gitea/nas
1
0
Fork 2
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'parent/main' into upstream-20240524

Browse source
This commit is contained in:
KMY 2024-05-24 08:33:49 +09:00
commit c546939a40
213 changed files with 2260 additions and 986 deletions
Download patch file Download diff file Expand all files Collapse all files

23
spec/requests/api/v1/apps/credentials_spec.rb
View file

@ -20,14 +20,26 @@ describe 'Credentials' do
expect(body_as_json).to match(
a_hash_including(
id: token.application.id.to_s,
name: token.application.name,
website: token.application.website,
vapid_key: Rails.configuration.x.vapid_public_key,
scopes: token.application.scopes.map(&:to_s),
client_id: token.application.uid
redirect_uris: token.application.redirect_uris,
# Deprecated properties as of 4.3:
redirect_uri: token.application.redirect_uri.split.first,
vapid_key: Rails.configuration.x.vapid_public_key
)
)
end
it 'does not expose the client_id or client_secret' do
subject
expect(response).to have_http_status(200)
expect(body_as_json[:client_id]).to_not be_present
expect(body_as_json[:client_secret]).to_not be_present
end
end
context 'with a non-read scoped oauth token' do
@ -46,11 +58,14 @@ describe 'Credentials' do
expect(body_as_json).to match(
a_hash_including(
id: token.application.id.to_s,
name: token.application.name,
website: token.application.website,
vapid_key: Rails.configuration.x.vapid_public_key,
scopes: token.application.scopes.map(&:to_s),
client_id: token.application.uid
redirect_uris: token.application.redirect_uris,
# Deprecated properties as of 4.3:
redirect_uri: token.application.redirect_uri.split.first,
vapid_key: Rails.configuration.x.vapid_public_key
)
)
end

164
spec/requests/api/v1/apps_spec.rb
View file

@ -9,8 +9,9 @@ RSpec.describe 'Apps' do
end
let(:client_name) { 'Test app' }
let(:scopes) { nil }
let(:redirect_uris) { 'urn:ietf:wg:oauth:2.0:oob' }
let(:scopes) { 'read write' }
let(:redirect_uri) { 'urn:ietf:wg:oauth:2.0:oob' }
let(:redirect_uris) { [redirect_uri] }
let(:website) { nil }
let(:params) do
@ -26,13 +27,63 @@ RSpec.describe 'Apps' do
it 'creates an OAuth app', :aggregate_failures do
subject
expect(response).to have_http_status(200)
app = Doorkeeper::Application.find_by(name: client_name)
expect(app).to be_present
expect(app.scopes.to_s).to eq scopes
expect(app.redirect_uris).to eq redirect_uris
expect(body_as_json).to match(
a_hash_including(
id: app.id.to_s,
client_id: app.uid,
client_secret: app.secret,
name: client_name,
website: website,
scopes: ['read', 'write'],
redirect_uris: redirect_uris,
# Deprecated properties as of 4.3:
redirect_uri: redirect_uri,
vapid_key: Rails.configuration.x.vapid_public_key
)
)
end
end
context 'without scopes being supplied' do
let(:scopes) { nil }
it 'creates an OAuth App with the default scope' do
subject
expect(response).to have_http_status(200)
expect(Doorkeeper::Application.find_by(name: client_name)).to be_present
body = body_as_json
expect(body[:client_id]).to be_present
expect(body[:client_secret]).to be_present
expect(body[:scopes]).to eq Doorkeeper.config.default_scopes.to_a
end
end
# FIXME: This is a bug: https://github.com/mastodon/mastodon/issues/30152
context 'with scopes as an array' do
let(:scopes) { %w(read write follow) }
it 'creates an OAuth App with the default scope' do
subject
expect(response).to have_http_status(200)
app = Doorkeeper::Application.find_by(name: client_name)
expect(app).to be_present
expect(app.scopes.to_s).to eq 'read'
body = body_as_json
expect(body[:scopes]).to eq ['read']
end
end
@ -77,8 +128,8 @@ RSpec.describe 'Apps' do
end
end
context 'with a too-long redirect_uris' do
let(:redirect_uris) { "https://foo.bar/#{'hoge' * 2_000}" }
context 'with a too-long redirect_uri' do
let(:redirect_uris) { "https://app.example/#{'hoge' * 2_000}" }
it 'returns http unprocessable entity' do
subject
@ -87,8 +138,80 @@ RSpec.describe 'Apps' do
end
end
context 'without required params' do
let(:client_name) { '' }
# NOTE: This spec currently tests the same as the "with a too-long redirect_uri test case"
context 'with too many redirect_uris' do
let(:redirect_uris) { (0...500).map { |i| "https://app.example/#{i}/callback" } }
it 'returns http unprocessable entity' do
subject
expect(response).to have_http_status(422)
end
end
context 'with multiple redirect_uris as a string' do
let(:redirect_uris) { "https://redirect1.example/\napp://redirect2.example/" }
it 'creates an OAuth application with multiple redirect URIs' do
subject
expect(response).to have_http_status(200)
app = Doorkeeper::Application.find_by(name: client_name)
expect(app).to be_present
expect(app.redirect_uri).to eq redirect_uris
expect(app.redirect_uris).to eq redirect_uris.split
body = body_as_json
expect(body[:redirect_uri]).to eq redirect_uris
expect(body[:redirect_uris]).to eq redirect_uris.split
end
end
context 'with multiple redirect_uris as an array' do
let(:redirect_uris) { ['https://redirect1.example/', 'app://redirect2.example/'] }
it 'creates an OAuth application with multiple redirect URIs' do
subject
expect(response).to have_http_status(200)
app = Doorkeeper::Application.find_by(name: client_name)
expect(app).to be_present
expect(app.redirect_uri).to eq redirect_uris.join "\n"
expect(app.redirect_uris).to eq redirect_uris
body = body_as_json
expect(body[:redirect_uri]).to eq redirect_uris.join "\n"
expect(body[:redirect_uris]).to eq redirect_uris
end
end
context 'with an empty redirect_uris array' do
let(:redirect_uris) { [] }
it 'returns http unprocessable entity' do
subject
expect(response).to have_http_status(422)
end
end
context 'with just a newline as the redirect_uris string' do
let(:redirect_uris) { "\n" }
it 'returns http unprocessable entity' do
subject
expect(response).to have_http_status(422)
end
end
context 'with an empty redirect_uris string' do
let(:redirect_uris) { '' }
it 'returns http unprocessable entity' do
@ -97,5 +220,30 @@ RSpec.describe 'Apps' do
expect(response).to have_http_status(422)
end
end
context 'without a required param' do
let(:client_name) { '' }
it 'returns http unprocessable entity' do
subject
expect(response).to have_http_status(422)
end
end
context 'with a website' do
let(:website) { 'https://app.example/' }
it 'creates an OAuth application with the website specified' do
subject
expect(response).to have_http_status(200)
app = Doorkeeper::Application.find_by(name: client_name)
expect(app).to be_present
expect(app.website).to eq website
end
end
end
end

