Skip to content
Snippets Groups Projects
Normal view Permalink
test_oauth_delegation.py 27.8 KiB
Newer Older
  • Learn to ignore specific revisions
    • Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    1 2 3 4 5 6 7 8 9 10 11 12 13 
    # Copyright 2022 Matrix.org Foundation C.I.C.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
    Quentin Gliech's avatar
    Disable account related endpoints when using OAuth delegation  
    Quentin Gliech committed
    14 15 16 
    
from http import HTTPStatus
from typing import Any, Dict, Union
    Shay's avatar
    Add an admin endpoint to allow authorizing server to signal token revocations (#16125)  
    Shay committed
    17 
    from unittest.mock import ANY, AsyncMock, Mock
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    18 19 
    from urllib.parse import parse_qs
    Quentin Gliech's avatar
    Disable account related endpoints when using OAuth delegation  
    Quentin Gliech committed
    20 21 22 23 24 25 26 
    from signedjson.key import (
    encode_verify_key_base64,
    generate_signing_key,
    get_verify_key,
)
from signedjson.sign import sign_json
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    27 28 
    from twisted.test.proto_helpers import MemoryReactor
    Quentin Gliech's avatar
    Disable account related endpoints when using OAuth delegation  
    Quentin Gliech committed
    29 
    from synapse.api.errors import (
    Quentin Gliech's avatar
    Reject tokens with multiple device scopes  
    Quentin Gliech committed
    30 
        AuthError,
    Quentin Gliech's avatar
    Disable account related endpoints when using OAuth delegation  
    Quentin Gliech committed
    31 32 33 
        Codes,
    InvalidClientTokenError,
    OAuthInsufficientScopeError,
    Quentin Gliech's avatar
    Handle errors when introspecting tokens  
    Quentin Gliech committed
    34 
        SynapseError,
    Quentin Gliech's avatar
    Disable account related endpoints when using OAuth delegation  
    Quentin Gliech committed
    35 
    )
    Quentin Gliech's avatar
    Disable incompatible Admin API endpoints  
    Quentin Gliech committed
    36 
    from synapse.rest import admin
    Quentin Gliech's avatar
    Disable account related endpoints when using OAuth delegation  
    Quentin Gliech committed
    37 
    from synapse.rest.client import account, devices, keys, login, logout, register
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    38 39 40 41 
    from synapse.server import HomeServer
from synapse.types import JsonDict
from synapse.util import Clock
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    42 
    from tests.test_utils import FakeResponse, get_awaitable_result
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 
    from tests.unittest import HomeserverTestCase, skip_unless
from tests.utils import mock_getRawHeaders

try:
    import authlib  # noqa: F401

    HAS_AUTHLIB = True
except ImportError:
    HAS_AUTHLIB = False


# These are a few constants that are used as config parameters in the tests.
SERVER_NAME = "test"
ISSUER = "https://issuer/"
CLIENT_ID = "test-client-id"
CLIENT_SECRET = "test-client-secret"
BASE_URL = "https://synapse/"
SCOPES = ["openid"]

AUTHORIZATION_ENDPOINT = ISSUER + "authorize"
TOKEN_ENDPOINT = ISSUER + "token"
USERINFO_ENDPOINT = ISSUER + "userinfo"
WELL_KNOWN = ISSUER + ".well-known/openid-configuration"
JWKS_URI = ISSUER + ".well-known/jwks.json"
INTROSPECTION_ENDPOINT = ISSUER + "introspect"

SYNAPSE_ADMIN_SCOPE = "urn:synapse:admin:*"
MATRIX_USER_SCOPE = "urn:matrix:org.matrix.msc2967.client:api:*"
MATRIX_GUEST_SCOPE = "urn:matrix:org.matrix.msc2967.client:api:guest"
    Quentin Gliech's avatar
    Reject tokens with multiple device scopes  
    Quentin Gliech committed
    72 
    MATRIX_DEVICE_SCOPE_PREFIX = "urn:matrix:org.matrix.msc2967.client:device:"
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    73 
    DEVICE = "AABBCCDD"
    Quentin Gliech's avatar
    Reject tokens with multiple device scopes  
    Quentin Gliech committed
    74 
    MATRIX_DEVICE_SCOPE = MATRIX_DEVICE_SCOPE_PREFIX + DEVICE
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    75 76 
    SUBJECT = "abc-def-ghi"
USERNAME = "test-user"
    Quentin Gliech's avatar
    Disable account related endpoints when using OAuth delegation  
    Quentin Gliech committed
    77 
    USER_ID = "@" + USERNAME + ":" + SERVER_NAME
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 
    

