gitlord
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23376 Commits
842 Branches
407 MiB
 
 
 
 
 
 
Tree: 32a59a6495
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '32a59a6495'
${ noResults }
synapse/tests/rest/client/test_keys.py

440 lines
16 KiB
Raw Blame History 

  1. #  Copyright 2021 The Matrix.org Foundation C.I.C.

  2. #

  3. #  Licensed under the Apache License, Version 2.0 (the "License");

  4. #  you may not use this file except in compliance with the License.

  5. #  You may obtain a copy of the License at

  6. #

  7. #      http://www.apache.org/licenses/LICENSE-2.0

  8. #

  9. #  Unless required by applicable law or agreed to in writing, software

  10. #  distributed under the License is distributed on an "AS IS" BASIS,

  11. #  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  12. #  See the License for the specific language governing permissions and

  13. #  limitations under the License

  14. import urllib.parse

  15. from http import HTTPStatus

  16. from unittest.mock import patch

  17. 

  18. from signedjson.key import (

  19.     encode_verify_key_base64,

  20.     generate_signing_key,

  21.     get_verify_key,

  22. )

  23. from signedjson.sign import sign_json

  24. 

  25. from synapse.api.errors import Codes

  26. from synapse.rest import admin

  27. from synapse.rest.client import keys, login

  28. from synapse.types import JsonDict, Requester, create_requester

  29. 

  30. from tests import unittest

  31. from tests.http.server._base import make_request_with_cancellation_test

  32. from tests.unittest import override_config

  33. from tests.utils import HAS_AUTHLIB

  34. 

  35. 

  36. class KeyQueryTestCase(unittest.HomeserverTestCase):

  37.     servlets = [

  38.         keys.register_servlets,

  39.         admin.register_servlets_for_client_rest_resource,

  40.         login.register_servlets,

  41.     ]

  42. 

  43.     def test_rejects_device_id_ice_key_outside_of_list(self) -> None:

  44.         self.register_user("alice", "wonderland")

  45.         alice_token = self.login("alice", "wonderland")

  46.         bob = self.register_user("bob", "uncle")

  47.         channel = self.make_request(

  48.             "POST",

  49.             "/_matrix/client/r0/keys/query",

  50.             {

  51.                 "device_keys": {

  52.                     bob: "device_id1",

  53.                 },

  54.             },

  55.             alice_token,

  56.         )

  57.         self.assertEqual(channel.code, HTTPStatus.BAD_REQUEST, channel.result)

  58.         self.assertEqual(

  59.             channel.json_body["errcode"],

  60.             Codes.BAD_JSON,

  61.             channel.result,

  62.         )

  63. 

  64.     def test_rejects_device_key_given_as_map_to_bool(self) -> None:

  65.         self.register_user("alice", "wonderland")

  66.         alice_token = self.login("alice", "wonderland")

  67.         bob = self.register_user("bob", "uncle")

  68.         channel = self.make_request(

  69.             "POST",

  70.             "/_matrix/client/r0/keys/query",

  71.             {

  72.                 "device_keys": {

  73.                     bob: {

  74.                         "device_id1": True,

  75.                     },

  76.                 },

  77.             },

  78.             alice_token,

  79.         )

  80. 

  81.         self.assertEqual(channel.code, HTTPStatus.BAD_REQUEST, channel.result)

  82.         self.assertEqual(

  83.             channel.json_body["errcode"],

  84.             Codes.BAD_JSON,

  85.             channel.result,

  86.         )

  87. 

  88.     def test_requires_device_key(self) -> None:

  89.         """`device_keys` is required. We should complain if it's missing."""

  90.         self.register_user("alice", "wonderland")

  91.         alice_token = self.login("alice", "wonderland")

  92.         channel = self.make_request(

  93.             "POST",

  94.             "/_matrix/client/r0/keys/query",

  95.             {},

  96.             alice_token,

  97.         )

  98.         self.assertEqual(channel.code, HTTPStatus.BAD_REQUEST, channel.result)

  99.         self.assertEqual(

  100.             channel.json_body["errcode"],

  101.             Codes.BAD_JSON,

  102.             channel.result,

  103.         )

  104. 

  105.     def test_key_query_cancellation(self) -> None:

  106.         """

  107.         Tests that /keys/query is cancellable and does not swallow the

  108.         CancelledError.

  109.         """

  110.         self.register_user("alice", "wonderland")

  111.         alice_token = self.login("alice", "wonderland")

  112. 

  113.         bob = self.register_user("bob", "uncle")

  114. 

