Comments
parent
b8ca494ee9
commit
83936293eb
|
@ -28,6 +28,8 @@ UPDATE_ATTESTATION_TIME_MS = 1 * 24 * 60 * 60 * 1000
|
|||
|
||||
|
||||
class GroupAttestationSigning(object):
|
||||
"""Creates and verifies group attestations.
|
||||
"""
|
||||
def __init__(self, hs):
|
||||
self.keyring = hs.get_keyring()
|
||||
self.clock = hs.get_clock()
|
||||
|
@ -36,11 +38,20 @@ class GroupAttestationSigning(object):
|
|||
|
||||
@defer.inlineCallbacks
|
||||
def verify_attestation(self, attestation, group_id, user_id, server_name=None):
|
||||
"""Verifies that the given attestation matches the given paramaters.
|
||||
|
||||
An optional server_name can be supplied to explicitly set which server's
|
||||
signature is expected. Otherwise assumes that either the group_id or user_id
|
||||
is local and uses the other's server as the one to check.
|
||||
"""
|
||||
|
||||
if not server_name:
|
||||
if get_domain_from_id(group_id) == self.server_name:
|
||||
server_name = get_domain_from_id(user_id)
|
||||
else:
|
||||
elif get_domain_from_id(user_id) == self.server_name:
|
||||
server_name = get_domain_from_id(group_id)
|
||||
else:
|
||||
raise Exception("Expected eitehr group_id or user_id to be local")
|
||||
|
||||
if user_id != attestation["user_id"]:
|
||||
raise SynapseError(400, "Attestation has incorrect user_id")
|
||||
|
@ -48,6 +59,7 @@ class GroupAttestationSigning(object):
|
|||
if group_id != attestation["group_id"]:
|
||||
raise SynapseError(400, "Attestation has incorrect group_id")
|
||||
|
||||
# TODO:
|
||||
valid_until_ms = attestation["valid_until_ms"]
|
||||
if valid_until_ms - self.clock.time_msec() < MIN_ATTESTATION_LENGTH_MS:
|
||||
raise SynapseError(400, "Attestation not valid for long enough")
|
||||
|
@ -55,6 +67,9 @@ class GroupAttestationSigning(object):
|
|||
yield self.keyring.verify_json_for_server(server_name, attestation)
|
||||
|
||||
def create_attestation(self, group_id, user_id):
|
||||
"""Create an attestation for the group_id and user_id with default
|
||||
validity length.
|
||||
"""
|
||||
return sign_json({
|
||||
"group_id": group_id,
|
||||
"user_id": user_id,
|
||||
|
@ -63,11 +78,15 @@ class GroupAttestationSigning(object):
|
|||
|
||||
|
||||
class GroupAttestionRenewer(object):
|
||||
"""Responsible for sending and receiving attestation updates.
