matrix-org.dendrite/clientapi/auth/user_interactive_test.go

package auth

import (
	"context"
	"encoding/json"
	"fmt"
	"testing"

	"github.com/matrix-org/dendrite/setup/config"
	"github.com/matrix-org/dendrite/userapi/api"
	"github.com/matrix-org/gomatrixserverlib/fclient"
	"github.com/matrix-org/gomatrixserverlib/spec"
	"github.com/matrix-org/util"
)

var (
	ctx        = context.Background()
	serverName = spec.ServerName("example.com")
	// space separated localpart+password -> account
	lookup = make(map[string]*api.Account)
	device = &api.Device{
		AccessToken: "flibble",
		DisplayName: "My Device",
		ID:          "device_id_goes_here",
	}
)

type fakeAccountDatabase struct{}

func (d *fakeAccountDatabase) PerformPasswordUpdate(ctx context.Context, req *api.PerformPasswordUpdateRequest, res *api.PerformPasswordUpdateResponse) error {
	return nil
}

func (d *fakeAccountDatabase) PerformAccountDeactivation(ctx context.Context, req *api.PerformAccountDeactivationRequest, res *api.PerformAccountDeactivationResponse) error {
	return nil
}

func (d *fakeAccountDatabase) QueryAccountByPassword(ctx context.Context, req *api.QueryAccountByPasswordRequest, res *api.QueryAccountByPasswordResponse) error {
	acc, ok := lookup[req.Localpart+" "+req.PlaintextPassword]
	if !ok {
		return fmt.Errorf("unknown user/password")
	}
	res.Account = acc
	res.Exists = true
	return nil
}

func setup() *UserInteractive {
	cfg := &config.ClientAPI{
		Matrix: &config.Global{
			SigningIdentity: fclient.SigningIdentity{
				ServerName: serverName,
			},
		},
	}
	return NewUserInteractive(&fakeAccountDatabase{}, cfg)
}

func TestUserInteractiveChallenge(t *testing.T) {
	uia := setup()
	// no auth key results in a challenge
	_, errRes := uia.Verify(ctx, []byte(`{}`), device)
	if errRes == nil {
		t.Fatalf("Verify succeeded with {} but expected failure")
	}
	if errRes.Code != 401 {
		t.Errorf("Expected HTTP 401, got %d", errRes.Code)
	}
}

func TestUserInteractivePasswordLogin(t *testing.T) {
	uia := setup()
	// valid password login succeeds when an account exists
	lookup["alice herpassword"] = &api.Account{
		Localpart:  "alice",
		ServerName: serverName,
		UserID:     fmt.Sprintf("@alice:%s", serverName),
	}
	// valid password requests
	testCases := []json.RawMessage{
		// deprecated form
		[]byte(`{
			"auth": {
				"type": "m.login.password",
				"user": "alice",
				"password": "herpassword"
			}
		}`),
		// new form
		[]byte(`{
			"auth": {
				"type": "m.login.password",
				"identifier": {
					"type": "m.id.user",
					"user": "alice"
				},
				"password": "herpassword"
			}
		}`),
	}
	for _, tc := range testCases {
		_, errRes := uia.Verify(ctx, tc, device)
		if errRes != nil {
			t.Errorf("Verify failed but expected success for request: %s - got %+v", string(tc), errRes)
		}
	}
}

func TestUserInteractivePasswordBadLogin(t *testing.T) {
	uia := setup()
	// password login fails when an account exists but is specced wrong
	lookup["bob hispassword"] = &api.Account{
		Localpart:  "bob",
		ServerName: serverName,
		UserID:     fmt.Sprintf("@bob:%s", serverName),
	}
	// invalid password requests
	testCases := []struct {
		body    json.RawMessage
		wantRes util.JSONResponse
	}{
		{
			// fields not in an auth dict
			body: []byte(`{
				"type": "m.login.password",
				"user": "bob",
				"password": "hispassword"
			}`),
			wantRes: util.JSONResponse{
				Code: 401,
			},
		},
		{
			// wrong type
			body: []byte(`{
				"auth": {
					"type": "m.login.not_password",
					"identifier": {
						"type": "m.id.user",
						"user": "bob"
					},
					"password": "hispassword"
				}
			}`),
			wantRes: util.JSONResponse{
				Code: 400,
			},
		},
		{
			// identifier type is wrong
			body: []byte(`{
				"auth": {
					"type": "m.login.password",
					"identifier": {
						"type": "m.id.thirdparty",
						"user": "bob"
					},
					"password": "hispassword"
				}
			}`),
			wantRes: util.JSONResponse{
				Code: 401,
			},
		},
		{
			// wrong password
			body: []byte(`{
				"auth": {
					"type": "m.login.password",
					"identifier": {
						"type": "m.id.user",
						"user": "bob"
					},
					"password": "not_his_password"
				}
			}`),
			wantRes: util.JSONResponse{
				Code: 401,
			},
		},
	}
	for _, tc := range testCases {
		_, errRes := uia.Verify(ctx, tc.body, device)
		if errRes == nil {
			t.Errorf("Verify succeeded but expected failure for request: %s", string(tc.body))
			continue
		}
		if errRes.Code != tc.wantRes.Code {
			t.Errorf("got code %d want code %d for request: %s", errRes.Code, tc.wantRes.Code, string(tc.body))
		}
	}
}

