aboutsummaryrefslogtreecommitdiff
path: root/clientapi
diff options
context:
space:
mode:
authorsanthoshivan23 <47689668+santhoshivan23@users.noreply.github.com>2023-06-22 22:07:21 +0530
committerGitHub <noreply@github.com>2023-06-22 16:37:21 +0000
commit45082d4dcefadceada1b4374f3876365887cfd4a (patch)
tree899fda990a71f16eb05073098196a2a1a1218bd3 /clientapi
parenta734b112c6577a23b87c6b54c50fb2e9a629cf2b (diff)
feat: admin APIs for token authenticated registration (#3101)
### Pull Request Checklist <!-- Please read https://matrix-org.github.io/dendrite/development/contributing before submitting your pull request --> * [x] I have added Go unit tests or [Complement integration tests](https://github.com/matrix-org/complement) for this PR _or_ I have justified why this PR doesn't need tests * [x] Pull request includes a [sign off below using a legally identifiable name](https://matrix-org.github.io/dendrite/development/contributing#sign-off) _or_ I have already signed off privately Signed-off-by: `Santhoshivan Amudhan santhoshivan23@gmail.com`
Diffstat (limited to 'clientapi')
-rw-r--r--clientapi/admin_test.go638
-rw-r--r--clientapi/api/api.go8
-rw-r--r--clientapi/routing/admin.go242
-rw-r--r--clientapi/routing/routing.go30
4 files changed, 918 insertions, 0 deletions
diff --git a/clientapi/admin_test.go b/clientapi/admin_test.go
index 1145cb12..9d2acd68 100644
--- a/clientapi/admin_test.go
+++ b/clientapi/admin_test.go
@@ -2,6 +2,7 @@ package clientapi
import (
"context"
+ "fmt"
"net/http"
"net/http/httptest"
"reflect"
@@ -23,12 +24,649 @@ import (
"github.com/matrix-org/util"
"github.com/tidwall/gjson"
+ capi "github.com/matrix-org/dendrite/clientapi/api"
"github.com/matrix-org/dendrite/test"
"github.com/matrix-org/dendrite/test/testrig"
"github.com/matrix-org/dendrite/userapi"
uapi "github.com/matrix-org/dendrite/userapi/api"
)
+func TestAdminCreateToken(t *testing.T) {
+ aliceAdmin := test.NewUser(t, test.WithAccountType(uapi.AccountTypeAdmin))
+ bob := test.NewUser(t, test.WithAccountType(uapi.AccountTypeUser))
+ ctx := context.Background()
+ test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
+ cfg, processCtx, close := testrig.CreateConfig(t, dbType)
+ cfg.ClientAPI.RegistrationRequiresToken = true
+ defer close()
+ natsInstance := jetstream.NATSInstance{}
+ routers := httputil.NewRouters()
+ cm := sqlutil.NewConnectionManager(processCtx, cfg.Global.DatabaseOptions)
+ caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
+ rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, &natsInstance, caches, caching.DisableMetrics)
+ userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, &natsInstance, rsAPI, nil)
+ AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
+ accessTokens := map[*test.User]userDevice{
+ aliceAdmin: {},
+ bob: {},
+ }
+ createAccessTokens(t, accessTokens, userAPI, ctx, routers)
+ testCases := []struct {
+ name string
+ requestingUser *test.User
+ requestOpt test.HTTPRequestOpt
+ wantOK bool
+ withHeader bool
+ }{
+ {
+ name: "Missing auth",
+ requestingUser: bob,
+ wantOK: false,
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "token": "token1",
+ },
+ ),
+ },
+ {
+ name: "Bob is denied access",
+ requestingUser: bob,
+ wantOK: false,
+ withHeader: true,
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "token": "token2",
+ },
+ ),
+ },
+ {
+ name: "Alice can create a token without specifyiing any information",
+ requestingUser: aliceAdmin,
+ wantOK: true,
+ withHeader: true,
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{}),
+ },
+ {
+ name: "Alice can to create a token specifying a name",
+ requestingUser: aliceAdmin,
+ wantOK: true,
+ withHeader: true,
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "token": "token3",
+ },
+ ),
+ },
+ {
+ name: "Alice cannot to create a token that already exists",
+ requestingUser: aliceAdmin,
