Split event_auth.check into two parts (#10940)

Broadly, the existing `event_auth.check` function has two parts: * a validation section: checks that the event isn't too big, that it has the rught signatures, etc. This bit is independent of the rest of the state in the room, and so need only be done once for each event. * an auth section: ensures that the event is allowed, given the rest of the state in the room. This gets done multiple times, against various sets of room state, because it forms part of the state res algorithm. Currently, this is implemented with `do_sig_check` and `do_size_check` parameters, but I think that makes everything hard to follow. Instead, we split the function in two and call each part separately where it is needed.
2025-08-02 15:26:04 -04:00 · 2021-09-29 18:59:15 +01:00 · 2021-09-29 18:59:15 +01:00 · 428174f902
commit 428174f902
parent a19aa8b162
10 changed files with 177 additions and 172 deletions
--- a/synapse/handlers/event_auth.py
+++ b/synapse/handlers/event_auth.py
@ -22,7 +22,8 @@ from synapse.api.constants import (
    RestrictedJoinRuleTypes,
 )
 from synapse.api.errors import AuthError, Codes, SynapseError
-from synapse.api.room_versions import KNOWN_ROOM_VERSIONS, RoomVersion
+from synapse.api.room_versions import RoomVersion
+from synapse.event_auth import check_auth_rules_for_event
 from synapse.events import EventBase
 from synapse.events.builder import EventBuilder
 from synapse.events.snapshot import EventContext
@ -45,21 +46,17 @@ class EventAuthHandler:
        self._store = hs.get_datastore()
        self._server_name = hs.hostname

-    async def check_from_context(
+    async def check_auth_rules_from_context(
        self,
-        room_version: str,
+        room_version_obj: RoomVersion,
        event: EventBase,
        context: EventContext,
-        do_sig_check: bool = True,
    ) -> None:
+        """Check an event passes the auth rules at its own auth events"""
        auth_event_ids = event.auth_event_ids()
        auth_events_by_id = await self._store.get_events(auth_event_ids)
        auth_events = {(e.type, e.state_key): e for e in auth_events_by_id.values()}
-
-        room_version_obj = KNOWN_ROOM_VERSIONS[room_version]
-        event_auth.check(
-            room_version_obj, event, auth_events=auth_events, do_sig_check=do_sig_check
-        )
+        check_auth_rules_for_event(room_version_obj, event, auth_events)

    def compute_auth_events(
        self,
--- a/synapse/handlers/federation.py
+++ b/synapse/handlers/federation.py
@ -40,6 +40,10 @@ from synapse.api.errors import (
 )
 from synapse.api.room_versions import KNOWN_ROOM_VERSIONS, RoomVersion, RoomVersions
 from synapse.crypto.event_signing import compute_event_signature
+from synapse.event_auth import (
+    check_auth_rules_for_event,
+    validate_event_for_room_version,
+)
 from synapse.events import EventBase
 from synapse.events.snapshot import EventContext
 from synapse.events.validator import EventValidator
@ -742,10 +746,9 @@ class FederationHandler(BaseHandler):

        # The remote hasn't signed it yet, obviously. We'll do the full checks
        # when we get the event back in `on_send_join_request`
-        await self._event_auth_handler.check_from_context(
-            room_version.identifier, event, context, do_sig_check=False
+        await self._event_auth_handler.check_auth_rules_from_context(
+            room_version, event, context
        )
-
        return event

    async def on_invite_request(
@ -916,8 +919,8 @@ class FederationHandler(BaseHandler):
        try:
            # The remote hasn't signed it yet, obviously. We'll do the full checks
            # when we get the event back in `on_send_leave_request`
-            await self._event_auth_handler.check_from_context(
-                room_version_obj.identifier, event, context, do_sig_check=False
+            await self._event_auth_handler.check_auth_rules_from_context(
+                room_version_obj, event, context
            )
        except AuthError as e:
            logger.warning("Failed to create new leave %r because %s", event, e)
@ -978,8 +981,8 @@ class FederationHandler(BaseHandler):
        try:
            # The remote hasn't signed it yet, obviously. We'll do the full checks
            # when we get the event back in `on_send_knock_request`
-            await self._event_auth_handler.check_from_context(
-                room_version_obj.identifier, event, context, do_sig_check=False
+            await self._event_auth_handler.check_auth_rules_from_context(
+                room_version_obj, event, context
            )
        except AuthError as e:
            logger.warning("Failed to create new knock %r because %s", event, e)
@ -1168,7 +1171,8 @@ class FederationHandler(BaseHandler):
                auth_for_e[(EventTypes.Create, "")] = create_event

            try:
-                event_auth.check(room_version, e, auth_events=auth_for_e)
+                validate_event_for_room_version(room_version, e)
+                check_auth_rules_for_event(room_version, e, auth_for_e)
            except SynapseError as err:
                # we may get SynapseErrors here as well as AuthErrors. For
                # instance, there are a couple of (ancient) events in some
@ -1266,8 +1270,9 @@ class FederationHandler(BaseHandler):
            event.internal_metadata.send_on_behalf_of = self.hs.hostname

