gitlord
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
22225 Commits
842 Branches
432 MiB
 
 
 
 
 
 
Tree: 42aea0d8af
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '42aea0d8af'
${ noResults }
synapse/tests/handlers/test_e2e_keys.py

944 lines
36 KiB
Raw Blame History 

  1. # Copyright 2016 OpenMarket Ltd

  2. # Copyright 2019 New Vector Ltd

  3. # Copyright 2019 The Matrix.org Foundation C.I.C.

  4. #

  5. # Licensed under the Apache License, Version 2.0 (the "License");

  6. # you may not use this file except in compliance with the License.

  7. # You may obtain a copy of the License at

  8. #

  9. #     http://www.apache.org/licenses/LICENSE-2.0

  10. #

  11. # Unless required by applicable law or agreed to in writing, software

  12. # distributed under the License is distributed on an "AS IS" BASIS,

  13. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. # See the License for the specific language governing permissions and

  15. # limitations under the License.

  16. from typing import Iterable

  17. from unittest import mock

  18. 

  19. from parameterized import parameterized

  20. from signedjson import key as key, sign as sign

  21. 

  22. from twisted.test.proto_helpers import MemoryReactor

  23. 

  24. from synapse.api.constants import RoomEncryptionAlgorithms

  25. from synapse.api.errors import Codes, SynapseError

  26. from synapse.handlers.device import DeviceHandler

  27. from synapse.server import HomeServer

  28. from synapse.types import JsonDict

  29. from synapse.util import Clock

  30. 

  31. from tests import unittest

  32. from tests.test_utils import make_awaitable

  33. 

  34. 

  35. class E2eKeysHandlerTestCase(unittest.HomeserverTestCase):

  36.     def make_homeserver(self, reactor: MemoryReactor, clock: Clock) -> HomeServer:

  37.         return self.setup_test_homeserver(federation_client=mock.Mock())

  38. 

  39.     def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:

  40.         self.handler = hs.get_e2e_keys_handler()

  41.         self.store = self.hs.get_datastores().main

  42. 

  43.     def test_query_local_devices_no_devices(self) -> None:

  44.         """If the user has no devices, we expect an empty list."""

  45.         local_user = "@boris:" + self.hs.hostname

  46.         res = self.get_success(self.handler.query_local_devices({local_user: None}))

  47.         self.assertDictEqual(res, {local_user: {}})

  48. 

  49.     def test_reupload_one_time_keys(self) -> None:

  50.         """we should be able to re-upload the same keys"""

  51.         local_user = "@boris:" + self.hs.hostname

  52.         device_id = "xyz"

  53.         keys: JsonDict = {

  54.             "alg1:k1": "key1",

  55.             "alg2:k2": {"key": "key2", "signatures": {"k1": "sig1"}},

  56.             "alg2:k3": {"key": "key3"},

  57.         }

  58. 

  59.         # Note that "signed_curve25519" is always returned in key count responses. This is necessary until

  60.         # https://github.com/matrix-org/matrix-doc/issues/3298 is fixed.

  61.         res = self.get_success(

  62.             self.handler.upload_keys_for_user(

  63.                 local_user, device_id, {"one_time_keys": keys}

  64.             )

  65.         )

  66.         self.assertDictEqual(

  67.             res, {"one_time_key_counts": {"alg1": 1, "alg2": 2, "signed_curve25519": 0}}

  68.         )

  69. 

  70.         # we should be able to change the signature without a problem

  71.         keys["alg2:k2"]["signatures"]["k1"] = "sig2"

  72.         res = self.get_success(

  73.             self.handler.upload_keys_for_user(

  74.                 local_user, device_id, {"one_time_keys": keys}

  75.             )

  76.         )

  77.         self.assertDictEqual(

  78.             res, {"one_time_key_counts": {"alg1": 1, "alg2": 2, "signed_curve25519": 0}}

  79.         )

  80. 

  81.     def test_change_one_time_keys(self) -> None:

  82.         """attempts to change one-time-keys should be rejected"""

  83. 

  84.         local_user = "@boris:" + self.hs.hostname

  85.         device_id = "xyz"

  86.         keys = {

  87.             "alg1:k1": "key1",

  88.             "alg2:k2": {"key": "key2", "signatures": {"k1": "sig1"}},

  89.             "alg2:k3": {"key": "key3"},

  90.         }

  91. 

  92.         res = self.get_success(

  93.             self.handler.upload_keys_for_user(

  94.                 local_user, device_id, {"one_time_keys": keys}

  95.             )

  96.         )

  97.         self.assertDictEqual(

  98.             res, {"one_time_key_counts": {"alg1": 1, "alg2": 2, "signed_curve25519": 0}}

  99.         )

  100. 

  101.         # Error when changing string key

  102.         self.get_failure(

  103.             self.handler.upload_keys_for_user(

  104.                 local_user, device_id, {"one_time_keys": {"alg1:k1": "key2"}}

  105.             ),

  106.             SynapseError,

  107.         )

  108. 

