list() | nil, list()) ::
+  @spec validate(list() | nil, list()) ::
           {:ok, list()} | {:error, :missing_scopes | :unsupported_scopes}
-  def validates([], _app_scopes), do: {:error, :missing_scopes}
+  def validate([], _app_scopes), do: {:error, :missing_scopes}
-  def validates(nil, _app_scopes), do: {:error, :missing_scopes}
+  def validate(nil, _app_scopes), do: {:error, :missing_scopes}
 
-  def validates(scopes, app_scopes) do
+  def validate(scopes, app_scopes) do
-    case scopes -- app_scopes do
+    case Pleroma.Plugs.OAuthScopesPlug.filter_descendants(scopes, app_scopes) do
-      [] -> {:ok, scopes}
+      ^scopes -> {:ok, scopes}
       _ -> {:error, :unsupported_scopes}
     end
   end

lib/pleroma/web/router.ex

@@ -104,10 +104,6 @@ defmodule Pleroma.Web.Router do
     plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["write"]})
   end
 
-  pipeline :oauth_follow do
-    plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["follow"]})
-  end
-
   pipeline :oauth_push do
     plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["push"]})
   end
@@ -211,11 +207,7 @@ defmodule Pleroma.Web.Router do
 
     post("/main/ostatus", UtilController, :remote_subscribe)
     get("/ostatus_subscribe", UtilController, :remote_follow)
-
+    post("/ostatus_subscribe", UtilController, :do_remote_follow)
-    scope [] do
-      pipe_through(:oauth_follow)
-      post("/ostatus_subscribe", UtilController, :do_remote_follow)
-    end
   end
 
   scope "/api/pleroma", Pleroma.Web.TwitterAPI do
@@ -231,8 +223,6 @@ defmodule Pleroma.Web.Router do
     end
 
     scope [] do
-      pipe_through(:oauth_follow)
-
       post("/blocks_import", UtilController, :blocks_import)
       post("/follow_import", UtilController, :follow_import)
     end
@@ -373,8 +363,6 @@ defmodule Pleroma.Web.Router do
     end
 
     scope [] do
-      pipe_through(:oauth_follow)
-
       post("/follows", MastodonAPIController, :follow)
       post("/accounts/:id/follow", MastodonAPIController, :follow)
 

lib/pleroma/web/twitter_api/controllers/util_controller.ex

@@ -13,11 +13,20 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
   alias Pleroma.Healthcheck
   alias Pleroma.Notification
   alias Pleroma.Plugs.AuthenticationPlug
+  alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.User
   alias Pleroma.Web
   alias Pleroma.Web.CommonAPI
   alias Pleroma.Web.WebFinger
 
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["follow", "write:follows"]}
+    when action in [:do_remote_follow, :follow_import]
+  )
+
+  plug(OAuthScopesPlug, %{scopes: ["follow", "write:blocks"]} when action == :blocks_import)
+
   plug(Pleroma.Plugs.SetFormatPlug when action in [:config, :version])
 
   def help_test(conn, _params) do

test/plugs/oauth_scopes_plug_test.exs

@@ -84,7 +84,8 @@ test "proceeds with cleared `assigns[:user]` if `token.scopes` doesn't fulfill s
     refute conn.assigns[:user]
   end
 
-  test "returns 403 and halts in case of no :fallback option and `token.scopes` not fulfilling specified 'any of' conditions",
+  test "returns 403 and halts " <>
+         "in case of no :fallback option and `token.scopes` not fulfilling specified 'any of' conditions",
        %{conn: conn} do
     token = insert(:oauth_token, scopes: ["read", "write"])
     any_of_scopes = ["follow"]
@@ -101,7 +102,8 @@ test "returns 403 and halts in case of no :fallback option and `token.scopes` no
     assert Jason.encode!(%{error: expected_error}) == conn.resp_body
   end
 
-  test "returns 403 and halts in case of no :fallback option and `token.scopes` not fulfilling specified 'all of' conditions",
+  test "returns 403 and halts " <>
+         "in case of no :fallback option and `token.scopes` not fulfilling specified 'all of' conditions",
        %{conn: conn} do
     token = insert(:oauth_token, scopes: ["read", "write"])
     all_of_scopes = ["write", "follow"]
@@ -119,4 +121,36 @@ test "returns 403 and halts in case of no :fallback option and `token.scopes` no
 
     assert Jason.encode!(%{error: expected_error}) == conn.resp_body
   end
+
+  describe "with hierarchical scopes, " do
+    test "proceeds with no op if `token.scopes` fulfill specified 'any of' conditions", %{
+      conn: conn
+    } do
+      token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
+
+      conn =
+        conn
+        |> assign(:user, token.user)
+        |> assign(:token, token)
+        |> OAuthScopesPlug.call(%{scopes: ["read:something"]})
+
+      refute conn.halted
+      assert conn.assigns[:user]
+    end
+
+    test "proceeds with no op if `token.scopes` fulfill specified 'all of' conditions", %{
+      conn: conn
+    } do
+      token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
+
+      conn =
+        conn
+        |> assign(:user, token.user)
+        |> assign(:token, token)
+        |> OAuthScopesPlug.call(%{scopes: ["scope1:subscope", "scope2:subscope"], op: :&})
+
+      refute conn.halted
+      assert conn.assigns[:user]
+    end
+  end
 end

test/web/twitter_api/util_controller_test.exs

@@ -78,19 +78,21 @@ test "it imports new-style mastodon follow lists", %{conn: conn} do
       assert response == "job started"
     end
 
-    test "requires 'follow' permission", %{conn: conn} do
+    test "requires 'follow' or 'write:follows' permissions", %{conn: conn} do
       token1 = insert(:oauth_token, scopes: ["read", "write"])
       token2 = insert(:oauth_token, scopes: ["follow"])
+      token3 = insert(:oauth_token, scopes: ["something"])
       another_user = insert(:user)
 
-      for token <- [token1, token2] do
+      for token <- [token1, token2, token3] do
         conn =
           conn
           |> put_req_header("authorization", "Bearer #{token.token}")
           |> post("/api/pleroma/follow_import", %{"list" => "#{another_user.ap_id}"})
 
-        if token == token1 do
+        if token == token3 do
-          assert %{"error" => "Insufficient permissions: follow."} == json_response(conn, 403)
+          assert %{"error" => "Insufficient permissions: follow | write:follows."} ==
+                   json_response(conn, 403)
         else
           assert json_response(conn, 200)
         end