split out signature processing into separate functions

2024-10-01 08:25:44 -04:00 · 2019-09-06 16:44:24 -04:00 · 2019-09-06 16:44:24 -04:00 · 561cbba057
commit 561cbba057
parent 369462da74
1 changed files with 219 additions and 210 deletions
--- a/synapse/handlers/e2e_keys.py
+++ b/synapse/handlers/e2e_keys.py
@ -624,15 +624,46 @@ class E2eKeysHandler(object):
        # signatures to be stored.  Each item will be a tuple of
        # (signing_key_id, target_user_id, target_device_id, signature)
        signature_list = []
-        # what devices have been updated, for notifying
-        self_device_ids = []

        # split between checking signatures for own user and signatures for
        # other users, since we verify them with different keys
        self_signatures = signatures.get(user_id, {})
        other_signatures = {k: v for k, v in signatures.items() if k != user_id}
-        if self_signatures:
-            self_device_ids = list(self_signatures.keys())
+
+        self_signature_list, self_failures = yield self._process_self_signatures(
+            user_id, self_signatures
+        )
+        signature_list.extend(self_signature_list)
+        failures.update(self_failures)
+
+        other_signature_list, other_failures = yield self._process_other_signatures(
+            user_id, other_signatures
+        )
+        signature_list.extend(other_signature_list)
+        failures.update(other_failures)
+
+        # store the signature, and send the appropriate notifications for sync
+        logger.debug("upload signature failures: %r", failures)
+        yield self.store.store_e2e_cross_signing_signatures(user_id, signature_list)
+
+        self_device_ids = [device_id for (_, _, device_id, _) in self_signature_list]
+        if self_device_ids:
+            yield self.device_handler.notify_device_update(user_id, self_device_ids)
+        signed_users = [user_id for (_, user_id, _, _) in other_signature_list]
+        if signed_users:
+            yield self.device_handler.notify_user_signature_update(
+                user_id, signed_users
+            )
+
+        return {"failures": failures}
+
+    @defer.inlineCallbacks
+    def _process_self_signatures(self, user_id, signatures):
+        signature_list = []
+        failures = {}
+        if not signatures:
+            return signature_list, failures
+
        try:
            # get our self-signing key to verify the signatures
            self_signing_key, self_signing_key_id, self_signing_verify_key = yield self._get_e2e_cross_signing_verify_key(
@ -653,7 +684,14 @@ class E2eKeysHandler(object):
                raise SynapseError(404, "No device keys found", Codes.NOT_FOUND)

            devices = devices[user_id]
-                for device_id, device in self_signatures.items():
+        except SynapseError as e:
+            failures[user_id] = {
+                device: _exception_to_failure(e)
+                for device in signatures.keys()
+            }
+            return signature_list, failures
+
+        for device_id, device in signatures.items():
            try:
                if (
                    "signatures" not in device
@ -676,9 +714,8 @@ class E2eKeysHandler(object):
                    # signature list.  (In practice, we're likely to
                    # only have only one signature anyways.)
                    master_key_signature_list = []
-                            for signing_key_id, signature in device["signatures"][
-                                user_id
-                            ].items():
+                    sigs = device["signatures"]
+                    for signing_key_id, signature in sigs[user_id].items():
                        alg, signing_device_id = signing_key_id.split(":", 1)
                        if (
                            signing_device_id not in devices
@ -693,16 +730,6 @@ class E2eKeysHandler(object):
                                Codes.INVALID_SIGNATURE,
                            )

-                                sigs = device["signatures"]
-                                del device["signatures"]
-                                # use pop to avoid exception if key doesn't exist
-                                device.pop("unsigned", None)
-                                master_key.pop("signature", None)
-                                master_key.pop("unsigned", None)
-
-                                if master_key != device:
-                                    raise SynapseError(400, "Key does not match")
-
                        # get the key and check the signature
                        pubkey = devices[signing_device_id]["keys"]["keys"][
                            signing_key_id
@ -710,15 +737,8 @@ class E2eKeysHandler(object):
                        verify_key = decode_verify_key_bytes(
                            signing_key_id, decode_base64(pubkey)
                        )
+                        _check_device_signature(user_id, verify_key, device, master_key)
                        device["signatures"] = sigs
-                                try:
-                                    verify_signed_json(device, user_id, verify_key)
-                                except SignatureVerifyException:
-                                    raise SynapseError(
-                                        400,
-                                        "Invalid signature",
-                                        Codes.INVALID_SIGNATURE,
-                                    )

