gitlord
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11670 Commits
842 Branches
324 MiB
 
 
 
 
 
 
Tree: 99dd975dae
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '99dd975dae'
${ noResults }
synapse/tests/api/test_auth.py

475 lines
19 KiB
Raw Blame History 

  1. # -*- coding: utf-8 -*-

  2. # Copyright 2015 - 2016 OpenMarket Ltd

  3. #

  4. # Licensed under the Apache License, Version 2.0 (the "License");

  5. # you may not use this file except in compliance with the License.

  6. # You may obtain a copy of the License at

  7. #

  8. #     http://www.apache.org/licenses/LICENSE-2.0

  9. #

  10. # Unless required by applicable law or agreed to in writing, software

  11. # distributed under the License is distributed on an "AS IS" BASIS,

  12. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. # See the License for the specific language governing permissions and

  14. # limitations under the License.

  15. 

  16. from mock import Mock

  17. 

  18. import pymacaroons

  19. 

  20. from twisted.internet import defer

  21. 

  22. import synapse.handlers.auth

  23. from synapse.api.auth import Auth

  24. from synapse.api.errors import AuthError, Codes

  25. from synapse.types import UserID

  26. 

  27. from tests import unittest

  28. from tests.utils import mock_getRawHeaders, setup_test_homeserver

  29. 

  30. 

  31. class TestHandlers(object):

  32.     def __init__(self, hs):

  33.         self.auth_handler = synapse.handlers.auth.AuthHandler(hs)

  34. 

  35. 

  36. class AuthTestCase(unittest.TestCase):

  37.     @defer.inlineCallbacks

  38.     def setUp(self):

  39.         self.state_handler = Mock()

  40.         self.store = Mock()

  41. 

  42.         self.hs = yield setup_test_homeserver(self.addCleanup, handlers=None)

  43.         self.hs.get_datastore = Mock(return_value=self.store)

  44.         self.hs.handlers = TestHandlers(self.hs)

  45.         self.auth = Auth(self.hs)

  46. 

  47.         self.test_user = "@foo:bar"

  48.         self.test_token = b"_test_token_"

  49. 

  50.         # this is overridden for the appservice tests

  51.         self.store.get_app_service_by_token = Mock(return_value=None)

  52. 

  53.     @defer.inlineCallbacks

  54.     def test_get_user_by_req_user_valid_token(self):

  55.         user_info = {"name": self.test_user, "token_id": "ditto", "device_id": "device"}

  56.         self.store.get_user_by_access_token = Mock(return_value=user_info)

  57. 

  58.         request = Mock(args={})

  59.         request.args[b"access_token"] = [self.test_token]

  60.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  61.         requester = yield self.auth.get_user_by_req(request)

  62.         self.assertEquals(requester.user.to_string(), self.test_user)

  63. 

  64.     def test_get_user_by_req_user_bad_token(self):

  65.         self.store.get_user_by_access_token = Mock(return_value=None)

  66. 

  67.         request = Mock(args={})

  68.         request.args[b"access_token"] = [self.test_token]

  69.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  70.         d = self.auth.get_user_by_req(request)

  71.         self.failureResultOf(d, AuthError)

  72. 

  73.     def test_get_user_by_req_user_missing_token(self):

  74.         user_info = {"name": self.test_user, "token_id": "ditto"}

  75.         self.store.get_user_by_access_token = Mock(return_value=user_info)

  76. 

  77.         request = Mock(args={})

  78.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  79.         d = self.auth.get_user_by_req(request)

  80.         self.failureResultOf(d, AuthError)

  81. 

  82.     @defer.inlineCallbacks

  83.     def test_get_user_by_req_appservice_valid_token(self):

  84.         app_service = Mock(

  85.             token="foobar", url="a_url", sender=self.test_user, ip_range_whitelist=None

  86.         )

  87.         self.store.get_app_service_by_token = Mock(return_value=app_service)

  88.         self.store.get_user_by_access_token = Mock(return_value=None)

  89. 

  90.         request = Mock(args={})

  91.         request.getClientIP.return_value = "127.0.0.1"

  92.         request.args[b"access_token"] = [self.test_token]

  93.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  94.         requester = yield self.auth.get_user_by_req(request)

  95.         self.assertEquals(requester.user.to_string(), self.test_user)

  96. 

  97.     @defer.inlineCallbacks

  98.     def test_get_user_by_req_appservice_valid_token_good_ip(self):

  99.         from netaddr import IPSet

  100. 

