Add admin API for logging in as a user (#8617)

2025-11-13 03:30:50 -05:00 · 2020-11-17 10:51:25 +00:00 · 2020-11-17 10:51:25 +00:00 · f737368a26
commit f737368a26
parent 3dc1871219
25 changed files with 475 additions and 87 deletions
--- a/synapse/handlers/_base.py
+++ b/synapse/handlers/_base.py
@ -169,7 +169,9 @@ class BaseHandler:
                # and having homeservers have their own users leave keeps more
                # of that decision-making and control local to the guest-having
                # homeserver.
-                requester = synapse.types.create_requester(target_user, is_guest=True)
+                requester = synapse.types.create_requester(
+                    target_user, is_guest=True, authenticated_entity=self.server_name
+                )
                handler = self.hs.get_room_member_handler()
                await handler.update_membership(
                    requester,
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@ -698,8 +698,12 @@ class AuthHandler(BaseHandler):
        }

    async def get_access_token_for_user_id(
-        self, user_id: str, device_id: Optional[str], valid_until_ms: Optional[int]
-    ):
+        self,
+        user_id: str,
+        device_id: Optional[str],
+        valid_until_ms: Optional[int],
+        puppets_user_id: Optional[str] = None,
+    ) -> str:
        """
        Creates a new access token for the user with the given user ID.

@ -725,13 +729,25 @@ class AuthHandler(BaseHandler):
            fmt_expiry = time.strftime(
                " until %Y-%m-%d %H:%M:%S", time.localtime(valid_until_ms / 1000.0)
            )
-        logger.info("Logging in user %s on device %s%s", user_id, device_id, fmt_expiry)
+
+        if puppets_user_id:
+            logger.info(
+                "Logging in user %s as %s%s", user_id, puppets_user_id, fmt_expiry
+            )
+        else:
+            logger.info(
+                "Logging in user %s on device %s%s", user_id, device_id, fmt_expiry
+            )

        await self.auth.check_auth_blocking(user_id)

        access_token = self.macaroon_gen.generate_access_token(user_id)
        await self.store.add_access_token_to_user(
-            user_id, access_token, device_id, valid_until_ms
+            user_id=user_id,
+            token=access_token,
+            device_id=device_id,
+            valid_until_ms=valid_until_ms,
+            puppets_user_id=puppets_user_id,
        )

        # the device *should* have been registered before we got here; however,
--- a/synapse/handlers/deactivate_account.py
+++ b/synapse/handlers/deactivate_account.py
@ -39,6 +39,7 @@ class DeactivateAccountHandler(BaseHandler):
        self._room_member_handler = hs.get_room_member_handler()
        self._identity_handler = hs.get_identity_handler()
        self.user_directory_handler = hs.get_user_directory_handler()
+        self._server_name = hs.hostname

        # Flag that indicates whether the process to part users from rooms is running
        self._user_parter_running = False
@ -152,7 +153,7 @@ class DeactivateAccountHandler(BaseHandler):
        for room in pending_invites:
            try:
                await self._room_member_handler.update_membership(
-                    create_requester(user),
+                    create_requester(user, authenticated_entity=self._server_name),
                    user,
                    room.room_id,
                    "leave",
@ -208,7 +209,7 @@ class DeactivateAccountHandler(BaseHandler):
            logger.info("User parter parting %r from %r", user_id, room_id)
            try:
                await self._room_member_handler.update_membership(
-                    create_requester(user),
+                    create_requester(user, authenticated_entity=self._server_name),
                    user,
                    room_id,
                    "leave",
--- a/synapse/handlers/message.py
+++ b/synapse/handlers/message.py
@ -472,7 +472,7 @@ class EventCreationHandler:
        Returns:
            Tuple of created event, Context
        """
-        await self.auth.check_auth_blocking(requester.user.to_string())
+        await self.auth.check_auth_blocking(requester=requester)

        if event_dict["type"] == EventTypes.Create and event_dict["state_key"] == "":
            room_version = event_dict["content"]["room_version"]
@ -619,7 +619,13 @@ class EventCreationHandler:
        if requester.app_service is not None:
            return

