Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Commit

Permalink
Revert "Add an admin endpoint to allow authorizing server to signal t…
Browse files Browse the repository at this point in the history
…oken revocations (#16125)"

This reverts commit 69048f7.
  • Loading branch information
sandhose committed Sep 5, 2023
1 parent 1cd0715 commit be3aa4e
Show file tree
Hide file tree
Showing 9 changed files with 1 addition and 222 deletions.
13 changes: 0 additions & 13 deletions synapse/api/auth/msc3861_delegated.py
Original file line number Diff line number Diff line change
Expand Up @@ -438,16 +438,3 @@ async def get_user_by_access_token(
scope=scope,
is_guest=(has_guest_scope and not has_user_scope),
)

def invalidate_cached_tokens(self, keys: List[str]) -> None:
"""
Invalidate the entry(s) in the introspection token cache corresponding to the given key
"""
for key in keys:
self._token_cache.invalidate(key)

def invalidate_token_cache(self) -> None:
"""
Invalidate the entire token cache.
"""
self._token_cache.invalidate_all()
12 changes: 0 additions & 12 deletions synapse/replication/tcp/client.py
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,6 @@
from synapse.metrics.background_process_metrics import run_as_background_process
from synapse.replication.tcp.streams import (
AccountDataStream,
CachesStream,
DeviceListsStream,
PushersStream,
PushRulesStream,
Expand Down Expand Up @@ -76,7 +75,6 @@ def __init__(self, hs: "HomeServer"):
self._instance_name = hs.get_instance_name()
self._typing_handler = hs.get_typing_handler()
self._state_storage_controller = hs.get_storage_controllers().state
self.auth = hs.get_auth()

self._notify_pushers = hs.config.worker.start_pushers
self._pusher_pool = hs.get_pusherpool()
Expand Down Expand Up @@ -224,16 +222,6 @@ async def on_rdata(
self._state_storage_controller.notify_event_un_partial_stated(
row.event_id
)
# invalidate the introspection token cache
elif stream_name == CachesStream.NAME:
for row in rows:
if row.cache_func == "introspection_token_invalidation":
if row.keys[0] is None:
# invalidate the whole cache
# mypy ignore - the token cache is defined on MSC3861DelegatedAuth
self.auth.invalidate_token_cache() # type: ignore[attr-defined]
else:
self.auth.invalidate_cached_tokens(row.keys) # type: ignore[attr-defined]

await self._presence_handler.process_replication_rows(
stream_name, instance_name, token, rows
Expand Down
3 changes: 0 additions & 3 deletions synapse/rest/admin/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,6 @@
ListDestinationsRestServlet,
)
from synapse.rest.admin.media import ListMediaInRoom, register_servlets_for_media_repo
from synapse.rest.admin.oidc import OIDCTokenRevocationRestServlet
from synapse.rest.admin.registration_tokens import (
ListRegistrationTokensRestServlet,
NewRegistrationTokenRestServlet,
Expand Down Expand Up @@ -298,8 +297,6 @@ def register_servlets(hs: "HomeServer", http_server: HttpServer) -> None:
BackgroundUpdateRestServlet(hs).register(http_server)
BackgroundUpdateStartJobRestServlet(hs).register(http_server)
ExperimentalFeaturesRestServlet(hs).register(http_server)
if hs.config.experimental.msc3861.enabled:
OIDCTokenRevocationRestServlet(hs).register(http_server)


def register_servlets_for_client_rest_resource(
Expand Down
55 changes: 0 additions & 55 deletions synapse/rest/admin/oidc.py

This file was deleted.

13 changes: 0 additions & 13 deletions synapse/storage/databases/main/cache.py
Original file line number Diff line number Diff line change
Expand Up @@ -584,19 +584,6 @@ def get_cache_stream_token_for_writer(self, instance_name: str) -> int:
else:
return 0

async def stream_introspection_token_invalidation(
self, key: Tuple[Optional[str]]
) -> None:
"""
Stream an invalidation request for the introspection token cache to workers
Args:
key: token_id of the introspection token to remove from the cache
"""
await self.send_invalidation_to_replication(
"introspection_token_invalidation", key
)

@wrap_as_background_process("clean_up_old_cache_invalidations")
async def _clean_up_cache_invalidation_wrapper(self) -> None:
"""
Expand Down
9 changes: 0 additions & 9 deletions synapse/storage/databases/main/devices.py
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,6 @@

from synapse.api.constants import EduTypes
from synapse.api.errors import Codes, StoreError
from synapse.config.homeserver import HomeServerConfig
from synapse.logging.opentracing import (
get_active_span_text_map,
set_tag,
Expand Down Expand Up @@ -1664,7 +1663,6 @@ def __init__(
self.device_id_exists_cache: LruCache[
Tuple[str, str], Literal[True]
] = LruCache(cache_name="device_id_exists", max_size=10000)
self.config: HomeServerConfig = hs.config

async def store_device(
self,
Expand Down Expand Up @@ -1786,13 +1784,6 @@ def _delete_devices_txn(txn: LoggingTransaction) -> None:
for device_id in device_ids:
self.device_id_exists_cache.invalidate((user_id, device_id))

# TODO: don't nuke the entire cache once there is a way to associate
# device_id -> introspection_token
if self.config.experimental.msc3861.enabled:
# mypy ignore - the token cache is defined on MSC3861DelegatedAuth
self.auth._token_cache.invalidate_all() # type: ignore[attr-defined]
await self.stream_introspection_token_invalidation((None,))

async def update_device(
self, user_id: str, device_id: str, new_display_name: Optional[str] = None
) -> None:
Expand Down
22 changes: 0 additions & 22 deletions synapse/util/caches/expiringcache.py
Original file line number Diff line number Diff line change
Expand Up @@ -140,20 +140,6 @@ def pop(self, key: KT, default: T = SENTINEL) -> Union[VT, T]:

return value.value

def invalidate(self, key: KT) -> None:
"""
Remove the given key from the cache.
"""

value = self._cache.pop(key, None)
if value:
if self.iterable:
self.metrics.inc_evictions(
EvictionReason.invalidation, len(value.value)
)
else:
self.metrics.inc_evictions(EvictionReason.invalidation)

def __contains__(self, key: KT) -> bool:
return key in self._cache

Expand Down Expand Up @@ -207,14 +193,6 @@ async def _prune_cache(self) -> None:
len(self),
)

def invalidate_all(self) -> None:
"""
Remove all items from the cache.
"""
keys = set(self._cache.keys())
for key in keys:
self._cache.pop(key)

def __len__(self) -> int:
if self.iterable:
return sum(len(entry.value) for entry in self._cache.values())
Expand Down
34 changes: 1 addition & 33 deletions tests/handlers/test_oauth_delegation.py
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@

from http import HTTPStatus
from typing import Any, Dict, Union
from unittest.mock import ANY, AsyncMock, Mock
from unittest.mock import ANY, Mock
from urllib.parse import parse_qs

from signedjson.key import (
Expand Down Expand Up @@ -588,38 +588,6 @@ def test_introspection_token_cache(self) -> None:
)
self.assertEqual(self.http_client.request.call_count, 2)

def test_revocation_endpoint(self) -> None:
# mock introspection response and then admin verification response
self.http_client.request = AsyncMock(
side_effect=[
FakeResponse.json(
code=200, payload={"active": True, "jti": "open_sesame"}
),
FakeResponse.json(
code=200,
payload={
"active": True,
"sub": SUBJECT,
"scope": " ".join([SYNAPSE_ADMIN_SCOPE, MATRIX_USER_SCOPE]),
"username": USERNAME,
},
),
]
)

# cache a token to delete
introspection_token = self.get_success(
self.auth._introspect_token("open_sesame") # type: ignore[attr-defined]
)
self.assertEqual(self.auth._token_cache.get("open_sesame"), introspection_token) # type: ignore[attr-defined]

# delete the revoked token
introspection_token_id = "open_sesame"
url = f"/_synapse/admin/v1/OIDC_token_revocation/{introspection_token_id}"
channel = self.make_request("DELETE", url, access_token="mockAccessToken")
self.assertEqual(channel.code, 200)
self.assertEqual(self.auth._token_cache.get("open_sesame"), None) # type: ignore[attr-defined]

def make_device_keys(self, user_id: str, device_id: str) -> JsonDict:
# We only generate a master key to simplify the test.
master_signing_key = generate_signing_key(device_id)
Expand Down
62 changes: 0 additions & 62 deletions tests/replication/test_intro_token_invalidation.py

This file was deleted.

0 comments on commit be3aa4e

Please sign in to comment.