Add a cypress test for SSO login (#11401)

* Allow `startHomeserver` to take an options object

... so that we can add more options

* Add a Cypress test for SSO login

cypress/plugins/dendritedocker/index.ts

@@ -26,6 +26,7 @@ import PluginConfigOptions = Cypress.PluginConfigOptions;
 import { getFreePort } from "../utils/port";
 import { dockerExec, dockerLogs, dockerRun, dockerStop } from "../docker";
 import { HomeserverConfig, HomeserverInstance } from "../utils/homeserver";
+import { StartHomeserverOpts } from "../../support/homeserver";
 
 // A cypress plugins to add command to start & stop dendrites in
 // docker with preset templates.
@@ -82,8 +83,8 @@ async function cfgDirFromTemplate(template: string, dendriteImage: string): Prom
 // Start a dendrite instance: the template must be the name of
 // one of the templates in the cypress/plugins/dendritedocker/templates
 // directory
-async function dendriteStart(template: string): Promise<HomeserverInstance> {
-    return containerStart(template, false);
+async function dendriteStart(opts: StartHomeserverOpts): Promise<HomeserverInstance> {
+    return containerStart(opts.template, false);
 }
 
 // Start a dendrite instance using pinecone routing: the template must be the name of

cypress/plugins/index.ts

@@ -25,6 +25,7 @@ import { slidingSyncProxyDocker } from "./sliding-sync";
 import { webserver } from "./webserver";
 import { docker } from "./docker";
 import { log } from "./log";
+import { oAuthServer } from "./oauth_server";
 
 /**
  * @type {Cypress.PluginConfig}
@@ -35,6 +36,7 @@ export default function (on: PluginEvents, config: PluginConfigOptions) {
     dendriteDocker(on, config);
     slidingSyncProxyDocker(on, config);
     webserver(on, config);
+    oAuthServer(on, config);
     log(on, config);
     installLogsPrinter(on, {
         // printLogsToConsole: "always",

cypress/plugins/oauth_server/README.md

@@ -0,0 +1,24 @@
+# oauth_server
+
+A very simple OAuth identity provider server.
+
+The following endpoints are exposed:
+
+-   `/oauth/auth.html`: An OAuth2 [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
+    In a proper OAuth2 system, this would prompt the user to log in; we just give a big "Submit" button (and an
+    auth code that can be changed if we want the next step to fail). It redirects back to the calling application
+    with a "code".
+
+-   `/oauth/token`: An OAuth2 [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
+    Receives the code issued by "auth.html" and, if it is valid, exchanges it for an OAuth2 access token.
+
+-   `/oauth/userinfo`: An OAuth2 [userinfo endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo).
+    Returns details about the owner of the offered access token.
+
+To start the server, do:
+
+```javascript
+cy.task("startOAuthServer").then((port) => {
+    // now we can configure Synapse or Element to talk to the OAuth2 server.
+});
+```

cypress/plugins/oauth_server/index.ts

@@ -0,0 +1,81 @@
+/*
+Copyright 2023 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import http from "http";
+import express from "express";
+import { AddressInfo } from "net";
+
+import PluginEvents = Cypress.PluginEvents;
+import PluginConfigOptions = Cypress.PluginConfigOptions;
+
+const servers: http.Server[] = [];
+
+function startOAuthServer(html: string): number {
+    const app = express();
+
+    // static files. This includes the "authorization endpoint".
+    app.use(express.static(__dirname + "/res"));
+
+    // token endpoint (see https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint)
+    app.use("/oauth/token", express.urlencoded());
+    app.post("/oauth/token", (req, res) => {
+        // if the code is valid, accept it. Otherwise, return an error.
+        const code = req.body.code;
+        if (code === "valid_auth_code") {
+            res.send({
+                access_token: "oauth_access_token",
+                token_type: "Bearer",
+                expires_in: "3600",
+            });
+        } else {
+            res.send({ error: "bad auth code" });
+        }
+    });
+
+    // userinfo endpoint (see https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
+    app.get("/oauth/userinfo", (req, res) => {
+        // TODO: validate that the request carries an auth header which matches the access token we issued above
+
+        // return an OAuth2 user info object
+        res.send({
+            sub: "alice",
+            name: "Alice",
+        });
+    });
+
+    const server = http.createServer(app);
+    server.listen();
+    servers.push(server);
+    const address = server.address() as AddressInfo;
+    console.log(`Started OAuth server at ${address.address}:${address.port}`);
+    return address.port;
+}
+
+function stopOAuthServer(): null {
+    console.log("Stopping OAuth servers");
+    for (const server of servers) {
+        const address = server.address() as AddressInfo;
+        server.close();
+        console.log(`Stopped OAuth server at ${address.address}:${address.port}`);
+    }
+    servers.splice(0, servers.length); // clear
+    return null;
+}
+
+export function oAuthServer(on: PluginEvents, config: PluginConfigOptions) {
+    on("task", { startOAuthServer, stopOAuthServer });
+    on("after:run", stopOAuthServer);
+}

cypress/plugins/oauth_server/res/oauth/auth.html

@@ -0,0 +1,42 @@
+<!--
+Copyright 2023 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+<!--
+A dummy OAuth2 authorization endpoint (see https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint)
+
+Mostly, it just redirects back to the `redirect_uri` in the query params.
+-->
+
+<html lang="en">
+    <body>
+        <h1>Test OAuth page</h1>
+
+        <form id="auth_form">
+            <input type="hidden" id="state" name="state" />
+            <label for="code">Auth Code:</label>
+            <input type="text" id="code" name="code" value="valid_auth_code" />
+            <input type="submit" value="Submit" />
+        </form>
+
+        <script>
+            // process the query params, and set up the form
+            const urlParams = new URLSearchParams(window.location.search);
+            console.log("Test OAuth page: query params:", new Map(urlParams.entries()));
+            document.getElementById("auth_form").action = urlParams.get("redirect_uri");
+            document.getElementById("state").value = urlParams.get("state");
+        </script>
+    </body>
+</html>

cypress/plugins/synapsedocker/index.ts

@@ -26,6 +26,7 @@ import PluginConfigOptions = Cypress.PluginConfigOptions;
 import { getFreePort } from "../utils/port";
 import { dockerExec, dockerLogs, dockerRun, dockerStop } from "../docker";
 import { HomeserverConfig, HomeserverInstance } from "../utils/homeserver";
+import { StartHomeserverOpts } from "../../support/homeserver";
 
 // A cypress plugins to add command to start & stop synapses in
 // docker with preset templates.
@@ -36,12 +37,12 @@ function randB64Bytes(numBytes: number): string {
     return crypto.randomBytes(numBytes).toString("base64").replace(/=*$/, "");
 }
 
-async function cfgDirFromTemplate(template: string): Promise<HomeserverConfig> {
-    const templateDir = path.join(__dirname, "templates", template);
+async function cfgDirFromTemplate(opts: StartHomeserverOpts): Promise<HomeserverConfig> {
+    const templateDir = path.join(__dirname, "templates", opts.template);
 
     const stats = await fse.stat(templateDir);
     if (!stats?.isDirectory) {
-        throw new Error(`No such template: ${template}`);
+        throw new Error(`No such template: ${opts.template}`);
     }
     const tempDir = await fse.mkdtemp(path.join(os.tmpdir(), "react-sdk-synapsedocker-"));
 
@@ -63,6 +64,7 @@ async function cfgDirFromTemplate(template: string): Promise<HomeserverConfig> {
     hsYaml = hsYaml.replace(/{{MACAROON_SECRET_KEY}}/g, macaroonSecret);
     hsYaml = hsYaml.replace(/{{FORM_SECRET}}/g, formSecret);
     hsYaml = hsYaml.replace(/{{PUBLIC_BASEURL}}/g, baseUrl);
+    hsYaml = hsYaml.replace(/{{OAUTH_SERVER_PORT}}/g, opts.oAuthServerPort?.toString());
     await fse.writeFile(path.join(tempDir, "homeserver.yaml"), hsYaml);
 
     // now generate a signing key (we could use synapse's config generation for
@@ -83,15 +85,24 @@ async function cfgDirFromTemplate(template: string): Promise<HomeserverConfig> {
 // Start a synapse instance: the template must be the name of
 // one of the templates in the cypress/plugins/synapsedocker/templates
 // directory
-async function synapseStart(template: string): Promise<HomeserverInstance> {
-    const synCfg = await cfgDirFromTemplate(template);
+async function synapseStart(opts: StartHomeserverOpts): Promise<HomeserverInstance> {
+    const synCfg = await cfgDirFromTemplate(opts);
 
     console.log(`Starting synapse with config dir ${synCfg.configDir}...`);
 
     const synapseId = await dockerRun({
         image: "matrixdotorg/synapse:develop",
         containerName: `react-sdk-cypress-synapse`,
-        params: ["--rm", "-v", `${synCfg.configDir}:/data`, "-p", `${synCfg.port}:8008/tcp`],
+        params: [
+            "--rm",
+            "-v",
+            `${synCfg.configDir}:/data`,
+            "-p",
+            `${synCfg.port}:8008/tcp`,
+            // make host.docker.internal work to allow Synapse to talk to the test OIDC server
+            "--add-host",
+            "host.docker.internal:host-gateway",
+        ],
         cmd: ["run"],
     });
 

cypress/plugins/synapsedocker/templates/default/homeserver.yaml

@@ -74,3 +74,20 @@ suppress_key_server_warning: true
 
 ui_auth:
     session_timeout: "300s"
+
+oidc_providers:
+    - idp_id: test
+      idp_name: "OAuth test"
+      issuer: "http://localhost:{{OAUTH_SERVER_PORT}}/oauth"
+      authorization_endpoint: "http://localhost:{{OAUTH_SERVER_PORT}}/oauth/auth.html"
+      # the token endpoint receives requests from synapse, rather than the webapp, so needs to escape the docker container.
+      # Hence, host.docker.internal rather than localhost.
+      token_endpoint: "http://host.docker.internal:{{OAUTH_SERVER_PORT}}/oauth/token"
+      userinfo_endpoint: "http://host.docker.internal:{{OAUTH_SERVER_PORT}}/oauth/userinfo"
+      client_id: "synapse"
+      discover: false
+      scopes: ["profile"]
+      skip_verification: true
+      user_mapping_provider:
+          config:
+              display_name_template: "{{ user.name }}"