Commit f509bf3ab10e82c5ba6e4e3b5a7db0f9c55026c1 - matrix-synapse

+1

-1

.buildkite/scripts/test_old_deps.sh less more

5	5	set -ex
6	6
7	7	apt-get update
8		apt-get install -y python3.5 python3.5-dev python3-pip libxml2-dev libxslt-dev zlib1g-dev tox
	8	apt-get install -y python3.5 python3.5-dev python3-pip libxml2-dev libxslt-dev xmlsec1 zlib1g-dev tox
9	9
10	10	export LANG="C.UTF-8"
11	11

+279

-150

CHANGES.md less more

	0	Synapse 1.24.0 (2020-12-09)
	1	===========================
	2
	3	Due to the two security issues highlighted below, server administrators are
	4	encouraged to update Synapse. We are not aware of these vulnerabilities being
	5	exploited in the wild.
	6
	7	Security advisory
	8	-----------------
	9
	10	The following issues are fixed in v1.23.1 and v1.24.0.
	11
	12	- There is a denial of service attack
	13	([CVE-2020-26257](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26257))
	14	against the federation APIs in which future events will not be correctly sent
	15	to other servers over federation. This affects all servers that participate in
	16	open federation. (Fixed in [#8776](https://github.com/matrix-org/synapse/pull/8776)).
	17
	18	- Synapse may be affected by OpenSSL
	19	[CVE-2020-1971](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971).
	20	Synapse administrators should ensure that they have the latest versions of
	21	the cryptography Python package installed.
	22
	23	To upgrade Synapse along with the cryptography package:
	24
	25	* Administrators using the [`matrix.org` Docker
	26	image](https://hub.docker.com/r/matrixdotorg/synapse/) or the [Debian/Ubuntu
	27	packages from
	28	`matrix.org`](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#matrixorg-packages)
	29	should ensure that they have version 1.24.0 or 1.23.1 installed: these images include
	30	the updated packages.
	31	* Administrators who have [installed Synapse from
	32	source](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#installing-from-source)
	33	should upgrade the cryptography package within their virtualenv by running:
	34	```sh
	35	<path_to_virtualenv>/bin/pip install 'cryptography>=3.3'
	36	```
	37	* Administrators who have installed Synapse from distribution packages should
	38	consult the information from their distributions.
	39
	40	Internal Changes
	41	----------------
	42
	43	- Add a maximum version for pysaml2 on Python 3.5. ([\#8898](https://github.com/matrix-org/synapse/issues/8898))
	44
	45
	46	Synapse 1.24.0rc2 (2020-12-04)
	47	==============================
	48
	49	Bugfixes
	50	--------
	51
	52	- Fix a regression in v1.24.0rc1 which failed to allow SAML mapping providers which were unable to redirect users to an additional page. ([\#8878](https://github.com/matrix-org/synapse/issues/8878))
	53
	54
	55	Internal Changes
	56	----------------
	57
	58	- Add support for the `prometheus_client` newer than 0.9.0. Contributed by Jordan Bancino. ([\#8875](https://github.com/matrix-org/synapse/issues/8875))
	59
	60
	61	Synapse 1.24.0rc1 (2020-12-02)
	62	==============================
	63
	64	Features
	65	--------
	66
	67	- Add admin API for logging in as a user. ([\#8617](https://github.com/matrix-org/synapse/issues/8617))
	68	- Allow specification of the SAML IdP if the metadata returns multiple IdPs. ([\#8630](https://github.com/matrix-org/synapse/issues/8630))
	69	- Add support for re-trying generation of a localpart for OpenID Connect mapping providers. ([\#8801](https://github.com/matrix-org/synapse/issues/8801), [\#8855](https://github.com/matrix-org/synapse/issues/8855))
	70	- Allow the `Date` header through CORS. Contributed by Nicolas Chamo. ([\#8804](https://github.com/matrix-org/synapse/issues/8804))
	71	- Add a config option, `push.group_by_unread_count`, which controls whether unread message counts in push notifications are defined as "the number of rooms with unread messages" or "total unread messages". ([\#8820](https://github.com/matrix-org/synapse/issues/8820))
	72	- Add `force_purge` option to delete-room admin api. ([\#8843](https://github.com/matrix-org/synapse/issues/8843))
	73
	74
	75	Bugfixes
	76	--------
	77
	78	- Fix a bug where appservices may be sent an excessive amount of read receipts and presence. Broke in v1.22.0. ([\#8744](https://github.com/matrix-org/synapse/issues/8744))
	79	- Fix a bug in some federation APIs which could lead to unexpected behaviour if different parameters were set in the URI and the request body. ([\#8776](https://github.com/matrix-org/synapse/issues/8776))
	80	- Fix a bug where synctl could spawn duplicate copies of a worker. Contributed by Waylon Cude. ([\#8798](https://github.com/matrix-org/synapse/issues/8798))
	81	- Allow per-room profiles to be used for the server notice user. ([\#8799](https://github.com/matrix-org/synapse/issues/8799))
	82	- Fix a bug where logging could break after a call to SIGHUP. ([\#8817](https://github.com/matrix-org/synapse/issues/8817))
	83	- Fix `register_new_matrix_user` failing with "Bad Request" when trailing slash is included in server URL. Contributed by @angdraug. ([\#8823](https://github.com/matrix-org/synapse/issues/8823))
	84	- Fix a minor long-standing bug in login, where we would offer the `password` login type if a custom auth provider supported it, even if password login was disabled. ([\#8835](https://github.com/matrix-org/synapse/issues/8835))
	85	- Fix a long-standing bug which caused Synapse to require unspecified parameters during user-interactive authentication. ([\#8848](https://github.com/matrix-org/synapse/issues/8848))
	86	- Fix a bug introduced in v1.20.0 where the user-agent and IP address reported during user registration for CAS, OpenID Connect, and SAML were of the wrong form. ([\#8784](https://github.com/matrix-org/synapse/issues/8784))
	87
	88
	89	Improved Documentation
	90	----------------------
	91
	92	- Clarify the usecase for a msisdn delegate. Contributed by Adrian Wannenmacher. ([\#8734](https://github.com/matrix-org/synapse/issues/8734))
	93	- Remove extraneous comma from JSON example in User Admin API docs. ([\#8771](https://github.com/matrix-org/synapse/issues/8771))
	94	- Update `turn-howto.md` with troubleshooting notes. ([\#8779](https://github.com/matrix-org/synapse/issues/8779))
	95	- Fix the example on how to set the `Content-Type` header in nginx for the Client Well-Known URI. ([\#8793](https://github.com/matrix-org/synapse/issues/8793))
	96	- Improve the documentation for the admin API to list all media in a room with respect to encrypted events. ([\#8795](https://github.com/matrix-org/synapse/issues/8795))
	97	- Update the formatting of the `push` section of the homeserver config file to better align with the [code style guidelines](https://github.com/matrix-org/synapse/blob/develop/docs/code_style.md#configuration-file-format). ([\#8818](https://github.com/matrix-org/synapse/issues/8818))
	98	- Improve documentation how to configure prometheus for workers. ([\#8822](https://github.com/matrix-org/synapse/issues/8822))
	99	- Update example prometheus console. ([\#8824](https://github.com/matrix-org/synapse/issues/8824))
	100
	101
	102	Deprecations and Removals
	103	-------------------------
	104
	105	- Remove old `/_matrix/client/*/admin` endpoints which were deprecated since Synapse 1.20.0. ([\#8785](https://github.com/matrix-org/synapse/issues/8785))
	106	- Disable pretty printing JSON responses for curl. Users who want pretty-printed output should use [jq](https://stedolan.github.io/jq/) in combination with curl. Contributed by @tulir. ([\#8833](https://github.com/matrix-org/synapse/issues/8833))
	107
	108
	109	Internal Changes
	110	----------------
	111
	112	- Simplify the way the `HomeServer` object caches its internal attributes. ([\#8565](https://github.com/matrix-org/synapse/issues/8565), [\#8851](https://github.com/matrix-org/synapse/issues/8851))
	113	- Add an example and documentation for clock skew to the SAML2 sample configuration to allow for clock/time difference between the homserver and IdP. Contributed by @localguru. ([\#8731](https://github.com/matrix-org/synapse/issues/8731))
	114	- Generalise `RoomMemberHandler._locally_reject_invite` to apply to more flows than just invite. ([\#8751](https://github.com/matrix-org/synapse/issues/8751))
	115	- Generalise `RoomStore.maybe_store_room_on_invite` to handle other, non-invite membership events. ([\#8754](https://github.com/matrix-org/synapse/issues/8754))
	116	- Refactor test utilities for injecting HTTP requests. ([\#8757](https://github.com/matrix-org/synapse/issues/8757), [\#8758](https://github.com/matrix-org/synapse/issues/8758), [\#8759](https://github.com/matrix-org/synapse/issues/8759), [\#8760](https://github.com/matrix-org/synapse/issues/8760), [\#8761](https://github.com/matrix-org/synapse/issues/8761), [\#8777](https://github.com/matrix-org/synapse/issues/8777))
	117	- Consolidate logic between the OpenID Connect and SAML code. ([\#8765](https://github.com/matrix-org/synapse/issues/8765))
	118	- Use `TYPE_CHECKING` instead of magic `MYPY` variable. ([\#8770](https://github.com/matrix-org/synapse/issues/8770))
	119	- Add a commandline script to sign arbitrary json objects. ([\#8772](https://github.com/matrix-org/synapse/issues/8772))
	120	- Minor log line improvements for the SSO mapping code used to generate Matrix IDs from SSO IDs. ([\#8773](https://github.com/matrix-org/synapse/issues/8773))
	121	- Add additional error checking for OpenID Connect and SAML mapping providers. ([\#8774](https://github.com/matrix-org/synapse/issues/8774), [\#8800](https://github.com/matrix-org/synapse/issues/8800))
	122	- Add type hints to HTTP abstractions. ([\#8806](https://github.com/matrix-org/synapse/issues/8806), [\#8812](https://github.com/matrix-org/synapse/issues/8812))
	123	- Remove unnecessary function arguments and add typing to several membership replication classes. ([\#8809](https://github.com/matrix-org/synapse/issues/8809))
	124	- Optimise the lookup for an invite from another homeserver when trying to reject it. ([\#8815](https://github.com/matrix-org/synapse/issues/8815))
	125	- Add tests for `password_auth_provider`s. ([\#8819](https://github.com/matrix-org/synapse/issues/8819))
	126	- Drop redundant database index on `event_json`. ([\#8845](https://github.com/matrix-org/synapse/issues/8845))
	127	- Simplify `uk.half-shot.msc2778.login.application_service` login handler. ([\#8847](https://github.com/matrix-org/synapse/issues/8847))
	128	- Refactor `password_auth_provider` support code. ([\#8849](https://github.com/matrix-org/synapse/issues/8849))
	129	- Add missing `ordering` to background database updates. ([\#8850](https://github.com/matrix-org/synapse/issues/8850))
	130	- Allow for specifying a room version when creating a room in unit tests via `RestHelper.create_room_as`. ([\#8854](https://github.com/matrix-org/synapse/issues/8854))
	131
	132
0	133	Synapse 1.23.0 (2020-11-18)
1	134	===========================
2	135

6321	6454
6322	6455	See UPGRADES.rst for specific instructions on how to upgrade.
6323	6456
6324		> - Fix bug where we served up an Event that did not match its signatures.
6325		> - Fix regression where we no longer correctly handled the case where a homeserver receives an event for a room it doesn\'t recognise (but is in.)
	6457	- Fix bug where we served up an Event that did not match its signatures.
	6458	- Fix regression where we no longer correctly handled the case where a homeserver receives an event for a room it doesn\'t recognise (but is in.)
6326	6459
6327	6460	Changes in synapse 0.5.0 (2014-11-19)
6328	6461	=====================================

6333	6466
6334	6467	Homeserver:
6335	6468
6336		: - Add authentication and authorization to the federation protocol. Events are now signed by their originating homeservers.
6337		- Implement the new authorization model for rooms.
6338		- Split out web client into a seperate repository: matrix-angular-sdk.
6339		- Change the structure of PDUs.
6340		- Fix bug where user could not join rooms via an alias containing 4-byte UTF-8 characters.
6341		- Merge concept of PDUs and Events internally.
6342		- Improve logging by adding request ids to log lines.
6343		- Implement a very basic room initial sync API.
6344		- Implement the new invite/join federation APIs.
	6469	- Add authentication and authorization to the federation protocol. Events are now signed by their originating homeservers.
	6470	- Implement the new authorization model for rooms.
	6471	- Split out web client into a seperate repository: matrix-angular-sdk.
	6472	- Change the structure of PDUs.
	6473	- Fix bug where user could not join rooms via an alias containing 4-byte UTF-8 characters.
	6474	- Merge concept of PDUs and Events internally.
	6475	- Improve logging by adding request ids to log lines.
	6476	- Implement a very basic room initial sync API.
	6477	- Implement the new invite/join federation APIs.
6345	6478
6346	6479	Webclient:
6347	6480
6348		: - The webclient has been moved to a seperate repository.
	6481	- The webclient has been moved to a seperate repository.
6349	6482
6350	6483	Changes in synapse 0.4.2 (2014-10-31)
6351	6484	=====================================
6352	6485
6353	6486	Homeserver:
6354	6487
6355		: - Fix bugs where we did not notify users of correct presence updates.
6356		- Fix bug where we did not handle sub second event stream timeouts.
	6488	- Fix bugs where we did not notify users of correct presence updates.
	6489	- Fix bug where we did not handle sub second event stream timeouts.
6357	6490
6358	6491	Webclient:
6359	6492
6360		: - Add ability to click on messages to see JSON.
6361		- Add ability to redact messages.
6362		- Add ability to view and edit all room state JSON.
6363		- Handle incoming redactions.
6364		- Improve feedback on errors.
6365		- Fix bugs in mobile CSS.
6366		- Fix bugs with desktop notifications.
	6493	- Add ability to click on messages to see JSON.
	6494	- Add ability to redact messages.
	6495	- Add ability to view and edit all room state JSON.
	6496	- Handle incoming redactions.
	6497	- Improve feedback on errors.
	6498	- Fix bugs in mobile CSS.
	6499	- Fix bugs with desktop notifications.
6367	6500
6368	6501	Changes in synapse 0.4.1 (2014-10-17)
6369	6502	=====================================
6370	6503
6371	6504	Webclient:
6372	6505
6373		: - Fix bug with display of timestamps.
	6506	- Fix bug with display of timestamps.
6374	6507
6375	6508	Changes in synpase 0.4.0 (2014-10-17)
6376	6509	=====================================

6383	6516
6384	6517	Homeserver:
6385	6518
6386		: - Sign federation transactions to assert strong identity over federation.
6387		- Rename timestamp keys in PDUs and events from \'ts\' and \'hsob\_ts\' to \'origin\_server\_ts\'.
	6519	- Sign federation transactions to assert strong identity over federation.
	6520	- Rename timestamp keys in PDUs and events from \'ts\' and \'hsob\_ts\' to \'origin\_server\_ts\'.
6388	6521
6389	6522	Changes in synapse 0.3.4 (2014-09-25)
6390	6523	=====================================

6393	6526
6394	6527	Homeserver:
6395	6528
6396		: - Add support for redaction of messages.
6397		- Fix bug where inviting a user on a remote home server could take up to 20-30s.
6398		- Implement a get current room state API.
6399		- Add support specifying and retrieving turn server configuration.
	6529	- Add support for redaction of messages.
	6530	- Fix bug where inviting a user on a remote home server could take up to 20-30s.
	6531	- Implement a get current room state API.
	6532	- Add support specifying and retrieving turn server configuration.
6400	6533
6401	6534	Webclient:
6402	6535
6403		: - Add button to send messages to users from the home page.
6404		- Add support for using TURN for VoIP calls.
6405		- Show display name change messages.
6406		- Fix bug where the client didn\'t get the state of a newly joined room until after it has been refreshed.
6407		- Fix bugs with tab complete.
6408		- Fix bug where holding down the down arrow caused chrome to chew 100% CPU.
6409		- Fix bug where desktop notifications occasionally used \"Undefined\" as the display name.
6410		- Fix more places where we sometimes saw room IDs incorrectly.
6411		- Fix bug which caused lag when entering text in the text box.
	6536	- Add button to send messages to users from the home page.
	6537	- Add support for using TURN for VoIP calls.
	6538	- Show display name change messages.
	6539	- Fix bug where the client didn\'t get the state of a newly joined room until after it has been refreshed.
	6540	- Fix bugs with tab complete.
	6541	- Fix bug where holding down the down arrow caused chrome to chew 100% CPU.
	6542	- Fix bug where desktop notifications occasionally used \"Undefined\" as the display name.
	6543	- Fix more places where we sometimes saw room IDs incorrectly.
	6544	- Fix bug which caused lag when entering text in the text box.
6412	6545
6413	6546	Changes in synapse 0.3.3 (2014-09-22)
6414	6547	=====================================
6415	6548
6416	6549	Homeserver:
6417	6550
6418		: - Fix bug where you continued to get events for rooms you had left.
	6551	- Fix bug where you continued to get events for rooms you had left.
6419	6552
6420	6553	Webclient:
6421	6554
6422		: - Add support for video calls with basic UI.
6423		- Fix bug where one to one chats were named after your display name rather than the other person\'s.
6424		- Fix bug which caused lag when typing in the textarea.
6425		- Refuse to run on browsers we know won\'t work.
6426		- Trigger pagination when joining new rooms.
6427		- Fix bug where we sometimes didn\'t display invitations in recents.
6428		- Automatically join room when accepting a VoIP call.
6429		- Disable outgoing and reject incoming calls on browsers we don\'t support VoIP in.
6430		- Don\'t display desktop notifications for messages in the room you are non-idle and speaking in.
	6555	- Add support for video calls with basic UI.
	6556	- Fix bug where one to one chats were named after your display name rather than the other person\'s.
	6557	- Fix bug which caused lag when typing in the textarea.
	6558	- Refuse to run on browsers we know won\'t work.
	6559	- Trigger pagination when joining new rooms.
	6560	- Fix bug where we sometimes didn\'t display invitations in recents.
	6561	- Automatically join room when accepting a VoIP call.
	6562	- Disable outgoing and reject incoming calls on browsers we don\'t support VoIP in.
	6563	- Don\'t display desktop notifications for messages in the room you are non-idle and speaking in.
6431	6564
6432	6565	Changes in synapse 0.3.2 (2014-09-18)
6433	6566	=====================================
6434	6567
6435	6568	Webclient:
6436	6569
6437		: - Fix bug where an empty \"bing words\" list in old accounts didn\'t send notifications when it should have done.
	6570	- Fix bug where an empty \"bing words\" list in old accounts didn\'t send notifications when it should have done.
6438	6571
6439	6572	Changes in synapse 0.3.1 (2014-09-18)
6440	6573	=====================================

6443	6576
6444	6577	Webclient:
6445	6578
6446		: - Fix a regression where we sometimes displayed duplicate events.
6447		- Fix a regression where we didn\'t immediately remove rooms you were banned in from the recents list.
	6579	- Fix a regression where we sometimes displayed duplicate events.
	6580	- Fix a regression where we didn\'t immediately remove rooms you were banned in from the recents list.
6448	6581
6449	6582	Changes in synapse 0.3.0 (2014-09-18)
6450	6583	=====================================

6453	6586
6454	6587	Homeserver:
6455	6588
6456		: - When a user changes their displayname or avatar the server will now update all their join states to reflect this.
6457		- The server now adds \"age\" key to events to indicate how old they are. This is clock independent, so at no point does any server or webclient have to assume their clock is in sync with everyone else.
6458		- Fix bug where we didn\'t correctly pull in missing PDUs.
6459		- Fix bug where prev\_content key wasn\'t always returned.
6460		- Add support for password resets.
	6589	- When a user changes their displayname or avatar the server will now update all their join states to reflect this.
	6590	- The server now adds \"age\" key to events to indicate how old they are. This is clock independent, so at no point does any server or webclient have to assume their clock is in sync with everyone else.
	6591	- Fix bug where we didn\'t correctly pull in missing PDUs.
	6592	- Fix bug where prev\_content key wasn\'t always returned.
	6593	- Add support for password resets.
6461	6594
6462	6595	Webclient:
6463	6596
6464		: - Improve page content loading.
6465		- Join/parts now trigger desktop notifications.
6466		- Always show room aliases in the UI if one is present.
6467		- No longer show user-count in the recents side panel.
6468		- Add up & down arrow support to the text box for message sending to step through your sent history.
6469		- Don\'t display notifications for our own messages.
6470		- Emotes are now formatted correctly in desktop notifications.
6471		- The recents list now differentiates between public & private rooms.
6472		- Fix bug where when switching between rooms the pagination flickered before the view jumped to the bottom of the screen.
6473		- Add bing word support.
	6597	- Improve page content loading.
	6598	- Join/parts now trigger desktop notifications.
	6599	- Always show room aliases in the UI if one is present.
	6600	- No longer show user-count in the recents side panel.
	6601	- Add up & down arrow support to the text box for message sending to step through your sent history.
	6602	- Don\'t display notifications for our own messages.
	6603	- Emotes are now formatted correctly in desktop notifications.
	6604	- The recents list now differentiates between public & private rooms.
	6605	- Fix bug where when switching between rooms the pagination flickered before the view jumped to the bottom of the screen.
	6606	- Add bing word support.
6474	6607
6475	6608	Registration API:
6476	6609
6477		: - The registration API has been overhauled to function like the login API. In practice, this means registration requests must now include the following: \'type\':\'m.login.password\'. See UPGRADE for more information on this.
6478		- The \'user\_id\' key has been renamed to \'user\' to better match the login API.
6479		- There is an additional login type: \'m.login.email.identity\'.
6480		- The command client and web client have been updated to reflect these changes.
	6610	- The registration API has been overhauled to function like the login API. In practice, this means registration requests must now include the following: \'type\':\'m.login.password\'. See UPGRADE for more information on this.
	6611	- The \'user\_id\' key has been renamed to \'user\' to better match the login API.
	6612	- There is an additional login type: \'m.login.email.identity\'.
	6613	- The command client and web client have been updated to reflect these changes.
6481	6614
6482	6615	Changes in synapse 0.2.3 (2014-09-12)
6483	6616	=====================================
6484	6617
6485	6618	Homeserver:
6486	6619
6487		: - Fix bug where we stopped sending events to remote home servers if a user from that home server left, even if there were some still in the room.
6488		- Fix bugs in the state conflict resolution where it was incorrectly rejecting events.
	6620	- Fix bug where we stopped sending events to remote home servers if a user from that home server left, even if there were some still in the room.
	6621	- Fix bugs in the state conflict resolution where it was incorrectly rejecting events.
6489	6622
6490	6623	Webclient:
6491	6624
6492		: - Display room names and topics.
6493		- Allow setting/editing of room names and topics.
6494		- Display information about rooms on the main page.
6495		- Handle ban and kick events in real time.
6496		- VoIP UI and reliability improvements.
6497		- Add glare support for VoIP.
6498		- Improvements to initial startup speed.
6499		- Don\'t display duplicate join events.
6500		- Local echo of messages.
6501		- Differentiate sending and sent of local echo.
6502		- Various minor bug fixes.
	6625	- Display room names and topics.
	6626	- Allow setting/editing of room names and topics.
	6627	- Display information about rooms on the main page.
	6628	- Handle ban and kick events in real time.
	6629	- VoIP UI and reliability improvements.
	6630	- Add glare support for VoIP.
	6631	- Improvements to initial startup speed.
	6632	- Don\'t display duplicate join events.
	6633	- Local echo of messages.
	6634	- Differentiate sending and sent of local echo.
	6635	- Various minor bug fixes.
6503	6636
6504	6637	Changes in synapse 0.2.2 (2014-09-06)
6505	6638	=====================================
6506	6639
6507	6640	Homeserver:
6508	6641
6509		: - When the server returns state events it now also includes the previous content.
6510		- Add support for inviting people when creating a new room.
6511		- Make the homeserver inform the room via m.room.aliases when a new alias is added for a room.
6512		- Validate m.room.power\_level events.
	6642	- When the server returns state events it now also includes the previous content.
	6643	- Add support for inviting people when creating a new room.
	6644	- Make the homeserver inform the room via m.room.aliases when a new alias is added for a room.
	6645	- Validate m.room.power\_level events.
6513	6646
6514	6647	Webclient:
6515	6648
6516		: - Add support for captchas on registration.
6517		- Handle m.room.aliases events.
6518		- Asynchronously send messages and show a local echo.
6519		- Inform the UI when a message failed to send.
6520		- Only autoscroll on receiving a new message if the user was already at the bottom of the screen.
6521		- Add support for ban/kick reasons.
	6649	- Add support for captchas on registration.
	6650	- Handle m.room.aliases events.
	6651	- Asynchronously send messages and show a local echo.
	6652	- Inform the UI when a message failed to send.
	6653	- Only autoscroll on receiving a new message if the user was already at the bottom of the screen.
	6654	- Add support for ban/kick reasons.
6522	6655
6523	6656	Changes in synapse 0.2.1 (2014-09-03)
6524	6657	=====================================
6525	6658
6526	6659	Homeserver:
6527	6660
6528		: - Added support for signing up with a third party id.
6529		- Add synctl scripts.
6530		- Added rate limiting.
6531		- Add option to change the external address the content repo uses.
6532		- Presence bug fixes.
	6661	- Added support for signing up with a third party id.
	6662	- Add synctl scripts.
	6663	- Added rate limiting.
	6664	- Add option to change the external address the content repo uses.
	6665	- Presence bug fixes.
6533	6666
6534	6667	Webclient:
6535	6668
6536		: - Added support for signing up with a third party id.
6537		- Added support for banning and kicking users.
6538		- Added support for displaying and setting ops.
6539		- Added support for room names.
6540		- Fix bugs with room membership event display.
	6669	- Added support for signing up with a third party id.
	6670	- Added support for banning and kicking users.
	6671	- Added support for displaying and setting ops.
	6672	- Added support for room names.
	6673	- Fix bugs with room membership event display.
6541	6674
6542	6675	Changes in synapse 0.2.0 (2014-09-02)
6543	6676	=====================================

6546	6679
6547	6680	Homeserver:
6548	6681
6549		: - Require SSL for server-server connections.
6550		- Add SSL listener for client-server connections.
6551		- Add ability to use config files.
6552		- Add support for kicking/banning and power levels.
6553		- Allow setting of room names and topics on creation.
6554		- Change presence to include last seen time of the user.
6555		- Change url path prefix to /\_matrix/\...
6556		- Bug fixes to presence.
	6682	- Require SSL for server-server connections.
	6683	- Add SSL listener for client-server connections.
	6684	- Add ability to use config files.
	6685	- Add support for kicking/banning and power levels.
	6686	- Allow setting of room names and topics on creation.
	6687	- Change presence to include last seen time of the user.
	6688	- Change url path prefix to /\_matrix/\...
	6689	- Bug fixes to presence.
6557	6690
6558	6691	Webclient:
6559	6692
6560		: - Reskin the CSS for registration and login.
6561		- Various improvements to rooms CSS.
6562		- Support changes in client-server API.
6563		- Bug fixes to VOIP UI.
6564		- Various bug fixes to handling of changes to room member list.
	6693	- Reskin the CSS for registration and login.
	6694	- Various improvements to rooms CSS.
	6695	- Support changes in client-server API.
	6696	- Bug fixes to VOIP UI.
	6697	- Various bug fixes to handling of changes to room member list.
6565	6698
6566	6699	Changes in synapse 0.1.2 (2014-08-29)
6567	6700	=====================================
6568	6701
6569	6702	Webclient:
6570	6703
6571		: - Add basic call state UI for VoIP calls.
	6704	- Add basic call state UI for VoIP calls.
6572	6705
6573	6706	Changes in synapse 0.1.1 (2014-08-29)
6574	6707	=====================================
6575	6708
6576	6709	Homeserver:
6577	6710
6578		: - Fix bug that caused the event stream to not notify some clients about changes.
	6711	- Fix bug that caused the event stream to not notify some clients about changes.
6579	6712
6580	6713	Changes in synapse 0.1.0 (2014-08-29)
6581	6714	=====================================

6584	6717
6585	6718	Homeserver:
6586	6719
6587		: -
6588
6589		Update client to server API, including:
6590
6591		: - Use a more consistent url scheme.
6592		- Provide more useful information in the initial sync api.
6593
6594		- Change the presence handling to be much more efficient.
6595		- Change the presence server to server API to not require explicit polling of all users who share a room with a user.
6596		- Fix races in the event streaming logic.
	6720	- Update client to server API, including:
	6721	- Use a more consistent url scheme.
	6722	- Provide more useful information in the initial sync api.
	6723	- Change the presence handling to be much more efficient.
	6724	- Change the presence server to server API to not require explicit polling of all users who share a room with a user.
	6725	- Fix races in the event streaming logic.
6597	6726
6598	6727	Webclient:
6599	6728
6600		: - Update to use new client to server API.
6601		- Add basic VOIP support.
6602		- Add idle timers that change your status to away.
6603		- Add recent rooms column when viewing a room.
6604		- Various network efficiency improvements.
6605		- Add basic mobile browser support.
6606		- Add a settings page.
	6729	- Update to use new client to server API.
	6730	- Add basic VOIP support.
	6731	- Add idle timers that change your status to away.
	6732	- Add recent rooms column when viewing a room.
	6733	- Various network efficiency improvements.
	6734	- Add basic mobile browser support.
	6735	- Add a settings page.
6607	6736
6608	6737	Changes in synapse 0.0.1 (2014-08-22)
6609	6738	=====================================

6612	6741
6613	6742	Homeserver:
6614	6743
6615		: - Completely change the database schema to support generic event types.
6616		- Improve presence reliability.
6617		- Improve reliability of joining remote rooms.
6618		- Fix bug where room join events were duplicated.
6619		- Improve initial sync API to return more information to the client.
6620		- Stop generating fake messages for room membership events.
	6744	- Completely change the database schema to support generic event types.
	6745	- Improve presence reliability.
	6746	- Improve reliability of joining remote rooms.
	6747	- Fix bug where room join events were duplicated.
	6748	- Improve initial sync API to return more information to the client.
	6749	- Stop generating fake messages for room membership events.
6621	6750
6622	6751	Webclient:
6623	6752
6624		: - Add tab completion of names.
6625		- Add ability to upload and send images.
6626		- Add profile pages.
6627		- Improve CSS layout of room.
6628		- Disambiguate identical display names.
6629		- Don\'t get remote users display names and avatars individually.
6630		- Use the new initial sync API to reduce number of round trips to the homeserver.
6631		- Change url scheme to use room aliases instead of room ids where known.
6632		- Increase longpoll timeout.
	6753	- Add tab completion of names.
	6754	- Add ability to upload and send images.
	6755	- Add profile pages.
	6756	- Improve CSS layout of room.
	6757	- Disambiguate identical display names.
	6758	- Don\'t get remote users display names and avatars individually.
	6759	- Use the new initial sync API to reduce number of round trips to the homeserver.
	6760	- Change url scheme to use room aliases instead of room ids where known.
	6761	- Increase longpoll timeout.
6633	6762
6634	6763	Changes in synapse 0.0.0 (2014-08-13)
6635	6764	=====================================
6636	6765
6637		> - Initial alpha release
	6766	- Initial alpha release

+1

-1

INSTALL.md less more

486	486	```
487	487	location /.well-known/matrix/client {
488	488	return 200 '{"m.homeserver": {"base_url": "https://<matrix.example.com>"}}';
489		add_header Content-Type application/json;
	489	default_type application/json;
490	490	add_header Access-Control-Allow-Origin *;
491	491	}
492	492	```

+52

-0

UPGRADE.rst less more

73	73	# replace `1.3.0` and `stretch` accordingly:
74	74	wget https://packages.matrix.org/debian/pool/main/m/matrix-synapse-py3/matrix-synapse-py3_1.3.0+stretch1_amd64.deb
75	75	dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb
	76
	77	Upgrading to v1.24.0
	78	====================
	79
	80	Custom OpenID Connect mapping provider breaking change
	81	------------------------------------------------------
	82
	83	This release allows the OpenID Connect mapping provider to perform normalisation
	84	of the localpart of the Matrix ID. This allows for the mapping provider to
	85	specify different algorithms, instead of the [default way](https://matrix.org/docs/spec/appendices#mapping-from-other-character-sets).
	86
	87	If your Synapse configuration uses a custom mapping provider
	88	(`oidc_config.user_mapping_provider.module` is specified and not equal to
	89	`synapse.handlers.oidc_handler.JinjaOidcMappingProvider`) then you must ensure
	90	that `map_user_attributes` of the mapping provider performs some normalisation
	91	of the `localpart` returned. To match previous behaviour you can use the
	92	`map_username_to_mxid_localpart` function provided by Synapse. An example is
	93	shown below:
	94
	95	.. code-block:: python
	96
	97	from synapse.types import map_username_to_mxid_localpart
	98
	99	class MyMappingProvider:
	100	def map_user_attributes(self, userinfo, token):
	101	# ... your custom logic ...
	102	sso_user_id = ...
	103	localpart = map_username_to_mxid_localpart(sso_user_id)
	104
	105	return {"localpart": localpart}
	106
	107	Removal historical Synapse Admin API
	108	------------------------------------
	109
	110	Historically, the Synapse Admin API has been accessible under:
	111
	112	* ``/_matrix/client/api/v1/admin``
	113	* ``/_matrix/client/unstable/admin``
	114	* ``/_matrix/client/r0/admin``
	115	* ``/_synapse/admin/v1``
	116
	117	The endpoints with ``/_matrix/client/*`` prefixes have been removed as of v1.24.0.
	118	The Admin API is now only accessible under:
	119
	120	* ``/_synapse/admin/v1``
	121
	122	The only exception is the `/admin/whois` endpoint, which is
	123	`also available via the client-server API <https://matrix.org/docs/spec/client_server/r0.6.1#get-matrix-client-r0-admin-whois-userid>`_.
	124
	125	The deprecation of the old endpoints was announced with Synapse 1.20.0 (released
	126	on 2020-09-22) and makes it easier for homeserver admins to lock down external
	127	access to the Admin API endpoints.
76	128
77	129	Upgrading to v1.23.0
78	130	====================

+7

-3

contrib/prometheus/README.md less more

19	19	```
20	20
21	21	### for Prometheus v2
	22
22	23	Add a new job to the main prometheus.yml file:
23	24
24	25	```yaml

28	29	scheme: "https"
29	30
30	31	static_configs:
31		- targets: ['SERVER.LOCATION:PORT']
	32	- targets: ["my.server.here:port"]
32	33	```
	34
	35	An example of a Prometheus configuration with workers can be found in
	36	[metrics-howto.md](https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md).
33	37
34	38	To use `synapse.rules` add
35	39
36	40	```yaml
37		rule_files:
38		- "/PATH/TO/synapse-v2.rules"
	41	rule_files:
	42	- "/PATH/TO/synapse-v2.rules"
39	43	```
40	44
41	45	Metrics are disabled by default when running synapse; they must be enabled

+72

-73

contrib/prometheus/consoles/synapse.html less more

8	8	new PromConsole.Graph({
9	9	node: document.querySelector("#process_resource_utime"),
10	10	expr: "rate(process_cpu_seconds_total[2m]) * 100",
11		name: "[[job]]",
	11	name: "[[job]]-[[index]]",
12	12	min: 0,
13	13	max: 100,
14	14	renderer: "line",

21	21	</script>
22	22
23	23	<h3>Memory</h3>
24		<div id="process_resource_maxrss"></div>
25		<script>
26		new PromConsole.Graph({
27		node: document.querySelector("#process_resource_maxrss"),
28		expr: "process_psutil_rss:max",
29		name: "Maxrss",
	24	<div id="process_resident_memory_bytes"></div>
	25	<script>
	26	new PromConsole.Graph({
	27	node: document.querySelector("#process_resident_memory_bytes"),
	28	expr: "process_resident_memory_bytes",
	29	name: "[[job]]-[[index]]",
30	30	min: 0,
31	31	renderer: "line",
32	32	height: 150,

42	42	<script>
43	43	new PromConsole.Graph({
44	44	node: document.querySelector("#process_fds"),
45		expr: "process_open_fds{job='synapse'}",
46		name: "FDs",
	45	expr: "process_open_fds",
	46	name: "[[job]]-[[index]]",
47	47	min: 0,
48	48	renderer: "line",
49	49	height: 150,

61	61	<script>
62	62	new PromConsole.Graph({
63	63	node: document.querySelector("#reactor_total_time"),
64		expr: "rate(python_twisted_reactor_tick_time:total[2m]) / 1000",
65		name: "time",
	64	expr: "rate(python_twisted_reactor_tick_time_sum[2m])",
	65	name: "[[job]]-[[index]]",
66	66	max: 1,
67	67	min: 0,
68	68	renderer: "area",

79	79	<script>
80	80	new PromConsole.Graph({
81	81	node: document.querySelector("#reactor_average_time"),
82		expr: "rate(python_twisted_reactor_tick_time:total[2m]) / rate(python_twisted_reactor_tick_time:count[2m]) / 1000",
83		name: "time",
	82	expr: "rate(python_twisted_reactor_tick_time_sum[2m]) / rate(python_twisted_reactor_tick_time_count[2m])",
	83	name: "[[job]]-[[index]]",
84	84	min: 0,
85	85	renderer: "line",
86	86	height: 150,

96	96	<script>
97	97	new PromConsole.Graph({
98	98	node: document.querySelector("#reactor_pending_calls"),
99		expr: "rate(python_twisted_reactor_pending_calls:total[30s])/rate(python_twisted_reactor_pending_calls:count[30s])",
100		name: "calls",
101		min: 0,
102		renderer: "line",
103		height: 150,
104		yAxisFormatter: PromConsole.NumberFormatter.humanize,
105		yHoverFormatter: PromConsole.NumberFormatter.humanize,
106		yTitle: "Pending Cals"
	99	expr: "rate(python_twisted_reactor_pending_calls_sum[30s]) / rate(python_twisted_reactor_pending_calls_count[30s])",
	100	name: "[[job]]-[[index]]",
	101	min: 0,
	102	renderer: "line",
	103	height: 150,
	104	yAxisFormatter: PromConsole.NumberFormatter.humanize,
	105	yHoverFormatter: PromConsole.NumberFormatter.humanize,
	106	yTitle: "Pending Calls"
107	107	})
108	108	</script>
109	109

114	114	<script>
115	115	new PromConsole.Graph({
116	116	node: document.querySelector("#synapse_storage_query_time"),
117		expr: "rate(synapse_storage_query_time:count[2m])",
	117	expr: "sum(rate(synapse_storage_query_time_count[2m])) by (verb)",
118	118	name: "[[verb]]",
119	119	yAxisFormatter: PromConsole.NumberFormatter.humanizeNoSmallPrefix,
120	120	yHoverFormatter: PromConsole.NumberFormatter.humanizeNoSmallPrefix,

128	128	<script>
129	129	new PromConsole.Graph({
130	130	node: document.querySelector("#synapse_storage_transaction_time"),
131		expr: "rate(synapse_storage_transaction_time:count[2m])",
132		name: "[[desc]]",
	131	expr: "topk(10, rate(synapse_storage_transaction_time_count[2m]))",
	132	name: "[[job]]-[[index]] [[desc]]",
133	133	min: 0,
134	134	yAxisFormatter: PromConsole.NumberFormatter.humanizeNoSmallPrefix,
135	135	yHoverFormatter: PromConsole.NumberFormatter.humanizeNoSmallPrefix,

139	139	</script>
140	140
141	141	<h3>Transaction execution time</h3>
142		<div id="synapse_storage_transactions_time_msec"></div>
143		<script>
144		new PromConsole.Graph({
145		node: document.querySelector("#synapse_storage_transactions_time_msec"),
146		expr: "rate(synapse_storage_transaction_time:total[2m]) / 1000",
147		name: "[[desc]]",
	142	<div id="synapse_storage_transactions_time_sec"></div>
	143	<script>
	144	new PromConsole.Graph({
	145	node: document.querySelector("#synapse_storage_transactions_time_sec"),
	146	expr: "rate(synapse_storage_transaction_time_sum[2m])",
	147	name: "[[job]]-[[index]] [[desc]]",
148	148	min: 0,
149	149	yAxisFormatter: PromConsole.NumberFormatter.humanize,
150	150	yHoverFormatter: PromConsole.NumberFormatter.humanize,

153	153	})
154	154	</script>
155	155
156		<h3>Database scheduling latency</h3>
157		<div id="synapse_storage_schedule_time"></div>
158		<script>
159		new PromConsole.Graph({
160		node: document.querySelector("#synapse_storage_schedule_time"),
161		expr: "rate(synapse_storage_schedule_time:total[2m]) / 1000",
162		name: "Total latency",
163		min: 0,
164		yAxisFormatter: PromConsole.NumberFormatter.humanize,
165		yHoverFormatter: PromConsole.NumberFormatter.humanize,
166		yUnits: "s/s",
167		yTitle: "Usage"
168		})
169		</script>
170
171		<h3>Cache hit ratio</h3>
172		<div id="synapse_cache_ratio"></div>
173		<script>
174		new PromConsole.Graph({
175		node: document.querySelector("#synapse_cache_ratio"),
176		expr: "rate(synapse_util_caches_cache:total[2m]) * 100",
177		name: "[[name]]",
178		min: 0,
179		max: 100,
180		yAxisFormatter: PromConsole.NumberFormatter.humanizeNoSmallPrefix,
181		yHoverFormatter: PromConsole.NumberFormatter.humanizeNoSmallPrefix,
182		yUnits: "%",
183		yTitle: "Percentage"
	156	<h3>Average time waiting for database connection</h3>
	157	<div id="synapse_storage_avg_waiting_time"></div>
	158	<script>
	159	new PromConsole.Graph({
	160	node: document.querySelector("#synapse_storage_avg_waiting_time"),
	161	expr: "rate(synapse_storage_schedule_time_sum[2m]) / rate(synapse_storage_schedule_time_count[2m])",
	162	name: "[[job]]-[[index]]",
	163	min: 0,
	164	yAxisFormatter: PromConsole.NumberFormatter.humanize,
	165	yHoverFormatter: PromConsole.NumberFormatter.humanize,
	166	yUnits: "s",
	167	yTitle: "Time"
	168	})
	169	</script>
	170
	171	<h3>Cache request rate</h3>
	172	<div id="synapse_cache_request_rate"></div>
	173	<script>
	174	new PromConsole.Graph({
	175	node: document.querySelector("#synapse_cache_request_rate"),
	176	expr: "rate(synapse_util_caches_cache:total[2m])",
	177	name: "[[job]]-[[index]] [[name]]",
	178	min: 0,
	179	yAxisFormatter: PromConsole.NumberFormatter.humanizeNoSmallPrefix,
	180	yHoverFormatter: PromConsole.NumberFormatter.humanizeNoSmallPrefix,
	181	yUnits: "rps",
	182	yTitle: "Cache request rate"
184	183	})
185	184	</script>
186	185

190	189	new PromConsole.Graph({
191	190	node: document.querySelector("#synapse_cache_size"),
192	191	expr: "synapse_util_caches_cache:size",
193		name: "[[name]]",
	192	name: "[[job]]-[[index]] [[name]]",
194	193	yAxisFormatter: PromConsole.NumberFormatter.humanizeNoSmallPrefix,
195	194	yHoverFormatter: PromConsole.NumberFormatter.humanizeNoSmallPrefix,
196	195	yUnits: "",

205	204	<script>
206	205	new PromConsole.Graph({
207	206	node: document.querySelector("#synapse_http_server_request_count_servlet"),
208		expr: "rate(synapse_http_server_request_count:servlet[2m])",
209		name: "[[servlet]]",
	207	expr: "rate(synapse_http_server_in_flight_requests_count[2m])",
	208	name: "[[job]]-[[index]] [[method]] [[servlet]]",
210	209	yAxisFormatter: PromConsole.NumberFormatter.humanize,
211	210	yHoverFormatter: PromConsole.NumberFormatter.humanize,
212	211	yUnits: "req/s",

218	217	<script>
219	218	new PromConsole.Graph({
220	219	node: document.querySelector("#synapse_http_server_request_count_servlet_minus_events"),
221		expr: "rate(synapse_http_server_request_count:servlet{servlet!=\"EventStreamRestServlet\", servlet!=\"SyncRestServlet\"}[2m])",
222		name: "[[servlet]]",
	220	expr: "rate(synapse_http_server_in_flight_requests_count{servlet!=\"EventStreamRestServlet\", servlet!=\"SyncRestServlet\"}[2m])",
	221	name: "[[job]]-[[index]] [[method]] [[servlet]]",
223	222	yAxisFormatter: PromConsole.NumberFormatter.humanize,
224	223	yHoverFormatter: PromConsole.NumberFormatter.humanize,
225	224	yUnits: "req/s",

232	231	<script>
233	232	new PromConsole.Graph({
234	233	node: document.querySelector("#synapse_http_server_response_time_avg"),
235		expr: "rate(synapse_http_server_response_time_seconds[2m]) / rate(synapse_http_server_response_count[2m]) / 1000",
236		name: "[[servlet]]",
	234	expr: "rate(synapse_http_server_response_time_seconds_sum[2m]) / rate(synapse_http_server_response_count[2m])",
	235	name: "[[job]]-[[index]] [[servlet]]",
237	236	yAxisFormatter: PromConsole.NumberFormatter.humanize,
238	237	yHoverFormatter: PromConsole.NumberFormatter.humanize,
239	238	yUnits: "s/req",

276	275	new PromConsole.Graph({
277	276	node: document.querySelector("#synapse_http_server_response_ru_utime"),
278	277	expr: "rate(synapse_http_server_response_ru_utime_seconds[2m])",
279		name: "[[servlet]]",
	278	name: "[[job]]-[[index]] [[servlet]]",
280	279	yAxisFormatter: PromConsole.NumberFormatter.humanize,
281	280	yHoverFormatter: PromConsole.NumberFormatter.humanize,
282	281	yUnits: "s/s",

291	290	new PromConsole.Graph({
292	291	node: document.querySelector("#synapse_http_server_response_db_txn_duration"),
293	292	expr: "rate(synapse_http_server_response_db_txn_duration_seconds[2m])",
294		name: "[[servlet]]",
	293	name: "[[job]]-[[index]] [[servlet]]",
295	294	yAxisFormatter: PromConsole.NumberFormatter.humanize,
296	295	yHoverFormatter: PromConsole.NumberFormatter.humanize,
297	296	yUnits: "s/s",

305	304	<script>
306	305	new PromConsole.Graph({
307	306	node: document.querySelector("#synapse_http_server_send_time_avg"),
308		expr: "rate(synapse_http_server_response_time_second{servlet='RoomSendEventRestServlet'}[2m]) / rate(synapse_http_server_response_count{servlet='RoomSendEventRestServlet'}[2m]) / 1000",
309		name: "[[servlet]]",
	307	expr: "rate(synapse_http_server_response_time_seconds_sum{servlet='RoomSendEventRestServlet'}[2m]) / rate(synapse_http_server_response_count{servlet='RoomSendEventRestServlet'}[2m])",
	308	name: "[[job]]-[[index]] [[servlet]]",
310	309	yAxisFormatter: PromConsole.NumberFormatter.humanize,
311	310	yHoverFormatter: PromConsole.NumberFormatter.humanize,
312	311	yUnits: "s/req",

322	321	new PromConsole.Graph({
323	322	node: document.querySelector("#synapse_federation_client_sent"),
324	323	expr: "rate(synapse_federation_client_sent[2m])",
325		name: "[[type]]",
	324	name: "[[job]]-[[index]] [[type]]",
326	325	yAxisFormatter: PromConsole.NumberFormatter.humanize,
327	326	yHoverFormatter: PromConsole.NumberFormatter.humanize,
328	327	yUnits: "req/s",

336	335	new PromConsole.Graph({
337	336	node: document.querySelector("#synapse_federation_server_received"),
338	337	expr: "rate(synapse_federation_server_received[2m])",
339		name: "[[type]]",
	338	name: "[[job]]-[[index]] [[type]]",
340	339	yAxisFormatter: PromConsole.NumberFormatter.humanize,
341	340	yHoverFormatter: PromConsole.NumberFormatter.humanize,
342	341	yUnits: "req/s",

366	365	new PromConsole.Graph({
367	366	node: document.querySelector("#synapse_notifier_listeners"),
368	367	expr: "synapse_notifier_listeners",
369		name: "listeners",
	368	name: "[[job]]-[[index]]",
370	369	min: 0,
371	370	yAxisFormatter: PromConsole.NumberFormatter.humanizeNoSmallPrefix,
372	371	yHoverFormatter: PromConsole.NumberFormatter.humanizeNoSmallPrefix,

381	380	new PromConsole.Graph({
382	381	node: document.querySelector("#synapse_notifier_notified_events"),
383	382	expr: "rate(synapse_notifier_notified_events[2m])",
384		name: "events",
	383	name: "[[job]]-[[index]]",
385	384	yAxisFormatter: PromConsole.NumberFormatter.humanize,
386	385	yHoverFormatter: PromConsole.NumberFormatter.humanize,
387	386	yUnits: "events/s",

+6

-0

debian/changelog less more

	0	matrix-synapse-py3 (1.24.0) stable; urgency=medium
	1
	2	* New synapse release 1.24.0.
	3
	4	-- Synapse Packaging team <packages@matrix.org> Wed, 09 Dec 2020 10:14:30 +0000
	5
0	6	matrix-synapse-py3 (1.23.0) stable; urgency=medium
1	7
2	8	* New synapse release 1.23.0.

+1

-1

docker/Dockerfile less more

36	36	jaeger-client \
37	37	opentracing \
38	38	# Match the version constraints of Synapse
39		"prometheus_client>=0.4.0,<0.9.0" \
	39	"prometheus_client>=0.4.0" \
40	40	psycopg2 \
41	41	pycparser \
42	42	pyrsistent \

+1

-0

docs/admin_api/media_admin_api.md less more

0	0	# List all media in a room
1	1
2	2	This API gets a list of known media in a room.
	3	However, it only shows media from unencrypted events or rooms.
3	4
4	5	The API is:
5	6	```

+5

-1

docs/admin_api/rooms.md less more

381	381
382	382	The API is:
383	383
384		```json
	384	```
385	385	POST /_synapse/admin/v1/rooms/<room_id>/delete
386	386	```
387	387

438	438	future attempts to join the room. Defaults to `false`.
439	439	* `purge` - Optional. If set to `true`, it will remove all traces of the room from your database.
440	440	Defaults to `true`.
	441	* `force_purge` - Optional, and ignored unless `purge` is `true`. If set to `true`, it
	442	will force a purge to go ahead even if there are local users still in the room. Do not
	443	use this unless a regular `purge` operation fails, as it could leave those users'
	444	clients in a confused state.
441	445
442	446	The JSON body must not be empty. The body must be at least `{}`.
443	447

+43

-1

docs/admin_api/user_admin_api.rst less more

175	175
176	176	GET /_synapse/admin/v1/whois/<user_id>
177	177
	178	and::
	179
	180	GET /_matrix/client/r0/admin/whois/<userId>
	181
	182	See also: `Client Server API Whois
	183	<https://matrix.org/docs/spec/client_server/r0.6.1#get-matrix-client-r0-admin-whois-userid>`_
	184
178	185	To use it, you will need to authenticate by providing an ``access_token`` for a
179	186	server admin: see `README.rst <README.rst>`_.
180	187

253	260
254	261	{
255	262	"new_password": "<secret>",
256		"logout_devices": true,
	263	"logout_devices": true
257	264	}
258	265
259	266	To use it, you will need to authenticate by providing an ``access_token`` for a

423	430	- ``next_token``: integer - Indication for pagination. See above.
424	431	- ``total`` - integer - Total number of media.
425	432
	433	Login as a user
	434	===============
	435
	436	Get an access token that can be used to authenticate as that user. Useful for
	437	when admins wish to do actions on behalf of a user.
	438
	439	The API is::
	440
	441	POST /_synapse/admin/v1/users/<user_id>/login
	442	{}
	443
	444	An optional ``valid_until_ms`` field can be specified in the request body as an
	445	integer timestamp that specifies when the token should expire. By default tokens
	446	do not expire.
	447
	448	A response body like the following is returned:
	449
	450	.. code:: json
	451
	452	{
	453	"access_token": "<opaque_access_token_string>"
	454	}
	455
	456
	457	This API does not generate a new device for the user, and so will not appear
	458	their ``/devices`` list, and in general the target user should not be able to
	459	tell they have been logged in as.
	460
	461	To expire the token call the standard ``/logout`` API with the token.
	462
	463	Note: The token will expire if the admin user calls ``/logout/all`` from any
	464	of their devices, but the token will not expire if the target user does the
	465	same.
	466
	467
426	468	User devices
427	469	============
428	470

+57

-17

docs/metrics-howto.md less more

12	12	can be enabled by adding the \"metrics\" resource to the existing
13	13	listener as such:
14	14
15		resources:
16		- names:
17		- client
18		- metrics
	15	```yaml
	16	resources:
	17	- names:
	18	- client
	19	- metrics
	20	```
19	21
20	22	This provides a simple way of adding metrics to your Synapse
21	23	installation, and serves under `/_synapse/metrics`. If you do not

30	32
31	33	Add a new listener to homeserver.yaml:
32	34
33		listeners:
34		- type: metrics
35		port: 9000
36		bind_addresses:
37		- '0.0.0.0'
	35	```yaml
	36	listeners:
	37	- type: metrics
	38	port: 9000
	39	bind_addresses:
	40	- '0.0.0.0'
	41	```
38	42
39	43	For both options, you will need to ensure that `enable_metrics` is
40	44	set to `True`.

46	50	It needs to set the `metrics_path` to a non-default value (under
47	51	`scrape_configs`):
48	52
49		- job_name: "synapse"
50		metrics_path: "/_synapse/metrics"
51		static_configs:
52		- targets: ["my.server.here:port"]
	53	```yaml
	54	- job_name: "synapse"
	55	scrape_interval: 15s
	56	metrics_path: "/_synapse/metrics"
	57	static_configs:
	58	- targets: ["my.server.here:port"]
	59	```
53	60
54	61	where `my.server.here` is the IP address of Synapse, and `port` is
55	62	the listener port configured with the `metrics` resource.

59	66
60	67	1. Restart Prometheus.
61	68
62		1. Consider using the [grafana dashboard](https://github.com/matrix-org/synapse/tree/master/contrib/grafana/) and required [recording rules](https://github.com/matrix-org/synapse/tree/master/contrib/prometheus/)
	69	1. Consider using the [grafana dashboard](https://github.com/matrix-org/synapse/tree/master/contrib/grafana/)
	70	and required [recording rules](https://github.com/matrix-org/synapse/tree/master/contrib/prometheus/)
63	71
64	72	## Monitoring workers
65	73

75	83	under `worker_listeners`:
76	84
77	85	```yaml
78		- type: metrics
79		bind_address: ''
80		port: 9101
	86	- type: metrics
	87	bind_address: ''
	88	port: 9101
81	89	```
82	90
83	91	The `bind_address` and `port` parameters should be set so that

85	93	don't clash with an existing worker.
86	94	With this example, the worker's metrics would then be available
87	95	on `http://127.0.0.1:9101`.
	96
	97	Example Prometheus target for Synapse with workers:
	98
	99	```yaml
	100	- job_name: "synapse"
	101	scrape_interval: 15s
	102	metrics_path: "/_synapse/metrics"
	103	static_configs:
	104	- targets: ["my.server.here:port"]
	105	labels:
	106	instance: "my.server"
	107	job: "master"
	108	index: 1
	109	- targets: ["my.workerserver.here:port"]
	110	labels:
	111	instance: "my.server"
	112	job: "generic_worker"
	113	index: 1
	114	- targets: ["my.workerserver.here:port"]
	115	labels:
	116	instance: "my.server"
	117	job: "generic_worker"
	118	index: 2
	119	- targets: ["my.workerserver.here:port"]
	120	labels:
	121	instance: "my.server"
	122	job: "media_repository"
	123	index: 1
	124	```
	125
	126	Labels (`instance`, `job`, `index`) can be defined as anything.
	127	The labels are used to group graphs in grafana.
88	128
89	129	## Renaming of metrics & deprecation of old names in 1.2
90	130

+1

-0

docs/password_auth_providers.md less more

25	25
26	26	It should perform any appropriate sanity checks on the provided
27	27	configuration, and return an object which is then passed into
	28	`__init__`.
28	29
29	30	This method should have the `@staticmethod` decoration.
30	31

+46

-16

docs/sample_config.yaml less more

1229	1229	# email will be globally disabled.
1230	1230	#
1231	1231	# Additionally, if `msisdn` is not set, registration and password resets via msisdn
1232		# will be disabled regardless. This is due to Synapse currently not supporting any
1233		# method of sending SMS messages on its own.
	1232	# will be disabled regardless, and users will not be able to associate an msisdn
	1233	# identifier to their account. This is due to Synapse currently not supporting
	1234	# any method of sending SMS messages on its own.
1234	1235	#
1235	1236	# To enable using an identity server for operations regarding a particular third-party
1236	1237	# identifier type, set the value to the URL of that identity server as shown in the

1543	1544	# local: ["saml2/idp.xml"]
1544	1545	# remote:
1545	1546	# - url: https://our_idp/metadata.xml
	1547
	1548	# Allowed clock difference in seconds between the homeserver and IdP.
	1549	#
	1550	# Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
	1551	#
	1552	#accepted_time_diff: 3
1546	1553
1547	1554	# By default, the user has to go to our login page first. If you'd like
1548	1555	# to allow IdP-initiated login, set 'allow_unsolicited: true' in a

1666	1673	# - attribute: department
1667	1674	# value: "sales"
1668	1675
	1676	# If the metadata XML contains multiple IdP entities then the `idp_entityid`
	1677	# option must be set to the entity to redirect users to.
	1678	#
	1679	# Most deployments only have a single IdP entity and so should omit this
	1680	# option.
	1681	#
	1682	#idp_entityid: 'https://our_idp/entityid'
	1683
1669	1684
1670	1685	# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login.
1671	1686	#

2235	2250
2236	2251
2237	2252
2238		# Clients requesting push notifications can either have the body of
2239		# the message sent in the notification poke along with other details
2240		# like the sender, or just the event ID and room ID (`event_id_only`).
2241		# If clients choose the former, this option controls whether the
2242		# notification request includes the content of the event (other details
2243		# like the sender are still included). For `event_id_only` push, it
2244		# has no effect.
2245		#
2246		# For modern android devices the notification content will still appear
2247		# because it is loaded by the app. iPhone, however will send a
2248		# notification saying only that a message arrived and who it came from.
2249		#
2250		#push:
2251		# include_content: true
	2253	## Push ##
	2254
	2255	push:
	2256	# Clients requesting push notifications can either have the body of
	2257	# the message sent in the notification poke along with other details
	2258	# like the sender, or just the event ID and room ID (`event_id_only`).
	2259	# If clients choose the former, this option controls whether the
	2260	# notification request includes the content of the event (other details
	2261	# like the sender are still included). For `event_id_only` push, it
	2262	# has no effect.
	2263	#
	2264	# For modern android devices the notification content will still appear
	2265	# because it is loaded by the app. iPhone, however will send a
	2266	# notification saying only that a message arrived and who it came from.
	2267	#
	2268	# The default value is "true" to include message details. Uncomment to only
	2269	# include the event ID and room ID in push notification payloads.
	2270	#
	2271	#include_content: false
	2272
	2273	# When a push notification is received, an unread count is also sent.
	2274	# This number can either be calculated as the number of unread messages
	2275	# for the user, or the number of rooms the user has unread messages in.
	2276	#
	2277	# The default value is "true", meaning push clients will see the number of
	2278	# rooms with unread messages in them. Uncomment to instead send the number
	2279	# of unread messages.
	2280	#
	2281	#group_unread_count_by_room: false
2252	2282
2253	2283
2254	2284	# Spam checkers are third-party modules that can block specific actions

+25

-2

docs/sso_mapping_providers.md less more

14	14	SSO mapping providers are currently supported for OpenID and SAML SSO
15	15	configurations. Please see the details below for how to implement your own.
16	16
	17	It is the responsibility of the mapping provider to normalise the SSO attributes
	18	and map them to a valid Matrix ID. The
	19	[specification for Matrix IDs](https://matrix.org/docs/spec/appendices#user-identifiers)
	20	has some information about what is considered valid. Alternately an easy way to
	21	ensure it is valid is to use a Synapse utility function:
	22	`synapse.types.map_username_to_mxid_localpart`.
	23
17	24	External mapping providers are provided to Synapse in the form of an external
18		Python module. You can retrieve this module from [PyPi](https://pypi.org) or elsewhere,
	25	Python module. You can retrieve this module from [PyPI](https://pypi.org) or elsewhere,
19	26	but it must be importable via Synapse (e.g. it must be in the same virtualenv
20	27	as Synapse). The Synapse config is then modified to point to the mapping provider
21	28	(and optionally provide additional configuration for it).

55	62	information from.
56	63	- This method must return a string, which is the unique identifier for the
57	64	user. Commonly the ``sub`` claim of the response.
58		* `map_user_attributes(self, userinfo, token)`
	65	* `map_user_attributes(self, userinfo, token, failures)`
59	66	- This method must be async.
60	67	- Arguments:
61	68	- `userinfo` - A `authlib.oidc.core.claims.UserInfo` object to extract user
62	69	information from.
63	70	- `token` - A dictionary which includes information necessary to make
64	71	further requests to the OpenID provider.
	72	- `failures` - An `int` that represents the amount of times the returned
	73	mxid localpart mapping has failed. This should be used
	74	to create a deduplicated mxid localpart which should be
	75	returned instead. For example, if this method returns
	76	`john.doe` as the value of `localpart` in the returned
	77	dict, and that is already taken on the homeserver, this
	78	method will be called again with the same parameters but
	79	with failures=1. The method should then return a different
	80	`localpart` value, such as `john.doe1`.
65	81	- Returns a dictionary with two keys:
66	82	- localpart: A required string, used to generate the Matrix ID.
67	83	- displayname: An optional string, the display name for the user.

151	167	the value of `mxid_localpart`.
152	168	* `emails` - A list of emails for the new user. If not provided, will
153	169	default to an empty list.
	170
	171	Alternatively it can raise a `synapse.api.errors.RedirectException` to
	172	redirect the user to another page. This is useful to prompt the user for
	173	additional information, e.g. if you want them to provide their own username.
	174	It is the responsibility of the mapping provider to either redirect back
	175	to `client_redirect_url` (including any additional information) or to
	176	complete registration using methods from the `ModuleApi`.
154	177
155	178	### Default SAML Mapping Provider
156	179

+125

-10

docs/turn-howto.md less more

41	41
42	42	./configure
43	43
44		> You may need to install `libevent2`: if so, you should do so in
45		> the way recommended by your operating system. You can ignore
46		> warnings about lack of database support: a database is unnecessary
47		> for this purpose.
	44	You may need to install `libevent2`: if so, you should do so in
	45	the way recommended by your operating system. You can ignore
	46	warnings about lack of database support: a database is unnecessary
	47	for this purpose.
48	48
49	49	1. Build and install it:
50	50

64	64	the `static-auth-secret` is with `pwgen`:
65	65
66	66	pwgen -s 64 1
	67
	68	A `realm` must be specified, but its value is somewhat arbitrary. (It is
	69	sent to clients as part of the authentication flow.) It is conventional to
	70	set it to be your server name.
	71
	72	1. You will most likely want to configure coturn to write logs somewhere. The
	73	easiest way is normally to send them to the syslog:
	74
	75	syslog
	76
	77	(in which case, the logs will be available via `journalctl -u coturn` on a
	78	systemd system). Alternatively, coturn can be configured to write to a
	79	logfile - check the example config file supplied with coturn.
67	80
68	81	1. Consider your security settings. TURN lets users request a relay which will
69	82	connect to arbitrary IP addresses and ports. The following configuration is

95	108	# TLS private key file
96	109	pkey=/path/to/privkey.pem
97	110
	111	In this case, replace the `turn:` schemes in the `turn_uri` settings below
	112	with `turns:`.
	113
	114	We recommend that you only try to set up TLS/DTLS once you have set up a
	115	basic installation and got it working.
	116
98	117	1. Ensure your firewall allows traffic into the TURN server on the ports
99		you've configured it to listen on (By default: 3478 and 5349 for the TURN(s)
	118	you've configured it to listen on (By default: 3478 and 5349 for TURN
100	119	traffic (remember to allow both TCP and UDP traffic), and ports 49152-65535
101	120	for the UDP relay.)
	121
	122	1. We do not recommend running a TURN server behind NAT, and are not aware of
	123	anyone doing so successfully.
	124
	125	If you want to try it anyway, you will at least need to tell coturn its
	126	external IP address:
	127
	128	external-ip=192.88.99.1
	129
	130	... and your NAT gateway must forward all of the relayed ports directly
	131	(eg, port 56789 on the external IP must be always be forwarded to port
	132	56789 on the internal IP).
	133
	134	If you get this working, let us know!
102	135
103	136	1. (Re)start the turn server:
104	137

136	169	without having gone through a CAPTCHA or similar to register a
137	170	real account.
138	171
139		As an example, here is the relevant section of the config file for matrix.org:
140
141		turn_uris: [ "turn:turn.matrix.org:3478?transport=udp", "turn:turn.matrix.org:3478?transport=tcp" ]
	172	As an example, here is the relevant section of the config file for `matrix.org`. The
	173	`turn_uris` are appropriate for TURN servers listening on the default ports, with no TLS.
	174
	175	turn_uris: [ "turn:turn.matrix.org?transport=udp", "turn:turn.matrix.org?transport=tcp" ]
142	176	turn_shared_secret: "n0t4ctuAllymatr1Xd0TorgSshar3d5ecret4obvIousreAsons"
143	177	turn_user_lifetime: 86400000
144	178	turn_allow_guests: True

154	188	```
155	189	systemctl restart synapse.service
156	190	```
157
158		..and your Home Server now supports VoIP relaying!
	191	... and then reload any clients (or wait an hour for them to refresh their
	192	settings).
	193
	194	## Troubleshooting
	195
	196	The normal symptoms of a misconfigured TURN server are that calls between
	197	devices on different networks ring, but get stuck at "call
	198	connecting". Unfortunately, troubleshooting this can be tricky.
	199
	200	Here are a few things to try:
	201
	202	* Check that your TURN server is not behind NAT. As above, we're not aware of
	203	anyone who has successfully set this up.
	204
	205	* Check that you have opened your firewall to allow TCP and UDP traffic to the
	206	TURN ports (normally 3478 and 5479).
	207
	208	* Check that you have opened your firewall to allow UDP traffic to the UDP
	209	relay ports (49152-65535 by default).
	210
	211	* Some WebRTC implementations (notably, that of Google Chrome) appear to get
	212	confused by TURN servers which are reachable over IPv6 (this appears to be
	213	an unexpected side-effect of its handling of multiple IP addresses as
	214	defined by
	215	[`draft-ietf-rtcweb-ip-handling`](https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-12)).
	216
	217	Try removing any AAAA records for your TURN server, so that it is only
	218	reachable over IPv4.
	219
	220	* Enable more verbose logging in coturn via the `verbose` setting:
	221
	222	```
	223	verbose
	224	```
	225
	226	... and then see if there are any clues in its logs.
	227
	228	* If you are using a browser-based client under Chrome, check
	229	`chrome://webrtc-internals/` for insights into the internals of the
	230	negotiation. On Firefox, check the "Connection Log" on `about:webrtc`.
	231
	232	(Understanding the output is beyond the scope of this document!)
	233
	234	* There is a WebRTC test tool at
	235	https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/. To
	236	use it, you will need a username/password for your TURN server. You can
	237	either:
	238
	239	* look for the `GET /_matrix/client/r0/voip/turnServer` request made by a
	240	matrix client to your homeserver in your browser's network inspector. In
	241	the response you should see `username` and `password`. Or:
	242
	243	* Use the following shell commands:
	244
	245	```sh
	246	secret=staticAuthSecretHere
	247
	248	u=$((`date +%s` + 3600)):test
	249	p=$(echo -n $u \| openssl dgst -hmac $secret -sha1 -binary \| base64)
	250	echo -e "username: $u\npassword: $p"
	251	```
	252
	253	Or:
	254
	255	* Temporarily configure coturn to accept a static username/password. To do
	256	this, comment out `use-auth-secret` and `static-auth-secret` and add the
	257	following:
	258
	259	```
	260	lt-cred-mech
	261	user=username:password
	262	```
	263
	264	Note: these settings will not take effect unless `use-auth-secret`
	265	and `static-auth-secret` are disabled.
	266
	267	Restart coturn after changing the configuration file.
	268
	269	Remember to restore the original settings to go back to testing with
	270	Matrix clients!
	271
	272	If the TURN server is working correctly, you should see at least one `relay`
	273	entry in the results.

