Matrix-Mirrors/anonymousland-synapse
1
0
Fork 0
mirror of https://git.anonymousland.org/anonymousland/synapse.git synced 2025-05-02 13:46:02 -04:00
Code Issues Projects Releases Packages Wiki Activity

Split event_auth.check into two parts (#10940)

Browse source 
Broadly, the existing `event_auth.check` function has two parts:
 * a validation section: checks that the event isn't too big, that it has the rught signatures, etc. 
   This bit is independent of the rest of the state in the room, and so need only be done once 
   for each event.
 * an auth section: ensures that the event is allowed, given the rest of the state in the room.
   This gets done multiple times, against various sets of room state, because it forms part of
   the state res algorithm.

Currently, this is implemented with `do_sig_check` and `do_size_check` parameters, but I think
that makes everything hard to follow. Instead, we split the function in two and call each part
separately where it is needed.
This commit is contained in:
Richard van der Hoff 2021-09-29 18:59:15 +01:00 committed by GitHub
parent a19aa8b162
commit 428174f902
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 177 additions and 172 deletions
Download patch file Download diff file Expand all files Collapse all files

108
tests/test_event_auth.py
View file

@ -37,21 +37,19 @@ class EventAuthTestCase(unittest.TestCase):
}
# creator should be able to send state
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V1,
_random_state_event(creator),
auth_events,
do_sig_check=False,
)
# joiner should not be able to send state
self.assertRaises(
AuthError,
event_auth.check,
event_auth.check_auth_rules_for_event,
RoomVersions.V1,
_random_state_event(joiner),
auth_events,
do_sig_check=False,
)
def test_state_default_level(self):
@ -76,19 +74,17 @@ class EventAuthTestCase(unittest.TestCase):
# pleb should not be able to send state
self.assertRaises(
AuthError,
event_auth.check,
event_auth.check_auth_rules_for_event,
RoomVersions.V1,
_random_state_event(pleb),
auth_events,
do_sig_check=False,
),
# king should be able to send state
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V1,
_random_state_event(king),
auth_events,
do_sig_check=False,
)
def test_alias_event(self):
@ -101,37 +97,33 @@ class EventAuthTestCase(unittest.TestCase):
}
# creator should be able to send aliases
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V1,
_alias_event(creator),
auth_events,
do_sig_check=False,
)
# Reject an event with no state key.
with self.assertRaises(AuthError):
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V1,
_alias_event(creator, state_key=""),
auth_events,
do_sig_check=False,
)
# If the domain of the sender does not match the state key, reject.
with self.assertRaises(AuthError):
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V1,
_alias_event(creator, state_key="test.com"),
auth_events,
do_sig_check=False,
)
# Note that the member does *not* need to be in the room.
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V1,
_alias_event(other),
auth_events,
do_sig_check=False,
)
def test_msc2432_alias_event(self):
@ -144,34 +136,30 @@ class EventAuthTestCase(unittest.TestCase):
}
# creator should be able to send aliases
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_alias_event(creator),
auth_events,
do_sig_check=False,
)
# No particular checks are done on the state key.
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_alias_event(creator, state_key=""),
auth_events,
do_sig_check=False,
)
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_alias_event(creator, state_key="test.com"),
auth_events,
do_sig_check=False,
)
# Per standard auth rules, the member must be in the room.
with self.assertRaises(AuthError):
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_alias_event(other),
auth_events,
do_sig_check=False,
)
def test_msc2209(self):
@ -191,20 +179,18 @@ class EventAuthTestCase(unittest.TestCase):
}
# pleb should be able to modify the notifications power level.
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V1,
_power_levels_event(pleb, {"notifications": {"room": 100}}),
auth_events,
do_sig_check=False,
)
# But an MSC2209 room rejects this change.
with self.assertRaises(AuthError):
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_power_levels_event(pleb, {"notifications": {"room": 100}}),
auth_events,
do_sig_check=False,
)
def test_join_rules_public(self):
@ -221,59 +207,53 @@ class EventAuthTestCase(unittest.TestCase):
}
# Check join.
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user cannot be force-joined to a room.
with self.assertRaises(AuthError):
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_member_event(pleb, "join", sender=creator),
auth_events,
do_sig_check=False,
)
