Matrix-Mirrors/anonymousland-synapse
1
0
Fork 0
mirror of https://git.anonymousland.org/anonymousland/synapse.git synced 2024-10-01 11:49:51 -04:00
Code Issues Packages Projects Releases Wiki Activity
feb3e006d7
anonymousland-synapse/tests/rest/client/test_account.py

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

1040 lines
34 KiB
Python
Raw Normal View History

Change password reset links to /_matrix.
2019-06-11 06:31:12 -04:00
# Copyright 2015-2016 OpenMarket Ltd
# Copyright 2017-2018 New Vector Ltd
# Copyright 2019 The Matrix.org Foundation C.I.C.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
Track deactivated accounts in the database (#5378)
2019-06-14 08:18:24 -04:00
import json
Change password reset links to /_matrix.
2019-06-11 06:31:12 -04:00
import os
import re
from email.parser import Parser
Add a config option for validating 'next_link' parameters against a domain whitelist (#8275) This is a config option ported over from DINUM's Sydent: https://github.com/matrix-org/sydent/pull/285 They've switched to validating 3PIDs via Synapse rather than Sydent, and would like to retain this functionality. This original purpose for this change is phishing prevention. This solution could also potentially be replaced by a similar one to https://github.com/matrix-org/synapse/pull/8004, but across all `*/submit_token` endpoint. This option may still be useful to enterprise even with that safeguard in place though, if they want to be absolutely sure that their employees don't follow links to other domains.
2020-09-08 11:03:09 -04:00
from typing import Optional
Change password reset links to /_matrix.
2019-06-11 06:31:12 -04:00
import pkg_resources
import synapse.rest.admin
Add test to validate the change
2019-09-27 10:14:02 -04:00
from synapse.api.constants import LoginType, Membership
Ratelimit 3PID /requestToken API (#9238)
2021-01-28 12:39:21 -05:00
from synapse.api.errors import Codes, HttpResponseException
Support MSC2033: Device ID on whoami (#9918) * Fix no-access-token bug in deactivation tests * Support MSC2033: Device ID on whoami * Test for appservices too MSC: https://github.com/matrix-org/matrix-doc/pull/2033 The MSC has passed FCP, which means stable endpoints can be used.
2021-07-27 01:28:20 -04:00
from synapse.appservice import ApplicationService
Flatten the synapse.rest.client package (#10600)
2021-08-17 07:57:58 -04:00
from synapse.rest.client import account, login, register, room
Show a confirmation page during user password reset (#8004) This PR adds a confirmation step to resetting your user password between clicking the link in your email and your password actually being reset. This is to better align our password reset flow with the industry standard of requiring a confirmation from the user after email validation.
2020-09-10 06:45:12 -04:00
from synapse.rest.synapse.client.password_reset import PasswordResetSubmitTokenResource
Change password reset links to /_matrix.
2019-06-11 06:31:12 -04:00
from tests import unittest
use global make_request() directly where we have a custom Resource Where we want to render a request against a specific Resource, call the global make_request() function rather than the one in HomeserverTestCase, allowing us to pass in an appropriate `Site`.
2020-11-13 18:11:43 -05:00
from tests.server import FakeSite, make_request
Add a config option for validating 'next_link' parameters against a domain whitelist (#8275) This is a config option ported over from DINUM's Sydent: https://github.com/matrix-org/sydent/pull/285 They've switched to validating 3PIDs via Synapse rather than Sydent, and would like to retain this functionality. This original purpose for this change is phishing prevention. This solution could also potentially be replaced by a similar one to https://github.com/matrix-org/synapse/pull/8004, but across all `*/submit_token` endpoint. This option may still be useful to enterprise even with that safeguard in place though, if they want to be absolutely sure that their employees don't follow links to other domains.
2020-09-08 11:03:09 -04:00
from tests.unittest import override_config
Change password reset links to /_matrix.
2019-06-11 06:31:12 -04:00
class PasswordResetTestCase(unittest.HomeserverTestCase):
servlets = [
account.register_servlets,
synapse.rest.admin.register_servlets_for_client_rest_resource,
register.register_servlets,
login.register_servlets,
]
def make_homeserver(self, reactor, clock):
config = self.default_config()
# Email config.
config["email"] = {
"enable_notifs": False,
"template_dir": os.path.abspath(
pkg_resources.resource_filename("synapse", "res/templates")
),
"smtp_host": "127.0.0.1",
"smtp_port": 20,
"require_transport_security": False,
"smtp_user": None,
"smtp_pass": None,
"notif_from": "test@example.com",
}
config["public_baseurl"] = "https://example.com"
Add a setting to disable TLS for sending email (#10546) This is mostly useful in case the server offers TLS, but doesn't present a valid certificate.
2021-08-06 06:13:34 -04:00
hs = self.setup_test_homeserver(config=config)
async def sendmail(
reactor, smtphost, smtpport, from_addr, to_addrs, msg, **kwargs
):
self.email_attempts.append(msg)
self.email_attempts = []
hs.get_send_email_handler()._sendmail = sendmail
Change password reset links to /_matrix.
2019-06-11 06:31:12 -04:00
return hs
def prepare(self, reactor, clock, hs):
self.store = hs.get_datastore()
Show a confirmation page during user password reset (#8004) This PR adds a confirmation step to resetting your user password between clicking the link in your email and your password actually being reset. This is to better align our password reset flow with the industry standard of requiring a confirmation from the user after email validation.