async def get_json(url: str) -> JsonDict:
    # Mock get_json calls to handle jwks & oidc discovery endpoints
    if url == WELL_KNOWN:
        # Minimal discovery document, as defined in OpenID.Discovery
        # https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
        return {
            "issuer": ISSUER,
            "authorization_endpoint": AUTHORIZATION_ENDPOINT,
            "token_endpoint": TOKEN_ENDPOINT,
            "jwks_uri": JWKS_URI,
            "userinfo_endpoint": USERINFO_ENDPOINT,
            "introspection_endpoint": INTROSPECTION_ENDPOINT,
            "response_types_supported": ["code"],
            "subject_types_supported": ["public"],
            "id_token_signing_alg_values_supported": ["RS256"],
        }
    elif url == JWKS_URI:
        return {"keys": []}

    return {}


@skip_unless(HAS_AUTHLIB, "requires authlib")
class MSC3861OAuthDelegation(HomeserverTestCase):
    Hugh Nimmo-Smith's avatar
    Actually enforce guest + return www-authenticate header  
    Hugh Nimmo-Smith committed
    104 
        servlets = [
    Quentin Gliech's avatar
    Disable account related endpoints when using OAuth delegation  
    Quentin Gliech committed
    105 
            account.register_servlets,
    Hugh Nimmo-Smith's avatar
    Actually enforce guest + return www-authenticate header  
    Hugh Nimmo-Smith committed
    106 
            devices.register_servlets,
    Quentin Gliech's avatar
    Disable account related endpoints when using OAuth delegation  
    Quentin Gliech committed
    107 108 109 110 
            keys.register_servlets,
        register.register_servlets,
        login.register_servlets,
        logout.register_servlets,
    Quentin Gliech's avatar
    Disable incompatible Admin API endpoints  
    Quentin Gliech committed
    111 
            admin.register_servlets,
    Hugh Nimmo-Smith's avatar
    Actually enforce guest + return www-authenticate header  
    Hugh Nimmo-Smith committed
    112 113 
        ]
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    114 115 116 
        def default_config(self) -> Dict[str, Any]:
        config = super().default_config()
        config["public_baseurl"] = BASE_URL
    Hugh Nimmo-Smith's avatar
    Refactor config to be an experimental feature  
    Hugh Nimmo-Smith committed
    117 118 119 120 121 122 123 124 
            config["disable_registration"] = True
        config["experimental_features"] = {
            "msc3861": {
                "enabled": True,
                "issuer": ISSUER,
                "client_id": CLIENT_ID,
                "client_auth_method": "client_secret_post",
                "client_secret": CLIENT_SECRET,
    Quentin Gliech's avatar
    Revert MSC3861 introspection cache, admin impersonation and account lock (#16258)  
    Quentin Gliech committed
    125 
                    "admin_token": "admin_token_value",
    Hugh Nimmo-Smith's avatar
    Refactor config to be an experimental feature  
    Hugh Nimmo-Smith committed
    126 
                }
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 
            }
        return config

    def make_homeserver(self, reactor: MemoryReactor, clock: Clock) -> HomeServer:
        self.http_client = Mock(spec=["get_json"])
        self.http_client.get_json.side_effect = get_json
        self.http_client.user_agent = b"Synapse Test"

        hs = self.setup_test_homeserver(proxied_http_client=self.http_client)

        self.auth = hs.get_auth()

        return hs

    def _assertParams(self) -> None:
        """Assert that the request parameters are correct."""
        params = parse_qs(self.http_client.request.call_args[1]["data"].decode("utf-8"))
        self.assertEqual(params["token"], ["mockAccessToken"])
        self.assertEqual(params["client_id"], [CLIENT_ID])
        self.assertEqual(params["client_secret"], [CLIENT_SECRET])