  109.         # Error when replacing dict key with string

  110.         self.get_failure(

  111.             self.handler.upload_keys_for_user(

  112.                 local_user, device_id, {"one_time_keys": {"alg2:k3": "key2"}}

  113.             ),

  114.             SynapseError,

  115.         )

  116. 

  117.         # Error when replacing string key with dict

  118.         self.get_failure(

  119.             self.handler.upload_keys_for_user(

  120.                 local_user,

  121.                 device_id,

  122.                 {"one_time_keys": {"alg1:k1": {"key": "key"}}},

  123.             ),

  124.             SynapseError,

  125.         )

  126. 

  127.         # Error when replacing dict key

  128.         self.get_failure(

  129.             self.handler.upload_keys_for_user(

  130.                 local_user,

  131.                 device_id,

  132.                 {

  133.                     "one_time_keys": {

  134.                         "alg2:k2": {"key": "key3", "signatures": {"k1": "sig1"}}

  135.                     }

  136.                 },

  137.             ),

  138.             SynapseError,

  139.         )

  140. 

  141.     def test_claim_one_time_key(self) -> None:

  142.         local_user = "@boris:" + self.hs.hostname

  143.         device_id = "xyz"

  144.         keys = {"alg1:k1": "key1"}

  145. 

  146.         res = self.get_success(

  147.             self.handler.upload_keys_for_user(

  148.                 local_user, device_id, {"one_time_keys": keys}

  149.             )

  150.         )

  151.         self.assertDictEqual(

  152.             res, {"one_time_key_counts": {"alg1": 1, "signed_curve25519": 0}}

  153.         )

  154. 

  155.         res2 = self.get_success(

  156.             self.handler.claim_one_time_keys(

  157.                 {"one_time_keys": {local_user: {device_id: "alg1"}}}, timeout=None

  158.             )

  159.         )

  160.         self.assertEqual(

  161.             res2,

  162.             {

  163.                 "failures": {},

  164.                 "one_time_keys": {local_user: {device_id: {"alg1:k1": "key1"}}},

  165.             },

  166.         )

  167. 

  168.     def test_fallback_key(self) -> None:

  169.         local_user = "@boris:" + self.hs.hostname

  170.         device_id = "xyz"

  171.         fallback_key = {"alg1:k1": "fallback_key1"}

  172.         fallback_key2 = {"alg1:k2": "fallback_key2"}

  173.         fallback_key3 = {"alg1:k2": "fallback_key3"}

  174.         otk = {"alg1:k2": "key2"}

  175. 

  176.         # we shouldn't have any unused fallback keys yet

  177.         res = self.get_success(

  178.             self.store.get_e2e_unused_fallback_key_types(local_user, device_id)

  179.         )

  180.         self.assertEqual(res, [])

  181. 

  182.         self.get_success(

  183.             self.handler.upload_keys_for_user(

  184.                 local_user,

  185.                 device_id,

  186.                 {"fallback_keys": fallback_key},

  187.             )

  188.         )

  189. 

  190.         # we should now have an unused alg1 key

  191.         fallback_res = self.get_success(

  192.             self.store.get_e2e_unused_fallback_key_types(local_user, device_id)

  193.         )

  194.         self.assertEqual(fallback_res, ["alg1"])

  195. 

  196.         # claiming an OTK when no OTKs are available should return the fallback

  197.         # key

  198.         claim_res = self.get_success(

  199.             self.handler.claim_one_time_keys(

  200.                 {"one_time_keys": {local_user: {device_id: "alg1"}}}, timeout=None

  201.             )

  202.         )

  203.         self.assertEqual(

  204.             claim_res,

  205.             {"failures": {}, "one_time_keys": {local_user: {device_id: fallback_key}}},

  206.         )

  207. 

  208.         # we shouldn't have any unused fallback keys again

  209.         unused_res = self.get_success(

  210.             self.store.get_e2e_unused_fallback_key_types(local_user, device_id)

  211.         )

  212.         self.assertEqual(unused_res, [])

  213. 

  214.         # claiming an OTK again should return the same fallback key

  215.         claim_res = self.get_success(

  216.             self.handler.claim_one_time_keys(

  217.                 {"one_time_keys": {local_user: {device_id: "alg1"}}}, timeout=None

  218.             )

  219.         )

  220.         self.assertEqual(

  221.             claim_res,

  222.             {"failures": {}, "one_time_keys": {local_user: {device_id: fallback_key}}},

  223.         )

  224. 

  225.         # re-uploading the same fallback key should still result in no unused fallback

  226.         # keys

  227.         self.get_success(

  228.             self.handler.upload_keys_for_user(

  229.                 local_user,

  230.                 device_id,

  231.                 {"fallback_keys": fallback_key},

  232.             )

  233.         )

  234. 

  235.         unused_res = self.get_success(

  236.             self.store.get_e2e_unused_fallback_key_types(local_user, device_id)

  237.         )

  238.         self.assertEqual(unused_res, [])

  239. 

