Make key fetches use regular federation client (#4426)

All this magic is redundant.
2024-10-01 11:49:51 -04:00 · 2019-01-22 11:04:20 +00:00 · 2019-01-22 11:04:20 +00:00 · 6bfa735a69
commit 6bfa735a69
parent 33a55289cb
3 changed files with 8 additions and 172 deletions
--- a/changelog.d/4426.misc
+++ b/changelog.d/4426.misc
@ -0,0 +1 @@
 Remove redundant SynapseKeyClientProtocol magic
--- a/synapse/crypto/keyclient.py
+++ b/synapse/crypto/keyclient.py
@ -1,149 +0,0 @@
 # -*- coding: utf-8 -*-
 # Copyright 2014-2016 OpenMarket Ltd
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 import logging
 from six.moves import urllib
 from canonicaljson import json
 from twisted.internet import defer, reactor
 from twisted.internet.error import ConnectError
 from twisted.internet.protocol import Factory
 from twisted.names.error import DomainError
 from twisted.web.http import HTTPClient
 from synapse.http.endpoint import matrix_federation_endpoint
 from synapse.util import logcontext
 logger = logging.getLogger(__name__)
 KEY_API_V2 = "/_matrix/key/v2/server/%s"
@defer.inlineCallbacks
 def fetch_server_key(server_name, tls_client_options_factory, key_id):
    """Fetch the keys for a remote server."""
    factory = SynapseKeyClientFactory()
    factory.path = KEY_API_V2 % (urllib.parse.quote(key_id), )
    factory.host = server_name
    endpoint = matrix_federation_endpoint(
        reactor, server_name, tls_client_options_factory, timeout=30
    )
    for i in range(5):
        try:
            with logcontext.PreserveLoggingContext():
                protocol = yield endpoint.connect(factory)
                server_response, server_certificate = yield protocol.remote_key
                defer.returnValue((server_response, server_certificate))
        except SynapseKeyClientError as e:
            logger.warn("Error getting key for %r: %s", server_name, e)
            if e.status.startswith(b"4"):
                # Don't retry for 4xx responses.
                raise IOError("Cannot get key for %r" % server_name)
        except (ConnectError, DomainError) as e:
            logger.warn("Error getting key for %r: %s", server_name, e)
        except Exception:
            logger.exception("Error getting key for %r", server_name)
    raise IOError("Cannot get key for %r" % server_name)
 class SynapseKeyClientError(Exception):
    """The key wasn't retrieved from the remote server."""
    status = None
    pass
 class SynapseKeyClientProtocol(HTTPClient):
    """Low level HTTPS client which retrieves an application/json response from
    the server and extracts the X.509 certificate for the remote peer from the
    SSL connection."""
    timeout = 30
    def __init__(self):
        self.remote_key = defer.Deferred()
        self.host = None
        self._peer = None
    def connectionMade(self):
        self._peer = self.transport.getPeer()
        logger.debug("Connected to %s", self._peer)
        if not isinstance(self.path, bytes):
            self.path = self.path.encode('ascii')
        if not isinstance(self.host, bytes):
            self.host = self.host.encode('ascii')
        self.sendCommand(b"GET", self.path)
        if self.host:
            self.sendHeader(b"Host", self.host)
        self.endHeaders()
        self.timer = reactor.callLater(
            self.timeout,
            self.on_timeout
        )
    def errback(self, error):
        if not self.remote_key.called:
            self.remote_key.errback(error)
    def callback(self, result):
        if not self.remote_key.called:
            self.remote_key.callback(result)
    def handleStatus(self, version, status, message):
        if status != b"200":
            # logger.info("Non-200 response from %s: %s %s",
            #            self.transport.getHost(), status, message)
            error = SynapseKeyClientError(
                "Non-200 response %r from %r" % (status, self.host)
            )
            error.status = status
            self.errback(error)
            self.transport.abortConnection()
    def handleResponse(self, response_body_bytes):
        try:
            json_response = json.loads(response_body_bytes)
        except ValueError:
            # logger.info("Invalid JSON response from %s",
            #            self.transport.getHost())
            self.transport.abortConnection()
            return
        certificate = self.transport.getPeerCertificate()
        self.callback((json_response, certificate))
        self.transport.abortConnection()
        self.timer.cancel()
    def on_timeout(self):
        logger.debug(
            "Timeout waiting for response from %s: %s",
            self.host, self._peer,
        )
        self.errback(IOError("Timeout waiting for response"))
        self.transport.abortConnection()
 class SynapseKeyClientFactory(Factory):
    def protocol(self):
        protocol = SynapseKeyClientProtocol()
        protocol.path = self.path
        protocol.host = self.host
        return protocol
--- a/synapse/crypto/keyring.py
+++ b/synapse/crypto/keyring.py
@ -14,10 +14,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 import hashlib
 import logging
 from collections import namedtuple
 from six.moves import urllib
 from signedjson.key import (
    decode_verify_key_bytes,
    encode_verify_key_base64,
@ -30,13 +31,11 @@ from signedjson.sign import (
    signature_ids,
    verify_signed_json,
 )
-from unpaddedbase64 import decode_base64, encode_base64
+from unpaddedbase64 import decode_base64
 from OpenSSL import crypto
 from twisted.internet import defer
 from synapse.api.errors import Codes, SynapseError
 from synapse.crypto.keyclient import fetch_server_key
 from synapse.util import logcontext, unwrapFirstError
 from synapse.util.logcontext import (
    LoggingContext,
@ -503,31 +502,16 @@ class Keyring(object):
            if requested_key_id in keys:
                continue
-            (response, tls_certificate) = yield fetch_server_key(
+            response = yield self.client.get_json(
-                server_name, self.hs.tls_client_options_factory, requested_key_id
+                destination=server_name,
                path="/_matrix/key/v2/server/" + urllib.parse.quote(requested_key_id),
                ignore_backoff=True,
            )
            if (u"signatures" not in response
                    or server_name not in response[u"signatures"]):
                raise KeyLookupError("Key response not signed by remote server")
            if "tls_fingerprints" not in response:
                raise KeyLookupError("Key response missing TLS fingerprints")
            certificate_bytes = crypto.dump_certificate(
                crypto.FILETYPE_ASN1, tls_certificate
            )
            sha256_fingerprint = hashlib.sha256(certificate_bytes).digest()
            sha256_fingerprint_b64 = encode_base64(sha256_fingerprint)
            response_sha256_fingerprints = set()
            for fingerprint in response[u"tls_fingerprints"]:
                if u"sha256" in fingerprint:
                    response_sha256_fingerprints.add(fingerprint[u"sha256"])
            if sha256_fingerprint_b64 not in response_sha256_fingerprints:
                raise KeyLookupError("TLS certificate not allowed by fingerprints")
            response_keys = yield self.process_v2_response(
                from_server=server_name,
                requested_ids=[requested_key_id],
		`@ -0,0 +1 @@`
							`Remove redundant SynapseKeyClientProtocol magic`