diff --git a/tests/config/test_tls.py b/tests/config/test_tls.py
index a5d88d644a..4f8a87a3df 100644
--- a/tests/config/test_tls.py
+++ b/tests/config/test_tls.py
@@ -1,5 +1,6 @@
# -*- coding: utf-8 -*-
# Copyright 2019 New Vector Ltd
+# Copyright 2019 Matrix.org Foundation C.I.C.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -15,7 +16,10 @@
import os
-from synapse.config.tls import TlsConfig
+from OpenSSL import SSL
+
+from synapse.config.tls import ConfigError, TlsConfig
+from synapse.crypto.context_factory import ClientTLSOptionsFactory
from tests.unittest import TestCase
@@ -78,3 +82,112 @@ s4niecZKPBizL6aucT59CsunNmmb5Glq8rlAcU+1ZTZZzGYqVYhF6axB9Qg=
"or use Synapse's ACME support to provision one."
),
)
+
+ def test_tls_client_minimum_default(self):
+ """
+ The default client TLS version is 1.0.
+ """
+ config = {}
+ t = TestConfig()
+ t.read_config(config, config_dir_path="", data_dir_path="")
+
+ self.assertEqual(t.federation_client_minimum_tls_version, "1")
+
+ def test_tls_client_minimum_set(self):
+ """
+ The default client TLS version can be set to 1.0, 1.1, and 1.2.
+ """
+ config = {"federation_client_minimum_tls_version": 1}
+ t = TestConfig()
+ t.read_config(config, config_dir_path="", data_dir_path="")
+ self.assertEqual(t.federation_client_minimum_tls_version, "1")
+
+ config = {"federation_client_minimum_tls_version": 1.1}
+ t = TestConfig()
+ t.read_config(config, config_dir_path="", data_dir_path="")
+ self.assertEqual(t.federation_client_minimum_tls_version, "1.1")
+
+ config = {"federation_client_minimum_tls_version": 1.2}
+ t = TestConfig()
+ t.read_config(config, config_dir_path="", data_dir_path="")
+ self.assertEqual(t.federation_client_minimum_tls_version, "1.2")
+
+ # Also test a string version
+ config = {"federation_client_minimum_tls_version": "1"}
+ t = TestConfig()
+ t.read_config(config, config_dir_path="", data_dir_path="")
+ self.assertEqual(t.federation_client_minimum_tls_version, "1")
+
+ config = {"federation_client_minimum_tls_version": "1.2"}
+ t = TestConfig()
+ t.read_config(config, config_dir_path="", data_dir_path="")
+ self.assertEqual(t.federation_client_minimum_tls_version, "1.2")
+
+ def test_tls_client_minimum_1_point_3_missing(self):
+ """
+ If TLS 1.3 support is missing and it's configured, it will raise a
+ ConfigError.
+ """
+ # thanks i hate it
+ if hasattr(SSL, "OP_NO_TLSv1_3"):
+ OP_NO_TLSv1_3 = SSL.OP_NO_TLSv1_3
+ delattr(SSL, "OP_NO_TLSv1_3")
+ self.addCleanup(setattr, SSL, "SSL.OP_NO_TLSv1_3", OP_NO_TLSv1_3)
+ assert not hasattr(SSL, "OP_NO_TLSv1_3")
+
+ config = {"federation_client_minimum_tls_version": 1.3}
+ t = TestConfig()
+ with self.assertRaises(ConfigError) as e:
+ t.read_config(config, config_dir_path="", data_dir_path="")
+ self.assertEqual(
+ e.exception.args[0],
+ (
+ "federation_client_minimum_tls_version cannot be 1.3, "
+ "your OpenSSL does not support it"
+ ),
+ )
+
+ def test_tls_client_minimum_1_point_3_exists(self):
+ """
+ If TLS 1.3 support exists and it's configured, it will be settable.
+ """
+ # thanks i hate it, still
+ if not hasattr(SSL, "OP_NO_TLSv1_3"):
+ SSL.OP_NO_TLSv1_3 = 0x00
+ self.addCleanup(lambda: delattr(SSL, "OP_NO_TLSv1_3"))
+ assert hasattr(SSL, "OP_NO_TLSv1_3")
+
+ config = {"federation_client_minimum_tls_version": 1.3}
+ t = TestConfig()
+ t.read_config(config, config_dir_path="", data_dir_path="")
+ self.assertEqual(t.federation_client_minimum_tls_version, "1.3")
+
+ def test_tls_client_minimum_set_passed_through_1_2(self):
+ """
+ The configured TLS version is correctly configured by the ContextFactory.
+ """
+ config = {"federation_client_minimum_tls_version": 1.2}
+ t = TestConfig()
+ t.read_config(config, config_dir_path="", data_dir_path="")
+
+ cf = ClientTLSOptionsFactory(t)
+
+ # The context has had NO_TLSv1_1 and NO_TLSv1_0 set, but not NO_TLSv1_2
+ self.assertNotEqual(cf._verify_ssl._options & SSL.OP_NO_TLSv1, 0)
+ self.assertNotEqual(cf._verify_ssl._options & SSL.OP_NO_TLSv1_1, 0)
+ self.assertEqual(cf._verify_ssl._options & SSL.OP_NO_TLSv1_2, 0)
+
+ def test_tls_client_minimum_set_passed_through_1_0(self):
+ """
+ The configured TLS version is correctly configured by the ContextFactory.
+ """
+ config = {"federation_client_minimum_tls_version": 1}
+ t = TestConfig()
+ t.read_config(config, config_dir_path="", data_dir_path="")
+
+ cf = ClientTLSOptionsFactory(t)
+
+ # The context has not had any of the NO_TLS set.
+ self.assertEqual(cf._verify_ssl._options & SSL.OP_NO_TLSv1, 0)
+ self.assertEqual(cf._verify_ssl._options & SSL.OP_NO_TLSv1_1, 0)
+ self.assertEqual(cf._verify_ssl._options & SSL.OP_NO_TLSv1_2, 0)
diff --git a/tests/rest/media/v1/test_media_storage.py b/tests/rest/media/v1/test_media_storage.py
index e2d418b1df..39c9342423 100644
--- a/tests/rest/media/v1/test_media_storage.py
+++ b/tests/rest/media/v1/test_media_storage.py
@@ -22,7 +22,6 @@ from binascii import unhexlify
from mock import Mock
from six.moves.urllib import parse
-from twisted.internet import defer, reactor
from twisted.internet.defer import Deferred
from synapse.rest.media.v1._base import FileInfo
@@ -34,15 +33,17 @@ from synapse.util.logcontext import make_deferred_yieldable
from tests import unittest
-class MediaStorageTests(unittest.TestCase):
- def setUp(self):
+class MediaStorageTests(unittest.HomeserverTestCase):
+
+ needs_threadpool = True
+
+ def prepare(self, reactor, clock, hs):
self.test_dir = tempfile.mkdtemp(prefix="synapse-tests-")
+ self.addCleanup(shutil.rmtree, self.test_dir)
self.primary_base_path = os.path.join(self.test_dir, "primary")
self.secondary_base_path = os.path.join(self.test_dir, "secondary")
- hs = Mock()
- hs.get_reactor = Mock(return_value=reactor)
hs.config.media_store_path = self.primary_base_path
storage_providers = [FileStorageProviderBackend(hs, self.secondary_base_path)]
@@ -52,10 +53,6 @@ class MediaStorageTests(unittest.TestCase):
hs, self.primary_base_path, self.filepaths, storage_providers
)
- def tearDown(self):
- shutil.rmtree(self.test_dir)
-
- @defer.inlineCallbacks
def test_ensure_media_is_in_local_cache(self):
media_id = "some_media_id"
test_body = "Test\n"
@@ -73,7 +70,15 @@ class MediaStorageTests(unittest.TestCase):
# Now we run ensure_media_is_in_local_cache, which should copy the file
# to the local cache.
file_info = FileInfo(None, media_id)
- local_path = yield self.media_storage.ensure_media_is_in_local_cache(file_info)
+
+ # This uses a real blocking threadpool so we have to wait for it to be
+ # actually done :/
+ x = self.media_storage.ensure_media_is_in_local_cache(file_info)
+
+ # Hotloop until the threadpool does its job...
+ self.wait_on_thread(x)
+
+ local_path = self.get_success(x)
self.assertTrue(os.path.exists(local_path))
diff --git a/tests/unittest.py b/tests/unittest.py
index 36df43c137..d26804b5b5 100644
--- a/tests/unittest.py
+++ b/tests/unittest.py
@@ -17,6 +17,7 @@ import gc
import hashlib
import hmac
import logging
+import time
from mock import Mock
@@ -24,7 +25,8 @@ from canonicaljson import json
import twisted
import twisted.logger
-from twisted.internet.defer import Deferred
+from twisted.internet.defer import Deferred, succeed
+from twisted.python.threadpool import ThreadPool
from twisted.trial import unittest
from synapse.api.constants import EventTypes
@@ -164,6 +166,7 @@ class HomeserverTestCase(TestCase):
servlets = []
hijack_auth = True
+ needs_threadpool = False
def setUp(self):
"""
@@ -192,15 +195,19 @@ class HomeserverTestCase(TestCase):
if self.hijack_auth:
def get_user_by_access_token(token=None, allow_guest=False):
- return {
- "user": UserID.from_string(self.helper.auth_user_id),
- "token_id": 1,
- "is_guest": False,
- }
+ return succeed(
+ {
+ "user": UserID.from_string(self.helper.auth_user_id),
+ "token_id": 1,
+ "is_guest": False,
+ }
+ )
def get_user_by_req(request, allow_guest=False, rights="access"):
- return create_requester(
- UserID.from_string(self.helper.auth_user_id), 1, False, None
+ return succeed(
+ create_requester(
+ UserID.from_string(self.helper.auth_user_id), 1, False, None
+ )
)
self.hs.get_auth().get_user_by_req = get_user_by_req
@@ -209,9 +216,26 @@ class HomeserverTestCase(TestCase):
return_value="1234"
)
+ if self.needs_threadpool:
+ self.reactor.threadpool = ThreadPool()
+ self.addCleanup(self.reactor.threadpool.stop)
+ self.reactor.threadpool.start()
+
if hasattr(self, "prepare"):
self.prepare(self.reactor, self.clock, self.hs)
+ def wait_on_thread(self, deferred, timeout=10):
+ """
+ Wait until a Deferred is done, where it's waiting on a real thread.
+ """
+ start_time = time.time()
+
+ while not deferred.called:
+ if start_time + timeout < time.time():
+ raise ValueError("Timed out waiting for threadpool")
+ self.reactor.advance(0.01)
+ time.sleep(0.01)
+
def make_homeserver(self, reactor, clock):
"""
Make and return a homeserver.
|