+ wantOK: false,
+ withHeader: true,
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "token": "token3",
+ },
+ ),
+ },
+ {
+ name: "Alice can create a token specifying valid params",
+ requestingUser: aliceAdmin,
+ wantOK: true,
+ withHeader: true,
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "token": "token4",
+ "uses_allowed": 5,
+ "expiry_time": time.Now().Add(5*24*time.Hour).UnixNano() / int64(time.Millisecond),
+ },
+ ),
+ },
+ {
+ name: "Alice cannot create a token specifying invalid name",
+ requestingUser: aliceAdmin,
+ wantOK: false,
+ withHeader: true,
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "token": "token@",
+ },
+ ),
+ },
+ {
+ name: "Alice cannot create a token specifying invalid uses_allowed",
+ requestingUser: aliceAdmin,
+ wantOK: false,
+ withHeader: true,
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "token": "token5",
+ "uses_allowed": -1,
+ },
+ ),
+ },
+ {
+ name: "Alice cannot create a token specifying invalid expiry_time",
+ requestingUser: aliceAdmin,
+ wantOK: false,
+ withHeader: true,
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "token": "token6",
+ "expiry_time": time.Now().Add(-1*5*24*time.Hour).UnixNano() / int64(time.Millisecond),
+ },
+ ),
+ },
+ {
+ name: "Alice cannot to create a token specifying invalid length",
+ requestingUser: aliceAdmin,
+ wantOK: false,
+ withHeader: true,
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "length": 80,
+ },
+ ),
+ },
+ }
+
+ for _, tc := range testCases {
+ tc := tc
+ t.Run(tc.name, func(t *testing.T) {
+ req := test.NewRequest(t, http.MethodPost, "/_dendrite/admin/registrationTokens/new")
+ if tc.requestOpt != nil {
+ req = test.NewRequest(t, http.MethodPost, "/_dendrite/admin/registrationTokens/new", tc.requestOpt)
+ }
+ if tc.withHeader {
+ req.Header.Set("Authorization", "Bearer "+accessTokens[tc.requestingUser].accessToken)
+ }
+ rec := httptest.NewRecorder()
+ routers.DendriteAdmin.ServeHTTP(rec, req)
+ t.Logf("%s", rec.Body.String())
+ if tc.wantOK && rec.Code != http.StatusOK {
+ t.Fatalf("expected http status %d, got %d: %s", http.StatusOK, rec.Code, rec.Body.String())
+ }
+ })
+ }
+ })
+}
+
+func TestAdminListRegistrationTokens(t *testing.T) {
+ aliceAdmin := test.NewUser(t, test.WithAccountType(uapi.AccountTypeAdmin))
+ bob := test.NewUser(t, test.WithAccountType(uapi.AccountTypeUser))
+ ctx := context.Background()
+ test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
+ cfg, processCtx, close := testrig.CreateConfig(t, dbType)
+ cfg.ClientAPI.RegistrationRequiresToken = true
+ defer close()
+ natsInstance := jetstream.NATSInstance{}
+ routers := httputil.NewRouters()
+ cm := sqlutil.NewConnectionManager(processCtx, cfg.Global.DatabaseOptions)
+ caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
+ rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, &natsInstance, caches, caching.DisableMetrics)
+ userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, &natsInstance, rsAPI, nil)
+ AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
+ accessTokens := map[*test.User]userDevice{
+ aliceAdmin: {},
+ bob: {},
+ }
+ tokens := []capi.RegistrationToken{
+ {
+ Token: getPointer("valid"),
+ UsesAllowed: getPointer(int32(10)),
+ ExpiryTime: getPointer(time.Now().Add(5*24*time.Hour).UnixNano() / int64(time.Millisecond)),
+ Pending: getPointer(int32(0)),
+ Completed: getPointer(int32(0)),
+ },
+ {
+ Token: getPointer("invalid"),
+ UsesAllowed: getPointer(int32(10)),
+ ExpiryTime: getPointer(time.Now().Add(-1*5*24*time.Hour).UnixNano() / int64(time.Millisecond)),
+ Pending: getPointer(int32(0)),
+ Completed: getPointer(int32(0)),
+ },
+ }
+ for _, tkn := range tokens {
+ tkn := tkn
+ userAPI.PerformAdminCreateRegistrationToken(ctx, &tkn)
+ }
+ createAccessTokens(t, accessTokens, userAPI, ctx, routers)
+ testCases := []struct {
+ name string
+ requestingUser *test.User
