[feature] Implement Mastodon-compatible roles (#3136)

* Implement Mastodon-compatible roles

- `Account.role` should only be available through verify_credentials for checking current user's permissions
- `Account.role` now carries a Mastodon-compatible permissions bitmap and a marker for whether it should be shown to the public
- `Account.roles` added for *public* display roles (undocumented but stable since Mastodon 4.1)
- Web template now uses only public display roles (no user-visible change here, we already special-cased the `user` role)

* Handle verify_credentials case for default role

* Update JSON exact-match tests

* Address review comments

* Add blocks bit to admin permissions bitmap

2 files changed, 182 insertions, 8 deletions

diff --git a/internal/api/client/accounts/accountget_test.go b/internal/api/client/accounts/accountget_test.go
new file mode 100644
index 000000000..421de0d64
--- /dev/null
+++ b/internal/api/client/accounts/accountget_test.go
@@ -0,0 +1,118 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package accounts_test
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/suite"
+	"github.com/superseriousbusiness/gotosocial/internal/api/client/accounts"
+	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
+)
+
+type AccountGetTestSuite struct {
+	AccountStandardTestSuite
+}
+
+// accountVerifyGet calls the get account API method for a given account fixture name.
+func (suite *AccountGetTestSuite) getAccount(id string) *apimodel.Account {
+	recorder := httptest.NewRecorder()
+	ctx := suite.newContext(recorder, http.MethodGet, nil, accounts.BasePath+"/"+id, "")
+	ctx.Params = gin.Params{
+		gin.Param{
+			Key:   accounts.IDKey,
+			Value: id,
+		},
+	}
+
+	// call the handler
+	suite.accountsModule.AccountGETHandler(ctx)
+
+	// 1. we should have OK because our request was valid
+	suite.Equal(http.StatusOK, recorder.Code)
+
+	// 2. we should have no error message in the result body
+	result := recorder.Result()
+	defer result.Body.Close()
+
+	// check the response
+	b, err := io.ReadAll(result.Body)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	// unmarshal the returned account
+	apimodelAccount := &apimodel.Account{}
+	err = json.Unmarshal(b, apimodelAccount)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	return apimodelAccount
+}
+
+// Fetching the currently logged-in account shows extra info,
+// so we should see permissions, but this account is a regular user and should have no display role.
+func (suite *AccountGetTestSuite) TestGetDisplayRoleForSelf() {
+	apimodelAccount := suite.getAccount(suite.testAccounts["local_account_1"].ID)
+
+	// Role should be set, but permissions should be empty.
+	if suite.NotNil(apimodelAccount.Role) {
+		role := apimodelAccount.Role
+		suite.Equal("user", string(role.Name))
+		suite.Zero(role.Permissions)
+	}
+
+	// Roles should not have anything in it.
+	suite.Empty(apimodelAccount.Roles)
+}
+
+// We should not see a display role for an ordinary local account.
+func (suite *AccountGetTestSuite) TestGetDisplayRoleForUserAccount() {
+	apimodelAccount := suite.getAccount(suite.testAccounts["local_account_2"].ID)
+
+	// Role should not be set.
+	suite.Nil(apimodelAccount.Role)
+
+	// Roles should not have anything in it.
+	suite.Empty(apimodelAccount.Roles)
+}
+
+// We should be able to get a display role for an admin account.
+func (suite *AccountGetTestSuite) TestGetDisplayRoleForAdminAccount() {
+	apimodelAccount := suite.getAccount(suite.testAccounts["admin_account"].ID)
+
+	// Role should not be set.
+	suite.Nil(apimodelAccount.Role)
+
+	// Roles should have exactly one display role.
+	if suite.Len(apimodelAccount.Roles, 1) {
+		role := apimodelAccount.Roles[0]
+		suite.Equal("admin", string(role.Name))
+		suite.NotEmpty(role.ID)
+	}
+}
+
+func TestAccountGetTestSuite(t *testing.T) {
+	suite.Run(t, new(AccountGetTestSuite))
+}
diff --git a/internal/api/client/accounts/accountverify_test.go b/internal/api/client/accounts/accountverify_test.go
index 9308cc92a..af8c2346c 100644
--- a/internal/api/client/accounts/accountverify_test.go
+++ b/internal/api/client/accounts/accountverify_test.go
@@ -19,30 +19,35 @@ package accounts_test
 
 import (
 	"encoding/json"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"time"
 
