Support configuring the lifetime of non-refreshable access tokens separately to refreshable access tokens. (#11445)

This commit is contained in:
reivilibre 2021-12-03 16:42:44 +00:00 committed by GitHub
parent e5f426cd54
commit 637df95de6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 221 additions and 3 deletions

View File

@ -0,0 +1 @@
Support configuring the lifetime of non-refreshable access tokens separately to refreshable access tokens.

View File

@ -130,11 +130,60 @@ class RegistrationConfig(Config):
int int
] = refreshable_access_token_lifetime ] = refreshable_access_token_lifetime
if (
self.session_lifetime is not None
and "refreshable_access_token_lifetime" in config
):
if self.session_lifetime < self.refreshable_access_token_lifetime:
raise ConfigError(
"Both `session_lifetime` and `refreshable_access_token_lifetime` "
"configuration options have been set, but `refreshable_access_token_lifetime` "
" exceeds `session_lifetime`!"
)
# The `nonrefreshable_access_token_lifetime` applies for tokens that can NOT be
# refreshed using a refresh token.
# If it is None, then these tokens last for the entire length of the session,
# which is infinite by default.
# The intention behind this configuration option is to help with requiring
# all clients to use refresh tokens, if the homeserver administrator requires.
nonrefreshable_access_token_lifetime = config.get(
"nonrefreshable_access_token_lifetime",
None,
)
if nonrefreshable_access_token_lifetime is not None:
nonrefreshable_access_token_lifetime = self.parse_duration(
nonrefreshable_access_token_lifetime
)
self.nonrefreshable_access_token_lifetime = nonrefreshable_access_token_lifetime
if (
self.session_lifetime is not None
and self.nonrefreshable_access_token_lifetime is not None
):
if self.session_lifetime < self.nonrefreshable_access_token_lifetime:
raise ConfigError(
"Both `session_lifetime` and `nonrefreshable_access_token_lifetime` "
"configuration options have been set, but `nonrefreshable_access_token_lifetime` "
" exceeds `session_lifetime`!"
)
refresh_token_lifetime = config.get("refresh_token_lifetime") refresh_token_lifetime = config.get("refresh_token_lifetime")
if refresh_token_lifetime is not None: if refresh_token_lifetime is not None:
refresh_token_lifetime = self.parse_duration(refresh_token_lifetime) refresh_token_lifetime = self.parse_duration(refresh_token_lifetime)
self.refresh_token_lifetime: Optional[int] = refresh_token_lifetime self.refresh_token_lifetime: Optional[int] = refresh_token_lifetime
if (
self.session_lifetime is not None
and self.refresh_token_lifetime is not None
):
if self.session_lifetime < self.refresh_token_lifetime:
raise ConfigError(
"Both `session_lifetime` and `refresh_token_lifetime` "
"configuration options have been set, but `refresh_token_lifetime` "
" exceeds `session_lifetime`!"
)
# The fallback template used for authenticating using a registration token # The fallback template used for authenticating using a registration token
self.registration_token_template = self.read_template("registration_token.html") self.registration_token_template = self.read_template("registration_token.html")

View File

@ -1,4 +1,5 @@
# Copyright 2014 - 2016 OpenMarket Ltd # Copyright 2014 - 2016 OpenMarket Ltd
# Copyright 2021 The Matrix.org Foundation C.I.C.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
@ -116,6 +117,9 @@ class RegistrationHandler:
self.pusher_pool = hs.get_pusherpool() self.pusher_pool = hs.get_pusherpool()
self.session_lifetime = hs.config.registration.session_lifetime self.session_lifetime = hs.config.registration.session_lifetime
self.nonrefreshable_access_token_lifetime = (
hs.config.registration.nonrefreshable_access_token_lifetime
)
self.refreshable_access_token_lifetime = ( self.refreshable_access_token_lifetime = (
hs.config.registration.refreshable_access_token_lifetime hs.config.registration.refreshable_access_token_lifetime
) )
@ -794,13 +798,25 @@ class RegistrationHandler:
class and RegisterDeviceReplicationServlet. class and RegisterDeviceReplicationServlet.
""" """
assert not self.hs.config.worker.worker_app assert not self.hs.config.worker.worker_app
now_ms = self.clock.time_msec()
access_token_expiry = None access_token_expiry = None
if self.session_lifetime is not None: if self.session_lifetime is not None:
if is_guest: if is_guest:
raise Exception( raise Exception(
"session_lifetime is not currently implemented for guest access" "session_lifetime is not currently implemented for guest access"
) )
access_token_expiry = self.clock.time_msec() + self.session_lifetime access_token_expiry = now_ms + self.session_lifetime
if self.nonrefreshable_access_token_lifetime is not None:
if access_token_expiry is not None:
# Don't allow the non-refreshable access token to outlive the
# session.
access_token_expiry = min(
now_ms + self.nonrefreshable_access_token_lifetime,
access_token_expiry,
)
else:
access_token_expiry = now_ms + self.nonrefreshable_access_token_lifetime
refresh_token = None refresh_token = None
refresh_token_id = None refresh_token_id = None
@ -818,8 +834,6 @@ class RegistrationHandler:
# that this value is set before setting this flag). # that this value is set before setting this flag).
assert self.refreshable_access_token_lifetime is not None assert self.refreshable_access_token_lifetime is not None
now_ms = self.clock.time_msec()
# Set the expiry time of the refreshable access token # Set the expiry time of the refreshable access token
access_token_expiry = now_ms + self.refreshable_access_token_lifetime access_token_expiry = now_ms + self.refreshable_access_token_lifetime

View File

@ -0,0 +1,78 @@
# Copyright 2021 The Matrix.org Foundation C.I.C.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from synapse.config import ConfigError
from synapse.config.homeserver import HomeServerConfig
from tests.unittest import TestCase
from tests.utils import default_config
class RegistrationConfigTestCase(TestCase):
def test_session_lifetime_must_not_be_exceeded_by_smaller_lifetimes(self):
"""
session_lifetime should logically be larger than, or at least as large as,
all the different token lifetimes.
Test that the user is faced with configuration errors if they make it
smaller, as that configuration doesn't make sense.
"""
config_dict = default_config("test")
# First test all the error conditions
with self.assertRaises(ConfigError):
HomeServerConfig().parse_config_dict(
{
"session_lifetime": "30m",
"nonrefreshable_access_token_lifetime": "31m",
**config_dict,
}
)
with self.assertRaises(ConfigError):
HomeServerConfig().parse_config_dict(
{
"session_lifetime": "30m",
"refreshable_access_token_lifetime": "31m",
**config_dict,
}
)
with self.assertRaises(ConfigError):
HomeServerConfig().parse_config_dict(
{
"session_lifetime": "30m",
"refresh_token_lifetime": "31m",
**config_dict,
}
)
# Then test all the fine conditions
HomeServerConfig().parse_config_dict(
{
"session_lifetime": "31m",
"nonrefreshable_access_token_lifetime": "31m",
**config_dict,
}
)
HomeServerConfig().parse_config_dict(
{
"session_lifetime": "31m",
"refreshable_access_token_lifetime": "31m",
**config_dict,
}
)
HomeServerConfig().parse_config_dict(
{"session_lifetime": "31m", "refresh_token_lifetime": "31m", **config_dict}
)

View File

@ -524,6 +524,19 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
{"refresh_token": refresh_token}, {"refresh_token": refresh_token},
) )
def is_access_token_valid(self, access_token) -> bool:
"""
Checks whether an access token is valid, returning whether it is or not.
"""
code = self.make_request(
"GET", "/_matrix/client/v3/account/whoami", access_token=access_token
).code
# Either 200 or 401 is what we get back; anything else is a bug.
assert code in {HTTPStatus.OK, HTTPStatus.UNAUTHORIZED}
return code == HTTPStatus.OK
def test_login_issue_refresh_token(self): def test_login_issue_refresh_token(self):
""" """
A login response should include a refresh_token only if asked. A login response should include a refresh_token only if asked.
@ -671,6 +684,69 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
HTTPStatus.UNAUTHORIZED, HTTPStatus.UNAUTHORIZED,
) )
@override_config(
{
"refreshable_access_token_lifetime": "1m",
"nonrefreshable_access_token_lifetime": "10m",
}
)
def test_different_expiry_for_refreshable_and_nonrefreshable_access_tokens(self):
"""
Tests that the expiry times for refreshable and non-refreshable access
tokens can be different.
"""
body = {
"type": "m.login.password",
"user": "test",
"password": self.user_pass,
}
login_response1 = self.make_request(
"POST",
"/_matrix/client/r0/login",
{"org.matrix.msc2918.refresh_token": True, **body},
)
self.assertEqual(login_response1.code, 200, login_response1.result)
self.assertApproximates(
login_response1.json_body["expires_in_ms"], 60 * 1000, 100
)
refreshable_access_token = login_response1.json_body["access_token"]
login_response2 = self.make_request(
"POST",
"/_matrix/client/r0/login",
body,
)
self.assertEqual(login_response2.code, 200, login_response2.result)
nonrefreshable_access_token = login_response2.json_body["access_token"]
# Advance 59 seconds in the future (just shy of 1 minute, the time of expiry)
self.reactor.advance(59.0)
# Both tokens should still be valid.
self.assertTrue(self.is_access_token_valid(refreshable_access_token))
self.assertTrue(self.is_access_token_valid(nonrefreshable_access_token))
# Advance to 61 s (just past 1 minute, the time of expiry)
self.reactor.advance(2.0)
# Only the non-refreshable token is still valid.
self.assertFalse(self.is_access_token_valid(refreshable_access_token))
self.assertTrue(self.is_access_token_valid(nonrefreshable_access_token))
# Advance to 599 s (just shy of 10 minutes, the time of expiry)
self.reactor.advance(599.0 - 61.0)
# It's still the case that only the non-refreshable token is still valid.
self.assertFalse(self.is_access_token_valid(refreshable_access_token))
self.assertTrue(self.is_access_token_valid(nonrefreshable_access_token))
# Advance to 601 s (just past 10 minutes, the time of expiry)
self.reactor.advance(2.0)
# Now neither token is valid.
self.assertFalse(self.is_access_token_valid(refreshable_access_token))
self.assertFalse(self.is_access_token_valid(nonrefreshable_access_token))
@override_config( @override_config(
{"refreshable_access_token_lifetime": "1m", "refresh_token_lifetime": "2m"} {"refreshable_access_token_lifetime": "1m", "refresh_token_lifetime": "2m"}
) )