1
0

test_user.py 26 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2018 New Vector Ltd
  3. #
  4. # Licensed under the Apache License, Version 2.0 (the "License");
  5. # you may not use this file except in compliance with the License.
  6. # You may obtain a copy of the License at
  7. #
  8. # http://www.apache.org/licenses/LICENSE-2.0
  9. #
  10. # Unless required by applicable law or agreed to in writing, software
  11. # distributed under the License is distributed on an "AS IS" BASIS,
  12. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13. # See the License for the specific language governing permissions and
  14. # limitations under the License.
  15. import hashlib
  16. import hmac
  17. import json
  18. import urllib.parse
  19. from mock import Mock
  20. import synapse.rest.admin
  21. from synapse.api.constants import UserTypes
  22. from synapse.rest.client.v1 import login
  23. from tests import unittest
  24. class UserRegisterTestCase(unittest.HomeserverTestCase):
  25. servlets = [synapse.rest.admin.register_servlets_for_client_rest_resource]
  26. def make_homeserver(self, reactor, clock):
  27. self.url = "/_matrix/client/r0/admin/register"
  28. self.registration_handler = Mock()
  29. self.identity_handler = Mock()
  30. self.login_handler = Mock()
  31. self.device_handler = Mock()
  32. self.device_handler.check_device_registered = Mock(return_value="FAKE")
  33. self.datastore = Mock(return_value=Mock())
  34. self.datastore.get_current_state_deltas = Mock(return_value=(0, []))
  35. self.secrets = Mock()
  36. self.hs = self.setup_test_homeserver()
  37. self.hs.config.registration_shared_secret = "shared"
  38. self.hs.get_media_repository = Mock()
  39. self.hs.get_deactivate_account_handler = Mock()
  40. return self.hs
  41. def test_disabled(self):
  42. """
  43. If there is no shared secret, registration through this method will be
  44. prevented.
  45. """
  46. self.hs.config.registration_shared_secret = None
  47. request, channel = self.make_request("POST", self.url, b"{}")
  48. self.render(request)
  49. self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
  50. self.assertEqual(
  51. "Shared secret registration is not enabled", channel.json_body["error"]
  52. )
  53. def test_get_nonce(self):
  54. """
  55. Calling GET on the endpoint will return a randomised nonce, using the
  56. homeserver's secrets provider.
  57. """
  58. secrets = Mock()
  59. secrets.token_hex = Mock(return_value="abcd")
  60. self.hs.get_secrets = Mock(return_value=secrets)
  61. request, channel = self.make_request("GET", self.url)
  62. self.render(request)
  63. self.assertEqual(channel.json_body, {"nonce": "abcd"})
  64. def test_expired_nonce(self):
  65. """
  66. Calling GET on the endpoint will return a randomised nonce, which will
  67. only last for SALT_TIMEOUT (60s).
  68. """
  69. request, channel = self.make_request("GET", self.url)
  70. self.render(request)
  71. nonce = channel.json_body["nonce"]
  72. # 59 seconds
  73. self.reactor.advance(59)
  74. body = json.dumps({"nonce": nonce})
  75. request, channel = self.make_request("POST", self.url, body.encode("utf8"))
  76. self.render(request)
  77. self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
  78. self.assertEqual("username must be specified", channel.json_body["error"])
  79. # 61 seconds
  80. self.reactor.advance(2)
  81. request, channel = self.make_request("POST", self.url, body.encode("utf8"))
  82. self.render(request)
  83. self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
  84. self.assertEqual("unrecognised nonce", channel.json_body["error"])
  85. def test_register_incorrect_nonce(self):
  86. """
