gitlord
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
22225 Commits
842 Branches
432 MiB
 
 
 
 
 
 
Tree: 42aea0d8af
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '42aea0d8af'
${ noResults }
synapse/tests/handlers/test_saml.py

376 lines
13 KiB
Raw Blame History 

  1. #  Copyright 2020 The Matrix.org Foundation C.I.C.

  2. #

  3. #  Licensed under the Apache License, Version 2.0 (the "License");

  4. #  you may not use this file except in compliance with the License.

  5. #  You may obtain a copy of the License at

  6. #

  7. #      http://www.apache.org/licenses/LICENSE-2.0

  8. #

  9. #  Unless required by applicable law or agreed to in writing, software

  10. #  distributed under the License is distributed on an "AS IS" BASIS,

  11. #  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  12. #  See the License for the specific language governing permissions and

  13. #  limitations under the License.

  14. 

  15. from typing import Any, Dict, Optional, Set, Tuple

  16. from unittest.mock import Mock

  17. 

  18. import attr

  19. 

  20. from twisted.test.proto_helpers import MemoryReactor

  21. 

  22. from synapse.api.errors import RedirectException

  23. from synapse.module_api import ModuleApi

  24. from synapse.server import HomeServer

  25. from synapse.types import JsonDict

  26. from synapse.util import Clock

  27. 

  28. from tests.test_utils import simple_async_mock

  29. from tests.unittest import HomeserverTestCase, override_config

  30. 

  31. # Check if we have the dependencies to run the tests.

  32. try:

  33.     import saml2.config

  34.     import saml2.response

  35.     from saml2.sigver import SigverError

  36. 

  37.     has_saml2 = True

  38. 

  39.     # pysaml2 can be installed and imported, but might not be able to find xmlsec1.

  40.     config = saml2.config.SPConfig()

  41.     try:

  42.         config.load({"metadata": {}})

  43.         has_xmlsec1 = True

  44.     except SigverError:

  45.         has_xmlsec1 = False

  46. except ImportError:

  47.     has_saml2 = False

  48.     has_xmlsec1 = False

  49. 

  50. # These are a few constants that are used as config parameters in the tests.

  51. BASE_URL = "https://synapse/"

  52. 

  53. 

  54. @attr.s

  55. class FakeAuthnResponse:

  56.     ava = attr.ib(type=dict)

  57.     assertions = attr.ib(type=list, factory=list)

  58.     in_response_to = attr.ib(type=Optional[str], default=None)

  59. 

  60. 

  61. class TestMappingProvider:

  62.     def __init__(self, config: None, module: ModuleApi):

  63.         pass

  64. 

  65.     @staticmethod

  66.     def parse_config(config: JsonDict) -> None:

  67.         return None

  68. 

  69.     @staticmethod

  70.     def get_saml_attributes(config: None) -> Tuple[Set[str], Set[str]]:

  71.         return {"uid"}, {"displayName"}

  72. 

  73.     def get_remote_user_id(

  74.         self, saml_response: "saml2.response.AuthnResponse", client_redirect_url: str

  75.     ) -> str:

  76.         return saml_response.ava["uid"]

  77. 

  78.     def saml_response_to_user_attributes(

  79.         self,

  80.         saml_response: "saml2.response.AuthnResponse",

  81.         failures: int,

  82.         client_redirect_url: str,

  83.     ) -> dict:

  84.         localpart = saml_response.ava["username"] + (str(failures) if failures else "")

  85.         return {"mxid_localpart": localpart, "displayname": None}

  86. 

  87. 

  88. class TestRedirectMappingProvider(TestMappingProvider):

  89.     def saml_response_to_user_attributes(

  90.         self,

  91.         saml_response: "saml2.response.AuthnResponse",

  92.         failures: int,

  93.         client_redirect_url: str,

  94.     ) -> dict:

  95.         raise RedirectException(b"https://custom-saml-redirect/")

  96. 

  97. 

  98. class SamlHandlerTestCase(HomeserverTestCase):

  99.     def default_config(self) -> Dict[str, Any]:

  100.         config = super().default_config()

  101.         config["public_baseurl"] = BASE_URL

  102.         saml_config: Dict[str, Any] = {

  103.             "sp_config": {"metadata": {}},

  104.             # Disable grandfathering.

  105.             "grandfathered_mxid_source_attribute": None,

  106.             "user_mapping_provider": {"module": __name__ + ".TestMappingProvider"},

  107.         }

  108. 

  109.         # Update this config with what's in the default config so that

  110.         # override_config works as expected.

  111.         saml_config.update(config.get("saml2_config", {}))

  112.         config["saml2_config"] = saml_config

  113. 

  114.         return config

  115. 

  116.     def make_homeserver(self, reactor: MemoryReactor, clock: Clock) -> HomeServer:

  117.         hs = self.setup_test_homeserver()

  118. 

  119.         self.handler = hs.get_saml_handler()

  120. 

  121.         # Reduce the number of attempts when generating MXIDs.