func TestUserInteractive_AddCompletedStage(t *testing.T) {
	tests := []struct {
		name      string
		sessionID string
	}{
		{
			name:      "first user",
			sessionID: util.RandomString(8),
		},
		{
			name:      "second user",
			sessionID: util.RandomString(8),
		},
		{
			name:      "third user",
			sessionID: util.RandomString(8),
		},
	}
	u := setup()
	ctx := context.Background()
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			_, resp := u.Verify(ctx, []byte("{}"), nil)
			challenge, ok := resp.JSON.(Challenge)
			if !ok {
				t.Fatalf("expected a Challenge, got %T", resp.JSON)
			}
			if len(challenge.Completed) > 0 {
				t.Fatalf("expected 0 completed stages, got %d", len(challenge.Completed))
			}
			u.AddCompletedStage(tt.sessionID, "")
		})
	}
}
Add User-Interactive Authentication (#1193) * Add User-Interactive Authentication And use it when deleting a device. With tests. * Make remaining sytest pass * Linting * 403 not 401 on wrong user/pass 2020-07-09 23:39:44 +00:00			`package auth`

			`import (`
			`"context"`
			`"encoding/json"`
			`"fmt"`
			`"testing"`

Top-level setup package (#1605) * Move config, setup, mscs into "setup" top-level folder * oops, forgot the EDU server * Add setup * goimports 2020-12-02 17:41:00 +00:00			`"github.com/matrix-org/dendrite/setup/config"`
Add User-Interactive Authentication (#1193) * Add User-Interactive Authentication And use it when deleting a device. With tests. * Make remaining sytest pass * Linting * 403 not 401 on wrong user/pass 2020-07-09 23:39:44 +00:00			`"github.com/matrix-org/dendrite/userapi/api"`
refactor: use latest GMSL which splits fed client from matrix room logic (#3051) Part of a series of refactors on GMSL. 2023-04-06 08:55:01 +00:00			`"github.com/matrix-org/gomatrixserverlib/fclient"`
refactor: update GMSL (#3058) Sister PR to https://github.com/matrix-org/gomatrixserverlib/pull/364 Read this commit by commit to avoid going insane. 2023-04-19 14:50:33 +00:00			`"github.com/matrix-org/gomatrixserverlib/spec"`
Add User-Interactive Authentication (#1193) * Add User-Interactive Authentication And use it when deleting a device. With tests. * Make remaining sytest pass * Linting * 403 not 401 on wrong user/pass 2020-07-09 23:39:44 +00:00			`"github.com/matrix-org/util"`
			`)`

			`var (`
			`ctx = context.Background()`
refactor: update GMSL (#3058) Sister PR to https://github.com/matrix-org/gomatrixserverlib/pull/364 Read this commit by commit to avoid going insane. 2023-04-19 14:50:33 +00:00			`serverName = spec.ServerName("example.com")`
Add User-Interactive Authentication (#1193) * Add User-Interactive Authentication And use it when deleting a device. With tests. * Make remaining sytest pass * Linting * 403 not 401 on wrong user/pass 2020-07-09 23:39:44 +00:00			`// space separated localpart+password -> account`
			`lookup = make(map[string]*api.Account)`
			`device = &api.Device{`
			`AccessToken: "flibble",`
			`DisplayName: "My Device",`
			`ID: "device_id_goes_here",`
			`}`
			`)`

