oidc.py 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348
  1. # Copyright 2022 The Matrix.org Foundation C.I.C.
  2. #
  3. # Licensed under the Apache License, Version 2.0 (the "License");
  4. # you may not use this file except in compliance with the License.
  5. # You may obtain a copy of the License at
  6. #
  7. # http://www.apache.org/licenses/LICENSE-2.0
  8. #
  9. # Unless required by applicable law or agreed to in writing, software
  10. # distributed under the License is distributed on an "AS IS" BASIS,
  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. # See the License for the specific language governing permissions and
  13. # limitations under the License.
  14. import json
  15. from typing import Any, ContextManager, Dict, List, Optional, Tuple
  16. from unittest.mock import Mock, patch
  17. from urllib.parse import parse_qs
  18. import attr
  19. from twisted.web.http_headers import Headers
  20. from twisted.web.iweb import IResponse
  21. from synapse.server import HomeServer
  22. from synapse.util import Clock
  23. from synapse.util.stringutils import random_string
  24. from tests.test_utils import FakeResponse
  25. @attr.s(slots=True, frozen=True, auto_attribs=True)
  26. class FakeAuthorizationGrant:
  27. userinfo: dict
  28. client_id: str
  29. redirect_uri: str
  30. scope: str
  31. nonce: Optional[str]
  32. sid: Optional[str]
  33. class FakeOidcServer:
  34. """A fake OpenID Connect Provider."""
  35. # All methods here are mocks, so we can track when they are called, and override
  36. # their values
  37. request: Mock
  38. get_jwks_handler: Mock
  39. get_metadata_handler: Mock
  40. get_userinfo_handler: Mock
  41. post_token_handler: Mock
  42. sid_counter: int = 0
  43. def __init__(self, clock: Clock, issuer: str):
  44. from authlib.jose import ECKey, KeySet
  45. self._clock = clock
  46. self.issuer = issuer
  47. self.request = Mock(side_effect=self._request)
  48. self.get_jwks_handler = Mock(side_effect=self._get_jwks_handler)
  49. self.get_metadata_handler = Mock(side_effect=self._get_metadata_handler)
  50. self.get_userinfo_handler = Mock(side_effect=self._get_userinfo_handler)
  51. self.post_token_handler = Mock(side_effect=self._post_token_handler)
  52. # A code -> grant mapping
  53. self._authorization_grants: Dict[str, FakeAuthorizationGrant] = {}
  54. # An access token -> grant mapping
  55. self._sessions: Dict[str, FakeAuthorizationGrant] = {}
  56. # We generate here an ECDSA key with the P-256 curve (ES256 algorithm) used for
  57. # signing JWTs. ECDSA keys are really quick to generate compared to RSA.
  58. self._key = ECKey.generate_key(crv="P-256", is_private=True)
  59. self._jwks = KeySet([ECKey.import_key(self._key.as_pem(is_private=False))])
  60. self._id_token_overrides: Dict[str, Any] = {}
  61. def reset_mocks(self) -> None:
  62. self.request.reset_mock()
  63. self.get_jwks_handler.reset_mock()
  64. self.get_metadata_handler.reset_mock()
  65. self.get_userinfo_handler.reset_mock()
  66. self.post_token_handler.reset_mock()
  67. def patch_homeserver(self, hs: HomeServer) -> ContextManager[Mock]:
  68. """Patch the ``HomeServer`` HTTP client to handle requests through the ``FakeOidcServer``.