+7

-1

mypy.ini less more

7	7	mypy_path = stubs
8	8	warn_unreachable = True
9	9	files =
	10	scripts-dev/sign_json,
10	11	synapse/api,
11	12	synapse/appservice,
12	13	synapse/config,

36	37	synapse/handlers/presence.py,
37	38	synapse/handlers/profile.py,
38	39	synapse/handlers/read_marker.py,
	40	synapse/handlers/register.py,
39	41	synapse/handlers/room.py,
40	42	synapse/handlers/room_member.py,
41	43	synapse/handlers/room_member_worker.py,
42	44	synapse/handlers/saml_handler.py,
43	45	synapse/handlers/sync.py,
44	46	synapse/handlers/ui_auth,
	47	synapse/http/client.py,
	48	synapse/http/federation/matrix_federation_agent.py,
45	49	synapse/http/federation/well_known_resolver.py,
	50	synapse/http/matrixfederationclient.py,
46	51	synapse/http/server.py,
47	52	synapse/http/site.py,
48	53	synapse/logging,

74	79	synapse/util/metrics.py,
75	80	tests/replication,
76	81	tests/test_utils,
	82	tests/handlers/test_password_providers.py,
77	83	tests/rest/client/v2_alpha/test_auth.py,
78	84	tests/util/test_stream_change_cache.py
79	85

104	110	[mypy-opentracing]
105	111	ignore_missing_imports = True
106	112
107		[mypy-OpenSSL]
	113	[mypy-OpenSSL.*]
108	114	ignore_missing_imports = True
109	115
110	116	[mypy-netaddr]

+127

-0

scripts-dev/sign_json less more

	0	#!/usr/bin/env python
	1	#
	2	# -- coding: utf-8 --
	3	# Copyright 2020 The Matrix.org Foundation C.I.C.
	4	#
	5	# Licensed under the Apache License, Version 2.0 (the "License");
	6	# you may not use this file except in compliance with the License.
	7	# You may obtain a copy of the License at
	8	#
	9	# http://www.apache.org/licenses/LICENSE-2.0
	10	#
	11	# Unless required by applicable law or agreed to in writing, software
	12	# distributed under the License is distributed on an "AS IS" BASIS,
	13	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	14	# See the License for the specific language governing permissions and
	15	# limitations under the License.
	16	import argparse
	17	import json
	18	import sys
	19	from json import JSONDecodeError
	20
	21	import yaml
	22	from signedjson.key import read_signing_keys
	23	from signedjson.sign import sign_json
	24
	25	from synapse.util import json_encoder
	26
	27
	28	def main():
	29	parser = argparse.ArgumentParser(
	30	description="""Adds a signature to a JSON object.
	31
	32	Example usage:
	33
	34	$ scripts-dev/sign_json.py -N test -k localhost.signing.key "{}"
	35	{"signatures":{"test":{"ed25519:a_ZnZh":"LmPnml6iM0iR..."}}}
	36	""",
	37	formatter_class=argparse.RawDescriptionHelpFormatter,
	38	)
	39
	40	parser.add_argument(
	41	"-N",
	42	"--server-name",
	43	help="Name to give as the local homeserver. If unspecified, will be "
	44	"read from the config file.",
	45	)
	46
	47	parser.add_argument(
	48	"-k",
	49	"--signing-key-path",
	50	help="Path to the file containing the private ed25519 key to sign the "
	51	"request with.",
	52	)
	53
	54	parser.add_argument(
	55	"-c",
	56	"--config",
	57	default="homeserver.yaml",
	58	help=(
	59	"Path to synapse config file, from which the server name and/or signing "
	60	"key path will be read. Ignored if --server-name and --signing-key-path "
	61	"are both given."
	62	),
	63	)
	64
	65	input_args = parser.add_mutually_exclusive_group()
	66
	67	input_args.add_argument("input_data", nargs="?", help="Raw JSON to be signed.")
	68
	69	input_args.add_argument(
	70	"-i",
	71	"--input",
	72	type=argparse.FileType("r"),
	73	default=sys.stdin,
	74	help=(
	75	"A file from which to read the JSON to be signed. If neither --input nor "
	76	"input_data are given, JSON will be read from stdin."
	77	),
	78	)
	79
	80	parser.add_argument(
	81	"-o",
	82	"--output",
	83	type=argparse.FileType("w"),
	84	default=sys.stdout,
	85	help="Where to write the signed JSON. Defaults to stdout.",
	86	)
	87
	88	args = parser.parse_args()
	89
	90	if not args.server_name or not args.signing_key_path:
	91	read_args_from_config(args)
	92
	93	with open(args.signing_key_path) as f:
	94	key = read_signing_keys(f)[0]
	95
	96	json_to_sign = args.input_data
	97	if json_to_sign is None:
	98	json_to_sign = args.input.read()
	99
	100	try:
	101	obj = json.loads(json_to_sign)
	102	except JSONDecodeError as e:
	103	print("Unable to parse input as JSON: %s" % e, file=sys.stderr)
	104	sys.exit(1)
	105
	106	if not isinstance(obj, dict):
	107	print("Input json was not an object", file=sys.stderr)
	108	sys.exit(1)
	109
	110	sign_json(obj, args.server_name, key)
	111	for c in json_encoder.iterencode(obj):
	112	args.output.write(c)
	113	args.output.write("\n")
	114
	115
	116	def read_args_from_config(args: argparse.Namespace) -> None:
	117	with open(args.config, "r") as fh:
	118	config = yaml.safe_load(fh)
	119	if not args.server_name:
	120	args.server_name = config["server_name"]
	121	if not args.signing_key_path:
	122	args.signing_key_path = config["signing_key_path"]
	123
	124
	125	if __name__ == "__main__":
	126	main()

+1

-1

synapse/__init__.py less more

47	47	except ImportError:
48	48	pass
49	49
50		__version__ = "1.23.0"
	50	__version__ = "1.24.0"
51	51
52	52	if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)):
53	53	# We import here so that we don't have to install a bunch of deps when

+1

-1

synapse/_scripts/register_new_matrix_user.py less more

36	36	exit=sys.exit,
37	37	):
38	38
39		url = "%s/_matrix/client/r0/admin/register" % (server_location,)
	39	url = "%s/_synapse/admin/v1/register" % (server_location.rstrip("/"),)
40	40
41	41	# Get the nonce
42	42	r = requests.get(url, verify=False)

+29

-4

synapse/api/auth_blocking.py less more

13	13	# limitations under the License.
14	14
15	15	import logging
	16	from typing import Optional
16	17
17	18	from synapse.api.constants import LimitBlockingTypes, UserTypes
18	19	from synapse.api.errors import Codes, ResourceLimitError
19	20	from synapse.config.server import is_threepid_reserved
	21	from synapse.types import Requester
20	22
21	23	logger = logging.getLogger(__name__)
22	24

32	34	self._max_mau_value = hs.config.max_mau_value
33	35	self._limit_usage_by_mau = hs.config.limit_usage_by_mau
34	36	self._mau_limits_reserved_threepids = hs.config.mau_limits_reserved_threepids
	37	self._server_name = hs.hostname
35	38
36		async def check_auth_blocking(self, user_id=None, threepid=None, user_type=None):
	39	async def check_auth_blocking(
	40	self,
	41	user_id: Optional[str] = None,
	42	threepid: Optional[dict] = None,
	43	user_type: Optional[str] = None,
	44	requester: Optional[Requester] = None,
	45	):
37	46	"""Checks if the user should be rejected for some external reason,
38	47	such as monthly active user limiting or global disable flag
39	48
40	49	Args:
41		user_id(str\|None): If present, checks for presence against existing
	50	user_id: If present, checks for presence against existing
42	51	MAU cohort
43	52
44		threepid(dict\|None): If present, checks for presence against configured
	53	threepid: If present, checks for presence against configured
45	54	reserved threepid. Used in cases where the user is trying register
46	55	with a MAU blocked server, normally they would be rejected but their
47	56	threepid is on the reserved list. user_id and
48	57	threepid should never be set at the same time.
49	58
50		user_type(str\|None): If present, is used to decide whether to check against
	59	user_type: If present, is used to decide whether to check against
51	60	certain blocking reasons like MAU.
	61
	62	requester: If present, and the authenticated entity is a user, checks for
	63	presence against existing MAU cohort. Passing in both a `user_id` and
	64	`requester` is an error.
52	65	"""
	66	if requester and user_id:
	67	raise Exception(
	68	"Passed in both 'user_id' and 'requester' to 'check_auth_blocking'"
	69	)
	70
	71	if requester:
	72	if requester.authenticated_entity.startswith("@"):
	73	user_id = requester.authenticated_entity
	74	elif requester.authenticated_entity == self._server_name:
	75	# We never block the server from doing actions on behalf of
	76	# users.
	77	return
53	78
54	79	# Never fail an auth check for the server notices users or support user
55	80	# This can be a problem where event creation is prohibited due to blocking

+9

-1

synapse/app/_base.py less more

31	31	from synapse.config.server import ListenerConfig
32	32	from synapse.crypto import context_factory
33	33	from synapse.logging.context import PreserveLoggingContext
	34	from synapse.metrics.background_process_metrics import wrap_as_background_process
34	35	from synapse.util.async_helpers import Linearizer
35	36	from synapse.util.daemonize import daemonize_process
36	37	from synapse.util.rlimit import change_resource_limit

243	244	# Set up the SIGHUP machinery.
244	245	if hasattr(signal, "SIGHUP"):
245	246
	247	@wrap_as_background_process("sighup")
246	248	def handle_sighup(args, *kwargs):
247	249	# Tell systemd our state, if we're using it. This will silently fail if
248	250	# we're not using systemd.

253	255
254	256	sdnotify(b"READY=1")
255	257
256		signal.signal(signal.SIGHUP, handle_sighup)
	258	# We defer running the sighup handlers until next reactor tick. This
	259	# is so that we're in a sane state, e.g. flushing the logs may fail
	260	# if the sighup happens in the middle of writing a log entry.
	261	def run_sighup(args, *kwargs):
	262	hs.get_clock().call_later(0, handle_sighup, args, *kwargs)
	263
	264	signal.signal(signal.SIGHUP, run_sighup)
257	265
258	266	register_sighup(refresh_certificate, hs)
259	267

+33

-15

synapse/config/push.py less more

20	20	section = "push"
21	21
22	22	def read_config(self, config, **kwargs):
23		push_config = config.get("push", {})
	23	push_config = config.get("push") or {}
24	24	self.push_include_content = push_config.get("include_content", True)
	25	self.push_group_unread_count_by_room = push_config.get(
	26	"group_unread_count_by_room", True
	27	)
25	28
26	29	pusher_instances = config.get("pusher_instances") or []
27	30	self.pusher_shard_config = ShardedWorkerHandlingConfig(pusher_instances)

48	51
49	52	def generate_config_section(self, config_dir_path, server_name, **kwargs):
50	53	return """
51		# Clients requesting push notifications can either have the body of
52		# the message sent in the notification poke along with other details
53		# like the sender, or just the event ID and room ID (`event_id_only`).
54		# If clients choose the former, this option controls whether the
55		# notification request includes the content of the event (other details
56		# like the sender are still included). For `event_id_only` push, it
57		# has no effect.
58		#
59		# For modern android devices the notification content will still appear
60		# because it is loaded by the app. iPhone, however will send a
61		# notification saying only that a message arrived and who it came from.
62		#
63		#push:
64		# include_content: true
	54	## Push ##
	55
	56	push:
	57	# Clients requesting push notifications can either have the body of
	58	# the message sent in the notification poke along with other details
	59	# like the sender, or just the event ID and room ID (`event_id_only`).
	60	# If clients choose the former, this option controls whether the
	61	# notification request includes the content of the event (other details
	62	# like the sender are still included). For `event_id_only` push, it
	63	# has no effect.
	64	#
	65	# For modern android devices the notification content will still appear
	66	# because it is loaded by the app. iPhone, however will send a
	67	# notification saying only that a message arrived and who it came from.
	68	#
	69	# The default value is "true" to include message details. Uncomment to only
	70	# include the event ID and room ID in push notification payloads.
	71	#
	72	#include_content: false
	73
	74	# When a push notification is received, an unread count is also sent.
	75	# This number can either be calculated as the number of unread messages
	76	# for the user, or the number of rooms the user has unread messages in.
	77	#
	78	# The default value is "true", meaning push clients will see the number of
	79	# rooms with unread messages in them. Uncomment to instead send the number
	80	# of unread messages.
	81	#
	82	#group_unread_count_by_room: false
65	83	"""

+3

-2

synapse/config/registration.py less more

346	346	# email will be globally disabled.
347	347	#
348	348	# Additionally, if `msisdn` is not set, registration and password resets via msisdn
349		# will be disabled regardless. This is due to Synapse currently not supporting any
350		# method of sending SMS messages on its own.
	349	# will be disabled regardless, and users will not be able to associate an msisdn
	350	# identifier to their account. This is due to Synapse currently not supporting
	351	# any method of sending SMS messages on its own.
351	352	#
352	353	# To enable using an identity server for operations regarding a particular third-party
353	354	# identifier type, set the value to the URL of that identity server as shown in the

+16

-0

synapse/config/saml2_config.py less more

88	88	self.saml2_grandfathered_mxid_source_attribute = saml2_config.get(
89	89	"grandfathered_mxid_source_attribute", "uid"
90	90	)
	91
	92	self.saml2_idp_entityid = saml2_config.get("idp_entityid", None)
91	93
92	94	# user_mapping_provider may be None if the key is present but has no value
93	95	ump_dict = saml2_config.get("user_mapping_provider") or {}

255	257	# remote:
256	258	# - url: https://our_idp/metadata.xml
257	259
	260	# Allowed clock difference in seconds between the homeserver and IdP.
	261	#
	262	# Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
	263	#
	264	#accepted_time_diff: 3
	265
258	266	# By default, the user has to go to our login page first. If you'd like
259	267	# to allow IdP-initiated login, set 'allow_unsolicited: true' in a
260	268	# 'service.sp' section:

376	384	# value: "staff"
377	385	# - attribute: department
378	386	# value: "sales"
	387
	388	# If the metadata XML contains multiple IdP entities then the `idp_entityid`
	389	# option must be set to the entity to redirect users to.
	390	#
	391	# Most deployments only have a single IdP entity and so should omit this
	392	# option.
	393	#
	394	#idp_entityid: 'https://our_idp/entityid'
379	395	""" % {
380	396	"config_dir_path": config_dir_path
381	397	}

+2

-3

synapse/events/spamcheck.py less more

14	14	# limitations under the License.
15	15
16	16	import inspect
17		from typing import Any, Dict, List, Optional, Tuple
	17	from typing import TYPE_CHECKING, Any, Dict, List, Optional, Tuple
18	18
19	19	from synapse.spam_checker_api import RegistrationBehaviour
20	20	from synapse.types import Collection
21	21
22		MYPY = False
23		if MYPY:
	22	if TYPE_CHECKING:
24	23	import synapse.events
25	24	import synapse.server
26	25

+10

-13

synapse/federation/federation_server.py less more

48	48	from synapse.federation.persistence import TransactionActions
49	49	from synapse.federation.units import Edu, Transaction
50	50	from synapse.http.endpoint import parse_server_name
	51	from synapse.http.servlet import assert_params_in_dict
51	52	from synapse.logging.context import (
52	53	make_deferred_yieldable,
53	54	nested_logging_context,

390	391	TRANSACTION_CONCURRENCY_LIMIT,
391	392	)
392	393
393		async def on_context_state_request(
	394	async def on_room_state_request(
394	395	self, origin: str, room_id: str, event_id: str
395	396	) -> Tuple[int, Dict[str, Any]]:
396	397	origin_host, _ = parse_server_name(origin)

513	514	return {"event": ret_pdu.get_pdu_json(time_now)}
514	515
515	516	async def on_send_join_request(
516		self, origin: str, content: JsonDict, room_id: str
	517	self, origin: str, content: JsonDict
517	518	) -> Dict[str, Any]:
518	519	logger.debug("on_send_join_request: content: %s", content)
519	520
520		room_version = await self.store.get_room_version(room_id)
	521	assert_params_in_dict(content, ["room_id"])
	522	room_version = await self.store.get_room_version(content["room_id"])
521	523	pdu = event_from_pdu_json(content, room_version)
522	524
523	525	origin_host, _ = parse_server_name(origin)

546	548	time_now = self._clock.time_msec()
547	549	return {"event": pdu.get_pdu_json(time_now), "room_version": room_version}
548	550
549		async def on_send_leave_request(
550		self, origin: str, content: JsonDict, room_id: str
551		) -> dict:
	551	async def on_send_leave_request(self, origin: str, content: JsonDict) -> dict:
552	552	logger.debug("on_send_leave_request: content: %s", content)
553	553
554		room_version = await self.store.get_room_version(room_id)
	554	assert_params_in_dict(content, ["room_id"])
	555	room_version = await self.store.get_room_version(content["room_id"])
555	556	pdu = event_from_pdu_json(content, room_version)
556	557
557	558	origin_host, _ = parse_server_name(origin)

747	748	)
748	749	return ret
749	750
750		async def on_exchange_third_party_invite_request(
751		self, room_id: str, event_dict: Dict
752		):
753		ret = await self.handler.on_exchange_third_party_invite_request(
754		room_id, event_dict
755		)
	751	async def on_exchange_third_party_invite_request(self, event_dict: Dict):
	752	ret = await self.handler.on_exchange_third_party_invite_request(event_dict)
756	753	return ret
757	754
758	755	async def check_server_matches_acl(self, server_name: str, room_id: str):

+40

-42

synapse/federation/transport/server.py less more

439	439
440	440
441	441	class FederationStateV1Servlet(BaseFederationServlet):
442		PATH = "/state/(?P<context>[^/]*)/?"
443
444		# This is when someone asks for all data for a given context.
445		async def on_GET(self, origin, content, query, context):
446		return await self.handler.on_context_state_request(
	442	PATH = "/state/(?P<room_id>[^/]*)/?"
	443
	444	# This is when someone asks for all data for a given room.
	445	async def on_GET(self, origin, content, query, room_id):
	446	return await self.handler.on_room_state_request(
447	447	origin,
448		context,
	448	room_id,
449	449	parse_string_from_args(query, "event_id", None, required=False),
450	450	)
451	451

462	462
463	463
464	464	class FederationBackfillServlet(BaseFederationServlet):
465		PATH = "/backfill/(?P<context>[^/]*)/?"
466
467		async def on_GET(self, origin, content, query, context):
	465	PATH = "/backfill/(?P<room_id>[^/]*)/?"
	466
	467	async def on_GET(self, origin, content, query, room_id):
468	468	versions = [x.decode("ascii") for x in query[b"v"]]
469	469	limit = parse_integer_from_args(query, "limit", None)
470	470
471	471	if not limit:
472	472	return 400, {"error": "Did not include limit param"}
473	473
474		return await self.handler.on_backfill_request(origin, context, versions, limit)
	474	return await self.handler.on_backfill_request(origin, room_id, versions, limit)
475	475
476	476
477	477	class FederationQueryServlet(BaseFederationServlet):

486	486
487	487
488	488	class FederationMakeJoinServlet(BaseFederationServlet):
489		PATH = "/make_join/(?P<context>[^/])/(?P<user_id>[^/])"
490
491		async def on_GET(self, origin, _content, query, context, user_id):
	489	PATH = "/make_join/(?P<room_id>[^/])/(?P<user_id>[^/])"
	490
	491	async def on_GET(self, origin, _content, query, room_id, user_id):
492	492	"""
493	493	Args:
494	494	origin (unicode): The authenticated server_name of the calling server

510	510	supported_versions = ["1"]
511	511
512	512	content = await self.handler.on_make_join_request(
513		origin, context, user_id, supported_versions=supported_versions
	513	origin, room_id, user_id, supported_versions=supported_versions
514	514	)
515	515	return 200, content
516	516
517	517
518	518	class FederationMakeLeaveServlet(BaseFederationServlet):
519		PATH = "/make_leave/(?P<context>[^/])/(?P<user_id>[^/])"
520
521		async def on_GET(self, origin, content, query, context, user_id):
522		content = await self.handler.on_make_leave_request(origin, context, user_id)
	519	PATH = "/make_leave/(?P<room_id>[^/])/(?P<user_id>[^/])"
	520
	521	async def on_GET(self, origin, content, query, room_id, user_id):
	522	content = await self.handler.on_make_leave_request(origin, room_id, user_id)
523	523	return 200, content
524	524
525	525

527	527	PATH = "/send_leave/(?P<room_id>[^/])/(?P<event_id>[^/])"
528	528
529	529	async def on_PUT(self, origin, content, query, room_id, event_id):
530		content = await self.handler.on_send_leave_request(origin, content, room_id)
	530	content = await self.handler.on_send_leave_request(origin, content)
531	531	return 200, (200, content)
532	532
533	533

537	537	PREFIX = FEDERATION_V2_PREFIX
538	538
539	539	async def on_PUT(self, origin, content, query, room_id, event_id):
540		content = await self.handler.on_send_leave_request(origin, content, room_id)
	540	content = await self.handler.on_send_leave_request(origin, content)
541	541	return 200, content
542	542
543	543
544	544	class FederationEventAuthServlet(BaseFederationServlet):
545		PATH = "/event_auth/(?P<context>[^/])/(?P<event_id>[^/])"
546
547		async def on_GET(self, origin, content, query, context, event_id):
548		return await self.handler.on_event_auth(origin, context, event_id)
	545	PATH = "/event_auth/(?P<room_id>[^/])/(?P<event_id>[^/])"
	546
	547	async def on_GET(self, origin, content, query, room_id, event_id):
	548	return await self.handler.on_event_auth(origin, room_id, event_id)
549	549
550	550
551	551	class FederationV1SendJoinServlet(BaseFederationServlet):
552		PATH = "/send_join/(?P<context>[^/])/(?P<event_id>[^/])"
553
554		async def on_PUT(self, origin, content, query, context, event_id):
555		# TODO(paul): assert that context/event_id parsed from path actually
	552	PATH = "/send_join/(?P<room_id>[^/])/(?P<event_id>[^/])"
	553
	554	async def on_PUT(self, origin, content, query, room_id, event_id):
	555	# TODO(paul): assert that room_id/event_id parsed from path actually
556	556	# match those given in content
557		content = await self.handler.on_send_join_request(origin, content, context)
	557	content = await self.handler.on_send_join_request(origin, content)
558	558	return 200, (200, content)
559	559
560	560
561	561	class FederationV2SendJoinServlet(BaseFederationServlet):
562		PATH = "/send_join/(?P<context>[^/])/(?P<event_id>[^/])"
	562	PATH = "/send_join/(?P<room_id>[^/])/(?P<event_id>[^/])"
563	563
564	564	PREFIX = FEDERATION_V2_PREFIX
565	565
566		async def on_PUT(self, origin, content, query, context, event_id):
567		# TODO(paul): assert that context/event_id parsed from path actually
	566	async def on_PUT(self, origin, content, query, room_id, event_id):
	567	# TODO(paul): assert that room_id/event_id parsed from path actually
568	568	# match those given in content
569		content = await self.handler.on_send_join_request(origin, content, context)
	569	content = await self.handler.on_send_join_request(origin, content)
570	570	return 200, content
571	571
572	572
573	573	class FederationV1InviteServlet(BaseFederationServlet):
574		PATH = "/invite/(?P<context>[^/])/(?P<event_id>[^/])"
575
576		async def on_PUT(self, origin, content, query, context, event_id):
	574	PATH = "/invite/(?P<room_id>[^/])/(?P<event_id>[^/])"
	575
	576	async def on_PUT(self, origin, content, query, room_id, event_id):
577	577	# We don't get a room version, so we have to assume its EITHER v1 or
578	578	# v2. This is "fine" as the only difference between V1 and V2 is the
579	579	# state resolution algorithm, and we don't use that for processing

588	588
589	589
590	590	class FederationV2InviteServlet(BaseFederationServlet):
591		PATH = "/invite/(?P<context>[^/])/(?P<event_id>[^/])"
	591	PATH = "/invite/(?P<room_id>[^/])/(?P<event_id>[^/])"
592	592
593	593	PREFIX = FEDERATION_V2_PREFIX
594	594
595		async def on_PUT(self, origin, content, query, context, event_id):
596		# TODO(paul): assert that context/event_id parsed from path actually
	595	async def on_PUT(self, origin, content, query, room_id, event_id):
	596	# TODO(paul): assert that room_id/event_id parsed from path actually
597	597	# match those given in content
598	598
599	599	room_version = content["room_version"]

615	615	PATH = "/exchange_third_party_invite/(?P<room_id>[^/]*)"
616	616
617	617	async def on_PUT(self, origin, content, query, room_id):
618		content = await self.handler.on_exchange_third_party_invite_request(
619		room_id, content
620		)
	618	content = await self.handler.on_exchange_third_party_invite_request(content)
621	619	return 200, content
622	620
623	621

+3

-1

synapse/handlers/_base.py less more

168	168	# and having homeservers have their own users leave keeps more
169	169	# of that decision-making and control local to the guest-having
170	170	# homeserver.
171		requester = synapse.types.create_requester(target_user, is_guest=True)
	171	requester = synapse.types.create_requester(
	172	target_user, is_guest=True, authenticated_entity=self.server_name
	173	)
172	174	handler = self.hs.get_room_member_handler()
173	175	await handler.update_membership(
174	176	requester,

+1

-1

synapse/handlers/appservice.py less more

225	225	new_token: Optional[int],
226	226	users: Collection[Union[str, UserID]],
227	227	):
228		logger.info("Checking interested services for %s" % (stream_key))
	228	logger.debug("Checking interested services for %s" % (stream_key))
229	229	with Measure(self.clock, "notify_interested_services_ephemeral"):
230	230	for service in services:
231	231	# Only handle typing if we have the latest token

+338

-84

synapse/handlers/auth.py less more

0	0	# -- coding: utf-8 --
1	1	# Copyright 2014 - 2016 OpenMarket Ltd
2	2	# Copyright 2017 Vector Creations Ltd
	3	# Copyright 2019 - 2020 The Matrix.org Foundation C.I.C.
3	4	#
4	5	# Licensed under the Apache License, Version 2.0 (the "License");
5	6	# you may not use this file except in compliance with the License.

24	25	Dict,
25	26	Iterable,
26	27	List,
	28	Mapping,
27	29	Optional,
28	30	Tuple,
29	31	Union,

180	182	# better way to break the loop
181	183	account_handler = ModuleApi(hs, self)
182	184
183		self.password_providers = []
184		for module, config in hs.config.password_providers:
185		try:
186		self.password_providers.append(
187		module(config=config, account_handler=account_handler)
188		)
189		except Exception as e:
190		logger.error("Error while initializing %r: %s", module, e)
191		raise
192
193		logger.info("Extra password_providers: %r", self.password_providers)
	185	self.password_providers = [
	186	PasswordProvider.load(module, config, account_handler)
	187	for module, config in hs.config.password_providers
	188	]
	189
	190	logger.info("Extra password_providers: %s", self.password_providers)
194	191
195	192	self.hs = hs # FIXME better possibility to access registrationHandler later?
196	193	self.macaroon_gen = hs.get_macaroon_generator()

204	201	# type in the list. (NB that the spec doesn't require us to do so and
205	202	# clients which favour types that they don't understand over those that
206	203	# they do are technically broken)
	204
	205	# start out by assuming PASSWORD is enabled; we will remove it later if not.
207	206	login_types = []
208		if self._password_enabled:
	207	if hs.config.password_localdb_enabled:
209	208	login_types.append(LoginType.PASSWORD)
	209
210	210	for provider in self.password_providers:
211	211	if hasattr(provider, "get_supported_login_types"):
212	212	for t in provider.get_supported_login_types().keys():
213	213	if t not in login_types:
214	214	login_types.append(t)
	215
	216	if not self._password_enabled:
	217	login_types.remove(LoginType.PASSWORD)
	218
215	219	self._supported_login_types = login_types
	220
216	221	# Login types and UI Auth types have a heavy overlap, but are not
217	222	# necessarily identical. Login types have SSO (and other login types)
218	223	# added in the rest layer, see synapse.rest.client.v1.login.LoginRestServerlet.on_GET.

225	230	# as per `rc_login.failed_attempts`.
226	231	self._failed_uia_attempts_ratelimiter = Ratelimiter(
227	232	clock=self.clock,
	233	rate_hz=self.hs.config.rc_login_failed_attempts.per_second,
	234	burst_count=self.hs.config.rc_login_failed_attempts.burst_count,
	235	)
	236
	237	# Ratelimitier for failed /login attempts
	238	self._failed_login_attempts_ratelimiter = Ratelimiter(
	239	clock=hs.get_clock(),
228	240	rate_hz=self.hs.config.rc_login_failed_attempts.per_second,
229	241	burst_count=self.hs.config.rc_login_failed_attempts.burst_count,
230	242	)

641	653	res = await checker.check_auth(authdict, clientip=clientip)
642	654	return res
643	655
644		# build a v1-login-style dict out of the authdict and fall back to the
645		# v1 code
646		user_id = authdict.get("user")
647
648		if user_id is None:
649		raise SynapseError(400, "", Codes.MISSING_PARAM)
650
651		(canonical_id, callback) = await self.validate_login(user_id, authdict)
	656	# fall back to the v1 login flow
	657	canonical_id, _ = await self.validate_login(authdict)
652	658	return canonical_id
653	659
654	660	def _get_params_recaptcha(self) -> dict:

697	703	}
698	704
699	705	async def get_access_token_for_user_id(
700		self, user_id: str, device_id: Optional[str], valid_until_ms: Optional[int]
701		):
	706	self,
	707	user_id: str,
	708	device_id: Optional[str],
	709	valid_until_ms: Optional[int],
	710	puppets_user_id: Optional[str] = None,
	711	) -> str:
702	712	"""
703	713	Creates a new access token for the user with the given user ID.
704	714

724	734	fmt_expiry = time.strftime(
725	735	" until %Y-%m-%d %H:%M:%S", time.localtime(valid_until_ms / 1000.0)
726	736	)
727		logger.info("Logging in user %s on device %s%s", user_id, device_id, fmt_expiry)
	737
	738	if puppets_user_id:
	739	logger.info(
	740	"Logging in user %s as %s%s", user_id, puppets_user_id, fmt_expiry
	741	)
	742	else:
	743	logger.info(
	744	"Logging in user %s on device %s%s", user_id, device_id, fmt_expiry
	745	)
728	746
729	747	await self.auth.check_auth_blocking(user_id)
730	748
731	749	access_token = self.macaroon_gen.generate_access_token(user_id)
732	750	await self.store.add_access_token_to_user(
733		user_id, access_token, device_id, valid_until_ms
	751	user_id=user_id,
	752	token=access_token,
	753	device_id=device_id,
	754	valid_until_ms=valid_until_ms,
	755	puppets_user_id=puppets_user_id,
734	756	)
735	757
736	758	# the device should have been registered before we got here; however,

807	829	return self._supported_login_types
808	830
809	831	async def validate_login(
810		self, username: str, login_submission: Dict[str, Any]
	832	self, login_submission: Dict[str, Any], ratelimit: bool = False,
811	833	) -> Tuple[str, Optional[Callable[[Dict[str, str]], None]]]:
812	834	"""Authenticates the user for the /login API
813	835
814		Also used by the user-interactive auth flow to validate
815		m.login.password auth types.
816
817		Args:
818		username: username supplied by the user
	836	Also used by the user-interactive auth flow to validate auth types which don't
	837	have an explicit UIA handler, including m.password.auth.
	838
	839	Args:
	840	login_submission: the whole of the login submission
	841	(including 'type' and other relevant fields)
	842	ratelimit: whether to apply the failed_login_attempt ratelimiter
	843	Returns:
	844	A tuple of the canonical user id, and optional callback
	845	to be called once the access token and device id are issued
	846	Raises:
	847	StoreError if there was a problem accessing the database
	848	SynapseError if there was a problem with the request
	849	LoginError if there was an authentication problem.
	850	"""
	851	login_type = login_submission.get("type")
	852	if not isinstance(login_type, str):
	853	raise SynapseError(400, "Bad parameter: type", Codes.INVALID_PARAM)
	854
	855	# ideally, we wouldn't be checking the identifier unless we know we have a login
	856	# method which uses it (https://github.com/matrix-org/synapse/issues/8836)
	857	#
	858	# But the auth providers' check_auth interface requires a username, so in
	859	# practice we can only support login methods which we can map to a username
	860	# anyway.
	861
	862	# special case to check for "password" for the check_password interface
	863	# for the auth providers
	864	password = login_submission.get("password")
	865	if login_type == LoginType.PASSWORD:
	866	if not self._password_enabled:
	867	raise SynapseError(400, "Password login has been disabled.")
	868	if not isinstance(password, str):
	869	raise SynapseError(400, "Bad parameter: password", Codes.INVALID_PARAM)
	870
	871	# map old-school login fields into new-school "identifier" fields.
	872	identifier_dict = convert_client_dict_legacy_fields_to_identifier(
	873	login_submission
	874	)
	875
	876	# convert phone type identifiers to generic threepids
	877	if identifier_dict["type"] == "m.id.phone":
	878	identifier_dict = login_id_phone_to_thirdparty(identifier_dict)
	879
	880	# convert threepid identifiers to user IDs
	881	if identifier_dict["type"] == "m.id.thirdparty":
	882	address = identifier_dict.get("address")
	883	medium = identifier_dict.get("medium")
	884
	885	if medium is None or address is None:
	886	raise SynapseError(400, "Invalid thirdparty identifier")
	887
	888	# For emails, canonicalise the address.
	889	# We store all email addresses canonicalised in the DB.
	890	# (See add_threepid in synapse/handlers/auth.py)
	891	if medium == "email":
	892	try:
	893	address = canonicalise_email(address)
	894	except ValueError as e:
	895	raise SynapseError(400, str(e))
	896
	897	# We also apply account rate limiting using the 3PID as a key, as
	898	# otherwise using 3PID bypasses the ratelimiting based on user ID.
	899	if ratelimit:
	900	self._failed_login_attempts_ratelimiter.ratelimit(
	901	(medium, address), update=False
	902	)
	903
	904	# Check for login providers that support 3pid login types
	905	if login_type == LoginType.PASSWORD:
	906	# we've already checked that there is a (valid) password field
	907	assert isinstance(password, str)
	908	(
	909	canonical_user_id,
	910	callback_3pid,
	911	) = await self.check_password_provider_3pid(medium, address, password)
	912	if canonical_user_id:
	913	# Authentication through password provider and 3pid succeeded
	914	return canonical_user_id, callback_3pid
	915
	916	# No password providers were able to handle this 3pid
	917	# Check local store
	918	user_id = await self.hs.get_datastore().get_user_id_by_threepid(
	919	medium, address
	920	)
	921	if not user_id:
	922	logger.warning(
	923	"unknown 3pid identifier medium %s, address %r", medium, address
	924	)
	925	# We mark that we've failed to log in here, as
	926	# `check_password_provider_3pid` might have returned `None` due
	927	# to an incorrect password, rather than the account not
	928	# existing.
	929	#
	930	# If it returned None but the 3PID was bound then we won't hit
	931	# this code path, which is fine as then the per-user ratelimit
	932	# will kick in below.
	933	if ratelimit:
	934	self._failed_login_attempts_ratelimiter.can_do_action(
	935	(medium, address)
	936	)
	937	raise LoginError(403, "", errcode=Codes.FORBIDDEN)
	938
	939	identifier_dict = {"type": "m.id.user", "user": user_id}
	940
	941	# by this point, the identifier should be an m.id.user: if it's anything
	942	# else, we haven't understood it.
	943	if identifier_dict["type"] != "m.id.user":
	944	raise SynapseError(400, "Unknown login identifier type")
	945
	946	username = identifier_dict.get("user")
	947	if not username:
	948	raise SynapseError(400, "User identifier is missing 'user' key")
	949
	950	if username.startswith("@"):
	951	qualified_user_id = username
	952	else:
	953	qualified_user_id = UserID(username, self.hs.hostname).to_string()
	954
	955	# Check if we've hit the failed ratelimit (but don't update it)
	956	if ratelimit:
	957	self._failed_login_attempts_ratelimiter.ratelimit(
	958	qualified_user_id.lower(), update=False
	959	)
	960
	961	try:
	962	return await self._validate_userid_login(username, login_submission)
	963	except LoginError:
	964	# The user has failed to log in, so we need to update the rate
	965	# limiter. Using `can_do_action` avoids us raising a ratelimit
	966	# exception and masking the LoginError. The actual ratelimiting
	967	# should have happened above.
	968	if ratelimit:
	969	self._failed_login_attempts_ratelimiter.can_do_action(
	970	qualified_user_id.lower()
	971	)
	972	raise
	973
	974	async def _validate_userid_login(
	975	self, username: str, login_submission: Dict[str, Any],
	976	) -> Tuple[str, Optional[Callable[[Dict[str, str]], None]]]:
	977	"""Helper for validate_login
	978
	979	Handles login, once we've mapped 3pids onto userids
	980
	981	Args:
	982	username: the username, from the identifier dict
819	983	login_submission: the whole of the login submission
820	984	(including 'type' and other relevant fields)
821	985	Returns:

826	990	SynapseError if there was a problem with the request
827	991	LoginError if there was an authentication problem.
828	992	"""
829
830	993	if username.startswith("@"):
831	994	qualified_user_id = username
832	995	else:
833	996	qualified_user_id = UserID(username, self.hs.hostname).to_string()
834	997
835	998	login_type = login_submission.get("type")
	999	# we already checked that we have a valid login type
	1000	assert isinstance(login_type, str)
	1001
836	1002	known_login_type = False
837	1003
838		# special case to check for "password" for the check_password interface
839		# for the auth providers
840		password = login_submission.get("password")
841
842		if login_type == LoginType.PASSWORD:
843		if not self._password_enabled:
844		raise SynapseError(400, "Password login has been disabled.")
845		if not password:
846		raise SynapseError(400, "Missing parameter: password")
847
848	1004	for provider in self.password_providers:
849		if hasattr(provider, "check_password") and login_type == LoginType.PASSWORD:
850		known_login_type = True
851		is_valid = await provider.check_password(qualified_user_id, password)
852		if is_valid:
853		return qualified_user_id, None
854
855		if not hasattr(provider, "get_supported_login_types") or not hasattr(
856		provider, "check_auth"
857		):
858		# this password provider doesn't understand custom login types
859		continue
860
861	1005	supported_login_types = provider.get_supported_login_types()
862	1006	if login_type not in supported_login_types:
863	1007	# this password provider doesn't understand this login type

882	1026
883	1027	result = await provider.check_auth(username, login_type, login_dict)
884	1028	if result:
885		if isinstance(result, str):
886		result = (result, None)
887	1029	return result
888	1030
889	1031	if login_type == LoginType.PASSWORD and self.hs.config.password_localdb_enabled:
890	1032	known_login_type = True
891	1033
	1034	# we've already checked that there is a (valid) password field
	1035	password = login_submission["password"]
	1036	assert isinstance(password, str)
	1037
892	1038	canonical_user_id = await self._check_local_password(
893		qualified_user_id, password # type: ignore
	1039	qualified_user_id, password
894	1040	)
895	1041
896	1042	if canonical_user_id:

921	1067	unsuccessful, `user_id` and `callback` are both `None`.
922	1068	"""
923	1069	for provider in self.password_providers:
924		if hasattr(provider, "check_3pid_auth"):
925		# This function is able to return a deferred that either
926		# resolves None, meaning authentication failure, or upon
927		# success, to a str (which is the user_id) or a tuple of
928		# (user_id, callback_func), where callback_func should be run
929		# after we've finished everything else
930		result = await provider.check_3pid_auth(medium, address, password)
931		if result:
932		# Check if the return value is a str or a tuple
933		if isinstance(result, str):
934		# If it's a str, set callback function to None
935		result = (result, None)
936		return result
	1070	result = await provider.check_3pid_auth(medium, address, password)
	1071	if result:
	1072	return result
937	1073
938	1074	return None, None
939	1075

991	1127
992	1128	# see if any of our auth providers want to know about this
993	1129	for provider in self.password_providers:
994		if hasattr(provider, "on_logged_out"):
995		# This might return an awaitable, if it does block the log out
996		# until it completes.
997		result = provider.on_logged_out(
998		user_id=user_info.user_id,
999		device_id=user_info.device_id,
1000		access_token=access_token,
1001		)
1002		if inspect.isawaitable(result):
1003		await result
	1130	await provider.on_logged_out(
	1131	user_id=user_info.user_id,
	1132	device_id=user_info.device_id,
	1133	access_token=access_token,
	1134	)
1004	1135
1005	1136	# delete pushers associated with this access token
1006	1137	if user_info.token_id is not None:

1029	1160
1030	1161	# see if any of our auth providers want to know about this
1031	1162	for provider in self.password_providers:
1032		if hasattr(provider, "on_logged_out"):
1033		for token, token_id, device_id in tokens_and_devices:
1034		await provider.on_logged_out(
1035		user_id=user_id, device_id=device_id, access_token=token
1036		)
	1163	for token, token_id, device_id in tokens_and_devices:
	1164	await provider.on_logged_out(
	1165	user_id=user_id, device_id=device_id, access_token=token
	1166	)
1037	1167
1038	1168	# delete pushers associated with the access tokens
1039	1169	await self.hs.get_pusherpool().remove_pushers_by_access_token(

1357	1487	macaroon.add_first_party_caveat("gen = 1")
1358	1488	macaroon.add_first_party_caveat("user_id = %s" % (user_id,))
1359	1489	return macaroon
	1490
	1491
	1492	class PasswordProvider:
	1493	"""Wrapper for a password auth provider module
	1494
	1495	This class abstracts out all of the backwards-compatibility hacks for
	1496	password providers, to provide a consistent interface.
	1497	"""
	1498
	1499	@classmethod
	1500	def load(cls, module, config, module_api: ModuleApi) -> "PasswordProvider":
	1501	try:
	1502	pp = module(config=config, account_handler=module_api)
	1503	except Exception as e:
	1504	logger.error("Error while initializing %r: %s", module, e)
	1505	raise
	1506	return cls(pp, module_api)
	1507
	1508	def __init__(self, pp, module_api: ModuleApi):
	1509	self._pp = pp
	1510	self._module_api = module_api
	1511
	1512	self._supported_login_types = {}
	1513
	1514	# grandfather in check_password support
	1515	if hasattr(self._pp, "check_password"):
	1516	self._supported_login_types[LoginType.PASSWORD] = ("password",)
	1517
	1518	g = getattr(self._pp, "get_supported_login_types", None)
	1519	if g:
	1520	self._supported_login_types.update(g())
	1521
	1522	def __str__(self):
	1523	return str(self._pp)
	1524
	1525	def get_supported_login_types(self) -> Mapping[str, Iterable[str]]:
	1526	"""Get the login types supported by this password provider
	1527
	1528	Returns a map from a login type identifier (such as m.login.password) to an
	1529	iterable giving the fields which must be provided by the user in the submission
	1530	to the /login API.
	1531
	1532	This wrapper adds m.login.password to the list if the underlying password
	1533	provider supports the check_password() api.
	1534	"""
	1535	return self._supported_login_types
	1536
	1537	async def check_auth(
	1538	self, username: str, login_type: str, login_dict: JsonDict
	1539	) -> Optional[Tuple[str, Optional[Callable]]]:
	1540	"""Check if the user has presented valid login credentials
	1541
	1542	This wrapper also calls check_password() if the underlying password provider
	1543	supports the check_password() api and the login type is m.login.password.
	1544
	1545	Args:
	1546	username: user id presented by the client. Either an MXID or an unqualified
	1547	username.
	1548
	1549	login_type: the login type being attempted - one of the types returned by
	1550	get_supported_login_types()
	1551
	1552	login_dict: the dictionary of login secrets passed by the client.
	1553
	1554	Returns: (user_id, callback) where `user_id` is the fully-qualified mxid of the
	1555	user, and `callback` is an optional callback which will be called with the
	1556	result from the /login call (including access_token, device_id, etc.)
	1557	"""
	1558	# first grandfather in a call to check_password
	1559	if login_type == LoginType.PASSWORD:
	1560	g = getattr(self._pp, "check_password", None)
	1561	if g:
	1562	qualified_user_id = self._module_api.get_qualified_user_id(username)
	1563	is_valid = await self._pp.check_password(
	1564	qualified_user_id, login_dict["password"]
	1565	)
	1566	if is_valid:
	1567	return qualified_user_id, None
	1568
	1569	g = getattr(self._pp, "check_auth", None)
	1570	if not g:
	1571	return None
	1572	result = await g(username, login_type, login_dict)
	1573
	1574	# Check if the return value is a str or a tuple
	1575	if isinstance(result, str):
	1576	# If it's a str, set callback function to None
	1577	return result, None
	1578
	1579	return result
	1580
	1581	async def check_3pid_auth(
	1582	self, medium: str, address: str, password: str
	1583	) -> Optional[Tuple[str, Optional[Callable]]]:
	1584	g = getattr(self._pp, "check_3pid_auth", None)
	1585	if not g:
	1586	return None
	1587
	1588	# This function is able to return a deferred that either
	1589	# resolves None, meaning authentication failure, or upon
	1590	# success, to a str (which is the user_id) or a tuple of
	1591	# (user_id, callback_func), where callback_func should be run
	1592	# after we've finished everything else
	1593	result = await g(medium, address, password)
	1594
	1595	# Check if the return value is a str or a tuple
	1596	if isinstance(result, str):
	1597	# If it's a str, set callback function to None
	1598	return result, None
	1599
	1600	return result
	1601
	1602	async def on_logged_out(
	1603	self, user_id: str, device_id: Optional[str], access_token: str
	1604	) -> None:
	1605	g = getattr(self._pp, "on_logged_out", None)
	1606	if not g:
	1607	return
	1608
	1609	# This might return an awaitable, if it does block the log out
	1610	# until it completes.
	1611	result = g(user_id=user_id, device_id=device_id, access_token=access_token,)
	1612	if inspect.isawaitable(result):
	1613	await result

+57

-24

synapse/handlers/cas_handler.py less more

13	13	# limitations under the License.
14	14	import logging
15	15	import urllib
16		from typing import Dict, Optional, Tuple
	16	from typing import TYPE_CHECKING, Dict, Optional, Tuple
17	17	from xml.etree import ElementTree as ET
18	18
19	19	from twisted.web.client import PartialDownloadError

22	22	from synapse.http.site import SynapseRequest
23	23	from synapse.types import UserID, map_username_to_mxid_localpart
24	24
	25	if TYPE_CHECKING:
	26	from synapse.app.homeserver import HomeServer
	27
25	28	logger = logging.getLogger(__name__)
26	29
27	30

30	33	Utility class for to handle the response from a CAS SSO service.
31	34
32	35	Args:
33		hs (synapse.server.HomeServer)
	36	hs
34	37	"""
35	38
36		def __init__(self, hs):
	39	def __init__(self, hs: "HomeServer"):
37	40	self.hs = hs
38	41	self._hostname = hs.hostname
39	42	self._auth_handler = hs.get_auth_handler()

199	202	args["session"] = session
200	203	username, user_display_name = await self._validate_ticket(ticket, args)
201	204
202		localpart = map_username_to_mxid_localpart(username)
	205	# Pull out the user-agent and IP from the request.
	206	user_agent = request.get_user_agent("")
	207	ip_address = self.hs.get_ip_from_request(request)
	208
	209	# Get the matrix ID from the CAS username.
	210	user_id = await self._map_cas_user_to_matrix_user(
	211	username, user_display_name, user_agent, ip_address
	212	)
	213
	214	if session:
	215	await self._auth_handler.complete_sso_ui_auth(
	216	user_id, session, request,
	217	)
	218	else:
	219	# If this not a UI auth request than there must be a redirect URL.
	220	assert client_redirect_url
	221
	222	await self._auth_handler.complete_sso_login(
	223	user_id, request, client_redirect_url
	224	)
	225
	226	async def _map_cas_user_to_matrix_user(
	227	self,
	228	remote_user_id: str,
	229	display_name: Optional[str],
	230	user_agent: str,
	231	ip_address: str,
	232	) -> str:
	233	"""
	234	Given a CAS username, retrieve the user ID for it and possibly register the user.
	235
	236	Args:
	237	remote_user_id: The username from the CAS response.
	238	display_name: The display name from the CAS response.
	239	user_agent: The user agent of the client making the request.
	240	ip_address: The IP address of the client making the request.
	241
	242	Returns:
	243	The user ID associated with this response.
	244	"""
	245
	246	localpart = map_username_to_mxid_localpart(remote_user_id)
203	247	user_id = UserID(localpart, self._hostname).to_string()
204	248	registered_user_id = await self._auth_handler.check_user_exists(user_id)
205	249
206		if session:
207		await self._auth_handler.complete_sso_ui_auth(
208		registered_user_id, session, request,
209		)
210
211		else:
212		if not registered_user_id:
213		# Pull out the user-agent and IP from the request.
214		user_agent = request.get_user_agent("")
215		ip_address = self.hs.get_ip_from_request(request)
216
217		registered_user_id = await self._registration_handler.register_user(
218		localpart=localpart,
219		default_display_name=user_display_name,
220		user_agent_ips=(user_agent, ip_address),
221		)
222
223		await self._auth_handler.complete_sso_login(
224		registered_user_id, request, client_redirect_url
225		)
	250	# If the user does not exist, register it.
	251	if not registered_user_id:
	252	registered_user_id = await self._registration_handler.register_user(
	253	localpart=localpart,
	254	default_display_name=display_name,
	255	user_agent_ips=[(user_agent, ip_address)],
	256	)
	257
	258	return registered_user_id

+3

-2

synapse/handlers/deactivate_account.py less more

38	38	self._room_member_handler = hs.get_room_member_handler()
39	39	self._identity_handler = hs.get_identity_handler()
40	40	self.user_directory_handler = hs.get_user_directory_handler()
	41	self._server_name = hs.hostname
41	42
42	43	# Flag that indicates whether the process to part users from rooms is running
43	44	self._user_parter_running = False

151	152	for room in pending_invites:
152	153	try:
153	154	await self._room_member_handler.update_membership(
154		create_requester(user),
	155	create_requester(user, authenticated_entity=self._server_name),
155	156	user,
156	157	room.room_id,
157	158	"leave",

207	208	logger.info("User parter parting %r from %r", user_id, room_id)
208	209	try:
209	210	await self._room_member_handler.update_membership(
210		create_requester(user),
	211	create_requester(user, authenticated_entity=self._server_name),
211	212	user,
212	213	room_id,
213	214	"leave",

+13

-11

synapse/handlers/federation.py less more

54	54	from synapse.events.snapshot import EventContext
55	55	from synapse.events.validator import EventValidator
56	56	from synapse.handlers._base import BaseHandler
	57	from synapse.http.servlet import assert_params_in_dict
57	58	from synapse.logging.context import (
58	59	make_deferred_yieldable,
59	60	nested_logging_context,

66	67	from synapse.replication.http.federation import (
67	68	ReplicationCleanRoomRestServlet,
68	69	ReplicationFederationSendEventsRestServlet,
69		ReplicationStoreRoomOnInviteRestServlet,
	70	ReplicationStoreRoomOnOutlierMembershipRestServlet,
70	71	)
71	72	from synapse.state import StateResolutionStore
72	73	from synapse.storage.databases.main.events_worker import EventRedactBehaviour

151	152	self._user_device_resync = ReplicationUserDevicesResyncRestServlet.make_client(
152	153	hs
153	154	)
154		self._maybe_store_room_on_invite = ReplicationStoreRoomOnInviteRestServlet.make_client(
	155	self._maybe_store_room_on_outlier_membership = ReplicationStoreRoomOnOutlierMembershipRestServlet.make_client(
155	156	hs
156	157	)
157	158	else:
158	159	self._device_list_updater = hs.get_device_handler().device_list_updater
159		self._maybe_store_room_on_invite = self.store.maybe_store_room_on_invite
	160	self._maybe_store_room_on_outlier_membership = (
	161	self.store.maybe_store_room_on_outlier_membership
	162	)
160	163
161	164	# When joining a room we need to queue any events for that room up.
162	165	# For each room, a list of (pdu, origin) tuples.

1616	1619	# keep a record of the room version, if we don't yet know it.
1617	1620	# (this may get overwritten if we later get a different room version in a
1618	1621	# join dance).
1619		await self._maybe_store_room_on_invite(
	1622	await self._maybe_store_room_on_outlier_membership(
1620	1623	room_id=event.room_id, room_version=room_version
1621	1624	)
1622	1625

2685	2688	)
2686	2689
2687	2690	async def on_exchange_third_party_invite_request(
2688		self, room_id: str, event_dict: JsonDict
	2691	self, event_dict: JsonDict
2689	2692	) -> None:
2690	2693	"""Handle an exchange_third_party_invite request from a remote server
2691	2694

2693	2696	into a normal m.room.member invite.
2694	2697
2695	2698	Args:
2696		room_id: The ID of the room.
2697
2698		event_dict (dict[str, Any]): Dictionary containing the event body.
2699
2700		"""
2701		room_version = await self.store.get_room_version_id(room_id)
	2699	event_dict: Dictionary containing the event body.
	2700
	2701	"""
	2702	assert_params_in_dict(event_dict, ["room_id"])
	2703	room_version = await self.store.get_room_version_id(event_dict["room_id"])
2702	2704
2703	2705	# NB: event_dict has a particular specced format we might need to fudge
2704	2706	# if we change event formats too much.

+2

-1

synapse/handlers/identity.py less more

353	353	raise SynapseError(500, "An error was encountered when sending the email")
354	354
355	355	token_expires = (
356		self.hs.clock.time_msec() + self.hs.config.email_validation_token_lifetime
	356	self.hs.get_clock().time_msec()
	357	+ self.hs.config.email_validation_token_lifetime
357	358	)
358	359
359	360	await self.store.start_or_continue_validation_session(

+10

-11

synapse/handlers/message.py less more

471	471	Returns:
472	472	Tuple of created event, Context
473	473	"""
474		await self.auth.check_auth_blocking(requester.user.to_string())
	474	await self.auth.check_auth_blocking(requester=requester)
475	475
476	476	if event_dict["type"] == EventTypes.Create and event_dict["state_key"] == "":
477	477	room_version = event_dict["content"]["room_version"]

618	618	if requester.app_service is not None:
619	619	return
620	620
621		user_id = requester.user.to_string()
	621	user_id = requester.authenticated_entity
	622	if not user_id.startswith("@"):
	623	# The authenticated entity might not be a user, e.g. if it's the
	624	# server puppetting the user.
	625	return
	626
	627	user = UserID.from_string(user_id)
622	628
623	629	# exempt the system notices user
624	630	if (

638	644	if u["consent_version"] == self.config.user_consent_version:
639	645	return
640	646
641		consent_uri = self._consent_uri_builder.build_user_consent_uri(
642		requester.user.localpart
643		)
	647	consent_uri = self._consent_uri_builder.build_user_consent_uri(user.localpart)
644	648	msg = self._block_events_without_consent_error % {"consent_uri": consent_uri}
645	649	raise ConsentNotGivenError(msg=msg, consent_uri=consent_uri)
646	650

1251	1255	for user_id in members:
1252	1256	if not self.hs.is_mine_id(user_id):
1253	1257	continue
1254		requester = create_requester(user_id)
	1258	requester = create_requester(user_id, authenticated_entity=self.server_name)
1255	1259	try:
1256	1260	event, context = await self.create_event(
1257	1261	requester,

1272	1276	requester, event, context, ratelimit=False, ignore_shadow_ban=True,
1273	1277	)
1274	1278	return True
1275		except ConsentNotGivenError:
1276		logger.info(
1277		"Failed to send dummy event into room %s for user %s due to "
1278		"lack of consent. Will try another user" % (room_id, user_id)
1279		)
1280	1279	except AuthError:
1281	1280	logger.info(
1282	1281	"Failed to send dummy event into room %s for user %s due to "

+108

-113

synapse/handlers/oidc_handler.py less more

11	11	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12	12	# See the License for the specific language governing permissions and
13	13	# limitations under the License.
	14	import inspect
14	15	import logging
15	16	from typing import TYPE_CHECKING, Dict, Generic, List, Optional, Tuple, TypeVar
16	17	from urllib.parse import urlencode

33	34	from twisted.web.client import readBody
34	35
35	36	from synapse.config import ConfigError
36		from synapse.http.server import respond_with_html
	37	from synapse.handlers._base import BaseHandler
	38	from synapse.handlers.sso import MappingException, UserAttributes
37	39	from synapse.http.site import SynapseRequest
38	40	from synapse.logging.context import make_deferred_yieldable
39	41	from synapse.types import JsonDict, UserID, map_username_to_mxid_localpart

82	84	return self.error
83	85
84	86
85		class MappingException(Exception):
86		"""Used to catch errors when mapping the UserInfo object
87		"""
88
89
90		class OidcHandler:
	87	class OidcHandler(BaseHandler):
91	88	"""Handles requests related to the OpenID Connect login flow.
92	89	"""
93	90
94	91	def __init__(self, hs: "HomeServer"):
95		self.hs = hs
	92	super().__init__(hs)
96	93	self._callback_url = hs.config.oidc_callback_url # type: str
97	94	self._scopes = hs.config.oidc_scopes # type: List[str]
98	95	self._user_profile_method = hs.config.oidc_user_profile_method # type: str

119	116	self._http_client = hs.get_proxied_http_client()
120	117	self._auth_handler = hs.get_auth_handler()
121	118	self._registration_handler = hs.get_registration_handler()
122		self._datastore = hs.get_datastore()
123		self._clock = hs.get_clock()
124		self._hostname = hs.hostname # type: str
125	119	self._server_name = hs.config.server_name # type: str
126	120	self._macaroon_secret_key = hs.config.macaroon_secret_key
127		self._error_template = hs.config.sso_error_template
128	121
129	122	# identifier for the external_ids table
130	123	self._auth_provider_id = "oidc"
131	124
132		def _render_error(
133		self, request, error: str, error_description: Optional[str] = None
134		) -> None:
135		"""Render the error template and respond to the request with it.
136
137		This is used to show errors to the user. The template of this page can
138		be found under `synapse/res/templates/sso_error.html`.
139
140		Args:
141		request: The incoming request from the browser.
142		We'll respond with an HTML page describing the error.
143		error: A technical identifier for this error. Those include
144		well-known OAuth2/OIDC error types like invalid_request or
145		access_denied.
146		error_description: A human-readable description of the error.
147		"""
148		html = self._error_template.render(
149		error=error, error_description=error_description
150		)
151		respond_with_html(request, 400, html)
	125	self._sso_handler = hs.get_sso_handler()
152	126
153	127	def _validate_metadata(self):
154	128	"""Verifies the provider metadata.

570	544
571	545	Since we might want to display OIDC-related errors in a user-friendly
572	546	way, we don't raise SynapseError from here. Instead, we call
573		``self._render_error`` which displays an HTML page for the error.
	547	``self._sso_handler.render_error`` which displays an HTML page for the error.
574	548
575	549	Most of the OpenID Connect logic happens here:
576	550

608	582	if error != "access_denied":
609	583	logger.error("Error from the OIDC provider: %s %s", error, description)
610	584
611		self._render_error(request, error, description)
	585	self._sso_handler.render_error(request, error, description)
612	586	return
613	587
614	588	# otherwise, it is presumably a successful response. see:

618	592	session = request.getCookie(SESSION_COOKIE_NAME) # type: Optional[bytes]
619	593	if session is None:
620	594	logger.info("No session cookie found")
621		self._render_error(request, "missing_session", "No session cookie found")
	595	self._sso_handler.render_error(
	596	request, "missing_session", "No session cookie found"
	597	)
622	598	return
623	599
624	600	# Remove the cookie. There is a good chance that if the callback failed

636	612	# Check for the state query parameter
637	613	if b"state" not in request.args:
638	614	logger.info("State parameter is missing")
639		self._render_error(request, "invalid_request", "State parameter is missing")
	615	self._sso_handler.render_error(
	616	request, "invalid_request", "State parameter is missing"
	617	)
640	618	return
641	619
642	620	state = request.args[b"state"][0].decode()

650	628	) = self._verify_oidc_session_token(session, state)
651	629	except MacaroonDeserializationException as e:
652	630	logger.exception("Invalid session")
653		self._render_error(request, "invalid_session", str(e))
	631	self._sso_handler.render_error(request, "invalid_session", str(e))
654	632	return
655	633	except MacaroonInvalidSignatureException as e:
656	634	logger.exception("Could not verify session")
657		self._render_error(request, "mismatching_session", str(e))
	635	self._sso_handler.render_error(request, "mismatching_session", str(e))
658	636	return
659	637
660	638	# Exchange the code with the provider
661	639	if b"code" not in request.args:
662	640	logger.info("Code parameter is missing")
663		self._render_error(request, "invalid_request", "Code parameter is missing")
	641	self._sso_handler.render_error(
	642	request, "invalid_request", "Code parameter is missing"
	643	)
664	644	return
665	645
666	646	logger.debug("Exchanging code")

669	649	token = await self._exchange_code(code)
670	650	except OidcError as e:
671	651	logger.exception("Could not exchange code")
672		self._render_error(request, e.error, e.error_description)
	652	self._sso_handler.render_error(request, e.error, e.error_description)
673	653	return
674	654
675	655	logger.debug("Successfully obtained OAuth2 access token")

682	662	userinfo = await self._fetch_userinfo(token)
683	663	except Exception as e:
684	664	logger.exception("Could not fetch userinfo")
685		self._render_error(request, "fetch_error", str(e))
	665	self._sso_handler.render_error(request, "fetch_error", str(e))
686	666	return
687	667	else:
688	668	logger.debug("Extracting userinfo from id_token")

690	670	userinfo = await self._parse_id_token(token, nonce=nonce)
691	671	except Exception as e:
692	672	logger.exception("Invalid id_token")
693		self._render_error(request, "invalid_token", str(e))
	673	self._sso_handler.render_error(request, "invalid_token", str(e))
694	674	return
695	675
696	676	# Pull out the user-agent and IP from the request.

704	684	)
705	685	except MappingException as e:
706	686	logger.exception("Could not map user")
707		self._render_error(request, "mapping_error", str(e))
	687	self._sso_handler.render_error(request, "mapping_error", str(e))
708	688	return
709	689
710	690	# Mapping providers might not have get_extra_attributes: only call this

769	749	macaroon.add_first_party_caveat(
770	750	"ui_auth_session_id = %s" % (ui_auth_session_id,)
771	751	)
772		now = self._clock.time_msec()
	752	now = self.clock.time_msec()
773	753	expiry = now + duration_in_ms
774	754	macaroon.add_first_party_caveat("time < %d" % (expiry,))
775	755

844	824	if not caveat.startswith(prefix):
845	825	return False
846	826	expiry = int(caveat[len(prefix) :])
847		now = self._clock.time_msec()
	827	now = self.clock.time_msec()
848	828	return now < expiry
849	829
850	830	async def _map_userinfo_to_user(

884	864	# to be strings.
885	865	remote_user_id = str(remote_user_id)
886	866
887		logger.info(
888		"Looking for existing mapping for user %s:%s",
	867	# Older mapping providers don't accept the `failures` argument, so we
	868	# try and detect support.
	869	mapper_signature = inspect.signature(
	870	self._user_mapping_provider.map_user_attributes
	871	)
	872	supports_failures = "failures" in mapper_signature.parameters
	873
	874	async def oidc_response_to_user_attributes(failures: int) -> UserAttributes:
	875	"""
	876	Call the mapping provider to map the OIDC userinfo and token to user attributes.
	877
	878	This is backwards compatibility for abstraction for the SSO handler.
	879	"""
	880	if supports_failures:
	881	attributes = await self._user_mapping_provider.map_user_attributes(
	882	userinfo, token, failures
	883	)
	884	else:
	885	# If the mapping provider does not support processing failures,
	886	# do not continually generate the same Matrix ID since it will
	887	# continue to already be in use. Note that the error raised is
	888	# arbitrary and will get turned into a MappingException.
	889	if failures:
	890	raise MappingException(
	891	"Mapping provider does not support de-duplicating Matrix IDs"
	892	)
	893
	894	attributes = await self._user_mapping_provider.map_user_attributes( # type: ignore
	895	userinfo, token
	896	)
	897
	898	return UserAttributes(**attributes)
	899
	900	async def grandfather_existing_users() -> Optional[str]:
	901	if self._allow_existing_users:
	902	# If allowing existing users we want to generate a single localpart
	903	# and attempt to match it.
	904	attributes = await oidc_response_to_user_attributes(failures=0)
	905
	906	user_id = UserID(attributes.localpart, self.server_name).to_string()
	907	users = await self.store.get_users_by_id_case_insensitive(user_id)
	908	if users:
	909	# If an existing matrix ID is returned, then use it.
	910	if len(users) == 1:
	911	previously_registered_user_id = next(iter(users))
	912	elif user_id in users:
	913	previously_registered_user_id = user_id
	914	else:
	915	# Do not attempt to continue generating Matrix IDs.
	916	raise MappingException(
	917	"Attempted to login as '{}' but it matches more than one user inexactly: {}".format(
	918	user_id, users
	919	)
	920	)
	921
	922	return previously_registered_user_id
	923
	924	return None
	925
	926	return await self._sso_handler.get_mxid_from_sso(
889	927	self._auth_provider_id,
890	928	remote_user_id,
891		)
892
893		registered_user_id = await self._datastore.get_user_by_external_id(
894		self._auth_provider_id, remote_user_id,
895		)
896
897		if registered_user_id is not None:
898		logger.info("Found existing mapping %s", registered_user_id)
899		return registered_user_id
900
901		try:
902		attributes = await self._user_mapping_provider.map_user_attributes(
903		userinfo, token
904		)
905		except Exception as e:
906		raise MappingException(
907		"Could not extract user attributes from OIDC response: " + str(e)
908		)
909
910		logger.debug(
911		"Retrieved user attributes from user mapping provider: %r", attributes
912		)
913
914		if not attributes["localpart"]:
915		raise MappingException("localpart is empty")
916
917		localpart = map_username_to_mxid_localpart(attributes["localpart"])
918
919		user_id = UserID(localpart, self._hostname).to_string()
920		users = await self._datastore.get_users_by_id_case_insensitive(user_id)
921		if users:
922		if self._allow_existing_users:
923		if len(users) == 1:
924		registered_user_id = next(iter(users))
925		elif user_id in users:
926		registered_user_id = user_id
927		else:
928		raise MappingException(
929		"Attempted to login as '{}' but it matches more than one user inexactly: {}".format(
930		user_id, list(users.keys())
931		)
932		)
933		else:
934		# This mxid is taken
935		raise MappingException("mxid '{}' is already taken".format(user_id))
936		else:
937		# It's the first time this user is logging in and the mapped mxid was
938		# not taken, register the user
939		registered_user_id = await self._registration_handler.register_user(
940		localpart=localpart,
941		default_display_name=attributes["display_name"],
942		user_agent_ips=(user_agent, ip_address),
943		)
944		await self._datastore.record_user_external_id(
945		self._auth_provider_id, remote_user_id, registered_user_id,
946		)
947		return registered_user_id
948
949
950		UserAttribute = TypedDict(
951		"UserAttribute", {"localpart": str, "display_name": Optional[str]}
	929	user_agent,
	930	ip_address,
	931	oidc_response_to_user_attributes,
	932	grandfather_existing_users,
	933	)
	934
	935
	936	UserAttributeDict = TypedDict(
	937	"UserAttributeDict", {"localpart": str, "display_name": Optional[str]}
952	938	)
953	939	C = TypeVar("C")
954	940

991	977	raise NotImplementedError()
992	978
993	979	async def map_user_attributes(
994		self, userinfo: UserInfo, token: Token
995		) -> UserAttribute:
	980	self, userinfo: UserInfo, token: Token, failures: int
	981	) -> UserAttributeDict:
996	982	"""Map a `UserInfo` object into user attributes.
997	983
998	984	Args:
999	985	userinfo: An object representing the user given by the OIDC provider
1000	986	token: A dict with the tokens returned by the provider
	987	failures: How many times a call to this function with this
	988	UserInfo has resulted in a failure.
1001	989
1002	990	Returns:
1003	991	A dict containing the ``localpart`` and (optionally) the ``display_name``

1097	1085	return userinfo[self._config.subject_claim]
1098	1086
1099	1087	async def map_user_attributes(
1100		self, userinfo: UserInfo, token: Token
1101		) -> UserAttribute:
	1088	self, userinfo: UserInfo, token: Token, failures: int
	1089	) -> UserAttributeDict:
1102	1090	localpart = self._config.localpart_template.render(user=userinfo).strip()
	1091
	1092	# Ensure only valid characters are included in the MXID.
	1093	localpart = map_username_to_mxid_localpart(localpart)
	1094
	1095	# Append suffix integer if last call to this function failed to produce
	1096	# a usable mxid.
	1097	localpart += str(failures) if failures else ""
1103	1098
1104	1099	display_name = None # type: Optional[str]
1105	1100	if self._config.display_name_template is not None:

1110	1105	if display_name == "":
1111	1106	display_name = None
1112	1107
1113		return UserAttribute(localpart=localpart, display_name=display_name)
	1108	return UserAttributeDict(localpart=localpart, display_name=display_name)
1114	1109
1115	1110	async def get_extra_attributes(self, userinfo: UserInfo, token: Token) -> JsonDict:
1116	1111	extras = {} # type: Dict[str, str]

+11

-6

synapse/handlers/pagination.py less more

298	298	"""
299	299	return self._purges_by_id.get(purge_id)
300	300
301		async def purge_room(self, room_id: str) -> None:
302		"""Purge the given room from the database"""
	301	async def purge_room(self, room_id: str, force: bool = False) -> None:
	302	"""Purge the given room from the database.
	303
	304	Args:
	305	room_id: room to be purged
	306	force: set true to skip checking for joined users.
	307	"""
303	308	with await self.pagination_lock.write(room_id):
304	309	# check we know about the room
305	310	await self.store.get_room_version_id(room_id)
306	311
307	312	# first check that we have no users in this room
308		joined = await self.store.is_host_joined(room_id, self._server_name)
309
310		if joined:
311		raise SynapseError(400, "Users are still joined to this room")
	313	if not force:
	314	joined = await self.store.is_host_joined(room_id, self._server_name)
	315	if joined:
	316	raise SynapseError(400, "Users are still joined to this room")
312	317
313	318	await self.storage.purge_events.purge_room(room_id)
314	319

+2

-3

synapse/handlers/presence.py less more

24	24	import abc
25	25	import logging
26	26	from contextlib import contextmanager
27		from typing import Dict, Iterable, List, Set, Tuple
	27	from typing import TYPE_CHECKING, Dict, Iterable, List, Set, Tuple
28	28
29	29	from prometheus_client import Counter
30	30	from typing_extensions import ContextManager

45	45	from synapse.util.metrics import Measure
46	46	from synapse.util.wheel_timer import WheelTimer
47	47
48		MYPY = False
49		if MYPY:
	48	if TYPE_CHECKING:
50	49	from synapse.server import HomeServer
51	50
52	51	logger = logging.getLogger(__name__)

+6

-2

synapse/handlers/profile.py less more

205	205	# the join event to update the displayname in the rooms.
206	206	# This must be done by the target user himself.
207	207	if by_admin:
208		requester = create_requester(target_user)
	208	requester = create_requester(
	209	target_user, authenticated_entity=requester.authenticated_entity,
	210	)
209	211
210	212	await self.store.set_profile_displayname(
211	213	target_user.localpart, displayname_to_set

285	287
286	288	# Same like set_displayname
287	289	if by_admin:
288		requester = create_requester(target_user)
	290	requester = create_requester(
	291	target_user, authenticated_entity=requester.authenticated_entity
	292	)
289	293
290	294	await self.store.set_profile_avatar_url(target_user.localpart, new_avatar_url)
291	295

+2

-1

synapse/handlers/receipts.py less more

157	157	if from_key == to_key:
158	158	return [], to_key
159	159
160		# We first need to fetch all new receipts
	160	# Fetch all read receipts for all rooms, up to a limit of 100. This is ordered
	161	# by most recent.
161	162	rooms_to_events = await self.store.get_linearized_receipts_for_all_rooms(
162	163	from_key=from_key, to_key=to_key
163	164	)

+132

-112

synapse/handlers/register.py less more

14	14
15	15	"""Contains functions for registering clients."""
16	16	import logging
	17	from typing import TYPE_CHECKING, List, Optional, Tuple
17	18
18	19	from synapse import types
19	20	from synapse.api.constants import MAX_USERID_LENGTH, EventTypes, JoinRules, LoginType
20	21	from synapse.api.errors import AuthError, Codes, ConsentNotGivenError, SynapseError
	22	from synapse.appservice import ApplicationService
21	23	from synapse.config.server import is_threepid_reserved
22	24	from synapse.http.servlet import assert_params_in_dict
23	25	from synapse.replication.http.login import RegisterDeviceReplicationServlet

31	33
32	34	from ._base import BaseHandler
33	35
	36	if TYPE_CHECKING:
	37	from synapse.app.homeserver import HomeServer
	38
34	39	logger = logging.getLogger(__name__)
35	40
36	41
37	42	class RegistrationHandler(BaseHandler):
38		def __init__(self, hs):
39		"""
40
41		Args:
42		hs (synapse.server.HomeServer):
43		"""
	43	def __init__(self, hs: "HomeServer"):
44	44	super().__init__(hs)
45	45	self.hs = hs
46	46	self.auth = hs.get_auth()

51	51	self.ratelimiter = hs.get_registration_ratelimiter()
52	52	self.macaroon_gen = hs.get_macaroon_generator()
53	53	self._server_notices_mxid = hs.config.server_notices_mxid
	54	self._server_name = hs.hostname
54	55
55	56	self.spam_checker = hs.get_spam_checker()
56	57

69	70	self.session_lifetime = hs.config.session_lifetime
70	71
71	72	async def check_username(
72		self, localpart, guest_access_token=None, assigned_user_id=None
	73	self,
	74	localpart: str,
	75	guest_access_token: Optional[str] = None,
	76	assigned_user_id: Optional[str] = None,
73	77	):
74	78	if types.contains_invalid_mxid_characters(localpart):
75	79	raise SynapseError(

138	142
139	143	async def register_user(
140	144	self,
141		localpart=None,
142		password_hash=None,
143		guest_access_token=None,
144		make_guest=False,
145		admin=False,
146		threepid=None,
147		user_type=None,
148		default_display_name=None,
149		address=None,
150		bind_emails=[],
151		by_admin=False,
152		user_agent_ips=None,
153		):
	145	localpart: Optional[str] = None,
	146	password_hash: Optional[str] = None,
	147	guest_access_token: Optional[str] = None,
	148	make_guest: bool = False,
	149	admin: bool = False,
	150	threepid: Optional[dict] = None,
	151	user_type: Optional[str] = None,
	152	default_display_name: Optional[str] = None,
	153	address: Optional[str] = None,
	154	bind_emails: List[str] = [],
	155	by_admin: bool = False,
	156	user_agent_ips: Optional[List[Tuple[str, str]]] = None,
	157	) -> str:
154	158	"""Registers a new client on the server.
155	159
156	160	Args:
157	161	localpart: The local part of the user ID to register. If None,
158	162	one will be generated.
159		password_hash (str\|None): The hashed password to assign to this user so they can
	163	password_hash: The hashed password to assign to this user so they can
160	164	login again. This can be None which means they cannot login again
161	165	via a password (e.g. the user is an application service user).
162		user_type (str\|None): type of user. One of the values from
	166	guest_access_token: The access token used when this was a guest
	167	account.
	168	make_guest: True if the the new user should be guest,
	169	false to add a regular user account.
	170	admin: True if the user should be registered as a server admin.
	171	threepid: The threepid used for registering, if any.
	172	user_type: type of user. One of the values from
163	173	api.constants.UserTypes, or None for a normal user.
164		default_display_name (unicode\|None): if set, the new user's displayname
	174	default_display_name: if set, the new user's displayname
165	175	will be set to this. Defaults to 'localpart'.
166		address (str\|None): the IP address used to perform the registration.
167		bind_emails (List[str]): list of emails to bind to this account.
168		by_admin (bool): True if this registration is being made via the
	176	address: the IP address used to perform the registration.
	177	bind_emails: list of emails to bind to this account.
	178	by_admin: True if this registration is being made via the
169	179	admin api, otherwise False.
170		user_agent_ips (List[(str, str)]): Tuples of IP addresses and user-agents used
	180	user_agent_ips: Tuples of IP addresses and user-agents used
171	181	during the registration process.
172	182	Returns:
173		str: user_id
	183	The registere user_id.
174	184	Raises:
175	185	SynapseError if there was a problem registering.
176	186	"""

234	244	else:
235	245	# autogen a sequential user ID
236	246	fail_count = 0
237		user = None
238		while not user:
	247	# If a default display name is not given, generate one.
	248	generate_display_name = default_display_name is None
	249	# This breaks on successful registration or errors after 10 failures.
	250	while True:
239	251	# Fail after being unable to find a suitable ID a few times
240	252	if fail_count > 10:
241	253	raise SynapseError(500, "Unable to find a suitable guest user ID")

244	256	user = UserID(localpart, self.hs.hostname)
245	257	user_id = user.to_string()
246	258	self.check_user_id_not_appservice_exclusive(user_id)
247		if default_display_name is None:
	259	if generate_display_name:
248	260	default_display_name = localpart
249	261	try:
250	262	await self.register_with_store(

260	272	break
261	273	except SynapseError:
262	274	# if user id is taken, just generate another
263		user = None
264		user_id = None
265	275	fail_count += 1
266	276
267	277	if not self.hs.config.user_consent_at_registration:

293	303
294	304	return user_id
295	305
296		async def _create_and_join_rooms(self, user_id: str):
	306	async def _create_and_join_rooms(self, user_id: str) -> None:
297	307	"""
298	308	Create the auto-join rooms and join or invite the user to them.
299	309

316	326	requires_join = False
317	327	if self.hs.config.registration.auto_join_user_id:
318	328	fake_requester = create_requester(
319		self.hs.config.registration.auto_join_user_id
	329	self.hs.config.registration.auto_join_user_id,
	330	authenticated_entity=self._server_name,
320	331	)
321	332
322	333	# If the room requires an invite, add the user to the list of invites.