    def test_inactive_token(self) -> None:
        """The handler should return a 403 where the token is inactive."""
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    151 
            self.http_client.request = AsyncMock(
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 
                return_value=FakeResponse.json(
                code=200,
                payload={"active": False},
            )
        )
        request = Mock(args={})
        request.args[b"access_token"] = [b"mockAccessToken"]
        request.requestHeaders.getRawHeaders = mock_getRawHeaders()
        self.get_failure(self.auth.get_user_by_req(request), InvalidClientTokenError)
        self.http_client.get_json.assert_called_once_with(WELL_KNOWN)
        self.http_client.request.assert_called_once_with(
            method="POST", uri=INTROSPECTION_ENDPOINT, data=ANY, headers=ANY
        )
        self._assertParams()

    def test_active_no_scope(self) -> None:
        """The handler should return a 403 where no scope is given."""
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    170 
            self.http_client.request = AsyncMock(
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 
                return_value=FakeResponse.json(
                code=200,
                payload={"active": True},
            )
        )
        request = Mock(args={})
        request.args[b"access_token"] = [b"mockAccessToken"]
        request.requestHeaders.getRawHeaders = mock_getRawHeaders()
        self.get_failure(self.auth.get_user_by_req(request), InvalidClientTokenError)
        self.http_client.get_json.assert_called_once_with(WELL_KNOWN)
        self.http_client.request.assert_called_once_with(
            method="POST", uri=INTROSPECTION_ENDPOINT, data=ANY, headers=ANY
        )
        self._assertParams()

    def test_active_user_no_subject(self) -> None:
        """The handler should return a 500 when no subject is present."""
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    189 
            self.http_client.request = AsyncMock(
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 
                return_value=FakeResponse.json(
                code=200,
                payload={"active": True, "scope": " ".join([MATRIX_USER_SCOPE])},
            )
        )
        request = Mock(args={})
        request.args[b"access_token"] = [b"mockAccessToken"]
        request.requestHeaders.getRawHeaders = mock_getRawHeaders()
        self.get_failure(self.auth.get_user_by_req(request), InvalidClientTokenError)
        self.http_client.get_json.assert_called_once_with(WELL_KNOWN)
        self.http_client.request.assert_called_once_with(
            method="POST", uri=INTROSPECTION_ENDPOINT, data=ANY, headers=ANY
        )
        self._assertParams()

    def test_active_no_user_scope(self) -> None:
        """The handler should return a 500 when no subject is present."""
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    208 
            self.http_client.request = AsyncMock(
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 
                return_value=FakeResponse.json(
                code=200,
                payload={
                    "active": True,
                    "sub": SUBJECT,
                    "scope": " ".join([MATRIX_DEVICE_SCOPE]),
                },
            )
        )
        request = Mock(args={})
        request.args[b"access_token"] = [b"mockAccessToken"]
        request.requestHeaders.getRawHeaders = mock_getRawHeaders()
        self.get_failure(self.auth.get_user_by_req(request), InvalidClientTokenError)
        self.http_client.get_json.assert_called_once_with(WELL_KNOWN)
        self.http_client.request.assert_called_once_with(
            method="POST", uri=INTROSPECTION_ENDPOINT, data=ANY, headers=ANY
        )
        self._assertParams()
    Quentin Gliech's avatar
    Enforce that an admin token also has the basic Matrix API scope  
    Quentin Gliech committed
    228 229 230 
        def test_active_admin_not_user(self) -> None:
        """The handler should raise when the scope has admin right but not user."""
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    231 
            self.http_client.request = AsyncMock(
    Quentin Gliech's avatar
    Enforce that an admin token also has the basic Matrix API scope  
    Quentin Gliech committed
    232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 
                return_value=FakeResponse.json(
                code=200,
                payload={
                    "active": True,
                    "sub": SUBJECT,
                    "scope": " ".join([SYNAPSE_ADMIN_SCOPE]),
                    "username": USERNAME,
                },
            )
        )
        request = Mock(args={})
        request.args[b"access_token"] = [b"mockAccessToken"]
        request.requestHeaders.getRawHeaders = mock_getRawHeaders()
        self.get_failure(self.auth.get_user_by_req(request), InvalidClientTokenError)
        self.http_client.get_json.assert_called_once_with(WELL_KNOWN)
        self.http_client.request.assert_called_once_with(
            method="POST", uri=INTROSPECTION_ENDPOINT, data=ANY, headers=ANY
        )
        self._assertParams()
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    252 253 254 
        def test_active_admin(self) -> None:
        """The handler should return a requester with admin rights."""
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    255 
            self.http_client.request = AsyncMock(
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    256 257 258 259 260 
                return_value=FakeResponse.json(
                code=200,
                payload={
                    "active": True,
                    "sub": SUBJECT,
    Quentin Gliech's avatar
    Enforce that an admin token also has the basic Matrix API scope  
    Quentin Gliech committed
    261 
                        "scope": " ".join([SYNAPSE_ADMIN_SCOPE, MATRIX_USER_SCOPE]),
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 
                        "username": USERNAME,
                },
            )
        )
        request = Mock(args={})
        request.args[b"access_token"] = [b"mockAccessToken"]
        request.requestHeaders.getRawHeaders = mock_getRawHeaders()
        requester = self.get_success(self.auth.get_user_by_req(request))
        self.http_client.get_json.assert_called_once_with(WELL_KNOWN)
        self.http_client.request.assert_called_once_with(
            method="POST", uri=INTROSPECTION_ENDPOINT, data=ANY, headers=ANY
        )
        self._assertParams()
        self.assertEqual(requester.user.to_string(), "@%s:%s" % (USERNAME, SERVER_NAME))
        self.assertEqual(requester.is_guest, False)
        self.assertEqual(requester.device_id, None)
        self.assertEqual(
            get_awaitable_result(self.auth.is_server_admin(requester)), True
        )

    def test_active_admin_highest_privilege(self) -> None:
        """The handler should resolve to the most permissive scope."""
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    285 
            self.http_client.request = AsyncMock(
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 
                return_value=FakeResponse.json(
                code=200,
                payload={
                    "active": True,
                    "sub": SUBJECT,
                    "scope": " ".join(
                        [SYNAPSE_ADMIN_SCOPE, MATRIX_USER_SCOPE, MATRIX_GUEST_SCOPE]
                    ),
                    "username": USERNAME,
                },
            )
        )
        request = Mock(args={})
        request.args[b"access_token"] = [b"mockAccessToken"]
        request.requestHeaders.getRawHeaders = mock_getRawHeaders()
        requester = self.get_success(self.auth.get_user_by_req(request))
        self.http_client.get_json.assert_called_once_with(WELL_KNOWN)
        self.http_client.request.assert_called_once_with(
            method="POST", uri=INTROSPECTION_ENDPOINT, data=ANY, headers=ANY
        )
        self._assertParams()
        self.assertEqual(requester.user.to_string(), "@%s:%s" % (USERNAME, SERVER_NAME))
        self.assertEqual(requester.is_guest, False)
        self.assertEqual(requester.device_id, None)
        self.assertEqual(
            get_awaitable_result(self.auth.is_server_admin(requester)), True
        )