-        user_id = requester.user.to_string()
+        user_id = requester.authenticated_entity
+        if not user_id.startswith("@"):
+            # The authenticated entity might not be a user, e.g. if it's the
+            # server puppetting the user.
+            return
+
+        user = UserID.from_string(user_id)

        # exempt the system notices user
        if (
@ -639,9 +645,7 @@ class EventCreationHandler:
        if u["consent_version"] == self.config.user_consent_version:
            return

-        consent_uri = self._consent_uri_builder.build_user_consent_uri(
-            requester.user.localpart
-        )
+        consent_uri = self._consent_uri_builder.build_user_consent_uri(user.localpart)
        msg = self._block_events_without_consent_error % {"consent_uri": consent_uri}
        raise ConsentNotGivenError(msg=msg, consent_uri=consent_uri)

@ -1252,7 +1256,7 @@ class EventCreationHandler:
        for user_id in members:
            if not self.hs.is_mine_id(user_id):
                continue
-            requester = create_requester(user_id)
+            requester = create_requester(user_id, authenticated_entity=self.server_name)
            try:
                event, context = await self.create_event(
                    requester,
@ -1273,11 +1277,6 @@ class EventCreationHandler:
                    requester, event, context, ratelimit=False, ignore_shadow_ban=True,
                )
                return True
-            except ConsentNotGivenError:
-                logger.info(
-                    "Failed to send dummy event into room %s for user %s due to "
-                    "lack of consent. Will try another user" % (room_id, user_id)
-                )
            except AuthError:
                logger.info(
                    "Failed to send dummy event into room %s for user %s due to "
--- a/synapse/handlers/profile.py
+++ b/synapse/handlers/profile.py
@ -206,7 +206,9 @@ class ProfileHandler(BaseHandler):
        # the join event to update the displayname in the rooms.
        # This must be done by the target user himself.
        if by_admin:
-            requester = create_requester(target_user)
+            requester = create_requester(
+                target_user, authenticated_entity=requester.authenticated_entity,
+            )

        await self.store.set_profile_displayname(
            target_user.localpart, displayname_to_set
@ -286,7 +288,9 @@ class ProfileHandler(BaseHandler):

        # Same like set_displayname
        if by_admin:
-            requester = create_requester(target_user)
+            requester = create_requester(
+                target_user, authenticated_entity=requester.authenticated_entity
+            )

        await self.store.set_profile_avatar_url(target_user.localpart, new_avatar_url)

--- a/synapse/handlers/register.py
+++ b/synapse/handlers/register.py
@ -52,6 +52,7 @@ class RegistrationHandler(BaseHandler):
        self.ratelimiter = hs.get_registration_ratelimiter()
        self.macaroon_gen = hs.get_macaroon_generator()
        self._server_notices_mxid = hs.config.server_notices_mxid
+        self._server_name = hs.hostname

        self.spam_checker = hs.get_spam_checker()

@ -317,7 +318,8 @@ class RegistrationHandler(BaseHandler):
        requires_join = False
        if self.hs.config.registration.auto_join_user_id:
            fake_requester = create_requester(
-                self.hs.config.registration.auto_join_user_id
+                self.hs.config.registration.auto_join_user_id,
+                authenticated_entity=self._server_name,
            )

            # If the room requires an invite, add the user to the list of invites.
@ -329,7 +331,9 @@ class RegistrationHandler(BaseHandler):
            # being necessary this will occur after the invite was sent.
            requires_join = True
        else:
-            fake_requester = create_requester(user_id)
+            fake_requester = create_requester(
+                user_id, authenticated_entity=self._server_name
+            )

        # Choose whether to federate the new room.
        if not self.hs.config.registration.autocreate_auto_join_rooms_federated:
@ -362,7 +366,9 @@ class RegistrationHandler(BaseHandler):
                    # created it, then ensure the first user joins it.
                    if requires_join:
                        await room_member_handler.update_membership(
-                            requester=create_requester(user_id),
+                            requester=create_requester(
+                                user_id, authenticated_entity=self._server_name
+                            ),
                            target=UserID.from_string(user_id),
                            room_id=info["room_id"],
                            # Since it was just created, there are no remote hosts.
@ -370,11 +376,6 @@ class RegistrationHandler(BaseHandler):
                            action="join",
                            ratelimit=False,
                        )
-
-            except ConsentNotGivenError as e:
-                # Technically not necessary to pull out this error though
-                # moving away from bare excepts is a good thing to do.
-                logger.error("Failed to join new user to %r: %r", r, e)
            except Exception as e:
                logger.error("Failed to join new user to %r: %r", r, e)

