Raise a SynapseError if the authorisation header is missing or malformed

Mark Haines 2014-10-13 15:53:18 +01:00
parent 75e517a2da
commit 25d80f35f1
2 changed files with 31 additions and 19 deletions


@ -211,11 +211,15 @@ class TransportLayer(object):
if request.method == "PUT": if request.method == "PUT":
#TODO: Handle other method types? other content types? #TODO: Handle other method types? other content types?
try:
content_bytes = request.content.read() content_bytes = request.content.read()
content = json.loads(content_bytes) content = json.loads(content_bytes)
json_request["content"] = content json_request["content"] = content
except:
raise SynapseError(400, "Unable to parse JSON", Codes.BAD_JSON)
def parse_auth_header(header_str): def parse_auth_header(header_str):
try:
params = auth.split(" ")[1].split(",") params = auth.split(" ")[1].split(",")
param_dict = dict(kv.split("=") for kv in params) param_dict = dict(kv.split("=") for kv in params)
def strip_quotes(value): def strip_quotes(value):
@ -227,20 +231,24 @@ class TransportLayer(object):
key = strip_quotes(param_dict["key"]) key = strip_quotes(param_dict["key"])
sig = strip_quotes(param_dict["sig"]) sig = strip_quotes(param_dict["sig"])
return (origin, key, sig) return (origin, key, sig)
except:
raise SynapseError(
400, "Malformed Authorization Header", Codes.FORBIDDEN
)
auth_headers = request.requestHeaders.getRawHeaders(b"Authorization") auth_headers = request.requestHeaders.getRawHeaders(b"Authorization")
if not auth_headers:
raise SynapseError(
401, "Missing Authorization headers", Codes.FORBIDDEN,
)
for auth in auth_headers: for auth in auth_headers:
if auth.startswith("X-Matrix"): if auth.startswith("X-Matrix"):
(origin, key, sig) = parse_auth_header(auth) (origin, key, sig) = parse_auth_header(auth)
json_request["origin"] = origin json_request["origin"] = origin
json_request["signatures"].setdefault(origin,{})[key] = sig json_request["signatures"].setdefault(origin,{})[key] = sig
if not json_request["signatures"]:
raise SynapseError(
401, "Missing Authorization headers", Codes.FORBIDDEN,
)
yield self.keyring.verify_json_for_server(origin, json_request) yield self.keyring.verify_json_for_server(origin, json_request)
defer.returnValue((origin, content)) defer.returnValue((origin, content))
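Review bot: Both new handlers are bare `except:` clauses (after the `json.loads` call and at the end of `parse_auth_header`), so any fault inside them, not only bad input from the remote server, is answered with a 400 and never surfaces as a server-side error on this request-authentication path. This matters most in `parse_auth_header`, whose body reads `auth` rather than its `header_str` parameter: it works only because the loop variable at the call site has that name, and a `NameError` from any other call site would be reported as "Malformed Authorization Header". Narrow each clause to what bad input can raise, e.g. `except ValueError:` for the JSON body and `except (IndexError, KeyError, ValueError):` for the header, and have the parser use `header_str.split(" ")[1].split(",")`. The malformed-header branch also pairs status 400 with `Codes.FORBIDDEN` while the missing-header branches use 401, which looks inconsistent and is worth confirming. The enclosing method starts above the hunk, so its signature and decorator are not visible here.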


@ -79,6 +79,10 @@ class MockHttpResource(HttpServer):
mock_request.method = http_method mock_request.method = http_method
mock_request.uri = path mock_request.uri = path
mock_request.requestHeaders.getRawHeaders.return_value=[
"X-Matrix origin=test,key=,sig="
]
# return the right path if the event requires it # return the right path if the event requires it
mock_request.path = path mock_request.path = path
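Review bot: The stubbed `getRawHeaders.return_value` always supplies a well-formed `X-Matrix` header, so nothing visible in this section exercises the 401 (missing header) and 400 (malformed header) rejections that the commit adds. Consider tests that set the return value to `None` and to a header lacking `origin`, `key` or `sig`, and assert the resulting `SynapseError` code. Because `return_value` ignores the header name passed in, any other header the code under test looks up through this mock will presumably receive the same list, so a comment such as `# every getRawHeaders() call returns this, whatever header is requested` would help the next reader.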