  115.         channel = make_request_with_cancellation_test(

  116.             "test_key_query_cancellation",

  117.             self.reactor,

  118.             self.site,

  119.             "POST",

  120.             "/_matrix/client/r0/keys/query",

  121.             {

  122.                 "device_keys": {

  123.                     # Empty list means we request keys for all bob's devices

  124.                     bob: [],

  125.                 },

  126.             },

  127.             token=alice_token,

  128.         )

  129. 

  130.         self.assertEqual(200, channel.code, msg=channel.result["body"])

  131.         self.assertIn(bob, channel.json_body["device_keys"])

  132. 

  133.     def make_device_keys(self, user_id: str, device_id: str) -> JsonDict:

  134.         # We only generate a master key to simplify the test.

  135.         master_signing_key = generate_signing_key(device_id)

  136.         master_verify_key = encode_verify_key_base64(get_verify_key(master_signing_key))

  137. 

  138.         return {

  139.             "master_key": sign_json(

  140.                 {

  141.                     "user_id": user_id,

  142.                     "usage": ["master"],

  143.                     "keys": {"ed25519:" + master_verify_key: master_verify_key},

  144.                 },

  145.                 user_id,

  146.                 master_signing_key,

  147.             ),

  148.         }

  149. 

  150.     def test_device_signing_with_uia(self) -> None:

  151.         """Device signing key upload requires UIA."""

  152.         password = "wonderland"

  153.         device_id = "ABCDEFGHI"

  154.         alice_id = self.register_user("alice", password)

  155.         alice_token = self.login("alice", password, device_id=device_id)

  156. 

  157.         content = self.make_device_keys(alice_id, device_id)

  158. 

  159.         channel = self.make_request(

  160.             "POST",

  161.             "/_matrix/client/v3/keys/device_signing/upload",

  162.             content,

  163.             alice_token,

  164.         )

  165. 

  166.         self.assertEqual(channel.code, HTTPStatus.UNAUTHORIZED, channel.result)

  167.         # Grab the session

  168.         session = channel.json_body["session"]

  169.         # Ensure that flows are what is expected.

  170.         self.assertIn({"stages": ["m.login.password"]}, channel.json_body["flows"])

  171. 

  172.         # add UI auth

  173.         content["auth"] = {

  174.             "type": "m.login.password",

  175.             "identifier": {"type": "m.id.user", "user": alice_id},

  176.             "password": password,

  177.             "session": session,

  178.         }

  179. 

  180.         channel = self.make_request(

  181.             "POST",

  182.             "/_matrix/client/v3/keys/device_signing/upload",

  183.             content,

  184.             alice_token,

  185.         )

  186. 

  187.         self.assertEqual(channel.code, HTTPStatus.OK, channel.result)

  188. 

  189.     @override_config({"ui_auth": {"session_timeout": "15m"}})

  190.     def test_device_signing_with_uia_session_timeout(self) -> None:

  191.         """Device signing key upload requires UIA buy passes with grace period."""

  192.         password = "wonderland"

  193.         device_id = "ABCDEFGHI"

  194.         alice_id = self.register_user("alice", password)

  195.         alice_token = self.login("alice", password, device_id=device_id)

  196. 

  197.         content = self.make_device_keys(alice_id, device_id)

  198. 

  199.         channel = self.make_request(

  200.             "POST",

  201.             "/_matrix/client/v3/keys/device_signing/upload",

  202.             content,

  203.             alice_token,

  204.         )

  205. 

  206.         self.assertEqual(channel.code, HTTPStatus.OK, channel.result)

  207. 

  208.     @override_config(

  209.         {

  210.             "experimental_features": {"msc3967_enabled": True},

  211.             "ui_auth": {"session_timeout": "15s"},

  212.         }

  213.     )

  214.     def test_device_signing_with_msc3967(self) -> None:

  215.         """Device signing key follows MSC3967 behaviour when enabled."""

  216.         password = "wonderland"

  217.         device_id = "ABCDEFGHI"

  218.         alice_id = self.register_user("alice", password)

  219.         alice_token = self.login("alice", password, device_id=device_id)

  220. 

  221.         keys1 = self.make_device_keys(alice_id, device_id)

  222. 

  223.         # Initial request should succeed as no existing keys are present.

  224.         channel = self.make_request(

  225.             "POST",

  226.             "/_matrix/client/v3/keys/device_signing/upload",

  227.             keys1,

  228.             alice_token,

  229.         )

  230.         self.assertEqual(channel.code, HTTPStatus.OK, channel.result)

  231. 

