From 74474a6d637359de6913ce6d02d93fdf82450df1 Mon Sep 17 00:00:00 2001 From: Daniel Wagner-Hall Date: Mon, 18 Jan 2016 16:32:33 +0000 Subject: [PATCH 1/2] Pull out app service user lookup I find this a lot simpler than nested try-catches and stuff --- synapse/api/auth.py | 59 +++++++++++++++++++++------------------------ 1 file changed, 28 insertions(+), 31 deletions(-) diff --git a/synapse/api/auth.py b/synapse/api/auth.py index e36313e2f..cc0296adf 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -510,42 +510,14 @@ class Auth(object): """ # Can optionally look elsewhere in the request (e.g. headers) try: - access_token = request.args["access_token"][0] - - # Check for application service tokens with a user_id override - try: - app_service = yield self.store.get_app_service_by_token( - access_token - ) - if not app_service: - raise KeyError - - user_id = app_service.sender - if "user_id" in request.args: - user_id = request.args["user_id"][0] - if not app_service.is_interested_in_user(user_id): - raise AuthError( - 403, - "Application service cannot masquerade as this user." - ) - if not (yield self.store.get_user_by_id(user_id)): - raise AuthError( - 403, - "Application service has not registered this user" - ) - - if not user_id: - raise KeyError - + user_id = yield self._get_appservice_user_id(request.args) + if user_id: request.authenticated_entity = user_id - defer.returnValue( Requester(UserID.from_string(user_id), "", False) ) - return - except KeyError: - pass # normal users won't have the user_id query parameter set. + access_token = request.args["access_token"][0] user_info = yield self._get_user_by_access_token(access_token) user = user_info["user"] token_id = user_info["token_id"] @@ -578,6 +550,31 @@ class Auth(object): errcode=Codes.MISSING_TOKEN ) + @defer.inlineCallbacks + def _get_appservice_user_id(self, request_args): + app_service = yield self.store.get_app_service_by_token( + request_args["access_token"][0] + ) + if app_service is None: + defer.returnValue(None) + + if "user_id" not in request_args: + defer.returnValue(app_service.sender) + + user_id = request_args["user_id"][0] + + if not app_service.is_interested_in_user(user_id): + raise AuthError( + 403, + "Application service cannot masquerade as this user." + ) + if not (yield self.store.get_user_by_id(user_id)): + raise AuthError( + 403, + "Application service has not registered this user" + ) + defer.returnValue(user_id) + @defer.inlineCallbacks def _get_user_by_access_token(self, token): """ Get a registered user's ID. From 808a8aedab4dbd2166b5935b86edf65501cc24a3 Mon Sep 17 00:00:00 2001 From: Daniel Wagner-Hall Date: Mon, 18 Jan 2016 16:33:05 +0000 Subject: [PATCH 2/2] Don't error on AS non-ghost user use This will probably go away either when we fix our existing ASes, or when we kill the concept of non-ghost users. --- synapse/api/auth.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/synapse/api/auth.py b/synapse/api/auth.py index cc0296adf..b5536e856 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -562,6 +562,8 @@ class Auth(object): defer.returnValue(app_service.sender) user_id = request_args["user_id"][0] + if app_service.sender == user_id: + defer.returnValue(app_service.sender) if not app_service.is_interested_in_user(user_id): raise AuthError(