  101.         app_service = Mock(

  102.             token="foobar",

  103.             url="a_url",

  104.             sender=self.test_user,

  105.             ip_range_whitelist=IPSet(["192.168/16"]),

  106.         )

  107.         self.store.get_app_service_by_token = Mock(return_value=app_service)

  108.         self.store.get_user_by_access_token = Mock(return_value=None)

  109. 

  110.         request = Mock(args={})

  111.         request.getClientIP.return_value = "192.168.10.10"

  112.         request.args[b"access_token"] = [self.test_token]

  113.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  114.         requester = yield self.auth.get_user_by_req(request)

  115.         self.assertEquals(requester.user.to_string(), self.test_user)

  116. 

  117.     def test_get_user_by_req_appservice_valid_token_bad_ip(self):

  118.         from netaddr import IPSet

  119. 

  120.         app_service = Mock(

  121.             token="foobar",

  122.             url="a_url",

  123.             sender=self.test_user,

  124.             ip_range_whitelist=IPSet(["192.168/16"]),

  125.         )

  126.         self.store.get_app_service_by_token = Mock(return_value=app_service)

  127.         self.store.get_user_by_access_token = Mock(return_value=None)

  128. 

  129.         request = Mock(args={})

  130.         request.getClientIP.return_value = "131.111.8.42"

  131.         request.args[b"access_token"] = [self.test_token]

  132.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  133.         d = self.auth.get_user_by_req(request)

  134.         self.failureResultOf(d, AuthError)

  135. 

  136.     def test_get_user_by_req_appservice_bad_token(self):

  137.         self.store.get_app_service_by_token = Mock(return_value=None)

  138.         self.store.get_user_by_access_token = Mock(return_value=None)

  139. 

  140.         request = Mock(args={})

  141.         request.args[b"access_token"] = [self.test_token]

  142.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  143.         d = self.auth.get_user_by_req(request)

  144.         self.failureResultOf(d, AuthError)

  145. 

  146.     def test_get_user_by_req_appservice_missing_token(self):

  147.         app_service = Mock(token="foobar", url="a_url", sender=self.test_user)

  148.         self.store.get_app_service_by_token = Mock(return_value=app_service)

  149.         self.store.get_user_by_access_token = Mock(return_value=None)

  150. 

  151.         request = Mock(args={})

  152.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  153.         d = self.auth.get_user_by_req(request)

  154.         self.failureResultOf(d, AuthError)

  155. 

  156.     @defer.inlineCallbacks

  157.     def test_get_user_by_req_appservice_valid_token_valid_user_id(self):

  158.         masquerading_user_id = b"@doppelganger:matrix.org"

  159.         app_service = Mock(

  160.             token="foobar", url="a_url", sender=self.test_user, ip_range_whitelist=None

  161.         )

  162.         app_service.is_interested_in_user = Mock(return_value=True)

  163.         self.store.get_app_service_by_token = Mock(return_value=app_service)

  164.         self.store.get_user_by_access_token = Mock(return_value=None)

  165. 

  166.         request = Mock(args={})

  167.         request.getClientIP.return_value = "127.0.0.1"

  168.         request.args[b"access_token"] = [self.test_token]

  169.         request.args[b"user_id"] = [masquerading_user_id]

  170.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  171.         requester = yield self.auth.get_user_by_req(request)

  172.         self.assertEquals(

  173.             requester.user.to_string(), masquerading_user_id.decode('utf8')

  174.         )

  175. 

  176.     def test_get_user_by_req_appservice_valid_token_bad_user_id(self):

  177.         masquerading_user_id = b"@doppelganger:matrix.org"

  178.         app_service = Mock(

  179.             token="foobar", url="a_url", sender=self.test_user, ip_range_whitelist=None

  180.         )

  181.         app_service.is_interested_in_user = Mock(return_value=False)

  182.         self.store.get_app_service_by_token = Mock(return_value=app_service)

  183.         self.store.get_user_by_access_token = Mock(return_value=None)

  184. 

  185.         request = Mock(args={})

  186.         request.getClientIP.return_value = "127.0.0.1"

  187.         request.args[b"access_token"] = [self.test_token]

  188.         request.args[b"user_id"] = [masquerading_user_id]

  189.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  190.         d = self.auth.get_user_by_req(request)

  191.         self.failureResultOf(d, AuthError)

  192. 