  232.         keys2 = self.make_device_keys(alice_id, device_id)

  233. 

  234.         # Subsequent request should require UIA as keys already exist even though session_timeout is set.

  235.         channel = self.make_request(

  236.             "POST",

  237.             "/_matrix/client/v3/keys/device_signing/upload",

  238.             keys2,

  239.             alice_token,

  240.         )

  241.         self.assertEqual(channel.code, HTTPStatus.UNAUTHORIZED, channel.result)

  242. 

  243.         # Grab the session

  244.         session = channel.json_body["session"]

  245.         # Ensure that flows are what is expected.

  246.         self.assertIn({"stages": ["m.login.password"]}, channel.json_body["flows"])

  247. 

  248.         # add UI auth

  249.         keys2["auth"] = {

  250.             "type": "m.login.password",

  251.             "identifier": {"type": "m.id.user", "user": alice_id},

  252.             "password": password,

  253.             "session": session,

  254.         }

  255. 

  256.         # Request should complete

  257.         channel = self.make_request(

  258.             "POST",

  259.             "/_matrix/client/v3/keys/device_signing/upload",

  260.             keys2,

  261.             alice_token,

  262.         )

  263.         self.assertEqual(channel.code, HTTPStatus.OK, channel.result)

  264. 

  265. 

  266. class SigningKeyUploadServletTestCase(unittest.HomeserverTestCase):

  267.     servlets = [

  268.         admin.register_servlets,

  269.         keys.register_servlets,

  270.     ]

  271. 

  272.     OIDC_ADMIN_TOKEN = "_oidc_admin_token"

  273. 

  274.     @unittest.skip_unless(HAS_AUTHLIB, "requires authlib")

  275.     @override_config(

  276.         {

  277.             "enable_registration": False,

  278.             "experimental_features": {

  279.                 "msc3861": {

  280.                     "enabled": True,

  281.                     "issuer": "https://issuer",

  282.                     "account_management_url": "https://my-account.issuer",

  283.                     "client_id": "id",

  284.                     "client_auth_method": "client_secret_post",

  285.                     "client_secret": "secret",

  286.                     "admin_token": OIDC_ADMIN_TOKEN,

  287.                 },

  288.             },

  289.         }

  290.     )

  291.     def test_master_cross_signing_key_replacement_msc3861(self) -> None:

  292.         # Provision a user like MAS would, cribbing from

  293.         # https://github.com/matrix-org/matrix-authentication-service/blob/08d46a79a4adb22819ac9d55e15f8375dfe2c5c7/crates/matrix-synapse/src/lib.rs#L224-L229

  294.         alice = "@alice:test"

  295.         channel = self.make_request(

  296.             "PUT",

  297.             f"/_synapse/admin/v2/users/{urllib.parse.quote(alice)}",

  298.             access_token=self.OIDC_ADMIN_TOKEN,

  299.             content={},

  300.         )

  301.         self.assertEqual(channel.code, HTTPStatus.CREATED, channel.json_body)

  302. 

  303.         # Provision a device like MAS would, cribbing from

  304.         # https://github.com/matrix-org/matrix-authentication-service/blob/08d46a79a4adb22819ac9d55e15f8375dfe2c5c7/crates/matrix-synapse/src/lib.rs#L260-L262

  305.         alice_device = "alice_device"

  306.         channel = self.make_request(

  307.             "POST",

  308.             f"/_synapse/admin/v2/users/{urllib.parse.quote(alice)}/devices",

  309.             access_token=self.OIDC_ADMIN_TOKEN,

  310.             content={"device_id": alice_device},

  311.         )

  312.         self.assertEqual(channel.code, HTTPStatus.CREATED, channel.json_body)

  313. 

  314.         # Prepare a mock MAS access token.

  315.         alice_token = "alice_token_1234_oidcwhatyoudidthere"

  316. 

  317.         async def mocked_get_user_by_access_token(

  318.             token: str, allow_expired: bool = False

  319.         ) -> Requester:

  320.             self.assertEqual(token, alice_token)

  321.             return create_requester(

  322.                 user_id=alice,

  323.                 device_id=alice_device,

  324.                 scope=[],

  325.                 is_guest=False,

  326.             )

  327. 

  328.         patch_get_user_by_access_token = patch.object(

  329.             self.hs.get_auth(),

  330.             "get_user_by_access_token",

  331.             wraps=mocked_get_user_by_access_token,

  332.         )

  333. 