  69. This patch should be used whenever the HS is expected to perform request to the
  70. OIDC provider, e.g.::
  71. fake_oidc_server = self.helper.fake_oidc_server()
  72. with fake_oidc_server.patch_homeserver(hs):
  73. self.make_request("GET", "/_matrix/client/r0/login/sso/redirect")
  74. """
  75. return patch.object(hs.get_proxied_http_client(), "request", self.request)
  76. @property
  77. def authorization_endpoint(self) -> str:
  78. return self.issuer + "authorize"
  79. @property
  80. def token_endpoint(self) -> str:
  81. return self.issuer + "token"
  82. @property
  83. def userinfo_endpoint(self) -> str:
  84. return self.issuer + "userinfo"
  85. @property
  86. def metadata_endpoint(self) -> str:
  87. return self.issuer + ".well-known/openid-configuration"
  88. @property
  89. def jwks_uri(self) -> str:
  90. return self.issuer + "jwks"
  91. def get_metadata(self) -> dict:
  92. return {
  93. "issuer": self.issuer,
  94. "authorization_endpoint": self.authorization_endpoint,
  95. "token_endpoint": self.token_endpoint,
  96. "jwks_uri": self.jwks_uri,
  97. "userinfo_endpoint": self.userinfo_endpoint,
  98. "response_types_supported": ["code"],
  99. "subject_types_supported": ["public"],
  100. "id_token_signing_alg_values_supported": ["ES256"],
  101. }
  102. def get_jwks(self) -> dict:
  103. return self._jwks.as_dict()
  104. def get_userinfo(self, access_token: str) -> Optional[dict]:
  105. """Given an access token, get the userinfo of the associated session."""
  106. session = self._sessions.get(access_token, None)
  107. if session is None:
  108. return None
  109. return session.userinfo
  110. def _sign(self, payload: dict) -> str:
  111. from authlib.jose import JsonWebSignature
  112. jws = JsonWebSignature()
  113. kid = self.get_jwks()["keys"][0]["kid"]
  114. protected = {"alg": "ES256", "kid": kid}
  115. json_payload = json.dumps(payload)
  116. return jws.serialize_compact(protected, json_payload, self._key).decode("utf-8")
  117. def generate_id_token(self, grant: FakeAuthorizationGrant) -> str:
  118. now = int(self._clock.time())
  119. id_token = {
  120. **grant.userinfo,
  121. "iss": self.issuer,
  122. "aud": grant.client_id,
  123. "iat": now,
  124. "nbf": now,
  125. "exp": now + 600,
  126. }
  127. if grant.nonce is not None:
  128. id_token["nonce"] = grant.nonce
  129. if grant.sid is not None:
  130. id_token["sid"] = grant.sid
  131. id_token.update(self._id_token_overrides)
  132. return self._sign(id_token)
  133. def generate_logout_token(self, grant: FakeAuthorizationGrant) -> str:
  134. now = int(self._clock.time())
  135. logout_token = {
  136. "iss": self.issuer,
  137. "aud": grant.client_id,
  138. "iat": now,
  139. "jti": random_string(10),
  140. "events": {
  141. "http://schemas.openid.net/event/backchannel-logout": {},
  142. },
  143. }
  144. if grant.sid is not None:
  145. logout_token["sid"] = grant.sid
  146. if "sub" in grant.userinfo:
  147. logout_token["sub"] = grant.userinfo["sub"]
  148. return self._sign(logout_token)
  149. def id_token_override(self, overrides: dict) -> ContextManager[dict]:
  150. """Temporarily patch the ID token generated by the token endpoint."""
  151. return patch.object(self, "_id_token_overrides", overrides)
  152. def start_authorization(
  153. self,
  154. client_id: str,
  155. scope: str,
  156. redirect_uri: str,
  157. userinfo: dict,
  158. nonce: Optional[str] = None,
  159. with_sid: bool = False,
  160. ) -> Tuple[str, FakeAuthorizationGrant]:
  161. """Start an authorization request, and get back the code to use on the authorization endpoint."""
  162. code = random_string(10)
  163. sid = None
  164. if with_sid:
  165. sid = str(self.sid_counter)
  166. self.sid_counter += 1
  167. grant = FakeAuthorizationGrant(
  168. userinfo=userinfo,
  169. scope=scope,
  170. redirect_uri=redirect_uri,
  171. nonce=nonce,
  172. client_id=client_id,
  173. sid=sid,
  174. )
  175. self._authorization_grants[code] = grant
  176. return code, grant
  177. def exchange_code(self, code: str) -> Optional[Dict[str, Any]]:
  178. grant = self._authorization_grants.pop(code, None)
  179. if grant is None:
  180. return None
  181. access_token = random_string(10)
  182. self._sessions[access_token] = grant
  183. token = {
  184. "token_type": "Bearer",
  185. "access_token": access_token,
  186. "expires_in": 3600,
  187. "scope": grant.scope,
  188. }
  189. if "openid" in grant.scope:
  190. token["id_token"] = self.generate_id_token(grant)
  191. return dict(token)
  192. def buggy_endpoint(
  193. self,
  194. *,
  195. jwks: bool = False,
  196. metadata: bool = False,
  197. token: bool = False,
  198. userinfo: bool = False,
  199. ) -> ContextManager[Dict[str, Mock]]:
  200. """A context which makes a set of endpoints return a 500 error.
