Home Explore Help
Sign In
RISCI_ATOM
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Files Issues 3 Wiki
Tree: 055dc16d49
Branches Tags
synapse
/
tests
/
rest
/
client
/
test_profile.py

test_profile.py 15 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436 
  1. # Copyright 2014-2016 OpenMarket Ltd
    2. 

  2. #
    3. 

  3. # Licensed under the Apache License, Version 2.0 (the "License");
    4. 

  4. # you may not use this file except in compliance with the License.
    5. 

  5. # You may obtain a copy of the License at
    6. 

  6. #
    7. 

  7. #     http://www.apache.org/licenses/LICENSE-2.0
    8. 

  8. #
    9. 

  9. # Unless required by applicable law or agreed to in writing, software
    10. 

  10. # distributed under the License is distributed on an "AS IS" BASIS,
    11. 

  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12. 

  12. # See the License for the specific language governing permissions and
    13. 

  13. # limitations under the License.
    14. 

  14. 

  15. """Tests REST events for /profile paths."""
    16. 

  16. from typing import Any, Dict, Optional
    17. 

  17. 

  18. from twisted.test.proto_helpers import MemoryReactor
    19. 

  19. 

  20. from synapse.api.errors import Codes
    21. 

  21. from synapse.rest import admin
    22. 

  22. from synapse.rest.client import login, profile, room
    23. 

  23. from synapse.server import HomeServer
    24. 

  24. from synapse.types import UserID
    25. 

  25. from synapse.util import Clock
    26. 

  26. 

  27. from tests import unittest
    28. 

  28. 

  29. 

  30. class ProfileTestCase(unittest.HomeserverTestCase):
    31. 

  31. 

  32.     servlets = [
    33. 

  33.         admin.register_servlets_for_client_rest_resource,
    34. 

  34.         login.register_servlets,
    35. 

  35.         profile.register_servlets,
    36. 

  36.         room.register_servlets,
    37. 

  37.     ]
    38. 

  38. 

  39.     def make_homeserver(self, reactor: MemoryReactor, clock: Clock) -> HomeServer:
    40. 

  40.         self.hs = self.setup_test_homeserver()
    41. 

  41.         return self.hs
    42. 

  42. 

  43.     def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:
    44. 

  44.         self.owner = self.register_user("owner", "pass")
    45. 

  45.         self.owner_tok = self.login("owner", "pass")
    46. 

  46.         self.other = self.register_user("other", "pass", displayname="Bob")
    47. 

  47. 

  48.     def test_get_displayname(self) -> None:
    49. 

  49.         res = self._get_displayname()
    50. 

  50.         self.assertEqual(res, "owner")
    51. 

  51. 

  52.     def test_set_displayname(self) -> None:
    53. 

  53.         channel = self.make_request(
    54. 

  54.             "PUT",
    55. 

  55.             "/profile/%s/displayname" % (self.owner,),
    56. 

  56.             content={"displayname": "test"},
    57. 

  57.             access_token=self.owner_tok,
    58. 

  58.         )
    59. 

  59.         self.assertEqual(channel.code, 200, channel.result)
    60. 

  60. 

  61.         res = self._get_displayname()
    62. 

  62.         self.assertEqual(res, "test")
    63. 

  63. 

  64.     def test_set_displayname_noauth(self) -> None:
    65. 

  65.         channel = self.make_request(
    66. 

  66.             "PUT",
    67. 

  67.             "/profile/%s/displayname" % (self.owner,),
    68. 

  68.             content={"displayname": "test"},
    69. 

  69.         )
    70. 

  70.         self.assertEqual(channel.code, 401, channel.result)
    71. 

  71. 

  72.     def test_set_displayname_too_long(self) -> None:
    73. 

  73.         """Attempts to set a stupid displayname should get a 400"""
    74. 

  74.         channel = self.make_request(
    75. 

  75.             "PUT",
    76. 

  76.             "/profile/%s/displayname" % (self.owner,),
    77. 

  77.             content={"displayname": "test" * 100},
    78. 

  78.             access_token=self.owner_tok,
    79. 

  79.         )
    80. 

  80.         self.assertEqual(channel.code, 400, channel.result)
    81. 

  81. 

  82.         res = self._get_displayname()
    83. 

  83.         self.assertEqual(res, "owner")
    84. 

  84. 

  85.     def test_get_displayname_other(self) -> None:
    86. 

  86.         res = self._get_displayname(self.other)
    87. 

  87.         self.assertEqual(res, "Bob")
    88. 

  88. 

  89.     def test_set_displayname_other(self) -> None:
    90. 

  90.         channel = self.make_request(
    91. 

  91.             "PUT",
    92. 

  92.             "/profile/%s/displayname" % (self.other,),
    93. 

  93.             content={"displayname": "test"},
    94. 

  94.             access_token=self.owner_tok,
    95. 

  95.         )
    96. 

  96.         self.assertEqual(channel.code, 400, channel.result)
    97. 

  97. 

  98.     def test_get_avatar_url(self) -> None:
    99. 

  99.         res = self._get_avatar_url()
    100. 

  100.         self.assertIsNone(res)
    101. 

  101. 

  102.     def test_set_avatar_url(self) -> None:
    103. 

  103.         channel = self.make_request(
    104. 

  104.             "PUT",
    105. 

  105.             "/profile/%s/avatar_url" % (self.owner,),
    106. 

  106.             content={"avatar_url": "http://my.server/pic.gif"},
    107. 

  107.             access_token=self.owner_tok,
    108. 

  108.         )
    109. 

  109.         self.assertEqual(channel.code, 200, channel.result)
    110. 

  110. 

  111.         res = self._get_avatar_url()
    112. 

  112.         self.assertEqual(res, "http://my.server/pic.gif")
    113. 

  113. 

  114.     def test_set_avatar_url_noauth(self) -> None:
    115. 

  115.         channel = self.make_request(
    116. 

  116.             "PUT",
    117. 

  117.             "/profile/%s/avatar_url" % (self.owner,),
    118. 

  118.             content={"avatar_url": "http://my.server/pic.gif"},
    119. 

  119.         )
    120. 

  120.         self.assertEqual(channel.code, 401, channel.result)
    121. 

  121. 

  122.     def test_set_avatar_url_too_long(self) -> None:
    123. 

  123.         """Attempts to set a stupid avatar_url should get a 400"""
    124. 

  124.         channel = self.make_request(
    125. 

  125.             "PUT",
    126. 

  126.             "/profile/%s/avatar_url" % (self.owner,),
    127. 

  127.             content={"avatar_url": "http://my.server/pic.gif" * 100},
    128. 

  128.             access_token=self.owner_tok,
    129. 

  129.         )
    130. 

  130.         self.assertEqual(channel.code, 400, channel.result)
    131. 

  131. 

  132.         res = self._get_avatar_url()
    133. 

  133.         self.assertIsNone(res)
    134. 

  134. 

  135.     def test_get_avatar_url_other(self) -> None:
    136. 

  136.         res = self._get_avatar_url(self.other)
    137. 

  137.         self.assertIsNone(res)
    138. 

  138. 

  139.     def test_set_avatar_url_other(self) -> None:
    140. 

  140.         channel = self.make_request(
    141. 

  141.             "PUT",
    142. 

  142.             "/profile/%s/avatar_url" % (self.other,),
    143. 

  143.             content={"avatar_url": "http://my.server/pic.gif"},
    144. 

  144.             access_token=self.owner_tok,
    145. 

  145.         )
    146. 

  146.         self.assertEqual(channel.code, 400, channel.result)
    147. 

  147. 

  148.     def _get_displayname(self, name: Optional[str] = None) -> str:
    149. 

  149.         channel = self.make_request(
    150. 

  150.             "GET", "/profile/%s/displayname" % (name or self.owner,)
    151. 

  151.         )
    152. 

  152.         self.assertEqual(channel.code, 200, channel.result)
    153. 

  153.         return channel.json_body["displayname"]
    154. 

  154. 

  155.     def _get_avatar_url(self, name: Optional[str] = None) -> str:
    156. 

  156.         channel = self.make_request(
    157. 

  157.             "GET", "/profile/%s/avatar_url" % (name or self.owner,)
    158. 

  158.         )
    159. 

  159.         self.assertEqual(channel.code, 200, channel.result)
    160. 

  160.         return channel.json_body.get("avatar_url")
    161. 

  161. 

  162.     @unittest.override_config({"max_avatar_size": 50})
    163. 

  163.     def test_avatar_size_limit_global(self) -> None:
    164. 

  164.         """Tests that the maximum size limit for avatars is enforced when updating a
    165. 

  165.         global profile.
    166. 

  166.         """
    167. 

  167.         self._setup_local_files(
    168. 

  168.             {
    169. 

  169.                 "small": {"size": 40},
    170. 

  170.                 "big": {"size": 60},
    171. 

  171.             }
    172. 

  172.         )
    173. 

  173. 

