summary refs log tree commit diff
path: root/tests/handlers/test_oidc.py (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Bump mypy-zope & mypy. (#16188)Patrick Cloke2023-08-291-2/+2
|
* Replace simple_async_mock with AsyncMock (#16180)Patrick Cloke2023-08-251-3/+3
| | | | Python 3.8 has a native AsyncMock, use it instead of a custom implementation.
* Add the ability to enable/disable registrations when in the OIDC flow (#14978)Warren Bailey2023-03-301-1/+16
| | | Signed-off-by: Warren Bailey <warren@warrenbailey.net>
* Add more missing type hints to tests. (#15028)Patrick Cloke2023-02-081-2/+2
|
* Support RFC7636 PKCE in the OAuth 2.0 flow. (#14750)Patrick Cloke2023-01-041-8/+144
| | | | | | | PKCE can protect against certain attacks and is enabled by default. Support can be controlled manually by setting the pkce_method of each oidc_providers entry to 'auto' (default), 'always', or 'never'. This is required by Twitter OAuth 2.0 support.
* Add missing type hints to tests.handlers. (#14680)Patrick Cloke2022-12-161-17/+31
| | | And do not allow untyped defs in tests.handlers.
* Refactor OIDC tests to better mimic an actual OIDC provider. (#13910)Quentin Gliech2022-10-251-330/+250
| | | | | | | | | This implements a fake OIDC server, which intercepts calls to the HTTP client. Improves accuracy of tests by covering more internal methods. One particular example was the ID token validation, which previously mocked. This uncovered an incorrect dependency: Synapse actually requires at least authlib 0.15.1, not 0.14.0.
* Move the "email unsubscribe" resource, refactor the macaroon generator & ↵Quentin Gliech2022-06-141-4/+3
| | | | | | | | | | | | | | | | | | | | | simplify the access token verification logic. (#12986) This simplifies the access token verification logic by removing the `rights` parameter which was only ever used for the unsubscribe link in email notifications. The latter has been moved under the `/_synapse` namespace, since it is not a standard API. This also makes the email verification link more secure, by embedding the app_id and pushkey in the macaroon and verifying it. This prevents the user from tampering the query parameters of that unsubscribe link. Macaroon generation is refactored: - Centralised all macaroon generation and verification logic to the `MacaroonGenerator` - Moved to `synapse.utils` - Changed the constructor to require only a `Clock`, hostname, and a secret key (instead of a full `Homeserver`). - Added tests for all methods.
* Use `getClientAddress` instead of `getClientIP`. (#12599)Patrick Cloke2022-05-041-2/+2
| | | | | getClientIP was deprecated in Twisted 18.4.0, which also added getClientAddress. The Synapse minimum version for Twisted is currently 18.9.0, so all supported versions have the new API.
* Add type hints for `tests/unittest.py`. (#12347)Richard van der Hoff2022-04-011-3/+4
| | | In particular, add type hints for get_success and friends, which are then helpful in a bunch of places.
* Add type hints to some tests/handlers files. (#12224)Dirk Klimpel2022-03-151-44/+50
|
* Remove `HomeServer.get_datastore()` (#12031)Richard van der Hoff2022-02-231-3/+3
| | | | | | | The presence of this method was confusing, and mostly present for backwards compatibility. Let's get rid of it. Part of #11733
* Adds misc missing type hints (#11953)Patrick Cloke2022-02-111-7/+2
|
* Save the OIDC session ID (sid) with the device on login (#11482)Quentin Gliech2021-12-061-20/+115
| | | As a step towards allowing back-channel logout for OIDC.
* Rename handler and config modules which end in handler/config. (#9816)Patrick Cloke2021-04-201-4/+4
|
* Remove redundant "coding: utf-8" lines (#9786)Jonathan de Jong2021-04-141-1/+0
| | | | | | | Part of #9744 Removes all redundant `# -*- coding: utf-8 -*-` lines from files, as python 3 automatically reads source code as utf-8 now. `Signed-off-by: Jonathan de Jong <jonathan@automatia.nl>`
* Use mock from the stdlib. (#9772)Patrick Cloke2021-04-091-2/+1
|
* Add SSO attribute requirements for OIDC providers (#9609)Hubbe2021-03-161-0/+132
| | | | Allows limiting who can login using OIDC via the claims made from the IdP.
* JWT OIDC secrets for Sign in with Apple (#9549)Richard van der Hoff2021-03-091-24/+157
| | | | | Apple had to be special. They want a client secret which is generated from an EC key. Fixes #9220. Also fixes #9212 while I'm here.
* Record the SSO Auth Provider in the login token (#9510)Richard van der Hoff2021-03-041-20/+16
| | | This great big stack of commits is a a whole load of hoop-jumping to make it easier to store additional values in login tokens, and then to actually store the SSO Identity Provider in the login token. (Making use of that data will follow in a subsequent PR.)