|
||||
"""
|
||||
|
||||
def __init__(self, hs):
|
||||
self.clock = hs.get_clock()
|
||||
self.store = hs.get_datastore()
|
||||
self.assestations = hs.get_groups_attestation_signing()
|
||||
self.transport_client = hs.get_federation_transport_client()
|
||||
self.is_mine_id = hs.is_mind_id
|
||||
|
||||
self._renew_attestations_loop = self.clock.looping_call(
|
||||
self._renew_attestations, 30 * 60 * 1000,
|
||||
|
@ -75,8 +94,13 @@ class GroupAttestionRenewer(object):
|
|||
|
||||
@defer.inlineCallbacks
|
||||
def on_renew_attestation(self, group_id, user_id, content):
|
||||
"""When a remote updates an attestation
|
||||
"""
|
||||
attestation = content["attestation"]
|
||||
|
||||
if not self.is_mine_id(group_id) and not self.is_mine_id(user_id):
|
||||
raise SynapseError(400, "Neither user not group are on this server")
|
||||
|
||||
yield self.attestations.verify_attestation(
|
||||
attestation,
|
||||
user_id=user_id,
|
||||
|
@ -89,6 +113,9 @@ class GroupAttestionRenewer(object):
|
|||
|
||||
@defer.inlineCallbacks
|
||||
def _renew_attestations(self):
|
||||
"""Called periodically to check if we need to update any of our attestations
|
||||
"""
|
||||
|
||||
now = self.clock.time_msec()
|
||||
|
||||
rows = yield self.store.get_attestations_need_renewals(
|
||||
|
|
|
@ -19,7 +19,6 @@ from synapse.api.errors import SynapseError
|
|||
from synapse.types import UserID, get_domain_from_id
|
||||
|
||||
|
||||
import functools
|
||||
import logging
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
@ -33,28 +32,6 @@ logger = logging.getLogger(__name__)
|
|||
# TODO: Flairs
|
||||
|
||||
|
||||
UPDATE_ATTESTATION_TIME_MS = 1 * 24 * 60 * 60 * 1000
|
||||
|
||||
|
||||
def check_group_is_ours(and_exists=False):
|
||||
def g(func):
|
||||
@functools.wraps(func)
|
||||
@defer.inlineCallbacks
|
||||
def h(self, group_id, *args, **kwargs):
|
||||
if not self.is_mine_id(group_id):
|
||||
raise SynapseError(400, "Group not on this server")
|
||||
if and_exists:
|
||||
group = yield self.store.get_group(group_id)
|
||||
if not group:
|
||||
raise SynapseError(404, "Unknown group")
|
||||
|
||||
res = yield func(self, group_id, *args, **kwargs)
|
||||
defer.returnValue(res)
|
||||
|
||||
return h
|
||||
return g
|
||||
|
||||
|
||||
class GroupsServerHandler(object):
|
||||
def __init__(self, hs):
|
||||
self.hs = hs
|
||||
|
@ -72,9 +49,28 @@ class GroupsServerHandler(object):
|
|||
# Ensure attestations get renewed
|
||||
hs.get_groups_attestation_renewer()
|
||||
|
||||
@check_group_is_ours()
|
||||
@defer.inlineCallbacks
|
||||
def check_group_is_ours(self, group_id, and_exists=False):
|
||||
"""Check that the group is ours, and optionally if it exists.
|
||||
|
||||
If group does exist then return group.
|
||||
"""
|
||||
if not self.is_mine_id(group_id):
|
||||
raise SynapseError(400, "Group not on this server")
|
||||
|
||||
group = yield self.store.get_group(group_id)
|
||||
if and_exists and not group:
|
||||
raise SynapseError(404, "Unknown group")
|
||||
|
||||
defer.returnValue(group)
|
||||
|
||||
@defer.inlineCallbacks
|
||||
def get_group_profile(self, group_id, requester_user_id):
|
||||
"""Get the group profile as seen by requester_user_id
|
||||
"""
|
||||
|
||||
yield self.check_group_is_ours(group_id)
|
||||
|
||||
group_description = yield self.store.get_group(group_id)
|
||||
|
||||
if group_description:
|
||||
|
@ -82,9 +78,13 @@ class GroupsServerHandler(object):
|
|||
else:
|
||||
raise SynapseError(404, "Unknown group")
|
||||
|
||||
@check_group_is_ours(and_exists=True)
|
||||
@defer.inlineCallbacks
|
||||
def get_users_in_group(self, group_id, requester_user_id):
