pull/2352/head
Erik Johnston 2017-07-11 09:58:59 +01:00
parent b8ca494ee9
commit 83936293eb
4 changed files with 132 additions and 43 deletions

View File

@ -28,6 +28,8 @@ UPDATE_ATTESTATION_TIME_MS = 1 * 24 * 60 * 60 * 1000
class GroupAttestationSigning(object):
"""Creates and verifies group attestations.
"""
def __init__(self, hs):
self.keyring = hs.get_keyring()
self.clock = hs.get_clock()
@ -36,11 +38,20 @@ class GroupAttestationSigning(object):
@defer.inlineCallbacks
def verify_attestation(self, attestation, group_id, user_id, server_name=None):
"""Verifies that the given attestation matches the given paramaters.
An optional server_name can be supplied to explicitly set which server's
signature is expected. Otherwise assumes that either the group_id or user_id
is local and uses the other's server as the one to check.
"""
if not server_name:
if get_domain_from_id(group_id) == self.server_name:
server_name = get_domain_from_id(user_id)
else:
elif get_domain_from_id(user_id) == self.server_name:
server_name = get_domain_from_id(group_id)
else:
raise Exception("Expected eitehr group_id or user_id to be local")
if user_id != attestation["user_id"]:
raise SynapseError(400, "Attestation has incorrect user_id")
@ -48,6 +59,7 @@ class GroupAttestationSigning(object):
if group_id != attestation["group_id"]:
raise SynapseError(400, "Attestation has incorrect group_id")
# TODO:
valid_until_ms = attestation["valid_until_ms"]
if valid_until_ms - self.clock.time_msec() < MIN_ATTESTATION_LENGTH_MS:
raise SynapseError(400, "Attestation not valid for long enough")
@ -55,6 +67,9 @@ class GroupAttestationSigning(object):
yield self.keyring.verify_json_for_server(server_name, attestation)
def create_attestation(self, group_id, user_id):
"""Create an attestation for the group_id and user_id with default
validity length.
"""
return sign_json({
"group_id": group_id,
"user_id": user_id,
@ -63,11 +78,15 @@ class GroupAttestationSigning(object):
class GroupAttestionRenewer(object):
"""Responsible for sending and receiving attestation updates.
"""
def __init__(self, hs):
self.clock = hs.get_clock()
self.store = hs.get_datastore()
self.assestations = hs.get_groups_attestation_signing()
self.transport_client = hs.get_federation_transport_client()
self.is_mine_id = hs.is_mind_id
self._renew_attestations_loop = self.clock.looping_call(
self._renew_attestations, 30 * 60 * 1000,
@ -75,8 +94,13 @@ class GroupAttestionRenewer(object):
@defer.inlineCallbacks
def on_renew_attestation(self, group_id, user_id, content):
"""When a remote updates an attestation
"""
attestation = content["attestation"]
if not self.is_mine_id(group_id) and not self.is_mine_id(user_id):
raise SynapseError(400, "Neither user not group are on this server")
yield self.attestations.verify_attestation(
attestation,
user_id=user_id,
@ -89,6 +113,9 @@ class GroupAttestionRenewer(object):
@defer.inlineCallbacks
def _renew_attestations(self):
"""Called periodically to check if we need to update any of our attestations
"""
now = self.clock.time_msec()
rows = yield self.store.get_attestations_need_renewals(