328	339	# being necessary this will occur after the invite was sent.
329	340	requires_join = True
330	341	else:
331		fake_requester = create_requester(user_id)
	342	fake_requester = create_requester(
	343	user_id, authenticated_entity=self._server_name
	344	)
332	345
333	346	# Choose whether to federate the new room.
334	347	if not self.hs.config.registration.autocreate_auto_join_rooms_federated:

361	374	# created it, then ensure the first user joins it.
362	375	if requires_join:
363	376	await room_member_handler.update_membership(
364		requester=create_requester(user_id),
	377	requester=create_requester(
	378	user_id, authenticated_entity=self._server_name
	379	),
365	380	target=UserID.from_string(user_id),
366	381	room_id=info["room_id"],
367	382	# Since it was just created, there are no remote hosts.

369	384	action="join",
370	385	ratelimit=False,
371	386	)
372
373		except ConsentNotGivenError as e:
374		# Technically not necessary to pull out this error though
375		# moving away from bare excepts is a good thing to do.
376		logger.error("Failed to join new user to %r: %r", r, e)
377	387	except Exception as e:
378	388	logger.error("Failed to join new user to %r: %r", r, e)
379	389
380		async def _join_rooms(self, user_id: str):
	390	async def _join_rooms(self, user_id: str) -> None:
381	391	"""
382	392	Join or invite the user to the auto-join rooms.
383	393

423	433
424	434	# Send the invite, if necessary.
425	435	if requires_invite:
	436	# If an invite is required, there must be a auto-join user ID.
	437	assert self.hs.config.registration.auto_join_user_id
	438
426	439	await room_member_handler.update_membership(
427	440	requester=create_requester(
428		self.hs.config.registration.auto_join_user_id
	441	self.hs.config.registration.auto_join_user_id,
	442	authenticated_entity=self._server_name,
429	443	),
430	444	target=UserID.from_string(user_id),
431	445	room_id=room_id,

436	450
437	451	# Send the join.
438	452	await room_member_handler.update_membership(
439		requester=create_requester(user_id),
	453	requester=create_requester(
	454	user_id, authenticated_entity=self._server_name
	455	),
440	456	target=UserID.from_string(user_id),
441	457	room_id=room_id,
442	458	remote_room_hosts=remote_room_hosts,

451	467	except Exception as e:
452	468	logger.error("Failed to join new user to %r: %r", r, e)
453	469
454		async def _auto_join_rooms(self, user_id: str):
	470	async def _auto_join_rooms(self, user_id: str) -> None:
455	471	"""Automatically joins users to auto join rooms - creating the room in the first place
456	472	if the user is the first to be created.
457	473

474	490	else:
475	491	await self._join_rooms(user_id)
476	492
477		async def post_consent_actions(self, user_id):
	493	async def post_consent_actions(self, user_id: str) -> None:
478	494	"""A series of registration actions that can only be carried out once consent
479	495	has been granted
480	496
481	497	Args:
482		user_id (str): The user to join
	498	user_id: The user to join
483	499	"""
484	500	await self._auto_join_rooms(user_id)
485	501
486		async def appservice_register(self, user_localpart, as_token):
	502	async def appservice_register(self, user_localpart: str, as_token: str) -> str:
487	503	user = UserID(user_localpart, self.hs.hostname)
488	504	user_id = user.to_string()
489	505	service = self.store.get_app_service_by_token(as_token)

508	524	)
509	525	return user_id
510	526
511		def check_user_id_not_appservice_exclusive(self, user_id, allowed_appservice=None):
	527	def check_user_id_not_appservice_exclusive(
	528	self, user_id: str, allowed_appservice: Optional[ApplicationService] = None
	529	) -> None:
512	530	# don't allow people to register the server notices mxid
513	531	if self._server_notices_mxid is not None:
514	532	if user_id == self._server_notices_mxid:

532	550	errcode=Codes.EXCLUSIVE,
533	551	)
534	552
535		def check_registration_ratelimit(self, address):
	553	def check_registration_ratelimit(self, address: Optional[str]) -> None:
536	554	"""A simple helper method to check whether the registration rate limit has been hit
537	555	for a given IP address
538	556
539	557	Args:
540		address (str\|None): the IP address used to perform the registration. If this is
	558	address: the IP address used to perform the registration. If this is
541	559	None, no ratelimiting will be performed.
542	560
543	561	Raises:

548	566
549	567	self.ratelimiter.ratelimit(address)
550	568
551		def register_with_store(
	569	async def register_with_store(
552	570	self,
553		user_id,
554		password_hash=None,
555		was_guest=False,
556		make_guest=False,
557		appservice_id=None,
558		create_profile_with_displayname=None,
559		admin=False,
560		user_type=None,
561		address=None,
562		shadow_banned=False,
563		):
	571	user_id: str,
	572	password_hash: Optional[str] = None,
	573	was_guest: bool = False,
	574	make_guest: bool = False,
	575	appservice_id: Optional[str] = None,
	576	create_profile_with_displayname: Optional[str] = None,
	577	admin: bool = False,
	578	user_type: Optional[str] = None,
	579	address: Optional[str] = None,
	580	shadow_banned: bool = False,
	581	) -> None:
564	582	"""Register user in the datastore.
565	583
566	584	Args:
567		user_id (str): The desired user ID to register.
568		password_hash (str\|None): Optional. The password hash for this user.
569		was_guest (bool): Optional. Whether this is a guest account being
	585	user_id: The desired user ID to register.
	586	password_hash: Optional. The password hash for this user.
	587	was_guest: Optional. Whether this is a guest account being
570	588	upgraded to a non-guest account.
571		make_guest (boolean): True if the the new user should be guest,
	589	make_guest: True if the the new user should be guest,
572	590	false to add a regular user account.
573		appservice_id (str\|None): The ID of the appservice registering the user.
574		create_profile_with_displayname (unicode\|None): Optionally create a
	591	appservice_id: The ID of the appservice registering the user.
	592	create_profile_with_displayname: Optionally create a
575	593	profile for the user, setting their displayname to the given value
576		admin (boolean): is an admin user?
577		user_type (str\|None): type of user. One of the values from
	594	admin: is an admin user?
	595	user_type: type of user. One of the values from
578	596	api.constants.UserTypes, or None for a normal user.
579		address (str\|None): the IP address used to perform the registration.
580		shadow_banned (bool): Whether to shadow-ban the user
581
582		Returns:
583		Awaitable
	597	address: the IP address used to perform the registration.
	598	shadow_banned: Whether to shadow-ban the user
584	599	"""
585	600	if self.hs.config.worker_app:
586		return self._register_client(
	601	await self._register_client(
587	602	user_id=user_id,
588	603	password_hash=password_hash,
589	604	was_guest=was_guest,

596	611	shadow_banned=shadow_banned,
597	612	)
598	613	else:
599		return self.store.register_user(
	614	await self.store.register_user(
600	615	user_id=user_id,
601	616	password_hash=password_hash,
602	617	was_guest=was_guest,

609	624	)
610	625
611	626	async def register_device(
612		self, user_id, device_id, initial_display_name, is_guest=False
613		):
	627	self,
	628	user_id: str,
	629	device_id: Optional[str],
	630	initial_display_name: Optional[str],
	631	is_guest: bool = False,
	632	) -> Tuple[str, str]:
614	633	"""Register a device for a user and generate an access token.
615	634
616	635	The access token will be limited by the homeserver's session_lifetime config.
617	636
618	637	Args:
619		user_id (str): full canonical @user:id
620		device_id (str\|None): The device ID to check, or None to generate
621		a new one.
622		initial_display_name (str\|None): An optional display name for the
623		device.
624		is_guest (bool): Whether this is a guest account
	638	user_id: full canonical @user:id
	639	device_id: The device ID to check, or None to generate a new one.
	640	initial_display_name: An optional display name for the device.
	641	is_guest: Whether this is a guest account
625	642
626	643	Returns:
627		tuple[str, str]: Tuple of device ID and access token
	644	Tuple of device ID and access token
628	645	"""
629	646
630	647	if self.hs.config.worker_app:

644	661	)
645	662	valid_until_ms = self.clock.time_msec() + self.session_lifetime
646	663
647		device_id = await self.device_handler.check_device_registered(
	664	registered_device_id = await self.device_handler.check_device_registered(
648	665	user_id, device_id, initial_display_name
649	666	)
650	667	if is_guest:

654	671	)
655	672	else:
656	673	access_token = await self._auth_handler.get_access_token_for_user_id(
657		user_id, device_id=device_id, valid_until_ms=valid_until_ms
658		)
659
660		return (device_id, access_token)
661
662		async def post_registration_actions(self, user_id, auth_result, access_token):
	674	user_id, device_id=registered_device_id, valid_until_ms=valid_until_ms
	675	)
	676
	677	return (registered_device_id, access_token)
	678
	679	async def post_registration_actions(
	680	self, user_id: str, auth_result: dict, access_token: Optional[str]
	681	) -> None:
663	682	"""A user has completed registration
664	683
665	684	Args:
666		user_id (str): The user ID that consented
667		auth_result (dict): The authenticated credentials of the newly
668		registered user.
669		access_token (str\|None): The access token of the newly logged in
670		device, or None if `inhibit_login` enabled.
	685	user_id: The user ID that consented
	686	auth_result: The authenticated credentials of the newly registered user.
	687	access_token: The access token of the newly logged in device, or
	688	None if `inhibit_login` enabled.
671	689	"""
672	690	if self.hs.config.worker_app:
673	691	await self._post_registration_client(

693	711	if auth_result and LoginType.TERMS in auth_result:
694	712	await self._on_user_consented(user_id, self.hs.config.user_consent_version)
695	713
696		async def _on_user_consented(self, user_id, consent_version):
	714	async def _on_user_consented(self, user_id: str, consent_version: str) -> None:
697	715	"""A user consented to the terms on registration
698	716
699	717	Args:
700		user_id (str): The user ID that consented.
701		consent_version (str): version of the policy the user has
702		consented to.
	718	user_id: The user ID that consented.
	719	consent_version: version of the policy the user has consented to.
703	720	"""
704	721	logger.info("%s has consented to the privacy policy", user_id)
705	722	await self.store.user_set_consent_version(user_id, consent_version)
706	723	await self.post_consent_actions(user_id)
707	724
708		async def _register_email_threepid(self, user_id, threepid, token):
	725	async def _register_email_threepid(
	726	self, user_id: str, threepid: dict, token: Optional[str]
	727	) -> None:
709	728	"""Add an email address as a 3pid identifier
710	729
711	730	Also adds an email pusher for the email address, if configured in the

714	733	Must be called on master.
715	734
716	735	Args:
717		user_id (str): id of user
718		threepid (object): m.login.email.identity auth response
719		token (str\|None): access_token for the user, or None if not logged
720		in.
	736	user_id: id of user
	737	threepid: m.login.email.identity auth response
	738	token: access_token for the user, or None if not logged in.
721	739	"""
722	740	reqd = ("medium", "address", "validated_at")
723	741	if any(x not in threepid for x in reqd):

743	761	# up when the access token is saved, but that's quite an
744	762	# invasive change I'd rather do separately.
745	763	user_tuple = await self.store.get_user_by_access_token(token)
	764	# The token better still exist.
	765	assert user_tuple
746	766	token_id = user_tuple.token_id
747	767
748	768	await self.pusher_pool.add_pusher(

757	777	data={},
758	778	)
759	779
760		async def _register_msisdn_threepid(self, user_id, threepid):
	780	async def _register_msisdn_threepid(self, user_id: str, threepid: dict) -> None:
761	781	"""Add a phone number as a 3pid identifier
762	782
763	783	Must be called on master.
764	784
765	785	Args:
766		user_id (str): id of user
767		threepid (object): m.login.msisdn auth response
	786	user_id: id of user
	787	threepid: m.login.msisdn auth response
768	788	"""
769	789	try:
770	790	assert_params_in_dict(threepid, ["medium", "address", "validated_at"])

+7

-3

synapse/handlers/room.py less more

586	586	"""
587	587	user_id = requester.user.to_string()
588	588
589		await self.auth.check_auth_blocking(user_id)
	589	await self.auth.check_auth_blocking(requester=requester)
590	590
591	591	if (
592	592	self._server_notices_mxid is not None

1256	1256	400, "User must be our own: %s" % (new_room_user_id,)
1257	1257	)
1258	1258
1259		room_creator_requester = create_requester(new_room_user_id)
	1259	room_creator_requester = create_requester(
	1260	new_room_user_id, authenticated_entity=requester_user_id
	1261	)
1260	1262
1261	1263	info, stream_id = await self._room_creation_handler.create_room(
1262	1264	room_creator_requester,

1296	1298
1297	1299	try:
1298	1300	# Kick users from room
1299		target_requester = create_requester(user_id)
	1301	target_requester = create_requester(
	1302	user_id, authenticated_entity=requester_user_id
	1303	)
1300	1304	_, stream_id = await self.room_member_handler.update_membership(
1301	1305	requester=target_requester,
1302	1306	target=target_requester.user,

+45

-26

synapse/handlers/room_member.py less more

30	30	from synapse.api.ratelimiting import Ratelimiter
31	31	from synapse.events import EventBase
32	32	from synapse.events.snapshot import EventContext
33		from synapse.storage.roommember import RoomsForUser
34	33	from synapse.types import JsonDict, Requester, RoomAlias, RoomID, StateMap, UserID
35	34	from synapse.util.async_helpers import Linearizer
36	35	from synapse.util.distributor import user_left_room

346	345	# later on.
347	346	content = dict(content)
348	347
349		if not self.allow_per_room_profiles or requester.shadow_banned:
	348	# allow the server notices mxid to set room-level profile
	349	is_requester_server_notices_user = (
	350	self._server_notices_mxid is not None
	351	and requester.user.to_string() == self._server_notices_mxid
	352	)
	353
	354	if (
	355	not self.allow_per_room_profiles and not is_requester_server_notices_user
	356	) or requester.shadow_banned:
350	357	# Strip profile data, knowing that new profile data will be added to the
351	358	# event's content in event_creation_handler.create_event() using the target's
352	359	# global profile.

514	521	elif effective_membership_state == Membership.LEAVE:
515	522	if not is_host_in_room:
516	523	# perhaps we've been invited
517		invite = await self.store.get_invite_for_local_user_in_room(
518		user_id=target.to_string(), room_id=room_id
519		) # type: Optional[RoomsForUser]
520		if not invite:
	524	(
	525	current_membership_type,
	526	current_membership_event_id,
	527	) = await self.store.get_local_current_membership_for_user_in_room(
	528	target.to_string(), room_id
	529	)
	530	if (
	531	current_membership_type != Membership.INVITE
	532	or not current_membership_event_id
	533	):
521	534	logger.info(
522	535	"%s sent a leave request to %s, but that is not an active room "
523	536	"on this server, and there is no pending invite",

527	540
528	541	raise SynapseError(404, "Not a known room")
529	542
	543	invite = await self.store.get_event(current_membership_event_id)
530	544	logger.info(
531	545	"%s rejects invite to %s from %s", target, room_id, invite.sender
532	546	)

964	978
965	979	self.distributor = hs.get_distributor()
966	980	self.distributor.declare("user_left_room")
	981	self._server_name = hs.hostname
967	982
968	983	async def _is_remote_room_too_complex(
969	984	self, room_id: str, remote_room_hosts: List[str]

1058	1073	return event_id, stream_id
1059	1074
1060	1075	# The room is too large. Leave.
1061		requester = types.create_requester(user, None, False, False, None)
	1076	requester = types.create_requester(
	1077	user, authenticated_entity=self._server_name
	1078	)
1062	1079	await self.update_membership(
1063	1080	requester=requester, target=user, room_id=room_id, action="leave"
1064	1081	)

1103	1120	#
1104	1121	logger.warning("Failed to reject invite: %s", e)
1105	1122
1106		return await self._locally_reject_invite(
	1123	return await self._generate_local_out_of_band_leave(
1107	1124	invite_event, txn_id, requester, content
1108	1125	)
1109	1126
1110		async def _locally_reject_invite(
	1127	async def _generate_local_out_of_band_leave(
1111	1128	self,
1112		invite_event: EventBase,
	1129	previous_membership_event: EventBase,
1113	1130	txn_id: Optional[str],
1114	1131	requester: Requester,
1115	1132	content: JsonDict,
1116	1133	) -> Tuple[str, int]:
1117		"""Generate a local invite rejection
1118
1119		This is called after we fail to reject an invite via a remote server. It
1120		generates an out-of-band membership event locally.
	1134	"""Generate a local leave event for a room
	1135
	1136	This can be called after we e.g fail to reject an invite via a remote server.
	1137	It generates an out-of-band membership event locally.
1121	1138
1122	1139	Args:
1123		invite_event: the invite to be rejected
	1140	previous_membership_event: the previous membership event for this user
1124	1141	txn_id: optional transaction ID supplied by the client
1125		requester: user making the rejection request, according to the access token
1126		content: additional content to include in the rejection event.
	1142	requester: user making the request, according to the access token
	1143	content: additional content to include in the leave event.
1127	1144	Normally an empty dict.
1128		"""
1129
1130		room_id = invite_event.room_id
1131		target_user = invite_event.state_key
	1145
	1146	Returns:
	1147	A tuple containing (event_id, stream_id of the leave event)
	1148	"""
	1149	room_id = previous_membership_event.room_id
	1150	target_user = previous_membership_event.state_key
1132	1151
1133	1152	content["membership"] = Membership.LEAVE
1134	1153

1140	1159	"state_key": target_user,
1141	1160	}
1142	1161
1143		# the auth events for the new event are the same as that of the invite, plus
1144		# the invite itself.
	1162	# the auth events for the new event are the same as that of the previous event, plus
	1163	# the event itself.
1145	1164	#
1146		# the prev_events are just the invite.
1147		prev_event_ids = [invite_event.event_id]
1148		auth_event_ids = invite_event.auth_event_ids() + prev_event_ids
	1165	# the prev_events consist solely of the previous membership event.
	1166	prev_event_ids = [previous_membership_event.event_id]
	1167	auth_event_ids = previous_membership_event.auth_event_ids() + prev_event_ids
1149	1168
1150	1169	event, context = await self.event_creation_handler.create_event(
1151	1170	requester,

+56

-113

synapse/handlers/saml_handler.py less more

23	23	from synapse.api.errors import SynapseError
24	24	from synapse.config import ConfigError
25	25	from synapse.config.saml2_config import SamlAttributeRequirement
26		from synapse.http.server import respond_with_html
	26	from synapse.handlers._base import BaseHandler
	27	from synapse.handlers.sso import MappingException, UserAttributes
27	28	from synapse.http.servlet import parse_string
28	29	from synapse.http.site import SynapseRequest
29	30	from synapse.module_api import ModuleApi

36	37	from synapse.util.iterutils import chunk_seq
37	38
38	39	if TYPE_CHECKING:
39		import synapse.server
	40	from synapse.server import HomeServer
40	41
41	42	logger = logging.getLogger(__name__)
42
43
44		class MappingException(Exception):
45		"""Used to catch errors when mapping the SAML2 response to a user."""
46	43
47	44
48	45	@attr.s(slots=True)

56	53	ui_auth_session_id = attr.ib(type=Optional[str], default=None)
57	54
58	55
59		class SamlHandler:
60		def __init__(self, hs: "synapse.server.HomeServer"):
61		self.hs = hs
	56	class SamlHandler(BaseHandler):
	57	def __init__(self, hs: "HomeServer"):
	58	super().__init__(hs)
62	59	self._saml_client = Saml2Client(hs.config.saml2_sp_config)
63		self._auth = hs.get_auth()
	60	self._saml_idp_entityid = hs.config.saml2_idp_entityid
64	61	self._auth_handler = hs.get_auth_handler()
65	62	self._registration_handler = hs.get_registration_handler()
66	63
67		self._clock = hs.get_clock()
68		self._datastore = hs.get_datastore()
69		self._hostname = hs.hostname
70	64	self._saml2_session_lifetime = hs.config.saml2_session_lifetime
71	65	self._grandfathered_mxid_source_attribute = (
72	66	hs.config.saml2_grandfathered_mxid_source_attribute

87	81	self._outstanding_requests_dict = {} # type: Dict[str, Saml2SessionData]
88	82
89	83	# a lock on the mappings
90		self._mapping_lock = Linearizer(name="saml_mapping", clock=self._clock)
91
92		def _render_error(
93		self, request, error: str, error_description: Optional[str] = None
94		) -> None:
95		"""Render the error template and respond to the request with it.
96
97		This is used to show errors to the user. The template of this page can
98		be found under `synapse/res/templates/sso_error.html`.
99
100		Args:
101		request: The incoming request from the browser.
102		We'll respond with an HTML page describing the error.
103		error: A technical identifier for this error.
104		error_description: A human-readable description of the error.
105		"""
106		html = self._error_template.render(
107		error=error, error_description=error_description
108		)
109		respond_with_html(request, 400, html)
	84	self._mapping_lock = Linearizer(name="saml_mapping", clock=self.clock)
	85
	86	self._sso_handler = hs.get_sso_handler()
110	87
111	88	def handle_redirect_request(
112	89	self, client_redirect_url: bytes, ui_auth_session_id: Optional[str] = None

123	100	URL to redirect to
124	101	"""
125	102	reqid, info = self._saml_client.prepare_for_authenticate(
126		relay_state=client_redirect_url
	103	entityid=self._saml_idp_entityid, relay_state=client_redirect_url
127	104	)
128	105
129	106	# Since SAML sessions timeout it is useful to log when they were created.
130	107	logger.info("Initiating a new SAML session: %s" % (reqid,))
131	108
132		now = self._clock.time_msec()
	109	now = self.clock.time_msec()
133	110	self._outstanding_requests_dict[reqid] = Saml2SessionData(
134	111	creation_time=now, ui_auth_session_id=ui_auth_session_id,
135	112	)

170	147	# in the (user-visible) exception message, so let's log the exception here
171	148	# so we can track down the session IDs later.
172	149	logger.warning(str(e))
173		self._render_error(
	150	self._sso_handler.render_error(
174	151	request, "unsolicited_response", "Unexpected SAML2 login."
175	152	)
176	153	return
177	154	except Exception as e:
178		self._render_error(
	155	self._sso_handler.render_error(
179	156	request,
180	157	"invalid_response",
181	158	"Unable to parse SAML2 response: %s." % (e,),

183	160	return
184	161
185	162	if saml2_auth.not_signed:
186		self._render_error(
	163	self._sso_handler.render_error(
187	164	request, "unsigned_respond", "SAML2 response was not signed."
188	165	)
189	166	return

209	186	# attributes.
210	187	for requirement in self._saml2_attribute_requirements:
211	188	if not _check_attribute_requirement(saml2_auth.ava, requirement):
212		self._render_error(
	189	self._sso_handler.render_error(
213	190	request, "unauthorised", "You are not authorised to log in here."
214	191	)
215	192	return

225	202	)
226	203	except MappingException as e:
227	204	logger.exception("Could not map user")
228		self._render_error(request, "mapping_error", str(e))
	205	self._sso_handler.render_error(request, "mapping_error", str(e))
229	206	return
230	207
231	208	# Complete the interactive auth session or the login.

271	248	"Failed to extract remote user id from SAML response"
272	249	)
273	250
274		with (await self._mapping_lock.queue(self._auth_provider_id)):
275		# first of all, check if we already have a mapping for this user
276		logger.info(
277		"Looking for existing mapping for user %s:%s",
278		self._auth_provider_id,
279		remote_user_id,
280		)
281		registered_user_id = await self._datastore.get_user_by_external_id(
282		self._auth_provider_id, remote_user_id
283		)
284		if registered_user_id is not None:
285		logger.info("Found existing mapping %s", registered_user_id)
286		return registered_user_id
287
	251	async def saml_response_to_remapped_user_attributes(
	252	failures: int,
	253	) -> UserAttributes:
	254	"""
	255	Call the mapping provider to map a SAML response to user attributes and coerce the result into the standard form.
	256
	257	This is backwards compatibility for abstraction for the SSO handler.
	258	"""
	259	# Call the mapping provider.
	260	result = self._user_mapping_provider.saml_response_to_user_attributes(
	261	saml2_auth, failures, client_redirect_url
	262	)
	263	# Remap some of the results.
	264	return UserAttributes(
	265	localpart=result.get("mxid_localpart"),
	266	display_name=result.get("displayname"),
	267	emails=result.get("emails", []),
	268	)
	269
	270	async def grandfather_existing_users() -> Optional[str]:
288	271	# backwards-compatibility hack: see if there is an existing user with a
289	272	# suitable mapping from the uid
290	273	if (

293	276	):
294	277	attrval = saml2_auth.ava[self._grandfathered_mxid_source_attribute][0]
295	278	user_id = UserID(
296		map_username_to_mxid_localpart(attrval), self._hostname
	279	map_username_to_mxid_localpart(attrval), self.server_name
297	280	).to_string()
298		logger.info(
	281
	282	logger.debug(
299	283	"Looking for existing account based on mapped %s %s",
300	284	self._grandfathered_mxid_source_attribute,
301	285	user_id,
302	286	)
303	287
304		users = await self._datastore.get_users_by_id_case_insensitive(user_id)
	288	users = await self.store.get_users_by_id_case_insensitive(user_id)
305	289	if users:
306	290	registered_user_id = list(users.keys())[0]
307	291	logger.info("Grandfathering mapping to %s", registered_user_id)
308		await self._datastore.record_user_external_id(
309		self._auth_provider_id, remote_user_id, registered_user_id
310		)
311	292	return registered_user_id
312	293
313		# Map saml response to user attributes using the configured mapping provider
314		for i in range(1000):
315		attribute_dict = self._user_mapping_provider.saml_response_to_user_attributes(
316		saml2_auth, i, client_redirect_url=client_redirect_url,
317		)
318
319		logger.debug(
320		"Retrieved SAML attributes from user mapping provider: %s "
321		"(attempt %d)",
322		attribute_dict,
323		i,
324		)
325
326		localpart = attribute_dict.get("mxid_localpart")
327		if not localpart:
328		raise MappingException(
329		"Error parsing SAML2 response: SAML mapping provider plugin "
330		"did not return a mxid_localpart value"
331		)
332
333		displayname = attribute_dict.get("displayname")
334		emails = attribute_dict.get("emails", [])
335
336		# Check if this mxid already exists
337		if not await self._datastore.get_users_by_id_case_insensitive(
338		UserID(localpart, self._hostname).to_string()
339		):
340		# This mxid is free
341		break
342		else:
343		# Unable to generate a username in 1000 iterations
344		# Break and return error to the user
345		raise MappingException(
346		"Unable to generate a Matrix ID from the SAML response"
347		)
348
349		logger.info("Mapped SAML user to local part %s", localpart)
350
351		registered_user_id = await self._registration_handler.register_user(
352		localpart=localpart,
353		default_display_name=displayname,
354		bind_emails=emails,
355		user_agent_ips=(user_agent, ip_address),
356		)
357
358		await self._datastore.record_user_external_id(
359		self._auth_provider_id, remote_user_id, registered_user_id
360		)
361		return registered_user_id
	294	return None
	295
	296	with (await self._mapping_lock.queue(self._auth_provider_id)):
	297	return await self._sso_handler.get_mxid_from_sso(
	298	self._auth_provider_id,
	299	remote_user_id,
	300	user_agent,
	301	ip_address,
	302	saml_response_to_remapped_user_attributes,
	303	grandfather_existing_users,
	304	)
362	305
363	306	def expire_sessions(self):
364		expire_before = self._clock.time_msec() - self._saml2_session_lifetime
	307	expire_before = self.clock.time_msec() - self._saml2_session_lifetime
365	308	to_expire = set()
366	309	for reqid, data in self._outstanding_requests_dict.items():
367	310	if data.creation_time < expire_before:

473	416	)
474	417
475	418	# Use the configured mapper for this mxid_source
476		base_mxid_localpart = self._mxid_mapper(mxid_source)
	419	localpart = self._mxid_mapper(mxid_source)
477	420
478	421	# Append suffix integer if last call to this function failed to produce
479		# a usable mxid
480		localpart = base_mxid_localpart + (str(failures) if failures else "")
	422	# a usable mxid.
	423	localpart += str(failures) if failures else ""
481	424
482	425	# Retrieve the display name from the saml response
483	426	# If displayname is None, the mxid_localpart will be used instead

+244

-0

synapse/handlers/sso.py less more

	0	# -- coding: utf-8 --
	1	# Copyright 2020 The Matrix.org Foundation C.I.C.
	2	#
	3	# Licensed under the Apache License, Version 2.0 (the "License");
	4	# you may not use this file except in compliance with the License.
	5	# You may obtain a copy of the License at
	6	#
	7	# http://www.apache.org/licenses/LICENSE-2.0
	8	#
	9	# Unless required by applicable law or agreed to in writing, software
	10	# distributed under the License is distributed on an "AS IS" BASIS,
	11	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	12	# See the License for the specific language governing permissions and
	13	# limitations under the License.
	14	import logging
	15	from typing import TYPE_CHECKING, Awaitable, Callable, List, Optional
	16
	17	import attr
	18
	19	from synapse.api.errors import RedirectException
	20	from synapse.handlers._base import BaseHandler
	21	from synapse.http.server import respond_with_html
	22	from synapse.types import UserID, contains_invalid_mxid_characters
	23
	24	if TYPE_CHECKING:
	25	from synapse.server import HomeServer
	26
	27	logger = logging.getLogger(__name__)
	28
	29
	30	class MappingException(Exception):
	31	"""Used to catch errors when mapping an SSO response to user attributes.
	32
	33	Note that the msg that is raised is shown to end-users.
	34	"""
	35
	36
	37	@attr.s
	38	class UserAttributes:
	39	localpart = attr.ib(type=str)
	40	display_name = attr.ib(type=Optional[str], default=None)
	41	emails = attr.ib(type=List[str], default=attr.Factory(list))
	42
	43
	44	class SsoHandler(BaseHandler):
	45	# The number of attempts to ask the mapping provider for when generating an MXID.
	46	_MAP_USERNAME_RETRIES = 1000
	47
	48	def __init__(self, hs: "HomeServer"):
	49	super().__init__(hs)
	50	self._registration_handler = hs.get_registration_handler()
	51	self._error_template = hs.config.sso_error_template
	52
	53	def render_error(
	54	self, request, error: str, error_description: Optional[str] = None
	55	) -> None:
	56	"""Renders the error template and responds with it.
	57
	58	This is used to show errors to the user. The template of this page can
	59	be found under `synapse/res/templates/sso_error.html`.
	60
	61	Args:
	62	request: The incoming request from the browser.
	63	We'll respond with an HTML page describing the error.
	64	error: A technical identifier for this error.
	65	error_description: A human-readable description of the error.
	66	"""
	67	html = self._error_template.render(
	68	error=error, error_description=error_description
	69	)
	70	respond_with_html(request, 400, html)
	71
	72	async def get_sso_user_by_remote_user_id(
	73	self, auth_provider_id: str, remote_user_id: str
	74	) -> Optional[str]:
	75	"""
	76	Maps the user ID of a remote IdP to a mxid for a previously seen user.
	77
	78	If the user has not been seen yet, this will return None.
	79
	80	Args:
	81	auth_provider_id: A unique identifier for this SSO provider, e.g.
	82	"oidc" or "saml".
	83	remote_user_id: The user ID according to the remote IdP. This might
	84	be an e-mail address, a GUID, or some other form. It must be
	85	unique and immutable.
	86
	87	Returns:
	88	The mxid of a previously seen user.
	89	"""
	90	logger.debug(
	91	"Looking for existing mapping for user %s:%s",
	92	auth_provider_id,
	93	remote_user_id,
	94	)
	95
	96	# Check if we already have a mapping for this user.
	97	previously_registered_user_id = await self.store.get_user_by_external_id(
	98	auth_provider_id, remote_user_id,
	99	)
	100
	101	# A match was found, return the user ID.
	102	if previously_registered_user_id is not None:
	103	logger.info(
	104	"Found existing mapping for IdP '%s' and remote_user_id '%s': %s",
	105	auth_provider_id,
	106	remote_user_id,
	107	previously_registered_user_id,
	108	)
	109	return previously_registered_user_id
	110
	111	# No match.
	112	return None
	113
	114	async def get_mxid_from_sso(
	115	self,
	116	auth_provider_id: str,
	117	remote_user_id: str,
	118	user_agent: str,
	119	ip_address: str,
	120	sso_to_matrix_id_mapper: Callable[[int], Awaitable[UserAttributes]],
	121	grandfather_existing_users: Optional[Callable[[], Awaitable[Optional[str]]]],
	122	) -> str:
	123	"""
	124	Given an SSO ID, retrieve the user ID for it and possibly register the user.
	125
	126	This first checks if the SSO ID has previously been linked to a matrix ID,
	127	if it has that matrix ID is returned regardless of the current mapping
	128	logic.
	129
	130	If a callable is provided for grandfathering users, it is called and can
	131	potentially return a matrix ID to use. If it does, the SSO ID is linked to
	132	this matrix ID for subsequent calls.
	133
	134	The mapping function is called (potentially multiple times) to generate
	135	a localpart for the user.
	136
	137	If an unused localpart is generated, the user is registered from the
	138	given user-agent and IP address and the SSO ID is linked to this matrix
	139	ID for subsequent calls.
	140
	141	Args:
	142	auth_provider_id: A unique identifier for this SSO provider, e.g.
	143	"oidc" or "saml".
	144	remote_user_id: The unique identifier from the SSO provider.
	145	user_agent: The user agent of the client making the request.
	146	ip_address: The IP address of the client making the request.
	147	sso_to_matrix_id_mapper: A callable to generate the user attributes.
	148	The only parameter is an integer which represents the amount of
	149	times the returned mxid localpart mapping has failed.
	150
	151	It is expected that the mapper can raise two exceptions, which
	152	will get passed through to the caller:
	153
	154	MappingException if there was a problem mapping the response
	155	to the user.
	156	RedirectException to redirect to an additional page (e.g.
	157	to prompt the user for more information).
	158	grandfather_existing_users: A callable which can return an previously
	159	existing matrix ID. The SSO ID is then linked to the returned
	160	matrix ID.
	161
	162	Returns:
	163	The user ID associated with the SSO response.
	164
	165	Raises:
	166	MappingException if there was a problem mapping the response to a user.
	167	RedirectException: if the mapping provider needs to redirect the user
	168	to an additional page. (e.g. to prompt for more information)
	169
	170	"""
	171	# first of all, check if we already have a mapping for this user
	172	previously_registered_user_id = await self.get_sso_user_by_remote_user_id(
	173	auth_provider_id, remote_user_id,
	174	)
	175	if previously_registered_user_id:
	176	return previously_registered_user_id
	177
	178	# Check for grandfathering of users.
	179	if grandfather_existing_users:
	180	previously_registered_user_id = await grandfather_existing_users()
	181	if previously_registered_user_id:
	182	# Future logins should also match this user ID.
	183	await self.store.record_user_external_id(
	184	auth_provider_id, remote_user_id, previously_registered_user_id
	185	)
	186	return previously_registered_user_id
	187
	188	# Otherwise, generate a new user.
	189	for i in range(self._MAP_USERNAME_RETRIES):
	190	try:
	191	attributes = await sso_to_matrix_id_mapper(i)
	192	except (RedirectException, MappingException):
	193	# Mapping providers are allowed to issue a redirect (e.g. to ask
	194	# the user for more information) and can issue a mapping exception
	195	# if a name cannot be generated.
	196	raise
	197	except Exception as e:
	198	# Any other exception is unexpected.
	199	raise MappingException(
	200	"Could not extract user attributes from SSO response."
	201	) from e
	202
	203	logger.debug(
	204	"Retrieved user attributes from user mapping provider: %r (attempt %d)",
	205	attributes,
	206	i,
	207	)
	208
	209	if not attributes.localpart:
	210	raise MappingException(
	211	"Error parsing SSO response: SSO mapping provider plugin "
	212	"did not return a localpart value"
	213	)
	214
	215	# Check if this mxid already exists
	216	user_id = UserID(attributes.localpart, self.server_name).to_string()
	217	if not await self.store.get_users_by_id_case_insensitive(user_id):
	218	# This mxid is free
	219	break
	220	else:
	221	# Unable to generate a username in 1000 iterations
	222	# Break and return error to the user
	223	raise MappingException(
	224	"Unable to generate a Matrix ID from the SSO response"
	225	)
	226
	227	# Since the localpart is provided via a potentially untrusted module,
	228	# ensure the MXID is valid before registering.
	229	if contains_invalid_mxid_characters(attributes.localpart):
	230	raise MappingException("localpart is invalid: %s" % (attributes.localpart,))
	231
	232	logger.debug("Mapped SSO user to local part %s", attributes.localpart)
	233	registered_user_id = await self._registration_handler.register_user(
	234	localpart=attributes.localpart,
	235	default_display_name=attributes.display_name,
	236	bind_emails=attributes.emails,
	237	user_agent_ips=[(user_agent, ip_address)],
	238	)
	239
	240	await self.store.record_user_external_id(
	241	auth_provider_id, remote_user_id, registered_user_id
	242	)
	243	return registered_user_id

+3

-1

synapse/handlers/sync.py less more

30	30	Collection,
31	31	JsonDict,
32	32	MutableStateMap,
	33	Requester,
33	34	RoomStreamToken,
34	35	StateMap,
35	36	StreamToken,

259	260
260	261	async def wait_for_sync_for_user(
261	262	self,
	263	requester: Requester,
262	264	sync_config: SyncConfig,
263	265	since_token: Optional[StreamToken] = None,
264	266	timeout: int = 0,

272	274	# not been exceeded (if not part of the group by this point, almost certain
273	275	# auth_blocking will occur)
274	276	user_id = sync_config.user.to_string()
275		await self.auth.check_auth_blocking(user_id)
	277	await self.auth.check_auth_blocking(requester=requester)
276	278
277	279	res = await self.response_cache.wrap(
278	280	sync_config.request_key,

+140

-95

synapse/http/client.py less more

13	13	# See the License for the specific language governing permissions and
14	14	# limitations under the License.
15	15	import logging
16		import urllib
	16	import urllib.parse
17	17	from io import BytesIO
18	18	from typing import (
	19	TYPE_CHECKING,
19	20	Any,
20	21	BinaryIO,
21	22	Dict,

30	31
31	32	import treq
32	33	from canonicaljson import encode_canonical_json
33		from netaddr import IPAddress
	34	from netaddr import IPAddress, IPSet
34	35	from prometheus_client import Counter
35	36	from zope.interface import implementer, provider
36	37

38	39	from OpenSSL.SSL import VERIFY_NONE
39	40	from twisted.internet import defer, error as twisted_error, protocol, ssl
40	41	from twisted.internet.interfaces import (
	42	IAddress,
	43	IHostResolution,
41	44	IReactorPluggableNameResolver,
42	45	IResolutionReceiver,
43	46	)

52	55	)
53	56	from twisted.web.http import PotentialDataLoss
54	57	from twisted.web.http_headers import Headers
55		from twisted.web.iweb import IResponse
	58	from twisted.web.iweb import IAgent, IBodyProducer, IResponse
56	59
57	60	from synapse.api.errors import Codes, HttpResponseException, SynapseError
58	61	from synapse.http import QuieterFileBodyProducer, RequestTimedOutError, redact_uri

62	65	from synapse.util import json_decoder
63	66	from synapse.util.async_helpers import timeout_deferred
64	67
	68	if TYPE_CHECKING:
	69	from synapse.app.homeserver import HomeServer
	70
65	71	logger = logging.getLogger(__name__)
66	72
67	73	outgoing_requests_counter = Counter("synapse_http_client_requests", "", ["method"])

83	89	QueryParams = Union[Mapping[str, QueryParamValue], Mapping[bytes, QueryParamValue]]
84	90
85	91
86		def check_against_blacklist(ip_address, ip_whitelist, ip_blacklist):
87		"""
	92	def check_against_blacklist(
	93	ip_address: IPAddress, ip_whitelist: Optional[IPSet], ip_blacklist: IPSet
	94	) -> bool:
	95	"""
	96	Compares an IP address to allowed and disallowed IP sets.
	97
88	98	Args:
89		ip_address (netaddr.IPAddress)
90		ip_whitelist (netaddr.IPSet)
91		ip_blacklist (netaddr.IPSet)
	99	ip_address: The IP address to check
	100	ip_whitelist: Allowed IP addresses.
	101	ip_blacklist: Disallowed IP addresses.
	102
	103	Returns:
	104	True if the IP address is in the blacklist and not in the whitelist.
92	105	"""
93	106	if ip_address in ip_blacklist:
94	107	if ip_whitelist is None or ip_address not in ip_whitelist:

117	130	addresses, preventing DNS rebinding attacks on URL preview.
118	131	"""
119	132
120		def __init__(self, reactor, ip_whitelist, ip_blacklist):
121		"""
122		Args:
123		reactor (twisted.internet.reactor)
124		ip_whitelist (netaddr.IPSet)
125		ip_blacklist (netaddr.IPSet)
	133	def __init__(
	134	self,
	135	reactor: IReactorPluggableNameResolver,
	136	ip_whitelist: Optional[IPSet],
	137	ip_blacklist: IPSet,
	138	):
	139	"""
	140	Args:
	141	reactor: The twisted reactor.
	142	ip_whitelist: IP addresses to allow.
	143	ip_blacklist: IP addresses to disallow.
126	144	"""
127	145	self._reactor = reactor
128	146	self._ip_whitelist = ip_whitelist
129	147	self._ip_blacklist = ip_blacklist
130	148
131		def resolveHostName(self, recv, hostname, portNumber=0):
	149	def resolveHostName(
	150	self, recv: IResolutionReceiver, hostname: str, portNumber: int = 0
	151	) -> IResolutionReceiver:
132	152
133	153	r = recv()
134		addresses = []
135
136		def _callback():
	154	addresses = [] # type: List[IAddress]
	155
	156	def _callback() -> None:
137	157	r.resolutionBegan(None)
138	158
139	159	has_bad_ip = False

160	180	@provider(IResolutionReceiver)
161	181	class EndpointReceiver:
162	182	@staticmethod
163		def resolutionBegan(resolutionInProgress):
	183	def resolutionBegan(resolutionInProgress: IHostResolution) -> None:
164	184	pass
165	185
166	186	@staticmethod
167		def addressResolved(address):
	187	def addressResolved(address: IAddress) -> None:
168	188	addresses.append(address)
169	189
170	190	@staticmethod
171		def resolutionComplete():
	191	def resolutionComplete() -> None:
172	192	_callback()
173	193
174	194	self._reactor.nameResolver.resolveHostName(

184	204	directly (without an IP address lookup).
185	205	"""
186	206
187		def __init__(self, agent, reactor, ip_whitelist=None, ip_blacklist=None):
188		"""
189		Args:
190		agent (twisted.web.client.Agent): The Agent to wrap.
191		reactor (twisted.internet.reactor)
192		ip_whitelist (netaddr.IPSet)
193		ip_blacklist (netaddr.IPSet)
	207	def __init__(
	208	self,
	209	agent: IAgent,
	210	ip_whitelist: Optional[IPSet] = None,
	211	ip_blacklist: Optional[IPSet] = None,
	212	):
	213	"""
	214	Args:
	215	agent: The Agent to wrap.
	216	ip_whitelist: IP addresses to allow.
	217	ip_blacklist: IP addresses to disallow.
194	218	"""
195	219	self._agent = agent
196	220	self._ip_whitelist = ip_whitelist
197	221	self._ip_blacklist = ip_blacklist
198	222
199		def request(self, method, uri, headers=None, bodyProducer=None):
	223	def request(
	224	self,
	225	method: bytes,
	226	uri: bytes,
	227	headers: Optional[Headers] = None,
	228	bodyProducer: Optional[IBodyProducer] = None,
	229	) -> defer.Deferred:
200	230	h = urllib.parse.urlparse(uri.decode("ascii"))
201	231
202	232	try:

225	255
226	256	def __init__(
227	257	self,
228		hs,
229		treq_args={},
230		ip_whitelist=None,
231		ip_blacklist=None,
232		http_proxy=None,
233		https_proxy=None,
	258	hs: "HomeServer",
	259	treq_args: Dict[str, Any] = {},
	260	ip_whitelist: Optional[IPSet] = None,
	261	ip_blacklist: Optional[IPSet] = None,
	262	http_proxy: Optional[bytes] = None,
	263	https_proxy: Optional[bytes] = None,
234	264	):
235	265	"""
236	266	Args:
237		hs (synapse.server.HomeServer)
238		treq_args (dict): Extra keyword arguments to be given to treq.request.
239		ip_blacklist (netaddr.IPSet): The IP addresses that are blacklisted that
	267	hs
	268	treq_args: Extra keyword arguments to be given to treq.request.
	269	ip_blacklist: The IP addresses that are blacklisted that
240	270	we may not request.
241		ip_whitelist (netaddr.IPSet): The whitelisted IP addresses, that we can
	271	ip_whitelist: The whitelisted IP addresses, that we can
242	272	request if it were otherwise caught in a blacklist.
243		http_proxy (bytes): proxy server to use for http connections. host[:port]
244		https_proxy (bytes): proxy server to use for https connections. host[:port]
	273	http_proxy: proxy server to use for http connections. host[:port]
	274	https_proxy: proxy server to use for https connections. host[:port]
245	275	"""
246	276	self.hs = hs
247	277

305	335	# by the DNS resolution.
306	336	self.agent = BlacklistingAgentWrapper(
307	337	self.agent,
308		self.reactor,
309	338	ip_whitelist=self._ip_whitelist,
310	339	ip_blacklist=self._ip_blacklist,
311	340	)

396	425	async def post_urlencoded_get_json(
397	426	self,
398	427	uri: str,
399		args: Mapping[str, Union[str, List[str]]] = {},
	428	args: Optional[Mapping[str, Union[str, List[str]]]] = None,
400	429	headers: Optional[RawHeaders] = None,
401	430	) -> Any:
402	431	"""

421	450	# TODO: Do we ever want to log message contents?
422	451	logger.debug("post_urlencoded_get_json args: %s", args)
423	452
424		query_bytes = urllib.parse.urlencode(encode_urlencode_args(args), True).encode(
425		"utf8"
426		)
	453	query_bytes = encode_query_args(args)
427	454
428	455	actual_headers = {
429	456	b"Content-Type": [b"application/x-www-form-urlencoded"],

431	458	b"Accept": [b"application/json"],
432	459	}
433	460	if headers:
434		actual_headers.update(headers)
	461	actual_headers.update(headers) # type: ignore
435	462
436	463	response = await self.request(
437	464	"POST", uri, headers=Headers(actual_headers), data=query_bytes

478	505	b"Accept": [b"application/json"],
479	506	}
480	507	if headers:
481		actual_headers.update(headers)
	508	actual_headers.update(headers) # type: ignore
482	509
483	510	response = await self.request(
484	511	"POST", uri, headers=Headers(actual_headers), data=json_str

494	521	)
495	522
496	523	async def get_json(
497		self, uri: str, args: QueryParams = {}, headers: Optional[RawHeaders] = None,
	524	self,
	525	uri: str,
	526	args: Optional[QueryParams] = None,
	527	headers: Optional[RawHeaders] = None,
498	528	) -> Any:
499	529	"""Gets some json from the given URI.
500	530

515	545	"""
516	546	actual_headers = {b"Accept": [b"application/json"]}
517	547	if headers:
518		actual_headers.update(headers)
	548	actual_headers.update(headers) # type: ignore
519	549
520	550	body = await self.get_raw(uri, args, headers=headers)
521	551	return json_decoder.decode(body.decode("utf-8"))

524	554	self,
525	555	uri: str,
526	556	json_body: Any,
527		args: QueryParams = {},
	557	args: Optional[QueryParams] = None,
528	558	headers: RawHeaders = None,
529	559	) -> Any:
530	560	"""Puts some json to the given URI.

545	575
546	576	ValueError: if the response was not JSON
547	577	"""
548		if len(args):
549		query_bytes = urllib.parse.urlencode(args, True)
550		uri = "%s?%s" % (uri, query_bytes)
	578	if args:
	579	query_str = urllib.parse.urlencode(args, True)
	580	uri = "%s?%s" % (uri, query_str)
551	581
552	582	json_str = encode_canonical_json(json_body)
553	583

557	587	b"Accept": [b"application/json"],
558	588	}
559	589	if headers:
560		actual_headers.update(headers)
	590	actual_headers.update(headers) # type: ignore
561	591
562	592	response = await self.request(
563	593	"PUT", uri, headers=Headers(actual_headers), data=json_str

573	603	)
574	604
575	605	async def get_raw(
576		self, uri: str, args: QueryParams = {}, headers: Optional[RawHeaders] = None
	606	self,
	607	uri: str,
	608	args: Optional[QueryParams] = None,
	609	headers: Optional[RawHeaders] = None,
577	610	) -> bytes:
578	611	"""Gets raw text from the given URI.
579	612

591	624
592	625	HttpResponseException on a non-2xx HTTP response.
593	626	"""
594		if len(args):
595		query_bytes = urllib.parse.urlencode(args, True)
596		uri = "%s?%s" % (uri, query_bytes)
	627	if args:
	628	query_str = urllib.parse.urlencode(args, True)
	629	uri = "%s?%s" % (uri, query_str)
597	630
598	631	actual_headers = {b"User-Agent": [self.user_agent]}
599	632	if headers:
600		actual_headers.update(headers)
	633	actual_headers.update(headers) # type: ignore
601	634
602	635	response = await self.request("GET", uri, headers=Headers(actual_headers))
603	636

640	673
641	674	actual_headers = {b"User-Agent": [self.user_agent]}
642	675	if headers:
643		actual_headers.update(headers)
	676	actual_headers.update(headers) # type: ignore
644	677
645	678	response = await self.request("GET", url, headers=Headers(actual_headers))
646	679

648	681
649	682	if (
650	683	b"Content-Length" in resp_headers
	684	and max_size
651	685	and int(resp_headers[b"Content-Length"][0]) > max_size
652	686	):
653		logger.warning("Requested URL is too large > %r bytes" % (self.max_size,))
	687	logger.warning("Requested URL is too large > %r bytes" % (max_size,))
654	688	raise SynapseError(
655	689	502,
656		"Requested file is too large > %r bytes" % (self.max_size,),
	690	"Requested file is too large > %r bytes" % (max_size,),
657	691	Codes.TOO_LARGE,
658	692	)
659	693

667	701
668	702	try:
669	703	length = await make_deferred_yieldable(
670		_readBodyToFile(response, output_stream, max_size)
	704	readBodyToFile(response, output_stream, max_size)
671	705	)
672	706	except SynapseError:
673	707	# This can happen e.g. because the body is too large.

695	729	return f
696	730
697	731
698		# XXX: FIXME: This is horribly copy-pasted from matrixfederationclient.
699		# The two should be factored out.
700
701
702	732	class _ReadBodyToFileProtocol(protocol.Protocol):
703		def __init__(self, stream, deferred, max_size):
	733	def __init__(
	734	self, stream: BinaryIO, deferred: defer.Deferred, max_size: Optional[int]
	735	):
704	736	self.stream = stream
705	737	self.deferred = deferred
706	738	self.length = 0
707	739	self.max_size = max_size
708	740
709		def dataReceived(self, data):
	741	def dataReceived(self, data: bytes) -> None:
710	742	self.stream.write(data)
711	743	self.length += len(data)
712	744	if self.max_size is not None and self.length >= self.max_size:

720	752	self.deferred = defer.Deferred()
721	753	self.transport.loseConnection()
722	754
723		def connectionLost(self, reason):
	755	def connectionLost(self, reason: Failure) -> None:
724	756	if reason.check(ResponseDone):
725	757	self.deferred.callback(self.length)
726	758	elif reason.check(PotentialDataLoss):

731	763	self.deferred.errback(reason)
732	764
733	765
734		# XXX: FIXME: This is horribly copy-pasted from matrixfederationclient.
735		# The two should be factored out.
736
737
738		def _readBodyToFile(response, stream, max_size):
	766	def readBodyToFile(
	767	response: IResponse, stream: BinaryIO, max_size: Optional[int]
	768	) -> defer.Deferred:
	769	"""
	770	Read a HTTP response body to a file-object. Optionally enforcing a maximum file size.
	771
	772	Args:
	773	response: The HTTP response to read from.
	774	stream: The file-object to write to.
	775	max_size: The maximum file size to allow.
	776
	777	Returns:
	778	A Deferred which resolves to the length of the read body.
	779	"""
	780
739	781	d = defer.Deferred()
740	782	response.deliverBody(_ReadBodyToFileProtocol(stream, d, max_size))
741	783	return d
742	784
743	785
744		def encode_urlencode_args(args):
745		return {k: encode_urlencode_arg(v) for k, v in args.items()}
746
747
748		def encode_urlencode_arg(arg):
749		if isinstance(arg, str):
750		return arg.encode("utf-8")
751		elif isinstance(arg, list):
752		return [encode_urlencode_arg(i) for i in arg]
753		else:
754		return arg
755
756
757		def _print_ex(e):
758		if hasattr(e, "reasons") and e.reasons:
759		for ex in e.reasons:
760		_print_ex(ex)
761		else:
762		logger.exception(e)
	786	def encode_query_args(args: Optional[Mapping[str, Union[str, List[str]]]]) -> bytes:
	787	"""
	788	Encodes a map of query arguments to bytes which can be appended to a URL.
	789
	790	Args:
	791	args: The query arguments, a mapping of string to string or list of strings.
	792
	793	Returns:
	794	The query arguments encoded as bytes.
	795	"""
	796	if args is None:
	797	return b""
	798
	799	encoded_args = {}
	800	for k, vs in args.items():
	801	if isinstance(vs, str):
	802	vs = [vs]
	803	encoded_args[k] = [v.encode("utf8") for v in vs]
	804
	805	query_str = urllib.parse.urlencode(encoded_args, True)
	806
	807	return query_str.encode("utf8")
763	808
764	809
765	810	class InsecureInterceptableContextFactory(ssl.ContextFactory):

+64

-42

synapse/http/federation/matrix_federation_agent.py less more

11	11	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12	12	# See the License for the specific language governing permissions and
13	13	# limitations under the License.
14
15	14	import logging
16		import urllib
17		from typing import List
	15	import urllib.parse
	16	from typing import List, Optional
18	17
19	18	from netaddr import AddrFormatError, IPAddress
20	19	from zope.interface import implementer
21	20
22	21	from twisted.internet import defer
23	22	from twisted.internet.endpoints import HostnameEndpoint, wrapClientTLS
24		from twisted.internet.interfaces import IStreamClientEndpoint
25		from twisted.web.client import Agent, HTTPConnectionPool
	23	from twisted.internet.interfaces import (
	24	IProtocolFactory,
	25	IReactorCore,
	26	IStreamClientEndpoint,
	27	)
	28	from twisted.web.client import URI, Agent, HTTPConnectionPool
26	29	from twisted.web.http_headers import Headers
27		from twisted.web.iweb import IAgent, IAgentEndpointFactory
28
	30	from twisted.web.iweb import IAgent, IAgentEndpointFactory, IBodyProducer
	31
	32	from synapse.crypto.context_factory import FederationPolicyForHTTPS
29	33	from synapse.http.federation.srv_resolver import Server, SrvResolver
30	34	from synapse.http.federation.well_known_resolver import WellKnownResolver
31	35	from synapse.logging.context import make_deferred_yieldable, run_in_background

43	47	Doesn't implement any retries. (Those are done in MatrixFederationHttpClient.)
44	48
45	49	Args:
46		reactor (IReactor): twisted reactor to use for underlying requests
47
48		tls_client_options_factory (FederationPolicyForHTTPS\|None):
	50	reactor: twisted reactor to use for underlying requests
	51
	52	tls_client_options_factory:
49	53	factory to use for fetching client tls options, or none to disable TLS.
50	54
51		user_agent (bytes):
	55	user_agent:
52	56	The user agent header to use for federation requests.
53	57
54		_srv_resolver (SrvResolver\|None):
55		SRVResolver impl to use for looking up SRV records. None to use a default
56		implementation.
57
58		_well_known_resolver (WellKnownResolver\|None):
	58	_srv_resolver:
	59	SrvResolver implementation to use for looking up SRV records. None
	60	to use a default implementation.
	61
	62	_well_known_resolver:
59	63	WellKnownResolver to use to perform well-known lookups. None to use a
60	64	default implementation.
61	65	"""
62	66
63	67	def __init__(
64	68	self,
65		reactor,
66		tls_client_options_factory,
67		user_agent,
68		_srv_resolver=None,
69		_well_known_resolver=None,
	69	reactor: IReactorCore,
	70	tls_client_options_factory: Optional[FederationPolicyForHTTPS],
	71	user_agent: bytes,
	72	_srv_resolver: Optional[SrvResolver] = None,
	73	_well_known_resolver: Optional[WellKnownResolver] = None,
70	74	):
71	75	self._reactor = reactor
72	76	self._clock = Clock(reactor)

98	102	self._well_known_resolver = _well_known_resolver
99	103
100	104	@defer.inlineCallbacks
101		def request(self, method, uri, headers=None, bodyProducer=None):
	105	def request(
	106	self,
	107	method: bytes,
	108	uri: bytes,
	109	headers: Optional[Headers] = None,
	110	bodyProducer: Optional[IBodyProducer] = None,
	111	) -> defer.Deferred:
102	112	"""
103	113	Args:
104		method (bytes): HTTP method: GET/POST/etc
105		uri (bytes): Absolute URI to be retrieved
106		headers (twisted.web.http_headers.Headers\|None):
107		HTTP headers to send with the request, or None to
108		send no extra headers.
109		bodyProducer (twisted.web.iweb.IBodyProducer\|None):
	114	method: HTTP method: GET/POST/etc
	115	uri: Absolute URI to be retrieved
	116	headers:
	117	HTTP headers to send with the request, or None to send no extra headers.
	118	bodyProducer:
110	119	An object which can generate bytes to make up the
111	120	body of this request (for example, the properly encoded contents of
112	121	a file for a file upload). Or None if the request is to have

121	130	# We use urlparse as that will set `port` to None if there is no
122	131	# explicit port.
123	132	parsed_uri = urllib.parse.urlparse(uri)
	133
	134	# There must be a valid hostname.
	135	assert parsed_uri.hostname
124	136
125	137	# If this is a matrix:// URI check if the server has delegated matrix
126	138	# traffic using well-known delegation.

178	190	"""Factory for MatrixHostnameEndpoint for parsing to an Agent.
179	191	"""
180	192
181		def __init__(self, reactor, tls_client_options_factory, srv_resolver):
	193	def __init__(
	194	self,
	195	reactor: IReactorCore,
	196	tls_client_options_factory: Optional[FederationPolicyForHTTPS],
	197	srv_resolver: Optional[SrvResolver],
	198	):
182	199	self._reactor = reactor
183	200	self._tls_client_options_factory = tls_client_options_factory
184	201

202	219	resolution (i.e. via SRV). Does not check for well-known delegation.
203	220
204	221	Args:
205		reactor (IReactor)
206		tls_client_options_factory (ClientTLSOptionsFactory\|None):
	222	reactor: twisted reactor to use for underlying requests
	223	tls_client_options_factory:
207	224	factory to use for fetching client tls options, or none to disable TLS.
208		srv_resolver (SrvResolver): The SRV resolver to use
209		parsed_uri (twisted.web.client.URI): The parsed URI that we're wanting
210		to connect to.
	225	srv_resolver: The SRV resolver to use
	226	parsed_uri: The parsed URI that we're wanting to connect to.
211	227	"""
212	228
213		def __init__(self, reactor, tls_client_options_factory, srv_resolver, parsed_uri):
	229	def __init__(
	230	self,
	231	reactor: IReactorCore,
	232	tls_client_options_factory: Optional[FederationPolicyForHTTPS],
	233	srv_resolver: SrvResolver,
	234	parsed_uri: URI,
	235	):
214	236	self._reactor = reactor
215	237
216	238	self._parsed_uri = parsed_uri

230	252
231	253	self._srv_resolver = srv_resolver
232	254
233		def connect(self, protocol_factory):
	255	def connect(self, protocol_factory: IProtocolFactory) -> defer.Deferred:
234	256	"""Implements IStreamClientEndpoint interface
235	257	"""
236	258
237	259	return run_in_background(self._do_connect, protocol_factory)
238	260
239		async def _do_connect(self, protocol_factory):
	261	async def _do_connect(self, protocol_factory: IProtocolFactory) -> None:
240	262	first_exception = None
241	263
242	264	server_list = await self._resolve_server()

302	324	return [Server(host, 8448)]
303	325
304	326
305		def _is_ip_literal(host):
	327	def _is_ip_literal(host: bytes) -> bool:
306	328	"""Test if the given host name is either an IPv4 or IPv6 literal.
307	329
308	330	Args:
309		host (bytes)
	331	host: The host name to check
310	332
311	333	Returns:
312		bool
	334	True if the hostname is an IP address literal.
313	335	"""
314	336
315		host = host.decode("ascii")
	337	host_str = host.decode("ascii")
316	338
317	339	try:
318		IPAddress(host)
	340	IPAddress(host_str)
319	341	return True
320	342	except AddrFormatError:
321	343	return False

+8

-8

synapse/http/federation/well_known_resolver.py less more

11	11	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12	12	# See the License for the specific language governing permissions and
13	13	# limitations under the License.
14
15	14	import logging
16	15	import random
17	16	import time

20	19	import attr
21	20
22	21	from twisted.internet import defer
	22	from twisted.internet.interfaces import IReactorTime
23	23	from twisted.web.client import RedirectAgent, readBody
24	24	from twisted.web.http import stringToDatetime
25	25	from twisted.web.http_headers import Headers
26		from twisted.web.iweb import IResponse
	26	from twisted.web.iweb import IAgent, IResponse
27	27
28	28	from synapse.logging.context import make_deferred_yieldable
29	29	from synapse.util import Clock, json_decoder

80	80
81	81	def __init__(
82	82	self,
83		reactor,
84		agent,
85		user_agent,
86		well_known_cache=None,
87		had_well_known_cache=None,
	83	reactor: IReactorTime,
	84	agent: IAgent,
	85	user_agent: bytes,
	86	well_known_cache: Optional[TTLCache] = None,
	87	had_well_known_cache: Optional[TTLCache] = None,
88	88	):
89	89	self._reactor = reactor
90	90	self._clock = Clock(reactor)

126	126	with Measure(self._clock, "get_well_known"):
127	127	result, cache_period = await self._fetch_well_known(
128	128	server_name
129		) # type: Tuple[Optional[bytes], float]
	129	) # type: Optional[bytes], float
130	130
131	131	except _FetchWellKnownFailure as e:
132	132	if prev_result and e.temporary:

+170

-214

synapse/http/matrixfederationclient.py less more

16	16	import logging
17	17	import random
18	18	import sys
19		import urllib
	19	import urllib.parse
20	20	from io import BytesIO
	21	from typing import Callable, Dict, List, Optional, Tuple, Union
21	22
22	23	import attr
23	24	import treq

26	27	from signedjson.sign import sign_json
27	28	from zope.interface import implementer
28	29
29		from twisted.internet import defer, protocol
	30	from twisted.internet import defer
30	31	from twisted.internet.error import DNSLookupError
31	32	from twisted.internet.interfaces import IReactorPluggableNameResolver, IReactorTime
32	33	from twisted.internet.task import _EPSILON, Cooperator
33		from twisted.web._newclient import ResponseDone
34	34	from twisted.web.http_headers import Headers
35		from twisted.web.iweb import IResponse
	35	from twisted.web.iweb import IBodyProducer, IResponse
36	36
37	37	import synapse.metrics
38	38	import synapse.util.retryutils
39	39	from synapse.api.errors import (
40		Codes,
41	40	FederationDeniedError,
42	41	HttpResponseException,
43	42	RequestSendFailed,
44		SynapseError,
45	43	)
46	44	from synapse.http import QuieterFileBodyProducer
47		from synapse.http.client import BlacklistingAgentWrapper, IPBlacklistingResolver
	45	from synapse.http.client import (
	46	BlacklistingAgentWrapper,
	47	IPBlacklistingResolver,
	48	encode_query_args,
	49	readBodyToFile,
	50	)
48	51	from synapse.http.federation.matrix_federation_agent import MatrixFederationAgent
49	52	from synapse.logging.context import make_deferred_yieldable
50	53	from synapse.logging.opentracing import (

53	56	start_active_span,
54	57	tags,
55	58	)
	59	from synapse.types import JsonDict
56	60	from synapse.util import json_decoder
57	61	from synapse.util.async_helpers import timeout_deferred
58	62	from synapse.util.metrics import Measure

75	79	_next_id = 1
76	80
77	81
	82	QueryArgs = Dict[str, Union[str, List[str]]]
	83
	84
78	85	@attr.s(slots=True, frozen=True)
79	86	class MatrixFederationRequest:
80		method = attr.ib()
	87	method = attr.ib(type=str)
81	88	"""HTTP method
82		:type: str
83		"""
84
85		path = attr.ib()
	89	"""
	90
	91	path = attr.ib(type=str)
86	92	"""HTTP path
87		:type: str
88		"""
89
90		destination = attr.ib()
	93	"""
	94
	95	destination = attr.ib(type=str)
91	96	"""The remote server to send the HTTP request to.
92		:type: str"""
93
94		json = attr.ib(default=None)
	97	"""
	98
	99	json = attr.ib(default=None, type=Optional[JsonDict])
95	100	"""JSON to send in the body.
96		:type: dict\|None
97		"""
98
99		json_callback = attr.ib(default=None)
	101	"""
	102
	103	json_callback = attr.ib(default=None, type=Optional[Callable[[], JsonDict]])
100	104	"""A callback to generate the JSON.
101		:type: func\|None
102		"""
103
104		query = attr.ib(default=None)
	105	"""
	106
	107	query = attr.ib(default=None, type=Optional[dict])
105	108	"""Query arguments.
106		:type: dict\|None
107		"""
108
109		txn_id = attr.ib(default=None)
	109	"""
	110
	111	txn_id = attr.ib(default=None, type=Optional[str])
110	112	"""Unique ID for this request (for logging)
111		:type: str\|None
112	113	"""
113	114
114	115	uri = attr.ib(init=False, type=bytes)
115	116	"""The URI of this request
116	117	"""
117	118
118		def __attrs_post_init__(self):
	119	def __attrs_post_init__(self) -> None:
119	120	global _next_id
120	121	txn_id = "%s-O-%s" % (self.method, _next_id)
121	122	_next_id = (_next_id + 1) % (MAXINT - 1)

135	136	)
136	137	object.__setattr__(self, "uri", uri)
137	138
138		def get_json(self):
	139	def get_json(self) -> Optional[JsonDict]:
139	140	if self.json_callback:
140	141	return self.json_callback()
141	142	return self.json

147	148	request: MatrixFederationRequest,
148	149	response: IResponse,
149	150	start_ms: int,
150		):
	151	) -> JsonDict:
151	152	"""
152	153	Reads the JSON body of a response, with a timeout
153	154

159	160	start_ms: Timestamp when request was made
160	161
161	162	Returns:
162		dict: parsed JSON response
	163	The parsed JSON response
163	164	"""
164	165	try:
165	166	check_content_type_is_json(response.headers)

249	250	# Use a BlacklistingAgentWrapper to prevent circumventing the IP
250	251	# blacklist via IP literals in server names
251	252	self.agent = BlacklistingAgentWrapper(
252		self.agent,
253		self.reactor,
254		ip_blacklist=hs.config.federation_ip_range_blacklist,
	253	self.agent, ip_blacklist=hs.config.federation_ip_range_blacklist,
255	254	)
256	255
257	256	self.clock = hs.get_clock()

265	264	self._cooperator = Cooperator(scheduler=schedule)
266	265
267	266	async def _send_request_with_optional_trailing_slash(
268		self, request, try_trailing_slash_on_400=False, **send_request_args
269		):
	267	self,
	268	request: MatrixFederationRequest,
	269	try_trailing_slash_on_400: bool = False,
	270	**send_request_args
	271	) -> IResponse:
270	272	"""Wrapper for _send_request which can optionally retry the request
271	273	upon receiving a combination of a 400 HTTP response code and a
272	274	'M_UNRECOGNIZED' errcode. This is a workaround for Synapse <= v0.99.3
273	275	due to #3622.
274	276
275	277	Args:
276		request (MatrixFederationRequest): details of request to be sent
277		try_trailing_slash_on_400 (bool): Whether on receiving a 400
	278	request: details of request to be sent
	279	try_trailing_slash_on_400: Whether on receiving a 400
278	280	'M_UNRECOGNIZED' from the server to retry the request with a
279	281	trailing slash appended to the request path.
280		send_request_args (Dict): A dictionary of arguments to pass to
281		`_send_request()`.
	282	send_request_args: A dictionary of arguments to pass to `_send_request()`.
282	283
283	284	Raises:
284	285	HttpResponseException: If we get an HTTP response code >= 300
285	286	(except 429).
286	287
287	288	Returns:
288		Dict: Parsed JSON response body.
	289	Parsed JSON response body.
289	290	"""
290	291	try:
291	292	response = await self._send_request(request, **send_request_args)

312	313
313	314	async def _send_request(
314	315	self,
315		request,
316		retry_on_dns_fail=True,
317		timeout=None,
318		long_retries=False,
319		ignore_backoff=False,
320		backoff_on_404=False,
321		):
	316	request: MatrixFederationRequest,
	317	retry_on_dns_fail: bool = True,
	318	timeout: Optional[int] = None,
	319	long_retries: bool = False,
	320	ignore_backoff: bool = False,
	321	backoff_on_404: bool = False,
	322	) -> IResponse:
322	323	"""
323	324	Sends a request to the given server.
324	325
325	326	Args:
326		request (MatrixFederationRequest): details of request to be sent
327
328		timeout (int\|None): number of milliseconds to wait for the response headers
	327	request: details of request to be sent
	328
	329	retry_on_dns_fail: true if the request should be retied on DNS failures
	330
	331	timeout: number of milliseconds to wait for the response headers
329	332	(including connecting to the server), for each attempt.
330	333	60s by default.
331	334
332		long_retries (bool): whether to use the long retry algorithm.
	335	long_retries: whether to use the long retry algorithm.
333	336
334	337	The regular retry algorithm makes 4 attempts, with intervals
335	338	[0.5s, 1s, 2s].