2020-09-10 06:45:12 -04:00
self.submit_token_resource = PasswordResetSubmitTokenResource(hs)
Change password reset links to /_matrix.
2019-06-11 06:31:12 -04:00
def test_basic_password_reset(self):
"""Test basic password reset flow"""
old_password = "monkey"
new_password = "kangeroo"
user_id = self.register_user("kermit", old_password)
self.login("kermit", old_password)
email = "test@example.com"
# Add a threepid
self.get_success(
self.store.user_add_threepid(
user_id=user_id,
medium="email",
address=email,
validated_at=0,
added_at=0,
)
)
client_secret = "foobar"
session_id = self._request_token(email, client_secret)
self.assertEquals(len(self.email_attempts), 1)
link = self._get_link_from_email()
self._validate_token(link)
self._reset_password(new_password, session_id, client_secret)
# Assert we can log in with the new password
self.login("kermit", new_password)
# Assert we can't log in with the old password
self.attempt_wrong_password_login("kermit", old_password)
Ratelimit 3PID /requestToken API (#9238)
2021-01-28 12:39:21 -05:00
@override_config({"rc_3pid_validation": {"burst_count": 3}})
def test_ratelimit_by_email(self):
"""Test that we ratelimit /requestToken for the same email."""
old_password = "monkey"
new_password = "kangeroo"
user_id = self.register_user("kermit", old_password)
self.login("kermit", old_password)
email = "test1@example.com"
# Add a threepid
self.get_success(
self.store.user_add_threepid(
user_id=user_id,
medium="email",
address=email,
validated_at=0,
added_at=0,
)
)
def reset(ip):
client_secret = "foobar"
session_id = self._request_token(email, client_secret, ip)
self.assertEquals(len(self.email_attempts), 1)
link = self._get_link_from_email()
self._validate_token(link)
self._reset_password(new_password, session_id, client_secret)
self.email_attempts.clear()
# We expect to be able to make three requests before getting rate
# limited.
#
# We change IPs to ensure that we're not being ratelimited due to the
# same IP
reset("127.0.0.1")
reset("127.0.0.2")
reset("127.0.0.3")
with self.assertRaises(HttpResponseException) as cm:
reset("127.0.0.4")
self.assertEqual(cm.exception.code, 429)
Fix inconsistent handling of upper and lower cases of email addresses. (#7021) fixes #7016
2020-07-03 09:03:13 -04:00
def test_basic_password_reset_canonicalise_email(self):
"""Test basic password reset flow
Request password reset with different spelling
"""
old_password = "monkey"
new_password = "kangeroo"
user_id = self.register_user("kermit", old_password)
self.login("kermit", old_password)
email_profile = "test@example.com"
email_passwort_reset = "TEST@EXAMPLE.COM"
# Add a threepid
self.get_success(
self.store.user_add_threepid(
user_id=user_id,
medium="email",
address=email_profile,
validated_at=0,
added_at=0,
)
)
client_secret = "foobar"
session_id = self._request_token(email_passwort_reset, client_secret)
self.assertEquals(len(self.email_attempts), 1)
link = self._get_link_from_email()
self._validate_token(link)
self._reset_password(new_password, session_id, client_secret)
# Assert we can log in with the new password
self.login("kermit", new_password)
# Assert we can't log in with the old password
self.attempt_wrong_password_login("kermit", old_password)
Change password reset links to /_matrix.
2019-06-11 06:31:12 -04:00
def test_cant_reset_password_without_clicking_link(self):
"""Test that we do actually need to click the link in the email"""
old_password = "monkey"
new_password = "kangeroo"
user_id = self.register_user("kermit", old_password)
self.login("kermit", old_password)
email = "test@example.com"
# Add a threepid
self.get_success(
self.store.user_add_threepid(
user_id=user_id,
medium="email",
address=email,
validated_at=0,
added_at=0,
)
)
client_secret = "foobar"
session_id = self._request_token(email, client_secret)
self.assertEquals(len(self.email_attempts), 1)
# Attempt to reset password without clicking the link
self._reset_password(new_password, session_id, client_secret, expected_code=401)
# Assert we can log in with the old password
self.login("kermit", old_password)
# Assert we can't log in with the new password
self.attempt_wrong_password_login("kermit", new_password)
def test_no_valid_token(self):
"""Test that we do actually need to request a token and can't just
make a session up.
"""
old_password = "monkey"
new_password = "kangeroo"
user_id = self.register_user("kermit", old_password)
self.login("kermit", old_password)
email = "test@example.com"
# Add a threepid
self.get_success(
self.store.user_add_threepid(
user_id=user_id,
medium="email",
address=email,
validated_at=0,
added_at=0,
)
)
client_secret = "foobar"
session_id = "weasle"
# Attempt to reset password without even requesting an email
self._reset_password(new_password, session_id, client_secret, expected_code=401)
# Assert we can log in with the old password
self.login("kermit", old_password)
# Assert we can't log in with the new password
self.attempt_wrong_password_login("kermit", new_password)
Revert "Revert "Merge pull request #7315 from matrix-org/babolivier/request_token"" This reverts commit 1adf6a55870aa08de272591ff49db9dc49738076.
2020-04-23 05:23:53 -04:00
@unittest.override_config({"request_token_inhibit_3pid_errors": True})
def test_password_reset_bad_email_inhibit_error(self):
"""Test that triggering a password reset with an email address that isn't bound
to an account doesn't leak the lack of binding for that address if configured
that way.