  174.         channel = self.make_request(
    175. 

  175.             "PUT",
    176. 

  176.             f"/profile/{self.owner}/avatar_url",
    177. 

  177.             content={"avatar_url": "mxc://test/big"},
    178. 

  178.             access_token=self.owner_tok,
    179. 

  179.         )
    180. 

  180.         self.assertEqual(channel.code, 403, channel.result)
    181. 

  181.         self.assertEqual(
    182. 

  182.             channel.json_body["errcode"], Codes.FORBIDDEN, channel.json_body
    183. 

  183.         )
    184. 

  184. 

  185.         channel = self.make_request(
    186. 

  186.             "PUT",
    187. 

  187.             f"/profile/{self.owner}/avatar_url",
    188. 

  188.             content={"avatar_url": "mxc://test/small"},
    189. 

  189.             access_token=self.owner_tok,
    190. 

  190.         )
    191. 

  191.         self.assertEqual(channel.code, 200, channel.result)
    192. 

  192. 

  193.     @unittest.override_config({"max_avatar_size": 50})
    194. 

  194.     def test_avatar_size_limit_per_room(self) -> None:
    195. 

  195.         """Tests that the maximum size limit for avatars is enforced when updating a
    196. 

  196.         per-room profile.
    197. 

  197.         """
    198. 

  198.         self._setup_local_files(
    199. 

  199.             {
    200. 

  200.                 "small": {"size": 40},
    201. 

  201.                 "big": {"size": 60},
    202. 

  202.             }
    203. 

  203.         )
    204. 

  204. 

  205.         room_id = self.helper.create_room_as(tok=self.owner_tok)
    206. 

  206. 

  207.         channel = self.make_request(
    208. 

  208.             "PUT",
    209. 

  209.             f"/rooms/{room_id}/state/m.room.member/{self.owner}",
    210. 

  210.             content={"membership": "join", "avatar_url": "mxc://test/big"},
    211. 

  211.             access_token=self.owner_tok,
    212. 

  212.         )
    213. 

  213.         self.assertEqual(channel.code, 403, channel.result)
    214. 

  214.         self.assertEqual(
    215. 

  215.             channel.json_body["errcode"], Codes.FORBIDDEN, channel.json_body
    216. 

  216.         )
    217. 

  217. 

  218.         channel = self.make_request(
    219. 

  219.             "PUT",
    220. 

  220.             f"/rooms/{room_id}/state/m.room.member/{self.owner}",
    221. 

  221.             content={"membership": "join", "avatar_url": "mxc://test/small"},
    222. 

  222.             access_token=self.owner_tok,
    223. 

  223.         )
    224. 

  224.         self.assertEqual(channel.code, 200, channel.result)
    225. 

  225. 

  226.     @unittest.override_config({"allowed_avatar_mimetypes": ["image/png"]})
    227. 

  227.     def test_avatar_allowed_mime_type_global(self) -> None:
    228. 

  228.         """Tests that the MIME type whitelist for avatars is enforced when updating a
    229. 

  229.         global profile.
    230. 

  230.         """
    231. 

  231.         self._setup_local_files(
    232. 

  232.             {
    233. 

  233.                 "good": {"mimetype": "image/png"},
    234. 

  234.                 "bad": {"mimetype": "application/octet-stream"},
    235. 

  235.             }
    236. 

  236.         )
    237. 

  237. 

  238.         channel = self.make_request(
    239. 

  239.             "PUT",
    240. 

  240.             f"/profile/{self.owner}/avatar_url",
    241. 

  241.             content={"avatar_url": "mxc://test/bad"},
    242. 

  242.             access_token=self.owner_tok,
    243. 

  243.         )
    244. 

  244.         self.assertEqual(channel.code, 403, channel.result)
    245. 

  245.         self.assertEqual(
    246. 

  246.             channel.json_body["errcode"], Codes.FORBIDDEN, channel.json_body
    247. 

  247.         )
    248. 

  248. 

  249.         channel = self.make_request(
    250. 

  250.             "PUT",
    251. 

  251.             f"/profile/{self.owner}/avatar_url",
    252. 

  252.             content={"avatar_url": "mxc://test/good"},
    253. 

  253.             access_token=self.owner_tok,
    254. 

  254.         )
    255. 

  255.         self.assertEqual(channel.code, 200, channel.result)
    256. 

  256. 

  257.     @unittest.override_config({"allowed_avatar_mimetypes": ["image/png"]})
    258. 

  258.     def test_avatar_allowed_mime_type_per_room(self) -> None:
    259. 