@ -426,7 +427,8 @@ class RegistrationHandler(BaseHandler):
                if requires_invite:
                    await room_member_handler.update_membership(
                        requester=create_requester(
-                            self.hs.config.registration.auto_join_user_id
+                            self.hs.config.registration.auto_join_user_id,
+                            authenticated_entity=self._server_name,
                        ),
                        target=UserID.from_string(user_id),
                        room_id=room_id,
@ -437,7 +439,9 @@ class RegistrationHandler(BaseHandler):

                # Send the join.
                await room_member_handler.update_membership(
-                    requester=create_requester(user_id),
+                    requester=create_requester(
+                        user_id, authenticated_entity=self._server_name
+                    ),
                    target=UserID.from_string(user_id),
                    room_id=room_id,
                    remote_room_hosts=remote_room_hosts,
--- a/synapse/handlers/room.py
+++ b/synapse/handlers/room.py
@ -587,7 +587,7 @@ class RoomCreationHandler(BaseHandler):
        """
        user_id = requester.user.to_string()

-        await self.auth.check_auth_blocking(user_id)
+        await self.auth.check_auth_blocking(requester=requester)

        if (
            self._server_notices_mxid is not None
@ -1257,7 +1257,9 @@ class RoomShutdownHandler:
                    400, "User must be our own: %s" % (new_room_user_id,)
                )

-            room_creator_requester = create_requester(new_room_user_id)
+            room_creator_requester = create_requester(
+                new_room_user_id, authenticated_entity=requester_user_id
+            )

            info, stream_id = await self._room_creation_handler.create_room(
                room_creator_requester,
@ -1297,7 +1299,9 @@ class RoomShutdownHandler:

            try:
                # Kick users from room
-                target_requester = create_requester(user_id)
+                target_requester = create_requester(
+                    user_id, authenticated_entity=requester_user_id
+                )
                _, stream_id = await self.room_member_handler.update_membership(
                    requester=target_requester,
                    target=target_requester.user,
--- a/synapse/handlers/room_member.py
+++ b/synapse/handlers/room_member.py
@ -965,6 +965,7 @@ class RoomMemberMasterHandler(RoomMemberHandler):

        self.distributor = hs.get_distributor()
        self.distributor.declare("user_left_room")
+        self._server_name = hs.hostname

    async def _is_remote_room_too_complex(
        self, room_id: str, remote_room_hosts: List[str]
@ -1059,7 +1060,9 @@ class RoomMemberMasterHandler(RoomMemberHandler):
                return event_id, stream_id

            # The room is too large. Leave.
-            requester = types.create_requester(user, None, False, False, None)
+            requester = types.create_requester(
+                user, authenticated_entity=self._server_name
+            )
            await self.update_membership(
                requester=requester, target=user, room_id=room_id, action="leave"
            )
--- a/synapse/handlers/sync.py
+++ b/synapse/handlers/sync.py
@ -31,6 +31,7 @@ from synapse.types import (
    Collection,
    JsonDict,
    MutableStateMap,
+    Requester,
    RoomStreamToken,
    StateMap,
    StreamToken,
@ -260,6 +261,7 @@ class SyncHandler:

    async def wait_for_sync_for_user(
        self,
+        requester: Requester,
        sync_config: SyncConfig,
        since_token: Optional[StreamToken] = None,
        timeout: int = 0,
@ -273,7 +275,7 @@ class SyncHandler:
        # not been exceeded (if not part of the group by this point, almost certain
        # auth_blocking will occur)
        user_id = sync_config.user.to_string()
-        await self.auth.check_auth_blocking(user_id)
+        await self.auth.check_auth_blocking(requester=requester)

        res = await self.response_cache.wrap(
            sync_config.request_key,