123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439 |
- # Copyright 2021 The Matrix.org Foundation C.I.C.
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # http://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License
- import urllib.parse
- from http import HTTPStatus
- from unittest.mock import patch
- from signedjson.key import (
- encode_verify_key_base64,
- generate_signing_key,
- get_verify_key,
- )
- from signedjson.sign import sign_json
- from synapse.api.errors import Codes
- from synapse.rest import admin
- from synapse.rest.client import keys, login
- from synapse.types import JsonDict, Requester, create_requester
- from tests import unittest
- from tests.http.server._base import make_request_with_cancellation_test
- from tests.unittest import override_config
- from tests.utils import HAS_AUTHLIB
- class KeyQueryTestCase(unittest.HomeserverTestCase):
- servlets = [
- keys.register_servlets,
- admin.register_servlets_for_client_rest_resource,
- login.register_servlets,
- ]
- def test_rejects_device_id_ice_key_outside_of_list(self) -> None:
- self.register_user("alice", "wonderland")
- alice_token = self.login("alice", "wonderland")
- bob = self.register_user("bob", "uncle")
- channel = self.make_request(
- "POST",
- "/_matrix/client/r0/keys/query",
- {
- "device_keys": {
- bob: "device_id1",
- },
- },
- alice_token,
- )
- self.assertEqual(channel.code, HTTPStatus.BAD_REQUEST, channel.result)
- self.assertEqual(
- channel.json_body["errcode"],
- Codes.BAD_JSON,
- channel.result,
- )
- def test_rejects_device_key_given_as_map_to_bool(self) -> None:
- self.register_user("alice", "wonderland")
- alice_token = self.login("alice", "wonderland")
- bob = self.register_user("bob", "uncle")
- channel = self.make_request(
- "POST",
- "/_matrix/client/r0/keys/query",
- {
- "device_keys": {
- bob: {
- "device_id1": True,
- },
- },
- },
- alice_token,
- )
- self.assertEqual(channel.code, HTTPStatus.BAD_REQUEST, channel.result)
- self.assertEqual(
- channel.json_body["errcode"],
- Codes.BAD_JSON,
- channel.result,
- )
- def test_requires_device_key(self) -> None:
- """`device_keys` is required. We should complain if it's missing."""
- self.register_user("alice", "wonderland")
- alice_token = self.login("alice", "wonderland")
- channel = self.make_request(
- "POST",
- "/_matrix/client/r0/keys/query",
- {},
- alice_token,
- )
- self.assertEqual(channel.code, HTTPStatus.BAD_REQUEST, channel.result)
- self.assertEqual(
- channel.json_body["errcode"],
- Codes.BAD_JSON,
- channel.result,
- )
- def test_key_query_cancellation(self) -> None:
- """
- Tests that /keys/query is cancellable and does not swallow the
- CancelledError.
- """
- self.register_user("alice", "wonderland")
- alice_token = self.login("alice", "wonderland")
- bob = self.register_user("bob", "uncle")
- channel = make_request_with_cancellation_test(
- "test_key_query_cancellation",
- self.reactor,
- self.site,
- "POST",
- "/_matrix/client/r0/keys/query",
- {
- "device_keys": {
- # Empty list means we request keys for all bob's devices
- bob: [],
- },
- },
- token=alice_token,
- )
- self.assertEqual(200, channel.code, msg=channel.result["body"])
- self.assertIn(bob, channel.json_body["device_keys"])
- def make_device_keys(self, user_id: str, device_id: str) -> JsonDict:
- # We only generate a master key to simplify the test.
- master_signing_key = generate_signing_key(device_id)
- master_verify_key = encode_verify_key_base64(get_verify_key(master_signing_key))
- return {
- "master_key": sign_json(
- {
- "user_id": user_id,
- "usage": ["master"],
- "keys": {"ed25519:" + master_verify_key: master_verify_key},
- },
- user_id,
- master_signing_key,
- ),
- }
- def test_device_signing_with_uia(self) -> None:
- """Device signing key upload requires UIA."""
- password = "wonderland"
- device_id = "ABCDEFGHI"
- alice_id = self.register_user("alice", password)
- alice_token = self.login("alice", password, device_id=device_id)
- content = self.make_device_keys(alice_id, device_id)
- channel = self.make_request(
- "POST",
- "/_matrix/client/v3/keys/device_signing/upload",
- content,
- alice_token,
- )
- self.assertEqual(channel.code, HTTPStatus.UNAUTHORIZED, channel.result)
- # Grab the session
- session = channel.json_body["session"]
- # Ensure that flows are what is expected.