"""
self.register_user("kermit", "monkey")
self.login("kermit", "monkey")
email = "test@example.com"
client_secret = "foobar"
session_id = self._request_token(email, client_secret)
self.assertIsNotNone(session_id)
Ratelimit 3PID /requestToken API (#9238)
2021-01-28 12:39:21 -05:00
def _request_token(self, email, client_secret, ip="127.0.0.1"):
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
Change password reset links to /_matrix.
2019-06-11 06:31:12 -04:00
"POST",
b"account/password/email/requestToken",
{"client_secret": client_secret, "email": email, "send_attempt": 1},
Ratelimit 3PID /requestToken API (#9238)
2021-01-28 12:39:21 -05:00
client_ip=ip,
Change password reset links to /_matrix.
2019-06-11 06:31:12 -04:00
)
Ratelimit 3PID /requestToken API (#9238)
2021-01-28 12:39:21 -05:00
if channel.code != 200:
raise HttpResponseException(
channel.code,
channel.result["reason"],
channel.result["body"],
)
Change password reset links to /_matrix.
2019-06-11 06:31:12 -04:00
return channel.json_body["sid"]
def _validate_token(self, link):
# Remove the host
path = link.replace("https://example.com", "")
Show a confirmation page during user password reset (#8004) This PR adds a confirmation step to resetting your user password between clicking the link in your email and your password actually being reset. This is to better align our password reset flow with the industry standard of requiring a confirmation from the user after email validation.
2020-09-10 06:45:12 -04:00
# Load the password reset confirmation page
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = make_request(
use global make_request() directly where we have a custom Resource Where we want to render a request against a specific Resource, call the global make_request() function rather than the one in HomeserverTestCase, allowing us to pass in an appropriate `Site`.
2020-11-13 18:11:43 -05:00
self.reactor,
Add reactor to `SynapseRequest` and fix up types. (#10868)
2021-09-24 06:01:25 -04:00
FakeSite(self.submit_token_resource, self.reactor),
use global make_request() directly where we have a custom Resource Where we want to render a request against a specific Resource, call the global make_request() function rather than the one in HomeserverTestCase, allowing us to pass in an appropriate `Site`.
2020-11-13 18:11:43 -05:00
"GET",
path,
shorthand=False,
)
Show a confirmation page during user password reset (#8004) This PR adds a confirmation step to resetting your user password between clicking the link in your email and your password actually being reset. This is to better align our password reset flow with the industry standard of requiring a confirmation from the user after email validation.
2020-09-10 06:45:12 -04:00
self.assertEquals(200, channel.code, channel.result)
# Now POST to the same endpoint, mimicking the same behaviour as clicking the
# password reset confirm button
# Confirm the password reset
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = make_request(
use global make_request() directly where we have a custom Resource Where we want to render a request against a specific Resource, call the global make_request() function rather than the one in HomeserverTestCase, allowing us to pass in an appropriate `Site`.
2020-11-13 18:11:43 -05:00
self.reactor,
Add reactor to `SynapseRequest` and fix up types. (#10868)
2021-09-24 06:01:25 -04:00
FakeSite(self.submit_token_resource, self.reactor),
Show a confirmation page during user password reset (#8004) This PR adds a confirmation step to resetting your user password between clicking the link in your email and your password actually being reset. This is to better align our password reset flow with the industry standard of requiring a confirmation from the user after email validation.
2020-09-10 06:45:12 -04:00
"POST",
path,
Remove redundant reading of SynapseRequest.args this didn't seem to be doing a lot, so remove it.
2020-12-15 10:18:03 -05:00
content=b"",
Show a confirmation page during user password reset (#8004) This PR adds a confirmation step to resetting your user password between clicking the link in your email and your password actually being reset. This is to better align our password reset flow with the industry standard of requiring a confirmation from the user after email validation.
2020-09-10 06:45:12 -04:00
shorthand=False,
content_is_form=True,
)
Change password reset links to /_matrix.
2019-06-11 06:31:12 -04:00
self.assertEquals(200, channel.code, channel.result)
def _get_link_from_email(self):
assert self.email_attempts, "No emails have been sent"
raw_msg = self.email_attempts[-1].decode("UTF-8")
mail = Parser().parsestr(raw_msg)
text = None
for part in mail.walk():
if part.get_content_type() == "text/plain":
text = part.get_payload(decode=True).decode("UTF-8")
break
if not text:
self.fail("Could not find text portion of email to parse")
match = re.search(r"https://example.com\S+", text)
assert match, "Could not find link in email"
return match.group(0)
def _reset_password(
self, new_password, session_id, client_secret, expected_code=200
):
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
Change password reset links to /_matrix.