  122.         sso_handler = hs.get_sso_handler()

  123.         sso_handler._MAP_USERNAME_RETRIES = 3

  124. 

  125.         return hs

  126. 

  127.     if not has_saml2:

  128.         skip = "Requires pysaml2"

  129.     elif not has_xmlsec1:

  130.         skip = "Requires xmlsec1"

  131. 

  132.     def test_map_saml_response_to_user(self) -> None:

  133.         """Ensure that mapping the SAML response returned from a provider to an MXID works properly."""

  134. 

  135.         # stub out the auth handler

  136.         auth_handler = self.hs.get_auth_handler()

  137.         auth_handler.complete_sso_login = simple_async_mock()  # type: ignore[assignment]

  138. 

  139.         # send a mocked-up SAML response to the callback

  140.         saml_response = FakeAuthnResponse({"uid": "test_user", "username": "test_user"})

  141.         request = _mock_request()

  142.         self.get_success(

  143.             self.handler._handle_authn_response(request, saml_response, "redirect_uri")

  144.         )

  145. 

  146.         # check that the auth handler got called as expected

  147.         auth_handler.complete_sso_login.assert_called_once_with(

  148.             "@test_user:test",

  149.             "saml",

  150.             request,

  151.             "redirect_uri",

  152.             None,

  153.             new_user=True,

  154.             auth_provider_session_id=None,

  155.         )

  156. 

  157.     @override_config({"saml2_config": {"grandfathered_mxid_source_attribute": "mxid"}})

  158.     def test_map_saml_response_to_existing_user(self) -> None:

  159.         """Existing users can log in with SAML account."""

  160.         store = self.hs.get_datastores().main

  161.         self.get_success(

  162.             store.register_user(user_id="@test_user:test", password_hash=None)

  163.         )

  164. 

  165.         # stub out the auth handler

  166.         auth_handler = self.hs.get_auth_handler()

  167.         auth_handler.complete_sso_login = simple_async_mock()  # type: ignore[assignment]

  168. 

  169.         # Map a user via SSO.

  170.         saml_response = FakeAuthnResponse(

  171.             {"uid": "tester", "mxid": ["test_user"], "username": "test_user"}

  172.         )

  173.         request = _mock_request()

  174.         self.get_success(

  175.             self.handler._handle_authn_response(request, saml_response, "")

  176.         )

  177. 

  178.         # check that the auth handler got called as expected

  179.         auth_handler.complete_sso_login.assert_called_once_with(

  180.             "@test_user:test",

  181.             "saml",

  182.             request,

  183.             "",

  184.             None,

  185.             new_user=False,

  186.             auth_provider_session_id=None,

  187.         )

  188. 

  189.         # Subsequent calls should map to the same mxid.

  190.         auth_handler.complete_sso_login.reset_mock()

  191.         self.get_success(

  192.             self.handler._handle_authn_response(request, saml_response, "")

  193.         )

  194.         auth_handler.complete_sso_login.assert_called_once_with(

  195.             "@test_user:test",

  196.             "saml",

  197.             request,

  198.             "",

  199.             None,

  200.             new_user=False,

  201.             auth_provider_session_id=None,

  202.         )

  203. 

  204.     def test_map_saml_response_to_invalid_localpart(self) -> None:

  205.         """If the mapping provider generates an invalid localpart it should be rejected."""

  206. 

  207.         # stub out the auth handler

  208.         auth_handler = self.hs.get_auth_handler()

  209.         auth_handler.complete_sso_login = simple_async_mock()  # type: ignore[assignment]

  210. 

  211.         # mock out the error renderer too

  212.         sso_handler = self.hs.get_sso_handler()

  213.         sso_handler.render_error = Mock(return_value=None)  # type: ignore[assignment]

  214. 

  215.         saml_response = FakeAuthnResponse({"uid": "test", "username": "föö"})

  216.         request = _mock_request()

  217.         self.get_success(

  218.             self.handler._handle_authn_response(request, saml_response, ""),

  219.         )

  220.         sso_handler.render_error.assert_called_once_with(

  221.             request, "mapping_error", "localpart is invalid: föö"

  222.         )

  223.         auth_handler.complete_sso_login.assert_not_called()

  224. 

  225.     def test_map_saml_response_to_user_retries(self) -> None:

  226.         """The mapping provider can retry generating an MXID if the MXID is already in use."""

  227. 

  228.         # stub out the auth handler and error renderer

  229.         auth_handler = self.hs.get_auth_handler()

  230.         auth_handler.complete_sso_login = simple_async_mock()  # type: ignore[assignment]

  231.         sso_handler = self.hs.get_sso_handler()

  232.         sso_handler.render_error = Mock(return_value=None)  # type: ignore[assignment]

  233. 

  234.         # register a user to occupy the first-choice MXID

  235.         store = self.hs.get_datastores().main

  236.         self.get_success(

  237.             store.register_user(user_id="@test_user:test", password_hash=None)

  238.         )

  239. 

  240.         # send the fake SAML response

  241.         saml_response = FakeAuthnResponse({"uid": "test", "username": "test_user"})

  242.         request = _mock_request()

  243.         self.get_success(

  244.             self.handler._handle_authn_response(request, saml_response, ""),

  245.         )

  246. 

  247.         # test_user is already taken, so test_user1 gets registered instead.

  248.         auth_handler.complete_sso_login.assert_called_once_with(

  249.             "@test_user1:test",

  250.             "saml",

  251.             request,

  252.             "",

  253.             None,

  254.             new_user=True,

  255.             auth_provider_session_id=None,

  256.         )

  257.         auth_handler.complete_sso_login.reset_mock()

  258. 

  259.         # Register all of the potential mxids for a particular SAML username.

  260.         self.get_success(

  261.             store.register_user(user_id="@tester:test", password_hash=None)

  262.         )

  263.         for i in range(1, 3):

  264.             self.get_success(

  265.                 store.register_user(user_id="@tester%d:test" % i, password_hash=None)

  266.             )

  267. 

  268.         # Now attempt to map to a username, this will fail since all potential usernames are taken.

  269.         saml_response = FakeAuthnResponse({"uid": "tester", "username": "tester"})

  270.         self.get_success(

  271.             self.handler._handle_authn_response(request, saml_response, ""),

  272.         )

  273.         sso_handler.render_error.assert_called_once_with(

  274.             request,

  275.             "mapping_error",

  276.             "Unable to generate a Matrix ID from the SSO response",

  277.         )

  278.         auth_handler.complete_sso_login.assert_not_called()

  279. 

  280.     @override_config(

  281.         {

  282.             "saml2_config": {

  283.                 "user_mapping_provider": {

  284.                     "module": __name__ + ".TestRedirectMappingProvider"

  285.                 },

  286.             }

  287.         }

  288.     )

  289.     def test_map_saml_response_redirect(self) -> None:

  290.         """Test a mapping provider that raises a RedirectException"""

  291. 

  292.         saml_response = FakeAuthnResponse({"uid": "test", "username": "test_user"})

  293.         request = _mock_request()

  294.         e = self.get_failure(

  295.             self.handler._handle_authn_response(request, saml_response, ""),

  296.             RedirectException,

  297.         )

  298.         self.assertEqual(e.value.location, b"https://custom-saml-redirect/")

  299. 

  300.     @override_config(

  301.         {

  302.             "saml2_config": {

  303.                 "attribute_requirements": [

  304.                     {"attribute": "userGroup", "value": "staff"},

  305.                     {"attribute": "department", "value": "sales"},

  306.                 ],

  307.             },

  308.         }

  309.     )

  310.     def test_attribute_requirements(self) -> None:

  311.         """The required attributes must be met from the SAML response."""

  312. 

  313.         # stub out the auth handler

  314.         auth_handler = self.hs.get_auth_handler()

  315.         auth_handler.complete_sso_login = simple_async_mock()  # type: ignore[assignment]

  316. 

  317.         # The response doesn't have the proper userGroup or department.

  318.         saml_response = FakeAuthnResponse({"uid": "test_user", "username": "test_user"})

  319.         request = _mock_request()

  320.         self.get_success(

  321.             self.handler._handle_authn_response(request, saml_response, "redirect_uri")

  322.         )

  323.         auth_handler.complete_sso_login.assert_not_called()

  324. 

  325.         # The response doesn't have the proper department.

  326.         saml_response = FakeAuthnResponse(

  327.             {"uid": "test_user", "username": "test_user", "userGroup": ["staff"]}

  328.         )

  329.         request = _mock_request()

  330.         self.get_success(

  331.             self.handler._handle_authn_response(request, saml_response, "redirect_uri")

  332.         )

  333.         auth_handler.complete_sso_login.assert_not_called()

  334. 

  335.         # Add the proper attributes and it should succeed.

  336.         saml_response = FakeAuthnResponse(

  337.             {

  338.                 "uid": "test_user",

  339.                 "username": "test_user",

  340.                 "userGroup": ["staff", "admin"],

  341.                 "department": ["sales"],

  342.             }

  343.         )

  344.         request.reset_mock()

  345.         self.get_success(

  346.             self.handler._handle_authn_response(request, saml_response, "redirect_uri")

  347.         )

  348. 

  349.         # check that the auth handler got called as expected

  350.         auth_handler.complete_sso_login.assert_called_once_with(

  351.             "@test_user:test",

  352.             "saml",

  353.             request,

  354.             "redirect_uri",

  355.             None,

  356.             new_user=True,

  357.             auth_provider_session_id=None,

  358.         )

  359. 

  360. 

  361. def _mock_request() -> Mock:

  362.     """Returns a mock which will stand in as a SynapseRequest"""

  363.     mock = Mock(

  364.         spec=[

  365.             "finish",

  366.             "getClientAddress",

  367.             "getHeader",

  368.             "setHeader",

  369.             "setResponseCode",

  370.             "write",

  371.         ]

  372.     )

  373.     # `_disconnected` musn't be another `Mock`, otherwise it will be truthy.

  374.     mock._disconnected = False

  375.     return mock