MirrorHub/synapse
0
0
Fork 1
mirror of https://mau.dev/maunium/synapse.git synced 2024-06-21 03:58:22 +02:00
Code Issues Projects Releases Wiki Activity
synapse/tests/handlers/test_auth.py

208 lines
7.3 KiB
Python
Raw Normal View History

Issue macaroons as opaque auth tokens This just replaces random bytes with macaroons. The macaroons are not inspected by the client or server. In particular, they claim to have an expiry time, but nothing verifies that they have not expired. Follow-up commits will actually enforce the expiration, and allow for token refresh. See https://bit.ly/matrix-auth for more information
2015-08-18 15:22:02 +02:00
# -*- coding: utf-8 -*-
copyrights
2016-01-07 05:26:29 +01:00
# Copyright 2015, 2016 OpenMarket Ltd
Issue macaroons as opaque auth tokens This just replaces random bytes with macaroons. The macaroons are not inspected by the client or server. In particular, they claim to have an expiry time, but nothing verifies that they have not expired. Follow-up commits will actually enforce the expiration, and allow for token refresh. See https://bit.ly/matrix-auth for more information
2015-08-18 15:22:02 +02:00
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
limit register and sign in on number of monthly users
2018-07-30 16:55:57 +02:00
from mock import Mock
coding style
2018-07-31 14:16:20 +02:00
Issue macaroons as opaque auth tokens This just replaces random bytes with macaroons. The macaroons are not inspected by the client or server. In particular, they claim to have an expiry time, but nothing verifies that they have not expired. Follow-up commits will actually enforce the expiration, and allow for token refresh. See https://bit.ly/matrix-auth for more information
2015-08-18 15:22:02 +02:00
import pymacaroons
run isort
2018-07-09 08:09:20 +02:00
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
from synapse.api.errors import AuthError, ResourceLimitError
run isort
2018-07-09 08:09:20 +02:00
Issue macaroons as opaque auth tokens This just replaces random bytes with macaroons. The macaroons are not inspected by the client or server. In particular, they claim to have an expiry time, but nothing verifies that they have not expired. Follow-up commits will actually enforce the expiration, and allow for token refresh. See https://bit.ly/matrix-auth for more information
2015-08-18 15:22:02 +02:00
from tests import unittest
Convert stats and related calls to async/await (#8192)
2020-08-27 23:24:37 +02:00
from tests.test_utils import make_awaitable
Issue macaroons as opaque auth tokens This just replaces random bytes with macaroons. The macaroons are not inspected by the client or server. In particular, they claim to have an expiry time, but nothing verifies that they have not expired. Follow-up commits will actually enforce the expiration, and allow for token refresh. See https://bit.ly/matrix-auth for more information
2015-08-18 15:22:02 +02:00
PEP8
2016-08-08 18:20:38 +02:00
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
class AuthTestCase(unittest.HomeserverTestCase):
def prepare(self, reactor, clock, hs):
self.auth_handler = hs.get_auth_handler()
self.macaroon_generator = hs.get_macaroon_generator()
Stop Auth methods from polling the config on every req. (#7420)
2020-05-06 16:54:58 +02:00
limit register and sign in on number of monthly users
2018-07-30 16:55:57 +02:00
# MAU tests
Stop Auth methods from polling the config on every req. (#7420)
2020-05-06 16:54:58 +02:00
# AuthBlocking reads from the hs' config on initialization. We need to
# modify its config instead of the hs'
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
self.auth_blocking = hs.get_auth()._auth_blocking
Stop Auth methods from polling the config on every req. (#7420)
2020-05-06 16:54:58 +02:00
self.auth_blocking._max_mau_value = 50
limit register and sign in on number of monthly users
2018-07-30 16:55:57 +02:00
self.small_number_of_users = 1
self.large_number_of_users = 100
Issue macaroons as opaque auth tokens This just replaces random bytes with macaroons. The macaroons are not inspected by the client or server. In particular, they claim to have an expiry time, but nothing verifies that they have not expired. Follow-up commits will actually enforce the expiration, and allow for token refresh. See https://bit.ly/matrix-auth for more information
2015-08-18 15:22:02 +02:00
def test_token_is_a_macaroon(self):
Fix email push in pusher worker This was broken when device list updates were implemented, as Mailer could no longer instantiate an AuthHandler due to a dependency on federation sending.
