Add ability for access tokens to belong to one user but grant access to another user. (#8616)

We do it this way round so that only the "owner" can delete the access token (i.e. `/logout/all` by the "owner" also deletes that token, but `/logout/all` by the "target user" doesn't). A future PR will add an API for creating such a token. When the target user and authenticated entity are different the `Processed request` log line will be logged with a: `{@admin:server as @bob:server} ...`. I'm not convinced by that format (especially since it adds spaces in there, making it harder to use `cut -d ' '` to chop off the start of log lines). Suggestions welcome.
2025-05-02 10:06:05 -04:00 · 2020-10-29 15:58:44 +00:00 · 2020-10-29 15:58:44 +00:00 · f21e24ffc2
commit f21e24ffc2
parent 22eeb6bc54
22 changed files with 197 additions and 138 deletions
--- a/synapse/types.py
+++ b/synapse/types.py
@ -29,6 +29,7 @@ from typing import (
    Tuple,
    Type,
    TypeVar,
+    Union,
 )

 import attr
@ -38,6 +39,7 @@ from unpaddedbase64 import decode_base64
 from synapse.api.errors import Codes, SynapseError

 if TYPE_CHECKING:
+    from synapse.appservice.api import ApplicationService
    from synapse.storage.databases.main import DataStore

 # define a version of typing.Collection that works on python 3.5
@ -74,6 +76,7 @@ class Requester(
            "shadow_banned",
            "device_id",
            "app_service",
+            "authenticated_entity",
        ],
    )
 ):
@ -104,6 +107,7 @@ class Requester(
            "shadow_banned": self.shadow_banned,
            "device_id": self.device_id,
            "app_server_id": self.app_service.id if self.app_service else None,
+            "authenticated_entity": self.authenticated_entity,
        }

    @staticmethod
@ -129,16 +133,18 @@ class Requester(
            shadow_banned=input["shadow_banned"],
            device_id=input["device_id"],
            app_service=appservice,
+            authenticated_entity=input["authenticated_entity"],
        )


 def create_requester(
-    user_id,
-    access_token_id=None,
-    is_guest=False,
-    shadow_banned=False,
-    device_id=None,
-    app_service=None,
+    user_id: Union[str, "UserID"],
+    access_token_id: Optional[int] = None,
+    is_guest: Optional[bool] = False,
+    shadow_banned: Optional[bool] = False,
+    device_id: Optional[str] = None,
+    app_service: Optional["ApplicationService"] = None,
+    authenticated_entity: Optional[str] = None,
 ):
    """
    Create a new ``Requester`` object
@ -151,14 +157,27 @@ def create_requester(
        shadow_banned (bool):  True if the user making this request is shadow-banned.
        device_id (str|None):  device_id which was set at authentication time
        app_service (ApplicationService|None):  the AS requesting on behalf of the user
+        authenticated_entity: The entity that authenticated when making the request.
+            This is different to the user_id when an admin user or the server is
+            "puppeting" the user.

    Returns:
        Requester
    """
    if not isinstance(user_id, UserID):
        user_id = UserID.from_string(user_id)
+
+    if authenticated_entity is None:
+        authenticated_entity = user_id.to_string()
+
    return Requester(
-        user_id, access_token_id, is_guest, shadow_banned, device_id, app_service
+        user_id,
+        access_token_id,
+        is_guest,
+        shadow_banned,
+        device_id,
+        app_service,
+        authenticated_entity,
    )