+ valid string
+ isValidSpecified bool
+ wantOK bool
+ withHeader bool
+ }{
+ {
+ name: "Missing auth",
+ requestingUser: bob,
+ wantOK: false,
+ isValidSpecified: false,
+ },
+ {
+ name: "Bob is denied access",
+ requestingUser: bob,
+ wantOK: false,
+ withHeader: true,
+ isValidSpecified: false,
+ },
+ {
+ name: "Alice can list all tokens",
+ requestingUser: aliceAdmin,
+ wantOK: true,
+ withHeader: true,
+ },
+ {
+ name: "Alice can list all valid tokens",
+ requestingUser: aliceAdmin,
+ wantOK: true,
+ withHeader: true,
+ valid: "true",
+ isValidSpecified: true,
+ },
+ {
+ name: "Alice can list all invalid tokens",
+ requestingUser: aliceAdmin,
+ wantOK: true,
+ withHeader: true,
+ valid: "false",
+ isValidSpecified: true,
+ },
+ {
+ name: "No response when valid has a bad value",
+ requestingUser: aliceAdmin,
+ wantOK: false,
+ withHeader: true,
+ valid: "trueee",
+ isValidSpecified: true,
+ },
+ }
+
+ for _, tc := range testCases {
+ tc := tc
+ t.Run(tc.name, func(t *testing.T) {
+ var path string
+ if tc.isValidSpecified {
+ path = fmt.Sprintf("/_dendrite/admin/registrationTokens?valid=%v", tc.valid)
+ } else {
+ path = "/_dendrite/admin/registrationTokens"
+ }
+ req := test.NewRequest(t, http.MethodGet, path)
+ if tc.withHeader {
+ req.Header.Set("Authorization", "Bearer "+accessTokens[tc.requestingUser].accessToken)
+ }
+ rec := httptest.NewRecorder()
+ routers.DendriteAdmin.ServeHTTP(rec, req)
+ t.Logf("%s", rec.Body.String())
+ if tc.wantOK && rec.Code != http.StatusOK {
+ t.Fatalf("expected http status %d, got %d: %s", http.StatusOK, rec.Code, rec.Body.String())
+ }
+ })
+ }
+ })
+}
+
+func TestAdminGetRegistrationToken(t *testing.T) {
+ aliceAdmin := test.NewUser(t, test.WithAccountType(uapi.AccountTypeAdmin))
+ bob := test.NewUser(t, test.WithAccountType(uapi.AccountTypeUser))
+ ctx := context.Background()
+ test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
+ cfg, processCtx, close := testrig.CreateConfig(t, dbType)
+ cfg.ClientAPI.RegistrationRequiresToken = true
+ defer close()
+ natsInstance := jetstream.NATSInstance{}
+ routers := httputil.NewRouters()
+ cm := sqlutil.NewConnectionManager(processCtx, cfg.Global.DatabaseOptions)
+ caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
+ rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, &natsInstance, caches, caching.DisableMetrics)
+ userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, &natsInstance, rsAPI, nil)
+ AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
+ accessTokens := map[*test.User]userDevice{
+ aliceAdmin: {},
+ bob: {},
+ }
+ tokens := []capi.RegistrationToken{
+ {
+ Token: getPointer("alice_token1"),
+ UsesAllowed: getPointer(int32(10)),
+ ExpiryTime: getPointer(time.Now().Add(5*24*time.Hour).UnixNano() / int64(time.Millisecond)),
+ Pending: getPointer(int32(0)),
+ Completed: getPointer(int32(0)),
+ },
+ {
+ Token: getPointer("alice_token2"),
+ UsesAllowed: getPointer(int32(10)),
+ ExpiryTime: getPointer(time.Now().Add(-1*5*24*time.Hour).UnixNano() / int64(time.Millisecond)),
+ Pending: getPointer(int32(0)),
+ Completed: getPointer(int32(0)),
+ },
+ }
+ for _, tkn := range tokens {
+ tkn := tkn
+ userAPI.PerformAdminCreateRegistrationToken(ctx, &tkn)
+ }
+ createAccessTokens(t, accessTokens, userAPI, ctx, routers)
+ testCases := []struct {
+ name string
+ requestingUser *test.User
+ token string
+ wantOK bool
+ withHeader bool
+ }{
+ {
+ name: "Missing auth",
+ requestingUser: bob,
+ wantOK: false,
+ },
+ {
+ name: "Bob is denied access",
+ requestingUser: bob,
+ wantOK: false,
+ withHeader: true,
+ },
+ {
+ name: "Alice can GET alice_token1",
+ token: "alice_token1",
+ requestingUser: aliceAdmin,
+ wantOK: true,
+ withHeader: true,
+ },
+ {
+ name: "Alice can GET alice_token2",
+ requestingUser: aliceAdmin,
+ wantOK: true,
+ withHeader: true,
+ token: "alice_token2",
