tests/util/test_macaroons.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119

# Copyright 2022 The Matrix.org Foundation C.I.C.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

from pymacaroons.exceptions import MacaroonVerificationFailedException

from synapse.util.macaroons import MacaroonGenerator, OidcSessionData

from tests.server import get_clock
from tests.unittest import TestCase


class MacaroonGeneratorTestCase(TestCase):
    def setUp(self) -> None:
        self.reactor, hs_clock = get_clock()
        self.macaroon_generator = MacaroonGenerator(hs_clock, "tesths", b"verysecret")
        self.other_macaroon_generator = MacaroonGenerator(
            hs_clock, "tesths", b"anothersecretkey"
        )

    def test_guest_access_token(self) -> None:
        """Test the generation and verification of guest access tokens"""
        token = self.macaroon_generator.generate_guest_access_token("@user:tesths")
        user_id = self.macaroon_generator.verify_guest_token(token)
        self.assertEqual(user_id, "@user:tesths")

        # Raises with another secret key
        with self.assertRaises(MacaroonVerificationFailedException):
            self.other_macaroon_generator.verify_guest_token(token)

        # Check that an old access token without the guest caveat does not work
        macaroon = self.macaroon_generator._generate_base_macaroon("access")
        macaroon.add_first_party_caveat(f"user_id = {user_id}")
        macaroon.add_first_party_caveat("nonce = 0123456789abcdef")
        token = macaroon.serialize()

        with self.assertRaises(MacaroonVerificationFailedException):
            self.macaroon_generator.verify_guest_token(token)

    def test_delete_pusher_token(self) -> None:
        """Test the generation and verification of delete_pusher tokens"""
        token = self.macaroon_generator.generate_delete_pusher_token(
            "@user:tesths", "m.mail", "john@example.com"
        )
        user_id = self.macaroon_generator.verify_delete_pusher_token(
            token, "m.mail", "john@example.com"
        )
        self.assertEqual(user_id, "@user:tesths")

        # Raises with another secret key
        with self.assertRaises(MacaroonVerificationFailedException):
            self.other_macaroon_generator.verify_delete_pusher_token(
                token, "m.mail", "john@example.com"
            )

        # Raises when verifying for another pushkey
        with self.assertRaises(MacaroonVerificationFailedException):
            self.macaroon_generator.verify_delete_pusher_token(
                token, "m.mail", "other@example.com"
            )

        # Raises when verifying for another app_id
        with self.assertRaises(MacaroonVerificationFailedException):
            self.macaroon_generator.verify_delete_pusher_token(
                token, "somethingelse", "john@example.com"
            )

        # Check that an old token without the app_id and pushkey still works
        macaroon = self.macaroon_generator._generate_base_macaroon("delete_pusher")
        macaroon.add_first_party_caveat("user_id = @user:tesths")
        token = macaroon.serialize()
        user_id = self.macaroon_generator.verify_delete_pusher_token(
            token, "m.mail", "john@example.com"
        )
        self.assertEqual(user_id, "@user:tesths")

    def test_oidc_session_token(self) -> None:
        """Test the generation and verification of OIDC session cookies"""
        state = "arandomstate"
        session_data = OidcSessionData(
            idp_id="oidc",
            nonce="nonce",
            client_redirect_url="https://example.com/",
            ui_auth_session_id="",
            code_verifier="",
        )
        token = self.macaroon_generator.generate_oidc_session_token(
            state, session_data, duration_in_ms=2 * 60 * 1000
        ).encode("utf-8")
        info = self.macaroon_generator.verify_oidc_session_token(token, state)
        self.assertEqual(session_data, info)

        # Raises with another secret key
        with self.assertRaises(MacaroonVerificationFailedException):
            self.other_macaroon_generator.verify_oidc_session_token(token, state)

        # Should raise with another state
        with self.assertRaises(MacaroonVerificationFailedException):
            self.macaroon_generator.verify_oidc_session_token(token, "anotherstate")

        # Wait a minute
        self.reactor.pump([60])
        # Shouldn't raise
        self.macaroon_generator.verify_oidc_session_token(token, state)
        # Wait another minute
        self.reactor.pump([60])
        # Should raise since it expired
        with self.assertRaises(MacaroonVerificationFailedException):
            self.macaroon_generator.verify_oidc_session_token(token, state)