  240.         # uploading a new fallback key should result in an unused fallback key

  241.         self.get_success(

  242.             self.handler.upload_keys_for_user(

  243.                 local_user,

  244.                 device_id,

  245.                 {"fallback_keys": fallback_key2},

  246.             )

  247.         )

  248. 

  249.         unused_res = self.get_success(

  250.             self.store.get_e2e_unused_fallback_key_types(local_user, device_id)

  251.         )

  252.         self.assertEqual(unused_res, ["alg1"])

  253. 

  254.         # if the user uploads a one-time key, the next claim should fetch the

  255.         # one-time key, and then go back to the fallback

  256.         self.get_success(

  257.             self.handler.upload_keys_for_user(

  258.                 local_user, device_id, {"one_time_keys": otk}

  259.             )

  260.         )

  261. 

  262.         claim_res = self.get_success(

  263.             self.handler.claim_one_time_keys(

  264.                 {"one_time_keys": {local_user: {device_id: "alg1"}}}, timeout=None

  265.             )

  266.         )

  267.         self.assertEqual(

  268.             claim_res,

  269.             {"failures": {}, "one_time_keys": {local_user: {device_id: otk}}},

  270.         )

  271. 

  272.         claim_res = self.get_success(

  273.             self.handler.claim_one_time_keys(

  274.                 {"one_time_keys": {local_user: {device_id: "alg1"}}}, timeout=None

  275.             )

  276.         )

  277.         self.assertEqual(

  278.             claim_res,

  279.             {"failures": {}, "one_time_keys": {local_user: {device_id: fallback_key2}}},

  280.         )

  281. 

  282.         # using the unstable prefix should also set the fallback key

  283.         self.get_success(

  284.             self.handler.upload_keys_for_user(

  285.                 local_user,

  286.                 device_id,

  287.                 {"org.matrix.msc2732.fallback_keys": fallback_key3},

  288.             )

  289.         )

  290. 

  291.         claim_res = self.get_success(

  292.             self.handler.claim_one_time_keys(

  293.                 {"one_time_keys": {local_user: {device_id: "alg1"}}}, timeout=None

  294.             )

  295.         )

  296.         self.assertEqual(

  297.             claim_res,

  298.             {"failures": {}, "one_time_keys": {local_user: {device_id: fallback_key3}}},

  299.         )

  300. 

  301.     def test_replace_master_key(self) -> None:

  302.         """uploading a new signing key should make the old signing key unavailable"""

  303.         local_user = "@boris:" + self.hs.hostname

  304.         keys1 = {

  305.             "master_key": {

  306.                 # private key: 2lonYOM6xYKdEsO+6KrC766xBcHnYnim1x/4LFGF8B0

  307.                 "user_id": local_user,

  308.                 "usage": ["master"],

  309.                 "keys": {

  310.                     "ed25519:nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk": "nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk"

  311.                 },

  312.             }

  313.         }

  314.         self.get_success(self.handler.upload_signing_keys_for_user(local_user, keys1))

  315. 

  316.         keys2 = {

  317.             "master_key": {

  318.                 # private key: 4TL4AjRYwDVwD3pqQzcor+ez/euOB1/q78aTJ+czDNs

  319.                 "user_id": local_user,

  320.                 "usage": ["master"],

  321.                 "keys": {

  322.                     "ed25519:Hq6gL+utB4ET+UvD5ci0kgAwsX6qP/zvf8v6OInU5iw": "Hq6gL+utB4ET+UvD5ci0kgAwsX6qP/zvf8v6OInU5iw"

  323.                 },

  324.             }

  325.         }

  326.         self.get_success(self.handler.upload_signing_keys_for_user(local_user, keys2))

  327. 

  328.         devices = self.get_success(

  329.             self.handler.query_devices(

  330.                 {"device_keys": {local_user: []}}, 0, local_user, "device123"

  331.             )

  332.         )

  333.         self.assertDictEqual(devices["master_keys"], {local_user: keys2["master_key"]})

  334. 

  335.     def test_reupload_signatures(self) -> None:

  336.         """re-uploading a signature should not fail"""

  337.         local_user = "@boris:" + self.hs.hostname

  338.         keys1 = {

  339.             "master_key": {

  340.                 # private key: HvQBbU+hc2Zr+JP1sE0XwBe1pfZZEYtJNPJLZJtS+F8

  341.                 "user_id": local_user,

  342.                 "usage": ["master"],

  343.                 "keys": {

  344.                     "ed25519:EmkqvokUn8p+vQAGZitOk4PWjp7Ukp3txV2TbMPEiBQ": "EmkqvokUn8p+vQAGZitOk4PWjp7Ukp3txV2TbMPEiBQ"

  345.                 },

  346.             },

  347.             "self_signing_key": {

  348.                 # private key: 2lonYOM6xYKdEsO+6KrC766xBcHnYnim1x/4LFGF8B0

  349.                 "user_id": local_user,

  350.                 "usage": ["self_signing"],

  351.                 "keys": {

  352.                     "ed25519:nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk": "nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk"

  353.                 },

  354.             },

  355.         }

  356.         master_signing_key = key.decode_signing_key_base64(

  357.             "ed25519",

  358.             "EmkqvokUn8p+vQAGZitOk4PWjp7Ukp3txV2TbMPEiBQ",

  359.             "HvQBbU+hc2Zr+JP1sE0XwBe1pfZZEYtJNPJLZJtS+F8",

  360.         )

  361.         sign.sign_json(keys1["self_signing_key"], local_user, master_signing_key)

  362.         signing_key = key.decode_signing_key_base64(

  363.             "ed25519",

  364.             "nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk",

  365.             "2lonYOM6xYKdEsO+6KrC766xBcHnYnim1x/4LFGF8B0",

  366.         )

  367.         self.get_success(self.handler.upload_signing_keys_for_user(local_user, keys1))

  368. 