+ },
+ {
+ name: "Alice cannot GET a token that does not exists",
+ requestingUser: aliceAdmin,
+ wantOK: false,
+ withHeader: true,
+ token: "alice_token3",
+ },
+ }
+
+ for _, tc := range testCases {
+ tc := tc
+ t.Run(tc.name, func(t *testing.T) {
+ path := fmt.Sprintf("/_dendrite/admin/registrationTokens/%s", tc.token)
+ req := test.NewRequest(t, http.MethodGet, path)
+ if tc.withHeader {
+ req.Header.Set("Authorization", "Bearer "+accessTokens[tc.requestingUser].accessToken)
+ }
+ rec := httptest.NewRecorder()
+ routers.DendriteAdmin.ServeHTTP(rec, req)
+ t.Logf("%s", rec.Body.String())
+ if tc.wantOK && rec.Code != http.StatusOK {
+ t.Fatalf("expected http status %d, got %d: %s", http.StatusOK, rec.Code, rec.Body.String())
+ }
+ })
+ }
+ })
+}
+
+func TestAdminDeleteRegistrationToken(t *testing.T) {
+ aliceAdmin := test.NewUser(t, test.WithAccountType(uapi.AccountTypeAdmin))
+ bob := test.NewUser(t, test.WithAccountType(uapi.AccountTypeUser))
+ ctx := context.Background()
+ test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
+ cfg, processCtx, close := testrig.CreateConfig(t, dbType)
+ cfg.ClientAPI.RegistrationRequiresToken = true
+ defer close()
+ natsInstance := jetstream.NATSInstance{}
+ routers := httputil.NewRouters()
+ cm := sqlutil.NewConnectionManager(processCtx, cfg.Global.DatabaseOptions)
+ caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
+ rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, &natsInstance, caches, caching.DisableMetrics)
+ userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, &natsInstance, rsAPI, nil)
+ AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
+ accessTokens := map[*test.User]userDevice{
+ aliceAdmin: {},
+ bob: {},
+ }
+ tokens := []capi.RegistrationToken{
+ {
+ Token: getPointer("alice_token1"),
+ UsesAllowed: getPointer(int32(10)),
+ ExpiryTime: getPointer(time.Now().Add(5*24*time.Hour).UnixNano() / int64(time.Millisecond)),
+ Pending: getPointer(int32(0)),
+ Completed: getPointer(int32(0)),
+ },
+ {
+ Token: getPointer("alice_token2"),
+ UsesAllowed: getPointer(int32(10)),
+ ExpiryTime: getPointer(time.Now().Add(-1*5*24*time.Hour).UnixNano() / int64(time.Millisecond)),
+ Pending: getPointer(int32(0)),
+ Completed: getPointer(int32(0)),
+ },
+ }
+ for _, tkn := range tokens {
+ tkn := tkn
+ userAPI.PerformAdminCreateRegistrationToken(ctx, &tkn)
+ }
+ createAccessTokens(t, accessTokens, userAPI, ctx, routers)
+ testCases := []struct {
+ name string
+ requestingUser *test.User
+ token string
+ wantOK bool
+ withHeader bool
+ }{
+ {
+ name: "Missing auth",
+ requestingUser: bob,
+ wantOK: false,
+ },
+ {
+ name: "Bob is denied access",
+ requestingUser: bob,
+ wantOK: false,
+ withHeader: true,
+ },
+ {
+ name: "Alice can DELETE alice_token1",
+ token: "alice_token1",
+ requestingUser: aliceAdmin,
+ wantOK: true,
+ withHeader: true,
+ },
+ {
+ name: "Alice can DELETE alice_token2",
+ requestingUser: aliceAdmin,
+ wantOK: true,
+ withHeader: true,
+ token: "alice_token2",
+ },
+ }
+
+ for _, tc := range testCases {
+ tc := tc
+ t.Run(tc.name, func(t *testing.T) {
+ path := fmt.Sprintf("/_dendrite/admin/registrationTokens/%s", tc.token)
+ req := test.NewRequest(t, http.MethodDelete, path)
+ if tc.withHeader {
+ req.Header.Set("Authorization", "Bearer "+accessTokens[tc.requestingUser].accessToken)
+ }
+ rec := httptest.NewRecorder()
+ routers.DendriteAdmin.ServeHTTP(rec, req)
+ t.Logf("%s", rec.Body.String())
+ if tc.wantOK && rec.Code != http.StatusOK {
+ t.Fatalf("expected http status %d, got %d: %s", http.StatusOK, rec.Code, rec.Body.String())
+ }
+ })
+ }
+ })
+}
+
+func TestAdminUpdateRegistrationToken(t *testing.T) {
+ aliceAdmin := test.NewUser(t, test.WithAccountType(uapi.AccountTypeAdmin))
+ bob := test.NewUser(t, test.WithAccountType(uapi.AccountTypeUser))
+ ctx := context.Background()
