gitlord
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23107 Commits
842 Branches
474 MiB
 
 
 
 
 
 
Tree: 954921736b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '954921736b'
${ noResults }
synapse/tests/api/test_auth.py

530 lines
23 KiB
Raw Blame History 

  1. # Copyright 2015 - 2016 OpenMarket Ltd

  2. #

  3. # Licensed under the Apache License, Version 2.0 (the "License");

  4. # you may not use this file except in compliance with the License.

  5. # You may obtain a copy of the License at

  6. #

  7. #     http://www.apache.org/licenses/LICENSE-2.0

  8. #

  9. # Unless required by applicable law or agreed to in writing, software

  10. # distributed under the License is distributed on an "AS IS" BASIS,

  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  12. # See the License for the specific language governing permissions and

  13. # limitations under the License.

  14. 

  15. from unittest.mock import AsyncMock, Mock

  16. 

  17. import pymacaroons

  18. 

  19. from twisted.test.proto_helpers import MemoryReactor

  20. 

  21. from synapse.api.auth.internal import InternalAuth

  22. from synapse.api.auth_blocking import AuthBlocking

  23. from synapse.api.constants import UserTypes

  24. from synapse.api.errors import (

  25.     AuthError,

  26.     Codes,

  27.     InvalidClientTokenError,

  28.     MissingClientTokenError,

  29.     ResourceLimitError,

  30. )

  31. from synapse.appservice import ApplicationService

  32. from synapse.server import HomeServer

  33. from synapse.storage.databases.main.registration import TokenLookupResult

  34. from synapse.types import Requester, UserID

  35. from synapse.util import Clock

  36. 

  37. from tests import unittest

  38. from tests.unittest import override_config

  39. from tests.utils import mock_getRawHeaders

  40. 

  41. 

  42. class AuthTestCase(unittest.HomeserverTestCase):

  43.     def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:

  44.         self.store = Mock()

  45. 

  46.         # type-ignore: datastores is None until hs.setup() is called---but it'll

  47.         # have been called by the HomeserverTestCase machinery.

  48.         hs.datastores.main = self.store  # type: ignore[union-attr]

  49.         hs.get_auth_handler().store = self.store

  50.         self.auth = InternalAuth(hs)

  51. 

  52.         # AuthBlocking reads from the hs' config on initialization. We need to

  53.         # modify its config instead of the hs'

  54.         self.auth_blocking = AuthBlocking(hs)

  55. 

  56.         self.test_user = "@foo:bar"

  57.         self.test_token = b"_test_token_"

  58. 

  59.         # this is overridden for the appservice tests

  60.         self.store.get_app_service_by_token = Mock(return_value=None)

  61. 

  62.         self.store.insert_client_ip = AsyncMock(return_value=None)

  63.         self.store.is_support_user = AsyncMock(return_value=False)

  64. 

  65.     def test_get_user_by_req_user_valid_token(self) -> None:

  66.         user_info = TokenLookupResult(

  67.             user_id=self.test_user, token_id=5, device_id="device"

  68.         )

  69.         self.store.get_user_by_access_token = AsyncMock(return_value=user_info)

  70.         self.store.mark_access_token_as_used = AsyncMock(return_value=None)

  71.         self.store.get_user_locked_status = AsyncMock(return_value=False)

  72. 

  73.         request = Mock(args={})

  74.         request.args[b"access_token"] = [self.test_token]

  75.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  76.         requester = self.get_success(self.auth.get_user_by_req(request))

  77.         self.assertEqual(requester.user.to_string(), self.test_user)

  78. 

  79.     def test_get_user_by_req_user_bad_token(self) -> None:

  80.         self.store.get_user_by_access_token = AsyncMock(return_value=None)

  81. 

  82.         request = Mock(args={})

  83.         request.args[b"access_token"] = [self.test_token]

  84.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  85.         f = self.get_failure(

  86.             self.auth.get_user_by_req(request), InvalidClientTokenError

  87.         ).value

  88.         self.assertEqual(f.code, 401)

  89.         self.assertEqual(f.errcode, "M_UNKNOWN_TOKEN")

  90. 

  91.     def test_get_user_by_req_user_missing_token(self) -> None:

  92.         user_info = TokenLookupResult(user_id=self.test_user, token_id=5)

  93.         self.store.get_user_by_access_token = AsyncMock(return_value=user_info)

  94. 

