diff options
| author | Richard van der Hoff <github@rvanderhoff.org.uk> | 2016-11-25 16:57:19 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2016-11-25 16:57:19 +0000 |
| commit | b6146537d2a79401a4b4b41f5d31d408a2b5fea0 (patch) | |
| tree | f5e1901781155426b01739df8868c4c80afe7a17 | |
| parent | Merge pull request #1650 from matrix-org/erikj/respect_ratelimited (diff) | |
| parent | Remove redundant list of known caveat prefixes (diff) | |
| download | synapse-b6146537d2a79401a4b4b41f5d31d408a2b5fea0.tar.xz | |
Merge pull request #1655 from matrix-org/rav/remove_redundant_macaroon_checks
Remove redundant list of known caveat prefixes
| -rw-r--r-- | synapse/api/auth.py | 34 |
1 files changed, 8 insertions, 26 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py index 69b3392735..1ab27da941 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -51,17 +51,6 @@ class Auth(object): self.store = hs.get_datastore() self.state = hs.get_state_handler() self.TOKEN_NOT_FOUND_HTTP_STATUS = 401 - # Docs for these currently lives at - # github.com/matrix-org/matrix-doc/blob/master/drafts/macaroons_caveats.rst - # In addition, we have type == delete_pusher which grants access only to - # delete pushers. - self._KNOWN_CAVEAT_PREFIXES = set([ - "gen = ", - "guest = ", - "type = ", - "time < ", - "user_id = ", - ]) @defer.inlineCallbacks def check_from_context(self, event, context, do_sig_check=True): @@ -801,11 +790,17 @@ class Auth(object): type_string(str): The kind of token required (e.g. "access", "refresh", "delete_pusher") verify_expiry(bool): Whether to verify whether the macaroon has expired. - This should really always be True, but no clients currently implement - token refresh, so we can't enforce expiry yet. + This should really always be True, but there exist access tokens + in the wild which expire when they should not, so we can't + enforce expiry yet. user_id (str): The user_id required """ v = pymacaroons.Verifier() + + # the verifier runs a test for every caveat on the macaroon, to check + # that it is met for the current request. Each caveat must match at + # least one of the predicates specified by satisfy_exact or + # specify_general. v.satisfy_exact("gen = 1") v.satisfy_exact("type = " + type_string) v.satisfy_exact("user_id = %s" % user_id) @@ -817,10 +812,6 @@ class Auth(object): v.verify(macaroon, self.hs.config.macaroon_secret_key) - v = pymacaroons.Verifier() - v.satisfy_general(self._verify_recognizes_caveats) - v.verify(macaroon, self.hs.config.macaroon_secret_key) - def _verify_expiry(self, caveat): prefix = "time < " if not caveat.startswith(prefix): @@ -829,15 +820,6 @@ class Auth(object): now = self.hs.get_clock().time_msec() return now < expiry - def _verify_recognizes_caveats(self, caveat): - first_space = caveat.find(" ") - if first_space < 0: - return False - second_space = caveat.find(" ", first_space + 1) - if second_space < 0: - return False - return caveat[:second_space + 1] in self._KNOWN_CAVEAT_PREFIXES - @defer.inlineCallbacks def _look_up_user_by_access_token(self, token): ret = yield self.store.get_user_by_access_token(token) |