|
||||
"""Get the users in group as seen by requester_user_id
|
||||
"""
|
||||
|
||||
yield self.check_group_is_ours(group_id, and_exists=True)
|
||||
|
||||
is_user_in_group = yield self.store.is_user_in_group(requester_user_id, group_id)
|
||||
|
||||
user_results = yield self.store.get_users_in_group(
|
||||
|
@ -123,9 +123,13 @@ class GroupsServerHandler(object):
|
|||
"total_user_count_estimate": len(user_results),
|
||||
})
|
||||
|
||||
@check_group_is_ours(and_exists=True)
|
||||
@defer.inlineCallbacks
|
||||
def get_rooms_in_group(self, group_id, requester_user_id):
|
||||
"""Get the rooms in group as seen by requester_user_id
|
||||
"""
|
||||
|
||||
yield self.check_group_is_ours(group_id, and_exists=True)
|
||||
|
||||
is_user_in_group = yield self.store.is_user_in_group(requester_user_id, group_id)
|
||||
|
||||
room_results = yield self.store.get_rooms_in_group(
|
||||
|
@ -158,9 +162,13 @@ class GroupsServerHandler(object):
|
|||
"total_room_count_estimate": len(room_results),
|
||||
})
|
||||
|
||||
@check_group_is_ours(and_exists=True)
|
||||
@defer.inlineCallbacks
|
||||
def add_room(self, group_id, requester_user_id, room_id, content):
|
||||
"""Add room to group
|
||||
"""
|
||||
|
||||
yield self.check_group_is_ours(group_id, and_exists=True)
|
||||
|
||||
is_admin = yield self.store.is_user_admin_in_group(group_id, requester_user_id)
|
||||
if not is_admin:
|
||||
raise SynapseError(403, "User is not admin in group")
|
||||
|
@ -182,9 +190,13 @@ class GroupsServerHandler(object):
|
|||
|
||||
defer.returnValue({})
|
||||
|
||||
@check_group_is_ours(and_exists=True)
|
||||
@defer.inlineCallbacks
|
||||
def invite_to_group(self, group_id, user_id, requester_user_id, content):
|
||||
"""Invite user to group
|
||||
"""
|
||||
|
||||
group = yield self.check_group_is_ours(group_id, and_exists=True)
|
||||
|
||||
is_admin = yield self.store.is_user_admin_in_group(
|
||||
group_id, requester_user_id
|
||||
)
|
||||
|
@ -194,7 +206,6 @@ class GroupsServerHandler(object):
|
|||
# TODO: Check if user knocked
|
||||
# TODO: Check if user is already invited
|
||||
|
||||
group = yield self.store.get_group(group_id)
|
||||
content = {
|
||||
"profile": {
|
||||
"name": group["name"],
|
||||
|
@ -248,9 +259,16 @@ class GroupsServerHandler(object):
|
|||
else:
|
||||
raise SynapseError(502, "Unknown state returned by HS")
|
||||
|
||||
@check_group_is_ours(and_exists=True)
|
||||
@defer.inlineCallbacks
|
||||
def accept_invite(self, group_id, user_id, content):
|
||||
"""User tries to accept an invite to the group.
|
||||
|
||||
This is different from them asking to join, and so should error if no
|
||||
invite exists (and they're not a member of the group)
|
||||
"""
|
||||
|
||||
yield self.check_group_is_ours(group_id, and_exists=True)
|
||||
|
||||
if not self.store.is_user_invited_to_local_group(group_id, user_id):
|
||||
raise SynapseError(403, "User not invited to group")
|
||||
|
||||
|
@ -291,19 +309,33 @@ class GroupsServerHandler(object):
|
|||
"attestation": local_attestation,
|
||||
})
|
||||
|
||||
@check_group_is_ours(and_exists=True)
|
||||
@defer.inlineCallbacks
|
||||
def knock(self, group_id, user_id, content):
|
||||
pass
|
||||
"""A user requests becoming a member of the group
|
||||
"""
|
||||
yield self.check_group_is_ours(group_id, and_exists=True)
|
||||
|
||||
raise NotImplementedError()
|
||||
|
||||
@check_group_is_ours(and_exists=True)
|
||||
@defer.inlineCallbacks
|
||||
def accept_knock(self, group_id, user_id, content):
|
||||
pass
|
||||
"""Accept a users knock to the room.
|
||||
|
||||
Errors if the user hasn't knocked, rather than inviting them.