+ test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
+ cfg, processCtx, close := testrig.CreateConfig(t, dbType)
+ cfg.ClientAPI.RegistrationRequiresToken = true
+ defer close()
+ natsInstance := jetstream.NATSInstance{}
+ routers := httputil.NewRouters()
+ cm := sqlutil.NewConnectionManager(processCtx, cfg.Global.DatabaseOptions)
+ caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
+ rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, &natsInstance, caches, caching.DisableMetrics)
+ userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, &natsInstance, rsAPI, nil)
+ AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
+ accessTokens := map[*test.User]userDevice{
+ aliceAdmin: {},
+ bob: {},
+ }
+ createAccessTokens(t, accessTokens, userAPI, ctx, routers)
+ tokens := []capi.RegistrationToken{
+ {
+ Token: getPointer("alice_token1"),
+ UsesAllowed: getPointer(int32(10)),
+ ExpiryTime: getPointer(time.Now().Add(5*24*time.Hour).UnixNano() / int64(time.Millisecond)),
+ Pending: getPointer(int32(0)),
+ Completed: getPointer(int32(0)),
+ },
+ {
+ Token: getPointer("alice_token2"),
+ UsesAllowed: getPointer(int32(10)),
+ ExpiryTime: getPointer(time.Now().Add(-1*5*24*time.Hour).UnixNano() / int64(time.Millisecond)),
+ Pending: getPointer(int32(0)),
+ Completed: getPointer(int32(0)),
+ },
+ }
+ for _, tkn := range tokens {
+ tkn := tkn
+ userAPI.PerformAdminCreateRegistrationToken(ctx, &tkn)
+ }
+ testCases := []struct {
+ name string
+ requestingUser *test.User
+ method string
+ token string
+ requestOpt test.HTTPRequestOpt
+ wantOK bool
+ withHeader bool
+ }{
+ {
+ name: "Missing auth",
+ requestingUser: bob,
+ wantOK: false,
+ token: "alice_token1",
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "uses_allowed": 10,
+ },
+ ),
+ },
+ {
+ name: "Bob is denied access",
+ requestingUser: bob,
+ wantOK: false,
+ withHeader: true,
+ token: "alice_token1",
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "uses_allowed": 10,
+ },
+ ),
+ },
+ {
+ name: "Alice can UPDATE a token's uses_allowed property",
+ requestingUser: aliceAdmin,
+ wantOK: true,
+ withHeader: true,
+ token: "alice_token1",
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "uses_allowed": 10,
+ }),
+ },
+ {
+ name: "Alice can UPDATE a token's expiry_time property",
+ requestingUser: aliceAdmin,
+ wantOK: true,
+ withHeader: true,
+ token: "alice_token2",
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "expiry_time": time.Now().Add(5*24*time.Hour).UnixNano() / int64(time.Millisecond),
+ },
+ ),
+ },
+ {
+ name: "Alice can UPDATE a token's uses_allowed and expiry_time property",
+ requestingUser: aliceAdmin,
+ wantOK: false,
+ withHeader: true,
+ token: "alice_token1",
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "uses_allowed": 20,
+ "expiry_time": time.Now().Add(10*24*time.Hour).UnixNano() / int64(time.Millisecond),
+ },
+ ),
+ },
+ {
+ name: "Alice CANNOT update a token with invalid properties",
+ requestingUser: aliceAdmin,
+ wantOK: false,
+ withHeader: true,
+ token: "alice_token2",
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "uses_allowed": -5,
+ "expiry_time": time.Now().Add(-1*5*24*time.Hour).UnixNano() / int64(time.Millisecond),
+ },
+ ),
+ },
+ {
+ name: "Alice CANNOT UPDATE a token that does not exist",
+ requestingUser: aliceAdmin,
+ wantOK: false,
+ withHeader: true,
+ token: "alice_token9",
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "uses_allowed": 100,
+ },
+ ),
+ },
+ {
+ name: "Alice can UPDATE token specifying uses_allowed as null - Valid for infinite uses",
+ requestingUser: aliceAdmin,
+ wantOK: false,
+ withHeader: true,
+ token: "alice_token1",
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "uses_allowed": nil,
+ },
+ ),
+ },
+ {
+ name: "Alice can UPDATE token specifying expiry_time AS null - Valid for infinite time",
+ requestingUser: aliceAdmin,
+ wantOK: false,
+ withHeader: true,
+ token: "alice_token1",
+ requestOpt: test.WithJSONBody(t, map[string]interface{}{
+ "expiry_time": nil,
+ },
+ ),
+ },
+ }
+
+ for _, tc := range testCases {
+ tc := tc
+ t.Run(tc.name, func(t *testing.T) {
+ path := fmt.Sprintf("/_dendrite/admin/registrationTokens/%s", tc.token)
+ req := test.NewRequest(t, http.MethodPut, path)
+ if tc.requestOpt != nil {
+ req = test.NewRequest(t, http.MethodPut, path, tc.requestOpt)
+ }
+ if tc.withHeader {
+ req.Header.Set("Authorization", "Bearer "+accessTokens[tc.requestingUser].accessToken)
+ }
+ rec := httptest.NewRecorder()
+ routers.DendriteAdmin.ServeHTTP(rec, req)
+ t.Logf("%s", rec.Body.String())
+ if tc.wantOK && rec.Code != http.StatusOK {
+ t.Fatalf("expected http status %d, got %d: %s", http.StatusOK, rec.Code, rec.Body.String())
+ }
+ })
+ }
+ })
+}
+
+func getPointer[T any](s T) *T {
+ return &s
+}
+
func TestAdminResetPassword(t *testing.T) {
aliceAdmin := test.NewUser(t, test.WithAccountType(uapi.AccountTypeAdmin))
bob := test.NewUser(t, test.WithAccountType(uapi.AccountTypeUser))
diff --git a/clientapi/api/api.go b/clientapi/api/api.go
index 23974c86..28ff593f 100644
--- a/clientapi/api/api.go
+++ b/clientapi/api/api.go
@@ -21,3 +21,11 @@ type ExtraPublicRoomsProvider interface {
// Rooms returns the extra rooms. This is called on-demand by clients, so cache appropriately.
Rooms() []fclient.PublicRoom
}
+
+type RegistrationToken struct {
+ Token *string `json:"token"`
+ UsesAllowed *int32 `json:"uses_allowed"`
+ Pending *int32 `json:"pending"`
+ Completed *int32 `json:"completed"`
+ ExpiryTime *int64 `json:"expiry_time"`
+}
diff --git a/clientapi/routing/admin.go b/clientapi/routing/admin.go
index 3d64454c..51966607 100644
--- a/clientapi/routing/admin.go
+++ b/clientapi/routing/admin.go
@@ -6,6 +6,8 @@ import (
"errors"
"fmt"
"net/http"
+ "regexp"
+ "strconv"
"time"
"github.com/gorilla/mux"
@@ -16,14 +18,254 @@ import (
"github.com/matrix-org/util"
"github.com/nats-io/nats.go"
"github.com/sirupsen/logrus"
+ "golang.org/x/exp/constraints"
+ clientapi "github.com/matrix-org/dendrite/clientapi/api"
"github.com/matrix-org/dendrite/internal/httputil"
roomserverAPI "github.com/matrix-org/dendrite/roomserver/api"
"github.com/matrix-org/dendrite/setup/config"
"github.com/matrix-org/dendrite/setup/jetstream"
"github.com/matrix-org/dendrite/userapi/api"
+ userapi "github.com/matrix-org/dendrite/userapi/api"
)
+var validRegistrationTokenRegex = regexp.MustCompile("^[[:ascii:][:digit:]_]*$")
+
+func AdminCreateNewRegistrationToken(req *http.Request, cfg *config.ClientAPI, userAPI userapi.ClientUserAPI) util.JSONResponse {
+ if !cfg.RegistrationRequiresToken {
+ return util.JSONResponse{
+ Code: http.StatusForbidden,
+ JSON: spec.Forbidden("Registration via tokens is not enabled on this homeserver"),
+ }
+ }
+ request := struct {
+ Token string `json:"token"`
+ UsesAllowed *int32 `json:"uses_allowed,omitempty"`
+ ExpiryTime *int64 `json:"expiry_time,omitempty"`
+ Length int32 `json:"length"`
+ }{}
+
+ if err := json.NewDecoder(req.Body).Decode(&request); err != nil {
+ return util.JSONResponse{
+ Code: http.StatusBadRequest,
+ JSON: spec.BadJSON(fmt.Sprintf("Failed to decode request body: %s", err)),
+ }
+ }
+
+ token := request.Token
+ usesAllowed := request.UsesAllowed
+ expiryTime := request.ExpiryTime
+ length := request.Length
+
+ if len(token) == 0 {
+ if length == 0 {
+ // length not provided in request. Assign default value of 16.
+ length = 16
+ }
+ // token not present in request body. Hence, generate a random token.
+ if length <= 0 || length > 64 {
+ return util.JSONResponse{
+ Code: http.StatusBadRequest,
+ JSON: spec.BadJSON("length must be greater than zero and not greater than 64"),
+ }
+ }
+ token = util.RandomString(int(length))
+ }
+
+ if len(token) > 64 {
+ //Token present in request body, but is too long.
