diff options
author | Richard van der Hoff <richard@matrix.org> | 2021-01-13 12:35:23 +0000 |
---|---|---|
committer | Richard van der Hoff <richard@matrix.org> | 2021-01-13 20:22:41 +0000 |
commit | 26d10331e5fa33507b680b45c44641e660a3adeb (patch) | |
tree | 9fce95a219ffbfe9b9b1fe62595fdffb98ba64cd /tests/rest/client/v2_alpha | |
parent | Move `complete_sso_ui_auth` into SSOHandler (diff) | |
download | synapse-26d10331e5fa33507b680b45c44641e660a3adeb.tar.xz |
Add a test for wrong user returned by SSO
Diffstat (limited to 'tests/rest/client/v2_alpha')
-rw-r--r-- | tests/rest/client/v2_alpha/test_auth.py | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/tests/rest/client/v2_alpha/test_auth.py b/tests/rest/client/v2_alpha/test_auth.py index 5f6ca23b06..50630106ad 100644 --- a/tests/rest/client/v2_alpha/test_auth.py +++ b/tests/rest/client/v2_alpha/test_auth.py @@ -457,3 +457,30 @@ class UIAuthTests(unittest.HomeserverTestCase): self.assertIn({"stages": ["m.login.password"]}, flows) self.assertIn({"stages": ["m.login.sso"]}, flows) self.assertEqual(len(flows), 2) + + @skip_unless(HAS_OIDC, "requires OIDC") + @override_config({"oidc_config": TEST_OIDC_CONFIG}) + def test_ui_auth_fails_for_incorrect_sso_user(self): + """If the user tries to authenticate with the wrong SSO user, they get an error + """ + # log the user in + login_resp = self.helper.login_via_oidc(UserID.from_string(self.user).localpart) + self.assertEqual(login_resp["user_id"], self.user) + + # start a UI Auth flow by attempting to delete a device + channel = self.delete_device(self.user_tok, self.device_id, 401) + + flows = channel.json_body["flows"] + self.assertIn({"stages": ["m.login.sso"]}, flows) + session_id = channel.json_body["session"] + + # do the OIDC auth, but auth as the wrong user + channel = self.helper.auth_via_oidc("wrong_user", ui_auth_session_id=session_id) + + # that should return a failure message + self.assertSubstring("We were unable to validate", channel.text_body) + + # ... and the delete op should now fail with a 403 + self.delete_device( + self.user_tok, self.device_id, 403, body={"auth": {"session": session_id}} + ) |