  201. Args:
  202. jwks: If True, makes the JWKS endpoint return a 500 error.
  203. metadata: If True, makes the OIDC Discovery endpoint return a 500 error.
  204. token: If True, makes the token endpoint return a 500 error.
  205. userinfo: If True, makes the userinfo endpoint return a 500 error.
  206. """
  207. buggy = FakeResponse(code=500, body=b"Internal server error")
  208. patches = {}
  209. if jwks:
  210. patches["get_jwks_handler"] = Mock(return_value=buggy)
  211. if metadata:
  212. patches["get_metadata_handler"] = Mock(return_value=buggy)
  213. if token:
  214. patches["post_token_handler"] = Mock(return_value=buggy)
  215. if userinfo:
  216. patches["get_userinfo_handler"] = Mock(return_value=buggy)
  217. return patch.multiple(self, **patches)
  218. async def _request(
  219. self,
  220. method: str,
  221. uri: str,
  222. data: Optional[bytes] = None,
  223. headers: Optional[Headers] = None,
  224. ) -> IResponse:
  225. """The override of the SimpleHttpClient#request() method"""
  226. access_token: Optional[str] = None
  227. if headers is None:
  228. headers = Headers()
  229. # Try to find the access token in the headers if any
  230. auth_headers = headers.getRawHeaders(b"Authorization")
  231. if auth_headers:
  232. parts = auth_headers[0].split(b" ")
  233. if parts[0] == b"Bearer" and len(parts) == 2:
  234. access_token = parts[1].decode("ascii")
  235. if method == "POST":
  236. # If the method is POST, assume it has an url-encoded body
  237. if data is None or headers.getRawHeaders(b"Content-Type") != [
  238. b"application/x-www-form-urlencoded"
  239. ]:
  240. return FakeResponse.json(code=400, payload={"error": "invalid_request"})
  241. params = parse_qs(data.decode("utf-8"))
  242. if uri == self.token_endpoint:
  243. # Even though this endpoint should be protected, this does not check
  244. # for client authentication. We're not checking it for simplicity,
  245. # and because client authentication is tested in other standalone tests.
  246. return self.post_token_handler(params)
  247. elif method == "GET":
  248. if uri == self.jwks_uri:
  249. return self.get_jwks_handler()
  250. elif uri == self.metadata_endpoint:
  251. return self.get_metadata_handler()
  252. elif uri == self.userinfo_endpoint:
  253. return self.get_userinfo_handler(access_token=access_token)
  254. return FakeResponse(code=404, body=b"404 not found")
  255. # Request handlers
  256. def _get_jwks_handler(self) -> IResponse:
  257. """Handles requests to the JWKS URI."""
  258. return FakeResponse.json(payload=self.get_jwks())
  259. def _get_metadata_handler(self) -> IResponse:
  260. """Handles requests to the OIDC well-known document."""
  261. return FakeResponse.json(payload=self.get_metadata())
  262. def _get_userinfo_handler(self, access_token: Optional[str]) -> IResponse:
  263. """Handles requests to the userinfo endpoint."""
  264. if access_token is None:
  265. return FakeResponse(code=401)
  266. user_info = self.get_userinfo(access_token)
  267. if user_info is None:
  268. return FakeResponse(code=401)
  269. return FakeResponse.json(payload=user_info)
  270. def _post_token_handler(self, params: Dict[str, List[str]]) -> IResponse:
  271. """Handles requests to the token endpoint."""
  272. code = params.get("code", [])
  273. if len(code) != 1:
  274. return FakeResponse.json(code=400, payload={"error": "invalid_request"})
  275. grant = self.exchange_code(code=code[0])
  276. if grant is None:
  277. return FakeResponse.json(code=400, payload={"error": "invalid_grant"})
  278. return FakeResponse.json(payload=grant)