mirror of
https://git.anonymousland.org/anonymousland/synapse.git
synced 2025-12-10 12:42:40 -05:00
Add ability for access tokens to belong to one user but grant access to another user. (#8616)
We do it this way round so that only the "owner" can delete the access token (i.e. `/logout/all` by the "owner" also deletes that token, but `/logout/all` by the "target user" doesn't).
A future PR will add an API for creating such a token.
When the target user and authenticated entity are different the `Processed request` log line will be logged with a: `{@admin:server as @bob:server} ...`. I'm not convinced by that format (especially since it adds spaces in there, making it harder to use `cut -d ' '` to chop off the start of log lines). Suggestions welcome.
This commit is contained in:
Erik Johnston
GitHub
parent
22eeb6bc54
commit
f21e24ffc2
22 changed files with 197 additions and 138 deletions
|
|
@ -29,6 +29,7 @@ from synapse.api.errors import (
|
|||
MissingClientTokenError,
|
||||
ResourceLimitError,
|
||||
)
|
||||
from synapse.storage.databases.main.registration import TokenLookupResult
|
||||
from synapse.types import UserID
|
||||
|
||||
from tests import unittest
|
||||
|
|
@ -61,7 +62,9 @@ class AuthTestCase(unittest.TestCase):
|
|||
|
||||
@defer.inlineCallbacks
|
||||
def test_get_user_by_req_user_valid_token(self):
|
||||
user_info = {"name": self.test_user, "token_id": "ditto", "device_id": "device"}
|
||||
user_info = TokenLookupResult(
|
||||
user_id=self.test_user, token_id=5, device_id="device"
|
||||
)
|
||||
self.store.get_user_by_access_token = Mock(
|
||||
return_value=defer.succeed(user_info)
|
||||
)
|
||||
|
|
@ -84,7 +87,7 @@ class AuthTestCase(unittest.TestCase):
|
|||
self.assertEqual(f.errcode, "M_UNKNOWN_TOKEN")
|
||||
|
||||
def test_get_user_by_req_user_missing_token(self):
|
||||
user_info = {"name": self.test_user, "token_id": "ditto"}
|
||||
user_info = TokenLookupResult(user_id=self.test_user, token_id=5)
|
||||
self.store.get_user_by_access_token = Mock(
|
||||
return_value=defer.succeed(user_info)
|
||||
)
|
||||
|
|
@ -221,7 +224,7 @@ class AuthTestCase(unittest.TestCase):
|
|||
def test_get_user_from_macaroon(self):
|
||||
self.store.get_user_by_access_token = Mock(
|
||||
return_value=defer.succeed(
|
||||
{"name": "@baldrick:matrix.org", "device_id": "device"}
|
||||
TokenLookupResult(user_id="@baldrick:matrix.org", device_id="device")
|
||||
)
|
||||
)
|
||||
|
||||
|
|
@ -237,12 +240,11 @@ class AuthTestCase(unittest.TestCase):
|
|||
user_info = yield defer.ensureDeferred(
|
||||
self.auth.get_user_by_access_token(macaroon.serialize())
|
||||
)
|
||||
user = user_info["user"]
|
||||
self.assertEqual(UserID.from_string(user_id), user)
|
||||
self.assertEqual(user_id, user_info.user_id)
|
||||
|
||||
# TODO: device_id should come from the macaroon, but currently comes
|
||||
# from the db.
|
||||
self.assertEqual(user_info["device_id"], "device")
|
||||
self.assertEqual(user_info.device_id, "device")
|
||||
|
||||
@defer.inlineCallbacks
|
||||
def test_get_guest_user_from_macaroon(self):
|
||||
|
|
@ -264,10 +266,8 @@ class AuthTestCase(unittest.TestCase):
|
|||
user_info = yield defer.ensureDeferred(
|
||||
self.auth.get_user_by_access_token(serialized)
|
||||
)
|
||||
user = user_info["user"]
|
||||
is_guest = user_info["is_guest"]
|
||||
self.assertEqual(UserID.from_string(user_id), user)
|
||||
self.assertTrue(is_guest)
|
||||
self.assertEqual(user_id, user_info.user_id)
|
||||
self.assertTrue(user_info.is_guest)
|
||||
self.store.get_user_by_id.assert_called_with(user_id)
|
||||
|
||||
@defer.inlineCallbacks
|
||||
|
|
@ -289,12 +289,9 @@ class AuthTestCase(unittest.TestCase):
|
|||
if token != tok:
|
||||
return defer.succeed(None)
|
||||
return defer.succeed(
|
||||
{
|
||||
"name": USER_ID,
|
||||
"is_guest": False,
|
||||
"token_id": 1234,
|
||||
"device_id": "DEVICE",
|
||||
}
|
||||
TokenLookupResult(
|
||||
user_id=USER_ID, is_guest=False, token_id=1234, device_id="DEVICE",
|
||||
)
|
||||
)
|
||||
|
||||
self.store.get_user_by_access_token = get_user
|
||||
|
|
|
|||
|
|
@ -43,7 +43,7 @@ class TestRatelimiter(unittest.TestCase):
|
|||
|
||||
def test_allowed_appservice_ratelimited_via_can_requester_do_action(self):
|
||||
appservice = ApplicationService(
|
||||
None, "example.com", id="foo", rate_limited=True,
|
||||
None, "example.com", id="foo", rate_limited=True, sender="@as:example.com",
|
||||
)
|
||||
as_requester = create_requester("@user:example.com", app_service=appservice)
|
||||
|
||||
|
|
@ -68,7 +68,7 @@ class TestRatelimiter(unittest.TestCase):
|
|||
|
||||
def test_allowed_appservice_via_can_requester_do_action(self):
|
||||
appservice = ApplicationService(
|
||||
None, "example.com", id="foo", rate_limited=False,
|
||||
None, "example.com", id="foo", rate_limited=False, sender="@as:example.com",
|
||||
)
|
||||
as_requester = create_requester("@user:example.com", app_service=appservice)
|
||||
|
||||
|
|
|
|||
|
|
@ -31,6 +31,7 @@ class ApplicationServiceTestCase(unittest.TestCase):
|
|||
def setUp(self):
|
||||
self.service = ApplicationService(
|
||||
id="unique_identifier",
|
||||
sender="@as:test",
|
||||
url="some_url",
|
||||
token="some_token",
|
||||
hostname="matrix.org", # only used by get_groups_for_user
|
||||
|
|
|
|||
|
|
@ -289,7 +289,7 @@ class DehydrationTestCase(unittest.HomeserverTestCase):
|
|||
# make sure that our device ID has changed
|
||||
user_info = self.get_success(self.auth.get_user_by_access_token(access_token))
|
||||
|
||||
self.assertEqual(user_info["device_id"], retrieved_device_id)
|
||||
self.assertEqual(user_info.device_id, retrieved_device_id)
|
||||
|
||||
# make sure the device has the display name that was set from the login
|
||||
res = self.get_success(self.handler.get_device(user_id, retrieved_device_id))
|
||||
|
|
|
|||
|
|
@ -46,7 +46,7 @@ class EventCreationTestCase(unittest.HomeserverTestCase):
|
|||
self.info = self.get_success(
|
||||
self.hs.get_datastore().get_user_by_access_token(self.access_token,)
|
||||
)
|
||||
self.token_id = self.info["token_id"]
|
||||
self.token_id = self.info.token_id
|
||||
|
||||
self.requester = create_requester(self.user_id, access_token_id=self.token_id)
|
||||
|
||||
|
|
|
|||
|
|
@ -100,7 +100,7 @@ class EmailPusherTests(HomeserverTestCase):
|
|||
user_tuple = self.get_success(
|
||||
self.hs.get_datastore().get_user_by_access_token(self.access_token)
|
||||
)
|
||||
token_id = user_tuple["token_id"]
|
||||
token_id = user_tuple.token_id
|
||||
|
||||
self.pusher = self.get_success(
|
||||
self.hs.get_pusherpool().add_pusher(
|
||||
|
|
|
|||
|
|
@ -69,7 +69,7 @@ class HTTPPusherTests(HomeserverTestCase):
|
|||
user_tuple = self.get_success(
|
||||
self.hs.get_datastore().get_user_by_access_token(access_token)
|
||||
)
|
||||
token_id = user_tuple["token_id"]
|
||||
token_id = user_tuple.token_id
|
||||
|
||||
self.get_success(
|
||||
self.hs.get_pusherpool().add_pusher(
|
||||
|
|
@ -181,7 +181,7 @@ class HTTPPusherTests(HomeserverTestCase):
|
|||
user_tuple = self.get_success(
|
||||
self.hs.get_datastore().get_user_by_access_token(access_token)
|
||||
)
|
||||
token_id = user_tuple["token_id"]
|
||||
token_id = user_tuple.token_id
|
||||
|
||||
self.get_success(
|
||||
self.hs.get_pusherpool().add_pusher(
|
||||
|
|
@ -297,7 +297,7 @@ class HTTPPusherTests(HomeserverTestCase):
|
|||
user_tuple = self.get_success(
|
||||
self.hs.get_datastore().get_user_by_access_token(access_token)
|
||||
)
|
||||
token_id = user_tuple["token_id"]
|
||||
token_id = user_tuple.token_id
|
||||
|
||||
self.get_success(
|
||||
self.hs.get_pusherpool().add_pusher(
|
||||
|
|
@ -379,7 +379,7 @@ class HTTPPusherTests(HomeserverTestCase):
|
|||
user_tuple = self.get_success(
|
||||
self.hs.get_datastore().get_user_by_access_token(access_token)
|
||||
)
|
||||
token_id = user_tuple["token_id"]
|
||||
token_id = user_tuple.token_id
|
||||
|
||||
self.get_success(
|
||||
self.hs.get_pusherpool().add_pusher(
|
||||
|
|
@ -452,7 +452,7 @@ class HTTPPusherTests(HomeserverTestCase):
|
|||
user_tuple = self.get_success(
|
||||
self.hs.get_datastore().get_user_by_access_token(access_token)
|
||||
)
|
||||
token_id = user_tuple["token_id"]
|
||||
token_id = user_tuple.token_id
|
||||
|
||||
self.get_success(
|
||||
self.hs.get_pusherpool().add_pusher(
|
||||
|
|
|
|||
|
|
@ -55,7 +55,7 @@ class PusherShardTestCase(BaseMultiWorkerStreamTestCase):
|
|||
user_dict = self.get_success(
|
||||
self.hs.get_datastore().get_user_by_access_token(access_token)
|
||||
)
|
||||
token_id = user_dict["token_id"]
|
||||
token_id = user_dict.token_id
|
||||
|
||||
self.get_success(
|
||||
self.hs.get_pusherpool().add_pusher(
|
||||
|
|
|
|||
|
|
@ -55,6 +55,7 @@ class RegisterRestServletTestCase(unittest.HomeserverTestCase):
|
|||
self.hs.config.server_name,
|
||||
id="1234",
|
||||
namespaces={"users": [{"regex": r"@as_user.*", "exclusive": True}]},
|
||||
sender="@as:test",
|
||||
)
|
||||
|
||||
self.hs.get_datastore().services_cache.append(appservice)
|
||||
|
|
|
|||
|
|
@ -69,11 +69,9 @@ class RegistrationStoreTestCase(unittest.TestCase):
|
|||
self.store.get_user_by_access_token(self.tokens[1])
|
||||
)
|
||||
|
||||
self.assertDictContainsSubset(
|
||||
{"name": self.user_id, "device_id": self.device_id}, result
|
||||
)
|
||||
|
||||
self.assertTrue("token_id" in result)
|
||||
self.assertEqual(result.user_id, self.user_id)
|
||||
self.assertEqual(result.device_id, self.device_id)
|
||||
self.assertIsNotNone(result.token_id)
|
||||
|
||||
@defer.inlineCallbacks
|
||||
def test_user_delete_access_tokens(self):
|
||||
|
|
@ -105,7 +103,7 @@ class RegistrationStoreTestCase(unittest.TestCase):
|
|||
user = yield defer.ensureDeferred(
|
||||
self.store.get_user_by_access_token(self.tokens[0])
|
||||
)
|
||||
self.assertEqual(self.user_id, user["name"])
|
||||
self.assertEqual(self.user_id, user.user_id)
|
||||
|
||||
# now delete the rest
|
||||
yield defer.ensureDeferred(self.store.user_delete_access_tokens(self.user_id))
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue