author | Daniel Wagner-Hall <dawagner@gmail.com> | 2015-11-19 15:00:14 -0500 |
---|---|---|
committer | Daniel Wagner-Hall <dawagner@gmail.com> | 2015-11-19 15:00:14 -0500 |
commit | 95c3306798e1ca6429f3f52797a5d1b6ce7d6f37 (patch) | |
tree | b43e191ea43c44a12b4c60c5a3a2ff09bc814e79 /synapse/api/auth.py | |
parent | Ignore forgotten rooms in v2 sync (diff) | |
parent | Merge branch 'develop' into daniel/forgetrooms (diff) | |
download | synapse-95c3306798e1ca6429f3f52797a5d1b6ce7d6f37.tar.xz |
Merge branch 'daniel/forgetrooms' of github.com:matrix-org/synapse into daniel/forgetrooms
Diffstat (limited to 'synapse/api/auth.py')
-rw-r--r-- | synapse/api/auth.py | 25 |
1 files changed, 17 insertions, 8 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 6eaa1150a3..4fdc779b4b 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -594,10 +594,7 @@ class Auth(object):
     def _get_user_from_macaroon(self, macaroon_str):
         try:
             macaroon = pymacaroons.Macaroon.deserialize(macaroon_str)
-            self.validate_macaroon(
-                macaroon, "access",
-                [lambda c: c.startswith("time < ")]
-            )
+            self.validate_macaroon(macaroon, "access", False)
             user_prefix = "user_id = "
             user = None
@@ -645,22 +642,34 @@ class Auth(object):
                 errcode=Codes.UNKNOWN_TOKEN
             )
-    def validate_macaroon(self, macaroon, type_string, additional_validation_functions):
+    def validate_macaroon(self, macaroon, type_string, verify_expiry):
+        """
+        validate that a Macaroon is understood by and was signed by this server.
+
+        Args:
+            macaroon(pymacaroons.Macaroon): The macaroon to validate
+            type_string(str): The kind of token this is (e.g. "access", "refresh")
+            verify_expiry(bool): Whether to verify whether the macaroon has expired.
+                This should really always be True, but no clients currently implement
+                token refresh, so we can't enforce expiry yet.
+        """
         v = pymacaroons.Verifier()
         v.satisfy_exact("gen = 1")
         v.satisfy_exact("type = " + type_string)
         v.satisfy_general(lambda c: c.startswith("user_id = "))
         v.satisfy_exact("guest = true")
+        if verify_expiry:
+            v.satisfy_general(self._verify_expiry)
+        else:
+            v.satisfy_general(lambda c: c.startswith("time < "))
-        for validation_function in additional_validation_functions:
-            v.satisfy_general(validation_function)
         v.verify(macaroon, self.hs.config.macaroon_secret_key)
         v = pymacaroons.Verifier()
         v.satisfy_general(self._verify_recognizes_caveats)
         v.verify(macaroon, self.hs.config.macaroon_secret_key)
-    def verify_expiry(self, caveat):
+    def _verify_expiry(self, caveat):
         prefix = "time < "
         if not caveat.startswith(prefix):
             return False
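Review bot: The bare `False` passed positionally on the added line in `_get_user_from_macaroon` hides a security-relevant decision — expiry of access-token macaroons is deliberately not enforced — behind an unlabelled literal. A keyword argument makes the intent visible at the call site: `self.validate_macaroon(macaroon, "access", verify_expiry=False)`. A one-line comment there pointing at the reason given in validate_macaroon's docstring would stop a reader from assuming the old `time < ` lambda still performed a real check. The body of `_get_user_from_macaroon` continues past the end of the hunk.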
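Review bot: In the new `else` branch of `validate_macaroon`, `lambda c: c.startswith("time < ")` accepts any `time < ...` caveat whatever its value, so an already-expired macaroon still verifies; the docstring explains this at the parameter, but the branch itself reads like a check. I would add `# Expiry is not enforced yet: accept the caveat by prefix only, without comparing the time.` directly above that `satisfy_general` call. The rename of `verify_expiry` to `_verify_expiry` would break any caller outside this file that used the old public name, which the diff cannot show either way. `_verify_expiry`'s body continues past the end of the hunk.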