|
||||
"""
|
||||
|
||||
yield self.check_group_is_ours(group_id, and_exists=True)
|
||||
|
||||
raise NotImplementedError()
|
||||
|
||||
@check_group_is_ours(and_exists=True)
|
||||
@defer.inlineCallbacks
|
||||
def remove_user_from_group(self, group_id, user_id, requester_user_id, content):
|
||||
"""Remove a user from the group; either a user is leaving or and admin
|
||||
kicked htem.
|
||||
"""
|
||||
|
||||
yield self.check_group_is_ours(group_id, and_exists=True)
|
||||
|
||||
is_kick = False
|
||||
if requester_user_id != user_id:
|
||||
is_admin = yield self.store.is_user_admin_in_group(
|
||||
|
@ -314,7 +346,7 @@ class GroupsServerHandler(object):
|
|||
|
||||
is_kick = True
|
||||
|
||||
yield self.store.remove_user_to_group(
|
||||
yield self.store.remove_user_from_group(
|
||||
group_id, user_id,
|
||||
)
|
||||
|
||||
|
@ -328,11 +360,11 @@ class GroupsServerHandler(object):
|
|||
|
||||
defer.returnValue({})
|
||||
|
||||
@check_group_is_ours()
|
||||
@defer.inlineCallbacks
|
||||
def create_group(self, group_id, user_id, content):
|
||||
group = yield self.check_group_is_ours(group_id)
|
||||
|
||||
logger.info("Attempting to create group with ID: %r", group_id)
|
||||
group = yield self.store.get_group(group_id)
|
||||
if group:
|
||||
raise SynapseError(400, "Group already exists")
|
||||
|
||||
|
|
|
@ -89,6 +89,8 @@ class GroupServerStore(SQLBaseStore):
|
|||
)
|
||||
|
||||
def add_group_invite(self, group_id, user_id):
|
||||
"""Record that the group server has invited a user
|
||||
"""
|
||||
return self._simple_insert(
|
||||
table="group_invites",
|
||||
values={
|
||||
|
@ -99,6 +101,8 @@ class GroupServerStore(SQLBaseStore):
|
|||
)
|
||||
|
||||
def is_user_invited_to_local_group(self, group_id, user_id):
|
||||
"""Has the group server invited a user?
|
||||
"""
|
||||
return self._simple_select_one_onecol(
|
||||
table="group_invites",
|
||||
keyvalues={
|
||||
|
@ -112,6 +116,19 @@ class GroupServerStore(SQLBaseStore):
|
|||
|
||||
def add_user_to_group(self, group_id, user_id, is_admin=False, is_public=True,
|
||||
local_attestation=None, remote_attestation=None):
|
||||
"""Add a user to the group server.
|
||||
|
||||
Args:
|
||||
group_id (str)
|
||||
user_id (str)
|
||||
is_admin (bool)
|
||||
is_public (bool)
|
||||
local_attestation (dict): The attestation the GS created to give
|
||||
to the remote server. Optional if the user and group are on the
|
||||
same server
|
||||
remote_attestation (dict): The attestation given to GS by remote
|
||||
server. Optional if the user and group are on the same server
|
||||
"""
|
||||
def _add_user_to_group_txn(txn):
|
||||
self._simple_insert_txn(
|
||||
txn,
|
||||
|
@ -159,8 +176,8 @@ class GroupServerStore(SQLBaseStore):
|
|||
"add_user_to_group", _add_user_to_group_txn
|
||||
)
|
||||
|
||||
def remove_user_to_group(self, group_id, user_id):
|
||||
def _remove_user_to_group_txn(txn):
|
||||
def remove_user_from_group(self, group_id, user_id):
|
||||
def _remove_user_from_group_txn(txn):
|
||||
self._simple_delete_txn(
|
||||
txn,
|
||||
table="group_users",
|
||||
|
@ -193,7 +210,7 @@ class GroupServerStore(SQLBaseStore):
|
|||
"user_id": user_id,
|
||||
},
|
||||
)
