# -*- coding: utf-8 -*-
# Copyright 2014 matrix.org
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This module contains classes for authenticating the user."""
from twisted.internet import defer
from synapse.api.constants import Membership
from synapse.api.errors import AuthError, StoreError, Codes
from synapse.api.events.room import RoomMemberEvent
import logging
logger = logging.getLogger(__name__)
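class Auth(object):
    """Authorisation checks for events and HTTP requests.

    Every check either succeeds (returning a value) or raises ``AuthError``.
    Room, membership and access-token state is read exclusively from the
    homeserver's datastore (``hs.get_datastore()``).
    """

    def __init__(self, hs):
        """Bind the homeserver and its datastore.

        Args:
            hs: homeserver object exposing ``get_datastore()`` and
                ``parse_userid()``; nothing else on it is used here.
        """
        self.hs = hs
        self.store = hs.get_datastore()

    @defer.inlineCallbacks
    def check(self, event, snapshot, raises=False):
        """ Checks if this event is correctly authed.

        Membership events are delegated to ``is_membership_change_allowed``;
        every other event only requires its sender to be joined to the room,
        as recorded in ``snapshot``.

        Args:
            event: the event to authorise; it must carry a ``room_id``.
            snapshot: state the event is checked against. Its
                ``membership_state``, ``user_id`` and ``room_id`` are read
                for non-membership events.
            raises (bool): if True, re-raise the ``AuthError`` instead of
                returning False.

        Returns:
            True if the auth checks pass, False if they fail and
            ``raises`` is False.

        Raises:
            AuthError if there was a problem authorising this event. This will
            be raised only if raises=True.
        """
        try:
            if not hasattr(event, "room_id"):
                # No room to check against: fail closed rather than let an
                # unrecognised event through.
                raise AuthError(500, "Unknown event: %s" % event)

            if event.type == RoomMemberEvent.TYPE:
                allowed = yield self.is_membership_change_allowed(event)
                defer.returnValue(allowed)
            else:
                self._check_joined_room(
                    member=snapshot.membership_state,
                    user_id=snapshot.user_id,
                    room_id=snapshot.room_id,
                )
                defer.returnValue(True)
        except AuthError as e:
            logger.info("Event auth check failed on event %s with msg: %s",
                        event, e.msg)
            if raises:
                # Bare ``raise`` keeps the original traceback.
                raise
            defer.returnValue(False)

    @defer.inlineCallbacks
    def check_joined_room(self, room_id, user_id):
        """Require ``user_id`` to be joined to ``room_id``.

        Args:
            room_id (str): room to look up.
            user_id (str): user whose membership is checked.

        Returns:
            The membership record returned by the store when the user is
            joined, or None if the lookup raised AttributeError.

        Raises:
            AuthError(403) if there is no membership record or it is not a
            join.
        """
        try:
            member = yield self.store.get_room_member(
                room_id=room_id,
                user_id=user_id
            )
            self._check_joined_room(member, user_id, room_id)
            defer.returnValue(member)
        except AttributeError:
            # Best-effort fallback kept from the original: a record without
            # a ``membership`` attribute yields None instead of a 403.
            # NOTE(review): callers presumably have to treat None as
            # "not joined" -- confirm at the call sites.
            logger.debug("Membership lookup for %s in %s failed",
                         user_id, room_id, exc_info=True)
        defer.returnValue(None)

    def _check_joined_room(self, member, user_id, room_id):
        """Raise unless ``member`` is a join membership record.

        Args:
            member: membership record (or None) with a ``membership``
                attribute.
            user_id (str): only used in the error message.
            room_id (str): only used in the error message.

        Raises:
            AuthError(403) if ``member`` is falsy or its membership is not
            ``Membership.JOIN``.
        """
        if not member or member.membership != Membership.JOIN:
            raise AuthError(403, "User %s not in room %s (%s)" % (
                user_id, room_id, repr(member)
            ))

    @defer.inlineCallbacks
    def _get_member_or_none(self, user_id, room_id):
        """Fetch a membership record, mapping a failed lookup to None.

        A missing record is not an auth error by itself; the membership
        rules decide what an absent caller or target means.
        NOTE(review): the store presumably raises when no record exists
        -- confirm against the datastore implementation.

        Args:
            user_id (str): member to look up.
            room_id (str): room to look in.

        Returns:
            The store's membership record, or None if the lookup raised.
        """
        try:
            member = yield self.store.get_room_member(
                user_id=user_id,
                room_id=room_id)
        except Exception:
            # Narrowed from a bare ``except:`` so that KeyboardInterrupt,
            # SystemExit and GeneratorExit still propagate.
            logger.debug("No membership record for %s in %s",
                         user_id, room_id, exc_info=True)
            member = None
        defer.returnValue(member)

    @defer.inlineCallbacks
    def is_membership_change_allowed(self, event):
        """Decide whether a membership event is allowed.

        Rules, with caller = ``event.user_id`` and target =
        ``event.state_key``:
          * invite: caller must be joined and the target must not be.
          * join: caller must be the target, and either the room is public
            or the caller is already invited or joined.
          * leave: caller must be joined and must be the target.

        Args:
            event: a RoomMemberEvent carrying ``room_id``, ``user_id``,
                ``state_key`` and ``content["membership"]``.

        Returns:
            True if the change is allowed.

        Raises:
            AuthError(403) when the change is not permitted or the room does
            not exist, AuthError(400) when ``content`` lacks a ``membership``
            key, and AuthError(500) for a membership value this check has no
            rule for.
        """
        target_user_id = event.state_key

        # does this room even exist
        room = yield self.store.get_room(event.room_id)
        if not room:
            raise AuthError(403, "Room does not exist")

        # The content is client-supplied: a missing key is a bad request,
        # not a server error, so it is reported as an AuthError instead of
        # escaping as a KeyError.
        try:
            membership = event.content["membership"]
        except KeyError:
            raise AuthError(400, "Missing membership key in content.")

        # get info about the caller
        caller = yield self._get_member_or_none(event.user_id, event.room_id)
        caller_in_room = bool(caller) and caller.membership == Membership.JOIN

        # get info about the target
        target = yield self._get_member_or_none(target_user_id, event.room_id)
        target_in_room = bool(target) and target.membership == Membership.JOIN

        if Membership.INVITE == membership:
            # Invites are valid iff caller is in the room and target isn't.
            if not caller_in_room:  # caller isn't joined
                raise AuthError(403, "You are not in room %s." % event.room_id)
            elif target_in_room:  # the target is already in the room.
                raise AuthError(403, "%s is already in the room." %
                                target_user_id)
        elif Membership.JOIN == membership:
            # Joins are valid iff caller == target and they were:
            # invited: They are accepting the invitation
            # joined: It's a NOOP
            if event.user_id != target_user_id:
                raise AuthError(403, "Cannot force another user to join.")
            elif room.is_public:
                pass  # anyone can join public rooms.
            elif (not caller or caller.membership not in
                    (Membership.INVITE, Membership.JOIN)):
                raise AuthError(403, "You are not invited to this room.")
        elif Membership.LEAVE == membership:
            if not caller_in_room:  # trying to leave a room you aren't joined
                raise AuthError(403, "You are not in room %s." % event.room_id)
            elif target_user_id != event.user_id:
                # trying to force another user to leave
                raise AuthError(403, "Cannot force %s to leave." %
                                target_user_id)
        else:
            # The value is client-controlled; anything without a rule above
            # is refused rather than allowed through.
            raise AuthError(500, "Unknown membership %s" % membership)

        defer.returnValue(True)

    def get_user_by_req(self, request):
        """ Get a registered user's ID.

        Args:
            request - An HTTP request with an access_token query parameter.
        Returns:
            A Deferred (from ``get_user_by_token``) that fires with the
            UserID object of the user making the request.
        Raises:
            AuthError if the token is missing from the request; a token that
            is present but unknown fails the returned Deferred with AuthError.
        """
        # Can optionally look elsewhere in the request (e.g. headers).
        # NOTE: a token carried in the query string is visible to anything
        # that records request URLs (access logs, proxies).
        try:
            token = request.args["access_token"][0]
        except (KeyError, IndexError):
            # IndexError covers a parameter that is present but has no values.
            raise AuthError(403, "Missing access token.")
        return self.get_user_by_token(token)

    @defer.inlineCallbacks
    def get_user_by_token(self, token):
        """ Get a registered user's ID.

        Args:
            token (str)- The access token to get the user by.
        Returns:
            UserID : User ID object of the user who has that access token.
        Raises:
            AuthError if no user by that token exists or the token is invalid.
        """
        try:
            user_id = yield self.store.get_user_by_token(token=token)
            if not user_id:
                # An empty lookup is treated like a store miss so that both
                # paths yield the same UNKNOWN_TOKEN error below.
                raise StoreError()
            defer.returnValue(self.hs.parse_userid(user_id))
        except StoreError:
            # The error message stays generic; the token itself is not
            # echoed back to the client.
            raise AuthError(403, "Unrecognised access token.",
                            errcode=Codes.UNKNOWN_TOKEN)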