  95.         request = Mock(args={})

  96.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  97.         f = self.get_failure(

  98.             self.auth.get_user_by_req(request), MissingClientTokenError

  99.         ).value

  100.         self.assertEqual(f.code, 401)

  101.         self.assertEqual(f.errcode, "M_MISSING_TOKEN")

  102. 

  103.     def test_get_user_by_req_appservice_valid_token(self) -> None:

  104.         app_service = Mock(

  105.             token="foobar", url="a_url", sender=self.test_user, ip_range_whitelist=None

  106.         )

  107.         self.store.get_app_service_by_token = Mock(return_value=app_service)

  108.         self.store.get_user_by_access_token = AsyncMock(return_value=None)

  109. 

  110.         request = Mock(args={})

  111.         request.getClientAddress.return_value.host = "127.0.0.1"

  112.         request.args[b"access_token"] = [self.test_token]

  113.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  114.         requester = self.get_success(self.auth.get_user_by_req(request))

  115.         self.assertEqual(requester.user.to_string(), self.test_user)

  116. 

  117.     def test_get_user_by_req_appservice_valid_token_good_ip(self) -> None:

  118.         from netaddr import IPSet

  119. 

  120.         app_service = Mock(

  121.             token="foobar",

  122.             url="a_url",

  123.             sender=self.test_user,

  124.             ip_range_whitelist=IPSet(["192.168/16"]),

  125.         )

  126.         self.store.get_app_service_by_token = Mock(return_value=app_service)

  127.         self.store.get_user_by_access_token = AsyncMock(return_value=None)

  128. 

  129.         request = Mock(args={})

  130.         request.getClientAddress.return_value.host = "192.168.10.10"

  131.         request.args[b"access_token"] = [self.test_token]

  132.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  133.         requester = self.get_success(self.auth.get_user_by_req(request))

  134.         self.assertEqual(requester.user.to_string(), self.test_user)

  135. 

  136.     def test_get_user_by_req_appservice_valid_token_bad_ip(self) -> None:

  137.         from netaddr import IPSet

  138. 

  139.         app_service = Mock(

  140.             token="foobar",

  141.             url="a_url",

  142.             sender=self.test_user,

  143.             ip_range_whitelist=IPSet(["192.168/16"]),

  144.         )

  145.         self.store.get_app_service_by_token = Mock(return_value=app_service)

  146.         self.store.get_user_by_access_token = AsyncMock(return_value=None)

  147. 

  148.         request = Mock(args={})

  149.         request.getClientAddress.return_value.host = "131.111.8.42"

  150.         request.args[b"access_token"] = [self.test_token]

  151.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  152.         f = self.get_failure(

  153.             self.auth.get_user_by_req(request), InvalidClientTokenError

  154.         ).value

  155.         self.assertEqual(f.code, 401)

  156.         self.assertEqual(f.errcode, "M_UNKNOWN_TOKEN")

  157. 

  158.     def test_get_user_by_req_appservice_bad_token(self) -> None:

  159.         self.store.get_app_service_by_token = Mock(return_value=None)

  160.         self.store.get_user_by_access_token = AsyncMock(return_value=None)

  161. 

  162.         request = Mock(args={})

  163.         request.args[b"access_token"] = [self.test_token]

  164.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  165.         f = self.get_failure(

  166.             self.auth.get_user_by_req(request), InvalidClientTokenError

  167.         ).value

  168.         self.assertEqual(f.code, 401)

  169.         self.assertEqual(f.errcode, "M_UNKNOWN_TOKEN")

  170. 

  171.     def test_get_user_by_req_appservice_missing_token(self) -> None:

  172.         app_service = Mock(token="foobar", url="a_url", sender=self.test_user)

  173.         self.store.get_app_service_by_token = Mock(return_value=app_service)

  174.         self.store.get_user_by_access_token = AsyncMock(return_value=None)

  175. 

  176.         request = Mock(args={})

  177.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  178.         f = self.get_failure(

  179.             self.auth.get_user_by_req(request), MissingClientTokenError

  180.         ).value

  181.         self.assertEqual(f.code, 401)

  182.         self.assertEqual(f.errcode, "M_MISSING_TOKEN")

  183. 

