From 560c71c7352946f70f58d6fc3d0c459084127b21 Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Wed, 13 Jul 2016 13:07:19 +0100
Subject: [PATCH 1/4] Check creation event's room_id domain matches sender's

---
 synapse/api/auth.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index a4d658a9d..29b4ac456 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -86,6 +86,13 @@ class Auth(object):
                 return True
 
             if event.type == EventTypes.Create:
+                room_id_domain = get_domain_from_id(event.room_id)
+                sender_domain = get_domain_from_id(event.sender)
+                if room_id_domain != sender_domain:
+                    raise AuthError(
+                        403,
+                        "Creation event's room_id domain does not match sender's"
+                    )
                 # FIXME
                 return True
 

From 2cb758ac75e529d9d093122a207ec43bcfa5f067 Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Wed, 13 Jul 2016 13:12:25 +0100
Subject: [PATCH 2/4] Check if alias event's state_key matches sender's domain

---
 synapse/api/auth.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 29b4ac456..e05defd7d 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -115,6 +115,17 @@ class Auth(object):
 
             # FIXME: Temp hack
             if event.type == EventTypes.Aliases:
+                if not event.state_key:
+                    raise AuthError(
+                        403,
+                        "Alias event must have non-empty state_key"
+                    )
+                sender_domain = get_domain_from_id(event.sender)
+                if event.state_key != sender_domain:
+                    raise AuthError(
+                        403,
+                        "Alias event's state_key does not match sender's domain"
+                    )
                 return True
 
             logger.debug(

From ebdafd8114d1aed631a3497ad142f79efa9face7 Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Thu, 14 Jul 2016 16:49:37 +0100
Subject: [PATCH 3/4] Check sender signed event

---
 synapse/api/auth.py            | 10 ++++++++--
 synapse/handlers/federation.py |  4 ++--
 synapse/state.py               |  4 ++--
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index e05defd7d..e2f40ee65 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -63,7 +63,7 @@ class Auth(object):
             "user_id = ",
         ])
 
-    def check(self, event, auth_events):
+    def check(self, event, auth_events, do_sig_check=True):
         """ Checks if this event is correctly authed.
 
         Args:
@@ -79,6 +79,13 @@ class Auth(object):
 
             if not hasattr(event, "room_id"):
                 raise AuthError(500, "Event has no room_id: %s" % event)
+
+            sender_domain = get_domain_from_id(event.sender)
+
+            # Check the sender's domain has signed the event
+            if do_sig_check and not event.signatures.get(sender_domain):
+                raise AuthError(403, "Event not signed by sending server")
+
             if auth_events is None:
                 # Oh, we don't know what the state of the room was, so we
                 # are trusting that this is allowed (at least for now)
@@ -87,7 +94,6 @@ class Auth(object):
 
             if event.type == EventTypes.Create:
                 room_id_domain = get_domain_from_id(event.room_id)
-                sender_domain = get_domain_from_id(event.sender)
                 if room_id_domain != sender_domain:
                     raise AuthError(
                         403,
diff --git a/synapse/handlers/federation.py b/synapse/handlers/federation.py
index 351b21824..4e8ffa8f7 100644
--- a/synapse/handlers/federation.py
+++ b/synapse/handlers/federation.py
@@ -688,7 +688,7 @@ class FederationHandler(BaseHandler):
             logger.warn("Failed to create join %r because %s", event, e)
             raise e
 
-        self.auth.check(event, auth_events=context.current_state)
+        self.auth.check(event, auth_events=context.current_state, do_sig_check=False)
 
         defer.returnValue(event)
 
@@ -918,7 +918,7 @@ class FederationHandler(BaseHandler):
         )
 
         try:
-            self.auth.check(event, auth_events=context.current_state)
+            self.auth.check(event, auth_events=context.current_state, do_sig_check=False)
         except AuthError as e:
             logger.warn("Failed to create new leave %r because %s", event, e)
             raise e
diff --git a/synapse/state.py b/synapse/state.py
index d0f76dc4f..d7d08570c 100644
--- a/synapse/state.py
+++ b/synapse/state.py
@@ -379,7 +379,7 @@ class StateHandler(object):
             try:
                 # FIXME: hs.get_auth() is bad style, but we need to do it to
                 # get around circular deps.
-                self.hs.get_auth().check(event, auth_events)
+                self.hs.get_auth().check(event, auth_events, do_sig_check=False)
                 prev_event = event
             except AuthError:
                 return prev_event
@@ -391,7 +391,7 @@ class StateHandler(object):
             try:
                 # FIXME: hs.get_auth() is bad style, but we need to do it to
                 # get around circular deps.
-                self.hs.get_auth().check(event, auth_events)
+                self.hs.get_auth().check(event, auth_events, do_sig_check=False)
                 return event
             except AuthError:
                 pass

From 9e1b43bcbf46c38510cd8348b7df3eb5f6374e81 Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Fri, 15 Jul 2016 09:29:54 +0100
Subject: [PATCH 4/4] Comment

---
 synapse/handlers/federation.py | 4 ++++
 synapse/state.py               | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/synapse/handlers/federation.py b/synapse/handlers/federation.py
index 4e8ffa8f7..7622962d4 100644
--- a/synapse/handlers/federation.py
+++ b/synapse/handlers/federation.py
@@ -688,6 +688,8 @@ class FederationHandler(BaseHandler):
             logger.warn("Failed to create join %r because %s", event, e)
             raise e
 
+        # The remote hasn't signed it yet, obviously. We'll do the full checks
+        # when we get the event back in `on_send_join_request`
         self.auth.check(event, auth_events=context.current_state, do_sig_check=False)
 
         defer.returnValue(event)
@@ -918,6 +920,8 @@ class FederationHandler(BaseHandler):
         )
 
         try:
+            # The remote hasn't signed it yet, obviously. We'll do the full checks
+            # when we get the event back in `on_send_leave_request`
             self.auth.check(event, auth_events=context.current_state, do_sig_check=False)
         except AuthError as e:
             logger.warn("Failed to create new leave %r because %s", event, e)
diff --git a/synapse/state.py b/synapse/state.py
index d7d08570c..ef1bc470b 100644
--- a/synapse/state.py
+++ b/synapse/state.py
@@ -379,6 +379,7 @@ class StateHandler(object):
             try:
                 # FIXME: hs.get_auth() is bad style, but we need to do it to
                 # get around circular deps.
+                # The signatures have already been checked at this point
                 self.hs.get_auth().check(event, auth_events, do_sig_check=False)
                 prev_event = event
             except AuthError:
@@ -391,6 +392,7 @@ class StateHandler(object):
             try:
                 # FIXME: hs.get_auth() is bad style, but we need to do it to
                 # get around circular deps.
+                # The signatures have already been checked at this point
                 self.hs.get_auth().check(event, auth_events, do_sig_check=False)
                 return event
             except AuthError: