summary refs log tree commit diff
diff options
context:
space:
mode:
authorBrendan Abolivier <babolivier@matrix.org>2019-05-09 15:02:21 +0100
committerGitHub <noreply@github.com>2019-05-09 15:02:21 +0100
commit38e3d9ed672c90138a7713ddd41170aac3755fd8 (patch)
treeab16e40ceab5425150495b5903972ea4a488e96f
parentMerge pull request #5098 from matrix-org/rav/fix_pep_517 (diff)
parentFix failing test (diff)
downloadsynapse-38e3d9ed672c90138a7713ddd41170aac3755fd8.tar.xz
Merge pull request #5115 from matrix-org/babolivier/lookup_path dinsic_2019-05-09
[DINSIC] Move 3PID lookup endpoint to CS API and proxy bulk lookups
Diffstat
-rw-r--r--synapse/api/urls.py1
-rwxr-xr-xsynapse/app/homeserver.py5
-rw-r--r--synapse/config/server.py1
-rw-r--r--synapse/handlers/identity.py55
-rw-r--r--synapse/rest/client/v2_alpha/account.py65
-rw-r--r--synapse/rest/identity/__init__.py14
-rw-r--r--synapse/rest/identity/v1/__init__.py24
-rw-r--r--synapse/rest/identity/v1/lookup.py70
-rw-r--r--tests/rest/client/test_identity.py174
-rw-r--r--tests/rulecheck/test_domainrulecheck.py3
10 files changed, 288 insertions, 124 deletions
diff --git a/synapse/api/urls.py b/synapse/api/urls.py

index e33ea0cf65..cb71d80875 100644
--- a/synapse/api/urls.py
+++ b/synapse/api/urls.py
@@ -33,7 +33,6 @@ CONTENT_REPO_PREFIX = "/_matrix/content"
 SERVER_KEY_V2_PREFIX = "/_matrix/key/v2"
 MEDIA_PREFIX = "/_matrix/media/r0"
 LEGACY_MEDIA_PREFIX = "/_matrix/media/v1"
-IDENTITY_PREFIX = "/_matrix/identity/api/v1"
 
 
 class ConsentURIBuilder(object):
diff --git a/synapse/app/homeserver.py b/synapse/app/homeserver.py

index 06aa582129..79be977ea6 100755
--- a/synapse/app/homeserver.py
+++ b/synapse/app/homeserver.py
@@ -40,7 +40,6 @@ from synapse import events
 from synapse.api.urls import (
     CONTENT_REPO_PREFIX,
     FEDERATION_PREFIX,
-    IDENTITY_PREFIX,
     LEGACY_MEDIA_PREFIX,
     MEDIA_PREFIX,
     SERVER_KEY_V2_PREFIX,
@@ -63,7 +62,6 @@ from synapse.python_dependencies import check_requirements
 from synapse.replication.http import REPLICATION_PREFIX, ReplicationRestResource
 from synapse.replication.tcp.resource import ReplicationStreamProtocolFactory
 from synapse.rest import ClientRestResource
-from synapse.rest.identity.v1 import IdentityApiV1Resource
 from synapse.rest.key.v2 import KeyApiV2Resource
 from synapse.rest.media.v0.content_repository import ContentRepoResource
 from synapse.rest.well_known import WellKnownResource
@@ -229,9 +227,6 @@ class SynapseHomeServer(HomeServer):
                     "'media' resource conflicts with enable_media_repo=False",
                 )
 
-        if name in ["identity"]:
-            resources[IDENTITY_PREFIX] = IdentityApiV1Resource(self)
-
         if name in ["keys", "federation"]:
             resources[SERVER_KEY_V2_PREFIX] = KeyApiV2Resource(self)
 
diff --git a/synapse/config/server.py b/synapse/config/server.py

index ac44b17a09..c5e5679d52 100644
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@@ -573,7 +573,6 @@ KNOWN_RESOURCES = (
     'replication',
     'static',
     'webclient',
-    'identity',
 )
 
 
diff --git a/synapse/handlers/identity.py b/synapse/handlers/identity.py

index d2039e2825..f39803629e 100644
--- a/synapse/handlers/identity.py
+++ b/synapse/handlers/identity.py
@@ -347,9 +347,15 @@ class IdentityHandler(BaseHandler):
 
         Returns:
             Deferred[dict]: The result of the lookup. See
-            https://matrix.org/docs/spec/identity_service/r0.1.0.html#id15
+            https://matrix.org/docs/spec/identity_service/r0.1.0.html#association-lookup
             for details
         """
+        if not self._should_trust_id_server(id_server):
+            raise SynapseError(
+                400, "Untrusted ID server '%s'" % id_server,
+                Codes.SERVER_NOT_TRUSTED
+            )
+
         if not self._enable_lookup:
             raise AuthError(
                 403, "Looking up third-party identifiers is denied from this server",
@@ -376,7 +382,52 @@ class IdentityHandler(BaseHandler):
             raise e.to_synapse_error()
         except IOError as e:
             logger.info("Failed to contact %r: %s", id_server, e)
-            raise ProxiedRequestError(503, "Failed to contact homeserver")
+            raise ProxiedRequestError(503, "Failed to contact identity server")
+
+        defer.returnValue(data)
+
+    @defer.inlineCallbacks
+    def bulk_lookup_3pid(self, id_server, threepids):
+        """Looks up given 3pids in the passed identity server.
+
+        Args:
+            id_server (str): The server name (including port, if required)
+                of the identity server to use.
+            threepids ([[str, str]]): The third party identifiers to lookup, as
+                a list of 2-string sized lists ([medium, address]).
+
+        Returns:
+            Deferred[dict]: The result of the lookup. See
+            https://matrix.org/docs/spec/identity_service/r0.1.0.html#association-lookup
+            for details
+        """
+        if not self._should_trust_id_server(id_server):
+            raise SynapseError(
+                400, "Untrusted ID server '%s'" % id_server,
+                Codes.SERVER_NOT_TRUSTED
+            )
+
+        if not self._enable_lookup:
+            raise AuthError(
+                403, "Looking up third-party identifiers is denied from this server",
+            )
+
+        target = self.rewrite_identity_server_urls.get(id_server, id_server)
+
+        try:
+            data = yield self.http_client.post_json_get_json(
+                "https://%s/_matrix/identity/api/v1/bulk_lookup" % (target,),
+                {
+                    "threepids": threepids,
+                }
+            )
+
+        except HttpResponseException as e:
+            logger.info("Proxied lookup failed: %r", e)
+            raise e.to_synapse_error()
+        except IOError as e:
+            logger.info("Failed to contact %r: %s", id_server, e)
+            raise ProxiedRequestError(503, "Failed to contact identity server")
 
         defer.returnValue(data)
 
diff --git a/synapse/rest/client/v2_alpha/account.py b/synapse/rest/client/v2_alpha/account.py

index 7e5884df0c..08079a9bc6 100644
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 # Copyright 2015, 2016 OpenMarket Ltd
 # Copyright 2017 Vector Creations Ltd
-# Copyright 2018 New Vector Ltd
+# Copyright 2018, 2019 New Vector Ltd
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,6 +15,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 import logging
+import re
 
 from six.moves import http_client
 
@@ -26,6 +27,7 @@ from synapse.http.servlet import (
     RestServlet,
     assert_params_in_dict,
     parse_json_object_from_request,
+    parse_string,
 )
 from synapse.types import UserID
 from synapse.util.msisdn import phone_number_to_msisdn
@@ -480,6 +482,65 @@ class ThreepidDeleteRestServlet(RestServlet):
         )
 
 
+class ThreepidLookupRestServlet(RestServlet):
+    PATTERNS = [re.compile("^/_matrix/client/unstable/account/3pid/lookup$")]
+
+    def __init__(self, hs):
+        super(ThreepidLookupRestServlet, self).__init__()
+        self.auth = hs.get_auth()
+        self.identity_handler = hs.get_handlers().identity_handler
+
+    @defer.inlineCallbacks
+    def on_GET(self, request):
+        """Proxy a /_matrix/identity/api/v1/lookup request to an identity
+        server
+        """
+        yield self.auth.get_user_by_req(request)
+
+        # Verify query parameters
+        query_params = request.args
+        assert_params_in_dict(query_params, [b"medium", b"address", b"id_server"])
+
+        # Retrieve needed information from query parameters
+        medium = parse_string(request, "medium")
+        address = parse_string(request, "address")
+        id_server = parse_string(request, "id_server")
+
+        # Proxy the request to the identity server. lookup_3pid handles checking
+        # if the lookup is allowed so we don't need to do it here.
+        ret = yield self.identity_handler.lookup_3pid(id_server, medium, address)
+
+        defer.returnValue((200, ret))
+
+
+class ThreepidBulkLookupRestServlet(RestServlet):
+    PATTERNS = [re.compile("^/_matrix/client/unstable/account/3pid/bulk_lookup$")]
+
+    def __init__(self, hs):
+        super(ThreepidBulkLookupRestServlet, self).__init__()
+        self.auth = hs.get_auth()
+        self.identity_handler = hs.get_handlers().identity_handler
+
+    @defer.inlineCallbacks
+    def on_POST(self, request):
+        """Proxy a /_matrix/identity/api/v1/bulk_lookup request to an identity
+        server
+        """
+        yield self.auth.get_user_by_req(request)
+
+        body = parse_json_object_from_request(request)
+
+        assert_params_in_dict(body, ["threepids", "id_server"])
+
+        # Proxy the request to the identity server. lookup_3pid handles checking
+        # if the lookup is allowed so we don't need to do it here.
+        ret = yield self.identity_handler.bulk_lookup_3pid(
+            body["id_server"], body["threepids"],
+        )
+
+        defer.returnValue((200, ret))
+
+
 class WhoamiRestServlet(RestServlet):
     PATTERNS = client_v2_patterns("/account/whoami$")
 
@@ -503,4 +564,6 @@ def register_servlets(hs, http_server):
     MsisdnThreepidRequestTokenRestServlet(hs).register(http_server)
     ThreepidRestServlet(hs).register(http_server)
     ThreepidDeleteRestServlet(hs).register(http_server)
+    ThreepidLookupRestServlet(hs).register(http_server)
+    ThreepidBulkLookupRestServlet(hs).register(http_server)
     WhoamiRestServlet(hs).register(http_server)
diff --git a/synapse/rest/identity/__init__.py b/synapse/rest/identity/__init__.py
deleted file mode 100644

index 1453d04571..0000000000
--- a/synapse/rest/identity/__init__.py
+++ /dev/null
@@ -1,14 +0,0 @@
-# -*- coding: utf-8 -*-
-# Copyright 2019 New Vector Ltd
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
diff --git a/synapse/rest/identity/v1/__init__.py b/synapse/rest/identity/v1/__init__.py
deleted file mode 100644

index 09057ea16b..0000000000
--- a/synapse/rest/identity/v1/__init__.py
+++ /dev/null
@@ -1,24 +0,0 @@
-# -*- coding: utf-8 -*-
-# Copyright 2019 New Vector Ltd
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-from twisted.web.resource import Resource
-
-from .lookup import IdentityLookup
-
-
-class IdentityApiV1Resource(Resource):
-    def __init__(self, hs):
-        Resource.__init__(self)
-        self.putChild(b"lookup", IdentityLookup(hs))
diff --git a/synapse/rest/identity/v1/lookup.py b/synapse/rest/identity/v1/lookup.py
deleted file mode 100644

index c2d18fbb63..0000000000
--- a/synapse/rest/identity/v1/lookup.py
+++ /dev/null
@@ -1,70 +0,0 @@
-# -*- coding: utf-8 -*-
-# Copyright 2019 New Vector Ltd
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-import logging
-
-from twisted.internet import defer
-from twisted.web.resource import Resource
-from twisted.web.server import NOT_DONE_YET
-
-from synapse.api.errors import SynapseError
-from synapse.handlers.identity import IdentityHandler
-from synapse.http.server import respond_with_json, wrap_json_request_handler
-from synapse.http.servlet import assert_params_in_dict, parse_string
-
-logger = logging.getLogger(__name__)
-
-
-class IdentityLookup(Resource):
-    isLeaf = True
-
-    def __init__(self, hs):
-        self.config = hs.config
-        self.auth = hs.get_auth()
-        self.identity_handler = IdentityHandler(hs)
-        Resource.__init__(self)
-
-    def render_GET(self, request):
-        self.async_render_GET(request)
-        return NOT_DONE_YET
-
-    @wrap_json_request_handler
-    @defer.inlineCallbacks
-    def async_render_GET(self, request):
-        """Proxy a /_matrix/identity/api/v1/lookup request to an identity
-        server
-        """
-        yield self.auth.get_user_by_req(request, allow_guest=True)
-
-        if not self.config.enable_3pid_lookup:
-            raise SynapseError(
-                403,
-                "Looking up third-party identifiers is denied from this server"
-            )
-
-        # Extract query parameters
-        query_params = request.args
-        assert_params_in_dict(query_params, [b"medium", b"address", b"is_server"])
-
-        # Retrieve address and medium from the request parameters
-        medium = parse_string(request, "medium")
-        address = parse_string(request, "address")
-        is_server = parse_string(request, "is_server")
-
-        # Proxy the request to the identity server
-        ret = yield self.identity_handler.lookup_3pid(is_server, medium, address)
-
-        respond_with_json(request, 200, ret, send_cors=True)
diff --git a/tests/rest/client/test_identity.py b/tests/rest/client/test_identity.py