|
||||
return self.runInteraction("remove_user_to_group", _remove_user_to_group_txn)
|
||||
return self.runInteraction("remove_user_from_group", _remove_user_from_group_txn)
|
||||
|
||||
def add_room_to_group(self, group_id, room_id, is_public):
|
||||
return self._simple_insert(
|
||||
|
@ -222,6 +239,8 @@ class GroupServerStore(SQLBaseStore):
|
|||
)
|
||||
|
||||
def get_attestations_need_renewals(self, valid_until_ms):
|
||||
"""Get all attestations that need to be renewed until givent time
|
||||
"""
|
||||
def _get_attestations_need_renewals_txn(txn):
|
||||
sql = """
|
||||
SELECT group_id, user_id FROM group_attestations_renewals
|
||||
|
@ -234,6 +253,8 @@ class GroupServerStore(SQLBaseStore):
|
|||
)
|
||||
|
||||
def update_attestation_renewal(self, group_id, user_id, attestation):
|
||||
"""Update an attestation that we have renewed
|
||||
"""
|
||||
return self._simple_update_one(
|
||||
table="group_attestations_renewals",
|
||||
keyvalues={
|
||||
|
@ -247,6 +268,8 @@ class GroupServerStore(SQLBaseStore):
|
|||
)
|
||||
|
||||
def update_remote_attestion(self, group_id, user_id, attestation):
|
||||
"""Update an attestation that a remote has renewed
|
||||
"""
|
||||
return self._simple_update_one(
|
||||
table="group_attestations_remote",
|
||||
keyvalues={
|
||||
|
@ -262,6 +285,9 @@ class GroupServerStore(SQLBaseStore):
|
|||
|
||||
@defer.inlineCallbacks
|
||||
def get_remote_attestation(self, group_id, user_id):
|
||||
"""Get the attestation that proves the remote agrees that the user is
|
||||
in the group.
|
||||
"""
|
||||
row = yield self._simple_select_one(
|
||||
table="group_attestations_remote",
|
||||
keyvalues={
|
||||
|
|
|
@ -24,6 +24,7 @@ CREATE TABLE groups (
|
|||
CREATE UNIQUE INDEX groups_idx ON groups(group_id);
|
||||
|
||||
|
||||
-- list of users the group server thinks are joined
|
||||
CREATE TABLE group_users (
|
||||
group_id TEXT NOT NULL,
|
||||
user_id TEXT NOT NULL,
|
||||
|
@ -35,7 +36,7 @@ CREATE TABLE group_users (
|
|||
CREATE INDEX groups_users_g_idx ON group_users(group_id, user_id);
|
||||
CREATE INDEX groups_users_u_idx ON group_users(user_id);
|
||||
|
||||
|
||||
-- list of users the group server thinks are invited
|
||||
CREATE TABLE group_invites (
|
||||
group_id TEXT NOT NULL,
|
||||
user_id TEXT NOT NULL
|
||||
|
@ -55,6 +56,7 @@ CREATE INDEX groups_rooms_g_idx ON group_rooms(group_id, room_id);
|
|||
CREATE INDEX groups_rooms_r_idx ON group_rooms(room_id);
|
||||
|
||||
|
||||
-- List of attestations we've given out and need to renew
|
||||
CREATE TABLE group_attestations_renewals (
|
||||
group_id TEXT NOT NULL,
|
||||
user_id TEXT NOT NULL,
|
||||
|
@ -65,6 +67,8 @@ CREATE INDEX group_attestations_renewals_g_idx ON group_attestations_renewals(gr
|
|||
CREATE INDEX group_attestations_renewals_u_idx ON group_attestations_renewals(user_id);
|
||||
CREATE INDEX group_attestations_renewals_v_idx ON group_attestations_renewals(valid_until_ms);
|
||||
|
||||
|
||||
-- List of attestations we've received from remotes and are interested in.
|
||||
CREATE TABLE group_attestations_remote (
|
||||
group_id TEXT NOT NULL,
|
||||
user_id TEXT NOT NULL,
|
||||
|
|
Loading…
Reference in New Issue