  193.     @defer.inlineCallbacks

  194.     def test_get_user_from_macaroon(self):

  195.         # TODO(danielwh): Remove this mock when we remove the

  196.         # get_user_by_access_token fallback.

  197.         self.store.get_user_by_access_token = Mock(

  198.             return_value={"name": "@baldrick:matrix.org", "device_id": "device"}

  199.         )

  200. 

  201.         user_id = "@baldrick:matrix.org"

  202.         macaroon = pymacaroons.Macaroon(

  203.             location=self.hs.config.server_name,

  204.             identifier="key",

  205.             key=self.hs.config.macaroon_secret_key,

  206.         )

  207.         macaroon.add_first_party_caveat("gen = 1")

  208.         macaroon.add_first_party_caveat("type = access")

  209.         macaroon.add_first_party_caveat("user_id = %s" % (user_id,))

  210.         user_info = yield self.auth.get_user_by_access_token(macaroon.serialize())

  211.         user = user_info["user"]

  212.         self.assertEqual(UserID.from_string(user_id), user)

  213. 

  214.         # TODO: device_id should come from the macaroon, but currently comes

  215.         # from the db.

  216.         self.assertEqual(user_info["device_id"], "device")

  217. 

  218.     @defer.inlineCallbacks

  219.     def test_get_guest_user_from_macaroon(self):

  220.         self.store.get_user_by_id = Mock(return_value={"is_guest": True})

  221. 

  222.         user_id = "@baldrick:matrix.org"

  223.         macaroon = pymacaroons.Macaroon(

  224.             location=self.hs.config.server_name,

  225.             identifier="key",

  226.             key=self.hs.config.macaroon_secret_key,

  227.         )

  228.         macaroon.add_first_party_caveat("gen = 1")

  229.         macaroon.add_first_party_caveat("type = access")

  230.         macaroon.add_first_party_caveat("user_id = %s" % (user_id,))

  231.         macaroon.add_first_party_caveat("guest = true")

  232.         serialized = macaroon.serialize()

  233. 

  234.         user_info = yield self.auth.get_user_by_access_token(serialized)

  235.         user = user_info["user"]

  236.         is_guest = user_info["is_guest"]

  237.         self.assertEqual(UserID.from_string(user_id), user)

  238.         self.assertTrue(is_guest)

  239.         self.store.get_user_by_id.assert_called_with(user_id)

  240. 

  241.     @defer.inlineCallbacks

  242.     def test_get_user_from_macaroon_user_db_mismatch(self):

  243.         self.store.get_user_by_access_token = Mock(

  244.             return_value={"name": "@percy:matrix.org"}

  245.         )

  246. 

  247.         user = "@baldrick:matrix.org"

  248.         macaroon = pymacaroons.Macaroon(

  249.             location=self.hs.config.server_name,

  250.             identifier="key",

  251.             key=self.hs.config.macaroon_secret_key,

  252.         )

  253.         macaroon.add_first_party_caveat("gen = 1")

  254.         macaroon.add_first_party_caveat("type = access")

  255.         macaroon.add_first_party_caveat("user_id = %s" % (user,))

  256.         with self.assertRaises(AuthError) as cm:

  257.             yield self.auth.get_user_by_access_token(macaroon.serialize())

  258.         self.assertEqual(401, cm.exception.code)

  259.         self.assertIn("User mismatch", cm.exception.msg)

  260. 

  261.     @defer.inlineCallbacks

  262.     def test_get_user_from_macaroon_missing_caveat(self):

  263.         # TODO(danielwh): Remove this mock when we remove the

  264.         # get_user_by_access_token fallback.

  265.         self.store.get_user_by_access_token = Mock(

  266.             return_value={"name": "@baldrick:matrix.org"}

  267.         )

  268. 

  269.         macaroon = pymacaroons.Macaroon(

  270.             location=self.hs.config.server_name,

  271.             identifier="key",

  272.             key=self.hs.config.macaroon_secret_key,

  273.         )

  274.         macaroon.add_first_party_caveat("gen = 1")

  275.         macaroon.add_first_party_caveat("type = access")

  276. 

  277.         with self.assertRaises(AuthError) as cm:

  278.             yield self.auth.get_user_by_access_token(macaroon.serialize())

  279.         self.assertEqual(401, cm.exception.code)

  280.         self.assertIn("No user caveat", cm.exception.msg)

  281. 

  282.     @defer.inlineCallbacks

  283.     def test_get_user_from_macaroon_wrong_key(self):

  284.         # TODO(danielwh): Remove this mock when we remove the

  285.         # get_user_by_access_token fallback.