345	348	NB: the long retry algorithm takes over 20 minutes to complete, with
346	349	a default timeout of 60s!
347	350
348		ignore_backoff (bool): true to ignore the historical backoff data
	351	ignore_backoff: true to ignore the historical backoff data
349	352	and try the request anyway.
350	353
351		backoff_on_404 (bool): Back off if we get a 404
	354	backoff_on_404: Back off if we get a 404
352	355
353	356	Returns:
354		twisted.web.client.Response: resolves with the HTTP
355		response object on success.
	357	Resolves with the HTTP response object on success.
356	358
357	359	Raises:
358	360	HttpResponseException: If we get an HTTP response code >= 300

403	405	)
404	406
405	407	# Inject the span into the headers
406		headers_dict = {}
	408	headers_dict = {} # type: Dict[bytes, List[bytes]]
407	409	inject_active_span_byte_dict(headers_dict, request.destination)
408	410
409	411	headers_dict[b"User-Agent"] = [self.version_string_bytes]

434	436	data = encode_canonical_json(json)
435	437	producer = QuieterFileBodyProducer(
436	438	BytesIO(data), cooperator=self._cooperator
437		)
	439	) # type: Optional[IBodyProducer]
438	440	else:
439	441	producer = None
440	442	auth_headers = self.build_auth_headers(

523	525	)
524	526	body = None
525	527
526		e = HttpResponseException(response.code, response_phrase, body)
	528	exc = HttpResponseException(
	529	response.code, response_phrase, body
	530	)
527	531
528	532	# Retry if the error is a 429 (Too Many Requests),
529	533	# otherwise just raise a standard HttpResponseException
530	534	if response.code == 429:
531		raise RequestSendFailed(e, can_retry=True) from e
	535	raise RequestSendFailed(exc, can_retry=True) from exc
532	536	else:
533		raise e
	537	raise exc
534	538
535	539	break
536	540	except RequestSendFailed as e:

581	585	return response
582	586
583	587	def build_auth_headers(
584		self, destination, method, url_bytes, content=None, destination_is=None
585		):
	588	self,
	589	destination: Optional[bytes],
	590	method: bytes,
	591	url_bytes: bytes,
	592	content: Optional[JsonDict] = None,
	593	destination_is: Optional[bytes] = None,
	594	) -> List[bytes]:
586	595	"""
587	596	Builds the Authorization headers for a federation request
588	597	Args:
589		destination (bytes\|None): The destination homeserver of the request.
	598	destination: The destination homeserver of the request.
590	599	May be None if the destination is an identity server, in which case
591	600	destination_is must be non-None.
592		method (bytes): The HTTP method of the request
593		url_bytes (bytes): The URI path of the request
594		content (object): The body of the request
595		destination_is (bytes): As 'destination', but if the destination is an
	601	method: The HTTP method of the request
	602	url_bytes: The URI path of the request
	603	content: The body of the request
	604	destination_is: As 'destination', but if the destination is an
596	605	identity server
597	606
598	607	Returns:
599		list[bytes]: a list of headers to be added as "Authorization:" headers
	608	A list of headers to be added as "Authorization:" headers
600	609	"""
601	610	request = {
602	611	"method": method.decode("ascii"),

628	637
629	638	async def put_json(
630	639	self,
631		destination,
632		path,
633		args={},
634		data={},
635		json_data_callback=None,
636		long_retries=False,
637		timeout=None,
638		ignore_backoff=False,
639		backoff_on_404=False,
640		try_trailing_slash_on_400=False,
641		):
	640	destination: str,
	641	path: str,
	642	args: Optional[QueryArgs] = None,
	643	data: Optional[JsonDict] = None,
	644	json_data_callback: Optional[Callable[[], JsonDict]] = None,
	645	long_retries: bool = False,
	646	timeout: Optional[int] = None,
	647	ignore_backoff: bool = False,
	648	backoff_on_404: bool = False,
	649	try_trailing_slash_on_400: bool = False,
	650	) -> Union[JsonDict, list]:
642	651	""" Sends the specified json data using PUT
643	652
644	653	Args:
645		destination (str): The remote server to send the HTTP request
646		to.
647		path (str): The HTTP path.
648		args (dict): query params
649		data (dict): A dict containing the data that will be used as
	654	destination: The remote server to send the HTTP request to.
	655	path: The HTTP path.
	656	args: query params
	657	data: A dict containing the data that will be used as
650	658	the request body. This will be encoded as JSON.
651		json_data_callback (callable): A callable returning the dict to
	659	json_data_callback: A callable returning the dict to
652	660	use as the request body.
653	661
654		long_retries (bool): whether to use the long retry algorithm. See
	662	long_retries: whether to use the long retry algorithm. See
655	663	docs on _send_request for details.
656	664
657		timeout (int\|None): number of milliseconds to wait for the response.
	665	timeout: number of milliseconds to wait for the response.
658	666	self._default_timeout (60s) by default.
659	667
660	668	Note that we may make several attempts to send the request; this

662	670	each attempt (including connection time) as well as the time spent
663	671	reading the response body after a 200 response.
664	672
665		ignore_backoff (bool): true to ignore the historical backoff data
	673	ignore_backoff: true to ignore the historical backoff data
666	674	and try the request anyway.
667		backoff_on_404 (bool): True if we should count a 404 response as
	675	backoff_on_404: True if we should count a 404 response as
668	676	a failure of the server (and should therefore back off future
669	677	requests).
670		try_trailing_slash_on_400 (bool): True if on a 400 M_UNRECOGNIZED
	678	try_trailing_slash_on_400: True if on a 400 M_UNRECOGNIZED
671	679	response we should try appending a trailing slash to the end
672	680	of the request. Workaround for #3622 in Synapse <= v0.99.3. This
673	681	will be attempted before backing off if backing off has been
674	682	enabled.
675	683
676	684	Returns:
677		dict\|list: Succeeds when we get a 2xx HTTP response. The
	685	Succeeds when we get a 2xx HTTP response. The
678	686	result will be the decoded JSON body.
679	687
680	688	Raises:

720	728
721	729	async def post_json(
722	730	self,
723		destination,
724		path,
725		data={},
726		long_retries=False,
727		timeout=None,
728		ignore_backoff=False,
729		args={},
730		):
	731	destination: str,
	732	path: str,
	733	data: Optional[JsonDict] = None,
	734	long_retries: bool = False,
	735	timeout: Optional[int] = None,
	736	ignore_backoff: bool = False,
	737	args: Optional[QueryArgs] = None,
	738	) -> Union[JsonDict, list]:
731	739	""" Sends the specified json data using POST
732	740
733	741	Args:
734		destination (str): The remote server to send the HTTP request
735		to.
736
737		path (str): The HTTP path.
738
739		data (dict): A dict containing the data that will be used as
	742	destination: The remote server to send the HTTP request to.
	743
	744	path: The HTTP path.
	745
	746	data: A dict containing the data that will be used as
740	747	the request body. This will be encoded as JSON.
741	748
742		long_retries (bool): whether to use the long retry algorithm. See
	749	long_retries: whether to use the long retry algorithm. See
743	750	docs on _send_request for details.
744	751
745		timeout (int\|None): number of milliseconds to wait for the response.
	752	timeout: number of milliseconds to wait for the response.
746	753	self._default_timeout (60s) by default.
747	754
748	755	Note that we may make several attempts to send the request; this

750	757	each attempt (including connection time) as well as the time spent
751	758	reading the response body after a 200 response.
752	759
753		ignore_backoff (bool): true to ignore the historical backoff data and
	760	ignore_backoff: true to ignore the historical backoff data and
754	761	try the request anyway.
755	762
756		args (dict): query params
	763	args: query params
757	764	Returns:
758	765	dict\|list: Succeeds when we get a 2xx HTTP response. The
759	766	result will be the decoded JSON body.

794	801
795	802	async def get_json(
796	803	self,
797		destination,
798		path,
799		args=None,
800		retry_on_dns_fail=True,
801		timeout=None,
802		ignore_backoff=False,
803		try_trailing_slash_on_400=False,
804		):
	804	destination: str,
	805	path: str,
	806	args: Optional[QueryArgs] = None,
	807	retry_on_dns_fail: bool = True,
	808	timeout: Optional[int] = None,
	809	ignore_backoff: bool = False,
	810	try_trailing_slash_on_400: bool = False,
	811	) -> Union[JsonDict, list]:
805	812	""" GETs some json from the given host homeserver and path
806	813
807	814	Args:
808		destination (str): The remote server to send the HTTP request
809		to.
810
811		path (str): The HTTP path.
812
813		args (dict\|None): A dictionary used to create query strings, defaults to
	815	destination: The remote server to send the HTTP request to.
	816
	817	path: The HTTP path.
	818
	819	args: A dictionary used to create query strings, defaults to
814	820	None.
815	821
816		timeout (int\|None): number of milliseconds to wait for the response.
	822	timeout: number of milliseconds to wait for the response.
817	823	self._default_timeout (60s) by default.
818	824
819	825	Note that we may make several attempts to send the request; this

821	827	each attempt (including connection time) as well as the time spent
822	828	reading the response body after a 200 response.
823	829
824		ignore_backoff (bool): true to ignore the historical backoff data
	830	ignore_backoff: true to ignore the historical backoff data
825	831	and try the request anyway.
826	832
827		try_trailing_slash_on_400 (bool): True if on a 400 M_UNRECOGNIZED
	833	try_trailing_slash_on_400: True if on a 400 M_UNRECOGNIZED
828	834	response we should try appending a trailing slash to the end of
829	835	the request. Workaround for #3622 in Synapse <= v0.99.3.
830	836	Returns:
831		dict\|list: Succeeds when we get a 2xx HTTP response. The
	837	Succeeds when we get a 2xx HTTP response. The
832	838	result will be the decoded JSON body.
833	839
834	840	Raises:

869	875
870	876	async def delete_json(
871	877	self,
872		destination,
873		path,
874		long_retries=False,
875		timeout=None,
876		ignore_backoff=False,
877		args={},
878		):
	878	destination: str,
	879	path: str,
	880	long_retries: bool = False,
	881	timeout: Optional[int] = None,
	882	ignore_backoff: bool = False,
	883	args: Optional[QueryArgs] = None,
	884	) -> Union[JsonDict, list]:
879	885	"""Send a DELETE request to the remote expecting some json response
880	886
881	887	Args:
882		destination (str): The remote server to send the HTTP request
883		to.
884		path (str): The HTTP path.
885
886		long_retries (bool): whether to use the long retry algorithm. See
	888	destination: The remote server to send the HTTP request to.
	889	path: The HTTP path.
	890
	891	long_retries: whether to use the long retry algorithm. See
887	892	docs on _send_request for details.
888	893
889		timeout (int\|None): number of milliseconds to wait for the response.
	894	timeout: number of milliseconds to wait for the response.
890	895	self._default_timeout (60s) by default.
891	896
892	897	Note that we may make several attempts to send the request; this

894	899	each attempt (including connection time) as well as the time spent
895	900	reading the response body after a 200 response.
896	901
897		ignore_backoff (bool): true to ignore the historical backoff data and
	902	ignore_backoff: true to ignore the historical backoff data and
898	903	try the request anyway.
899	904
900		args (dict): query params
	905	args: query params
901	906	Returns:
902		dict\|list: Succeeds when we get a 2xx HTTP response. The
	907	Succeeds when we get a 2xx HTTP response. The
903	908	result will be the decoded JSON body.
904	909
905	910	Raises:

937	942
938	943	async def get_file(
939	944	self,
940		destination,
941		path,
	945	destination: str,
	946	path: str,
942	947	output_stream,
943		args={},
944		retry_on_dns_fail=True,
945		max_size=None,
946		ignore_backoff=False,
947		):
	948	args: Optional[QueryArgs] = None,
	949	retry_on_dns_fail: bool = True,
	950	max_size: Optional[int] = None,
	951	ignore_backoff: bool = False,
	952	) -> Tuple[int, Dict[bytes, List[bytes]]]:
948	953	"""GETs a file from a given homeserver
949	954	Args:
950		destination (str): The remote server to send the HTTP request to.
951		path (str): The HTTP path to GET.
952		output_stream (file): File to write the response body to.
953		args (dict): Optional dictionary used to create the query string.
954		ignore_backoff (bool): true to ignore the historical backoff data
	955	destination: The remote server to send the HTTP request to.
	956	path: The HTTP path to GET.
	957	output_stream: File to write the response body to.
	958	args: Optional dictionary used to create the query string.
	959	ignore_backoff: true to ignore the historical backoff data
955	960	and try the request anyway.
956	961
957	962	Returns:
958		tuple[int, dict]: Resolves with an (int,dict) tuple of
	963	Resolves with an (int,dict) tuple of
959	964	the file length and a dict of the response headers.
960	965
961	966	Raises:

979	984	headers = dict(response.headers.getAllRawHeaders())
980	985
981	986	try:
982		d = _readBodyToFile(response, output_stream, max_size)
	987	d = readBodyToFile(response, output_stream, max_size)
983	988	d.addTimeout(self.default_timeout, self.reactor)
984	989	length = await make_deferred_yieldable(d)
985	990	except Exception as e:

1003	1008	return (length, headers)
1004	1009
1005	1010
1006		class _ReadBodyToFileProtocol(protocol.Protocol):
1007		def __init__(self, stream, deferred, max_size):
1008		self.stream = stream
1009		self.deferred = deferred
1010		self.length = 0
1011		self.max_size = max_size
1012
1013		def dataReceived(self, data):
1014		self.stream.write(data)
1015		self.length += len(data)
1016		if self.max_size is not None and self.length >= self.max_size:
1017		self.deferred.errback(
1018		SynapseError(
1019		502,
1020		"Requested file is too large > %r bytes" % (self.max_size,),
1021		Codes.TOO_LARGE,
1022		)
1023		)
1024		self.deferred = defer.Deferred()
1025		self.transport.loseConnection()
1026
1027		def connectionLost(self, reason):
1028		if reason.check(ResponseDone):
1029		self.deferred.callback(self.length)
1030		else:
1031		self.deferred.errback(reason)
1032
1033
1034		def _readBodyToFile(response, stream, max_size):
1035		d = defer.Deferred()
1036		response.deliverBody(_ReadBodyToFileProtocol(stream, d, max_size))
1037		return d
1038
1039
1040	1011	def _flatten_response_never_received(e):
1041	1012	if hasattr(e, "reasons"):
1042	1013	reasons = ", ".join(

1048	1019	return repr(e)
1049	1020
1050	1021
1051		def check_content_type_is_json(headers):
	1022	def check_content_type_is_json(headers: Headers) -> None:
1052	1023	"""
1053	1024	Check that a set of HTTP headers have a Content-Type header, and that it
1054	1025	is application/json.
1055	1026
1056	1027	Args:
1057		headers (twisted.web.http_headers.Headers): headers to check
	1028	headers: headers to check
1058	1029
1059	1030	Raises:
1060	1031	RequestSendFailed: if the Content-Type header is missing or isn't JSON

1077	1048	),
1078	1049	can_retry=False,
1079	1050	)
1080
1081
1082		def encode_query_args(args):
1083		if args is None:
1084		return b""
1085
1086		encoded_args = {}
1087		for k, vs in args.items():
1088		if isinstance(vs, str):
1089		vs = [vs]
1090		encoded_args[k] = [v.encode("UTF-8") for v in vs]
1091
1092		query_bytes = urllib.parse.urlencode(encoded_args, True)
1093
1094		return query_bytes.encode("utf8")

+6

-25

synapse/http/server.py less more

24	24	from typing import Any, Callable, Dict, Iterator, List, Tuple, Union
25	25
26	26	import jinja2
27		from canonicaljson import iterencode_canonical_json, iterencode_pretty_printed_json
	27	from canonicaljson import iterencode_canonical_json
28	28	from zope.interface import implementer
29	29
30	30	from twisted.internet import defer, interfaces

93	93	pass
94	94	else:
95	95	respond_with_json(
96		request,
97		error_code,
98		error_dict,
99		send_cors=True,
100		pretty_print=_request_user_agent_is_curl(request),
	96	request, error_code, error_dict, send_cors=True,
101	97	)
102	98
103	99

289	285	code,
290	286	response_object,
291	287	send_cors=True,
292		pretty_print=_request_user_agent_is_curl(request),
293	288	canonical_json=self.canonical_json,
294	289	)
295	290

586	581	code: int,
587	582	json_object: Any,
588	583	send_cors: bool = False,
589		pretty_print: bool = False,
590	584	canonical_json: bool = True,
591	585	):
592	586	"""Sends encoded JSON in response to the given request.

597	591	json_object: The object to serialize to JSON.
598	592	send_cors: Whether to send Cross-Origin Resource Sharing headers
599	593	https://fetch.spec.whatwg.org/#http-cors-protocol
600		pretty_print: Whether to include indentation and line-breaks in the
601		resulting JSON bytes.
602	594	canonical_json: Whether to use the canonicaljson algorithm when encoding
603	595	the JSON bytes.
604	596

614	606	)
615	607	return None
616	608
617		if pretty_print:
618		encoder = iterencode_pretty_printed_json
	609	if canonical_json:
	610	encoder = iterencode_canonical_json
619	611	else:
620		if canonical_json:
621		encoder = iterencode_canonical_json
622		else:
623		encoder = _encode_json_bytes
	612	encoder = _encode_json_bytes
624	613
625	614	request.setResponseCode(code)
626	615	request.setHeader(b"Content-Type", b"application/json")

684	673	)
685	674	request.setHeader(
686	675	b"Access-Control-Allow-Headers",
687		b"Origin, X-Requested-With, Content-Type, Accept, Authorization",
	676	b"Origin, X-Requested-With, Content-Type, Accept, Authorization, Date",
688	677	)
689	678
690	679

758	747	request.finish()
759	748	except RuntimeError as e:
760	749	logger.info("Connection disconnected before response was written: %r", e)
761
762
763		def _request_user_agent_is_curl(request: Request) -> bool:
764		user_agents = request.requestHeaders.getRawHeaders(b"User-Agent", default=[])
765		for user_agent in user_agents:
766		if b"curl" in user_agent:
767		return True
768		return False

+4

-1

synapse/module_api/__init__.py less more

48	48	self._store = hs.get_datastore()
49	49	self._auth = hs.get_auth()
50	50	self._auth_handler = auth_handler
	51	self._server_name = hs.hostname
51	52
52	53	# We expose these as properties below in order to attach a helpful docstring.
53	54	self._http_client = hs.get_simple_http_client() # type: SimpleHttpClient

335	336	SynapseError if the event was not allowed.
336	337	"""
337	338	# Create a requester object
338		requester = create_requester(event_dict["sender"])
	339	requester = create_requester(
	340	event_dict["sender"], authenticated_entity=self._server_name
	341	)
339	342
340	343	# Create and send the event
341	344	(

+11

-2

synapse/push/httppusher.py less more

74	74	self.failing_since = pusherdict["failing_since"]
75	75	self.timed_call = None
76	76	self._is_processing = False
	77	self._group_unread_count_by_room = hs.config.push_group_unread_count_by_room
77	78
78	79	# This is the highest stream ordering we know it's safe to process.
79	80	# When new events arrive, we'll be given a window of new events: we

135	136	async def _update_badge(self):
136	137	# XXX as per https://github.com/matrix-org/matrix-doc/issues/2627, this seems
137	138	# to be largely redundant. perhaps we can remove it.
138		badge = await push_tools.get_badge_count(self.hs.get_datastore(), self.user_id)
	139	badge = await push_tools.get_badge_count(
	140	self.hs.get_datastore(),
	141	self.user_id,
	142	group_by_room=self._group_unread_count_by_room,
	143	)
139	144	await self._send_badge(badge)
140	145
141	146	def on_timer(self):

282	287	return True
283	288
284	289	tweaks = push_rule_evaluator.tweaks_for_actions(push_action["actions"])
285		badge = await push_tools.get_badge_count(self.hs.get_datastore(), self.user_id)
	290	badge = await push_tools.get_badge_count(
	291	self.hs.get_datastore(),
	292	self.user_id,
	293	group_by_room=self._group_unread_count_by_room,
	294	)
286	295
287	296	event = await self.store.get_event(push_action["event_id"], allow_none=True)
288	297	if event is None:

+11

-5

synapse/push/push_tools.py less more

11	11	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12	12	# See the License for the specific language governing permissions and
13	13	# limitations under the License.
14
15	14	from synapse.push.presentable_names import calculate_room_name, name_from_member_event
16	15	from synapse.storage import Storage
	16	from synapse.storage.databases.main import DataStore
17	17
18	18
19		async def get_badge_count(store, user_id):
	19	async def get_badge_count(store: DataStore, user_id: str, group_by_room: bool) -> int:
20	20	invites = await store.get_invited_rooms_for_local_user(user_id)
21	21	joins = await store.get_rooms_for_user(user_id)
22	22

33	33	room_id, user_id, last_unread_event_id
34	34	)
35	35	)
36		# return one badge count per conversation, as count per
37		# message is so noisy as to be almost useless
38		badge += 1 if notifs["notify_count"] else 0
	36	if notifs["notify_count"] == 0:
	37	continue
	38
	39	if group_by_room:
	40	# return one badge count per conversation
	41	badge += 1
	42	else:
	43	# increment the badge count by the number of unread messages in the room
	44	badge += notifs["notify_count"]
39	45	return badge
40	46
41	47

+10

-9

synapse/python_dependencies.py less more

38	38	#
39	39	# Note that these both represent runtime dependencies (and the versions
40	40	# installed are checked at runtime).
	41	#
	42	# Also note that we replicate these constraints in the Synapse Dockerfile while
	43	# pre-installing dependencies. If these constraints are updated here, the same
	44	# change should be made in the Dockerfile.
41	45	#
42	46	# [1] https://pip.pypa.io/en/stable/reference/pip_install/#requirement-specifiers.
43	47

68	72	"msgpack>=0.5.2",
69	73	"phonenumbers>=8.2.0",
70	74	# we use GaugeHistogramMetric, which was added in prom-client 0.4.0.
71		# prom-client has a history of breaking backwards compatibility between
72		# minor versions (https://github.com/prometheus/client_python/issues/317),
73		# so we also pin the minor version.
74		#
75		# Note that we replicate these constraints in the Synapse Dockerfile while
76		# pre-installing dependencies. If these constraints are updated here, the
77		# same change should be made in the Dockerfile.
78		"prometheus_client>=0.4.0,<0.9.0",
	75	"prometheus_client>=0.4.0",
79	76	# we use attr.validators.deep_iterable, which arrived in 19.1.0 (Note:
80	77	# Fedora 31 only has 19.1, so if we want to upgrade we should wait until 33
81	78	# is out in November.)

98	95	# python 3.5.2, as per https://github.com/itamarst/eliot/issues/418
99	96	'eliot<1.8.0;python_version<"3.5.3"',
100	97	],
101		"saml2": ["pysaml2>=4.5.0"],
	98	"saml2": [
	99	# pysaml2 6.4.0 is incompatible with Python 3.5 (see https://github.com/IdentityPython/pysaml2/issues/749)
	100	"pysaml2>=4.5.0,<6.4.0;python_version<'3.6'",
	101	"pysaml2>=4.5.0;python_version>='3.6'",
	102	],
102	103	"oidc": ["authlib>=0.14.0"],
103	104	"systemd": ["systemd-python>=231"],
104	105	"url_preview": ["lxml>=3.5.0"],

+5

-5

synapse/replication/http/federation.py less more

253	253	return 200, {}
254	254
255	255
256		class ReplicationStoreRoomOnInviteRestServlet(ReplicationEndpoint):
	256	class ReplicationStoreRoomOnOutlierMembershipRestServlet(ReplicationEndpoint):
257	257	"""Called to clean up any data in DB for a given room, ready for the
258	258	server to join the room.
259	259
260	260	Request format:
261	261
262		POST /_synapse/replication/store_room_on_invite/:room_id/:txn_id
	262	POST /_synapse/replication/store_room_on_outlier_membership/:room_id/:txn_id
263	263
264	264	{
265	265	"room_version": "1",
266	266	}
267	267	"""
268	268
269		NAME = "store_room_on_invite"
	269	NAME = "store_room_on_outlier_membership"
270	270	PATH_ARGS = ("room_id",)
271	271
272	272	def __init__(self, hs):

281	281	async def _handle_request(self, request, room_id):
282	282	content = parse_json_object_from_request(request)
283	283	room_version = KNOWN_ROOM_VERSIONS[content["room_version"]]
284		await self.store.maybe_store_room_on_invite(room_id, room_version)
	284	await self.store.maybe_store_room_on_outlier_membership(room_id, room_version)
285	285	return 200, {}
286	286
287	287

290	290	ReplicationFederationSendEduRestServlet(hs).register(http_server)
291	291	ReplicationGetQueryRestServlet(hs).register(http_server)
292	292	ReplicationCleanRoomRestServlet(hs).register(http_server)
293		ReplicationStoreRoomOnInviteRestServlet(hs).register(http_server)
	293	ReplicationStoreRoomOnOutlierMembershipRestServlet(hs).register(http_server)

+44

-22

synapse/replication/http/membership.py less more

11	11	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12	12	# See the License for the specific language governing permissions and
13	13	# limitations under the License.
14
15	14	import logging
16		from typing import TYPE_CHECKING, Optional
	15	from typing import TYPE_CHECKING, List, Optional, Tuple
	16
	17	from twisted.web.http import Request
17	18
18	19	from synapse.http.servlet import parse_json_object_from_request
19	20	from synapse.replication.http._base import ReplicationEndpoint

51	52	self.clock = hs.get_clock()
52	53
53	54	@staticmethod
54		async def _serialize_payload(
55		requester, room_id, user_id, remote_room_hosts, content
56		):
	55	async def _serialize_payload( # type: ignore
	56	requester: Requester,
	57	room_id: str,
	58	user_id: str,
	59	remote_room_hosts: List[str],
	60	content: JsonDict,
	61	) -> JsonDict:
57	62	"""
58	63	Args:
59		requester(Requester)
60		room_id (str)
61		user_id (str)
62		remote_room_hosts (list[str]): Servers to try and join via
63		content(dict): The event content to use for the join event
	64	requester: The user making the request according to the access token
	65	room_id: The ID of the room.
	66	user_id: The ID of the user.
	67	remote_room_hosts: Servers to try and join via
	68	content: The event content to use for the join event
	69
	70	Returns:
	71	A dict representing the payload of the request.
64	72	"""
65	73	return {
66	74	"requester": requester.serialize(),

68	76	"content": content,
69	77	}
70	78
71		async def _handle_request(self, request, room_id, user_id):
	79	async def _handle_request( # type: ignore
	80	self, request: Request, room_id: str, user_id: str
	81	) -> Tuple[int, JsonDict]:
72	82	content = parse_json_object_from_request(request)
73	83
74	84	remote_room_hosts = content["remote_room_hosts"]

117	127	txn_id: Optional[str],
118	128	requester: Requester,
119	129	content: JsonDict,
120		):
	130	) -> JsonDict:
121	131	"""
122	132	Args:
123		invite_event_id: ID of the invite to be rejected
124		txn_id: optional transaction ID supplied by the client
125		requester: user making the rejection request, according to the access token
126		content: additional content to include in the rejection event.
	133	invite_event_id: The ID of the invite to be rejected.
	134	txn_id: Optional transaction ID supplied by the client
	135	requester: User making the rejection request, according to the access token
	136	content: Additional content to include in the rejection event.
127	137	Normally an empty dict.
	138
	139	Returns:
	140	A dict representing the payload of the request.
128	141	"""
129	142	return {
130	143	"txn_id": txn_id,

132	145	"content": content,
133	146	}
134	147
135		async def _handle_request(self, request, invite_event_id):
	148	async def _handle_request( # type: ignore
	149	self, request: Request, invite_event_id: str
	150	) -> Tuple[int, JsonDict]:
136	151	content = parse_json_object_from_request(request)
137	152
138	153	txn_id = content["txn_id"]

173	188	self.distributor = hs.get_distributor()
174	189
175	190	@staticmethod
176		async def _serialize_payload(room_id, user_id, change):
	191	async def _serialize_payload( # type: ignore
	192	room_id: str, user_id: str, change: str
	193	) -> JsonDict:
177	194	"""
178	195	Args:
179		room_id (str)
180		user_id (str)
181		change (str): "left"
	196	room_id: The ID of the room.
	197	user_id: The ID of the user.
	198	change: "left"
	199
	200	Returns:
	201	A dict representing the payload of the request.
182	202	"""
183	203	assert change == "left"
184	204
185	205	return {}
186	206
187		def _handle_request(self, request, room_id, user_id, change):
	207	def _handle_request( # type: ignore
	208	self, request: Request, room_id: str, user_id: str, change: str
	209	) -> Tuple[int, JsonDict]:
188	210	logger.info("user membership change: %s in %s", user_id, room_id)
189	211
190	212	user = UserID.from_string(user_id)

+5

-9

synapse/rest/admin/__init__.py less more

20	20	from synapse.api.errors import Codes, NotFoundError, SynapseError
21	21	from synapse.http.server import JsonResource
22	22	from synapse.http.servlet import RestServlet, parse_json_object_from_request
23		from synapse.rest.admin._base import (
24		admin_patterns,
25		assert_requester_is_admin,
26		historical_admin_path_patterns,
27		)
	23	from synapse.rest.admin._base import admin_patterns, assert_requester_is_admin
28	24	from synapse.rest.admin.devices import (
29	25	DeleteDevicesRestServlet,
30	26	DeviceRestServlet,

60	56	UserRestServletV2,
61	57	UsersRestServlet,
62	58	UsersRestServletV2,
	59	UserTokenRestServlet,
63	60	WhoisRestServlet,
64	61	)
65	62	from synapse.types import RoomStreamToken

82	79
83	80
84	81	class PurgeHistoryRestServlet(RestServlet):
85		PATTERNS = historical_admin_path_patterns(
	82	PATTERNS = admin_patterns(
86	83	"/purge_history/(?P<room_id>[^/]*)(/(?P<event_id>[^/]+))?"
87	84	)
88	85

167	164
168	165
169	166	class PurgeHistoryStatusRestServlet(RestServlet):
170		PATTERNS = historical_admin_path_patterns(
171		"/purge_history_status/(?P<purge_id>[^/]+)"
172		)
	167	PATTERNS = admin_patterns("/purge_history_status/(?P<purge_id>[^/]+)")
173	168
174	169	def __init__(self, hs):
175	170	"""

222	217	UserAdminServlet(hs).register(http_server)
223	218	UserMediaRestServlet(hs).register(http_server)
224	219	UserMembershipRestServlet(hs).register(http_server)
	220	UserTokenRestServlet(hs).register(http_server)
225	221	UserRestServletV2(hs).register(http_server)
226	222	UsersRestServletV2(hs).register(http_server)
227	223	DeviceRestServlet(hs).register(http_server)

+0

-22

synapse/rest/admin/_base.py less more

19	19	import synapse.api.auth
20	20	from synapse.api.errors import AuthError
21	21	from synapse.types import UserID
22
23
24		def historical_admin_path_patterns(path_regex):
25		"""Returns the list of patterns for an admin endpoint, including historical ones
26
27		This is a backwards-compatibility hack. Previously, the Admin API was exposed at
28		various paths under /_matrix/client. This function returns a list of patterns
29		matching those paths (as well as the new one), so that existing scripts which rely
30		on the endpoints being available there are not broken.
31
32		Note that this should only be used for existing endpoints: new ones should just
33		register for the /_synapse/admin path.
34		"""
35		return [
36		re.compile(prefix + path_regex)
37		for prefix in (
38		"^/_synapse/admin/v1",
39		"^/_matrix/client/api/v1/admin",
40		"^/_matrix/client/unstable/admin",
41		"^/_matrix/client/r0/admin",
42		)
43		]
44	22
45	23
46	24	def admin_patterns(path_regex: str, version: str = "v1"):

+2

-5

synapse/rest/admin/groups.py less more

15	15
16	16	from synapse.api.errors import SynapseError
17	17	from synapse.http.servlet import RestServlet
18		from synapse.rest.admin._base import (
19		assert_user_is_admin,
20		historical_admin_path_patterns,
21		)
	18	from synapse.rest.admin._base import admin_patterns, assert_user_is_admin
22	19
23	20	logger = logging.getLogger(__name__)
24	21

27	24	"""Allows deleting of local groups
28	25	"""
29	26
30		PATTERNS = historical_admin_path_patterns("/delete_group/(?P<group_id>[^/]*)")
	27	PATTERNS = admin_patterns("/delete_group/(?P<group_id>[^/]*)")
31	28
32	29	def __init__(self, hs):
33	30	self.group_server = hs.get_groups_server_handler()

+6

-9

synapse/rest/admin/media.py less more

21	21	admin_patterns,
22	22	assert_requester_is_admin,
23	23	assert_user_is_admin,
24		historical_admin_path_patterns,
25	24	)
26	25
27	26	logger = logging.getLogger(__name__)

33	32	"""
34	33
35	34	PATTERNS = (
36		historical_admin_path_patterns("/room/(?P<room_id>[^/]+)/media/quarantine")
	35	admin_patterns("/room/(?P<room_id>[^/]+)/media/quarantine")
37	36	+
38	37	# This path kept around for legacy reasons
39		historical_admin_path_patterns("/quarantine_media/(?P<room_id>[^/]+)")
	38	admin_patterns("/quarantine_media/(?P<room_id>[^/]+)")
40	39	)
41	40
42	41	def __init__(self, hs):

62	61	this server.
63	62	"""
64	63
65		PATTERNS = historical_admin_path_patterns(
66		"/user/(?P<user_id>[^/]+)/media/quarantine"
67		)
	64	PATTERNS = admin_patterns("/user/(?P<user_id>[^/]+)/media/quarantine")
68	65
69	66	def __init__(self, hs):
70	67	self.store = hs.get_datastore()

89	86	it via this server.
90	87	"""
91	88
92		PATTERNS = historical_admin_path_patterns(
	89	PATTERNS = admin_patterns(
93	90	"/media/quarantine/(?P<server_name>[^/]+)/(?P<media_id>[^/]+)"
94	91	)
95	92

115	112	"""Lists all of the media in a given room.
116	113	"""
117	114
118		PATTERNS = historical_admin_path_patterns("/room/(?P<room_id>[^/]+)/media")
	115	PATTERNS = admin_patterns("/room/(?P<room_id>[^/]+)/media")
119	116
120	117	def __init__(self, hs):
121	118	self.store = hs.get_datastore()

133	130
134	131
135	132	class PurgeMediaCacheRestServlet(RestServlet):
136		PATTERNS = historical_admin_path_patterns("/purge_media_cache")
	133	PATTERNS = admin_patterns("/purge_media_cache")
137	134
138	135	def __init__(self, hs):
139	136	self.media_repository = hs.get_media_repository()

+21

-8

synapse/rest/admin/rooms.py less more

28	28	admin_patterns,
29	29	assert_requester_is_admin,
30	30	assert_user_is_admin,
31		historical_admin_path_patterns,
32	31	)
33	32	from synapse.storage.databases.main.room import RoomSortOrder
34	33	from synapse.types import RoomAlias, RoomID, UserID, create_requester

43	42	joined to the new room.
44	43	"""
45	44
46		PATTERNS = historical_admin_path_patterns("/shutdown_room/(?P<room_id>[^/]+)")
	45	PATTERNS = admin_patterns("/shutdown_room/(?P<room_id>[^/]+)")
47	46
48	47	def __init__(self, hs):
49	48	self.hs = hs

70	69
71	70
72	71	class DeleteRoomRestServlet(RestServlet):
73		"""Delete a room from server. It is a combination and improvement of
74		shut down and purge room.
	72	"""Delete a room from server.
	73
	74	It is a combination and improvement of shutdown and purge room.
	75
75	76	Shuts down a room by removing all local users from the room.
76	77	Blocking all future invites and joins to the room is optional.
	78
77	79	If desired any local aliases will be repointed to a new room
78		created by `new_room_user_id` and kicked users will be auto
	80	created by `new_room_user_id` and kicked users will be auto-
79	81	joined to the new room.
80		It will remove all trace of a room from the database.
	82
	83	If 'purge' is true, it will remove all traces of a room from the database.
81	84	"""
82	85
83	86	PATTERNS = admin_patterns("/rooms/(?P<room_id>[^/]+)/delete$")

107	110	raise SynapseError(
108	111	HTTPStatus.BAD_REQUEST,
109	112	"Param 'purge' must be a boolean, if given",
	113	Codes.BAD_JSON,
	114	)
	115
	116	force_purge = content.get("force_purge", False)
	117	if not isinstance(force_purge, bool):
	118	raise SynapseError(
	119	HTTPStatus.BAD_REQUEST,
	120	"Param 'force_purge' must be a boolean, if given",
110	121	Codes.BAD_JSON,
111	122	)
112	123

121	132
122	133	# Purge room
123	134	if purge:
124		await self.pagination_handler.purge_room(room_id)
	135	await self.pagination_handler.purge_room(room_id, force=force_purge)
125	136
126	137	return (200, ret)
127	138

308	319	400, "%s was not legal room ID or room alias" % (room_identifier,)
309	320	)
310	321
311		fake_requester = create_requester(target_user)
	322	fake_requester = create_requester(
	323	target_user, authenticated_entity=requester.authenticated_entity
	324	)
312	325
313	326	# send invite if room has "JoinRules.INVITE"
314	327	room_state = await self.state_handler.get_current_state(room_id)

+68

-11

synapse/rest/admin/users.py less more

15	15	import hmac
16	16	import logging
17	17	from http import HTTPStatus
18		from typing import Tuple
	18	from typing import TYPE_CHECKING, Tuple
19	19
20	20	from synapse.api.constants import UserTypes
21	21	from synapse.api.errors import Codes, NotFoundError, SynapseError

32	32	admin_patterns,
33	33	assert_requester_is_admin,
34	34	assert_user_is_admin,
35		historical_admin_path_patterns,
36	35	)
	36	from synapse.rest.client.v2_alpha._base import client_patterns
37	37	from synapse.types import JsonDict, UserID
	38
	39	if TYPE_CHECKING:
	40	from synapse.server import HomeServer
38	41
39	42	logger = logging.getLogger(__name__)
40	43

51	54
52	55
53	56	class UsersRestServlet(RestServlet):
54		PATTERNS = historical_admin_path_patterns("/users/(?P<user_id>[^/]*)$")
	57	PATTERNS = admin_patterns("/users/(?P<user_id>[^/]*)$")
55	58
56	59	def __init__(self, hs):
57	60	self.hs = hs

334	337	nonce to the time it was generated, in int seconds.
335	338	"""
336	339
337		PATTERNS = historical_admin_path_patterns("/register")
	340	PATTERNS = admin_patterns("/register")
338	341	NONCE_TIMEOUT = 60
339	342
340	343	def __init__(self, hs):

457	460
458	461
459	462	class WhoisRestServlet(RestServlet):
460		PATTERNS = historical_admin_path_patterns("/whois/(?P<user_id>[^/]*)")
	463	path_regex = "/whois/(?P<user_id>[^/]*)$"
	464	PATTERNS = (
	465	admin_patterns(path_regex)
	466	+
	467	# URL for spec reason
	468	# https://matrix.org/docs/spec/client_server/r0.6.1#get-matrix-client-r0-admin-whois-userid
	469	client_patterns("/admin" + path_regex, v1=True)
	470	)
461	471
462	472	def __init__(self, hs):
463	473	self.hs = hs

481	491
482	492
483	493	class DeactivateAccountRestServlet(RestServlet):
484		PATTERNS = historical_admin_path_patterns("/deactivate/(?P<target_user_id>[^/]*)")
	494	PATTERNS = admin_patterns("/deactivate/(?P<target_user_id>[^/]*)")
485	495
486	496	def __init__(self, hs):
487	497	self._deactivate_account_handler = hs.get_deactivate_account_handler()

512	522
513	523
514	524	class AccountValidityRenewServlet(RestServlet):
515		PATTERNS = historical_admin_path_patterns("/account_validity/validity$")
	525	PATTERNS = admin_patterns("/account_validity/validity$")
516	526
517	527	def __init__(self, hs):
518	528	"""

555	565	200 OK with empty object if success otherwise an error.
556	566	"""
557	567
558		PATTERNS = historical_admin_path_patterns(
559		"/reset_password/(?P<target_user_id>[^/]*)"
560		)
	568	PATTERNS = admin_patterns("/reset_password/(?P<target_user_id>[^/]*)")
561	569
562	570	def __init__(self, hs):
563	571	self.store = hs.get_datastore()

599	607	200 OK with json object {list[dict[str, Any]], count} or empty object.
600	608	"""
601	609
602		PATTERNS = historical_admin_path_patterns("/search_users/(?P<target_user_id>[^/]*)")
	610	PATTERNS = admin_patterns("/search_users/(?P<target_user_id>[^/]*)")
603	611
604	612	def __init__(self, hs):
605	613	self.hs = hs

827	835	ret["next_token"] = start + len(media)
828	836
829	837	return 200, ret
	838
	839
	840	class UserTokenRestServlet(RestServlet):
	841	"""An admin API for logging in as a user.
	842
	843	Example:
	844
	845	POST /_synapse/admin/v1/users/@test:example.com/login
	846	{}
	847
	848	200 OK
	849	{
	850	"access_token": "<some_token>"
	851	}
	852	"""
	853
	854	PATTERNS = admin_patterns("/users/(?P<user_id>[^/]*)/login$")
	855
	856	def __init__(self, hs: "HomeServer"):
	857	self.hs = hs
	858	self.store = hs.get_datastore()
	859	self.auth = hs.get_auth()
	860	self.auth_handler = hs.get_auth_handler()
	861
	862	async def on_POST(self, request, user_id):
	863	requester = await self.auth.get_user_by_req(request)
	864	await assert_user_is_admin(self.auth, requester.user)
	865	auth_user = requester.user
	866
	867	if not self.hs.is_mine_id(user_id):
	868	raise SynapseError(400, "Only local users can be logged in as")
	869
	870	body = parse_json_object_from_request(request, allow_empty_body=True)
	871
	872	valid_until_ms = body.get("valid_until_ms")
	873	if valid_until_ms and not isinstance(valid_until_ms, int):
	874	raise SynapseError(400, "'valid_until_ms' parameter must be an int")
	875
	876	if auth_user.to_string() == user_id:
	877	raise SynapseError(400, "Cannot use admin API to login as self")
	878
	879	token = await self.auth_handler.get_access_token_for_user_id(
	880	user_id=auth_user.to_string(),
	881	device_id=None,
	882	valid_until_ms=valid_until_ms,
	883	puppets_user_id=user_id,
	884	)
	885
	886	return 200, {"access_token": token}

+25

-113

synapse/rest/client/v1/login.py less more

18	18	from synapse.api.errors import Codes, LoginError, SynapseError
19	19	from synapse.api.ratelimiting import Ratelimiter
20	20	from synapse.appservice import ApplicationService
21		from synapse.handlers.auth import (
22		convert_client_dict_legacy_fields_to_identifier,
23		login_id_phone_to_thirdparty,
24		)
25	21	from synapse.http.server import finish_request
26	22	from synapse.http.servlet import (
27	23	RestServlet,

32	28	from synapse.rest.client.v2_alpha._base import client_patterns
33	29	from synapse.rest.well_known import WellKnownBuilder
34	30	from synapse.types import JsonDict, UserID
35		from synapse.util.threepids import canonicalise_email
36	31
37	32	logger = logging.getLogger(__name__)
38	33

76	71	clock=hs.get_clock(),
77	72	rate_hz=self.hs.config.rc_login_account.per_second,
78	73	burst_count=self.hs.config.rc_login_account.burst_count,
79		)
80		self._failed_attempts_ratelimiter = Ratelimiter(
81		clock=hs.get_clock(),
82		rate_hz=self.hs.config.rc_login_failed_attempts.per_second,
83		burst_count=self.hs.config.rc_login_failed_attempts.burst_count,
84	74	)
85	75
86	76	def on_GET(self, request: SynapseRequest):

139	129	result["well_known"] = well_known_data
140	130	return 200, result
141	131
142		def _get_qualified_user_id(self, identifier):
143		if identifier["type"] != "m.id.user":
144		raise SynapseError(400, "Unknown login identifier type")
145		if "user" not in identifier:
146		raise SynapseError(400, "User identifier is missing 'user' key")
147
148		if identifier["user"].startswith("@"):
149		return identifier["user"]
150		else:
151		return UserID(identifier["user"], self.hs.hostname).to_string()
152
153	132	async def _do_appservice_login(
154	133	self, login_submission: JsonDict, appservice: ApplicationService
155	134	):
156		logger.info(
157		"Got appservice login request with identifier: %r",
158		login_submission.get("identifier"),
159		)
160
161		identifier = convert_client_dict_legacy_fields_to_identifier(login_submission)
162		qualified_user_id = self._get_qualified_user_id(identifier)
	135	identifier = login_submission.get("identifier")
	136	logger.info("Got appservice login request with identifier: %r", identifier)
	137
	138	if not isinstance(identifier, dict):
	139	raise SynapseError(
	140	400, "Invalid identifier in login submission", Codes.INVALID_PARAM
	141	)
	142
	143	# this login flow only supports identifiers of type "m.id.user".
	144	if identifier.get("type") != "m.id.user":
	145	raise SynapseError(
	146	400, "Unknown login identifier type", Codes.INVALID_PARAM
	147	)
	148
	149	user = identifier.get("user")
	150	if not isinstance(user, str):
	151	raise SynapseError(400, "Invalid user in identifier", Codes.INVALID_PARAM)
	152
	153	if user.startswith("@"):
	154	qualified_user_id = user
	155	else:
	156	qualified_user_id = UserID(user, self.hs.hostname).to_string()
163	157
164	158	if not appservice.is_interested_in_user(qualified_user_id):
165	159	raise LoginError(403, "Invalid access_token", errcode=Codes.FORBIDDEN)

185	179	login_submission.get("address"),
186	180	login_submission.get("user"),
187	181	)
188		identifier = convert_client_dict_legacy_fields_to_identifier(login_submission)
189
190		# convert phone type identifiers to generic threepids
191		if identifier["type"] == "m.id.phone":
192		identifier = login_id_phone_to_thirdparty(identifier)
193
194		# convert threepid identifiers to user IDs
195		if identifier["type"] == "m.id.thirdparty":
196		address = identifier.get("address")
197		medium = identifier.get("medium")
198
199		if medium is None or address is None:
200		raise SynapseError(400, "Invalid thirdparty identifier")
201
202		# For emails, canonicalise the address.
203		# We store all email addresses canonicalised in the DB.
204		# (See add_threepid in synapse/handlers/auth.py)
205		if medium == "email":
206		try:
207		address = canonicalise_email(address)
208		except ValueError as e:
209		raise SynapseError(400, str(e))
210
211		# We also apply account rate limiting using the 3PID as a key, as
212		# otherwise using 3PID bypasses the ratelimiting based on user ID.
213		self._failed_attempts_ratelimiter.ratelimit((medium, address), update=False)
214
215		# Check for login providers that support 3pid login types
216		(
217		canonical_user_id,
218		callback_3pid,
219		) = await self.auth_handler.check_password_provider_3pid(
220		medium, address, login_submission["password"]
221		)
222		if canonical_user_id:
223		# Authentication through password provider and 3pid succeeded
224
225		result = await self._complete_login(
226		canonical_user_id, login_submission, callback_3pid
227		)
228		return result
229
230		# No password providers were able to handle this 3pid
231		# Check local store
232		user_id = await self.hs.get_datastore().get_user_id_by_threepid(
233		medium, address
234		)
235		if not user_id:
236		logger.warning(
237		"unknown 3pid identifier medium %s, address %r", medium, address
238		)
239		# We mark that we've failed to log in here, as
240		# `check_password_provider_3pid` might have returned `None` due
241		# to an incorrect password, rather than the account not
242		# existing.
243		#
244		# If it returned None but the 3PID was bound then we won't hit
245		# this code path, which is fine as then the per-user ratelimit
246		# will kick in below.
247		self._failed_attempts_ratelimiter.can_do_action((medium, address))
248		raise LoginError(403, "", errcode=Codes.FORBIDDEN)
249
250		identifier = {"type": "m.id.user", "user": user_id}
251
252		# by this point, the identifier should be an m.id.user: if it's anything
253		# else, we haven't understood it.
254		qualified_user_id = self._get_qualified_user_id(identifier)
255
256		# Check if we've hit the failed ratelimit (but don't update it)
257		self._failed_attempts_ratelimiter.ratelimit(
258		qualified_user_id.lower(), update=False
259		)
260
261		try:
262		canonical_user_id, callback = await self.auth_handler.validate_login(
263		identifier["user"], login_submission
264		)
265		except LoginError:
266		# The user has failed to log in, so we need to update the rate
267		# limiter. Using `can_do_action` avoids us raising a ratelimit
268		# exception and masking the LoginError. The actual ratelimiting
269		# should have happened above.
270		self._failed_attempts_ratelimiter.can_do_action(qualified_user_id.lower())
271		raise
272
	182	canonical_user_id, callback = await self.auth_handler.validate_login(
	183	login_submission, ratelimit=True
	184	)
273	185	result = await self._complete_login(
274	186	canonical_user_id, login_submission, callback
275	187	)

+2

-3

synapse/rest/client/v1/room.py less more

17	17
18	18	import logging
19	19	import re
20		from typing import List, Optional
	20	from typing import TYPE_CHECKING, List, Optional
21	21	from urllib import parse as urlparse
22	22
23	23	from synapse.api.constants import EventTypes, Membership

47	47	from synapse.util import json_decoder
48	48	from synapse.util.stringutils import random_string
49	49
50		MYPY = False
51		if MYPY:
	50	if TYPE_CHECKING:
52	51	import synapse.server
53	52
54	53	logger = logging.getLogger(__name__)

+3

-3

synapse/rest/client/v2_alpha/account.py less more

114	114	# comments for request_token_inhibit_3pid_errors.
115	115	# Also wait for some random amount of time between 100ms and 1s to make it
116	116	# look like we did something.
117		await self.hs.clock.sleep(random.randint(1, 10) / 10)
	117	await self.hs.get_clock().sleep(random.randint(1, 10) / 10)
118	118	return 200, {"sid": random_string(16)}
119	119
120	120	raise SynapseError(400, "Email not found", Codes.THREEPID_NOT_FOUND)

386	386	# comments for request_token_inhibit_3pid_errors.
387	387	# Also wait for some random amount of time between 100ms and 1s to make it
388	388	# look like we did something.
389		await self.hs.clock.sleep(random.randint(1, 10) / 10)
	389	await self.hs.get_clock().sleep(random.randint(1, 10) / 10)
390	390	return 200, {"sid": random_string(16)}
391	391
392	392	raise SynapseError(400, "Email is already in use", Codes.THREEPID_IN_USE)

465	465	# comments for request_token_inhibit_3pid_errors.
466	466	# Also wait for some random amount of time between 100ms and 1s to make it
467	467	# look like we did something.
468		await self.hs.clock.sleep(random.randint(1, 10) / 10)
	468	await self.hs.get_clock().sleep(random.randint(1, 10) / 10)
469	469	return 200, {"sid": random_string(16)}
470	470
471	471	raise SynapseError(400, "MSISDN is already in use", Codes.THREEPID_IN_USE)

+2

-2

synapse/rest/client/v2_alpha/register.py less more

134	134	# comments for request_token_inhibit_3pid_errors.
135	135	# Also wait for some random amount of time between 100ms and 1s to make it
136	136	# look like we did something.
137		await self.hs.clock.sleep(random.randint(1, 10) / 10)
	137	await self.hs.get_clock().sleep(random.randint(1, 10) / 10)
138	138	return 200, {"sid": random_string(16)}
139	139
140	140	raise SynapseError(400, "Email is already in use", Codes.THREEPID_IN_USE)

213	213	# comments for request_token_inhibit_3pid_errors.
214	214	# Also wait for some random amount of time between 100ms and 1s to make it
215	215	# look like we did something.
216		await self.hs.clock.sleep(random.randint(1, 10) / 10)
	216	await self.hs.get_clock().sleep(random.randint(1, 10) / 10)
217	217	return 200, {"sid": random_string(16)}
218	218
219	219	raise SynapseError(

+1

-0

synapse/rest/client/v2_alpha/sync.py less more

170	170	)
171	171	with context:
172	172	sync_result = await self.sync_handler.wait_for_sync_for_user(
	173	requester,
173	174	sync_config,
174	175	since_token=since_token,
175	176	timeout=timeout,

+1

-1

synapse/rest/key/v2/local_key_resource.py less more

65	65
66	66	def __init__(self, hs):
67	67	self.config = hs.config
68		self.clock = hs.clock
	68	self.clock = hs.get_clock()
69	69	self.update_response_body(self.clock.time_msec())
70	70	Resource.__init__(self)
71	71

+21

-16

synapse/server.py less more

26	26	import os
27	27	from typing import TYPE_CHECKING, Any, Callable, Dict, List, Optional, TypeVar, cast
28	28
29		import twisted
	29	import twisted.internet.base
	30	import twisted.internet.tcp
30	31	from twisted.mail.smtp import sendmail
31	32	from twisted.web.iweb import IPolicyForHTTPS
32	33

88	89	from synapse.handlers.room_member_worker import RoomMemberWorkerHandler
89	90	from synapse.handlers.search import SearchHandler
90	91	from synapse.handlers.set_password import SetPasswordHandler
	92	from synapse.handlers.sso import SsoHandler
91	93	from synapse.handlers.stats import StatsHandler
92	94	from synapse.handlers.sync import SyncHandler
93	95	from synapse.handlers.typing import FollowerTypingHandler, TypingWriterHandler

144	146	"@cache_in_self can only be used on functions starting with `get_`"
145	147	)
146	148
147		depname = builder.__name__[len("get_") :]
	149	# get_attr -> _attr
	150	depname = builder.__name__[len("get") :]
148	151
149	152	building = [False]
150	153

232	235	self._instance_id = random_string(5)
233	236	self._instance_name = config.worker_name or "master"
234	237
235		self.clock = Clock(reactor)
236		self.distributor = Distributor()
237
238		self.registration_ratelimiter = Ratelimiter(
239		clock=self.clock,
240		rate_hz=config.rc_registration.per_second,
241		burst_count=config.rc_registration.burst_count,
242		)
243
244	238	self.version_string = version_string
245	239
246	240	self.datastores = None # type: Optional[Databases]

298	292	def is_mine_id(self, string: str) -> bool:
299	293	return string.split(":", 1)[1] == self.hostname
300	294
	295	@cache_in_self
301	296	def get_clock(self) -> Clock:
302		return self.clock
	297	return Clock(self._reactor)
303	298
304	299	def get_datastore(self) -> DataStore:
305	300	if not self.datastores:

316	311	def get_config(self) -> HomeServerConfig:
317	312	return self.config
318	313
	314	@cache_in_self
319	315	def get_distributor(self) -> Distributor:
320		return self.distributor
321
	316	return Distributor()
	317
	318	@cache_in_self
322	319	def get_registration_ratelimiter(self) -> Ratelimiter:
323		return self.registration_ratelimiter
	320	return Ratelimiter(
	321	clock=self.get_clock(),
	322	rate_hz=self.config.rc_registration.per_second,
	323	burst_count=self.config.rc_registration.burst_count,
	324	)
324	325
325	326	@cache_in_self
326	327	def get_federation_client(self) -> FederationClient:

388	389	return TypingWriterHandler(self)
389	390	else:
390	391	return FollowerTypingHandler(self)
	392
	393	@cache_in_self
	394	def get_sso_handler(self) -> SsoHandler:
	395	return SsoHandler(self)
391	396
392	397	@cache_in_self
393	398	def get_sync_handler(self) -> SyncHandler:

680	685
681	686	@cache_in_self
682	687	def get_federation_ratelimiter(self) -> FederationRateLimiter:
683		return FederationRateLimiter(self.clock, config=self.config.rc_federation)
	688	return FederationRateLimiter(self.get_clock(), config=self.config.rc_federation)
684	689
685	690	@cache_in_self
686	691	def get_module_api(self) -> ModuleApi:

+10

-3

synapse/server_notices/server_notices_manager.py less more

38	38	self._room_member_handler = hs.get_room_member_handler()
39	39	self._event_creation_handler = hs.get_event_creation_handler()
40	40	self._is_mine_id = hs.is_mine_id
	41	self._server_name = hs.hostname
41	42
42	43	self._notifier = hs.get_notifier()
43	44	self.server_notices_mxid = self._config.server_notices_mxid

71	72	await self.maybe_invite_user_to_room(user_id, room_id)
72	73
73	74	system_mxid = self._config.server_notices_mxid
74		requester = create_requester(system_mxid)
	75	requester = create_requester(
	76	system_mxid, authenticated_entity=self._server_name
	77	)
75	78
76	79	logger.info("Sending server notice to %s", user_id)
77	80

144	147	"avatar_url": self._config.server_notices_mxid_avatar_url,
145	148	}
146	149
147		requester = create_requester(self.server_notices_mxid)
	150	requester = create_requester(
	151	self.server_notices_mxid, authenticated_entity=self._server_name
	152	)
148	153	info, _ = await self._room_creation_handler.create_room(
149	154	requester,
150	155	config={

173	178	user_id: The ID of the user to invite.
174	179	room_id: The ID of the room to invite the user to.
175	180	"""
176		requester = create_requester(self.server_notices_mxid)
	181	requester = create_requester(
	182	self.server_notices_mxid, authenticated_entity=self._server_name
	183	)
177	184
178	185	# Check whether the user has already joined or been invited to this room. If
179	186	# that's the case, there is no need to re-invite them.

+1

-1

synapse/storage/databases/main/purge_events.py less more

313	313	for table in (
314	314	"event_auth",
315	315	"event_edges",
	316	"event_json",
316	317	"event_push_actions_staging",
317	318	"event_reference_hashes",
318	319	"event_relations",

339	340	"destination_rooms",
340	341	"event_backward_extremities",
341	342	"event_forward_extremities",
342		"event_json",
343	343	"event_push_actions",
344	344	"event_search",
345	345	"events",

+6

-1

synapse/storage/databases/main/receipts.py less more

277	277	async def get_linearized_receipts_for_all_rooms(
278	278	self, to_key: int, from_key: Optional[int] = None
279	279	) -> Dict[str, JsonDict]:
280		"""Get receipts for all rooms between two stream_ids.
	280	"""Get receipts for all rooms between two stream_ids, up
	281	to a limit of the latest 100 read receipts.
281	282
282	283	Args:
283	284	to_key: Max stream id to fetch receipts upto.

293	294	sql = """
294	295	SELECT * FROM receipts_linearized WHERE
295	296	stream_id > ? AND stream_id <= ?
	297	ORDER BY stream_id DESC
	298	LIMIT 100
296	299	"""
297	300	txn.execute(sql, [from_key, to_key])
298	301	else:
299	302	sql = """
300	303	SELECT * FROM receipts_linearized WHERE
301	304	stream_id <= ?
	305	ORDER BY stream_id DESC
	306	LIMIT 100
302	307	"""
303	308
304	309	txn.execute(sql, [to_key])

+2

-0

synapse/storage/databases/main/registration.py less more

1109	1109	token: str,
1110	1110	device_id: Optional[str],
1111	1111	valid_until_ms: Optional[int],
	1112	puppets_user_id: Optional[str] = None,
1112	1113	) -> int:
1113	1114	"""Adds an access token for the given user.
1114	1115

1132	1133	"token": token,
1133	1134	"device_id": device_id,
1134	1135	"valid_until_ms": valid_until_ms,
	1136	"puppets_user_id": puppets_user_id,
1135	1137	},
1136	1138	desc="add_access_token_to_user",
1137	1139	)

+7

-5

synapse/storage/databases/main/room.py less more

1239	1239	logger.error("store_room with room_id=%s failed: %s", room_id, e)
1240	1240	raise StoreError(500, "Problem creating room.")
1241	1241
1242		async def maybe_store_room_on_invite(self, room_id: str, room_version: RoomVersion):
1243		"""
1244		When we receive an invite over federation, store the version of the room if we
1245		don't already know the room version.
	1242	async def maybe_store_room_on_outlier_membership(
	1243	self, room_id: str, room_version: RoomVersion
	1244	):
	1245	"""
	1246	When we receive an invite or any other event over federation that may relate to a room
	1247	we are not in, store the version of the room if we don't already know the room version.
1246	1248	"""
1247	1249	await self.db_pool.simple_upsert(
1248		desc="maybe_store_room_on_invite",
	1250	desc="maybe_store_room_on_outlier_membership",
1249	1251	table="rooms",
1250	1252	keyvalues={"room_id": room_id},
1251	1253	values={},

+33

-1

synapse/storage/databases/main/roommember.py less more

13	13	# See the License for the specific language governing permissions and
14	14	# limitations under the License.
15	15	import logging
16		from typing import TYPE_CHECKING, Dict, FrozenSet, Iterable, List, Optional, Set
	16	from typing import TYPE_CHECKING, Dict, FrozenSet, Iterable, List, Optional, Set, Tuple
17	17
18	18	from synapse.api.constants import EventTypes, Membership
19	19	from synapse.events import EventBase

348	348	results = [RoomsForUser(**r) for r in self.db_pool.cursor_to_dict(txn)]
349	349
350	350	return results
	351
	352	async def get_local_current_membership_for_user_in_room(
	353	self, user_id: str, room_id: str
	354	) -> Tuple[Optional[str], Optional[str]]:
	355	"""Retrieve the current local membership state and event ID for a user in a room.
	356
	357	Args:
	358	user_id: The ID of the user.
	359	room_id: The ID of the room.
	360
	361	Returns:
	362	A tuple of (membership_type, event_id). Both will be None if a
	363	room_id/user_id pair is not found.
	364	"""
	365	# Paranoia check.
	366	if not self.hs.is_mine_id(user_id):
	367	raise Exception(
	368	"Cannot call 'get_local_current_membership_for_user_in_room' on "
	369	"non-local user %s" % (user_id,),
	370	)
	371
	372	results_dict = await self.db_pool.simple_select_one(
	373	"local_current_membership",
	374	{"room_id": room_id, "user_id": user_id},
	375	("membership", "event_id"),
	376	allow_none=True,
	377	desc="get_local_current_membership_for_user_in_room",
	378	)
	379	if not results_dict:
	380	return None, None
	381
	382	return results_dict.get("membership"), results_dict.get("event_id")
351	383
352	384	@cached(max_entries=500000, iterable=True)
353	385	async def get_rooms_for_user_with_stream_ordering(

+6

-6

synapse/storage/databases/main/schema/delta/58/07add_method_to_thumbnail_constraint.sql.postgres less more

19	19	*/
20	20
21	21	-- add new index that includes method to local media
22		INSERT INTO background_updates (update_name, progress_json) VALUES
23		('local_media_repository_thumbnails_method_idx', '{}');
	22	INSERT INTO background_updates (ordering, update_name, progress_json) VALUES
	23	(5807, 'local_media_repository_thumbnails_method_idx', '{}');
24	24
25	25	-- add new index that includes method to remote media
26		INSERT INTO background_updates (update_name, progress_json, depends_on) VALUES
27		('remote_media_repository_thumbnails_method_idx', '{}', 'local_media_repository_thumbnails_method_idx');
	26	INSERT INTO background_updates (ordering, update_name, progress_json, depends_on) VALUES
	27	(5807, 'remote_media_repository_thumbnails_method_idx', '{}', 'local_media_repository_thumbnails_method_idx');
28	28
29	29	-- drop old index
30		INSERT INTO background_updates (update_name, progress_json, depends_on) VALUES
31		('media_repository_drop_index_wo_method', '{}', 'remote_media_repository_thumbnails_method_idx');
	30	INSERT INTO background_updates (ordering, update_name, progress_json, depends_on) VALUES
	31	(5807, 'media_repository_drop_index_wo_method', '{}', 'remote_media_repository_thumbnails_method_idx');
32	32

+2

-2

synapse/storage/databases/main/schema/delta/58/12room_stats.sql less more

27	27	-- functionality as the old one. This effectively restarts the background job
28	28	-- from the beginning, without running it twice in a row, supporting both
29	29	-- upgrade usecases.
30		INSERT INTO background_updates (update_name, progress_json) VALUES
31		('populate_stats_process_rooms_2', '{}');
	30	INSERT INTO background_updates (ordering, update_name, progress_json) VALUES
	31	(5812, 'populate_stats_process_rooms_2', '{}');

+2

-2

synapse/storage/databases/main/schema/delta/58/22users_have_local_media.sql less more

0		INSERT INTO background_updates (update_name, progress_json) VALUES
1		('users_have_local_media', '{}');⏎
	0	INSERT INTO background_updates (ordering, update_name, progress_json) VALUES
	1	(5822, 'users_have_local_media', '{}');

+2

-2

synapse/storage/databases/main/schema/delta/58/23e2e_cross_signing_keys_idx.sql less more

12	12	* limitations under the License.
13	13	*/
14	14
15		INSERT INTO background_updates (update_name, progress_json) VALUES
16		('e2e_cross_signing_keys_idx', '{}');
	15	INSERT INTO background_updates (ordering, update_name, progress_json) VALUES
	16	(5823, 'e2e_cross_signing_keys_idx', '{}');

+19

-0

synapse/storage/databases/main/schema/delta/58/24drop_event_json_index.sql less more

	0	/* Copyright 2020 The Matrix.org Foundation C.I.C
	1	*
	2	* Licensed under the Apache License, Version 2.0 (the "License");
	3	* you may not use this file except in compliance with the License.
	4	* You may obtain a copy of the License at
	5	*
	6	* http://www.apache.org/licenses/LICENSE-2.0
	7	*
	8	* Unless required by applicable law or agreed to in writing, software
	9	* distributed under the License is distributed on an "AS IS" BASIS,
	10	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	11	* See the License for the specific language governing permissions and
	12	* limitations under the License.
	13	*/
	14
	15	-- this index is essentially redundant. The only time it was ever used was when purging
	16	-- rooms - and Synapse 1.24 will change that.
	17
	18	DROP INDEX IF EXISTS event_json_room_id;

+3

-3

synapse/types.py less more

316	316	)
317	317
318	318
319		def contains_invalid_mxid_characters(localpart):
	319	def contains_invalid_mxid_characters(localpart: str) -> bool:
320	320	"""Check for characters not allowed in an mxid or groupid localpart
321	321
322	322	Args:
323		localpart (basestring): the localpart to be checked
	323	localpart: the localpart to be checked
324	324
325	325	Returns:
326		bool: True if there are any naughty characters
	326	True if there are any naughty characters
327	327	"""
328	328	return any(c not in mxid_localpart_allowed_characters for c in localpart)
329	329

+7

-0

synctl less more

357	357	for worker in workers:
358	358	env = os.environ.copy()
359	359
	360	# Skip starting a worker if its already running
	361	if os.path.exists(worker.pidfile) and pid_running(
	362	int(open(worker.pidfile).read())
	363	):
	364	print(worker.app + " already running")
	365	continue
	366
360	367	if worker.cache_factor:
361	368	os.environ["SYNAPSE_CACHE_FACTOR"] = str(worker.cache_factor)
362	369

+5

-1

tests/api/test_auth.py less more

281	281	)
282	282	)
283	283	self.store.add_access_token_to_user.assert_called_with(
284		USER_ID, token, "DEVICE", None
	284	user_id=USER_ID,
	285	token=token,
	286	device_id="DEVICE",
	287	valid_until_ms=None,
	288	puppets_user_id=None,
285	289	)
286	290
287	291	def get_user(tok):

+3

-6

tests/app/test_frontend_proxy.py less more

14	14
15	15	from synapse.app.generic_worker import GenericWorkerServer
16	16
	17	from tests.server import make_request
17	18	from tests.unittest import HomeserverTestCase
18	19
19	20

54	55	# Grab the resource from the site that was told to listen
55	56	self.assertEqual(len(self.reactor.tcpServers), 1)
56	57	site = self.reactor.tcpServers[0][1]
57		self.resource = site.resource.children[b"_matrix"].children[b"client"]
58	58
59		request, channel = self.make_request("PUT", "presence/a/status")
60		self.render(request)
	59	_, channel = make_request(self.reactor, site, "PUT", "presence/a/status")
61	60
62	61	# 400 + unrecognised, because nothing is registered
63	62	self.assertEqual(channel.code, 400)

76	75	# Grab the resource from the site that was told to listen
77	76	self.assertEqual(len(self.reactor.tcpServers), 1)
78	77	site = self.reactor.tcpServers[0][1]
79		self.resource = site.resource.children[b"_matrix"].children[b"client"]
80	78
81		request, channel = self.make_request("PUT", "presence/a/status")
82		self.render(request)
	79	_, channel = make_request(self.reactor, site, "PUT", "presence/a/status")
83	80
84	81	# 401, because the stub servlet still checks authentication
85	82	self.assertEqual(channel.code, 401)

+7

-8

tests/app/test_openid_listener.py less more

19	19	from synapse.app.homeserver import SynapseHomeServer
20	20	from synapse.config.server import parse_listener_def
21	21
	22	from tests.server import make_request
22	23	from tests.unittest import HomeserverTestCase
23	24
24	25

65	66	# Grab the resource from the site that was told to listen
66	67	site = self.reactor.tcpServers[0][1]
67	68	try:
68		self.resource = site.resource.children[b"_matrix"].children[b"federation"]
	69	site.resource.children[b"_matrix"].children[b"federation"]
69	70	except KeyError:
70	71	if expectation == "no_resource":
71	72	return
72	73	raise
73	74
74		request, channel = self.make_request(
75		"GET", "/_matrix/federation/v1/openid/userinfo"
	75	_, channel = make_request(
	76	self.reactor, site, "GET", "/_matrix/federation/v1/openid/userinfo"
76	77	)
77		self.render(request)
78	78
79	79	self.assertEqual(channel.code, 401)
80	80

114	114	# Grab the resource from the site that was told to listen
115	115	site = self.reactor.tcpServers[0][1]
116	116	try:
117		self.resource = site.resource.children[b"_matrix"].children[b"federation"]
	117	site.resource.children[b"_matrix"].children[b"federation"]
118	118	except KeyError:
119	119	if expectation == "no_resource":
120	120	return
121	121	raise
122	122
123		request, channel = self.make_request(
124		"GET", "/_matrix/federation/v1/openid/userinfo"
	123	_, channel = make_request(
	124	self.reactor, site, "GET", "/_matrix/federation/v1/openid/userinfo"
125	125	)
126		self.render(request)
127	126
128	127	self.assertEqual(channel.code, 401)

+0

-2

tests/federation/test_complexity.py less more

50	50	request, channel = self.make_request(
51	51	"GET", "/_matrix/federation/unstable/rooms/%s/complexity" % (room_1,)
52	52	)
53		self.render(request)
54	53	self.assertEquals(200, channel.code)
55	54	complexity = channel.json_body["v1"]
56	55	self.assertTrue(complexity > 0, complexity)

63	62	request, channel = self.make_request(
64	63	"GET", "/_matrix/federation/unstable/rooms/%s/complexity" % (room_1,)
65	64	)
66		self.render(request)
67	65	self.assertEquals(200, channel.code)
68	66	complexity = channel.json_body["v1"]
69	67	self.assertEqual(complexity, 1.23)

+0

-3

tests/federation/test_federation_server.py less more

50	50	"/_matrix/federation/v1/get_missing_events/%s" % (room_1,),
51	51	query_content,
52	52	)
53		self.render(request)
54	53	self.assertEquals(400, channel.code, channel.result)
55	54	self.assertEqual(channel.json_body["errcode"], "M_NOT_JSON")
56	55

98	97	request, channel = self.make_request(
99	98	"GET", "/_matrix/federation/v1/state/%s" % (room_1,)
100	99	)
101		self.render(request)
102	100	self.assertEquals(200, channel.code, channel.result)
103	101
104	102	self.assertEqual(

131	129	request, channel = self.make_request(
132	130	"GET", "/_matrix/federation/v1/state/%s" % (room_1,)
133	131	)
134		self.render(request)
135	132	self.assertEquals(403, channel.code, channel.result)
136	133	self.assertEqual(channel.json_body["errcode"], "M_FORBIDDEN")
137	134

+0

-2

tests/federation/transport/test_server.py less more

39	39	request, channel = self.make_request(
40	40	"GET", "/_matrix/federation/v1/publicRooms"
41	41	)
42		self.render(request)
43	42	self.assertEquals(403, channel.code)
44	43
45	44	@override_config({"allow_public_rooms_over_federation": True})

47	46	request, channel = self.make_request(
48	47	"GET", "/_matrix/federation/v1/publicRooms"
49	48	)
50		self.render(request)
51	49	self.assertEquals(200, channel.code)

+3

-3

tests/handlers/test_auth.py less more

51	51	self.fail("some_user was not in %s" % macaroon.inspect())
52	52
53	53	def test_macaroon_caveats(self):
54		self.hs.clock.now = 5000
	54	self.hs.get_clock().now = 5000
55	55
56	56	token = self.macaroon_generator.generate_access_token("a_user")
57	57	macaroon = pymacaroons.Macaroon.deserialize(token)

77	77
78	78	@defer.inlineCallbacks
79	79	def test_short_term_login_token_gives_user_id(self):
80		self.hs.clock.now = 1000
	80	self.hs.get_clock().now = 1000
81	81
82	82	token = self.macaroon_generator.generate_short_term_login_token("a_user", 5000)
83	83	user_id = yield defer.ensureDeferred(

86	86	self.assertEqual("a_user", user_id)
87	87
88	88	# when we advance the clock, the token should be rejected
89		self.hs.clock.now = 6000
	89	self.hs.get_clock().now = 6000
90	90	with self.assertRaises(synapse.api.errors.AuthError):
91	91	yield defer.ensureDeferred(
92	92	self.auth_handler.validate_short_term_login_token_and_get_user_id(token)

+0

-6

tests/handlers/test_directory.py less more

411	411	b"directory/room/%23test%3Atest",
412	412	('{"room_id":"%s"}' % (room_id,)).encode("ascii"),
413	413	)
414		self.render(request)
415	414	self.assertEquals(403, channel.code, channel.result)
416	415
417	416	def test_allowed(self):

422	421	b"directory/room/%23unofficial_test%3Atest",
423	422	('{"room_id":"%s"}' % (room_id,)).encode("ascii"),
424	423	)
425		self.render(request)
426	424	self.assertEquals(200, channel.code, channel.result)
427	425
428	426

437	435	request, channel = self.make_request(
438	436	"PUT", b"directory/list/room/%s" % (room_id.encode("ascii"),), b"{}"
439	437	)
440		self.render(request)
441	438	self.assertEquals(200, channel.code, channel.result)
442	439
443	440	self.room_list_handler = hs.get_room_list_handler()

451	448
452	449	# Room list is enabled so we should get some results
453	450	request, channel = self.make_request("GET", b"publicRooms")
454		self.render(request)
455	451	self.assertEquals(200, channel.code, channel.result)
456	452	self.assertTrue(len(channel.json_body["chunk"]) > 0)
457	453

460	456
461	457	# Room list disabled so we should get no results
462	458	request, channel = self.make_request("GET", b"publicRooms")
463		self.render(request)
464	459	self.assertEquals(200, channel.code, channel.result)
465	460	self.assertTrue(len(channel.json_body["chunk"]) == 0)
466	461

469	464	request, channel = self.make_request(
470	465	"PUT", b"directory/list/room/%s" % (room_id.encode("ascii"),), b"{}"
471	466	)
472		self.render(request)
473	467	self.assertEquals(403, channel.code, channel.result)

+0

-1

tests/handlers/test_federation.py less more

58	58	)
59	59
60	60	d = self.handler.on_exchange_third_party_invite_request(
61		room_id=room_id,
62	61	event_dict={
63	62	"type": EventTypes.Member,
64	63	"room_id": room_id,

+0

-1

tests/handlers/test_message.py less more

208	208	request, channel = self.make_request(
209	209	"POST", path, content={}, access_token=self.access_token
210	210	)
211		self.render(request)
212	211	self.assertEqual(int(channel.result["code"]), 403)

+186

-44

tests/handlers/test_oidc.py less more

11	11	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12	12	# See the License for the specific language governing permissions and
13	13	# limitations under the License.
14
15	14	import json
16	15	from urllib.parse import parse_qs, urlparse
17	16

23	22	from twisted.python.failure import Failure
24	23	from twisted.web._newclient import ResponseDone
25	24
26		from synapse.handlers.oidc_handler import (
27		MappingException,
28		OidcError,
29		OidcHandler,
30		OidcMappingProvider,
31		)
	25	from synapse.handlers.oidc_handler import OidcError, OidcMappingProvider
	26	from synapse.handlers.sso import MappingException
32	27	from synapse.types import UserID
33	28
34	29	from tests.unittest import HomeserverTestCase, override_config

91	86	class TestMappingProviderExtra(TestMappingProvider):
92	87	async def get_extra_attributes(self, userinfo, token):
93	88	return {"phone": userinfo["phone"]}
	89
	90
	91	class TestMappingProviderFailures(TestMappingProvider):
	92	async def map_user_attributes(self, userinfo, token, failures):
	93	return {
	94	"localpart": userinfo["username"] + (str(failures) if failures else ""),
	95	"display_name": None,
	96	}
94	97
95	98
96	99	def simple_async_mock(return_value=None, raises=None):

123	126
124	127
125	128	class OidcHandlerTestCase(HomeserverTestCase):
126		def make_homeserver(self, reactor, clock):
127
128		self.http_client = Mock(spec=["get_json"])
129		self.http_client.get_json.side_effect = get_json
130		self.http_client.user_agent = "Synapse Test"
131
132		config = self.default_config()
	129	def default_config(self):
	130	config = super().default_config()
133	131	config["public_baseurl"] = BASE_URL
134		oidc_config = {}
135		oidc_config["enabled"] = True
136		oidc_config["client_id"] = CLIENT_ID
137		oidc_config["client_secret"] = CLIENT_SECRET
138		oidc_config["issuer"] = ISSUER
139		oidc_config["scopes"] = SCOPES
140		oidc_config["user_mapping_provider"] = {
141		"module": __name__ + ".TestMappingProvider",
	132	oidc_config = {
	133	"enabled": True,
	134	"client_id": CLIENT_ID,
	135	"client_secret": CLIENT_SECRET,
	136	"issuer": ISSUER,
	137	"scopes": SCOPES,
	138	"user_mapping_provider": {"module": __name__ + ".TestMappingProvider"},
142	139	}
143	140
144	141	# Update this config with what's in the default config so that

146	143	oidc_config.update(config.get("oidc_config", {}))
147	144	config["oidc_config"] = oidc_config
148	145
149		hs = self.setup_test_homeserver(
150		http_client=self.http_client,
151		proxied_http_client=self.http_client,
152		config=config,
153		)
154
155		self.handler = OidcHandler(hs)
	146	return config
	147
	148	def make_homeserver(self, reactor, clock):
	149
	150	self.http_client = Mock(spec=["get_json"])
	151	self.http_client.get_json.side_effect = get_json
	152	self.http_client.user_agent = "Synapse Test"
	153
	154	hs = self.setup_test_homeserver(proxied_http_client=self.http_client)
	155
	156	self.handler = hs.get_oidc_handler()
	157	sso_handler = hs.get_sso_handler()
	158	# Mock the render error method.
	159	self.render_error = Mock(return_value=None)
	160	sso_handler.render_error = self.render_error
	161
	162	# Reduce the number of attempts when generating MXIDs.
	163	sso_handler._MAP_USERNAME_RETRIES = 3
156	164
157	165	return hs
158	166

160	168	return patch.dict(self.handler._provider_metadata, values)
161	169
162	170	def assertRenderedError(self, error, error_description=None):
163		args = self.handler._render_error.call_args[0]
	171	args = self.render_error.call_args[0]
164	172	self.assertEqual(args[1], error)
165	173	if error_description is not None:
166	174	self.assertEqual(args[2], error_description)
167	175	# Reset the render_error mock
168		self.handler._render_error.reset_mock()
	176	self.render_error.reset_mock()
169	177
170	178	def test_config(self):
171	179	"""Basic config correctly sets up the callback URL and client auth correctly."""

