test_auth.py 7.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218
  1. # Copyright 2015, 2016 OpenMarket Ltd
  2. #
  3. # Licensed under the Apache License, Version 2.0 (the "License");
  4. # you may not use this file except in compliance with the License.
  5. # You may obtain a copy of the License at
  6. #
  7. # http://www.apache.org/licenses/LICENSE-2.0
  8. #
  9. # Unless required by applicable law or agreed to in writing, software
  10. # distributed under the License is distributed on an "AS IS" BASIS,
  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. # See the License for the specific language governing permissions and
  13. # limitations under the License.
  14. from unittest.mock import Mock
  15. import pymacaroons
  16. from synapse.api.errors import AuthError, ResourceLimitError
  17. from synapse.rest import admin
  18. from tests import unittest
  19. from tests.test_utils import make_awaitable
  20. class AuthTestCase(unittest.HomeserverTestCase):
  21. servlets = [
  22. admin.register_servlets,
  23. ]
  24. def prepare(self, reactor, clock, hs):
  25. self.auth_handler = hs.get_auth_handler()
  26. self.macaroon_generator = hs.get_macaroon_generator()
  27. # MAU tests
  28. # AuthBlocking reads from the hs' config on initialization. We need to
  29. # modify its config instead of the hs'
  30. self.auth_blocking = hs.get_auth()._auth_blocking
  31. self.auth_blocking._max_mau_value = 50
  32. self.small_number_of_users = 1
  33. self.large_number_of_users = 100
  34. self.user1 = self.register_user("a_user", "pass")
  35. def test_macaroon_caveats(self):
  36. token = self.macaroon_generator.generate_guest_access_token("a_user")
  37. macaroon = pymacaroons.Macaroon.deserialize(token)
  38. def verify_gen(caveat):
  39. return caveat == "gen = 1"
  40. def verify_user(caveat):
  41. return caveat == "user_id = a_user"
  42. def verify_type(caveat):
  43. return caveat == "type = access"
  44. def verify_nonce(caveat):
  45. return caveat.startswith("nonce =")
  46. def verify_guest(caveat):
  47. return caveat == "guest = true"
  48. v = pymacaroons.Verifier()
  49. v.satisfy_general(verify_gen)
  50. v.satisfy_general(verify_user)
  51. v.satisfy_general(verify_type)
  52. v.satisfy_general(verify_nonce)
  53. v.satisfy_general(verify_guest)
  54. v.verify(macaroon, self.hs.config.key.macaroon_secret_key)
  55. def test_short_term_login_token_gives_user_id(self):
  56. token = self.macaroon_generator.generate_short_term_login_token(
  57. self.user1, "", 5000
  58. )
  59. res = self.get_success(self.auth_handler.validate_short_term_login_token(token))
  60. self.assertEqual(self.user1, res.user_id)
  61. self.assertEqual("", res.auth_provider_id)
  62. # when we advance the clock, the token should be rejected
  63. self.reactor.advance(6)
  64. self.get_failure(
  65. self.auth_handler.validate_short_term_login_token(token),
  66. AuthError,
  67. )
  68. def test_short_term_login_token_gives_auth_provider(self):
  69. token = self.macaroon_generator.generate_short_term_login_token(
  70. self.user1, auth_provider_id="my_idp"
  71. )
  72. res = self.get_success(self.auth_handler.validate_short_term_login_token(token))
  73. self.assertEqual(self.user1, res.user_id)
  74. self.assertEqual("my_idp", res.auth_provider_id)
  75. def test_short_term_login_token_cannot_replace_user_id(self):
  76. token = self.macaroon_generator.generate_short_term_login_token(
  77. self.user1, "", 5000
  78. )
  79. macaroon = pymacaroons.Macaroon.deserialize(token)
  80. res = self.get_success(
  81. self.auth_handler.validate_short_term_login_token(macaroon.serialize())
  82. )
  83. self.assertEqual(self.user1, res.user_id)
  84. # add another "user_id" caveat, which might allow us to override the
  85. # user_id.
  86. macaroon.add_first_party_caveat("user_id = b_user")
  87. self.get_failure(
  88. self.auth_handler.validate_short_term_login_token(macaroon.serialize()),
  89. AuthError,
  90. )
  91. def test_mau_limits_disabled(self):
  92. self.auth_blocking._limit_usage_by_mau = False
  93. # Ensure does not throw exception
  94. self.get_success(
  95. self.auth_handler.create_access_token_for_user_id(
  96. self.user1, device_id=None, valid_until_ms=None
  97. )
  98. )
  99. self.get_success(
  100. self.auth_handler.validate_short_term_login_token(
  101. self._get_macaroon().serialize()
  102. )
  103. )
  104. def test_mau_limits_exceeded_large(self):
  105. self.auth_blocking._limit_usage_by_mau = True
  106. self.hs.get_datastore().get_monthly_active_count = Mock(
  107. return_value=make_awaitable(self.large_number_of_users)
  108. )
  109. self.get_failure(
  110. self.auth_handler.create_access_token_for_user_id(
  111. self.user1, device_id=None, valid_until_ms=None
  112. ),
  113. ResourceLimitError,
  114. )
  115. self.hs.get_datastore().get_monthly_active_count = Mock(
  116. return_value=make_awaitable(self.large_number_of_users)
  117. )
  118. self.get_failure(
  119. self.auth_handler.validate_short_term_login_token(
  120. self._get_macaroon().serialize()
  121. ),
  122. ResourceLimitError,
  123. )
  124. def test_mau_limits_parity(self):
  125. # Ensure we're not at the unix epoch.
  126. self.reactor.advance(1)
  127. self.auth_blocking._limit_usage_by_mau = True
  128. # Set the server to be at the edge of too many users.
  129. self.hs.get_datastore().get_monthly_active_count = Mock(
  130. return_value=make_awaitable(self.auth_blocking._max_mau_value)
  131. )
  132. # If not in monthly active cohort
  133. self.get_failure(
  134. self.auth_handler.create_access_token_for_user_id(
  135. self.user1, device_id=None, valid_until_ms=None
  136. ),
  137. ResourceLimitError,
  138. )
  139. self.get_failure(
  140. self.auth_handler.validate_short_term_login_token(
  141. self._get_macaroon().serialize()
  142. ),
  143. ResourceLimitError,
  144. )
  145. # If in monthly active cohort
  146. self.hs.get_datastore().user_last_seen_monthly_active = Mock(
  147. return_value=make_awaitable(self.clock.time_msec())
  148. )
  149. self.get_success(
  150. self.auth_handler.create_access_token_for_user_id(
  151. self.user1, device_id=None, valid_until_ms=None
  152. )
  153. )
  154. self.get_success(
  155. self.auth_handler.validate_short_term_login_token(
  156. self._get_macaroon().serialize()
  157. )
  158. )
  159. def test_mau_limits_not_exceeded(self):
  160. self.auth_blocking._limit_usage_by_mau = True
  161. self.hs.get_datastore().get_monthly_active_count = Mock(
  162. return_value=make_awaitable(self.small_number_of_users)
  163. )
  164. # Ensure does not raise exception
  165. self.get_success(
  166. self.auth_handler.create_access_token_for_user_id(
  167. self.user1, device_id=None, valid_until_ms=None
  168. )
  169. )
  170. self.hs.get_datastore().get_monthly_active_count = Mock(
  171. return_value=make_awaitable(self.small_number_of_users)
  172. )
  173. self.get_success(
  174. self.auth_handler.validate_short_term_login_token(
  175. self._get_macaroon().serialize()
  176. )
  177. )
  178. def _get_macaroon(self):
  179. token = self.macaroon_generator.generate_short_term_login_token(
  180. self.user1, "", 5000
  181. )
  182. return pymacaroons.Macaroon.deserialize(token)