  286.         self.store.get_user_by_access_token = Mock(

  287.             return_value={"name": "@baldrick:matrix.org"}

  288.         )

  289. 

  290.         user = "@baldrick:matrix.org"

  291.         macaroon = pymacaroons.Macaroon(

  292.             location=self.hs.config.server_name,

  293.             identifier="key",

  294.             key=self.hs.config.macaroon_secret_key + "wrong",

  295.         )

  296.         macaroon.add_first_party_caveat("gen = 1")

  297.         macaroon.add_first_party_caveat("type = access")

  298.         macaroon.add_first_party_caveat("user_id = %s" % (user,))

  299. 

  300.         with self.assertRaises(AuthError) as cm:

  301.             yield self.auth.get_user_by_access_token(macaroon.serialize())

  302.         self.assertEqual(401, cm.exception.code)

  303.         self.assertIn("Invalid macaroon", cm.exception.msg)

  304. 

  305.     @defer.inlineCallbacks

  306.     def test_get_user_from_macaroon_unknown_caveat(self):

  307.         # TODO(danielwh): Remove this mock when we remove the

  308.         # get_user_by_access_token fallback.

  309.         self.store.get_user_by_access_token = Mock(

  310.             return_value={"name": "@baldrick:matrix.org"}

  311.         )

  312. 

  313.         user = "@baldrick:matrix.org"

  314.         macaroon = pymacaroons.Macaroon(

  315.             location=self.hs.config.server_name,

  316.             identifier="key",

  317.             key=self.hs.config.macaroon_secret_key,

  318.         )

  319.         macaroon.add_first_party_caveat("gen = 1")

  320.         macaroon.add_first_party_caveat("type = access")

  321.         macaroon.add_first_party_caveat("user_id = %s" % (user,))

  322.         macaroon.add_first_party_caveat("cunning > fox")

  323. 

  324.         with self.assertRaises(AuthError) as cm:

  325.             yield self.auth.get_user_by_access_token(macaroon.serialize())

  326.         self.assertEqual(401, cm.exception.code)

  327.         self.assertIn("Invalid macaroon", cm.exception.msg)

  328. 

  329.     @defer.inlineCallbacks

  330.     def test_get_user_from_macaroon_expired(self):

  331.         # TODO(danielwh): Remove this mock when we remove the

  332.         # get_user_by_access_token fallback.

  333.         self.store.get_user_by_access_token = Mock(

  334.             return_value={"name": "@baldrick:matrix.org"}

  335.         )

  336. 

  337.         self.store.get_user_by_access_token = Mock(

  338.             return_value={"name": "@baldrick:matrix.org"}

  339.         )

  340. 

  341.         user = "@baldrick:matrix.org"

  342.         macaroon = pymacaroons.Macaroon(

  343.             location=self.hs.config.server_name,

  344.             identifier="key",

  345.             key=self.hs.config.macaroon_secret_key,

  346.         )

  347.         macaroon.add_first_party_caveat("gen = 1")

  348.         macaroon.add_first_party_caveat("type = access")

  349.         macaroon.add_first_party_caveat("user_id = %s" % (user,))

  350.         macaroon.add_first_party_caveat("time < -2000")  # ms

  351. 

  352.         self.hs.clock.now = 5000  # seconds

  353.         self.hs.config.expire_access_token = True

  354.         # yield self.auth.get_user_by_access_token(macaroon.serialize())

  355.         # TODO(daniel): Turn on the check that we validate expiration, when we

  356.         # validate expiration (and remove the above line, which will start

  357.         # throwing).

  358.         with self.assertRaises(AuthError) as cm:

  359.             yield self.auth.get_user_by_access_token(macaroon.serialize())

  360.         self.assertEqual(401, cm.exception.code)

  361.         self.assertIn("Invalid macaroon", cm.exception.msg)

  362. 

  363.     @defer.inlineCallbacks

  364.     def test_get_user_from_macaroon_with_valid_duration(self):

  365.         # TODO(danielwh): Remove this mock when we remove the

  366.         # get_user_by_access_token fallback.

  367.         self.store.get_user_by_access_token = Mock(

  368.             return_value={"name": "@baldrick:matrix.org"}

  369.         )

  370. 

  371.         self.store.get_user_by_access_token = Mock(

  372.             return_value={"name": "@baldrick:matrix.org"}

  373.         )

  374. 

  375.         user_id = "@baldrick:matrix.org"

  376.         macaroon = pymacaroons.Macaroon(

  377.             location=self.hs.config.server_name,

  378.             identifier="key",

  379.             key=self.hs.config.macaroon_secret_key,

  380.         )

  381.         macaroon.add_first_party_caveat("gen = 1")

  382.         macaroon.add_first_party_caveat("type = access")

  383.         macaroon.add_first_party_caveat("user_id = %s" % (user_id,))

  384.         macaroon.add_first_party_caveat("time < 900000000")  # ms

  385. 

  386.         self.hs.clock.now = 5000  # seconds

  387.         self.hs.config.expire_access_token = True

  388. 

  389.         user_info = yield self.auth.get_user_by_access_token(macaroon.serialize())

  390.         user = user_info["user"]

  391.         self.assertEqual(UserID.from_string(user_id), user)

  392. 

  393.     @defer.inlineCallbacks

  394.     def test_cannot_use_regular_token_as_guest(self):

  395.         USER_ID = "@percy:matrix.org"

  396.         self.store.add_access_token_to_user = Mock()

  397. 

  398.         token = yield self.hs.handlers.auth_handler.issue_access_token(

  399.             USER_ID, "DEVICE"

  400.         )

  401.         self.store.add_access_token_to_user.assert_called_with(USER_ID, token, "DEVICE")

  402. 

  403.         def get_user(tok):

  404.             if token != tok:

  405.                 return None

  406.             return {

  407.                 "name": USER_ID,

  408.                 "is_guest": False,

  409.                 "token_id": 1234,

  410.                 "device_id": "DEVICE",

  411.             }

  412. 

  413.         self.store.get_user_by_access_token = get_user

  414.         self.store.get_user_by_id = Mock(return_value={"is_guest": False})

  415. 

  416.         # check the token works

  417.         request = Mock(args={})

  418.         request.args[b"access_token"] = [token.encode('ascii')]

  419.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  420.         requester = yield self.auth.get_user_by_req(request, allow_guest=True)

  421.         self.assertEqual(UserID.from_string(USER_ID), requester.user)

  422.         self.assertFalse(requester.is_guest)

  423. 

  424.         # add an is_guest caveat

  425.         mac = pymacaroons.Macaroon.deserialize(token)

  426.         mac.add_first_party_caveat("guest = true")

  427.         guest_tok = mac.serialize()

  428. 

  429.         # the token should *not* work now

  430.         request = Mock(args={})

  431.         request.args[b"access_token"] = [guest_tok.encode('ascii')]

  432.         request.requestHeaders.getRawHeaders = mock_getRawHeaders()

  433. 

  434.         with self.assertRaises(AuthError) as cm:

  435.             yield self.auth.get_user_by_req(request, allow_guest=True)

  436. 

  437.         self.assertEqual(401, cm.exception.code)

  438.         self.assertEqual("Guest access token used for regular user", cm.exception.msg)

  439. 

  440.         self.store.get_user_by_id.assert_called_with(USER_ID)

  441. 

  442.     @defer.inlineCallbacks

  443.     def test_blocking_mau(self):

  444.         self.hs.config.limit_usage_by_mau = False

  445.         self.hs.config.max_mau_value = 50

  446.         lots_of_users = 100

  447.         small_number_of_users = 1

  448. 

  449.         # Ensure no error thrown

  450.         yield self.auth.check_auth_blocking()

  451. 

  452.         self.hs.config.limit_usage_by_mau = True

  453. 

  454.         self.store.get_monthly_active_count = Mock(

  455.             return_value=defer.succeed(lots_of_users)

  456.         )

  457. 

  458.         with self.assertRaises(AuthError):

  459.             yield self.auth.check_auth_blocking()

  460. 

  461.         # Ensure does not throw an error

  462.         self.store.get_monthly_active_count = Mock(

  463.             return_value=defer.succeed(small_number_of_users)

  464.         )

  465.         yield self.auth.check_auth_blocking()

  466. 

  467.     @defer.inlineCallbacks

  468.     def test_hs_disabled(self):

  469.         self.hs.config.hs_disabled = True

  470.         self.hs.config.hs_disabled_message = "Reason for being disabled"

  471.         with self.assertRaises(AuthError) as e:

  472.             yield self.auth.check_auth_blocking()

  473.         self.assertEquals(e.exception.errcode, Codes.HS_DISABLED)

  474.         self.assertEquals(e.exception.code, 403)