  184.     def test_get_user_by_req_appservice_valid_token_valid_user_id(self) -> None:

  185.         masquerading_user_id = b"@doppelganger:matrix.org"

  186.         app_service = Mock(

  187.             token="foobar", url="a_url", sender=self.test_user, ip_range_whitelist=None

  188.         )

  189.         app_service.is_interested_in_user = Mock(return_value=True)

  190.         self.store.get_app_service_by_token = Mock(return_value=app_service)

  191. 

  192.         class FakeUserInfo:

  193.             is_guest = False

  194. 

  195.         self.store.get_user_by_id = AsyncMock(return_value=FakeUserInfo())

  196.         self.store.get_user_by_access_token = AsyncMock(return_value=None)

  197. 

  198.         request = Mock(args={})

  199.         request.getClientAddress.return_value.host = "127.0.0.1"

  200.         request.args[b"access_token"] = [self.test_token]

  201.         request.args[b"user_id"] = [masquerading_user_id]

  202.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  203.         requester = self.get_success(self.auth.get_user_by_req(request))

  204.         self.assertEqual(

  205.             requester.user.to_string(), masquerading_user_id.decode("utf8")

  206.         )

  207. 

  208.     def test_get_user_by_req_appservice_valid_token_bad_user_id(self) -> None:

  209.         masquerading_user_id = b"@doppelganger:matrix.org"

  210.         app_service = Mock(

  211.             token="foobar", url="a_url", sender=self.test_user, ip_range_whitelist=None

  212.         )

  213.         app_service.is_interested_in_user = Mock(return_value=False)

  214.         self.store.get_app_service_by_token = Mock(return_value=app_service)

  215.         self.store.get_user_by_access_token = AsyncMock(return_value=None)

  216. 

  217.         request = Mock(args={})

  218.         request.getClientAddress.return_value.host = "127.0.0.1"

  219.         request.args[b"access_token"] = [self.test_token]

  220.         request.args[b"user_id"] = [masquerading_user_id]

  221.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  222.         self.get_failure(self.auth.get_user_by_req(request), AuthError)

  223. 

  224.     @override_config({"experimental_features": {"msc3202_device_masquerading": True}})

  225.     def test_get_user_by_req_appservice_valid_token_valid_device_id(self) -> None:

  226.         """

  227.         Tests that when an application service passes the device_id URL parameter

  228.         with the ID of a valid device for the user in question,

  229.         the requester instance tracks that device ID.

  230.         """

  231.         masquerading_user_id = b"@doppelganger:matrix.org"

  232.         masquerading_device_id = b"DOPPELDEVICE"

  233.         app_service = Mock(

  234.             token="foobar", url="a_url", sender=self.test_user, ip_range_whitelist=None

  235.         )

  236.         app_service.is_interested_in_user = Mock(return_value=True)

  237.         self.store.get_app_service_by_token = Mock(return_value=app_service)

  238.         # This just needs to return a truth-y value.

  239.         self.store.get_user_by_id = AsyncMock(return_value={"is_guest": False})

  240.         self.store.get_user_by_access_token = AsyncMock(return_value=None)

  241.         # This also needs to just return a truth-y value

  242.         self.store.get_device = AsyncMock(return_value={"hidden": False})

  243. 

  244.         request = Mock(args={})

  245.         request.getClientAddress.return_value.host = "127.0.0.1"

  246.         request.args[b"access_token"] = [self.test_token]

  247.         request.args[b"user_id"] = [masquerading_user_id]

  248.         request.args[b"org.matrix.msc3202.device_id"] = [masquerading_device_id]

  249.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  250.         requester = self.get_success(self.auth.get_user_by_req(request))

  251.         self.assertEqual(

  252.             requester.user.to_string(), masquerading_user_id.decode("utf8")

  253.         )

  254.         self.assertEqual(requester.device_id, masquerading_device_id.decode("utf8"))

  255. 

  256.     @override_config({"experimental_features": {"msc3202_device_masquerading": True}})

  257.     def test_get_user_by_req_appservice_valid_token_invalid_device_id(self) -> None:

  258.         """

  259.         Tests that when an application service passes the device_id URL parameter

  260.         with an ID that is not a valid device ID for the user in question,

  261.         the request fails with the appropriate error code.

  262.         """

  263.         masquerading_user_id = b"@doppelganger:matrix.org"

  264.         masquerading_device_id = b"NOT_A_REAL_DEVICE_ID"

  265.         app_service = Mock(

  266.             token="foobar", url="a_url", sender=self.test_user, ip_range_whitelist=None

  267.         )

  268.         app_service.is_interested_in_user = Mock(return_value=True)

  269.         self.store.get_app_service_by_token = Mock(return_value=app_service)

  270.         # This just needs to return a truth-y value.