                        master_key_signature_list.append(
                            (signing_key_id, user_id, device_id, signature)
@ -759,24 +779,32 @@ class E2eKeysHandler(object):
                failures.setdefault(user_id, {})[
                    device_id
                ] = _exception_to_failure(e)
-            except SynapseError as e:
-                failures[user_id] = {
-                    device: _exception_to_failure(e)
-                    for device in self_signatures.keys()
-                }

-        signed_users = []  # what user have been signed, for notifying
-        if other_signatures:
+        return signature_list, failures
+
+    @defer.inlineCallbacks
+    def _process_other_signatures(self, user_id, signatures):
        # now check non-self signatures.  These signatures will be signed
        # by the user-signing key
+        signature_list = []
+        failures = {}
+        if not signatures:
+            return signature_list, failures

        try:
            # get our user-signing key to verify the signatures
            user_signing_key, user_signing_key_id, user_signing_verify_key = yield self._get_e2e_cross_signing_verify_key(
                user_id, "user_signing"
            )
+        except SynapseError as e:
+            failure = _exception_to_failure(e)
+            for user, devicemap in signatures.items():
+                failures[user] = {
+                    device_id: failure for device_id in devicemap.keys()
+                }
+            return signature_list, failures

-                for user, devicemap in other_signatures.items():
+        for user, devicemap in signatures.items():
            device_id = None
            try:
                # get the user's master key, to make sure it matches
@ -789,25 +817,24 @@ class E2eKeysHandler(object):
                # was signed (and no others)
                device_id = stored_key_id.split(":", 1)[1]
                if device_id not in devicemap:
+                    logger.error(
+                        "upload signature: could not find signature for device %s",
+                        device_id,
+                    )
                    # set device to None so that the failure gets
                    # marked on all the signatures
                    device_id = None
-                            logger.error(
-                                "upload signature: wrong device: %s vs %s",
-                                device,
-                                devicemap,
-                            )
                    raise SynapseError(404, "Unknown device", Codes.NOT_FOUND)
                key = devicemap[device_id]
-                        del devicemap[device_id]
-                        if len(devicemap) > 0:
+                other_devices = [k for k in devicemap.keys() if k != device_id]
+                if other_devices:
                    # other devices were signed -- mark those as failures
                    logger.error("upload signature: too many devices specified")
                    failure = _exception_to_failure(
                        SynapseError(404, "Unknown device", Codes.NOT_FOUND)
                    )
                    failures[user] = {
-                                device: failure for device in devicemap.keys()
+                        device: failure for device in other_devices
                    }

                if user_signing_key_id in stored_key.get("signatures", {}).get(
@ -820,7 +847,6 @@ class E2eKeysHandler(object):
                    user_id, user_signing_verify_key, key, stored_key
                )

-                        signed_users.append(user)
                signature = key["signatures"][user_id][user_signing_key_id]
                signature_list.append(
                    (user_signing_key_id, user, device_id, signature)
@ -833,25 +859,8 @@ class E2eKeysHandler(object):
                    }
                else:
                    failures.setdefault(user, {})[device_id] = failure
-            except SynapseError as e:
-                failure = _exception_to_failure(e)
-                for user, devicemap in signature.items():
-                    failures[user] = {
-                        device_id: failure for device_id in devicemap.keys()
-                    }

-        # store the signature, and send the appropriate notifications for sync
-        logger.debug("upload signature failures: %r", failures)
-        yield self.store.store_e2e_cross_signing_signatures(user_id, signature_list)
-
-        if len(self_device_ids):
-            yield self.device_handler.notify_device_update(user_id, self_device_ids)
-        if len(signed_users):
-            yield self.device_handler.notify_user_signature_update(
-                user_id, signed_users
-            )
-
-        return {"failures": failures}
+        return signature_list, failures

    @defer.inlineCallbacks
    def _get_e2e_cross_signing_verify_key(self, user_id, key_type, from_user_id=None):