Merge branch 'develop' of github.com:matrix-org/synapse into release-v0.11.0

author: Erik Johnston <erik@matrix.org> 2015-11-17 14:37:13 +0000
committer: Erik Johnston <erik@matrix.org> 2015-11-17 14:37:13 +0000
commit: 0186aef81421111ead4577debafcada211ddd0c3 (patch)
tree: 2c8bfa0a7d9276b54ed2503926240015dfa47ea1 /synapse/api
parent: Bump version and change log (diff)
parent: Merge pull request #349 from stevenhammerton/sh-cas-auth-via-homeserver (diff)
download: synapse-0186aef81421111ead4577debafcada211ddd0c3.tar.xz
1 files changed, 10 insertions, 8 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 3e891a6193..8111b34428 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -587,7 +587,10 @@ class Auth(object):
     def _get_user_from_macaroon(self, macaroon_str):
         try:
             macaroon = pymacaroons.Macaroon.deserialize(macaroon_str)
-            self._validate_macaroon(macaroon)
+            self.validate_macaroon(
+                macaroon, "access",
+                [lambda c: c.startswith("time < ")]
+            )
 
             user_prefix = "user_id = "
             user = None
@@ -635,26 +638,25 @@ class Auth(object):
                 errcode=Codes.UNKNOWN_TOKEN
             )
 
-    def _validate_macaroon(self, macaroon):
+    def validate_macaroon(self, macaroon, type_string, additional_validation_functions):
         v = pymacaroons.Verifier()
         v.satisfy_exact("gen = 1")
-        v.satisfy_exact("type = access")
+        v.satisfy_exact("type = " + type_string)
         v.satisfy_general(lambda c: c.startswith("user_id = "))
-        v.satisfy_general(self._verify_expiry)
         v.satisfy_exact("guest = true")
+
+        for validation_function in additional_validation_functions:
+            v.satisfy_general(validation_function)
         v.verify(macaroon, self.hs.config.macaroon_secret_key)
 
         v = pymacaroons.Verifier()
         v.satisfy_general(self._verify_recognizes_caveats)
         v.verify(macaroon, self.hs.config.macaroon_secret_key)
 
-    def _verify_expiry(self, caveat):
+    def verify_expiry(self, caveat):
         prefix = "time < "
         if not caveat.startswith(prefix):
             return False
-        # TODO(daniel): Enable expiry check when clients actually know how to
-        # refresh tokens. (And remember to enable the tests)
-        return True
         expiry = int(caveat[len(prefix):])
         now = self.hs.get_clock().time_msec()
         return now < expiry
author	Erik Johnston <erik@matrix.org>	2015-11-17 14:37:13 +0000
committer	Erik Johnston <erik@matrix.org>	2015-11-17 14:37:13 +0000
commit	0186aef81421111ead4577debafcada211ddd0c3 (patch)
tree	2c8bfa0a7d9276b54ed2503926240015dfa47ea1 /synapse/api
parent	Bump version and change log (diff)
parent	Merge pull request #349 from stevenhammerton/sh-cas-auth-via-homeserver (diff)
download	synapse-0186aef81421111ead4577debafcada211ddd0c3.tar.xz