summary refs log tree commit diff
path: root/tests
diff options
context:
space:
mode:
Diffstat (limited to 'tests')
-rw-r--r--tests/config/test_registration_config.py78
-rw-r--r--tests/rest/client/test_auth.py76
2 files changed, 154 insertions, 0 deletions
diff --git a/tests/config/test_registration_config.py b/tests/config/test_registration_config.py
new file mode 100644
index 0000000000..17a84d20d8
--- /dev/null
+++ b/tests/config/test_registration_config.py
@@ -0,0 +1,78 @@
+# Copyright 2021 The Matrix.org Foundation C.I.C.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+from synapse.config import ConfigError
+from synapse.config.homeserver import HomeServerConfig
+
+from tests.unittest import TestCase
+from tests.utils import default_config
+
+
+class RegistrationConfigTestCase(TestCase):
+    def test_session_lifetime_must_not_be_exceeded_by_smaller_lifetimes(self):
+        """
+        session_lifetime should logically be larger than, or at least as large as,
+        all the different token lifetimes.
+        Test that the user is faced with configuration errors if they make it
+        smaller, as that configuration doesn't make sense.
+        """
+        config_dict = default_config("test")
+
+        # First test all the error conditions
+        with self.assertRaises(ConfigError):
+            HomeServerConfig().parse_config_dict(
+                {
+                    "session_lifetime": "30m",
+                    "nonrefreshable_access_token_lifetime": "31m",
+                    **config_dict,
+                }
+            )
+
+        with self.assertRaises(ConfigError):
+            HomeServerConfig().parse_config_dict(
+                {
+                    "session_lifetime": "30m",
+                    "refreshable_access_token_lifetime": "31m",
+                    **config_dict,
+                }
+            )
+
+        with self.assertRaises(ConfigError):
+            HomeServerConfig().parse_config_dict(
+                {
+                    "session_lifetime": "30m",
+                    "refresh_token_lifetime": "31m",
+                    **config_dict,
+                }
+            )
+
+        # Then test all the fine conditions
+        HomeServerConfig().parse_config_dict(
+            {
+                "session_lifetime": "31m",
+                "nonrefreshable_access_token_lifetime": "31m",
+                **config_dict,
+            }
+        )
+
+        HomeServerConfig().parse_config_dict(
+            {
+                "session_lifetime": "31m",
+                "refreshable_access_token_lifetime": "31m",
+                **config_dict,
+            }
+        )
+
+        HomeServerConfig().parse_config_dict(
+            {"session_lifetime": "31m", "refresh_token_lifetime": "31m", **config_dict}
+        )
diff --git a/tests/rest/client/test_auth.py b/tests/rest/client/test_auth.py
index d8a94f4c12..7239e1a1b5 100644
--- a/tests/rest/client/test_auth.py
+++ b/tests/rest/client/test_auth.py
@@ -524,6 +524,19 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
             {"refresh_token": refresh_token},
         )
 
+    def is_access_token_valid(self, access_token) -> bool:
+        """
+        Checks whether an access token is valid, returning whether it is or not.
+        """
+        code = self.make_request(
+            "GET", "/_matrix/client/v3/account/whoami", access_token=access_token
+        ).code
+
+        # Either 200 or 401 is what we get back; anything else is a bug.
+        assert code in {HTTPStatus.OK, HTTPStatus.UNAUTHORIZED}
+
+        return code == HTTPStatus.OK
+
     def test_login_issue_refresh_token(self):
         """
         A login response should include a refresh_token only if asked.
@@ -672,6 +685,69 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
         )
 
     @override_config(
+        {
+            "refreshable_access_token_lifetime": "1m",
+            "nonrefreshable_access_token_lifetime": "10m",
+        }
+    )
+    def test_different_expiry_for_refreshable_and_nonrefreshable_access_tokens(self):
+        """
+        Tests that the expiry times for refreshable and non-refreshable access
+        tokens can be different.
+        """
+        body = {
+            "type": "m.login.password",
+            "user": "test",
+            "password": self.user_pass,
+        }
+        login_response1 = self.make_request(
+            "POST",
+            "/_matrix/client/r0/login",
+            {"org.matrix.msc2918.refresh_token": True, **body},
+        )
+        self.assertEqual(login_response1.code, 200, login_response1.result)
+        self.assertApproximates(
+            login_response1.json_body["expires_in_ms"], 60 * 1000, 100
+        )
+        refreshable_access_token = login_response1.json_body["access_token"]
+
+        login_response2 = self.make_request(
+            "POST",
+            "/_matrix/client/r0/login",
+            body,
+        )
+        self.assertEqual(login_response2.code, 200, login_response2.result)
+        nonrefreshable_access_token = login_response2.json_body["access_token"]
+
+        # Advance 59 seconds in the future (just shy of 1 minute, the time of expiry)
+        self.reactor.advance(59.0)
+
+        # Both tokens should still be valid.
+        self.assertTrue(self.is_access_token_valid(refreshable_access_token))
+        self.assertTrue(self.is_access_token_valid(nonrefreshable_access_token))
+
+        # Advance to 61 s (just past 1 minute, the time of expiry)
+        self.reactor.advance(2.0)
+
+        # Only the non-refreshable token is still valid.
+        self.assertFalse(self.is_access_token_valid(refreshable_access_token))
+        self.assertTrue(self.is_access_token_valid(nonrefreshable_access_token))
+
+        # Advance to 599 s (just shy of 10 minutes, the time of expiry)
+        self.reactor.advance(599.0 - 61.0)
+
+        # It's still the case that only the non-refreshable token is still valid.
+        self.assertFalse(self.is_access_token_valid(refreshable_access_token))
+        self.assertTrue(self.is_access_token_valid(nonrefreshable_access_token))
+
+        # Advance to 601 s (just past 10 minutes, the time of expiry)
+        self.reactor.advance(2.0)
+
+        # Now neither token is valid.
+        self.assertFalse(self.is_access_token_valid(refreshable_access_token))
+        self.assertFalse(self.is_access_token_valid(nonrefreshable_access_token))
+
+    @override_config(
         {"refreshable_access_token_lifetime": "1m", "refresh_token_lifetime": "2m"}
     )
     def test_refresh_token_expiry(self):