1
spec/requests/api/v2/admin/accounts_spec.rb
View file

@ -8,7 +8,6 @@ RSpec.describe 'API V2 Admin Accounts' do
let(:scopes) { 'admin:read admin:write' }
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }
let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
let(:account) { Fabricate(:account) }
describe 'GET #index' do
let!(:remote_account) { Fabricate(:account, domain: 'example.org') }

92
spec/requests/self_destruct_spec.rb Normal file
View file

@ -0,0 +1,92 @@
# frozen_string_literal: true
require 'rails_helper'
describe 'Self-destruct mode' do
before do
allow(SelfDestructHelper).to receive(:self_destruct?).and_return(true)
end
shared_examples 'generic logged out request' do |path|
it 'returns 410 gone and mentions self-destruct' do
get path, headers: { 'Accept' => 'text/html' }
expect(response).to have_http_status(410)
expect(response.body).to include(I18n.t('self_destruct.title'))
end
end
shared_examples 'accessible logged-in endpoint' do |path|
it 'returns 200 ok' do
get path
expect(response).to have_http_status(200)
end
end
shared_examples 'ActivityPub request' do |path|
context 'without signature' do
it 'returns 410 gone' do
get path, headers: {
'Accept' => 'application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
}
expect(response).to have_http_status(410)
end
end
context 'with invalid signature' do
it 'returns 410 gone' do
get path, headers: {
'Accept' => 'application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
'Signature' => 'keyId="https://remote.domain/users/bob#main-key",algorithm="rsa-sha256",headers="date host (request-target)",signature="bar"',
}
expect(response).to have_http_status(410)
end
end
end
context 'when requesting various unavailable endpoints' do
it_behaves_like 'generic logged out request', '/'
it_behaves_like 'generic logged out request', '/about'
it_behaves_like 'generic logged out request', '/public'
end
context 'when requesting a suspended account' do
let(:suspended) { Fabricate(:account, username: 'suspended') }
before do
suspended.suspend!
end
it_behaves_like 'generic logged out request', '/@suspended'
it_behaves_like 'ActivityPub request', '/users/suspended'
it_behaves_like 'ActivityPub request', '/users/suspended/followers'
it_behaves_like 'ActivityPub request', '/users/suspended/outbox'
end
context 'when requesting a non-suspended account' do
before do
Fabricate(:account, username: 'bob')
end
it_behaves_like 'generic logged out request', '/@bob'
it_behaves_like 'ActivityPub request', '/users/bob'
it_behaves_like 'ActivityPub request', '/users/bob/followers'
it_behaves_like 'ActivityPub request', '/users/bob/outbox'
end
context 'when accessing still-enabled endpoints when logged in' do
let(:user) { Fabricate(:user) }
before do
sign_in(user)
end
it_behaves_like 'accessible logged-in endpoint', '/auth/edit'
it_behaves_like 'accessible logged-in endpoint', '/settings/export'
it_behaves_like 'accessible logged-in endpoint', '/settings/login_activities'
it_behaves_like 'accessible logged-in endpoint', '/settings/exports/follows.csv'
end
end