Share more code between macaroon validation

author: Steven Hammerton <steven.hammerton@openmarket.com> 2015-11-11 11:12:35 +0000
committer: Steven Hammerton <steven.hammerton@openmarket.com> 2015-11-11 11:12:35 +0000
commit: dd2eb49385f4b7d3bba94597a1fadb04bdeda0a4 (patch)
tree: fcf394902f6fdfc2ed9c2759a54e44192d734c14 /synapse/api
parent: Updates to fallback CAS login to do new token login (diff)
download: synapse-dd2eb49385f4b7d3bba94597a1fadb04bdeda0a4.tar.xz
1 files changed, 10 insertions, 9 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 3e891a6193..7fbbd89179 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -587,7 +587,10 @@ class Auth(object):
     def _get_user_from_macaroon(self, macaroon_str):
         try:
             macaroon = pymacaroons.Macaroon.deserialize(macaroon_str)
-            self._validate_macaroon(macaroon)
+            self.validate_macaroon(
+                macaroon, "access",
+                [lambda c: c == "guest = true", lambda c: c.startswith("time < ")]
+            )
 
             user_prefix = "user_id = "
             user = None
@@ -635,26 +638,24 @@ class Auth(object):
                 errcode=Codes.UNKNOWN_TOKEN
             )
 
-    def _validate_macaroon(self, macaroon):
+    def validate_macaroon(self, macaroon, type_string, additional_validation_functions):
         v = pymacaroons.Verifier()
         v.satisfy_exact("gen = 1")
-        v.satisfy_exact("type = access")
+        v.satisfy_exact("type = " + type_string)
         v.satisfy_general(lambda c: c.startswith("user_id = "))
-        v.satisfy_general(self._verify_expiry)
-        v.satisfy_exact("guest = true")
+
+        for validation_function in additional_validation_functions:
+            v.satisfy_general(validation_function)
         v.verify(macaroon, self.hs.config.macaroon_secret_key)
 
         v = pymacaroons.Verifier()
         v.satisfy_general(self._verify_recognizes_caveats)
         v.verify(macaroon, self.hs.config.macaroon_secret_key)
 
-    def _verify_expiry(self, caveat):
+    def verify_expiry(self, caveat):
         prefix = "time < "
         if not caveat.startswith(prefix):
             return False
-        # TODO(daniel): Enable expiry check when clients actually know how to
-        # refresh tokens. (And remember to enable the tests)
-        return True
         expiry = int(caveat[len(prefix):])
         now = self.hs.get_clock().time_msec()
         return now < expiry
author	Steven Hammerton <steven.hammerton@openmarket.com>	2015-11-11 11:12:35 +0000
committer	Steven Hammerton <steven.hammerton@openmarket.com>	2015-11-11 11:12:35 +0000
commit	dd2eb49385f4b7d3bba94597a1fadb04bdeda0a4 (patch)
tree	fcf394902f6fdfc2ed9c2759a54e44192d734c14 /synapse/api
parent	Updates to fallback CAS login to do new token login (diff)
download	synapse-dd2eb49385f4b7d3bba94597a1fadb04bdeda0a4.tar.xz