index 7e8b95887f..ec260a2873 100644
--- a/tests/rest/client/test_identity.py
+++ b/tests/rest/client/test_identity.py
@@ -15,14 +15,21 @@
 
 import json
 
+from mock import Mock
+
+from twisted.internet import defer
+
 from synapse.rest.client.v1 import admin, login, room
+from synapse.rest.client.v2_alpha import account
 
 from tests import unittest
 
 
-class IdentityTestCase(unittest.HomeserverTestCase):
+class IdentityDisabledTestCase(unittest.HomeserverTestCase):
+    """Tests that 3PID lookup attempts fail when the HS's config disallows them."""
 
     servlets = [
+        account.register_servlets,
         admin.register_servlets,
         room.register_servlets,
         login.register_servlets,
@@ -32,16 +39,21 @@ class IdentityTestCase(unittest.HomeserverTestCase):
 
         config = self.default_config()
         config.enable_3pid_lookup = False
+        config.trusted_third_party_id_servers = [
+            "testis",
+        ]
+
         self.hs = self.setup_test_homeserver(config=config)
 
         return self.hs
 
-    def test_3pid_lookup_disabled(self):
-        self.register_user("kermit", "monkey")
-        tok = self.login("kermit", "monkey")
+    def prepare(self, reactor, clock, hs):
+        self.user_id = self.register_user("kermit", "monkey")
+        self.tok = self.login("kermit", "monkey")
 
