Matrix-Mirrors/anonymousland-synapse
1
0
Fork 0
mirror of https://git.anonymousland.org/anonymousland/synapse.git synced 2025-05-08 00:15:10 -04:00
Code Issues Projects Releases Packages Wiki Activity

Save the OIDC session ID (sid) with the device on login (#11482)

Browse source 
As a step towards allowing back-channel logout for OIDC.
This commit is contained in:
Quentin Gliech 2021-12-06 18:43:06 +01:00 committed by GitHub
parent 8b4b153c9e
commit a15a893df8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
15 changed files with 370 additions and 65 deletions
Download patch file Download diff file Expand all files Collapse all files

135
tests/handlers/test_oidc.py
View file

@ -252,13 +252,6 @@ class OidcHandlerTestCase(HomeserverTestCase):
with patch.object(self.provider, "load_metadata", patched_load_metadata):
self.get_failure(self.provider.load_jwks(force=True), RuntimeError)
# Return empty key set if JWKS are not used
self.provider._scopes = [] # not asking the openid scope
self.http_client.get_json.reset_mock()
jwks = self.get_success(self.provider.load_jwks(force=True))
self.http_client.get_json.assert_not_called()
self.assertEqual(jwks, {"keys": []})
@override_config({"oidc_config": DEFAULT_CONFIG})
def test_validate_config(self):
"""Provider metadatas are extensively validated."""
@ -455,7 +448,13 @@ class OidcHandlerTestCase(HomeserverTestCase):
self.get_success(self.handler.handle_oidc_callback(request))
auth_handler.complete_sso_login.assert_called_once_with(
expected_user_id, "oidc", request, client_redirect_url, None, new_user=True
expected_user_id,
"oidc",
request,
client_redirect_url,
None,
new_user=True,
auth_provider_session_id=None,
)
self.provider._exchange_code.assert_called_once_with(code)
self.provider._parse_id_token.assert_called_once_with(token, nonce=nonce)
@ -482,17 +481,58 @@ class OidcHandlerTestCase(HomeserverTestCase):
self.provider._fetch_userinfo.reset_mock()
# With userinfo fetching
self.provider._scopes = [] # do not ask the "openid" scope
self.provider._user_profile_method = "userinfo_endpoint"
token = {
"type": "bearer",
"access_token": "access_token",
}
self.provider._exchange_code = simple_async_mock(return_value=token)
self.get_success(self.handler.handle_oidc_callback(request))
auth_handler.complete_sso_login.assert_called_once_with(
expected_user_id, "oidc", request, client_redirect_url, None, new_user=False
expected_user_id,
"oidc",
request,
client_redirect_url,
None,
new_user=False,
auth_provider_session_id=None,
)
self.provider._exchange_code.assert_called_once_with(code)
self.provider._parse_id_token.assert_not_called()
self.provider._fetch_userinfo.assert_called_once_with(token)
self.render_error.assert_not_called()
# With an ID token, userinfo fetching and sid in the ID token
self.provider._user_profile_method = "userinfo_endpoint"
token = {
"type": "bearer",
"access_token": "access_token",
"id_token": "id_token",
}
id_token = {
"sid": "abcdefgh",
}
self.provider._parse_id_token = simple_async_mock(return_value=id_token)
self.provider._exchange_code = simple_async_mock(return_value=token)
auth_handler.complete_sso_login.reset_mock()
self.provider._fetch_userinfo.reset_mock()
self.get_success(self.handler.handle_oidc_callback(request))
auth_handler.complete_sso_login.assert_called_once_with(
expected_user_id,
"oidc",
request,
client_redirect_url,
None,
new_user=False,
auth_provider_session_id=id_token["sid"],
)
self.provider._exchange_code.assert_called_once_with(code)
self.provider._parse_id_token.assert_called_once_with(token, nonce=nonce)
self.provider._fetch_userinfo.assert_called_once_with(token)
self.render_error.assert_not_called()
# Handle userinfo fetching error
self.provider._fetch_userinfo = simple_async_mock(raises=Exception())
self.get_success(self.handler.handle_oidc_callback(request))
@ -776,6 +816,7 @@ class OidcHandlerTestCase(HomeserverTestCase):
client_redirect_url,
