authorRichard van der Hoff <github@rvanderhoff.org.uk>2016-11-25 16:57:19 +0000
committerGitHub <noreply@github.com>2016-11-25 16:57:19 +0000
commitb6146537d2a79401a4b4b41f5d31d408a2b5fea0 (patch)
treef5e1901781155426b01739df8868c4c80afe7a17 /synapse
parentMerge pull request #1650 from matrix-org/erikj/respect_ratelimited (diff)
parentRemove redundant list of known caveat prefixes (diff)
downloadsynapse-b6146537d2a79401a4b4b41f5d31d408a2b5fea0.tar.xz
Merge pull request #1655 from matrix-org/rav/remove_redundant_macaroon_checks
Remove redundant list of known caveat prefixes
Diffstat (limited to 'synapse')
-rw-r--r--synapse/api/auth.py34
1 files changed, 8 insertions, 26 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 69b3392735..1ab27da941 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -51,17 +51,6 @@ class Auth(object):
         self.store = hs.get_datastore()
         self.state = hs.get_state_handler()
         self.TOKEN_NOT_FOUND_HTTP_STATUS = 401
-        # Docs for these currently lives at
-        # github.com/matrix-org/matrix-doc/blob/master/drafts/macaroons_caveats.rst
-        # In addition, we have type == delete_pusher which grants access only to
-        # delete pushers.
-        self._KNOWN_CAVEAT_PREFIXES = set([
-            "gen = ",
-            "guest = ",
-            "type = ",
-            "time < ",
-            "user_id = ",
-        ])
 
     @defer.inlineCallbacks
     def check_from_context(self, event, context, do_sig_check=True):
@@ -801,11 +790,17 @@ class Auth(object):
             type_string(str): The kind of token required (e.g. "access", "refresh",
                               "delete_pusher")
             verify_expiry(bool): Whether to verify whether the macaroon has expired.
-                This should really always be True, but no clients currently implement
-                token refresh, so we can't enforce expiry yet.
+                This should really always be True, but there exist access tokens
+                in the wild which expire when they should not, so we can't
+                enforce expiry yet.
             user_id (str): The user_id required
         """
         v = pymacaroons.Verifier()
+
+        # the verifier runs a test for every caveat on the macaroon, to check
+        # that it is met for the current request. Each caveat must match at
+        # least one of the predicates specified by satisfy_exact or
+        # specify_general.
         v.satisfy_exact("gen = 1")
         v.satisfy_exact("type = " + type_string)
         v.satisfy_exact("user_id = %s" % user_id)
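Review bot: The added comment above `v.satisfy_exact("gen = 1")` names `specify_general`, but the pymacaroons Verifier method is `satisfy_general` (the call removed further down in this commit uses that name), so its last line should read `# least one of the predicates specified by satisfy_exact or satisfy_general.`. With the separate known-prefix pass gone, this comment is the only place that explains why unrecognised caveats are still rejected. It would help to say explicitly that a caveat matching no predicate makes `v.verify` fail. The enclosing function starts before this hunk and continues after it, so the remaining predicates are not visible here.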
@@ -817,10 +812,6 @@ class Auth(object):
 
         v.verify(macaroon, self.hs.config.macaroon_secret_key)
 
-        v = pymacaroons.Verifier()
-        v.satisfy_general(self._verify_recognizes_caveats)
-        v.verify(macaroon, self.hs.config.macaroon_secret_key)
-
     def _verify_expiry(self, caveat):
         prefix = "time < "
         if not caveat.startswith(prefix):
@@ -829,15 +820,6 @@ class Auth(object):
         now = self.hs.get_clock().time_msec()
         return now < expiry
 
-    def _verify_recognizes_caveats(self, caveat):
-        first_space = caveat.find(" ")
-        if first_space < 0:
-            return False
-        second_space = caveat.find(" ", first_space + 1)
-        if second_space < 0:
-            return False
-        return caveat[:second_space + 1] in self._KNOWN_CAVEAT_PREFIXES
-
     @defer.inlineCallbacks
     def _look_up_user_by_access_token(self, token):
         ret = yield self.store.get_user_by_access_token(token)