Fix AuthBlocking check when requester is appservice (#10881)

If the MAU count had been reached, Synapse incorrectly blocked appservice users even though they've been explicitly configured not to be tracked (the default). This was due to bypassing the relevant if as it was chained behind another earlier hit if as an elif.

Signed-off-by: Jason Robinson <jasonr@matrix.org>
This commit is contained in:
Jason Robinson 2021-09-24 12:41:18 +03:00 committed by GitHub
parent 7f3352743e
commit fa74536384
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 64 additions and 1 deletions

1
changelog.d/10881.bugfix Normal file
View File

@ -0,0 +1 @@
Fix application service users being subject to MAU blocking if MAU had been reached, even if configured not to be blocked.

View File

@ -81,7 +81,7 @@ class AuthBlocking:
# We never block the server from doing actions on behalf of # We never block the server from doing actions on behalf of
# users. # users.
return return
elif requester.app_service and not self._track_appservice_user_ips: if requester.app_service and not self._track_appservice_user_ips:
# If we're authenticated as an appservice then we only block # If we're authenticated as an appservice then we only block
# auth if `track_appservice_user_ips` is set, as that option # auth if `track_appservice_user_ips` is set, as that option
# implicitly means that application services are part of MAU # implicitly means that application services are part of MAU

View File

@ -25,7 +25,9 @@ from synapse.api.errors import (
MissingClientTokenError, MissingClientTokenError,
ResourceLimitError, ResourceLimitError,
) )
from synapse.appservice import ApplicationService
from synapse.storage.databases.main.registration import TokenLookupResult from synapse.storage.databases.main.registration import TokenLookupResult
from synapse.types import Requester
from tests import unittest from tests import unittest
from tests.test_utils import simple_async_mock from tests.test_utils import simple_async_mock
@ -290,6 +292,66 @@ class AuthTestCase(unittest.HomeserverTestCase):
# Real users not allowed # Real users not allowed
self.get_failure(self.auth.check_auth_blocking(), ResourceLimitError) self.get_failure(self.auth.check_auth_blocking(), ResourceLimitError)
def test_blocking_mau__appservice_requester_allowed_when_not_tracking_ips(self):
self.auth_blocking._max_mau_value = 50
self.auth_blocking._limit_usage_by_mau = True
self.auth_blocking._track_appservice_user_ips = False
self.store.get_monthly_active_count = simple_async_mock(100)
self.store.user_last_seen_monthly_active = simple_async_mock()
self.store.is_trial_user = simple_async_mock()
appservice = ApplicationService(
"abcd",
self.hs.config.server_name,
id="1234",
namespaces={
"users": [{"regex": "@_appservice.*:sender", "exclusive": True}]
},
sender="@appservice:sender",
)
requester = Requester(
user="@appservice:server",
access_token_id=None,
device_id="FOOBAR",
is_guest=False,
shadow_banned=False,
app_service=appservice,
authenticated_entity="@appservice:server",
)
self.get_success(self.auth.check_auth_blocking(requester=requester))
def test_blocking_mau__appservice_requester_disallowed_when_tracking_ips(self):
self.auth_blocking._max_mau_value = 50
self.auth_blocking._limit_usage_by_mau = True
self.auth_blocking._track_appservice_user_ips = True
self.store.get_monthly_active_count = simple_async_mock(100)
self.store.user_last_seen_monthly_active = simple_async_mock()
self.store.is_trial_user = simple_async_mock()
appservice = ApplicationService(
"abcd",
self.hs.config.server_name,
id="1234",
namespaces={
"users": [{"regex": "@_appservice.*:sender", "exclusive": True}]
},
sender="@appservice:sender",
)
requester = Requester(
user="@appservice:server",
access_token_id=None,
device_id="FOOBAR",
is_guest=False,
shadow_banned=False,
app_service=appservice,
authenticated_entity="@appservice:server",
)
self.get_failure(
self.auth.check_auth_blocking(requester=requester), ResourceLimitError
)
def test_reserved_threepid(self): def test_reserved_threepid(self):
self.auth_blocking._limit_usage_by_mau = True self.auth_blocking._limit_usage_by_mau = True
self.auth_blocking._max_mau_value = 1 self.auth_blocking._max_mau_value = 1