+ return util.JSONResponse{
+ Code: http.StatusBadRequest,
+ JSON: spec.BadJSON("token must not be longer than 64"),
+ }
+ }
+
+ isTokenValid := validRegistrationTokenRegex.Match([]byte(token))
+ if !isTokenValid {
+ return util.JSONResponse{
+ Code: http.StatusBadRequest,
+ JSON: spec.BadJSON("token must consist only of characters matched by the regex [A-Za-z0-9-_]"),
+ }
+ }
+ // At this point, we have a valid token, either through request body or through random generation.
+ if usesAllowed != nil && *usesAllowed < 0 {
+ return util.JSONResponse{
+ Code: http.StatusBadRequest,
+ JSON: spec.BadJSON("uses_allowed must be a non-negative integer or null"),
+ }
+ }
+ if expiryTime != nil && spec.Timestamp(*expiryTime).Time().Before(time.Now()) {
+ return util.JSONResponse{
+ Code: http.StatusBadRequest,
+ JSON: spec.BadJSON("expiry_time must not be in the past"),
+ }
+ }
+ pending := int32(0)
+ completed := int32(0)
+ // If usesAllowed or expiryTime is 0, it means they are not present in the request. NULL (indicating unlimited uses / no expiration will be persisted in DB)
+ registrationToken := &clientapi.RegistrationToken{
+ Token: &token,
+ UsesAllowed: usesAllowed,
+ Pending: &pending,
+ Completed: &completed,
+ ExpiryTime: expiryTime,
+ }
+ created, err := userAPI.PerformAdminCreateRegistrationToken(req.Context(), registrationToken)
+ if !created {
+ return util.JSONResponse{
+ Code: http.StatusConflict,
+ JSON: map[string]string{
+ "error": fmt.Sprintf("token: %s already exists", token),
+ },
+ }
+ }
+ if err != nil {
+ return util.JSONResponse{
+ Code: http.StatusInternalServerError,
+ JSON: err,
+ }
+ }
+ return util.JSONResponse{
+ Code: 200,
+ JSON: map[string]interface{}{
+ "token": token,
+ "uses_allowed": getReturnValue(usesAllowed),
+ "pending": pending,
+ "completed": completed,
+ "expiry_time": getReturnValue(expiryTime),
+ },
+ }
+}
+
+func getReturnValue[t constraints.Integer](in *t) any {
+ if in == nil {
+ return nil
+ }
+ return *in
+}
+
+func AdminListRegistrationTokens(req *http.Request, cfg *config.ClientAPI, userAPI userapi.ClientUserAPI) util.JSONResponse {
+ queryParams := req.URL.Query()
+ returnAll := true
+ valid := true
+ validQuery, ok := queryParams["valid"]
+ if ok {
+ returnAll = false
+ validValue, err := strconv.ParseBool(validQuery[0])
+ if err != nil {
+ return util.JSONResponse{
+ Code: http.StatusBadRequest,
+ JSON: spec.BadJSON("invalid 'valid' query parameter"),
+ }
+ }
+ valid = validValue
+ }
+ tokens, err := userAPI.PerformAdminListRegistrationTokens(req.Context(), returnAll, valid)
+ if err != nil {
+ return util.JSONResponse{
+ Code: http.StatusInternalServerError,
+ JSON: spec.ErrorUnknown,
+ }
+ }
+ return util.JSONResponse{
+ Code: 200,
+ JSON: map[string]interface{}{
+ "registration_tokens": tokens,
+ },
+ }
+}
+
+func AdminGetRegistrationToken(req *http.Request, cfg *config.ClientAPI, userAPI userapi.ClientUserAPI) util.JSONResponse {
+ vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
+ if err != nil {
+ return util.ErrorResponse(err)
+ }
+ tokenText := vars["token"]
+ token, err := userAPI.PerformAdminGetRegistrationToken(req.Context(), tokenText)
+ if err != nil {
+ return util.JSONResponse{
+ Code: http.StatusNotFound,
+ JSON: spec.NotFound(fmt.Sprintf("token: %s not found", tokenText)),
+ }
+ }
+ return util.JSONResponse{
+ Code: 200,
+ JSON: token,
+ }
+}
+
+func AdminDeleteRegistrationToken(req *http.Request, cfg *config.ClientAPI, userAPI userapi.ClientUserAPI) util.JSONResponse {
+ vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
+ if err != nil {
+ return util.ErrorResponse(err)
+ }
+ tokenText := vars["token"]
+ err = userAPI.PerformAdminDeleteRegistrationToken(req.Context(), tokenText)
+ if err != nil {
+ return util.JSONResponse{
