gitlord
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23441 Commits
842 Branches
407 MiB
 
 
 
 
 
 
Branch: develop
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'develop'
${ noResults }
synapse/tests/config/test_oauth_delegation.py

271 lines
11 KiB
Raw Permalink Blame History 

  1. # Copyright 2023 Matrix.org Foundation C.I.C.

  2. #

  3. # Licensed under the Apache License, Version 2.0 (the "License");

  4. # you may not use this file except in compliance with the License.

  5. # You may obtain a copy of the License at

  6. #

  7. #     http://www.apache.org/licenses/LICENSE-2.0

  8. #

  9. # Unless required by applicable law or agreed to in writing, software

  10. # distributed under the License is distributed on an "AS IS" BASIS,

  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  12. # See the License for the specific language governing permissions and

  13. # limitations under the License.

  14. 

  15. import os

  16. from unittest.mock import Mock

  17. 

  18. from synapse.config import ConfigError

  19. from synapse.config.homeserver import HomeServerConfig

  20. from synapse.module_api import ModuleApi

  21. from synapse.types import JsonDict

  22. 

  23. from tests.server import get_clock, setup_test_homeserver

  24. from tests.unittest import TestCase, skip_unless

  25. from tests.utils import HAS_AUTHLIB, default_config

  26. 

  27. # These are a few constants that are used as config parameters in the tests.

  28. SERVER_NAME = "test"

  29. ISSUER = "https://issuer/"

  30. CLIENT_ID = "test-client-id"

  31. CLIENT_SECRET = "test-client-secret"

  32. BASE_URL = "https://synapse/"

  33. 

  34. 

  35. class CustomAuthModule:

  36.     """A module which registers a password auth provider."""

  37. 

  38.     @staticmethod

  39.     def parse_config(config: JsonDict) -> None:

  40.         pass

  41. 

  42.     def __init__(self, config: None, api: ModuleApi):

  43.         api.register_password_auth_provider_callbacks(

  44.             auth_checkers={("m.login.password", ("password",)): Mock()},

  45.         )

  46. 

  47. 

  48. @skip_unless(HAS_AUTHLIB, "requires authlib")

  49. class MSC3861OAuthDelegation(TestCase):

  50.     """Test that the Homeserver fails to initialize if the config is invalid."""

  51. 

  52.     def setUp(self) -> None:

  53.         self.config_dict: JsonDict = {

  54.             **default_config("test"),

  55.             "public_baseurl": BASE_URL,

  56.             "enable_registration": False,

  57.             "experimental_features": {

  58.                 "msc3861": {

  59.                     "enabled": True,

  60.                     "issuer": ISSUER,

  61.                     "client_id": CLIENT_ID,

  62.                     "client_auth_method": "client_secret_post",

  63.                     "client_secret": CLIENT_SECRET,

  64.                 }

  65.             },

  66.         }

  67. 

  68.     def parse_config(self) -> HomeServerConfig:

  69.         config = HomeServerConfig()

  70.         config.parse_config_dict(self.config_dict, "", "")

  71.         return config

  72. 

  73.     def test_client_secret_post_works(self) -> None:

  74.         self.config_dict["experimental_features"]["msc3861"].update(

  75.             client_auth_method="client_secret_post",

  76.             client_secret=CLIENT_SECRET,

  77.         )

  78. 

  79.         self.parse_config()

  80. 

  81.     def test_client_secret_post_requires_client_secret(self) -> None:

  82.         self.config_dict["experimental_features"]["msc3861"].update(

  83.             client_auth_method="client_secret_post",

  84.             client_secret=None,

  85.         )

  86. 

  87.         with self.assertRaises(ConfigError):

  88.             self.parse_config()

  89. 

  90.     def test_client_secret_basic_works(self) -> None:

  91.         self.config_dict["experimental_features"]["msc3861"].update(

  92.             client_auth_method="client_secret_basic",

  93.             client_secret=CLIENT_SECRET,

  94.         )

  95. 

  96.         self.parse_config()

  97. 

  98.     def test_client_secret_basic_requires_client_secret(self) -> None:

  99.         self.config_dict["experimental_features"]["msc3861"].update(

  100.             client_auth_method="client_secret_basic",

  101.             client_secret=None,

  102.         )

  103. 

  104.         with self.assertRaises(ConfigError):

  105.             self.parse_config()

  106. 

  107.     def test_client_secret_jwt_works(self) -> None:

  108.         self.config_dict["experimental_features"]["msc3861"].update(

  109.             client_auth_method="client_secret_jwt",

  110.             client_secret=CLIENT_SECRET,

  111.         )

  112. 

  113.         self.parse_config()

  114. 

  115.     def test_client_secret_jwt_requires_client_secret(self) -> None:

  116.         self.config_dict["experimental_features"]["msc3861"].update(

  117.             client_auth_method="client_secret_jwt",

  118.             client_secret=None,

  119.         )

  120. 

  121.         with self.assertRaises(ConfigError):

  122.             self.parse_config()

  123. 

  124.     def test_invalid_client_auth_method(self) -> None:

  125.         self.config_dict["experimental_features"]["msc3861"].update(

  126.             client_auth_method="invalid",

  127.         )

  128. 

  129.         with self.assertRaises(ConfigError):

  130.             self.parse_config()

  131. 

  132.     def test_private_key_jwt_requires_jwk(self) -> None:

  133.         self.config_dict["experimental_features"]["msc3861"].update(

  134.             client_auth_method="private_key_jwt",

  135.         )

  136. 

  137.         with self.assertRaises(ConfigError):

  138.             self.parse_config()

  139. 

  140.     def test_private_key_jwt_works(self) -> None:

  141.         self.config_dict["experimental_features"]["msc3861"].update(

  142.             client_auth_method="private_key_jwt",

  143.             jwk={

  144.                 "p": "-frVdP_tZ-J_nIR6HNMDq1N7aunwm51nAqNnhqIyuA8ikx7LlQED1tt2LD3YEvYyW8nxE2V95HlCRZXQPMiRJBFOsbmYkzl2t-MpavTaObB_fct_JqcRtdXddg4-_ihdjRDwUOreq_dpWh6MIKsC3UyekfkHmeEJg5YpOTL15j8",

  145.                 "kty": "RSA",

  146.                 "q": "oFw-Enr_YozQB1ab-kawn4jY3yHi8B1nSmYT0s8oTCflrmps5BFJfCkHL5ij3iY15z0o2m0N-jjB1oSJ98O4RayEEYNQlHnTNTl0kRIWzpoqblHUIxVcahIpP_xTovBJzwi8XXoLGqHOOMA-r40LSyVgP2Ut8D9qBwV6_UfT0LU",

  147.                 "d": "WFkDPYo4b4LIS64D_QtQfGGuAObPvc3HFfp9VZXyq3SJR58XZRHE0jqtlEMNHhOTgbMYS3w8nxPQ_qVzY-5hs4fIanwvB64mAoOGl0qMHO65DTD_WsGFwzYClJPBVniavkLE2Hmpu8IGe6lGliN8vREC6_4t69liY-XcN_ECboVtC2behKkLOEASOIMuS7YcKAhTJFJwkl1dqDlliEn5A4u4xy7nuWQz3juB1OFdKlwGA5dfhDNglhoLIwNnkLsUPPFO-WB5ZNEW35xxHOToxj4bShvDuanVA6mJPtTKjz0XibjB36bj_nF_j7EtbE2PdGJ2KevAVgElR4lqS4ISgQ",

  148.                 "e": "AQAB",

  149.                 "kid": "test",

  150.                 "qi": "cPfNk8l8W5exVNNea4d7QZZ8Qr8LgHghypYAxz8PQh1fNa8Ya1SNUDVzC2iHHhszxxA0vB9C7jGze8dBrvnzWYF1XvQcqNIVVgHhD57R1Nm3dj2NoHIKe0Cu4bCUtP8xnZQUN4KX7y4IIcgRcBWG1hT6DEYZ4BxqicnBXXNXAUI",

  151.                 "dp": "dKlMHvslV1sMBQaKWpNb3gPq0B13TZhqr3-E2_8sPlvJ3fD8P4CmwwnOn50JDuhY3h9jY5L06sBwXjspYISVv8hX-ndMLkEeF3lrJeA5S70D8rgakfZcPIkffm3tlf1Ok3v5OzoxSv3-67Df4osMniyYwDUBCB5Oq1tTx77xpU8",

  152.                 "dq": "S4ooU1xNYYcjl9FcuJEEMqKsRrAXzzSKq6laPTwIp5dDwt2vXeAm1a4eDHXC-6rUSZGt5PbqVqzV4s-cjnJMI8YYkIdjNg4NSE1Ac_YpeDl3M3Colb5CQlU7yUB7xY2bt0NOOFp9UJZYJrOo09mFMGjy5eorsbitoZEbVqS3SuE",

  153.                 "n": "nJbYKqFwnURKimaviyDFrNLD3gaKR1JW343Qem25VeZxoMq1665RHVoO8n1oBm4ClZdjIiZiVdpyqzD5-Ow12YQgQEf1ZHP3CCcOQQhU57Rh5XvScTe5IxYVkEW32IW2mp_CJ6WfjYpfeL4azarVk8H3Vr59d1rSrKTVVinVdZer9YLQyC_rWAQNtHafPBMrf6RYiNGV9EiYn72wFIXlLlBYQ9Fx7bfe1PaL6qrQSsZP3_rSpuvVdLh1lqGeCLR0pyclA9uo5m2tMyCXuuGQLbA_QJm5xEc7zd-WFdux2eXF045oxnSZ_kgQt-pdN7AxGWOVvwoTf9am6mSkEdv6iw",

  154.             },

  155.         )

  156.         self.parse_config()

  157. 

