Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Fix AuthBlocking check when requester is appservice #10881

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/10881.bugfix
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Fix application service users being subject to MAU blocking if MAU had been reached, even if configured not to be blocked.
2 changes: 1 addition & 1 deletion synapse/api/auth_blocking.py
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ async def check_auth_blocking(
# We never block the server from doing actions on behalf of
# users.
return
elif requester.app_service and not self._track_appservice_user_ips:
if requester.app_service and not self._track_appservice_user_ips:
# If we're authenticated as an appservice then we only block
# auth if `track_appservice_user_ips` is set, as that option
# implicitly means that application services are part of MAU
Expand Down
62 changes: 62 additions & 0 deletions tests/api/test_auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,9 @@
MissingClientTokenError,
ResourceLimitError,
)
from synapse.appservice import ApplicationService
from synapse.storage.databases.main.registration import TokenLookupResult
from synapse.types import Requester

from tests import unittest
from tests.test_utils import simple_async_mock
Expand Down Expand Up @@ -290,6 +292,66 @@ def test_blocking_mau__depending_on_user_type(self):
# Real users not allowed
self.get_failure(self.auth.check_auth_blocking(), ResourceLimitError)

def test_blocking_mau__appservice_requester_allowed_when_not_tracking_ips(self):
self.auth_blocking._max_mau_value = 50
self.auth_blocking._limit_usage_by_mau = True
self.auth_blocking._track_appservice_user_ips = False

self.store.get_monthly_active_count = simple_async_mock(100)
self.store.user_last_seen_monthly_active = simple_async_mock()
self.store.is_trial_user = simple_async_mock()

appservice = ApplicationService(
"abcd",
self.hs.config.server_name,
id="1234",
namespaces={
"users": [{"regex": "@_appservice.*:sender", "exclusive": True}]
},
sender="@appservice:sender",
)
requester = Requester(
user="@appservice:server",
access_token_id=None,
device_id="FOOBAR",
is_guest=False,
shadow_banned=False,
app_service=appservice,
authenticated_entity="@appservice:server",
)
self.get_success(self.auth.check_auth_blocking(requester=requester))

def test_blocking_mau__appservice_requester_disallowed_when_tracking_ips(self):
self.auth_blocking._max_mau_value = 50
self.auth_blocking._limit_usage_by_mau = True
self.auth_blocking._track_appservice_user_ips = True

self.store.get_monthly_active_count = simple_async_mock(100)
self.store.user_last_seen_monthly_active = simple_async_mock()
self.store.is_trial_user = simple_async_mock()

appservice = ApplicationService(
"abcd",
self.hs.config.server_name,
id="1234",
namespaces={
"users": [{"regex": "@_appservice.*:sender", "exclusive": True}]
},
sender="@appservice:sender",
)
requester = Requester(
user="@appservice:server",
access_token_id=None,
device_id="FOOBAR",
is_guest=False,
shadow_banned=False,
app_service=appservice,
authenticated_entity="@appservice:server",
)
self.get_failure(
self.auth.check_auth_blocking(requester=requester), ResourceLimitError
)

def test_reserved_threepid(self):
self.auth_blocking._limit_usage_by_mau = True
self.auth_blocking._max_mau_value = 1
Expand Down