  369.         # upload two device keys, which will be signed later by the self-signing key

  370.         device_key_1: JsonDict = {

  371.             "user_id": local_user,

  372.             "device_id": "abc",

  373.             "algorithms": [

  374.                 "m.olm.curve25519-aes-sha2",

  375.                 RoomEncryptionAlgorithms.MEGOLM_V1_AES_SHA2,

  376.             ],

  377.             "keys": {

  378.                 "ed25519:abc": "base64+ed25519+key",

  379.                 "curve25519:abc": "base64+curve25519+key",

  380.             },

  381.             "signatures": {local_user: {"ed25519:abc": "base64+signature"}},

  382.         }

  383.         device_key_2: JsonDict = {

  384.             "user_id": local_user,

  385.             "device_id": "def",

  386.             "algorithms": [

  387.                 "m.olm.curve25519-aes-sha2",

  388.                 RoomEncryptionAlgorithms.MEGOLM_V1_AES_SHA2,

  389.             ],

  390.             "keys": {

  391.                 "ed25519:def": "base64+ed25519+key",

  392.                 "curve25519:def": "base64+curve25519+key",

  393.             },

  394.             "signatures": {local_user: {"ed25519:def": "base64+signature"}},

  395.         }

  396. 

  397.         self.get_success(

  398.             self.handler.upload_keys_for_user(

  399.                 local_user, "abc", {"device_keys": device_key_1}

  400.             )

  401.         )

  402.         self.get_success(

  403.             self.handler.upload_keys_for_user(

  404.                 local_user, "def", {"device_keys": device_key_2}

  405.             )

  406.         )

  407. 

  408.         # sign the first device key and upload it

  409.         del device_key_1["signatures"]

  410.         sign.sign_json(device_key_1, local_user, signing_key)

  411.         self.get_success(

  412.             self.handler.upload_signatures_for_device_keys(

  413.                 local_user, {local_user: {"abc": device_key_1}}

  414.             )

  415.         )

  416. 

  417.         # sign the second device key and upload both device keys.  The server

  418.         # should ignore the first device key since it already has a valid

  419.         # signature for it

  420.         del device_key_2["signatures"]

  421.         sign.sign_json(device_key_2, local_user, signing_key)

  422.         self.get_success(

  423.             self.handler.upload_signatures_for_device_keys(

  424.                 local_user, {local_user: {"abc": device_key_1, "def": device_key_2}}

  425.             )

  426.         )

  427. 

  428.         device_key_1["signatures"][local_user]["ed25519:abc"] = "base64+signature"

  429.         device_key_2["signatures"][local_user]["ed25519:def"] = "base64+signature"

  430.         devices = self.get_success(

  431.             self.handler.query_devices(

  432.                 {"device_keys": {local_user: []}}, 0, local_user, "device123"

  433.             )

  434.         )

  435.         del devices["device_keys"][local_user]["abc"]["unsigned"]

  436.         del devices["device_keys"][local_user]["def"]["unsigned"]

  437.         self.assertDictEqual(devices["device_keys"][local_user]["abc"], device_key_1)

  438.         self.assertDictEqual(devices["device_keys"][local_user]["def"], device_key_2)

  439. 

  440.     def test_self_signing_key_doesnt_show_up_as_device(self) -> None:

  441.         """signing keys should be hidden when fetching a user's devices"""

  442.         local_user = "@boris:" + self.hs.hostname

  443.         keys1 = {

  444.             "master_key": {

  445.                 # private key: 2lonYOM6xYKdEsO+6KrC766xBcHnYnim1x/4LFGF8B0

  446.                 "user_id": local_user,

  447.                 "usage": ["master"],

  448.                 "keys": {

  449.                     "ed25519:nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk": "nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk"

  450.                 },

  451.             }

  452.         }

  453.         self.get_success(self.handler.upload_signing_keys_for_user(local_user, keys1))

  454. 

  455.         device_handler = self.hs.get_device_handler()

  456.         assert isinstance(device_handler, DeviceHandler)

  457.         e = self.get_failure(

  458.             device_handler.check_device_registered(

  459.                 user_id=local_user,

  460.                 device_id="nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk",

  461.                 initial_device_display_name="new display name",

  462.             ),

  463.             SynapseError,

  464.         )

  465.         res = e.value.code

  466.         self.assertEqual(res, 400)

  467. 

