mirror of
https://git.anonymousland.org/anonymousland/synapse-product.git
synced 2024-12-12 04:34:18 -05:00
847ecdd8fa
Fixes https://github.com/matrix-org/synapse/issues/9572 When a SSO user logs in for the first time, we create a local Matrix user for them. This goes through the register_user flow, which ends up triggering the spam checker. Spam checker modules don't currently have any way to differentiate between a user trying to sign up initially, versus an SSO user (whom has presumably already been approved elsewhere) trying to log in for the first time. This PR passes `auth_provider_id` as an argument to the `check_registration_for_spam` function. This argument will contain an ID of an SSO provider (`"saml"`, `"cas"`, etc.) if one was used, else `None`.
287 lines
10 KiB
Python
287 lines
10 KiB
Python
# -*- coding: utf-8 -*-
|
|
# Copyright 2017 New Vector Ltd
|
|
# Copyright 2019 The Matrix.org Foundation C.I.C.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
import inspect
|
|
import logging
|
|
from typing import TYPE_CHECKING, Any, Dict, List, Optional, Tuple, Union
|
|
|
|
from synapse.rest.media.v1._base import FileInfo
|
|
from synapse.rest.media.v1.media_storage import ReadableFileWrapper
|
|
from synapse.spam_checker_api import RegistrationBehaviour
|
|
from synapse.types import Collection
|
|
from synapse.util.async_helpers import maybe_awaitable
|
|
|
|
if TYPE_CHECKING:
|
|
import synapse.events
|
|
import synapse.server
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
class SpamChecker:
|
|
def __init__(self, hs: "synapse.server.HomeServer"):
|
|
self.spam_checkers = [] # type: List[Any]
|
|
api = hs.get_module_api()
|
|
|
|
for module, config in hs.config.spam_checkers:
|
|
# Older spam checkers don't accept the `api` argument, so we
|
|
# try and detect support.
|
|
spam_args = inspect.getfullargspec(module)
|
|
if "api" in spam_args.args:
|
|
self.spam_checkers.append(module(config=config, api=api))
|
|
else:
|
|
self.spam_checkers.append(module(config=config))
|
|
|
|
async def check_event_for_spam(
|
|
self, event: "synapse.events.EventBase"
|
|
) -> Union[bool, str]:
|
|
"""Checks if a given event is considered "spammy" by this server.
|
|
|
|
If the server considers an event spammy, then it will be rejected if
|
|
sent by a local user. If it is sent by a user on another server, then
|
|
users receive a blank event.
|
|
|
|
Args:
|
|
event: the event to be checked
|
|
|
|
Returns:
|
|
True or a string if the event is spammy. If a string is returned it
|
|
will be used as the error message returned to the user.
|
|
"""
|
|
for spam_checker in self.spam_checkers:
|
|
if await maybe_awaitable(spam_checker.check_event_for_spam(event)):
|
|
return True
|
|
|
|
return False
|
|
|
|
async def user_may_invite(
|
|
self, inviter_userid: str, invitee_userid: str, room_id: str
|
|
) -> bool:
|
|
"""Checks if a given user may send an invite
|
|
|
|
If this method returns false, the invite will be rejected.
|
|
|
|
Args:
|
|
inviter_userid: The user ID of the sender of the invitation
|
|
invitee_userid: The user ID targeted in the invitation
|
|
room_id: The room ID
|
|
|
|
Returns:
|
|
True if the user may send an invite, otherwise False
|
|
"""
|
|
for spam_checker in self.spam_checkers:
|
|
if (
|
|
await maybe_awaitable(
|
|
spam_checker.user_may_invite(
|
|
inviter_userid, invitee_userid, room_id
|
|
)
|
|
)
|
|
is False
|
|
):
|
|
return False
|
|
|
|
return True
|
|
|
|
async def user_may_create_room(self, userid: str) -> bool:
|
|
"""Checks if a given user may create a room
|
|
|
|
If this method returns false, the creation request will be rejected.
|
|
|
|
Args:
|
|
userid: The ID of the user attempting to create a room
|
|
|
|
Returns:
|
|
True if the user may create a room, otherwise False
|
|
"""
|
|
for spam_checker in self.spam_checkers:
|
|
if (
|
|
await maybe_awaitable(spam_checker.user_may_create_room(userid))
|
|
is False
|
|
):
|
|
return False
|
|
|
|
return True
|
|
|
|
async def user_may_create_room_alias(self, userid: str, room_alias: str) -> bool:
|
|
"""Checks if a given user may create a room alias
|
|
|
|
If this method returns false, the association request will be rejected.
|
|
|
|
Args:
|
|
userid: The ID of the user attempting to create a room alias
|
|
room_alias: The alias to be created
|
|
|
|
Returns:
|
|
True if the user may create a room alias, otherwise False
|
|
"""
|
|
for spam_checker in self.spam_checkers:
|
|
if (
|
|
await maybe_awaitable(
|
|
spam_checker.user_may_create_room_alias(userid, room_alias)
|
|
)
|
|
is False
|
|
):
|
|
return False
|
|
|
|
return True
|
|
|
|
async def user_may_publish_room(self, userid: str, room_id: str) -> bool:
|
|
"""Checks if a given user may publish a room to the directory
|
|
|
|
If this method returns false, the publish request will be rejected.
