Enforce MSC2209: auth rules for notifications in power level event (#7502)
In a new room version, the "notifications" key of power level events are subject to restricted auth rules.pull/7507/head
parent
5611644519
commit
fef3ff5cc4
|
@ -0,0 +1 @@
|
||||||
|
Add additional authentication checks for m.room.power_levels event per [MSC2209](https://github.com/matrix-org/matrix-doc/pull/2209).
|
|
@ -58,7 +58,11 @@ class RoomVersion(object):
|
||||||
enforce_key_validity = attr.ib() # bool
|
enforce_key_validity = attr.ib() # bool
|
||||||
|
|
||||||
# bool: before MSC2261/MSC2432, m.room.aliases had special auth rules and redaction rules
|
# bool: before MSC2261/MSC2432, m.room.aliases had special auth rules and redaction rules
|
||||||
special_case_aliases_auth = attr.ib(type=bool, default=False)
|
special_case_aliases_auth = attr.ib(type=bool)
|
||||||
|
|
||||||
|
# bool: MSC2209: Check 'notifications' key while verifying
|
||||||
|
# m.room.power_levels auth rules.
|
||||||
|
limit_notifications_power_levels = attr.ib(type=bool)
|
||||||
|
|
||||||
|
|
||||||
class RoomVersions(object):
|
class RoomVersions(object):
|
||||||
|
@ -69,6 +73,7 @@ class RoomVersions(object):
|
||||||
StateResolutionVersions.V1,
|
StateResolutionVersions.V1,
|
||||||
enforce_key_validity=False,
|
enforce_key_validity=False,
|
||||||
special_case_aliases_auth=True,
|
special_case_aliases_auth=True,
|
||||||
|
limit_notifications_power_levels=False,
|
||||||
)
|
)
|
||||||
V2 = RoomVersion(
|
V2 = RoomVersion(
|
||||||
"2",
|
"2",
|
||||||
|
@ -77,6 +82,7 @@ class RoomVersions(object):
|
||||||
StateResolutionVersions.V2,
|
StateResolutionVersions.V2,
|
||||||
enforce_key_validity=False,
|
enforce_key_validity=False,
|
||||||
special_case_aliases_auth=True,
|
special_case_aliases_auth=True,
|
||||||
|
limit_notifications_power_levels=False,
|
||||||
)
|
)
|
||||||
V3 = RoomVersion(
|
V3 = RoomVersion(
|
||||||
"3",
|
"3",
|
||||||
|
@ -85,6 +91,7 @@ class RoomVersions(object):
|
||||||
StateResolutionVersions.V2,
|
StateResolutionVersions.V2,
|
||||||
enforce_key_validity=False,
|
enforce_key_validity=False,
|
||||||
special_case_aliases_auth=True,
|
special_case_aliases_auth=True,
|
||||||
|
limit_notifications_power_levels=False,
|
||||||
)
|
)
|
||||||
V4 = RoomVersion(
|
V4 = RoomVersion(
|
||||||
"4",
|
"4",
|
||||||
|
@ -93,6 +100,7 @@ class RoomVersions(object):
|
||||||
StateResolutionVersions.V2,
|
StateResolutionVersions.V2,
|
||||||
enforce_key_validity=False,
|
enforce_key_validity=False,
|
||||||
special_case_aliases_auth=True,
|
special_case_aliases_auth=True,
|
||||||
|
limit_notifications_power_levels=False,
|
||||||
)
|
)
|
||||||
V5 = RoomVersion(
|
V5 = RoomVersion(
|
||||||
"5",
|
"5",
|
||||||
|
@ -101,6 +109,7 @@ class RoomVersions(object):
|
||||||
StateResolutionVersions.V2,
|
StateResolutionVersions.V2,
|
||||||
enforce_key_validity=True,
|
enforce_key_validity=True,
|
||||||
special_case_aliases_auth=True,
|
special_case_aliases_auth=True,
|
||||||
|
limit_notifications_power_levels=False,
|
||||||
)
|
)
|
||||||
MSC2432_DEV = RoomVersion(
|
MSC2432_DEV = RoomVersion(
|
||||||
"org.matrix.msc2432",
|
"org.matrix.msc2432",
|
||||||
|
@ -109,6 +118,16 @@ class RoomVersions(object):
|
||||||
StateResolutionVersions.V2,
|
StateResolutionVersions.V2,
|
||||||
enforce_key_validity=True,
|
enforce_key_validity=True,
|
||||||
special_case_aliases_auth=False,
|
special_case_aliases_auth=False,
|
||||||
|
limit_notifications_power_levels=False,
|
||||||
|
)
|
||||||
|
MSC2209_DEV = RoomVersion(
|
||||||
|
"org.matrix.msc2209",
|
||||||
|
RoomDisposition.UNSTABLE,
|
||||||
|
EventFormatVersions.V3,
|
||||||
|
StateResolutionVersions.V2,
|
||||||
|
enforce_key_validity=True,
|
||||||
|
special_case_aliases_auth=True,
|
||||||
|