# Banned should be rejected.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "ban")
with self.assertRaises(AuthError):
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user who left can re-join.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "leave")
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user can send a join if they're in the room.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "join")
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user can accept an invite.
auth_events[("m.room.member", pleb)] = _member_event(
pleb, "invite", sender=creator
)
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
def test_join_rules_invite(self):
@ -291,60 +271,54 @@ class EventAuthTestCase(unittest.TestCase):
# A join without an invite is rejected.
with self.assertRaises(AuthError):
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user cannot be force-joined to a room.
with self.assertRaises(AuthError):
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_member_event(pleb, "join", sender=creator),
auth_events,
do_sig_check=False,
)
# Banned should be rejected.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "ban")
with self.assertRaises(AuthError):
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user who left cannot re-join.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "leave")
with self.assertRaises(AuthError):
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user can send a join if they're in the room.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "join")
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user can accept an invite.
auth_events[("m.room.member", pleb)] = _member_event(
pleb, "invite", sender=creator
)
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
def test_join_rules_msc3083_restricted(self):
@ -369,11 +343,10 @@ class EventAuthTestCase(unittest.TestCase):
# Older room versions don't understand this join rule
with self.assertRaises(AuthError):
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A properly formatted join event should work.
@ -383,11 +356,10 @@ class EventAuthTestCase(unittest.TestCase):
"join_authorised_via_users_server": "@creator:example.com"
},
)
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V8,
authorised_join_event,
auth_events,
do_sig_check=False,
)
# A join issued by a specific user works (i.e. the power level checks
@ -399,7 +371,7 @@ class EventAuthTestCase(unittest.TestCase):
pl_auth_events[("m.room.member", "@inviter:foo.test")] = _join_event(
"@inviter:foo.test"
)
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V8,
_join_event(
pleb,
@ -408,16 +380,14 @@ class EventAuthTestCase(unittest.TestCase):
},
),
pl_auth_events,
do_sig_check=False,
)
# A join which is missing an authorised server is rejected.
with self.assertRaises(AuthError):
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V8,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# An join authorised by a user who is not in the room is rejected.
@ -426,7 +396,7 @@ class EventAuthTestCase(unittest.TestCase):
creator, {"invite": 100, "users": {"@other:example.com": 150}}
)
with self.assertRaises(AuthError):
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V8,
_join_event(
pleb,
@ -435,13 +405,12 @@ class EventAuthTestCase(unittest.TestCase):
},
),
auth_events,
do_sig_check=False,
)
# A user cannot be force-joined to a room. (This uses an event which
# *would* be valid, but is sent be a different user.)
with self.assertRaises(AuthError):
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V8,
_member_event(
pleb,
@ -452,36 +421,32 @@ class EventAuthTestCase(unittest.TestCase):
},
),
auth_events,
do_sig_check=False,
)
# Banned should be rejected.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "ban")
with self.assertRaises(AuthError):
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V8,
authorised_join_event,
auth_events,
do_sig_check=False,
)
# A user who left can re-join.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "leave")
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V8,
authorised_join_event,
auth_events,
do_sig_check=False,
)
# A user can send a join if they're in the room. (This doesn't need to
# be authorised since the user is already joined.)
auth_events[("m.room.member", pleb)] = _member_event(pleb, "join")
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V8,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user can accept an invite. (This doesn't need to be authorised since
@ -489,11 +454,10 @@ class EventAuthTestCase(unittest.TestCase):
auth_events[("m.room.member", pleb)] = _member_event(
pleb, "invite", sender=creator
)
event_auth.check(
event_auth.check_auth_rules_for_event(
RoomVersions.V8,
_join_event(pleb),
auth_events,
do_sig_check=False,
)