355	363
356	364	def test_callback_error(self):
357	365	"""Errors from the provider returned in the callback are displayed."""
358		self.handler._render_error = Mock()
359	366	request = Mock(args={})
360	367	request.args[b"error"] = [b"invalid_client"]
361	368	self.get_success(self.handler.handle_oidc_callback(request))

386	393	"preferred_username": "bar",
387	394	}
388	395	user_id = "@foo:domain.org"
389		self.handler._render_error = Mock(return_value=None)
390	396	self.handler._exchange_code = simple_async_mock(return_value=token)
391	397	self.handler._parse_id_token = simple_async_mock(return_value=userinfo)
392	398	self.handler._fetch_userinfo = simple_async_mock(return_value=userinfo)

434	440	userinfo, token, user_agent, ip_address
435	441	)
436	442	self.handler._fetch_userinfo.assert_not_called()
437		self.handler._render_error.assert_not_called()
	443	self.render_error.assert_not_called()
438	444
439	445	# Handle mapping errors
440	446	self.handler._map_userinfo_to_user = simple_async_mock(

468	474	userinfo, token, user_agent, ip_address
469	475	)
470	476	self.handler._fetch_userinfo.assert_called_once_with(token)
471		self.handler._render_error.assert_not_called()
	477	self.render_error.assert_not_called()
472	478
473	479	# Handle userinfo fetching error
474	480	self.handler._fetch_userinfo = simple_async_mock(raises=Exception())

484	490
485	491	def test_callback_session(self):
486	492	"""The callback verifies the session presence and validity"""
487		self.handler._render_error = Mock(return_value=None)
488	493	request = Mock(spec=["args", "getCookie", "addCookie"])
489	494
490	495	# Missing cookie

698	703	),
699	704	MappingException,
700	705	)
701		self.assertEqual(str(e.value), "mxid '@test_user_3:test' is already taken")
	706	self.assertEqual(
	707	str(e.value), "Mapping provider does not support de-duplicating Matrix IDs",
	708	)
702	709
703	710	@override_config({"oidc_config": {"allow_existing_users": True}})
704	711	def test_map_userinfo_to_existing_user(self):
705	712	"""Existing users can log in with OpenID Connect when allow_existing_users is True."""
706	713	store = self.hs.get_datastore()
707		user4 = UserID.from_string("@test_user_4:test")
	714	user = UserID.from_string("@test_user:test")
708	715	self.get_success(
709		store.register_user(user_id=user4.to_string(), password_hash=None)
710		)
711		userinfo = {
712		"sub": "test4",
713		"username": "test_user_4",
	716	store.register_user(user_id=user.to_string(), password_hash=None)
	717	)
	718
	719	# Map a user via SSO.
	720	userinfo = {
	721	"sub": "test",
	722	"username": "test_user",
714	723	}
715	724	token = {}
716	725	mxid = self.get_success(

718	727	userinfo, token, "user-agent", "10.10.10.10"
719	728	)
720	729	)
721		self.assertEqual(mxid, "@test_user_4:test")
	730	self.assertEqual(mxid, "@test_user:test")
	731
	732	# Subsequent calls should map to the same mxid.
	733	mxid = self.get_success(
	734	self.handler._map_userinfo_to_user(
	735	userinfo, token, "user-agent", "10.10.10.10"
	736	)
	737	)
	738	self.assertEqual(mxid, "@test_user:test")
	739
	740	# Note that a second SSO user can be mapped to the same Matrix ID. (This
	741	# requires a unique sub, but something that maps to the same matrix ID,
	742	# in this case we'll just use the same username. A more realistic example
	743	# would be subs which are email addresses, and mapping from the localpart
	744	# of the email, e.g. bob@foo.com and bob@bar.com -> @bob:test.)
	745	userinfo = {
	746	"sub": "test1",
	747	"username": "test_user",
	748	}
	749	token = {}
	750	mxid = self.get_success(
	751	self.handler._map_userinfo_to_user(
	752	userinfo, token, "user-agent", "10.10.10.10"
	753	)
	754	)
	755	self.assertEqual(mxid, "@test_user:test")
	756
	757	# Register some non-exact matching cases.
	758	user2 = UserID.from_string("@TEST_user_2:test")
	759	self.get_success(
	760	store.register_user(user_id=user2.to_string(), password_hash=None)
	761	)
	762	user2_caps = UserID.from_string("@test_USER_2:test")
	763	self.get_success(
	764	store.register_user(user_id=user2_caps.to_string(), password_hash=None)
	765	)
	766
	767	# Attempting to login without matching a name exactly is an error.
	768	userinfo = {
	769	"sub": "test2",
	770	"username": "TEST_USER_2",
	771	}
	772	e = self.get_failure(
	773	self.handler._map_userinfo_to_user(
	774	userinfo, token, "user-agent", "10.10.10.10"
	775	),
	776	MappingException,
	777	)
	778	self.assertTrue(
	779	str(e.value).startswith(
	780	"Attempted to login as '@TEST_USER_2:test' but it matches more than one user inexactly:"
	781	)
	782	)
	783
	784	# Logging in when matching a name exactly should work.
	785	user2 = UserID.from_string("@TEST_USER_2:test")
	786	self.get_success(
	787	store.register_user(user_id=user2.to_string(), password_hash=None)
	788	)
	789
	790	mxid = self.get_success(
	791	self.handler._map_userinfo_to_user(
	792	userinfo, token, "user-agent", "10.10.10.10"
	793	)
	794	)
	795	self.assertEqual(mxid, "@TEST_USER_2:test")
	796
	797	def test_map_userinfo_to_invalid_localpart(self):
	798	"""If the mapping provider generates an invalid localpart it should be rejected."""
	799	userinfo = {
	800	"sub": "test2",
	801	"username": "föö",
	802	}
	803	token = {}
	804
	805	e = self.get_failure(
	806	self.handler._map_userinfo_to_user(
	807	userinfo, token, "user-agent", "10.10.10.10"
	808	),
	809	MappingException,
	810	)
	811	self.assertEqual(str(e.value), "localpart is invalid: föö")
	812
	813	@override_config(
	814	{
	815	"oidc_config": {
	816	"user_mapping_provider": {
	817	"module": __name__ + ".TestMappingProviderFailures"
	818	}
	819	}
	820	}
	821	)
	822	def test_map_userinfo_to_user_retries(self):
	823	"""The mapping provider can retry generating an MXID if the MXID is already in use."""
	824	store = self.hs.get_datastore()
	825	self.get_success(
	826	store.register_user(user_id="@test_user:test", password_hash=None)
	827	)
	828	userinfo = {
	829	"sub": "test",
	830	"username": "test_user",
	831	}
	832	token = {}
	833	mxid = self.get_success(
	834	self.handler._map_userinfo_to_user(
	835	userinfo, token, "user-agent", "10.10.10.10"
	836	)
	837	)
	838	# test_user is already taken, so test_user1 gets registered instead.
	839	self.assertEqual(mxid, "@test_user1:test")
	840
	841	# Register all of the potential mxids for a particular OIDC username.
	842	self.get_success(
	843	store.register_user(user_id="@tester:test", password_hash=None)
	844	)
	845	for i in range(1, 3):
	846	self.get_success(
	847	store.register_user(user_id="@tester%d:test" % i, password_hash=None)
	848	)
	849
	850	# Now attempt to map to a username, this will fail since all potential usernames are taken.
	851	userinfo = {
	852	"sub": "tester",
	853	"username": "tester",
	854	}
	855	e = self.get_failure(
	856	self.handler._map_userinfo_to_user(
	857	userinfo, token, "user-agent", "10.10.10.10"
	858	),
	859	MappingException,
	860	)
	861	self.assertEqual(
	862	str(e.value), "Unable to generate a Matrix ID from the SSO response"
	863	)

+580

-0

tests/handlers/test_password_providers.py less more

	0	# -- coding: utf-8 --
	1	# Copyright 2020 The Matrix.org Foundation C.I.C.
	2	#
	3	# Licensed under the Apache License, Version 2.0 (the "License");
	4	# you may not use this file except in compliance with the License.
	5	# You may obtain a copy of the License at
	6	#
	7	# http://www.apache.org/licenses/LICENSE-2.0
	8	#
	9	# Unless required by applicable law or agreed to in writing, software
	10	# distributed under the License is distributed on an "AS IS" BASIS,
	11	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	12	# See the License for the specific language governing permissions and
	13	# limitations under the License.
	14
	15	"""Tests for the password_auth_provider interface"""
	16
	17	from typing import Any, Type, Union
	18
	19	from mock import Mock
	20
	21	from twisted.internet import defer
	22
	23	import synapse
	24	from synapse.rest.client.v1 import login
	25	from synapse.rest.client.v2_alpha import devices
	26	from synapse.types import JsonDict
	27
	28	from tests import unittest
	29	from tests.server import FakeChannel
	30	from tests.unittest import override_config
	31
	32	# (possibly experimental) login flows we expect to appear in the list after the normal
	33	# ones
	34	ADDITIONAL_LOGIN_FLOWS = [{"type": "uk.half-shot.msc2778.login.application_service"}]
	35
	36	# a mock instance which the dummy auth providers delegate to, so we can see what's going
	37	# on
	38	mock_password_provider = Mock()
	39
	40
	41	class PasswordOnlyAuthProvider:
	42	"""A password_provider which only implements `check_password`."""
	43
	44	@staticmethod
	45	def parse_config(self):
	46	pass
	47
	48	def __init__(self, config, account_handler):
	49	pass
	50
	51	def check_password(self, *args):
	52	return mock_password_provider.check_password(*args)
	53
	54
	55	class CustomAuthProvider:
	56	"""A password_provider which implements a custom login type."""
	57
	58	@staticmethod
	59	def parse_config(self):
	60	pass
	61
	62	def __init__(self, config, account_handler):
	63	pass
	64
	65	def get_supported_login_types(self):
	66	return {"test.login_type": ["test_field"]}
	67
	68	def check_auth(self, *args):
	69	return mock_password_provider.check_auth(*args)
	70
	71
	72	class PasswordCustomAuthProvider:
	73	"""A password_provider which implements password login via `check_auth`, as well
	74	as a custom type."""
	75
	76	@staticmethod
	77	def parse_config(self):
	78	pass
	79
	80	def __init__(self, config, account_handler):
	81	pass
	82
	83	def get_supported_login_types(self):
	84	return {"m.login.password": ["password"], "test.login_type": ["test_field"]}
	85
	86	def check_auth(self, *args):
	87	return mock_password_provider.check_auth(*args)
	88
	89
	90	def providers_config(*providers: Type[Any]) -> dict:
	91	"""Returns a config dict that will enable the given password auth providers"""
	92	return {
	93	"password_providers": [
	94	{"module": "%s.%s" % (__name__, provider.__qualname__), "config": {}}
	95	for provider in providers
	96	]
	97	}
	98
	99
	100	class PasswordAuthProviderTests(unittest.HomeserverTestCase):
	101	servlets = [
	102	synapse.rest.admin.register_servlets,
	103	login.register_servlets,
	104	devices.register_servlets,
	105	]
	106
	107	def setUp(self):
	108	# we use a global mock device, so make sure we are starting with a clean slate
	109	mock_password_provider.reset_mock()
	110	super().setUp()
	111
	112	@override_config(providers_config(PasswordOnlyAuthProvider))
	113	def test_password_only_auth_provider_login(self):
	114	# login flows should only have m.login.password
	115	flows = self._get_login_flows()
	116	self.assertEqual(flows, [{"type": "m.login.password"}] + ADDITIONAL_LOGIN_FLOWS)
	117
	118	# check_password must return an awaitable
	119	mock_password_provider.check_password.return_value = defer.succeed(True)
	120	channel = self._send_password_login("u", "p")
	121	self.assertEqual(channel.code, 200, channel.result)
	122	self.assertEqual("@u:test", channel.json_body["user_id"])
	123	mock_password_provider.check_password.assert_called_once_with("@u:test", "p")
	124	mock_password_provider.reset_mock()
	125
	126	# login with mxid should work too
	127	channel = self._send_password_login("@u:bz", "p")
	128	self.assertEqual(channel.code, 200, channel.result)
	129	self.assertEqual("@u:bz", channel.json_body["user_id"])
	130	mock_password_provider.check_password.assert_called_once_with("@u:bz", "p")
	131	mock_password_provider.reset_mock()
	132
	133	# try a weird username / pass. Honestly it's unclear what we expect to happen
	134	# in these cases, but at least we can guard against the API changing
	135	# unexpectedly
	136	channel = self._send_password_login(" USER🙂NAME ", " pASS\U0001F622word ")
	137	self.assertEqual(channel.code, 200, channel.result)
	138	self.assertEqual("@ USER🙂NAME :test", channel.json_body["user_id"])
	139	mock_password_provider.check_password.assert_called_once_with(
	140	"@ USER🙂NAME :test", " pASS😢word "
	141	)
	142
	143	@override_config(providers_config(PasswordOnlyAuthProvider))
	144	def test_password_only_auth_provider_ui_auth(self):
	145	"""UI Auth should delegate correctly to the password provider"""
	146
	147	# create the user, otherwise access doesn't work
	148	module_api = self.hs.get_module_api()
	149	self.get_success(module_api.register_user("u"))
	150
	151	# log in twice, to get two devices
	152	mock_password_provider.check_password.return_value = defer.succeed(True)
	153	tok1 = self.login("u", "p")
	154	self.login("u", "p", device_id="dev2")
	155	mock_password_provider.reset_mock()
	156
	157	# have the auth provider deny the request to start with
	158	mock_password_provider.check_password.return_value = defer.succeed(False)
	159
	160	# make the initial request which returns a 401
	161	session = self._start_delete_device_session(tok1, "dev2")
	162	mock_password_provider.check_password.assert_not_called()
	163
	164	# Make another request providing the UI auth flow.
	165	channel = self._authed_delete_device(tok1, "dev2", session, "u", "p")
	166	self.assertEqual(channel.code, 401) # XXX why not a 403?
	167	self.assertEqual(channel.json_body["errcode"], "M_FORBIDDEN")
	168	mock_password_provider.check_password.assert_called_once_with("@u:test", "p")
	169	mock_password_provider.reset_mock()
	170
	171	# Finally, check the request goes through when we allow it
	172	mock_password_provider.check_password.return_value = defer.succeed(True)
	173	channel = self._authed_delete_device(tok1, "dev2", session, "u", "p")
	174	self.assertEqual(channel.code, 200)
	175	mock_password_provider.check_password.assert_called_once_with("@u:test", "p")
	176
	177	@override_config(providers_config(PasswordOnlyAuthProvider))
	178	def test_local_user_fallback_login(self):
	179	"""rejected login should fall back to local db"""
	180	self.register_user("localuser", "localpass")
	181
	182	# check_password must return an awaitable
	183	mock_password_provider.check_password.return_value = defer.succeed(False)
	184	channel = self._send_password_login("u", "p")
	185	self.assertEqual(channel.code, 403, channel.result)
	186
	187	channel = self._send_password_login("localuser", "localpass")
	188	self.assertEqual(channel.code, 200, channel.result)
	189	self.assertEqual("@localuser:test", channel.json_body["user_id"])
	190
	191	@override_config(providers_config(PasswordOnlyAuthProvider))
	192	def test_local_user_fallback_ui_auth(self):
	193	"""rejected login should fall back to local db"""
	194	self.register_user("localuser", "localpass")
	195
	196	# have the auth provider deny the request
	197	mock_password_provider.check_password.return_value = defer.succeed(False)
	198
	199	# log in twice, to get two devices
	200	tok1 = self.login("localuser", "localpass")
	201	self.login("localuser", "localpass", device_id="dev2")
	202	mock_password_provider.check_password.reset_mock()
	203
	204	# first delete should give a 401
	205	session = self._start_delete_device_session(tok1, "dev2")
	206	mock_password_provider.check_password.assert_not_called()
	207
	208	# Wrong password
	209	channel = self._authed_delete_device(tok1, "dev2", session, "localuser", "xxx")
	210	self.assertEqual(channel.code, 401) # XXX why not a 403?
	211	self.assertEqual(channel.json_body["errcode"], "M_FORBIDDEN")
	212	mock_password_provider.check_password.assert_called_once_with(
	213	"@localuser:test", "xxx"
	214	)
	215	mock_password_provider.reset_mock()
	216
	217	# Right password
	218	channel = self._authed_delete_device(
	219	tok1, "dev2", session, "localuser", "localpass"
	220	)
	221	self.assertEqual(channel.code, 200)
	222	mock_password_provider.check_password.assert_called_once_with(
	223	"@localuser:test", "localpass"
	224	)
	225
	226	@override_config(
	227	{
	228	**providers_config(PasswordOnlyAuthProvider),
	229	"password_config": {"localdb_enabled": False},
	230	}
	231	)
	232	def test_no_local_user_fallback_login(self):
	233	"""localdb_enabled can block login with the local password
	234	"""
	235	self.register_user("localuser", "localpass")
	236
	237	# check_password must return an awaitable
	238	mock_password_provider.check_password.return_value = defer.succeed(False)
	239	channel = self._send_password_login("localuser", "localpass")
	240	self.assertEqual(channel.code, 403)
	241	self.assertEqual(channel.json_body["errcode"], "M_FORBIDDEN")
	242	mock_password_provider.check_password.assert_called_once_with(
	243	"@localuser:test", "localpass"
	244	)
	245
	246	@override_config(
	247	{
	248	**providers_config(PasswordOnlyAuthProvider),
	249	"password_config": {"localdb_enabled": False},
	250	}
	251	)
	252	def test_no_local_user_fallback_ui_auth(self):
	253	"""localdb_enabled can block ui auth with the local password
	254	"""
	255	self.register_user("localuser", "localpass")
	256
	257	# allow login via the auth provider
	258	mock_password_provider.check_password.return_value = defer.succeed(True)
	259
	260	# log in twice, to get two devices
	261	tok1 = self.login("localuser", "p")
	262	self.login("localuser", "p", device_id="dev2")
	263	mock_password_provider.check_password.reset_mock()
	264
	265	# first delete should give a 401
	266	channel = self._delete_device(tok1, "dev2")
	267	self.assertEqual(channel.code, 401)
	268	# m.login.password UIA is permitted because the auth provider allows it,
	269	# even though the localdb does not.
	270	self.assertEqual(channel.json_body["flows"], [{"stages": ["m.login.password"]}])
	271	session = channel.json_body["session"]
	272	mock_password_provider.check_password.assert_not_called()
	273
	274	# now try deleting with the local password
	275	mock_password_provider.check_password.return_value = defer.succeed(False)
	276	channel = self._authed_delete_device(
	277	tok1, "dev2", session, "localuser", "localpass"
	278	)
	279	self.assertEqual(channel.code, 401) # XXX why not a 403?
	280	self.assertEqual(channel.json_body["errcode"], "M_FORBIDDEN")
	281	mock_password_provider.check_password.assert_called_once_with(
	282	"@localuser:test", "localpass"
	283	)
	284
	285	@override_config(
	286	{
	287	**providers_config(PasswordOnlyAuthProvider),
	288	"password_config": {"enabled": False},
	289	}
	290	)
	291	def test_password_auth_disabled(self):
	292	"""password auth doesn't work if it's disabled across the board"""
	293	# login flows should be empty
	294	flows = self._get_login_flows()
	295	self.assertEqual(flows, ADDITIONAL_LOGIN_FLOWS)
	296
	297	# login shouldn't work and should be rejected with a 400 ("unknown login type")
	298	channel = self._send_password_login("u", "p")
	299	self.assertEqual(channel.code, 400, channel.result)
	300	mock_password_provider.check_password.assert_not_called()
	301
	302	@override_config(providers_config(CustomAuthProvider))
	303	def test_custom_auth_provider_login(self):
	304	# login flows should have the custom flow and m.login.password, since we
	305	# haven't disabled local password lookup.
	306	# (password must come first, because reasons)
	307	flows = self._get_login_flows()
	308	self.assertEqual(
	309	flows,
	310	[{"type": "m.login.password"}, {"type": "test.login_type"}]
	311	+ ADDITIONAL_LOGIN_FLOWS,
	312	)
	313
	314	# login with missing param should be rejected
	315	channel = self._send_login("test.login_type", "u")
	316	self.assertEqual(channel.code, 400, channel.result)
	317	mock_password_provider.check_auth.assert_not_called()
	318
	319	mock_password_provider.check_auth.return_value = defer.succeed("@user:bz")
	320	channel = self._send_login("test.login_type", "u", test_field="y")
	321	self.assertEqual(channel.code, 200, channel.result)
	322	self.assertEqual("@user:bz", channel.json_body["user_id"])
	323	mock_password_provider.check_auth.assert_called_once_with(
	324	"u", "test.login_type", {"test_field": "y"}
	325	)
	326	mock_password_provider.reset_mock()
	327
	328	# try a weird username. Again, it's unclear what we expect to happen
	329	# in these cases, but at least we can guard against the API changing
	330	# unexpectedly
	331	mock_password_provider.check_auth.return_value = defer.succeed(
	332	"@ MALFORMED! :bz"
	333	)
	334	channel = self._send_login("test.login_type", " USER🙂NAME ", test_field=" abc ")
	335	self.assertEqual(channel.code, 200, channel.result)
	336	self.assertEqual("@ MALFORMED! :bz", channel.json_body["user_id"])
	337	mock_password_provider.check_auth.assert_called_once_with(
	338	" USER🙂NAME ", "test.login_type", {"test_field": " abc "}
	339	)
	340
	341	@override_config(providers_config(CustomAuthProvider))
	342	def test_custom_auth_provider_ui_auth(self):
	343	# register the user and log in twice, to get two devices
	344	self.register_user("localuser", "localpass")
	345	tok1 = self.login("localuser", "localpass")
	346	self.login("localuser", "localpass", device_id="dev2")
	347
	348	# make the initial request which returns a 401
	349	channel = self._delete_device(tok1, "dev2")
	350	self.assertEqual(channel.code, 401)
	351	# Ensure that flows are what is expected.
	352	self.assertIn({"stages": ["m.login.password"]}, channel.json_body["flows"])
	353	self.assertIn({"stages": ["test.login_type"]}, channel.json_body["flows"])
	354	session = channel.json_body["session"]
	355
	356	# missing param
	357	body = {
	358	"auth": {
	359	"type": "test.login_type",
	360	"identifier": {"type": "m.id.user", "user": "localuser"},
	361	"session": session,
	362	},
	363	}
	364
	365	channel = self._delete_device(tok1, "dev2", body)
	366	self.assertEqual(channel.code, 400)
	367	# there's a perfectly good M_MISSING_PARAM errcode, but heaven forfend we should
	368	# use it...
	369	self.assertIn("Missing parameters", channel.json_body["error"])
	370	mock_password_provider.check_auth.assert_not_called()
	371	mock_password_provider.reset_mock()
	372
	373	# right params, but authing as the wrong user
	374	mock_password_provider.check_auth.return_value = defer.succeed("@user:bz")
	375	body["auth"]["test_field"] = "foo"
	376	channel = self._delete_device(tok1, "dev2", body)
	377	self.assertEqual(channel.code, 403)
	378	self.assertEqual(channel.json_body["errcode"], "M_FORBIDDEN")
	379	mock_password_provider.check_auth.assert_called_once_with(
	380	"localuser", "test.login_type", {"test_field": "foo"}
	381	)
	382	mock_password_provider.reset_mock()
	383
	384	# and finally, succeed
	385	mock_password_provider.check_auth.return_value = defer.succeed(
	386	"@localuser:test"
	387	)
	388	channel = self._delete_device(tok1, "dev2", body)
	389	self.assertEqual(channel.code, 200)
	390	mock_password_provider.check_auth.assert_called_once_with(
	391	"localuser", "test.login_type", {"test_field": "foo"}
	392	)
	393
	394	@override_config(providers_config(CustomAuthProvider))
	395	def test_custom_auth_provider_callback(self):
	396	callback = Mock(return_value=defer.succeed(None))
	397
	398	mock_password_provider.check_auth.return_value = defer.succeed(
	399	("@user:bz", callback)
	400	)
	401	channel = self._send_login("test.login_type", "u", test_field="y")
	402	self.assertEqual(channel.code, 200, channel.result)
	403	self.assertEqual("@user:bz", channel.json_body["user_id"])
	404	mock_password_provider.check_auth.assert_called_once_with(
	405	"u", "test.login_type", {"test_field": "y"}
	406	)
	407
	408	# check the args to the callback
	409	callback.assert_called_once()
	410	call_args, call_kwargs = callback.call_args
	411	# should be one positional arg
	412	self.assertEqual(len(call_args), 1)
	413	self.assertEqual(call_args[0]["user_id"], "@user:bz")
	414	for p in ["user_id", "access_token", "device_id", "home_server"]:
	415	self.assertIn(p, call_args[0])
	416
	417	@override_config(
	418	{**providers_config(CustomAuthProvider), "password_config": {"enabled": False}}
	419	)
	420	def test_custom_auth_password_disabled(self):
	421	"""Test login with a custom auth provider where password login is disabled"""
	422	self.register_user("localuser", "localpass")
	423
	424	flows = self._get_login_flows()
	425	self.assertEqual(flows, [{"type": "test.login_type"}] + ADDITIONAL_LOGIN_FLOWS)
	426
	427	# login shouldn't work and should be rejected with a 400 ("unknown login type")
	428	channel = self._send_password_login("localuser", "localpass")
	429	self.assertEqual(channel.code, 400, channel.result)
	430	mock_password_provider.check_auth.assert_not_called()
	431
	432	@override_config(
	433	{
	434	**providers_config(PasswordCustomAuthProvider),
	435	"password_config": {"enabled": False},
	436	}
	437	)
	438	def test_password_custom_auth_password_disabled_login(self):
	439	"""log in with a custom auth provider which implements password, but password
	440	login is disabled"""
	441	self.register_user("localuser", "localpass")
	442
	443	flows = self._get_login_flows()
	444	self.assertEqual(flows, [{"type": "test.login_type"}] + ADDITIONAL_LOGIN_FLOWS)
	445
	446	# login shouldn't work and should be rejected with a 400 ("unknown login type")
	447	channel = self._send_password_login("localuser", "localpass")
	448	self.assertEqual(channel.code, 400, channel.result)
	449	mock_password_provider.check_auth.assert_not_called()
	450
	451	@override_config(
	452	{
	453	**providers_config(PasswordCustomAuthProvider),
	454	"password_config": {"enabled": False},
	455	}
	456	)
	457	def test_password_custom_auth_password_disabled_ui_auth(self):
	458	"""UI Auth with a custom auth provider which implements password, but password
	459	login is disabled"""
	460	# register the user and log in twice via the test login type to get two devices,
	461	self.register_user("localuser", "localpass")
	462	mock_password_provider.check_auth.return_value = defer.succeed(
	463	"@localuser:test"
	464	)
	465	channel = self._send_login("test.login_type", "localuser", test_field="")
	466	self.assertEqual(channel.code, 200, channel.result)
	467	tok1 = channel.json_body["access_token"]
	468
	469	channel = self._send_login(
	470	"test.login_type", "localuser", test_field="", device_id="dev2"
	471	)
	472	self.assertEqual(channel.code, 200, channel.result)
	473
	474	# make the initial request which returns a 401
	475	channel = self._delete_device(tok1, "dev2")
	476	self.assertEqual(channel.code, 401)
	477	# Ensure that flows are what is expected. In particular, "password" should not
	478	# be present.
	479	self.assertIn({"stages": ["test.login_type"]}, channel.json_body["flows"])
	480	session = channel.json_body["session"]
	481
	482	mock_password_provider.reset_mock()
	483
	484	# check that auth with password is rejected
	485	body = {
	486	"auth": {
	487	"type": "m.login.password",
	488	"identifier": {"type": "m.id.user", "user": "localuser"},
	489	"password": "localpass",
	490	"session": session,
	491	},
	492	}
	493
	494	channel = self._delete_device(tok1, "dev2", body)
	495	self.assertEqual(channel.code, 400)
	496	self.assertEqual(
	497	"Password login has been disabled.", channel.json_body["error"]
	498	)
	499	mock_password_provider.check_auth.assert_not_called()
	500	mock_password_provider.reset_mock()
	501
	502	# successful auth
	503	body["auth"]["type"] = "test.login_type"
	504	body["auth"]["test_field"] = "x"
	505	channel = self._delete_device(tok1, "dev2", body)
	506	self.assertEqual(channel.code, 200)
	507	mock_password_provider.check_auth.assert_called_once_with(
	508	"localuser", "test.login_type", {"test_field": "x"}
	509	)
	510
	511	@override_config(
	512	{
	513	**providers_config(CustomAuthProvider),
	514	"password_config": {"localdb_enabled": False},
	515	}
	516	)
	517	def test_custom_auth_no_local_user_fallback(self):
	518	"""Test login with a custom auth provider where the local db is disabled"""
	519	self.register_user("localuser", "localpass")
	520
	521	flows = self._get_login_flows()
	522	self.assertEqual(flows, [{"type": "test.login_type"}] + ADDITIONAL_LOGIN_FLOWS)
	523
	524	# password login shouldn't work and should be rejected with a 400
	525	# ("unknown login type")
	526	channel = self._send_password_login("localuser", "localpass")
	527	self.assertEqual(channel.code, 400, channel.result)
	528
	529	def _get_login_flows(self) -> JsonDict:
	530	_, channel = self.make_request("GET", "/_matrix/client/r0/login")
	531	self.assertEqual(channel.code, 200, channel.result)
	532	return channel.json_body["flows"]
	533
	534	def _send_password_login(self, user: str, password: str) -> FakeChannel:
	535	return self._send_login(type="m.login.password", user=user, password=password)
	536
	537	def _send_login(self, type, user, **params) -> FakeChannel:
	538	params.update({"identifier": {"type": "m.id.user", "user": user}, "type": type})
	539	_, channel = self.make_request("POST", "/_matrix/client/r0/login", params)
	540	return channel
	541
	542	def _start_delete_device_session(self, access_token, device_id) -> str:
	543	"""Make an initial delete device request, and return the UI Auth session ID"""
	544	channel = self._delete_device(access_token, device_id)
	545	self.assertEqual(channel.code, 401)
	546	# Ensure that flows are what is expected.
	547	self.assertIn({"stages": ["m.login.password"]}, channel.json_body["flows"])
	548	return channel.json_body["session"]
	549
	550	def _authed_delete_device(
	551	self,
	552	access_token: str,
	553	device_id: str,
	554	session: str,
	555	user_id: str,
	556	password: str,
	557	) -> FakeChannel:
	558	"""Make a delete device request, authenticating with the given uid/password"""
	559	return self._delete_device(
	560	access_token,
	561	device_id,
	562	{
	563	"auth": {
	564	"type": "m.login.password",
	565	"identifier": {"type": "m.id.user", "user": user_id},
	566	"password": password,
	567	"session": session,
	568	},
	569	},
	570	)
	571
	572	def _delete_device(
	573	self, access_token: str, device: str, body: Union[JsonDict, bytes] = b"",
	574	) -> FakeChannel:
	575	"""Delete an individual device."""
	576	_, channel = self.make_request(
	577	"DELETE", "devices/" + device, body, access_token=access_token
	578	)
	579	return channel

+196

-0

tests/handlers/test_saml.py less more

	0	# Copyright 2020 The Matrix.org Foundation C.I.C.
	1	#
	2	# Licensed under the Apache License, Version 2.0 (the "License");
	3	# you may not use this file except in compliance with the License.
	4	# You may obtain a copy of the License at
	5	#
	6	# http://www.apache.org/licenses/LICENSE-2.0
	7	#
	8	# Unless required by applicable law or agreed to in writing, software
	9	# distributed under the License is distributed on an "AS IS" BASIS,
	10	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	11	# See the License for the specific language governing permissions and
	12	# limitations under the License.
	13
	14	import attr
	15
	16	from synapse.api.errors import RedirectException
	17	from synapse.handlers.sso import MappingException
	18
	19	from tests.unittest import HomeserverTestCase, override_config
	20
	21	# These are a few constants that are used as config parameters in the tests.
	22	BASE_URL = "https://synapse/"
	23
	24
	25	@attr.s
	26	class FakeAuthnResponse:
	27	ava = attr.ib(type=dict)
	28
	29
	30	class TestMappingProvider:
	31	def __init__(self, config, module):
	32	pass
	33
	34	@staticmethod
	35	def parse_config(config):
	36	return
	37
	38	@staticmethod
	39	def get_saml_attributes(config):
	40	return {"uid"}, {"displayName"}
	41
	42	def get_remote_user_id(self, saml_response, client_redirect_url):
	43	return saml_response.ava["uid"]
	44
	45	def saml_response_to_user_attributes(
	46	self, saml_response, failures, client_redirect_url
	47	):
	48	localpart = saml_response.ava["username"] + (str(failures) if failures else "")
	49	return {"mxid_localpart": localpart, "displayname": None}
	50
	51
	52	class TestRedirectMappingProvider(TestMappingProvider):
	53	def saml_response_to_user_attributes(
	54	self, saml_response, failures, client_redirect_url
	55	):
	56	raise RedirectException(b"https://custom-saml-redirect/")
	57
	58
	59	class SamlHandlerTestCase(HomeserverTestCase):
	60	def default_config(self):
	61	config = super().default_config()
	62	config["public_baseurl"] = BASE_URL
	63	saml_config = {
	64	"sp_config": {"metadata": {}},
	65	# Disable grandfathering.
	66	"grandfathered_mxid_source_attribute": None,
	67	"user_mapping_provider": {"module": __name__ + ".TestMappingProvider"},
	68	}
	69
	70	# Update this config with what's in the default config so that
	71	# override_config works as expected.
	72	saml_config.update(config.get("saml2_config", {}))
	73	config["saml2_config"] = saml_config
	74
	75	return config
	76
	77	def make_homeserver(self, reactor, clock):
	78	hs = self.setup_test_homeserver()
	79
	80	self.handler = hs.get_saml_handler()
	81
	82	# Reduce the number of attempts when generating MXIDs.
	83	sso_handler = hs.get_sso_handler()
	84	sso_handler._MAP_USERNAME_RETRIES = 3
	85
	86	return hs
	87
	88	def test_map_saml_response_to_user(self):
	89	"""Ensure that mapping the SAML response returned from a provider to an MXID works properly."""
	90	saml_response = FakeAuthnResponse({"uid": "test_user", "username": "test_user"})
	91	# The redirect_url doesn't matter with the default user mapping provider.
	92	redirect_url = ""
	93	mxid = self.get_success(
	94	self.handler._map_saml_response_to_user(
	95	saml_response, redirect_url, "user-agent", "10.10.10.10"
	96	)
	97	)
	98	self.assertEqual(mxid, "@test_user:test")
	99
	100	@override_config({"saml2_config": {"grandfathered_mxid_source_attribute": "mxid"}})
	101	def test_map_saml_response_to_existing_user(self):
	102	"""Existing users can log in with SAML account."""
	103	store = self.hs.get_datastore()
	104	self.get_success(
	105	store.register_user(user_id="@test_user:test", password_hash=None)
	106	)
	107
	108	# Map a user via SSO.
	109	saml_response = FakeAuthnResponse(
	110	{"uid": "tester", "mxid": ["test_user"], "username": "test_user"}
	111	)
	112	redirect_url = ""
	113	mxid = self.get_success(
	114	self.handler._map_saml_response_to_user(
	115	saml_response, redirect_url, "user-agent", "10.10.10.10"
	116	)
	117	)
	118	self.assertEqual(mxid, "@test_user:test")
	119
	120	# Subsequent calls should map to the same mxid.
	121	mxid = self.get_success(
	122	self.handler._map_saml_response_to_user(
	123	saml_response, redirect_url, "user-agent", "10.10.10.10"
	124	)
	125	)
	126	self.assertEqual(mxid, "@test_user:test")
	127
	128	def test_map_saml_response_to_invalid_localpart(self):
	129	"""If the mapping provider generates an invalid localpart it should be rejected."""
	130	saml_response = FakeAuthnResponse({"uid": "test", "username": "föö"})
	131	redirect_url = ""
	132	e = self.get_failure(
	133	self.handler._map_saml_response_to_user(
	134	saml_response, redirect_url, "user-agent", "10.10.10.10"
	135	),
	136	MappingException,
	137	)
	138	self.assertEqual(str(e.value), "localpart is invalid: föö")
	139
	140	def test_map_saml_response_to_user_retries(self):
	141	"""The mapping provider can retry generating an MXID if the MXID is already in use."""
	142	store = self.hs.get_datastore()
	143	self.get_success(
	144	store.register_user(user_id="@test_user:test", password_hash=None)
	145	)
	146	saml_response = FakeAuthnResponse({"uid": "test", "username": "test_user"})
	147	redirect_url = ""
	148	mxid = self.get_success(
	149	self.handler._map_saml_response_to_user(
	150	saml_response, redirect_url, "user-agent", "10.10.10.10"
	151	)
	152	)
	153	# test_user is already taken, so test_user1 gets registered instead.
	154	self.assertEqual(mxid, "@test_user1:test")
	155
	156	# Register all of the potential mxids for a particular SAML username.
	157	self.get_success(
	158	store.register_user(user_id="@tester:test", password_hash=None)
	159	)
	160	for i in range(1, 3):
	161	self.get_success(
	162	store.register_user(user_id="@tester%d:test" % i, password_hash=None)
	163	)
	164
	165	# Now attempt to map to a username, this will fail since all potential usernames are taken.
	166	saml_response = FakeAuthnResponse({"uid": "tester", "username": "tester"})
	167	e = self.get_failure(
	168	self.handler._map_saml_response_to_user(
	169	saml_response, redirect_url, "user-agent", "10.10.10.10"
	170	),
	171	MappingException,
	172	)
	173	self.assertEqual(
	174	str(e.value), "Unable to generate a Matrix ID from the SSO response"
	175	)
	176
	177	@override_config(
	178	{
	179	"saml2_config": {
	180	"user_mapping_provider": {
	181	"module": __name__ + ".TestRedirectMappingProvider"
	182	},
	183	}
	184	}
	185	)
	186	def test_map_saml_response_redirect(self):
	187	saml_response = FakeAuthnResponse({"uid": "test", "username": "test_user"})
	188	redirect_url = ""
	189	e = self.get_failure(
	190	self.handler._map_saml_response_to_user(
	191	saml_response, redirect_url, "user-agent", "10.10.10.10"
	192	),
	193	RedirectException,
	194	)
	195	self.assertEqual(e.value.location, b"https://custom-saml-redirect/")

+10

-4

tests/handlers/test_sync.py less more

15	15	from synapse.api.errors import Codes, ResourceLimitError
16	16	from synapse.api.filtering import DEFAULT_FILTER_COLLECTION
17	17	from synapse.handlers.sync import SyncConfig
18		from synapse.types import UserID
	18	from synapse.types import UserID, create_requester
19	19
20	20	import tests.unittest
21	21	import tests.utils

37	37	user_id1 = "@user1:test"
38	38	user_id2 = "@user2:test"
39	39	sync_config = self._generate_sync_config(user_id1)
	40	requester = create_requester(user_id1)
40	41
41	42	self.reactor.advance(100) # So we get not 0 time
42	43	self.auth_blocking._limit_usage_by_mau = True

44	45
45	46	# Check that the happy case does not throw errors
46	47	self.get_success(self.store.upsert_monthly_active_user(user_id1))
47		self.get_success(self.sync_handler.wait_for_sync_for_user(sync_config))
	48	self.get_success(
	49	self.sync_handler.wait_for_sync_for_user(requester, sync_config)
	50	)
48	51
49	52	# Test that global lock works
50	53	self.auth_blocking._hs_disabled = True
51	54	e = self.get_failure(
52		self.sync_handler.wait_for_sync_for_user(sync_config), ResourceLimitError
	55	self.sync_handler.wait_for_sync_for_user(requester, sync_config),
	56	ResourceLimitError,
53	57	)
54	58	self.assertEquals(e.value.errcode, Codes.RESOURCE_LIMIT_EXCEEDED)
55	59
56	60	self.auth_blocking._hs_disabled = False
57	61
58	62	sync_config = self._generate_sync_config(user_id2)
	63	requester = create_requester(user_id2)
59	64
60	65	e = self.get_failure(
61		self.sync_handler.wait_for_sync_for_user(sync_config), ResourceLimitError
	66	self.sync_handler.wait_for_sync_for_user(requester, sync_config),
	67	ResourceLimitError,
62	68	)
63	69	self.assertEquals(e.value.errcode, Codes.RESOURCE_LIMIT_EXCEEDED)
64	70

+0

-1

tests/handlers/test_typing.py less more

227	227	),
228	228	federation_auth_origin=b"farm",
229	229	)
230		self.render(request)
231	230	self.assertEqual(channel.code, 200)
232	231
233	232	self.on_new_event.assert_has_calls([call("typing_key", 1, rooms=[ROOM_ID])])

+0

-2

tests/handlers/test_user_directory.py less more

536	536	request, channel = self.make_request(
537	537	"POST", b"user_directory/search", b'{"search_term":"user2"}'
538	538	)
539		self.render(request)
540	539	self.assertEquals(200, channel.code, channel.result)
541	540	self.assertTrue(len(channel.json_body["results"]) > 0)
542	541

545	544	request, channel = self.make_request(
546	545	"POST", b"user_directory/search", b'{"search_term":"user2"}'
547	546	)
548		self.render(request)
549	547	self.assertEquals(200, channel.code, channel.result)
550	548	self.assertTrue(len(channel.json_body["results"]) == 0)

+5

-6

tests/http/test_additional_resource.py less more

16	16	from synapse.http.additional_resource import AdditionalResource
17	17	from synapse.http.server import respond_with_json
18	18
	19	from tests.server import FakeSite, make_request
19	20	from tests.unittest import HomeserverTestCase
20	21
21	22

42	43
43	44	def test_async(self):
44	45	handler = _AsyncTestCustomEndpoint({}, None).handle_request
45		self.resource = AdditionalResource(self.hs, handler)
	46	resource = AdditionalResource(self.hs, handler)
46	47
47		request, channel = self.make_request("GET", "/")
48		self.render(request)
	48	request, channel = make_request(self.reactor, FakeSite(resource), "GET", "/")
49	49
50	50	self.assertEqual(request.code, 200)
51	51	self.assertEqual(channel.json_body, {"some_key": "some_value_async"})
52	52
53	53	def test_sync(self):
54	54	handler = _SyncTestCustomEndpoint({}, None).handle_request
55		self.resource = AdditionalResource(self.hs, handler)
	55	resource = AdditionalResource(self.hs, handler)
56	56
57		request, channel = self.make_request("GET", "/")
58		self.render(request)
	57	request, channel = make_request(self.reactor, FakeSite(resource), "GET", "/")
59	58
60	59	self.assertEqual(request.code, 200)
61	60	self.assertEqual(channel.json_body, {"some_key": "some_value_sync"})

+6

-5

tests/module_api/test_api.py less more

93	93	self.assertFalse(hasattr(event, "state_key"))
94	94	self.assertDictEqual(event.content, content)
95	95
	96	expected_requester = create_requester(
	97	user_id, authenticated_entity=self.hs.hostname
	98	)
	99
96	100	# Check that the event was sent
97	101	self.event_creation_handler.create_and_send_nonmember_event.assert_called_with(
98		create_requester(user_id),
99		event_dict,
100		ratelimit=False,
101		ignore_shadow_ban=True,
	102	expected_requester, event_dict, ratelimit=False, ignore_shadow_ban=True,
102	103	)
103	104
104	105	# Create and send a state event

127	128
128	129	# Check that the event was sent
129	130	self.event_creation_handler.create_and_send_nonmember_event.assert_called_with(
130		create_requester(user_id),
	131	expected_requester,
131	132	{
132	133	"type": "m.room.power_levels",
133	134	"content": content,

+162

-3

tests/push/test_http.py less more

11	11	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12	12	# See the License for the specific language governing permissions and
13	13	# limitations under the License.
14
15	14	from mock import Mock
16	15
17	16	from twisted.internet.defer import Deferred

19	18	import synapse.rest.admin
20	19	from synapse.logging.context import make_deferred_yieldable
21	20	from synapse.rest.client.v1 import login, room
22
23		from tests.unittest import HomeserverTestCase
	21	from synapse.rest.client.v2_alpha import receipts
	22
	23	from tests.unittest import HomeserverTestCase, override_config
24	24
25	25
26	26	class HTTPPusherTests(HomeserverTestCase):

28	28	synapse.rest.admin.register_servlets_for_client_rest_resource,
29	29	room.register_servlets,
30	30	login.register_servlets,
	31	receipts.register_servlets,
31	32	]
32	33	user_id = True
33	34	hijack_auth = False

498	499
499	500	# check that this is low-priority
500	501	self.assertEqual(self.push_attempts[1][2]["notification"]["prio"], "low")
	502
	503	def test_push_unread_count_group_by_room(self):
	504	"""
	505	The HTTP pusher will group unread count by number of unread rooms.
	506	"""
	507	# Carry out common push count tests and setup
	508	self._test_push_unread_count()
	509
	510	# Carry out our option-value specific test
	511	#
	512	# This push should still only contain an unread count of 1 (for 1 unread room)
	513	self.assertEqual(
	514	self.push_attempts[5][2]["notification"]["counts"]["unread"], 1
	515	)
	516
	517	@override_config({"push": {"group_unread_count_by_room": False}})
	518	def test_push_unread_count_message_count(self):
	519	"""
	520	The HTTP pusher will send the total unread message count.
	521	"""
	522	# Carry out common push count tests and setup
	523	self._test_push_unread_count()
	524
	525	# Carry out our option-value specific test
	526	#
	527	# We're counting every unread message, so there should now be 4 since the
	528	# last read receipt
	529	self.assertEqual(
	530	self.push_attempts[5][2]["notification"]["counts"]["unread"], 4
	531	)
	532
	533	def _test_push_unread_count(self):
	534	"""
	535	Tests that the correct unread count appears in sent push notifications
	536
	537	Note that:
	538	* Sending messages will cause push notifications to go out to relevant users
	539	* Sending a read receipt will cause a "badge update" notification to go out to
	540	the user that sent the receipt
	541	"""
	542	# Register the user who gets notified
	543	user_id = self.register_user("user", "pass")
	544	access_token = self.login("user", "pass")
	545
	546	# Register the user who sends the message
	547	other_user_id = self.register_user("other_user", "pass")
	548	other_access_token = self.login("other_user", "pass")
	549
	550	# Create a room (as other_user)
	551	room_id = self.helper.create_room_as(other_user_id, tok=other_access_token)
	552
	553	# The user to get notified joins
	554	self.helper.join(room=room_id, user=user_id, tok=access_token)
	555
	556	# Register the pusher
	557	user_tuple = self.get_success(
	558	self.hs.get_datastore().get_user_by_access_token(access_token)
	559	)
	560	token_id = user_tuple.token_id
	561
	562	self.get_success(
	563	self.hs.get_pusherpool().add_pusher(
	564	user_id=user_id,
	565	access_token=token_id,
	566	kind="http",
	567	app_id="m.http",
	568	app_display_name="HTTP Push Notifications",
	569	device_display_name="pushy push",
	570	pushkey="a@example.com",
	571	lang=None,
	572	data={"url": "example.com"},
	573	)
	574	)
	575
	576	# Send a message
	577	response = self.helper.send(
	578	room_id, body="Hello there!", tok=other_access_token
	579	)
	580	# To get an unread count, the user who is getting notified has to have a read
	581	# position in the room. We'll set the read position to this event in a moment
	582	first_message_event_id = response["event_id"]
	583
	584	# Advance time a bit (so the pusher will register something has happened) and
	585	# make the push succeed
	586	self.push_attempts[0][0].callback({})
	587	self.pump()
	588
	589	# Check our push made it
	590	self.assertEqual(len(self.push_attempts), 1)
	591	self.assertEqual(self.push_attempts[0][1], "example.com")
	592
	593	# Check that the unread count for the room is 0
	594	#
	595	# The unread count is zero as the user has no read receipt in the room yet
	596	self.assertEqual(
	597	self.push_attempts[0][2]["notification"]["counts"]["unread"], 0
	598	)
	599
	600	# Now set the user's read receipt position to the first event
	601	#
	602	# This will actually trigger a new notification to be sent out so that
	603	# even if the user does not receive another message, their unread
	604	# count goes down
	605	request, channel = self.make_request(
	606	"POST",
	607	"/rooms/%s/receipt/m.read/%s" % (room_id, first_message_event_id),
	608	{},
	609	access_token=access_token,
	610	)
	611	self.assertEqual(channel.code, 200, channel.json_body)
	612
	613	# Advance time and make the push succeed
	614	self.push_attempts[1][0].callback({})
	615	self.pump()
	616
	617	# Unread count is still zero as we've read the only message in the room
	618	self.assertEqual(len(self.push_attempts), 2)
	619	self.assertEqual(
	620	self.push_attempts[1][2]["notification"]["counts"]["unread"], 0
	621	)
	622
	623	# Send another message
	624	self.helper.send(
	625	room_id, body="How's the weather today?", tok=other_access_token
	626	)
	627
	628	# Advance time and make the push succeed
	629	self.push_attempts[2][0].callback({})
	630	self.pump()
	631
	632	# This push should contain an unread count of 1 as there's now been one
	633	# message since our last read receipt
	634	self.assertEqual(len(self.push_attempts), 3)
	635	self.assertEqual(
	636	self.push_attempts[2][2]["notification"]["counts"]["unread"], 1
	637	)
	638
	639	# Since we're grouping by room, sending more messages shouldn't increase the
	640	# unread count, as they're all being sent in the same room
	641	self.helper.send(room_id, body="Hello?", tok=other_access_token)
	642
	643	# Advance time and make the push succeed
	644	self.pump()
	645	self.push_attempts[3][0].callback({})
	646
	647	self.helper.send(room_id, body="Hello??", tok=other_access_token)
	648
	649	# Advance time and make the push succeed
	650	self.pump()
	651	self.push_attempts[4][0].callback({})
	652
	653	self.helper.send(room_id, body="HELLO???", tok=other_access_token)
	654
	655	# Advance time and make the push succeed
	656	self.pump()
	657	self.push_attempts[5][0].callback({})
	658
	659	self.assertEqual(len(self.push_attempts), 6)

+4

-7

tests/replication/_base.py less more

35	35	from synapse.util import Clock
36	36
37	37	from tests import unittest
38		from tests.server import FakeTransport, render
	38	from tests.server import FakeTransport
39	39
40	40	try:
41	41	import hiredis

77	77	self.worker_hs.get_datastore().db_pool = hs.get_datastore().db_pool
78	78
79	79	self.test_handler = self._build_replication_data_handler()
80		self.worker_hs.replication_data_handler = self.test_handler
	80	self.worker_hs._replication_data_handler = self.test_handler
81	81
82	82	repl_handler = ReplicationCommandHandler(self.worker_hs)
83	83	self.client = ClientReplicationStreamProtocol(

239	239	lambda: self._handle_http_replication_attempt(self.hs, 8765),
240	240	)
241	241
242		def create_test_json_resource(self):
243		"""Overrides `HomeserverTestCase.create_test_json_resource`.
	242	def create_test_resource(self):
	243	"""Overrides `HomeserverTestCase.create_test_resource`.
244	244	"""
245	245	# We override this so that it automatically registers all the HTTP
246	246	# replication servlets, without having to explicitly do that in all

346	346	config["worker_replication_http_port"] = "8765"
347	347	return config
348	348
349		def render_on_worker(self, worker_hs: HomeServer, request: SynapseRequest):
350		render(request, self._hs_to_site[worker_hs].resource, self.reactor)
351
352	349	def replicate(self):
353	350	"""Tell the master side of replication that something has happened, and then
354	351	wait for the replication to occur.

+22

-11

tests/replication/test_client_reader_shard.py less more

19	19
20	20	from tests.replication._base import BaseMultiWorkerStreamTestCase
21	21	from tests.rest.client.v2_alpha.test_auth import DummyRecaptchaChecker
22		from tests.server import FakeChannel
	22	from tests.server import FakeChannel, make_request
23	23
24	24	logger = logging.getLogger(__name__)
25	25

45	45	"""Test that registration works when using a single client reader worker.
46	46	"""
47	47	worker_hs = self.make_worker_hs("synapse.app.client_reader")
	48	site = self._hs_to_site[worker_hs]
48	49
49		request_1, channel_1 = self.make_request(
	50	request_1, channel_1 = make_request(
	51	self.reactor,
	52	site,
50	53	"POST",
51	54	"register",
52	55	{"username": "user", "type": "m.login.password", "password": "bar"},
53	56	) # type: SynapseRequest, FakeChannel
54		self.render_on_worker(worker_hs, request_1)
55	57	self.assertEqual(request_1.code, 401)
56	58
57	59	# Grab the session
58	60	session = channel_1.json_body["session"]
59	61
60	62	# also complete the dummy auth
61		request_2, channel_2 = self.make_request(
62		"POST", "register", {"auth": {"session": session, "type": "m.login.dummy"}}
	63	request_2, channel_2 = make_request(
	64	self.reactor,
	65	site,
	66	"POST",
	67	"register",
	68	{"auth": {"session": session, "type": "m.login.dummy"}},
63	69	) # type: SynapseRequest, FakeChannel
64		self.render_on_worker(worker_hs, request_2)
65	70	self.assertEqual(request_2.code, 200)
66	71
67	72	# We're given a registered user.

73	78	worker_hs_1 = self.make_worker_hs("synapse.app.client_reader")
74	79	worker_hs_2 = self.make_worker_hs("synapse.app.client_reader")
75	80
76		request_1, channel_1 = self.make_request(
	81	site_1 = self._hs_to_site[worker_hs_1]
	82	request_1, channel_1 = make_request(
	83	self.reactor,
	84	site_1,
77	85	"POST",
78	86	"register",
79	87	{"username": "user", "type": "m.login.password", "password": "bar"},
80	88	) # type: SynapseRequest, FakeChannel
81		self.render_on_worker(worker_hs_1, request_1)
82	89	self.assertEqual(request_1.code, 401)
83	90
84	91	# Grab the session
85	92	session = channel_1.json_body["session"]
86	93
87	94	# also complete the dummy auth
88		request_2, channel_2 = self.make_request(
89		"POST", "register", {"auth": {"session": session, "type": "m.login.dummy"}}
	95	site_2 = self._hs_to_site[worker_hs_2]
	96	request_2, channel_2 = make_request(
	97	self.reactor,
	98	site_2,
	99	"POST",
	100	"register",
	101	{"auth": {"session": session, "type": "m.login.dummy"}},
90	102	) # type: SynapseRequest, FakeChannel
91		self.render_on_worker(worker_hs_2, request_2)
92	103	self.assertEqual(request_2.code, 200)
93	104
94	105	# We're given a registered user.