{"phone": "1234567"},
new_user=True,
auth_provider_session_id=None,
)
@override_config({"oidc_config": DEFAULT_CONFIG})
@ -790,7 +831,13 @@ class OidcHandlerTestCase(HomeserverTestCase):
}
self.get_success(_make_callback_with_userinfo(self.hs, userinfo))
auth_handler.complete_sso_login.assert_called_once_with(
"@test_user:test", "oidc", ANY, ANY, None, new_user=True
"@test_user:test",
"oidc",
ANY,
ANY,
None,
new_user=True,
auth_provider_session_id=None,
)
auth_handler.complete_sso_login.reset_mock()
@ -801,7 +848,13 @@ class OidcHandlerTestCase(HomeserverTestCase):
}
self.get_success(_make_callback_with_userinfo(self.hs, userinfo))
auth_handler.complete_sso_login.assert_called_once_with(
"@test_user_2:test", "oidc", ANY, ANY, None, new_user=True
"@test_user_2:test",
"oidc",
ANY,
ANY,
None,
new_user=True,
auth_provider_session_id=None,
)
auth_handler.complete_sso_login.reset_mock()
@ -838,14 +891,26 @@ class OidcHandlerTestCase(HomeserverTestCase):
}
self.get_success(_make_callback_with_userinfo(self.hs, userinfo))
auth_handler.complete_sso_login.assert_called_once_with(
user.to_string(), "oidc", ANY, ANY, None, new_user=False
user.to_string(),
"oidc",
ANY,
ANY,
None,
new_user=False,
auth_provider_session_id=None,
)
auth_handler.complete_sso_login.reset_mock()
# Subsequent calls should map to the same mxid.
self.get_success(_make_callback_with_userinfo(self.hs, userinfo))
auth_handler.complete_sso_login.assert_called_once_with(
user.to_string(), "oidc", ANY, ANY, None, new_user=False
user.to_string(),
"oidc",
ANY,
ANY,
None,
new_user=False,
auth_provider_session_id=None,
)
auth_handler.complete_sso_login.reset_mock()
@ -860,7 +925,13 @@ class OidcHandlerTestCase(HomeserverTestCase):
}
self.get_success(_make_callback_with_userinfo(self.hs, userinfo))
auth_handler.complete_sso_login.assert_called_once_with(
user.to_string(), "oidc", ANY, ANY, None, new_user=False
user.to_string(),
"oidc",
ANY,
ANY,
None,
new_user=False,
auth_provider_session_id=None,
)
auth_handler.complete_sso_login.reset_mock()
@ -896,7 +967,13 @@ class OidcHandlerTestCase(HomeserverTestCase):
self.get_success(_make_callback_with_userinfo(self.hs, userinfo))
auth_handler.complete_sso_login.assert_called_once_with(
"@TEST_USER_2:test", "oidc", ANY, ANY, None, new_user=False
"@TEST_USER_2:test",
"oidc",
ANY,
ANY,
None,
new_user=False,
auth_provider_session_id=None,
)
@override_config({"oidc_config": DEFAULT_CONFIG})
@ -934,7 +1011,13 @@ class OidcHandlerTestCase(HomeserverTestCase):
# test_user is already taken, so test_user1 gets registered instead.
auth_handler.complete_sso_login.assert_called_once_with(
"@test_user1:test", "oidc", ANY, ANY, None, new_user=True
"@test_user1:test",
"oidc",
ANY,
ANY,
None,
new_user=True,
auth_provider_session_id=None,
)
auth_handler.complete_sso_login.reset_mock()
@ -1018,7 +1101,13 @@ class OidcHandlerTestCase(HomeserverTestCase):
# check that the auth handler got called as expected
auth_handler.complete_sso_login.assert_called_once_with(
"@tester:test", "oidc", ANY, ANY, None, new_user=True
"@tester:test",
"oidc",
ANY,
ANY,
None,
new_user=True,
auth_provider_session_id=None,
)
@override_config(
@ -1043,7 +1132,13 @@ class OidcHandlerTestCase(HomeserverTestCase):
# check that the auth handler got called as expected
auth_handler.complete_sso_login.assert_called_once_with(
"@tester:test", "oidc", ANY, ANY, None, new_user=True
"@tester:test",
"oidc",
ANY,
ANY,
None,
new_user=True,
auth_provider_session_id=None,
)
@override_config(
@ -1156,7 +1251,7 @@ async def _make_callback_with_userinfo(
handler = hs.get_oidc_handler()
provider = handler._providers["oidc"]
provider._exchange_code = simple_async_mock(return_value={})
provider._exchange_code = simple_async_mock(return_value={"id_token": ""})
provider._parse_id_token = simple_async_mock(return_value=userinfo)
provider._fetch_userinfo = simple_async_mock(return_value=userinfo)