diff options
author | Sean Quah <seanq@element.io> | 2021-12-07 16:38:29 +0000 |
---|---|---|
committer | Sean Quah <seanq@element.io> | 2021-12-07 16:47:31 +0000 |
commit | 158d73ebdd61eef33831ae5f6990acf07244fc55 (patch) | |
tree | 723f79596374042e349d55a6195cbe2b5eea29eb /tests/rest/client/test_auth.py | |
parent | Sort internal changes in changelog (diff) | |
download | synapse-158d73ebdd61eef33831ae5f6990acf07244fc55.tar.xz |
Revert accidental fast-forward merge from v1.49.0rc1
Revert "Sort internal changes in changelog" Revert "Update CHANGES.md" Revert "1.49.0rc1" Revert "Revert "Move `glob_to_regex` and `re_word_boundary` to `matrix-python-common` (#11505) (#11527)" Revert "Refactors in `_generate_sync_entry_for_rooms` (#11515)" Revert "Correctly register shutdown handler for presence workers (#11518)" Revert "Fix `ModuleApi.looping_background_call` for non-async functions (#11524)" Revert "Fix 'delete room' admin api to work on incomplete rooms (#11523)" Revert "Correctly ignore invites from ignored users (#11511)" Revert "Fix the test breakage introduced by #11435 as a result of concurrent PRs (#11522)" Revert "Stabilise support for MSC2918 refresh tokens as they have now been merged into the Matrix specification. (#11435)" Revert "Save the OIDC session ID (sid) with the device on login (#11482)" Revert "Add admin API to get some information about federation status (#11407)" Revert "Include bundled aggregations in /sync and related fixes (#11478)" Revert "Move `glob_to_regex` and `re_word_boundary` to `matrix-python-common` (#11505)" Revert "Update backward extremity docs to make it clear that it does not indicate whether we have fetched an events' `prev_events` (#11469)" Revert "Support configuring the lifetime of non-refreshable access tokens separately to refreshable access tokens. (#11445)" Revert "Add type hints to `synapse/tests/rest/admin` (#11501)" Revert "Revert accidental commits to develop." Revert "Newsfile" Revert "Give `tests.server.setup_test_homeserver` (nominally!) the same behaviour" Revert "Move `tests.utils.setup_test_homeserver` to `tests.server`" Revert "Convert one of the `setup_test_homeserver`s to `make_test_homeserver_synchronous`" Revert "Disambiguate queries on `state_key` (#11497)" Revert "Comments on the /sync tentacles (#11494)" Revert "Clean up tests.storage.test_appservice (#11492)" Revert "Clean up `tests.storage.test_main` to remove use of legacy code. (#11493)" Revert "Clean up `tests.test_visibility` to remove legacy code. (#11495)" Revert "Minor cleanup on recently ported doc pages (#11466)" Revert "Add most of the missing type hints to `synapse.federation`. (#11483)" Revert "Avoid waiting for zombie processes in `synctl stop` (#11490)" Revert "Fix media repository failing when media store path contains symlinks (#11446)" Revert "Add type annotations to `tests.storage.test_appservice`. (#11488)" Revert "`scripts-dev/sign_json`: support for signing events (#11486)" Revert "Add MSC3030 experimental client and federation API endpoints to get the closest event to a given timestamp (#9445)" Revert "Port wiki pages to documentation website (#11402)" Revert "Add a license header and comment. (#11479)" Revert "Clean-up get_version_string (#11468)" Revert "Link background update controller docs to summary (#11475)" Revert "Additional type hints for config module. (#11465)" Revert "Register the login redirect endpoint for v3. (#11451)" Revert "Update openid.md" Revert "Remove mention of OIDC certification from Dex (#11470)" Revert "Add a note about huge pages to our Postgres doc (#11467)" Revert "Don't start Synapse master process if `worker_app` is set (#11416)" Revert "Expose worker & homeserver as entrypoints in `setup.py` (#11449)" Revert "Bundle relations of relations into the `/relations` result. (#11284)" Revert "Fix `LruCache` corruption bug with a `size_callback` that can return 0 (#11454)" Revert "Eliminate a few `Any`s in `LruCache` type hints (#11453)" Revert "Remove unnecessary `json.dumps` from `tests.rest.admin` (#11461)" Revert "Merge branch 'master' into develop" This reverts commit 26b5d2320f62b5eb6262c7614fbdfc364a4dfc02. This reverts commit bce4220f387bf5448387f0ed7d14ed1e41e40747. This reverts commit 966b5d0fa0893c3b628c942dfc232e285417f46d. This reverts commit 088d748f2cb51f03f3bcacc0fb3af1e0f9607737. This reverts commit 14d593f72d10b4d8cb67e3288bb3131ee30ccf59. This reverts commit 2a3ec6facf79f6aae011d9fb6f9ed5e43c7b6bec. This reverts commit eccc49d7554d1fab001e1fefb0fda8ffb254b630. This reverts commit b1ecd19c5d19815b69e425d80f442bf2877cab76. This reverts commit 9c55dedc8c4484e6269451a8c3c10b3e314aeb4a. This reverts commit 2d42e586a8c54be1a83643148358b1651c1ca666. This reverts commit 2f053f3f82ca174cc1c858c75afffae51af8ce0d. This reverts commit a15a893df8428395df7cb95b729431575001c38a. This reverts commit 8b4b153c9e86c04c7db8c74fde4b6a04becbc461. This reverts commit 494ebd7347ba52d702802fba4c3bb13e7bfbc2cf. This reverts commit a77c36989785c0d5565ab9a1169f4f88e512ce8a. This reverts commit 4eb77965cd016181d2111f37d93526e9bb0434f0. This reverts commit 637df95de63196033a6da4a6e286e1d58ea517b6. This reverts commit e5f426cd54609e7f05f8241d845e6e36c5f10d9a. This reverts commit 8cd68b8102eeab1b525712097c1b2e9679c11896. This reverts commit 6cae125e20865c52d770b24278bb7ab8fde5bc0d. This reverts commit 7be88fbf48156b36b6daefb228e1258e7d48cae4. This reverts commit b3fd99b74a3f6f42a9afd1b19ee4c60e38e8e91a. This reverts commit f7ec6e7d9e0dc360d9fb41f3a1afd7bdba1475c7. This reverts commit 5640992d176a499204a0756b1677c9b1575b0a49. This reverts commit d26808dd854006bd26a2366c675428ce0737238c. This reverts commit f91624a5950e14ba9007eed9bfa1c828676d4745. This reverts commit 16d39a5490ce74c901c7a8dbb990c6e83c379207. This reverts commit 8a4c2969874c0b7d72003f2523883eba8a348e83. This reverts commit 49e1356ee3d5d72929c91f778b3a231726c1413c. This reverts commit d2279f471ba8f44d9f578e62b286897a338d8aa1. This reverts commit b50e39df578adc3f86c5efa16bee9035cfdab61b. This reverts commit 858d80bf0f9f656a03992794874081b806e49222. This reverts commit 435f04480728c5d982e1a63c1b2777784bf9cd26. This reverts commit f61462e1be36a51dbf571076afa8e1930cb182f4. This reverts commit a6f1a3abecf8e8fd3e1bff439a06b853df18f194. This reverts commit 84dc50e160a2ec6590813374b5a1e58b97f7a18d. This reverts commit ed635d32853ee0a3e5ec1078679b27e7844a4ac7. This reverts commit 7b62791e001d6a4f8897ed48b3232d7f8fe6aa48. This reverts commit 153194c7717d8016b0eb974c81b1baee7dc1917d. This reverts commit f44d729d4ccae61bc0cdd5774acb3233eb5f7c13. This reverts commit a265fbd397ae72b2d3ea4c9310591ff1d0f3e05c. This reverts commit b9fef1a7cdfcc128fa589a32160e6aa7ed8964d7. This reverts commit b0eb64ff7bf6bde42046e091f8bdea9b7aab5f04. This reverts commit f1795463bf503a6fca909d77f598f641f9349f56. This reverts commit 70cbb1a5e311f609b624e3fae1a1712db639c51e. This reverts commit 42bf0204635213e2c75188b19ee66dc7e7d8a35e. This reverts commit 379f2650cf875f50c59524147ec0e33cfd5ef60c. This reverts commit 7ff22d6da41cd5ca80db95c18b409aea38e49fcd. This reverts commit 5a0b652d36ae4b6d423498c1f2c82c97a49c6f75. This reverts commit 432a174bc192740ac7a0a755009f6099b8363ad9. This reverts commit b14f8a1baf6f500997ae4c1d6a6d72094ce14270, reversing changes made to e713855dca17a7605bae99ea8d71bc7f8657e4b8.