    def test_active_user(self) -> None:
        """The handler should return a requester with normal user rights."""
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    317 
            self.http_client.request = AsyncMock(
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 
                return_value=FakeResponse.json(
                code=200,
                payload={
                    "active": True,
                    "sub": SUBJECT,
                    "scope": " ".join([MATRIX_USER_SCOPE]),
                    "username": USERNAME,
                },
            )
        )
        request = Mock(args={})
        request.args[b"access_token"] = [b"mockAccessToken"]
        request.requestHeaders.getRawHeaders = mock_getRawHeaders()
        requester = self.get_success(self.auth.get_user_by_req(request))
        self.http_client.get_json.assert_called_once_with(WELL_KNOWN)
        self.http_client.request.assert_called_once_with(
            method="POST", uri=INTROSPECTION_ENDPOINT, data=ANY, headers=ANY
        )
        self._assertParams()
        self.assertEqual(requester.user.to_string(), "@%s:%s" % (USERNAME, SERVER_NAME))
        self.assertEqual(requester.is_guest, False)
        self.assertEqual(requester.device_id, None)
        self.assertEqual(
            get_awaitable_result(self.auth.is_server_admin(requester)), False
        )
    Mathieu Velten's avatar
    MSC3861: allow impersonation by an admin using a query param (#16132)  
    Mathieu Velten committed
    343
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    344 345 346 
        def test_active_user_with_device(self) -> None:
        """The handler should return a requester with normal user rights and a device ID."""
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    347 
            self.http_client.request = AsyncMock(
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 
                return_value=FakeResponse.json(
                code=200,
                payload={
                    "active": True,
                    "sub": SUBJECT,
                    "scope": " ".join([MATRIX_USER_SCOPE, MATRIX_DEVICE_SCOPE]),
                    "username": USERNAME,
                },
            )
        )
        request = Mock(args={})
        request.args[b"access_token"] = [b"mockAccessToken"]
        request.requestHeaders.getRawHeaders = mock_getRawHeaders()
        requester = self.get_success(self.auth.get_user_by_req(request))
        self.http_client.get_json.assert_called_once_with(WELL_KNOWN)
        self.http_client.request.assert_called_once_with(
            method="POST", uri=INTROSPECTION_ENDPOINT, data=ANY, headers=ANY
        )
        self._assertParams()
        self.assertEqual(requester.user.to_string(), "@%s:%s" % (USERNAME, SERVER_NAME))
        self.assertEqual(requester.is_guest, False)
        self.assertEqual(
            get_awaitable_result(self.auth.is_server_admin(requester)), False
        )
        self.assertEqual(requester.device_id, DEVICE)
    Quentin Gliech's avatar
    Reject tokens with multiple device scopes  
    Quentin Gliech committed
    374 375 376 
        def test_multiple_devices(self) -> None:
        """The handler should raise an error if multiple devices are found in the scope."""
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    377 
            self.http_client.request = AsyncMock(
    Quentin Gliech's avatar
    Reject tokens with multiple device scopes  
    Quentin Gliech committed
    378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 
                return_value=FakeResponse.json(
                code=200,
                payload={
                    "active": True,
                    "sub": SUBJECT,
                    "scope": " ".join(
                        [
                            MATRIX_USER_SCOPE,
                            f"{MATRIX_DEVICE_SCOPE_PREFIX}AABBCC",
                            f"{MATRIX_DEVICE_SCOPE_PREFIX}DDEEFF",
                        ]
                    ),
                    "username": USERNAME,
                },
            )
        )
        request = Mock(args={})
        request.args[b"access_token"] = [b"mockAccessToken"]
        request.requestHeaders.getRawHeaders = mock_getRawHeaders()
        self.get_failure(self.auth.get_user_by_req(request), AuthError)
    Hugh Nimmo-Smith's avatar
    Actually enforce guest + return www-authenticate header  
    Hugh Nimmo-Smith committed
    399 400 401 
        def test_active_guest_not_allowed(self) -> None:
        """The handler should return an insufficient scope error."""
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    402 
            self.http_client.request = AsyncMock(
    Hugh Nimmo-Smith's avatar
    Actually enforce guest + return www-authenticate header  
    Hugh Nimmo-Smith committed
    403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 
                return_value=FakeResponse.json(
                code=200,
                payload={
                    "active": True,
                    "sub": SUBJECT,
                    "scope": " ".join([MATRIX_GUEST_SCOPE, MATRIX_DEVICE_SCOPE]),
                    "username": USERNAME,
                },
            )
        )
        request = Mock(args={})
        request.args[b"access_token"] = [b"mockAccessToken"]
        request.requestHeaders.getRawHeaders = mock_getRawHeaders()
        error = self.get_failure(
            self.auth.get_user_by_req(request), OAuthInsufficientScopeError
        )
        self.http_client.get_json.assert_called_once_with(WELL_KNOWN)
        self.http_client.request.assert_called_once_with(
            method="POST", uri=INTROSPECTION_ENDPOINT, data=ANY, headers=ANY
        )
        self._assertParams()
        self.assertEqual(
            getattr(error.value, "headers", {})["WWW-Authenticate"],
            'Bearer error="insufficient_scope", scope="urn:matrix:org.matrix.msc2967.client:api:*"',
        )

