Merge pull request #5570 from Turbo87/token-scope-tests

Turbo87 · web-flow · commit 80b4e1f0050c · 2022-12-01T15:18:26.000+01:00
tests/owners: Add tests with token scopes
diff --git a/src/models.rs b/src/models.rs
@@ -28,6 +28,6 @@ pub mod krate;
 mod owner;
 mod rights;
 mod team;
-mod token;
+pub mod token;
 pub mod user;
 mod version;
diff --git a/src/models/token.rs b/src/models/token.rs
@@ -3,6 +3,7 @@ mod scopes;
 use chrono::NaiveDateTime;
 use diesel::prelude::*;
 
+pub use self::scopes::{CrateScope, EndpointScope};
 use crate::models::User;
 use crate::schema::api_tokens;
 use crate::util::errors::{AppResult, InsecurelyGeneratedTokenRevoked};
@@ -27,22 +28,34 @@ pub struct ApiToken {
     pub revoked: bool,
     /// `None` or a list of crate scope patterns (see RFC #2947)
     #[serde(skip)]
-    pub crate_scopes: Option<Vec<scopes::CrateScope>>,
+    pub crate_scopes: Option<Vec<CrateScope>>,
     /// A list of endpoint scopes or `None` for the `legacy` endpoint scope (see RFC #2947)
     #[serde(skip)]
-    pub endpoint_scopes: Option<Vec<scopes::EndpointScope>>,
+    pub endpoint_scopes: Option<Vec<EndpointScope>>,
 }
 
 impl ApiToken {
     /// Generates a new named API token for a user
     pub fn insert(conn: &PgConnection, user_id: i32, name: &str) -> AppResult<CreatedApiToken> {
+        Self::insert_with_scopes(conn, user_id, name, None, None)
+    }
+
+    pub fn insert_with_scopes(
+        conn: &PgConnection,
+        user_id: i32,
+        name: &str,
+        crate_scopes: Option<Vec<CrateScope>>,
+        endpoint_scopes: Option<Vec<EndpointScope>>,
+    ) -> AppResult<CreatedApiToken> {
         let token = SecureToken::generate(SecureTokenKind::Api);
 
         let model: ApiToken = diesel::insert_into(api_tokens::table)
             .values((
                 api_tokens::user_id.eq(user_id),
                 api_tokens::name.eq(name),
                 api_tokens::token.eq(&*token),
+                api_tokens::crate_scopes.eq(crate_scopes),
+                api_tokens::endpoint_scopes.eq(endpoint_scopes),
             ))
             .get_result(conn)?;
 
diff --git a/src/tests/owners.rs b/src/tests/owners.rs
@@ -14,6 +14,7 @@ use cargo_registry::{
     Emails,
 };
 
+use cargo_registry::models::token::{CrateScope, EndpointScope};
 use chrono::{Duration, Utc};
 use conduit::StatusCode;
 use diesel::prelude::*;
@@ -305,6 +306,108 @@ fn owner_change_via_token() {
     );
 }
 