  468.         query_res = self.get_success(

  469.             self.handler.query_local_devices({local_user: None})

  470.         )

  471.         self.assertDictEqual(query_res, {local_user: {}})

  472. 

  473.     def test_upload_signatures(self) -> None:

  474.         """should check signatures that are uploaded"""

  475.         # set up a user with cross-signing keys and a device.  This user will

  476.         # try uploading signatures

  477.         local_user = "@boris:" + self.hs.hostname

  478.         device_id = "xyz"

  479.         # private key: OMkooTr76ega06xNvXIGPbgvvxAOzmQncN8VObS7aBA

  480.         device_pubkey = "NnHhnqiMFQkq969szYkooLaBAXW244ZOxgukCvm2ZeY"

  481.         device_key: JsonDict = {

  482.             "user_id": local_user,

  483.             "device_id": device_id,

  484.             "algorithms": [

  485.                 "m.olm.curve25519-aes-sha2",

  486.                 RoomEncryptionAlgorithms.MEGOLM_V1_AES_SHA2,

  487.             ],

  488.             "keys": {"curve25519:xyz": "curve25519+key", "ed25519:xyz": device_pubkey},

  489.             "signatures": {local_user: {"ed25519:xyz": "something"}},

  490.         }

  491.         device_signing_key = key.decode_signing_key_base64(

  492.             "ed25519", "xyz", "OMkooTr76ega06xNvXIGPbgvvxAOzmQncN8VObS7aBA"

  493.         )

  494. 

  495.         self.get_success(

  496.             self.handler.upload_keys_for_user(

  497.                 local_user, device_id, {"device_keys": device_key}

  498.             )

  499.         )

  500. 

  501.         # private key: 2lonYOM6xYKdEsO+6KrC766xBcHnYnim1x/4LFGF8B0

  502.         master_pubkey = "nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk"

  503.         master_key: JsonDict = {

  504.             "user_id": local_user,

  505.             "usage": ["master"],

  506.             "keys": {"ed25519:" + master_pubkey: master_pubkey},

  507.         }

  508.         master_signing_key = key.decode_signing_key_base64(

  509.             "ed25519", master_pubkey, "2lonYOM6xYKdEsO+6KrC766xBcHnYnim1x/4LFGF8B0"

  510.         )

  511.         usersigning_pubkey = "Hq6gL+utB4ET+UvD5ci0kgAwsX6qP/zvf8v6OInU5iw"

  512.         usersigning_key = {

  513.             # private key: 4TL4AjRYwDVwD3pqQzcor+ez/euOB1/q78aTJ+czDNs

  514.             "user_id": local_user,

  515.             "usage": ["user_signing"],

  516.             "keys": {"ed25519:" + usersigning_pubkey: usersigning_pubkey},

  517.         }

  518.         usersigning_signing_key = key.decode_signing_key_base64(

  519.             "ed25519", usersigning_pubkey, "4TL4AjRYwDVwD3pqQzcor+ez/euOB1/q78aTJ+czDNs"

  520.         )

  521.         sign.sign_json(usersigning_key, local_user, master_signing_key)

  522.         # private key: HvQBbU+hc2Zr+JP1sE0XwBe1pfZZEYtJNPJLZJtS+F8

  523.         selfsigning_pubkey = "EmkqvokUn8p+vQAGZitOk4PWjp7Ukp3txV2TbMPEiBQ"

  524.         selfsigning_key = {

  525.             "user_id": local_user,

  526.             "usage": ["self_signing"],

  527.             "keys": {"ed25519:" + selfsigning_pubkey: selfsigning_pubkey},

  528.         }

  529.         selfsigning_signing_key = key.decode_signing_key_base64(

  530.             "ed25519", selfsigning_pubkey, "HvQBbU+hc2Zr+JP1sE0XwBe1pfZZEYtJNPJLZJtS+F8"

  531.         )

  532.         sign.sign_json(selfsigning_key, local_user, master_signing_key)

  533.         cross_signing_keys = {

  534.             "master_key": master_key,

  535.             "user_signing_key": usersigning_key,

  536.             "self_signing_key": selfsigning_key,

  537.         }

  538.         self.get_success(

  539.             self.handler.upload_signing_keys_for_user(local_user, cross_signing_keys)

  540.         )

  541. 

  542.         # set up another user with a master key.  This user will be signed by

  543.         # the first user

  544.         other_user = "@otherboris:" + self.hs.hostname

  545.         other_master_pubkey = "fHZ3NPiKxoLQm5OoZbKa99SYxprOjNs4TwJUKP+twCM"

  546.         other_master_key: JsonDict = {

  547.             # private key: oyw2ZUx0O4GifbfFYM0nQvj9CL0b8B7cyN4FprtK8OI

  548.             "user_id": other_user,

  549.             "usage": ["master"],

  550.             "keys": {"ed25519:" + other_master_pubkey: other_master_pubkey},

  551.         }

  552.         self.get_success(

  553.             self.handler.upload_signing_keys_for_user(

  554.                 other_user, {"master_key": other_master_key}

  555.             )

  556.         )

  557. 