2019-06-11 06:31:12 -04:00
"POST",
b"account/password",
{
"new_password": new_password,
"auth": {
"type": LoginType.EMAIL_IDENTITY,
"threepid_creds": {
"client_secret": client_secret,
"sid": session_id,
},
},
},
)
self.assertEquals(expected_code, channel.code, channel.result)
Track deactivated accounts in the database (#5378)
2019-06-14 08:18:24 -04:00
class DeactivateTestCase(unittest.HomeserverTestCase):
servlets = [
synapse.rest.admin.register_servlets_for_client_rest_resource,
login.register_servlets,
account.register_servlets,
Add test to validate the change
2019-09-27 10:14:02 -04:00
room.register_servlets,
Track deactivated accounts in the database (#5378)
2019-06-14 08:18:24 -04:00
]
def make_homeserver(self, reactor, clock):
Add test to validate the change
2019-09-27 10:14:02 -04:00
self.hs = self.setup_test_homeserver()
return self.hs
Track deactivated accounts in the database (#5378)
2019-06-14 08:18:24 -04:00
def test_deactivate_account(self):
user_id = self.register_user("kermit", "test")
tok = self.login("kermit", "test")
Add test to validate the change
2019-09-27 10:14:02 -04:00
self.deactivate(user_id, tok)
store = self.hs.get_datastore()
# Check that the user has been marked as deactivated.
self.assertTrue(self.get_success(store.get_user_deactivated_status(user_id)))
# Check that this access token has been invalidated.
Support MSC2033: Device ID on whoami (#9918) * Fix no-access-token bug in deactivation tests * Support MSC2033: Device ID on whoami * Test for appservices too MSC: https://github.com/matrix-org/matrix-doc/pull/2033 The MSC has passed FCP, which means stable endpoints can be used.
2021-07-27 01:28:20 -04:00
channel = self.make_request("GET", "account/whoami", access_token=tok)
Replace `request.code` with `channel.code` The two are equivalent, but really we want to check the HTTP result that got returned to the channel, not the code that the Request object *intended* to return to the channel.
2020-12-15 09:51:25 -05:00
self.assertEqual(channel.code, 401)
Add test to validate the change
2019-09-27 10:14:02 -04:00
def test_pending_invites(self):
"""Tests that deactivating a user rejects every pending invite for them."""
store = self.hs.get_datastore()
inviter_id = self.register_user("inviter", "test")
inviter_tok = self.login("inviter", "test")
invitee_id = self.register_user("invitee", "test")
invitee_tok = self.login("invitee", "test")
# Make @inviter:test invite @invitee:test in a new room.
room_id = self.helper.create_room_as(inviter_id, tok=inviter_tok)
ok
2019-09-27 10:23:07 -04:00
self.helper.invite(
room=room_id, src=inviter_id, targ=invitee_id, tok=inviter_tok
)
Add test to validate the change
2019-09-27 10:14:02 -04:00
# Make sure the invite is here.
Add `local_current_membership` table (#6655) Currently we rely on `current_state_events` to figure out what rooms a user was in and their last membership event in there. However, if the server leaves the room then the table may be cleaned up and that information is lost. So lets add a table that separately holds that information.
2020-01-15 09:59:33 -05:00
pending_invites = self.get_success(
store.get_invited_rooms_for_local_user(invitee_id)
)
Add test to validate the change
2019-09-27 10:14:02 -04:00
self.assertEqual(len(pending_invites), 1, pending_invites)
self.assertEqual(pending_invites[0].room_id, room_id, pending_invites)
# Deactivate @invitee:test.
self.deactivate(invitee_id, invitee_tok)
# Check that the invite isn't there anymore.
Add `local_current_membership` table (#6655) Currently we rely on `current_state_events` to figure out what rooms a user was in and their last membership event in there. However, if the server leaves the room then the table may be cleaned up and that information is lost. So lets add a table that separately holds that information.
2020-01-15 09:59:33 -05:00
pending_invites = self.get_success(
store.get_invited_rooms_for_local_user(invitee_id)
)
Add test to validate the change
2019-09-27 10:14:02 -04:00
self.assertEqual(len(pending_invites), 0, pending_invites)
# Check that the membership of @invitee:test in the room is now "leave".
memberships = self.get_success(
Add `local_current_membership` table (#6655) Currently we rely on `current_state_events` to figure out what rooms a user was in and their last membership event in there. However, if the server leaves the room then the table may be cleaned up and that information is lost. So lets add a table that separately holds that information.
2020-01-15 09:59:33 -05:00
store.get_rooms_for_local_user_where_membership_is(
invitee_id, [Membership.LEAVE]
)
Add test to validate the change
2019-09-27 10:14:02 -04:00
)
self.assertEqual(len(memberships), 1, memberships)
self.assertEqual(memberships[0].room_id, room_id, memberships)
def deactivate(self, user_id, tok):
Track deactivated accounts in the database (#5378)
2019-06-14 08:18:24 -04:00
request_data = json.dumps(
{
"auth": {
"type": "m.login.password",
"user": user_id,
"password": "test",
},
"erase": False,
}
)
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
Track deactivated accounts in the database (#5378)
2019-06-14 08:18:24 -04:00
"POST", "account/deactivate", request_data, access_token=tok
)
Replace `request.code` with `channel.code` The two are equivalent, but really we want to check the HTTP result that got returned to the channel, not the code that the Request object *intended* to return to the channel.
2020-12-15 09:51:25 -05:00
self.assertEqual(channel.code, 200)
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
Support MSC2033: Device ID on whoami (#9918) * Fix no-access-token bug in deactivation tests * Support MSC2033: Device ID on whoami * Test for appservices too MSC: https://github.com/matrix-org/matrix-doc/pull/2033 The MSC has passed FCP, which means stable endpoints can be used.