* Support for form_post in OIDC responses (#9376)Richard van der Hoff2021-02-171-13/+13
| | | Apple want to POST the OIDC auth response back to us rather than using query-params; add the necessary support to make that work.
* Update black, and run auto formatting over the codebase (#9381)Eric Eastwood2021-02-161-6/+20
| | | | | | | - Update black version to the latest - Run black auto formatting over the codebase - Run autoformatting according to [`docs/code_style.md `](https://github.com/matrix-org/synapse/blob/80d6dc9783aa80886a133756028984dbf8920168/docs/code_style.md) - Update `code_style.md` docs around installing black to use the correct version
* Clean up caching/locking of OIDC metadata load (#9362)Richard van der Hoff2021-02-161-26/+45
| | | | Ensure that we lock correctly to prevent multiple concurrent metadata load requests, and generally clean up the way we construct the metadata cache.
* Put OIDC callback URI under /_synapse/client. (#9288)Richard van der Hoff2021-02-011-9/+6
|
* Improve styling and wording of SSO redirect confirm template (#9272)Richard van der Hoff2021-02-011-10/+14
|
* Land support for multiple OIDC providers (#9110)Richard van der Hoff2021-01-151-2/+2
| | | | | | | | | | | | | | | | | | | | | | | This is the final step for supporting multiple OIDC providers concurrently. First of all, we reorganise the config so that you can specify a list of OIDC providers, instead of a single one. Before: oidc_config: enabled: true issuer: "https://oidc_provider" # etc After: oidc_providers: - idp_id: prov1 issuer: "https://oidc_provider" - idp_id: prov2 issuer: "https://another_oidc_provider" The old format is still grandfathered in. With that done, it's then simply a matter of having OidcHandler instantiate a new OidcProvider for each configured provider.
* Improve UsernamePickerTestCase (#9112)Richard van der Hoff2021-01-151-118/+2
| | | | | * make the OIDC bits of the test work at a higher level - via the REST api instead of poking the OIDCHandler directly. * Move it to test_login.py, where I think it fits better.
* Store an IdP ID in the OIDC session (#9109)Richard van der Hoff2021-01-151-1/+2
| | | | | Again in preparation for handling more than one OIDC provider, add a new caveat to the macaroon used as an OIDC session cookie, which remembers which OIDC provider we are talking to. In future, when we get a callback, we'll need it to make sure we talk to the right IdP. As part of this, I'm adding an idp_id and idp_name field to the OIDC configuration object. They aren't yet documented, and we'll just use the old values by default.
* Split OidcProvider out of OidcHandler (#9107)Richard van der Hoff2021-01-141-45/+48
| | | | | | | The idea here is that we will have an instance of OidcProvider for each configured IdP, with OidcHandler just doing the marshalling of them. For now it's still hardcoded with a single provider.
* Preparatory refactors of OidcHandler (#9067)Richard van der Hoff2021-01-131-24/+37
| | | | | | | | Some light refactoring of OidcHandler, in preparation for bigger things: * remove inheritance from deprecated BaseHandler * add an object to hold the things that go into a session cookie * factor out a separate class for manipulating said cookies
* Remove SynapseRequest.get_user_agent (#9069)Richard van der Hoff2021-01-121-2/+1
| | | | | | | | | | | SynapseRequest is in danger of becoming a bit of a dumping-ground for "useful stuff relating to Requests", which isn't really its intention (its purpose is to override render, finished and connectionLost to set up the LoggingContext and write the right entries to the request log). Putting utility functions inside SynapseRequest means that lots of our code ends up requiring a SynapseRequest when there is nothing synapse-specific about the Request at all, and any old twisted.web.iweb.IRequest will do. This increases code coupling and makes testing more difficult. In short: move get_user_agent out to a utility function.
* Skip unit tests which require optional dependencies (#9031)Richard van der Hoff2021-01-071-1/+18
| | | If we are lacking an optional dependency, skip the tests that rely on it.
* Implement a username picker for synapse (#8942)Richard van der Hoff2020-12-181-1/+142
| | | | | | | | | | | | | | The final part (for now) of my work to implement a username picker in synapse itself. The idea is that we allow `UsernameMappingProvider`s to return `localpart=None`, in which case, rather than redirecting the browser back to the client, we redirect to a username-picker resource, which allows the user to enter a username. We *then* complete the SSO flow (including doing the client permission checks). The static resources for the username picker itself (in https://github.com/matrix-org/synapse/tree/rav/username_picker/synapse/res/username_picker) are essentially lifted wholesale from https://github.com/matrix-org/matrix-synapse-saml-mozilla/tree/master/matrix_synapse_saml_mozilla/res. As the comment says, we might want to think about making them customisable, but that can be a follow-up. Fixes #8876.
* Make `_make_callback_with_userinfo` asyncRichard van der Hoff2020-12-151-68/+83
| | | | | | ... so that we can test its behaviour when it raises. Also pull it out to the top level so that I can use it from other test classes.
