gitlord
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23339 Commits
842 Branches
288 MiB
 
 
 
 
 
 
Tree: f2f2c7c1f0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f2f2c7c1f0'
${ noResults }
synapse/tests/rest/client/test_profile.py

460 lines
16 KiB
Raw Blame History 

  1. # Copyright 2014-2016 OpenMarket Ltd

  2. #

  3. # Licensed under the Apache License, Version 2.0 (the "License");

  4. # you may not use this file except in compliance with the License.

  5. # You may obtain a copy of the License at

  6. #

  7. #     http://www.apache.org/licenses/LICENSE-2.0

  8. #

  9. # Unless required by applicable law or agreed to in writing, software

  10. # distributed under the License is distributed on an "AS IS" BASIS,

  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  12. # See the License for the specific language governing permissions and

  13. # limitations under the License.

  14. 

  15. """Tests REST events for /profile paths."""

  16. import urllib.parse

  17. from http import HTTPStatus

  18. from typing import Any, Dict, Optional

  19. 

  20. from twisted.test.proto_helpers import MemoryReactor

  21. 

  22. from synapse.api.errors import Codes

  23. from synapse.rest import admin

  24. from synapse.rest.client import login, profile, room

  25. from synapse.server import HomeServer

  26. from synapse.types import UserID

  27. from synapse.util import Clock

  28. 

  29. from tests import unittest

  30. 

  31. 

  32. class ProfileTestCase(unittest.HomeserverTestCase):

  33.     servlets = [

  34.         admin.register_servlets_for_client_rest_resource,

  35.         login.register_servlets,

  36.         profile.register_servlets,

  37.         room.register_servlets,

  38.     ]

  39. 

  40.     def make_homeserver(self, reactor: MemoryReactor, clock: Clock) -> HomeServer:

  41.         self.hs = self.setup_test_homeserver()

  42.         return self.hs

  43. 

  44.     def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:

  45.         self.owner = self.register_user("owner", "pass")

  46.         self.owner_tok = self.login("owner", "pass")

  47.         self.other = self.register_user("other", "pass", displayname="Bob")

  48. 

  49.     def test_get_displayname(self) -> None:

  50.         res = self._get_displayname()

  51.         self.assertEqual(res, "owner")

  52. 

  53.     def test_get_displayname_rejects_bad_username(self) -> None:

  54.         channel = self.make_request(

  55.             "GET", f"/profile/{urllib.parse.quote('@alice:')}/displayname"

  56.         )

  57.         self.assertEqual(channel.code, HTTPStatus.BAD_REQUEST, channel.result)

  58. 

  59.     def test_set_displayname(self) -> None:

  60.         channel = self.make_request(

  61.             "PUT",

  62.             "/profile/%s/displayname" % (self.owner,),

  63.             content={"displayname": "test"},

  64.             access_token=self.owner_tok,

  65.         )

  66.         self.assertEqual(channel.code, 200, channel.result)

  67. 

  68.         res = self._get_displayname()

  69.         self.assertEqual(res, "test")

  70. 

  71.     def test_set_displayname_with_extra_spaces(self) -> None:

  72.         channel = self.make_request(

  73.             "PUT",

  74.             "/profile/%s/displayname" % (self.owner,),

  75.             content={"displayname": "  test  "},

  76.             access_token=self.owner_tok,

  77.         )

  78.         self.assertEqual(channel.code, 200, channel.result)

  79. 

  80.         res = self._get_displayname()

  81.         self.assertEqual(res, "test")

  82. 

  83.     def test_set_displayname_noauth(self) -> None:

  84.         channel = self.make_request(

  85.             "PUT",

  86.             "/profile/%s/displayname" % (self.owner,),

  87.             content={"displayname": "test"},

  88.         )

  89.         self.assertEqual(channel.code, 401, channel.result)

  90. 

  91.     def test_set_displayname_too_long(self) -> None:

  92.         """Attempts to set a stupid displayname should get a 400"""

  93.         channel = self.make_request(

  94.             "PUT",

  95.             "/profile/%s/displayname" % (self.owner,),

  96.             content={"displayname": "test" * 100},

  97.             access_token=self.owner_tok,

  98.         )

  99.         self.assertEqual(channel.code, 400, channel.result)

  100. 

  101.         res = self._get_displayname()

  102.         self.assertEqual(res, "owner")

  103. 

  104.     def test_get_displayname_other(self) -> None:

  105.         res = self._get_displayname(self.other)

  106.         self.assertEqual(res, "Bob")

  107. 

  108.     def test_set_displayname_other(self) -> None:

  109.         channel = self.make_request(

  110.             "PUT",

  111.             "/profile/%s/displayname" % (self.other,),

  112.             content={"displayname": "test"},

  113.             access_token=self.owner_tok,

  114.         )

  115.         self.assertEqual(channel.code, 400, channel.result)

  116. 