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"
 	"github.com/superseriousbusiness/gotosocial/internal/api/client/accounts"
 	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/oauth"
 )
 
 type AccountVerifyTestSuite struct {
 	AccountStandardTestSuite
 }
 
-func (suite *AccountVerifyTestSuite) TestAccountVerifyGet() {
-	testAccount := suite.testAccounts["local_account_1"]
-
+// accountVerifyGet calls the verify_credentials API method for a given account fixture name.
+// Assumes token and user fixture names are the same as the account fixture name.
+func (suite *AccountVerifyTestSuite) accountVerifyGet(fixtureName string) *apimodel.Account {
 	// set up the request
 	recorder := httptest.NewRecorder()
 	ctx := suite.newContext(recorder, http.MethodGet, nil, accounts.VerifyPath, "")
 
+	// override the account that we're authenticated as
+	ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts[fixtureName])
+	ctx.Set(oauth.SessionAuthorizedToken, oauth.DBTokenToToken(suite.testTokens[fixtureName]))
+	ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers[fixtureName])
+
 	// call the handler
 	suite.accountsModule.AccountVerifyGETHandler(ctx)
 
@@ -54,13 +59,27 @@ func (suite *AccountVerifyTestSuite) TestAccountVerifyGet() {
 	defer result.Body.Close()
 
 	// check the response
-	b, err := ioutil.ReadAll(result.Body)
-	assert.NoError(suite.T(), err)
+	b, err := io.ReadAll(result.Body)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
 
 	// unmarshal the returned account
 	apimodelAccount := &apimodel.Account{}
 	err = json.Unmarshal(b, apimodelAccount)
-	suite.NoError(err)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	return apimodelAccount
+}
+
+// We should see public account information and profile source for a normal user.
+func (suite *AccountVerifyTestSuite) TestAccountVerifyGet() {
+	fixtureName := "local_account_1"
+	testAccount := suite.testAccounts[fixtureName]
+
+	apimodelAccount := suite.accountVerifyGet(fixtureName)
 
 	createdAt, err := time.Parse(time.RFC3339, apimodelAccount.CreatedAt)
 	suite.NoError(err)
@@ -85,6 +104,43 @@ func (suite *AccountVerifyTestSuite) TestAccountVerifyGet() {
 	suite.Equal(testAccount.NoteRaw, apimodelAccount.Source.Note)
 }
 
+// testAccountVerifyGetRole calls the verify_credentials API method for a given account fixture name,
+// and checks the response for permissions appropriate to the role.
+func (suite *AccountVerifyTestSuite) testAccountVerifyGetRole(fixtureName string) {
+	testUser := suite.testUsers[fixtureName]
+
+	apimodelAccount := suite.accountVerifyGet(fixtureName)
+
+	if suite.NotNil(apimodelAccount.Role) {
+		switch {
+		case *testUser.Admin:
+			suite.Equal("admin", string(apimodelAccount.Role.Name))
+			suite.NotZero(apimodelAccount.Role.Permissions)
+			suite.True(apimodelAccount.Role.Highlighted)
+
+		case *testUser.Moderator:
+			suite.Equal("moderator", string(apimodelAccount.Role.Name))
+			suite.Zero(apimodelAccount.Role.Permissions)
+			suite.True(apimodelAccount.Role.Highlighted)
+
+		default:
+			suite.Equal("user", string(apimodelAccount.Role.Name))
+			suite.Zero(apimodelAccount.Role.Permissions)
+			suite.False(apimodelAccount.Role.Highlighted)
+		}
+	}
+}
+
+// We should see a role for a normal user, and that role should not have any permissions.
+func (suite *AccountVerifyTestSuite) TestAccountVerifyGetRoleUser() {
+	suite.testAccountVerifyGetRole("local_account_1")
+}
+
+// We should see a role for an admin user, and that role should have some permissions.
+func (suite *AccountVerifyTestSuite) TestAccountVerifyGetRoleAdmin() {
+	suite.testAccountVerifyGetRole("admin_account")
+}
+
 func TestAccountVerifyTestSuite(t *testing.T) {
 	suite.Run(t, new(AccountVerifyTestSuite))
 }