gitlord
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23441 Commits
842 Branches
342 MiB
 
 
 
 
 
 
Branch: develop
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'develop'
${ noResults }
synapse/tests/handlers/test_auth.py

243 lines
8.1 KiB
Raw Permalink Blame History 

  1. # Copyright 2015, 2016 OpenMarket Ltd

  2. #

  3. # Licensed under the Apache License, Version 2.0 (the "License");

  4. # you may not use this file except in compliance with the License.

  5. # You may obtain a copy of the License at

  6. #

  7. #     http://www.apache.org/licenses/LICENSE-2.0

  8. #

  9. # Unless required by applicable law or agreed to in writing, software

  10. # distributed under the License is distributed on an "AS IS" BASIS,

  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  12. # See the License for the specific language governing permissions and

  13. # limitations under the License.

  14. from typing import Optional

  15. from unittest.mock import AsyncMock

  16. 

  17. import pymacaroons

  18. 

  19. from twisted.test.proto_helpers import MemoryReactor

  20. 

  21. from synapse.api.errors import AuthError, ResourceLimitError

  22. from synapse.rest import admin

  23. from synapse.rest.client import login

  24. from synapse.server import HomeServer

  25. from synapse.util import Clock

  26. 

  27. from tests import unittest

  28. 

  29. 

  30. class AuthTestCase(unittest.HomeserverTestCase):

  31.     servlets = [

  32.         admin.register_servlets,

  33.         login.register_servlets,

  34.     ]

  35. 

  36.     def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:

  37.         self.auth_handler = hs.get_auth_handler()

  38.         self.macaroon_generator = hs.get_macaroon_generator()

  39. 

  40.         # MAU tests

  41.         # AuthBlocking reads from the hs' config on initialization. We need to

  42.         # modify its config instead of the hs'

  43.         self.auth_blocking = hs.get_auth_blocking()

  44.         self.auth_blocking._max_mau_value = 50

  45. 

  46.         self.small_number_of_users = 1

  47.         self.large_number_of_users = 100

  48. 

  49.         self.user1 = self.register_user("a_user", "pass")

  50. 

  51.     def token_login(self, token: str) -> Optional[str]:

  52.         body = {

  53.             "type": "m.login.token",

  54.             "token": token,

  55.         }

  56. 

  57.         channel = self.make_request(

  58.             "POST",

  59.             "/_matrix/client/v3/login",

  60.             body,

  61.         )

  62. 

  63.         if channel.code == 200:

  64.             return channel.json_body["user_id"]

  65. 

  66.         return None

  67. 

  68.     def test_macaroon_caveats(self) -> None:

  69.         token = self.macaroon_generator.generate_guest_access_token("a_user")

  70.         macaroon = pymacaroons.Macaroon.deserialize(token)

  71. 

  72.         def verify_gen(caveat: str) -> bool:

  73.             return caveat == "gen = 1"

  74. 

  75.         def verify_user(caveat: str) -> bool:

  76.             return caveat == "user_id = a_user"

  77. 

  78.         def verify_type(caveat: str) -> bool:

  79.             return caveat == "type = access"

  80. 

  81.         def verify_nonce(caveat: str) -> bool:

  82.             return caveat.startswith("nonce =")

  83. 

  84.         def verify_guest(caveat: str) -> bool:

  85.             return caveat == "guest = true"

  86. 

  87.         v = pymacaroons.Verifier()

  88.         v.satisfy_general(verify_gen)

  89.         v.satisfy_general(verify_user)

  90.         v.satisfy_general(verify_type)

  91.         v.satisfy_general(verify_nonce)

  92.         v.satisfy_general(verify_guest)

  93.         v.verify(macaroon, self.hs.config.key.macaroon_secret_key)

  94. 

  95.     def test_login_token_gives_user_id(self) -> None:

  96.         token = self.get_success(

  97.             self.auth_handler.create_login_token_for_user_id(

  98.                 self.user1,

  99.                 duration_ms=(5 * 1000),

  100.             )

  101.         )

  102. 

  103.         res = self.get_success(self.auth_handler.consume_login_token(token))

  104.         self.assertEqual(self.user1, res.user_id)

  105.         self.assertEqual(None, res.auth_provider_id)

  106. 

  107.     def test_login_token_reuse_fails(self) -> None:

  108.         token = self.get_success(

  109.             self.auth_handler.create_login_token_for_user_id(

  110.                 self.user1,

  111.                 duration_ms=(5 * 1000),

  112.             )

  113.         )

  114. 

  115.         self.get_success(self.auth_handler.consume_login_token(token))

  116. 

  117.         self.get_failure(

  118.             self.auth_handler.consume_login_token(token),

  119.             AuthError,

  120.         )

  121. 