  259.         """Tests that the MIME type whitelist for avatars is enforced when updating a
    260. 

  260.         per-room profile.
    261. 

  261.         """
    262. 

  262.         self._setup_local_files(
    263. 

  263.             {
    264. 

  264.                 "good": {"mimetype": "image/png"},
    265. 

  265.                 "bad": {"mimetype": "application/octet-stream"},
    266. 

  266.             }
    267. 

  267.         )
    268. 

  268. 

  269.         room_id = self.helper.create_room_as(tok=self.owner_tok)
    270. 

  270. 

  271.         channel = self.make_request(
    272. 

  272.             "PUT",
    273. 

  273.             f"/rooms/{room_id}/state/m.room.member/{self.owner}",
    274. 

  274.             content={"membership": "join", "avatar_url": "mxc://test/bad"},
    275. 

  275.             access_token=self.owner_tok,
    276. 

  276.         )
    277. 

  277.         self.assertEqual(channel.code, 403, channel.result)
    278. 

  278.         self.assertEqual(
    279. 

  279.             channel.json_body["errcode"], Codes.FORBIDDEN, channel.json_body
    280. 

  280.         )
    281. 

  281. 

  282.         channel = self.make_request(
    283. 

  283.             "PUT",
    284. 

  284.             f"/rooms/{room_id}/state/m.room.member/{self.owner}",
    285. 

  285.             content={"membership": "join", "avatar_url": "mxc://test/good"},
    286. 

  286.             access_token=self.owner_tok,
    287. 

  287.         )
    288. 

  288.         self.assertEqual(channel.code, 200, channel.result)
    289. 

  289. 

  290.     def _setup_local_files(self, names_and_props: Dict[str, Dict[str, Any]]) -> None:
    291. 

  291.         """Stores metadata about files in the database.
    292. 

  292. 

  293.         Args:
    294. 

  294.             names_and_props: A dictionary with one entry per file, with the key being the
    295. 

  295.                 file's name, and the value being a dictionary of properties. Supported
    296. 

  296.                 properties are "mimetype" (for the file's type) and "size" (for the
    297. 

  297.                 file's size).
    298. 

  298.         """
    299. 

  299.         store = self.hs.get_datastores().main
    300. 

  300. 

  301.         for name, props in names_and_props.items():
    302. 

  302.             self.get_success(
    303. 

  303.                 store.store_local_media(
    304. 

  304.                     media_id=name,
    305. 

  305.                     media_type=props.get("mimetype", "image/png"),
    306. 

  306.                     time_now_ms=self.clock.time_msec(),
    307. 

  307.                     upload_name=None,
    308. 

  308.                     media_length=props.get("size", 50),
    309. 

  309.                     user_id=UserID.from_string("@rin:test"),
    310. 

  310.                 )
    311. 

  311.             )
    312. 

  312. 

  313. 

  314. class ProfilesRestrictedTestCase(unittest.HomeserverTestCase):
    315. 

  315. 

  316.     servlets = [
    317. 

  317.         admin.register_servlets_for_client_rest_resource,
    318. 

  318.         login.register_servlets,
    319. 

  319.         profile.register_servlets,
    320. 

  320.         room.register_servlets,
    321. 

  321.     ]
    322. 

  322. 

  323.     def make_homeserver(self, reactor: MemoryReactor, clock: Clock) -> HomeServer:
    324. 

  324.         config = self.default_config()
    325. 

  325.         config["require_auth_for_profile_requests"] = True
    326. 

  326.         config["limit_profile_requests_to_users_who_share_rooms"] = True
    327. 

  327.         self.hs = self.setup_test_homeserver(config=config)
    328. 

  328. 

  329.         return self.hs
    330. 

  330. 

  331.     def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:
    332. 

  332.         # User owning the requested profile.
    333. 

  333.         self.owner = self.register_user("owner", "pass")
    334. 

  334.         self.owner_tok = self.login("owner", "pass")
    335. 

  335.         self.profile_url = "/profile/%s" % (self.owner)
    336. 

  336. 

  337.         # User requesting the profile.
    338. 

  338.         self.requester = self.register_user("requester", "pass")
    339. 

  339.         self.requester_tok = self.login("requester", "pass")
    340. 

  340. 

  341.         self.room_id = self.helper.create_room_as(self.owner, tok=self.owner_tok)
    342. 

  342. 

  343.     def test_no_auth(self) -> None:
    344. 

  344.         self.try_fetch_profile(401)
    345. 

  345. 