- self.assertIn({"stages": ["m.login.password"]}, channel.json_body["flows"])
- # add UI auth
- content["auth"] = {
- "type": "m.login.password",
- "identifier": {"type": "m.id.user", "user": alice_id},
- "password": password,
- "session": session,
- }
- channel = self.make_request(
- "POST",
- "/_matrix/client/v3/keys/device_signing/upload",
- content,
- alice_token,
- )
- self.assertEqual(channel.code, HTTPStatus.OK, channel.result)
- @override_config({"ui_auth": {"session_timeout": "15m"}})
- def test_device_signing_with_uia_session_timeout(self) -> None:
- """Device signing key upload requires UIA buy passes with grace period."""
- password = "wonderland"
- device_id = "ABCDEFGHI"
- alice_id = self.register_user("alice", password)
- alice_token = self.login("alice", password, device_id=device_id)
- content = self.make_device_keys(alice_id, device_id)
- channel = self.make_request(
- "POST",
- "/_matrix/client/v3/keys/device_signing/upload",
- content,
- alice_token,
- )
- self.assertEqual(channel.code, HTTPStatus.OK, channel.result)
- @override_config(
- {
- "experimental_features": {"msc3967_enabled": True},
- "ui_auth": {"session_timeout": "15s"},
- }
- )
- def test_device_signing_with_msc3967(self) -> None:
- """Device signing key follows MSC3967 behaviour when enabled."""
- password = "wonderland"
- device_id = "ABCDEFGHI"
- alice_id = self.register_user("alice", password)
- alice_token = self.login("alice", password, device_id=device_id)
- keys1 = self.make_device_keys(alice_id, device_id)
- # Initial request should succeed as no existing keys are present.
- channel = self.make_request(
- "POST",
- "/_matrix/client/v3/keys/device_signing/upload",
- keys1,
- alice_token,
- )
- self.assertEqual(channel.code, HTTPStatus.OK, channel.result)
- keys2 = self.make_device_keys(alice_id, device_id)
- # Subsequent request should require UIA as keys already exist even though session_timeout is set.
- channel = self.make_request(
- "POST",
- "/_matrix/client/v3/keys/device_signing/upload",
- keys2,
- alice_token,
- )
- self.assertEqual(channel.code, HTTPStatus.UNAUTHORIZED, channel.result)
- # Grab the session
- session = channel.json_body["session"]
- # Ensure that flows are what is expected.
- self.assertIn({"stages": ["m.login.password"]}, channel.json_body["flows"])
- # add UI auth
- keys2["auth"] = {
- "type": "m.login.password",
- "identifier": {"type": "m.id.user", "user": alice_id},
- "password": password,
- "session": session,
- }
- # Request should complete
- channel = self.make_request(
- "POST",
- "/_matrix/client/v3/keys/device_signing/upload",
- keys2,
- alice_token,
- )
- self.assertEqual(channel.code, HTTPStatus.OK, channel.result)
- class SigningKeyUploadServletTestCase(unittest.HomeserverTestCase):
- servlets = [
- admin.register_servlets,
- keys.register_servlets,
- ]
- OIDC_ADMIN_TOKEN = "_oidc_admin_token"
- @unittest.skip_unless(HAS_AUTHLIB, "requires authlib")
- @override_config(
- {
- "enable_registration": False,
- "experimental_features": {
- "msc3861": {
- "enabled": True,
- "issuer": "https://issuer",
- "account_management_url": "https://my-account.issuer",
- "client_id": "id",
- "client_auth_method": "client_secret_post",
- "client_secret": "secret",
- "admin_token": OIDC_ADMIN_TOKEN,
- },
- },
- }
- )
- def test_master_cross_signing_key_replacement_msc3861(self) -> None:
- # Provision a user like MAS would, cribbing from
- # https://github.com/matrix-org/matrix-authentication-service/blob/08d46a79a4adb22819ac9d55e15f8375dfe2c5c7/crates/matrix-synapse/src/lib.rs#L224-L229
- alice = "@alice:test"
- channel = self.make_request(
- "PUT",
- f"/_synapse/admin/v2/users/{urllib.parse.quote(alice)}",
- access_token=self.OIDC_ADMIN_TOKEN,
- content={},
- )
- self.assertEqual(channel.code, HTTPStatus.CREATED, channel.json_body)
- # Provision a device like MAS would, cribbing from
- # https://github.com/matrix-org/matrix-authentication-service/blob/08d46a79a4adb22819ac9d55e15f8375dfe2c5c7/crates/matrix-synapse/src/lib.rs#L260-L262
- alice_device = "alice_device"
- channel = self.make_request(
- "POST",
- f"/_synapse/admin/v2/users/{urllib.parse.quote(alice)}/devices",
- access_token=self.OIDC_ADMIN_TOKEN,
- content={"device_id": alice_device},
- )
- self.assertEqual(channel.code, HTTPStatus.CREATED, channel.json_body)
- # Prepare a mock MAS access token.
- alice_token = "alice_token_1234_oidcwhatyoudidthere"
- async def mocked_get_user_by_access_token(
- token: str, allow_expired: bool = False
- ) -> Requester:
- self.assertEqual(token, alice_token)
- return create_requester(
- user_id=alice,
- device_id=alice_device,
- scope=[],
- is_guest=False,
- )
- patch_get_user_by_access_token = patch.object(
- self.hs.get_auth(),
- "get_user_by_access_token",
- wraps=mocked_get_user_by_access_token,
- )
- # Copied from E2eKeysHandlerTestCase
- master_pubkey = "nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk"
- master_pubkey2 = "fHZ3NPiKxoLQm5OoZbKa99SYxprOjNs4TwJUKP+twCM"
- master_pubkey3 = "85T7JXPFBAySB/jwby4S3lBPTqY3+Zg53nYuGmu1ggY"
- master_key: JsonDict = {
- "user_id": alice,
- "usage": ["master"],
- "keys": {"ed25519:" + master_pubkey: master_pubkey},
- }
- master_key2: JsonDict = {
- "user_id": alice,
- "usage": ["master"],
- "keys": {"ed25519:" + master_pubkey2: master_pubkey2},
- }
- master_key3: JsonDict = {
- "user_id": alice,
- "usage": ["master"],
- "keys": {"ed25519:" + master_pubkey3: master_pubkey3},
- }
- with patch_get_user_by_access_token:
- # Upload an initial cross-signing key.
- channel = self.make_request(
- "POST",
- "/_matrix/client/v3/keys/device_signing/upload",
- access_token=alice_token,
- content={
- "master_key": master_key,
- },
- )
- self.assertEqual(channel.code, HTTPStatus.OK, channel.json_body)
- # Should not be able to upload another master key.
- channel = self.make_request(
- "POST",
- "/_matrix/client/v3/keys/device_signing/upload",
- access_token=alice_token,
- content={
- "master_key": master_key2,
- },
- )
- self.assertEqual(
- channel.code, HTTPStatus.NOT_IMPLEMENTED, channel.json_body
- )
- # Pretend that MAS did UIA and allowed us to replace the master key.
- channel = self.make_request(
- "POST",
- f"/_synapse/admin/v1/users/{urllib.parse.quote(alice)}/_allow_cross_signing_replacement_without_uia",
- access_token=self.OIDC_ADMIN_TOKEN,
- )
- self.assertEqual(HTTPStatus.OK, channel.code, msg=channel.json_body)
- with patch_get_user_by_access_token:
- # Should now be able to upload master key2.
- channel = self.make_request(
- "POST",
- "/_matrix/client/v3/keys/device_signing/upload",
- access_token=alice_token,
- content={
- "master_key": master_key2,
- },
- )
- self.assertEqual(channel.code, HTTPStatus.OK, channel.json_body)
- # Even though we're still in the grace period, we shouldn't be able to
- # upload master key 3 immediately after uploading key 2.
- channel = self.make_request(
- "POST",
- "/_matrix/client/v3/keys/device_signing/upload",
- access_token=alice_token,
- content={
- "master_key": master_key3,
- },
- )
- self.assertEqual(
- channel.code, HTTPStatus.NOT_IMPLEMENTED, channel.json_body
- )
- # Pretend that MAS did UIA and allowed us to replace the master key.
- channel = self.make_request(
- "POST",
- f"/_synapse/admin/v1/users/{urllib.parse.quote(alice)}/_allow_cross_signing_replacement_without_uia",
- access_token=self.OIDC_ADMIN_TOKEN,
- )
- self.assertEqual(HTTPStatus.OK, channel.code, msg=channel.json_body)
- timestamp_ms = channel.json_body["updatable_without_uia_before_ms"]
- # Advance to 1 second after the replacement period ends.
- self.reactor.advance(timestamp_ms - self.clock.time_msec() + 1000)
- with patch_get_user_by_access_token:
- # We should not be able to upload master key3 because the replacement has
- # expired.
- channel = self.make_request(
- "POST",
- "/_matrix/client/v3/keys/device_signing/upload",
- access_token=alice_token,
- content={
- "master_key": master_key3,
- },
- )
- self.assertEqual(
- channel.code, HTTPStatus.NOT_IMPLEMENTED, channel.json_body
- )
|