mirrors/dendrite
1
0
Fork 0
mirror of https://github.com/element-hq/dendrite.git synced 2025-09-13 21:02:25 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

feat: admin APIs for token authenticated registration (#3101)

Browse source 
### Pull Request Checklist

<!-- Please read
https://matrix-org.github.io/dendrite/development/contributing before
submitting your pull request -->

* [x] I have added Go unit tests or [Complement integration
tests](https://github.com/matrix-org/complement) for this PR _or_ I have
justified why this PR doesn't need tests
* [x] Pull request includes a [sign off below using a legally
identifiable
name](https://matrix-org.github.io/dendrite/development/contributing#sign-off)
_or_ I have already signed off privately

Signed-off-by: `Santhoshivan Amudhan santhoshivan23@gmail.com`
This commit is contained in:
santhoshivan23 2023-06-22 22:07:21 +05:30 committed by GitHub
parent a734b112c6
commit 45082d4dce
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 1474 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

638
clientapi/admin_test.go
View file

@ -2,6 +2,7 @@ package clientapi
import (
"context"
"fmt"
"net/http"
"net/http/httptest"
"reflect"
@ -23,12 +24,649 @@ import (
"github.com/matrix-org/util"
"github.com/tidwall/gjson"
capi "github.com/matrix-org/dendrite/clientapi/api"
"github.com/matrix-org/dendrite/test"
"github.com/matrix-org/dendrite/test/testrig"
"github.com/matrix-org/dendrite/userapi"
uapi "github.com/matrix-org/dendrite/userapi/api"
)
func TestAdminCreateToken(t *testing.T) {
aliceAdmin := test.NewUser(t, test.WithAccountType(uapi.AccountTypeAdmin))
bob := test.NewUser(t, test.WithAccountType(uapi.AccountTypeUser))
ctx := context.Background()
test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
cfg, processCtx, close := testrig.CreateConfig(t, dbType)
cfg.ClientAPI.RegistrationRequiresToken = true
defer close()
natsInstance := jetstream.NATSInstance{}
routers := httputil.NewRouters()
cm := sqlutil.NewConnectionManager(processCtx, cfg.Global.DatabaseOptions)
caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, &natsInstance, caches, caching.DisableMetrics)
userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, &natsInstance, rsAPI, nil)
AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
accessTokens := map[*test.User]userDevice{
aliceAdmin: {},
bob: {},
}
createAccessTokens(t, accessTokens, userAPI, ctx, routers)
testCases := []struct {
name string
requestingUser *test.User
requestOpt test.HTTPRequestOpt
wantOK bool
withHeader bool
}{
{
name: "Missing auth",
requestingUser: bob,
wantOK: false,
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"token": "token1",
},
),
},
{
name: "Bob is denied access",
requestingUser: bob,
wantOK: false,
withHeader: true,
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"token": "token2",
},
),
},
{
name: "Alice can create a token without specifyiing any information",
requestingUser: aliceAdmin,
wantOK: true,
withHeader: true,
requestOpt: test.WithJSONBody(t, map[string]interface{}{}),
},
{
name: "Alice can to create a token specifying a name",
requestingUser: aliceAdmin,
wantOK: true,
withHeader: true,
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"token": "token3",
},
),
},
{
name: "Alice cannot to create a token that already exists",
requestingUser: aliceAdmin,
wantOK: false,
withHeader: true,
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"token": "token3",
},
),
},
{
name: "Alice can create a token specifying valid params",
requestingUser: aliceAdmin,
wantOK: true,
withHeader: true,
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"token": "token4",
"uses_allowed": 5,
"expiry_time": time.Now().Add(5*24*time.Hour).UnixNano() / int64(time.Millisecond),