Define component interfaces based on consumers (1/2) (#2423) * Specify interfaces used by appservice, do half of clientapi * convert more deps of clientapi to finer-grained interfaces * Convert mediaapi and rest of clientapi * Somehow this got missed 2022-05-05 12:17:38 +00:00			`type fakeAccountDatabase struct{}`
Support for `m.login.token` (#2014) * Add GOPATH to PATH in find-lint.sh. The user doesn't necessarily have it in PATH. * Refactor LoginTypePassword and Type to support m.login.token and m.login.sso. For login token: * m.login.token will require deleting the token after completeAuth has generated an access token, so a cleanup function is returned by Type.Login. * Allowing different login types will require parsing the /login body twice: first to extract the "type" and then the type-specific parsing. Thus, we will have to buffer the request JSON in /login, like UserInteractive already does. For SSO: * NewUserInteractive will have to also use GetAccountByLocalpart. It makes more sense to just pass a (narrowed-down) accountDB interface to it than adding more function pointers. Code quality: * Passing around (and down-casting) interface{} for login request types has drawbacks in terms of type-safety, and no inherent benefits. We always decode JSON anyway. Hence renaming to Type.LoginFromJSON. Code that directly uses LoginTypePassword with parsed data can still use Login. * Removed a TODO for SSO. This is already tracked in #1297. * httputil.UnmarshalJSON is useful because it returns a JSONResponse. This change is intended to have no functional changes. * Support login tokens in User API. This adds full lifecycle functions for login tokens: create, query, delete. * Support m.login.token in /login. * Fixes for PR review. * Set @matrix-org/dendrite-core as repository code owner * Return event NID from `StoreEvent`, match PSQL vs SQLite behaviour, tweak backfill persistence (#2071) Co-authored-by: kegsay <kegan@matrix.org> Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com> 2022-02-10 10:27:26 +00:00
Refactor appservice & client API to use userapi internal (#2290) * Refactor user api internal * Refactor clientapi to use internal userapi * Use internal userapi instead of user DB directly * Remove AccountDB dependency * Fix linter issues Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com> 2022-03-24 21:45:44 +00:00			`func (d fakeAccountDatabase) PerformPasswordUpdate(ctx context.Context, req api.PerformPasswordUpdateRequest, res *api.PerformPasswordUpdateResponse) error {`
			`return nil`
			`}`

			`func (d fakeAccountDatabase) PerformAccountDeactivation(ctx context.Context, req api.PerformAccountDeactivationRequest, res *api.PerformAccountDeactivationResponse) error {`
			`return nil`
			`}`

			`func (d fakeAccountDatabase) QueryAccountByPassword(ctx context.Context, req api.QueryAccountByPasswordRequest, res *api.QueryAccountByPasswordResponse) error {`
			`acc, ok := lookup[req.Localpart+" "+req.PlaintextPassword]`
Add User-Interactive Authentication (#1193) * Add User-Interactive Authentication And use it when deleting a device. With tests. * Make remaining sytest pass * Linting * 403 not 401 on wrong user/pass 2020-07-09 23:39:44 +00:00			`if !ok {`
Refactor appservice & client API to use userapi internal (#2290) * Refactor user api internal * Refactor clientapi to use internal userapi * Use internal userapi instead of user DB directly * Remove AccountDB dependency * Fix linter issues Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com> 2022-03-24 21:45:44 +00:00			`return fmt.Errorf("unknown user/password")`
Add User-Interactive Authentication (#1193) * Add User-Interactive Authentication And use it when deleting a device. With tests. * Make remaining sytest pass * Linting * 403 not 401 on wrong user/pass 2020-07-09 23:39:44 +00:00			`}`
Refactor appservice & client API to use userapi internal (#2290) * Refactor user api internal * Refactor clientapi to use internal userapi * Use internal userapi instead of user DB directly * Remove AccountDB dependency * Fix linter issues Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com> 2022-03-24 21:45:44 +00:00			`res.Account = acc`
			`res.Exists = true`
			`return nil`
Add User-Interactive Authentication (#1193) * Add User-Interactive Authentication And use it when deleting a device. With tests. * Make remaining sytest pass * Linting * 403 not 401 on wrong user/pass 2020-07-09 23:39:44 +00:00			`}`

