1
0

test_power_levels.py 9.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283
  1. # Copyright 2020 The Matrix.org Foundation C.I.C.
  2. #
  3. # Licensed under the Apache License, Version 2.0 (the "License");
  4. # you may not use this file except in compliance with the License.
  5. # You may obtain a copy of the License at
  6. #
  7. # http://www.apache.org/licenses/LICENSE-2.0
  8. #
  9. # Unless required by applicable law or agreed to in writing, software
  10. # distributed under the License is distributed on an "AS IS" BASIS,
  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. # See the License for the specific language governing permissions and
  13. # limitations under the License.
  14. from synapse.api.errors import Codes
  15. from synapse.events.utils import CANONICALJSON_MAX_INT, CANONICALJSON_MIN_INT
  16. from synapse.rest import admin
  17. from synapse.rest.client import login, room, sync
  18. from tests.unittest import HomeserverTestCase
  19. class PowerLevelsTestCase(HomeserverTestCase):
  20. """Tests that power levels are enforced in various situations"""
  21. servlets = [
  22. admin.register_servlets,
  23. room.register_servlets,
  24. login.register_servlets,
  25. sync.register_servlets,
  26. ]
  27. def make_homeserver(self, reactor, clock):
  28. config = self.default_config()
  29. return self.setup_test_homeserver(config=config)
  30. def prepare(self, reactor, clock, hs):
  31. # register a room admin, moderator and regular user
  32. self.admin_user_id = self.register_user("admin", "pass")
  33. self.admin_access_token = self.login("admin", "pass")
  34. self.mod_user_id = self.register_user("mod", "pass")
  35. self.mod_access_token = self.login("mod", "pass")
  36. self.user_user_id = self.register_user("user", "pass")
  37. self.user_access_token = self.login("user", "pass")
  38. # Create a room
  39. self.room_id = self.helper.create_room_as(
  40. self.admin_user_id, tok=self.admin_access_token
  41. )
  42. # Invite the other users
  43. self.helper.invite(
  44. room=self.room_id,
  45. src=self.admin_user_id,
  46. tok=self.admin_access_token,
  47. targ=self.mod_user_id,
  48. )
  49. self.helper.invite(
  50. room=self.room_id,
  51. src=self.admin_user_id,
  52. tok=self.admin_access_token,
  53. targ=self.user_user_id,
  54. )
  55. # Make the other users join the room
  56. self.helper.join(
  57. room=self.room_id, user=self.mod_user_id, tok=self.mod_access_token
  58. )
  59. self.helper.join(
  60. room=self.room_id, user=self.user_user_id, tok=self.user_access_token
  61. )
  62. # Mod the mod
  63. room_power_levels = self.helper.get_state(
  64. self.room_id,
  65. "m.room.power_levels",
  66. tok=self.admin_access_token,
  67. )
  68. # Update existing power levels with mod at PL50
  69. room_power_levels["users"].update({self.mod_user_id: 50})
  70. self.helper.send_state(
  71. self.room_id,
  72. "m.room.power_levels",
  73. room_power_levels,
  74. tok=self.admin_access_token,
  75. )
  76. def test_non_admins_cannot_enable_room_encryption(self):
  77. # have the mod try to enable room encryption
  78. self.helper.send_state(
  79. self.room_id,
  80. "m.room.encryption",
  81. {"algorithm": "m.megolm.v1.aes-sha2"},
  82. tok=self.mod_access_token,
  83. expect_code=403, # expect failure
  84. )
  85. # have the user try to enable room encryption
  86. self.helper.send_state(
  87. self.room_id,
  88. "m.room.encryption",
  89. {"algorithm": "m.megolm.v1.aes-sha2"},
  90. tok=self.user_access_token,
  91. expect_code=403, # expect failure
  92. )
  93. def test_non_admins_cannot_send_server_acl(self):
  94. # have the mod try to send a server ACL
  95. self.helper.send_state(
  96. self.room_id,
  97. "m.room.server_acl",
  98. {
  99. "allow": ["*"],
  100. "allow_ip_literals": False,
  101. "deny": ["*.evil.com", "evil.com"],
  102. },
  103. tok=self.mod_access_token,
  104. expect_code=403, # expect failure
  105. )
  106. # have the user try to send a server ACL
  107. self.helper.send_state(
  108. self.room_id,
  109. "m.room.server_acl",
  110. {
  111. "allow": ["*"],
  112. "allow_ip_literals": False,
  113. "deny": ["*.evil.com", "evil.com"],
  114. },
  115. tok=self.user_access_token,