  346.     def test_not_in_shared_room(self) -> None:
    347. 

  347.         self.ensure_requester_left_room()
    348. 

  348. 

  349.         self.try_fetch_profile(403, access_token=self.requester_tok)
    350. 

  350. 

  351.     def test_in_shared_room(self) -> None:
    352. 

  352.         self.ensure_requester_left_room()
    353. 

  353. 

  354.         self.helper.join(room=self.room_id, user=self.requester, tok=self.requester_tok)
    355. 

  355. 

  356.         self.try_fetch_profile(200, self.requester_tok)
    357. 

  357. 

  358.     def try_fetch_profile(
    359. 

  359.         self, expected_code: int, access_token: Optional[str] = None
    360. 

  360.     ) -> None:
    361. 

  361.         self.request_profile(expected_code, access_token=access_token)
    362. 

  362. 

  363.         self.request_profile(
    364. 

  364.             expected_code, url_suffix="/displayname", access_token=access_token
    365. 

  365.         )
    366. 

  366. 

  367.         self.request_profile(
    368. 

  368.             expected_code, url_suffix="/avatar_url", access_token=access_token
    369. 

  369.         )
    370. 

  370. 

  371.     def request_profile(
    372. 

  372.         self,
    373. 

  373.         expected_code: int,
    374. 

  374.         url_suffix: str = "",
    375. 

  375.         access_token: Optional[str] = None,
    376. 

  376.     ) -> None:
    377. 

  377.         channel = self.make_request(
    378. 

  378.             "GET", self.profile_url + url_suffix, access_token=access_token
    379. 

  379.         )
    380. 

  380.         self.assertEqual(channel.code, expected_code, channel.result)
    381. 

  381. 

  382.     def ensure_requester_left_room(self) -> None:
    383. 

  383.         try:
    384. 

  384.             self.helper.leave(
    385. 

  385.                 room=self.room_id, user=self.requester, tok=self.requester_tok
    386. 

  386.             )
    387. 

  387.         except AssertionError:
    388. 

  388.             # We don't care whether the leave request didn't return a 200 (e.g.
    389. 

  389.             # if the user isn't already in the room), because we only want to
    390. 

  390.             # make sure the user isn't in the room.
    391. 

  391.             pass
    392. 

  392. 

  393. 

  394. class OwnProfileUnrestrictedTestCase(unittest.HomeserverTestCase):
    395. 

  395. 

  396.     servlets = [
    397. 

  397.         admin.register_servlets_for_client_rest_resource,
    398. 

  398.         login.register_servlets,
    399. 

  399.         profile.register_servlets,
    400. 

  400.     ]
    401. 

  401. 

  402.     def make_homeserver(self, reactor: MemoryReactor, clock: Clock) -> HomeServer:
    403. 

  403.         config = self.default_config()
    404. 

  404.         config["require_auth_for_profile_requests"] = True
    405. 

  405.         config["limit_profile_requests_to_users_who_share_rooms"] = True
    406. 

  406.         self.hs = self.setup_test_homeserver(config=config)
    407. 

  407. 

  408.         return self.hs
    409. 

  409. 

  410.     def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:
    411. 

  411.         # User requesting the profile.
    412. 

  412.         self.requester = self.register_user("requester", "pass")
    413. 

  413.         self.requester_tok = self.login("requester", "pass")
    414. 

  414. 

  415.     def test_can_lookup_own_profile(self) -> None:
    416. 

  416.         """Tests that a user can lookup their own profile without having to be in a room
    417. 

  417.         if 'require_auth_for_profile_requests' is set to true in the server's config.
    418. 

  418.         """
    419. 

  419.         channel = self.make_request(
    420. 

  420.             "GET", "/profile/" + self.requester, access_token=self.requester_tok
    421. 

  421.         )
    422. 

  422.         self.assertEqual(channel.code, 200, channel.result)
    423. 

  423. 

  424.         channel = self.make_request(
    425. 

  425.             "GET",
    426. 

  426.             "/profile/" + self.requester + "/displayname",
    427. 

  427.             access_token=self.requester_tok,
    428. 

  428.         )
    429. 

  429.         self.assertEqual(channel.code, 200, channel.result)
    430. 

  430. 

  431.         channel = self.make_request(
    432. 

  432.             "GET",
    433. 

  433.             "/profile/" + self.requester + "/avatar_url",
    434. 

  434.             access_token=self.requester_tok,
    435. 

  435.         )
    436. 

  436.         self.assertEqual(channel.code, 200, channel.result)
    437.