Working unsubscribe links going straight to the HS

and authed by macaroons that let you delete pushers and nothing else
2016-06-02 17:21:31 +01:00 · 2016-06-02 17:21:31 +01:00 · 1f31cc37f8
parent c71177f285
commit 1f31cc37f8
4 changed files with 36 additions and 6 deletions
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -660,6 +660,13 @@ class Auth(object):
                    "is_guest": True,
                    "token_id": None,
                }
+            elif rights == "delete_pusher":
+                # We don't store these tokens in the database
+                ret = {
+                    "user": user,
+                    "is_guest": False,
+                    "token_id": None,
+                }
            else:
                # This codepath exists so that we can actually return a
                # token ID, because we use token IDs in place of device
--- a/synapse/app/pusher.py
+++ b/synapse/app/pusher.py
@ -21,6 +21,7 @@ from synapse.config._base import ConfigError
 from synapse.config.database import DatabaseConfig
 from synapse.config.logger import LoggingConfig
 from synapse.config.emailconfig import EmailConfig
+from synapse.config.key import KeyConfig
 from synapse.http.site import SynapseSite
 from synapse.metrics.resource import MetricsResource, METRICS_PREFIX
 from synapse.storage.roommember import RoomMemberStore
@ -63,6 +64,26 @@ class SlaveConfig(DatabaseConfig):
        self.pid_file = self.abspath(config.get("pid_file"))
        self.public_baseurl = config["public_baseurl"]

+        # some things used by the auth handler but not actually used in the
+        # pusher codebase
+        self.bcrypt_rounds = None
+        self.ldap_enabled = None
+        self.ldap_server = None
+        self.ldap_port = None
+        self.ldap_tls = None
+        self.ldap_search_base = None
+        self.ldap_search_property = None
+        self.ldap_email_property = None
+        self.ldap_full_name_property = None
+
+        # We would otherwise try to use the registration shared secret as the
+        # macaroon shared secret if there was no macaroon_shared_secret, but
+        # that means pulling in RegistrationConfig too. We don't need to be
+        # backwards compaitible in the pusher codebase so just make people set
+        # macaroon_shared_secret. We set this to None to prevent it referencing
+        # an undefined key.
+        self.registration_shared_secret = None
+
    def default_config(self, server_name, **kwargs):
        pid_file = self.abspath("pusher.pid")
        return """\
@ -95,7 +116,7 @@ class SlaveConfig(DatabaseConfig):
        """ % locals()


-class PusherSlaveConfig(SlaveConfig, LoggingConfig, EmailConfig):
+class PusherSlaveConfig(SlaveConfig, LoggingConfig, EmailConfig, KeyConfig):
    pass


--- a/synapse/push/mailer.py
+++ b/synapse/push/mailer.py
@ -81,7 +81,7 @@ class Mailer(object):
    def __init__(self, hs, app_name):
        self.hs = hs
        self.store = self.hs.get_datastore()
-        self.handlers = self.hs.get_handlers()
+        self.auth_handler = self.hs.get_auth_handler()
        self.state_handler = self.hs.get_state_handler()
        loader = jinja2.FileSystemLoader(self.hs.config.email_template_dir)
        self.app_name = app_name
@ -161,7 +161,7 @@ class Mailer(object):

        template_vars = {
            "user_display_name": user_display_name,
-            "unsubscribe_link": self.make_unsubscribe_link(app_id, email_address),
+            "unsubscribe_link": self.make_unsubscribe_link(user_id, app_id, email_address),
            "summary_text": summary_text,
            "app_name": self.app_name,
            "rooms": rooms,
@ -427,9 +427,9 @@ class Mailer(object):
                notif['room_id'], notif['event_id']
            )

-    def make_unsubscribe_link(self, app_id, email_address):
+    def make_unsubscribe_link(self, user_id, app_id, email_address):
        params = {
-            "access_token": self.handlers.auth.generate_delete_pusher_token(),
+            "access_token": self.auth_handler.generate_delete_pusher_token(user_id),
            "app_id": app_id,
            "pushkey": email_address,
        }
--- a/synapse/rest/client/v1/pusher.py
+++ b/synapse/rest/client/v1/pusher.py
@ -149,11 +149,13 @@ class PushersRemoveRestServlet(RestServlet):

    def __init__(self, hs):
        super(RestServlet, self).__init__()
+        self.hs = hs
        self.notifier = hs.get_notifier()
+        self.auth = hs.get_v1auth()

    @defer.inlineCallbacks
    def on_GET(self, request):
-        requester = yield self.auth.get_user_by_req(request, "delete_pusher")
+        requester = yield self.auth.get_user_by_req(request, rights="delete_pusher")
        user = requester.user

        app_id = parse_string(request, "app_id", required=True)