Don't auto log failed auth checks

This commit is contained in:
Erik Johnston 2016-04-13 11:11:46 +01:00
parent 10ebbaea2e
commit c53f9d561e
3 changed files with 76 additions and 62 deletions

View File

@ -68,72 +68,64 @@ class Auth(object):
""" """
self.check_size_limits(event) self.check_size_limits(event)
try: if not hasattr(event, "room_id"):
if not hasattr(event, "room_id"): raise AuthError(500, "Event has no room_id: %s" % event)
raise AuthError(500, "Event has no room_id: %s" % event) if auth_events is None:
if auth_events is None: # Oh, we don't know what the state of the room was, so we
# Oh, we don't know what the state of the room was, so we # are trusting that this is allowed (at least for now)
# are trusting that this is allowed (at least for now) logger.warn("Trusting event: %s", event.event_id)
logger.warn("Trusting event: %s", event.event_id) return True
return True
if event.type == EventTypes.Create: if event.type == EventTypes.Create:
# FIXME # FIXME
return True return True
creation_event = auth_events.get((EventTypes.Create, ""), None) creation_event = auth_events.get((EventTypes.Create, ""), None)
if not creation_event: if not creation_event:
raise SynapseError( raise SynapseError(
403,
"Room %r does not exist" % (event.room_id,)
)
creating_domain = RoomID.from_string(event.room_id).domain
originating_domain = UserID.from_string(event.sender).domain
if creating_domain != originating_domain:
if not self.can_federate(event, auth_events):
raise AuthError(
403, 403,
"Room %r does not exist" % (event.room_id,) "This room has been marked as unfederatable."
) )
creating_domain = RoomID.from_string(event.room_id).domain # FIXME: Temp hack
originating_domain = UserID.from_string(event.sender).domain if event.type == EventTypes.Aliases:
if creating_domain != originating_domain: return True
if not self.can_federate(event, auth_events):
raise AuthError(
403,
"This room has been marked as unfederatable."
)
# FIXME: Temp hack logger.debug(
if event.type == EventTypes.Aliases: "Auth events: %s",
return True [a.event_id for a in auth_events.values()]
)
logger.debug( if event.type == EventTypes.Member:
"Auth events: %s", allowed = self.is_membership_change_allowed(
[a.event_id for a in auth_events.values()] event, auth_events
) )
if allowed:
logger.debug("Allowing! %s", event)
else:
logger.debug("Denying! %s", event)
return allowed
if event.type == EventTypes.Member: self.check_event_sender_in_room(event, auth_events)
allowed = self.is_membership_change_allowed( self._can_send_event(event, auth_events)
event, auth_events
)
if allowed:
logger.debug("Allowing! %s", event)
else:
logger.debug("Denying! %s", event)
return allowed
self.check_event_sender_in_room(event, auth_events) if event.type == EventTypes.PowerLevels:
self._can_send_event(event, auth_events) self._check_power_levels(event, auth_events)
if event.type == EventTypes.PowerLevels: if event.type == EventTypes.Redaction:
self._check_power_levels(event, auth_events) self.check_redaction(event, auth_events)
if event.type == EventTypes.Redaction: logger.debug("Allowing! %s", event)
self.check_redaction(event, auth_events)
logger.debug("Allowing! %s", event)
except AuthError as e:
logger.info(
"Event auth check failed on event %s with msg: %s",
event, e.msg
)
logger.info("Denying! %s", event)
raise
def check_size_limits(self, event): def check_size_limits(self, event):
def too_big(field): def too_big(field):

View File

@ -316,7 +316,11 @@ class BaseHandler(object):
if ratelimit: if ratelimit:
self.ratelimit(requester) self.ratelimit(requester)
self.auth.check(event, auth_events=context.current_state) try:
self.auth.check(event, auth_events=context.current_state)
except AuthError as err:
logger.warn("Denying new event %r because %s", event, err)
raise err
yield self.maybe_kick_guest_users(event, context.current_state.values()) yield self.maybe_kick_guest_users(event, context.current_state.values())

View File

@ -681,9 +681,13 @@ class FederationHandler(BaseHandler):
"state_key": user_id, "state_key": user_id,
}) })
event, context = yield self._create_new_client_event( try:
builder=builder, event, context = yield self._create_new_client_event(
) builder=builder,
)
except AuthError as e:
logger.warn("Failed to create join %r because %s", event, e)
raise e
self.auth.check(event, auth_events=context.current_state) self.auth.check(event, auth_events=context.current_state)
@ -915,7 +919,11 @@ class FederationHandler(BaseHandler):
builder=builder, builder=builder,
) )
self.auth.check(event, auth_events=context.current_state) try:
self.auth.check(event, auth_events=context.current_state)
except AuthError as e:
logger.warn("Failed to create new leave %r because %s", event, e)
raise e
defer.returnValue(event) defer.returnValue(event)
@ -1512,8 +1520,9 @@ class FederationHandler(BaseHandler):
try: try:
self.auth.check(event, auth_events=auth_events) self.auth.check(event, auth_events=auth_events)
except AuthError: except AuthError as e:
raise logger.warn("Failed auth resolution for %r because %s", event, e)
raise e
@defer.inlineCallbacks @defer.inlineCallbacks
def construct_auth_difference(self, local_auth, remote_auth): def construct_auth_difference(self, local_auth, remote_auth):
@ -1689,7 +1698,12 @@ class FederationHandler(BaseHandler):
event_dict, event, context event_dict, event, context
) )
self.auth.check(event, context.current_state) try:
self.auth.check(event, context.current_state)
except AuthError as e:
logger.warn("Denying new third party invite %r because %s", event, e)
raise e
yield self._check_signature(event, auth_events=context.current_state) yield self._check_signature(event, auth_events=context.current_state)
member_handler = self.hs.get_handlers().room_member_handler member_handler = self.hs.get_handlers().room_member_handler
yield member_handler.send_membership_event(None, event, context) yield member_handler.send_membership_event(None, event, context)
@ -1714,7 +1728,11 @@ class FederationHandler(BaseHandler):
event_dict, event, context event_dict, event, context
) )
self.auth.check(event, auth_events=context.current_state) try:
self.auth.check(event, auth_events=context.current_state)
except AuthError as e:
logger.warn("Denying third party invite %r because %s", event, e)
raise e
yield self._check_signature(event, auth_events=context.current_state) yield self._check_signature(event, auth_events=context.current_state)
returned_invite = yield self.send_invite(origin, event) returned_invite = yield self.send_invite(origin, event)