  117.     def test_get_avatar_url(self) -> None:

  118.         res = self._get_avatar_url()

  119.         self.assertIsNone(res)

  120. 

  121.     def test_set_avatar_url(self) -> None:

  122.         channel = self.make_request(

  123.             "PUT",

  124.             "/profile/%s/avatar_url" % (self.owner,),

  125.             content={"avatar_url": "http://my.server/pic.gif"},

  126.             access_token=self.owner_tok,

  127.         )

  128.         self.assertEqual(channel.code, 200, channel.result)

  129. 

  130.         res = self._get_avatar_url()

  131.         self.assertEqual(res, "http://my.server/pic.gif")

  132. 

  133.     def test_set_avatar_url_noauth(self) -> None:

  134.         channel = self.make_request(

  135.             "PUT",

  136.             "/profile/%s/avatar_url" % (self.owner,),

  137.             content={"avatar_url": "http://my.server/pic.gif"},

  138.         )

  139.         self.assertEqual(channel.code, 401, channel.result)

  140. 

  141.     def test_set_avatar_url_too_long(self) -> None:

  142.         """Attempts to set a stupid avatar_url should get a 400"""

  143.         channel = self.make_request(

  144.             "PUT",

  145.             "/profile/%s/avatar_url" % (self.owner,),

  146.             content={"avatar_url": "http://my.server/pic.gif" * 100},

  147.             access_token=self.owner_tok,

  148.         )

  149.         self.assertEqual(channel.code, 400, channel.result)

  150. 

  151.         res = self._get_avatar_url()

  152.         self.assertIsNone(res)

  153. 

  154.     def test_get_avatar_url_other(self) -> None:

  155.         res = self._get_avatar_url(self.other)

  156.         self.assertIsNone(res)

  157. 

  158.     def test_set_avatar_url_other(self) -> None:

  159.         channel = self.make_request(

  160.             "PUT",

  161.             "/profile/%s/avatar_url" % (self.other,),

  162.             content={"avatar_url": "http://my.server/pic.gif"},

  163.             access_token=self.owner_tok,

  164.         )

  165.         self.assertEqual(channel.code, 400, channel.result)

  166. 

  167.     def _get_displayname(self, name: Optional[str] = None) -> Optional[str]:

  168.         channel = self.make_request(

  169.             "GET", "/profile/%s/displayname" % (name or self.owner,)

  170.         )

  171.         self.assertEqual(channel.code, 200, channel.result)

  172.         # FIXME: If a user has no displayname set, Synapse returns 200 and omits a

  173.         # displayname from the response. This contradicts the spec, see

  174.         # https://github.com/matrix-org/synapse/issues/13137.

  175.         return channel.json_body.get("displayname")

  176. 

  177.     def _get_avatar_url(self, name: Optional[str] = None) -> Optional[str]:

  178.         channel = self.make_request(

  179.             "GET", "/profile/%s/avatar_url" % (name or self.owner,)

  180.         )

  181.         self.assertEqual(channel.code, 200, channel.result)

  182.         # FIXME: If a user has no avatar set, Synapse returns 200 and omits an

  183.         # avatar_url from the response. This contradicts the spec, see

  184.         # https://github.com/matrix-org/synapse/issues/13137.

  185.         return channel.json_body.get("avatar_url")

  186. 

  187.     @unittest.override_config({"max_avatar_size": 50})

  188.     def test_avatar_size_limit_global(self) -> None:

  189.         """Tests that the maximum size limit for avatars is enforced when updating a

  190.         global profile.

  191.         """

  192.         self._setup_local_files(

  193.             {

  194.                 "small": {"size": 40},

  195.                 "big": {"size": 60},

  196.             }

  197.         )

  198. 

  199.         channel = self.make_request(

  200.             "PUT",

  201.             f"/profile/{self.owner}/avatar_url",

  202.             content={"avatar_url": "mxc://test/big"},

  203.             access_token=self.owner_tok,

  204.         )

  205.         self.assertEqual(channel.code, 403, channel.result)

  206.         self.assertEqual(

  207.             channel.json_body["errcode"], Codes.FORBIDDEN, channel.json_body

  208.         )

  209. 

  210.         channel = self.make_request(

  211.             "PUT",

  212.             f"/profile/{self.owner}/avatar_url",

  213.             content={"avatar_url": "mxc://test/small"},

  214.             access_token=self.owner_tok,

  215.         )

  216.         self.assertEqual(channel.code, 200, channel.result)

  217. 

  218.     @unittest.override_config({"max_avatar_size": 50})

  219.     def test_avatar_size_limit_per_room(self) -> None:

  220.         """Tests that the maximum size limit for avatars is enforced when updating a

  221.         per-room profile.