  271.         self.store.get_user_by_id = AsyncMock(return_value={"is_guest": False})

  272.         self.store.get_user_by_access_token = AsyncMock(return_value=None)

  273.         # This also needs to just return a falsey value

  274.         self.store.get_device = AsyncMock(return_value=None)

  275. 

  276.         request = Mock(args={})

  277.         request.getClientAddress.return_value.host = "127.0.0.1"

  278.         request.args[b"access_token"] = [self.test_token]

  279.         request.args[b"user_id"] = [masquerading_user_id]

  280.         request.args[b"org.matrix.msc3202.device_id"] = [masquerading_device_id]

  281.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  282. 

  283.         failure = self.get_failure(self.auth.get_user_by_req(request), AuthError)

  284.         self.assertEqual(failure.value.code, 400)

  285.         self.assertEqual(failure.value.errcode, Codes.EXCLUSIVE)

  286. 

  287.     def test_get_user_by_req__puppeted_token__not_tracking_puppeted_mau(self) -> None:

  288.         self.store.get_user_by_access_token = AsyncMock(

  289.             return_value=TokenLookupResult(

  290.                 user_id="@baldrick:matrix.org",

  291.                 device_id="device",

  292.                 token_id=5,

  293.                 token_owner="@admin:matrix.org",

  294.                 token_used=True,

  295.             )

  296.         )

  297.         self.store.insert_client_ip = AsyncMock(return_value=None)

  298.         self.store.mark_access_token_as_used = AsyncMock(return_value=None)

  299.         self.store.get_user_locked_status = AsyncMock(return_value=False)

  300.         request = Mock(args={})

  301.         request.getClientAddress.return_value.host = "127.0.0.1"

  302.         request.args[b"access_token"] = [self.test_token]

  303.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  304.         self.get_success(self.auth.get_user_by_req(request))

  305.         self.store.insert_client_ip.assert_called_once()

  306. 

  307.     def test_get_user_by_req__puppeted_token__tracking_puppeted_mau(self) -> None:

  308.         self.auth._track_puppeted_user_ips = True

  309.         self.store.get_user_by_access_token = AsyncMock(

  310.             return_value=TokenLookupResult(

  311.                 user_id="@baldrick:matrix.org",

  312.                 device_id="device",

  313.                 token_id=5,

  314.                 token_owner="@admin:matrix.org",

  315.                 token_used=True,

  316.             )

  317.         )

  318.         self.store.get_user_locked_status = AsyncMock(return_value=False)

  319.         self.store.insert_client_ip = AsyncMock(return_value=None)

  320.         self.store.mark_access_token_as_used = AsyncMock(return_value=None)

  321.         request = Mock(args={})

  322.         request.getClientAddress.return_value.host = "127.0.0.1"

  323.         request.args[b"access_token"] = [self.test_token]

  324.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  325.         self.get_success(self.auth.get_user_by_req(request))

  326.         self.assertEqual(self.store.insert_client_ip.call_count, 2)

  327. 

  328.     def test_get_user_from_macaroon(self) -> None:

  329.         self.store.get_user_by_access_token = AsyncMock(return_value=None)

  330. 

  331.         user_id = "@baldrick:matrix.org"

  332.         macaroon = pymacaroons.Macaroon(

  333.             location=self.hs.config.server.server_name,

  334.             identifier="key",

  335.             key=self.hs.config.key.macaroon_secret_key,

  336.         )

  337.         # "Legacy" macaroons should not work for regular users not in the database

  338.         macaroon.add_first_party_caveat("gen = 1")

  339.         macaroon.add_first_party_caveat("type = access")

  340.         macaroon.add_first_party_caveat("user_id = %s" % (user_id,))

  341.         serialized = macaroon.serialize()

  342.         self.get_failure(

  343.             self.auth.get_user_by_access_token(serialized), InvalidClientTokenError

  344.         )

  345. 

  346.     def test_get_guest_user_from_macaroon(self) -> None:

  347.         class FakeUserInfo:

  348.             is_guest = True

  349. 

  350.         self.store.get_user_by_id = AsyncMock(return_value=FakeUserInfo())

  351.         self.store.get_user_by_access_token = AsyncMock(return_value=None)

  352. 

