# -*- coding: utf-8 -*-
# Copyright 2014 - 2016 OpenMarket Ltd
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import logging
import pymacaroons
from twisted.internet import defer
import synapse.types
from synapse import event_auth
from synapse.api.constants import EventTypes, Membership, JoinRules
from synapse.api.errors import AuthError, Codes
from synapse.types import UserID
from synapse.util import logcontext
from synapse.util.metrics import Measure
logger = logging.getLogger(__name__)


# Event types that take part in event authorisation.  Not referenced by the
# code visible in this file; presumably consumed by other modules -- confirm
# before changing.
AuthEventTypes = (
    EventTypes.Create,
    EventTypes.Member,
    EventTypes.PowerLevels,
    EventTypes.JoinRules,
    EventTypes.RoomHistoryVisibility,
    EventTypes.ThirdPartyInvite,
)

# guests always get this device id.
GUEST_DEVICE_ID = "guest_device"
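class Auth(object):
    """Authentication helpers for the homeserver.

    FIXME: This class contains a mix of functions for authenticating users
    of our client-server API and authenticating events added to room graphs.
    """

    def __init__(self, hs):
        """
        Args:
            hs: the homeserver; provides the clock, datastore, state handler
                and config used by the methods below.
        """
        self.hs = hs
        self.clock = hs.get_clock()
        self.store = hs.get_datastore()
        self.state = hs.get_state_handler()
        # HTTP status used when a request carries no usable access token.
        self.TOKEN_NOT_FOUND_HTTP_STATUS = 401

    @defer.inlineCallbacks
    def check_from_context(self, event, context, do_sig_check=True):
        """Auth-check ``event`` against the state recorded in ``context``.

        The auth event ids are derived from ``context.prev_state_ids`` (with
        ``for_verification=True``), the events are loaded from the store and
        handed to :meth:`check`.

        Args:
            event: the event being checked.
            context: event context exposing a ``prev_state_ids`` map of
                (event type, state_key) -> event id.
            do_sig_check (bool): forwarded to ``event_auth.check``.

        Returns:
            Deferred: fires with None once the check has run; a failed check
            is reported by ``event_auth.check`` (presumably by raising).
        """
        auth_events_ids = yield self.compute_auth_events(
            event, context.prev_state_ids, for_verification=True,
        )
        loaded = yield self.store.get_events(auth_events_ids)
        # Re-key by (type, state_key), which is the shape event_auth expects.
        auth_events = {
            (e.type, e.state_key): e for e in loaded.values()
        }
        self.check(event, auth_events=auth_events, do_sig_check=do_sig_check)

    def check(self, event, auth_events, do_sig_check=True):
        """ Checks if this event is correctly authed.

        Args:
            event: the event being checked.
            auth_events (dict: event-key -> event): the existing room state.
            do_sig_check (bool): forwarded to ``event_auth.check``.

        Returns:
            None.  Nothing is returned on success; the outcome is signalled by
            ``event_auth.check`` itself, so callers must not rely on a truthy
            return value.
        """
        with Measure(self.clock, "auth.check"):
            event_auth.check(event, auth_events, do_sig_check=do_sig_check)

    @defer.inlineCallbacks
    def check_joined_room(self, room_id, user_id, current_state=None):
        """Check if the user is currently joined in the room

        Args:
            room_id(str): The room to check.
            user_id(str): The user to check.
            current_state(dict): Optional map of the current state of the room.
                If provided then that map is used to check whether they are a
                member of the room. Otherwise the current membership is
                loaded from the database.  Note that an *empty* map is treated
                like no map at all and falls back to the database.
        Raises:
            AuthError if the user is not in the room.
        Returns:
            A deferred membership event for the user if the user is in
            the room.
        """
        if current_state:
            member = current_state.get(
                (EventTypes.Member, user_id),
                None
            )
        else:
            member = yield self.state.get_current_state(
                room_id=room_id,
                event_type=EventTypes.Member,
                state_key=user_id
            )

        self._check_joined_room(member, user_id, room_id)
        defer.returnValue(member)

    @defer.inlineCallbacks
    def check_user_was_in_room(self, room_id, user_id):
        """Check if the user was in the room at some point.

        Args:
            room_id(str): The room to check.
            user_id(str): The user to check.

        Raises:
            AuthError if the user was never in the room, or has left it and
            subsequently "forgotten" it (``store.did_forget``).

        Returns:
            A deferred membership event for the user if the user was in the
            room. This will be the join event if they are currently joined to
            the room. This will be the leave event if they have left the room.
        """
        member = yield self.state.get_current_state(
            room_id=room_id,
            event_type=EventTypes.Member,
            state_key=user_id
        )
        membership = member.membership if member else None

        if membership not in (Membership.JOIN, Membership.LEAVE):
            raise AuthError(403, "User %s not in room %s" % (
                user_id, room_id
            ))

        if membership == Membership.LEAVE:
            # A user who has left and then forgotten the room is treated as
            # never having been in it.
            forgot = yield self.store.did_forget(user_id, room_id)
            if forgot:
                raise AuthError(403, "User %s not in room %s" % (
                    user_id, room_id
                ))

        defer.returnValue(member)

    @defer.inlineCallbacks
    def check_host_in_room(self, room_id, host):
        """Check whether ``host`` has any joined users in ``room_id``.

        The room's current state is resolved from its latest event ids and
        the resulting state group is passed to ``store.is_host_joined``.

        Args:
            room_id (str): the room to check.
            host (str): the server name to look for.

        Returns:
            Deferred: fires with whatever ``store.is_host_joined`` returns
            (a bool, presumably).
        """
        with Measure(self.clock, "check_host_in_room"):
            latest_event_ids = yield self.store.get_latest_event_ids_in_room(room_id)

            logger.debug("calling resolve_state_groups from check_host_in_room")
            entry = yield self.state.resolve_state_groups(
                room_id, latest_event_ids
            )

            ret = yield self.store.is_host_joined(
                room_id, host, entry.state_group, entry.state
            )
            defer.returnValue(ret)

    def _check_joined_room(self, member, user_id, room_id):
        """Raise unless ``member`` is a membership event with membership "join".

        Args:
            member: the user's membership event, or None if there is none.
            user_id (str): used only for the error message.
            room_id (str): used only for the error message.

        Raises:
            AuthError: 403 if there is no membership event or it is not a join.
        """
        if not member or member.membership != Membership.JOIN:
            raise AuthError(403, "User %s not in room %s (%s)" % (
                user_id, room_id, repr(member)
            ))

    def can_federate(self, event, auth_events):
        """Return True if the room's create event permits federation.

        Args:
            event: unused here; kept for interface compatibility.
            auth_events (dict): (type, state_key) -> event; must contain the
                ``(EventTypes.Create, "")`` entry.

        Returns:
            bool: True unless the create event's content sets ``m.federate``
            to something other than ``True`` (an absent key counts as True).

        NOTE(review): if the create event is missing from auth_events this
        raises AttributeError rather than returning a verdict.
        """
        creation_event = auth_events.get((EventTypes.Create, ""))

        return creation_event.content.get("m.federate", True) is True

    def get_public_keys(self, invite_event):
        """Delegate to ``event_auth.get_public_keys`` for ``invite_event``."""
        return event_auth.get_public_keys(invite_event)

    @defer.inlineCallbacks
    def get_user_by_req(self, request, allow_guest=False, rights="access"):
        """ Get a registered user's ID.

        Application-service tokens are handled first (see
        ``_get_appservice_user_id``); otherwise the access token is read from
        the request (``Authorization: Bearer`` header or ``access_token``
        query parameter) and validated by ``get_user_by_access_token``.

        Args:
            request - An HTTP request carrying an access token.
            allow_guest (bool): whether a guest access token is acceptable
                for this request.
            rights (str): the operation the token must permit; forwarded to
                ``get_user_by_access_token``.
        Returns:
            defer.Deferred: resolves to a ``synapse.types.Requester`` object
        Raises:
            AuthError if no user by that token exists or the token is invalid,
            or if the token belongs to a guest and ``allow_guest`` is False.
        """
        # Can optionally look elsewhere in the request (e.g. headers)
        #
        # NOTE(review): the try/except below maps *any* KeyError raised in
        # this body to a "Missing access token." error, which can mislabel
        # unrelated failures.  Left as-is to preserve behaviour.
        try:
            user_id, app_service = yield self._get_appservice_user_id(request)
            if user_id:
                request.authenticated_entity = user_id
                defer.returnValue(
                    synapse.types.create_requester(user_id, app_service=app_service)
                )

            access_token = get_access_token_from_request(
                request, self.TOKEN_NOT_FOUND_HTTP_STATUS
            )

            user_info = yield self.get_user_by_access_token(access_token, rights)
            user = user_info["user"]
            token_id = user_info["token_id"]
            is_guest = user_info["is_guest"]

            # device_id may not be present if get_user_by_access_token has been
            # stubbed out.
            device_id = user_info.get("device_id")

            ip_addr = self.hs.get_ip_from_request(request)
            user_agent = request.requestHeaders.getRawHeaders(
                "User-Agent",
                default=[""]
            )[0]
            if user and access_token and ip_addr:
                # Record the client's IP/UA for this token; preserve_fn keeps
                # the log context intact for the fire-and-forget call.
                logcontext.preserve_fn(self.store.insert_client_ip)(
                    user=user,
                    access_token=access_token,
                    ip=ip_addr,
                    user_agent=user_agent,
                    device_id=device_id,
                )

            if is_guest and not allow_guest:
                raise AuthError(
                    403, "Guest access not allowed", errcode=Codes.GUEST_ACCESS_FORBIDDEN
                )

            request.authenticated_entity = user.to_string()

            defer.returnValue(synapse.types.create_requester(
                user, token_id, is_guest, device_id, app_service=app_service)
            )
        except KeyError:
            raise AuthError(
                self.TOKEN_NOT_FOUND_HTTP_STATUS, "Missing access token.",
                errcode=Codes.MISSING_TOKEN
            )

    @defer.inlineCallbacks
    def _get_appservice_user_id(self, request):
        """Resolve the user an application service is acting as, if any.

        Args:
            request: the HTTP request; its access token is looked up as an
                application-service token, and ``user_id`` may be supplied in
                the query string to masquerade as one of the AS's users.

        Returns:
            Deferred: fires with ``(user_id, app_service)``; ``(None, None)``
            when the token does not belong to an application service.

        Raises:
            AuthError: 403 if the AS is not interested in the requested user,
                or that user is not registered; token-not-found errors from
                ``get_access_token_from_request``.
        """
        app_service = self.store.get_app_service_by_token(
            get_access_token_from_request(
                request, self.TOKEN_NOT_FOUND_HTTP_STATUS
            )
        )
        if app_service is None:
            defer.returnValue((None, None))

        if "user_id" not in request.args:
            defer.returnValue((app_service.sender, app_service))

        user_id = request.args["user_id"][0]
        if app_service.sender == user_id:
            defer.returnValue((app_service.sender, app_service))

        # Masquerading is only permitted for users in the AS's namespace, and
        # only if that user actually exists.
        if not app_service.is_interested_in_user(user_id):
            raise AuthError(
                403,
                "Application service cannot masquerade as this user."
            )
        if not (yield self.store.get_user_by_id(user_id)):
            raise AuthError(
                403,
                "Application service has not registered this user"
            )
        defer.returnValue((user_id, app_service))

    @defer.inlineCallbacks
    def get_user_by_access_token(self, token, rights="access"):
        """ Validate access token and get user_id from it

        Args:
            token (str): The access token to get the user by.
            rights (str): The operation being performed; the access token must
                allow this.
        Returns:
            dict : dict that includes the user and the ID of their access token.
                Keys: "user" (UserID), "is_guest" (bool), "token_id",
                "device_id".
        Raises:
            AuthError if no user by that token exists or the token is invalid.
        """
        try:
            macaroon = pymacaroons.Macaroon.deserialize(token)
        except Exception:  # deserialize can throw more-or-less anything
            # doesn't look like a macaroon: treat it as an opaque token which
            # must be in the database.
            # TODO: it would be nice to get rid of this, but apparently some
            # people use access tokens which aren't macaroons
            r = yield self._look_up_user_by_access_token(token)
            defer.returnValue(r)

        try:
            user_id = self.get_user_id_from_macaroon(macaroon)
            user = UserID.from_string(user_id)

            self.validate_macaroon(
                macaroon, rights, self.hs.config.expire_access_token,
                user_id=user_id,
            )

            guest = any(
                caveat.caveat_id == "guest = true" for caveat in macaroon.caveats
            )

            if guest:
                # Guest access tokens are not stored in the database (there can
                # only be one access token per guest, anyway).
                #
                # In order to prevent guest access tokens being used as regular
                # user access tokens (and hence getting around the invalidation
                # process), we look up the user id and check that it is indeed
                # a guest user.
                #
                # It would of course be much easier to store guest access
                # tokens in the database as well, but that would break existing
                # guest tokens.
                stored_user = yield self.store.get_user_by_id(user_id)
                if not stored_user:
                    raise AuthError(
                        self.TOKEN_NOT_FOUND_HTTP_STATUS,
                        "Unknown user_id %s" % user_id,
                        errcode=Codes.UNKNOWN_TOKEN
                    )
                if not stored_user["is_guest"]:
                    raise AuthError(
                        self.TOKEN_NOT_FOUND_HTTP_STATUS,
                        "Guest access token used for regular user",
                        errcode=Codes.UNKNOWN_TOKEN
                    )
                ret = {
                    "user": user,
                    "is_guest": True,
                    "token_id": None,
                    # all guests get the same device id
                    "device_id": GUEST_DEVICE_ID,
                }
            elif rights == "delete_pusher":
                # We don't store these tokens in the database
                ret = {
                    "user": user,
                    "is_guest": False,
                    "token_id": None,
                    "device_id": None,
                }
            else:
                # This codepath exists for several reasons:
                #   * so that we can actually return a token ID, which is used
                #     in some parts of the schema (where we probably ought to
                #     use device IDs instead)
                #   * the only way we currently have to invalidate an
                #     access_token is by removing it from the database, so we
                #     have to check here that it is still in the db
                #   * some attributes (notably device_id) aren't stored in the
                #     macaroon. They probably should be.
                # TODO: build the dictionary from the macaroon once the
                # above are fixed
                ret = yield self._look_up_user_by_access_token(token)
                if ret["user"] != user:
                    # The macaroon's user_id caveat and the DB row disagree:
                    # refuse rather than trust either side.
                    logger.error(
                        "Macaroon user (%s) != DB user (%s)",
                        user,
                        ret["user"]
                    )
                    raise AuthError(
                        self.TOKEN_NOT_FOUND_HTTP_STATUS,
                        "User mismatch in macaroon",
                        errcode=Codes.UNKNOWN_TOKEN
                    )
            defer.returnValue(ret)
        except (pymacaroons.exceptions.MacaroonException, TypeError, ValueError):
            raise AuthError(
                self.TOKEN_NOT_FOUND_HTTP_STATUS, "Invalid macaroon passed.",
                errcode=Codes.UNKNOWN_TOKEN
            )

    def get_user_id_from_macaroon(self, macaroon):
        """Retrieve the user_id given by the caveats on the macaroon.

        Does *not* validate the macaroon.

        Args:
            macaroon (pymacaroons.Macaroon): The macaroon to validate

        Returns:
            (str) user id

        Raises:
            AuthError if there is no user_id caveat in the macaroon
        """
        user_prefix = "user_id = "
        # First matching caveat wins; validate_macaroon later requires the
        # caveat to match the returned id exactly.
        for caveat in macaroon.caveats:
            if caveat.caveat_id.startswith(user_prefix):
                return caveat.caveat_id[len(user_prefix):]
        raise AuthError(
            self.TOKEN_NOT_FOUND_HTTP_STATUS, "No user caveat in macaroon",
            errcode=Codes.UNKNOWN_TOKEN
        )

    def validate_macaroon(self, macaroon, type_string, verify_expiry, user_id):
        """
        validate that a Macaroon is understood by and was signed by this server.

        Args:
            macaroon(pymacaroons.Macaroon): The macaroon to validate
            type_string(str): The kind of token required (e.g. "access",
                "delete_pusher")
            verify_expiry(bool): Whether to verify whether the macaroon has expired.
            user_id (str): The user_id required

        Raises:
            whatever ``pymacaroons.Verifier.verify`` raises when a caveat is
            unmet or the signature does not match
            ``config.macaroon_secret_key`` (callers catch
            ``pymacaroons.exceptions.MacaroonException``).
        """
        v = pymacaroons.Verifier()

        # the verifier runs a test for every caveat on the macaroon, to check
        # that it is met for the current request. Each caveat must match at
        # least one of the predicates specified by satisfy_exact or
        # specify_general.
        v.satisfy_exact("gen = 1")
        v.satisfy_exact("type = " + type_string)
        v.satisfy_exact("user_id = %s" % user_id)
        v.satisfy_exact("guest = true")

        # verify_expiry should really always be True, but there exist access
        # tokens in the wild which expire when they should not, so we can't
        # enforce expiry yet (so we have to allow any caveat starting with
        # 'time < ' in access tokens).
        #
        # On the other hand, short-term login tokens (as used by CAS login, for
        # example) have an expiry time which we do want to enforce.

        if verify_expiry:
            v.satisfy_general(self._verify_expiry)
        else:
            v.satisfy_general(lambda c: c.startswith("time < "))

        # access_tokens include a nonce for uniqueness: any value is acceptable
        v.satisfy_general(lambda c: c.startswith("nonce = "))

        v.verify(macaroon, self.hs.config.macaroon_secret_key)

    def _verify_expiry(self, caveat):
        """Caveat predicate: True iff ``caveat`` is ``time < <msec>`` and that
        instant is still in the future according to the server clock.

        Args:
            caveat (str): the raw caveat id.

        Returns:
            bool: False for caveats that do not start with ``time < ``.

        Raises:
            ValueError: if the text after the prefix is not an integer
                (callers of validate_macaroon translate this to AuthError).
        """
        prefix = "time < "
        if not caveat.startswith(prefix):
            return False
        expiry = int(caveat[len(prefix):])
        now = self.hs.get_clock().time_msec()
        return now < expiry

    @defer.inlineCallbacks
    def _look_up_user_by_access_token(self, token):
        """Look an opaque (non-macaroon, or DB-backed) access token up in the store.

        Args:
            token (str): the access token.

        Returns:
            Deferred: fires with a dict with keys "user" (UserID), "token_id",
            "is_guest" (always False here) and "device_id".

        Raises:
            AuthError: if the token is not in the store.
        """
        ret = yield self.store.get_user_by_access_token(token)
        if not ret:
            # Deliberately do not include the token in the log line: it is a
            # bearer credential and would otherwise land in plaintext logs.
            logger.warning("Unrecognised access token - not in store")
            raise AuthError(
                self.TOKEN_NOT_FOUND_HTTP_STATUS, "Unrecognised access token.",
                errcode=Codes.UNKNOWN_TOKEN
            )
        # we use ret.get() below because *lots* of unit tests stub out
        # get_user_by_access_token in a way where it only returns a couple of
        # the fields.
        user_info = {
            "user": UserID.from_string(ret.get("name")),
            "token_id": ret.get("token_id", None),
            "is_guest": False,
            "device_id": ret.get("device_id"),
        }

        defer.returnValue(user_info)

    def get_appservice_by_req(self, request):
        """Authenticate a request made by an application service.

        Args:
            request: the HTTP request; its access token must be an
                application-service token.

        Returns:
            Deferred: already fired with the application service.  As a side
            effect ``request.authenticated_entity`` is set to the AS sender.

        Raises:
            AuthError: if the token is missing or not an AS token.
        """
        try:
            token = get_access_token_from_request(
                request, self.TOKEN_NOT_FOUND_HTTP_STATUS
            )
            service = self.store.get_app_service_by_token(token)
            if not service:
                # Do not log the token itself (see _look_up_user_by_access_token).
                logger.warning("Unrecognised appservice access token")
                raise AuthError(
                    self.TOKEN_NOT_FOUND_HTTP_STATUS,
                    "Unrecognised access token.",
                    errcode=Codes.UNKNOWN_TOKEN
                )
            request.authenticated_entity = service.sender
            return defer.succeed(service)
        except KeyError:
            raise AuthError(
                self.TOKEN_NOT_FOUND_HTTP_STATUS, "Missing access token.",
                errcode=Codes.MISSING_TOKEN
            )

    def is_server_admin(self, user):
        """Delegate to ``store.is_server_admin``; returns whatever it returns."""
        return self.store.is_server_admin(user)

    @defer.inlineCallbacks
    def add_auth_events(self, builder, context):
        """Populate ``builder.auth_events`` from the context's previous state.

        Args:
            builder: an event builder (needs ``type``, ``user_id`` and, for
                membership events, ``content``/``state_key``).
            context: exposes ``prev_state_ids``.
        """
        auth_ids = yield self.compute_auth_events(builder, context.prev_state_ids)

        auth_events_entries = yield self.store.add_event_hashes(
            auth_ids
        )

        builder.auth_events = auth_events_entries

    @defer.inlineCallbacks
    def compute_auth_events(self, event, current_state_ids, for_verification=False):
        """Select the event ids that authorise ``event``.

        Args:
            event: the event (or builder) being authorised.
            current_state_ids (dict): (type, state_key) -> event id.
            for_verification (bool): when True, also include the target
                user's existing membership event for non-join membership
                changes.

        Returns:
            Deferred: fires with a list of event ids (empty for create events).
        """
        if event.type == EventTypes.Create:
            defer.returnValue([])

        auth_ids = []

        key = (EventTypes.PowerLevels, "", )
        power_level_event_id = current_state_ids.get(key)

        if power_level_event_id:
            auth_ids.append(power_level_event_id)

        key = (EventTypes.JoinRules, "", )
        join_rule_event_id = current_state_ids.get(key)

        key = (EventTypes.Member, event.user_id, )
        member_event_id = current_state_ids.get(key)

        key = (EventTypes.Create, "", )
        create_event_id = current_state_ids.get(key)
        if create_event_id:
            auth_ids.append(create_event_id)

        if join_rule_event_id:
            join_rule_event = yield self.store.get_event(join_rule_event_id)
            join_rule = join_rule_event.content.get("join_rule")
            is_public = join_rule == JoinRules.PUBLIC if join_rule else False
        else:
            is_public = False

        if event.type == EventTypes.Member:
            e_type = event.content["membership"]
            if e_type in [Membership.JOIN, Membership.INVITE]:
                if join_rule_event_id:
                    auth_ids.append(join_rule_event_id)

            if e_type == Membership.JOIN:
                # A join into a public room does not depend on the sender's
                # prior membership.
                if member_event_id and not is_public:
                    auth_ids.append(member_event_id)
            else:
                if member_event_id:
                    auth_ids.append(member_event_id)

                if for_verification:
                    key = (EventTypes.Member, event.state_key, )
                    existing_event_id = current_state_ids.get(key)
                    if existing_event_id:
                        auth_ids.append(existing_event_id)

            if e_type == Membership.INVITE:
                if "third_party_invite" in event.content:
                    key = (
                        EventTypes.ThirdPartyInvite,
                        event.content["third_party_invite"]["signed"]["token"]
                    )
                    third_party_invite_id = current_state_ids.get(key)
                    if third_party_invite_id:
                        auth_ids.append(third_party_invite_id)
        elif member_event_id:
            member_event = yield self.store.get_event(member_event_id)
            if member_event.content["membership"] == Membership.JOIN:
                auth_ids.append(member_event.event_id)

        defer.returnValue(auth_ids)

    def check_redaction(self, event, auth_events):
        """Check whether the event sender is allowed to redact the target event.

        Returns:
            True if the the sender is allowed to redact the target event if the
            target event was created by them.
            False if the sender is allowed to redact the target event with no
            further checks.

        Raises:
            AuthError if the event sender is definitely not allowed to redact
            the target event.
        """
        return event_auth.check_redaction(event, auth_events)

    @defer.inlineCallbacks
    def check_can_change_room_list(self, room_id, user):
        """Check if the user is allowed to edit the room's entry in the
        published room list.

        Server admins are always allowed.  Otherwise the user must be joined
        to the room and have at least the power level required to send
        ``m.room.aliases`` events.

        Args:
            room_id (str)
            user (UserID)

        Raises:
            AuthError: if the user is not joined, or lacks the power level.
        """

        is_admin = yield self.is_server_admin(user)
        if is_admin:
            defer.returnValue(True)

        user_id = user.to_string()
        yield self.check_joined_room(room_id, user_id)

        # We currently require the user is a "moderator" in the room. We do this
        # by checking if they would (theoretically) be able to change the
        # m.room.aliases events
        power_level_event = yield self.state.get_current_state(
            room_id, EventTypes.PowerLevels, ""
        )

        auth_events = {}
        if power_level_event:
            auth_events[(EventTypes.PowerLevels, "")] = power_level_event

        send_level = event_auth.get_send_level(
            EventTypes.Aliases, "", auth_events
        )
        user_level = event_auth.get_user_power_level(user_id, auth_events)

        if user_level < send_level:
            raise AuthError(
                403,
                "This server requires you to be a moderator in the room to"
                " edit its room list entry"
            )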
def has_access_token(request):
    """Checks if the request has an access_token.

    Either an ``access_token`` query parameter or an ``Authorization``
    header counts.  Nothing is validated here; see
    ``get_access_token_from_request`` for that.

    Args:
        request: the HTTP request (must expose ``args`` and
            ``requestHeaders.getRawHeaders``).

    Returns:
        bool: False if no access_token was given, True otherwise.
    """
    in_query = request.args.get("access_token")
    in_header = request.requestHeaders.getRawHeaders("Authorization")
    return bool(in_query or in_header)
def get_access_token_from_request(request, token_not_found_http_status=401):
    """Extracts the access_token from the request.

    Args:
        request: The http request.
        token_not_found_http_status(int): The HTTP status code to set in the
            AuthError if the token isn't found. This is used in some of the
            legacy APIs to change the status code to 403 from the default of
            401 since some of the old clients depended on auth errors returning
            403.
    Returns:
        str: The access_token
    Raises:
        AuthError: If there isn't an access_token in the request, if both an
            ``Authorization`` header and an ``access_token`` query parameter
            are supplied, if more than one ``Authorization`` header is present,
            or if the header is not exactly ``Bearer <token>`` (the scheme
            comparison is case-sensitive).
    """
    auth_headers = request.requestHeaders.getRawHeaders("Authorization")
    query_params = request.args.get("access_token")

    if not auth_headers:
        # No Authorization header: the token has to come from the query
        # string.
        if not query_params:
            raise AuthError(
                token_not_found_http_status,
                "Missing access token.",
                errcode=Codes.MISSING_TOKEN
            )
        return query_params[0]

    # An Authorization header is present, so it must be the only source of
    # the token and there must be exactly one of them.
    if query_params is not None:
        raise AuthError(
            token_not_found_http_status,
            "Mixing Authorization headers and access_token query parameters.",
            errcode=Codes.MISSING_TOKEN,
        )
    if len(auth_headers) > 1:
        raise AuthError(
            token_not_found_http_status,
            "Too many Authorization headers.",
            errcode=Codes.MISSING_TOKEN,
        )

    parts = auth_headers[0].split(" ")
    if len(parts) != 2 or parts[0] != "Bearer":
        raise AuthError(
            token_not_found_http_status,
            "Invalid Authorization header.",
            errcode=Codes.MISSING_TOKEN,
        )
    return parts[1]