+7

-5

tests/replication/test_multi_media_repo.py less more

27	27
28	28	from tests.http import TestServerTLSConnectionFactory, get_test_ca_cert_file
29	29	from tests.replication._base import BaseMultiWorkerStreamTestCase
30		from tests.server import FakeChannel, FakeTransport
	30	from tests.server import FakeChannel, FakeSite, FakeTransport, make_request
31	31
32	32	logger = logging.getLogger(__name__)
33	33

66	66	The channel for the client request and the outbound request for
67	67	the media which the caller should respond to.
68	68	"""
69
70		request, channel = self.make_request(
	69	resource = hs.get_media_repository_resource().children[b"download"]
	70	_, channel = make_request(
	71	self.reactor,
	72	FakeSite(resource),
71	73	"GET",
72	74	"/{}/{}".format(target, media_id),
73	75	shorthand=False,
74	76	access_token=self.access_token,
75		)
76		request.render(hs.get_media_repository_resource().children[b"download"])
	77	await_result=False,
	78	)
77	79	self.pump()
78	80
79	81	clients = self.reactor.tcpClients

+34

-20

tests/replication/test_sharded_event_persister.py less more

21	21	from synapse.rest.client.v2_alpha import sync
22	22
23	23	from tests.replication._base import BaseMultiWorkerStreamTestCase
	24	from tests.server import make_request
24	25	from tests.utils import USE_POSTGRES_FOR_TESTS
25	26
26	27	logger = logging.getLogger(__name__)

147	148	sync_hs = self.make_worker_hs(
148	149	"synapse.app.generic_worker", {"worker_name": "sync"},
149	150	)
	151	sync_hs_site = self._hs_to_site[sync_hs]
150	152
151	153	# Specially selected room IDs that get persisted on different workers.
152	154	room_id1 = "!foo:test"

177	179	)
178	180
179	181	# Do an initial sync so that we're up to date.
180		request, channel = self.make_request("GET", "/sync", access_token=access_token)
181		self.render_on_worker(sync_hs, request)
	182	request, channel = make_request(
	183	self.reactor, sync_hs_site, "GET", "/sync", access_token=access_token
	184	)
182	185	next_batch = channel.json_body["next_batch"]
183	186
184	187	# We now gut wrench into the events stream MultiWriterIdGenerator on

202	205
203	206	# Check that syncing still gets the new event, despite the gap in the
204	207	# stream IDs.
205		request, channel = self.make_request(
206		"GET", "/sync?since={}".format(next_batch), access_token=access_token
207		)
208		self.render_on_worker(sync_hs, request)
	208	request, channel = make_request(
	209	self.reactor,
	210	sync_hs_site,
	211	"GET",
	212	"/sync?since={}".format(next_batch),
	213	access_token=access_token,
	214	)
209	215
210	216	# We should only see the new event and nothing else
211	217	self.assertIn(room_id1, channel.json_body["rooms"]["join"])

229	235	response = self.helper.send(room_id2, body="Hi!", tok=self.other_access_token)
230	236	first_event_in_room2 = response["event_id"]
231	237
232		request, channel = self.make_request(
	238	request, channel = make_request(
	239	self.reactor,
	240	sync_hs_site,
233	241	"GET",
234	242	"/sync?since={}".format(vector_clock_token),
235	243	access_token=access_token,
236	244	)
237		self.render_on_worker(sync_hs, request)
238	245
239	246	self.assertNotIn(room_id1, channel.json_body["rooms"]["join"])
240	247	self.assertIn(room_id2, channel.json_body["rooms"]["join"])

253	260	self.helper.send(room_id1, body="Hi again!", tok=self.other_access_token)
254	261	self.helper.send(room_id2, body="Hi again!", tok=self.other_access_token)
255	262
256		request, channel = self.make_request(
257		"GET", "/sync?since={}".format(next_batch), access_token=access_token
258		)
259		self.render_on_worker(sync_hs, request)
	263	request, channel = make_request(
	264	self.reactor,
	265	sync_hs_site,
	266	"GET",
	267	"/sync?since={}".format(next_batch),
	268	access_token=access_token,
	269	)
260	270
261	271	prev_batch1 = channel.json_body["rooms"]["join"][room_id1]["timeline"][
262	272	"prev_batch"

268	278	# Paginating back in the first room should not produce any results, as
269	279	# no events have happened in it. This tests that we are correctly
270	280	# filtering results based on the vector clock portion.
271		request, channel = self.make_request(
	281	request, channel = make_request(
	282	self.reactor,
	283	sync_hs_site,
272	284	"GET",
273	285	"/rooms/{}/messages?from={}&to={}&dir=b".format(
274	286	room_id1, prev_batch1, vector_clock_token
275	287	),
276	288	access_token=access_token,
277	289	)
278		self.render_on_worker(sync_hs, request)
279	290	self.assertListEqual([], channel.json_body["chunk"])
280	291
281	292	# Paginating back on the second room should produce the first event
282	293	# again. This tests that pagination isn't completely broken.
283		request, channel = self.make_request(
	294	request, channel = make_request(
	295	self.reactor,
	296	sync_hs_site,
284	297	"GET",
285	298	"/rooms/{}/messages?from={}&to={}&dir=b".format(
286	299	room_id2, prev_batch2, vector_clock_token
287	300	),
288	301	access_token=access_token,
289	302	)
290		self.render_on_worker(sync_hs, request)
291	303	self.assertEqual(len(channel.json_body["chunk"]), 1)
292	304	self.assertEqual(
293	305	channel.json_body["chunk"][0]["event_id"], first_event_in_room2
294	306	)
295	307
296	308	# Paginating forwards should give the same results
297		request, channel = self.make_request(
	309	request, channel = make_request(
	310	self.reactor,
	311	sync_hs_site,
298	312	"GET",
299	313	"/rooms/{}/messages?from={}&to={}&dir=f".format(
300	314	room_id1, vector_clock_token, prev_batch1
301	315	),
302	316	access_token=access_token,
303	317	)
304		self.render_on_worker(sync_hs, request)
305	318	self.assertListEqual([], channel.json_body["chunk"])
306	319
307		request, channel = self.make_request(
	320	request, channel = make_request(
	321	self.reactor,
	322	sync_hs_site,
308	323	"GET",
309	324	"/rooms/{}/messages?from={}&to={}&dir=f".format(
310	325	room_id2, vector_clock_token, prev_batch2,
311	326	),
312	327	access_token=access_token,
313	328	)
314		self.render_on_worker(sync_hs, request)
315	329	self.assertEqual(len(channel.json_body["chunk"]), 1)
316	330	self.assertEqual(
317	331	channel.json_body["chunk"][0]["event_id"], first_event_in_room2

+17

-26

tests/rest/admin/test_admin.py less more

29	29	from synapse.rest.client.v2_alpha import groups
30	30
31	31	from tests import unittest
	32	from tests.server import FakeSite, make_request
32	33
33	34
34	35	class VersionTestCase(unittest.HomeserverTestCase):
35	36	url = "/_synapse/admin/v1/server_version"
36	37
37		def create_test_json_resource(self):
	38	def create_test_resource(self):
38	39	resource = JsonResource(self.hs)
39	40	VersionServlet(self.hs).register(resource)
40	41	return resource
41	42
42	43	def test_version_string(self):
43	44	request, channel = self.make_request("GET", self.url, shorthand=False)
44		self.render(request)
45	45
46	46	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
47	47	self.assertEqual(

74	74	content={"localpart": "test"},
75	75	)
76	76
77		self.render(request)
78	77	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
79	78
80	79	group_id = channel.json_body["group_id"]

87	86	request, channel = self.make_request(
88	87	"PUT", url.encode("ascii"), access_token=self.admin_user_tok, content={}
89	88	)
90		self.render(request)
91	89	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
92	90
93	91	url = "/groups/%s/self/accept_invite" % (group_id,)
94	92	request, channel = self.make_request(
95	93	"PUT", url.encode("ascii"), access_token=self.other_user_token, content={}
96	94	)
97		self.render(request)
98	95	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
99	96
100	97	# Check other user knows they're in the group

102	99	self.assertIn(group_id, self._get_groups_user_is_in(self.other_user_token))
103	100
104	101	# Now delete the group
105		url = "/admin/delete_group/" + group_id
	102	url = "/_synapse/admin/v1/delete_group/" + group_id
106	103	request, channel = self.make_request(
107	104	"POST",
108	105	url.encode("ascii"),

110	107	content={"localpart": "test"},
111	108	)
112	109
113		self.render(request)
114	110	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
115	111
116	112	# Check group returns 404

130	126	"GET", url.encode("ascii"), access_token=self.admin_user_tok
131	127	)
132	128
133		self.render(request)
134	129	self.assertEqual(
135	130	expect_code, int(channel.result["code"]), msg=channel.result["body"]
136	131	)

142	137	"GET", "/joined_groups".encode("ascii"), access_token=access_token
143	138	)
144	139
145		self.render(request)
146	140	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
147	141
148	142	return channel.json_body["groups"]

221	215
222	216	def _ensure_quarantined(self, admin_user_tok, server_and_media_id):
223	217	"""Ensure a piece of media is quarantined when trying to access it."""
224		request, channel = self.make_request(
225		"GET", server_and_media_id, shorthand=False, access_token=admin_user_tok,
226		)
227		request.render(self.download_resource)
228		self.pump(1.0)
	218	request, channel = make_request(
	219	self.reactor,
	220	FakeSite(self.download_resource),
	221	"GET",
	222	server_and_media_id,
	223	shorthand=False,
	224	access_token=admin_user_tok,
	225	)
229	226
230	227	# Should be quarantined
231	228	self.assertEqual(

246	243	request, channel = self.make_request(
247	244	"POST", url.encode("ascii"), access_token=non_admin_user_tok,
248	245	)
249		self.render(request)
250	246
251	247	# Expect a forbidden error
252	248	self.assertEqual(

260	256	request, channel = self.make_request(
261	257	"POST", url.encode("ascii"), access_token=non_admin_user_tok,
262	258	)
263		self.render(request)
264	259
265	260	# Expect a forbidden error
266	261	self.assertEqual(

286	281	server_name, media_id = server_name_and_media_id.split("/")
287	282
288	283	# Attempt to access the media
289		request, channel = self.make_request(
	284	request, channel = make_request(
	285	self.reactor,
	286	FakeSite(self.download_resource),
290	287	"GET",
291	288	server_name_and_media_id,
292	289	shorthand=False,
293	290	access_token=non_admin_user_tok,
294	291	)
295		request.render(self.download_resource)
296		self.pump(1.0)
297	292
298	293	# Should be successful
299	294	self.assertEqual(200, int(channel.code), msg=channel.result["body"])

304	299	urllib.parse.quote(media_id),
305	300	)
306	301	request, channel = self.make_request("POST", url, access_token=admin_user_tok,)
307		self.render(request)
308	302	self.pump(1.0)
309	303	self.assertEqual(200, int(channel.code), msg=channel.result["body"])
310	304

357	351	room_id
358	352	)
359	353	request, channel = self.make_request("POST", url, access_token=admin_user_tok,)
360		self.render(request)
361	354	self.pump(1.0)
362	355	self.assertEqual(200, int(channel.code), msg=channel.result["body"])
363	356	self.assertEqual(

404	397	request, channel = self.make_request(
405	398	"POST", url.encode("ascii"), access_token=admin_user_tok,
406	399	)
407		self.render(request)
408	400	self.pump(1.0)
409	401	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
410	402	self.assertEqual(

447	439	request, channel = self.make_request(
448	440	"POST", url.encode("ascii"), access_token=admin_user_tok,
449	441	)
450		self.render(request)
451	442	self.pump(1.0)
452	443	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
453	444	self.assertEqual(

461	452	self._ensure_quarantined(admin_user_tok, server_and_media_id_1)
462	453
463	454	# Attempt to access each piece of media
464		request, channel = self.make_request(
	455	request, channel = make_request(
	456	self.reactor,
	457	FakeSite(self.download_resource),
465	458	"GET",
466	459	server_and_media_id_2,
467	460	shorthand=False,
468	461	access_token=non_admin_user_tok,
469	462	)
470		request.render(self.download_resource)
471		self.pump(1.0)
472	463
473	464	# Shouldn't be quarantined
474	465	self.assertEqual(

+0

-35

tests/rest/admin/test_device.py less more

50	50	Try to get a device of an user without authentication.
51	51	"""
52	52	request, channel = self.make_request("GET", self.url, b"{}")
53		self.render(request)
54	53
55	54	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
56	55	self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])
57	56
58	57	request, channel = self.make_request("PUT", self.url, b"{}")
59		self.render(request)
60	58
61	59	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
62	60	self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])
63	61
64	62	request, channel = self.make_request("DELETE", self.url, b"{}")
65		self.render(request)
66	63
67	64	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
68	65	self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])

74	71	request, channel = self.make_request(
75	72	"GET", self.url, access_token=self.other_user_token,
76	73	)
77		self.render(request)
78	74
79	75	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
80	76	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

82	78	request, channel = self.make_request(
83	79	"PUT", self.url, access_token=self.other_user_token,
84	80	)
85		self.render(request)
86	81
87	82	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
88	83	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

90	85	request, channel = self.make_request(
91	86	"DELETE", self.url, access_token=self.other_user_token,
92	87	)
93		self.render(request)
94	88
95	89	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
96	90	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

107	101	request, channel = self.make_request(
108	102	"GET", url, access_token=self.admin_user_tok,
109	103	)
110		self.render(request)
111	104
112	105	self.assertEqual(404, channel.code, msg=channel.json_body)
113	106	self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])

115	108	request, channel = self.make_request(
116	109	"PUT", url, access_token=self.admin_user_tok,
117	110	)
118		self.render(request)
119	111
120	112	self.assertEqual(404, channel.code, msg=channel.json_body)
121	113	self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])

123	115	request, channel = self.make_request(
124	116	"DELETE", url, access_token=self.admin_user_tok,
125	117	)
126		self.render(request)
127	118
128	119	self.assertEqual(404, channel.code, msg=channel.json_body)
129	120	self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])

140	131	request, channel = self.make_request(
141	132	"GET", url, access_token=self.admin_user_tok,
142	133	)
143		self.render(request)
144	134
145	135	self.assertEqual(400, channel.code, msg=channel.json_body)
146	136	self.assertEqual("Can only lookup local users", channel.json_body["error"])

148	138	request, channel = self.make_request(
149	139	"PUT", url, access_token=self.admin_user_tok,
150	140	)
151		self.render(request)
152	141
153	142	self.assertEqual(400, channel.code, msg=channel.json_body)
154	143	self.assertEqual("Can only lookup local users", channel.json_body["error"])

156	145	request, channel = self.make_request(
157	146	"DELETE", url, access_token=self.admin_user_tok,
158	147	)
159		self.render(request)
160	148
161	149	self.assertEqual(400, channel.code, msg=channel.json_body)
162	150	self.assertEqual("Can only lookup local users", channel.json_body["error"])

172	160	request, channel = self.make_request(
173	161	"GET", url, access_token=self.admin_user_tok,
174	162	)
175		self.render(request)
176	163
177	164	self.assertEqual(404, channel.code, msg=channel.json_body)
178	165	self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])

180	167	request, channel = self.make_request(
181	168	"PUT", url, access_token=self.admin_user_tok,
182	169	)
183		self.render(request)
184	170
185	171	self.assertEqual(200, channel.code, msg=channel.json_body)
186	172
187	173	request, channel = self.make_request(
188	174	"DELETE", url, access_token=self.admin_user_tok,
189	175	)
190		self.render(request)
191	176
192	177	# Delete unknown device returns status 200
193	178	self.assertEqual(200, channel.code, msg=channel.json_body)

217	202	access_token=self.admin_user_tok,
218	203	content=body.encode(encoding="utf_8"),
219	204	)
220		self.render(request)
221	205
222	206	self.assertEqual(400, channel.code, msg=channel.json_body)
223	207	self.assertEqual(Codes.TOO_LARGE, channel.json_body["errcode"])

226	210	request, channel = self.make_request(
227	211	"GET", self.url, access_token=self.admin_user_tok,
228	212	)
229		self.render(request)
230	213
231	214	self.assertEqual(200, channel.code, msg=channel.json_body)
232	215	self.assertEqual("new display", channel.json_body["display_name"])

246	229	request, channel = self.make_request(
247	230	"PUT", self.url, access_token=self.admin_user_tok,
248	231	)
249		self.render(request)
250	232
251	233	self.assertEqual(200, channel.code, msg=channel.json_body)
252	234

254	236	request, channel = self.make_request(
255	237	"GET", self.url, access_token=self.admin_user_tok,
256	238	)
257		self.render(request)
258	239
259	240	self.assertEqual(200, channel.code, msg=channel.json_body)
260	241	self.assertEqual("new display", channel.json_body["display_name"])

271	252	access_token=self.admin_user_tok,
272	253	content=body.encode(encoding="utf_8"),
273	254	)
274		self.render(request)
275	255
276	256	self.assertEqual(200, channel.code, msg=channel.json_body)
277	257

279	259	request, channel = self.make_request(
280	260	"GET", self.url, access_token=self.admin_user_tok,
281	261	)
282		self.render(request)
283	262
284	263	self.assertEqual(200, channel.code, msg=channel.json_body)
285	264	self.assertEqual("new displayname", channel.json_body["display_name"])

291	270	request, channel = self.make_request(
292	271	"GET", self.url, access_token=self.admin_user_tok,
293	272	)
294		self.render(request)
295	273
296	274	self.assertEqual(200, channel.code, msg=channel.json_body)
297	275	self.assertEqual(self.other_user, channel.json_body["user_id"])

315	293	request, channel = self.make_request(
316	294	"DELETE", self.url, access_token=self.admin_user_tok,
317	295	)
318		self.render(request)
319	296
320	297	self.assertEqual(200, channel.code, msg=channel.json_body)
321	298

346	323	Try to list devices of an user without authentication.
347	324	"""
348	325	request, channel = self.make_request("GET", self.url, b"{}")
349		self.render(request)
350	326
351	327	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
352	328	self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])

360	336	request, channel = self.make_request(
361	337	"GET", self.url, access_token=other_user_token,
362	338	)
363		self.render(request)
364	339
365	340	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
366	341	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

373	348	request, channel = self.make_request(
374	349	"GET", url, access_token=self.admin_user_tok,
375	350	)
376		self.render(request)
377	351
378	352	self.assertEqual(404, channel.code, msg=channel.json_body)
379	353	self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])

387	361	request, channel = self.make_request(
388	362	"GET", url, access_token=self.admin_user_tok,
389	363	)
390		self.render(request)
391	364
392	365	self.assertEqual(400, channel.code, msg=channel.json_body)
393	366	self.assertEqual("Can only lookup local users", channel.json_body["error"])

402	375	request, channel = self.make_request(
403	376	"GET", self.url, access_token=self.admin_user_tok,
404	377	)
405		self.render(request)
406	378
407	379	self.assertEqual(200, channel.code, msg=channel.json_body)
408	380	self.assertEqual(0, channel.json_body["total"])

421	393	request, channel = self.make_request(
422	394	"GET", self.url, access_token=self.admin_user_tok,
423	395	)
424		self.render(request)
425	396
426	397	self.assertEqual(200, channel.code, msg=channel.json_body)
427	398	self.assertEqual(number_devices, channel.json_body["total"])

460	431	Try to delete devices of an user without authentication.
461	432	"""
462	433	request, channel = self.make_request("POST", self.url, b"{}")
463		self.render(request)
464	434
465	435	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
466	436	self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])

474	444	request, channel = self.make_request(
475	445	"POST", self.url, access_token=other_user_token,
476	446	)
477		self.render(request)
478	447
479	448	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
480	449	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

487	456	request, channel = self.make_request(
488	457	"POST", url, access_token=self.admin_user_tok,
489	458	)
490		self.render(request)
491	459
492	460	self.assertEqual(404, channel.code, msg=channel.json_body)
493	461	self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])

501	469	request, channel = self.make_request(
502	470	"POST", url, access_token=self.admin_user_tok,
503	471	)
504		self.render(request)
505	472
506	473	self.assertEqual(400, channel.code, msg=channel.json_body)
507	474	self.assertEqual("Can only lookup local users", channel.json_body["error"])

517	484	access_token=self.admin_user_tok,
518	485	content=body.encode(encoding="utf_8"),
519	486	)
520		self.render(request)
521	487
522	488	# Delete unknown devices returns status 200
523	489	self.assertEqual(200, channel.code, msg=channel.json_body)

549	515	access_token=self.admin_user_tok,
550	516	content=body.encode(encoding="utf_8"),
551	517	)
552		self.render(request)
553	518
554	519	self.assertEqual(200, channel.code, msg=channel.json_body)
555	520

+0

-27

tests/rest/admin/test_event_reports.py less more

74	74	Try to get an event report without authentication.
75	75	"""
76	76	request, channel = self.make_request("GET", self.url, b"{}")
77		self.render(request)
78	77
79	78	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
80	79	self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])

87	86	request, channel = self.make_request(
88	87	"GET", self.url, access_token=self.other_user_tok,
89	88	)
90		self.render(request)
91	89
92	90	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
93	91	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

100	98	request, channel = self.make_request(
101	99	"GET", self.url, access_token=self.admin_user_tok,
102	100	)
103		self.render(request)
104	101
105	102	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
106	103	self.assertEqual(channel.json_body["total"], 20)

116	113	request, channel = self.make_request(
117	114	"GET", self.url + "?limit=5", access_token=self.admin_user_tok,
118	115	)
119		self.render(request)
120	116
121	117	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
122	118	self.assertEqual(channel.json_body["total"], 20)

132	128	request, channel = self.make_request(
133	129	"GET", self.url + "?from=5", access_token=self.admin_user_tok,
134	130	)
135		self.render(request)
136	131
137	132	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
138	133	self.assertEqual(channel.json_body["total"], 20)

148	143	request, channel = self.make_request(
149	144	"GET", self.url + "?from=5&limit=10", access_token=self.admin_user_tok,
150	145	)
151		self.render(request)
152	146
153	147	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
154	148	self.assertEqual(channel.json_body["total"], 20)

166	160	self.url + "?room_id=%s" % self.room_id1,
167	161	access_token=self.admin_user_tok,
168	162	)
169		self.render(request)
170	163
171	164	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
172	165	self.assertEqual(channel.json_body["total"], 10)

187	180	self.url + "?user_id=%s" % self.other_user,
188	181	access_token=self.admin_user_tok,
189	182	)
190		self.render(request)
191	183
192	184	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
193	185	self.assertEqual(channel.json_body["total"], 10)

208	200	self.url + "?user_id=%s&room_id=%s" % (self.other_user, self.room_id1),
209	201	access_token=self.admin_user_tok,
210	202	)
211		self.render(request)
212	203
213	204	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
214	205	self.assertEqual(channel.json_body["total"], 5)

229	220	request, channel = self.make_request(
230	221	"GET", self.url + "?dir=b", access_token=self.admin_user_tok,
231	222	)
232		self.render(request)
233	223
234	224	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
235	225	self.assertEqual(channel.json_body["total"], 20)

246	236	request, channel = self.make_request(
247	237	"GET", self.url + "?dir=f", access_token=self.admin_user_tok,
248	238	)
249		self.render(request)
250	239
251	240	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
252	241	self.assertEqual(channel.json_body["total"], 20)

267	256	request, channel = self.make_request(
268	257	"GET", self.url + "?dir=bar", access_token=self.admin_user_tok,
269	258	)
270		self.render(request)
271	259
272	260	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
273	261	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

281	269	request, channel = self.make_request(
282	270	"GET", self.url + "?limit=-5", access_token=self.admin_user_tok,
283	271	)
284		self.render(request)
285	272
286	273	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
287	274	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

294	281	request, channel = self.make_request(
295	282	"GET", self.url + "?from=-5", access_token=self.admin_user_tok,
296	283	)
297		self.render(request)
298	284
299	285	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
300	286	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

309	295	request, channel = self.make_request(
310	296	"GET", self.url + "?limit=20", access_token=self.admin_user_tok,
311	297	)
312		self.render(request)
313	298
314	299	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
315	300	self.assertEqual(channel.json_body["total"], 20)

321	306	request, channel = self.make_request(
322	307	"GET", self.url + "?limit=21", access_token=self.admin_user_tok,
323	308	)
324		self.render(request)
325	309
326	310	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
327	311	self.assertEqual(channel.json_body["total"], 20)

333	317	request, channel = self.make_request(
334	318	"GET", self.url + "?limit=19", access_token=self.admin_user_tok,
335	319	)
336		self.render(request)
337	320
338	321	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
339	322	self.assertEqual(channel.json_body["total"], 20)

346	329	request, channel = self.make_request(
347	330	"GET", self.url + "?from=19", access_token=self.admin_user_tok,
348	331	)
349		self.render(request)
350	332
351	333	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
352	334	self.assertEqual(channel.json_body["total"], 20)

365	347	json.dumps({"score": -100, "reason": "this makes me sad"}),
366	348	access_token=user_tok,
367	349	)
368		self.render(request)
369	350	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
370	351
371	352	def _check_fields(self, content):

418	399	Try to get event report without authentication.
419	400	"""
420	401	request, channel = self.make_request("GET", self.url, b"{}")
421		self.render(request)
422	402
423	403	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
424	404	self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])

431	411	request, channel = self.make_request(
432	412	"GET", self.url, access_token=self.other_user_tok,
433	413	)
434		self.render(request)
435	414
436	415	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
437	416	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

444	423	request, channel = self.make_request(
445	424	"GET", self.url, access_token=self.admin_user_tok,
446	425	)
447		self.render(request)
448	426
449	427	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
450	428	self._check_fields(channel.json_body)

460	438	"/_synapse/admin/v1/event_reports/-123",
461	439	access_token=self.admin_user_tok,
462	440	)
463		self.render(request)
464	441
465	442	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
466	443	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

475	452	"/_synapse/admin/v1/event_reports/abcdef",
476	453	access_token=self.admin_user_tok,
477	454	)
478		self.render(request)
479	455
480	456	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
481	457	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

490	466	"/_synapse/admin/v1/event_reports/",
491	467	access_token=self.admin_user_tok,
492	468	)
493		self.render(request)
494	469
495	470	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
496	471	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

509	484	"/_synapse/admin/v1/event_reports/123",
510	485	access_token=self.admin_user_tok,
511	486	)
512		self.render(request)
513	487
514	488	self.assertEqual(404, int(channel.result["code"]), msg=channel.result["body"])
515	489	self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])

527	501	json.dumps({"score": -100, "reason": "this makes me sad"}),
528	502	access_token=user_tok,
529	503	)
530		self.render(request)
531	504	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
532	505
533	506	def _check_fields(self, content):

+10

-33

tests/rest/admin/test_media.py less more

22	22	from synapse.rest.media.v1.filepath import MediaFilePaths
23	23
24	24	from tests import unittest
	25	from tests.server import FakeSite, make_request
25	26
26	27
27	28	class DeleteMediaByIDTestCase(unittest.HomeserverTestCase):

49	50	url = "/_synapse/admin/v1/media/%s/%s" % (self.server_name, "12345")
50	51
51	52	request, channel = self.make_request("DELETE", url, b"{}")
52		self.render(request)
53	53
54	54	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
55	55	self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])

66	66	request, channel = self.make_request(
67	67	"DELETE", url, access_token=self.other_user_token,
68	68	)
69		self.render(request)
70	69
71	70	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
72	71	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

80	79	request, channel = self.make_request(
81	80	"DELETE", url, access_token=self.admin_user_tok,
82	81	)
83		self.render(request)
84	82
85	83	self.assertEqual(404, channel.code, msg=channel.json_body)
86	84	self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])

94	92	request, channel = self.make_request(
95	93	"DELETE", url, access_token=self.admin_user_tok,
96	94	)
97		self.render(request)
98	95
99	96	self.assertEqual(400, channel.code, msg=channel.json_body)
100	97	self.assertEqual("Can only delete local media", channel.json_body["error"])

123	120	self.assertEqual(server_name, self.server_name)
124	121
125	122	# Attempt to access media
126		request, channel = self.make_request(
	123	request, channel = make_request(
	124	self.reactor,
	125	FakeSite(download_resource),
127	126	"GET",
128	127	server_and_media_id,
129	128	shorthand=False,
130	129	access_token=self.admin_user_tok,
131	130	)
132		request.render(download_resource)
133		self.pump(1.0)
134	131
135	132	# Should be successful
136	133	self.assertEqual(

151	148	request, channel = self.make_request(
152	149	"DELETE", url, access_token=self.admin_user_tok,
153	150	)
154		self.render(request)
155	151
156	152	self.assertEqual(200, channel.code, msg=channel.json_body)
157	153	self.assertEqual(1, channel.json_body["total"])

160	156	)
161	157
162	158	# Attempt to access media
163		request, channel = self.make_request(
	159	request, channel = make_request(
	160	self.reactor,
	161	FakeSite(download_resource),
164	162	"GET",
165	163	server_and_media_id,
166	164	shorthand=False,
167	165	access_token=self.admin_user_tok,
168	166	)
169		request.render(download_resource)
170		self.pump(1.0)
171	167	self.assertEqual(
172	168	404,
173	169	channel.code,

195	191	self.handler = hs.get_device_handler()
196	192	self.media_repo = hs.get_media_repository_resource()
197	193	self.server_name = hs.hostname
198		self.clock = hs.clock
199	194
200	195	self.admin_user = self.register_user("admin", "pass", admin=True)
201	196	self.admin_user_tok = self.login("admin", "pass")

209	204	"""
210	205
211	206	request, channel = self.make_request("POST", self.url, b"{}")
212		self.render(request)
213	207
214	208	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
215	209	self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])

224	218	request, channel = self.make_request(
225	219	"POST", self.url, access_token=self.other_user_token,
226	220	)
227		self.render(request)
228	221
229	222	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
230	223	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

238	231	request, channel = self.make_request(
239	232	"POST", url + "?before_ts=1234", access_token=self.admin_user_tok,
240	233	)
241		self.render(request)
242	234
243	235	self.assertEqual(400, channel.code, msg=channel.json_body)
244	236	self.assertEqual("Can only delete local media", channel.json_body["error"])

250	242	request, channel = self.make_request(
251	243	"POST", self.url, access_token=self.admin_user_tok,
252	244	)
253		self.render(request)
254	245
255	246	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
256	247	self.assertEqual(Codes.MISSING_PARAM, channel.json_body["errcode"])

265	256	request, channel = self.make_request(
266	257	"POST", self.url + "?before_ts=-1234", access_token=self.admin_user_tok,
267	258	)
268		self.render(request)
269	259
270	260	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
271	261	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

279	269	self.url + "?before_ts=1234&size_gt=-1234",
280	270	access_token=self.admin_user_tok,
281	271	)
282		self.render(request)
283	272
284	273	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
285	274	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

293	282	self.url + "?before_ts=1234&keep_profiles=not_bool",
294	283	access_token=self.admin_user_tok,
295	284	)
296		self.render(request)
297	285
298	286	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
299	287	self.assertEqual(Codes.UNKNOWN, channel.json_body["errcode"])

324	312	self.url + "?before_ts=" + str(now_ms),
325	313	access_token=self.admin_user_tok,
326	314	)
327		self.render(request)
328	315	self.assertEqual(200, channel.code, msg=channel.json_body)
329	316	self.assertEqual(1, channel.json_body["total"])
330	317	self.assertEqual(

349	336	self.url + "?before_ts=" + str(now_ms),
350	337	access_token=self.admin_user_tok,
351	338	)
352		self.render(request)
353	339	self.assertEqual(200, channel.code, msg=channel.json_body)
354	340	self.assertEqual(0, channel.json_body["total"])
355	341

362	348	self.url + "?before_ts=" + str(now_ms),
363	349	access_token=self.admin_user_tok,
364	350	)
365		self.render(request)
366	351	self.assertEqual(200, channel.code, msg=channel.json_body)
367	352	self.assertEqual(1, channel.json_body["total"])
368	353	self.assertEqual(

386	371	self.url + "?before_ts=" + str(now_ms) + "&size_gt=67",
387	372	access_token=self.admin_user_tok,
388	373	)
389		self.render(request)
390	374	self.assertEqual(200, channel.code, msg=channel.json_body)
391	375	self.assertEqual(0, channel.json_body["total"])
392	376

398	382	self.url + "?before_ts=" + str(now_ms) + "&size_gt=66",
399	383	access_token=self.admin_user_tok,
400	384	)
401		self.render(request)
402	385	self.assertEqual(200, channel.code, msg=channel.json_body)
403	386	self.assertEqual(1, channel.json_body["total"])
404	387	self.assertEqual(

423	406	content=json.dumps({"avatar_url": "mxc://%s" % (server_and_media_id,)}),
424	407	access_token=self.admin_user_tok,
425	408	)
426		self.render(request)
427	409	self.assertEqual(200, channel.code, msg=channel.json_body)
428	410
429	411	now_ms = self.clock.time_msec()

432	414	self.url + "?before_ts=" + str(now_ms) + "&keep_profiles=true",
433	415	access_token=self.admin_user_tok,
434	416	)
435		self.render(request)
436	417	self.assertEqual(200, channel.code, msg=channel.json_body)
437	418	self.assertEqual(0, channel.json_body["total"])
438	419

444	425	self.url + "?before_ts=" + str(now_ms) + "&keep_profiles=false",
445	426	access_token=self.admin_user_tok,
446	427	)
447		self.render(request)
448	428	self.assertEqual(200, channel.code, msg=channel.json_body)
449	429	self.assertEqual(1, channel.json_body["total"])
450	430	self.assertEqual(

470	450	content=json.dumps({"url": "mxc://%s" % (server_and_media_id,)}),
471	451	access_token=self.admin_user_tok,
472	452	)
473		self.render(request)
474	453	self.assertEqual(200, channel.code, msg=channel.json_body)
475	454
476	455	now_ms = self.clock.time_msec()

479	458	self.url + "?before_ts=" + str(now_ms) + "&keep_profiles=true",
480	459	access_token=self.admin_user_tok,
481	460	)
482		self.render(request)
483	461	self.assertEqual(200, channel.code, msg=channel.json_body)
484	462	self.assertEqual(0, channel.json_body["total"])
485	463

491	469	self.url + "?before_ts=" + str(now_ms) + "&keep_profiles=false",
492	470	access_token=self.admin_user_tok,
493	471	)
494		self.render(request)
495	472	self.assertEqual(200, channel.code, msg=channel.json_body)
496	473	self.assertEqual(1, channel.json_body["total"])
497	474	self.assertEqual(

534	511	media_id = server_and_media_id.split("/")[1]
535	512	local_path = self.filepaths.local_media_filepath(media_id)
536	513
537		request, channel = self.make_request(
	514	request, channel = make_request(
	515	self.reactor,
	516	FakeSite(download_resource),
538	517	"GET",
539	518	server_and_media_id,
540	519	shorthand=False,
541	520	access_token=self.admin_user_tok,
542	521	)
543		request.render(download_resource)
544		self.pump(1.0)
545	522
546	523	if expect_success:
547	524	self.assertEqual(

+2

-48

tests/rest/admin/test_room.py less more

77	77	)
78	78
79	79	# Test that the admin can still send shutdown
80		url = "admin/shutdown_room/" + room_id
	80	url = "/_synapse/admin/v1/shutdown_room/" + room_id
81	81	request, channel = self.make_request(
82	82	"POST",
83	83	url.encode("ascii"),
84	84	json.dumps({"new_room_user_id": self.admin_user}),
85	85	access_token=self.admin_user_tok,
86	86	)
87		self.render(request)
88	87
89	88	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
90	89

109	108	json.dumps({"history_visibility": "world_readable"}),
110	109	access_token=self.other_user_token,
111	110	)
112		self.render(request)
113	111	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
114	112
115	113	# Test that the admin can still send shutdown
116		url = "admin/shutdown_room/" + room_id
	114	url = "/_synapse/admin/v1/shutdown_room/" + room_id
117	115	request, channel = self.make_request(
118	116	"POST",
119	117	url.encode("ascii"),
120	118	json.dumps({"new_room_user_id": self.admin_user}),
121	119	access_token=self.admin_user_tok,
122	120	)
123		self.render(request)
124	121
125	122	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
126	123

135	132	request, channel = self.make_request(
136	133	"GET", url.encode("ascii"), access_token=self.admin_user_tok
137	134	)
138		self.render(request)
139	135	self.assertEqual(
140	136	expect_code, int(channel.result["code"]), msg=channel.result["body"]
141	137	)

144	140	request, channel = self.make_request(
145	141	"GET", url.encode("ascii"), access_token=self.admin_user_tok
146	142	)
147		self.render(request)
148	143	self.assertEqual(
149	144	expect_code, int(channel.result["code"]), msg=channel.result["body"]
150	145	)

191	186	request, channel = self.make_request(
192	187	"POST", self.url, json.dumps({}), access_token=self.other_user_tok,
193	188	)
194		self.render(request)
195	189
196	190	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
197	191	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

205	199	request, channel = self.make_request(
206	200	"POST", url, json.dumps({}), access_token=self.admin_user_tok,
207	201	)
208		self.render(request)
209	202
210	203	self.assertEqual(404, int(channel.result["code"]), msg=channel.result["body"])
211	204	self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])

219	212	request, channel = self.make_request(
220	213	"POST", url, json.dumps({}), access_token=self.admin_user_tok,
221	214	)
222		self.render(request)
223	215
224	216	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
225	217	self.assertEqual(

238	230	content=body.encode(encoding="utf_8"),
239	231	access_token=self.admin_user_tok,
240	232	)
241		self.render(request)
242	233
243	234	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
244	235	self.assertIn("new_room_id", channel.json_body)

258	249	content=body.encode(encoding="utf_8"),
259	250	access_token=self.admin_user_tok,
260	251	)
261		self.render(request)
262	252
263	253	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
264	254	self.assertEqual(

277	267	content=body.encode(encoding="utf_8"),
278	268	access_token=self.admin_user_tok,
279	269	)
280		self.render(request)
281	270
282	271	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
283	272	self.assertEqual(Codes.BAD_JSON, channel.json_body["errcode"])

294	283	content=body.encode(encoding="utf_8"),
295	284	access_token=self.admin_user_tok,
296	285	)
297		self.render(request)
298	286
299	287	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
300	288	self.assertEqual(Codes.BAD_JSON, channel.json_body["errcode"])

321	309	content=body.encode(encoding="utf_8"),
322	310	access_token=self.admin_user_tok,
323	311	)
324		self.render(request)
325	312
326	313	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
327	314	self.assertEqual(None, channel.json_body["new_room_id"])

355	342	content=body.encode(encoding="utf_8"),
356	343	access_token=self.admin_user_tok,
357	344	)
358		self.render(request)
359	345
360	346	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
361	347	self.assertEqual(None, channel.json_body["new_room_id"])

390	376	content=body.encode(encoding="utf_8"),
391	377	access_token=self.admin_user_tok,
392	378	)
393		self.render(request)
394	379
395	380	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
396	381	self.assertEqual(None, channel.json_body["new_room_id"])

438	423	json.dumps({"new_room_user_id": self.admin_user}),
439	424	access_token=self.admin_user_tok,
440	425	)
441		self.render(request)
442	426
443	427	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
444	428	self.assertEqual(self.other_user, channel.json_body["kicked_users"][0])

469	453	json.dumps({"history_visibility": "world_readable"}),
470	454	access_token=self.other_user_tok,
471	455	)
472		self.render(request)
473	456	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
474	457
475	458	# Test that room is not purged

487	470	json.dumps({"new_room_user_id": self.admin_user}),
488	471	access_token=self.admin_user_tok,
489	472	)
490		self.render(request)
491	473
492	474	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
493	475	self.assertEqual(self.other_user, channel.json_body["kicked_users"][0])

550	532	request, channel = self.make_request(
551	533	"GET", url.encode("ascii"), access_token=self.admin_user_tok
552	534	)
553		self.render(request)
554	535	self.assertEqual(
555	536	expect_code, int(channel.result["code"]), msg=channel.result["body"]
556	537	)

559	540	request, channel = self.make_request(
560	541	"GET", url.encode("ascii"), access_token=self.admin_user_tok
561	542	)
562		self.render(request)
563	543	self.assertEqual(
564	544	expect_code, int(channel.result["code"]), msg=channel.result["body"]
565	545	)

594	574	{"room_id": room_id},
595	575	access_token=self.admin_user_tok,
596	576	)
597		self.render(request)
598	577
599	578	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
600	579

646	625	request, channel = self.make_request(
647	626	"GET", url.encode("ascii"), access_token=self.admin_user_tok,
648	627	)
649		self.render(request)
650	628
651	629	# Check request completed successfully
652	630	self.assertEqual(200, int(channel.code), msg=channel.json_body)

728	706	request, channel = self.make_request(
729	707	"GET", url.encode("ascii"), access_token=self.admin_user_tok,
730	708	)
731		self.render(request)
732	709	self.assertEqual(
733	710	200, int(channel.result["code"]), msg=channel.result["body"]
734	711	)

769	746	request, channel = self.make_request(
770	747	"GET", url.encode("ascii"), access_token=self.admin_user_tok,
771	748	)
772		self.render(request)
773	749	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
774	750
775	751	def test_correct_room_attributes(self):

793	769	{"room_id": room_id},
794	770	access_token=self.admin_user_tok,
795	771	)
796		self.render(request)
797	772	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
798	773
799	774	# Set this new alias as the canonical alias for this room

821	796	request, channel = self.make_request(
822	797	"GET", url.encode("ascii"), access_token=self.admin_user_tok,
823	798	)
824		self.render(request)
825	799	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
826	800
827	801	# Check that rooms were returned

866	840	{"room_id": room_id},
867	841	access_token=admin_user_tok,
868	842	)
869		self.render(request)
870	843	self.assertEqual(
871	844	200, int(channel.result["code"]), msg=channel.result["body"]
872	845	)

904	877	request, channel = self.make_request(
905	878	"GET", url.encode("ascii"), access_token=self.admin_user_tok,
906	879	)
907		self.render(request)
908	880	self.assertEqual(200, channel.code, msg=channel.json_body)
909	881
910	882	# Check that rooms were returned

1041	1013	request, channel = self.make_request(
1042	1014	"GET", url.encode("ascii"), access_token=self.admin_user_tok,
1043	1015	)
1044		self.render(request)
1045	1016	self.assertEqual(expected_http_code, channel.code, msg=channel.json_body)
1046	1017
1047	1018	if expected_http_code != 200:

1103	1074	request, channel = self.make_request(
1104	1075	"GET", url.encode("ascii"), access_token=self.admin_user_tok,
1105	1076	)
1106		self.render(request)
1107	1077	self.assertEqual(200, channel.code, msg=channel.json_body)
1108	1078
1109	1079	self.assertIn("room_id", channel.json_body)

1151	1121	request, channel = self.make_request(
1152	1122	"GET", url.encode("ascii"), access_token=self.admin_user_tok,
1153	1123	)
1154		self.render(request)
1155	1124	self.assertEqual(200, channel.code, msg=channel.json_body)
1156	1125
1157	1126	self.assertCountEqual(

1163	1132	request, channel = self.make_request(
1164	1133	"GET", url.encode("ascii"), access_token=self.admin_user_tok,
1165	1134	)
1166		self.render(request)
1167	1135	self.assertEqual(200, channel.code, msg=channel.json_body)
1168	1136
1169	1137	self.assertCountEqual(

1207	1175	content=body.encode(encoding="utf_8"),
1208	1176	access_token=self.second_tok,
1209	1177	)
1210		self.render(request)
1211	1178
1212	1179	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
1213	1180	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

1224	1191	content=body.encode(encoding="utf_8"),
1225	1192	access_token=self.admin_user_tok,
1226	1193	)
1227		self.render(request)
1228	1194
1229	1195	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
1230	1196	self.assertEqual(Codes.MISSING_PARAM, channel.json_body["errcode"])

1241	1207	content=body.encode(encoding="utf_8"),
1242	1208	access_token=self.admin_user_tok,
1243	1209	)
1244		self.render(request)
1245	1210
1246	1211	self.assertEqual(404, int(channel.result["code"]), msg=channel.result["body"])
1247	1212	self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])

1258	1223	content=body.encode(encoding="utf_8"),
1259	1224	access_token=self.admin_user_tok,
1260	1225	)
1261		self.render(request)
1262	1226
1263	1227	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
1264	1228	self.assertEqual(

1279	1243	content=body.encode(encoding="utf_8"),
1280	1244	access_token=self.admin_user_tok,
1281	1245	)
1282		self.render(request)
1283	1246
1284	1247	self.assertEqual(404, int(channel.result["code"]), msg=channel.result["body"])
1285	1248	self.assertEqual("No known servers", channel.json_body["error"])

1297	1260	content=body.encode(encoding="utf_8"),
1298	1261	access_token=self.admin_user_tok,
1299	1262	)
1300		self.render(request)
1301	1263
1302	1264	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
1303	1265	self.assertEqual(

1317	1279	content=body.encode(encoding="utf_8"),
1318	1280	access_token=self.admin_user_tok,
1319	1281	)
1320		self.render(request)
1321	1282
1322	1283	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
1323	1284	self.assertEqual(self.public_room_id, channel.json_body["room_id"])

1327	1288	request, channel = self.make_request(
1328	1289	"GET", "/_matrix/client/r0/joined_rooms", access_token=self.second_tok,
1329	1290	)
1330		self.render(request)
1331	1291	self.assertEquals(200, int(channel.result["code"]), msg=channel.result["body"])
1332	1292	self.assertEqual(self.public_room_id, channel.json_body["joined_rooms"][0])
1333	1293

1348	1308	content=body.encode(encoding="utf_8"),
1349	1309	access_token=self.admin_user_tok,
1350	1310	)
1351		self.render(request)
1352	1311
1353	1312	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
1354	1313	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

1376	1335	request, channel = self.make_request(
1377	1336	"GET", "/_matrix/client/r0/joined_rooms", access_token=self.admin_user_tok,
1378	1337	)
1379		self.render(request)
1380	1338	self.assertEquals(200, int(channel.result["code"]), msg=channel.result["body"])
1381	1339	self.assertEqual(private_room_id, channel.json_body["joined_rooms"][0])
1382	1340

1391	1349	content=body.encode(encoding="utf_8"),
1392	1350	access_token=self.admin_user_tok,
1393	1351	)
1394		self.render(request)
1395	1352	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
1396	1353	self.assertEqual(private_room_id, channel.json_body["room_id"])
1397	1354

1400	1357	request, channel = self.make_request(
1401	1358	"GET", "/_matrix/client/r0/joined_rooms", access_token=self.second_tok,
1402	1359	)
1403		self.render(request)
1404	1360	self.assertEquals(200, int(channel.result["code"]), msg=channel.result["body"])
1405	1361	self.assertEqual(private_room_id, channel.json_body["joined_rooms"][0])
1406	1362

1421	1377	content=body.encode(encoding="utf_8"),
1422	1378	access_token=self.admin_user_tok,
1423	1379	)
1424		self.render(request)
1425	1380
1426	1381	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
1427	1382	self.assertEqual(private_room_id, channel.json_body["room_id"])

1431	1386	request, channel = self.make_request(
1432	1387	"GET", "/_matrix/client/r0/joined_rooms", access_token=self.second_tok,
1433	1388	)
1434		self.render(request)
1435	1389	self.assertEquals(200, int(channel.result["code"]), msg=channel.result["body"])
1436	1390	self.assertEqual(private_room_id, channel.json_body["joined_rooms"][0])
1437	1391

+0

-27

tests/rest/admin/test_statistics.py less more

46	46	Try to list users without authentication.
47	47	"""
48	48	request, channel = self.make_request("GET", self.url, b"{}")
49		self.render(request)
50	49
51	50	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
52	51	self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])

58	57	request, channel = self.make_request(
59	58	"GET", self.url, json.dumps({}), access_token=self.other_user_tok,
60	59	)
61		self.render(request)
62	60
63	61	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
64	62	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

71	69	request, channel = self.make_request(
72	70	"GET", self.url + "?order_by=bar", access_token=self.admin_user_tok,
73	71	)
74		self.render(request)
75	72
76	73	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
77	74	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

80	77	request, channel = self.make_request(
81	78	"GET", self.url + "?from=-5", access_token=self.admin_user_tok,
82	79	)
83		self.render(request)
84	80
85	81	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
86	82	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

89	85	request, channel = self.make_request(
90	86	"GET", self.url + "?limit=-5", access_token=self.admin_user_tok,
91	87	)
92		self.render(request)
93	88
94	89	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
95	90	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

98	93	request, channel = self.make_request(
99	94	"GET", self.url + "?from_ts=-1234", access_token=self.admin_user_tok,
100	95	)
101		self.render(request)
102	96
103	97	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
104	98	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

107	101	request, channel = self.make_request(
108	102	"GET", self.url + "?until_ts=-1234", access_token=self.admin_user_tok,
109	103	)
110		self.render(request)
111	104
112	105	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
113	106	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

118	111	self.url + "?from_ts=10&until_ts=5",
119	112	access_token=self.admin_user_tok,
120	113	)
121		self.render(request)
122	114
123	115	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
124	116	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

127	119	request, channel = self.make_request(
128	120	"GET", self.url + "?search_term=", access_token=self.admin_user_tok,
129	121	)
130		self.render(request)
131	122
132	123	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
133	124	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

136	127	request, channel = self.make_request(
137	128	"GET", self.url + "?dir=bar", access_token=self.admin_user_tok,
138	129	)
139		self.render(request)
140	130
141	131	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
142	132	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

150	140	request, channel = self.make_request(
151	141	"GET", self.url + "?limit=5", access_token=self.admin_user_tok,
152	142	)
153		self.render(request)
154	143
155	144	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
156	145	self.assertEqual(channel.json_body["total"], 10)

167	156	request, channel = self.make_request(
168	157	"GET", self.url + "?from=5", access_token=self.admin_user_tok,
169	158	)
170		self.render(request)
171	159
172	160	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
173	161	self.assertEqual(channel.json_body["total"], 20)

184	172	request, channel = self.make_request(
185	173	"GET", self.url + "?from=5&limit=10", access_token=self.admin_user_tok,
186	174	)
187		self.render(request)
188	175
189	176	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
190	177	self.assertEqual(channel.json_body["total"], 20)

205	192	request, channel = self.make_request(
206	193	"GET", self.url + "?limit=20", access_token=self.admin_user_tok,
207	194	)
208		self.render(request)
209	195
210	196	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
211	197	self.assertEqual(channel.json_body["total"], number_users)

217	203	request, channel = self.make_request(
218	204	"GET", self.url + "?limit=21", access_token=self.admin_user_tok,
219	205	)
220		self.render(request)
221	206
222	207	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
223	208	self.assertEqual(channel.json_body["total"], number_users)

229	214	request, channel = self.make_request(
230	215	"GET", self.url + "?limit=19", access_token=self.admin_user_tok,
231	216	)
232		self.render(request)
233	217
234	218	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
235	219	self.assertEqual(channel.json_body["total"], number_users)

241	225	request, channel = self.make_request(
242	226	"GET", self.url + "?from=19", access_token=self.admin_user_tok,
243	227	)
244		self.render(request)
245	228
246	229	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
247	230	self.assertEqual(channel.json_body["total"], number_users)

257	240	request, channel = self.make_request(
258	241	"GET", self.url, access_token=self.admin_user_tok,
259	242	)
260		self.render(request)
261	243
262	244	self.assertEqual(200, channel.code, msg=channel.json_body)
263	245	self.assertEqual(0, channel.json_body["total"])

336	318	request, channel = self.make_request(
337	319	"GET", self.url, access_token=self.admin_user_tok,
338	320	)
339		self.render(request)
340	321	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
341	322	self.assertEqual(channel.json_body["users"][0]["media_count"], 3)
342	323

345	326	request, channel = self.make_request(
346	327	"GET", self.url + "?from_ts=%s" % (ts1,), access_token=self.admin_user_tok,
347	328	)
348		self.render(request)
349	329	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
350	330	self.assertEqual(channel.json_body["total"], 0)
351	331

361	341	self.url + "?from_ts=%s&until_ts=%s" % (ts1, ts2),
362	342	access_token=self.admin_user_tok,
363	343	)
364		self.render(request)
365	344	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
366	345	self.assertEqual(channel.json_body["users"][0]["media_count"], 3)
367	346

369	348	request, channel = self.make_request(
370	349	"GET", self.url + "?until_ts=%s" % (ts2,), access_token=self.admin_user_tok,
371	350	)
372		self.render(request)
373	351	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
374	352	self.assertEqual(channel.json_body["users"][0]["media_count"], 6)
375	353

380	358	request, channel = self.make_request(
381	359	"GET", self.url, access_token=self.admin_user_tok,
382	360	)
383		self.render(request)
384	361	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
385	362	self.assertEqual(channel.json_body["total"], 20)
386	363

390	367	self.url + "?search_term=foo_user_1",
391	368	access_token=self.admin_user_tok,
392	369	)
393		self.render(request)
394	370	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
395	371	self.assertEqual(channel.json_body["total"], 11)
396	372

400	376	self.url + "?search_term=bar_user_10",
401	377	access_token=self.admin_user_tok,
402	378	)
403		self.render(request)
404	379	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
405	380	self.assertEqual(channel.json_body["users"][0]["displayname"], "bar_user_10")
406	381	self.assertEqual(channel.json_body["total"], 1)

409	384	request, channel = self.make_request(
410	385	"GET", self.url + "?search_term=foobar", access_token=self.admin_user_tok,
411	386	)
412		self.render(request)
413	387	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
414	388	self.assertEqual(channel.json_body["total"], 0)
415	389

475	449	request, channel = self.make_request(
476	450	"GET", url.encode("ascii"), access_token=self.admin_user_tok,
477	451	)
478		self.render(request)
479	452	self.assertEqual(200, channel.code, msg=channel.json_body)
480	453	self.assertEqual(channel.json_body["total"], len(expected_user_list))
481	454

+336

-98

tests/rest/admin/test_user.py less more

23	23	import synapse.rest.admin
24	24	from synapse.api.constants import UserTypes
25	25	from synapse.api.errors import Codes, HttpResponseException, ResourceLimitError
26		from synapse.rest.client.v1 import login, profile, room
27		from synapse.rest.client.v2_alpha import sync
	26	from synapse.rest.client.v1 import login, logout, profile, room
	27	from synapse.rest.client.v2_alpha import devices, sync
28	28
29	29	from tests import unittest
30	30	from tests.test_utils import make_awaitable

40	40
41	41	def make_homeserver(self, reactor, clock):
42	42
43		self.url = "/_matrix/client/r0/admin/register"
	43	self.url = "/_synapse/admin/v1/register"
44	44
45	45	self.registration_handler = Mock()
46	46	self.identity_handler = Mock()

70	70	self.hs.config.registration_shared_secret = None
71	71
72	72	request, channel = self.make_request("POST", self.url, b"{}")
73		self.render(request)
74	73
75	74	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
76	75	self.assertEqual(

88	87	self.hs.get_secrets = Mock(return_value=secrets)
89	88
90	89	request, channel = self.make_request("GET", self.url)
91		self.render(request)
92	90
93	91	self.assertEqual(channel.json_body, {"nonce": "abcd"})
94	92

98	96	only last for SALT_TIMEOUT (60s).
99	97	"""
100	98	request, channel = self.make_request("GET", self.url)
101		self.render(request)
102	99	nonce = channel.json_body["nonce"]
103	100
104	101	# 59 seconds

106	103
107	104	body = json.dumps({"nonce": nonce})
108	105	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
109		self.render(request)
110	106
111	107	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
112	108	self.assertEqual("username must be specified", channel.json_body["error"])

115	111	self.reactor.advance(2)
116	112
117	113	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
118		self.render(request)
119	114
120	115	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
121	116	self.assertEqual("unrecognised nonce", channel.json_body["error"])

125	120	Only the provided nonce can be used, as it's checked in the MAC.
126	121	"""
127	122	request, channel = self.make_request("GET", self.url)
128		self.render(request)
129	123	nonce = channel.json_body["nonce"]
130	124
131	125	want_mac = hmac.new(key=b"shared", digestmod=hashlib.sha1)

142	136	}
143	137	)
144	138	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
145		self.render(request)
146	139
147	140	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
148	141	self.assertEqual("HMAC incorrect", channel.json_body["error"])

153	146	user is registered.
154	147	"""
155	148	request, channel = self.make_request("GET", self.url)
156		self.render(request)
157	149	nonce = channel.json_body["nonce"]
158	150
159	151	want_mac = hmac.new(key=b"shared", digestmod=hashlib.sha1)

173	165	}
174	166	)
175	167	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
176		self.render(request)
177	168
178	169	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
179	170	self.assertEqual("@bob:test", channel.json_body["user_id"])

183	174	A valid unrecognised nonce.
184	175	"""
185	176	request, channel = self.make_request("GET", self.url)
186		self.render(request)
187	177	nonce = channel.json_body["nonce"]
188	178
189	179	want_mac = hmac.new(key=b"shared", digestmod=hashlib.sha1)

200	190	}
201	191	)
202	192	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
203		self.render(request)
204	193
205	194	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
206	195	self.assertEqual("@bob:test", channel.json_body["user_id"])
207	196
208	197	# Now, try and reuse it
209	198	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
210		self.render(request)
211	199
212	200	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
213	201	self.assertEqual("unrecognised nonce", channel.json_body["error"])

221	209
222	210	def nonce():
223	211	request, channel = self.make_request("GET", self.url)
224		self.render(request)
225	212	return channel.json_body["nonce"]
226	213
227	214	#

231	218	# Must be present
232	219	body = json.dumps({})
233	220	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
234		self.render(request)
235	221
236	222	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
237	223	self.assertEqual("nonce must be specified", channel.json_body["error"])

243	229	# Must be present
244	230	body = json.dumps({"nonce": nonce()})
245	231	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
246		self.render(request)
247	232
248	233	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
249	234	self.assertEqual("username must be specified", channel.json_body["error"])

251	236	# Must be a string
252	237	body = json.dumps({"nonce": nonce(), "username": 1234})
253	238	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
254		self.render(request)
255	239
256	240	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
257	241	self.assertEqual("Invalid username", channel.json_body["error"])

259	243	# Must not have null bytes
260	244	body = json.dumps({"nonce": nonce(), "username": "abcd\u0000"})
261	245	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
262		self.render(request)
263	246
264	247	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
265	248	self.assertEqual("Invalid username", channel.json_body["error"])

267	250	# Must not have null bytes
268	251	body = json.dumps({"nonce": nonce(), "username": "a" * 1000})
269	252	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
270		self.render(request)
271	253
272	254	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
273	255	self.assertEqual("Invalid username", channel.json_body["error"])

279	261	# Must be present
280	262	body = json.dumps({"nonce": nonce(), "username": "a"})
281	263	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
282		self.render(request)
283	264
284	265	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
285	266	self.assertEqual("password must be specified", channel.json_body["error"])

287	268	# Must be a string
288	269	body = json.dumps({"nonce": nonce(), "username": "a", "password": 1234})
289	270	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
290		self.render(request)
291	271
292	272	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
293	273	self.assertEqual("Invalid password", channel.json_body["error"])

295	275	# Must not have null bytes
296	276	body = json.dumps({"nonce": nonce(), "username": "a", "password": "abcd\u0000"})
297	277	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
298		self.render(request)
299	278
300	279	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
301	280	self.assertEqual("Invalid password", channel.json_body["error"])

303	282	# Super long
304	283	body = json.dumps({"nonce": nonce(), "username": "a", "password": "A" * 1000})
305	284	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
306		self.render(request)
307	285
308	286	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
309	287	self.assertEqual("Invalid password", channel.json_body["error"])

322	300	}
323	301	)
324	302	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
325		self.render(request)
326	303
327	304	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
328	305	self.assertEqual("Invalid user type", channel.json_body["error"])

334	311
335	312	# set no displayname
336	313	request, channel = self.make_request("GET", self.url)
337		self.render(request)
338	314	nonce = channel.json_body["nonce"]
339	315
340	316	want_mac = hmac.new(key=b"shared", digestmod=hashlib.sha1)

345	321	{"nonce": nonce, "username": "bob1", "password": "abc123", "mac": want_mac}
346	322	)
347	323	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
348		self.render(request)
349	324
350	325	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
351	326	self.assertEqual("@bob1:test", channel.json_body["user_id"])
352	327
353	328	request, channel = self.make_request("GET", "/profile/@bob1:test/displayname")
354		self.render(request)
355	329	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
356	330	self.assertEqual("bob1", channel.json_body["displayname"])
357	331
358	332	# displayname is None
359	333	request, channel = self.make_request("GET", self.url)
360		self.render(request)
361	334	nonce = channel.json_body["nonce"]
362	335
363	336	want_mac = hmac.new(key=b"shared", digestmod=hashlib.sha1)

374	347	}
375	348	)
376	349	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
377		self.render(request)
378	350
379	351	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
380	352	self.assertEqual("@bob2:test", channel.json_body["user_id"])
381	353
382	354	request, channel = self.make_request("GET", "/profile/@bob2:test/displayname")
383		self.render(request)
384	355	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
385	356	self.assertEqual("bob2", channel.json_body["displayname"])
386	357
387	358	# displayname is empty
388	359	request, channel = self.make_request("GET", self.url)
389		self.render(request)
390	360	nonce = channel.json_body["nonce"]
391	361
392	362	want_mac = hmac.new(key=b"shared", digestmod=hashlib.sha1)

403	373	}
404	374	)
405	375	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
406		self.render(request)
407	376
408	377	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
409	378	self.assertEqual("@bob3:test", channel.json_body["user_id"])
410	379
411	380	request, channel = self.make_request("GET", "/profile/@bob3:test/displayname")
412		self.render(request)
413	381	self.assertEqual(404, int(channel.result["code"]), msg=channel.result["body"])
414	382
415	383	# set displayname
416	384	request, channel = self.make_request("GET", self.url)
417		self.render(request)
418	385	nonce = channel.json_body["nonce"]
419	386
420	387	want_mac = hmac.new(key=b"shared", digestmod=hashlib.sha1)

431	398	}
432	399	)
433	400	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
434		self.render(request)
435	401
436	402	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
437	403	self.assertEqual("@bob4:test", channel.json_body["user_id"])
438	404
439	405	request, channel = self.make_request("GET", "/profile/@bob4:test/displayname")
440		self.render(request)
441	406	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
442	407	self.assertEqual("Bob's Name", channel.json_body["displayname"])
443	408

464	429
465	430	# Register new user with admin API
466	431	request, channel = self.make_request("GET", self.url)
467		self.render(request)
468	432	nonce = channel.json_body["nonce"]
469	433
470	434	want_mac = hmac.new(key=b"shared", digestmod=hashlib.sha1)

484	448	}
485	449	)
486	450	request, channel = self.make_request("POST", self.url, body.encode("utf8"))
487		self.render(request)
488	451
489	452	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
490	453	self.assertEqual("@bob:test", channel.json_body["user_id"])

510	473	Try to list users without authentication.
511	474	"""
512	475	request, channel = self.make_request("GET", self.url, b"{}")
513		self.render(request)
514	476
515	477	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
516	478	self.assertEqual("M_MISSING_TOKEN", channel.json_body["errcode"])

525	487	b"{}",
526	488	access_token=self.admin_user_tok,
527	489	)
528		self.render(request)
529	490
530	491	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
531	492	self.assertEqual(3, len(channel.json_body["users"]))

561	522	request, channel = self.make_request(
562	523	"GET", url, access_token=self.other_user_token,
563	524	)
564		self.render(request)
565	525
566	526	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
567	527	self.assertEqual("You are not a server admin", channel.json_body["error"])

569	529	request, channel = self.make_request(
570	530	"PUT", url, access_token=self.other_user_token, content=b"{}",
571	531	)
572		self.render(request)
573	532
574	533	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
575	534	self.assertEqual("You are not a server admin", channel.json_body["error"])

584	543	"/_synapse/admin/v2/users/@unknown_person:test",
585	544	access_token=self.admin_user_tok,
586	545	)
587		self.render(request)
588	546
589	547	self.assertEqual(404, channel.code, msg=channel.json_body)
590	548	self.assertEqual("M_NOT_FOUND", channel.json_body["errcode"])

612	570	access_token=self.admin_user_tok,
613	571	content=body.encode(encoding="utf_8"),
614	572	)
615		self.render(request)
616	573
617	574	self.assertEqual(201, int(channel.result["code"]), msg=channel.result["body"])
618	575	self.assertEqual("@bob:test", channel.json_body["name"])

625	582	request, channel = self.make_request(
626	583	"GET", url, access_token=self.admin_user_tok,
627	584	)
628		self.render(request)
629	585
630	586	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
631	587	self.assertEqual("@bob:test", channel.json_body["name"])

658	614	access_token=self.admin_user_tok,
659	615	content=body.encode(encoding="utf_8"),
660	616	)
661		self.render(request)
662	617
663	618	self.assertEqual(201, int(channel.result["code"]), msg=channel.result["body"])
664	619	self.assertEqual("@bob:test", channel.json_body["name"])

671	626	request, channel = self.make_request(
672	627	"GET", url, access_token=self.admin_user_tok,
673	628	)
674		self.render(request)
675	629
676	630	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
677	631	self.assertEqual("@bob:test", channel.json_body["name"])

699	653	request, channel = self.make_request(
700	654	"GET", "/sync", access_token=self.admin_user_tok
701	655	)
702		self.render(request)
703	656
704	657	if channel.code != 200:
705	658	raise HttpResponseException(

728	681	access_token=self.admin_user_tok,
729	682	content=body.encode(encoding="utf_8"),
730	683	)
731		self.render(request)
732	684
733	685	self.assertEqual(201, int(channel.result["code"]), msg=channel.result["body"])
734	686	self.assertEqual("@bob:test", channel.json_body["name"])

768	720	access_token=self.admin_user_tok,
769	721	content=body.encode(encoding="utf_8"),
770	722	)
771		self.render(request)
772	723
773	724	# Admin user is not blocked by mau anymore
774	725	self.assertEqual(201, int(channel.result["code"]), msg=channel.result["body"])

806	757	access_token=self.admin_user_tok,
807	758	content=body.encode(encoding="utf_8"),
808	759	)
809		self.render(request)
810	760
811	761	self.assertEqual(201, int(channel.result["code"]), msg=channel.result["body"])
812	762	self.assertEqual("@bob:test", channel.json_body["name"])

851	801	access_token=self.admin_user_tok,
852	802	content=body.encode(encoding="utf_8"),
853	803	)
854		self.render(request)
855	804
856	805	self.assertEqual(201, int(channel.result["code"]), msg=channel.result["body"])
857	806	self.assertEqual("@bob:test", channel.json_body["name"])

878	827	access_token=self.admin_user_tok,
879	828	content=body.encode(encoding="utf_8"),
880	829	)
881		self.render(request)
882	830
883	831	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
884	832

896	844	access_token=self.admin_user_tok,
897	845	content=body.encode(encoding="utf_8"),
898	846	)
899		self.render(request)
900	847
901	848	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
902	849	self.assertEqual("@user:test", channel.json_body["name"])

906	853	request, channel = self.make_request(
907	854	"GET", self.url_other_user, access_token=self.admin_user_tok,
908	855	)
909		self.render(request)
910	856
911	857	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
912	858	self.assertEqual("@user:test", channel.json_body["name"])

928	874	access_token=self.admin_user_tok,
929	875	content=body.encode(encoding="utf_8"),
930	876	)
931		self.render(request)
932	877
933	878	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
934	879	self.assertEqual("@user:test", channel.json_body["name"])

939	884	request, channel = self.make_request(
940	885	"GET", self.url_other_user, access_token=self.admin_user_tok,
941	886	)
942		self.render(request)
943	887
944	888	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
945	889	self.assertEqual("@user:test", channel.json_body["name"])

960	904	access_token=self.admin_user_tok,
961	905	content=body.encode(encoding="utf_8"),
962	906	)
963		self.render(request)
964	907
965	908	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
966	909	self.assertEqual("@user:test", channel.json_body["name"])

971	914	request, channel = self.make_request(
972	915	"GET", self.url_other_user, access_token=self.admin_user_tok,
973	916	)
974		self.render(request)
975	917
976	918	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
977	919	self.assertEqual("@user:test", channel.json_body["name"])

989	931	access_token=self.admin_user_tok,
990	932	content=json.dumps({"deactivated": True}).encode(encoding="utf_8"),
991	933	)
992		self.render(request)
993	934	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
994	935	self._is_erased("@user:test", False)
995	936	d = self.store.mark_user_erased("@user:test")

1003	944	access_token=self.admin_user_tok,
1004	945	content=json.dumps({"deactivated": False}).encode(encoding="utf_8"),
1005	946	)
1006		self.render(request)
1007	947	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
1008	948
1009	949	# Reactivate the user.

1015	955	encoding="utf_8"
1016	956	),
1017	957	)
1018		self.render(request)
1019	958	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
1020	959
1021	960	# Get user
1022	961	request, channel = self.make_request(
1023	962	"GET", self.url_other_user, access_token=self.admin_user_tok,
1024	963	)
1025		self.render(request)
1026	964
1027	965	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
1028	966	self.assertEqual("@user:test", channel.json_body["name"])

1043	981	access_token=self.admin_user_tok,
1044	982	content=body.encode(encoding="utf_8"),
1045	983	)
1046		self.render(request)
1047	984
1048	985	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
1049	986	self.assertEqual("@user:test", channel.json_body["name"])

1053	990	request, channel = self.make_request(
1054	991	"GET", self.url_other_user, access_token=self.admin_user_tok,
1055	992	)
1056		self.render(request)
1057	993
1058	994	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
1059	995	self.assertEqual("@user:test", channel.json_body["name"])

1075	1011	access_token=self.admin_user_tok,
1076	1012	content=body.encode(encoding="utf_8"),
1077	1013	)
1078		self.render(request)
1079	1014
1080	1015	self.assertEqual(201, int(channel.result["code"]), msg=channel.result["body"])
1081	1016	self.assertEqual("@bob:test", channel.json_body["name"])

1085	1020	request, channel = self.make_request(
1086	1021	"GET", url, access_token=self.admin_user_tok,
1087	1022	)
1088		self.render(request)
1089	1023
1090	1024	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
1091	1025	self.assertEqual("@bob:test", channel.json_body["name"])

1101	1035	access_token=self.admin_user_tok,
1102	1036	content=body.encode(encoding="utf_8"),
1103	1037	)
1104		self.render(request)
1105	1038
1106	1039	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
1107	1040

1109	1042	request, channel = self.make_request(
1110	1043	"GET", url, access_token=self.admin_user_tok,
1111	1044	)
1112		self.render(request)
1113	1045
1114	1046	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
1115	1047	self.assertEqual("@bob:test", channel.json_body["name"])

1152	1084	Try to list rooms of an user without authentication.
1153	1085	"""
1154	1086	request, channel = self.make_request("GET", self.url, b"{}")
1155		self.render(request)
1156	1087
1157	1088	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
1158	1089	self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])

1166	1097	request, channel = self.make_request(
1167	1098	"GET", self.url, access_token=other_user_token,
1168	1099	)
1169		self.render(request)
1170	1100
1171	1101	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
1172	1102	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

1179	1109	request, channel = self.make_request(
1180	1110	"GET", url, access_token=self.admin_user_tok,
1181	1111	)
1182		self.render(request)
1183	1112
1184	1113	self.assertEqual(404, channel.code, msg=channel.json_body)
1185	1114	self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])

1193	1122	request, channel = self.make_request(
1194	1123	"GET", url, access_token=self.admin_user_tok,
1195	1124	)
1196		self.render(request)
1197	1125
1198	1126	self.assertEqual(400, channel.code, msg=channel.json_body)
1199	1127	self.assertEqual("Can only lookup local users", channel.json_body["error"])

1207	1135	request, channel = self.make_request(
1208	1136	"GET", self.url, access_token=self.admin_user_tok,
1209	1137	)
1210		self.render(request)
1211	1138
1212	1139	self.assertEqual(200, channel.code, msg=channel.json_body)
1213	1140	self.assertEqual(0, channel.json_body["total"])

1227	1154	request, channel = self.make_request(
1228	1155	"GET", self.url, access_token=self.admin_user_tok,
1229	1156	)
1230		self.render(request)
1231	1157
1232	1158	self.assertEqual(200, channel.code, msg=channel.json_body)
1233	1159	self.assertEqual(number_rooms, channel.json_body["total"])

1257	1183	Try to list pushers of an user without authentication.
1258	1184	"""
1259	1185	request, channel = self.make_request("GET", self.url, b"{}")
1260		self.render(request)
1261	1186
1262	1187	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
1263	1188	self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])

1271	1196	request, channel = self.make_request(
1272	1197	"GET", self.url, access_token=other_user_token,
1273	1198	)
1274		self.render(request)
1275	1199
1276	1200	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
1277	1201	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

1284	1208	request, channel = self.make_request(
1285	1209	"GET", url, access_token=self.admin_user_tok,
1286	1210	)
1287		self.render(request)
1288	1211
1289	1212	self.assertEqual(404, channel.code, msg=channel.json_body)
1290	1213	self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])

1298	1221	request, channel = self.make_request(
1299	1222	"GET", url, access_token=self.admin_user_tok,
1300	1223	)
1301		self.render(request)
1302	1224
1303	1225	self.assertEqual(400, channel.code, msg=channel.json_body)
1304	1226	self.assertEqual("Can only lookup local users", channel.json_body["error"])

1312	1234	request, channel = self.make_request(
1313	1235	"GET", self.url, access_token=self.admin_user_tok,
1314	1236	)
1315		self.render(request)
1316	1237
1317	1238	self.assertEqual(200, channel.code, msg=channel.json_body)
1318	1239	self.assertEqual(0, channel.json_body["total"])

1342	1263	request, channel = self.make_request(
1343	1264	"GET", self.url, access_token=self.admin_user_tok,
1344	1265	)
1345		self.render(request)
1346	1266
1347	1267	self.assertEqual(200, channel.code, msg=channel.json_body)
1348	1268	self.assertEqual(1, channel.json_body["total"])

1382	1302	Try to list media of an user without authentication.
1383	1303	"""
1384	1304	request, channel = self.make_request("GET", self.url, b"{}")
1385		self.render(request)
1386	1305
1387	1306	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
1388	1307	self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])

1396	1315	request, channel = self.make_request(
1397	1316	"GET", self.url, access_token=other_user_token,
1398	1317	)
1399		self.render(request)
1400	1318
1401	1319	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
1402	1320	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

1409	1327	request, channel = self.make_request(
1410	1328	"GET", url, access_token=self.admin_user_tok,
1411	1329	)
1412		self.render(request)
1413	1330
1414	1331	self.assertEqual(404, channel.code, msg=channel.json_body)
1415	1332	self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])

1423	1340	request, channel = self.make_request(
1424	1341	"GET", url, access_token=self.admin_user_tok,
1425	1342	)
1426		self.render(request)
1427	1343
1428	1344	self.assertEqual(400, channel.code, msg=channel.json_body)
1429	1345	self.assertEqual("Can only lookup local users", channel.json_body["error"])

1440	1356	request, channel = self.make_request(
1441	1357	"GET", self.url + "?limit=5", access_token=self.admin_user_tok,
1442	1358	)
1443		self.render(request)
1444	1359
1445	1360	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
1446	1361	self.assertEqual(channel.json_body["total"], number_media)

1460	1375	request, channel = self.make_request(
1461	1376	"GET", self.url + "?from=5", access_token=self.admin_user_tok,
1462	1377	)
1463		self.render(request)
1464	1378
1465	1379	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
1466	1380	self.assertEqual(channel.json_body["total"], number_media)

1480	1394	request, channel = self.make_request(
1481	1395	"GET", self.url + "?from=5&limit=10", access_token=self.admin_user_tok,
1482	1396	)
1483		self.render(request)
1484	1397
1485	1398	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
1486	1399	self.assertEqual(channel.json_body["total"], number_media)

1496	1409	request, channel = self.make_request(
1497	1410	"GET", self.url + "?limit=-5", access_token=self.admin_user_tok,
1498	1411	)
1499		self.render(request)
1500	1412
1501	1413	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
1502	1414	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

1509	1421	request, channel = self.make_request(
1510	1422	"GET", self.url + "?from=-5", access_token=self.admin_user_tok,
1511	1423	)
1512		self.render(request)
1513	1424
1514	1425	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
1515	1426	self.assertEqual(Codes.INVALID_PARAM, channel.json_body["errcode"])

1528	1439	request, channel = self.make_request(
1529	1440	"GET", self.url + "?limit=20", access_token=self.admin_user_tok,
1530	1441	)
1531		self.render(request)
1532	1442
1533	1443	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
1534	1444	self.assertEqual(channel.json_body["total"], number_media)

1540	1450	request, channel = self.make_request(
1541	1451	"GET", self.url + "?limit=21", access_token=self.admin_user_tok,
1542	1452	)
1543		self.render(request)
1544	1453
1545	1454	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
1546	1455	self.assertEqual(channel.json_body["total"], number_media)

1552	1461	request, channel = self.make_request(
1553	1462	"GET", self.url + "?limit=19", access_token=self.admin_user_tok,
1554	1463	)
1555		self.render(request)
1556	1464
1557	1465	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
1558	1466	self.assertEqual(channel.json_body["total"], number_media)

1565	1473	request, channel = self.make_request(
1566	1474	"GET", self.url + "?from=19", access_token=self.admin_user_tok,
1567	1475	)
1568		self.render(request)
1569	1476
1570	1477	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
1571	1478	self.assertEqual(channel.json_body["total"], number_media)

1581	1488	request, channel = self.make_request(
1582	1489	"GET", self.url, access_token=self.admin_user_tok,
1583	1490	)
1584		self.render(request)
1585	1491
1586	1492	self.assertEqual(200, channel.code, msg=channel.json_body)
1587	1493	self.assertEqual(0, channel.json_body["total"])

1599	1505	request, channel = self.make_request(
1600	1506	"GET", self.url, access_token=self.admin_user_tok,
1601	1507	)
1602		self.render(request)
1603	1508
1604	1509	self.assertEqual(200, channel.code, msg=channel.json_body)
1605	1510	self.assertEqual(number_media, channel.json_body["total"])