  222.         """

  223.         self._setup_local_files(

  224.             {

  225.                 "small": {"size": 40},

  226.                 "big": {"size": 60},

  227.             }

  228.         )

  229. 

  230.         room_id = self.helper.create_room_as(tok=self.owner_tok)

  231. 

  232.         channel = self.make_request(

  233.             "PUT",

  234.             f"/rooms/{room_id}/state/m.room.member/{self.owner}",

  235.             content={"membership": "join", "avatar_url": "mxc://test/big"},

  236.             access_token=self.owner_tok,

  237.         )

  238.         self.assertEqual(channel.code, 403, channel.result)

  239.         self.assertEqual(

  240.             channel.json_body["errcode"], Codes.FORBIDDEN, channel.json_body

  241.         )

  242. 

  243.         channel = self.make_request(

  244.             "PUT",

  245.             f"/rooms/{room_id}/state/m.room.member/{self.owner}",

  246.             content={"membership": "join", "avatar_url": "mxc://test/small"},

  247.             access_token=self.owner_tok,

  248.         )

  249.         self.assertEqual(channel.code, 200, channel.result)

  250. 

  251.     @unittest.override_config({"allowed_avatar_mimetypes": ["image/png"]})

  252.     def test_avatar_allowed_mime_type_global(self) -> None:

  253.         """Tests that the MIME type whitelist for avatars is enforced when updating a

  254.         global profile.

  255.         """

  256.         self._setup_local_files(

  257.             {

  258.                 "good": {"mimetype": "image/png"},

  259.                 "bad": {"mimetype": "application/octet-stream"},

  260.             }

  261.         )

  262. 

  263.         channel = self.make_request(

  264.             "PUT",

  265.             f"/profile/{self.owner}/avatar_url",

  266.             content={"avatar_url": "mxc://test/bad"},

  267.             access_token=self.owner_tok,

  268.         )

  269.         self.assertEqual(channel.code, 403, channel.result)

  270.         self.assertEqual(

  271.             channel.json_body["errcode"], Codes.FORBIDDEN, channel.json_body

  272.         )

  273. 

  274.         channel = self.make_request(

  275.             "PUT",

  276.             f"/profile/{self.owner}/avatar_url",

  277.             content={"avatar_url": "mxc://test/good"},

  278.             access_token=self.owner_tok,

  279.         )

  280.         self.assertEqual(channel.code, 200, channel.result)

  281. 

  282.     @unittest.override_config({"allowed_avatar_mimetypes": ["image/png"]})

  283.     def test_avatar_allowed_mime_type_per_room(self) -> None:

  284.         """Tests that the MIME type whitelist for avatars is enforced when updating a

  285.         per-room profile.

  286.         """

  287.         self._setup_local_files(

  288.             {

  289.                 "good": {"mimetype": "image/png"},

  290.                 "bad": {"mimetype": "application/octet-stream"},

  291.             }

  292.         )

  293. 

  294.         room_id = self.helper.create_room_as(tok=self.owner_tok)

  295. 

  296.         channel = self.make_request(

  297.             "PUT",

  298.             f"/rooms/{room_id}/state/m.room.member/{self.owner}",

  299.             content={"membership": "join", "avatar_url": "mxc://test/bad"},

  300.             access_token=self.owner_tok,

  301.         )

  302.         self.assertEqual(channel.code, 403, channel.result)

  303.         self.assertEqual(

  304.             channel.json_body["errcode"], Codes.FORBIDDEN, channel.json_body

  305.         )

  306. 

  307.         channel = self.make_request(

  308.             "PUT",

  309.             f"/rooms/{room_id}/state/m.room.member/{self.owner}",

  310.             content={"membership": "join", "avatar_url": "mxc://test/good"},

  311.             access_token=self.owner_tok,

  312.         )

  313.         self.assertEqual(channel.code, 200, channel.result)

  314. 

  315.     def _setup_local_files(self, names_and_props: Dict[str, Dict[str, Any]]) -> None:

  316.         """Stores metadata about files in the database.

  317. 

  318.         Args:

  319.             names_and_props: A dictionary with one entry per file, with the key being the

  320.                 file's name, and the value being a dictionary of properties. Supported

  321.                 properties are "mimetype" (for the file's type) and "size" (for the

  322.                 file's size).

  323.         """

  324.         store = self.hs.get_datastores().main

  325. 

  326.         for name, props in names_and_props.items():

  327.             self.get_success(

  328.                 store.store_local_media(

  329.                     media_id=name,

  330.                     media_type=props.get("mimetype", "image/png"),

  331.                     time_now_ms=self.clock.time_msec(),

  332.                     upload_name=None,

  333.                     media_length=props.get("size", 50),

  334.                     user_id=UserID.from_string("@rin:test"),

  335.                 )

  336.             )

  337. 

  338. 