  334.         # Copied from E2eKeysHandlerTestCase

  335.         master_pubkey = "nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk"

  336.         master_pubkey2 = "fHZ3NPiKxoLQm5OoZbKa99SYxprOjNs4TwJUKP+twCM"

  337.         master_pubkey3 = "85T7JXPFBAySB/jwby4S3lBPTqY3+Zg53nYuGmu1ggY"

  338. 

  339.         master_key: JsonDict = {

  340.             "user_id": alice,

  341.             "usage": ["master"],

  342.             "keys": {"ed25519:" + master_pubkey: master_pubkey},

  343.         }

  344.         master_key2: JsonDict = {

  345.             "user_id": alice,

  346.             "usage": ["master"],

  347.             "keys": {"ed25519:" + master_pubkey2: master_pubkey2},

  348.         }

  349.         master_key3: JsonDict = {

  350.             "user_id": alice,

  351.             "usage": ["master"],

  352.             "keys": {"ed25519:" + master_pubkey3: master_pubkey3},

  353.         }

  354. 

  355.         with patch_get_user_by_access_token:

  356.             # Upload an initial cross-signing key.

  357.             channel = self.make_request(

  358.                 "POST",

  359.                 "/_matrix/client/v3/keys/device_signing/upload",

  360.                 access_token=alice_token,

  361.                 content={

  362.                     "master_key": master_key,

  363.                 },

  364.             )

  365.             self.assertEqual(channel.code, HTTPStatus.OK, channel.json_body)

  366. 

  367.             # Should not be able to upload another master key.

  368.             channel = self.make_request(

  369.                 "POST",

  370.                 "/_matrix/client/v3/keys/device_signing/upload",

  371.                 access_token=alice_token,

  372.                 content={

  373.                     "master_key": master_key2,

  374.                 },

  375.             )

  376.             self.assertEqual(

  377.                 channel.code, HTTPStatus.NOT_IMPLEMENTED, channel.json_body

  378.             )

  379. 

  380.         # Pretend that MAS did UIA and allowed us to replace the master key.

  381.         channel = self.make_request(

  382.             "POST",

  383.             f"/_synapse/admin/v1/users/{urllib.parse.quote(alice)}/_allow_cross_signing_replacement_without_uia",

  384.             access_token=self.OIDC_ADMIN_TOKEN,

  385.         )

  386.         self.assertEqual(HTTPStatus.OK, channel.code, msg=channel.json_body)

  387. 

  388.         with patch_get_user_by_access_token:

  389.             # Should now be able to upload master key2.

  390.             channel = self.make_request(

  391.                 "POST",

  392.                 "/_matrix/client/v3/keys/device_signing/upload",

  393.                 access_token=alice_token,

  394.                 content={

  395.                     "master_key": master_key2,

  396.                 },

  397.             )

  398.             self.assertEqual(channel.code, HTTPStatus.OK, channel.json_body)

  399. 

  400.             # Even though we're still in the grace period, we shouldn't be able to

  401.             # upload master key 3 immediately after uploading key 2.

  402.             channel = self.make_request(

  403.                 "POST",

  404.                 "/_matrix/client/v3/keys/device_signing/upload",

  405.                 access_token=alice_token,

  406.                 content={

  407.                     "master_key": master_key3,

  408.                 },

  409.             )

  410.             self.assertEqual(

  411.                 channel.code, HTTPStatus.NOT_IMPLEMENTED, channel.json_body

  412.             )

  413. 

  414.         # Pretend that MAS did UIA and allowed us to replace the master key.

  415.         channel = self.make_request(

  416.             "POST",

  417.             f"/_synapse/admin/v1/users/{urllib.parse.quote(alice)}/_allow_cross_signing_replacement_without_uia",

  418.             access_token=self.OIDC_ADMIN_TOKEN,

  419.         )

  420.         self.assertEqual(HTTPStatus.OK, channel.code, msg=channel.json_body)

  421.         timestamp_ms = channel.json_body["updatable_without_uia_before_ms"]

  422. 

  423.         # Advance to 1 second after the replacement period ends.

  424.         self.reactor.advance(timestamp_ms - self.clock.time_msec() + 1000)

  425. 

  426.         with patch_get_user_by_access_token:

  427.             # We should not be able to upload master key3 because the replacement has

  428.             # expired.

  429.             channel = self.make_request(

  430.                 "POST",

  431.                 "/_matrix/client/v3/keys/device_signing/upload",

  432.                 access_token=alice_token,

  433.                 content={

  434.                     "master_key": master_key3,

  435.                 },

  436.             )

  437.             self.assertEqual(

  438.                 channel.code, HTTPStatus.NOT_IMPLEMENTED, channel.json_body

  439.             )