2017-02-02 11:53:36 +01:00
token = self.macaroon_generator.generate_access_token("some_user")
Issue macaroons as opaque auth tokens This just replaces random bytes with macaroons. The macaroons are not inspected by the client or server. In particular, they claim to have an expiry time, but nothing verifies that they have not expired. Follow-up commits will actually enforce the expiration, and allow for token refresh. See https://bit.ly/matrix-auth for more information
2015-08-18 15:22:02 +02:00
# Check that we can parse the thing with pymacaroons
macaroon = pymacaroons.Macaroon.deserialize(token)
# The most basic of sanity checks
if "some_user" not in macaroon.inspect():
self.fail("some_user was not in %s" % macaroon.inspect())
def test_macaroon_caveats(self):
Fix email push in pusher worker This was broken when device list updates were implemented, as Mailer could no longer instantiate an AuthHandler due to a dependency on federation sending.
2017-02-02 11:53:36 +01:00
token = self.macaroon_generator.generate_access_token("a_user")
Issue macaroons as opaque auth tokens This just replaces random bytes with macaroons. The macaroons are not inspected by the client or server. In particular, they claim to have an expiry time, but nothing verifies that they have not expired. Follow-up commits will actually enforce the expiration, and allow for token refresh. See https://bit.ly/matrix-auth for more information
2015-08-18 15:22:02 +02:00
macaroon = pymacaroons.Macaroon.deserialize(token)
def verify_gen(caveat):
Re-add whitespace around caveat operators
2015-08-19 15:30:31 +02:00
return caveat == "gen = 1"
Issue macaroons as opaque auth tokens This just replaces random bytes with macaroons. The macaroons are not inspected by the client or server. In particular, they claim to have an expiry time, but nothing verifies that they have not expired. Follow-up commits will actually enforce the expiration, and allow for token refresh. See https://bit.ly/matrix-auth for more information
2015-08-18 15:22:02 +02:00
def verify_user(caveat):
Re-add whitespace around caveat operators
2015-08-19 15:30:31 +02:00
return caveat == "user_id = a_user"
Issue macaroons as opaque auth tokens This just replaces random bytes with macaroons. The macaroons are not inspected by the client or server. In particular, they claim to have an expiry time, but nothing verifies that they have not expired. Follow-up commits will actually enforce the expiration, and allow for token refresh. See https://bit.ly/matrix-auth for more information
2015-08-18 15:22:02 +02:00
def verify_type(caveat):
Re-add whitespace around caveat operators
2015-08-19 15:30:31 +02:00
return caveat == "type = access"
Issue macaroons as opaque auth tokens This just replaces random bytes with macaroons. The macaroons are not inspected by the client or server. In particular, they claim to have an expiry time, but nothing verifies that they have not expired. Follow-up commits will actually enforce the expiration, and allow for token refresh. See https://bit.ly/matrix-auth for more information
2015-08-18 15:22:02 +02:00
Stop putting a time caveat on access tokens The 'time' caveat on the access tokens was something of a lie, since we weren't enforcing it; more pertinently its presence stops us ever adding useful time caveats. Let's move in the right direction by not lying in our caveats.
2016-11-28 10:55:21 +01:00
def verify_nonce(caveat):
return caveat.startswith("nonce =")
Issue macaroons as opaque auth tokens This just replaces random bytes with macaroons. The macaroons are not inspected by the client or server. In particular, they claim to have an expiry time, but nothing verifies that they have not expired. Follow-up commits will actually enforce the expiration, and allow for token refresh. See https://bit.ly/matrix-auth for more information
2015-08-18 15:22:02 +02:00
v = pymacaroons.Verifier()
v.satisfy_general(verify_gen)
v.satisfy_general(verify_user)
v.satisfy_general(verify_type)
Stop putting a time caveat on access tokens The 'time' caveat on the access tokens was something of a lie, since we weren't enforcing it; more pertinently its presence stops us ever adding useful time caveats. Let's move in the right direction by not lying in our caveats.
2016-11-28 10:55:21 +01:00
v.satisfy_general(verify_nonce)
Fix some formatting to use tuples
2015-08-18 16:18:50 +02:00
v.verify(macaroon, self.hs.config.macaroon_secret_key)
Fix login with m.login.token login with token (as used by CAS auth) was broken by 067596d, such that it always returned a 401.
2016-08-08 17:34:07 +02:00
def test_short_term_login_token_gives_user_id(self):
Run black.
2018-08-10 15:54:09 +02:00
token = self.macaroon_generator.generate_short_term_login_token("a_user", 5000)
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
user_id = self.get_success(
Convert auth handler to async/await (#7261)
2020-04-15 18:40:18 +02:00
self.auth_handler.validate_short_term_login_token_and_get_user_id(token)
Fix login with m.login.token login with token (as used by CAS auth) was broken by 067596d, such that it always returned a 401.
2016-08-08 17:34:07 +02:00
)
make count_monthly_users async synapse/handlers/auth.py
2018-08-01 11:21:56 +02:00
self.assertEqual("a_user", user_id)
Fix login with m.login.token login with token (as used by CAS auth) was broken by 067596d, such that it always returned a 401.