},
),
},
{
name: "Alice cannot create a token specifying invalid name",
requestingUser: aliceAdmin,
wantOK: false,
withHeader: true,
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"token": "token@",
},
),
},
{
name: "Alice cannot create a token specifying invalid uses_allowed",
requestingUser: aliceAdmin,
wantOK: false,
withHeader: true,
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"token": "token5",
"uses_allowed": -1,
},
),
},
{
name: "Alice cannot create a token specifying invalid expiry_time",
requestingUser: aliceAdmin,
wantOK: false,
withHeader: true,
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"token": "token6",
"expiry_time": time.Now().Add(-1*5*24*time.Hour).UnixNano() / int64(time.Millisecond),
},
),
},
{
name: "Alice cannot to create a token specifying invalid length",
requestingUser: aliceAdmin,
wantOK: false,
withHeader: true,
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"length": 80,
},
),
},
}
for _, tc := range testCases {
tc := tc
t.Run(tc.name, func(t *testing.T) {
req := test.NewRequest(t, http.MethodPost, "/_dendrite/admin/registrationTokens/new")
if tc.requestOpt != nil {
req = test.NewRequest(t, http.MethodPost, "/_dendrite/admin/registrationTokens/new", tc.requestOpt)
}
if tc.withHeader {
req.Header.Set("Authorization", "Bearer "+accessTokens[tc.requestingUser].accessToken)
}
rec := httptest.NewRecorder()
routers.DendriteAdmin.ServeHTTP(rec, req)
t.Logf("%s", rec.Body.String())
if tc.wantOK && rec.Code != http.StatusOK {
t.Fatalf("expected http status %d, got %d: %s", http.StatusOK, rec.Code, rec.Body.String())
}
})
}
})
}
func TestAdminListRegistrationTokens(t *testing.T) {
aliceAdmin := test.NewUser(t, test.WithAccountType(uapi.AccountTypeAdmin))
bob := test.NewUser(t, test.WithAccountType(uapi.AccountTypeUser))
ctx := context.Background()
test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
cfg, processCtx, close := testrig.CreateConfig(t, dbType)
cfg.ClientAPI.RegistrationRequiresToken = true
defer close()
natsInstance := jetstream.NATSInstance{}
routers := httputil.NewRouters()
cm := sqlutil.NewConnectionManager(processCtx, cfg.Global.DatabaseOptions)
caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, &natsInstance, caches, caching.DisableMetrics)
userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, &natsInstance, rsAPI, nil)
AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
accessTokens := map[*test.User]userDevice{
aliceAdmin: {},
bob: {},
}
tokens := []capi.RegistrationToken{
{
Token: getPointer("valid"),
UsesAllowed: getPointer(int32(10)),
ExpiryTime: getPointer(time.Now().Add(5*24*time.Hour).UnixNano() / int64(time.Millisecond)),
Pending: getPointer(int32(0)),
Completed: getPointer(int32(0)),
},
{
Token: getPointer("invalid"),
UsesAllowed: getPointer(int32(10)),
ExpiryTime: getPointer(time.Now().Add(-1*5*24*time.Hour).UnixNano() / int64(time.Millisecond)),
Pending: getPointer(int32(0)),
Completed: getPointer(int32(0)),
},
}
for _, tkn := range tokens {
tkn := tkn
userAPI.PerformAdminCreateRegistrationToken(ctx, &tkn)
}
createAccessTokens(t, accessTokens, userAPI, ctx, routers)
testCases := []struct {
name string
requestingUser *test.User
valid string
isValidSpecified bool
wantOK bool
withHeader bool
}{
{
name: "Missing auth",
requestingUser: bob,
wantOK: false,
isValidSpecified: false,
},
{
name: "Bob is denied access",
requestingUser: bob,
wantOK: false,
withHeader: true,
isValidSpecified: false,
},
{
name: "Alice can list all tokens",
requestingUser: aliceAdmin,
wantOK: true,
withHeader: true,
},
{
name: "Alice can list all valid tokens",
requestingUser: aliceAdmin,
wantOK: true,
withHeader: true,
valid: "true",