* Remove spurious mocking of complete_sso_loginRichard van der Hoff2020-12-151-2/+0
| | | | The tests that need this all do it already.
* Test `get_extra_attributes` fallbackRichard van der Hoff2020-12-151-11/+21
| | | | | despite the warnings saying "don't implement get_extra_attributes", we had implemented it, so the tests weren't doing what we thought they were.
* Preparatory refactoring of the SamlHandlerTestCase (#8938)Richard van der Hoff2020-12-151-11/+1
| | | | | | | | | | | | | * move simple_async_mock to test_utils ... so that it can be re-used * Remove references to `SamlHandler._map_saml_response_to_user` from tests This method is going away, so we can no longer use it as a test point. Instead, factor out a higher-level method which takes a SAML object, and verify correct behaviour by mocking out `AuthHandler.complete_sso_login`. * changelog
* Preparatory refactoring of the OidcHandlerTestCase (#8911)Richard van der Hoff2020-12-141-141/+145
| | | | | | | | | | | | | | | | | | | | | | | * Remove references to handler._auth_handler (and replace them with hs.get_auth_handler) * Factor out a utility function for building Requests * Remove mocks of `OidcHandler._map_userinfo_to_user` This method is going away, so mocking it out is no longer a valid approach. Instead, we mock out lower-level methods (eg _remote_id_from_userinfo), or simply allow the regular implementation to proceed and update the expectations accordingly. * Remove references to `OidcHandler._map_userinfo_to_user` from tests This method is going away, so we can no longer use it as a test point. Instead we build mock "callback" requests which we pass into `handle_oidc_callback`, and verify correct behaviour by mocking out `AuthHandler.complete_sso_login`.
* Merge tag 'v1.24.0rc2' into developPatrick Cloke2020-12-041-2/+1
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | Synapse 1.24.0rc2 (2020-12-04) ============================== Bugfixes -------- - Fix a regression in v1.24.0rc1 which failed to allow SAML mapping providers which were unable to redirect users to an additional page. ([\#8878](https://github.com/matrix-org/synapse/issues/8878)) Internal Changes ---------------- - Add support for the `prometheus_client` newer than 0.9.0. Contributed by Jordan Bancino. ([\#8875](https://github.com/matrix-org/synapse/issues/8875))
| * Fix a regression that mapping providers should be able to redirect users. ↵Patrick Cloke2020-12-041-2/+1
| | | | | | | | | | (#8878) This was broken in #8801.
* | Factor out FakeResponse from test_oidcRichard van der Hoff2020-12-021-16/+1
|/
* Fix a regression when grandfathering SAML users. (#8855)Patrick Cloke2020-12-021-0/+8
| | | | | | This was broken in #8801 when abstracting code shared with OIDC. After this change both SAML and OIDC have a concept of grandfathering users, but with different implementations.
* Add basic SAML tests for mapping users. (#8800)Patrick Cloke2020-12-021-17/+17
|
* Support trying multiple localparts for OpenID Connect. (#8801)Patrick Cloke2020-11-251-1/+87
| | | | Abstracts the SAML and OpenID Connect code which attempts to regenerate the localpart of a matrix ID if it is already in use.
* Improve error checking for OIDC/SAML mapping providers (#8774)Patrick Cloke2020-11-191-20/+69
| | | | | | Checks that the localpart returned by mapping providers for SAML and OIDC are valid before registering new users. Extends the OIDC tests for existing users and invalid data.
* Abstract shared SSO code. (#8765)Patrick Cloke2020-11-171-7/+7
| | | De-duplicates code between the SAML and OIDC implementations.
* Fix handling of User-Agent headers with bad utf-8. (#8632)Erik Johnston2020-10-231-6/+18
|
* Add config option for always using "userinfo endpoint" for OIDC (#7658)BBBSnowball2020-10-011-2/+8
| | | This allows for connecting to certain IdPs, e.g. GitLab.
* Allow additional SSO properties to be passed to the client (#8413)Patrick Cloke2020-09-301-55/+105
|
* Allow existing users to login via OpenID Connect. (#8345)Tdxdxoz2020-09-251-0/+35
| | | | | | | Co-authored-by: Benjamin Koch <bbbsnowball@gmail.com> This adds configuration flags that will match a user to pre-existing users when logging in via OpenID Connect. This is useful when switching to an existing SSO system.
* Ensure that the OpenID Connect remote ID is a string. (#8190)Patrick Cloke2020-08-281-2/+39
|
* Allow denying or shadow banning registrations via the spam checker (#8034)Patrick Cloke2020-08-201-3/+15
|
* Support UI Authentication for OpenID Connect accounts (#7457)Patrick Cloke2020-05-151-5/+10
|
* Implement OpenID Connect-based login (#7256)Quentin Gliech2020-05-081-0/+565