|
20 | 20 | # |
21 | 21 |
|
22 | 22 | import os |
| 23 | +import tempfile |
23 | 24 | from unittest.mock import Mock |
24 | 25 |
|
25 | 26 | from synapse.config import ConfigError |
@@ -275,3 +276,168 @@ def test_enable_3pid_changes_cannot_be_enabled(self) -> None: |
275 | 276 | self.config_dict["enable_3pid_changes"] = True |
276 | 277 | with self.assertRaises(ConfigError): |
277 | 278 | self.parse_config() |
| 279 | + |
| 280 | + |
| 281 | +class MasAuthDelegation(TestCase): |
| 282 | + """Test that the Homeserver fails to initialize if the config is invalid.""" |
| 283 | + |
| 284 | + def setUp(self) -> None: |
| 285 | + self.config_dict: JsonDict = { |
| 286 | + **default_config("test"), |
| 287 | + "public_baseurl": BASE_URL, |
| 288 | + "enable_registration": False, |
| 289 | + "matrix_authentication_service": { |
| 290 | + "enabled": True, |
| 291 | + "endpoint": "http://localhost:1324/", |
| 292 | + "secret": "verysecret", |
| 293 | + }, |
| 294 | + } |
| 295 | + |
| 296 | + def parse_config(self) -> HomeServerConfig: |
| 297 | + config = HomeServerConfig() |
| 298 | + config.parse_config_dict(self.config_dict, "", "") |
| 299 | + return config |
| 300 | + |
| 301 | + def test_endpoint_has_to_be_a_url(self) -> None: |
| 302 | + self.config_dict["matrix_authentication_service"]["endpoint"] = "not a url" |
| 303 | + with self.assertRaises(ConfigError): |
| 304 | + self.parse_config() |
| 305 | + |
| 306 | + def test_secret_and_secret_path_are_mutually_exclusive(self) -> None: |
| 307 | + with tempfile.NamedTemporaryFile() as f: |
| 308 | + self.config_dict["matrix_authentication_service"]["secret"] = "verysecret" |
| 309 | + self.config_dict["matrix_authentication_service"]["secret_path"] = f.name |
| 310 | + with self.assertRaises(ConfigError): |
| 311 | + self.parse_config() |
| 312 | + |
| 313 | + def test_secret_path_loads_secret(self) -> None: |
| 314 | + with tempfile.NamedTemporaryFile(buffering=0) as f: |
| 315 | + f.write(b"53C237") |
| 316 | + del self.config_dict["matrix_authentication_service"]["secret"] |
| 317 | + self.config_dict["matrix_authentication_service"]["secret_path"] = f.name |
| 318 | + config = self.parse_config() |
| 319 | + self.assertEqual(config.mas.secret(), "53C237") |
| 320 | + |
| 321 | + def test_secret_path_must_exist(self) -> None: |
| 322 | + del self.config_dict["matrix_authentication_service"]["secret"] |
| 323 | + self.config_dict["matrix_authentication_service"]["secret_path"] = ( |
| 324 | + "/not/a/valid/file" |
| 325 | + ) |
| 326 | + with self.assertRaises(ConfigError): |
| 327 | + self.parse_config() |
| 328 | + |
| 329 | + def test_registration_cannot_be_enabled(self) -> None: |
| 330 | + self.config_dict["enable_registration"] = True |
| 331 | + with self.assertRaises(ConfigError): |
| 332 | + self.parse_config() |
| 333 | + |
| 334 | + def test_user_consent_cannot_be_enabled(self) -> None: |
| 335 | + tmpdir = self.mktemp() |
| 336 | + os.mkdir(tmpdir) |
| 337 | + self.config_dict["user_consent"] = { |
| 338 | + "require_at_registration": True, |
| 339 | + "version": "1", |
| 340 | + "template_dir": tmpdir, |
| 341 | + "server_notice_content": { |
| 342 | + "msgtype": "m.text", |
| 343 | + "body": "foo", |
| 344 | + }, |
| 345 | + } |
| 346 | + with self.assertRaises(ConfigError): |
| 347 | + self.parse_config() |
| 348 | + |
| 349 | + def test_password_config_cannot_be_enabled(self) -> None: |
| 350 | + self.config_dict["password_config"] = {"enabled": True} |
| 351 | + with self.assertRaises(ConfigError): |
| 352 | + self.parse_config() |
| 353 | + |
| 354 | + @skip_unless(HAS_AUTHLIB, "requires authlib") |
| 355 | + def test_oidc_sso_cannot_be_enabled(self) -> None: |
| 356 | + self.config_dict["oidc_providers"] = [ |
| 357 | + { |
| 358 | + "idp_id": "microsoft", |
| 359 | + "idp_name": "Microsoft", |
| 360 | + "issuer": "https://login.microsoftonline.com/<tenant id>/v2.0", |
| 361 | + "client_id": "<client id>", |
| 362 | + "client_secret": "<client secret>", |
| 363 | + "scopes": ["openid", "profile"], |
| 364 | + "authorization_endpoint": "https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/authorize", |
| 365 | + "token_endpoint": "https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token", |
| 366 | + "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo", |
| 367 | + } |
| 368 | + ] |
| 369 | + |
| 370 | + with self.assertRaises(ConfigError): |
| 371 | + self.parse_config() |
| 372 | + |
| 373 | + def test_cas_sso_cannot_be_enabled(self) -> None: |
| 374 | + self.config_dict["cas_config"] = { |
| 375 | + "enabled": True, |
| 376 | + "server_url": "https://cas-server.com", |
| 377 | + "displayname_attribute": "name", |
| 378 | + "required_attributes": {"userGroup": "staff", "department": "None"}, |
| 379 | + } |
| 380 | + |
| 381 | + with self.assertRaises(ConfigError): |
| 382 | + self.parse_config() |
| 383 | + |
| 384 | + def test_auth_providers_cannot_be_enabled(self) -> None: |
| 385 | + self.config_dict["modules"] = [ |
| 386 | + { |
| 387 | + "module": f"{__name__}.{CustomAuthModule.__qualname__}", |
| 388 | + "config": {}, |
| 389 | + } |
| 390 | + ] |
| 391 | + |
| 392 | + # This requires actually setting up an HS, as the module will be run on setup, |
| 393 | + # which should raise as the module tries to register an auth provider |
| 394 | + config = self.parse_config() |
| 395 | + reactor, clock = get_clock() |
| 396 | + with self.assertRaises(ConfigError): |
| 397 | + setup_test_homeserver( |
| 398 | + self.addCleanup, reactor=reactor, clock=clock, config=config |
| 399 | + ) |
| 400 | + |
| 401 | + @skip_unless(HAS_AUTHLIB, "requires authlib") |
| 402 | + def test_jwt_auth_cannot_be_enabled(self) -> None: |
| 403 | + self.config_dict["jwt_config"] = { |
| 404 | + "enabled": True, |
| 405 | + "secret": "my-secret-token", |
| 406 | + "algorithm": "HS256", |
| 407 | + } |
| 408 | + |
| 409 | + with self.assertRaises(ConfigError): |
| 410 | + self.parse_config() |
| 411 | + |
| 412 | + def test_login_via_existing_session_cannot_be_enabled(self) -> None: |
| 413 | + self.config_dict["login_via_existing_session"] = {"enabled": True} |
| 414 | + with self.assertRaises(ConfigError): |
| 415 | + self.parse_config() |
| 416 | + |
| 417 | + def test_captcha_cannot_be_enabled(self) -> None: |
| 418 | + self.config_dict.update( |
| 419 | + enable_registration_captcha=True, |
| 420 | + recaptcha_public_key="test", |
| 421 | + recaptcha_private_key="test", |
| 422 | + ) |
| 423 | + with self.assertRaises(ConfigError): |
| 424 | + self.parse_config() |
| 425 | + |
| 426 | + def test_refreshable_tokens_cannot_be_enabled(self) -> None: |
| 427 | + self.config_dict.update( |
| 428 | + refresh_token_lifetime="24h", |
| 429 | + refreshable_access_token_lifetime="10m", |
| 430 | + nonrefreshable_access_token_lifetime="24h", |
| 431 | + ) |
| 432 | + with self.assertRaises(ConfigError): |
| 433 | + self.parse_config() |
| 434 | + |
| 435 | + def test_session_lifetime_cannot_be_set(self) -> None: |
| 436 | + self.config_dict["session_lifetime"] = "24h" |
| 437 | + with self.assertRaises(ConfigError): |
| 438 | + self.parse_config() |
| 439 | + |
| 440 | + def test_enable_3pid_changes_cannot_be_enabled(self) -> None: |
| 441 | + self.config_dict["enable_3pid_changes"] = True |
| 442 | + with self.assertRaises(ConfigError): |
| 443 | + self.parse_config() |
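Review bot: Every negative test in MasAuthDelegation relies on `assertRaises(ConfigError)`, but nothing parses the setUp config as-is, so all of them would still pass if the baseline were rejected for an unrelated reason (only `test_secret_path_loads_secret` exercises a successful parse, and it swaps `secret` for `secret_path`). A baseline test such as `def test_valid_config_parses(self) -> None:` with `self.assertEqual(self.parse_config().mas.secret(), "verysecret")` would pin that. The class docstring at the top of the new class ("Test that the Homeserver fails to initialize if the config is invalid.") reads as copied from the class above; something like `"""Test config validation when auth is delegated to Matrix Authentication Service."""` describes what these tests actually check. If the config requires one of `secret`/`secret_path` once MAS is enabled, the case where neither is set appears untested. The `secret = "verysecret"` assignment in `test_secret_and_secret_path_are_mutually_exclusive` duplicates setUp and can be dropped.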