  353.         user_id = "@baldrick:matrix.org"

  354.         macaroon = pymacaroons.Macaroon(

  355.             location=self.hs.config.server.server_name,

  356.             identifier="key",

  357.             key=self.hs.config.key.macaroon_secret_key,

  358.         )

  359.         macaroon.add_first_party_caveat("gen = 1")

  360.         macaroon.add_first_party_caveat("type = access")

  361.         macaroon.add_first_party_caveat("user_id = %s" % (user_id,))

  362.         macaroon.add_first_party_caveat("guest = true")

  363.         serialized = macaroon.serialize()

  364. 

  365.         user_info = self.get_success(self.auth.get_user_by_access_token(serialized))

  366.         self.assertEqual(user_id, user_info.user.to_string())

  367.         self.assertTrue(user_info.is_guest)

  368.         self.store.get_user_by_id.assert_called_with(user_id)

  369. 

  370.     def test_blocking_mau(self) -> None:

  371.         self.auth_blocking._limit_usage_by_mau = False

  372.         self.auth_blocking._max_mau_value = 50

  373.         lots_of_users = 100

  374.         small_number_of_users = 1

  375. 

  376.         # Ensure no error thrown

  377.         self.get_success(self.auth_blocking.check_auth_blocking())

  378. 

  379.         self.auth_blocking._limit_usage_by_mau = True

  380. 

  381.         self.store.get_monthly_active_count = AsyncMock(return_value=lots_of_users)

  382. 

  383.         e = self.get_failure(

  384.             self.auth_blocking.check_auth_blocking(), ResourceLimitError

  385.         )

  386.         self.assertEqual(e.value.admin_contact, self.hs.config.server.admin_contact)

  387.         self.assertEqual(e.value.errcode, Codes.RESOURCE_LIMIT_EXCEEDED)

  388.         self.assertEqual(e.value.code, 403)

  389. 

  390.         # Ensure does not throw an error

  391.         self.store.get_monthly_active_count = AsyncMock(

  392.             return_value=small_number_of_users

  393.         )

  394.         self.get_success(self.auth_blocking.check_auth_blocking())

  395. 

  396.     def test_blocking_mau__depending_on_user_type(self) -> None:

  397.         self.auth_blocking._max_mau_value = 50

  398.         self.auth_blocking._limit_usage_by_mau = True

  399. 

  400.         self.store.get_monthly_active_count = AsyncMock(return_value=100)

  401.         # Support users allowed

  402.         self.get_success(

  403.             self.auth_blocking.check_auth_blocking(user_type=UserTypes.SUPPORT)

  404.         )

  405.         self.store.get_monthly_active_count = AsyncMock(return_value=100)

  406.         # Bots not allowed

  407.         self.get_failure(

  408.             self.auth_blocking.check_auth_blocking(user_type=UserTypes.BOT),

  409.             ResourceLimitError,

  410.         )

  411.         self.store.get_monthly_active_count = AsyncMock(return_value=100)

  412.         # Real users not allowed

  413.         self.get_failure(self.auth_blocking.check_auth_blocking(), ResourceLimitError)

  414. 

  415.     def test_blocking_mau__appservice_requester_allowed_when_not_tracking_ips(

  416.         self,

  417.     ) -> None:

  418.         self.auth_blocking._max_mau_value = 50

  419.         self.auth_blocking._limit_usage_by_mau = True

  420.         self.auth_blocking._track_appservice_user_ips = False

  421. 

  422.         self.store.get_monthly_active_count = AsyncMock(return_value=100)

  423.         self.store.user_last_seen_monthly_active = AsyncMock(return_value=None)

  424.         self.store.is_trial_user = AsyncMock(return_value=False)

  425. 

  426.         appservice = ApplicationService(

  427.             "abcd",

  428.             id="1234",

  429.             namespaces={

  430.                 "users": [{"regex": "@_appservice.*:sender", "exclusive": True}]

  431.             },

  432.             sender="@appservice:sender",

  433.         )

  434.         requester = Requester(

  435.             user=UserID.from_string("@appservice:server"),

  436.             access_token_id=None,

  437.             device_id="FOOBAR",

  438.             is_guest=False,

  439.             scope=set(),

  440.             shadow_banned=False,

  441.             app_service=appservice,

  442.             authenticated_entity="@appservice:server",

  443.         )

  444.         self.get_success(self.auth_blocking.check_auth_blocking(requester=requester))

  445. 

