synapse/tests/api/test_urls.py

#
# This file is licensed under the Affero General Public License (AGPL) version 3.
#
# Copyright (C) 2024 New Vector, Ltd
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# See the GNU Affero General Public License for more details:
# <https://www.gnu.org/licenses/agpl-3.0.html>.
#


from twisted.test.proto_helpers import MemoryReactor

from synapse.api.urls import LoginSSORedirectURIBuilder
from synapse.server import HomeServer
from synapse.util import Clock

from tests.unittest import HomeserverTestCase

# a (valid) url with some annoying characters in.  %3D is =, %26 is &, %2B is +
TRICKY_TEST_CLIENT_REDIRECT_URL = 'https://x?<ab c>&q"+%3D%2B"="fö%26=o"'


class LoginSSORedirectURIBuilderTestCase(HomeserverTestCase):
    def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:
        self.login_sso_redirect_url_builder = LoginSSORedirectURIBuilder(hs.config)

    def test_no_idp_id(self) -> None:
        self.assertEqual(
            self.login_sso_redirect_url_builder.build_login_sso_redirect_uri(
                idp_id=None, client_redirect_url="http://example.com/redirect"
            ),
            "https://test/_matrix/client/v3/login/sso/redirect?redirectUrl=http%3A%2F%2Fexample.com%2Fredirect",
        )

    def test_explicit_idp_id(self) -> None:
        self.assertEqual(
            self.login_sso_redirect_url_builder.build_login_sso_redirect_uri(
                idp_id="oidc-github", client_redirect_url="http://example.com/redirect"
            ),
            "https://test/_matrix/client/v3/login/sso/redirect/oidc-github?redirectUrl=http%3A%2F%2Fexample.com%2Fredirect",
        )

    def test_tricky_redirect_uri(self) -> None:
        self.assertEqual(
            self.login_sso_redirect_url_builder.build_login_sso_redirect_uri(
                idp_id="oidc-github",
                client_redirect_url=TRICKY_TEST_CLIENT_REDIRECT_URL,
            ),
            "https://test/_matrix/client/v3/login/sso/redirect/oidc-github?redirectUrl=https%3A%2F%2Fx%3F%3Cab+c%3E%26q%22%2B%253D%252B%22%3D%22f%C3%B6%2526%3Do%22",
        )
Consolidate SSO redirects through `/_matrix/client/v3/login/sso/redirect(/{idpId})` (#17972) Consolidate SSO redirects through `/_matrix/client/v3/login/sso/redirect(/{idpId})` Spawning from https://github.com/element-hq/sbg/pull/421#discussion_r1859497330 where we have a proxy that intercepts responses to `/_matrix/client/v3/login/sso/redirect(/{idpId})` in order to upgrade them to use OAuth 2.0 Pushed Authorization Requests (PAR). Instead of needing to intercept multiple endpoints that redirect to the authorization endpoint, it seems better to just have Synapse consolidate to a single flow. ### Testing strategy 1. Create a new OAuth application. I'll be using GitHub for example but there are [many options](https://github.com/matrix-org/synapse/blob/be65a8ec0195955c15fdb179c9158b187638e39a/docs/openid.md). Visit https://github.com/settings/developers -> New OAuth App - Application name: `Synapse local testing` - Homepage URL: `http://localhost:8008` - Authorization callback URL: `http://localhost:8008/_synapse/client/oidc/callback` 1. Update your Synapse `homeserver.yaml` ```yaml server_name: "my.synapse.server" public_baseurl: http://localhost:8008/ listeners: - port: 8008 bind_addresses: [ #'::1', '127.0.0.1' ] tls: false type: http x_forwarded: true resources: - names: [client, federation, metrics] compress: false # SSO login testing oidc_providers: - idp_id: github idp_name: Github idp_brand: "github" # optional: styling hint for clients discover: false issuer: "https://github.com/" client_id: "xxx" # TO BE FILLED client_secret: "xxx" # TO BE FILLED authorization_endpoint: "https://github.com/login/oauth/authorize" token_endpoint: "https://github.com/login/oauth/access_token" userinfo_endpoint: "https://api.github.com/user" scopes: ["read:user"] user_mapping_provider: config: subject_claim: "id" localpart_template: "{{ user.login }}" display_name_template: "{{ user.name }}" ``` 1. Start Synapse: `poetry run synapse_homeserver --config-path homeserver.yaml` 1. Visit `http://localhost:8008/_synapse/client/pick_idp?redirectUrl=http%3A%2F%2Fexample.com` 1. Choose GitHub 1. Notice that you're redirected to GitHub to sign in (`https://github.com/login/oauth/authorize?...`) Tested locally and works: 1. `http://localhost:8008/_synapse/client/pick_idp?idp=oidc-github&redirectUrl=http%3A//example.com` -> 1. `http://localhost:8008/_matrix/client/v3/login/sso/redirect/oidc-github?redirectUrl=http://example.com` -> 1. `https://github.com/login/oauth/authorize?response_type=code&client_id=xxx&redirect_uri=http%3A%2F%2Flocalhost%3A8008%2F_synapse%2Fclient%2Foidc%2Fcallback&scope=read%3Auser&state=xxx&nonce=xxx` 2024-11-29 20:26:37 +03:00			`#`
			`# This file is licensed under the Affero General Public License (AGPL) version 3.`
			`#`
			`# Copyright (C) 2024 New Vector, Ltd`
			`#`
			`# This program is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU Affero General Public License as`
			`# published by the Free Software Foundation, either version 3 of the`
			`# License, or (at your option) any later version.`
			`#`
			`# See the GNU Affero General Public License for more details:`
			`# <https://www.gnu.org/licenses/agpl-3.0.html>.`
			`#`


