2019-03-15 18:46:16 +01:00
|
|
|
import json
|
|
|
|
|
2019-05-01 16:32:38 +02:00
|
|
|
import synapse.rest.admin
|
|
|
|
from synapse.rest.client.v1 import login
|
2019-03-15 18:46:16 +01:00
|
|
|
|
|
|
|
from tests import unittest
|
|
|
|
|
|
|
|
LOGIN_URL = b"/_matrix/client/r0/login"
|
|
|
|
|
|
|
|
|
|
|
|
class LoginRestServletTestCase(unittest.HomeserverTestCase):
|
|
|
|
|
|
|
|
servlets = [
|
2019-05-02 12:59:16 +02:00
|
|
|
synapse.rest.admin.register_servlets_for_client_rest_resource,
|
2019-03-15 18:46:16 +01:00
|
|
|
login.register_servlets,
|
|
|
|
]
|
|
|
|
|
|
|
|
def make_homeserver(self, reactor, clock):
|
|
|
|
|
|
|
|
self.hs = self.setup_test_homeserver()
|
|
|
|
self.hs.config.enable_registration = True
|
|
|
|
self.hs.config.registrations_require_3pid = []
|
|
|
|
self.hs.config.auto_join_rooms = []
|
|
|
|
self.hs.config.enable_registration_captcha = False
|
|
|
|
|
|
|
|
return self.hs
|
|
|
|
|
|
|
|
def test_POST_ratelimiting_per_address(self):
|
|
|
|
self.hs.config.rc_login_address.burst_count = 5
|
|
|
|
self.hs.config.rc_login_address.per_second = 0.17
|
|
|
|
|
|
|
|
# Create different users so we're sure not to be bothered by the per-user
|
|
|
|
# ratelimiter.
|
|
|
|
for i in range(0, 6):
|
|
|
|
self.register_user("kermit" + str(i), "monkey")
|
|
|
|
|
|
|
|
for i in range(0, 6):
|
|
|
|
params = {
|
|
|
|
"type": "m.login.password",
|
2019-05-10 07:12:11 +02:00
|
|
|
"identifier": {"type": "m.id.user", "user": "kermit" + str(i)},
|
2019-03-15 18:46:16 +01:00
|
|
|
"password": "monkey",
|
|
|
|
}
|
|
|
|
request_data = json.dumps(params)
|
|
|
|
request, channel = self.make_request(b"POST", LOGIN_URL, request_data)
|
|
|
|
self.render(request)
|
|
|
|
|
|
|
|
if i == 5:
|
|
|
|
self.assertEquals(channel.result["code"], b"429", channel.result)
|
|
|
|
retry_after_ms = int(channel.json_body["retry_after_ms"])
|
|
|
|
else:
|
|
|
|
self.assertEquals(channel.result["code"], b"200", channel.result)
|
|
|
|
|
|
|
|
# Since we're ratelimiting at 1 request/min, retry_after_ms should be lower
|
|
|
|
# than 1min.
|
|
|
|
self.assertTrue(retry_after_ms < 6000)
|
|
|
|
|
2019-05-10 07:12:11 +02:00
|
|
|
self.reactor.advance(retry_after_ms / 1000.0)
|
2019-03-15 18:46:16 +01:00
|
|
|
|
|
|
|
params = {
|
|
|
|
"type": "m.login.password",
|
2019-05-10 07:12:11 +02:00
|
|
|
"identifier": {"type": "m.id.user", "user": "kermit" + str(i)},
|
2019-03-15 18:46:16 +01:00
|
|
|
"password": "monkey",
|
|
|
|
}
|
|
|
|
request_data = json.dumps(params)
|
|
|
|
request, channel = self.make_request(b"POST", LOGIN_URL, params)
|
|
|
|
self.render(request)
|
|
|
|
|
|
|
|
self.assertEquals(channel.result["code"], b"200", channel.result)
|
|
|
|
|
|
|
|
def test_POST_ratelimiting_per_account(self):
|
|
|
|
self.hs.config.rc_login_account.burst_count = 5
|
|
|
|
self.hs.config.rc_login_account.per_second = 0.17
|
|
|
|
|
|
|
|
self.register_user("kermit", "monkey")
|
|
|
|
|
|
|
|
for i in range(0, 6):
|
|
|
|
params = {
|
|
|
|
"type": "m.login.password",
|
2019-05-10 07:12:11 +02:00
|
|
|
"identifier": {"type": "m.id.user", "user": "kermit"},
|
2019-03-15 18:46:16 +01:00
|
|
|
"password": "monkey",
|
|
|
|
}
|
|
|
|
request_data = json.dumps(params)
|
|
|
|
request, channel = self.make_request(b"POST", LOGIN_URL, request_data)
|
|
|
|
self.render(request)
|
|
|
|
|
|
|
|
if i == 5:
|
|
|
|
self.assertEquals(channel.result["code"], b"429", channel.result)
|
|
|
|
retry_after_ms = int(channel.json_body["retry_after_ms"])
|
|
|
|
else:
|
|
|
|
self.assertEquals(channel.result["code"], b"200", channel.result)
|
|
|
|
|
|
|
|
# Since we're ratelimiting at 1 request/min, retry_after_ms should be lower
|
|
|
|
# than 1min.
|
|
|
|
self.assertTrue(retry_after_ms < 6000)
|
|
|
|
|
2019-05-10 07:12:11 +02:00
|
|
|
self.reactor.advance(retry_after_ms / 1000.0)
|
2019-03-15 18:46:16 +01:00
|
|
|
|
|
|
|
params = {
|
|
|
|
"type": "m.login.password",
|
2019-05-10 07:12:11 +02:00
|
|
|
"identifier": {"type": "m.id.user", "user": "kermit"},
|
2019-03-15 18:46:16 +01:00
|
|
|
"password": "monkey",
|
|
|
|
}
|
|
|
|
request_data = json.dumps(params)
|
|
|
|
request, channel = self.make_request(b"POST", LOGIN_URL, params)
|
|
|
|
self.render(request)
|
|
|
|
|
|
|
|
self.assertEquals(channel.result["code"], b"200", channel.result)
|
2019-03-18 13:57:20 +01:00
|
|
|
|
|
|
|
def test_POST_ratelimiting_per_account_failed_attempts(self):
|
|
|
|
self.hs.config.rc_login_failed_attempts.burst_count = 5
|
|
|
|
self.hs.config.rc_login_failed_attempts.per_second = 0.17
|
|
|
|
|
|
|
|
self.register_user("kermit", "monkey")
|
|
|
|
|
|
|
|
for i in range(0, 6):
|
|
|
|
params = {
|
|
|
|
"type": "m.login.password",
|
2019-05-10 07:12:11 +02:00
|
|
|
"identifier": {"type": "m.id.user", "user": "kermit"},
|
2019-03-18 13:57:20 +01:00
|
|
|
"password": "notamonkey",
|
|
|
|
}
|
|
|
|
request_data = json.dumps(params)
|
|
|
|
request, channel = self.make_request(b"POST", LOGIN_URL, request_data)
|
|
|
|
self.render(request)
|
|
|
|
|
|
|
|
if i == 5:
|
|
|
|
self.assertEquals(channel.result["code"], b"429", channel.result)
|
|
|
|
retry_after_ms = int(channel.json_body["retry_after_ms"])
|
|
|
|
else:
|
|
|
|
self.assertEquals(channel.result["code"], b"403", channel.result)
|
|
|
|
|
|
|
|
# Since we're ratelimiting at 1 request/min, retry_after_ms should be lower
|
|
|
|
# than 1min.
|
|
|
|
self.assertTrue(retry_after_ms < 6000)
|
|
|
|
|
2019-05-10 07:12:11 +02:00
|
|
|
self.reactor.advance(retry_after_ms / 1000.0)
|
2019-03-18 13:57:20 +01:00
|
|
|
|
|
|
|
params = {
|
|
|
|
"type": "m.login.password",
|
2019-05-10 07:12:11 +02:00
|
|
|
"identifier": {"type": "m.id.user", "user": "kermit"},
|
2019-03-18 13:57:20 +01:00
|
|
|
"password": "notamonkey",
|
|
|
|
}
|
|
|
|
request_data = json.dumps(params)
|
|
|
|
request, channel = self.make_request(b"POST", LOGIN_URL, params)
|
|
|
|
self.render(request)
|
|
|
|
|
|
|
|
self.assertEquals(channel.result["code"], b"403", channel.result)
|