2021-07-27 01:28:20 -04:00
class WhoamiTestCase(unittest.HomeserverTestCase):
servlets = [
synapse.rest.admin.register_servlets_for_client_rest_resource,
login.register_servlets,
account.register_servlets,
register.register_servlets,
]
Implement MSC3069: Guest support on whoami (#9655)
2021-09-29 06:32:45 -04:00
def default_config(self):
config = super().default_config()
config["allow_guest_access"] = True
return config
Support MSC2033: Device ID on whoami (#9918) * Fix no-access-token bug in deactivation tests * Support MSC2033: Device ID on whoami * Test for appservices too MSC: https://github.com/matrix-org/matrix-doc/pull/2033 The MSC has passed FCP, which means stable endpoints can be used.
2021-07-27 01:28:20 -04:00
def test_GET_whoami(self):
device_id = "wouldgohere"
user_id = self.register_user("kermit", "test")
tok = self.login("kermit", "test", device_id=device_id)
Implement MSC3069: Guest support on whoami (#9655)
2021-09-29 06:32:45 -04:00
whoami = self._whoami(tok)
self.assertEqual(
whoami,
{
"user_id": user_id,
"device_id": device_id,
# Unstable until MSC3069 enters spec
"org.matrix.msc3069.is_guest": False,
},
)
def test_GET_whoami_guests(self):
channel = self.make_request(
b"POST", b"/_matrix/client/r0/register?kind=guest", b"{}"
)
tok = channel.json_body["access_token"]
user_id = channel.json_body["user_id"]
device_id = channel.json_body["device_id"]
whoami = self._whoami(tok)
self.assertEqual(
whoami,
{
"user_id": user_id,
"device_id": device_id,
# Unstable until MSC3069 enters spec
"org.matrix.msc3069.is_guest": True,
},
)
Support MSC2033: Device ID on whoami (#9918) * Fix no-access-token bug in deactivation tests * Support MSC2033: Device ID on whoami * Test for appservices too MSC: https://github.com/matrix-org/matrix-doc/pull/2033 The MSC has passed FCP, which means stable endpoints can be used.
2021-07-27 01:28:20 -04:00
def test_GET_whoami_appservices(self):
user_id = "@as:test"
as_token = "i_am_an_app_service"
appservice = ApplicationService(
as_token,
Use direct references for configuration variables (part 6). (#10916)
2021-09-29 06:44:15 -04:00
self.hs.config.server.server_name,
Support MSC2033: Device ID on whoami (#9918) * Fix no-access-token bug in deactivation tests * Support MSC2033: Device ID on whoami * Test for appservices too MSC: https://github.com/matrix-org/matrix-doc/pull/2033 The MSC has passed FCP, which means stable endpoints can be used.
2021-07-27 01:28:20 -04:00
id="1234",
namespaces={"users": [{"regex": user_id, "exclusive": True}]},
sender=user_id,
)
self.hs.get_datastore().services_cache.append(appservice)
Implement MSC3069: Guest support on whoami (#9655)
2021-09-29 06:32:45 -04:00
whoami = self._whoami(as_token)
self.assertEqual(
whoami,
{
"user_id": user_id,
# Unstable until MSC3069 enters spec
"org.matrix.msc3069.is_guest": False,
},
)
Support MSC2033: Device ID on whoami (#9918) * Fix no-access-token bug in deactivation tests * Support MSC2033: Device ID on whoami * Test for appservices too MSC: https://github.com/matrix-org/matrix-doc/pull/2033 The MSC has passed FCP, which means stable endpoints can be used.
2021-07-27 01:28:20 -04:00
self.assertFalse(hasattr(whoami, "device_id"))
Implement MSC3069: Guest support on whoami (#9655)
2021-09-29 06:32:45 -04:00
def _whoami(self, tok):
Support MSC2033: Device ID on whoami (#9918) * Fix no-access-token bug in deactivation tests * Support MSC2033: Device ID on whoami * Test for appservices too MSC: https://github.com/matrix-org/matrix-doc/pull/2033 The MSC has passed FCP, which means stable endpoints can be used.
2021-07-27 01:28:20 -04:00
channel = self.make_request("GET", "account/whoami", {}, access_token=tok)
self.assertEqual(channel.code, 200)
return channel.json_body
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
class ThreepidEmailRestTestCase(unittest.HomeserverTestCase):
servlets = [
account.register_servlets,
login.register_servlets,
synapse.rest.admin.register_servlets_for_client_rest_resource,
]
def make_homeserver(self, reactor, clock):
config = self.default_config()
# Email config.
config["email"] = {
"enable_notifs": False,
"template_dir": os.path.abspath(
pkg_resources.resource_filename("synapse", "res/templates")
),
"smtp_host": "127.0.0.1",
"smtp_port": 20,
"require_transport_security": False,
"smtp_user": None,
"smtp_pass": None,
"notif_from": "test@example.com",
}
config["public_baseurl"] = "https://example.com"
Add a setting to disable TLS for sending email (#10546) This is mostly useful in case the server offers TLS, but doesn't present a valid certificate.
