test_auth.py 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2015 - 2016 OpenMarket Ltd
  3. #
  4. # Licensed under the Apache License, Version 2.0 (the "License");
  5. # you may not use this file except in compliance with the License.
  6. # You may obtain a copy of the License at
  7. #
  8. # http://www.apache.org/licenses/LICENSE-2.0
  9. #
  10. # Unless required by applicable law or agreed to in writing, software
  11. # distributed under the License is distributed on an "AS IS" BASIS,
  12. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13. # See the License for the specific language governing permissions and
  14. # limitations under the License.
  15. from tests import unittest
  16. from twisted.internet import defer
  17. from mock import Mock
  18. from synapse.api.auth import Auth
  19. from synapse.api.errors import AuthError
  20. from synapse.types import UserID
  21. from tests.utils import setup_test_homeserver
  22. import pymacaroons
  23. class AuthTestCase(unittest.TestCase):
  24. @defer.inlineCallbacks
  25. def setUp(self):
  26. self.state_handler = Mock()
  27. self.store = Mock()
  28. self.hs = yield setup_test_homeserver(handlers=None)
  29. self.hs.get_datastore = Mock(return_value=self.store)
  30. self.auth = Auth(self.hs)
  31. self.test_user = "@foo:bar"
  32. self.test_token = "_test_token_"
  33. @defer.inlineCallbacks
  34. def test_get_user_by_req_user_valid_token(self):
  35. self.store.get_app_service_by_token = Mock(return_value=None)
  36. user_info = {
  37. "name": self.test_user,
  38. "token_id": "ditto",
  39. }
  40. self.store.get_user_by_access_token = Mock(return_value=user_info)
  41. request = Mock(args={})
  42. request.args["access_token"] = [self.test_token]
  43. request.requestHeaders.getRawHeaders = Mock(return_value=[""])
  44. requester = yield self.auth.get_user_by_req(request)
  45. self.assertEquals(requester.user.to_string(), self.test_user)
  46. def test_get_user_by_req_user_bad_token(self):
  47. self.store.get_app_service_by_token = Mock(return_value=None)
  48. self.store.get_user_by_access_token = Mock(return_value=None)
  49. request = Mock(args={})
  50. request.args["access_token"] = [self.test_token]
  51. request.requestHeaders.getRawHeaders = Mock(return_value=[""])
  52. d = self.auth.get_user_by_req(request)
  53. self.failureResultOf(d, AuthError)
  54. def test_get_user_by_req_user_missing_token(self):
  55. self.store.get_app_service_by_token = Mock(return_value=None)
  56. user_info = {
  57. "name": self.test_user,
  58. "token_id": "ditto",
  59. }
  60. self.store.get_user_by_access_token = Mock(return_value=user_info)
  61. request = Mock(args={})
  62. request.requestHeaders.getRawHeaders = Mock(return_value=[""])
  63. d = self.auth.get_user_by_req(request)
  64. self.failureResultOf(d, AuthError)
  65. @defer.inlineCallbacks
  66. def test_get_user_by_req_appservice_valid_token(self):
  67. app_service = Mock(token="foobar", url="a_url", sender=self.test_user)
  68. self.store.get_app_service_by_token = Mock(return_value=app_service)
  69. self.store.get_user_by_access_token = Mock(return_value=None)
  70. request = Mock(args={})
  71. request.args["access_token"] = [self.test_token]
  72. request.requestHeaders.getRawHeaders = Mock(return_value=[""])
  73. requester = yield self.auth.get_user_by_req(request)
  74. self.assertEquals(requester.user.to_string(), self.test_user)
  75. def test_get_user_by_req_appservice_bad_token(self):
  76. self.store.get_app_service_by_token = Mock(return_value=None)
  77. self.store.get_user_by_access_token = Mock(return_value=None)
  78. request = Mock(args={})
  79. request.args["access_token"] = [self.test_token]
  80. request.requestHeaders.getRawHeaders = Mock(return_value=[""])
  81. d = self.auth.get_user_by_req(request)
  82. self.failureResultOf(d, AuthError)
  83. def test_get_user_by_req_appservice_missing_token(self):
  84. app_service = Mock(token="foobar", url="a_url", sender=self.test_user)
  85. self.store.get_app_service_by_token = Mock(return_value=app_service)
  86. self.store.get_user_by_access_token = Mock(return_value=None)
  87. request = Mock(args={})
  88. request.requestHeaders.getRawHeaders = Mock(return_value=[""])
  89. d = self.auth.get_user_by_req(request)
  90. self.failureResultOf(d, AuthError)
  91. @defer.inlineCallbacks
  92. def test_get_user_by_req_appservice_valid_token_valid_user_id(self):
  93. masquerading_user_id = "@doppelganger:matrix.org"
  94. app_service = Mock(token="foobar", url="a_url", sender=self.test_user)
  95. app_service.is_interested_in_user = Mock(return_value=True)
  96. self.store.get_app_service_by_token = Mock(return_value=app_service)
  97. self.store.get_user_by_access_token = Mock(return_value=None)
  98. request = Mock(args={})
  99. request.args["access_token"] = [self.test_token]
  100. request.args["user_id"] = [masquerading_user_id]
  101. request.requestHeaders.getRawHeaders = Mock(return_value=[""])
  102. requester = yield self.auth.get_user_by_req(request)
  103. self.assertEquals(requester.user.to_string(), masquerading_user_id)
  104. def test_get_user_by_req_appservice_valid_token_bad_user_id(self):
  105. masquerading_user_id = "@doppelganger:matrix.org"
  106. app_service = Mock(token="foobar", url="a_url", sender=self.test_user)
  107. app_service.is_interested_in_user = Mock(return_value=False)
  108. self.store.get_app_service_by_token = Mock(return_value=app_service)
  109. self.store.get_user_by_access_token = Mock(return_value=None)
  110. request = Mock(args={})
  111. request.args["access_token"] = [self.test_token]
  112. request.args["user_id"] = [masquerading_user_id]
  113. request.requestHeaders.getRawHeaders = Mock(return_value=[""])
  114. d = self.auth.get_user_by_req(request)
  115. self.failureResultOf(d, AuthError)
  116. @defer.inlineCallbacks
  117. def test_get_user_from_macaroon(self):
  118. # TODO(danielwh): Remove this mock when we remove the
  119. # get_user_by_access_token fallback.
  120. self.store.get_user_by_access_token = Mock(
  121. return_value={"name": "@baldrick:matrix.org"}
  122. )
  123. user_id = "@baldrick:matrix.org"
  124. macaroon = pymacaroons.Macaroon(
  125. location=self.hs.config.server_name,
  126. identifier="key",
  127. key=self.hs.config.macaroon_secret_key)
  128. macaroon.add_first_party_caveat("gen = 1")
  129. macaroon.add_first_party_caveat("type = access")
  130. macaroon.add_first_party_caveat("user_id = %s" % (user_id,))
  131. user_info = yield self.auth.get_user_from_macaroon(macaroon.serialize())
  132. user = user_info["user"]
  133. self.assertEqual(UserID.from_string(user_id), user)
  134. @defer.inlineCallbacks
  135. def test_get_guest_user_from_macaroon(self):
  136. user_id = "@baldrick:matrix.org"
  137. macaroon = pymacaroons.Macaroon(
  138. location=self.hs.config.server_name,
  139. identifier="key",
  140. key=self.hs.config.macaroon_secret_key)
  141. macaroon.add_first_party_caveat("gen = 1")
  142. macaroon.add_first_party_caveat("type = access")
  143. macaroon.add_first_party_caveat("user_id = %s" % (user_id,))
  144. macaroon.add_first_party_caveat("guest = true")
  145. serialized = macaroon.serialize()
  146. user_info = yield self.auth.get_user_from_macaroon(serialized)
  147. user = user_info["user"]
  148. is_guest = user_info["is_guest"]
  149. self.assertEqual(UserID.from_string(user_id), user)
  150. self.assertTrue(is_guest)
  151. @defer.inlineCallbacks
  152. def test_get_user_from_macaroon_user_db_mismatch(self):
  153. self.store.get_user_by_access_token = Mock(
  154. return_value={"name": "@percy:matrix.org"}
  155. )
  156. user = "@baldrick:matrix.org"
  157. macaroon = pymacaroons.Macaroon(
  158. location=self.hs.config.server_name,
  159. identifier="key",
  160. key=self.hs.config.macaroon_secret_key)
  161. macaroon.add_first_party_caveat("gen = 1")
  162. macaroon.add_first_party_caveat("type = access")
  163. macaroon.add_first_party_caveat("user_id = %s" % (user,))
  164. with self.assertRaises(AuthError) as cm:
  165. yield self.auth.get_user_from_macaroon(macaroon.serialize())
  166. self.assertEqual(401, cm.exception.code)
  167. self.assertIn("User mismatch", cm.exception.msg)
  168. @defer.inlineCallbacks
  169. def test_get_user_from_macaroon_missing_caveat(self):
  170. # TODO(danielwh): Remove this mock when we remove the
  171. # get_user_by_access_token fallback.
  172. self.store.get_user_by_access_token = Mock(
  173. return_value={"name": "@baldrick:matrix.org"}
  174. )
  175. macaroon = pymacaroons.Macaroon(
  176. location=self.hs.config.server_name,
  177. identifier="key",
  178. key=self.hs.config.macaroon_secret_key)
  179. macaroon.add_first_party_caveat("gen = 1")
  180. macaroon.add_first_party_caveat("type = access")
  181. with self.assertRaises(AuthError) as cm:
  182. yield self.auth.get_user_from_macaroon(macaroon.serialize())
  183. self.assertEqual(401, cm.exception.code)
  184. self.assertIn("No user caveat", cm.exception.msg)
  185. @defer.inlineCallbacks
  186. def test_get_user_from_macaroon_wrong_key(self):
  187. # TODO(danielwh): Remove this mock when we remove the
  188. # get_user_by_access_token fallback.
  189. self.store.get_user_by_access_token = Mock(
  190. return_value={"name": "@baldrick:matrix.org"}
  191. )
  192. user = "@baldrick:matrix.org"
  193. macaroon = pymacaroons.Macaroon(
  194. location=self.hs.config.server_name,
  195. identifier="key",
  196. key=self.hs.config.macaroon_secret_key + "wrong")
  197. macaroon.add_first_party_caveat("gen = 1")
  198. macaroon.add_first_party_caveat("type = access")
  199. macaroon.add_first_party_caveat("user_id = %s" % (user,))
  200. with self.assertRaises(AuthError) as cm:
  201. yield self.auth.get_user_from_macaroon(macaroon.serialize())
  202. self.assertEqual(401, cm.exception.code)
  203. self.assertIn("Invalid macaroon", cm.exception.msg)
  204. @defer.inlineCallbacks
  205. def test_get_user_from_macaroon_unknown_caveat(self):
  206. # TODO(danielwh): Remove this mock when we remove the
  207. # get_user_by_access_token fallback.
  208. self.store.get_user_by_access_token = Mock(
  209. return_value={"name": "@baldrick:matrix.org"}
  210. )
  211. user = "@baldrick:matrix.org"
  212. macaroon = pymacaroons.Macaroon(
  213. location=self.hs.config.server_name,
  214. identifier="key",
  215. key=self.hs.config.macaroon_secret_key)
  216. macaroon.add_first_party_caveat("gen = 1")
  217. macaroon.add_first_party_caveat("type = access")
  218. macaroon.add_first_party_caveat("user_id = %s" % (user,))
  219. macaroon.add_first_party_caveat("cunning > fox")
  220. with self.assertRaises(AuthError) as cm:
  221. yield self.auth.get_user_from_macaroon(macaroon.serialize())
  222. self.assertEqual(401, cm.exception.code)
  223. self.assertIn("Invalid macaroon", cm.exception.msg)
  224. @defer.inlineCallbacks
  225. def test_get_user_from_macaroon_expired(self):
  226. # TODO(danielwh): Remove this mock when we remove the
  227. # get_user_by_access_token fallback.
  228. self.store.get_user_by_access_token = Mock(
  229. return_value={"name": "@baldrick:matrix.org"}
  230. )
  231. self.store.get_user_by_access_token = Mock(
  232. return_value={"name": "@baldrick:matrix.org"}
  233. )
  234. user = "@baldrick:matrix.org"
  235. macaroon = pymacaroons.Macaroon(
  236. location=self.hs.config.server_name,
  237. identifier="key",
  238. key=self.hs.config.macaroon_secret_key)
  239. macaroon.add_first_party_caveat("gen = 1")
  240. macaroon.add_first_party_caveat("type = access")
  241. macaroon.add_first_party_caveat("user_id = %s" % (user,))
  242. macaroon.add_first_party_caveat("time < 1") # ms
  243. self.hs.clock.now = 5000 # seconds
  244. yield self.auth.get_user_from_macaroon(macaroon.serialize())
  245. # TODO(daniel): Turn on the check that we validate expiration, when we
  246. # validate expiration (and remove the above line, which will start
  247. # throwing).
  248. # with self.assertRaises(AuthError) as cm:
  249. # yield self.auth.get_user_from_macaroon(macaroon.serialize())
  250. # self.assertEqual(401, cm.exception.code)
  251. # self.assertIn("Invalid macaroon", cm.exception.msg)