2016-08-08 17:34:07 +02:00
# when we advance the clock, the token should be rejected
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
self.reactor.advance(6)
self.get_failure(
self.auth_handler.validate_short_term_login_token_and_get_user_id(token),
AuthError,
)
Fix login with m.login.token login with token (as used by CAS auth) was broken by 067596d, such that it always returned a 401.
2016-08-08 17:34:07 +02:00
def test_short_term_login_token_cannot_replace_user_id(self):
Run black.
2018-08-10 15:54:09 +02:00
token = self.macaroon_generator.generate_short_term_login_token("a_user", 5000)
Fix login with m.login.token login with token (as used by CAS auth) was broken by 067596d, such that it always returned a 401.
2016-08-08 17:34:07 +02:00
macaroon = pymacaroons.Macaroon.deserialize(token)
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
user_id = self.get_success(
Convert auth handler to async/await (#7261)
2020-04-15 18:40:18 +02:00
self.auth_handler.validate_short_term_login_token_and_get_user_id(
macaroon.serialize()
)
make count_monthly_users async synapse/handlers/auth.py
2018-08-01 11:21:56 +02:00
)
Run black.
2018-08-10 15:54:09 +02:00
self.assertEqual("a_user", user_id)
Fix login with m.login.token login with token (as used by CAS auth) was broken by 067596d, such that it always returned a 401.
2016-08-08 17:34:07 +02:00
# add another "user_id" caveat, which might allow us to override the
# user_id.
macaroon.add_first_party_caveat("user_id = b_user")
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
self.get_failure(
self.auth_handler.validate_short_term_login_token_and_get_user_id(
macaroon.serialize()
),
AuthError,
)
limit register and sign in on number of monthly users
2018-07-30 16:55:57 +02:00
def test_mau_limits_disabled(self):
Stop Auth methods from polling the config on every req. (#7420)
2020-05-06 16:54:58 +02:00
self.auth_blocking._limit_usage_by_mau = False
limit register and sign in on number of monthly users
2018-07-30 16:55:57 +02:00
# Ensure does not throw exception
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
self.get_success(
Convert auth handler to async/await (#7261)
2020-04-15 18:40:18 +02:00
self.auth_handler.get_access_token_for_user_id(
"user_a", device_id=None, valid_until_ms=None
)
Implement access token expiry (#5660) Record how long an access token is valid for, and raise a soft-logout once it expires.
2019-07-12 18:26:02 +02:00
)
limit register and sign in on number of monthly users
2018-07-30 16:55:57 +02:00
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
self.get_success(
Convert auth handler to async/await (#7261)
2020-04-15 18:40:18 +02:00
self.auth_handler.validate_short_term_login_token_and_get_user_id(
self._get_macaroon().serialize()
)
limit register and sign in on number of monthly users
2018-07-30 16:55:57 +02:00
)
fix off by 1s on mau
2018-08-14 16:04:48 +02:00
def test_mau_limits_exceeded_large(self):
Stop Auth methods from polling the config on every req. (#7420)
2020-05-06 16:54:58 +02:00
self.auth_blocking._limit_usage_by_mau = True
do mau checks based on monthly_active_users table
2018-08-02 17:57:35 +02:00
self.hs.get_datastore().get_monthly_active_count = Mock(
Allow for make_awaitable's return value to be re-used. (#8261)
2020-09-08 13:26:55 +02:00
return_value=make_awaitable(self.large_number_of_users)
limit register and sign in on number of monthly users
2018-07-30 16:55:57 +02:00
)
make count_monthly_users async synapse/handlers/auth.py
2018-08-01 11:21:56 +02:00
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
self.get_failure(
self.auth_handler.get_access_token_for_user_id(
"user_a", device_id=None, valid_until_ms=None
),
ResourceLimitError,
)
make count_monthly_users async synapse/handlers/auth.py
2018-08-01 11:21:56 +02:00
do mau checks based on monthly_active_users table
2018-08-02 17:57:35 +02:00
self.hs.get_datastore().get_monthly_active_count = Mock(
Allow for make_awaitable's return value to be re-used. (#8261)
2020-09-08 13:26:55 +02:00
return_value=make_awaitable(self.large_number_of_users)
make count_monthly_users async synapse/handlers/auth.py
2018-08-01 11:21:56 +02:00
)
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
self.get_failure(
self.auth_handler.validate_short_term_login_token_and_get_user_id(
self._get_macaroon().serialize()
),
ResourceLimitError,
)
limit register and sign in on number of monthly users
2018-07-30 16:55:57 +02:00
fix off by 1s on mau
2018-08-14 16:04:48 +02:00
def test_mau_limits_parity(self):
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
# Ensure we're not at the unix epoch.
self.reactor.advance(1)
Stop Auth methods from polling the config on every req. (#7420)
2020-05-06 16:54:58 +02:00
self.auth_blocking._limit_usage_by_mau = True
fix off by 1s on mau
2018-08-14 16:04:48 +02:00
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
# Set the server to be at the edge of too many users.
fix off by 1s on mau
2018-08-14 16:04:48 +02:00
self.hs.get_datastore().get_monthly_active_count = Mock(
Allow for make_awaitable's return value to be re-used. (#8261)
2020-09-08 13:26:55 +02:00
return_value=make_awaitable(self.auth_blocking._max_mau_value)
fix off by 1s on mau
2018-08-14 16:04:48 +02:00
)
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
# If not in monthly active cohort
self.get_failure(
self.auth_handler.get_access_token_for_user_id(
"user_a", device_id=None, valid_until_ms=None
),
ResourceLimitError,
fix off by 1s on mau
2018-08-14 16:04:48 +02:00
)
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
self.get_failure(
self.auth_handler.validate_short_term_login_token_and_get_user_id(
self._get_macaroon().serialize()
),
ResourceLimitError,
)
fix off by 1s on mau
2018-08-14 16:04:48 +02:00
# If in monthly active cohort
self.hs.get_datastore().user_last_seen_monthly_active = Mock(
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
return_value=make_awaitable(self.clock.time_msec())
fix off by 1s on mau
2018-08-14 16:04:48 +02:00
)
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
self.get_success(
Convert auth handler to async/await (#7261)
2020-04-15 18:40:18 +02:00
self.auth_handler.get_access_token_for_user_id(
"user_a", device_id=None, valid_until_ms=None
)
Implement access token expiry (#5660) Record how long an access token is valid for, and raise a soft-logout once it expires.
2019-07-12 18:26:02 +02:00
)
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
self.get_success(
Convert auth handler to async/await (#7261)
2020-04-15 18:40:18 +02:00
self.auth_handler.validate_short_term_login_token_and_get_user_id(
self._get_macaroon().serialize()
)
fix off by 1s on mau
2018-08-14 16:04:48 +02:00
)
limit register and sign in on number of monthly users
2018-07-30 16:55:57 +02:00
def test_mau_limits_not_exceeded(self):
Stop Auth methods from polling the config on every req. (#7420)
2020-05-06 16:54:58 +02:00
self.auth_blocking._limit_usage_by_mau = True
make count_monthly_users async synapse/handlers/auth.py
2018-08-01 11:21:56 +02:00
do mau checks based on monthly_active_users table
2018-08-02 17:57:35 +02:00
self.hs.get_datastore().get_monthly_active_count = Mock(
Allow for make_awaitable's return value to be re-used. (#8261)
2020-09-08 13:26:55 +02:00
return_value=make_awaitable(self.small_number_of_users)
limit register and sign in on number of monthly users
2018-07-30 16:55:57 +02:00
)
# Ensure does not raise exception
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
self.get_success(
Convert auth handler to async/await (#7261)
2020-04-15 18:40:18 +02:00
self.auth_handler.get_access_token_for_user_id(
"user_a", device_id=None, valid_until_ms=None
)
Implement access token expiry (#5660) Record how long an access token is valid for, and raise a soft-logout once it expires.
2019-07-12 18:26:02 +02:00
)
fix test for py3
2018-08-01 15:02:10 +02:00
do mau checks based on monthly_active_users table
2018-08-02 17:57:35 +02:00
self.hs.get_datastore().get_monthly_active_count = Mock(
Allow for make_awaitable's return value to be re-used. (#8261)
2020-09-08 13:26:55 +02:00
return_value=make_awaitable(self.small_number_of_users)
fix test for py3
2018-08-01 15:02:10 +02:00
)
Convert some test cases to use HomeserverTestCase. (#9377) This has the side-effect of being able to remove use of `inlineCallbacks` in the test-cases for cleaner tracebacks.
2021-02-11 16:29:09 +01:00
self.get_success(
Convert auth handler to async/await (#7261)
2020-04-15 18:40:18 +02:00
self.auth_handler.validate_short_term_login_token_and_get_user_id(
self._get_macaroon().serialize()
)
limit register and sign in on number of monthly users
2018-07-30 16:55:57 +02:00
)
def _get_macaroon(self):
Run black.
2018-08-10 15:54:09 +02:00
token = self.macaroon_generator.generate_short_term_login_token("user_a", 5000)
limit register and sign in on number of monthly users
2018-07-30 16:55:57 +02:00
return pymacaroons.Macaroon.deserialize(token)
Reference in a new issue Copy permalink