+    def test_3pid_invite_disabled(self):
         request, channel = self.make_request(
-            b"POST", "/createRoom", b"{}", access_token=tok,
+            b"POST", "/createRoom", b"{}", access_token=self.tok,
         )
         self.render(request)
         self.assertEquals(channel.result["code"], b"200", channel.result)
@@ -57,7 +69,157 @@ class IdentityTestCase(unittest.HomeserverTestCase):
             "/rooms/%s/invite" % (room_id)
         ).encode('ascii')
         request, channel = self.make_request(
-            b"POST", request_url, request_data, access_token=tok,
+            b"POST", request_url, request_data, access_token=self.tok,
         )
         self.render(request)
         self.assertEquals(channel.result["code"], b"403", channel.result)
+
+    def test_3pid_lookup_disabled(self):
+        url = ("/_matrix/client/unstable/account/3pid/lookup"
+               "?id_server=testis&medium=email&address=foo@bar.baz")
+        request, channel = self.make_request("GET", url, access_token=self.tok)
+        self.render(request)
+        self.assertEqual(channel.result["code"], b"403", channel.result)
+
+    def test_3pid_bulk_lookup_disabled(self):
+        url = "/_matrix/client/unstable/account/3pid/bulk_lookup"
+        data = {
+            "id_server": "testis",
+            "threepids": [
+                [
+                    "email",
+                    "foo@bar.baz"
+                ],
+                [
+                    "email",
+                    "john.doe@matrix.org"
+                ]
+            ]
+        }
+        request_data = json.dumps(data)
+        request, channel = self.make_request(
+            "POST", url, request_data, access_token=self.tok,
+        )
+        self.render(request)
+        self.assertEqual(channel.result["code"], b"403", channel.result)
+
+
+class IdentityEnabledTestCase(unittest.HomeserverTestCase):
+    """Tests that 3PID lookup attempts succeed when the HS's config allows them."""
+
+    servlets = [
+        account.register_servlets,
+        admin.register_servlets,
+        room.register_servlets,
+        login.register_servlets,
+    ]
+
+    def make_homeserver(self, reactor, clock):
+
+        config = self.default_config()
+        config.enable_3pid_lookup = True
+        config.trusted_third_party_id_servers = [
+            "testis",
+        ]
+
+        mock_http_client = Mock(spec=[
+            "get_json",
+            "post_json_get_json",
+        ])
+        mock_http_client.get_json.return_value = defer.succeed((200, "{}"))
+        mock_http_client.post_json_get_json.return_value = defer.succeed((200, "{}"))
+
+        self.hs = self.setup_test_homeserver(
+            config=config,
+            simple_http_client=mock_http_client,
+        )
+
+        return self.hs
+
+    def prepare(self, reactor, clock, hs):
+        self.user_id = self.register_user("kermit", "monkey")
+        self.tok = self.login("kermit", "monkey")
+
+    def test_3pid_invite_enabled(self):
+        request, channel = self.make_request(
+            b"POST", "/createRoom", b"{}", access_token=self.tok,
+        )
+        self.render(request)
+        self.assertEquals(channel.result["code"], b"200", channel.result)
+        room_id = channel.json_body["room_id"]
+
+        params = {
+            "id_server": "testis",
+            "medium": "email",
+            "address": "test@example.com",
+        }
+        request_data = json.dumps(params)
+        request_url = (
+            "/rooms/%s/invite" % (room_id)
+        ).encode('ascii')
+        request, channel = self.make_request(
+            b"POST", request_url, request_data, access_token=self.tok,
+        )
+        self.render(request)
+
+        get_json = self.hs.get_simple_http_client().get_json
+        get_json.assert_called_once_with(
+            "https://testis/_matrix/identity/api/v1/lookup",
+            {
+                "address": "test@example.com",
+                "medium": "email",
+            },
+        )
+
+    def test_3pid_lookup_enabled(self):
+        url = ("/_matrix/client/unstable/account/3pid/lookup"
+               "?id_server=testis&medium=email&address=foo@bar.baz")
+        request, channel = self.make_request("GET", url, access_token=self.tok)
+        self.render(request)
+
+        get_json = self.hs.get_simple_http_client().get_json
+        get_json.assert_called_once_with(
+            "https://testis/_matrix/identity/api/v1/lookup",
+            {
+                "address": "foo@bar.baz",
+                "medium": "email",
+            },
+        )
+
+    def test_3pid_bulk_lookup_enabled(self):
+        url = "/_matrix/client/unstable/account/3pid/bulk_lookup"
+        data = {
+            "id_server": "testis",
+            "threepids": [
+                [
+                    "email",
+                    "foo@bar.baz"
+                ],
+                [
+                    "email",
+                    "john.doe@matrix.org"
+                ]
+            ]
+        }
+        request_data = json.dumps(data)
+        request, channel = self.make_request(
+            "POST", url, request_data, access_token=self.tok,
+        )
+        self.render(request)
+
+        post_json = self.hs.get_simple_http_client().post_json_get_json
+        post_json.assert_called_once_with(
+            "https://testis/_matrix/identity/api/v1/bulk_lookup",
+            {
+                "threepids": [
+                    [
+                        "email",
+                        "foo@bar.baz"
+                    ],
+                    [
+                        "email",
+                        "john.doe@matrix.org"
+                    ]
+                ],
+            },
+        )
diff --git a/tests/rulecheck/test_domainrulecheck.py b/tests/rulecheck/test_domainrulecheck.py

index e3167aa06b..66b9cca4b3 100644
--- a/tests/rulecheck/test_domainrulecheck.py
+++ b/tests/rulecheck/test_domainrulecheck.py
@@ -164,6 +164,9 @@ class DomainRuleCheckerRoomTestCase(unittest.HomeserverTestCase):
 
     def make_homeserver(self, reactor, clock):
         config = self.default_config()
+        config.trusted_third_party_id_servers = [
+            "localhost",
+        ]
 
         config.spam_checker = (
             DomainRuleChecker,
generated by cgit-magenta 1.5.1 (git 2.48.1) at 2025-03-14 13:20:55 +0000