OpenCloud
/
MatrixSynapse
mirror of https://github.com/matrix-org/synapse
1
0
Fork 0
Code Issues Releases Wiki Activity

Make OIDC scope constants

clokep/http-conn-pool
Quentin Gliech 2023-05-22 17:17:49 +02:00 committed by Patrick Cloke
parent 14a5be9c4d
commit 98afc57d59
1 changed files with 15 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
synapse/api/auth/msc3861_delegated.py
View File

@ -44,6 +44,15 @@ if TYPE_CHECKING:
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
# Scope as defined by MSC2967
# https://github.com/matrix-org/matrix-spec-proposals/pull/2967
SCOPE_MATRIX_API = "urn:matrix:org.matrix.msc2967.client:api:*"
SCOPE_MATRIX_GUEST = "urn:matrix:org.matrix.msc2967.client:api:guest"
SCOPE_MATRIX_DEVICE_PREFIX = "urn:matrix:org.matrix.msc2967.client:device:"
# Scope which allows access to the Synapse admin API
SCOPE_SYNAPSE_ADMIN = "urn:synapse:admin:*"
def scope_to_list(scope: str) -> List[str]: def scope_to_list(scope: str) -> List[str]:
"""Convert a scope string to a list of scope tokens""" """Convert a scope string to a list of scope tokens"""
@ -197,9 +206,7 @@ class MSC3861DelegatedAuth(BaseAuth):
requester = await self.get_user_by_access_token(access_token, allow_expired) requester = await self.get_user_by_access_token(access_token, allow_expired)
if not allow_guest and requester.is_guest: if not allow_guest and requester.is_guest:
raise OAuthInsufficientScopeError( raise OAuthInsufficientScopeError([SCOPE_MATRIX_API])
["urn:matrix:org.matrix.msc2967.client:api:*"]
)
request.requester = requester request.requester = requester
@ -241,9 +248,9 @@ class MSC3861DelegatedAuth(BaseAuth):
scope: List[str] = scope_to_list(introspection_result.get("scope", "")) scope: List[str] = scope_to_list(introspection_result.get("scope", ""))
# Determine type of user based on presence of particular scopes # Determine type of user based on presence of particular scopes
has_admin_scope = "urn:synapse:admin:*" in scope has_admin_scope = SCOPE_SYNAPSE_ADMIN in scope
has_user_scope = "urn:matrix:org.matrix.msc2967.client:api:*" in scope has_user_scope = SCOPE_MATRIX_API in scope
has_guest_scope = "urn:matrix:org.matrix.msc2967.client:api:guest" in scope has_guest_scope = SCOPE_MATRIX_GUEST in scope
is_user = has_user_scope or has_admin_scope is_user = has_user_scope or has_admin_scope
is_guest = has_guest_scope and not is_user is_guest = has_guest_scope and not is_user
@ -299,10 +306,8 @@ class MSC3861DelegatedAuth(BaseAuth):
# Find device_id in scope # Find device_id in scope
device_id = None device_id = None
for tok in scope: for tok in scope:
if tok.startswith("urn:matrix:org.matrix.msc2967.client:device:"): if tok.startswith(SCOPE_MATRIX_DEVICE_PREFIX):
parts = tok.split(":") device_id = tok[len(SCOPE_MATRIX_DEVICE_PREFIX) :]
if len(parts) == 5:
device_id = parts[4]
if device_id: if device_id:
# Create the device on the fly if it does not exist # Create the device on the fly if it does not exist