def test_maybe_send_server_notice_to_user_add_blocked_notice(self): """ Test when user does not have blocked notice, but should have one """ self._rlsn._auth.check_auth_blocking = Mock( return_value=defer.succeed(None), side_effect=ResourceLimitError(403, "foo")) self.get_success( self._rlsn.maybe_send_server_notice_to_user(self.user_id)) # Would be better to check contents, but 2 calls == set blocking event self.assertEqual(self._send_notice.call_count, 2)
def test_maybe_send_server_notice_to_user_add_blocked_notice(self): """ Test when user does not have blocked notice, but should have one """ self._rlsn._auth.check_auth_blocking = Mock( side_effect=ResourceLimitError(403, 'foo')) self.get_success( self._rlsn.maybe_send_server_notice_to_user(self.user_id)) # Would be better to check contents, but 2 calls == set blocking event self.assertTrue(self._send_notice.call_count == 2)
def test_maybe_send_server_notice_to_user_remove_blocked_notice_noop(self): """Test when user has blocked notice, but notice ought to be there (NOOP)""" self._rlsn._auth.check_auth_blocking = Mock( side_effect=ResourceLimitError(403, 'foo')) mock_event = Mock(type=EventTypes.Message, content={"msgtype": ServerNoticeMsgType}) self._rlsn._store.get_events = Mock( return_value=defer.succeed({"123": mock_event})) yield self._rlsn.maybe_send_server_notice_to_user(self.user_id) self._send_notice.assert_not_called()
def test_check_hs_disabled_unaffected_by_mau_alert_suppression(self): """ Test that when a server is disabled, that MAU limit alerting is ignored. """ self.hs.config.mau_limit_alerting = False self._rlsn._auth.check_auth_blocking = Mock( side_effect=ResourceLimitError( 403, "foo", limit_type=LimitBlockingTypes.HS_DISABLED)) self.get_success( self._rlsn.maybe_send_server_notice_to_user(self.user_id)) # Would be better to check contents, but 2 calls == set blocking event self.assertEqual(self._send_notice.call_count, 2)
def test_maybe_send_server_notice_when_alerting_suppressed_room_unblocked( self): """ Test that when server is over MAU limit and alerting is suppressed, then an alert message is not sent into the room """ self.hs.config.mau_limit_alerting = False self._rlsn._auth.check_auth_blocking = Mock( side_effect=ResourceLimitError( 403, "foo", limit_type=LimitBlockingTypes.MONTHLY_ACTIVE_USER)) self.get_success( self._rlsn.maybe_send_server_notice_to_user(self.user_id)) self.assertTrue(self._send_notice.call_count == 0)
def test_maybe_send_server_notice_when_alerting_suppressed_room_unblocked(self): """ Test that when server is over MAU limit and alerting is suppressed, then an alert message is not sent into the room """ self._rlsn._auth.check_auth_blocking = Mock( return_value=defer.succeed(None), side_effect=ResourceLimitError( 403, "foo", limit_type=LimitBlockingTypes.MONTHLY_ACTIVE_USER ), ) self.get_success(self._rlsn.maybe_send_server_notice_to_user(self.user_id)) self.assertEqual(self._send_notice.call_count, 0)
def test_maybe_send_server_notice_when_alerting_suppressed_room_blocked( self): """ When the room is already in a blocked state, test that when alerting is suppressed that the room is returned to an unblocked state. """ self.hs.config.mau_limit_alerting = False self._rlsn._auth.check_auth_blocking = Mock( side_effect=ResourceLimitError( 403, "foo", limit_type=LimitBlockingTypes.MONTHLY_ACTIVE_USER)) self._rlsn._server_notices_manager.__is_room_currently_blocked = Mock( return_value=defer.succeed((True, []))) mock_event = Mock(type=EventTypes.Message, content={"msgtype": ServerNoticeMsgType}) self._rlsn._store.get_events = Mock( return_value=defer.succeed({"123": mock_event})) self.get_success( self._rlsn.maybe_send_server_notice_to_user(self.user_id)) self._send_notice.assert_called_once()
async def check_auth_blocking( self, user_id: Optional[str] = None, threepid: Optional[dict] = None, user_type: Optional[str] = None, requester: Optional[Requester] = None, ): """Checks if the user should be rejected for some external reason, such as monthly active user limiting or global disable flag Args: user_id: If present, checks for presence against existing MAU cohort threepid: If present, checks for presence against configured reserved threepid. Used in cases where the user is trying register with a MAU blocked server, normally they would be rejected but their threepid is on the reserved list. user_id and threepid should never be set at the same time. user_type: If present, is used to decide whether to check against certain