			`func setup() *UserInteractive {`
Configuration format v1 (#1230) * Initial pass at refactoring config (not finished) * Don't forget current state and EDU servers * More shifting around * Update server key API tests * Fix roomserver test * Fix more tests * Further tweaks * Fix current state server test (sort of) * Maybe fix appservices * Fix client API test * Include database connection string in database options * Fix sync API build * Update config test * Fix unit tests * Fix federation sender build * Fix gobind build * Set Listen address for all services in HTTP monolith mode * Validate config, reinstate appservice derived in directory, tweaks * Tweak federation API test * Set MaxOpenConnections/MaxIdleConnections to previous values * Update generate-config 2020-08-10 13:18:04 +00:00			`cfg := &config.ClientAPI{`
			`Matrix: &config.Global{`
refactor: use latest GMSL which splits fed client from matrix room logic (#3051) Part of a series of refactors on GMSL. 2023-04-06 08:55:01 +00:00			`SigningIdentity: fclient.SigningIdentity{`
Fix registration for virtual hosting 2022-11-18 13:24:02 +00:00			`ServerName: serverName,`
			`},`
Configuration format v1 (#1230) * Initial pass at refactoring config (not finished) * Don't forget current state and EDU servers * More shifting around * Update server key API tests * Fix roomserver test * Fix more tests * Further tweaks * Fix current state server test (sort of) * Maybe fix appservices * Fix client API test * Include database connection string in database options * Fix sync API build * Update config test * Fix unit tests * Fix federation sender build * Fix gobind build * Set Listen address for all services in HTTP monolith mode * Validate config, reinstate appservice derived in directory, tweaks * Tweak federation API test * Set MaxOpenConnections/MaxIdleConnections to previous values * Update generate-config 2020-08-10 13:18:04 +00:00			`},`
			`}`
Support for `m.login.token` (#2014) * Add GOPATH to PATH in find-lint.sh. The user doesn't necessarily have it in PATH. * Refactor LoginTypePassword and Type to support m.login.token and m.login.sso. For login token: * m.login.token will require deleting the token after completeAuth has generated an access token, so a cleanup function is returned by Type.Login. * Allowing different login types will require parsing the /login body twice: first to extract the "type" and then the type-specific parsing. Thus, we will have to buffer the request JSON in /login, like UserInteractive already does. For SSO: * NewUserInteractive will have to also use GetAccountByLocalpart. It makes more sense to just pass a (narrowed-down) accountDB interface to it than adding more function pointers. Code quality: * Passing around (and down-casting) interface{} for login request types has drawbacks in terms of type-safety, and no inherent benefits. We always decode JSON anyway. Hence renaming to Type.LoginFromJSON. Code that directly uses LoginTypePassword with parsed data can still use Login. * Removed a TODO for SSO. This is already tracked in #1297. * httputil.UnmarshalJSON is useful because it returns a JSONResponse. This change is intended to have no functional changes. * Support login tokens in User API. This adds full lifecycle functions for login tokens: create, query, delete. * Support m.login.token in /login. * Fixes for PR review. * Set @matrix-org/dendrite-core as repository code owner * Return event NID from `StoreEvent`, match PSQL vs SQLite behaviour, tweak backfill persistence (#2071) Co-authored-by: kegsay <kegan@matrix.org> Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com> 2022-02-10 10:27:26 +00:00			`return NewUserInteractive(&fakeAccountDatabase{}, cfg)`
Add User-Interactive Authentication (#1193) * Add User-Interactive Authentication And use it when deleting a device. With tests. * Make remaining sytest pass * Linting * 403 not 401 on wrong user/pass 2020-07-09 23:39:44 +00:00			`}`

			`func TestUserInteractiveChallenge(t *testing.T) {`
			`uia := setup()`
			`// no auth key results in a challenge`
			_, errRes := uia.Verify(ctx, []byte(`{}`), device)
			`if errRes == nil {`
			`t.Fatalf("Verify succeeded with {} but expected failure")`
			`}`
			`if errRes.Code != 401 {`
			`t.Errorf("Expected HTTP 401, got %d", errRes.Code)`
			`}`
			`}`

			`func TestUserInteractivePasswordLogin(t *testing.T) {`
			`uia := setup()`
			`// valid password login succeeds when an account exists`
			`lookup["alice herpassword"] = &api.Account{`
			`Localpart: "alice",`
			`ServerName: serverName,`
			`UserID: fmt.Sprintf("@alice:%s", serverName),`
			`}`
			`// valid password requests`
			`testCases := []json.RawMessage{`
			`// deprecated form`
			[]byte(`{
			`"auth": {`
			`"type": "m.login.password",`
			`"user": "alice",`
			`"password": "herpassword"`
			`}`
			}`),
			`// new form`
			[]byte(`{
			`"auth": {`
			`"type": "m.login.password",`
			`"identifier": {`
			`"type": "m.id.user",`
			`"user": "alice"`
			`},`
			`"password": "herpassword"`
			`}`
			}`),
			`}`
			`for _, tc := range testCases {`
			`_, errRes := uia.Verify(ctx, tc, device)`
			`if errRes != nil {`
			`t.Errorf("Verify failed but expected success for request: %s - got %+v", string(tc), errRes)`
			`}`
			`}`
			`}`

			`func TestUserInteractivePasswordBadLogin(t *testing.T) {`
			`uia := setup()`
			`// password login fails when an account exists but is specced wrong`
			`lookup["bob hispassword"] = &api.Account{`
			`Localpart: "bob",`
			`ServerName: serverName,`
			`UserID: fmt.Sprintf("@bob:%s", serverName),`
			`}`
			`// invalid password requests`
			`testCases := []struct {`
			`body json.RawMessage`
			`wantRes util.JSONResponse`
			`}{`
			`{`
			`// fields not in an auth dict`
			body: []byte(`{
			`"type": "m.login.password",`
			`"user": "bob",`
			`"password": "hispassword"`
			}`),
			`wantRes: util.JSONResponse{`
			`Code: 401,`
			`},`
			`},`
			`{`
			`// wrong type`
			body: []byte(`{
			`"auth": {`
			`"type": "m.login.not_password",`
			`"identifier": {`
			`"type": "m.id.user",`
			`"user": "bob"`
			`},`
			`"password": "hispassword"`
			`}`
			}`),
			`wantRes: util.JSONResponse{`
			`Code: 400,`
			`},`
			`},`
			`{`
			`// identifier type is wrong`
			body: []byte(`{
			`"auth": {`
			`"type": "m.login.password",`
			`"identifier": {`
			`"type": "m.id.thirdparty",`
			`"user": "bob"`
			`},`
			`"password": "hispassword"`
			`}`
			}`),
			`wantRes: util.JSONResponse{`
			`Code: 401,`
			`},`
			`},`
			`{`
			`// wrong password`
			body: []byte(`{
			`"auth": {`
			`"type": "m.login.password",`
			`"identifier": {`
			`"type": "m.id.user",`
			`"user": "bob"`
			`},`
			`"password": "not_his_password"`
			`}`
			}`),
			`wantRes: util.JSONResponse{`
			`Code: 401,`
			`},`
			`},`
			`}`
			`for _, tc := range testCases {`
			`_, errRes := uia.Verify(ctx, tc.body, device)`
			`if errRes == nil {`
			`t.Errorf("Verify succeeded but expected failure for request: %s", string(tc.body))`
			`continue`
			`}`
			`if errRes.Code != tc.wantRes.Code {`
			`t.Errorf("got code %d want code %d for request: %s", errRes.Code, tc.wantRes.Code, string(tc.body))`
			`}`
			`}`
			`}`
Fix `/deactivate` (#2474) * Fix /deactivate * Update test to correctly check the expected response 2022-05-20 11:27:11 +00:00
			`func TestUserInteractive_AddCompletedStage(t *testing.T) {`
			`tests := []struct {`
			`name string`
			`sessionID string`
			`}{`
			`{`
			`name: "first user",`
			`sessionID: util.RandomString(8),`
			`},`
			`{`
			`name: "second user",`
			`sessionID: util.RandomString(8),`
			`},`
			`{`
			`name: "third user",`
			`sessionID: util.RandomString(8),`
			`},`
			`}`
			`u := setup()`
			`ctx := context.Background()`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`_, resp := u.Verify(ctx, []byte("{}"), nil)`
			`challenge, ok := resp.JSON.(Challenge)`
			`if !ok {`
			`t.Fatalf("expected a Challenge, got %T", resp.JSON)`
			`}`
			`if len(challenge.Completed) > 0 {`
			`t.Fatalf("expected 0 completed stages, got %d", len(challenge.Completed))`
			`}`
			`u.AddCompletedStage(tt.sessionID, "")`
			`})`
			`}`
			`}`