From 79c0aa1987378ed0ad434b962022841d69199bc3 Mon Sep 17 00:00:00 2001
From: Patrick Cloke
Date: Mon, 2 Mar 2020 16:35:38 -0500
Subject: [PATCH] Remove tests that call query_auth endpoint.
---
 tests/50federation/42query-auth.pl | 42 --------------------
 tests/50federation/50server-acl-endpoints.pl | 19 ---------
 2 files changed, 61 deletions(-)
 delete mode 100644 tests/50federation/42query-auth.pl
diff --git a/tests/50federation/42query-auth.pl b/tests/50federation/42query-auth.pl
deleted file mode 100644
index 29a9e6147..000000000
--- a/tests/50federation/42query-auth.pl
+++ /dev/null
@@ -1,42 +0,0 @@
-use Future::Utils qw( repeat );
-
-test "Querying auth checks the events requested belong to the room",
- requires => [ $main::OUTBOUND_CLIENT,
- local_user_and_room_fixtures(),
- local_user_and_room_fixtures(),
- federation_user_id_fixture() ],
- do => sub {
- my ( $outbound_client, $priv_creator, $priv_room_id,
- $pub_creator, $pub_room_id, $fed_user_id ) = @_;
- my $first_home_server = $pub_creator->server_name;
-
- my $local_server_name = $outbound_client->server_name;
-
- my $priv_join_event;
-
- # Join the public room, but don't touch the private one
- $outbound_client->join_room(
- server_name => $first_home_server,
- room_id => $pub_room_id,
- user_id => $fed_user_id,
- )->then( sub {
- # Send an event into the private room
- matrix_send_room_text_message( $priv_creator, $priv_room_id,
- body => "Hello world",
- )
- })->then( sub {
- my ( $priv_event_id ) = @_;
-
- # We specifically use the public room, but the private event ID
- # That's the point of this test.
- $outbound_client->do_request_json(
- method => "POST",
- hostname => $first_home_server,
- uri => "/v1/query_auth/$pub_room_id/$priv_event_id",
-
- content => {
- auth_chain => [], # This is part of the exploit
- }
- )->main::expect_m_not_found;
- });
- };
diff --git a/tests/50federation/50server-acl-endpoints.pl b/tests/50federation/50server-acl-endpoints.pl
index c8ef3eea6..400b2a72c 100644
--- a/tests/50federation/50server-acl-endpoints.pl
+++ b/tests/50federation/50server-acl-endpoints.pl
@@ -28,7 +28,6 @@
 [ "get room state ids", *can_get_state_ids ],
 [ "backfill", *can_backfill ],
 [ "/event_auth", *can_event_auth ],
- [ "query auth", *can_query_auth ],
 [ "get missing events", *can_get_missing_events ],
 );

@@ -240,24 +239,6 @@ sub can_event_auth {
 );
 }

-sub can_query_auth {
- my ( %params ) = @_;
- my $room = $params{room};
- my $room_id = $room->{room_id};
- my $event_id = $room->id_for_event($room->{prev_events}[-1]);
-
- maybe_expect_forbidden(
- $params{outbound_client}->do_request_json(
- method => "POST",
- hostname => $params{dest_server},
- uri => "/v1/query_auth/$room_id/$event_id",
- content => {
- auth_chain => [],
- },
- ), $params{expect_ban}, "/query_auth",
- );
-}
-
 sub can_get_missing_events {
 my ( %params ) = @_;
 my $room = $params{room};