author | Erik Johnston <erik@matrix.org> | 2015-11-17 14:36:15 +0000 |
---|---|---|
committer | Erik Johnston <erik@matrix.org> | 2015-11-17 14:36:15 +0000 |
commit | e5038489908d544c82619901582083dbf1b5fb61 (patch) | |
tree | 34e3624b590635eb5cc4ee21278c6869d54ccd5c /synapse/api/auth.py | |
parent | Merge pull request #380 from matrix-org/daniel/jenkins-sytest (diff) | |
parent | Always check guest = true in macaroons (diff) | |
download | synapse-e5038489908d544c82619901582083dbf1b5fb61.tar.xz |
Merge pull request #349 from stevenhammerton/sh-cas-auth-via-homeserver
SH CAS auth via homeserver
Diffstat (limited to 'synapse/api/auth.py')
-rw-r--r-- | synapse/api/auth.py | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 3e891a6193..8111b34428 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -587,7 +587,10 @@ class Auth(object):
     def _get_user_from_macaroon(self, macaroon_str):
         try:
             macaroon = pymacaroons.Macaroon.deserialize(macaroon_str)
-            self._validate_macaroon(macaroon)
+            self.validate_macaroon(
+                macaroon, "access",
+                [lambda c: c.startswith("time < ")]
+            )
 
             user_prefix = "user_id = "
             user = None
@@ -635,26 +638,25 @@ class Auth(object):
                 errcode=Codes.UNKNOWN_TOKEN
             )
 
-    def _validate_macaroon(self, macaroon):
+    def validate_macaroon(self, macaroon, type_string, additional_validation_functions):
         v = pymacaroons.Verifier()
         v.satisfy_exact("gen = 1")
-        v.satisfy_exact("type = access")
+        v.satisfy_exact("type = " + type_string)
         v.satisfy_general(lambda c: c.startswith("user_id = "))
-        v.satisfy_general(self._verify_expiry)
         v.satisfy_exact("guest = true")
+
+        for validation_function in additional_validation_functions:
+            v.satisfy_general(validation_function)
         v.verify(macaroon, self.hs.config.macaroon_secret_key)
 
         v = pymacaroons.Verifier()
         v.satisfy_general(self._verify_recognizes_caveats)
         v.verify(macaroon, self.hs.config.macaroon_secret_key)
 
-    def _verify_expiry(self, caveat):
+    def verify_expiry(self, caveat):
         prefix = "time < "
         if not caveat.startswith(prefix):
             return False
-        # TODO(daniel): Enable expiry check when clients actually know how to
-        # refresh tokens. (And remember to enable the tests)
-        return True
         expiry = int(caveat[len(prefix):])
         now = self.hs.get_clock().time_msec()
         return now < expiry
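Review bot: The access-token path now passes `[lambda c: c.startswith("time < ")]` as its only extra validator, so a `time < ...` caveat is accepted on its prefix alone and the expiry value is never compared against the clock — access tokens remain effectively non-expiring even though the same commit removes the early `return True` from `verify_expiry`. That looks deliberate (the old TODO said clients cannot refresh tokens yet), but nothing in the call site says so, and a later reader could easily assume expiry is enforced here; add a comment above the call such as `# Expiry is intentionally not enforced for access tokens yet: only the caveat's shape is checked. Swap in self.verify_expiry once clients can refresh tokens.`. The `try` opened here has its `except` clause outside the hunk, so whether verification errors surface as AuthError cannot be confirmed from this view.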
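Review bot: `verify_expiry` is now public and meant to be handed to `validate_macaroon` by other callers, yet `expiry = int(caveat[len(prefix):])` raises ValueError on a malformed caveat like `time < abc` instead of rejecting it; unless pymacaroons or every caller catches ValueError (the `except` clause of `_get_user_from_macaroon` lies outside the hunk), a bad token becomes a 500 rather than a clean verification failure. Fail closed inside the helper so the behaviour does not depend on the caller: `try: expiry = int(caveat[len(prefix):])` / `except ValueError: return False`. The newly public `validate_macaroon` also has no docstring; one should state that it verifies the signature against `macaroon_secret_key`, requires `gen = 1`, `type = <type_string>`, a `user_id = ` caveat and `guest = true`, runs each of `additional_validation_functions` as a general caveat check, and then rejects any caveat not recognised by `_verify_recognizes_caveats`. The enclosing `Auth` class continues beyond both ends of this hunk.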