  558.         # test various signature failures (see below)

  559.         ret = self.get_success(

  560.             self.handler.upload_signatures_for_device_keys(

  561.                 local_user,

  562.                 {

  563.                     local_user: {

  564.                         # fails because the signature is invalid

  565.                         # should fail with INVALID_SIGNATURE

  566.                         device_id: {

  567.                             "user_id": local_user,

  568.                             "device_id": device_id,

  569.                             "algorithms": [

  570.                                 "m.olm.curve25519-aes-sha2",

  571.                                 RoomEncryptionAlgorithms.MEGOLM_V1_AES_SHA2,

  572.                             ],

  573.                             "keys": {

  574.                                 "curve25519:xyz": "curve25519+key",

  575.                                 # private key: OMkooTr76ega06xNvXIGPbgvvxAOzmQncN8VObS7aBA

  576.                                 "ed25519:xyz": device_pubkey,

  577.                             },

  578.                             "signatures": {

  579.                                 local_user: {

  580.                                     "ed25519:" + selfsigning_pubkey: "something"

  581.                                 }

  582.                             },

  583.                         },

  584.                         # fails because device is unknown

  585.                         # should fail with NOT_FOUND

  586.                         "unknown": {

  587.                             "user_id": local_user,

  588.                             "device_id": "unknown",

  589.                             "signatures": {

  590.                                 local_user: {

  591.                                     "ed25519:" + selfsigning_pubkey: "something"

  592.                                 }

  593.                             },

  594.                         },

  595.                         # fails because the signature is invalid

  596.                         # should fail with INVALID_SIGNATURE

  597.                         master_pubkey: {

  598.                             "user_id": local_user,

  599.                             "usage": ["master"],

  600.                             "keys": {"ed25519:" + master_pubkey: master_pubkey},

  601.                             "signatures": {

  602.                                 local_user: {"ed25519:" + device_pubkey: "something"}

  603.                             },

  604.                         },

  605.                     },

  606.                     other_user: {

  607.                         # fails because the device is not the user's master-signing key

  608.                         # should fail with NOT_FOUND

  609.                         "unknown": {

  610.                             "user_id": other_user,

  611.                             "device_id": "unknown",

  612.                             "signatures": {

  613.                                 local_user: {

  614.                                     "ed25519:" + usersigning_pubkey: "something"

  615.                                 }

  616.                             },

  617.                         },

  618.                         other_master_pubkey: {

  619.                             # fails because the key doesn't match what the server has

  620.                             # should fail with UNKNOWN

  621.                             "user_id": other_user,

  622.                             "usage": ["master"],

  623.                             "keys": {

  624.                                 "ed25519:" + other_master_pubkey: other_master_pubkey

  625.                             },

  626.                             "something": "random",

  627.                             "signatures": {

  628.                                 local_user: {

  629.                                     "ed25519:" + usersigning_pubkey: "something"

  630.                                 }

  631.                             },

  632.                         },

  633.                     },

  634.                 },

  635.             )

  636.         )

  637. 

  638.         user_failures = ret["failures"][local_user]

  639.         self.assertEqual(user_failures[device_id]["errcode"], Codes.INVALID_SIGNATURE)

  640.         self.assertEqual(

  641.             user_failures[master_pubkey]["errcode"], Codes.INVALID_SIGNATURE

  642.         )

  643.         self.assertEqual(user_failures["unknown"]["errcode"], Codes.NOT_FOUND)

  644. 

  645.         other_user_failures = ret["failures"][other_user]

  646.         self.assertEqual(other_user_failures["unknown"]["errcode"], Codes.NOT_FOUND)

  647.         self.assertEqual(

  648.             other_user_failures[other_master_pubkey]["errcode"], Codes.UNKNOWN

  649.         )

  650. 

  651.         # test successful signatures

  652.         del device_key["signatures"]

  653.         sign.sign_json(device_key, local_user, selfsigning_signing_key)

  654.         sign.sign_json(master_key, local_user, device_signing_key)

  655.         sign.sign_json(other_master_key, local_user, usersigning_signing_key)

  656.         ret = self.get_success(

  657.             self.handler.upload_signatures_for_device_keys(

  658.                 local_user,

  659.                 {

  660.                     local_user: {device_id: device_key, master_pubkey: master_key},

  661.                     other_user: {other_master_pubkey: other_master_key},

  662.                 },

  663.             )

  664.         )

  665. 

  666.         self.assertEqual(ret["failures"], {})

  667. 

  668.         # fetch the signed keys/devices and make sure that the signatures are there

  669.         ret = self.get_success(

  670.             self.handler.query_devices(

  671.                 {"device_keys": {local_user: [], other_user: []}},

  672.                 0,

  673.                 local_user,

  674.                 "device123",

  675.             )

  676.         )

  677. 