|
|
|
|
Args:
|
|
userid: The user ID attempting to publish the room
|
|
room_id: The ID of the room that would be published
|
|
|
|
Returns:
|
|
True if the user may publish the room, otherwise False
|
|
"""
|
|
for spam_checker in self.spam_checkers:
|
|
if (
|
|
await maybe_awaitable(
|
|
spam_checker.user_may_publish_room(userid, room_id)
|
|
)
|
|
is False
|
|
):
|
|
return False
|
|
|
|
return True
|
|
|
|
async def check_username_for_spam(self, user_profile: Dict[str, str]) -> bool:
|
|
"""Checks if a user ID or display name are considered "spammy" by this server.
|
|
|
|
If the server considers a username spammy, then it will not be included in
|
|
user directory results.
|
|
|
|
Args:
|
|
user_profile: The user information to check, it contains the keys:
|
|
* user_id
|
|
* display_name
|
|
* avatar_url
|
|
|
|
Returns:
|
|
True if the user is spammy.
|
|
"""
|
|
for spam_checker in self.spam_checkers:
|
|
# For backwards compatibility, only run if the method exists on the
|
|
# spam checker
|
|
checker = getattr(spam_checker, "check_username_for_spam", None)
|
|
if checker:
|
|
# Make a copy of the user profile object to ensure the spam checker
|
|
# cannot modify it.
|
|
if await maybe_awaitable(checker(user_profile.copy())):
|
|
return True
|
|
|
|
return False
|
|
|
|
async def check_registration_for_spam(
|
|
self,
|
|
email_threepid: Optional[dict],
|
|
username: Optional[str],
|
|
request_info: Collection[Tuple[str, str]],
|
|
auth_provider_id: Optional[str] = None,
|
|
) -> RegistrationBehaviour:
|
|
"""Checks if we should allow the given registration request.
|
|
|
|
Args:
|
|
email_threepid: The email threepid used for registering, if any
|
|
username: The request user name, if any
|
|
request_info: List of tuples of user agent and IP that
|
|
were used during the registration process.
|
|
auth_provider_id: The SSO IdP the user used, e.g "oidc", "saml",
|
|
"cas". If any. Note this does not include users registered
|
|
via a password provider.
|
|
|
|
Returns:
|
|
Enum for how the request should be handled
|
|
"""
|
|
|
|
for spam_checker in self.spam_checkers:
|
|
# For backwards compatibility, only run if the method exists on the
|
|
# spam checker
|
|
checker = getattr(spam_checker, "check_registration_for_spam", None)
|
|
if checker:
|
|
# Provide auth_provider_id if the function supports it
|
|
checker_args = inspect.signature(checker)
|
|
if len(checker_args.parameters) == 4:
|
|
d = checker(
|
|
email_threepid,
|
|
username,
|
|
request_info,
|
|
auth_provider_id,
|
|
)
|
|
elif len(checker_args.parameters) == 3:
|
|
d = checker(email_threepid, username, request_info)
|
|
else:
|
|
logger.error(
|
|
"Invalid signature for %s.check_registration_for_spam. Denying registration",
|
|
spam_checker.__module__,
|
|
)
|
|
return RegistrationBehaviour.DENY
|
|
|
|
behaviour = await maybe_awaitable(d)
|
|
assert isinstance(behaviour, RegistrationBehaviour)
|
|
if behaviour != RegistrationBehaviour.ALLOW:
|
|
return behaviour
|
|
|
|
return RegistrationBehaviour.ALLOW
|
|
|
|
async def check_media_file_for_spam(
|
|
self, file_wrapper: ReadableFileWrapper, file_info: FileInfo
|
|
) -> bool:
|
|
"""Checks if a piece of newly uploaded media should be blocked.
|
|
|
|
This will be called for local uploads, downloads of remote media, each
|
|
thumbnail generated for those, and web pages/images used for URL
|
|
previews.
|
|
|
|
Note that care should be taken to not do blocking IO operations in the
|
|
main thread. For example, to get the contents of a file a module
|
|
should do::
|
|
|
|
async def check_media_file_for_spam(
|
|
self, file: ReadableFileWrapper, file_info: FileInfo
|
|
) -> bool:
|
|
buffer = BytesIO()
|
|
await file.write_chunks_to(buffer.write)
|
|
|
|
if buffer.getvalue() == b"Hello World":
|
|
return True
|
|
|
|
return False
|
|
|
|
|
|
Args:
|
|
file: An object that allows reading the contents of the media.
|
|
file_info: Metadata about the file.
|
|
|
|
Returns:
|
|
True if the media should be blocked or False if it should be
|
|
allowed.
|
|
"""
|
|
|
|
for spam_checker in self.spam_checkers:
|
|
# For backwards compatibility, only run if the method exists on the
|
|
# spam checker
|
|
checker = getattr(spam_checker, "check_media_file_for_spam", None)
|
|
if checker:
|
|
spam = await maybe_awaitable(checker(file_wrapper, file_info))
|
|
if spam:
|
|
return True
|
|
|
|
return False
|