gitlord
/
synapse
mirror da https://github.com/matrix-org/synapse.git
1
0
Forka 0
Codice Problemi 0 Rilasci 671 Wiki Attività
Non puoi selezionare più di 25 argomenti Gli argomenti devono iniziare con una lettera o un numero, possono includere trattini ('-') e possono essere lunghi fino a 35 caratteri.
23180 Commit
842 Rami (Branch)
328 MiB
 
 
 
 
 
 
Albero (Tree): 5725712d47
Rami (Branch) Tag
${ item.name }
Crea branch ${ searchTerm }
da '5725712d47'
${ noResults }
synapse/tests/rest/admin/test_admin.py

496 righe
17 KiB
Originale Blame Cronologia 

  1. # Copyright 2018-2021 The Matrix.org Foundation C.I.C.

  2. #

  3. # Licensed under the Apache License, Version 2.0 (the "License");

  4. # you may not use this file except in compliance with the License.

  5. # You may obtain a copy of the License at

  6. #

  7. #     http://www.apache.org/licenses/LICENSE-2.0

  8. #

  9. # Unless required by applicable law or agreed to in writing, software

  10. # distributed under the License is distributed on an "AS IS" BASIS,

  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  12. # See the License for the specific language governing permissions and

  13. # limitations under the License.

  14. 

  15. import urllib.parse

  16. 

  17. from parameterized import parameterized

  18. 

  19. from twisted.test.proto_helpers import MemoryReactor

  20. 

  21. import synapse.rest.admin

  22. from synapse.http.server import JsonResource

  23. from synapse.rest.admin import VersionServlet

  24. from synapse.rest.client import login, room

  25. from synapse.server import HomeServer

  26. from synapse.util import Clock

  27. 

  28. from tests import unittest

  29. from tests.server import FakeSite, make_request

  30. from tests.test_utils import SMALL_PNG

  31. 

  32. 

  33. class VersionTestCase(unittest.HomeserverTestCase):

  34.     url = "/_synapse/admin/v1/server_version"

  35. 

  36.     def create_test_resource(self) -> JsonResource:

  37.         resource = JsonResource(self.hs)

  38.         VersionServlet(self.hs).register(resource)

  39.         return resource

  40. 

  41.     def test_version_string(self) -> None:

  42.         channel = self.make_request("GET", self.url, shorthand=False)

  43. 

  44.         self.assertEqual(200, channel.code, msg=channel.json_body)

  45.         self.assertEqual({"server_version"}, set(channel.json_body.keys()))

  46. 

  47. 

  48. class QuarantineMediaTestCase(unittest.HomeserverTestCase):

  49.     """Test /quarantine_media admin API."""

  50. 

  51.     servlets = [

  52.         synapse.rest.admin.register_servlets,

  53.         synapse.rest.admin.register_servlets_for_media_repo,

  54.         login.register_servlets,

  55.         room.register_servlets,

  56.     ]

  57. 

  58.     def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:

  59.         # Allow for uploading and downloading to/from the media repo

  60.         self.media_repo = hs.get_media_repository_resource()

  61.         self.download_resource = self.media_repo.children[b"download"]

  62.         self.upload_resource = self.media_repo.children[b"upload"]

  63. 

  64.     def _ensure_quarantined(

  65.         self, admin_user_tok: str, server_and_media_id: str

  66.     ) -> None:

  67.         """Ensure a piece of media is quarantined when trying to access it."""

  68.         channel = make_request(

  69.             self.reactor,

  70.             FakeSite(self.download_resource, self.reactor),

  71.             "GET",

  72.             server_and_media_id,

  73.             shorthand=False,

  74.             access_token=admin_user_tok,

  75.         )

  76. 

  77.         # Should be quarantined

  78.         self.assertEqual(

  79.             404,

  80.             channel.code,

  81.             msg=(

  82.                 "Expected to receive a 404 on accessing quarantined media: %s"

  83.                 % server_and_media_id

  84.             ),

  85.         )

  86. 

  87.     @parameterized.expand(

  88.         [

  89.             # Attempt quarantine media APIs as non-admin

  90.             "/_synapse/admin/v1/media/quarantine/example.org/abcde12345",

  91.             # And the roomID/userID endpoint

  92.             "/_synapse/admin/v1/room/!room%3Aexample.com/media/quarantine",

  93.         ]

  94.     )

  95.     def test_quarantine_media_requires_admin(self, url: str) -> None:

  96.         self.register_user("nonadmin", "pass", admin=False)

  97.         non_admin_user_tok = self.login("nonadmin", "pass")

  98. 

  99.         channel = self.make_request(

  100.             "POST",

  101.             url.encode("ascii"),

  102.             access_token=non_admin_user_tok,

  103.         )

  104. 

  105.         # Expect a forbidden error

  106.         self.assertEqual(

  107.             403,

  108.             channel.code,

  109.             msg="Expected forbidden on quarantining media as a non-admin",

  110.         )

  111. 

  112.     def test_quarantine_media_by_id(self) -> None:

  113.         self.register_user("id_admin", "pass", admin=True)

  114.         admin_user_tok = self.login("id_admin", "pass")

  115. 

  116.         self.register_user("id_nonadmin", "pass", admin=False)

  117.         non_admin_user_tok = self.login("id_nonadmin", "pass")

  118. 

  119.         # Upload some media into the room

  120.         response = self.helper.upload_media(

  121.             self.upload_resource, SMALL_PNG, tok=admin_user_tok

  122.         )

  123. 

  124.         # Extract media ID from the response

  125.         server_name_and_media_id = response["content_uri"][6:]  # Cut off 'mxc://'

  126.         server_name, media_id = server_name_and_media_id.split("/")

  127. 

  128.         # Attempt to access the media

  129.         channel = make_request(

  130.             self.reactor,

  131.             FakeSite(self.download_resource, self.reactor),

  132.             "GET",

  133.             server_name_and_media_id,

  134.             shorthand=False,

  135.             access_token=non_admin_user_tok,

  136.         )

  137. 

  138.         # Should be successful

  139.         self.assertEqual(200, channel.code)

  140. 

  141.         # Quarantine the media

  142.         url = "/_synapse/admin/v1/media/quarantine/%s/%s" % (

  143.             urllib.parse.quote(server_name),

  144.             urllib.parse.quote(media_id),

  145.         )

  146.         channel = self.make_request(

  147.             "POST",

  148.             url,

  149.             access_token=admin_user_tok,

  150.         )

  151.         self.pump(1.0)

  152.         self.assertEqual(200, channel.code, msg=channel.json_body)

  153. 

  154.         # Attempt to access the media

  155.         self._ensure_quarantined(admin_user_tok, server_name_and_media_id)

  156. 

  157.     @parameterized.expand(

  158.         [

  159.             # regular API path

  160.             "/_synapse/admin/v1/room/%s/media/quarantine",

  161.             # deprecated API path

  162.             "/_synapse/admin/v1/quarantine_media/%s",

  163.         ]

  164.     )

  165.     def test_quarantine_all_media_in_room(self, url: str) -> None:

  166.         self.register_user("room_admin", "pass", admin=True)

  167.         admin_user_tok = self.login("room_admin", "pass")

  168. 

  169.         non_admin_user = self.register_user("room_nonadmin", "pass", admin=False)

  170.         non_admin_user_tok = self.login("room_nonadmin", "pass")

  171. 

  172.         room_id = self.helper.create_room_as(non_admin_user, tok=admin_user_tok)

  173.         self.helper.join(room_id, non_admin_user, tok=non_admin_user_tok)

  174. 

  175.         # Upload some media

  176.         response_1 = self.helper.upload_media(

  177.             self.upload_resource, SMALL_PNG, tok=non_admin_user_tok

  178.         )

  179.         response_2 = self.helper.upload_media(

  180.             self.upload_resource, SMALL_PNG, tok=non_admin_user_tok

  181.         )

  182. 

  183.         # Extract mxcs

  184.         mxc_1 = response_1["content_uri"]

  185.         mxc_2 = response_2["content_uri"]

  186. 

  187.         # Send it into the room

  188.         self.helper.send_event(

  189.             room_id,

  190.             "m.room.message",

  191.             content={"body": "image-1", "msgtype": "m.image", "url": mxc_1},

  192.             txn_id="111",

  193.             tok=non_admin_user_tok,

  194.         )

  195.         self.helper.send_event(

  196.             room_id,

  197.             "m.room.message",

  198.             content={"body": "image-2", "msgtype": "m.image", "url": mxc_2},

  199.             txn_id="222",

  200.             tok=non_admin_user_tok,

  201.         )

  202. 

  203.         channel = self.make_request(

  204.             "POST",

  205.             url % urllib.parse.quote(room_id),

  206.             access_token=admin_user_tok,

  207.         )

  208.         self.pump(1.0)

  209.         self.assertEqual(200, channel.code, msg=channel.json_body)

  210.         self.assertEqual(

  211.             channel.json_body, {"num_quarantined": 2}, "Expected 2 quarantined items"

  212.         )

  213. 

  214.         # Convert mxc URLs to server/media_id strings

  215.         server_and_media_id_1 = mxc_1[6:]

  216.         server_and_media_id_2 = mxc_2[6:]

  217. 

  218.         # Test that we cannot download any of the media anymore

  219.         self._ensure_quarantined(admin_user_tok, server_and_media_id_1)

  220.         self._ensure_quarantined(admin_user_tok, server_and_media_id_2)

  221. 

  222.     def test_quarantine_all_media_by_user(self) -> None:

  223.         self.register_user("user_admin", "pass", admin=True)

  224.         admin_user_tok = self.login("user_admin", "pass")

  225. 

  226.         non_admin_user = self.register_user("user_nonadmin", "pass", admin=False)

  227.         non_admin_user_tok = self.login("user_nonadmin", "pass")

  228. 

  229.         # Upload some media

  230.         response_1 = self.helper.upload_media(

  231.             self.upload_resource, SMALL_PNG, tok=non_admin_user_tok

  232.         )

  233.         response_2 = self.helper.upload_media(

  234.             self.upload_resource, SMALL_PNG, tok=non_admin_user_tok

  235.         )

  236. 

  237.         # Extract media IDs

  238.         server_and_media_id_1 = response_1["content_uri"][6:]

  239.         server_and_media_id_2 = response_2["content_uri"][6:]

  240. 

  241.         # Quarantine all media by this user

  242.         url = "/_synapse/admin/v1/user/%s/media/quarantine" % urllib.parse.quote(

  243.             non_admin_user

  244.         )

  245.         channel = self.make_request(

  246.             "POST",

  247.             url.encode("ascii"),

  248.             access_token=admin_user_tok,

  249.         )

  250.         self.pump(1.0)

  251.         self.assertEqual(200, channel.code, msg=channel.json_body)

  252.         self.assertEqual(

  253.             channel.json_body, {"num_quarantined": 2}, "Expected 2 quarantined items"

  254.         )

  255. 

  256.         # Attempt to access each piece of media

  257.         self._ensure_quarantined(admin_user_tok, server_and_media_id_1)

  258.         self._ensure_quarantined(admin_user_tok, server_and_media_id_2)

  259. 

  260.     def test_cannot_quarantine_safe_media(self) -> None:

  261.         self.register_user("user_admin", "pass", admin=True)

  262.         admin_user_tok = self.login("user_admin", "pass")

  263. 

  264.         non_admin_user = self.register_user("user_nonadmin", "pass", admin=False)

  265.         non_admin_user_tok = self.login("user_nonadmin", "pass")

  266. 

  267.         # Upload some media

  268.         response_1 = self.helper.upload_media(

  269.             self.upload_resource, SMALL_PNG, tok=non_admin_user_tok

  270.         )

  271.         response_2 = self.helper.upload_media(

  272.             self.upload_resource, SMALL_PNG, tok=non_admin_user_tok

  273.         )

  274. 

  275.         # Extract media IDs

  276.         server_and_media_id_1 = response_1["content_uri"][6:]

  277.         server_and_media_id_2 = response_2["content_uri"][6:]

  278. 

