OpenCloud
/
MatrixSynapse
mirror of https://github.com/matrix-org/synapse
1
0
Fork 0
Code Issues Releases Wiki Activity
MatrixSynapse/synapse/api/auth.py

457 lines
15 KiB
Python
Raw Normal View History

Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
# -*- coding: utf-8 -*-
fix the copyright holder from matrix.org to OpenMarket Ltd, as matrix.org hasn't been incorporated in time for launch.
2014-09-03 18:29:13 +02:00
# Copyright 2014 OpenMarket Ltd
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
add in whitespace after copyright statements to improve legibility
2014-08-13 04:14:34 +02:00
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
"""This module contains classes for authenticating the user."""
fix whitespace
2014-08-13 21:53:38 +02:00
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
from twisted.internet import defer
Implement power level lists, default power levels and send_evnet_level/add_state_level events.
2014-09-01 14:44:19 +02:00
from synapse.api.constants import Membership, JoinRules
Validate power levels event changes. Change error messages to be more helpful. Fix bug where we checked the wrong power levels
2014-09-05 22:54:16 +02:00
from synapse.api.errors import AuthError, StoreError, Codes, SynapseError
SYN-12: Implement auth for deletion by adding a 'delete_level' on the ops levels event SYN-12 # comment Auth has been added.
2014-09-23 18:36:17 +02:00
from synapse.api.events.room import (
Rename deletions to redactions
2014-09-24 16:27:59 +02:00
RoomMemberEvent, RoomPowerLevelsEvent, RoomRedactionEvent,
SYN-12: Implement auth for deletion by adding a 'delete_level' on the ops levels event SYN-12 # comment Auth has been added.
2014-09-23 18:36:17 +02:00
)
Implement power level lists, default power levels and send_evnet_level/add_state_level events.
2014-09-01 14:44:19 +02:00
from synapse.util.logutils import log_function
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
import logging
logger = logging.getLogger(__name__)
class Auth(object):
def __init__(self, hs):
self.hs = hs
self.store = hs.get_datastore()
@defer.inlineCallbacks
Take a snapshot of the state of the room before performing updates
2014-08-22 18:00:10 +02:00
def check(self, event, snapshot, raises=False):
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
""" Checks if this event is correctly authed.
Returns:
True if the auth checks pass.
Raises:
AuthError if there was a problem authorising this event. This will
be raised only if raises=True.
"""
try:
Impl: /rooms/roomid/state/eventtype/state_key - Renamed RoomTopicRestServlet to RoomStateEventRestServlet. Support generic state event sending.
2014-08-22 16:59:15 +02:00
if hasattr(event, "room_id"):
Add all the necessary checks to make banning work.
2014-09-01 19:24:56 +02:00
is_state = hasattr(event, "state_key")
Impl: /rooms/roomid/state/eventtype/state_key - Renamed RoomTopicRestServlet to RoomStateEventRestServlet. Support generic state event sending.
2014-08-22 16:59:15 +02:00
if event.type == RoomMemberEvent.TYPE:
Add all the necessary checks to make banning work.
2014-09-01 19:24:56 +02:00
yield self._can_replace_state(event)
Impl: /rooms/roomid/state/eventtype/state_key - Renamed RoomTopicRestServlet to RoomStateEventRestServlet. Support generic state event sending.
2014-08-22 16:59:15 +02:00
allowed = yield self.is_membership_change_allowed(event)
defer.returnValue(allowed)
Implement power level lists, default power levels and send_evnet_level/add_state_level events.
2014-09-01 14:44:19 +02:00
return
self._check_joined_room(
member=snapshot.membership_state,
user_id=snapshot.user_id,
room_id=snapshot.room_id,
)
Add all the necessary checks to make banning work.
2014-09-01 19:24:56 +02:00
if is_state:
Add beginnings of ban support.
2014-09-01 17:15:34 +02:00
# TODO (erikj): This really only should be called for *new*
# state
Implement power level lists, default power levels and send_evnet_level/add_state_level events.
2014-09-01 14:44:19 +02:00
yield self._can_add_state(event)
Add all the necessary checks to make banning work.
2014-09-01 19:24:56 +02:00
yield self._can_replace_state(event)
Impl: /rooms/roomid/state/eventtype/state_key - Renamed RoomTopicRestServlet to RoomStateEventRestServlet. Support generic state event sending.