Diffstat (limited to 'tests/rest/client/test_auth.py')
-rw-r--r-- | tests/rest/client/test_auth.py | 265 |
1 files changed, 18 insertions, 247 deletions
diff --git a/tests/rest/client/test_auth.py b/tests/rest/client/test_auth.py index 72bbc87b4a..8552671431 100644 --- a/tests/rest/client/test_auth.py +++ b/tests/rest/client/test_auth.py @@ -12,7 +12,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -from http import HTTPStatus from typing import Optional, Union from twisted.internet.defer import succeed @@ -514,39 +513,12 @@ class RefreshAuthTests(unittest.HomeserverTestCase): self.user_pass = "pass" self.user = self.register_user("test", self.user_pass) - def use_refresh_token(self, refresh_token: str) -> FakeChannel: - """ - Helper that makes a request to use a refresh token. - """ - return self.make_request( - "POST", - "/_matrix/client/v1/refresh", - {"refresh_token": refresh_token}, - ) - - def is_access_token_valid(self, access_token) -> bool: - """ - Checks whether an access token is valid, returning whether it is or not. - """ - code = self.make_request( - "GET", "/_matrix/client/v3/account/whoami", access_token=access_token - ).code - - # Either 200 or 401 is what we get back; anything else is a bug. - assert code in {HTTPStatus.OK, HTTPStatus.UNAUTHORIZED} - - return code == HTTPStatus.OK - def test_login_issue_refresh_token(self): """ A login response should include a refresh_token only if asked. """ # Test login - body = { - "type": "m.login.password", - "user": "test", - "password": self.user_pass, - } + body = {"type": "m.login.password", "user": "test", "password": self.user_pass} login_without_refresh = self.make_request( "POST", "/_matrix/client/r0/login", body @@ -556,8 +528,8 @@ class RefreshAuthTests(unittest.HomeserverTestCase): login_with_refresh = self.make_request( "POST", - "/_matrix/client/r0/login", - {"refresh_token": True, **body}, + "/_matrix/client/r0/login?org.matrix.msc2918.refresh_token=true", + body, ) self.assertEqual(login_with_refresh.code, 200, login_with_refresh.result) self.assertIn("refresh_token", login_with_refresh.json_body) @@ -583,12 +555,11 @@ class RefreshAuthTests(unittest.HomeserverTestCase): register_with_refresh = self.make_request( "POST", - "/_matrix/client/r0/register", + "/_matrix/client/r0/register?org.matrix.msc2918.refresh_token=true", { "username": "test3", "password": self.user_pass, "auth": {"type": LoginType.DUMMY}, - "refresh_token": True, }, ) self.assertEqual(register_with_refresh.code, 200, register_with_refresh.result) @@ -599,22 +570,17 @@ class RefreshAuthTests(unittest.HomeserverTestCase): """ A refresh token can be used to issue a new access token. """ - body = { - "type": "m.login.password", - "user": "test", - "password": self.user_pass, - "refresh_token": True, - } + body = {"type": "m.login.password", "user": "test", "password": self.user_pass} login_response = self.make_request( "POST", - "/_matrix/client/r0/login", + "/_matrix/client/r0/login?org.matrix.msc2918.refresh_token=true", body, ) self.assertEqual(login_response.code, 200, login_response.result) refresh_response = self.make_request( "POST", - "/_matrix/client/v1/refresh", + "/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh", {"refresh_token": login_response.json_body["refresh_token"]}, ) self.assertEqual(refresh_response.code, 200, refresh_response.result) @@ -633,19 +599,14 @@ class RefreshAuthTests(unittest.HomeserverTestCase): ) @override_config({"refreshable_access_token_lifetime": "1m"}) - def test_refreshable_access_token_expiration(self): + def test_refresh_token_expiration(self): """ The access token should have some time as specified in the config. """ - body = { - "type": "m.login.password", - "user": "test", - "password": self.user_pass, - "refresh_token": True, - } + body = {"type": "m.login.password", "user": "test", "password": self.user_pass} login_response = self.make_request( "POST", - "/_matrix/client/r0/login", + "/_matrix/client/r0/login?org.matrix.msc2918.refresh_token=true", body, ) self.assertEqual(login_response.code, 200, login_response.result) @@ -655,198 +616,13 @@ class RefreshAuthTests(unittest.HomeserverTestCase): refresh_response = self.make_request( "POST", - "/_matrix/client/v1/refresh", + "/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh", {"refresh_token": login_response.json_body["refresh_token"]}, ) self.assertEqual(refresh_response.code, 