View File

@ -19,7 +19,6 @@ from synapse.api.errors import SynapseError
from synapse.types import UserID, get_domain_from_id
import functools
import logging
logger = logging.getLogger(__name__)
@ -33,28 +32,6 @@ logger = logging.getLogger(__name__)
# TODO: Flairs
UPDATE_ATTESTATION_TIME_MS = 1 * 24 * 60 * 60 * 1000
def check_group_is_ours(and_exists=False):
def g(func):
@functools.wraps(func)
@defer.inlineCallbacks
def h(self, group_id, *args, **kwargs):
if not self.is_mine_id(group_id):
raise SynapseError(400, "Group not on this server")
if and_exists:
group = yield self.store.get_group(group_id)
if not group:
raise SynapseError(404, "Unknown group")
res = yield func(self, group_id, *args, **kwargs)
defer.returnValue(res)
return h
return g
class GroupsServerHandler(object):
def __init__(self, hs):
self.hs = hs
@ -72,9 +49,28 @@ class GroupsServerHandler(object):
# Ensure attestations get renewed
hs.get_groups_attestation_renewer()
@check_group_is_ours()
@defer.inlineCallbacks
def check_group_is_ours(self, group_id, and_exists=False):
"""Check that the group is ours, and optionally if it exists.
If group does exist then return group.
"""
if not self.is_mine_id(group_id):
raise SynapseError(400, "Group not on this server")
group = yield self.store.get_group(group_id)
if and_exists and not group:
raise SynapseError(404, "Unknown group")
defer.returnValue(group)
@defer.inlineCallbacks
def get_group_profile(self, group_id, requester_user_id):
"""Get the group profile as seen by requester_user_id
"""
yield self.check_group_is_ours(group_id)
group_description = yield self.store.get_group(group_id)
if group_description:
@ -82,9 +78,13 @@ class GroupsServerHandler(object):
else:
raise SynapseError(404, "Unknown group")
@check_group_is_ours(and_exists=True)
@defer.inlineCallbacks
def get_users_in_group(self, group_id, requester_user_id):
"""Get the users in group as seen by requester_user_id
"""
yield self.check_group_is_ours(group_id, and_exists=True)
is_user_in_group = yield self.store.is_user_in_group(requester_user_id, group_id)
user_results = yield self.store.get_users_in_group(
@ -123,9 +123,13 @@ class GroupsServerHandler(object):
"total_user_count_estimate": len(user_results),
})
@check_group_is_ours(and_exists=True)
@defer.inlineCallbacks
def get_rooms_in_group(self, group_id, requester_user_id):
"""Get the rooms in group as seen by requester_user_id
"""
yield self.check_group_is_ours(group_id, and_exists=True)
is_user_in_group = yield self.store.is_user_in_group(requester_user_id, group_id)
room_results = yield self.store.get_rooms_in_group(
@ -158,9 +162,13 @@ class GroupsServerHandler(object):
"total_room_count_estimate": len(room_results),
})
@check_group_is_ours(and_exists=True)
@defer.inlineCallbacks
def add_room(self, group_id, requester_user_id, room_id, content):
"""Add room to group
"""
yield self.check_group_is_ours(group_id, and_exists=True)
is_admin = yield self.store.is_user_admin_in_group(group_id, requester_user_id)
if not is_admin:
raise SynapseError(403, "User is not admin in group")
@ -182,9 +190,13 @@ class GroupsServerHandler(object):
defer.returnValue({})
@check_group_is_ours(and_exists=True)
@defer.inlineCallbacks
def invite_to_group(self, group_id, user_id, requester_user_id, content):
"""Invite user to group
"""
group = yield self.check_group_is_ours(group_id, and_exists=True)
is_admin = yield self.store.is_user_admin_in_group(
group_id, requester_user_id
)
@ -194,7 +206,6 @@ class GroupsServerHandler(object):
# TODO: Check if user knocked
# TODO: Check if user is already invited
group = yield self.store.get_group(group_id)
content = {
"profile": {
"name": group["name"],
@ -248,9 +259,16 @@ class GroupsServerHandler(object):
else:
raise SynapseError(502, "Unknown state returned by HS")
@check_group_is_ours(and_exists=True)
@defer.inlineCallbacks
def accept_invite(self, group_id, user_id, content):
"""User tries to accept an invite to the group.
This is different from them asking to join, and so should error if no
invite exists (and they're not a member of the group)
"""
yield self.check_group_is_ours(group_id, and_exists=True)
if not self.store.is_user_invited_to_local_group(group_id, user_id):
raise SynapseError(403, "User not invited to group")
@ -291,19 +309,33 @@ class GroupsServerHandler(object):
"attestation": local_attestation,
})
@check_group_is_ours(and_exists=True)
@defer.inlineCallbacks
def knock(self, group_id, user_id, content):
pass
"""A user requests becoming a member of the group
"""
yield self.check_group_is_ours(group_id, and_exists=True)
raise NotImplementedError()
@check_group_is_ours(and_exists=True)
@defer.inlineCallbacks
def accept_knock(self, group_id, user_id, content):
pass
"""Accept a users knock to the room.
Errors if the user hasn't knocked, rather than inviting them.
"""
yield self.check_group_is_ours(group_id, and_exists=True)
raise NotImplementedError()
@check_group_is_ours(and_exists=True)
@defer.inlineCallbacks
def remove_user_from_group(self, group_id, user_id, requester_user_id, content):
"""Remove a user from the group; either a user is leaving or and admin
kicked htem.
"""
yield self.check_group_is_ours(group_id, and_exists=True)
is_kick = False
if requester_user_id != user_id:
is_admin = yield self.store.is_user_admin_in_group(
@ -314,7 +346,7 @@ class GroupsServerHandler(object):
is_kick = True
yield self.store.remove_user_to_group(
yield self.store.remove_user_from_group(
group_id, user_id,
)
@ -328,11 +360,11 @@ class GroupsServerHandler(object):
defer.returnValue({})
@check_group_is_ours()
@defer.inlineCallbacks
def create_group(self, group_id, user_id, content):
group = yield self.check_group_is_ours(group_id)
logger.info("Attempting to create group with ID: %r", group_id)
group = yield self.store.get_group(group_id)
if group:
raise SynapseError(400, "Group already exists")