2021-08-06 06:13:34 -04:00
self.hs = self.setup_test_homeserver(config=config)
async def sendmail(
reactor, smtphost, smtpport, from_addr, to_addrs, msg, **kwargs
):
self.email_attempts.append(msg)
self.email_attempts = []
self.hs.get_send_email_handler()._sendmail = sendmail
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
return self.hs
def prepare(self, reactor, clock, hs):
self.store = hs.get_datastore()
self.user_id = self.register_user("kermit", "test")
self.user_id_tok = self.login("kermit", "test")
self.email = "test@example.com"
self.url_3pid = b"account/3pid"
Fix inconsistent handling of upper and lower cases of email addresses. (#7021) fixes #7016
2020-07-03 09:03:13 -04:00
def test_add_valid_email(self):
self.get_success(self._add_email(self.email, self.email))
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
Fix inconsistent handling of upper and lower cases of email addresses. (#7021) fixes #7016
2020-07-03 09:03:13 -04:00
def test_add_valid_email_second_time(self):
self.get_success(self._add_email(self.email, self.email))
self.get_success(
self._request_token_invalid_email(
self.email,
expected_errcode=Codes.THREEPID_IN_USE,
expected_error="Email is already in use",
)
)
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
Fix inconsistent handling of upper and lower cases of email addresses. (#7021) fixes #7016
2020-07-03 09:03:13 -04:00
def test_add_valid_email_second_time_canonicalise(self):
self.get_success(self._add_email(self.email, self.email))
self.get_success(
self._request_token_invalid_email(
"TEST@EXAMPLE.COM",
expected_errcode=Codes.THREEPID_IN_USE,
expected_error="Email is already in use",
)
)
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
Fix inconsistent handling of upper and lower cases of email addresses. (#7021) fixes #7016
2020-07-03 09:03:13 -04:00
def test_add_email_no_at(self):
self.get_success(
self._request_token_invalid_email(
"address-without-at.bar",
expected_errcode=Codes.UNKNOWN,
expected_error="Unable to parse email address",
)
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
)
Fix inconsistent handling of upper and lower cases of email addresses. (#7021) fixes #7016
2020-07-03 09:03:13 -04:00
def test_add_email_two_at(self):
self.get_success(
self._request_token_invalid_email(
"foo@foo@test.bar",
expected_errcode=Codes.UNKNOWN,
expected_error="Unable to parse email address",
)
)
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
Fix inconsistent handling of upper and lower cases of email addresses. (#7021) fixes #7016
2020-07-03 09:03:13 -04:00
def test_add_email_bad_format(self):
self.get_success(
self._request_token_invalid_email(
"user@bad.example.net@good.example.com",
expected_errcode=Codes.UNKNOWN,
expected_error="Unable to parse email address",
)
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
)
Fix inconsistent handling of upper and lower cases of email addresses. (#7021) fixes #7016
2020-07-03 09:03:13 -04:00
def test_add_email_domain_to_lower(self):
self.get_success(self._add_email("foo@TEST.BAR", "foo@test.bar"))
def test_add_email_domain_with_umlaut(self):
self.get_success(self._add_email("foo@Öumlaut.com", "foo@öumlaut.com"))
def test_add_email_address_casefold(self):
self.get_success(self._add_email("Strauß@Example.com", "strauss@example.com"))
def test_address_trim(self):
self.get_success(self._add_email(" foo@test.bar ", "foo@test.bar"))
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
Ratelimit 3PID /requestToken API (#9238)
2021-01-28 12:39:21 -05:00
@override_config({"rc_3pid_validation": {"burst_count": 3}})
def test_ratelimit_by_ip(self):
"""Tests that adding emails is ratelimited by IP"""
# We expect to be able to set three emails before getting ratelimited.
self.get_success(self._add_email("foo1@test.bar", "foo1@test.bar"))
self.get_success(self._add_email("foo2@test.bar", "foo2@test.bar"))
self.get_success(self._add_email("foo3@test.bar", "foo3@test.bar"))
with self.assertRaises(HttpResponseException) as cm:
self.get_success(self._add_email("foo4@test.bar", "foo4@test.bar"))
self.assertEqual(cm.exception.code, 429)
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
def test_add_email_if_disabled(self):
"""Test adding email to profile when doing so is disallowed"""
Use direct references for configuration variables (part 7). (#10959)
2021-10-04 07:18:54 -04:00
self.hs.config.registration.enable_3pid_changes = False
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
client_secret = "foobar"
session_id = self._request_token(self.email, client_secret)
self.assertEquals(len(self.email_attempts), 1)
link = self._get_link_from_email()
self._validate_token(link)
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
"POST",
b"/_matrix/client/unstable/account/3pid/add",
{
"client_secret": client_secret,
"sid": session_id,
"auth": {
"type": "m.login.password",
"user": self.user_id,
"password": "test",
},
},
access_token=self.user_id_tok,
)
self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])
# Get user
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
"GET",
self.url_3pid,
access_token=self.user_id_tok,
)
self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
self.assertFalse(channel.json_body["threepids"])
def test_delete_email(self):
"""Test deleting an email from profile"""
# Add a threepid
self.get_success(
self.store.user_add_threepid(
user_id=self.user_id,
medium="email",
address=self.email,
validated_at=0,
added_at=0,
)
)
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
"POST",
b"account/3pid/delete",
{"medium": "email", "address": self.email},
access_token=self.user_id_tok,
)
self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
# Get user
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
"GET",
self.url_3pid,
access_token=self.user_id_tok,
)
self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
self.assertFalse(channel.json_body["threepids"])
def test_delete_email_if_disabled(self):
"""Test deleting an email from profile when disallowed"""
Use direct references for configuration variables (part 7). (#10959)
2021-10-04 07:18:54 -04:00
self.hs.config.registration.enable_3pid_changes = False
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
# Add a threepid
self.get_success(
self.store.user_add_threepid(
user_id=self.user_id,
medium="email",
address=self.email,
validated_at=0,
added_at=0,
)
)
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
"POST",
b"account/3pid/delete",
{"medium": "email", "address": self.email},
access_token=self.user_id_tok,
)
self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])
# Get user
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
"GET",
self.url_3pid,
access_token=self.user_id_tok,
)
self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
self.assertEqual("email", channel.json_body["threepids"][0]["medium"])
self.assertEqual(self.email, channel.json_body["threepids"][0]["address"])
def test_cant_add_email_without_clicking_link(self):
"""Test that we do actually need to click the link in the email"""
client_secret = "foobar"
session_id = self._request_token(self.email, client_secret)
self.assertEquals(len(self.email_attempts), 1)
# Attempt to add email without clicking the link
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
"POST",
b"/_matrix/client/unstable/account/3pid/add",
{
"client_secret": client_secret,
"sid": session_id,
"auth": {
"type": "m.login.password",
"user": self.user_id,
"password": "test",
},
},
access_token=self.user_id_tok,
)
self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
self.assertEqual(Codes.THREEPID_AUTH_FAILED, channel.json_body["errcode"])
# Get user
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
"GET",
self.url_3pid,
access_token=self.user_id_tok,
)
self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
self.assertFalse(channel.json_body["threepids"])
def test_no_valid_token(self):
"""Test that we do actually need to request a token and can't just
make a session up.