  87. Only the provided nonce can be used, as it's checked in the MAC.
  88. """
  89. request, channel = self.make_request("GET", self.url)
  90. self.render(request)
  91. nonce = channel.json_body["nonce"]
  92. want_mac = hmac.new(key=b"shared", digestmod=hashlib.sha1)
  93. want_mac.update(b"notthenonce\x00bob\x00abc123\x00admin")
  94. want_mac = want_mac.hexdigest()
  95. body = json.dumps(
  96. {
  97. "nonce": nonce,
  98. "username": "bob",
  99. "password": "abc123",
  100. "admin": True,
  101. "mac": want_mac,
  102. }
  103. )
  104. request, channel = self.make_request("POST", self.url, body.encode("utf8"))
  105. self.render(request)
  106. self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
  107. self.assertEqual("HMAC incorrect", channel.json_body["error"])
  108. def test_register_correct_nonce(self):
  109. """
  110. When the correct nonce is provided, and the right key is provided, the
  111. user is registered.
  112. """
  113. request, channel = self.make_request("GET", self.url)
  114. self.render(request)
  115. nonce = channel.json_body["nonce"]
  116. want_mac = hmac.new(key=b"shared", digestmod=hashlib.sha1)
  117. want_mac.update(
  118. nonce.encode("ascii") + b"\x00bob\x00abc123\x00admin\x00support"
  119. )
  120. want_mac = want_mac.hexdigest()
  121. body = json.dumps(
  122. {
  123. "nonce": nonce,
  124. "username": "bob",
  125. "password": "abc123",
  126. "admin": True,
  127. "user_type": UserTypes.SUPPORT,
  128. "mac": want_mac,
  129. }
  130. )
  131. request, channel = self.make_request("POST", self.url, body.encode("utf8"))
  132. self.render(request)
  133. self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
  134. self.assertEqual("@bob:test", channel.json_body["user_id"])
  135. def test_nonce_reuse(self):
  136. """
  137. A valid unrecognised nonce.
  138. """
  139. request, channel = self.make_request("GET", self.url)
  140. self.render(request)
  141. nonce = channel.json_body["nonce"]
  142. want_mac = hmac.new(key=b"shared", digestmod=hashlib.sha1)
  143. want_mac.update(nonce.encode("ascii") + b"\x00bob\x00abc123\x00admin")
  144. want_mac = want_mac.hexdigest()
  145. body = json.dumps(
  146. {
  147. "nonce": nonce,
  148. "username": "bob",
  149. "password": "abc123",
  150. "admin": True,
  151. "mac": want_mac,
  152. }
  153. )
  154. request, channel = self.make_request("POST", self.url, body.encode("utf8"))
  155. self.render(request)
  156. self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
  157. self.assertEqual("@bob:test", channel.json_body["user_id"])
  158. # Now, try and reuse it
  159. request, channel = self.make_request("POST", self.url, body.encode("utf8"))
  160. self.render(request)
  161. self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
  162. self.assertEqual("unrecognised nonce", channel.json_body["error"])
  163. def test_missing_parts(self):
  164. """
  165. Synapse will complain if you don't give nonce, username, password, and
  166. mac. Admin and user_types are optional. Additional checks are done for length
  167. and type.