200, refresh_response.result) self.assertApproximates( refresh_response.json_body["expires_in_ms"], 60 * 1000, 100 ) - access_token = refresh_response.json_body["access_token"] - - # Advance 59 seconds in the future (just shy of 1 minute, the time of expiry) - self.reactor.advance(59.0) - # Check that our token is valid - self.assertEqual( - self.make_request( - "GET", "/_matrix/client/v3/account/whoami", access_token=access_token - ).code, - HTTPStatus.OK, - ) - - # Advance 2 more seconds (just past the time of expiry) - self.reactor.advance(2.0) - # Check that our token is invalid - self.assertEqual( - self.make_request( - "GET", "/_matrix/client/v3/account/whoami", access_token=access_token - ).code, - HTTPStatus.UNAUTHORIZED, - ) - - @override_config( - { - "refreshable_access_token_lifetime": "1m", - "nonrefreshable_access_token_lifetime": "10m", - } - ) - def test_different_expiry_for_refreshable_and_nonrefreshable_access_tokens(self): - """ - Tests that the expiry times for refreshable and non-refreshable access - tokens can be different. - """ - body = { - "type": "m.login.password", - "user": "test", - "password": self.user_pass, - } - login_response1 = self.make_request( - "POST", - "/_matrix/client/r0/login", - {"refresh_token": True, **body}, - ) - self.assertEqual(login_response1.code, 200, login_response1.result) - self.assertApproximates( - login_response1.json_body["expires_in_ms"], 60 * 1000, 100 - ) - refreshable_access_token = login_response1.json_body["access_token"] - - login_response2 = self.make_request( - "POST", - "/_matrix/client/r0/login", - body, - ) - self.assertEqual(login_response2.code, 200, login_response2.result) - nonrefreshable_access_token = login_response2.json_body["access_token"] - - # Advance 59 seconds in the future (just shy of 1 minute, the time of expiry) - self.reactor.advance(59.0) - - # Both tokens should still be valid. - self.assertTrue(self.is_access_token_valid(refreshable_access_token)) - self.assertTrue(self.is_access_token_valid(nonrefreshable_access_token)) - - # Advance to 61 s (just past 1 minute, the time of expiry) - self.reactor.advance(2.0) - - # Only the non-refreshable token is still valid. - self.assertFalse(self.is_access_token_valid(refreshable_access_token)) - self.assertTrue(self.is_access_token_valid(nonrefreshable_access_token)) - - # Advance to 599 s (just shy of 10 minutes, the time of expiry) - self.reactor.advance(599.0 - 61.0) - - # It's still the case that only the non-refreshable token is still valid. - self.assertFalse(self.is_access_token_valid(refreshable_access_token)) - self.assertTrue(self.is_access_token_valid(nonrefreshable_access_token)) - - # Advance to 601 s (just past 10 minutes, the time of expiry) - self.reactor.advance(2.0) - - # Now neither token is valid. - self.assertFalse(self.is_access_token_valid(refreshable_access_token)) - self.assertFalse(self.is_access_token_valid(nonrefreshable_access_token)) - - @override_config( - {"refreshable_access_token_lifetime": "1m", "refresh_token_lifetime": "2m"} - ) - def test_refresh_token_expiry(self): - """ - The refresh token can be configured to have a limited lifetime. - When that lifetime has ended, the refresh token can no longer be used to - refresh the session. - """ - - body = { - "type": "m.login.password", - "user": "test", - "password": self.user_pass, - "refresh_token": True, - } - login_response = self.make_request( - "POST", - "/_matrix/client/r0/login", - body, - ) - self.assertEqual(login_response.code, HTTPStatus.OK, login_response.result) - refresh_token1 = login_response.json_body["refresh_token"] - - # Advance 119 seconds in the future (just shy of 2 minutes) - self.reactor.advance(119.0) - - # Refresh our session. The refresh token should still JUST be valid right now. - # By doing so, we get a new access token and a new refresh token. - refresh_response = self.use_refresh_token(refresh_token1) - self.assertEqual(refresh_response.code, HTTPStatus.OK, refresh_response.result) - self.assertIn( - "refresh_token", - refresh_response.json_body, - "No new refresh token returned after refresh.", - ) - refresh_token2 = refresh_response.json_body["refresh_token"] - - # Advance 121 seconds in the future (just a bit more than 2 minutes) - self.reactor.advance(121.0) - - # Try to refresh our session, but instead notice that the refresh token is - # not valid (it just