gitlord
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23441 Commits
842 Branches
311 MiB
 
 
 
 
 
 
Branch: develop
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'develop'
${ noResults }
synapse/tests/http/test_client.py

252 lines
8.9 KiB
Raw Permalink Blame History 

  1. #  Copyright 2021 The Matrix.org Foundation C.I.C.

  2. #

  3. #  Licensed under the Apache License, Version 2.0 (the "License");

  4. #  you may not use this file except in compliance with the License.

  5. #  You may obtain a copy of the License at

  6. #

  7. #      http://www.apache.org/licenses/LICENSE-2.0

  8. #

  9. #  Unless required by applicable law or agreed to in writing, software

  10. #  distributed under the License is distributed on an "AS IS" BASIS,

  11. #  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  12. #  See the License for the specific language governing permissions and

  13. #  limitations under the License.

  14. 

  15. from io import BytesIO

  16. from typing import Tuple, Union

  17. from unittest.mock import Mock

  18. 

  19. from netaddr import IPSet

  20. 

  21. from twisted.internet.defer import Deferred

  22. from twisted.internet.error import DNSLookupError

  23. from twisted.python.failure import Failure

  24. from twisted.test.proto_helpers import AccumulatingProtocol

  25. from twisted.web.client import Agent, ResponseDone

  26. from twisted.web.iweb import UNKNOWN_LENGTH

  27. 

  28. from synapse.api.errors import SynapseError

  29. from synapse.http.client import (

  30.     BlocklistingAgentWrapper,

  31.     BlocklistingReactorWrapper,

  32.     BodyExceededMaxSize,

  33.     _DiscardBodyWithMaxSizeProtocol,

  34.     read_body_with_max_size,

  35. )

  36. 

  37. from tests.server import FakeTransport, get_clock

  38. from tests.unittest import TestCase

  39. 

  40. 

  41. class ReadBodyWithMaxSizeTests(TestCase):

  42.     def _build_response(

  43.         self, length: Union[int, str] = UNKNOWN_LENGTH

  44.     ) -> Tuple[BytesIO, "Deferred[int]", _DiscardBodyWithMaxSizeProtocol]:

  45.         """Start reading the body, returns the response, result and proto"""

  46.         response = Mock(length=length)

  47.         result = BytesIO()

  48.         deferred = read_body_with_max_size(response, result, 6)

  49. 

  50.         # Fish the protocol out of the response.

  51.         protocol = response.deliverBody.call_args[0][0]

  52.         protocol.transport = Mock()

  53. 

  54.         return result, deferred, protocol

  55. 

  56.     def _assert_error(

  57.         self, deferred: "Deferred[int]", protocol: _DiscardBodyWithMaxSizeProtocol

  58.     ) -> None:

  59.         """Ensure that the expected error is received."""

  60.         assert isinstance(deferred.result, Failure)

  61.         self.assertIsInstance(deferred.result.value, BodyExceededMaxSize)

  62.         assert protocol.transport is not None

  63.         # type-ignore: presumably abortConnection has been replaced with a Mock.

  64.         protocol.transport.abortConnection.assert_called_once()  # type: ignore[attr-defined]

  65. 

  66.     def _cleanup_error(self, deferred: "Deferred[int]") -> None:

  67.         """Ensure that the error in the Deferred is handled gracefully."""

  68.         called = [False]

  69. 

  70.         def errback(f: Failure) -> None:

  71.             called[0] = True

  72. 

  73.         deferred.addErrback(errback)

  74.         self.assertTrue(called[0])

  75. 

  76.     def test_no_error(self) -> None:

  77.         """A response that is NOT too large."""

  78.         result, deferred, protocol = self._build_response()

  79. 

  80.         # Start sending data.

  81.         protocol.dataReceived(b"12345")

  82.         # Close the connection.

  83.         protocol.connectionLost(Failure(ResponseDone()))

  84. 

  85.         self.assertEqual(result.getvalue(), b"12345")

  86.         self.assertEqual(deferred.result, 5)

  87. 

  88.     def test_too_large(self) -> None:

  89.         """A response which is too large raises an exception."""

  90.         result, deferred, protocol = self._build_response()

  91. 

  92.         # Start sending data.

  93.         protocol.dataReceived(b"1234567890")

  94. 

  95.         self.assertEqual(result.getvalue(), b"1234567890")

  96.         self._assert_error(deferred, protocol)

  97.         self._cleanup_error(deferred)

  98. 

  99.     def test_multiple_packets(self) -> None:

  100.         """Data should be accumulated through mutliple packets."""

  101.         result, deferred, protocol = self._build_response()

  102. 

  103.         # Start sending data.

  104.         protocol.dataReceived(b"12")

  105.         protocol.dataReceived(b"34")

  106.         # Close the connection.

  107.         protocol.connectionLost(Failure(ResponseDone()))

  108. 

  109.         self.assertEqual(result.getvalue(), b"1234")

  110.         self.assertEqual(deferred.result, 4)

  111. 

  112.     def test_additional_data(self) -> None:

  113.         """A connection can receive data after being closed."""

  114.         result, deferred, protocol = self._build_response()

  115. 

  116.         # Start sending data.

  117.         protocol.dataReceived(b"1234567890")

  118.         self._assert_error(deferred, protocol)

  119. 

  120.         # More data might have come in.

  121.         protocol.dataReceived(b"1234567890")

  122. 