"""
client_secret = "foobar"
session_id = "weasle"
# Attempt to add email without even requesting an email
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
"POST",
b"/_matrix/client/unstable/account/3pid/add",
{
"client_secret": client_secret,
"sid": session_id,
"auth": {
"type": "m.login.password",
"user": self.user_id,
"password": "test",
},
},
access_token=self.user_id_tok,
)
self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
self.assertEqual(Codes.THREEPID_AUTH_FAILED, channel.json_body["errcode"])
# Get user
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
"GET",
self.url_3pid,
access_token=self.user_id_tok,
)
self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
self.assertFalse(channel.json_body["threepids"])
Add a config option for validating 'next_link' parameters against a domain whitelist (#8275) This is a config option ported over from DINUM's Sydent: https://github.com/matrix-org/sydent/pull/285 They've switched to validating 3PIDs via Synapse rather than Sydent, and would like to retain this functionality. This original purpose for this change is phishing prevention. This solution could also potentially be replaced by a similar one to https://github.com/matrix-org/synapse/pull/8004, but across all `*/submit_token` endpoint. This option may still be useful to enterprise even with that safeguard in place though, if they want to be absolutely sure that their employees don't follow links to other domains.
2020-09-08 11:03:09 -04:00
@override_config({"next_link_domain_whitelist": None})
def test_next_link(self):
"""Tests a valid next_link parameter value with no whitelist (good case)"""
self._request_token(
"something@example.com",
"some_secret",
next_link="https://example.com/a/good/site",
expect_code=200,
)
@override_config({"next_link_domain_whitelist": None})
def test_next_link_exotic_protocol(self):
"""Tests using a esoteric protocol as a next_link parameter value.
Someone may be hosting a client on IPFS etc.
"""
self._request_token(
"something@example.com",
"some_secret",
next_link="some-protocol://abcdefghijklmopqrstuvwxyz",
expect_code=200,
)
@override_config({"next_link_domain_whitelist": None})
def test_next_link_file_uri(self):
"""Tests next_link parameters cannot be file URI"""
# Attempt to use a next_link value that points to the local disk
self._request_token(
"something@example.com",
"some_secret",
next_link="file:///host/path",
expect_code=400,
)
@override_config({"next_link_domain_whitelist": ["example.com", "example.org"]})
def test_next_link_domain_whitelist(self):
"""Tests next_link parameters must fit the whitelist if provided"""
Only assert valid next_link params when provided (#8417) Broken in https://github.com/matrix-org/synapse/pull/8275 and has yet to be put in a release. Fixes https://github.com/matrix-org/synapse/issues/8418. `next_link` is an optional parameter. However, we were checking whether the `next_link` param was valid, even if it wasn't provided. In that case, `next_link` was `None`, which would clearly not be a valid URL. This would prevent password reset and other operations if `next_link` was not provided, and the `next_link_domain_whitelist` config option was set.
2020-09-29 07:36:44 -04:00
# Ensure not providing a next_link parameter still works
self._request_token(
"something@example.com",
"some_secret",
next_link=None,
expect_code=200,
)
Add a config option for validating 'next_link' parameters against a domain whitelist (#8275) This is a config option ported over from DINUM's Sydent: https://github.com/matrix-org/sydent/pull/285 They've switched to validating 3PIDs via Synapse rather than Sydent, and would like to retain this functionality. This original purpose for this change is phishing prevention. This solution could also potentially be replaced by a similar one to https://github.com/matrix-org/synapse/pull/8004, but across all `*/submit_token` endpoint. This option may still be useful to enterprise even with that safeguard in place though, if they want to be absolutely sure that their employees don't follow links to other domains.