    def test_active_guest_allowed(self) -> None:
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    430 431 
            """The handler should return a requester with guest user rights and a device ID."""
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    432 
            self.http_client.request = AsyncMock(
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    433 434 435 436 437 438 439 440 441 442 443 444 445 
                return_value=FakeResponse.json(
                code=200,
                payload={
                    "active": True,
                    "sub": SUBJECT,
                    "scope": " ".join([MATRIX_GUEST_SCOPE, MATRIX_DEVICE_SCOPE]),
                    "username": USERNAME,
                },
            )
        )
        request = Mock(args={})
        request.args[b"access_token"] = [b"mockAccessToken"]
        request.requestHeaders.getRawHeaders = mock_getRawHeaders()
    Hugh Nimmo-Smith's avatar
    Actually enforce guest + return www-authenticate header  
    Hugh Nimmo-Smith committed
    446 447 448 
            requester = self.get_success(
            self.auth.get_user_by_req(request, allow_guest=True)
        )
    Hugh Nimmo-Smith's avatar
    Initial tests for OAuth delegation
    Hugh Nimmo-Smith committed
    449 450 451 452 453 454 455 456 457 458 459 
            self.http_client.get_json.assert_called_once_with(WELL_KNOWN)
        self.http_client.request.assert_called_once_with(
            method="POST", uri=INTROSPECTION_ENDPOINT, data=ANY, headers=ANY
        )
        self._assertParams()
        self.assertEqual(requester.user.to_string(), "@%s:%s" % (USERNAME, SERVER_NAME))
        self.assertEqual(requester.is_guest, True)
        self.assertEqual(
            get_awaitable_result(self.auth.is_server_admin(requester)), False
        )
        self.assertEqual(requester.device_id, DEVICE)
    Quentin Gliech's avatar
    Disable account related endpoints when using OAuth delegation  
    Quentin Gliech committed
    460
    Quentin Gliech's avatar
    Handle errors when introspecting tokens  
    Quentin Gliech committed
    461 462 463 464 465 466 467 
        def test_unavailable_introspection_endpoint(self) -> None:
        """The handler should return an internal server error."""
        request = Mock(args={})
        request.args[b"access_token"] = [b"mockAccessToken"]
        request.requestHeaders.getRawHeaders = mock_getRawHeaders()

        # The introspection endpoint is returning an error.
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    468 
            self.http_client.request = AsyncMock(
    Quentin Gliech's avatar
    Handle errors when introspecting tokens  
    Quentin Gliech committed
    469 470 471 472 473 474 
                return_value=FakeResponse(code=500, body=b"Internal Server Error")
        )
        error = self.get_failure(self.auth.get_user_by_req(request), SynapseError)
        self.assertEqual(error.value.code, 503)

        # The introspection endpoint request fails.
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    475 
            self.http_client.request = AsyncMock(side_effect=Exception())
    Quentin Gliech's avatar
    Handle errors when introspecting tokens  
    Quentin Gliech committed
    476 477 478 479 
            error = self.get_failure(self.auth.get_user_by_req(request), SynapseError)
        self.assertEqual(error.value.code, 503)

        # The introspection endpoint does not return a JSON object.
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    480 
            self.http_client.request = AsyncMock(
    Quentin Gliech's avatar
    Handle errors when introspecting tokens  
    Quentin Gliech committed
    481 482 483 484 485 486 487 488 
                return_value=FakeResponse.json(
                code=200, payload=["this is an array", "not an object"]
            )
        )
        error = self.get_failure(self.auth.get_user_by_req(request), SynapseError)
        self.assertEqual(error.value.code, 503)

        # The introspection endpoint does not return valid JSON.
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    489 
            self.http_client.request = AsyncMock(
    Quentin Gliech's avatar
    Handle errors when introspecting tokens  
    Quentin Gliech committed
    490 491 492 493 494 
                return_value=FakeResponse(code=200, body=b"this is not valid JSON")
        )
        error = self.get_failure(self.auth.get_user_by_req(request), SynapseError)
        self.assertEqual(error.value.code, 503)
    Quentin Gliech's avatar
    Disable account related endpoints when using OAuth delegation  
    Quentin Gliech committed
    495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 
        def make_device_keys(self, user_id: str, device_id: str) -> JsonDict:
        # We only generate a master key to simplify the test.
        master_signing_key = generate_signing_key(device_id)
        master_verify_key = encode_verify_key_base64(get_verify_key(master_signing_key))

        return {
            "master_key": sign_json(
                {
                    "user_id": user_id,
                    "usage": ["master"],
                    "keys": {"ed25519:" + master_verify_key: master_verify_key},
                },
                user_id,
                master_signing_key,
            ),
        }

