gitlord
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
842 Branches
288 MiB
 
 
 
 
 
 
Tree: 4f475c7697
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4f475c7697'
${ noResults }
synapse/synapse/api/auth.py

165 lines
6.3 KiB
Raw Blame History 

  1. # -*- coding: utf-8 -*-

  2. # Copyright 2014 matrix.org

  3. #

  4. # Licensed under the Apache License, Version 2.0 (the "License");

  5. # you may not use this file except in compliance with the License.

  6. # You may obtain a copy of the License at

  7. #

  8. #     http://www.apache.org/licenses/LICENSE-2.0

  9. #

  10. # Unless required by applicable law or agreed to in writing, software

  11. # distributed under the License is distributed on an "AS IS" BASIS,

  12. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. # See the License for the specific language governing permissions and

  14. # limitations under the License.

  15. """This module contains classes for authenticating the user."""

  16. from twisted.internet import defer

  17. 

  18. from synapse.api.constants import Membership

  19. from synapse.api.errors import AuthError, StoreError

  20. from synapse.api.events.room import (RoomTopicEvent, RoomMemberEvent,

  21.                                      MessageEvent, FeedbackEvent)

  22. 

  23. import logging

  24. 

  25. logger = logging.getLogger(__name__)

  26. 

  27. 

  28. class Auth(object):

  29. 

  30.     def __init__(self, hs):

  31.         self.hs = hs

  32.         self.store = hs.get_datastore()

  33. 

  34.     @defer.inlineCallbacks

  35.     def check(self, event, raises=False):

  36.         """ Checks if this event is correctly authed.

  37. 

  38.         Returns:

  39.             True if the auth checks pass.

  40.         Raises:

  41.             AuthError if there was a problem authorising this event. This will

  42.             be raised only if raises=True.

  43.         """

  44.         try:

  45.             if event.type in [RoomTopicEvent.TYPE, MessageEvent.TYPE,

  46.                               FeedbackEvent.TYPE]:

  47.                 yield self.check_joined_room(event.room_id, event.user_id)

  48.                 defer.returnValue(True)

  49.             elif event.type == RoomMemberEvent.TYPE:

  50.                 allowed = yield self.is_membership_change_allowed(event)

  51.                 defer.returnValue(allowed)

  52.             else:

  53.                 raise AuthError(500, "Unknown event type %s" % event.type)

  54.         except AuthError as e:

  55.             logger.info("Event auth check failed on event %s with msg: %s",

  56.                         event, e.msg)

  57.             if raises:

  58.                 raise e

  59.         defer.returnValue(False)

  60. 

  61.     @defer.inlineCallbacks

  62.     def check_joined_room(self, room_id, user_id):

  63.         try:

  64.             member = yield self.store.get_room_member(

  65.                 room_id=room_id,

  66.                 user_id=user_id

  67.             )

  68.             if not member or member.membership != Membership.JOIN:

  69.                 raise AuthError(403, "User %s not in room %s" %

  70.                                 (user_id, room_id))

  71.             defer.returnValue(member)

  72.         except AttributeError:

  73.             pass

  74.         defer.returnValue(None)

  75. 

  76.     @defer.inlineCallbacks

  77.     def is_membership_change_allowed(self, event):

  78.         # does this room even exist

  79.         room = yield self.store.get_room(event.room_id)

  80.         if not room:

  81.             raise AuthError(403, "Room does not exist")

  82. 

  83.         # get info about the caller

  84.         try:

  85.             caller = yield self.store.get_room_member(

  86.                 user_id=event.user_id,

  87.                 room_id=event.room_id)

  88.         except:

  89.             caller = None

  90.         caller_in_room = caller and caller.membership == "join"

  91. 

  92.         # get info about the target

  93.         try:

  94.             target = yield self.store.get_room_member(

  95.                 user_id=event.target_user_id,

  96.                 room_id=event.room_id)

  97.         except:

  98.             target = None

  99.         target_in_room = target and target.membership == "join"

  100. 

  101.         membership = event.content["membership"]

  102. 

  103.         if Membership.INVITE == membership:

  104.             # Invites are valid iff caller is in the room and target isn't.

  105.             if not caller_in_room:  # caller isn't joined

  106.                 raise AuthError(403, "You are not in room %s." % event.room_id)

  107.             elif target_in_room:  # the target is already in the room.

  108.                 raise AuthError(403, "%s is already in the room." %

  109.                                      event.target_user_id)

  110.         elif Membership.JOIN == membership:

  111.             # Joins are valid iff caller == target and they were:

  112.             # invited: They are accepting the invitation

  113.             # joined: It's a NOOP

  114.             if event.user_id != event.target_user_id:

  115.                 raise AuthError(403, "Cannot force another user to join.")

  116.             elif room.is_public:

  117.                 pass  # anyone can join public rooms.

  118.             elif (not caller or caller.membership not in

  119.                     [Membership.INVITE, Membership.JOIN]):

  120.                 raise AuthError(403, "You are not invited to this room.")

  121.         elif Membership.LEAVE == membership:

  122.             if not caller_in_room:  # trying to leave a room you aren't joined

  123.                 raise AuthError(403, "You are not in room %s." % event.room_id)

  124.             elif event.target_user_id != event.user_id:

  125.                 # trying to force another user to leave

  126.                 raise AuthError(403, "Cannot force %s to leave." %

  127.                                 event.target_user_id)

  128.         else:

  129.             raise AuthError(500, "Unknown membership %s" % membership)

  130. 

  131.         defer.returnValue(True)

  132. 

  133.     def get_user_by_req(self, request):

  134.         """ Get a registered user's ID.

  135. 

  136.         Args:

  137.             request - An HTTP request with an access_token query parameter.

  138.         Returns:

  139.             UserID : User ID object of the user making the request

  140.         Raises:

  141.             AuthError if no user by that token exists or the token is invalid.

  142.         """

  143.         # Can optionally look elsewhere in the request (e.g. headers)

  144.         try:

  145.             return self.get_user_by_token(request.args["access_token"][0])

  146.         except KeyError:

  147.             raise AuthError(403, "Missing access token.")

  148. 

  149.     @defer.inlineCallbacks

  150.     def get_user_by_token(self, token):

  151.         """ Get a registered user's ID.

  152. 

  153.         Args:

  154.             token (str)- The access token to get the user by.

  155.         Returns:

  156.             UserID : User ID object of the user who has that access token.

  157.         Raises:

  158.             AuthError if no user by that token exists or the token is invalid.

  159.         """

  160.         try:

  161.             user_id = yield self.store.get_user_by_token(token=token)

  162.             defer.returnValue(self.hs.parse_userid(user_id))

  163.         except StoreError:

  164.             raise AuthError(403, "Unrecognised access token.")