  678.         self.assertEqual(

  679.             ret["device_keys"][local_user]["xyz"]["signatures"][local_user][

  680.                 "ed25519:" + selfsigning_pubkey

  681.             ],

  682.             device_key["signatures"][local_user]["ed25519:" + selfsigning_pubkey],

  683.         )

  684.         self.assertEqual(

  685.             ret["master_keys"][local_user]["signatures"][local_user][

  686.                 "ed25519:" + device_id

  687.             ],

  688.             master_key["signatures"][local_user]["ed25519:" + device_id],

  689.         )

  690.         self.assertEqual(

  691.             ret["master_keys"][other_user]["signatures"][local_user][

  692.                 "ed25519:" + usersigning_pubkey

  693.             ],

  694.             other_master_key["signatures"][local_user]["ed25519:" + usersigning_pubkey],

  695.         )

  696. 

  697.     def test_query_devices_remote_no_sync(self) -> None:

  698.         """Tests that querying keys for a remote user that we don't share a room

  699.         with returns the cross signing keys correctly.

  700.         """

  701. 

  702.         remote_user_id = "@test:other"

  703.         local_user_id = "@test:test"

  704. 

  705.         remote_master_key = "85T7JXPFBAySB/jwby4S3lBPTqY3+Zg53nYuGmu1ggY"

  706.         remote_self_signing_key = "QeIiFEjluPBtI7WQdG365QKZcFs9kqmHir6RBD0//nQ"

  707. 

  708.         self.hs.get_federation_client().query_client_keys = mock.Mock(  # type: ignore[assignment]

  709.             return_value=make_awaitable(

  710.                 {

  711.                     "device_keys": {remote_user_id: {}},

  712.                     "master_keys": {

  713.                         remote_user_id: {

  714.                             "user_id": remote_user_id,

  715.                             "usage": ["master"],

  716.                             "keys": {"ed25519:" + remote_master_key: remote_master_key},

  717.                         },

  718.                     },

  719.                     "self_signing_keys": {

  720.                         remote_user_id: {

  721.                             "user_id": remote_user_id,

  722.                             "usage": ["self_signing"],

  723.                             "keys": {

  724.                                 "ed25519:"

  725.                                 + remote_self_signing_key: remote_self_signing_key

  726.                             },

  727.                         }

  728.                     },

  729.                 }

  730.             )

  731.         )

  732. 

  733.         e2e_handler = self.hs.get_e2e_keys_handler()

  734. 

  735.         query_result = self.get_success(

  736.             e2e_handler.query_devices(

  737.                 {

  738.                     "device_keys": {remote_user_id: []},

  739.                 },

  740.                 timeout=10,

  741.                 from_user_id=local_user_id,

  742.                 from_device_id="some_device_id",

  743.             )

  744.         )

  745. 

  746.         self.assertEqual(query_result["failures"], {})

  747.         self.assertEqual(

  748.             query_result["master_keys"],

  749.             {

  750.                 remote_user_id: {

  751.                     "user_id": remote_user_id,

  752.                     "usage": ["master"],

  753.                     "keys": {"ed25519:" + remote_master_key: remote_master_key},

  754.                 },

  755.             },

  756.         )

  757.         self.assertEqual(

  758.             query_result["self_signing_keys"],

  759.             {

  760.                 remote_user_id: {

  761.                     "user_id": remote_user_id,

  762.                     "usage": ["self_signing"],

  763.                     "keys": {

  764.                         "ed25519:" + remote_self_signing_key: remote_self_signing_key

  765.                     },

  766.                 }

  767.             },

  768.         )

  769. 

  770.     def test_query_devices_remote_sync(self) -> None:

  771.         """Tests that querying keys for a remote user that we share a room with,

  772.         but haven't yet fetched the keys for, returns the cross signing keys

  773.         correctly.

  774.         """

  775. 

  776.         remote_user_id = "@test:other"

  777.         local_user_id = "@test:test"

  778. 

  779.         # Pretend we're sharing a room with the user we're querying. If not,

  780.         # `_query_devices_for_destination` will return early.

  781.         self.store.get_rooms_for_user = mock.Mock(

  782.             return_value=make_awaitable({"some_room_id"})

  783.         )

  784. 

  785.         remote_master_key = "85T7JXPFBAySB/jwby4S3lBPTqY3+Zg53nYuGmu1ggY"

  786.         remote_self_signing_key = "QeIiFEjluPBtI7WQdG365QKZcFs9kqmHir6RBD0//nQ"

  787. 

  788.         self.hs.get_federation_client().query_user_devices = mock.Mock(  # type: ignore[assignment]

  789.             return_value=make_awaitable(

  790.                 {

  791.                     "user_id": remote_user_id,

  792.                     "stream_id": 1,

  793.                     "devices": [],

  794.                     "master_key": {

  795.                         "user_id": remote_user_id,

  796.                         "usage": ["master"],

  797.                         "keys": {"ed25519:" + remote_master_key: remote_master_key},

  798.                     },

  799.                     "self_signing_key": {

  800.                         "user_id": remote_user_id,

  801.                         "usage": ["self_signing"],

  802.                         "keys": {

  803.                             "ed25519:"

  804.                             + remote_self_signing_key: remote_self_signing_key

  805.                         },

  806.                     },

  807.                 }

  808.             )

  809.         )

  810. 