1637	1542	self.assertIn("last_access_ts", m)
1638	1543	self.assertIn("quarantined_by", m)
1639	1544	self.assertIn("safe_from_quarantine", m)
	1545
	1546
	1547	class UserTokenRestTestCase(unittest.HomeserverTestCase):
	1548	"""Test for /_synapse/admin/v1/users/<user>/login
	1549	"""
	1550
	1551	servlets = [
	1552	synapse.rest.admin.register_servlets,
	1553	login.register_servlets,
	1554	sync.register_servlets,
	1555	room.register_servlets,
	1556	devices.register_servlets,
	1557	logout.register_servlets,
	1558	]
	1559
	1560	def prepare(self, reactor, clock, hs):
	1561	self.store = hs.get_datastore()
	1562
	1563	self.admin_user = self.register_user("admin", "pass", admin=True)
	1564	self.admin_user_tok = self.login("admin", "pass")
	1565
	1566	self.other_user = self.register_user("user", "pass")
	1567	self.other_user_tok = self.login("user", "pass")
	1568	self.url = "/_synapse/admin/v1/users/%s/login" % urllib.parse.quote(
	1569	self.other_user
	1570	)
	1571
	1572	def _get_token(self) -> str:
	1573	request, channel = self.make_request(
	1574	"POST", self.url, b"{}", access_token=self.admin_user_tok
	1575	)
	1576	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
	1577	return channel.json_body["access_token"]
	1578
	1579	def test_no_auth(self):
	1580	"""Try to login as a user without authentication.
	1581	"""
	1582	request, channel = self.make_request("POST", self.url, b"{}")
	1583
	1584	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
	1585	self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])
	1586
	1587	def test_not_admin(self):
	1588	"""Try to login as a user as a non-admin user.
	1589	"""
	1590	request, channel = self.make_request(
	1591	"POST", self.url, b"{}", access_token=self.other_user_tok
	1592	)
	1593
	1594	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
	1595
	1596	def test_send_event(self):
	1597	"""Test that sending event as a user works.
	1598	"""
	1599	# Create a room.
	1600	room_id = self.helper.create_room_as(self.other_user, tok=self.other_user_tok)
	1601
	1602	# Login in as the user
	1603	puppet_token = self._get_token()
	1604
	1605	# Test that sending works, and generates the event as the right user.
	1606	resp = self.helper.send_event(room_id, "com.example.test", tok=puppet_token)
	1607	event_id = resp["event_id"]
	1608	event = self.get_success(self.store.get_event(event_id))
	1609	self.assertEqual(event.sender, self.other_user)
	1610
	1611	def test_devices(self):
	1612	"""Tests that logging in as a user doesn't create a new device for them.
	1613	"""
	1614	# Login in as the user
	1615	self._get_token()
	1616
	1617	# Check that we don't see a new device in our devices list
	1618	request, channel = self.make_request(
	1619	"GET", "devices", b"{}", access_token=self.other_user_tok
	1620	)
	1621	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
	1622
	1623	# We should only see the one device (from the login in `prepare`)
	1624	self.assertEqual(len(channel.json_body["devices"]), 1)
	1625
	1626	def test_logout(self):
	1627	"""Test that calling `/logout` with the token works.
	1628	"""
	1629	# Login in as the user
	1630	puppet_token = self._get_token()
	1631
	1632	# Test that we can successfully make a request
	1633	request, channel = self.make_request(
	1634	"GET", "devices", b"{}", access_token=puppet_token
	1635	)
	1636	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
	1637
	1638	# Logout with the puppet token
	1639	request, channel = self.make_request(
	1640	"POST", "logout", b"{}", access_token=puppet_token
	1641	)
	1642	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
	1643
	1644	# The puppet token should no longer work
	1645	request, channel = self.make_request(
	1646	"GET", "devices", b"{}", access_token=puppet_token
	1647	)
	1648	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
	1649
	1650	# .. but the real user's tokens should still work
	1651	request, channel = self.make_request(
	1652	"GET", "devices", b"{}", access_token=self.other_user_tok
	1653	)
	1654	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
	1655
	1656	def test_user_logout_all(self):
	1657	"""Tests that the target user calling `/logout/all` does not expire
	1658	the token.
	1659	"""
	1660	# Login in as the user
	1661	puppet_token = self._get_token()
	1662
	1663	# Test that we can successfully make a request
	1664	request, channel = self.make_request(
	1665	"GET", "devices", b"{}", access_token=puppet_token
	1666	)
	1667	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
	1668
	1669	# Logout all with the real user token
	1670	request, channel = self.make_request(
	1671	"POST", "logout/all", b"{}", access_token=self.other_user_tok
	1672	)
	1673	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
	1674
	1675	# The puppet token should still work
	1676	request, channel = self.make_request(
	1677	"GET", "devices", b"{}", access_token=puppet_token
	1678	)
	1679	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
	1680
	1681	# .. but the real user's tokens shouldn't
	1682	request, channel = self.make_request(
	1683	"GET", "devices", b"{}", access_token=self.other_user_tok
	1684	)
	1685	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
	1686
	1687	def test_admin_logout_all(self):
	1688	"""Tests that the admin user calling `/logout/all` does expire the
	1689	token.
	1690	"""
	1691	# Login in as the user
	1692	puppet_token = self._get_token()
	1693
	1694	# Test that we can successfully make a request
	1695	request, channel = self.make_request(
	1696	"GET", "devices", b"{}", access_token=puppet_token
	1697	)
	1698	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
	1699
	1700	# Logout all with the admin user token
	1701	request, channel = self.make_request(
	1702	"POST", "logout/all", b"{}", access_token=self.admin_user_tok
	1703	)
	1704	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
	1705
	1706	# The puppet token should no longer work
	1707	request, channel = self.make_request(
	1708	"GET", "devices", b"{}", access_token=puppet_token
	1709	)
	1710	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
	1711
	1712	# .. but the real user's tokens should still work
	1713	request, channel = self.make_request(
	1714	"GET", "devices", b"{}", access_token=self.other_user_tok
	1715	)
	1716	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
	1717
	1718	@unittest.override_config(
	1719	{
	1720	"public_baseurl": "https://example.org/",
	1721	"user_consent": {
	1722	"version": "1.0",
	1723	"policy_name": "My Cool Privacy Policy",
	1724	"template_dir": "/",
	1725	"require_at_registration": True,
	1726	"block_events_error": "You should accept the policy",
	1727	},
	1728	"form_secret": "123secret",
	1729	}
	1730	)
	1731	def test_consent(self):
	1732	"""Test that sending a message is not subject to the privacy policies.
	1733	"""
	1734	# Have the admin user accept the terms.
	1735	self.get_success(self.store.user_set_consent_version(self.admin_user, "1.0"))
	1736
	1737	# First, cheekily accept the terms and create a room
	1738	self.get_success(self.store.user_set_consent_version(self.other_user, "1.0"))
	1739	room_id = self.helper.create_room_as(self.other_user, tok=self.other_user_tok)
	1740	self.helper.send_event(room_id, "com.example.test", tok=self.other_user_tok)
	1741
	1742	# Now unaccept it and check that we can't send an event
	1743	self.get_success(self.store.user_set_consent_version(self.other_user, "0.0"))
	1744	self.helper.send_event(
	1745	room_id, "com.example.test", tok=self.other_user_tok, expect_code=403
	1746	)
	1747
	1748	# Login in as the user
	1749	puppet_token = self._get_token()
	1750
	1751	# Sending an event on their behalf should work fine
	1752	self.helper.send_event(room_id, "com.example.test", tok=puppet_token)
	1753
	1754	@override_config(
	1755	{"limit_usage_by_mau": True, "max_mau_value": 1, "mau_trial_days": 0}
	1756	)
	1757	def test_mau_limit(self):
	1758	# Create a room as the admin user. This will bump the monthly active users to 1.
	1759	room_id = self.helper.create_room_as(self.admin_user, tok=self.admin_user_tok)
	1760
	1761	# Trying to join as the other user should fail due to reaching MAU limit.
	1762	self.helper.join(
	1763	room_id, user=self.other_user, tok=self.other_user_tok, expect_code=403
	1764	)
	1765
	1766	# Logging in as the other user and joining a room should work, even
	1767	# though the MAU limit would stop the user doing so.
	1768	puppet_token = self._get_token()
	1769	self.helper.join(room_id, user=self.other_user, tok=puppet_token)
	1770
	1771
	1772	class WhoisRestTestCase(unittest.HomeserverTestCase):
	1773
	1774	servlets = [
	1775	synapse.rest.admin.register_servlets,
	1776	login.register_servlets,
	1777	]
	1778
	1779	def prepare(self, reactor, clock, hs):
	1780	self.store = hs.get_datastore()
	1781
	1782	self.admin_user = self.register_user("admin", "pass", admin=True)
	1783	self.admin_user_tok = self.login("admin", "pass")
	1784
	1785	self.other_user = self.register_user("user", "pass")
	1786	self.url1 = "/_synapse/admin/v1/whois/%s" % urllib.parse.quote(self.other_user)
	1787	self.url2 = "/_matrix/client/r0/admin/whois/%s" % urllib.parse.quote(
	1788	self.other_user
	1789	)
	1790
	1791	def test_no_auth(self):
	1792	"""
	1793	Try to get information of an user without authentication.
	1794	"""
	1795	request, channel = self.make_request("GET", self.url1, b"{}")
	1796	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
	1797	self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])
	1798
	1799	request, channel = self.make_request("GET", self.url2, b"{}")
	1800	self.assertEqual(401, int(channel.result["code"]), msg=channel.result["body"])
	1801	self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])
	1802
	1803	def test_requester_is_not_admin(self):
	1804	"""
	1805	If the user is not a server admin, an error is returned.
	1806	"""
	1807	self.register_user("user2", "pass")
	1808	other_user2_token = self.login("user2", "pass")
	1809
	1810	request, channel = self.make_request(
	1811	"GET", self.url1, access_token=other_user2_token,
	1812	)
	1813	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
	1814	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])
	1815
	1816	request, channel = self.make_request(
	1817	"GET", self.url2, access_token=other_user2_token,
	1818	)
	1819	self.assertEqual(403, int(channel.result["code"]), msg=channel.result["body"])
	1820	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])
	1821
	1822	def test_user_is_not_local(self):
	1823	"""
	1824	Tests that a lookup for a user that is not a local returns a 400
	1825	"""
	1826	url1 = "/_synapse/admin/v1/whois/@unknown_person:unknown_domain"
	1827	url2 = "/_matrix/client/r0/admin/whois/@unknown_person:unknown_domain"
	1828
	1829	request, channel = self.make_request(
	1830	"GET", url1, access_token=self.admin_user_tok,
	1831	)
	1832	self.assertEqual(400, channel.code, msg=channel.json_body)
	1833	self.assertEqual("Can only whois a local user", channel.json_body["error"])
	1834
	1835	request, channel = self.make_request(
	1836	"GET", url2, access_token=self.admin_user_tok,
	1837	)
	1838	self.assertEqual(400, channel.code, msg=channel.json_body)
	1839	self.assertEqual("Can only whois a local user", channel.json_body["error"])
	1840
	1841	def test_get_whois_admin(self):
	1842	"""
	1843	The lookup should succeed for an admin.
	1844	"""
	1845	request, channel = self.make_request(
	1846	"GET", self.url1, access_token=self.admin_user_tok,
	1847	)
	1848	self.assertEqual(200, channel.code, msg=channel.json_body)
	1849	self.assertEqual(self.other_user, channel.json_body["user_id"])
	1850	self.assertIn("devices", channel.json_body)
	1851
	1852	request, channel = self.make_request(
	1853	"GET", self.url2, access_token=self.admin_user_tok,
	1854	)
	1855	self.assertEqual(200, channel.code, msg=channel.json_body)
	1856	self.assertEqual(self.other_user, channel.json_body["user_id"])
	1857	self.assertIn("devices", channel.json_body)
	1858
	1859	def test_get_whois_user(self):
	1860	"""
	1861	The lookup should succeed for a normal user looking up their own information.
	1862	"""
	1863	other_user_token = self.login("user", "pass")
	1864
	1865	request, channel = self.make_request(
	1866	"GET", self.url1, access_token=other_user_token,
	1867	)
	1868	self.assertEqual(200, channel.code, msg=channel.json_body)
	1869	self.assertEqual(self.other_user, channel.json_body["user_id"])
	1870	self.assertIn("devices", channel.json_body)
	1871
	1872	request, channel = self.make_request(
	1873	"GET", self.url2, access_token=other_user_token,
	1874	)
	1875	self.assertEqual(200, channel.code, msg=channel.json_body)
	1876	self.assertEqual(self.other_user, channel.json_body["user_id"])
	1877	self.assertIn("devices", channel.json_body)

+21

-11

tests/rest/client/test_consent.py less more

20	20	from synapse.rest.consent import consent_resource
21	21
22	22	from tests import unittest
23		from tests.server import render
	23	from tests.server import FakeSite, make_request
24	24
25	25
26	26	class ConsentResourceTestCase(unittest.HomeserverTestCase):

60	60	def test_render_public_consent(self):
61	61	"""You can observe the terms form without specifying a user"""
62	62	resource = consent_resource.ConsentResource(self.hs)
63		request, channel = self.make_request("GET", "/consent?v=1", shorthand=False)
64		render(request, resource, self.reactor)
	63	request, channel = make_request(
	64	self.reactor, FakeSite(resource), "GET", "/consent?v=1", shorthand=False
	65	)
65	66	self.assertEqual(channel.code, 200)
66	67
67	68	def test_accept_consent(self):

80	81	uri_builder.build_user_consent_uri(user_id).replace("_matrix/", "")
81	82	+ "&u=user"
82	83	)
83		request, channel = self.make_request(
84		"GET", consent_uri, access_token=access_token, shorthand=False
	84	request, channel = make_request(
	85	self.reactor,
	86	FakeSite(resource),
	87	"GET",
	88	consent_uri,
	89	access_token=access_token,
	90	shorthand=False,
85	91	)
86		render(request, resource, self.reactor)
87	92	self.assertEqual(channel.code, 200)
88	93
89	94	# Get the version from the body, and whether we've consented

91	96	self.assertEqual(consented, "False")
92	97
93	98	# POST to the consent page, saying we've agreed
94		request, channel = self.make_request(
	99	request, channel = make_request(
	100	self.reactor,
	101	FakeSite(resource),
95	102	"POST",
96	103	consent_uri + "&v=" + version,
97	104	access_token=access_token,
98	105	shorthand=False,
99	106	)
100		render(request, resource, self.reactor)
101	107	self.assertEqual(channel.code, 200)
102	108
103	109	# Fetch the consent page, to get the consent version -- it should have
104	110	# changed
105		request, channel = self.make_request(
106		"GET", consent_uri, access_token=access_token, shorthand=False
	111	request, channel = make_request(
	112	self.reactor,
	113	FakeSite(resource),
	114	"GET",
	115	consent_uri,
	116	access_token=access_token,
	117	shorthand=False,
107	118	)
108		render(request, resource, self.reactor)
109	119	self.assertEqual(channel.code, 200)
110	120
111	121	# Get the version from the body, and check that it's the version we

+0

-1

tests/rest/client/test_ephemeral_message.py less more

93	93	url = "/_matrix/client/r0/rooms/%s/event/%s" % (room_id, event_id)
94	94
95	95	request, channel = self.make_request("GET", url)
96		self.render(request)
97	96
98	97	self.assertEqual(channel.code, expected_code, channel.result)
99	98

+0

-2

tests/rest/client/test_identity.py less more

45	45	request, channel = self.make_request(
46	46	b"POST", "/createRoom", b"{}", access_token=tok
47	47	)
48		self.render(request)
49	48	self.assertEquals(channel.result["code"], b"200", channel.result)
50	49	room_id = channel.json_body["room_id"]
51	50

59	58	request, channel = self.make_request(
60	59	b"POST", request_url, request_data, access_token=tok
61	60	)
62		self.render(request)
63	61	self.assertEquals(channel.result["code"], b"403", channel.result)

+0

-2

tests/rest/client/test_redactions.py less more

71	71	request, channel = self.make_request(
72	72	"POST", path, content={}, access_token=access_token
73	73	)
74		self.render(request)
75	74	self.assertEqual(int(channel.result["code"]), expect_code)
76	75	return channel.json_body
77	76

79	78	request, channel = self.make_request(
80	79	"GET", "sync", access_token=self.mod_access_token
81	80	)
82		self.render(request)
83	81	self.assertEqual(channel.result["code"], b"200")
84	82	room_sync = channel.json_body["rooms"]["join"][room_id]
85	83	return room_sync["timeline"]["events"]

+0

-1

tests/rest/client/test_retention.py less more

325	325	url = "/_matrix/client/r0/rooms/%s/event/%s" % (room_id, event_id)
326	326
327	327	request, channel = self.make_request("GET", url, access_token=self.token)
328		self.render(request)
329	328
330	329	self.assertEqual(channel.code, expected_code, channel.result)
331	330

+0

-8

tests/rest/client/test_shadow_banned.py less more

94	94	{"id_server": "test", "medium": "email", "address": "test@test.test"},
95	95	access_token=self.banned_access_token,
96	96	)
97		self.render(request)
98	97	self.assertEquals(200, channel.code, channel.result)
99	98
100	99	# This should have raised an error earlier, but double check this wasn't called.

109	108	{"visibility": "public", "invite": [self.other_user_id]},
110	109	access_token=self.banned_access_token,
111	110	)
112		self.render(request)
113	111	self.assertEquals(200, channel.code, channel.result)
114	112	room_id = channel.json_body["room_id"]
115	113

165	163	{"new_version": "6"},
166	164	access_token=self.banned_access_token,
167	165	)
168		self.render(request)
169	166	self.assertEquals(200, channel.code, channel.result)
170	167	# A new room_id should be returned.
171	168	self.assertIn("replacement_room", channel.json_body)

191	188	{"typing": True, "timeout": 30000},
192	189	access_token=self.banned_access_token,
193	190	)
194		self.render(request)
195	191	self.assertEquals(200, channel.code)
196	192
197	193	# There should be no typing events.

207	203	{"typing": True, "timeout": 30000},
208	204	access_token=self.other_access_token,
209	205	)
210		self.render(request)
211	206	self.assertEquals(200, channel.code)
212	207
213	208	# These appear in the room.

254	249	{"displayname": new_display_name},
255	250	access_token=self.banned_access_token,
256	251	)
257		self.render(request)
258	252	self.assertEquals(200, channel.code, channel.result)
259	253	self.assertEqual(channel.json_body, {})
260	254

262	256	request, channel = self.make_request(
263	257	"GET", "/profile/%s/displayname" % (self.banned_user_id,)
264	258	)
265		self.render(request)
266	259	self.assertEqual(channel.code, 200, channel.result)
267	260	self.assertEqual(channel.json_body["displayname"], new_display_name)
268	261

295	288	{"membership": "join", "displayname": new_display_name},
296	289	access_token=self.banned_access_token,
297	290	)
298		self.render(request)
299	291	self.assertEquals(200, channel.code, channel.result)
300	292	self.assertIn("event_id", channel.json_body)
301	293

+0

-5

tests/rest/client/test_third_party_rules.py less more

91	91	{},
92	92	access_token=self.tok,
93	93	)
94		self.render(request)
95	94	self.assertEquals(channel.result["code"], b"200", channel.result)
96	95
97	96	callback.assert_called_once()

110	109	{},
111	110	access_token=self.tok,
112	111	)
113		self.render(request)
114	112	self.assertEquals(channel.result["code"], b"403", channel.result)
115	113
116	114	def test_cannot_modify_event(self):

130	128	{"x": "x"},
131	129	access_token=self.tok,
132	130	)
133		self.render(request)
134	131	self.assertEqual(channel.result["code"], b"500", channel.result)
135	132
136	133	def test_modify_event(self):

150	147	{"x": "x"},
151	148	access_token=self.tok,
152	149	)
153		self.render(request)
154	150	self.assertEqual(channel.result["code"], b"200", channel.result)
155	151	event_id = channel.json_body["event_id"]
156	152

160	156	"/_matrix/client/r0/rooms/%s/event/%s" % (self.room_id, event_id),
161	157	access_token=self.tok,
162	158	)
163		self.render(request)
164	159	self.assertEqual(channel.result["code"], b"200", channel.result)
165	160	ev = channel.json_body
166	161	self.assertEqual(ev["content"]["x"], "y")

+0

-4

tests/rest/client/v1/test_directory.py less more

93	93	request, channel = self.make_request(
94	94	"POST", url, request_data, access_token=self.user_tok
95	95	)
96		self.render(request)
97	96	self.assertEqual(channel.code, 400, channel.result)
98	97
99	98	def test_room_creation(self):

107	106	request, channel = self.make_request(
108	107	"POST", url, request_data, access_token=self.user_tok
109	108	)
110		self.render(request)
111	109	self.assertEqual(channel.code, 200, channel.result)
112	110
113	111	def set_alias_via_state_event(self, expected_code, alias_length=5):

122	120	request, channel = self.make_request(
123	121	"PUT", url, request_data, access_token=self.user_tok
124	122	)
125		self.render(request)
126	123	self.assertEqual(channel.code, expected_code, channel.result)
127	124
128	125	def set_alias_via_directory(self, expected_code, alias_length=5):

133	130	request, channel = self.make_request(
134	131	"PUT", url, request_data, access_token=self.user_tok
135	132	)
136		self.render(request)
137	133	self.assertEqual(channel.code, expected_code, channel.result)
138	134
139	135	def random_alias(self, length):

+0

-4

tests/rest/client/v1/test_events.py less more

65	65	request, channel = self.make_request(
66	66	"GET", "/events?access_token=%s" % ("invalid" + self.token,)
67	67	)
68		self.render(request)
69	68	self.assertEquals(channel.code, 401, msg=channel.result)
70	69
71	70	# valid token, expect content
72	71	request, channel = self.make_request(
73	72	"GET", "/events?access_token=%s&timeout=0" % (self.token,)
74	73	)
75		self.render(request)
76	74	self.assertEquals(channel.code, 200, msg=channel.result)
77	75	self.assertTrue("chunk" in channel.json_body)
78	76	self.assertTrue("start" in channel.json_body)

91	89	request, channel = self.make_request(
92	90	"GET", "/events?access_token=%s&timeout=0" % (self.token,)
93	91	)
94		self.render(request)
95	92	self.assertEquals(channel.code, 200, msg=channel.result)
96	93
97	94	# We may get a presence event for ourselves down

154	151	request, channel = self.make_request(
155	152	"GET", "/events/" + event_id, access_token=self.token,
156	153	)
157		self.render(request)
158	154	self.assertEquals(channel.code, 200, msg=channel.result)

+0

-32

tests/rest/client/v1/test_login.py less more

63	63	"password": "monkey",
64	64	}
65	65	request, channel = self.make_request(b"POST", LOGIN_URL, params)
66		self.render(request)
67	66
68	67	if i == 5:
69	68	self.assertEquals(channel.result["code"], b"429", channel.result)

83	82	"password": "monkey",
84	83	}
85	84	request, channel = self.make_request(b"POST", LOGIN_URL, params)
86		self.render(request)
87	85
88	86	self.assertEquals(channel.result["code"], b"200", channel.result)
89	87

110	108	"password": "monkey",
111	109	}
112	110	request, channel = self.make_request(b"POST", LOGIN_URL, params)
113		self.render(request)
114	111
115	112	if i == 5:
116	113	self.assertEquals(channel.result["code"], b"429", channel.result)

130	127	"password": "monkey",
131	128	}
132	129	request, channel = self.make_request(b"POST", LOGIN_URL, params)
133		self.render(request)
134	130
135	131	self.assertEquals(channel.result["code"], b"200", channel.result)
136	132

157	153	"password": "notamonkey",
158	154	}
159	155	request, channel = self.make_request(b"POST", LOGIN_URL, params)
160		self.render(request)
161	156
162	157	if i == 5:
163	158	self.assertEquals(channel.result["code"], b"429", channel.result)

177	172	"password": "notamonkey",
178	173	}
179	174	request, channel = self.make_request(b"POST", LOGIN_URL, params)
180		self.render(request)
181	175
182	176	self.assertEquals(channel.result["code"], b"403", channel.result)
183	177

187	181
188	182	# we shouldn't be able to make requests without an access token
189	183	request, channel = self.make_request(b"GET", TEST_URL)
190		self.render(request)
191	184	self.assertEquals(channel.result["code"], b"401", channel.result)
192	185	self.assertEquals(channel.json_body["errcode"], "M_MISSING_TOKEN")
193	186

198	191	"password": "monkey",
199	192	}
200	193	request, channel = self.make_request(b"POST", LOGIN_URL, params)
201		self.render(request)
202	194
203	195	self.assertEquals(channel.code, 200, channel.result)
204	196	access_token = channel.json_body["access_token"]

208	200	request, channel = self.make_request(
209	201	b"GET", TEST_URL, access_token=access_token
210	202	)
211		self.render(request)
212	203	self.assertEquals(channel.code, 200, channel.result)
213	204
214	205	# time passes

218	209	request, channel = self.make_request(
219	210	b"GET", TEST_URL, access_token=access_token
220	211	)
221		self.render(request)
222	212	self.assertEquals(channel.code, 401, channel.result)
223	213	self.assertEquals(channel.json_body["errcode"], "M_UNKNOWN_TOKEN")
224	214	self.assertEquals(channel.json_body["soft_logout"], True)

235	225	request, channel = self.make_request(
236	226	b"GET", TEST_URL, access_token=access_token
237	227	)
238		self.render(request)
239	228	self.assertEquals(channel.code, 401, channel.result)
240	229	self.assertEquals(channel.json_body["errcode"], "M_UNKNOWN_TOKEN")
241	230	self.assertEquals(channel.json_body["soft_logout"], True)

246	235	request, channel = self.make_request(
247	236	b"GET", TEST_URL, access_token=access_token
248	237	)
249		self.render(request)
250	238	self.assertEquals(channel.code, 401, channel.result)
251	239	self.assertEquals(channel.json_body["errcode"], "M_UNKNOWN_TOKEN")
252	240	self.assertEquals(channel.json_body["soft_logout"], False)

256	244	request, channel = self.make_request(
257	245	b"DELETE", "devices/" + device_id, access_token=access_token
258	246	)
259		self.render(request)
260	247	self.assertEquals(channel.code, 401, channel.result)
261	248	# check it's a UI-Auth fail
262	249	self.assertEqual(

280	267	access_token=access_token,
281	268	content={"auth": auth},
282	269	)
283		self.render(request)
284	270	self.assertEquals(channel.code, 200, channel.result)
285	271
286	272	@override_config({"session_lifetime": "24h"})

294	280	request, channel = self.make_request(
295	281	b"GET", TEST_URL, access_token=access_token
296	282	)
297		self.render(request)
298	283	self.assertEquals(channel.code, 200, channel.result)
299	284
300	285	# time passes

304	289	request, channel = self.make_request(
305	290	b"GET", TEST_URL, access_token=access_token
306	291	)
307		self.render(request)
308	292	self.assertEquals(channel.code, 401, channel.result)
309	293	self.assertEquals(channel.json_body["errcode"], "M_UNKNOWN_TOKEN")
310	294	self.assertEquals(channel.json_body["soft_logout"], True)

313	297	request, channel = self.make_request(
314	298	b"POST", "/logout", access_token=access_token
315	299	)
316		self.render(request)
317	300	self.assertEquals(channel.result["code"], b"200", channel.result)
318	301
319	302	@override_config({"session_lifetime": "24h"})

327	310	request, channel = self.make_request(
328	311	b"GET", TEST_URL, access_token=access_token
329	312	)
330		self.render(request)
331	313	self.assertEquals(channel.code, 200, channel.result)
332	314
333	315	# time passes

337	319	request, channel = self.make_request(
338	320	b"GET", TEST_URL, access_token=access_token
339	321	)
340		self.render(request)
341	322	self.assertEquals(channel.code, 401, channel.result)
342	323	self.assertEquals(channel.json_body["errcode"], "M_UNKNOWN_TOKEN")
343	324	self.assertEquals(channel.json_body["soft_logout"], True)

346	327	request, channel = self.make_request(
347	328	b"POST", "/logout/all", access_token=access_token
348	329	)
349		self.render(request)
350	330	self.assertEquals(channel.result["code"], b"200", channel.result)
351	331
352	332

422	402
423	403	# Get Synapse to call the fake CAS and serve the template.
424	404	request, channel = self.make_request("GET", cas_ticket_url)
425		self.render(request)
426	405
427	406	# Test that the response is HTML.
428	407	self.assertEqual(channel.code, 200)

467	446
468	447	# Get Synapse to call the fake CAS and serve the template.
469	448	request, channel = self.make_request("GET", cas_ticket_url)
470		self.render(request)
471	449
472	450	self.assertEqual(channel.code, 302)
473	451	location_headers = channel.headers.getRawHeaders("Location")

494	472
495	473	# Get Synapse to call the fake CAS and serve the template.
496	474	request, channel = self.make_request("GET", cas_ticket_url)
497		self.render(request)
498	475
499	476	# Because the user is deactivated they are served an error template.
500	477	self.assertEqual(channel.code, 403)

525	502	{"type": "org.matrix.login.jwt", "token": self.jwt_encode(*args)}
526	503	)
527	504	request, channel = self.make_request(b"POST", LOGIN_URL, params)
528		self.render(request)
529	505	return channel
530	506
531	507	def test_login_jwt_valid_registered(self):

658	634	def test_login_no_token(self):
659	635	params = json.dumps({"type": "org.matrix.login.jwt"})
660	636	request, channel = self.make_request(b"POST", LOGIN_URL, params)
661		self.render(request)
662	637	self.assertEqual(channel.result["code"], b"403", channel.result)
663	638	self.assertEqual(channel.json_body["errcode"], "M_FORBIDDEN")
664	639	self.assertEqual(channel.json_body["error"], "Token field for JWT is missing")

732	707	{"type": "org.matrix.login.jwt", "token": self.jwt_encode(*args)}
733	708	)
734	709	request, channel = self.make_request(b"POST", LOGIN_URL, params)
735		self.render(request)
736	710	return channel
737	711
738	712	def test_login_jwt_valid(self):

765	739	"/_matrix/client/r0/register?access_token=%s" % (self.service.token,),
766	740	{"username": username},
767	741	)
768		self.render(request)
769	742
770	743	def make_homeserver(self, reactor, clock):
771	744	self.hs = self.setup_test_homeserver()

814	787	b"POST", LOGIN_URL, params, access_token=self.service.token
815	788	)
816	789
817		self.render(request)
818	790	self.assertEquals(channel.result["code"], b"200", channel.result)
819	791
820	792	def test_login_appservice_user_bot(self):

830	802	b"POST", LOGIN_URL, params, access_token=self.service.token
831	803	)
832	804
833		self.render(request)
834	805	self.assertEquals(channel.result["code"], b"200", channel.result)
835	806
836	807	def test_login_appservice_wrong_user(self):

846	817	b"POST", LOGIN_URL, params, access_token=self.service.token
847	818	)
848	819
849		self.render(request)
850	820	self.assertEquals(channel.result["code"], b"403", channel.result)
851	821
852	822	def test_login_appservice_wrong_as(self):

862	832	b"POST", LOGIN_URL, params, access_token=self.another_service.token
863	833	)
864	834
865		self.render(request)
866	835	self.assertEquals(channel.result["code"], b"403", channel.result)
867	836
868	837	def test_login_appservice_no_token(self):

877	846	}
878	847	request, channel = self.make_request(b"POST", LOGIN_URL, params)
879	848
880		self.render(request)
881	849	self.assertEquals(channel.result["code"], b"401", channel.result)

+9

-8

tests/rest/client/v1/test_presence.py less more

32	32
33	33	def make_homeserver(self, reactor, clock):
34	34
	35	presence_handler = Mock()
	36	presence_handler.set_state.return_value = defer.succeed(None)
	37
35	38	hs = self.setup_test_homeserver(
36		"red", http_client=None, federation_client=Mock()
	39	"red",
	40	http_client=None,
	41	federation_client=Mock(),
	42	presence_handler=presence_handler,
37	43	)
38
39		hs.presence_handler = Mock()
40		hs.presence_handler.set_state.return_value = defer.succeed(None)
41	44
42	45	return hs
43	46

52	55	request, channel = self.make_request(
53	56	"PUT", "/presence/%s/status" % (self.user_id,), body
54	57	)
55		self.render(request)
56	58
57	59	self.assertEqual(channel.code, 200)
58		self.assertEqual(self.hs.presence_handler.set_state.call_count, 1)
	60	self.assertEqual(self.hs.get_presence_handler().set_state.call_count, 1)
59	61
60	62	def test_put_presence_disabled(self):
61	63	"""

68	70	request, channel = self.make_request(
69	71	"PUT", "/presence/%s/status" % (self.user_id,), body
70	72	)
71		self.render(request)
72	73
73	74	self.assertEqual(channel.code, 200)
74		self.assertEqual(self.hs.presence_handler.set_state.call_count, 0)
	75	self.assertEqual(self.hs.get_presence_handler().set_state.call_count, 0)

+1

-8

tests/rest/client/v1/test_profile.py less more

194	194	content=json.dumps({"displayname": "test"}),
195	195	access_token=self.owner_tok,
196	196	)
197		self.render(request)
198	197	self.assertEqual(channel.code, 200, channel.result)
199	198
200	199	res = self.get_displayname()

208	207	content=json.dumps({"displayname": "test" * 100}),
209	208	access_token=self.owner_tok,
210	209	)
211		self.render(request)
212	210	self.assertEqual(channel.code, 400, channel.result)
213	211
214	212	res = self.get_displayname()

218	216	request, channel = self.make_request(
219	217	"GET", "/profile/%s/displayname" % (self.owner,)
220	218	)
221		self.render(request)
222	219	self.assertEqual(channel.code, 200, channel.result)
223	220	return channel.json_body["displayname"]
224	221

283	280	request, channel = self.make_request(
284	281	"GET", self.profile_url + url_suffix, access_token=access_token
285	282	)
286		self.render(request)
287	283	self.assertEqual(channel.code, expected_code, channel.result)
288	284
289	285	def ensure_requester_left_room(self):

326	322	request, channel = self.make_request(
327	323	"GET", "/profile/" + self.requester, access_token=self.requester_tok
328	324	)
329		self.render(request)
330	325	self.assertEqual(channel.code, 200, channel.result)
331	326
332	327	request, channel = self.make_request(

334	329	"/profile/" + self.requester + "/displayname",
335	330	access_token=self.requester_tok,
336	331	)
337		self.render(request)
338	332	self.assertEqual(channel.code, 200, channel.result)
339	333
340	334	request, channel = self.make_request(

342	336	"/profile/" + self.requester + "/avatar_url",
343	337	access_token=self.requester_tok,
344	338	)
345		self.render(request)
346		self.assertEqual(channel.code, 200, channel.result)
	339	self.assertEqual(channel.code, 200, channel.result)

+22

-55

tests/rest/client/v1/test_push_rule_attrs.py less more

47	47	request, channel = self.make_request(
48	48	"PUT", "/pushrules/global/override/best.friend", body, access_token=token
49	49	)
50		self.render(request)
51	50	self.assertEqual(channel.code, 200)
52	51
53	52	# GET enabled for that new rule
54	53	request, channel = self.make_request(
55	54	"GET", "/pushrules/global/override/best.friend/enabled", access_token=token
56	55	)
57		self.render(request)
58	56	self.assertEqual(channel.code, 200)
59	57	self.assertEqual(channel.json_body["enabled"], True)
60	58

78	76	request, channel = self.make_request(
79	77	"PUT", "/pushrules/global/override/best.friend", body, access_token=token
80	78	)
81		self.render(request)
82	79	self.assertEqual(channel.code, 200)
83	80
84	81	# disable the rule

88	85	{"enabled": False},
89	86	access_token=token,
90	87	)
91		self.render(request)
92	88	self.assertEqual(channel.code, 200)
93	89
94	90	# check rule disabled
95	91	request, channel = self.make_request(
96	92	"GET", "/pushrules/global/override/best.friend/enabled", access_token=token
97	93	)
98		self.render(request)
99	94	self.assertEqual(channel.code, 200)
100	95	self.assertEqual(channel.json_body["enabled"], False)
101	96

103	98	request, channel = self.make_request(
104	99	"DELETE", "/pushrules/global/override/best.friend", access_token=token
105	100	)
106		self.render(request)
107		self.assertEqual(channel.code, 200)
108
109		# PUT a new rule
110		request, channel = self.make_request(
111		"PUT", "/pushrules/global/override/best.friend", body, access_token=token
112		)
113		self.render(request)
	101	self.assertEqual(channel.code, 200)
	102
	103	# PUT a new rule
	104	request, channel = self.make_request(
	105	"PUT", "/pushrules/global/override/best.friend", body, access_token=token
	106	)
114	107	self.assertEqual(channel.code, 200)
115	108
116	109	# GET enabled for that new rule
117	110	request, channel = self.make_request(
118	111	"GET", "/pushrules/global/override/best.friend/enabled", access_token=token
119	112	)
120		self.render(request)
121	113	self.assertEqual(channel.code, 200)
122	114	self.assertEqual(channel.json_body["enabled"], True)
123	115

140	132	request, channel = self.make_request(
141	133	"PUT", "/pushrules/global/override/best.friend", body, access_token=token
142	134	)
143		self.render(request)
144	135	self.assertEqual(channel.code, 200)
145	136
146	137	# disable the rule

150	141	{"enabled": False},
151	142	access_token=token,
152	143	)
153		self.render(request)
154	144	self.assertEqual(channel.code, 200)
155	145
156	146	# check rule disabled
157	147	request, channel = self.make_request(
158	148	"GET", "/pushrules/global/override/best.friend/enabled", access_token=token
159	149	)
160		self.render(request)
161	150	self.assertEqual(channel.code, 200)
162	151	self.assertEqual(channel.json_body["enabled"], False)
163	152

168	157	{"enabled": True},
169	158	access_token=token,
170	159	)
171		self.render(request)
172	160	self.assertEqual(channel.code, 200)
173	161
174	162	# check rule enabled
175	163	request, channel = self.make_request(
176	164	"GET", "/pushrules/global/override/best.friend/enabled", access_token=token
177	165	)
178		self.render(request)
179	166	self.assertEqual(channel.code, 200)
180	167	self.assertEqual(channel.json_body["enabled"], True)
181	168

197	184	request, channel = self.make_request(
198	185	"GET", "/pushrules/global/override/best.friend/enabled", access_token=token
199	186	)
200		self.render(request)
201		self.assertEqual(channel.code, 404)
202		self.assertEqual(channel.json_body["errcode"], Codes.NOT_FOUND)
203
204		# PUT a new rule
205		request, channel = self.make_request(
206		"PUT", "/pushrules/global/override/best.friend", body, access_token=token
207		)
208		self.render(request)
	187	self.assertEqual(channel.code, 404)
	188	self.assertEqual(channel.json_body["errcode"], Codes.NOT_FOUND)
	189
	190	# PUT a new rule
	191	request, channel = self.make_request(
	192	"PUT", "/pushrules/global/override/best.friend", body, access_token=token
	193	)
209	194	self.assertEqual(channel.code, 200)
210	195
211	196	# GET enabled for that new rule
212	197	request, channel = self.make_request(
213	198	"GET", "/pushrules/global/override/best.friend/enabled", access_token=token
214	199	)
215		self.render(request)
216	200	self.assertEqual(channel.code, 200)
217	201
218	202	# DELETE the rule
219	203	request, channel = self.make_request(
220	204	"DELETE", "/pushrules/global/override/best.friend", access_token=token
221	205	)
222		self.render(request)
223	206	self.assertEqual(channel.code, 200)
224	207
225	208	# check 404 for deleted rule
226	209	request, channel = self.make_request(
227	210	"GET", "/pushrules/global/override/best.friend/enabled", access_token=token
228	211	)
229		self.render(request)
230	212	self.assertEqual(channel.code, 404)
231	213	self.assertEqual(channel.json_body["errcode"], Codes.NOT_FOUND)
232	214

241	223	request, channel = self.make_request(
242	224	"GET", "/pushrules/global/override/.m.muahahaha/enabled", access_token=token
243	225	)
244		self.render(request)
245	226	self.assertEqual(channel.code, 404)
246	227	self.assertEqual(channel.json_body["errcode"], Codes.NOT_FOUND)
247	228

259	240	{"enabled": True},
260	241	access_token=token,
261	242	)
262		self.render(request)
263	243	self.assertEqual(channel.code, 404)
264	244	self.assertEqual(channel.json_body["errcode"], Codes.NOT_FOUND)
265	245

277	257	{"enabled": True},
278	258	access_token=token,
279	259	)
280		self.render(request)
281	260	self.assertEqual(channel.code, 404)
282	261	self.assertEqual(channel.json_body["errcode"], Codes.NOT_FOUND)
283	262

299	278	request, channel = self.make_request(
300	279	"PUT", "/pushrules/global/override/best.friend", body, access_token=token
301	280	)
302		self.render(request)
303	281	self.assertEqual(channel.code, 200)
304	282
305	283	# GET actions for that new rule
306	284	request, channel = self.make_request(
307	285	"GET", "/pushrules/global/override/best.friend/actions", access_token=token
308	286	)
309		self.render(request)
310	287	self.assertEqual(channel.code, 200)
311	288	self.assertEqual(
312	289	channel.json_body["actions"], ["notify", {"set_tweak": "highlight"}]

330	307	request, channel = self.make_request(
331	308	"PUT", "/pushrules/global/override/best.friend", body, access_token=token
332	309	)
333		self.render(request)
334	310	self.assertEqual(channel.code, 200)
335	311
336	312	# change the rule actions

340	316	{"actions": ["dont_notify"]},
341	317	access_token=token,
342	318	)
343		self.render(request)
344	319	self.assertEqual(channel.code, 200)
345	320
346	321	# GET actions for that new rule
347	322	request, channel = self.make_request(
348	323	"GET", "/pushrules/global/override/best.friend/actions", access_token=token
349	324	)
350		self.render(request)
351	325	self.assertEqual(channel.code, 200)
352	326	self.assertEqual(channel.json_body["actions"], ["dont_notify"])
353	327

369	343	request, channel = self.make_request(
370	344	"GET", "/pushrules/global/override/best.friend/enabled", access_token=token
371	345	)
372		self.render(request)
373		self.assertEqual(channel.code, 404)
374		self.assertEqual(channel.json_body["errcode"], Codes.NOT_FOUND)
375
376		# PUT a new rule
377		request, channel = self.make_request(
378		"PUT", "/pushrules/global/override/best.friend", body, access_token=token
379		)
380		self.render(request)
	346	self.assertEqual(channel.code, 404)
	347	self.assertEqual(channel.json_body["errcode"], Codes.NOT_FOUND)
	348
	349	# PUT a new rule
	350	request, channel = self.make_request(
	351	"PUT", "/pushrules/global/override/best.friend", body, access_token=token
	352	)
381	353	self.assertEqual(channel.code, 200)
382	354
383	355	# DELETE the rule
384	356	request, channel = self.make_request(
385	357	"DELETE", "/pushrules/global/override/best.friend", access_token=token
386	358	)
387		self.render(request)
388	359	self.assertEqual(channel.code, 200)
389	360
390	361	# check 404 for deleted rule
391	362	request, channel = self.make_request(
392	363	"GET", "/pushrules/global/override/best.friend/enabled", access_token=token
393	364	)
394		self.render(request)
395	365	self.assertEqual(channel.code, 404)
396	366	self.assertEqual(channel.json_body["errcode"], Codes.NOT_FOUND)
397	367

406	376	request, channel = self.make_request(
407	377	"GET", "/pushrules/global/override/.m.muahahaha/actions", access_token=token
408	378	)
409		self.render(request)
410	379	self.assertEqual(channel.code, 404)
411	380	self.assertEqual(channel.json_body["errcode"], Codes.NOT_FOUND)
412	381

424	393	{"actions": ["dont_notify"]},
425	394	access_token=token,
426	395	)
427		self.render(request)
428	396	self.assertEqual(channel.code, 404)
429	397	self.assertEqual(channel.json_body["errcode"], Codes.NOT_FOUND)
430	398

442	410	{"actions": ["dont_notify"]},
443	411	access_token=token,
444	412	)
445		self.render(request)
446		self.assertEqual(channel.code, 404)
447		self.assertEqual(channel.json_body["errcode"], Codes.NOT_FOUND)
	413	self.assertEqual(channel.code, 404)
	414	self.assertEqual(channel.json_body["errcode"], Codes.NOT_FOUND)

+0

-107

tests/rest/client/v1/test_rooms.py less more

85	85	request, channel = self.make_request(
86	86	"PUT", self.created_rmid_msg_path, b'{"msgtype":"m.text","body":"test msg"}'
87	87	)
88		self.render(request)
89	88	self.assertEquals(200, channel.code, channel.result)
90	89
91	90	# set topic for public room

94	93	("rooms/%s/state/m.room.topic" % self.created_public_rmid).encode("ascii"),
95	94	b'{"topic":"Public Room Topic"}',
96	95	)
97		self.render(request)
98	96	self.assertEquals(200, channel.code, channel.result)
99	97
100	98	# auth as user_id now

117	115	"/rooms/%s/send/m.room.message/mid2" % (self.uncreated_rmid,),
118	116	msg_content,
119	117	)
120		self.render(request)
121	118	self.assertEquals(403, channel.code, msg=channel.result["body"])
122	119
123	120	# send message in created room not joined (no state), expect 403
124	121	request, channel = self.make_request("PUT", send_msg_path(), msg_content)
125		self.render(request)
126	122	self.assertEquals(403, channel.code, msg=channel.result["body"])
127	123
128	124	# send message in created room and invited, expect 403

130	126	room=self.created_rmid, src=self.rmcreator_id, targ=self.user_id
131	127	)
132	128	request, channel = self.make_request("PUT", send_msg_path(), msg_content)
133		self.render(request)
134	129	self.assertEquals(403, channel.code, msg=channel.result["body"])
135	130
136	131	# send message in created room and joined, expect 200
137	132	self.helper.join(room=self.created_rmid, user=self.user_id)
138	133	request, channel = self.make_request("PUT", send_msg_path(), msg_content)
139		self.render(request)
140	134	self.assertEquals(200, channel.code, msg=channel.result["body"])
141	135
142	136	# send message in created room and left, expect 403
143	137	self.helper.leave(room=self.created_rmid, user=self.user_id)
144	138	request, channel = self.make_request("PUT", send_msg_path(), msg_content)
145		self.render(request)
146	139	self.assertEquals(403, channel.code, msg=channel.result["body"])
147	140
148	141	def test_topic_perms(self):

153	146	request, channel = self.make_request(
154	147	"PUT", "/rooms/%s/state/m.room.topic" % self.uncreated_rmid, topic_content
155	148	)
156		self.render(request)
157	149	self.assertEquals(403, channel.code, msg=channel.result["body"])
158	150	request, channel = self.make_request(
159	151	"GET", "/rooms/%s/state/m.room.topic" % self.uncreated_rmid
160	152	)
161		self.render(request)
162	153	self.assertEquals(403, channel.code, msg=channel.result["body"])
163	154
164	155	# set/get topic in created PRIVATE room not joined, expect 403
165	156	request, channel = self.make_request("PUT", topic_path, topic_content)
166		self.render(request)
167	157	self.assertEquals(403, channel.code, msg=channel.result["body"])
168	158	request, channel = self.make_request("GET", topic_path)
169		self.render(request)
170	159	self.assertEquals(403, channel.code, msg=channel.result["body"])
171	160
172	161	# set topic in created PRIVATE room and invited, expect 403

174	163	room=self.created_rmid, src=self.rmcreator_id, targ=self.user_id
175	164	)
176	165	request, channel = self.make_request("PUT", topic_path, topic_content)
177		self.render(request)
178	166	self.assertEquals(403, channel.code, msg=channel.result["body"])
179	167
180	168	# get topic in created PRIVATE room and invited, expect 403
181	169	request, channel = self.make_request("GET", topic_path)
182		self.render(request)
183	170	self.assertEquals(403, channel.code, msg=channel.result["body"])
184	171
185	172	# set/get topic in created PRIVATE room and joined, expect 200

188	175	# Only room ops can set topic by default
189	176	self.helper.auth_user_id = self.rmcreator_id
190	177	request, channel = self.make_request("PUT", topic_path, topic_content)
191		self.render(request)
192	178	self.assertEquals(200, channel.code, msg=channel.result["body"])
193	179	self.helper.auth_user_id = self.user_id
194	180
195	181	request, channel = self.make_request("GET", topic_path)
196		self.render(request)
197	182	self.assertEquals(200, channel.code, msg=channel.result["body"])
198	183	self.assert_dict(json.loads(topic_content.decode("utf8")), channel.json_body)
199	184
200	185	# set/get topic in created PRIVATE room and left, expect 403
201	186	self.helper.leave(room=self.created_rmid, user=self.user_id)
202	187	request, channel = self.make_request("PUT", topic_path, topic_content)
203		self.render(request)
204	188	self.assertEquals(403, channel.code, msg=channel.result["body"])
205	189	request, channel = self.make_request("GET", topic_path)
206		self.render(request)
207	190	self.assertEquals(200, channel.code, msg=channel.result["body"])
208	191
209	192	# get topic in PUBLIC room, not joined, expect 403
210	193	request, channel = self.make_request(
211	194	"GET", "/rooms/%s/state/m.room.topic" % self.created_public_rmid
212	195	)
213		self.render(request)
214	196	self.assertEquals(403, channel.code, msg=channel.result["body"])
215	197
216	198	# set topic in PUBLIC room, not joined, expect 403

219	201	"/rooms/%s/state/m.room.topic" % self.created_public_rmid,
220	202	topic_content,
221	203	)
222		self.render(request)
223	204	self.assertEquals(403, channel.code, msg=channel.result["body"])
224	205
225	206	def _test_get_membership(self, room=None, members=[], expect_code=None):
226	207	for member in members:
227	208	path = "/rooms/%s/state/m.room.member/%s" % (room, member)
228	209	request, channel = self.make_request("GET", path)
229		self.render(request)
230	210	self.assertEquals(expect_code, channel.code)
231	211
232	212	def test_membership_basic_room_perms(self):

399	379	def test_get_member_list(self):
400	380	room_id = self.helper.create_room_as(self.user_id)
401	381	request, channel = self.make_request("GET", "/rooms/%s/members" % room_id)
402		self.render(request)
403	382	self.assertEquals(200, channel.code, msg=channel.result["body"])
404	383
405	384	def test_get_member_list_no_room(self):
406	385	request, channel = self.make_request("GET", "/rooms/roomdoesnotexist/members")
407		self.render(request)
408	386	self.assertEquals(403, channel.code, msg=channel.result["body"])
409	387
410	388	def test_get_member_list_no_permission(self):
411	389	room_id = self.helper.create_room_as("@some_other_guy:red")
412	390	request, channel = self.make_request("GET", "/rooms/%s/members" % room_id)
413		self.render(request)
414	391	self.assertEquals(403, channel.code, msg=channel.result["body"])
415	392
416	393	def test_get_member_list_mixed_memberships(self):

420	397	self.helper.invite(room=room_id, src=room_creator, targ=self.user_id)
421	398	# can't see list if you're just invited.
422	399	request, channel = self.make_request("GET", room_path)
423		self.render(request)
424	400	self.assertEquals(403, channel.code, msg=channel.result["body"])
425	401
426	402	self.helper.join(room=room_id, user=self.user_id)
427	403	# can see list now joined
428	404	request, channel = self.make_request("GET", room_path)
429		self.render(request)
430	405	self.assertEquals(200, channel.code, msg=channel.result["body"])
431	406
432	407	self.helper.leave(room=room_id, user=self.user_id)
433	408	# can see old list once left
434	409	request, channel = self.make_request("GET", room_path)
435		self.render(request)
436	410	self.assertEquals(200, channel.code, msg=channel.result["body"])
437	411
438	412

445	419	# POST with no config keys, expect new room id
446	420	request, channel = self.make_request("POST", "/createRoom", "{}")
447	421
448		self.render(request)
449	422	self.assertEquals(200, channel.code, channel.result)
450	423	self.assertTrue("room_id" in channel.json_body)
451	424

454	427	request, channel = self.make_request(
455	428	"POST", "/createRoom", b'{"visibility":"private"}'
456	429	)
457		self.render(request)
458	430	self.assertEquals(200, channel.code)
459	431	self.assertTrue("room_id" in channel.json_body)
460	432

463	435	request, channel = self.make_request(
464	436	"POST", "/createRoom", b'{"custom":"stuff"}'
465	437	)
466		self.render(request)
467	438	self.assertEquals(200, channel.code)
468	439	self.assertTrue("room_id" in channel.json_body)
469	440

472	443	request, channel = self.make_request(
473	444	"POST", "/createRoom", b'{"visibility":"private","custom":"things"}'
474	445	)
475		self.render(request)
476	446	self.assertEquals(200, channel.code)
477	447	self.assertTrue("room_id" in channel.json_body)
478	448
479	449	def test_post_room_invalid_content(self):
480	450	# POST with invalid content / paths, expect 400
481	451	request, channel = self.make_request("POST", "/createRoom", b'{"visibili')
482		self.render(request)
483	452	self.assertEquals(400, channel.code)
484	453
485	454	request, channel = self.make_request("POST", "/createRoom", b'["hello"]')
486		self.render(request)
487	455	self.assertEquals(400, channel.code)
488	456
489	457	def test_post_room_invitees_invalid_mxid(self):

492	460	request, channel = self.make_request(
493	461	"POST", "/createRoom", b'{"invite":["@alice:example.com "]}'
494	462	)
495		self.render(request)
496	463	self.assertEquals(400, channel.code)
497	464
498	465

509	476	def test_invalid_puts(self):
510	477	# missing keys or invalid json
511	478	request, channel = self.make_request("PUT", self.path, "{}")
512		self.render(request)
513	479	self.assertEquals(400, channel.code, msg=channel.result["body"])
514	480
515	481	request, channel = self.make_request("PUT", self.path, '{"_name":"bo"}')
516		self.render(request)
517	482	self.assertEquals(400, channel.code, msg=channel.result["body"])
518	483
519	484	request, channel = self.make_request("PUT", self.path, '{"nao')
520		self.render(request)
521	485	self.assertEquals(400, channel.code, msg=channel.result["body"])
522	486
523	487	request, channel = self.make_request(
524	488	"PUT", self.path, '[{"_name":"bo"},{"_name":"jill"}]'
525	489	)
526		self.render(request)
527	490	self.assertEquals(400, channel.code, msg=channel.result["body"])
528	491
529	492	request, channel = self.make_request("PUT", self.path, "text only")
530		self.render(request)
531	493	self.assertEquals(400, channel.code, msg=channel.result["body"])
532	494
533	495	request, channel = self.make_request("PUT", self.path, "")
534		self.render(request)
535	496	self.assertEquals(400, channel.code, msg=channel.result["body"])
536	497
537	498	# valid key, wrong type
538	499	content = '{"topic":["Topic name"]}'
539	500	request, channel = self.make_request("PUT", self.path, content)
540		self.render(request)
541	501	self.assertEquals(400, channel.code, msg=channel.result["body"])
542	502
543	503	def test_rooms_topic(self):
544	504	# nothing should be there
545	505	request, channel = self.make_request("GET", self.path)
546		self.render(request)
547	506	self.assertEquals(404, channel.code, msg=channel.result["body"])
548	507
549	508	# valid put
550	509	content = '{"topic":"Topic name"}'
551	510	request, channel = self.make_request("PUT", self.path, content)
552		self.render(request)
553	511	self.assertEquals(200, channel.code, msg=channel.result["body"])
554	512
555	513	# valid get
556	514	request, channel = self.make_request("GET", self.path)
557		self.render(request)
558	515	self.assertEquals(200, channel.code, msg=channel.result["body"])
559	516	self.assert_dict(json.loads(content), channel.json_body)
560	517

562	519	# valid put with extra keys
563	520	content = '{"topic":"Seasons","subtopic":"Summer"}'
564	521	request, channel = self.make_request("PUT", self.path, content)
565		self.render(request)
566	522	self.assertEquals(200, channel.code, msg=channel.result["body"])
567	523
568	524	# valid get
569	525	request, channel = self.make_request("GET", self.path)
570		self.render(request)
571	526	self.assertEquals(200, channel.code, msg=channel.result["body"])
572	527	self.assert_dict(json.loads(content), channel.json_body)
573	528

584	539	path = "/rooms/%s/state/m.room.member/%s" % (self.room_id, self.user_id)
585	540	# missing keys or invalid json
586	541	request, channel = self.make_request("PUT", path, "{}")
587		self.render(request)
588	542	self.assertEquals(400, channel.code, msg=channel.result["body"])
589	543
590	544	request, channel = self.make_request("PUT", path, '{"_name":"bo"}')
591		self.render(request)
592	545	self.assertEquals(400, channel.code, msg=channel.result["body"])
593	546
594	547	request, channel = self.make_request("PUT", path, '{"nao')
595		self.render(request)
596	548	self.assertEquals(400, channel.code, msg=channel.result["body"])
597	549
598	550	request, channel = self.make_request(
599	551	"PUT", path, b'[{"_name":"bo"},{"_name":"jill"}]'
600	552	)
601		self.render(request)
602	553	self.assertEquals(400, channel.code, msg=channel.result["body"])
603	554
604	555	request, channel = self.make_request("PUT", path, "text only")
605		self.render(request)
606	556	self.assertEquals(400, channel.code, msg=channel.result["body"])
607	557
608	558	request, channel = self.make_request("PUT", path, "")
609		self.render(request)
610	559	self.assertEquals(400, channel.code, msg=channel.result["body"])
611	560
612	561	# valid keys, wrong types

616	565	Membership.LEAVE,
617	566	)
618	567	request, channel = self.make_request("PUT", path, content.encode("ascii"))
619		self.render(request)
620	568	self.assertEquals(400, channel.code, msg=channel.result["body"])
621	569
622	570	def test_rooms_members_self(self):

628	576	# valid join message (NOOP since we made the room)
629	577	content = '{"membership":"%s"}' % Membership.JOIN
630	578	request, channel = self.make_request("PUT", path, content.encode("ascii"))
631		self.render(request)
632	579	self.assertEquals(200, channel.code, msg=channel.result["body"])
633	580
634	581	request, channel = self.make_request("GET", path, None)
635		self.render(request)
636	582	self.assertEquals(200, channel.code, msg=channel.result["body"])
637	583
638	584	expected_response = {"membership": Membership.JOIN}

648	594	# valid invite message
649	595	content = '{"membership":"%s"}' % Membership.INVITE
650	596	request, channel = self.make_request("PUT", path, content)
651		self.render(request)
652	597	self.assertEquals(200, channel.code, msg=channel.result["body"])
653	598
654	599	request, channel = self.make_request("GET", path, None)
655		self.render(request)
656	600	self.assertEquals(200, channel.code, msg=channel.result["body"])
657	601	self.assertEquals(json.loads(content), channel.json_body)
658	602

669	613	"Join us!",
670	614	)
671	615	request, channel = self.make_request("PUT", path, content)
672		self.render(request)
673	616	self.assertEquals(200, channel.code, msg=channel.result["body"])
674	617
675	618	request, channel = self.make_request("GET", path, None)
676		self.render(request)
677	619	self.assertEquals(200, channel.code, msg=channel.result["body"])
678	620	self.assertEquals(json.loads(content), channel.json_body)
679	621

724	666	# Update the display name for the user.
725	667	path = "/_matrix/client/r0/profile/%s/displayname" % self.user_id
726	668	request, channel = self.make_request("PUT", path, {"displayname": "John Doe"})
727		self.render(request)
728	669	self.assertEquals(channel.code, 200, channel.json_body)
729	670
730	671	# Check that all the rooms have been sent a profile update into.

735	676	)
736	677
737	678	request, channel = self.make_request("GET", path)
738		self.render(request)
739	679	self.assertEquals(channel.code, 200)
740	680
741	681	self.assertIn("displayname", channel.json_body)

760	700	# if all of these requests ended up joining the user to a room.
761	701	for i in range(4):
762	702	request, channel = self.make_request("POST", path % room_id, {})
763		self.render(request)
764	703	self.assertEquals(channel.code, 200)
765	704
766	705

776	715	path = "/rooms/%s/send/m.room.message/mid1" % (urlparse.quote(self.room_id))
777	716	# missing keys or invalid json
778	717	request, channel = self.make_request("PUT", path, b"{}")
779		self.render(request)
780	718	self.assertEquals(400, channel.code, msg=channel.result["body"])
781	719
782	720	request, channel = self.make_request("PUT", path, b'{"_name":"bo"}')
783		self.render(request)
784	721	self.assertEquals(400, channel.code, msg=channel.result["body"])
785	722
786	723	request, channel = self.make_request("PUT", path, b'{"nao')
787		self.render(request)
788	724	self.assertEquals(400, channel.code, msg=channel.result["body"])
789	725
790	726	request, channel = self.make_request(
791	727	"PUT", path, b'[{"_name":"bo"},{"_name":"jill"}]'
792	728	)
793		self.render(request)
794	729	self.assertEquals(400, channel.code, msg=channel.result["body"])
795	730
796	731	request, channel = self.make_request("PUT", path, b"text only")
797		self.render(request)
798	732	self.assertEquals(400, channel.code, msg=channel.result["body"])
799	733
800	734	request, channel = self.make_request("PUT", path, b"")
801		self.render(request)
802	735	self.assertEquals(400, channel.code, msg=channel.result["body"])
803	736
804	737	def test_rooms_messages_sent(self):

806	739
807	740	content = b'{"body":"test","msgtype":{"type":"a"}}'
808	741	request, channel = self.make_request("PUT", path, content)
809		self.render(request)
810	742	self.assertEquals(400, channel.code, msg=channel.result["body"])
811	743
812	744	# custom message types
813	745	content = b'{"body":"test","msgtype":"test.custom.text"}'
814	746	request, channel = self.make_request("PUT", path, content)
815		self.render(request)
816	747	self.assertEquals(200, channel.code, msg=channel.result["body"])
817	748
818	749	# m.text message type
819	750	path = "/rooms/%s/send/m.room.message/mid2" % (urlparse.quote(self.room_id))
820	751	content = b'{"body":"test2","msgtype":"m.text"}'
821	752	request, channel = self.make_request("PUT", path, content)
822		self.render(request)
823	753	self.assertEquals(200, channel.code, msg=channel.result["body"])
824	754
825	755

836	766	request, channel = self.make_request(
837	767	"GET", "/rooms/%s/initialSync" % self.room_id
838	768	)
839		self.render(request)
840	769	self.assertEquals(200, channel.code)
841	770
842	771	self.assertEquals(self.room_id, channel.json_body["room_id"])

880	809	request, channel = self.make_request(
881	810	"GET", "/rooms/%s/messages?access_token=x&from=%s" % (self.room_id, token)
882	811	)
883		self.render(request)
884	812	self.assertEquals(200, channel.code)
885	813	self.assertTrue("start" in channel.json_body)
886	814	self.assertEquals(token, channel.json_body["start"])

892	820	request, channel = self.make_request(
893	821	"GET", "/rooms/%s/messages?access_token=x&from=%s" % (self.room_id, token)
894	822	)
895		self.render(request)
896	823	self.assertEquals(200, channel.code)
897	824	self.assertTrue("start" in channel.json_body)
898	825	self.assertEquals(token, channel.json_body["start"])

932	859	json.dumps({"types": [EventTypes.Message]}),
933	860	),
934	861	)
935		self.render(request)
936	862	self.assertEqual(channel.code, 200, channel.json_body)
937	863
938	864	chunk = channel.json_body["chunk"]

961	887	json.dumps({"types": [EventTypes.Message]}),
962	888	),
963	889	)
964		self.render(request)
965	890	self.assertEqual(channel.code, 200, channel.json_body)
966	891
967	892	chunk = channel.json_body["chunk"]

979	904	json.dumps({"types": [EventTypes.Message]}),
980	905	),
981	906	)
982		self.render(request)
983	907	self.assertEqual(channel.code, 200, channel.json_body)
984	908
985	909	chunk = channel.json_body["chunk"]

1039	963	}
1040	964	},
1041	965	)
1042		self.render(request)
1043	966
1044	967	# Check we get the results we expect -- one search result, of the sent
1045	968	# messages

1073	996	}
1074	997	},
1075	998	)
1076		self.render(request)
1077	999
1078	1000	# Check we get the results we expect -- one search result, of the sent
1079	1001	# messages

1110	1032
1111	1033	def test_restricted_no_auth(self):
1112	1034	request, channel = self.make_request("GET", self.url)
1113		self.render(request)
1114	1035	self.assertEqual(channel.code, 401, channel.result)
1115	1036
1116	1037	def test_restricted_auth(self):

1118	1039	tok = self.login("user", "pass")
1119	1040
1120	1041	request, channel = self.make_request("GET", self.url, access_token=tok)
1121		self.render(request)
1122	1042	self.assertEqual(channel.code, 200, channel.result)
1123	1043
1124	1044

1152	1072	request_data,
1153	1073	access_token=self.tok,
1154	1074	)
1155		self.render(request)
1156	1075	self.assertEqual(channel.code, 200, channel.result)
1157	1076
1158	1077	self.room_id = self.helper.create_room_as(self.user_id, tok=self.tok)

1167	1086	request_data,
1168	1087	access_token=self.tok,
1169	1088	)
1170		self.render(request)
1171	1089	self.assertEqual(channel.code, 200, channel.result)
1172	1090	event_id = channel.json_body["event_id"]
1173	1091

1176	1094	"/_matrix/client/r0/rooms/%s/event/%s" % (self.room_id, event_id),
1177	1095	access_token=self.tok,
1178	1096	)
1179		self.render(request)
1180	1097	self.assertEqual(channel.code, 200, channel.result)
1181	1098
1182	1099	res_displayname = channel.json_body["content"]["displayname"]

1211	1128	content={"reason": reason},
1212	1129	access_token=self.second_tok,
1213	1130	)
1214		self.render(request)
1215	1131	self.assertEqual(channel.code, 200, channel.result)
1216	1132
1217	1133	self._check_for_reason(reason)

1226	1142	content={"reason": reason},
1227	1143	access_token=self.second_tok,
1228	1144	)
1229		self.render(request)
1230	1145	self.assertEqual(channel.code, 200, channel.result)
1231	1146
1232	1147	self._check_for_reason(reason)

1241	1156	content={"reason": reason, "user_id": self.second_user_id},
1242	1157	access_token=self.second_tok,
1243	1158	)
1244		self.render(request)
1245	1159	self.assertEqual(channel.code, 200, channel.result)
1246	1160
1247	1161	self._check_for_reason(reason)

1256	1170	content={"reason": reason, "user_id": self.second_user_id},
1257	1171	access_token=self.creator_tok,
1258	1172	)
1259		self.render(request)
1260	1173	self.assertEqual(channel.code, 200, channel.result)
1261	1174
1262	1175	self._check_for_reason(reason)

1269	1182	content={"reason": reason, "user_id": self.second_user_id},
1270	1183	access_token=self.creator_tok,
1271	1184	)
1272		self.render(request)
1273	1185	self.assertEqual(channel.code, 200, channel.result)
1274	1186
1275	1187	self._check_for_reason(reason)

1282	1194	content={"reason": reason, "user_id": self.second_user_id},
1283	1195	access_token=self.creator_tok,
1284	1196	)
1285		self.render(request)
1286	1197	self.assertEqual(channel.code, 200, channel.result)
1287	1198
1288	1199	self._check_for_reason(reason)

1302	1213	content={"reason": reason},
1303	1214	access_token=self.second_tok,
1304	1215	)
1305		self.render(request)
1306	1216	self.assertEqual(channel.code, 200, channel.result)
1307	1217
1308	1218	self._check_for_reason(reason)

1315	1225	),
1316	1226	access_token=self.creator_tok,
1317	1227	)
1318		self.render(request)
1319	1228	self.assertEqual(channel.code, 200, channel.result)
1320	1229
1321	1230	event_content = channel.json_body

1364	1273	% (self.room_id, event_id, json.dumps(self.FILTER_LABELS)),
1365	1274	access_token=self.tok,
1366	1275	)
1367		self.render(request)
1368	1276	self.assertEqual(channel.code, 200, channel.result)
1369	1277
1370	1278	events_before = channel.json_body["events_before"]

1395	1303	% (self.room_id, event_id, json.dumps(self.FILTER_NOT_LABELS)),
1396	1304	access_token=self.tok,
1397	1305	)
1398		self.render(request)
1399	1306	self.assertEqual(channel.code, 200, channel.result)
1400	1307
1401	1308	events_before = channel.json_body["events_before"]

1431	1338	% (self.room_id, event_id, json.dumps(self.FILTER_LABELS_NOT_LABELS)),
1432	1339	access_token=self.tok,
1433	1340	)
1434		self.render(request)
1435	1341	self.assertEqual(channel.code, 200, channel.result)
1436	1342
1437	1343	events_before = channel.json_body["events_before"]

1459	1365	"/rooms/%s/messages?access_token=%s&from=%s&filter=%s"
1460	1366	% (self.room_id, self.tok, token, json.dumps(self.FILTER_LABELS)),
1461	1367	)
1462		self.render(request)
1463	1368
1464	1369	events = channel.json_body["chunk"]
1465	1370

1477	1382	"/rooms/%s/messages?access_token=%s&from=%s&filter=%s"
1478	1383	% (self.room_id, self.tok, token, json.dumps(self.FILTER_NOT_LABELS)),
1479	1384	)
1480		self.render(request)
1481	1385
1482	1386	events = channel.json_body["chunk"]
1483	1387

1506	1410	json.dumps(self.FILTER_LABELS_NOT_LABELS),
1507	1411	),
1508	1412	)
1509		self.render(request)
1510	1413
1511	1414	events = channel.json_body["chunk"]
1512	1415

1531	1434	request, channel = self.make_request(
1532	1435	"POST", "/search?access_token=%s" % self.tok, request_data
1533	1436	)
1534		self.render(request)
1535	1437
1536	1438	results = channel.json_body["search_categories"]["room_events"]["results"]
1537	1439

1567	1469	request, channel = self.make_request(
1568	1470	"POST", "/search?access_token=%s" % self.tok, request_data
1569	1471	)
1570		self.render(request)
1571	1472
1572	1473	results = channel.json_body["search_categories"]["room_events"]["results"]
1573	1474

1615	1516	request, channel = self.make_request(
1616	1517	"POST", "/search?access_token=%s" % self.tok, request_data
1617	1518	)
1618		self.render(request)
1619	1519
1620	1520	results = channel.json_body["search_categories"]["room_events"]["results"]
1621	1521

1740	1640	% (self.room_id, event_id),
1741	1641	access_token=self.tok,
1742	1642	)
1743		self.render(request)
1744	1643	self.assertEqual(channel.code, 200, channel.result)
1745	1644
1746	1645	events_before = channel.json_body["events_before"]

1805	1704	% (self.room_id, event_id),
1806	1705	access_token=invited_tok,
1807	1706	)
1808		self.render(request)
1809	1707	self.assertEqual(channel.code, 200, channel.result)
1810	1708
1811	1709	events_before = channel.json_body["events_before"]

1896	1794	% (self.room_id,),
1897	1795	access_token=access_token,
1898	1796	)
1899		self.render(request)
1900	1797	self.assertEqual(channel.code, expected_code, channel.result)
1901	1798	res = channel.json_body
1902	1799	self.assertIsInstance(res, dict)

1915	1812	request, channel = self.make_request(
1916	1813	"PUT", url, request_data, access_token=self.room_owner_tok
1917	1814	)
1918		self.render(request)
1919	1815	self.assertEqual(channel.code, expected_code, channel.result)
1920	1816
1921	1817

1946	1842	request, channel = self.make_request(
1947	1843	"PUT", url, request_data, access_token=self.room_owner_tok
1948	1844	)
1949		self.render(request)
1950	1845	self.assertEqual(channel.code, expected_code, channel.result)
1951	1846
1952	1847	def _get_canonical_alias(self, expected_code: int = 200) -> JsonDict:

1956	1851	"rooms/%s/state/m.room.canonical_alias" % (self.room_id,),
1957	1852	access_token=self.room_owner_tok,
1958	1853	)
1959		self.render(request)
1960	1854	self.assertEqual(channel.code, expected_code, channel.result)
1961	1855	res = channel.json_body
1962	1856	self.assertIsInstance(res, dict)

1970	1864	json.dumps(content),
1971	1865	access_token=self.room_owner_tok,
1972	1866	)
1973		self.render(request)
1974	1867	self.assertEqual(channel.code, expected_code, channel.result)
1975	1868	res = channel.json_body
1976	1869	self.assertIsInstance(res, dict)

+0

-4

tests/rest/client/v1/test_typing.py less more

98	98	"/rooms/%s/typing/%s" % (self.room_id, self.user_id),
99	99	b'{"typing": true, "timeout": 30000}',
100	100	)
101		self.render(request)
102	101	self.assertEquals(200, channel.code)
103	102
104	103	self.assertEquals(self.event_source.get_current_key(), 1)

122	121	"/rooms/%s/typing/%s" % (self.room_id, self.user_id),
123	122	b'{"typing": false}',
124	123	)
125		self.render(request)
126	124	self.assertEquals(200, channel.code)
127	125
128	126	def test_typing_timeout(self):

131	129	"/rooms/%s/typing/%s" % (self.room_id, self.user_id),
132	130	b'{"typing": true, "timeout": 30000}',
133	131	)
134		self.render(request)
135	132	self.assertEquals(200, channel.code)
136	133
137	134	self.assertEquals(self.event_source.get_current_key(), 1)

145	142	"/rooms/%s/typing/%s" % (self.room_id, self.user_id),
146	143	b'{"typing": true, "timeout": 30000}',
147	144	)
148		self.render(request)
149	145	self.assertEquals(200, channel.code)
150	146
151	147	self.assertEquals(self.event_source.get_current_key(), 3)

+61

-28

tests/rest/client/v1/utils.py less more

22	22	import attr
23	23
24	24	from twisted.web.resource import Resource
	25	from twisted.web.server import Site
25	26
26	27	from synapse.api.constants import Membership
27	28
28		from tests.server import make_request, render
	29	from tests.server import FakeSite, make_request
29	30
30	31
31	32	@attr.s

35	36	"""
36	37
37	38	hs = attr.ib()
38		resource = attr.ib()
	39	site = attr.ib(type=Site)
39	40	auth_user_id = attr.ib()
40	41
41	42	def create_room_as(
42		self, room_creator=None, is_public=True, tok=None, expect_code=200,
43		):
	43	self,
	44	room_creator: str = None,
	45	is_public: bool = True,
	46	room_version: str = None,
	47	tok: str = None,
	48	expect_code: int = 200,
	49	) -> str:
	50	"""
	51	Create a room.
	52
	53	Args:
	54	room_creator: The user ID to create the room with.
	55	is_public: If True, the `visibility` parameter will be set to the
	56	default (public). Otherwise, the `visibility` parameter will be set
	57	to "private".
	58	room_version: The room version to create the room as. Defaults to Synapse's
	59	default room version.
	60	tok: The access token to use in the request.
	61	expect_code: The expected HTTP response code.
	62
	63	Returns:
	64	The ID of the newly created room.
	65	"""
44	66	temp_id = self.auth_user_id
45	67	self.auth_user_id = room_creator
46	68	path = "/_matrix/client/r0/createRoom"
47	69	content = {}
48	70	if not is_public:
49	71	content["visibility"] = "private"
	72	if room_version:
	73	content["room_version"] = room_version
50	74	if tok:
51	75	path = path + "?access_token=%s" % tok
52	76
53		request, channel = make_request(
54		self.hs.get_reactor(), "POST", path, json.dumps(content).encode("utf8")
55		)
56		render(request, self.resource, self.hs.get_reactor())
	77	_, channel = make_request(
	78	self.hs.get_reactor(),
	79	self.site,
	80	"POST",
	81	path,
	82	json.dumps(content).encode("utf8"),
	83	)
57	84
58	85	assert channel.result["code"] == b"%d" % expect_code, channel.result
59	86	self.auth_user_id = temp_id