  339. class ProfilesRestrictedTestCase(unittest.HomeserverTestCase):

  340.     servlets = [

  341.         admin.register_servlets_for_client_rest_resource,

  342.         login.register_servlets,

  343.         profile.register_servlets,

  344.         room.register_servlets,

  345.     ]

  346. 

  347.     def make_homeserver(self, reactor: MemoryReactor, clock: Clock) -> HomeServer:

  348.         config = self.default_config()

  349.         config["require_auth_for_profile_requests"] = True

  350.         config["limit_profile_requests_to_users_who_share_rooms"] = True

  351.         self.hs = self.setup_test_homeserver(config=config)

  352. 

  353.         return self.hs

  354. 

  355.     def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:

  356.         # User owning the requested profile.

  357.         self.owner = self.register_user("owner", "pass")

  358.         self.owner_tok = self.login("owner", "pass")

  359.         self.profile_url = "/profile/%s" % (self.owner)

  360. 

  361.         # User requesting the profile.

  362.         self.requester = self.register_user("requester", "pass")

  363.         self.requester_tok = self.login("requester", "pass")

  364. 

  365.         self.room_id = self.helper.create_room_as(self.owner, tok=self.owner_tok)

  366. 

  367.     def test_no_auth(self) -> None:

  368.         self.try_fetch_profile(401)

  369. 

  370.     def test_not_in_shared_room(self) -> None:

  371.         self.ensure_requester_left_room()

  372. 

  373.         self.try_fetch_profile(403, access_token=self.requester_tok)

  374. 

  375.     def test_in_shared_room(self) -> None:

  376.         self.ensure_requester_left_room()

  377. 

  378.         self.helper.join(room=self.room_id, user=self.requester, tok=self.requester_tok)

  379. 

  380.         self.try_fetch_profile(200, self.requester_tok)

  381. 

  382.     def try_fetch_profile(

  383.         self, expected_code: int, access_token: Optional[str] = None

  384.     ) -> None:

  385.         self.request_profile(expected_code, access_token=access_token)

  386. 

  387.         self.request_profile(

  388.             expected_code, url_suffix="/displayname", access_token=access_token

  389.         )

  390. 

  391.         self.request_profile(

  392.             expected_code, url_suffix="/avatar_url", access_token=access_token

  393.         )

  394. 

  395.     def request_profile(

  396.         self,

  397.         expected_code: int,

  398.         url_suffix: str = "",

  399.         access_token: Optional[str] = None,

  400.     ) -> None:

  401.         channel = self.make_request(

  402.             "GET", self.profile_url + url_suffix, access_token=access_token

  403.         )

  404.         self.assertEqual(channel.code, expected_code, channel.result)

  405. 

  406.     def ensure_requester_left_room(self) -> None:

  407.         try:

  408.             self.helper.leave(

  409.                 room=self.room_id, user=self.requester, tok=self.requester_tok

  410.             )

  411.         except AssertionError:

  412.             # We don't care whether the leave request didn't return a 200 (e.g.

  413.             # if the user isn't already in the room), because we only want to

  414.             # make sure the user isn't in the room.

  415.             pass

  416. 

  417. 

  418. class OwnProfileUnrestrictedTestCase(unittest.HomeserverTestCase):

  419.     servlets = [

  420.         admin.register_servlets_for_client_rest_resource,

  421.         login.register_servlets,

  422.         profile.register_servlets,

  423.     ]

  424. 

  425.     def make_homeserver(self, reactor: MemoryReactor, clock: Clock) -> HomeServer:

  426.         config = self.default_config()

  427.         config["require_auth_for_profile_requests"] = True

  428.         config["limit_profile_requests_to_users_who_share_rooms"] = True

  429.         self.hs = self.setup_test_homeserver(config=config)

  430. 

  431.         return self.hs

  432. 

  433.     def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:

  434.         # User requesting the profile.

  435.         self.requester = self.register_user("requester", "pass")

  436.         self.requester_tok = self.login("requester", "pass")

  437. 

  438.     def test_can_lookup_own_profile(self) -> None:

  439.         """Tests that a user can lookup their own profile without having to be in a room

  440.         if 'require_auth_for_profile_requests' is set to true in the server's config.

  441.         """

  442.         channel = self.make_request(

  443.             "GET", "/profile/" + self.requester, access_token=self.requester_tok

  444.         )

  445.         self.assertEqual(channel.code, 200, channel.result)

  446. 

  447.         channel = self.make_request(

  448.             "GET",

  449.             "/profile/" + self.requester + "/displayname",

  450.             access_token=self.requester_tok,

  451.         )

  452.         self.assertEqual(channel.code, 200, channel.result)

  453. 

  454.         channel = self.make_request(

  455.             "GET",

  456.             "/profile/" + self.requester + "/avatar_url",

  457.             access_token=self.requester_tok,

  458.         )

  459.         self.assertEqual(channel.code, 200, channel.result)