			`from twisted.test.proto_helpers import MemoryReactor`

			`from synapse.api.urls import LoginSSORedirectURIBuilder`
			`from synapse.server import HomeServer`
			`from synapse.util import Clock`

			`from tests.unittest import HomeserverTestCase`

			`# a (valid) url with some annoying characters in. %3D is =, %26 is &, %2B is +`
			`TRICKY_TEST_CLIENT_REDIRECT_URL = 'https://x?<ab c>&q"+%3D%2B"="fö%26=o"'`


			`class LoginSSORedirectURIBuilderTestCase(HomeserverTestCase):`
			`def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:`
			`self.login_sso_redirect_url_builder = LoginSSORedirectURIBuilder(hs.config)`

			`def test_no_idp_id(self) -> None:`
			`self.assertEqual(`
			`self.login_sso_redirect_url_builder.build_login_sso_redirect_uri(`
			`idp_id=None, client_redirect_url="http://example.com/redirect"`
			`),`
			`"https://test/_matrix/client/v3/login/sso/redirect?redirectUrl=http%3A%2F%2Fexample.com%2Fredirect",`
			`)`

			`def test_explicit_idp_id(self) -> None:`
			`self.assertEqual(`
			`self.login_sso_redirect_url_builder.build_login_sso_redirect_uri(`
			`idp_id="oidc-github", client_redirect_url="http://example.com/redirect"`
			`),`
			`"https://test/_matrix/client/v3/login/sso/redirect/oidc-github?redirectUrl=http%3A%2F%2Fexample.com%2Fredirect",`
			`)`

			`def test_tricky_redirect_uri(self) -> None:`
			`self.assertEqual(`
			`self.login_sso_redirect_url_builder.build_login_sso_redirect_uri(`
			`idp_id="oidc-github",`
			`client_redirect_url=TRICKY_TEST_CLIENT_REDIRECT_URL,`
			`),`
			`"https://test/_matrix/client/v3/login/sso/redirect/oidc-github?redirectUrl=https%3A%2F%2Fx%3F%3Cab+c%3E%26q%22%2B%253D%252B%22%3D%22f%C3%B6%2526%3Do%22",`
			`)`