  168. """
  169. def nonce():
  170. request, channel = self.make_request("GET", self.url)
  171. self.render(request)
  172. return channel.json_body["nonce"]
  173. #
  174. # Nonce check
  175. #
  176. # Must be present
  177. body = json.dumps({})
  178. request, channel = self.make_request("POST", self.url, body.encode("utf8"))
  179. self.render(request)
  180. self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
  181. self.assertEqual("nonce must be specified", channel.json_body["error"])
  182. #
  183. # Username checks
  184. #
  185. # Must be present
  186. body = json.dumps({"nonce": nonce()})
  187. request, channel = self.make_request("POST", self.url, body.encode("utf8"))
  188. self.render(request)
  189. self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
  190. self.assertEqual("username must be specified", channel.json_body["error"])
  191. # Must be a string
  192. body = json.dumps({"nonce": nonce(), "username": 1234})
  193. request, channel = self.make_request("POST", self.url, body.encode("utf8"))
  194. self.render(request)
  195. self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
  196. self.assertEqual("Invalid username", channel.json_body["error"])
  197. # Must not have null bytes
  198. body = json.dumps({"nonce": nonce(), "username": "abcd\u0000"})
  199. request, channel = self.make_request("POST", self.url, body.encode("utf8"))
  200. self.render(request)
  201. self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
  202. self.assertEqual("Invalid username", channel.json_body["error"])
  203. # Must not have null bytes
  204. body = json.dumps({"nonce": nonce(), "username": "a" * 1000})
  205. request, channel = self.make_request("POST", self.url, body.encode("utf8"))
  206. self.render(request)
  207. self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
  208. self.assertEqual("Invalid username", channel.json_body["error"])
  209. #
  210. # Password checks
  211. #
  212. # Must be present
  213. body = json.dumps({"nonce": nonce(), "username": "a"})
  214. request, channel = self.make_request("POST", self.url, body.encode("utf8"))
  215. self.render(request)
  216. self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
  217. self.assertEqual("password must be specified", channel.json_body["error"])
  218. # Must be a string
  219. body = json.dumps({"nonce": nonce(), "username": "a", "password": 1234})
  220. request, channel = self.make_request("POST", self.url, body.encode("utf8"))
  221. self.render(request)
  222. self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
  223. self.assertEqual("Invalid password", channel.json_body["error"])
  224. # Must not have null bytes
  225. body = json.dumps({"nonce": nonce(), "username": "a", "password": "abcd\u0000"})
  226. request, channel = self.make_request("POST", self.url, body.encode("utf8"))
  227. self.render(request)
  228. self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
  229. self.assertEqual("Invalid password", channel.json_body["error"])
  230. # Super long
  231. body = json.dumps({"nonce": nonce(), "username": "a", "password": "A" * 1000})
  232. request, channel = self.make_request("POST", self.url, body.encode("utf8"))
  233. self.render(request)
  234. self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
  235. self.assertEqual("Invalid password", channel.json_body["error"])
  236. #
  237. # user_type check
  238. #
  239. # Invalid user_type
  240. body = json.dumps(
  241. {
  242. "nonce": nonce(),
  243. "username": "a",
  244. "password": "1234",
  245. "user_type": "invalid",
  246. }
  247. )
  248. request, channel = self.make_request("POST", self.url, body.encode("utf8"))
  249. self.render(request)
  250. self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
  251. self.assertEqual("Invalid user type", channel.json_body["error"])
  252. class UsersListTestCase(unittest.HomeserverTestCase):
  253. servlets = [
  254. synapse.rest.admin.register_servlets,
  255. login.register_servlets,
  256. ]
  257. url = "/_synapse/admin/v2/users"
  258. def prepare(self, reactor, clock, hs):
  259. self.admin_user = self.register_user("admin", "pass", admin=True)
  260. self.admin_user_tok = self.login("admin", "pass")
  261. self.register_user("user1", "pass1", admin=False)
  262. self.register_user("user2", "pass2", admin=False)
  263. def test_no_auth(self):
  264. """
  265. Try to list users without authentication.
  266. """
  267. request, channel = self.make_request("GET", self.url, b"{}")
  268. self.render(request)
  269. self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
  270. self.assertEqual("M_MISSING_TOKEN", channel.json_body["errcode"])
  271. def test_all_users(self):
  272. """
  273. List all users, including deactivated users.
  274. """
  275. request, channel = self.make_request(
  276. "GET",
  277. self.url + "?deactivated=true",
  278. b"{}",
  279. access_token=self.admin_user_tok,
  280. )
  281. self.render(request)
  282. self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
  283. self.assertEqual(3, len(channel.json_body["users"]))
  284. self.assertEqual(3, channel.json_body["total"])
  285. class UserRestTestCase(unittest.HomeserverTestCase):
  286. servlets = [
  287. synapse.rest.admin.register_servlets,
  288. login.register_servlets,
  289. ]
  290. def prepare(self, reactor, clock, hs):
  291. self.store = hs.get_datastore()
  292. self.admin_user = self.register_user("admin", "pass", admin=True)
  293. self.admin_user_tok = self.login("admin", "pass")
  294. self.other_user = self.register_user("user", "pass")
  295. self.other_user_token = self.login("user", "pass")
  296. self.url_other_user = "/_synapse/admin/v2/users/%s" % urllib.parse.quote(
  297. self.other_user
  298. )
  299. def test_requester_is_no_admin(self):
  300. """