isValidSpecified: true,
},
{
name: "Alice can list all invalid tokens",
requestingUser: aliceAdmin,
wantOK: true,
withHeader: true,
valid: "false",
isValidSpecified: true,
},
{
name: "No response when valid has a bad value",
requestingUser: aliceAdmin,
wantOK: false,
withHeader: true,
valid: "trueee",
isValidSpecified: true,
},
}
for _, tc := range testCases {
tc := tc
t.Run(tc.name, func(t *testing.T) {
var path string
if tc.isValidSpecified {
path = fmt.Sprintf("/_dendrite/admin/registrationTokens?valid=%v", tc.valid)
} else {
path = "/_dendrite/admin/registrationTokens"
}
req := test.NewRequest(t, http.MethodGet, path)
if tc.withHeader {
req.Header.Set("Authorization", "Bearer "+accessTokens[tc.requestingUser].accessToken)
}
rec := httptest.NewRecorder()
routers.DendriteAdmin.ServeHTTP(rec, req)
t.Logf("%s", rec.Body.String())
if tc.wantOK && rec.Code != http.StatusOK {
t.Fatalf("expected http status %d, got %d: %s", http.StatusOK, rec.Code, rec.Body.String())
}
})
}
})
}
func TestAdminGetRegistrationToken(t *testing.T) {
aliceAdmin := test.NewUser(t, test.WithAccountType(uapi.AccountTypeAdmin))
bob := test.NewUser(t, test.WithAccountType(uapi.AccountTypeUser))
ctx := context.Background()
test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
cfg, processCtx, close := testrig.CreateConfig(t, dbType)
cfg.ClientAPI.RegistrationRequiresToken = true
defer close()
natsInstance := jetstream.NATSInstance{}
routers := httputil.NewRouters()
cm := sqlutil.NewConnectionManager(processCtx, cfg.Global.DatabaseOptions)
caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, &natsInstance, caches, caching.DisableMetrics)
userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, &natsInstance, rsAPI, nil)
AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
accessTokens := map[*test.User]userDevice{
aliceAdmin: {},
bob: {},
}
tokens := []capi.RegistrationToken{
{
Token: getPointer("alice_token1"),
UsesAllowed: getPointer(int32(10)),
ExpiryTime: getPointer(time.Now().Add(5*24*time.Hour).UnixNano() / int64(time.Millisecond)),
Pending: getPointer(int32(0)),
Completed: getPointer(int32(0)),
},
{
Token: getPointer("alice_token2"),
UsesAllowed: getPointer(int32(10)),
ExpiryTime: getPointer(time.Now().Add(-1*5*24*time.Hour).UnixNano() / int64(time.Millisecond)),
Pending: getPointer(int32(0)),
Completed: getPointer(int32(0)),
},
}
for _, tkn := range tokens {
tkn := tkn
userAPI.PerformAdminCreateRegistrationToken(ctx, &tkn)
}
createAccessTokens(t, accessTokens, userAPI, ctx, routers)
testCases := []struct {
name string
requestingUser *test.User
token string
wantOK bool
withHeader bool
}{
{
name: "Missing auth",
requestingUser: bob,
wantOK: false,
},
{
name: "Bob is denied access",
requestingUser: bob,
wantOK: false,
withHeader: true,
},
{
name: "Alice can GET alice_token1",
token: "alice_token1",
requestingUser: aliceAdmin,
wantOK: true,
withHeader: true,
},
{
name: "Alice can GET alice_token2",
requestingUser: aliceAdmin,
wantOK: true,
withHeader: true,
token: "alice_token2",
},
{
name: "Alice cannot GET a token that does not exists",
requestingUser: aliceAdmin,
wantOK: false,
withHeader: true,
token: "alice_token3",
},
}
for _, tc := range testCases {
tc := tc
t.Run(tc.name, func(t *testing.T) {
path := fmt.Sprintf("/_dendrite/admin/registrationTokens/%s", tc.token)
req := test.NewRequest(t, http.MethodGet, path)
if tc.withHeader {
req.Header.Set("Authorization", "Bearer "+accessTokens[tc.requestingUser].accessToken)
}
rec := httptest.NewRecorder()
routers.DendriteAdmin.ServeHTTP(rec, req)
t.Logf("%s", rec.Body.String())
if tc.wantOK && rec.Code != http.StatusOK {
t.Fatalf("expected http status %d, got %d: %s", http.StatusOK, rec.Code, rec.Body.String())
}
})