    def test_cross_signing(self) -> None:
        """Try uploading device keys with OAuth delegation enabled."""
    Patrick Cloke's avatar
    Replace simple_async_mock with AsyncMock (#16180)  
    Patrick Cloke committed
    515 
            self.http_client.request = AsyncMock(
    Quentin Gliech's avatar
    Disable account related endpoints when using OAuth delegation  
    Quentin Gliech committed
    516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 
                return_value=FakeResponse.json(
                code=200,
                payload={
                    "active": True,
                    "sub": SUBJECT,
                    "scope": " ".join([MATRIX_USER_SCOPE, MATRIX_DEVICE_SCOPE]),
                    "username": USERNAME,
                },
            )
        )
        keys_upload_body = self.make_device_keys(USER_ID, DEVICE)
        channel = self.make_request(
            "POST",
            "/_matrix/client/v3/keys/device_signing/upload",
            keys_upload_body,
            access_token="mockAccessToken",
        )

        self.assertEqual(channel.code, 200, channel.json_body)

        channel = self.make_request(
            "POST",
            "/_matrix/client/v3/keys/device_signing/upload",
            keys_upload_body,
            access_token="mockAccessToken",
        )

        self.assertEqual(channel.code, HTTPStatus.NOT_IMPLEMENTED, channel.json_body)

    def expect_unauthorized(
        self, method: str, path: str, content: Union[bytes, str, JsonDict] = ""
    ) -> None:
        channel = self.make_request(method, path, content, shorthand=False)

        self.assertEqual(channel.code, 401, channel.json_body)

    def expect_unrecognized(
        self, method: str, path: str, content: Union[bytes, str, JsonDict] = ""
    ) -> None:
        channel = self.make_request(method, path, content)

        self.assertEqual(channel.code, 404, channel.json_body)
        self.assertEqual(
            channel.json_body["errcode"], Codes.UNRECOGNIZED, channel.json_body
        )

    def test_uia_endpoints(self) -> None:
        """Test that endpoints that were removed in MSC2964 are no longer available."""

        # This is just an endpoint that should remain visible (but requires auth):
        self.expect_unauthorized("GET", "/_matrix/client/v3/devices")

        # This remains usable, but will require a uia scope:
        self.expect_unauthorized(
            "POST", "/_matrix/client/v3/keys/device_signing/upload"
        )

    def test_3pid_endpoints(self) -> None:
        """Test that 3pid account management endpoints that were removed in MSC2964 are no longer available."""

        # Remains and requires auth:
        self.expect_unauthorized("GET", "/_matrix/client/v3/account/3pid")
        self.expect_unauthorized(
            "POST",
            "/_matrix/client/v3/account/3pid/bind",
            {
                "client_secret": "foo",
                "id_access_token": "bar",
                "id_server": "foo",
                "sid": "bar",
            },
        )
        self.expect_unauthorized("POST", "/_matrix/client/v3/account/3pid/unbind", {})

        # These are gone:
        self.expect_unrecognized(
            "POST", "/_matrix/client/v3/account/3pid"
        )  # deprecated
        self.expect_unrecognized("POST", "/_matrix/client/v3/account/3pid/add")
        self.expect_unrecognized("POST", "/_matrix/client/v3/account/3pid/delete")
        self.expect_unrecognized(
            "POST", "/_matrix/client/v3/account/3pid/email/requestToken"
        )
        self.expect_unrecognized(
            "POST", "/_matrix/client/v3/account/3pid/msisdn/requestToken"
        )

    def test_account_management_endpoints_removed(self) -> None:
        """Test that account management endpoints that were removed in MSC2964 are no longer available."""
        self.expect_unrecognized("POST", "/_matrix/client/v3/account/deactivate")
        self.expect_unrecognized("POST", "/_matrix/client/v3/account/password")
        self.expect_unrecognized(
            "POST", "/_matrix/client/v3/account/password/email/requestToken"
        )
        self.expect_unrecognized(
            "POST", "/_matrix/client/v3/account/password/msisdn/requestToken"
        )

    def test_registration_endpoints_removed(self) -> None:
        """Test that registration endpoints that were removed in MSC2964 are no longer available."""
        self.expect_unrecognized(
            "GET", "/_matrix/client/v1/register/m.login.registration_token/validity"
        )
    Quentin Gliech's avatar
    Make AS tokens work & allow ASes to /register  
    Quentin Gliech committed
    619 620 
            # This is still available for AS registrations
        # self.expect_unrecognized("POST", "/_matrix/client/v3/register")
    Quentin Gliech's avatar
    Disable account related endpoints when using OAuth delegation  
    Quentin Gliech committed
    621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 
            self.expect_unrecognized("GET", "/_matrix/client/v3/register/available")
        self.expect_unrecognized(
            "POST", "/_matrix/client/v3/register/email/requestToken"
        )
        self.expect_unrecognized(
            "POST", "/_matrix/client/v3/register/msisdn/requestToken"
        )