            try:
-                await self._event_auth_handler.check_from_context(
-                    room_version_obj.identifier, event, context
+                validate_event_for_room_version(room_version_obj, event)
+                await self._event_auth_handler.check_auth_rules_from_context(
+                    room_version_obj, event, context
                )
            except AuthError as e:
                logger.warning("Denying new third party invite %r because %s", event, e)
@ -1317,8 +1322,9 @@ class FederationHandler(BaseHandler):
        )

        try:
-            await self._event_auth_handler.check_from_context(
-                room_version_obj.identifier, event, context
+            validate_event_for_room_version(room_version_obj, event)
+            await self._event_auth_handler.check_auth_rules_from_context(
+                room_version_obj, event, context
            )
        except AuthError as e:
            logger.warning("Denying third party invite %r because %s", event, e)
--- a/synapse/handlers/federation_event.py
+++ b/synapse/handlers/federation_event.py
@ -29,7 +29,6 @@ from typing import (

 from prometheus_client import Counter

-from synapse import event_auth
 from synapse.api.constants import (
    EventContentFields,
    EventTypes,
@ -47,7 +46,11 @@ from synapse.api.errors import (
    SynapseError,
 )
 from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
-from synapse.event_auth import auth_types_for_event
+from synapse.event_auth import (
+    auth_types_for_event,
+    check_auth_rules_for_event,
+    validate_event_for_room_version,
+)
 from synapse.events import EventBase
 from synapse.events.snapshot import EventContext
 from synapse.federation.federation_client import InvalidResponseError
@ -1207,7 +1210,8 @@ class FederationEventHandler:

                context = EventContext.for_outlier()
                try:
-                    event_auth.check(room_version_obj, event, auth_events=auth)
+                    validate_event_for_room_version(room_version_obj, event)
+                    check_auth_rules_for_event(room_version_obj, event, auth)
                except AuthError as e:
                    logger.warning("Rejecting %r because %s", event, e)
                    context.rejected = RejectedReason.AUTH_ERROR
@ -1282,7 +1286,8 @@ class FederationEventHandler:
            auth_events_for_auth = calculated_auth_event_map

        try:
-            event_auth.check(room_version_obj, event, auth_events=auth_events_for_auth)
+            validate_event_for_room_version(room_version_obj, event)
+            check_auth_rules_for_event(room_version_obj, event, auth_events_for_auth)
        except AuthError as e:
            logger.warning("Failed auth resolution for %r because %s", event, e)
            context.rejected = RejectedReason.AUTH_ERROR
@ -1394,7 +1399,10 @@ class FederationEventHandler:
        }

        try:
-            event_auth.check(room_version_obj, event, auth_events=current_auth_events)
+            # TODO: skip the call to validate_event_for_room_version? we should already
+            #    have validated the event.
+            validate_event_for_room_version(room_version_obj, event)
+            check_auth_rules_for_event(room_version_obj, event, current_auth_events)
        except AuthError as e:
            logger.warning(
                "Soft-failing %r (from %s) because %s",
--- a/synapse/handlers/message.py
+++ b/synapse/handlers/message.py
@ -44,6 +44,7 @@ from synapse.api.errors import (
 )
 from synapse.api.room_versions import KNOWN_ROOM_VERSIONS, RoomVersions
 from synapse.api.urls import ConsentURIBuilder
+from synapse.event_auth import validate_event_for_room_version
 from synapse.events import EventBase
 from synapse.events.builder import EventBuilder
 from synapse.events.snapshot import EventContext
@ -1098,8 +1099,9 @@ class EventCreationHandler:
            assert event.content["membership"] == Membership.LEAVE
        else:
            try:
-                await self._event_auth_handler.check_from_context(
-                    room_version_obj.identifier, event, context
+                validate_event_for_room_version(room_version_obj, event)
+                await self._event_auth_handler.check_auth_rules_from_context(
+                    room_version_obj, event, context
                )
            except AuthError as err:
                logger.warning("Denying new event %r because %s", event, err)
--- a/synapse/handlers/room.py
+++ b/synapse/handlers/room.py
@ -52,6 +52,7 @@ from synapse.api.errors import (
 )
 from synapse.api.filtering import Filter
 from synapse.api.room_versions import KNOWN_ROOM_VERSIONS, RoomVersion
+from synapse.event_auth import validate_event_for_room_version
 from synapse.events import EventBase
 from synapse.events.utils import copy_power_levels_contents
 from synapse.rest.admin._base import assert_user_is_admin
@ -238,8 +239,9 @@ class RoomCreationHandler(BaseHandler):
            },
        )
        old_room_version = await self.store.get_room_version(old_room_id)
-        await self._event_auth_handler.check_from_context(
-            old_room_version.identifier, tombstone_event, tombstone_context
+        validate_event_for_room_version(old_room_version, tombstone_event)
+        await self._event_auth_handler.check_auth_rules_from_context(
+            old_room_version, tombstone_event, tombstone_context
        )

        await self.clone_existing_room(