  116. expect_code=403, # expect failure
  117. )
  118. def test_non_admins_cannot_tombstone_room(self):
  119. # Create another room that will serve as our "upgraded room"
  120. self.upgraded_room_id = self.helper.create_room_as(
  121. self.admin_user_id, tok=self.admin_access_token
  122. )
  123. # have the mod try to send a tombstone event
  124. self.helper.send_state(
  125. self.room_id,
  126. "m.room.tombstone",
  127. {
  128. "body": "This room has been replaced",
  129. "replacement_room": self.upgraded_room_id,
  130. },
  131. tok=self.mod_access_token,
  132. expect_code=403, # expect failure
  133. )
  134. # have the user try to send a tombstone event
  135. self.helper.send_state(
  136. self.room_id,
  137. "m.room.tombstone",
  138. {
  139. "body": "This room has been replaced",
  140. "replacement_room": self.upgraded_room_id,
  141. },
  142. tok=self.user_access_token,
  143. expect_code=403, # expect failure
  144. )
  145. def test_admins_can_enable_room_encryption(self):
  146. # have the admin try to enable room encryption
  147. self.helper.send_state(
  148. self.room_id,
  149. "m.room.encryption",
  150. {"algorithm": "m.megolm.v1.aes-sha2"},
  151. tok=self.admin_access_token,
  152. expect_code=200, # expect success
  153. )
  154. def test_admins_can_send_server_acl(self):
  155. # have the admin try to send a server ACL
  156. self.helper.send_state(
  157. self.room_id,
  158. "m.room.server_acl",
  159. {
  160. "allow": ["*"],
  161. "allow_ip_literals": False,
  162. "deny": ["*.evil.com", "evil.com"],
  163. },
  164. tok=self.admin_access_token,
  165. expect_code=200, # expect success
  166. )
  167. def test_admins_can_tombstone_room(self):
  168. # Create another room that will serve as our "upgraded room"
  169. self.upgraded_room_id = self.helper.create_room_as(
  170. self.admin_user_id, tok=self.admin_access_token
  171. )
  172. # have the admin try to send a tombstone event
  173. self.helper.send_state(
  174. self.room_id,
  175. "m.room.tombstone",
  176. {
  177. "body": "This room has been replaced",
  178. "replacement_room": self.upgraded_room_id,
  179. },
  180. tok=self.admin_access_token,
  181. expect_code=200, # expect success
  182. )
  183. def test_cannot_set_string_power_levels(self):
  184. room_power_levels = self.helper.get_state(
  185. self.room_id,
  186. "m.room.power_levels",
  187. tok=self.admin_access_token,
  188. )
  189. # Update existing power levels with user at PL "0"
  190. room_power_levels["users"].update({self.user_user_id: "0"})
  191. body = self.helper.send_state(
  192. self.room_id,
  193. "m.room.power_levels",
  194. room_power_levels,
  195. tok=self.admin_access_token,
  196. expect_code=400, # expect failure
  197. )
  198. self.assertEqual(
  199. body["errcode"],
  200. Codes.BAD_JSON,
  201. body,
  202. )
  203. def test_cannot_set_unsafe_large_power_levels(self):
  204. room_power_levels = self.helper.get_state(
  205. self.room_id,
  206. "m.room.power_levels",
  207. tok=self.admin_access_token,
  208. )
  209. # Update existing power levels with user at PL above the max safe integer
  210. room_power_levels["users"].update(
  211. {self.user_user_id: CANONICALJSON_MAX_INT + 1}
  212. )
  213. body = self.helper.send_state(
  214. self.room_id,
  215. "m.room.power_levels",
  216. room_power_levels,
  217. tok=self.admin_access_token,
  218. expect_code=400, # expect failure
  219. )
  220. self.assertEqual(
  221. body["errcode"],
  222. Codes.BAD_JSON,
  223. body,
  224. )
  225. def test_cannot_set_unsafe_small_power_levels(self):
  226. room_power_levels = self.helper.get_state(
  227. self.room_id,
  228. "m.room.power_levels",
  229. tok=self.admin_access_token,
  230. )
  231. # Update existing power levels with user at PL below the minimum safe integer
  232. room_power_levels["users"].update(
  233. {self.user_user_id: CANONICALJSON_MIN_INT - 1}
  234. )
  235. body = self.helper.send_state(
  236. self.room_id,
  237. "m.room.power_levels",
  238. room_power_levels,
  239. tok=self.admin_access_token,
  240. expect_code=400, # expect failure
  241. )
  242. self.assertEqual(
  243. body["errcode"],
  244. Codes.BAD_JSON,
  245. body,
  246. )