    def test_session_management_endpoints_removed(self) -> None:
        """Test that session management endpoints that were removed in MSC2964 are no longer available."""
        self.expect_unrecognized("GET", "/_matrix/client/v3/login")
        self.expect_unrecognized("POST", "/_matrix/client/v3/login")
        self.expect_unrecognized("GET", "/_matrix/client/v3/login/sso/redirect")
        self.expect_unrecognized("POST", "/_matrix/client/v3/logout")
        self.expect_unrecognized("POST", "/_matrix/client/v3/logout/all")
        self.expect_unrecognized("POST", "/_matrix/client/v3/refresh")
        self.expect_unrecognized("GET", "/_matrix/static/client/login")

    def test_device_management_endpoints_removed(self) -> None:
        """Test that device management endpoints that were removed in MSC2964 are no longer available."""
        self.expect_unrecognized("POST", "/_matrix/client/v3/delete_devices")
        self.expect_unrecognized("DELETE", "/_matrix/client/v3/devices/{DEVICE}")

    def test_openid_endpoints_removed(self) -> None:
        """Test that OpenID id_token endpoints that were removed in MSC2964 are no longer available."""
        self.expect_unrecognized(
            "POST", "/_matrix/client/v3/user/{USERNAME}/openid/request_token"
        )
    Quentin Gliech's avatar
    Disable incompatible Admin API endpoints  
    Quentin Gliech committed
    649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 
    
    def test_admin_api_endpoints_removed(self) -> None:
        """Test that admin API endpoints that were removed in MSC2964 are no longer available."""
        self.expect_unrecognized("GET", "/_synapse/admin/v1/registration_tokens")
        self.expect_unrecognized("POST", "/_synapse/admin/v1/registration_tokens/new")
        self.expect_unrecognized("GET", "/_synapse/admin/v1/registration_tokens/abcd")
        self.expect_unrecognized("PUT", "/_synapse/admin/v1/registration_tokens/abcd")
        self.expect_unrecognized(
            "DELETE", "/_synapse/admin/v1/registration_tokens/abcd"
        )
        self.expect_unrecognized("POST", "/_synapse/admin/v1/reset_password/foo")
        self.expect_unrecognized("POST", "/_synapse/admin/v1/users/foo/login")
        self.expect_unrecognized("GET", "/_synapse/admin/v1/register")
        self.expect_unrecognized("POST", "/_synapse/admin/v1/register")
        self.expect_unrecognized("GET", "/_synapse/admin/v1/users/foo/admin")
        self.expect_unrecognized("PUT", "/_synapse/admin/v1/users/foo/admin")
        self.expect_unrecognized("POST", "/_synapse/admin/v1/account_validity/validity")
    Quentin Gliech's avatar
    Revert MSC3861 introspection cache, admin impersonation and account lock (#16258)  
    Quentin Gliech committed
    666 667 668 
    
    def test_admin_token(self) -> None:
        """The handler should return a requester with admin rights when admin_token is used."""
    Patrick Cloke's avatar
    Merge remote-tracking branch 'origin/release-v1.91' into release-v1.92  
    Patrick Cloke committed
    669 
            self.http_client.request = AsyncMock(
    Quentin Gliech's avatar
    Revert MSC3861 introspection cache, admin impersonation and account lock (#16258)  
    Quentin Gliech committed
    670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 
                return_value=FakeResponse.json(code=200, payload={"active": False}),
        )

        request = Mock(args={})
        request.args[b"access_token"] = [b"admin_token_value"]
        request.requestHeaders.getRawHeaders = mock_getRawHeaders()
        requester = self.get_success(self.auth.get_user_by_req(request))
        self.assertEqual(
            requester.user.to_string(), "@%s:%s" % ("__oidc_admin", SERVER_NAME)
        )
        self.assertEqual(requester.is_guest, False)
        self.assertEqual(requester.device_id, None)
        self.assertEqual(
            get_awaitable_result(self.auth.is_server_admin(requester)), True
        )

        # There should be no call to the introspection endpoint
        self.http_client.request.assert_not_called()