  301. If the user is not a server admin, an error is returned.
  302. """
  303. self.hs.config.registration_shared_secret = None
  304. url = "/_synapse/admin/v2/users/@bob:test"
  305. request, channel = self.make_request(
  306. "GET", url, access_token=self.other_user_token,
  307. )
  308. self.render(request)
  309. self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
  310. self.assertEqual("You are not a server admin", channel.json_body["error"])
  311. request, channel = self.make_request(
  312. "PUT", url, access_token=self.other_user_token, content=b"{}",
  313. )
  314. self.render(request)
  315. self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
  316. self.assertEqual("You are not a server admin", channel.json_body["error"])
  317. def test_user_does_not_exist(self):
  318. """
  319. Tests that a lookup for a user that does not exist returns a 404
  320. """
  321. self.hs.config.registration_shared_secret = None
  322. request, channel = self.make_request(
  323. "GET",
  324. "/_synapse/admin/v2/users/@unknown_person:test",
  325. access_token=self.admin_user_tok,
  326. )
  327. self.render(request)
  328. self.assertEqual(404, channel.code, msg=channel.json_body)
  329. self.assertEqual("M_NOT_FOUND", channel.json_body["errcode"])
  330. def test_create_server_admin(self):
  331. """
  332. Check that a new admin user is created successfully.
  333. """
  334. self.hs.config.registration_shared_secret = None
  335. url = "/_synapse/admin/v2/users/@bob:test"
  336. # Create user (server admin)
  337. body = json.dumps(
  338. {
  339. "password": "abc123",
  340. "admin": True,
  341. "displayname": "Bob's name",
  342. "threepids": [{"medium": "email", "address": "bob@bob.bob"}],
  343. "avatar_url": None,
  344. }
  345. )
  346. request, channel = self.make_request(
  347. "PUT",
  348. url,
  349. access_token=self.admin_user_tok,
  350. content=body.encode(encoding="utf_8"),
  351. )
  352. self.render(request)
  353. self.assertEqual(201, int(channel.result["code"]), msg=channel.result["body"])
  354. self.assertEqual("@bob:test", channel.json_body["name"])
  355. self.assertEqual("Bob's name", channel.json_body["displayname"])
  356. self.assertEqual("email", channel.json_body["threepids"][0]["medium"])
  357. self.assertEqual("bob@bob.bob", channel.json_body["threepids"][0]["address"])
  358. self.assertEqual(True, channel.json_body["admin"])
  359. # Get user
  360. request, channel = self.make_request(
  361. "GET", url, access_token=self.admin_user_tok,
  362. )
  363. self.render(request)
  364. self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
  365. self.assertEqual("@bob:test", channel.json_body["name"])
  366. self.assertEqual("Bob's name", channel.json_body["displayname"])
  367. self.assertEqual("email", channel.json_body["threepids"][0]["medium"])
  368. self.assertEqual("bob@bob.bob", channel.json_body["threepids"][0]["address"])
  369. self.assertEqual(True, channel.json_body["admin"])
  370. self.assertEqual(False, channel.json_body["is_guest"])
  371. self.assertEqual(False, channel.json_body["deactivated"])
  372. def test_create_user(self):
  373. """
  374. Check that a new regular user is created successfully.
  375. """
  376. self.hs.config.registration_shared_secret = None
  377. url = "/_synapse/admin/v2/users/@bob:test"
  378. # Create user
  379. body = json.dumps(
  380. {
  381. "password": "abc123",
  382. "admin": False,
  383. "displayname": "Bob's name",
  384. "threepids": [{"medium": "email", "address": "bob@bob.bob"}],
  385. }
  386. )
  387. request, channel = self.make_request(
  388. "PUT",
  389. url,
  390. access_token=self.admin_user_tok,
  391. content=body.encode(encoding="utf_8"),
  392. )
  393. self.render(request)
  394. self.assertEqual(201, int(channel.result["code"]), msg=channel.result["body"])
  395. self.assertEqual("@bob:test", channel.json_body["name"])
  396. self.assertEqual("Bob's name", channel.json_body["displayname"])
  397. self.assertEqual("email", channel.json_body["threepids"][0]["medium"])
  398. self.assertEqual("bob@bob.bob", channel.json_body["threepids"][0]["address"])
  399. self.assertEqual(False, channel.json_body["admin"])
  400. # Get user
  401. request, channel = self.make_request(
  402. "GET", url, access_token=self.admin_user_tok,
  403. )
  404. self.render(request)
  405. self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
  406. self.assertEqual("@bob:test", channel.json_body["name"])
  407. self.assertEqual("Bob's name", channel.json_body["displayname"])
  408. self.assertEqual("email", channel.json_body["threepids"][0]["medium"])
  409. self.assertEqual("bob@bob.bob", channel.json_body["threepids"][0]["address"])
  410. self.assertEqual(False, channel.json_body["admin"])
  411. self.assertEqual(False, channel.json_body["is_guest"])
  412. self.assertEqual(False, channel.json_body["deactivated"])
  413. def test_set_password(self):
  414. """
  415. Test setting a new password for another user.
  416. """
  417. self.hs.config.registration_shared_secret = None
  418. # Change password
  419. body = json.dumps({"password": "hahaha"})
  420. request, channel = self.make_request(
  421. "PUT",
  422. self.url_other_user,
  423. access_token=self.admin_user_tok,
  424. content=body.encode(encoding="utf_8"),
  425. )
  426. self.render(request)
  427. self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
  428. def test_set_displayname(self):
  429. """
  430. Test setting the displayname of another user.
  431. """
  432. self.hs.config.registration_shared_secret = None
  433. # Modify user
  434. body = json.dumps({"displayname": "foobar"})
  435. request, channel = self.make_request(
  436. "PUT",
  437. self.url_other_user,
  438. access_token=self.admin_user_tok,
  439. content=body.encode(encoding="utf_8"),
  440. )
  441. self.render(request)
  442. self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
  443. self.assertEqual("@user:test", channel.json_body["name"])
  444. self.assertEqual("foobar", channel.json_body["displayname"])
  445. # Get user
  446. request, channel = self.make_request(
  447. "GET", self.url_other_user, access_token=self.admin_user_tok,
  448. )
  449. self.render(request)
  450. self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
  451. self.assertEqual("@user:test", channel.json_body["name"])
  452. self.assertEqual("foobar", channel.json_body["displayname"])
  453. def test_set_threepid(self):
  454. """
  455. Test setting threepid for an other user.
  456. """
  457. self.hs.config.registration_shared_secret = None
  458. # Delete old and add new threepid to user
  459. body = json.dumps(
  460. {"threepids": [{"medium": "email", "address": "bob3@bob.bob"}]}
  461. )
  462. request, channel = self.make_request(
  463. "PUT",
  464. self.url_other_user,
  465. access_token=self.admin_user_tok,
  466. content=body.encode(encoding="utf_8"),
  467. )
  468. self.render(request)
  469. self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
  470. self.assertEqual("@user:test", channel.json_body["name"])
  471. self.assertEqual("email", channel.json_body["threepids"][0]["medium"])
  472. self.assertEqual("bob3@bob.bob", channel.json_body["threepids"][0]["address"])
  473. # Get user
  474. request, channel = self.make_request(
  475. "GET", self.url_other_user, access_token=self.admin_user_tok,
  476. )
  477. self.render(request)
  478. self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
  479. self.assertEqual("@user:test", channel.json_body["name"])
  480. self.assertEqual("email", channel.json_body["threepids"][0]["medium"])
  481. self.assertEqual("bob3@bob.bob", channel.json_body["threepids"][0]["address"])
  482. def test_deactivate_user(self):
  483. """