  811.         e2e_handler = self.hs.get_e2e_keys_handler()

  812. 

  813.         query_result = self.get_success(

  814.             e2e_handler.query_devices(

  815.                 {

  816.                     "device_keys": {remote_user_id: []},

  817.                 },

  818.                 timeout=10,

  819.                 from_user_id=local_user_id,

  820.                 from_device_id="some_device_id",

  821.             )

  822.         )

  823. 

  824.         self.assertEqual(query_result["failures"], {})

  825.         self.assertEqual(

  826.             query_result["master_keys"],

  827.             {

  828.                 remote_user_id: {

  829.                     "user_id": remote_user_id,

  830.                     "usage": ["master"],

  831.                     "keys": {"ed25519:" + remote_master_key: remote_master_key},

  832.                 }

  833.             },

  834.         )

  835.         self.assertEqual(

  836.             query_result["self_signing_keys"],

  837.             {

  838.                 remote_user_id: {

  839.                     "user_id": remote_user_id,

  840.                     "usage": ["self_signing"],

  841.                     "keys": {

  842.                         "ed25519:" + remote_self_signing_key: remote_self_signing_key

  843.                     },

  844.                 }

  845.             },

  846.         )

  847. 

  848.     @parameterized.expand(

  849.         [

  850.             # The remote homeserver's response indicates that this user has 0/1/2 devices.

  851.             ([],),

  852.             (["device_1"],),

  853.             (["device_1", "device_2"],),

  854.         ]

  855.     )

  856.     def test_query_all_devices_caches_result(self, device_ids: Iterable[str]) -> None:

  857.         """Test that requests for all of a remote user's devices are cached.

  858. 

  859.         We do this by asserting that only one call over federation was made, and that

  860.         the two queries to the local homeserver produce the same response.

  861.         """

  862.         local_user_id = "@test:test"

  863.         remote_user_id = "@test:other"

  864.         request_body: JsonDict = {"device_keys": {remote_user_id: []}}

  865. 

  866.         response_devices = [

  867.             {

  868.                 "device_id": device_id,

  869.                 "keys": {

  870.                     "algorithms": ["dummy"],

  871.                     "device_id": device_id,

  872.                     "keys": {f"dummy:{device_id}": "dummy"},

  873.                     "signatures": {device_id: {f"dummy:{device_id}": "dummy"}},

  874.                     "unsigned": {},

  875.                     "user_id": "@test:other",

  876.                 },

  877.             }

  878.             for device_id in device_ids

  879.         ]

  880. 

  881.         response_body = {

  882.             "devices": response_devices,

  883.             "user_id": remote_user_id,

  884.             "stream_id": 12345,  # an integer, according to the spec

  885.         }

  886. 

  887.         e2e_handler = self.hs.get_e2e_keys_handler()

  888. 

  889.         # Pretend we're sharing a room with the user we're querying. If not,

  890.         # `_query_devices_for_destination` will return early.

  891.         mock_get_rooms = mock.patch.object(

  892.             self.store,

  893.             "get_rooms_for_user",

  894.             new_callable=mock.MagicMock,

  895.             return_value=make_awaitable(["some_room_id"]),

  896.         )

  897.         mock_get_users = mock.patch.object(

  898.             self.store,

  899.             "get_users_server_still_shares_room_with",

  900.             new_callable=mock.MagicMock,

  901.             return_value=make_awaitable({remote_user_id}),

  902.         )

  903.         mock_request = mock.patch.object(

  904.             self.hs.get_federation_client(),

  905.             "query_user_devices",

  906.             new_callable=mock.MagicMock,

  907.             return_value=make_awaitable(response_body),

  908.         )

  909. 

  910.         with mock_get_rooms, mock_get_users, mock_request as mocked_federation_request:

  911.             # Make the first query and sanity check it succeeds.

  912.             response_1 = self.get_success(

  913.                 e2e_handler.query_devices(

  914.                     request_body,

  915.                     timeout=10,

  916.                     from_user_id=local_user_id,

  917.                     from_device_id="some_device_id",

  918.                 )

  919.             )

  920.             self.assertEqual(response_1["failures"], {})

  921. 

  922.             # We should have made a federation request to do so.

  923.             mocked_federation_request.assert_called_once()

  924. 

  925.             # Reset the mock so we can prove we don't make a second federation request.

  926.             mocked_federation_request.reset_mock()

  927. 

  928.             # Repeat the query.

  929.             response_2 = self.get_success(

  930.                 e2e_handler.query_devices(

  931.                     request_body,

  932.                     timeout=10,

  933.                     from_user_id=local_user_id,

  934.                     from_device_id="some_device_id",

  935.                 )

  936.             )

  937.             self.assertEqual(response_2["failures"], {})

  938. 

  939.             # We should not have made a second federation request.

  940.             mocked_federation_request.assert_not_called()

  941. 

  942.             # The two requests to the local homeserver should be identical.

  943.             self.assertEqual(response_1, response_2)