2014-08-22 16:59:15 +02:00
else:
Implement power level lists, default power levels and send_evnet_level/add_state_level events.
2014-09-01 14:44:19 +02:00
yield self._can_send_event(event)
AUth the contents of power level events
2014-09-04 17:40:23 +02:00
if event.type == RoomPowerLevelsEvent.TYPE:
yield self._check_power_levels(event)
Rename deletions to redactions
2014-09-24 16:27:59 +02:00
if event.type == RoomRedactionEvent.TYPE:
yield self._check_redaction(event)
SYN-12: Implement auth for deletion by adding a 'delete_level' on the ops levels event SYN-12 # comment Auth has been added.
2014-09-23 18:36:17 +02:00
Implement power level lists, default power levels and send_evnet_level/add_state_level events.
2014-09-01 14:44:19 +02:00
defer.returnValue(True)
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
else:
Impl: /rooms/roomid/state/eventtype/state_key - Renamed RoomTopicRestServlet to RoomStateEventRestServlet. Support generic state event sending.
2014-08-22 16:59:15 +02:00
raise AuthError(500, "Unknown event: %s" % event)
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
except AuthError as e:
logger.info("Event auth check failed on event %s with msg: %s",
event, e.msg)
if raises:
raise e
defer.returnValue(False)
@defer.inlineCallbacks
def check_joined_room(self, room_id, user_id):
try:
member = yield self.store.get_room_member(
room_id=room_id,
user_id=user_id
)
Take a snapshot of the state of the room before performing updates
2014-08-22 18:00:10 +02:00
self._check_joined_room(member, user_id, room_id)
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
defer.returnValue(member)
except AttributeError:
pass
defer.returnValue(None)
Take a snapshot of the state of the room before performing updates
2014-08-22 18:00:10 +02:00
def _check_joined_room(self, member, user_id, room_id):
if not member or member.membership != Membership.JOIN:
add _get_room_member, fix datastore methods
2014-08-27 16:31:04 +02:00
raise AuthError(403, "User %s not in room %s (%s)" % (
user_id, room_id, repr(member)
))
Take a snapshot of the state of the room before performing updates
2014-08-22 18:00:10 +02:00
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
@defer.inlineCallbacks
def is_membership_change_allowed(self, event):
Removed member list servlet: now using generic state paths.
2014-08-26 10:26:07 +02:00
target_user_id = event.state_key
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
# does this room even exist
room = yield self.store.get_room(event.room_id)
if not room:
raise AuthError(403, "Room does not exist")
# get info about the caller
try:
caller = yield self.store.get_room_member(
user_id=event.user_id,
room_id=event.room_id)
except:
caller = None
caller_in_room = caller and caller.membership == "join"
# get info about the target
try:
target = yield self.store.get_room_member(
Removed member list servlet: now using generic state paths.
2014-08-26 10:26:07 +02:00
user_id=target_user_id,
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
room_id=event.room_id)
except:
target = None
target_in_room = target and target.membership == "join"
membership = event.content["membership"]
Implement power level lists, default power levels and send_evnet_level/add_state_level events.
2014-09-01 14:44:19 +02:00
join_rule = yield self.store.get_room_join_rule(event.room_id)
if not join_rule:
join_rule = JoinRules.INVITE
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
if Membership.INVITE == membership:
Implement power level lists, default power levels and send_evnet_level/add_state_level events.
2014-09-01 14:44:19 +02:00
# TODO (erikj): We should probably handle this more intelligently
# PRIVATE join rules.
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
# Invites are valid iff caller is in the room and target isn't.
if not caller_in_room: # caller isn't joined
raise AuthError(403, "You are not in room %s." % event.room_id)
elif target_in_room: # the target is already in the room.
raise AuthError(403, "%s is already in the room." %
Removed member list servlet: now using generic state paths.
2014-08-26 10:26:07 +02:00
target_user_id)
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
elif Membership.JOIN == membership:
# Joins are valid iff caller == target and they were:
# invited: They are accepting the invitation
# joined: It's a NOOP
Removed member list servlet: now using generic state paths.
2014-08-26 10:26:07 +02:00
if event.user_id != target_user_id:
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
raise AuthError(403, "Cannot force another user to join.")
Implement power level lists, default power levels and send_evnet_level/add_state_level events.