  446.     def test_blocking_mau__appservice_requester_disallowed_when_tracking_ips(

  447.         self,

  448.     ) -> None:

  449.         self.auth_blocking._max_mau_value = 50

  450.         self.auth_blocking._limit_usage_by_mau = True

  451.         self.auth_blocking._track_appservice_user_ips = True

  452. 

  453.         self.store.get_monthly_active_count = AsyncMock(return_value=100)

  454.         self.store.user_last_seen_monthly_active = AsyncMock(return_value=None)

  455.         self.store.is_trial_user = AsyncMock(return_value=False)

  456. 

  457.         appservice = ApplicationService(

  458.             "abcd",

  459.             id="1234",

  460.             namespaces={

  461.                 "users": [{"regex": "@_appservice.*:sender", "exclusive": True}]

  462.             },

  463.             sender="@appservice:sender",

  464.         )

  465.         requester = Requester(

  466.             user=UserID.from_string("@appservice:server"),

  467.             access_token_id=None,

  468.             device_id="FOOBAR",

  469.             is_guest=False,

  470.             scope=set(),

  471.             shadow_banned=False,

  472.             app_service=appservice,

  473.             authenticated_entity="@appservice:server",

  474.         )

  475.         self.get_failure(

  476.             self.auth_blocking.check_auth_blocking(requester=requester),

  477.             ResourceLimitError,

  478.         )

  479. 

  480.     def test_reserved_threepid(self) -> None:

  481.         self.auth_blocking._limit_usage_by_mau = True

  482.         self.auth_blocking._max_mau_value = 1

  483.         self.store.get_monthly_active_count = AsyncMock(return_value=2)

  484.         threepid = {"medium": "email", "address": "reserved@server.com"}

  485.         unknown_threepid = {"medium": "email", "address": "unreserved@server.com"}

  486.         self.auth_blocking._mau_limits_reserved_threepids = [threepid]

  487. 

  488.         self.get_failure(self.auth_blocking.check_auth_blocking(), ResourceLimitError)

  489. 

  490.         self.get_failure(

  491.             self.auth_blocking.check_auth_blocking(threepid=unknown_threepid),

  492.             ResourceLimitError,

  493.         )

  494. 

  495.         self.get_success(self.auth_blocking.check_auth_blocking(threepid=threepid))

  496. 

  497.     def test_hs_disabled(self) -> None:

  498.         self.auth_blocking._hs_disabled = True

  499.         self.auth_blocking._hs_disabled_message = "Reason for being disabled"

  500.         e = self.get_failure(

  501.             self.auth_blocking.check_auth_blocking(), ResourceLimitError

  502.         )

  503.         self.assertEqual(e.value.admin_contact, self.hs.config.server.admin_contact)

  504.         self.assertEqual(e.value.errcode, Codes.RESOURCE_LIMIT_EXCEEDED)

  505.         self.assertEqual(e.value.code, 403)

  506. 

  507.     def test_hs_disabled_no_server_notices_user(self) -> None:

  508.         """Check that 'hs_disabled_message' works correctly when there is no

  509.         server_notices user.

  510.         """

  511.         # this should be the default, but we had a bug where the test was doing the wrong

  512.         # thing, so let's make it explicit

  513.         self.auth_blocking._server_notices_mxid = None

  514. 

  515.         self.auth_blocking._hs_disabled = True

  516.         self.auth_blocking._hs_disabled_message = "Reason for being disabled"

  517.         e = self.get_failure(

  518.             self.auth_blocking.check_auth_blocking(), ResourceLimitError

  519.         )

  520.         self.assertEqual(e.value.admin_contact, self.hs.config.server.admin_contact)

  521.         self.assertEqual(e.value.errcode, Codes.RESOURCE_LIMIT_EXCEEDED)

  522.         self.assertEqual(e.value.code, 403)

  523. 

  524.     def test_server_notices_mxid_special_cased(self) -> None:

  525.         self.auth_blocking._hs_disabled = True

  526.         user = "@user:server"

  527.         self.auth_blocking._server_notices_mxid = user

  528.         self.auth_blocking._hs_disabled_message = "Reason for being disabled"

  529.         self.get_success(self.auth_blocking.check_auth_blocking(user))