Merge branch 'develop' into daniel/forgetrooms

2025-05-02 16:44:49 -04:00 · 2015-11-19 16:53:13 +00:00 · 2015-11-19 16:53:13 +00:00 · 1cfda3d2d8
commit 1cfda3d2d8
parent 9da4c5340d 8b5349c7bc
18 changed files with 181 additions and 88 deletions
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -594,10 +594,7 @@ class Auth(object):
    def _get_user_from_macaroon(self, macaroon_str):
        try:
            macaroon = pymacaroons.Macaroon.deserialize(macaroon_str)
-            self.validate_macaroon(
-                macaroon, "access",
-                [lambda c: c.startswith("time < ")]
-            )
+            self.validate_macaroon(macaroon, "access", False)

            user_prefix = "user_id = "
            user = None
@ -645,22 +642,34 @@ class Auth(object):
                errcode=Codes.UNKNOWN_TOKEN
            )

-    def validate_macaroon(self, macaroon, type_string, additional_validation_functions):
+    def validate_macaroon(self, macaroon, type_string, verify_expiry):
+        """
+        validate that a Macaroon is understood by and was signed by this server.
+
+        Args:
+            macaroon(pymacaroons.Macaroon): The macaroon to validate
+            type_string(str): The kind of token this is (e.g. "access", "refresh")
+            verify_expiry(bool): Whether to verify whether the macaroon has expired.
+                This should really always be True, but no clients currently implement
+                token refresh, so we can't enforce expiry yet.
+        """
        v = pymacaroons.Verifier()
        v.satisfy_exact("gen = 1")
        v.satisfy_exact("type = " + type_string)
        v.satisfy_general(lambda c: c.startswith("user_id = "))
        v.satisfy_exact("guest = true")
+        if verify_expiry:
+            v.satisfy_general(self._verify_expiry)
+        else:
+            v.satisfy_general(lambda c: c.startswith("time < "))

-        for validation_function in additional_validation_functions:
-            v.satisfy_general(validation_function)
        v.verify(macaroon, self.hs.config.macaroon_secret_key)

        v = pymacaroons.Verifier()
        v.satisfy_general(self._verify_recognizes_caveats)
        v.verify(macaroon, self.hs.config.macaroon_secret_key)

-    def verify_expiry(self, caveat):
+    def _verify_expiry(self, caveat):
        prefix = "time < "
        if not caveat.startswith(prefix):
            return False
--- a/synapse/api/filtering.py
+++ b/synapse/api/filtering.py
@ -54,7 +54,7 @@ class Filtering(object):
        ]

        room_level_definitions = [
-            "state", "timeline", "ephemeral", "private_user_data"
+            "state", "timeline", "ephemeral", "account_data"
        ]

        for key in top_level_definitions:
@ -131,8 +131,8 @@ class FilterCollection(object):
            self.filter_json.get("room", {}).get("ephemeral", {})
        )

-        self.room_private_user_data = Filter(
-            self.filter_json.get("room", {}).get("private_user_data", {})
+        self.room_account_data = Filter(
+            self.filter_json.get("room", {}).get("account_data", {})
        )

        self.presence_filter = Filter(
@ -160,8 +160,8 @@ class FilterCollection(object):
    def filter_room_ephemeral(self, events):
        return self.room_ephemeral_filter.filter(events)

-    def filter_room_private_user_data(self, events):
-        return self.room_private_user_data.filter(events)
+    def filter_room_account_data(self, events):
+        return self.room_account_data.filter(events)


 class Filter(object):