From 921f29a8578a10da19b4f1b21f9495127b8dc497 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Thu, 31 Aug 2023 12:08:14 +0200
Subject: [PATCH 1/3] Do not check for internal account lock for MSC3861 delegated auth
---
 changelog.d/16215.bugfix | 1 +
 synapse/api/auth/msc3861_delegated.py | 11 -----------
 2 files changed, 1 insertion(+), 11 deletions(-)
 create mode 100644 changelog.d/16215.bugfix
diff --git a/changelog.d/16215.bugfix b/changelog.d/16215.bugfix
new file mode 100644
index 000000000000..9247b0eda1f5
--- /dev/null
+++ b/changelog.d/16215.bugfix
@@ -0,0 +1 @@
+Fix a bug where admin tokens stopped working with MSC3861 auth delegation was enabled.
\ No newline at end of file
diff --git a/synapse/api/auth/msc3861_delegated.py b/synapse/api/auth/msc3861_delegated.py
index 14cba50c9082..3cf00dd53929 100644
--- a/synapse/api/auth/msc3861_delegated.py
+++ b/synapse/api/auth/msc3861_delegated.py
@@ -282,17 +282,6 @@ async def get_user_by_req(
 "Impersonation not possible by a non admin user",
 )
- # Deny the request if the user account is locked.
- if not allow_locked and await self.store.get_user_locked_status(
- requester.user.to_string()
- ):
- raise AuthError(
- 401,
- "User account has been locked",
- errcode=Codes.USER_LOCKED,
- additional_fields={"soft_logout": True},
- )
-
 if not allow_guest and requester.is_guest:
 raise OAuthInsufficientScopeError([SCOPE_MATRIX_API])
From 99a7fa859fc86969a0995e7dba457ae31cce2b51 Mon Sep 17 00:00:00 2001
From: Mathieu Velten
Date: Thu, 31 Aug 2023 14:19:33 +0200
Subject: [PATCH 2/3] lint
---
 synapse/api/auth/msc3861_delegated.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/synapse/api/auth/msc3861_delegated.py b/synapse/api/auth/msc3861_delegated.py
index 3cf00dd53929..da21accdd0e0 100644
--- a/synapse/api/auth/msc3861_delegated.py
+++ b/synapse/api/auth/msc3861_delegated.py
@@ -28,7 +28,6 @@
 from synapse.api.auth.base import BaseAuth
 from synapse.api.errors import (
 AuthError,
- Codes,
 HttpResponseException,
 InvalidClientTokenError,
 OAuthInsufficientScopeError,
From 10b4e12a2f6496fcb963077437eda62ebe864f41 Mon Sep 17 00:00:00 2001
From: Hugh Nimmo-Smith
Date: Mon, 4 Sep 2023 12:13:45 +0100
Subject: [PATCH 3/3] Add unit tests
---
 tests/handlers/test_oauth_delegation.py | 37 +++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/tests/handlers/test_oauth_delegation.py b/tests/handlers/test_oauth_delegation.py
index b891e8469041..3baeb28e620f 100644
--- a/tests/handlers/test_oauth_delegation.py
+++ b/tests/handlers/test_oauth_delegation.py
@@ -122,6 +122,7 @@ def default_config(self) -> Dict[str, Any]:
 "client_id": CLIENT_ID,
 "client_auth_method": "client_secret_post",
 "client_secret": CLIENT_SECRET,
+ "admin_token": "admin_token_value",
 }
 }
 return config
@@ -791,3 +792,39 @@ def test_admin_api_endpoints_removed(self) -> None:
 self.expect_unrecognized("GET", "/_synapse/admin/v1/users/foo/admin")
 self.expect_unrecognized("PUT", "/_synapse/admin/v1/users/foo/admin")
 self.expect_unrecognized("POST", "/_synapse/admin/v1/account_validity/validity")
+
+ def test_admin_token(self) -> None:
+ """The handler should return a requester with admin rights when admin_token is used."""
+
+ request = Mock(args={})
+ request.args[b"access_token"] = [b"admin_token_value"]
+ request.requestHeaders.getRawHeaders = mock_getRawHeaders()
+ requester = self.get_success(self.auth.get_user_by_req(request))
+ self.assertEqual(
+ requester.user.to_string(), "@%s:%s" % ("__oidc_admin", SERVER_NAME)
+ )
+ self.assertEqual(requester.is_guest, False)
+ self.assertEqual(requester.device_id, None)
+ self.assertEqual(
+ get_awaitable_result(self.auth.is_server_admin(requester)), True
+ )
+
+ def test_oidc_admin_impersonate_user_id(self) -> None:
+ """The handler should return a requester with the correct user when _oidc_admin_impersonate_user_id param is used."""
+
+ request = Mock(
+ args={
+ b"_oidc_admin_impersonate_user_id": [
+ ("@foo:" + SERVER_NAME).encode("ascii")
+ ],
+ b"access_token": [b"admin_token_value"],
+ }
+ )
+ request.requestHeaders.getRawHeaders = mock_getRawHeaders()
+ requester = self.get_success(self.auth.get_user_by_req(request))
+ self.assertEqual(requester.user.to_string(), "@%s:%s" % ("foo", SERVER_NAME))
+ self.assertEqual(requester.is_guest, False)
+ self.assertEqual(requester.device_id, None)
+ self.assertEqual(
+ get_awaitable_result(self.auth.is_server_admin(requester)), False
+ )
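Review bot: Both new tests exercise only the success path with the configured admin token, so the deny branch that matters most for this feature — a request carrying `_oidc_admin_impersonate_user_id` with a token that is not the admin token, which the first patch's context lines show should fail with "Impersonation not possible by a non admin user" — has no coverage, and neither does the behaviour change the series actually makes (the internal locked-account check is gone, so a locked user under MSC3861 is presumably now admitted on the strength of the delegated token alone; a test should pin that so a later refactor does not silently flip it either way). A negative impersonation test is a small addition; the exact exception type depends on how this class mocks introspection for ordinary tokens, which is outside the hunk, so adjust the expected error accordingly. I would also state in `test_admin_token`'s docstring that the admin token bypasses introspection entirely if that is the case, since the test otherwise reads as if the token were being validated against the provider.
```python
def test_oidc_admin_impersonate_user_id_requires_admin_token(self) -> None:
    """A token other than admin_token must not be able to impersonate a user."""
    request = Mock(
        args={
            b"_oidc_admin_impersonate_user_id": [
                ("@foo:" + SERVER_NAME).encode("ascii")
            ],
            b"access_token": [b"not_the_admin_token"],
        }
    )
    request.requestHeaders.getRawHeaders = mock_getRawHeaders()
    # … set up the introspection mock for an ordinary (non-admin) token as the
    # other tests in this class do …
    self.get_failure(self.auth.get_user_by_req(request), AuthError)
```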