summary refs log tree commit diff
path: root/synapse
diff options
context:
space:
mode:
authorLuke Barnard <lukeb@openmarket.com>2016-10-20 11:43:05 +0100
committerLuke Barnard <lukeb@openmarket.com>2016-10-20 11:43:05 +0100
commit1b17d1a106604ddf1d8b97d499db8de1dc0651b5 (patch)
tree717e4235947ac2ea32ec8c5036a7bcd29373bba3 /synapse
parentAllow Configurable Rate Limiting Per AS (diff)
downloadsynapse-1b17d1a106604ddf1d8b97d499db8de1dc0651b5.tar.xz
Use real AS object by passing it through the requester
This means synapse does not have to check if the AS is interested, but instead it effectively re-uses what it already knew about the requesting user
Diffstat (limited to '')
-rw-r--r--synapse/api/auth.py14
-rw-r--r--synapse/handlers/_base.py11
-rw-r--r--synapse/types.py8
3 files changed, 15 insertions, 18 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 1b3b55d517..c0bd0890fa 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -603,10 +603,10 @@ class Auth(object):
         """
         # Can optionally look elsewhere in the request (e.g. headers)
         try:
-            user_id = yield self._get_appservice_user_id(request)
+            user_id, as_user = yield self._get_appservice_user_id(request)
             if user_id:
                 request.authenticated_entity = user_id
-                defer.returnValue(synapse.types.create_requester(user_id))
+                defer.returnValue(synapse.types.create_requester(user_id, as_user=as_user))
 
             access_token = get_access_token_from_request(
                 request, self.TOKEN_NOT_FOUND_HTTP_STATUS
@@ -644,7 +644,7 @@ class Auth(object):
             request.authenticated_entity = user.to_string()
 
             defer.returnValue(synapse.types.create_requester(
-                user, token_id, is_guest, device_id))
+                user, token_id, is_guest, device_id, as_user=as_user))
         except KeyError:
             raise AuthError(
                 self.TOKEN_NOT_FOUND_HTTP_STATUS, "Missing access token.",
@@ -659,14 +659,14 @@ class Auth(object):
             )
         )
         if app_service is None:
-            defer.returnValue(None)
+            defer.returnValue((None, None))
 
         if "user_id" not in request.args:
-            defer.returnValue(app_service.sender)
+            defer.returnValue((app_service.sender, app_service))
 
         user_id = request.args["user_id"][0]
         if app_service.sender == user_id:
-            defer.returnValue(app_service.sender)
+            defer.returnValue((app_service.sender, app_service))
 
         if not app_service.is_interested_in_user(user_id):
             raise AuthError(
@@ -678,7 +678,7 @@ class Auth(object):
                 403,
                 "Application service has not registered this user"
             )
-        defer.returnValue(user_id)
+        defer.returnValue((user_id, app_service))
 
     @defer.inlineCallbacks
     def get_user_by_access_token(self, token, rights="access"):
diff --git a/synapse/handlers/_base.py b/synapse/handlers/_base.py
index a377b1225b..ba62746214 100644
--- a/synapse/handlers/_base.py
+++ b/synapse/handlers/_base.py
@@ -65,14 +65,9 @@ class BaseHandler(object):
         if app_service is not None:
             return  # do not ratelimit app service senders
 
-        should_rate_limit = True
-
-        for service in self.store.get_app_services():
-            if service.is_interested_in_user(user_id):
-                should_rate_limit = service.is_rate_limited()
-                break
-
-        if not should_rate_limit:
+        if requester.as_user and not requester.as_user.is_rate_limited():
+            # do not ratelimit users of which a non-rate-limited AS is
+            # acting on behalf
             return
 
         allowed, time_allowed = self.ratelimiter.send_message(
diff --git a/synapse/types.py b/synapse/types.py
index 1694af1250..35e05b9c41 100644
--- a/synapse/types.py
+++ b/synapse/types.py
@@ -19,7 +19,7 @@ from collections import namedtuple
 
 
 Requester = namedtuple("Requester",
-                       ["user", "access_token_id", "is_guest", "device_id"])
+                       ["user", "access_token_id", "is_guest", "device_id", "as_user"])
 """
 Represents the user making a request
 
@@ -29,11 +29,12 @@ Attributes:
         request, or None if it came via the appservice API or similar
     is_guest (bool):  True if the user making this request is a guest user
     device_id (str|None):  device_id which was set at authentication time
+    as_user (ApplicationService|None):  the AS requesting on behalf of the user
 """
 
 
 def create_requester(user_id, access_token_id=None, is_guest=False,
-                     device_id=None):
+                     device_id=None, as_user=None):
     """
     Create a new ``Requester`` object
 
@@ -43,13 +44,14 @@ def create_requester(user_id, access_token_id=None, is_guest=False,
             request, or None if it came via the appservice API or similar
         is_guest (bool):  True if the user making this request is a guest user
         device_id (str|None):  device_id which was set at authentication time
+        as_user (ApplicationService|None):  the AS requesting on behalf of the user
 
     Returns:
         Requester
     """
     if not isinstance(user_id, UserID):
         user_id = UserID.from_string(user_id)
-    return Requester(user_id, access_token_id, is_guest, device_id)
+    return Requester(user_id, access_token_id, is_guest, device_id, as_user)
 
 
 def get_domain_from_id(string):