2014-09-01 14:44:19 +02:00
elif join_rule == JoinRules.PUBLIC or room.is_public:
pass
elif join_rule == JoinRules.INVITE:
if (
not caller or caller.membership not in
[Membership.INVITE, Membership.JOIN]
):
raise AuthError(403, "You are not invited to this room.")
else:
# TODO (erikj): may_join list
# TODO (erikj): private rooms
raise AuthError(403, "You are not allowed to join this room")
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
elif Membership.LEAVE == membership:
Add beginnings of ban support.
2014-09-01 17:15:34 +02:00
# TODO (erikj): Implement kicks.
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
if not caller_in_room: # trying to leave a room you aren't joined
raise AuthError(403, "You are not in room %s." % event.room_id)
Removed member list servlet: now using generic state paths.
2014-08-26 10:26:07 +02:00
elif target_user_id != event.user_id:
Implement auth for kicking.
2014-09-02 11:52:49 +02:00
user_level = yield self.store.get_power_level(
event.room_id,
event.user_id,
)
SYN-12: Implement auth for deletion by adding a 'delete_level' on the ops levels event SYN-12 # comment Auth has been added.
2014-09-23 18:36:17 +02:00
_, kick_level, _ = yield self.store.get_ops_levels(event.room_id)
Implement auth for kicking.
2014-09-02 11:52:49 +02:00
Fix bug where we didn't correctly store the ops power levels event.
2014-09-02 13:11:52 +02:00
if kick_level:
kick_level = int(kick_level)
else:
Change the default power levels to be 0, 50 and 100
2014-09-04 17:16:26 +02:00
kick_level = 50
Fix bug where we didn't correctly store the ops power levels event.
2014-09-02 13:11:52 +02:00
Implement auth for kicking.
2014-09-02 11:52:49 +02:00
if user_level < kick_level:
raise AuthError(
403, "You cannot kick user %s." % target_user_id
)
Add beginnings of ban support.
2014-09-01 17:15:34 +02:00
elif Membership.BAN == membership:
user_level = yield self.store.get_power_level(
event.room_id,
event.user_id,
)
SYN-12: Implement auth for deletion by adding a 'delete_level' on the ops levels event SYN-12 # comment Auth has been added.
2014-09-23 18:36:17 +02:00
ban_level, _, _ = yield self.store.get_ops_levels(event.room_id)
Add beginnings of ban support.
2014-09-01 17:15:34 +02:00
if ban_level:
ban_level = int(ban_level)
else:
Change the default power levels to be 0, 50 and 100
2014-09-04 17:16:26 +02:00
ban_level = 50 # FIXME (erikj): What should we do here?
Add beginnings of ban support.
2014-09-01 17:15:34 +02:00
Add all the necessary checks to make banning work.
2014-09-01 19:24:56 +02:00
if user_level < ban_level:
Add beginnings of ban support.
2014-09-01 17:15:34 +02:00
raise AuthError(403, "You don't have permission to ban")
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
else:
raise AuthError(500, "Unknown membership %s" % membership)
defer.returnValue(True)
Track the IP users connect with. Add an admin column to users table.
2014-09-26 17:36:24 +02:00
@defer.inlineCallbacks
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
def get_user_by_req(self, request):
""" Get a registered user's ID.
Args:
request - An HTTP request with an access_token query parameter.
Returns:
UserID : User ID object of the user making the request
Raises:
AuthError if no user by that token exists or the token is invalid.
"""
# Can optionally look elsewhere in the request (e.g. headers)
try:
Track the IP users connect with. Add an admin column to users table.
2014-09-26 17:36:24 +02:00
access_token = request.args["access_token"][0]
user = yield self.get_user_by_token(access_token)
ip_addr = self.hs.get_ip_from_request(request)
if user and access_token and ip_addr:
self.store.insert_client_ip(user, access_token, ip_addr)
defer.returnValue(user)
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
except KeyError:
raise AuthError(403, "Missing access token.")
@defer.inlineCallbacks
def get_user_by_token(self, token):
""" Get a registered user's ID.
Args:
token (str)- The access token to get the user by.
Returns:
UserID : User ID object of the user who has that access token.
Raises:
AuthError if no user by that token exists or the token is invalid.
"""
try:
user_id = yield self.store.get_user_by_token(token=token)
Modified /join/$identifier to support $identifier being a room ID in addition to a room alias.
