Reject tokens with multiple device scopes

author: Quentin Gliech <quenting@element.io> 2023-05-23 16:59:53 +0200
committer: Patrick Cloke <clokep@users.noreply.github.com> 2023-05-30 09:43:06 -0400
commit: f739bde962daa9bc425c8343f35993ae889dbc67 (patch)
tree: 11fdd98fb068bf980eac1a9b2e11277182368c04 /tests
parent: Make OIDC scope constants (diff)
download: synapse-f739bde962daa9bc425c8343f35993ae889dbc67.tar.xz
1 files changed, 28 insertions, 1 deletions
diff --git a/tests/handlers/test_oauth_delegation.py b/tests/handlers/test_oauth_delegation.py
index 16ce2c069d..0641535512 100644
--- a/tests/handlers/test_oauth_delegation.py
+++ b/tests/handlers/test_oauth_delegation.py
@@ -27,6 +27,7 @@ from signedjson.sign import sign_json
 from twisted.test.proto_helpers import MemoryReactor
 
 from synapse.api.errors import (
+    AuthError,
     Codes,
     InvalidClientTokenError,
     OAuthInsufficientScopeError,
@@ -68,8 +69,9 @@ INTROSPECTION_ENDPOINT = ISSUER + "introspect"
 SYNAPSE_ADMIN_SCOPE = "urn:synapse:admin:*"
 MATRIX_USER_SCOPE = "urn:matrix:org.matrix.msc2967.client:api:*"
 MATRIX_GUEST_SCOPE = "urn:matrix:org.matrix.msc2967.client:api:guest"
+MATRIX_DEVICE_SCOPE_PREFIX = "urn:matrix:org.matrix.msc2967.client:device:"
 DEVICE = "AABBCCDD"
-MATRIX_DEVICE_SCOPE = "urn:matrix:org.matrix.msc2967.client:device:" + DEVICE
+MATRIX_DEVICE_SCOPE = MATRIX_DEVICE_SCOPE_PREFIX + DEVICE
 SUBJECT = "abc-def-ghi"
 USERNAME = "test-user"
 USER_ID = "@" + USERNAME + ":" + SERVER_NAME
@@ -344,6 +346,31 @@ class MSC3861OAuthDelegation(HomeserverTestCase):
         )
         self.assertEqual(requester.device_id, DEVICE)
 
+    def test_multiple_devices(self) -> None:
+        """The handler should raise an error if multiple devices are found in the scope."""
+
+        self.http_client.request = simple_async_mock(
+            return_value=FakeResponse.json(
+                code=200,
+                payload={
+                    "active": True,
+                    "sub": SUBJECT,
+                    "scope": " ".join(
+                        [
+                            MATRIX_USER_SCOPE,
+                            f"{MATRIX_DEVICE_SCOPE_PREFIX}AABBCC",
+                            f"{MATRIX_DEVICE_SCOPE_PREFIX}DDEEFF",
+                        ]
+                    ),
+                    "username": USERNAME,
+                },
+            )
+        )
+        request = Mock(args={})
+        request.args[b"access_token"] = [b"mockAccessToken"]
+        request.requestHeaders.getRawHeaders = mock_getRawHeaders()
+        self.get_failure(self.auth.get_user_by_req(request), AuthError)
+
     def test_active_guest_not_allowed(self) -> None:
         """The handler should return an insufficient scope error."""
author	Quentin Gliech <quenting@element.io>	2023-05-23 16:59:53 +0200
committer	Patrick Cloke <clokep@users.noreply.github.com>	2023-05-30 09:43:06 -0400
commit	f739bde962daa9bc425c8343f35993ae889dbc67 (patch)
tree	11fdd98fb068bf980eac1a9b2e11277182368c04 /tests
parent	Make OIDC scope constants (diff)
download	synapse-f739bde962daa9bc425c8343f35993ae889dbc67.tar.xz