MSC3861: allow impersonation by an admin using a query param (#16132)

author: Mathieu Velten <mathieuv@matrix.org> 2023-08-18 15:46:46 +0200
committer: GitHub <noreply@github.com> 2023-08-18 15:46:46 +0200
commit: 2d15e396843879bb514a148097cbddf10f50655c (patch)
tree: 4414b381e579bf5e45c39d4f5d880f8515d17765 /tests
parent: Allow filtering for admins in the list accounts admin API (#16114) (diff)
download: synapse-2d15e396843879bb514a148097cbddf10f50655c.tar.xz
1 files changed, 35 insertions, 0 deletions
diff --git a/tests/handlers/test_oauth_delegation.py b/tests/handlers/test_oauth_delegation.py
index 82c26e303f..1456b675a7 100644
--- a/tests/handlers/test_oauth_delegation.py
+++ b/tests/handlers/test_oauth_delegation.py
@@ -340,6 +340,41 @@ class MSC3861OAuthDelegation(HomeserverTestCase):
             get_awaitable_result(self.auth.is_server_admin(requester)), False
         )
 
+    def test_active_user_admin_impersonation(self) -> None:
+        """The handler should return a requester with normal user rights
+        and an user ID matching the one specified in query param `user_id`"""
+
+        self.http_client.request = simple_async_mock(
+            return_value=FakeResponse.json(
+                code=200,
+                payload={
+                    "active": True,
+                    "sub": SUBJECT,
+                    "scope": " ".join([SYNAPSE_ADMIN_SCOPE, MATRIX_USER_SCOPE]),
+                    "username": USERNAME,
+                },
+            )
+        )
+        request = Mock(args={})
+        request.args[b"access_token"] = [b"mockAccessToken"]
+        impersonated_user_id = f"@{USERNAME}:{SERVER_NAME}"
+        request.args[b"_oidc_admin_impersonate_user_id"] = [
+            impersonated_user_id.encode("ascii")
+        ]
+        request.requestHeaders.getRawHeaders = mock_getRawHeaders()
+        requester = self.get_success(self.auth.get_user_by_req(request))
+        self.http_client.get_json.assert_called_once_with(WELL_KNOWN)
+        self.http_client.request.assert_called_once_with(
+            method="POST", uri=INTROSPECTION_ENDPOINT, data=ANY, headers=ANY
+        )
+        self._assertParams()
+        self.assertEqual(requester.user.to_string(), impersonated_user_id)
+        self.assertEqual(requester.is_guest, False)
+        self.assertEqual(requester.device_id, None)
+        self.assertEqual(
+            get_awaitable_result(self.auth.is_server_admin(requester)), False
+        )
+
     def test_active_user_with_device(self) -> None:
         """The handler should return a requester with normal user rights and a device ID."""
author	Mathieu Velten <mathieuv@matrix.org>	2023-08-18 15:46:46 +0200
committer	GitHub <noreply@github.com>	2023-08-18 15:46:46 +0200
commit	2d15e396843879bb514a148097cbddf10f50655c (patch)
tree	4414b381e579bf5e45c39d4f5d880f8515d17765 /tests
parent	Allow filtering for admins in the list accounts admin API (#16114) (diff)
download	synapse-2d15e396843879bb514a148097cbddf10f50655c.tar.xz