2014-08-27 10:43:42 +02:00
if not user_id:
raise StoreError()
Reference Matrix Home Server
2014-08-12 16:10:52 +02:00
defer.returnValue(self.hs.parse_userid(user_id))
except StoreError:
Added M_UNKNOWN_TOKEN error code and send it when there is an unrecognised access_token
2014-08-14 14:47:39 +02:00
raise AuthError(403, "Unrecognised access token.",
errcode=Codes.UNKNOWN_TOKEN)
Implement power level lists, default power levels and send_evnet_level/add_state_level events.
2014-09-01 14:44:19 +02:00
@defer.inlineCallbacks
@log_function
def _can_send_event(self, event):
send_level = yield self.store.get_send_event_level(event.room_id)
if send_level:
send_level = int(send_level)
else:
send_level = 0
user_level = yield self.store.get_power_level(
event.room_id,
event.user_id,
)
if user_level:
user_level = int(user_level)
else:
user_level = 0
if user_level < send_level:
raise AuthError(
403, "You don't have permission to post to the room"
)
defer.returnValue(True)
@defer.inlineCallbacks
def _can_add_state(self, event):
add_level = yield self.store.get_add_state_level(event.room_id)
if not add_level:
defer.returnValue(True)
add_level = int(add_level)
user_level = yield self.store.get_power_level(
event.room_id,
event.user_id,
)
user_level = int(user_level)
if user_level < add_level:
raise AuthError(
403, "You don't have permission to add state to the room"
)
defer.returnValue(True)
Add all the necessary checks to make banning work.
2014-09-01 19:24:56 +02:00
@defer.inlineCallbacks
def _can_replace_state(self, event):
current_state = yield self.store.get_current_state(
event.room_id,
event.type,
event.state_key,
)
if current_state:
current_state = current_state[0]
user_level = yield self.store.get_power_level(
event.room_id,
event.user_id,
)
if user_level:
user_level = int(user_level)
else:
user_level = 0
Validate power levels event changes. Change error messages to be more helpful. Fix bug where we checked the wrong power levels
2014-09-05 22:54:16 +02:00
logger.debug(
"Checking power level for %s, %s", event.user_id, user_level
)
Add all the necessary checks to make banning work.
2014-09-01 19:24:56 +02:00
if current_state and hasattr(current_state, "required_power_level"):
req = current_state.required_power_level
logger.debug("Checked power level for %s, %s", event.user_id, req)
if user_level < req:
raise AuthError(
403,
"You don't have permission to change that state"
)
AUth the contents of power level events
2014-09-04 17:40:23 +02:00
SYN-12: Implement auth for deletion by adding a 'delete_level' on the ops levels event SYN-12 # comment Auth has been added.
2014-09-23 18:36:17 +02:00
@defer.inlineCallbacks
Rename deletions to redactions
2014-09-24 16:27:59 +02:00
def _check_redaction(self, event):
SYN-12: Implement auth for deletion by adding a 'delete_level' on the ops levels event SYN-12 # comment Auth has been added.
2014-09-23 18:36:17 +02:00
user_level = yield self.store.get_power_level(
event.room_id,
event.user_id,
)
if user_level:
user_level = int(user_level)
else:
user_level = 0
Rename deletions to redactions
2014-09-24 16:27:59 +02:00
_, _, redact_level = yield self.store.get_ops_levels(event.room_id)
SYN-12: Implement auth for deletion by adding a 'delete_level' on the ops levels event SYN-12 # comment Auth has been added.
2014-09-23 18:36:17 +02:00
Rename deletions to redactions
2014-09-24 16:27:59 +02:00
if not redact_level:
redact_level = 50
SYN-12: Implement auth for deletion by adding a 'delete_level' on the ops levels event SYN-12 # comment Auth has been added.
2014-09-23 18:36:17 +02:00
Rename deletions to redactions
2014-09-24 16:27:59 +02:00
if user_level < redact_level:
SYN-12: Implement auth for deletion by adding a 'delete_level' on the ops levels event SYN-12 # comment Auth has been added.
2014-09-23 18:36:17 +02:00
raise AuthError(
403,
Rename deletions to redactions
2014-09-24 16:27:59 +02:00
"You don't have permission to redact events"
SYN-12: Implement auth for deletion by adding a 'delete_level' on the ops levels event SYN-12 # comment Auth has been added.