View File

@ -89,6 +89,8 @@ class GroupServerStore(SQLBaseStore):
)
def add_group_invite(self, group_id, user_id):
"""Record that the group server has invited a user
"""
return self._simple_insert(
table="group_invites",
values={
@ -99,6 +101,8 @@ class GroupServerStore(SQLBaseStore):
)
def is_user_invited_to_local_group(self, group_id, user_id):
"""Has the group server invited a user?
"""
return self._simple_select_one_onecol(
table="group_invites",
keyvalues={
@ -112,6 +116,19 @@ class GroupServerStore(SQLBaseStore):
def add_user_to_group(self, group_id, user_id, is_admin=False, is_public=True,
local_attestation=None, remote_attestation=None):
"""Add a user to the group server.
Args:
group_id (str)
user_id (str)
is_admin (bool)
is_public (bool)
local_attestation (dict): The attestation the GS created to give
to the remote server. Optional if the user and group are on the
same server
remote_attestation (dict): The attestation given to GS by remote
server. Optional if the user and group are on the same server
"""
def _add_user_to_group_txn(txn):
self._simple_insert_txn(
txn,
@ -159,8 +176,8 @@ class GroupServerStore(SQLBaseStore):
"add_user_to_group", _add_user_to_group_txn
)
def remove_user_to_group(self, group_id, user_id):
def _remove_user_to_group_txn(txn):
def remove_user_from_group(self, group_id, user_id):
def _remove_user_from_group_txn(txn):
self._simple_delete_txn(
txn,
table="group_users",
@ -193,7 +210,7 @@ class GroupServerStore(SQLBaseStore):
"user_id": user_id,
},
)
return self.runInteraction("remove_user_to_group", _remove_user_to_group_txn)
return self.runInteraction("remove_user_from_group", _remove_user_from_group_txn)
def add_room_to_group(self, group_id, room_id, is_public):
return self._simple_insert(
@ -222,6 +239,8 @@ class GroupServerStore(SQLBaseStore):
)
def get_attestations_need_renewals(self, valid_until_ms):
"""Get all attestations that need to be renewed until givent time
"""
def _get_attestations_need_renewals_txn(txn):
sql = """
SELECT group_id, user_id FROM group_attestations_renewals
@ -234,6 +253,8 @@ class GroupServerStore(SQLBaseStore):
)
def update_attestation_renewal(self, group_id, user_id, attestation):
"""Update an attestation that we have renewed
"""
return self._simple_update_one(
table="group_attestations_renewals",
keyvalues={
@ -247,6 +268,8 @@ class GroupServerStore(SQLBaseStore):
)
def update_remote_attestion(self, group_id, user_id, attestation):
"""Update an attestation that a remote has renewed
"""
return self._simple_update_one(
table="group_attestations_remote",
keyvalues={
@ -262,6 +285,9 @@ class GroupServerStore(SQLBaseStore):
@defer.inlineCallbacks
def get_remote_attestation(self, group_id, user_id):
"""Get the attestation that proves the remote agrees that the user is
in the group.
"""
row = yield self._simple_select_one(
table="group_attestations_remote",
keyvalues={

View File

@ -24,6 +24,7 @@ CREATE TABLE groups (
CREATE UNIQUE INDEX groups_idx ON groups(group_id);
-- list of users the group server thinks are joined
CREATE TABLE group_users (
group_id TEXT NOT NULL,
user_id TEXT NOT NULL,
@ -35,7 +36,7 @@ CREATE TABLE group_users (
CREATE INDEX groups_users_g_idx ON group_users(group_id, user_id);
CREATE INDEX groups_users_u_idx ON group_users(user_id);
-- list of users the group server thinks are invited
CREATE TABLE group_invites (
group_id TEXT NOT NULL,
user_id TEXT NOT NULL
@ -55,6 +56,7 @@ CREATE INDEX groups_rooms_g_idx ON group_rooms(group_id, room_id);
CREATE INDEX groups_rooms_r_idx ON group_rooms(room_id);
-- List of attestations we've given out and need to renew
CREATE TABLE group_attestations_renewals (
group_id TEXT NOT NULL,
user_id TEXT NOT NULL,
@ -65,6 +67,8 @@ CREATE INDEX group_attestations_renewals_g_idx ON group_attestations_renewals(gr
CREATE INDEX group_attestations_renewals_u_idx ON group_attestations_renewals(user_id);
CREATE INDEX group_attestations_renewals_v_idx ON group_attestations_renewals(valid_until_ms);
-- List of attestations we've received from remotes and are interested in.
CREATE TABLE group_attestations_remote (
group_id TEXT NOT NULL,
user_id TEXT NOT NULL,