1
0

test_invites.py 7.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213
  1. from unittest.mock import Mock, patch
  2. from twisted.trial import unittest
  3. from twisted.web.client import Response
  4. from sydent.db.invite_tokens import JoinTokenStore
  5. from sydent.http.httpclient import FederationHttpClient
  6. from sydent.http.servlets.store_invite_servlet import StoreInviteServlet
  7. from tests.utils import make_request, make_sydent
  8. class ThreepidInvitesTestCase(unittest.TestCase):
  9. """Tests features related to storing and delivering 3PID invites."""
  10. def setUp(self):
  11. # Create a new sydent
  12. config = {
  13. "email": {
  14. # Used by test_invited_email_address_obfuscation
  15. "email.third_party_invite_username_obfuscate_characters": "6",
  16. "email.third_party_invite_domain_obfuscate_characters": "8",
  17. "email.third_party_invite_keyword_blocklist": "evil\nbad\nhttps://",
  18. },
  19. }
  20. self.sydent = make_sydent(test_config=config)
  21. def test_delete_on_bind(self):
  22. """Tests that 3PID invite tokens are deleted upon delivery after a successful
  23. bind.
  24. """
  25. self.sydent.run()
  26. # The 3PID we're working with.
  27. medium = "email"
  28. address = "john@example.com"
  29. # Mock post_json_get_nothing so the /onBind call doesn't fail.
  30. async def post_json_get_nothing(uri, post_json, opts):
  31. return Response((b"HTTP", 1, 1), 200, b"OK", None, None)
  32. FederationHttpClient.post_json_get_nothing = Mock(
  33. side_effect=post_json_get_nothing,
  34. )
  35. # Manually insert an invite token, we'll check later that it's been deleted.
  36. join_token_store = JoinTokenStore(self.sydent)
  37. join_token_store.storeToken(
  38. medium,
  39. address,
  40. "!someroom:example.com",
  41. "@jane:example.com",
  42. "sometoken",
  43. )
  44. # Make sure the token still exists and can be retrieved.
  45. tokens = join_token_store.getTokens(medium, address)
  46. self.assertEqual(len(tokens), 1, tokens)
  47. # Bind the 3PID
  48. self.sydent.threepidBinder.addBinding(
  49. medium,
  50. address,
  51. "@john:example.com",
  52. )
  53. # Give Sydent some time to call /onBind and delete the token.
  54. self.sydent.reactor.advance(1000)
  55. cur = self.sydent.db.cursor()
  56. # Manually retrieve the tokens for this 3PID. We don't use getTokens because it
  57. # filters out sent tokens, so would return nothing even if the token hasn't been
  58. # deleted.
  59. res = cur.execute(
  60. "SELECT medium, address, room_id, sender, token FROM invite_tokens"
  61. " WHERE medium = ? AND address = ?",
  62. (
  63. medium,
  64. address,
  65. ),
  66. )
  67. rows = res.fetchall()
  68. # Check that we didn't get any result.
  69. self.assertEqual(len(rows), 0, rows)
  70. def test_invited_email_address_obfuscation(self):
  71. """Test that email addresses included in third-party invites are properly
  72. obfuscated according to the relevant config options
  73. """
  74. store_invite_servlet = StoreInviteServlet(self.sydent)
  75. email_address = "1234567890@1234567890.com"
  76. redacted_address = store_invite_servlet.redact_email_address(email_address)
  77. self.assertEqual(redacted_address, "123456...@12345678...")
  78. # Even short addresses are redacted
  79. short_email_address = "1@1.com"
  80. redacted_address = store_invite_servlet.redact_email_address(
  81. short_email_address
  82. )
  83. self.assertEqual(redacted_address, "...@1...")
  84. def test_third_party_invite_keyword_block_works(self):
  85. invite_config = {
  86. "medium": "email",
  87. "address": "foo@example.com",
  88. "room_id": "!bar",
  89. "sender": "@foo:example.com",
  90. "room_name": "This is an EVIL room name.",
  91. }
  92. request, channel = make_request(
  93. self.sydent.reactor,
  94. self.sydent.clientApiHttpServer.factory,
  95. "POST",
  96. "/_matrix/identity/api/v1/store-invite",
  97. invite_config,
  98. )
  99. self.assertEqual(channel.code, 403)
  100. def test_third_party_invite_keyword_blocklist_exempts_web_client_location_url(
  101. self,
  102. ):
  103. invite_config = {
  104. "medium": "email",
  105. "address": "foo@example.com",
  106. "room_id": "!bar",
  107. "sender": "@foo:example.com",
  108. "room_name": "This is a fine room name.",
  109. "org.matrix.web_client_location": "https://example.com",
  110. }
  111. # don't actually send the email
  112. with patch("sydent.util.emailutils.smtplib") as smtplib:
  113. request, channel = make_request(
  114. self.sydent.reactor,
  115. self.sydent.clientApiHttpServer.factory,
  116. "POST",
  117. "/_matrix/identity/api/v1/store-invite",
  118. invite_config,
  119. )
  120. self.assertEqual(channel.code, 200)
  121. smtp = smtplib.SMTP.return_value
  122. # but make sure we did try to send it
  123. smtp.sendmail.assert_called_once()
  124. class ThreepidInvitesNoDeleteTestCase(unittest.TestCase):
  125. """Test that invite tokens are not deleted when that is disabled."""
  126. def setUp(self):
  127. # Create a new sydent
  128. config = {"general": {"delete_tokens_on_bind": "false"}}
  129. self.sydent = make_sydent(test_config=config)
  130. def test_no_delete_on_bind(self):
  131. self.sydent.run()
  132. # The 3PID we're working with.
  133. medium = "email"
  134. address = "john@example.com"
  135. # Mock post_json_get_nothing so the /onBind call doesn't fail.
  136. async def post_json_get_nothing(uri, post_json, opts):
  137. return Response((b"HTTP", 1, 1), 200, b"OK", None, None)
  138. FederationHttpClient.post_json_get_nothing = Mock(
  139. side_effect=post_json_get_nothing,
  140. )
  141. # Manually insert an invite token, we'll check later that it's been deleted.
  142. join_token_store = JoinTokenStore(self.sydent)
  143. join_token_store.storeToken(
  144. medium,
  145. address,
  146. "!someroom:example.com",
  147. "@jane:example.com",
  148. "sometoken",
  149. )
  150. # Make sure the token still exists and can be retrieved.
  151. tokens = join_token_store.getTokens(medium, address)
  152. self.assertEqual(len(tokens), 1, tokens)
  153. # Bind the 3PID
  154. self.sydent.threepidBinder.addBinding(
  155. medium,
  156. address,
  157. "@john:example.com",
  158. )
  159. # Give Sydent some time to call /onBind and delete the token.
  160. self.sydent.reactor.advance(1000)
  161. cur = self.sydent.db.cursor()
  162. # Manually retrieve the tokens for this 3PID. We don't use getTokens because it
  163. # filters out sent tokens, so would return nothing even if the token hasn't been
  164. # deleted.
  165. res = cur.execute(
  166. "SELECT medium, address, room_id, sender, token FROM invite_tokens"
  167. " WHERE medium = ? AND address = ?",
  168. (
  169. medium,
  170. address,
  171. ),
  172. )
  173. rows = res.fetchall()
  174. # Check that we didn't get any result.
  175. self.assertEqual(len(rows), 1, rows)