+#[test]
+fn owner_change_via_change_owner_token() {
+    let (app, _, _, token) =
+        TestApp::full().with_scoped_token(None, Some(vec![EndpointScope::ChangeOwners]));
+
+    let user2 = app.db_new_user("user-2");
+    let user2 = user2.as_model();
+
+    let krate =
+        app.db(|conn| CrateBuilder::new("foo_crate", token.as_model().user_id).expect_build(conn));
+
+    let url = format!("/api/v1/crates/{}/owners", krate.name);
+    let body = json!({ "owners": [user2.gh_login] });
+    let body = serde_json::to_vec(&body).unwrap();
+    let response = token.put::<()>(&url, &body);
+    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(
+        response.into_json(),
+        json!({ "ok": true, "msg": "user user-2 has been invited to be an owner of crate foo_crate" })
+    );
+}
+
+#[test]
+fn owner_change_via_change_owner_token_with_matching_crate_scope() {
+    let crate_scopes = Some(vec![CrateScope::try_from("foo_crate").unwrap()]);
+    let endpoint_scopes = Some(vec![EndpointScope::ChangeOwners]);
+    let (app, _, _, token) = TestApp::full().with_scoped_token(crate_scopes, endpoint_scopes);
+
+    let user2 = app.db_new_user("user-2");
+    let user2 = user2.as_model();
+
+    let krate =
+        app.db(|conn| CrateBuilder::new("foo_crate", token.as_model().user_id).expect_build(conn));
+
+    let url = format!("/api/v1/crates/{}/owners", krate.name);
+    let body = json!({ "owners": [user2.gh_login] });
+    let body = serde_json::to_vec(&body).unwrap();
+    let response = token.put::<()>(&url, &body);
+    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(
+        response.into_json(),
+        json!({ "ok": true, "msg": "user user-2 has been invited to be an owner of crate foo_crate" })
+    );
+}
+
+#[test]
+fn owner_change_via_change_owner_token_with_wrong_crate_scope() {
+    let crate_scopes = Some(vec![CrateScope::try_from("bar").unwrap()]);
+    let endpoint_scopes = Some(vec![EndpointScope::ChangeOwners]);
+    let (app, _, _, token) = TestApp::full().with_scoped_token(crate_scopes, endpoint_scopes);
+
+    let user2 = app.db_new_user("user-2");
+    let user2 = user2.as_model();
+
+    let krate =
+        app.db(|conn| CrateBuilder::new("foo_crate", token.as_model().user_id).expect_build(conn));
+
+    let url = format!("/api/v1/crates/{}/owners", krate.name);
+    let body = json!({ "owners": [user2.gh_login] });
+    let body = serde_json::to_vec(&body).unwrap();
+    let response = token.put::<()>(&url, &body);
+    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(
+        response.into_json(),
+        json!({ "ok": true, "msg": "user user-2 has been invited to be an owner of crate foo_crate" })
+    );
+    // TODO this should return "403 Forbidden" once token scopes are implemented for this endpoint
+    // assert_eq!(response.status(), StatusCode::FORBIDDEN);
+    // assert_eq!(
+    //     response.into_json(),
+    //     json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
+    // );
+}
+
+#[test]
+fn owner_change_via_publish_token() {
+    let (app, _, _, token) =
+        TestApp::full().with_scoped_token(None, Some(vec![EndpointScope::PublishUpdate]));
+
+    let user2 = app.db_new_user("user-2");
+    let user2 = user2.as_model();
+
+    let krate =
+        app.db(|conn| CrateBuilder::new("foo_crate", token.as_model().user_id).expect_build(conn));
+
+    let url = format!("/api/v1/crates/{}/owners", krate.name);
+    let body = json!({ "owners": [user2.gh_login] });
+    let body = serde_json::to_vec(&body).unwrap();
+    let response = token.put::<()>(&url, &body);
+    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(
+        response.into_json(),
+        json!({ "ok": true, "msg": "user user-2 has been invited to be an owner of crate foo_crate" })
+    );
+    // TODO this should return "403 Forbidden" once token scopes are implemented for this endpoint
+    // assert_eq!(response.status(), StatusCode::FORBIDDEN);
+    // assert_eq!(
+    //     response.into_json(),
+    //     json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
+    // );
+}
+
 #[test]
 fn owner_change_without_auth() {
     let (app, anon, cookie) = TestApp::full().with_user();
diff --git a/src/tests/util.rs b/src/tests/util.rs
@@ -29,6 +29,7 @@ use conduit::{BoxError, Handler, Method};
 use conduit_cookie::SessionMiddleware;
 use conduit_test::MockRequest;
 
+use cargo_registry::models::token::{CrateScope, EndpointScope};
 use conduit::header;
 use cookie::Cookie;
 use std::collections::HashMap;
@@ -263,9 +264,22 @@ impl MockCookieUser {
     ///
     /// This method updates the database directly
     pub fn db_new_token(&self, name: &str) -> MockTokenUser {
-        let token = self
-            .app
-            .db(|conn| ApiToken::insert(conn, self.user.id, name).unwrap());
+        self.db_new_scoped_token(name, None, None)
+    }
+
+    /// Creates a scoped token and wraps it in a helper struct
+    ///
+    /// This method updates the database directly
+    pub fn db_new_scoped_token(
+        &self,
+        name: &str,
+        crate_scopes: Option<Vec<CrateScope>>,
+        endpoint_scopes: Option<Vec<EndpointScope>>,
+    ) -> MockTokenUser {
+        let token = self.app.db(|conn| {
+            ApiToken::insert_with_scopes(conn, self.user.id, name, crate_scopes, endpoint_scopes)
+                .unwrap()
+        });
         MockTokenUser {
             app: self.app.clone(),
             token,
diff --git a/src/tests/util/test_app.rs b/src/tests/util/test_app.rs
@@ -8,6 +8,7 @@ use cargo_registry_index::{Credentials, Repository as WorkerRepository, Reposito
 use std::{rc::Rc, sync::Arc, time::Duration};
 
 use crate::util::github::{MockGitHubClient, MOCK_GITHUB_DATA};
+use cargo_registry::models::token::{CrateScope, EndpointScope};
 use diesel::PgConnection;
 use reqwest::{blocking::Client, Proxy};
 use std::collections::HashSet;
@@ -292,6 +293,17 @@ impl TestAppBuilder {
         (app, anon, user, token)
     }
 
+    pub fn with_scoped_token(
+        self,
+        crate_scopes: Option<Vec<CrateScope>>,
+        endpoint_scopes: Option<Vec<EndpointScope>>,
+    ) -> (TestApp, MockAnonymousUser, MockCookieUser, MockTokenUser) {
+        let (app, anon) = self.empty();
+        let user = app.db_new_user("foo");
+        let token = user.db_new_scoped_token("bar", crate_scopes, endpoint_scopes);
+        (app, anon, user, token)
+    }
+
     pub fn with_config(mut self, f: impl FnOnce(&mut config::Server)) -> Self {
         f(&mut self.config);
         self