blocking reasons like MAU. requester: If present, and the authenticated entity is a user, checks for presence against existing MAU cohort. Passing in both a `user_id` and `requester` is an error. """ if requester and user_id: raise Exception( "Passed in both 'user_id' and 'requester' to 'check_auth_blocking'" ) if requester: if requester.authenticated_entity.startswith("@"): user_id = requester.authenticated_entity elif requester.authenticated_entity == self._server_name: # We never block the server from doing actions on behalf of # users. return elif requester.app_service and not self._track_appservice_user_ips: # If we're authenticated as an appservice then we only block # auth if `track_appservice_user_ips` is set, as that option # implicitly means that application services are part of MAU # limits. return # Never fail an auth check for the server notices users or support user # This can be a problem where event creation is prohibited due to blocking if user_id is not None: if user_id == self._server_notices_mxid: return if await self.store.is_support_user(user_id): return if self._hs_disabled: raise ResourceLimitError( 403, self._hs_disabled_message, errcode=Codes.RESOURCE_LIMIT_EXCEEDED, admin_contact=self._admin_contact, limit_type=LimitBlockingTypes.HS_DISABLED, ) if self._limit_usage_by_mau is True: assert not (user_id and threepid) # If the user is already part of the MAU cohort or a trial user if user_id: timestamp = await self.store.user_last_seen_monthly_active( user_id) if timestamp: return is_trial = await self.store.is_trial_user(user_id) if is_trial: return elif threepid: # If the user does not exist yet, but is signing up with a # reserved threepid then pass auth check if is_threepid_reserved(self._mau_limits_reserved_threepids, threepid): return elif user_type == UserTypes.SUPPORT: # If the user does not exist yet and is of type "support", # allow registration. Support users are excluded from MAU checks. return # Else if there is no room in the MAU bucket, bail current_mau = await self.store.get_monthly_active_count() if current_mau >= self._max_mau_value: raise ResourceLimitError( 403, "Monthly Active User Limit Exceeded", admin_contact=self._admin_contact, errcode=Codes.RESOURCE_LIMIT_EXCEEDED, limit_type=LimitBlockingTypes.MONTHLY_ACTIVE_USER, )
async def check_auth_blocking(self, user_id=None, threepid=None, user_type=None): """Checks if the user should be rejected for some external reason, such as monthly active user limiting or global disable flag Args: user_id(str|None): If present, checks for presence against existing MAU cohort threepid(dict|None): If present, checks for presence against configured reserved threepid. Used in cases where the user is trying register with a MAU blocked server, normally they would be rejected but their threepid is on the reserved list. user_id and threepid should never be set at the same time. user_type(str|None): If present, is used to decide whether to check against certain blocking reasons like MAU. """ # Never fail an auth check for the server notices users or support user # This can be a problem where event creation is prohibited due to blocking if user_id is not None: if user_id == self._server_notices_mxid: return if await self.store.is_support_user(user_id): return if self._hs_disabled: raise ResourceLimitError( 403, self._hs_disabled_message, errcode=Codes.RESOURCE_LIMIT_EXCEEDED, admin_contact=self._admin_contact, limit_type=LimitBlockingTypes.HS_DISABLED, ) if self._limit_usage_by_mau is True: assert not (user_id and threepid) # If the user is already part of the MAU cohort or a trial user if user_id: timestamp = await self.store.user_last_seen_monthly_active( user_id) if timestamp: return is_trial = await self.store.is_trial_user(user_id) if is_trial: return elif threepid: # If the user does not exist yet, but is signing up with a # reserved threepid then pass auth check if is_threepid_reserved(self._mau_limits_reserved_threepids, threepid): return elif user_type == UserTypes.SUPPORT: # If the user does not exist yet and is of type "support", # allow registration. Support users are excluded from MAU checks. return # Else if there is no room in the MAU bucket, bail current_mau = await self.store.get_monthly_active_count() if current_mau >= self._max_mau_value: raise ResourceLimitError( 403, "Monthly Active User Limit Exceeded", admin_contact=self._admin_contact, errcode=Codes.RESOURCE_LIMIT_EXCEEDED, limit_type=LimitBlockingTypes.MONTHLY_ACTIVE_USER, )