From 3e10eefc7330fe122eac1d1ab232192fdf577a5a Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 10 Jun 2016 10:57:07 +0100 Subject: tox Gbp-Pq: Name 0001-tox.patch --- tox.ini | 1 + 1 file changed, 1 insertion(+) diff --git a/tox.ini b/tox.ini index 085f4389..470737f0 100644 --- a/tox.ini +++ b/tox.ini @@ -1,5 +1,6 @@ [tox] envlist = packaging, py27, py36, pep8, check_isort +sitepackages = True [base] deps = -- cgit v1.2.3 From 52bd660f9b1c76be1876be6a062a5d8404cdc065 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 10 Jun 2016 10:57:07 +0100 Subject: change_instructions Gbp-Pq: Name 0002-change_instructions.patch --- synapse/config/_base.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/synapse/config/_base.py b/synapse/config/_base.py index 3d2e90dd..2d103487 100644 --- a/synapse/config/_base.py +++ b/synapse/config/_base.py @@ -32,6 +32,11 @@ class ConfigError(Exception): MISSING_REPORT_STATS_CONFIG_INSTRUCTIONS = """\ Please opt in or out of reporting anonymized homeserver usage statistics, by setting the `report_stats` key in your config file to either True or False. + +To set it run: + + dpkg-reconfigure matrix-synapse + """ MISSING_REPORT_STATS_SPIEL = """\ @@ -46,6 +51,11 @@ Thank you. MISSING_SERVER_NAME = """\ Missing mandatory `server_name` config option. + +To set it run: + + dpkg-reconfigure matrix-synapse + """ -- cgit v1.2.3 From ed868fa6c67a003f64b985e6d43d0158480823e7 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 10 Jun 2016 10:57:07 +0100 Subject: webclient-instructions Gbp-Pq: Name 0004-webclient-instructions.patch --- synapse/app/homeserver.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/synapse/app/homeserver.py b/synapse/app/homeserver.py index 3eb5b663..22c0f81c 100755 --- a/synapse/app/homeserver.py +++ b/synapse/app/homeserver.py 
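Review bot: `sitepackages = True` is added with no comment explaining it, and it changes what the tox environments prove: every system-installed module becomes visible, so a green run no longer shows that `deps` is sufficient and results now depend on the host. This is presumably wanted for the Debian build (the `Gbp-Pq` header suggests so), but tox.ini should record it, e.g. `# Debian build: run the suite against the system-installed python modules, not an isolated venv`.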
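Review bot: the added instruction `dpkg-reconfigure matrix-synapse` needs root, but unlike the `sudo apt install ...` hints that 0006-Avoid-pip-install.patch adds later in this series it does not say so; make the two consistent, e.g. `    sudo dpkg-reconfigure matrix-synapse`. The same text is added to both `MISSING_REPORT_STATS_CONFIG_INSTRUCTIONS` and `MISSING_SERVER_NAME` here, and again in each later copy of 0002-change_instructions.patch on this page; the fix applies to all of them.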
@@ -91,12 +91,11 @@ def build_resource_for_web_client(hs): "Please either install the matrix-angular-sdk or configure\n" "the location of the source to serve via the configuration\n" "option `web_client_location`\n\n" - "To install the `matrix-angular-sdk` via pip, run:\n\n" - " pip install '%(dep)s'\n" + "To install the `matrix-angular-sdk` via apt, run:\n\n" + " apt install matrix-synapse-angular-client\n" "\n" "You can also disable hosting of the webclient via the\n" "configuration option `web_client`\n" - % {"dep": CONDITIONAL_REQUIREMENTS["web_client"].keys()[0]} ) syweb_path = os.path.dirname(syweb.__file__) webclient_path = os.path.join(syweb_path, "webclient") -- cgit v1.2.3 From 83c01fd45b36d8a313e42883e66f9756a82351b8 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 10 Jun 2016 13:24:51 +0100 Subject: Honour config.web_client Gbp-Pq: Name 0005-Honour-config.web_client.patch --- synapse/app/homeserver.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/synapse/app/homeserver.py b/synapse/app/homeserver.py index 22c0f81c..9ae215d6 100755 --- a/synapse/app/homeserver.py +++ b/synapse/app/homeserver.py @@ -125,7 +125,7 @@ class SynapseHomeServer(HomeServer): for res in listener_config["resources"]: for name in res["names"]: resources.update(self._configure_named_resource( - name, res.get("compress", False), + config, name, res.get("compress", False), )) additional_resources = listener_config.get("additional_resources", {}) @@ -172,7 +172,7 @@ class SynapseHomeServer(HomeServer): ) logger.info("Synapse now listening on port %d", port) - def _configure_named_resource(self, name, compress=False): + def _configure_named_resource(self, config, name, compress=False): """Build a resource map for a named resource Args: 
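Review bot: removing the `% {"dep": CONDITIONAL_REQUIREMENTS["web_client"].keys()[0]}` line leaves `CONDITIONAL_REQUIREMENTS` unreferenced in `build_resource_for_web_client`; if this was its only use in homeserver.py (the import block is outside the hunk, so I cannot confirm), the now-dead import should go in the same patch so the linter stays clean. `build_resource_for_web_client` begins before the hunk and continues after it. The identical hunk recurs in the later copy of 0004-webclient-instructions.patch on this page.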
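Review bot: `_configure_named_resource` gains a `config` parameter whose `Args:` entry is not added (the docstring is cut off at the end of the hunk, so the omission can only be presumed), and the parameter does not look necessary: the class already reads its config as `self.get_config()`, which is exactly what the `enable_metrics` check right below the new `web_client` check in the following hunk does. Dropping the new parameter and writing `if name == "webclient" and self.get_config().web_client:` keeps the signature and the caller in the `@@ -125` hunk unchanged; if the parameter stays, give it an Args entry reading `config: the homeserver config object; only its web_client flag is read here`. The method body continues past the hunk, and the same three hunks recur in the later copy of 0005-Honour-config.web_client.patch on this page.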
@@ -239,7 +239,7 @@ class SynapseHomeServer(HomeServer): SERVER_KEY_V2_PREFIX: KeyApiV2Resource(self), }) - if name == "webclient": + if name == "webclient" and config.web_client: resources[WEB_CLIENT_PREFIX] = build_resource_for_web_client(self) if name == "metrics" and self.get_config().enable_metrics: -- cgit v1.2.3 From e8db61f07fdfcdd224328e5fbcdf31c2b657da3a Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Fri, 7 Sep 2018 13:57:56 +0100 Subject: Avoid telling people to install packages with pip Origin: upstream Bug: https://github.com/matrix-org/synapse/issues/3743 Gbp-Pq: Name 0006-Avoid-pip-install.patch --- synapse/app/__init__.py | 4 ++-- synapse/config/jwt.py | 2 +- synapse/config/repository.py | 4 +--- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/synapse/app/__init__.py b/synapse/app/__init__.py index 3b6b9368..98a6f954 100644 --- a/synapse/app/__init__.py +++ b/synapse/app/__init__.py @@ -25,8 +25,8 @@ try: except python_dependencies.MissingRequirementError as e: message = "\n".join([ "Missing Requirement: %s" % (e.message,), - "To install run:", - " pip install --upgrade --force \"%s\"" % (e.dependency,), + "To install, try:", + " sudo apt install python-%s" % (e.dependency,), "", ]) sys.stderr.writelines(message) diff --git a/synapse/config/jwt.py b/synapse/config/jwt.py index 51e7f7e0..6d3ee06b 100644 --- a/synapse/config/jwt.py +++ b/synapse/config/jwt.py @@ -19,7 +19,7 @@ MISSING_JWT = ( """Missing jwt library. This is required for jwt login. Install by running: - pip install pyjwt + sudo apt install python-jwt """ ) diff --git a/synapse/config/repository.py b/synapse/config/repository.py index fc909c1f..a704eeb2 100644 --- a/synapse/config/repository.py +++ b/synapse/config/repository.py @@ -27,9 +27,7 @@ MISSING_LXML = ( """Missing lxml library. This is required for URL preview API. Install by running: - pip install lxml - - Requires libxslt1-dev system package. + sudo apt install python-lxml """ ) -- cgit v1.2.3 
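Review bot: `" sudo apt install python-%s" % (e.dependency,)` derives a Debian package name from the pip requirement, and the two namespaces do not match — this very patch has to map `pyjwt` to `python-jwt` by hand in jwt.py, and the removed line shell-quoted `e.dependency`, which suggests it can carry a version specifier (how `MissingRequirementError.dependency` is built is not visible here). The hint can therefore name a package that does not exist. Safer to present it as a guess rather than a command, e.g. `" sudo apt install python-%s   (the Debian package name may differ)" % (e.dependency,)`, or to keep the original requirement string in the message so the operator can look it up. The jwt.py and repository.py hunks use literal names and are fine; the python3- variants of this patch later on the page have the same issue.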
From b0396f941d84616ec292ee999fe92b3d250144a5 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 10 Jun 2016 10:57:07 +0100 Subject: change_instructions Gbp-Pq: Name 0002-change_instructions.patch --- synapse/config/_base.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/synapse/config/_base.py b/synapse/config/_base.py index 14dae65e..2ab55da3 100644 --- a/synapse/config/_base.py +++ b/synapse/config/_base.py @@ -32,6 +32,11 @@ class ConfigError(Exception): MISSING_REPORT_STATS_CONFIG_INSTRUCTIONS = """\ Please opt in or out of reporting anonymized homeserver usage statistics, by setting the `report_stats` key in your config file to either True or False. + +To set it run: + + dpkg-reconfigure matrix-synapse + """ MISSING_REPORT_STATS_SPIEL = """\ @@ -46,6 +51,11 @@ Thank you. MISSING_SERVER_NAME = """\ Missing mandatory `server_name` config option. + +To set it run: + + dpkg-reconfigure matrix-synapse + """ -- cgit v1.2.3 From bf0f9efdd433067daad98892d42d501a8bc7cd34 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 10 Jun 2016 10:57:07 +0100 Subject: webclient-instructions Gbp-Pq: Name 0004-webclient-instructions.patch --- synapse/app/homeserver.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/synapse/app/homeserver.py b/synapse/app/homeserver.py index 415374a2..ee405c11 100755 --- a/synapse/app/homeserver.py +++ b/synapse/app/homeserver.py 
@@ -90,12 +90,11 @@ def build_resource_for_web_client(hs): "Please either install the matrix-angular-sdk or configure\n" "the location of the source to serve via the configuration\n" "option `web_client_location`\n\n" - "To install the `matrix-angular-sdk` via pip, run:\n\n" - " pip install '%(dep)s'\n" + "To install the `matrix-angular-sdk` via apt, run:\n\n" + " apt install matrix-synapse-angular-client\n" "\n" "You can also disable hosting of the webclient via the\n" "configuration option `web_client`\n" - % {"dep": CONDITIONAL_REQUIREMENTS["web_client"].keys()[0]} ) syweb_path = os.path.dirname(syweb.__file__) webclient_path = os.path.join(syweb_path, "webclient") -- cgit v1.2.3 From f94bd7902bf116b57ed71cc91e59c3bdd20c5194 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 10 Jun 2016 13:24:51 +0100 Subject: Honour config.web_client Gbp-Pq: Name 0005-Honour-config.web_client.patch --- synapse/app/homeserver.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/synapse/app/homeserver.py b/synapse/app/homeserver.py index ee405c11..8af45335 100755 --- a/synapse/app/homeserver.py +++ b/synapse/app/homeserver.py @@ -124,7 +124,7 @@ class SynapseHomeServer(HomeServer): for res in listener_config["resources"]: for name in res["names"]: resources.update(self._configure_named_resource( - name, res.get("compress", False), + config, name, res.get("compress", False), )) additional_resources = listener_config.get("additional_resources", {}) @@ -171,7 +171,7 @@ class SynapseHomeServer(HomeServer): ) logger.info("Synapse now listening on port %d", port) - def _configure_named_resource(self, name, compress=False): + def _configure_named_resource(self, config, name, compress=False): """Build a resource map for a named resource Args: 
@@ -235,7 +235,7 @@ class SynapseHomeServer(HomeServer): if name in ["keys", "federation"]: resources[SERVER_KEY_V2_PREFIX] = KeyApiV2Resource(self) - if name == "webclient": + if name == "webclient" and config.web_client: resources[WEB_CLIENT_PREFIX] = build_resource_for_web_client(self) if name == "metrics" and self.get_config().enable_metrics: -- cgit v1.2.3 From 2c6afa4bcc4fc46f493946848a9ea579312f7ca9 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Fri, 7 Sep 2018 13:57:56 +0100 Subject: Avoid telling people to install packages with pip Origin: upstream Bug: https://github.com/matrix-org/synapse/issues/3743 Gbp-Pq: Name 0006-Avoid-pip-install.patch --- synapse/app/__init__.py | 4 ++-- synapse/config/jwt_config.py | 2 +- synapse/config/repository.py | 4 +--- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/synapse/app/__init__.py b/synapse/app/__init__.py index c3afcc57..a4911e65 100644 --- a/synapse/app/__init__.py +++ b/synapse/app/__init__.py @@ -25,8 +25,8 @@ try: except python_dependencies.MissingRequirementError as e: message = "\n".join([ "Missing Requirement: %s" % (str(e),), - "To install run:", - " pip install --upgrade --force \"%s\"" % (e.dependency,), + "To install, try:", + " sudo apt install python-%s" % (e.dependency,), "", ]) sys.stderr.writelines(message) diff --git a/synapse/config/jwt_config.py b/synapse/config/jwt_config.py index 51e7f7e0..6d3ee06b 100644 --- a/synapse/config/jwt_config.py +++ b/synapse/config/jwt_config.py @@ -19,7 +19,7 @@ MISSING_JWT = ( """Missing jwt library. This is required for jwt login. Install by running: - pip install pyjwt + sudo apt install python-jwt """ ) diff --git a/synapse/config/repository.py b/synapse/config/repository.py index 06c62ab6..0ccbc8c9 100644 --- a/synapse/config/repository.py +++ b/synapse/config/repository.py 
@@ -27,9 +27,7 @@ MISSING_LXML = ( """Missing lxml library. This is required for URL preview API. Install by running: - pip install lxml - - Requires libxslt1-dev system package. + sudo apt install python-lxml """ ) -- cgit v1.2.3 From f98257a9ed4ac606f20b96df3ffbf1f9a4e454f5 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 10 Jun 2016 10:57:07 +0100 Subject: change_instructions Gbp-Pq: Name 0002-change_instructions.patch --- synapse/config/_base.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/synapse/config/_base.py b/synapse/config/_base.py index 14dae65e..2ab55da3 100644 --- a/synapse/config/_base.py +++ b/synapse/config/_base.py @@ -32,6 +32,11 @@ class ConfigError(Exception): MISSING_REPORT_STATS_CONFIG_INSTRUCTIONS = """\ Please opt in or out of reporting anonymized homeserver usage statistics, by setting the `report_stats` key in your config file to either True or False. + +To set it run: + + dpkg-reconfigure matrix-synapse + """ MISSING_REPORT_STATS_SPIEL = """\ @@ -46,6 +51,11 @@ Thank you. MISSING_SERVER_NAME = """\ Missing mandatory `server_name` config option. + +To set it run: + + dpkg-reconfigure matrix-synapse + """ -- cgit v1.2.3 From d03e68e452e1f9f8a15a3cd6d373d6525d689bec Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Fri, 7 Sep 2018 13:57:56 +0100 Subject: Avoid telling people to install packages with pip Origin: upstream Bug: https://github.com/matrix-org/synapse/issues/3743 Gbp-Pq: Name 0006-Avoid-pip-install.patch --- synapse/app/__init__.py | 4 ++-- synapse/config/jwt_config.py | 2 +- synapse/config/repository.py | 4 +--- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/synapse/app/__init__.py b/synapse/app/__init__.py index c3afcc57..05075566 100644 --- a/synapse/app/__init__.py +++ b/synapse/app/__init__.py 
@@ -25,8 +25,8 @@ try: except python_dependencies.MissingRequirementError as e: message = "\n".join([ "Missing Requirement: %s" % (str(e),), - "To install run:", - " pip install --upgrade --force \"%s\"" % (e.dependency,), + "To install, try:", + " sudo apt install python3-%s" % (e.dependency,), "", ]) sys.stderr.writelines(message) diff --git a/synapse/config/jwt_config.py b/synapse/config/jwt_config.py index 51e7f7e0..91c43cf6 100644 --- a/synapse/config/jwt_config.py +++ b/synapse/config/jwt_config.py @@ -19,7 +19,7 @@ MISSING_JWT = ( """Missing jwt library. This is required for jwt login. Install by running: - pip install pyjwt + sudo apt install python3-jwt """ ) diff --git a/synapse/config/repository.py b/synapse/config/repository.py index 06c62ab6..7cb98c64 100644 --- a/synapse/config/repository.py +++ b/synapse/config/repository.py @@ -27,9 +27,7 @@ MISSING_LXML = ( """Missing lxml library. This is required for URL preview API. Install by running: - pip install lxml - - Requires libxslt1-dev system package. + sudo apt install python3-lxml """ ) -- cgit v1.2.3 From 049158f3cf443dc15d59caaf893536b5a2f2a1bd Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 10 Jun 2016 10:57:07 +0100 Subject: change_instructions Gbp-Pq: Name 0002-change_instructions.patch --- synapse/config/_base.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/synapse/config/_base.py b/synapse/config/_base.py index 14dae65e..2ab55da3 100644 --- a/synapse/config/_base.py +++ b/synapse/config/_base.py @@ -32,6 +32,11 @@ class ConfigError(Exception): MISSING_REPORT_STATS_CONFIG_INSTRUCTIONS = """\ Please opt in or out of reporting anonymized homeserver usage statistics, by setting the `report_stats` key in your config file to either True or False. + +To set it run: + + dpkg-reconfigure matrix-synapse + """ MISSING_REPORT_STATS_SPIEL = """\ 
@@ -46,6 +51,11 @@ Thank you. MISSING_SERVER_NAME = """\ Missing mandatory `server_name` config option. + +To set it run: + + dpkg-reconfigure matrix-synapse + """ -- cgit v1.2.3 From 77a80bcc8af2151d015df3685dfff424d83fb7cd Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Fri, 7 Sep 2018 13:57:56 +0100 Subject: Avoid telling people to install packages with pip Origin: upstream Bug: https://github.com/matrix-org/synapse/issues/3743 Gbp-Pq: Name 0006-Avoid-pip-install.patch --- synapse/app/__init__.py | 4 ++-- synapse/config/jwt_config.py | 2 +- synapse/config/repository.py | 4 +--- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/synapse/app/__init__.py b/synapse/app/__init__.py index c3afcc57..05075566 100644 --- a/synapse/app/__init__.py +++ b/synapse/app/__init__.py @@ -25,8 +25,8 @@ try: except python_dependencies.MissingRequirementError as e: message = "\n".join([ "Missing Requirement: %s" % (str(e),), - "To install run:", - " pip install --upgrade --force \"%s\"" % (e.dependency,), + "To install, try:", + " sudo apt install python3-%s" % (e.dependency,), "", ]) sys.stderr.writelines(message) diff --git a/synapse/config/jwt_config.py b/synapse/config/jwt_config.py index 51e7f7e0..91c43cf6 100644 --- a/synapse/config/jwt_config.py +++ b/synapse/config/jwt_config.py @@ -19,7 +19,7 @@ MISSING_JWT = ( """Missing jwt library. This is required for jwt login. Install by running: - pip install pyjwt + sudo apt install python3-jwt """ ) diff --git a/synapse/config/repository.py b/synapse/config/repository.py index 06c62ab6..7cb98c64 100644 --- a/synapse/config/repository.py +++ b/synapse/config/repository.py @@ -27,9 +27,7 @@ MISSING_LXML = ( """Missing lxml library. This is required for URL preview API. Install by running: - pip install lxml - - Requires libxslt1-dev system package. + sudo apt install python3-lxml """ ) -- cgit v1.2.3 From dca64acd01dd6c1fa730d1aac4ef15fa015952be Mon Sep 17 00:00:00 2001 
From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Date: Thu, 10 Jan 2019 14:21:50 +0000
Subject: [PATCH] Fix problem reading macaroon_secret_key from config (#4373)
* Fix fallback to signing key for macaroon-secret-key
* Skip macaroon check for access tokens in the db
* Fix macaroon_secret_key fallback logic
* changelog
Gbp-Pq: Name CVE-2019-5885.patch
---
 changelog.d/4373.bugfix | 1 +
 synapse/api/auth.py | 65 +++++++++-----------
 synapse/config/key.py | 10 ++--
 tests/api/test_auth.py | 155 +-----------------------------------------------
 4 files changed, 34 insertions(+), 197 deletions(-)
 create mode 100644 changelog.d/4373.bugfix
diff --git a/changelog.d/4373.bugfix b/changelog.d/4373.bugfix
new file mode 100644
index 00000000..e50697cc
--- /dev/null
+++ b/changelog.d/4373.bugfix
@@ -0,0 +1 @@
+Fix problem reading macaroon_secret_key from config
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 53098997..4811300c 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -300,20 +300,28 @@ class Auth(object): Raises: AuthError if no user by that token exists or the token is invalid. """ - try: - user_id, guest = self._parse_and_validate_macaroon(token, rights) - except _InvalidMacaroonException: - # doesn't look like a macaroon: treat it as an opaque token which - # must be in the database. - # TODO: it would be nice to get rid of this, but apparently some - # people use access tokens which aren't macaroons + + if rights == "access": + # first look in the database r = yield self._look_up_user_by_access_token(token) - defer.returnValue(r) + if r: + defer.returnValue(r) + # otherwise it needs to be a valid macaroon try: + user_id, guest = self._parse_and_validate_macaroon(token, rights) user = UserID.from_string(user_id) - if guest: + if rights == "access": + if not guest: + # non-guest access tokens must be in the database + logger.warning("Unrecognised access token - not in store.") + raise AuthError( + self.TOKEN_NOT_FOUND_HTTP_STATUS, + "Unrecognised access token.", + errcode=Codes.UNKNOWN_TOKEN, + ) + # Guest access tokens are not stored in the database (there can # only be one access token per guest, anyway). # 
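Review bot: with the new `if rights == "access":` early return, a token found in the store is accepted before `_parse_and_validate_macaroon` runs, so none of its caveats — in particular the `time <` expiry that `expire_access_token` in KeyConfig still controls and that the deleted `test_get_user_from_macaroon_expired` exercised — apply to stored access tokens any more; only guest tokens still take the macaroon path. That matches the commit message, but it moves the trust boundary and the code should say so; I would extend `# first look in the database` to `# A token present in the store is authoritative: its macaroon caveats (including expiry) are not checked, and deleting the row is the only way to revoke it.` `get_user_by_access_token` begins before this hunk and continues into the next.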
@@ -354,31 +362,15 @@ class Auth(object): "device_id": None, } else: - # This codepath exists for several reasons: - # * so that we can actually return a token ID, which is used - # in some parts of the schema (where we probably ought to - # use device IDs instead) - # * the only way we currently have to invalidate an - # access_token is by removing it from the database, so we - # have to check here that it is still in the db - # * some attributes (notably device_id) aren't stored in the - # macaroon. They probably should be. - # TODO: build the dictionary from the macaroon once the - # above are fixed - ret = yield self._look_up_user_by_access_token(token) - if ret["user"] != user: - logger.error( - "Macaroon user (%s) != DB user (%s)", - user, - ret["user"] - ) - raise AuthError( - self.TOKEN_NOT_FOUND_HTTP_STATUS, - "User mismatch in macaroon", - errcode=Codes.UNKNOWN_TOKEN - ) + raise RuntimeError("Unknown rights setting %s", rights) defer.returnValue(ret) - except (pymacaroons.exceptions.MacaroonException, TypeError, ValueError): + except ( + _InvalidMacaroonException, + pymacaroons.exceptions.MacaroonException, + TypeError, + ValueError, + ) as e: + logger.warning("Invalid macaroon in auth: %s %s", type(e), e) raise AuthError( self.TOKEN_NOT_FOUND_HTTP_STATUS, "Invalid macaroon passed.", errcode=Codes.UNKNOWN_TOKEN @@ -508,11 +500,8 @@ class Auth(object): def _look_up_user_by_access_token(self, token): ret = yield self.store.get_user_by_access_token(token) if not ret: - logger.warn("Unrecognised access token - not in store.") - raise AuthError( - self.TOKEN_NOT_FOUND_HTTP_STATUS, "Unrecognised access token.", - errcode=Codes.UNKNOWN_TOKEN - ) + defer.returnValue(None) + # we use ret.get() below because *lots* of unit tests stub out # get_user_by_access_token in a way where it only returns a couple of # the fields. diff --git a/synapse/config/key.py b/synapse/config/key.py index 279c47bb..c26b7529 100644 --- a/synapse/config/key.py +++ b/synapse/config/key.py 
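Review bot: `raise RuntimeError("Unknown rights setting %s", rights)` never formats the message — the format string and `rights` become two separate exception args, so the text reads as a tuple; it should be `raise RuntimeError("Unknown rights setting %s" % (rights,))`. Since RuntimeError is not among the exceptions the widened `except` clause catches, it propagates instead of being turned into an AuthError, which looks right for a programming error. The `if`/`elif` chain that this `else` closes begins before the hunk.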
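Review bot: `_look_up_user_by_access_token` silently changes contract from raising AuthError to returning None, and it has no docstring stating either; `get_user_by_access_token` is the only caller updated in this patch, so any other caller (none visible here) would now receive None where a dict was expected. Add a docstring such as `"""Look up an access token in the store. Returns the row dict (some fields may be absent, see below), or None if the token is unknown."""` and check for other callers before merging. The function continues past the hunk.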
@@ -57,8 +57,8 @@ class KeyConfig(Config): # Unfortunately, there are people out there that don't have this # set. Lets just be "nice" and derive one from their secret key. logger.warn("Config is missing missing macaroon_secret_key") - seed = self.signing_key[0].seed - self.macaroon_secret_key = hashlib.sha256(seed) + seed = bytes(self.signing_key[0]) + self.macaroon_secret_key = hashlib.sha256(seed).digest() self.expire_access_token = config.get("expire_access_token", False) @@ -71,14 +71,14 @@ class KeyConfig(Config): base_key_name = os.path.join(config_dir_path, server_name) if is_generating_file: - macaroon_secret_key = random_string_with_symbols(50) + macaroon_secret_key = '"%s"' % random_string_with_symbols(50) form_secret = '"%s"' % random_string_with_symbols(50) else: - macaroon_secret_key = None + macaroon_secret_key = 'null' form_secret = 'null' return """\ - macaroon_secret_key: "%(macaroon_secret_key)s" + macaroon_secret_key: %(macaroon_secret_key)s # Used to enable access token expiration. expire_access_token: False diff --git a/tests/api/test_auth.py b/tests/api/test_auth.py index 379e9c4a..dad86572 100644 --- a/tests/api/test_auth.py +++ b/tests/api/test_auth.py @@ -192,8 +192,6 @@ class AuthTestCase(unittest.TestCase): @defer.inlineCallbacks def test_get_user_from_macaroon(self): - # TODO(danielwh): Remove this mock when we remove the - # get_user_by_access_token fallback. self.store.get_user_by_access_token = Mock( return_value={"name": "@baldrick:matrix.org", "device_id": "device"} ) @@ -218,6 +216,7 @@ class AuthTestCase(unittest.TestCase): @defer.inlineCallbacks def test_get_guest_user_from_macaroon(self): self.store.get_user_by_id = Mock(return_value={"is_guest": True}) + self.store.get_user_by_access_token = Mock(return_value=None) user_id = "@baldrick:matrix.org" macaroon = pymacaroons.Macaroon( 
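Review bot: the fallback now hashes `bytes(self.signing_key[0])` rather than `.seed` and stores `.digest()` rather than a hash object, so on any server that never set `macaroon_secret_key` the derived key changes on upgrade and macaroons minted under the old fallback stop validating (guest tokens certainly; whatever else is signed with this key is not visible here), while the auth.py change in the same patch spares stored non-guest access tokens because they are no longer macaroon-checked. That is probably acceptable given the old value was a hash object rather than key bytes, but it should be recorded next to `seed = bytes(self.signing_key[0])`, e.g. `# NOTE: changing this derivation invalidates every macaroon issued under the old fallback; operators should set macaroon_secret_key explicitly rather than rely on a key derived from the signing key.` The enclosing method continues outside the hunk.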
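Review bot: the template line `macaroon_secret_key: %(macaroon_secret_key)s` now emits `null` for a non-generated config yet carries no explanation, while `expire_access_token` directly below it has one; a null value silently triggers the derive-from-signing-key fallback in the previous hunk, with only a log warning. Add a comment above it, e.g. `# Secret used to sign macaroons (guest access tokens among others). If left null, one is derived from the server signing key; set it explicitly.` The enclosing method continues outside the hunk.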
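Review bot: apart from the deletions, the only test change is stubbing `get_user_by_access_token` to `None` in `test_get_guest_user_from_macaroon`; neither new branch of `Auth.get_user_by_access_token` gets a test — a non-guest `type = access` macaroon that is absent from the store must now raise AuthError with `Codes.UNKNOWN_TOKEN`, and a token the store returns must be accepted even when it is not a macaroon at all. Both fit the pattern of the existing test (stub the store, call `self.auth.get_user_by_access_token`, assert on the result or the raised AuthError). The deleted `wrong_key` and `unknown_caveat` tests in the following hunk are also worth re-adding in a guest variant, since the guest path still validates macaroons.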
@@ -238,158 +237,6 @@ class AuthTestCase(unittest.TestCase): self.assertTrue(is_guest) self.store.get_user_by_id.assert_called_with(user_id) - @defer.inlineCallbacks - def test_get_user_from_macaroon_user_db_mismatch(self): - self.store.get_user_by_access_token = Mock( - return_value={"name": "@percy:matrix.org"} - ) - - user = "@baldrick:matrix.org" - macaroon = pymacaroons.Macaroon( - location=self.hs.config.server_name, - identifier="key", - key=self.hs.config.macaroon_secret_key, - ) - macaroon.add_first_party_caveat("gen = 1") - macaroon.add_first_party_caveat("type = access") - macaroon.add_first_party_caveat("user_id = %s" % (user,)) - with self.assertRaises(AuthError) as cm: - yield self.auth.get_user_by_access_token(macaroon.serialize()) - self.assertEqual(401, cm.exception.code) - self.assertIn("User mismatch", cm.exception.msg) - - @defer.inlineCallbacks - def test_get_user_from_macaroon_missing_caveat(self): - # TODO(danielwh): Remove this mock when we remove the - # get_user_by_access_token fallback. - self.store.get_user_by_access_token = Mock( - return_value={"name": "@baldrick:matrix.org"} - ) - - macaroon = pymacaroons.Macaroon( - location=self.hs.config.server_name, - identifier="key", - key=self.hs.config.macaroon_secret_key, - ) - macaroon.add_first_party_caveat("gen = 1") - macaroon.add_first_party_caveat("type = access") - - with self.assertRaises(AuthError) as cm: - yield self.auth.get_user_by_access_token(macaroon.serialize()) - self.assertEqual(401, cm.exception.code) - self.assertIn("No user caveat", cm.exception.msg) - - @defer.inlineCallbacks - def test_get_user_from_macaroon_wrong_key(self): - # TODO(danielwh): Remove this mock when we remove the - # get_user_by_access_token fallback. 
- self.store.get_user_by_access_token = Mock( - return_value={"name": "@baldrick:matrix.org"} - ) - - user = "@baldrick:matrix.org" - macaroon = pymacaroons.Macaroon( - location=self.hs.config.server_name, - identifier="key", - key=self.hs.config.macaroon_secret_key + "wrong", - ) - macaroon.add_first_party_caveat("gen = 1") - macaroon.add_first_party_caveat("type = access") - macaroon.add_first_party_caveat("user_id = %s" % (user,)) - - with self.assertRaises(AuthError) as cm: - yield self.auth.get_user_by_access_token(macaroon.serialize()) - self.assertEqual(401, cm.exception.code) - self.assertIn("Invalid macaroon", cm.exception.msg) - - @defer.inlineCallbacks - def test_get_user_from_macaroon_unknown_caveat(self): - # TODO(danielwh): Remove this mock when we remove the - # get_user_by_access_token fallback. - self.store.get_user_by_access_token = Mock( - return_value={"name": "@baldrick:matrix.org"} - ) - - user = "@baldrick:matrix.org" - macaroon = pymacaroons.Macaroon( - location=self.hs.config.server_name, - identifier="key", - key=self.hs.config.macaroon_secret_key, - ) - macaroon.add_first_party_caveat("gen = 1") - macaroon.add_first_party_caveat("type = access") - macaroon.add_first_party_caveat("user_id = %s" % (user,)) - macaroon.add_first_party_caveat("cunning > fox") - - with self.assertRaises(AuthError) as cm: - yield self.auth.get_user_by_access_token(macaroon.serialize()) - self.assertEqual(401, cm.exception.code) - self.assertIn("Invalid macaroon", cm.exception.msg) - - @defer.inlineCallbacks - def test_get_user_from_macaroon_expired(self): - # TODO(danielwh): Remove this mock when we remove the - # get_user_by_access_token fallback. 
- self.store.get_user_by_access_token = Mock( - return_value={"name": "@baldrick:matrix.org"} - ) - - self.store.get_user_by_access_token = Mock( - return_value={"name": "@baldrick:matrix.org"} - ) - - user = "@baldrick:matrix.org" - macaroon = pymacaroons.Macaroon( - location=self.hs.config.server_name, - identifier="key", - key=self.hs.config.macaroon_secret_key, - ) - macaroon.add_first_party_caveat("gen = 1") - macaroon.add_first_party_caveat("type = access") - macaroon.add_first_party_caveat("user_id = %s" % (user,)) - macaroon.add_first_party_caveat("time < -2000") # ms - - self.hs.clock.now = 5000 # seconds - self.hs.config.expire_access_token = True - # yield self.auth.get_user_by_access_token(macaroon.serialize()) - # TODO(daniel): Turn on the check that we validate expiration, when we - # validate expiration (and remove the above line, which will start - # throwing). - with self.assertRaises(AuthError) as cm: - yield self.auth.get_user_by_access_token(macaroon.serialize()) - self.assertEqual(401, cm.exception.code) - self.assertIn("Invalid macaroon", cm.exception.msg) - - @defer.inlineCallbacks - def test_get_user_from_macaroon_with_valid_duration(self): - # TODO(danielwh): Remove this mock when we remove the - # get_user_by_access_token fallback. 
- self.store.get_user_by_access_token = Mock( - return_value={"name": "@baldrick:matrix.org"} - ) - - self.store.get_user_by_access_token = Mock( - return_value={"name": "@baldrick:matrix.org"} - ) - - user_id = "@baldrick:matrix.org" - macaroon = pymacaroons.Macaroon( - location=self.hs.config.server_name, - identifier="key", - key=self.hs.config.macaroon_secret_key, - ) - macaroon.add_first_party_caveat("gen = 1") - macaroon.add_first_party_caveat("type = access") - macaroon.add_first_party_caveat("user_id = %s" % (user_id,)) - macaroon.add_first_party_caveat("time < 900000000") # ms - - self.hs.clock.now = 5000 # seconds - self.hs.config.expire_access_token = True - - user_info = yield self.auth.get_user_by_access_token(macaroon.serialize()) - user = user_info["user"] - self.assertEqual(UserID.from_string(user_id), user) - @defer.inlineCallbacks def test_cannot_use_regular_token_as_guest(self): USER_ID = "@percy:matrix.org" -- cgit v1.2.3