  158.     def test_registration_cannot_be_enabled(self) -> None:

  159.         self.config_dict["enable_registration"] = True

  160.         with self.assertRaises(ConfigError):

  161.             self.parse_config()

  162. 

  163.     def test_user_consent_cannot_be_enabled(self) -> None:

  164.         tmpdir = self.mktemp()

  165.         os.mkdir(tmpdir)

  166.         self.config_dict["user_consent"] = {

  167.             "require_at_registration": True,

  168.             "version": "1",

  169.             "template_dir": tmpdir,

  170.             "server_notice_content": {

  171.                 "msgtype": "m.text",

  172.                 "body": "foo",

  173.             },

  174.         }

  175.         with self.assertRaises(ConfigError):

  176.             self.parse_config()

  177. 

  178.     def test_password_config_cannot_be_enabled(self) -> None:

  179.         self.config_dict["password_config"] = {"enabled": True}

  180.         with self.assertRaises(ConfigError):

  181.             self.parse_config()

  182. 

  183.     def test_oidc_sso_cannot_be_enabled(self) -> None:

  184.         self.config_dict["oidc_providers"] = [

  185.             {

  186.                 "idp_id": "microsoft",

  187.                 "idp_name": "Microsoft",

  188.                 "issuer": "https://login.microsoftonline.com/<tenant id>/v2.0",

  189.                 "client_id": "<client id>",

  190.                 "client_secret": "<client secret>",

  191.                 "scopes": ["openid", "profile"],

  192.                 "authorization_endpoint": "https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/authorize",

  193.                 "token_endpoint": "https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token",

  194.                 "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",

  195.             }

  196.         ]

  197. 

  198.         with self.assertRaises(ConfigError):

  199.             self.parse_config()

  200. 

  201.     def test_cas_sso_cannot_be_enabled(self) -> None:

  202.         self.config_dict["cas_config"] = {

  203.             "enabled": True,

  204.             "server_url": "https://cas-server.com",

  205.             "displayname_attribute": "name",

  206.             "required_attributes": {"userGroup": "staff", "department": "None"},

  207.         }

  208. 

  209.         with self.assertRaises(ConfigError):

  210.             self.parse_config()

  211. 

  212.     def test_auth_providers_cannot_be_enabled(self) -> None:

  213.         self.config_dict["modules"] = [

  214.             {

  215.                 "module": f"{__name__}.{CustomAuthModule.__qualname__}",

  216.                 "config": {},

  217.             }

  218.         ]

  219. 

  220.         # This requires actually setting up an HS, as the module will be run on setup,

  221.         # which should raise as the module tries to register an auth provider

  222.         config = self.parse_config()

  223.         reactor, clock = get_clock()

  224.         with self.assertRaises(ConfigError):

  225.             setup_test_homeserver(

  226.                 self.addCleanup, reactor=reactor, clock=clock, config=config

  227.             )

  228. 

  229.     def test_jwt_auth_cannot_be_enabled(self) -> None:

  230.         self.config_dict["jwt_config"] = {

  231.             "enabled": True,

  232.             "secret": "my-secret-token",

  233.             "algorithm": "HS256",

  234.         }

  235. 

  236.         with self.assertRaises(ConfigError):

  237.             self.parse_config()

  238. 

  239.     def test_login_via_existing_session_cannot_be_enabled(self) -> None:

  240.         self.config_dict["login_via_existing_session"] = {"enabled": True}

  241.         with self.assertRaises(ConfigError):

  242.             self.parse_config()

  243. 

  244.     def test_captcha_cannot_be_enabled(self) -> None:

  245.         self.config_dict.update(

  246.             enable_registration_captcha=True,

  247.             recaptcha_public_key="test",

  248.             recaptcha_private_key="test",

  249.         )

  250.         with self.assertRaises(ConfigError):

  251.             self.parse_config()

  252. 

  253.     def test_refreshable_tokens_cannot_be_enabled(self) -> None:

  254.         self.config_dict.update(

  255.             refresh_token_lifetime="24h",

  256.             refreshable_access_token_lifetime="10m",

  257.             nonrefreshable_access_token_lifetime="24h",

  258.         )

  259.         with self.assertRaises(ConfigError):

  260.             self.parse_config()

  261. 

  262.     def test_session_lifetime_cannot_be_set(self) -> None:

  263.         self.config_dict["session_lifetime"] = "24h"

  264.         with self.assertRaises(ConfigError):

  265.             self.parse_config()

  266. 

  267.     def test_enable_3pid_changes_cannot_be_enabled(self) -> None:

  268.         self.config_dict["enable_3pid_changes"] = True

  269.         with self.assertRaises(ConfigError):

  270.             self.parse_config()