limit_notifications_power_levels=True,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@ -121,5 +140,6 @@ KNOWN_ROOM_VERSIONS = {
|
||||||
RoomVersions.V4,
|
RoomVersions.V4,
|
||||||
RoomVersions.V5,
|
RoomVersions.V5,
|
||||||
RoomVersions.MSC2432_DEV,
|
RoomVersions.MSC2432_DEV,
|
||||||
|
RoomVersions.MSC2209_DEV,
|
||||||
)
|
)
|
||||||
} # type: Dict[str, RoomVersion]
|
} # type: Dict[str, RoomVersion]
|
||||||
|
|
|
@ -181,7 +181,7 @@ def check(
|
||||||
_can_send_event(event, auth_events)
|
_can_send_event(event, auth_events)
|
||||||
|
|
||||||
if event.type == EventTypes.PowerLevels:
|
if event.type == EventTypes.PowerLevels:
|
||||||
_check_power_levels(event, auth_events)
|
_check_power_levels(room_version_obj, event, auth_events)
|
||||||
|
|
||||||
if event.type == EventTypes.Redaction:
|
if event.type == EventTypes.Redaction:
|
||||||
check_redaction(room_version_obj, event, auth_events)
|
check_redaction(room_version_obj, event, auth_events)
|
||||||
|
@ -442,7 +442,7 @@ def check_redaction(room_version_obj: RoomVersion, event, auth_events):
|
||||||
raise AuthError(403, "You don't have permission to redact events")
|
raise AuthError(403, "You don't have permission to redact events")
|
||||||
|
|
||||||
|
|
||||||
def _check_power_levels(event, auth_events):
|
def _check_power_levels(room_version_obj, event, auth_events):
|
||||||
user_list = event.content.get("users", {})
|
user_list = event.content.get("users", {})
|
||||||
# Validate users
|
# Validate users
|
||||||
for k, v in user_list.items():
|
for k, v in user_list.items():
|
||||||
|
@ -484,6 +484,14 @@ def _check_power_levels(event, auth_events):
|
||||||
for ev_id in set(list(old_list) + list(new_list)):
|
for ev_id in set(list(old_list) + list(new_list)):
|
||||||
levels_to_check.append((ev_id, "events"))
|
levels_to_check.append((ev_id, "events"))
|
||||||
|
|
||||||
|
# MSC2209 specifies these checks should also be done for the "notifications"
|
||||||
|
# key.
|
||||||
|
if room_version_obj.limit_notifications_power_levels:
|
||||||
|
old_list = current_state.content.get("notifications", {})
|
||||||
|
new_list = event.content.get("notifications", {})
|
||||||
|
for ev_id in set(list(old_list) + list(new_list)):
|
||||||
|
levels_to_check.append((ev_id, "notifications"))
|
||||||
|
|
||||||
old_state = current_state.content
|
old_state = current_state.content
|
||||||
new_state = event.content
|
new_state = event.content
|
||||||
|
|
||||||
|
|
|
@ -165,6 +165,39 @@ class EventAuthTestCase(unittest.TestCase):
|
||||||
do_sig_check=False,
|
do_sig_check=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_msc2209(self):
|
||||||
|
"""
|
||||||
|
Notifications power levels get checked due to MSC2209.
|
||||||
|
"""
|
||||||
|
creator = "@creator:example.com"
|
||||||
|
pleb = "@joiner:example.com"
|
||||||
|
|
||||||
|
auth_events = {
|
||||||
|
("m.room.create", ""): _create_event(creator),
|
||||||
|
("m.room.member", creator): _join_event(creator),
|
||||||
|
("m.room.power_levels", ""): _power_levels_event(
|
||||||
|
creator, {"state_default": "30", "users": {pleb: "30"}}
|
||||||
|
),
|
||||||
|
("m.room.member", pleb): _join_event(pleb),
|
||||||
|
}
|
||||||
|
|
||||||
|
# pleb should be able to modify the notifications power level.
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.V1,
|
||||||
|
_power_levels_event(pleb, {"notifications": {"room": 100}}),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# But an MSC2209 room rejects this change.
|
||||||
|
with self.assertRaises(AuthError):
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.MSC2209_DEV,
|
||||||
|
_power_levels_event(pleb, {"notifications": {"room": 100}}),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
# helpers for making events
|
# helpers for making events
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue