Fix messages from multiple senders in historical chunk (MSC2716) (#10276)

Fix messages from multiple senders in historical chunk. This also means that an app service does not need to define `?user_id` when using this endpoint.

Follow-up to https://github.com/matrix-org/synapse/pull/9247

Part of MSC2716: https://github.com/matrix-org/matrix-doc/pull/2716
This commit is contained in:
Eric Eastwood 2021-07-13 14:12:33 -05:00 committed by GitHub
parent 30b56f6925
commit 0d5b08ac7a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 76 additions and 11 deletions

1
changelog.d/10276.bugfix Normal file
View File

@ -0,0 +1 @@
Fix historical batch send endpoint (MSC2716) rejecting batches with messages from multiple senders.

View File

@ -240,6 +240,37 @@ class Auth:
except KeyError: except KeyError:
raise MissingClientTokenError() raise MissingClientTokenError()
async def validate_appservice_can_control_user_id(
self, app_service: ApplicationService, user_id: str
):
"""Validates that the app service is allowed to control
the given user.
Args:
app_service: The app service that controls the user
user_id: The author MXID that the app service is controlling
Raises:
AuthError: If the application service is not allowed to control the user
(user namespace regex does not match, wrong homeserver, etc)
or if the user has not been registered yet.
"""
# It's ok if the app service is trying to use the sender from their registration
if app_service.sender == user_id:
pass
# Check to make sure the app service is allowed to control the user
elif not app_service.is_interested_in_user(user_id):
raise AuthError(
403,
"Application service cannot masquerade as this user (%s)." % user_id,
)
# Check to make sure the user is already registered on the homeserver
elif not (await self.store.get_user_by_id(user_id)):
raise AuthError(
403, "Application service has not registered this user (%s)" % user_id
)
async def _get_appservice_user_id( async def _get_appservice_user_id(
self, request: Request self, request: Request
) -> Tuple[Optional[str], Optional[ApplicationService]]: ) -> Tuple[Optional[str], Optional[ApplicationService]]:
@ -261,13 +292,11 @@ class Auth:
return app_service.sender, app_service return app_service.sender, app_service
user_id = request.args[b"user_id"][0].decode("utf8") user_id = request.args[b"user_id"][0].decode("utf8")
await self.validate_appservice_can_control_user_id(app_service, user_id)
if app_service.sender == user_id: if app_service.sender == user_id:
return app_service.sender, app_service return app_service.sender, app_service
if not app_service.is_interested_in_user(user_id):
raise AuthError(403, "Application service cannot masquerade as this user.")
if not (await self.store.get_user_by_id(user_id)):
raise AuthError(403, "Application service has not registered this user")
return user_id, app_service return user_id, app_service
async def get_user_by_access_token( async def get_user_by_access_token(

View File

@ -29,6 +29,7 @@ from synapse.api.errors import (
SynapseError, SynapseError,
) )
from synapse.api.filtering import Filter from synapse.api.filtering import Filter
from synapse.appservice import ApplicationService
from synapse.events.utils import format_event_for_client_v2 from synapse.events.utils import format_event_for_client_v2
from synapse.http.servlet import ( from synapse.http.servlet import (
RestServlet, RestServlet,
@ -47,11 +48,13 @@ from synapse.storage.state import StateFilter
from synapse.streams.config import PaginationConfig from synapse.streams.config import PaginationConfig
from synapse.types import ( from synapse.types import (
JsonDict, JsonDict,
Requester,
RoomAlias, RoomAlias,
RoomID, RoomID,
StreamToken, StreamToken,
ThirdPartyInstanceID, ThirdPartyInstanceID,
UserID, UserID,
create_requester,
) )
from synapse.util import json_decoder from synapse.util import json_decoder
from synapse.util.stringutils import parse_and_validate_server_name, random_string from synapse.util.stringutils import parse_and_validate_server_name, random_string
@ -309,7 +312,7 @@ class RoomBatchSendEventRestServlet(TransactionRestServlet):
self.room_member_handler = hs.get_room_member_handler() self.room_member_handler = hs.get_room_member_handler()
self.auth = hs.get_auth() self.auth = hs.get_auth()
async def inherit_depth_from_prev_ids(self, prev_event_ids) -> int: async def _inherit_depth_from_prev_ids(self, prev_event_ids) -> int:
( (
most_recent_prev_event_id, most_recent_prev_event_id,
most_recent_prev_event_depth, most_recent_prev_event_depth,
@ -378,6 +381,25 @@ class RoomBatchSendEventRestServlet(TransactionRestServlet):
return insertion_event return insertion_event
async def _create_requester_for_user_id_from_app_service(
self, user_id: str, app_service: ApplicationService
) -> Requester:
"""Creates a new requester for the given user_id
and validates that the app service is allowed to control
the given user.
Args:
user_id: The author MXID that the app service is controlling
app_service: The app service that controls the user
Returns:
Requester object
"""
await self.auth.validate_appservice_can_control_user_id(app_service, user_id)
return create_requester(user_id, app_service=app_service)
async def on_POST(self, request, room_id): async def on_POST(self, request, room_id):
requester = await self.auth.get_user_by_req(request, allow_guest=False) requester = await self.auth.get_user_by_req(request, allow_guest=False)
@ -443,7 +465,9 @@ class RoomBatchSendEventRestServlet(TransactionRestServlet):
if event_dict["type"] == EventTypes.Member: if event_dict["type"] == EventTypes.Member:
membership = event_dict["content"].get("membership", None) membership = event_dict["content"].get("membership", None)
event_id, _ = await self.room_member_handler.update_membership( event_id, _ = await self.room_member_handler.update_membership(
requester, await self._create_requester_for_user_id_from_app_service(
state_event["sender"], requester.app_service
),
target=UserID.from_string(event_dict["state_key"]), target=UserID.from_string(event_dict["state_key"]),
room_id=room_id, room_id=room_id,
action=membership, action=membership,
@ -463,7 +487,9 @@ class RoomBatchSendEventRestServlet(TransactionRestServlet):
event, event,
_, _,
) = await self.event_creation_handler.create_and_send_nonmember_event( ) = await self.event_creation_handler.create_and_send_nonmember_event(
requester, await self._create_requester_for_user_id_from_app_service(
state_event["sender"], requester.app_service
),
event_dict, event_dict,
outlier=True, outlier=True,
prev_event_ids=[fake_prev_event_id], prev_event_ids=[fake_prev_event_id],
@ -479,7 +505,9 @@ class RoomBatchSendEventRestServlet(TransactionRestServlet):
events_to_create = body["events"] events_to_create = body["events"]
prev_event_ids = prev_events_from_query prev_event_ids = prev_events_from_query
inherited_depth = await self.inherit_depth_from_prev_ids(prev_events_from_query) inherited_depth = await self._inherit_depth_from_prev_ids(
prev_events_from_query
)
# Figure out which chunk to connect to. If they passed in # Figure out which chunk to connect to. If they passed in
# chunk_id_from_query let's use it. The chunk ID passed in comes # chunk_id_from_query let's use it. The chunk ID passed in comes
@ -509,7 +537,10 @@ class RoomBatchSendEventRestServlet(TransactionRestServlet):
base_insertion_event, base_insertion_event,
_, _,
) = await self.event_creation_handler.create_and_send_nonmember_event( ) = await self.event_creation_handler.create_and_send_nonmember_event(
requester, await self._create_requester_for_user_id_from_app_service(
base_insertion_event_dict["sender"],
requester.app_service,
),
base_insertion_event_dict, base_insertion_event_dict,
prev_event_ids=base_insertion_event_dict.get("prev_events"), prev_event_ids=base_insertion_event_dict.get("prev_events"),
auth_event_ids=auth_event_ids, auth_event_ids=auth_event_ids,
@ -558,7 +589,9 @@ class RoomBatchSendEventRestServlet(TransactionRestServlet):
} }
event, context = await self.event_creation_handler.create_event( event, context = await self.event_creation_handler.create_event(
requester, await self._create_requester_for_user_id_from_app_service(
ev["sender"], requester.app_service
),
event_dict, event_dict,
prev_event_ids=event_dict.get("prev_events"), prev_event_ids=event_dict.get("prev_events"),
auth_event_ids=auth_event_ids, auth_event_ids=auth_event_ids,
@ -588,7 +621,9 @@ class RoomBatchSendEventRestServlet(TransactionRestServlet):
# where topological_ordering is just depth. # where topological_ordering is just depth.
for (event, context) in reversed(events_to_persist): for (event, context) in reversed(events_to_persist):
ev = await self.event_creation_handler.handle_new_client_event( ev = await self.event_creation_handler.handle_new_client_event(
requester=requester, await self._create_requester_for_user_id_from_app_service(
event["sender"], requester.app_service
),
event=event, event=event,
context=context, context=context,
) )