diff --git a/tests/api/test_auth.py b/tests/api/test_auth.py
index c0ed64f784..1b0a815757 100644
--- a/tests/api/test_auth.py
+++ b/tests/api/test_auth.py
@@ -21,13 +21,11 @@ from synapse.api.constants import UserTypes
from synapse.api.errors import (
AuthError,
Codes,
- InvalidClientCredentialsError,
InvalidClientTokenError,
MissingClientTokenError,
ResourceLimitError,
)
from synapse.storage.databases.main.registration import TokenLookupResult
-from synapse.types import UserID
from tests import unittest
from tests.test_utils import simple_async_mock
@@ -253,67 +251,6 @@ class AuthTestCase(unittest.HomeserverTestCase):
self.assertTrue(user_info.is_guest)
self.store.get_user_by_id.assert_called_with(user_id)
- def test_cannot_use_regular_token_as_guest(self):
- USER_ID = "@percy:matrix.org"
- self.store.add_access_token_to_user = simple_async_mock(None)
- self.store.get_device = simple_async_mock(None)
-
- token = self.get_success(
- self.hs.get_auth_handler().get_access_token_for_user_id(
- USER_ID, "DEVICE", valid_until_ms=None
- )
- )
- self.store.add_access_token_to_user.assert_called_with(
- user_id=USER_ID,
- token=token,
- device_id="DEVICE",
- valid_until_ms=None,
- puppets_user_id=None,
- )
-
- async def get_user(tok):
- if token != tok:
- return None
- return TokenLookupResult(
- user_id=USER_ID,
- is_guest=False,
- token_id=1234,
- device_id="DEVICE",
- )
-
- self.store.get_user_by_access_token = get_user
- self.store.get_user_by_id = simple_async_mock({"is_guest": False})
-
- # check the token works
- request = Mock(args={})
- request.args[b"access_token"] = [token.encode("ascii")]
- request.requestHeaders.getRawHeaders = mock_getRawHeaders()
- requester = self.get_success(
- self.auth.get_user_by_req(request, allow_guest=True)
- )
- self.assertEqual(UserID.from_string(USER_ID), requester.user)
- self.assertFalse(requester.is_guest)
-
- # add an is_guest caveat
- mac = pymacaroons.Macaroon.deserialize(token)
- mac.add_first_party_caveat("guest = true")
- guest_tok = mac.serialize()
-
- # the token should *not* work now
- request = Mock(args={})
- request.args[b"access_token"] = [guest_tok.encode("ascii")]
- request.requestHeaders.getRawHeaders = mock_getRawHeaders()
-
- cm = self.get_failure(
- self.auth.get_user_by_req(request, allow_guest=True),
- InvalidClientCredentialsError,
- )
-
- self.assertEqual(401, cm.value.code)
- self.assertEqual("Guest access token used for regular user", cm.value.msg)
-
- self.store.get_user_by_id.assert_called_with(USER_ID)
-
def test_blocking_mau(self):
self.auth_blocking._limit_usage_by_mau = False
self.auth_blocking._max_mau_value = 50
diff --git a/tests/handlers/test_auth.py b/tests/handlers/test_auth.py
index fe7e9484fd..5f3350e490 100644
--- a/tests/handlers/test_auth.py
+++ b/tests/handlers/test_auth.py
@@ -16,12 +16,17 @@ from unittest.mock import Mock
import pymacaroons
from synapse.api.errors import AuthError, ResourceLimitError
+from synapse.rest import admin
from tests import unittest
from tests.test_utils import make_awaitable
class AuthTestCase(unittest.HomeserverTestCase):
+ servlets = [
+ admin.register_servlets,
+ ]
+
def prepare(self, reactor, clock, hs):
self.auth_handler = hs.get_auth_handler()
self.macaroon_generator = hs.get_macaroon_generator()
@@ -35,16 +40,10 @@ class AuthTestCase(unittest.HomeserverTestCase):
self.small_number_of_users = 1
self.large_number_of_users = 100
- def test_token_is_a_macaroon(self):
- token = self.macaroon_generator.generate_access_token("some_user")
- # Check that we can parse the thing with pymacaroons
- macaroon = pymacaroons.Macaroon.deserialize(token)
- # The most basic of sanity checks
- if "some_user" not in macaroon.inspect():
- self.fail("some_user was not in %s" % macaroon.inspect())
+ self.user1 = self.register_user("a_user", "pass")
def test_macaroon_caveats(self):
- token = self.macaroon_generator.generate_access_token("a_user")
+ token = self.macaroon_generator.generate_guest_access_token("a_user")
macaroon = pymacaroons.Macaroon.deserialize(token)
def verify_gen(caveat):
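Review bot: With `test_token_is_a_macaroon` dropped here and `test_cannot_use_regular_token_as_guest` deleted from tests/api/test_auth.py, no test visible in this diff still asserts that a guest macaroon presented for a registered, non-guest user is refused. `prepare` now registers `a_user` as a regular account, so this file is a natural home for that negative case: mint `generate_guest_access_token(self.user1)` and expect `get_user_by_req(request, allow_guest=True)` to fail with `InvalidClientCredentialsError`, assuming the server-side check survives the token format change. Separately, `test_macaroon_caveats` still passes the bare string `"a_user"` while the neighbouring tests switched to `self.user1`. Using `self.user1` there would keep the fixtures consistent, provided `verify_user` (whose body lies outside this hunk) is adjusted to match.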
@@ -59,19 +58,23 @@ class AuthTestCase(unittest.HomeserverTestCase):
def verify_nonce(caveat):
return caveat.startswith("nonce =")
+ def verify_guest(caveat):
+ return caveat == "guest = true"
+
v = pymacaroons.Verifier()
v.satisfy_general(verify_gen)
v.satisfy_general(verify_user)
v.satisfy_general(verify_type)
v.satisfy_general(verify_nonce)
+ v.satisfy_general(verify_guest)
v.verify(macaroon, self.hs.config.macaroon_secret_key)
def test_short_term_login_token_gives_user_id(self):
token = self.macaroon_generator.generate_short_term_login_token(
- "a_user", "", 5000
+ self.user1, "", 5000
)
res = self.get_success(self.auth_handler.validate_short_term_login_token(token))
- self.assertEqual("a_user", res.user_id)
+ self.assertEqual(self.user1, res.user_id)
self.assertEqual("", res.auth_provider_id)
# when we advance the clock, the token should be rejected
@@ -83,22 +86,22 @@ class AuthTestCase(unittest.HomeserverTestCase):
def test_short_term_login_token_gives_auth_provider(self):
token = self.macaroon_generator.generate_short_term_login_token(
- "a_user", auth_provider_id="my_idp"
+ self.user1, auth_provider_id="my_idp"
)
res = self.get_success(self.auth_handler.validate_short_term_login_token(token))
- self.assertEqual("a_user", res.user_id)
+ self.assertEqual(self.user1, res.user_id)
self.assertEqual("my_idp", res.auth_provider_id)
def test_short_term_login_token_cannot_replace_user_id(self):
token = self.macaroon_generator.generate_short_term_login_token(
- "a_user", "", 5000
+ self.user1, "", 5000
)
macaroon = pymacaroons.Macaroon.deserialize(token)
res = self.get_success(
self.auth_handler.validate_short_term_login_token(macaroon.serialize())
)
- self.assertEqual("a_user", res.user_id)
+ self.assertEqual(self.user1, res.user_id)
# add another "user_id" caveat, which might allow us to override the
# user_id.
@@ -114,7 +117,7 @@ class AuthTestCase(unittest.HomeserverTestCase):
# Ensure does not throw exception
self.get_success(
self.auth_handler.get_access_token_for_user_id(
- "user_a", device_id=None, valid_until_ms=None
+ self.user1, device_id=None, valid_until_ms=None
)
)
@@ -132,7 +135,7 @@ class AuthTestCase(unittest.HomeserverTestCase):
self.get_failure(
self.auth_handler.get_access_token_for_user_id(
- "user_a", device_id=None, valid_until_ms=None
+ self.user1, device_id=None, valid_until_ms=None
),
ResourceLimitError,
)
@@ -160,7 +163,7 @@ class AuthTestCase(unittest.HomeserverTestCase):
# If not in monthly active cohort
self.get_failure(
self.auth_handler.get_access_token_for_user_id(
- "user_a", device_id=None, valid_until_ms=None
+ self.user1, device_id=None, valid_until_ms=None
),
ResourceLimitError,
)
@@ -177,7 +180,7 @@ class AuthTestCase(unittest.HomeserverTestCase):
)
self.get_success(
self.auth_handler.get_access_token_for_user_id(
- "user_a", device_id=None, valid_until_ms=None
+ self.user1, device_id=None, valid_until_ms=None
)
)
self.get_success(
@@ -195,7 +198,7 @@ class AuthTestCase(unittest.HomeserverTestCase):
# Ensure does not raise exception
self.get_success(
self.auth_handler.get_access_token_for_user_id(
- "user_a", device_id=None, valid_until_ms=None
+ self.user1, device_id=None, valid_until_ms=None
)
)
@@ -210,6 +213,6 @@ class AuthTestCase(unittest.HomeserverTestCase):
def _get_macaroon(self):
token = self.macaroon_generator.generate_short_term_login_token(
- "user_a", "", 5000
+ self.user1, "", 5000
)
return pymacaroons.Macaroon.deserialize(token)
diff --git a/tests/handlers/test_register.py b/tests/handlers/test_register.py
index 608f8f3d33..bd43190523 100644
--- a/tests/handlers/test_register.py
+++ b/tests/handlers/test_register.py
@@ -48,10 +48,6 @@ class RegistrationTestCase(unittest.HomeserverTestCase):
self.mock_distributor = Mock()
self.mock_distributor.declare("registered_user")
self.mock_captcha_client = Mock()
- self.macaroon_generator = Mock(
- generate_access_token=Mock(return_value="secret")
- )
- self.hs.get_macaroon_generator = Mock(return_value=self.macaroon_generator)
self.handler = self.hs.get_registration_handler()
self.store = self.hs.get_datastore()
self.lots_of_users = 100
@@ -67,8 +63,8 @@ class RegistrationTestCase(unittest.HomeserverTestCase):
self.get_or_create_user(requester, frank.localpart, "Frankie")
)
self.assertEquals(result_user_id, user_id)
- self.assertTrue(result_token is not None)
- self.assertEquals(result_token, "secret")
+ self.assertIsInstance(result_token, str)
+ self.assertGreater(len(result_token), 20)
def test_if_user_exists(self):
store = self.hs.get_datastore()
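Review bot: `assertGreater(len(result_token), 20)` only proves that some long string came back; it would still pass for a token that was never persisted or that resolves to a different user. Now that the generator is no longer mocked, the test can check the property that matters by resolving the token, e.g. `info = self.get_success(self.store.get_user_by_access_token(result_token))` followed by `self.assertEqual(info.user_id, user_id)`. This assumes `self.store` is the real datastore in this test case, which the surrounding context suggests but the hunk does not show in full.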
@@ -500,7 +496,7 @@ class RegistrationTestCase(unittest.HomeserverTestCase):
user_id = self.get_success(self.handler.register_user(localpart="user"))
# Get an access token.
- token = self.macaroon_generator.generate_access_token(user_id)
+ token = "testtok"
self.get_success(
self.store.add_access_token_to_user(
user_id=user_id, token=token, device_id=None, valid_until_ms=None
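Review bot: The comment `# Get an access token.` no longer describes the line below it, which now assigns a fixed literal instead of asking a generator. A wording such as `# Any opaque string will do; this test only needs a stored token for the user.` would tell the reader that the token format is irrelevant here, if that is indeed the intent. The `add_access_token_to_user` call continues past the end of the hunk.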
@@ -577,7 +573,7 @@ class RegistrationTestCase(unittest.HomeserverTestCase):
user = UserID(localpart, self.hs.hostname)
user_id = user.to_string()
- token = self.macaroon_generator.generate_access_token(user_id)
+ token = self.hs.get_auth_handler().generate_access_token(user)
if need_register:
await self.handler.register_with_store(
diff --git a/tests/util/test_stringutils.py b/tests/util/test_stringutils.py
index f7fecd9cf3..ad4dd7f007 100644
--- a/tests/util/test_stringutils.py
+++ b/tests/util/test_stringutils.py
@@ -13,7 +13,7 @@
# limitations under the License.
from synapse.api.errors import SynapseError
-from synapse.util.stringutils import assert_valid_client_secret
+from synapse.util.stringutils import assert_valid_client_secret, base62_encode
from .. import unittest
@@ -45,3 +45,9 @@ class StringUtilsTestCase(unittest.TestCase):
for client_secret in bad:
with self.assertRaises(SynapseError):
assert_valid_client_secret(client_secret)
+
+ def test_base62_encode(self):
+ self.assertEqual("0", base62_encode(0))
+ self.assertEqual("10", base62_encode(62))
+ self.assertEqual("1c", base62_encode(100))
+ self.assertEqual("001c", base62_encode(100, minwidth=4))
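Review bot: The vectors in `test_base62_encode` pin only one letter digit (`c`), so an encoder with a differently ordered alphabet elsewhere, or an off-by-one at the top of the digit range, would still pass. Adding `base62_encode(61)` (the last symbol of the alphabet) and a value whose digits span both letter cases would fix the ordering. `base62_encode(100, minwidth=1)` would confirm that `minwidth` pads without ever truncating. If the function is meant to reject negative numbers, a case for that belongs here too; the implementation is not part of this diff, so the expected behaviour needs confirming.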