  123.         self.assertEqual(result.getvalue(), b"1234567890")

  124.         self._assert_error(deferred, protocol)

  125.         self._cleanup_error(deferred)

  126. 

  127.     def test_content_length(self) -> None:

  128.         """The body shouldn't be read (at all) if the Content-Length header is too large."""

  129.         result, deferred, protocol = self._build_response(length=10)

  130. 

  131.         # Deferred shouldn't be called yet.

  132.         self.assertFalse(deferred.called)

  133. 

  134.         # Start sending data.

  135.         protocol.dataReceived(b"12345")

  136.         self._assert_error(deferred, protocol)

  137.         self._cleanup_error(deferred)

  138. 

  139.         # The data is never consumed.

  140.         self.assertEqual(result.getvalue(), b"")

  141. 

  142. 

  143. class BlocklistingAgentTest(TestCase):

  144.     def setUp(self) -> None:

  145.         self.reactor, self.clock = get_clock()

  146. 

  147.         self.safe_domain, self.safe_ip = b"safe.test", b"1.2.3.4"

  148.         self.unsafe_domain, self.unsafe_ip = b"danger.test", b"5.6.7.8"

  149.         self.allowed_domain, self.allowed_ip = b"allowed.test", b"5.1.1.1"

  150. 

  151.         # Configure the reactor's DNS resolver.

  152.         for domain, ip in (

  153.             (self.safe_domain, self.safe_ip),

  154.             (self.unsafe_domain, self.unsafe_ip),

  155.             (self.allowed_domain, self.allowed_ip),

  156.         ):

  157.             self.reactor.lookups[domain.decode()] = ip.decode()

  158.             self.reactor.lookups[ip.decode()] = ip.decode()

  159. 

  160.         self.ip_allowlist = IPSet([self.allowed_ip.decode()])

  161.         self.ip_blocklist = IPSet(["5.0.0.0/8"])

  162. 

  163.     def test_reactor(self) -> None:

  164.         """Apply the blocklisting reactor and ensure it properly blocks connections to particular domains and IPs."""

  165.         agent = Agent(

  166.             BlocklistingReactorWrapper(

  167.                 self.reactor,

  168.                 ip_allowlist=self.ip_allowlist,

  169.                 ip_blocklist=self.ip_blocklist,

  170.             ),

  171.         )

  172. 

  173.         # The unsafe domains and IPs should be rejected.

  174.         for domain in (self.unsafe_domain, self.unsafe_ip):

  175.             self.failureResultOf(

  176.                 agent.request(b"GET", b"http://" + domain), DNSLookupError

  177.             )

  178. 

  179.         # The safe domains IPs should be accepted.

  180.         for domain in (

  181.             self.safe_domain,

  182.             self.allowed_domain,

  183.             self.safe_ip,

  184.             self.allowed_ip,

  185.         ):

  186.             d = agent.request(b"GET", b"http://" + domain)

  187. 

  188.             # Grab the latest TCP connection.

  189.             (

  190.                 host,

  191.                 port,

  192.                 client_factory,

  193.                 _timeout,

  194.                 _bindAddress,

  195.             ) = self.reactor.tcpClients[-1]

  196. 

  197.             # Make the connection and pump data through it.

  198.             client = client_factory.buildProtocol(None)

  199.             server = AccumulatingProtocol()

  200.             server.makeConnection(FakeTransport(client, self.reactor))

  201.             client.makeConnection(FakeTransport(server, self.reactor))

  202.             client.dataReceived(

  203.                 b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\nContent-Type: text/html\r\n\r\n"

  204.             )

  205. 

  206.             response = self.successResultOf(d)

  207.             self.assertEqual(response.code, 200)

  208. 

  209.     def test_agent(self) -> None:

  210.         """Apply the blocklisting agent and ensure it properly blocks connections to particular IPs."""

  211.         agent = BlocklistingAgentWrapper(

  212.             Agent(self.reactor),

  213.             ip_blocklist=self.ip_blocklist,

  214.             ip_allowlist=self.ip_allowlist,

  215.         )

  216. 

  217.         # The unsafe IPs should be rejected.

  218.         self.failureResultOf(

  219.             agent.request(b"GET", b"http://" + self.unsafe_ip), SynapseError

  220.         )

  221. 

  222.         # The safe and unsafe domains and safe IPs should be accepted.

  223.         for domain in (

  224.             self.safe_domain,

  225.             self.unsafe_domain,

  226.             self.allowed_domain,

  227.             self.safe_ip,

  228.             self.allowed_ip,

  229.         ):

  230.             d = agent.request(b"GET", b"http://" + domain)

  231. 

  232.             # Grab the latest TCP connection.

  233.             (

  234.                 host,

  235.                 port,

  236.                 client_factory,

  237.                 _timeout,

  238.                 _bindAddress,

  239.             ) = self.reactor.tcpClients[-1]

  240. 

  241.             # Make the connection and pump data through it.

  242.             client = client_factory.buildProtocol(None)

  243.             server = AccumulatingProtocol()

  244.             server.makeConnection(FakeTransport(client, self.reactor))

  245.             client.makeConnection(FakeTransport(server, self.reactor))

  246.             client.dataReceived(

  247.                 b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\nContent-Type: text/html\r\n\r\n"

  248.             )

  249. 

  250.             response = self.successResultOf(d)

  251.             self.assertEqual(response.code, 200)