  122.     def test_login_token_expires(self) -> None:

  123.         token = self.get_success(

  124.             self.auth_handler.create_login_token_for_user_id(

  125.                 self.user1,

  126.                 duration_ms=(5 * 1000),

  127.             )

  128.         )

  129. 

  130.         # when we advance the clock, the token should be rejected

  131.         self.reactor.advance(6)

  132.         self.get_failure(

  133.             self.auth_handler.consume_login_token(token),

  134.             AuthError,

  135.         )

  136. 

  137.     def test_login_token_gives_auth_provider(self) -> None:

  138.         token = self.get_success(

  139.             self.auth_handler.create_login_token_for_user_id(

  140.                 self.user1,

  141.                 auth_provider_id="my_idp",

  142.                 auth_provider_session_id="11-22-33-44",

  143.                 duration_ms=(5 * 1000),

  144.             )

  145.         )

  146.         res = self.get_success(self.auth_handler.consume_login_token(token))

  147.         self.assertEqual(self.user1, res.user_id)

  148.         self.assertEqual("my_idp", res.auth_provider_id)

  149.         self.assertEqual("11-22-33-44", res.auth_provider_session_id)

  150. 

  151.     def test_mau_limits_disabled(self) -> None:

  152.         self.auth_blocking._limit_usage_by_mau = False

  153.         # Ensure does not throw exception

  154.         self.get_success(

  155.             self.auth_handler.create_access_token_for_user_id(

  156.                 self.user1, device_id=None, valid_until_ms=None

  157.             )

  158.         )

  159. 

  160.         token = self.get_success(

  161.             self.auth_handler.create_login_token_for_user_id(self.user1)

  162.         )

  163. 

  164.         self.assertIsNotNone(self.token_login(token))

  165. 

  166.     def test_mau_limits_exceeded_large(self) -> None:

  167.         self.auth_blocking._limit_usage_by_mau = True

  168.         self.hs.get_datastores().main.get_monthly_active_count = AsyncMock(

  169.             return_value=self.large_number_of_users

  170.         )

  171. 

  172.         self.get_failure(

  173.             self.auth_handler.create_access_token_for_user_id(

  174.                 self.user1, device_id=None, valid_until_ms=None

  175.             ),

  176.             ResourceLimitError,

  177.         )

  178. 

  179.         self.hs.get_datastores().main.get_monthly_active_count = AsyncMock(

  180.             return_value=self.large_number_of_users

  181.         )

  182.         token = self.get_success(

  183.             self.auth_handler.create_login_token_for_user_id(self.user1)

  184.         )

  185.         self.assertIsNone(self.token_login(token))

  186. 

  187.     def test_mau_limits_parity(self) -> None:

  188.         # Ensure we're not at the unix epoch.

  189.         self.reactor.advance(1)

  190.         self.auth_blocking._limit_usage_by_mau = True

  191. 

  192.         # Set the server to be at the edge of too many users.

  193.         self.hs.get_datastores().main.get_monthly_active_count = AsyncMock(

  194.             return_value=self.auth_blocking._max_mau_value

  195.         )

  196. 

  197.         # If not in monthly active cohort

  198.         self.get_failure(

  199.             self.auth_handler.create_access_token_for_user_id(

  200.                 self.user1, device_id=None, valid_until_ms=None

  201.             ),

  202.             ResourceLimitError,

  203.         )

  204.         token = self.get_success(

  205.             self.auth_handler.create_login_token_for_user_id(self.user1)

  206.         )

  207.         self.assertIsNone(self.token_login(token))

  208. 

  209.         # If in monthly active cohort

  210.         self.hs.get_datastores().main.user_last_seen_monthly_active = AsyncMock(

  211.             return_value=self.clock.time_msec()

  212.         )

  213.         self.get_success(

  214.             self.auth_handler.create_access_token_for_user_id(

  215.                 self.user1, device_id=None, valid_until_ms=None

  216.             )

  217.         )

  218.         token = self.get_success(

  219.             self.auth_handler.create_login_token_for_user_id(self.user1)

  220.         )

  221.         self.assertIsNotNone(self.token_login(token))

  222. 

  223.     def test_mau_limits_not_exceeded(self) -> None:

  224.         self.auth_blocking._limit_usage_by_mau = True

  225. 

  226.         self.hs.get_datastores().main.get_monthly_active_count = AsyncMock(

  227.             return_value=self.small_number_of_users

  228.         )

  229.         # Ensure does not raise exception

  230.         self.get_success(

  231.             self.auth_handler.create_access_token_for_user_id(

  232.                 self.user1, device_id=None, valid_until_ms=None

  233.             )

  234.         )

  235. 

  236.         self.hs.get_datastores().main.get_monthly_active_count = AsyncMock(

  237.             return_value=self.small_number_of_users

  238.         )

  239.         token = self.get_success(

  240.             self.auth_handler.create_login_token_for_user_id(self.user1)

  241.         )

  242.         self.assertIsNotNone(self.token_login(token))