Move some event auth checks out to a different method (#13065)

* Add auth events to events used in tests * Move some event auth checks out to a different method Some of the event auth checks apply to an event's auth_events, rather than the state at the event - which means they can play no part in state resolution. Move them out to a separate method. * Rename check_auth_rules_for_event Now it only checks the state-dependent auth rules, it needs a better name.
2025-08-09 22:42:13 -04:00 · 2022-06-15 19:48:22 +01:00 · 2022-06-15 19:48:22 +01:00 · 8ecf6be1e1
commit 8ecf6be1e1
parent cba1c5cbc2
7 changed files with 219 additions and 98 deletions
--- a/synapse/handlers/federation_event.py
+++ b/synapse/handlers/federation_event.py
@ -50,7 +50,8 @@ from synapse.api.errors import (
 from synapse.api.room_versions import KNOWN_ROOM_VERSIONS, RoomVersion, RoomVersions
 from synapse.event_auth import (
    auth_types_for_event,
-    check_auth_rules_for_event,
+    check_state_dependent_auth_rules,
+    check_state_independent_auth_rules,
    validate_event_for_room_version,
 )
 from synapse.events import EventBase
@ -1430,7 +1431,9 @@ class FederationEventHandler:
            allow_rejected=True,
        )

-        def prep(event: EventBase) -> Optional[Tuple[EventBase, EventContext]]:
+        events_and_contexts_to_persist: List[Tuple[EventBase, EventContext]] = []
+
+        async def prep(event: EventBase) -> None:
            with nested_logging_context(suffix=event.event_id):
                auth = []
                for auth_event_id in event.auth_event_ids():
@ -1444,7 +1447,7 @@ class FederationEventHandler:
                            event,
                            auth_event_id,
                        )
-                        return None
+                        return
                    auth.append(ae)

                # we're not bothering about room state, so flag the event as an outlier.
@ -1453,17 +1456,20 @@ class FederationEventHandler:
                context = EventContext.for_outlier(self._storage_controllers)
                try:
                    validate_event_for_room_version(event)
-                    check_auth_rules_for_event(event, auth)
+                    await check_state_independent_auth_rules(self._store, event)
+                    check_state_dependent_auth_rules(event, auth)
                except AuthError as e:
                    logger.warning("Rejecting %r because %s", event, e)
                    context.rejected = RejectedReason.AUTH_ERROR

-            return event, context
+            events_and_contexts_to_persist.append((event, context))
+
+        for event in fetched_events:
+            await prep(event)

-        events_to_persist = (x for x in (prep(event) for event in fetched_events) if x)
        await self.persist_events_and_notify(
            room_id,
-            tuple(events_to_persist),
+            events_and_contexts_to_persist,
            # Mark these events backfilled as they're historic events that will
            # eventually be backfilled. For example, missing events we fetch
            # during backfill should be marked as backfilled as well.
@ -1515,7 +1521,8 @@ class FederationEventHandler:

        # ... and check that the event passes auth at those auth events.
        try:
-            check_auth_rules_for_event(event, claimed_auth_events)
+            await check_state_independent_auth_rules(self._store, event)
+            check_state_dependent_auth_rules(event, claimed_auth_events)
        except AuthError as e:
            logger.warning(
                "While checking auth of %r against auth_events: %s", event, e
@ -1563,7 +1570,7 @@ class FederationEventHandler:
            auth_events_for_auth = calculated_auth_event_map

        try:
-            check_auth_rules_for_event(event, auth_events_for_auth.values())
+            check_state_dependent_auth_rules(event, auth_events_for_auth.values())
        except AuthError as e:
            logger.warning("Failed auth resolution for %r because %s", event, e)
            context.rejected = RejectedReason.AUTH_ERROR
@ -1663,7 +1670,7 @@ class FederationEventHandler:
        )

        try:
-            check_auth_rules_for_event(event, current_auth_events)
+            check_state_dependent_auth_rules(event, current_auth_events)
        except AuthError as e:
            logger.warning(
                "Soft-failing %r (from %s) because %s",