+ Code: http.StatusInternalServerError,
+ JSON: err,
+ }
+ }
+ return util.JSONResponse{
+ Code: 200,
+ JSON: map[string]interface{}{},
+ }
+}
+
+func AdminUpdateRegistrationToken(req *http.Request, cfg *config.ClientAPI, userAPI userapi.ClientUserAPI) util.JSONResponse {
+ vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
+ if err != nil {
+ return util.ErrorResponse(err)
+ }
+ tokenText := vars["token"]
+ request := make(map[string]*int64)
+ if err = json.NewDecoder(req.Body).Decode(&request); err != nil {
+ return util.JSONResponse{
+ Code: http.StatusBadRequest,
+ JSON: spec.BadJSON(fmt.Sprintf("Failed to decode request body: %s", err)),
+ }
+ }
+ newAttributes := make(map[string]interface{})
+ usesAllowed, ok := request["uses_allowed"]
+ if ok {
+ // Only add usesAllowed to newAtrributes if it is present and valid
+ if usesAllowed != nil && *usesAllowed < 0 {
+ return util.JSONResponse{
+ Code: http.StatusBadRequest,
+ JSON: spec.BadJSON("uses_allowed must be a non-negative integer or null"),
+ }
+ }
+ newAttributes["usesAllowed"] = usesAllowed
+ }
+ expiryTime, ok := request["expiry_time"]
+ if ok {
+ // Only add expiryTime to newAtrributes if it is present and valid
+ if expiryTime != nil && spec.Timestamp(*expiryTime).Time().Before(time.Now()) {
+ return util.JSONResponse{
+ Code: http.StatusBadRequest,
+ JSON: spec.BadJSON("expiry_time must not be in the past"),
+ }
+ }
+ newAttributes["expiryTime"] = expiryTime
+ }
+ if len(newAttributes) == 0 {
+ // No attributes to update. Return existing token
+ return AdminGetRegistrationToken(req, cfg, userAPI)
+ }
+ updatedToken, err := userAPI.PerformAdminUpdateRegistrationToken(req.Context(), tokenText, newAttributes)
+ if err != nil {
+ return util.JSONResponse{
+ Code: http.StatusNotFound,
+ JSON: spec.NotFound(fmt.Sprintf("token: %s not found", tokenText)),
+ }
+ }
+ return util.JSONResponse{
+ Code: 200,
+ JSON: *updatedToken,
+ }
+}
+
func AdminEvacuateRoom(req *http.Request, rsAPI roomserverAPI.ClientRoomserverAPI) util.JSONResponse {
vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
if err != nil {
diff --git a/clientapi/routing/routing.go b/clientapi/routing/routing.go
index d3f19cae..ab4aefdd 100644
--- a/clientapi/routing/routing.go
+++ b/clientapi/routing/routing.go
@@ -162,6 +162,36 @@ func Setup(
}),
).Methods(http.MethodGet, http.MethodPost, http.MethodOptions)
}
+ dendriteAdminRouter.Handle("/admin/registrationTokens/new",
+ httputil.MakeAdminAPI("admin_registration_tokens_new", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
+ return AdminCreateNewRegistrationToken(req, cfg, userAPI)
+ }),
+ ).Methods(http.MethodPost, http.MethodOptions)
+
+ dendriteAdminRouter.Handle("/admin/registrationTokens",
+ httputil.MakeAdminAPI("admin_list_registration_tokens", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
+ return AdminListRegistrationTokens(req, cfg, userAPI)
+ }),
+ ).Methods(http.MethodGet, http.MethodOptions)
+
+ dendriteAdminRouter.Handle("/admin/registrationTokens/{token}",
+ httputil.MakeAdminAPI("admin_get_registration_token", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
+ switch req.Method {
+ case http.MethodGet:
+ return AdminGetRegistrationToken(req, cfg, userAPI)
+ case http.MethodPut:
+ return AdminUpdateRegistrationToken(req, cfg, userAPI)
+ case http.MethodDelete:
+ return AdminDeleteRegistrationToken(req, cfg, userAPI)
+ default:
+ return util.MatrixErrorResponse(
+ 404,
+ string(spec.ErrorNotFound),
+ "unknown method",
+ )
+ }
+ }),
+ ).Methods(http.MethodGet, http.MethodPut, http.MethodDelete, http.MethodOptions)
dendriteAdminRouter.Handle("/admin/evacuateRoom/{roomID}",
httputil.MakeAdminAPI("admin_evacuate_room", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {