diff --git a/tests/handlers/test_oauth_delegation.py b/tests/handlers/test_oauth_delegation.py
index 1456b675a7..b891e84690 100644
--- a/tests/handlers/test_oauth_delegation.py
+++ b/tests/handlers/test_oauth_delegation.py
@@ -14,7 +14,7 @@
from http import HTTPStatus
from typing import Any, Dict, Union
-from unittest.mock import ANY, Mock
+from unittest.mock import ANY, AsyncMock, Mock
from urllib.parse import parse_qs
from signedjson.key import (
@@ -588,6 +588,38 @@ class MSC3861OAuthDelegation(HomeserverTestCase):
)
self.assertEqual(self.http_client.request.call_count, 2)
+ def test_revocation_endpoint(self) -> None:
+ # mock introspection response and then admin verification response
+ self.http_client.request = AsyncMock(
+ side_effect=[
+ FakeResponse.json(
+ code=200, payload={"active": True, "jti": "open_sesame"}
+ ),
+ FakeResponse.json(
+ code=200,
+ payload={
+ "active": True,
+ "sub": SUBJECT,
+ "scope": " ".join([SYNAPSE_ADMIN_SCOPE, MATRIX_USER_SCOPE]),
+ "username": USERNAME,
+ },
+ ),
+ ]
+ )
+
+ # cache a token to delete
+ introspection_token = self.get_success(
+ self.auth._introspect_token("open_sesame") # type: ignore[attr-defined]
+ )
+ self.assertEqual(self.auth._token_cache.get("open_sesame"), introspection_token) # type: ignore[attr-defined]
+
+ # delete the revoked token
+ introspection_token_id = "open_sesame"
+ url = f"/_synapse/admin/v1/OIDC_token_revocation/{introspection_token_id}"
+ channel = self.make_request("DELETE", url, access_token="mockAccessToken")
+ self.assertEqual(channel.code, 200)
+ self.assertEqual(self.auth._token_cache.get("open_sesame"), None) # type: ignore[attr-defined]
+
def make_device_keys(self, user_id: str, device_id: str) -> JsonDict:
# We only generate a master key to simplify the test.
master_signing_key = generate_signing_key(device_id)
diff --git a/tests/replication/test_intro_token_invalidation.py b/tests/replication/test_intro_token_invalidation.py
new file mode 100644
index 0000000000..f90678b6b1
--- /dev/null
+++ b/tests/replication/test_intro_token_invalidation.py
@@ -0,0 +1,62 @@
+# Copyright 2023 The Matrix.org Foundation C.I.C.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from typing import Any, Dict
+
+import synapse.rest.admin._base
+
+from tests.replication._base import BaseMultiWorkerStreamTestCase
+
+
+class IntrospectionTokenCacheInvalidationTestCase(BaseMultiWorkerStreamTestCase):
+ servlets = [synapse.rest.admin.register_servlets]
+
+ def default_config(self) -> Dict[str, Any]:
+ config = super().default_config()
+ config["disable_registration"] = True
+ config["experimental_features"] = {
+ "msc3861": {
+ "enabled": True,
+ "issuer": "some_dude",
+ "client_id": "ID",
+ "client_auth_method": "client_secret_post",
+ "client_secret": "secret",
+ }
+ }
+ return config
+
+ def test_stream_introspection_token_invalidation(self) -> None:
+ worker_hs = self.make_worker_hs("synapse.app.generic_worker")
+ auth = worker_hs.get_auth()
+ store = self.hs.get_datastores().main
+
+ # add a token to the cache on the worker
+ auth._token_cache["open_sesame"] = "intro_token" # type: ignore[attr-defined]
+
+ # stream the invalidation from the master
+ self.get_success(
+ store.stream_introspection_token_invalidation(("open_sesame",))
+ )
+
+ # check that the cache on the worker was invalidated
+ self.assertEqual(auth._token_cache.get("open_sesame"), None) # type: ignore[attr-defined]
+
+ # test invalidating whole cache
+ for i in range(0, 5):
+ auth._token_cache[f"open_sesame_{i}"] = f"intro_token_{i}" # type: ignore[attr-defined]
+ self.assertEqual(len(auth._token_cache), 5) # type: ignore[attr-defined]
+
+ self.get_success(store.stream_introspection_token_invalidation((None,)))
+
+ self.assertEqual(len(auth._token_cache), 0) # type: ignore[attr-defined]
|