123	150	data = {"membership": membership}
124	151	data.update(extra_data)
125	152
126		request, channel = make_request(
127		self.hs.get_reactor(), "PUT", path, json.dumps(data).encode("utf8")
128		)
129
130		render(request, self.resource, self.hs.get_reactor())
	153	_, channel = make_request(
	154	self.hs.get_reactor(),
	155	self.site,
	156	"PUT",
	157	path,
	158	json.dumps(data).encode("utf8"),
	159	)
131	160
132	161	assert int(channel.result["code"]) == expect_code, (
133	162	"Expected: %d, got: %d, resp: %r"

156	185	if tok:
157	186	path = path + "?access_token=%s" % tok
158	187
159		request, channel = make_request(
160		self.hs.get_reactor(), "PUT", path, json.dumps(content).encode("utf8")
161		)
162		render(request, self.resource, self.hs.get_reactor())
	188	_, channel = make_request(
	189	self.hs.get_reactor(),
	190	self.site,
	191	"PUT",
	192	path,
	193	json.dumps(content).encode("utf8"),
	194	)
163	195
164	196	assert int(channel.result["code"]) == expect_code, (
165	197	"Expected: %d, got: %d, resp: %r"

209	241	if body is not None:
210	242	content = json.dumps(body).encode("utf8")
211	243
212		request, channel = make_request(self.hs.get_reactor(), method, path, content)
213
214		render(request, self.resource, self.hs.get_reactor())
	244	_, channel = make_request(
	245	self.hs.get_reactor(), self.site, method, path, content
	246	)
215	247
216	248	assert int(channel.result["code"]) == expect_code, (
217	249	"Expected: %d, got: %d, resp: %r"

294	326	"""
295	327	image_length = len(image_data)
296	328	path = "/_matrix/media/r0/upload?filename=%s" % (filename,)
297		request, channel = make_request(
298		self.hs.get_reactor(), "POST", path, content=image_data, access_token=tok
299		)
300		request.requestHeaders.addRawHeader(
301		b"Content-Length", str(image_length).encode("UTF-8")
302		)
303		request.render(resource)
304		self.hs.get_reactor().pump([100])
	329	_, channel = make_request(
	330	self.hs.get_reactor(),
	331	FakeSite(resource),
	332	"POST",
	333	path,
	334	content=image_data,
	335	access_token=tok,
	336	custom_headers=[(b"Content-Length", str(image_length))],
	337	)
305	338
306	339	assert channel.code == expect_code, "Expected: %d, got: %d, resp: %r" % (
307	340	expect_code,

+12

-25

tests/rest/client/v2_alpha/test_account.py less more

30	30	from synapse.rest.synapse.client.password_reset import PasswordResetSubmitTokenResource
31	31
32	32	from tests import unittest
	33	from tests.server import FakeSite, make_request
33	34	from tests.unittest import override_config
34	35
35	36

244	245	b"account/password/email/requestToken",
245	246	{"client_secret": client_secret, "email": email, "send_attempt": 1},
246	247	)
247		self.render(request)
248	248	self.assertEquals(200, channel.code, channel.result)
249	249
250	250	return channel.json_body["sid"]

254	254	path = link.replace("https://example.com", "")
255	255
256	256	# Load the password reset confirmation page
257		request, channel = self.make_request("GET", path, shorthand=False)
258		request.render(self.submit_token_resource)
259		self.pump()
	257	request, channel = make_request(
	258	self.reactor,
	259	FakeSite(self.submit_token_resource),
	260	"GET",
	261	path,
	262	shorthand=False,
	263	)
	264
260	265	self.assertEquals(200, channel.code, channel.result)
261	266
262	267	# Now POST to the same endpoint, mimicking the same behaviour as clicking the

270	275	form_args.append(arg)
271	276
272	277	# Confirm the password reset
273		request, channel = self.make_request(
	278	request, channel = make_request(
	279	self.reactor,
	280	FakeSite(self.submit_token_resource),
274	281	"POST",
275	282	path,
276	283	content=urlencode(form_args).encode("utf8"),
277	284	shorthand=False,
278	285	content_is_form=True,
279	286	)
280		request.render(self.submit_token_resource)
281		self.pump()
282	287	self.assertEquals(200, channel.code, channel.result)
283	288
284	289	def _get_link_from_email(self):

318	323	},
319	324	},
320	325	)
321		self.render(request)
322	326	self.assertEquals(expected_code, channel.code, channel.result)
323	327
324	328

348	352
349	353	# Check that this access token has been invalidated.
350	354	request, channel = self.make_request("GET", "account/whoami")
351		self.render(request)
352	355	self.assertEqual(request.code, 401)
353	356
354	357	def test_pending_invites(self):

406	409	request, channel = self.make_request(
407	410	"POST", "account/deactivate", request_data, access_token=tok
408	411	)
409		self.render(request)
410	412	self.assertEqual(request.code, 200)
411	413
412	414

541	543	},
542	544	access_token=self.user_id_tok,
543	545	)
544		self.render(request)
545	546	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
546	547	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])
547	548

549	550	request, channel = self.make_request(
550	551	"GET", self.url_3pid, access_token=self.user_id_tok,
551	552	)
552		self.render(request)
553	553
554	554	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
555	555	self.assertFalse(channel.json_body["threepids"])

574	574	{"medium": "email", "address": self.email},
575	575	access_token=self.user_id_tok,
576	576	)
577		self.render(request)
578	577	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
579	578
580	579	# Get user
581	580	request, channel = self.make_request(
582	581	"GET", self.url_3pid, access_token=self.user_id_tok,
583	582	)
584		self.render(request)
585	583
586	584	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
587	585	self.assertFalse(channel.json_body["threepids"])

608	606	{"medium": "email", "address": self.email},
609	607	access_token=self.user_id_tok,
610	608	)
611		self.render(request)
612	609
613	610	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
614	611	self.assertEqual(Codes.FORBIDDEN, channel.json_body["errcode"])

617	614	request, channel = self.make_request(
618	615	"GET", self.url_3pid, access_token=self.user_id_tok,
619	616	)
620		self.render(request)
621	617
622	618	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
623	619	self.assertEqual("email", channel.json_body["threepids"][0]["medium"])

646	642	},
647	643	access_token=self.user_id_tok,
648	644	)
649		self.render(request)
650	645	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
651	646	self.assertEqual(Codes.THREEPID_AUTH_FAILED, channel.json_body["errcode"])
652	647

654	649	request, channel = self.make_request(
655	650	"GET", self.url_3pid, access_token=self.user_id_tok,
656	651	)
657		self.render(request)
658	652
659	653	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
660	654	self.assertFalse(channel.json_body["threepids"])

681	675	},
682	676	access_token=self.user_id_tok,
683	677	)
684		self.render(request)
685	678	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
686	679	self.assertEqual(Codes.THREEPID_AUTH_FAILED, channel.json_body["errcode"])
687	680

689	682	request, channel = self.make_request(
690	683	"GET", self.url_3pid, access_token=self.user_id_tok,
691	684	)
692		self.render(request)
693	685
694	686	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
695	687	self.assertFalse(channel.json_body["threepids"])

794	786	request, channel = self.make_request(
795	787	"POST", b"account/3pid/email/requestToken", body,
796	788	)
797		self.render(request)
798	789	self.assertEquals(expect_code, channel.code, channel.result)
799	790
800	791	return channel.json_body.get("sid")

807	798	b"account/3pid/email/requestToken",
808	799	{"client_secret": client_secret, "email": email, "send_attempt": 1},
809	800	)
810		self.render(request)
811	801	self.assertEqual(400, int(channel.result["code"]), msg=channel.result["body"])
812	802	self.assertEqual(expected_errcode, channel.json_body["errcode"])
813	803	self.assertEqual(expected_error, channel.json_body["error"])

817	807	path = link.replace("https://example.com", "")
818	808
819	809	request, channel = self.make_request("GET", path, shorthand=False)
820		self.render(request)
821	810	self.assertEquals(200, channel.code, channel.result)
822	811
823	812	def _get_link_from_email(self):

866	855	access_token=self.user_id_tok,
867	856	)
868	857
869		self.render(request)
870	858	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
871	859
872	860	# Get user
873	861	request, channel = self.make_request(
874	862	"GET", self.url_3pid, access_token=self.user_id_tok,
875	863	)
876		self.render(request)
877	864
878	865	self.assertEqual(200, int(channel.result["code"]), msg=channel.result["body"])
879	866	self.assertEqual("email", channel.json_body["threepids"][0]["medium"])

+25

-14

tests/rest/client/v2_alpha/test_auth.py less more

37	37	return succeed(True)
38	38
39	39
40		class DummyPasswordChecker(UserInteractiveAuthChecker):
41		def check_auth(self, authdict, clientip):
42		return succeed(authdict["identifier"]["user"])
43
44
45	40	class FallbackAuthTests(unittest.HomeserverTestCase):
46	41
47	42	servlets = [

71	66	request, channel = self.make_request(
72	67	"POST", "register", body
73	68	) # type: SynapseRequest, FakeChannel
74		self.render(request)
75	69
76	70	self.assertEqual(request.code, expected_response)
77	71	return channel

86	80	request, channel = self.make_request(
87	81	"GET", "auth/m.login.recaptcha/fallback/web?session=" + session
88	82	) # type: SynapseRequest, FakeChannel
89		self.render(request)
90	83	self.assertEqual(request.code, 200)
91	84
92	85	request, channel = self.make_request(

95	88	+ post_session
96	89	+ "&g-recaptcha-response=a",
97	90	)
98		self.render(request)
99	91	self.assertEqual(request.code, expected_post_response)
100	92
101	93	# The recaptcha handler is called with the response given

164	156	]
165	157
166	158	def prepare(self, reactor, clock, hs):
167		auth_handler = hs.get_auth_handler()
168		auth_handler.checkers[LoginType.PASSWORD] = DummyPasswordChecker(hs)
169
170	159	self.user_pass = "pass"
171	160	self.user = self.register_user("test", self.user_pass)
172	161	self.user_tok = self.login("test", self.user_pass)

176	165	request, channel = self.make_request(
177	166	"GET", "devices", access_token=self.user_tok,
178	167	) # type: SynapseRequest, FakeChannel
179		self.render(request)
180	168
181	169	# Get the ID of the device.
182	170	self.assertEqual(request.code, 200)

189	177	request, channel = self.make_request(
190	178	"DELETE", "devices/" + device, body, access_token=self.user_tok
191	179	) # type: SynapseRequest, FakeChannel
192		self.render(request)
193	180
194	181	# Ensure the response is sane.
195	182	self.assertEqual(request.code, expected_response)

203	190	request, channel = self.make_request(
204	191	"POST", "delete_devices", body, access_token=self.user_tok,
205	192	) # type: SynapseRequest, FakeChannel
206		self.render(request)
207	193
208	194	# Ensure the response is sane.
209	195	self.assertEqual(request.code, expected_response)

233	219	"auth": {
234	220	"type": "m.login.password",
235	221	"identifier": {"type": "m.id.user", "user": self.user},
	222	"password": self.user_pass,
	223	"session": session,
	224	},
	225	},
	226	)
	227
	228	def test_grandfathered_identifier(self):
	229	"""Check behaviour without "identifier" dict
	230
	231	Synapse used to require clients to submit a "user" field for m.login.password
	232	UIA - check that still works.
	233	"""
	234
	235	device_id = self.get_device_ids()[0]
	236	channel = self.delete_device(device_id, 401)
	237	session = channel.json_body["session"]
	238
	239	# Make another request providing the UI auth flow.
	240	self.delete_device(
	241	device_id,
	242	200,
	243	{
	244	"auth": {
	245	"type": "m.login.password",
	246	"user": self.user,
236	247	"password": self.user_pass,
237	248	"session": session,
238	249	},

+0

-4

tests/rest/client/v2_alpha/test_capabilities.py less more

36	36
37	37	def test_check_auth_required(self):
38	38	request, channel = self.make_request("GET", self.url)
39		self.render(request)
40	39
41	40	self.assertEqual(channel.code, 401)
42	41

45	44	access_token = self.login("user", "pass")
46	45
47	46	request, channel = self.make_request("GET", self.url, access_token=access_token)
48		self.render(request)
49	47	capabilities = channel.json_body["capabilities"]
50	48
51	49	self.assertEqual(channel.code, 200)

64	62	access_token = self.login(user, password)
65	63
66	64	request, channel = self.make_request("GET", self.url, access_token=access_token)
67		self.render(request)
68	65	capabilities = channel.json_body["capabilities"]
69	66
70	67	self.assertEqual(channel.code, 200)

73	70	self.assertTrue(capabilities["m.change_password"]["enabled"])
74	71	self.get_success(self.store.user_set_password_hash(user, None))
75	72	request, channel = self.make_request("GET", self.url, access_token=access_token)
76		self.render(request)
77	73	capabilities = channel.json_body["capabilities"]
78	74
79	75	self.assertEqual(channel.code, 200)

+0

-7

tests/rest/client/v2_alpha/test_filter.py less more

40	40	"/_matrix/client/r0/user/%s/filter" % (self.user_id),
41	41	self.EXAMPLE_FILTER_JSON,
42	42	)
43		self.render(request)
44	43
45	44	self.assertEqual(channel.result["code"], b"200")
46	45	self.assertEqual(channel.json_body, {"filter_id": "0"})

54	53	"/_matrix/client/r0/user/%s/filter" % ("@watermelon:test"),
55	54	self.EXAMPLE_FILTER_JSON,
56	55	)
57		self.render(request)
58	56
59	57	self.assertEqual(channel.result["code"], b"403")
60	58	self.assertEquals(channel.json_body["errcode"], Codes.FORBIDDEN)

67	65	"/_matrix/client/r0/user/%s/filter" % (self.user_id),
68	66	self.EXAMPLE_FILTER_JSON,
69	67	)
70		self.render(request)
71	68
72	69	self.hs.is_mine = _is_mine
73	70	self.assertEqual(channel.result["code"], b"403")

84	81	request, channel = self.make_request(
85	82	"GET", "/_matrix/client/r0/user/%s/filter/%s" % (self.user_id, filter_id)
86	83	)
87		self.render(request)
88	84
89	85	self.assertEqual(channel.result["code"], b"200")
90	86	self.assertEquals(channel.json_body, self.EXAMPLE_FILTER)

93	89	request, channel = self.make_request(
94	90	"GET", "/_matrix/client/r0/user/%s/filter/12382148321" % (self.user_id)
95	91	)
96		self.render(request)
97	92
98	93	self.assertEqual(channel.result["code"], b"404")
99	94	self.assertEquals(channel.json_body["errcode"], Codes.NOT_FOUND)

104	99	request, channel = self.make_request(
105	100	"GET", "/_matrix/client/r0/user/%s/filter/foobar" % (self.user_id)
106	101	)
107		self.render(request)
108	102
109	103	self.assertEqual(channel.result["code"], b"400")
110	104

113	107	request, channel = self.make_request(
114	108	"GET", "/_matrix/client/r0/user/%s/filter/" % (self.user_id)
115	109	)
116		self.render(request)
117	110
118	111	self.assertEqual(channel.result["code"], b"400")

+0

-8

tests/rest/client/v2_alpha/test_password_policy.py less more

72	72	request, channel = self.make_request(
73	73	"GET", "/_matrix/client/r0/password_policy"
74	74	)
75		self.render(request)
76	75
77	76	self.assertEqual(channel.code, 200, channel.result)
78	77	self.assertEqual(

90	89	def test_password_too_short(self):
91	90	request_data = json.dumps({"username": "kermit", "password": "shorty"})
92	91	request, channel = self.make_request("POST", self.register_url, request_data)
93		self.render(request)
94	92
95	93	self.assertEqual(channel.code, 400, channel.result)
96	94	self.assertEqual(

100	98	def test_password_no_digit(self):
101	99	request_data = json.dumps({"username": "kermit", "password": "longerpassword"})
102	100	request, channel = self.make_request("POST", self.register_url, request_data)
103		self.render(request)
104	101
105	102	self.assertEqual(channel.code, 400, channel.result)
106	103	self.assertEqual(

110	107	def test_password_no_symbol(self):
111	108	request_data = json.dumps({"username": "kermit", "password": "l0ngerpassword"})
112	109	request, channel = self.make_request("POST", self.register_url, request_data)
113		self.render(request)
114	110
115	111	self.assertEqual(channel.code, 400, channel.result)
116	112	self.assertEqual(

120	116	def test_password_no_uppercase(self):
121	117	request_data = json.dumps({"username": "kermit", "password": "l0ngerpassword!"})
122	118	request, channel = self.make_request("POST", self.register_url, request_data)
123		self.render(request)
124	119
125	120	self.assertEqual(channel.code, 400, channel.result)
126	121	self.assertEqual(

130	125	def test_password_no_lowercase(self):
131	126	request_data = json.dumps({"username": "kermit", "password": "L0NGERPASSWORD!"})
132	127	request, channel = self.make_request("POST", self.register_url, request_data)
133		self.render(request)
134	128
135	129	self.assertEqual(channel.code, 400, channel.result)
136	130	self.assertEqual(

140	134	def test_password_compliant(self):
141	135	request_data = json.dumps({"username": "kermit", "password": "L0ngerpassword!"})
142	136	request, channel = self.make_request("POST", self.register_url, request_data)
143		self.render(request)
144	137
145	138	# Getting a 401 here means the password has passed validation and the server has
146	139	# responded with a list of registration flows.

172	165	request_data,
173	166	access_token=tok,
174	167	)
175		self.render(request)
176	168
177	169	self.assertEqual(channel.code, 400, channel.result)
178	170	self.assertEqual(channel.json_body["errcode"], Codes.PASSWORD_NO_DIGIT)

+6

-37

tests/rest/client/v2_alpha/test_register.py less more

63	63	request, channel = self.make_request(
64	64	b"POST", self.url + b"?access_token=i_am_an_app_service", request_data
65	65	)
66		self.render(request)
67	66
68	67	self.assertEquals(channel.result["code"], b"200", channel.result)
69	68	det_data = {"user_id": user_id, "home_server": self.hs.hostname}

75	74	request, channel = self.make_request(
76	75	b"POST", self.url + b"?access_token=i_am_an_app_service", request_data
77	76	)
78		self.render(request)
79	77
80	78	self.assertEquals(channel.result["code"], b"401", channel.result)
81	79
82	80	def test_POST_bad_password(self):
83	81	request_data = json.dumps({"username": "kermit", "password": 666})
84	82	request, channel = self.make_request(b"POST", self.url, request_data)
85		self.render(request)
86	83
87	84	self.assertEquals(channel.result["code"], b"400", channel.result)
88	85	self.assertEquals(channel.json_body["error"], "Invalid password")

90	87	def test_POST_bad_username(self):
91	88	request_data = json.dumps({"username": 777, "password": "monkey"})
92	89	request, channel = self.make_request(b"POST", self.url, request_data)
93		self.render(request)
94	90
95	91	self.assertEquals(channel.result["code"], b"400", channel.result)
96	92	self.assertEquals(channel.json_body["error"], "Invalid username")

106	102	}
107	103	request_data = json.dumps(params)
108	104	request, channel = self.make_request(b"POST", self.url, request_data)
109		self.render(request)
110	105
111	106	det_data = {
112	107	"user_id": user_id,

122	117	self.auth_result = (None, {"username": "kermit", "password": "monkey"}, None)
123	118
124	119	request, channel = self.make_request(b"POST", self.url, request_data)
125		self.render(request)
126	120
127	121	self.assertEquals(channel.result["code"], b"403", channel.result)
128	122	self.assertEquals(channel.json_body["error"], "Registration has been disabled")

132	126	self.hs.config.allow_guest_access = True
133	127
134	128	request, channel = self.make_request(b"POST", self.url + b"?kind=guest", b"{}")
135		self.render(request)
136	129
137	130	det_data = {"home_server": self.hs.hostname, "device_id": "guest_device"}
138	131	self.assertEquals(channel.result["code"], b"200", channel.result)

142	135	self.hs.config.allow_guest_access = False
143	136
144	137	request, channel = self.make_request(b"POST", self.url + b"?kind=guest", b"{}")
145		self.render(request)
146	138
147	139	self.assertEquals(channel.result["code"], b"403", channel.result)
148	140	self.assertEquals(channel.json_body["error"], "Guest access is disabled")

152	144	for i in range(0, 6):
153	145	url = self.url + b"?kind=guest"
154	146	request, channel = self.make_request(b"POST", url, b"{}")
155		self.render(request)
156	147
157	148	if i == 5:
158	149	self.assertEquals(channel.result["code"], b"429", channel.result)

163	154	self.reactor.advance(retry_after_ms / 1000.0 + 1.0)
164	155
165	156	request, channel = self.make_request(b"POST", self.url + b"?kind=guest", b"{}")
166		self.render(request)
167	157
168	158	self.assertEquals(channel.result["code"], b"200", channel.result)
169	159

178	168	}
179	169	request_data = json.dumps(params)
180	170	request, channel = self.make_request(b"POST", self.url, request_data)
181		self.render(request)
182	171
183	172	if i == 5:
184	173	self.assertEquals(channel.result["code"], b"429", channel.result)

189	178	self.reactor.advance(retry_after_ms / 1000.0 + 1.0)
190	179
191	180	request, channel = self.make_request(b"POST", self.url + b"?kind=guest", b"{}")
192		self.render(request)
193	181
194	182	self.assertEquals(channel.result["code"], b"200", channel.result)
195	183
196	184	def test_advertised_flows(self):
197	185	request, channel = self.make_request(b"POST", self.url, b"{}")
198		self.render(request)
199	186	self.assertEquals(channel.result["code"], b"401", channel.result)
200	187	flows = channel.json_body["flows"]
201	188

219	206	)
220	207	def test_advertised_flows_captcha_and_terms_and_3pids(self):
221	208	request, channel = self.make_request(b"POST", self.url, b"{}")
222		self.render(request)
223	209	self.assertEquals(channel.result["code"], b"401", channel.result)
224	210	flows = channel.json_body["flows"]
225	211

252	238	)
253	239	def test_advertised_flows_no_msisdn_email_required(self):
254	240	request, channel = self.make_request(b"POST", self.url, b"{}")
255		self.render(request)
256	241	self.assertEquals(channel.result["code"], b"401", channel.result)
257	242	flows = channel.json_body["flows"]
258	243

297	282	b"register/email/requestToken",
298	283	{"client_secret": "foobar", "email": email, "send_attempt": 1},
299	284	)
300		self.render(request)
301	285	self.assertEquals(200, channel.code, channel.result)
302	286
303	287	self.assertIsNotNone(channel.json_body.get("sid"))

333	317	# The specific endpoint doesn't matter, all we need is an authenticated
334	318	# endpoint.
335	319	request, channel = self.make_request(b"GET", "/sync", access_token=tok)
336		self.render(request)
337	320
338	321	self.assertEquals(channel.result["code"], b"200", channel.result)
339	322
340	323	self.reactor.advance(datetime.timedelta(weeks=1).total_seconds())
341	324
342	325	request, channel = self.make_request(b"GET", "/sync", access_token=tok)
343		self.render(request)
344	326
345	327	self.assertEquals(channel.result["code"], b"403", channel.result)
346	328	self.assertEquals(

359	341	self.register_user("admin", "adminpassword", admin=True)
360	342	admin_tok = self.login("admin", "adminpassword")
361	343
362		url = "/_matrix/client/unstable/admin/account_validity/validity"
	344	url = "/_synapse/admin/v1/account_validity/validity"
363	345	params = {"user_id": user_id}
364	346	request_data = json.dumps(params)
365	347	request, channel = self.make_request(
366	348	b"POST", url, request_data, access_token=admin_tok
367	349	)
368		self.render(request)
369	350	self.assertEquals(channel.result["code"], b"200", channel.result)
370	351
371	352	# The specific endpoint doesn't matter, all we need is an authenticated
372	353	# endpoint.
373	354	request, channel = self.make_request(b"GET", "/sync", access_token=tok)
374		self.render(request)
375	355	self.assertEquals(channel.result["code"], b"200", channel.result)
376	356
377	357	def test_manual_expire(self):

381	361	self.register_user("admin", "adminpassword", admin=True)
382	362	admin_tok = self.login("admin", "adminpassword")
383	363
384		url = "/_matrix/client/unstable/admin/account_validity/validity"
	364	url = "/_synapse/admin/v1/account_validity/validity"
385	365	params = {
386	366	"user_id": user_id,
387	367	"expiration_ts": 0,

391	371	request, channel = self.make_request(
392	372	b"POST", url, request_data, access_token=admin_tok
393	373	)
394		self.render(request)
395	374	self.assertEquals(channel.result["code"], b"200", channel.result)
396	375
397	376	# The specific endpoint doesn't matter, all we need is an authenticated
398	377	# endpoint.
399	378	request, channel = self.make_request(b"GET", "/sync", access_token=tok)
400		self.render(request)
401	379	self.assertEquals(channel.result["code"], b"403", channel.result)
402	380	self.assertEquals(
403	381	channel.json_body["errcode"], Codes.EXPIRED_ACCOUNT, channel.result

410	388	self.register_user("admin", "adminpassword", admin=True)
411	389	admin_tok = self.login("admin", "adminpassword")
412	390
413		url = "/_matrix/client/unstable/admin/account_validity/validity"
	391	url = "/_synapse/admin/v1/account_validity/validity"
414	392	params = {
415	393	"user_id": user_id,
416	394	"expiration_ts": 0,

420	398	request, channel = self.make_request(
421	399	b"POST", url, request_data, access_token=admin_tok
422	400	)
423		self.render(request)
424	401	self.assertEquals(channel.result["code"], b"200", channel.result)
425	402
426	403	# Try to log the user out
427	404	request, channel = self.make_request(b"POST", "/logout", access_token=tok)
428		self.render(request)
429	405	self.assertEquals(channel.result["code"], b"200", channel.result)
430	406
431	407	# Log the user in again (allowed for expired accounts)

433	409
434	410	# Try to log out all of the user's sessions
435	411	request, channel = self.make_request(b"POST", "/logout/all", access_token=tok)
436		self.render(request)
437	412	self.assertEquals(channel.result["code"], b"200", channel.result)
438	413
439	414

508	483	renewal_token = self.get_success(self.store.get_renewal_token_for_user(user_id))
509	484	url = "/_matrix/client/unstable/account_validity/renew?token=%s" % renewal_token
510	485	request, channel = self.make_request(b"GET", url)
511		self.render(request)
512	486	self.assertEquals(channel.result["code"], b"200", channel.result)
513	487
514	488	# Check that we're getting HTML back.

529	503	# succeed.
530	504	self.reactor.advance(datetime.timedelta(days=3).total_seconds())
531	505	request, channel = self.make_request(b"GET", "/sync", access_token=tok)
532		self.render(request)
533	506	self.assertEquals(channel.result["code"], b"200", channel.result)
534	507
535	508	def test_renewal_invalid_token(self):

537	510	# expected, i.e. that it responds with 404 Not Found and the correct HTML.
538	511	url = "/_matrix/client/unstable/account_validity/renew?token=123"
539	512	request, channel = self.make_request(b"GET", url)
540		self.render(request)
541	513	self.assertEquals(channel.result["code"], b"404", channel.result)
542	514
543	515	# Check that we're getting HTML back.

563	535	"/_matrix/client/unstable/account_validity/send_mail",
564	536	access_token=tok,
565	537	)
566		self.render(request)
567	538	self.assertEquals(channel.result["code"], b"200", channel.result)
568	539
569	540	self.assertEqual(len(self.email_attempts), 1)

586	557	request, channel = self.make_request(
587	558	"POST", "account/deactivate", request_data, access_token=tok
588	559	)
589		self.render(request)
590	560	self.assertEqual(request.code, 200)
591	561
592	562	self.reactor.advance(datetime.timedelta(days=8).total_seconds())

598	568	tok = self.login("kermit", "monkey")
599	569	# We need to manually add an email address otherwise the handler will do
600	570	# nothing.
601		now = self.hs.clock.time_msec()
	571	now = self.hs.get_clock().time_msec()
602	572	self.get_success(
603	573	self.store.user_add_threepid(
604	574	user_id=user_id,

616	586
617	587	# We need to manually add an email address otherwise the handler will do
618	588	# nothing.
619		now = self.hs.clock.time_msec()
	589	now = self.hs.get_clock().time_msec()
620	590	self.get_success(
621	591	self.store.user_add_threepid(
622	592	user_id=user_id,

640	610	"/_matrix/client/unstable/account_validity/send_mail",
641	611	access_token=tok,
642	612	)
643		self.render(request)
644	613	self.assertEquals(channel.result["code"], b"200", channel.result)
645	614
646	615	self.assertEqual(len(self.email_attempts), 1)

676	645
677	646	self.hs.config.account_validity.startup_job_max_delta = self.max_delta
678	647
679		now_ms = self.hs.clock.time_msec()
	648	now_ms = self.hs.get_clock().time_msec()
680	649	self.get_success(self.store._set_expiration_date_when_missing())
681	650
682	651	res = self.get_success(self.store.get_expiration_ts_for_user(user_id))

+0

-18

tests/rest/client/v2_alpha/test_relations.py less more

64	64	"/rooms/%s/event/%s" % (self.room, event_id),
65	65	access_token=self.user_token,
66	66	)
67		self.render(request)
68	67	self.assertEquals(200, channel.code, channel.json_body)
69	68
70	69	self.assert_dict(

113	112	% (self.room, self.parent_id),
114	113	access_token=self.user_token,
115	114	)
116		self.render(request)
117	115	self.assertEquals(200, channel.code, channel.json_body)
118	116
119	117	# We expect to get back a single pagination result, which is the full

159	157	% (self.room, self.parent_id, from_token),
160	158	access_token=self.user_token,
161	159	)
162		self.render(request)
163	160	self.assertEquals(200, channel.code, channel.json_body)
164	161
165	162	found_event_ids.extend(e["event_id"] for e in channel.json_body["chunk"])

218	215	% (self.room, self.parent_id, from_token),
219	216	access_token=self.user_token,
220	217	)
221		self.render(request)
222	218	self.assertEquals(200, channel.code, channel.json_body)
223	219
224	220	self.assertEqual(len(channel.json_body["chunk"]), 1, channel.json_body)

295	291	),
296	292	access_token=self.user_token,
297	293	)
298		self.render(request)
299	294	self.assertEquals(200, channel.code, channel.json_body)
300	295
301	296	self.assertEqual(len(channel.json_body["chunk"]), 1, channel.json_body)

335	330	% (self.room, self.parent_id),
336	331	access_token=self.user_token,
337	332	)
338		self.render(request)
339	333	self.assertEquals(200, channel.code, channel.json_body)
340	334
341	335	self.assertEquals(

368	362	access_token=self.user_token,
369	363	content={},
370	364	)
371		self.render(request)
372	365	self.assertEquals(200, channel.code, channel.json_body)
373	366
374	367	request, channel = self.make_request(

377	370	% (self.room, self.parent_id),
378	371	access_token=self.user_token,
379	372	)
380		self.render(request)
381	373	self.assertEquals(200, channel.code, channel.json_body)
382	374
383	375	self.assertEquals(

395	387	% (self.room, self.parent_id, RelationTypes.REPLACE),
396	388	access_token=self.user_token,
397	389	)
398		self.render(request)
399	390	self.assertEquals(400, channel.code, channel.json_body)
400	391
401	392	def test_aggregation_get_event(self):

427	418	"/rooms/%s/event/%s" % (self.room, self.parent_id),
428	419	access_token=self.user_token,
429	420	)
430		self.render(request)
431	421	self.assertEquals(200, channel.code, channel.json_body)
432	422
433	423	self.assertEquals(

464	454	"/rooms/%s/event/%s" % (self.room, self.parent_id),
465	455	access_token=self.user_token,
466	456	)
467		self.render(request)
468	457	self.assertEquals(200, channel.code, channel.json_body)
469	458
470	459	self.assertEquals(channel.json_body["content"], new_body)

522	511	"/rooms/%s/event/%s" % (self.room, self.parent_id),
523	512	access_token=self.user_token,
524	513	)
525		self.render(request)
526	514	self.assertEquals(200, channel.code, channel.json_body)
527	515
528	516	self.assertEquals(channel.json_body["content"], new_body)

566	554	% (self.room, original_event_id),
567	555	access_token=self.user_token,
568	556	)
569		self.render(request)
570	557	self.assertEquals(200, channel.code, channel.json_body)
571	558
572	559	self.assertIn("chunk", channel.json_body)

580	567	access_token=self.user_token,
581	568	content="{}",
582	569	)
583		self.render(request)
584	570	self.assertEquals(200, channel.code, channel.json_body)
585	571
586	572	# Try to check for remaining m.replace relations

590	576	% (self.room, original_event_id),
591	577	access_token=self.user_token,
592	578	)
593		self.render(request)
594	579	self.assertEquals(200, channel.code, channel.json_body)
595	580
596	581	# Check that no relations are returned

623	608	access_token=self.user_token,
624	609	content="{}",
625	610	)
626		self.render(request)
627	611	self.assertEquals(200, channel.code, channel.json_body)
628	612
629	613	# Check that aggregations returns zero

633	617	% (self.room, original_event_id),
634	618	access_token=self.user_token,
635	619	)
636		self.render(request)
637	620	self.assertEquals(200, channel.code, channel.json_body)
638	621
639	622	self.assertIn("chunk", channel.json_body)

679	662	json.dumps(content).encode("utf-8"),
680	663	access_token=access_token,
681	664	)
682		self.render(request)
683	665	return channel
684	666
685	667	def _create_user(self, localpart):

+0

-1

tests/rest/client/v2_alpha/test_shared_rooms.py less more

46	46	% other_user,
47	47	access_token=token,
48	48	)
49		self.render(request)
50	49	return request, channel
51	50
52	51	def test_shared_room_list_public(self):

+2

-16

tests/rest/client/v2_alpha/test_sync.py less more

35	35
36	36	def test_sync_argless(self):
37	37	request, channel = self.make_request("GET", "/sync")
38		self.render(request)
39	38
40	39	self.assertEqual(channel.code, 200)
41	40	self.assertTrue(

56	55	self.hs.config.use_presence = False
57	56
58	57	request, channel = self.make_request("GET", "/sync")
59		self.render(request)
60	58
61	59	self.assertEqual(channel.code, 200)
62	60	self.assertTrue(

198	196	request, channel = self.make_request(
199	197	"GET", "/sync?filter=%s" % sync_filter, access_token=tok
200	198	)
201		self.render(request)
202	199	self.assertEqual(channel.code, 200, channel.result)
203	200
204	201	return channel.json_body["rooms"]["join"][room_id]["timeline"]["events"]

252	249	typing_url % (room, other_user_id, other_access_token),
253	250	b'{"typing": true, "timeout": 30000}',
254	251	)
255		self.render(request)
256	252	self.assertEquals(200, channel.code)
257	253
258	254	request, channel = self.make_request(
259	255	"GET", "/sync?access_token=%s" % (access_token,)
260	256	)
261		self.render(request)
262	257	self.assertEquals(200, channel.code)
263	258	next_batch = channel.json_body["next_batch"]
264	259

268	263	typing_url % (room, other_user_id, other_access_token),
269	264	b'{"typing": false}',
270	265	)
271		self.render(request)
272	266	self.assertEquals(200, channel.code)
273	267
274	268	# Start typing.

277	271	typing_url % (room, other_user_id, other_access_token),
278	272	b'{"typing": true, "timeout": 30000}',
279	273	)
280		self.render(request)
281	274	self.assertEquals(200, channel.code)
282	275
283	276	# Should return immediately
284	277	request, channel = self.make_request(
285	278	"GET", sync_url % (access_token, next_batch)
286	279	)
287		self.render(request)
288	280	self.assertEquals(200, channel.code)
289	281	next_batch = channel.json_body["next_batch"]
290	282

299	291	request, channel = self.make_request(
300	292	"GET", sync_url % (access_token, next_batch)
301	293	)
302		self.render(request)
303	294	self.assertEquals(200, channel.code)
304	295	next_batch = channel.json_body["next_batch"]
305	296

310	301	request, channel = self.make_request(
311	302	"GET", sync_url % (access_token, next_batch)
312	303	)
313		self.render(request)
314	304	self.assertEquals(200, channel.code)
315	305	next_batch = channel.json_body["next_batch"]
316	306

319	309	typing._reset()
320	310
321	311	# Now it SHOULD fail as it never completes!
322		request, channel = self.make_request(
323		"GET", sync_url % (access_token, next_batch)
324		)
325		self.assertRaises(TimedOutException, self.render, request)
	312	with self.assertRaises(TimedOutException):
	313	self.make_request("GET", sync_url % (access_token, next_batch))
326	314
327	315
328	316	class UnreadMessagesTestCase(unittest.HomeserverTestCase):

400	388	body,
401	389	access_token=self.tok,
402	390	)
403		self.render(request)
404	391	self.assertEqual(channel.code, 200, channel.json_body)
405	392
406	393	# Check that the unread counter is back to 0.

465	452	request, channel = self.make_request(
466	453	"GET", self.url % self.next_batch, access_token=self.tok,
467	454	)
468		self.render(request)
469	455
470	456	self.assertEqual(channel.code, 200, channel.json_body)
471	457

+4

-4

tests/rest/key/v2/test_remote_key_resource.py less more

31	31	from synapse.util.stringutils import random_string
32	32
33	33	from tests import unittest
34		from tests.server import FakeChannel, wait_until_result
	34	from tests.server import FakeChannel
35	35	from tests.utils import default_config
36	36
37	37

40	40	self.http_client = Mock()
41	41	return self.setup_test_homeserver(http_client=self.http_client)
42	42
43		def create_test_json_resource(self):
	43	def create_test_resource(self):
44	44	return create_resource_tree(
45	45	{"/_matrix/key/v2": KeyApiV2Resource(self.hs)}, root_resource=NoResource()
46	46	)

93	93	% (server_name.encode("utf-8"), key_id.encode("utf-8")),
94	94	b"1.1",
95	95	)
96		wait_until_result(self.reactor, req)
	96	channel.await_result()
97	97	self.assertEqual(channel.code, 200)
98	98	resp = channel.json_body
99	99	return resp

189	189	req.requestReceived(
190	190	b"POST", path.encode("utf-8"), b"1.1",
191	191	)
192		wait_until_result(self.reactor, req)
	192	channel.await_result()
193	193	self.assertEqual(channel.code, 200)
194	194	resp = channel.json_body
195	195	return resp

+18

-8

tests/rest/media/v1/test_media_storage.py less more

35	35	from synapse.rest.media.v1.storage_provider import FileStorageProviderBackend
36	36
37	37	from tests import unittest
	38	from tests.server import FakeSite, make_request
38	39
39	40
40	41	class MediaStorageTests(unittest.HomeserverTestCase):

226	227
227	228	def _req(self, content_disposition):
228	229
229		request, channel = self.make_request("GET", self.media_id, shorthand=False)
230		request.render(self.download_resource)
	230	request, channel = make_request(
	231	self.reactor,
	232	FakeSite(self.download_resource),
	233	"GET",
	234	self.media_id,
	235	shorthand=False,
	236	await_result=False,
	237	)
231	238	self.pump()
232	239
233	240	# We've made one fetch, to example.com, using the media URL, and asking

316	323
317	324	def _test_thumbnail(self, method, expected_body, expected_found):
318	325	params = "?width=32&height=32&method=" + method
319		request, channel = self.make_request(
320		"GET", self.media_id + params, shorthand=False
321		)
322		request.render(self.thumbnail_resource)
	326	request, channel = make_request(
	327	self.reactor,
	328	FakeSite(self.thumbnail_resource),
	329	"GET",
	330	self.media_id + params,
	331	shorthand=False,
	332	await_result=False,
	333	)
323	334	self.pump()
324	335
325	336	headers = {

347	358	channel.json_body,
348	359	{
349	360	"errcode": "M_NOT_FOUND",
350		"error": "Not found [b'example.com', b'12345?width=32&height=32&method=%s']"
351		% method,
	361	"error": "Not found [b'example.com', b'12345']",
352	362	},
353	363	)

+64

-67

tests/rest/media/v1/test_url_preview.py less more

132	132
133	133	self.reactor.nameResolver = Resolver()
134	134
	135	def create_test_resource(self):
	136	return self.hs.get_media_repository_resource()
	137
135	138	def test_cache_returns_correct_type(self):
136	139	self.lookups["matrix.org"] = [(IPv4Address, "10.1.2.3")]
137	140
138	141	request, channel = self.make_request(
139		"GET", "url_preview?url=http://matrix.org", shorthand=False
140		)
141		request.render(self.preview_url)
	142	"GET",
	143	"preview_url?url=http://matrix.org",
	144	shorthand=False,
	145	await_result=False,
	146	)
142	147	self.pump()
143	148
144	149	client = self.reactor.tcpClients[0][2].buildProtocol(None)

159	164
160	165	# Check the cache returns the correct response
161	166	request, channel = self.make_request(
162		"GET", "url_preview?url=http://matrix.org", shorthand=False
163		)
164		request.render(self.preview_url)
165		self.pump()
	167	"GET", "preview_url?url=http://matrix.org", shorthand=False
	168	)
166	169
167	170	# Check the cache response has the same content
168	171	self.assertEqual(channel.code, 200)

177	180
178	181	# Check the database cache returns the correct response
179	182	request, channel = self.make_request(
180		"GET", "url_preview?url=http://matrix.org", shorthand=False
181		)
182		request.render(self.preview_url)
183		self.pump()
	183	"GET", "preview_url?url=http://matrix.org", shorthand=False
	184	)
184	185
185	186	# Check the cache response has the same content
186	187	self.assertEqual(channel.code, 200)

200	201	)
201	202
202	203	request, channel = self.make_request(
203		"GET", "url_preview?url=http://matrix.org", shorthand=False
204		)
205		request.render(self.preview_url)
	204	"GET",
	205	"preview_url?url=http://matrix.org",
	206	shorthand=False,
	207	await_result=False,
	208	)
206	209	self.pump()
207	210
208	211	client = self.reactor.tcpClients[0][2].buildProtocol(None)

233	236	)
234	237
235	238	request, channel = self.make_request(
236		"GET", "url_preview?url=http://matrix.org", shorthand=False
237		)
238		request.render(self.preview_url)
	239	"GET",
	240	"preview_url?url=http://matrix.org",
	241	shorthand=False,
	242	await_result=False,
	243	)
239	244	self.pump()
240	245
241	246	client = self.reactor.tcpClients[0][2].buildProtocol(None)

266	271	)
267	272
268	273	request, channel = self.make_request(
269		"GET", "url_preview?url=http://matrix.org", shorthand=False
270		)
271		request.render(self.preview_url)
	274	"GET",
	275	"preview_url?url=http://matrix.org",
	276	shorthand=False,
	277	await_result=False,
	278	)
272	279	self.pump()
273	280
274	281	client = self.reactor.tcpClients[0][2].buildProtocol(None)

297	304	self.lookups["example.com"] = [(IPv4Address, "10.1.2.3")]
298	305
299	306	request, channel = self.make_request(
300		"GET", "url_preview?url=http://example.com", shorthand=False
301		)
302		request.render(self.preview_url)
	307	"GET",
	308	"preview_url?url=http://example.com",
	309	shorthand=False,
	310	await_result=False,
	311	)
303	312	self.pump()
304	313
305	314	client = self.reactor.tcpClients[0][2].buildProtocol(None)

325	334	self.lookups["example.com"] = [(IPv4Address, "192.168.1.1")]
326	335
327	336	request, channel = self.make_request(
328		"GET", "url_preview?url=http://example.com", shorthand=False
329		)
330		request.render(self.preview_url)
331		self.pump()
	337	"GET", "preview_url?url=http://example.com", shorthand=False
	338	)
332	339
333	340	# No requests made.
334	341	self.assertEqual(len(self.reactor.tcpClients), 0)

348	355	self.lookups["example.com"] = [(IPv4Address, "1.1.1.2")]
349	356
350	357	request, channel = self.make_request(
351		"GET", "url_preview?url=http://example.com", shorthand=False
352		)
353		request.render(self.preview_url)
354		self.pump()
	358	"GET", "preview_url?url=http://example.com", shorthand=False
	359	)
355	360
356	361	self.assertEqual(channel.code, 502)
357	362	self.assertEqual(

367	372	Blacklisted IP addresses, accessed directly, are not spidered.
368	373	"""
369	374	request, channel = self.make_request(
370		"GET", "url_preview?url=http://192.168.1.1", shorthand=False
371		)
372		request.render(self.preview_url)
373		self.pump()
	375	"GET", "preview_url?url=http://192.168.1.1", shorthand=False
	376	)
374	377
375	378	# No requests made.
376	379	self.assertEqual(len(self.reactor.tcpClients), 0)

388	391	Blacklisted IP ranges, accessed directly, are not spidered.
389	392	"""
390	393	request, channel = self.make_request(
391		"GET", "url_preview?url=http://1.1.1.2", shorthand=False
392		)
393		request.render(self.preview_url)
394		self.pump()
	394	"GET", "preview_url?url=http://1.1.1.2", shorthand=False
	395	)
395	396
396	397	self.assertEqual(channel.code, 403)
397	398	self.assertEqual(

410	411	self.lookups["example.com"] = [(IPv4Address, "1.1.1.1")]
411	412
412	413	request, channel = self.make_request(
413		"GET", "url_preview?url=http://example.com", shorthand=False
414		)
415		request.render(self.preview_url)
	414	"GET",
	415	"preview_url?url=http://example.com",
	416	shorthand=False,
	417	await_result=False,
	418	)
416	419	self.pump()
417	420
418	421	client = self.reactor.tcpClients[0][2].buildProtocol(None)

445	448	]
446	449
447	450	request, channel = self.make_request(
448		"GET", "url_preview?url=http://example.com", shorthand=False
449		)
450		request.render(self.preview_url)
451		self.pump()
	451	"GET", "preview_url?url=http://example.com", shorthand=False
	452	)
452	453	self.assertEqual(channel.code, 502)
453	454	self.assertEqual(
454	455	channel.json_body,

467	468	]
468	469
469	470	request, channel = self.make_request(
470		"GET", "url_preview?url=http://example.com", shorthand=False
471		)
472		request.render(self.preview_url)
473		self.pump()
	471	"GET", "preview_url?url=http://example.com", shorthand=False
	472	)
474	473
475	474	# No requests made.
476	475	self.assertEqual(len(self.reactor.tcpClients), 0)

490	489	self.lookups["example.com"] = [(IPv6Address, "2001:800::1")]
491	490
492	491	request, channel = self.make_request(
493		"GET", "url_preview?url=http://example.com", shorthand=False
494		)
495		request.render(self.preview_url)
496		self.pump()
	492	"GET", "preview_url?url=http://example.com", shorthand=False
	493	)
497	494
498	495	self.assertEqual(channel.code, 502)
499	496	self.assertEqual(

509	506	OPTIONS returns the OPTIONS.
510	507	"""
511	508	request, channel = self.make_request(
512		"OPTIONS", "url_preview?url=http://example.com", shorthand=False
513		)
514		request.render(self.preview_url)
515		self.pump()
	509	"OPTIONS", "preview_url?url=http://example.com", shorthand=False
	510	)
516	511	self.assertEqual(channel.code, 200)
517	512	self.assertEqual(channel.json_body, {})
518	513

524	519
525	520	# Build and make a request to the server
526	521	request, channel = self.make_request(
527		"GET", "url_preview?url=http://example.com", shorthand=False
528		)
529		request.render(self.preview_url)
	522	"GET",
	523	"preview_url?url=http://example.com",
	524	shorthand=False,
	525	await_result=False,
	526	)
530	527	self.pump()
531	528
532	529	# Extract Synapse's tcp client

597	594
598	595	request, channel = self.make_request(
599	596	"GET",
600		"url_preview?url=http://twitter.com/matrixdotorg/status/12345",
	597	"preview_url?url=http://twitter.com/matrixdotorg/status/12345",
601	598	shorthand=False,
602		)
603		request.render(self.preview_url)
	599	await_result=False,
	600	)
604	601	self.pump()
605	602
606	603	client = self.reactor.tcpClients[0][2].buildProtocol(None)

662	659
663	660	request, channel = self.make_request(
664	661	"GET",
665		"url_preview?url=http://twitter.com/matrixdotorg/status/12345",
	662	"preview_url?url=http://twitter.com/matrixdotorg/status/12345",
666	663	shorthand=False,
667		)
668		request.render(self.preview_url)
	664	await_result=False,
	665	)
669	666	self.pump()
670	667
671	668	client = self.reactor.tcpClients[0][2].buildProtocol(None)

+2

-5

tests/rest/test_health.py less more

19	19
20	20
21	21	class HealthCheckTests(unittest.HomeserverTestCase):
22		def setUp(self):
23		super().setUp()
24
	22	def create_test_resource(self):
25	23	# replace the JsonResource with a HealthResource.
26		self.resource = HealthResource()
	24	return HealthResource()
27	25
28	26	def test_health(self):
29	27	request, channel = self.make_request("GET", "/health", shorthand=False)
30		self.render(request)
31	28
32	29	self.assertEqual(request.code, 200)
33	30	self.assertEqual(channel.result["body"], b"OK")

+2

-6

tests/rest/test_well_known.py less more

19	19
20	20
21	21	class WellKnownTests(unittest.HomeserverTestCase):
22		def setUp(self):
23		super().setUp()
24
	22	def create_test_resource(self):
25	23	# replace the JsonResource with a WellKnownResource
26		self.resource = WellKnownResource(self.hs)
	24	return WellKnownResource(self.hs)
27	25
28	26	def test_well_known(self):
29	27	self.hs.config.public_baseurl = "https://tesths"

32	30	request, channel = self.make_request(
33	31	"GET", "/.well-known/matrix/client", shorthand=False
34	32	)
35		self.render(request)
36	33
37	34	self.assertEqual(request.code, 200)
38	35	self.assertEqual(

49	46	request, channel = self.make_request(
50	47	"GET", "/.well-known/matrix/client", shorthand=False
51	48	)
52		self.render(request)
53	49
54	50	self.assertEqual(request.code, 404)

+57

-33

tests/server.py less more

1	1	import logging
2	2	from collections import deque
3	3	from io import SEEK_END, BytesIO
4		from typing import Callable
	4	from typing import Callable, Iterable, Optional, Tuple, Union
5	5
6	6	import attr
7	7	from typing_extensions import Deque

18	18	)
19	19	from twisted.python.failure import Failure
20	20	from twisted.test.proto_helpers import AccumulatingProtocol, MemoryReactorClock
21		from twisted.web.http import unquote
22	21	from twisted.web.http_headers import Headers
	22	from twisted.web.resource import IResource
23	23	from twisted.web.server import Site
24	24
25	25	from synapse.http.site import SynapseRequest

116	116	def transport(self):
117	117	return self
118	118
	119	def await_result(self, timeout: int = 100) -> None:
	120	"""
	121	Wait until the request is finished.
	122	"""
	123	self._reactor.run()
	124	x = 0
	125
	126	while not self.result.get("done"):
	127	# If there's a producer, tell it to resume producing so we get content
	128	if self._producer:
	129	self._producer.resumeProducing()
	130
	131	x += 1
	132
	133	if x > timeout:
	134	raise TimedOutException("Timed out waiting for request to finish.")
	135
	136	self._reactor.advance(0.1)
	137
119	138
120	139	class FakeSite:
121	140	"""

127	146	site_tag = "test"
128	147	access_logger = logging.getLogger("synapse.access.http.fake")
129	148
	149	def __init__(self, resource: IResource):
	150	"""
	151
	152	Args:
	153	resource: the resource to be used for rendering all requests
	154	"""
	155	self._resource = resource
	156
	157	def getResourceFor(self, request):
	158	return self._resource
	159
130	160
131	161	def make_request(
132	162	reactor,
	163	site: Site,
133	164	method,
134	165	path,
135	166	content=b"",

138	169	shorthand=True,
139	170	federation_auth_origin=None,
140	171	content_is_form=False,
	172	await_result: bool = True,
	173	custom_headers: Optional[
	174	Iterable[Tuple[Union[bytes, str], Union[bytes, str]]]
	175	] = None,
141	176	):
142	177	"""
143		Make a web request using the given method and path, feed it the
144		content, and return the Request and the Channel underneath.
	178	Make a web request using the given method, path and content, and render it
	179
	180	Returns the Request and the Channel underneath.
145	181
146	182	Args:
	183	site: The twisted Site to use to render the request
	184
147	185	method (bytes/unicode): The HTTP request method ("verb").
148	186	path (bytes/unicode): The HTTP path, suitably URL encoded (e.g.
149	187	escaped UTF-8 & spaces and such).

156	194	content_is_form: Whether the content is URL encoded form data. Adds the
157	195	'Content-Type': 'application/x-www-form-urlencoded' header.
158	196
	197	custom_headers: (name, value) pairs to add as request headers
	198
	199	await_result: whether to wait for the request to complete rendering. If true,
	200	will pump the reactor until the the renderer tells the channel the request
	201	is finished.
	202
159	203	Returns:
160	204	Tuple[synapse.http.site.SynapseRequest, channel]
161	205	"""

177	221	if not path.startswith(b"/"):
178	222	path = b"/" + path
179	223
	224	if isinstance(content, dict):
	225	content = json.dumps(content).encode("utf8")
180	226	if isinstance(content, str):
181	227	content = content.encode("utf8")
182	228
183		site = FakeSite()
184	229	channel = FakeChannel(site, reactor)
185	230
186	231	req = request(channel)
187		req.process = lambda: b""
188	232	req.content = BytesIO(content)
189	233	# Twisted expects to be at the end of the content when parsing the request.
190	234	req.content.seek(SEEK_END)
191		req.postpath = list(map(unquote, path[1:].split(b"/")))
192	235
193	236	if access_token:
194	237	req.requestHeaders.addRawHeader(

210	253	# Assume the body is JSON
211	254	req.requestHeaders.addRawHeader(b"Content-Type", b"application/json")
212	255
	256	if custom_headers:
	257	for k, v in custom_headers:
	258	req.requestHeaders.addRawHeader(k, v)
	259
213	260	req.requestReceived(method, path, b"1.1")
214	261
	262	if await_result:
	263	channel.await_result()
	264
215	265	return req, channel
216
217
218		def wait_until_result(clock, request, timeout=100):
219		"""
220		Wait until the request is finished.
221		"""
222		clock.run()
223		x = 0
224
225		while not request.finished:
226
227		# If there's a producer, tell it to resume producing so we get content
228		if request._channel._producer:
229		request._channel._producer.resumeProducing()
230
231		x += 1
232
233		if x > timeout:
234		raise TimedOutException("Timed out waiting for request to finish.")
235
236		clock.advance(0.1)
237
238
239		def render(request, resource, clock):
240		request.render(resource)
241		wait_until_result(clock, request)
242	266
243	267
244	268	@implementer(IReactorPluggableNameResolver)

+0

-3

tests/server_notices/test_consent.py less more

72	72	request, channel = self.make_request(
73	73	"GET", "/_matrix/client/r0/sync", access_token=self.access_token
74	74	)
75		self.render(request)
76	75	self.assertEqual(channel.code, 200)
77	76
78	77	# Get the Room ID to join

84	83	"/_matrix/client/r0/rooms/" + room_id + "/join",
85	84	access_token=self.access_token,
86	85	)
87		self.render(request)
88	86	self.assertEqual(channel.code, 200)
89	87
90	88	# Sync again, to get the message in the room
91	89	request, channel = self.make_request(
92	90	"GET", "/_matrix/client/r0/sync", access_token=self.access_token
93	91	)
94		self.render(request)
95	92	self.assertEqual(channel.code, 200)
96	93
97	94	# Get the message

+0

-3

tests/server_notices/test_resource_limits_server_notices.py less more

305	305	tok = self.login("user", "password")
306	306
307	307	request, channel = self.make_request("GET", "/sync?timeout=0", access_token=tok)
308		self.render(request)
309	308
310	309	invites = channel.json_body["rooms"]["invite"]
311	310	self.assertEqual(len(invites), 0, invites)

319	318	# Sync again to retrieve the events in the room, so we can check whether this
320	319	# room has a notice in it.
321	320	request, channel = self.make_request("GET", "/sync?timeout=0", access_token=tok)
322		self.render(request)
323	321
324	322	# Scan the events in the room to search for a message from the server notices
325	323	# user.

357	355	request, channel = self.make_request(
358	356	"GET", "/sync?timeout=0", access_token=tok,
359	357	)
360		self.render(request)
361	358
362	359	# Also retrieves the list of invites for this user. We don't care about that
363	360	# one except if we're processing the last user, which should have received an

+0

-30

tests/storage/test_cleanup_extrems.py less more

308	308	)
309	309	self.assertTrue(len(latest_event_ids) < 10, len(latest_event_ids))
310	310
311		@patch("synapse.handlers.message._DUMMY_EVENT_ROOM_EXCLUSION_EXPIRY", new=0)
312		def test_send_dummy_event_without_consent(self):
313		self._create_extremity_rich_graph()
314		self._enable_consent_checking()
315
316		# Pump the reactor repeatedly so that the background updates have a
317		# chance to run. Attempt to add dummy event with user that has not consented
318		# Check that dummy event send fails.
319		self.pump(10 * 60)
320		latest_event_ids = self.get_success(
321		self.store.get_latest_event_ids_in_room(self.room_id)
322		)
323		self.assertTrue(len(latest_event_ids) == self.EXTREMITIES_COUNT)
324
325		# Create new user, and add consent
326		user2 = self.register_user("user2", "password")
327		token2 = self.login("user2", "password")
328		self.get_success(
329		self.store.user_set_consent_version(user2, self.CONSENT_VERSION)
330		)
331		self.helper.join(self.room_id, user2, tok=token2)
332
333		# Background updates should now cause a dummy event to be added to the graph
334		self.pump(10 * 60)
335
336		latest_event_ids = self.get_success(
337		self.store.get_latest_event_ids_in_room(self.room_id)
338		)
339		self.assertTrue(len(latest_event_ids) < 10, len(latest_event_ids))
340
341	311	@patch("synapse.handlers.message._DUMMY_EVENT_ROOM_EXCLUSION_EXPIRY", new=250)
342	312	def test_expiry_logic(self):
343	313	"""Simple test to ensure that _expire_rooms_to_exclude_from_dummy_event_insertion()

+9

-8

tests/storage/test_client_ips.py less more

20	20	from synapse.rest.client.v1 import login
21	21
22	22	from tests import unittest
	23	from tests.server import make_request
23	24	from tests.test_utils import make_awaitable
24	25	from tests.unittest import override_config
25	26

407	408	# Advance to a known time
408	409	self.reactor.advance(123456 - self.reactor.seconds())
409	410
410		request, channel = self.make_request(
	411	headers1 = {b"User-Agent": b"Mozzila pizza"}
	412	headers1.update(headers)
	413
	414	make_request(
	415	self.reactor,
	416	self.site,
411	417	"GET",
412		"/_matrix/client/r0/admin/users/" + self.user_id,
	418	"/_synapse/admin/v1/users/" + self.user_id,
413	419	access_token=access_token,
	420	custom_headers=headers1.items(),
414	421	**make_request_args,
415	422	)
416		request.requestHeaders.addRawHeader(b"User-Agent", b"Mozzila pizza")
417
418		# Add the optional headers
419		for h, v in headers.items():
420		request.requestHeaders.addRawHeader(h, v)
421		self.render(request)
422	423
423	424	# Advance so the save loop occurs
424	425	self.reactor.advance(100)

+0

-2

tests/test_mau.py less more

201	201	)
202	202
203	203	request, channel = self.make_request("POST", "/register", request_data)
204		self.render(request)
205	204
206	205	if channel.code != 200:
207	206	raise HttpResponseException(

214	213
215	214	def do_sync_for_user(self, token):
216	215	request, channel = self.make_request("GET", "/sync", access_token=token)
217		self.render(request)
218	216
219	217	if channel.code != 200:
220	218	raise HttpResponseException(

+17

-30

tests/test_server.py less more

25	25
26	26	from tests import unittest
27	27	from tests.server import (
	28	FakeSite,
28	29	ThreadedMemoryReactorClock,
29	30	make_request,
30		render,
31	31	setup_test_homeserver,
32	32	)
33	33

61	61	)
62	62
63	63	request, channel = make_request(
64		self.reactor, b"GET", b"/_matrix/foo/%E2%98%83?a=%E2%98%83"
65		)
66		render(request, res, self.reactor)
	64	self.reactor, FakeSite(res), b"GET", b"/_matrix/foo/%E2%98%83?a=%E2%98%83"
	65	)
67	66
68	67	self.assertEqual(request.args, {b"a": ["\N{SNOWMAN}".encode("utf8")]})
69	68	self.assertEqual(got_kwargs, {"room_id": "\N{SNOWMAN}"})

82	81	"GET", [re.compile("^/_matrix/foo$")], _callback, "test_servlet"
83	82	)
84	83
85		request, channel = make_request(self.reactor, b"GET", b"/_matrix/foo")
86		render(request, res, self.reactor)
	84	_, channel = make_request(self.reactor, FakeSite(res), b"GET", b"/_matrix/foo")
87	85
88	86	self.assertEqual(channel.result["code"], b"500")
89	87

107	105	"GET", [re.compile("^/_matrix/foo$")], _callback, "test_servlet"
108	106	)
109	107
110		request, channel = make_request(self.reactor, b"GET", b"/_matrix/foo")
111		render(request, res, self.reactor)
	108	_, channel = make_request(self.reactor, FakeSite(res), b"GET", b"/_matrix/foo")
112	109
113	110	self.assertEqual(channel.result["code"], b"500")
114	111

126	123	"GET", [re.compile("^/_matrix/foo$")], _callback, "test_servlet"
127	124	)
128	125
129		request, channel = make_request(self.reactor, b"GET", b"/_matrix/foo")
130		render(request, res, self.reactor)
	126	_, channel = make_request(self.reactor, FakeSite(res), b"GET", b"/_matrix/foo")
131	127
132	128	self.assertEqual(channel.result["code"], b"403")
133	129	self.assertEqual(channel.json_body["error"], "Forbidden!!one!")

149	145	"GET", [re.compile("^/_matrix/foo$")], _callback, "test_servlet"
150	146	)
151	147
152		request, channel = make_request(self.reactor, b"GET", b"/_matrix/foobar")
153		render(request, res, self.reactor)
	148	_, channel = make_request(
	149	self.reactor, FakeSite(res), b"GET", b"/_matrix/foobar"
	150	)
154	151
155	152	self.assertEqual(channel.result["code"], b"400")
156	153	self.assertEqual(channel.json_body["error"], "Unrecognized request")

172	169	)
173	170
174	171	# The path was registered as GET, but this is a HEAD request.
175		request, channel = make_request(self.reactor, b"HEAD", b"/_matrix/foo")
176		render(request, res, self.reactor)
	172	_, channel = make_request(self.reactor, FakeSite(res), b"HEAD", b"/_matrix/foo")
177	173
178	174	self.assertEqual(channel.result["code"], b"200")
179	175	self.assertNotIn("body", channel.result)

195	191
196	192	def _make_request(self, method, path):
197	193	"""Create a request from the method/path and return a channel with the response."""
198		request, channel = make_request(self.reactor, method, path, shorthand=False)
199		request.prepath = [] # This doesn't get set properly by make_request.
200
201	194	# Create a site and query for the resource.
202	195	site = SynapseSite(
203	196	"test",

206	199	self.resource,
207	200	"1.0",
208	201	)
209		request.site = site
210		resource = site.getResourceFor(request)
211
212		# Finally, render the resource and return the channel.
213		render(request, resource, self.reactor)
	202
	203	# render the request and return the channel
	204	_, channel = make_request(self.reactor, site, method, path, shorthand=False)
214	205	return channel
215	206
216	207	def test_unknown_options_request(self):

283	274	res = WrapHtmlRequestHandlerTests.TestResource()
284	275	res.callback = callback
285	276
286		request, channel = make_request(self.reactor, b"GET", b"/path")
287		render(request, res, self.reactor)
	277	_, channel = make_request(self.reactor, FakeSite(res), b"GET", b"/path")
288	278
289	279	self.assertEqual(channel.result["code"], b"200")
290	280	body = channel.result["body"]

302	292	res = WrapHtmlRequestHandlerTests.TestResource()
303	293	res.callback = callback
304	294
305		request, channel = make_request(self.reactor, b"GET", b"/path")
306		render(request, res, self.reactor)
	295	_, channel = make_request(self.reactor, FakeSite(res), b"GET", b"/path")
307	296
308	297	self.assertEqual(channel.result["code"], b"301")
309	298	headers = channel.result["headers"]

324	313	res = WrapHtmlRequestHandlerTests.TestResource()
325	314	res.callback = callback
326	315
327		request, channel = make_request(self.reactor, b"GET", b"/path")
328		render(request, res, self.reactor)
	316	_, channel = make_request(self.reactor, FakeSite(res), b"GET", b"/path")
329	317
330	318	self.assertEqual(channel.result["code"], b"304")
331	319	headers = channel.result["headers"]

344	332	res = WrapHtmlRequestHandlerTests.TestResource()
345	333	res.callback = callback
346	334
347		request, channel = make_request(self.reactor, b"HEAD", b"/path")
348		render(request, res, self.reactor)
	335	_, channel = make_request(self.reactor, FakeSite(res), b"HEAD", b"/path")
349	336
350	337	self.assertEqual(channel.result["code"], b"200")
351	338	self.assertNotIn("body", channel.result)

+1

-0

tests/test_state.py less more

168	168	"get_state_handler",
169	169	"get_clock",
170	170	"get_state_resolution_handler",
	171	"hostname",
171	172	]
172	173	)
173	174	hs.config = default_config("tesths", True)

+0

-3

tests/test_terms_auth.py less more

53	53	# Do a UI auth request
54	54	request_data = json.dumps({"username": "kermit", "password": "monkey"})
55	55	request, channel = self.make_request(b"POST", self.url, request_data)
56		self.render(request)
57	56
58	57	self.assertEquals(channel.result["code"], b"401", channel.result)
59	58

97	96	self.registration_handler.check_username = Mock(return_value=True)
98	97
99	98	request, channel = self.make_request(b"POST", self.url, request_data)
100		self.render(request)
101	99
102	100	# We don't bother checking that the response is correct - we'll leave that to
103	101	# other tests. We just want to make sure we're on the right path.

115	113	}
116	114	)
117	115	request, channel = self.make_request(b"POST", self.url, request_data)
118		self.render(request)
119	116
120	117	# We're interested in getting a response that looks like a successful
121	118	# registration, not so much that the details are exactly what we want.

+24

-42

tests/unittest.py less more

29	29	from twisted.python.failure import Failure
30	30	from twisted.python.threadpool import ThreadPool
31	31	from twisted.trial import unittest
	32	from twisted.web.resource import Resource
32	33
33	34	from synapse.api.constants import EventTypes, Membership
34	35	from synapse.config.homeserver import HomeServerConfig

46	47	from synapse.types import UserID, create_requester
47	48	from synapse.util.ratelimitutils import FederationRateLimiter
48	49
49		from tests.server import (
50		FakeChannel,
51		get_clock,
52		make_request,
53		render,
54		setup_test_homeserver,
55		)
	50	from tests.server import FakeChannel, get_clock, make_request, setup_test_homeserver
56	51	from tests.test_utils import event_injection, setup_awaitable_errors
57	52	from tests.test_utils.logging_setup import setup_logging
58	53	from tests.utils import default_config, setupdb

238	233	if not isinstance(self.hs, HomeServer):
239	234	raise Exception("A homeserver wasn't returned, but %r" % (self.hs,))
240	235
241		# Register the resources
242		self.resource = self.create_test_json_resource()
243
244		# create a site to wrap the resource.
	236	# create the root resource, and a site to wrap it.
	237	self.resource = self.create_test_resource()
245	238	self.site = SynapseSite(
246	239	logger_name="synapse.access.http.fake",
247	240	site_tag=self.hs.config.server.server_name,

252	245
253	246	from tests.rest.client.v1.utils import RestHelper
254	247
255		self.helper = RestHelper(self.hs, self.resource, getattr(self, "user_id", None))
	248	self.helper = RestHelper(self.hs, self.site, getattr(self, "user_id", None))
256	249
257	250	if hasattr(self, "user_id"):
258	251	if self.hijack_auth:

322	315	hs = self.setup_test_homeserver()
323	316	return hs
324	317
325		def create_test_json_resource(self):
326		"""
327		Create a test JsonResource, with the relevant servlets registerd to it
328
329		The default implementation calls each function in `servlets` to do the
330		registration.
331
332		Returns:
333		JsonResource:
	318	def create_test_resource(self) -> Resource:
	319	"""
	320	Create a the root resource for the test server.
	321
	322	The default implementation creates a JsonResource and calls each function in
	323	`servlets` to register servletes against it
334	324	"""
335	325	resource = JsonResource(self.hs)
336	326

380	370	shorthand: bool = True,
381	371	federation_auth_origin: str = None,
382	372	content_is_form: bool = False,
	373	await_result: bool = True,
383	374	) -> Tuple[SynapseRequest, FakeChannel]:
384	375	...
385	376

394	385	shorthand: bool = True,
395	386	federation_auth_origin: str = None,
396	387	content_is_form: bool = False,
	388	await_result: bool = True,
397	389	) -> Tuple[T, FakeChannel]:
398	390	...
399	391

407	399	shorthand: bool = True,
408	400	federation_auth_origin: str = None,
409	401	content_is_form: bool = False,
	402	await_result: bool = True,
410	403	) -> Tuple[T, FakeChannel]:
411	404	"""
412	405	Create a SynapseRequest at the path using the method and containing the

425	418	content_is_form: Whether the content is URL encoded form data. Adds the
426	419	'Content-Type': 'application/x-www-form-urlencoded' header.
427	420
	421	await_result: whether to wait for the request to complete rendering. If
	422	true (the default), will pump the test reactor until the the renderer
	423	tells the channel the request is finished.
	424
428	425	Returns:
429	426	Tuple[synapse.http.site.SynapseRequest, channel]
430	427	"""
431		if isinstance(content, dict):
432		content = json.dumps(content).encode("utf8")
433
434	428	return make_request(
435	429	self.reactor,
	430	self.site,
436	431	method,
437	432	path,
438	433	content,

441	436	shorthand,
442	437	federation_auth_origin,
443	438	content_is_form,
444		)
445
446		def render(self, request):
447		"""
448		Render a request against the resources registered by the test class's
449		servlets.
450
451		Args:
452		request (synapse.http.site.SynapseRequest): The request to render.
453		"""
454		render(request, self.resource, self.reactor)
	439	await_result,
	440	)
455	441
456	442	def setup_test_homeserver(self, args, *kwargs):
457	443	"""

567	553	self.hs.config.registration_shared_secret = "shared"
568	554
569	555	# Create the user
570		request, channel = self.make_request("GET", "/_matrix/client/r0/admin/register")
571		self.render(request)
	556	request, channel = self.make_request("GET", "/_synapse/admin/v1/register")
572	557	self.assertEqual(channel.code, 200, msg=channel.result)
573	558	nonce = channel.json_body["nonce"]
574	559

594	579	}
595	580	)
596	581	request, channel = self.make_request(
597		"POST", "/_matrix/client/r0/admin/register", body.encode("utf8")
598		)
599		self.render(request)
	582	"POST", "/_synapse/admin/v1/register", body.encode("utf8")
	583	)
600	584	self.assertEqual(channel.code, 200, channel.json_body)
601	585
602	586	user_id = channel.json_body["user_id"]

615	599	request, channel = self.make_request(
616	600	"POST", "/_matrix/client/r0/login", json.dumps(body).encode("utf8")
617	601	)
618		self.render(request)
619	602	self.assertEqual(channel.code, 200, channel.result)
620	603
621	604	access_token = channel.json_body["access_token"]

684	667	request, channel = self.make_request(
685	668	"POST", "/_matrix/client/r0/login", json.dumps(body).encode("utf8")
686	669	)
687		self.render(request)
688	670	self.assertEqual(channel.code, 403, channel.result)
689	671
690	672	def inject_room_member(self, room: str, user: str, membership: Membership) -> None:

+1

-1

tests/utils.py less more

270	270
271	271	# Install @cache_in_self attributes
272	272	for key, val in kwargs.items():
273		setattr(hs, key, val)
	273	setattr(hs, "_" + key, val)
274	274
275	275	# Mock TLS
276	276	hs.tls_server_context_factory = Mock()