  279.         # Mark the second item as safe from quarantine.

  280.         _, media_id_2 = server_and_media_id_2.split("/")

  281.         # Quarantine the media

  282.         url = "/_synapse/admin/v1/media/protect/%s" % (urllib.parse.quote(media_id_2),)

  283.         channel = self.make_request("POST", url, access_token=admin_user_tok)

  284.         self.pump(1.0)

  285.         self.assertEqual(200, channel.code, msg=channel.json_body)

  286. 

  287.         # Quarantine all media by this user

  288.         url = "/_synapse/admin/v1/user/%s/media/quarantine" % urllib.parse.quote(

  289.             non_admin_user

  290.         )

  291.         channel = self.make_request(

  292.             "POST",

  293.             url.encode("ascii"),

  294.             access_token=admin_user_tok,

  295.         )

  296.         self.pump(1.0)

  297.         self.assertEqual(200, channel.code, msg=channel.json_body)

  298.         self.assertEqual(

  299.             channel.json_body, {"num_quarantined": 1}, "Expected 1 quarantined item"

  300.         )

  301. 

  302.         # Attempt to access each piece of media, the first should fail, the

  303.         # second should succeed.

  304.         self._ensure_quarantined(admin_user_tok, server_and_media_id_1)

  305. 

  306.         # Attempt to access each piece of media

  307.         channel = make_request(

  308.             self.reactor,

  309.             FakeSite(self.download_resource, self.reactor),

  310.             "GET",

  311.             server_and_media_id_2,

  312.             shorthand=False,

  313.             access_token=non_admin_user_tok,

  314.         )

  315. 

  316.         # Shouldn't be quarantined

  317.         self.assertEqual(

  318.             200,

  319.             channel.code,

  320.             msg=(

  321.                 "Expected to receive a 200 on accessing not-quarantined media: %s"

  322.                 % server_and_media_id_2

  323.             ),

  324.         )

  325. 

  326. 

  327. class PurgeHistoryTestCase(unittest.HomeserverTestCase):

  328.     servlets = [

  329.         synapse.rest.admin.register_servlets,

  330.         login.register_servlets,

  331.         room.register_servlets,

  332.     ]

  333. 

  334.     def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:

  335.         self.admin_user = self.register_user("admin", "pass", admin=True)

  336.         self.admin_user_tok = self.login("admin", "pass")

  337. 

  338.         self.other_user = self.register_user("user", "pass")

  339.         self.other_user_tok = self.login("user", "pass")

  340. 

  341.         self.room_id = self.helper.create_room_as(

  342.             self.other_user, tok=self.other_user_tok

  343.         )

  344.         self.url = f"/_synapse/admin/v1/purge_history/{self.room_id}"

  345.         self.url_status = "/_synapse/admin/v1/purge_history_status/"

  346. 

  347.     def test_purge_history(self) -> None:

  348.         """

  349.         Simple test of purge history API.

  350.         Test only that is is possible to call, get status 200 and purge_id.

  351.         """

  352. 

  353.         channel = self.make_request(

  354.             "POST",

  355.             self.url,

  356.             content={"delete_local_events": True, "purge_up_to_ts": 0},

  357.             access_token=self.admin_user_tok,

  358.         )

  359. 

  360.         self.assertEqual(200, channel.code, msg=channel.json_body)

  361.         self.assertIn("purge_id", channel.json_body)

  362.         purge_id = channel.json_body["purge_id"]

  363. 

  364.         # get status

  365.         channel = self.make_request(

  366.             "GET",

  367.             self.url_status + purge_id,

  368.             access_token=self.admin_user_tok,

  369.         )

  370. 

  371.         self.assertEqual(200, channel.code, msg=channel.json_body)

  372.         self.assertEqual("complete", channel.json_body["status"])

  373. 

  374. 

  375. class ExperimentalFeaturesTestCase(unittest.HomeserverTestCase):

  376.     servlets = [

  377.         synapse.rest.admin.register_servlets,

  378.         login.register_servlets,

  379.     ]

  380. 

  381.     def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:

  382.         self.admin_user = self.register_user("admin", "pass", admin=True)

  383.         self.admin_user_tok = self.login("admin", "pass")

  384. 

  385.         self.other_user = self.register_user("user", "pass")

  386.         self.other_user_tok = self.login("user", "pass")

  387. 

  388.         self.url = "/_synapse/admin/v1/experimental_features"

  389. 

  390.     def test_enable_and_disable(self) -> None:

  391.         """

  392.         Test basic functionality of ExperimentalFeatures endpoint

  393.         """

  394.         # test enabling features works

  395.         url = f"{self.url}/{self.other_user}"

  396.         channel = self.make_request(

  397.             "PUT",

  398.             url,

  399.             content={

  400.                 "features": {"msc3026": True, "msc3881": True},

  401.             },

  402.             access_token=self.admin_user_tok,

  403.         )

  404.         self.assertEqual(channel.code, 200)

  405. 

  406.         # list which features are enabled and ensure the ones we enabled are listed

  407.         self.assertEqual(channel.code, 200)

  408.         url = f"{self.url}/{self.other_user}"

  409.         channel = self.make_request(

  410.             "GET",

  411.             url,

  412.             access_token=self.admin_user_tok,

  413.         )

  414.         self.assertEqual(channel.code, 200)

  415.         self.assertEqual(

  416.             True,

  417.             channel.json_body["features"]["msc3026"],

  418.         )

  419.         self.assertEqual(

  420.             True,

  421.             channel.json_body["features"]["msc3881"],

  422.         )

  423. 

  424.         # test disabling a feature works

  425.         url = f"{self.url}/{self.other_user}"

  426.         channel = self.make_request(

  427.             "PUT",

  428.             url,

  429.             content={"features": {"msc3026": False}},

  430.             access_token=self.admin_user_tok,

  431.         )

  432.         self.assertEqual(channel.code, 200)

  433. 

  434.         # list the features enabled/disabled and ensure they are still are correct

  435.         self.assertEqual(channel.code, 200)

  436.         url = f"{self.url}/{self.other_user}"

  437.         channel = self.make_request(

  438.             "GET",

  439.             url,

  440.             access_token=self.admin_user_tok,

  441.         )

  442.         self.assertEqual(channel.code, 200)

  443.         self.assertEqual(

  444.             False,

  445.             channel.json_body["features"]["msc3026"],

  446.         )

  447.         self.assertEqual(

  448.             True,

  449.             channel.json_body["features"]["msc3881"],

  450.         )

  451.         self.assertEqual(

  452.             False,

  453.             channel.json_body["features"]["msc3967"],

  454.         )

  455. 

  456.         # test nothing blows up if you try to disable a feature that isn't already enabled

  457.         url = f"{self.url}/{self.other_user}"

  458.         channel = self.make_request(

  459.             "PUT",

  460.             url,

  461.             content={"features": {"msc3026": False}},

  462.             access_token=self.admin_user_tok,

  463.         )

  464.         self.assertEqual(channel.code, 200)

  465. 

  466.         # test trying to enable a feature without an admin access token is denied

  467.         url = f"{self.url}/f{self.other_user}"

  468.         channel = self.make_request(

  469.             "PUT",

  470.             url,

  471.             content={"features": {"msc3881": True}},

  472.             access_token=self.other_user_tok,

  473.         )

  474.         self.assertEqual(channel.code, 403)

  475.         self.assertEqual(

  476.             channel.json_body,

  477.             {"errcode": "M_FORBIDDEN", "error": "You are not a server admin"},

  478.         )

  479. 

  480.         # test trying to enable a bogus msc is denied

  481.         url = f"{self.url}/{self.other_user}"

  482.         channel = self.make_request(

  483.             "PUT",

  484.             url,

  485.             content={"features": {"msc6666": True}},

  486.             access_token=self.admin_user_tok,

  487.         )

  488.         self.assertEqual(channel.code, 400)

  489.         self.assertEqual(

  490.             channel.json_body,

  491.             {

  492.                 "errcode": "M_UNKNOWN",

  493.                 "error": "'msc6666' is not recognised as a valid experimental feature.",

  494.             },

  495.         )