2014-09-23 18:36:17 +02:00
)
AUth the contents of power level events
2014-09-04 17:40:23 +02:00
@defer.inlineCallbacks
def _check_power_levels(self, event):
Validate power levels event changes. Change error messages to be more helpful. Fix bug where we checked the wrong power levels
2014-09-05 22:54:16 +02:00
for k, v in event.content.items():
if k == "default":
continue
# FIXME (erikj): We don't want hsob_Ts in content.
if k == "hsob_ts":
continue
try:
self.hs.parse_userid(k)
except:
raise SynapseError(400, "Not a valid user_id: %s" % (k,))
try:
int(v)
except:
raise SynapseError(400, "Not a valid power level: %s" % (v,))
AUth the contents of power level events
2014-09-04 17:40:23 +02:00
current_state = yield self.store.get_current_state(
event.room_id,
event.type,
event.state_key,
)
Generate m.room.aliases event when the HS creates a room alias
2014-09-05 22:35:56 +02:00
if not current_state:
return
else:
current_state = current_state[0]
AUth the contents of power level events
2014-09-04 17:40:23 +02:00
user_level = yield self.store.get_power_level(
event.room_id,
event.user_id,
)
if user_level:
user_level = int(user_level)
else:
user_level = 0
old_list = current_state.content
# FIXME (erikj)
old_people = {k: v for k, v in old_list.items() if k.startswith("@")}
Validate power levels event changes. Change error messages to be more helpful. Fix bug where we checked the wrong power levels
2014-09-05 22:54:16 +02:00
new_people = {
k: v for k, v in event.content.items()
if k.startswith("@")
}
AUth the contents of power level events
2014-09-04 17:40:23 +02:00
removed = set(old_people.keys()) - set(new_people.keys())
SYN-70: And fix another bug where I can't type
2014-09-24 17:19:29 +02:00
added = set(new_people.keys()) - set(old_people.keys())
AUth the contents of power level events
2014-09-04 17:40:23 +02:00
same = set(old_people.keys()) & set(new_people.keys())
for r in removed:
SYN-70: Fix typo
2014-09-24 17:15:58 +02:00
if int(old_list[r]) > user_level:
AUth the contents of power level events
2014-09-04 17:40:23 +02:00
raise AuthError(
403,
Validate power levels event changes. Change error messages to be more helpful. Fix bug where we checked the wrong power levels
2014-09-05 22:54:16 +02:00
"You don't have permission to remove user: %s" % (r, )
AUth the contents of power level events
2014-09-04 17:40:23 +02:00
)
Validate power levels event changes. Change error messages to be more helpful. Fix bug where we checked the wrong power levels
2014-09-05 22:54:16 +02:00
for n in added:
AUth the contents of power level events
2014-09-04 17:40:23 +02:00
if int(event.content[n]) > user_level:
raise AuthError(
403,
Validate power levels event changes. Change error messages to be more helpful. Fix bug where we checked the wrong power levels
2014-09-05 22:54:16 +02:00
"You don't have permission to add ops level greater "
"than your own"
AUth the contents of power level events
2014-09-04 17:40:23 +02:00
)
for s in same:
if int(event.content[s]) != int(old_list[s]):
Validate power levels event changes. Change error messages to be more helpful. Fix bug where we checked the wrong power levels
2014-09-05 22:54:16 +02:00
if int(event.content[s]) > user_level:
AUth the contents of power level events
2014-09-04 17:40:23 +02:00
raise AuthError(
403,
Validate power levels event changes. Change error messages to be more helpful. Fix bug where we checked the wrong power levels
2014-09-05 22:54:16 +02:00
"You don't have permission to add ops level greater "
"than your own"
AUth the contents of power level events
2014-09-04 17:40:23 +02:00
)
if "default" in old_list:
old_default = int(old_list["default"])
if old_default > user_level:
raise AuthError(
403,
Validate power levels event changes. Change error messages to be more helpful. Fix bug where we checked the wrong power levels
2014-09-05 22:54:16 +02:00
"You don't have permission to add ops level greater than "
"your own"
AUth the contents of power level events
2014-09-04 17:40:23 +02:00
)
if "default" in event.content:
new_default = int(event.content["default"])
if new_default > user_level:
raise AuthError(
403,
Validate power levels event changes. Change error messages to be more helpful. Fix bug where we checked the wrong power levels
2014-09-05 22:54:16 +02:00
"You don't have permission to add ops level greater "
"than your own"
AUth the contents of power level events
2014-09-04 17:40:23 +02:00
)