test_macaroons.py 5.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119
  1. # Copyright 2022 The Matrix.org Foundation C.I.C.
  2. #
  3. # Licensed under the Apache License, Version 2.0 (the "License");
  4. # you may not use this file except in compliance with the License.
  5. # You may obtain a copy of the License at
  6. #
  7. # http://www.apache.org/licenses/LICENSE-2.0
  8. #
  9. # Unless required by applicable law or agreed to in writing, software
  10. # distributed under the License is distributed on an "AS IS" BASIS,
  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. # See the License for the specific language governing permissions and
  13. # limitations under the License.
  14. from pymacaroons.exceptions import MacaroonVerificationFailedException
  15. from synapse.util.macaroons import MacaroonGenerator, OidcSessionData
  16. from tests.server import get_clock
  17. from tests.unittest import TestCase
  18. class MacaroonGeneratorTestCase(TestCase):
  19. def setUp(self) -> None:
  20. self.reactor, hs_clock = get_clock()
  21. self.macaroon_generator = MacaroonGenerator(hs_clock, "tesths", b"verysecret")
  22. self.other_macaroon_generator = MacaroonGenerator(
  23. hs_clock, "tesths", b"anothersecretkey"
  24. )
  25. def test_guest_access_token(self) -> None:
  26. """Test the generation and verification of guest access tokens"""
  27. token = self.macaroon_generator.generate_guest_access_token("@user:tesths")
  28. user_id = self.macaroon_generator.verify_guest_token(token)
  29. self.assertEqual(user_id, "@user:tesths")
  30. # Raises with another secret key
  31. with self.assertRaises(MacaroonVerificationFailedException):
  32. self.other_macaroon_generator.verify_guest_token(token)
  33. # Check that an old access token without the guest caveat does not work
  34. macaroon = self.macaroon_generator._generate_base_macaroon("access")
  35. macaroon.add_first_party_caveat(f"user_id = {user_id}")
  36. macaroon.add_first_party_caveat("nonce = 0123456789abcdef")
  37. token = macaroon.serialize()
  38. with self.assertRaises(MacaroonVerificationFailedException):
  39. self.macaroon_generator.verify_guest_token(token)
  40. def test_delete_pusher_token(self) -> None:
  41. """Test the generation and verification of delete_pusher tokens"""
  42. token = self.macaroon_generator.generate_delete_pusher_token(
  43. "@user:tesths", "m.mail", "john@example.com"
  44. )
  45. user_id = self.macaroon_generator.verify_delete_pusher_token(
  46. token, "m.mail", "john@example.com"
  47. )
  48. self.assertEqual(user_id, "@user:tesths")
  49. # Raises with another secret key
  50. with self.assertRaises(MacaroonVerificationFailedException):
  51. self.other_macaroon_generator.verify_delete_pusher_token(
  52. token, "m.mail", "john@example.com"
  53. )
  54. # Raises when verifying for another pushkey
  55. with self.assertRaises(MacaroonVerificationFailedException):
  56. self.macaroon_generator.verify_delete_pusher_token(
  57. token, "m.mail", "other@example.com"
  58. )
  59. # Raises when verifying for another app_id
  60. with self.assertRaises(MacaroonVerificationFailedException):
  61. self.macaroon_generator.verify_delete_pusher_token(
  62. token, "somethingelse", "john@example.com"
  63. )
  64. # Check that an old token without the app_id and pushkey still works
  65. macaroon = self.macaroon_generator._generate_base_macaroon("delete_pusher")
  66. macaroon.add_first_party_caveat("user_id = @user:tesths")
  67. token = macaroon.serialize()
  68. user_id = self.macaroon_generator.verify_delete_pusher_token(
  69. token, "m.mail", "john@example.com"
  70. )
  71. self.assertEqual(user_id, "@user:tesths")
  72. def test_oidc_session_token(self) -> None:
  73. """Test the generation and verification of OIDC session cookies"""
  74. state = "arandomstate"
  75. session_data = OidcSessionData(
  76. idp_id="oidc",
  77. nonce="nonce",
  78. client_redirect_url="https://example.com/",
  79. ui_auth_session_id="",
  80. code_verifier="",
  81. )
  82. token = self.macaroon_generator.generate_oidc_session_token(
  83. state, session_data, duration_in_ms=2 * 60 * 1000
  84. ).encode("utf-8")
  85. info = self.macaroon_generator.verify_oidc_session_token(token, state)
  86. self.assertEqual(session_data, info)
  87. # Raises with another secret key
  88. with self.assertRaises(MacaroonVerificationFailedException):
  89. self.other_macaroon_generator.verify_oidc_session_token(token, state)
  90. # Should raise with another state
  91. with self.assertRaises(MacaroonVerificationFailedException):
  92. self.macaroon_generator.verify_oidc_session_token(token, "anotherstate")
  93. # Wait a minute
  94. self.reactor.pump([60])
  95. # Shouldn't raise
  96. self.macaroon_generator.verify_oidc_session_token(token, state)
  97. # Wait another minute
  98. self.reactor.pump([60])
  99. # Should raise since it expired
  100. with self.assertRaises(MacaroonVerificationFailedException):
  101. self.macaroon_generator.verify_oidc_session_token(token, state)