expired). - refresh_response = self.use_refresh_token(refresh_token2) - self.assertEqual( - refresh_response.code, HTTPStatus.FORBIDDEN, refresh_response.result - ) - - @override_config( - { - "refreshable_access_token_lifetime": "2m", - "refresh_token_lifetime": "2m", - "session_lifetime": "3m", - } - ) - def test_ultimate_session_expiry(self): - """ - The session can be configured to have an ultimate, limited lifetime. - """ - - body = { - "type": "m.login.password", - "user": "test", - "password": self.user_pass, - "refresh_token": True, - } - login_response = self.make_request( - "POST", - "/_matrix/client/r0/login", - body, - ) - self.assertEqual(login_response.code, 200, login_response.result) - refresh_token = login_response.json_body["refresh_token"] - - # Advance shy of 2 minutes into the future - self.reactor.advance(119.0) - - # Refresh our session. The refresh token should still be valid right now. - refresh_response = self.use_refresh_token(refresh_token) - self.assertEqual(refresh_response.code, 200, refresh_response.result) - self.assertIn( - "refresh_token", - refresh_response.json_body, - "No new refresh token returned after refresh.", - ) - # Notice that our access token lifetime has been diminished to match the - # session lifetime. - # 3 minutes - 119 seconds = 61 seconds. - self.assertEqual(refresh_response.json_body["expires_in_ms"], 61_000) - refresh_token = refresh_response.json_body["refresh_token"] - - # Advance 61 seconds into the future. Our session should have expired - # now, because we've had our 3 minutes. - self.reactor.advance(61.0) - - # Try to issue a new, refreshed, access token. - # This should fail because the refresh token's lifetime has also been - # diminished as our session expired. - refresh_response = self.use_refresh_token(refresh_token) - self.assertEqual(refresh_response.code, 403, refresh_response.result) def test_refresh_token_invalidation(self): """Refresh tokens are invalidated after first use of the next token. @@ -864,15 +640,10 @@ class RefreshAuthTests(unittest.HomeserverTestCase): |-> fourth_refresh (fails) """ - body = { - "type": "m.login.password", - "user": "test", - "password": self.user_pass, - "refresh_token": True, - } + body = {"type": "m.login.password", "user": "test", "password": self.user_pass} login_response = self.make_request( "POST", - "/_matrix/client/r0/login", + "/_matrix/client/r0/login?org.matrix.msc2918.refresh_token=true", body, ) self.assertEqual(login_response.code, 200, login_response.result) @@ -880,7 +651,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase): # This first refresh should work properly first_refresh_response = self.make_request( "POST", - "/_matrix/client/v1/refresh", + "/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh", {"refresh_token": login_response.json_body["refresh_token"]}, ) self.assertEqual( @@ -890,7 +661,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase): # This one as well, since the token in the first one was never used second_refresh_response = self.make_request( "POST", - "/_matrix/client/v1/refresh", + "/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh", {"refresh_token": login_response.json_body["refresh_token"]}, ) self.assertEqual( @@ -900,7 +671,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase): # This one should not, since the token from the first refresh is not valid anymore third_refresh_response = self.make_request( "POST", - "/_matrix/client/v1/refresh", + "/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh", {"refresh_token": first_refresh_response.json_body["refresh_token"]}, ) self.assertEqual( @@ -928,7 +699,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase): # Now that the access token from the last valid refresh was used once, refreshing with the N-1 token should fail fourth_refresh_response = self.make_request( "POST", - "/_matrix/client/v1/refresh", + "/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh", {"refresh_token": login_response.json_body["refresh_token"]}, ) self.assertEqual( @@ -938,7 +709,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase): # But refreshing from the last valid refresh token still works fifth_refresh_response = self.make_request( "POST", - "/_matrix/client/v1/refresh", + "/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh", {"refresh_token": second_refresh_response.json_body["refresh_token"]}, ) self.assertEqual( |