  484. Test deactivating another user.
  485. """
  486. # Deactivate user
  487. body = json.dumps({"deactivated": True})
  488. request, channel = self.make_request(
  489. "PUT",
  490. self.url_other_user,
  491. access_token=self.admin_user_tok,
  492. content=body.encode(encoding="utf_8"),
  493. )
  494. self.render(request)
  495. self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
  496. self.assertEqual("@user:test", channel.json_body["name"])
  497. self.assertEqual(True, channel.json_body["deactivated"])
  498. # the user is deactivated, the threepid will be deleted
  499. # Get user
  500. request, channel = self.make_request(
  501. "GET", self.url_other_user, access_token=self.admin_user_tok,
  502. )
  503. self.render(request)
  504. self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
  505. self.assertEqual("@user:test", channel.json_body["name"])
  506. self.assertEqual(True, channel.json_body["deactivated"])
  507. def test_set_user_as_admin(self):
  508. """
  509. Test setting the admin flag on a user.
  510. """
  511. self.hs.config.registration_shared_secret = None
  512. # Set a user as an admin
  513. body = json.dumps({"admin": True})
  514. request, channel = self.make_request(
  515. "PUT",
  516. self.url_other_user,
  517. access_token=self.admin_user_tok,
  518. content=body.encode(encoding="utf_8"),
  519. )
  520. self.render(request)
  521. self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
  522. self.assertEqual("@user:test", channel.json_body["name"])
  523. self.assertEqual(True, channel.json_body["admin"])
  524. # Get user
  525. request, channel = self.make_request(
  526. "GET", self.url_other_user, access_token=self.admin_user_tok,
  527. )
  528. self.render(request)
  529. self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
  530. self.assertEqual("@user:test", channel.json_body["name"])
  531. self.assertEqual(True, channel.json_body["admin"])
  532. def test_accidental_deactivation_prevention(self):
  533. """
  534. Ensure an account can't accidentally be deactivated by using a str value
  535. for the deactivated body parameter
  536. """
  537. self.hs.config.registration_shared_secret = None
  538. url = "/_synapse/admin/v2/users/@bob:test"
  539. # Create user
  540. body = json.dumps({"password": "abc123"})
  541. request, channel = self.make_request(
  542. "PUT",
  543. url,
  544. access_token=self.admin_user_tok,
  545. content=body.encode(encoding="utf_8"),
  546. )
  547. self.render(request)
  548. self.assertEqual(201, int(channel.result["code"]), msg=channel.result["body"])
  549. self.assertEqual("@bob:test", channel.json_body["name"])
  550. self.assertEqual("bob", channel.json_body["displayname"])
  551. # Get user
  552. request, channel = self.make_request(
  553. "GET", url, access_token=self.admin_user_tok,
  554. )
  555. self.render(request)
  556. self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
  557. self.assertEqual("@bob:test", channel.json_body["name"])
  558. self.assertEqual("bob", channel.json_body["displayname"])
  559. self.assertEqual(0, channel.json_body["deactivated"])
  560. # Change password (and use a str for deactivate instead of a bool)
  561. body = json.dumps({"password": "abc123", "deactivated": "false"}) # oops!
  562. request, channel = self.make_request(
  563. "PUT",
  564. url,
  565. access_token=self.admin_user_tok,
  566. content=body.encode(encoding="utf_8"),
  567. )
  568. self.render(request)
  569. self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
  570. # Check user is not deactivated
  571. request, channel = self.make_request(
  572. "GET", url, access_token=self.admin_user_tok,
  573. )
  574. self.render(request)
  575. self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
  576. self.assertEqual("@bob:test", channel.json_body["name"])
  577. self.assertEqual("bob", channel.json_body["displayname"])
  578. # Ensure they're still alive
  579. self.assertEqual(0, channel.json_body["deactivated"])