}
})
}
func TestAdminDeleteRegistrationToken(t *testing.T) {
aliceAdmin := test.NewUser(t, test.WithAccountType(uapi.AccountTypeAdmin))
bob := test.NewUser(t, test.WithAccountType(uapi.AccountTypeUser))
ctx := context.Background()
test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
cfg, processCtx, close := testrig.CreateConfig(t, dbType)
cfg.ClientAPI.RegistrationRequiresToken = true
defer close()
natsInstance := jetstream.NATSInstance{}
routers := httputil.NewRouters()
cm := sqlutil.NewConnectionManager(processCtx, cfg.Global.DatabaseOptions)
caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, &natsInstance, caches, caching.DisableMetrics)
userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, &natsInstance, rsAPI, nil)
AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
accessTokens := map[*test.User]userDevice{
aliceAdmin: {},
bob: {},
}
tokens := []capi.RegistrationToken{
{
Token: getPointer("alice_token1"),
UsesAllowed: getPointer(int32(10)),
ExpiryTime: getPointer(time.Now().Add(5*24*time.Hour).UnixNano() / int64(time.Millisecond)),
Pending: getPointer(int32(0)),
Completed: getPointer(int32(0)),
},
{
Token: getPointer("alice_token2"),
UsesAllowed: getPointer(int32(10)),
ExpiryTime: getPointer(time.Now().Add(-1*5*24*time.Hour).UnixNano() / int64(time.Millisecond)),
Pending: getPointer(int32(0)),
Completed: getPointer(int32(0)),
},
}
for _, tkn := range tokens {
tkn := tkn
userAPI.PerformAdminCreateRegistrationToken(ctx, &tkn)
}
createAccessTokens(t, accessTokens, userAPI, ctx, routers)
testCases := []struct {
name string
requestingUser *test.User
token string
wantOK bool
withHeader bool
}{
{
name: "Missing auth",
requestingUser: bob,
wantOK: false,
},
{
name: "Bob is denied access",
requestingUser: bob,
wantOK: false,
withHeader: true,
},
{
name: "Alice can DELETE alice_token1",
token: "alice_token1",
requestingUser: aliceAdmin,
wantOK: true,
withHeader: true,
},
{
name: "Alice can DELETE alice_token2",
requestingUser: aliceAdmin,
wantOK: true,
withHeader: true,
token: "alice_token2",
},
}
for _, tc := range testCases {
tc := tc
t.Run(tc.name, func(t *testing.T) {
path := fmt.Sprintf("/_dendrite/admin/registrationTokens/%s", tc.token)
req := test.NewRequest(t, http.MethodDelete, path)
if tc.withHeader {
req.Header.Set("Authorization", "Bearer "+accessTokens[tc.requestingUser].accessToken)
}
rec := httptest.NewRecorder()
routers.DendriteAdmin.ServeHTTP(rec, req)
t.Logf("%s", rec.Body.String())
if tc.wantOK && rec.Code != http.StatusOK {
t.Fatalf("expected http status %d, got %d: %s", http.StatusOK, rec.Code, rec.Body.String())
}
})
}
})
}
func TestAdminUpdateRegistrationToken(t *testing.T) {
aliceAdmin := test.NewUser(t, test.WithAccountType(uapi.AccountTypeAdmin))
bob := test.NewUser(t, test.WithAccountType(uapi.AccountTypeUser))
ctx := context.Background()
test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
cfg, processCtx, close := testrig.CreateConfig(t, dbType)
cfg.ClientAPI.RegistrationRequiresToken = true
defer close()
natsInstance := jetstream.NATSInstance{}
routers := httputil.NewRouters()
cm := sqlutil.NewConnectionManager(processCtx, cfg.Global.DatabaseOptions)
caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, &natsInstance, caches, caching.DisableMetrics)
userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, &natsInstance, rsAPI, nil)
AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
accessTokens := map[*test.User]userDevice{
aliceAdmin: {},
bob: {},
}
createAccessTokens(t, accessTokens, userAPI, ctx, routers)
tokens := []capi.RegistrationToken{
{
Token: getPointer("alice_token1"),
UsesAllowed: getPointer(int32(10)),
ExpiryTime: getPointer(time.Now().Add(5*24*time.Hour).UnixNano() / int64(time.Millisecond)),
Pending: getPointer(int32(0)),
Completed: getPointer(int32(0)),
},
{
Token: getPointer("alice_token2"),
UsesAllowed: getPointer(int32(10)),
ExpiryTime: getPointer(time.Now().Add(-1*5*24*time.Hour).UnixNano() / int64(time.Millisecond)),
Pending: getPointer(int32(0)),
Completed: getPointer(int32(0)),
},
}
for _, tkn := range tokens {
tkn := tkn
userAPI.PerformAdminCreateRegistrationToken(ctx, &tkn)
}
testCases := []struct {
name string
requestingUser *test.User
method string
token string
requestOpt test.HTTPRequestOpt
wantOK bool
withHeader bool
}{
{
name: "Missing auth",
requestingUser: bob,
wantOK: false,
token: "alice_token1",
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"uses_allowed": 10,
},
),
},
{
name: "Bob is denied access",
requestingUser: bob,
wantOK: false,
withHeader: true,
token: "alice_token1",
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"uses_allowed": 10,
},
),
},
{
name: "Alice can UPDATE a token's uses_allowed property",
requestingUser: aliceAdmin,
wantOK: true,
withHeader: true,
token: "alice_token1",
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"uses_allowed": 10,
}),
},
{
name: "Alice can UPDATE a token's expiry_time property",
requestingUser: aliceAdmin,
wantOK: true,
withHeader: true,
token: "alice_token2",
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"expiry_time": time.Now().Add(5*24*time.Hour).UnixNano() / int64(time.Millisecond),
},
),
},
{
name: "Alice can UPDATE a token's uses_allowed and expiry_time property",
requestingUser: aliceAdmin,
wantOK: false,
withHeader: true,
token: "alice_token1",
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"uses_allowed": 20,
"expiry_time": time.Now().Add(10*24*time.Hour).UnixNano() / int64(time.Millisecond),
},
),
},
{
name: "Alice CANNOT update a token with invalid properties",
requestingUser: aliceAdmin,
wantOK: false,
withHeader: true,
token: "alice_token2",
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"uses_allowed": -5,
"expiry_time": time.Now().Add(-1*5*24*time.Hour).UnixNano() / int64(time.Millisecond),
},
),
},
{
name: "Alice CANNOT UPDATE a token that does not exist",
requestingUser: aliceAdmin,
wantOK: false,
withHeader: true,
token: "alice_token9",
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"uses_allowed": 100,
},
),
},
{
name: "Alice can UPDATE token specifying uses_allowed as null - Valid for infinite uses",
requestingUser: aliceAdmin,
wantOK: false,
withHeader: true,
token: "alice_token1",
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"uses_allowed": nil,
},
),
},
{
name: "Alice can UPDATE token specifying expiry_time AS null - Valid for infinite time",
requestingUser: aliceAdmin,
wantOK: false,
withHeader: true,
token: "alice_token1",
requestOpt: test.WithJSONBody(t, map[string]interface{}{
"expiry_time": nil,
},
),
},
}
for _, tc := range testCases {
tc := tc
t.Run(tc.name, func(t *testing.T) {
path := fmt.Sprintf("/_dendrite/admin/registrationTokens/%s", tc.token)
req := test.NewRequest(t, http.MethodPut, path)
if tc.requestOpt != nil {
req = test.NewRequest(t, http.MethodPut, path, tc.requestOpt)
}
if tc.withHeader {
req.Header.Set("Authorization", "Bearer "+accessTokens[tc.requestingUser].accessToken)
}
rec := httptest.NewRecorder()
routers.DendriteAdmin.ServeHTTP(rec, req)
t.Logf("%s", rec.Body.String())
if tc.wantOK && rec.Code != http.StatusOK {
t.Fatalf("expected http status %d, got %d: %s", http.StatusOK, rec.Code, rec.Body.String())
}
})
}
})
}
func getPointer[T any](s T) *T {
return &s
}
func TestAdminResetPassword(t *testing.T) {
aliceAdmin := test.NewUser(t, test.WithAccountType(uapi.AccountTypeAdmin))
bob := test.NewUser(t, test.WithAccountType(uapi.AccountTypeUser))