2020-09-08 11:03:09 -04:00
self._request_token(
"something@example.com",
"some_secret",
next_link="https://example.com/some/good/page",
expect_code=200,
)
self._request_token(
"something@example.com",
"some_secret",
next_link="https://example.org/some/also/good/page",
expect_code=200,
)
self._request_token(
"something@example.com",
"some_secret",
next_link="https://bad.example.org/some/bad/page",
expect_code=400,
)
@override_config({"next_link_domain_whitelist": []})
def test_empty_next_link_domain_whitelist(self):
"""Tests an empty next_lint_domain_whitelist value, meaning next_link is essentially
disallowed
"""
self._request_token(
"something@example.com",
"some_secret",
next_link="https://example.com/a/page",
expect_code=400,
)
def _request_token(
self,
email: str,
client_secret: str,
next_link: Optional[str] = None,
expect_code: int = 200,
) -> str:
"""Request a validation token to add an email address to a user's account
Args:
email: The email address to validate
client_secret: A secret string
next_link: A link to redirect the user to after validation
expect_code: Expected return code of the call
Returns:
The ID of the new threepid validation session
"""
body = {"client_secret": client_secret, "email": email, "send_attempt": 1}
if next_link:
body["next_link"] = next_link
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
"POST",
b"account/3pid/email/requestToken",
body,
)
Ratelimit 3PID /requestToken API (#9238)
2021-01-28 12:39:21 -05:00
if channel.code != expect_code:
raise HttpResponseException(
channel.code,
channel.result["reason"],
channel.result["body"],
)
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
Add a config option for validating 'next_link' parameters against a domain whitelist (#8275) This is a config option ported over from DINUM's Sydent: https://github.com/matrix-org/sydent/pull/285 They've switched to validating 3PIDs via Synapse rather than Sydent, and would like to retain this functionality. This original purpose for this change is phishing prevention. This solution could also potentially be replaced by a similar one to https://github.com/matrix-org/synapse/pull/8004, but across all `*/submit_token` endpoint. This option may still be useful to enterprise even with that safeguard in place though, if they want to be absolutely sure that their employees don't follow links to other domains.
2020-09-08 11:03:09 -04:00
return channel.json_body.get("sid")
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
Fix inconsistent handling of upper and lower cases of email addresses. (#7021) fixes #7016
2020-07-03 09:03:13 -04:00
def _request_token_invalid_email(
self,
email,
expected_errcode,
expected_error,
client_secret="foobar",
):
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
Fix inconsistent handling of upper and lower cases of email addresses. (#7021) fixes #7016
2020-07-03 09:03:13 -04:00
"POST",
b"account/3pid/email/requestToken",
{"client_secret": client_secret, "email": email, "send_attempt": 1},
)
self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
self.assertEqual(expected_errcode, channel.json_body["errcode"])
self.assertEqual(expected_error, channel.json_body["error"])
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
def _validate_token(self, link):
# Remove the host
path = link.replace("https://example.com", "")
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request("GET", path, shorthand=False)
Add options to prevent users from changing their profile. (#7096)
2020-03-27 15:15:23 -04:00
self.assertEquals(200, channel.code, channel.result)
def _get_link_from_email(self):
assert self.email_attempts, "No emails have been sent"
raw_msg = self.email_attempts[-1].decode("UTF-8")
mail = Parser().parsestr(raw_msg)
text = None
for part in mail.walk():
if part.get_content_type() == "text/plain":
text = part.get_payload(decode=True).decode("UTF-8")
break
if not text:
self.fail("Could not find text portion of email to parse")
match = re.search(r"https://example.com\S+", text)
assert match, "Could not find link in email"
return match.group(0)
Fix inconsistent handling of upper and lower cases of email addresses. (#7021) fixes #7016
2020-07-03 09:03:13 -04:00
def _add_email(self, request_email, expected_email):
"""Test adding an email to profile"""
Ratelimit 3PID /requestToken API (#9238)
2021-01-28 12:39:21 -05:00
previous_email_attempts = len(self.email_attempts)
Fix inconsistent handling of upper and lower cases of email addresses. (#7021) fixes #7016
2020-07-03 09:03:13 -04:00
client_secret = "foobar"
session_id = self._request_token(request_email, client_secret)
Ratelimit 3PID /requestToken API (#9238)
2021-01-28 12:39:21 -05:00
self.assertEquals(len(self.email_attempts) - previous_email_attempts, 1)
Fix inconsistent handling of upper and lower cases of email addresses. (#7021) fixes #7016
2020-07-03 09:03:13 -04:00
link = self._get_link_from_email()
self._validate_token(link)
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
Fix inconsistent handling of upper and lower cases of email addresses. (#7021) fixes #7016
2020-07-03 09:03:13 -04:00
"POST",
b"/_matrix/client/unstable/account/3pid/add",
{
"client_secret": client_secret,
"sid": session_id,
"auth": {
"type": "m.login.password",
"user": self.user_id,
"password": "test",
},
},
access_token=self.user_id_tok,
)
self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
# Get user
Remove spurious "SynapseRequest" result from `make_request" This was never used, so let's get rid of it.
2020-12-15 09:44:04 -05:00
channel = self.make_request(
Fix inconsistent handling of upper and lower cases of email addresses. (#7021) fixes #7016
2020-07-03 09:03:13 -04:00
"GET",
self.url_3pid,
access_token=self.user_id_tok,
)
self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
self.assertEqual("email", channel.json_body["threepids"][0]["medium"])
Ratelimit 3PID /requestToken API (#9238)
2021-01-28 12:39:21 -05:00
threepids = {threepid["address"] for threepid in channel.json_body["threepids"]}
self.assertIn(expected_email, threepids)
Reference in New Issue Copy Permalink