diff options
| -rw-r--r-- | synapse/event_auth.py | 15 | ||||
| -rw-r--r-- | synapse/handlers/event_auth.py | 2 | ||||
| -rw-r--r-- | synapse/handlers/federation_event.py | 16 | ||||
| -rw-r--r-- | synapse/state/v1.py | 4 | ||||
| -rw-r--r-- | synapse/state/v2.py | 1 | ||||
| -rw-r--r-- | tests/test_event_auth.py | 43 |
6 files changed, 16 insertions, 65 deletions
diff --git a/synapse/event_auth.py b/synapse/event_auth.py index 77f90558d8..e23503c1e0 100644 --- a/synapse/event_auth.py +++ b/synapse/event_auth.py @@ -113,7 +113,6 @@ def validate_event_for_room_version(event: "EventBase") -> None: def check_auth_rules_for_event( - room_version_obj: RoomVersion, event: "EventBase", auth_events: Iterable["EventBase"], ) -> None: @@ -132,7 +131,6 @@ def check_auth_rules_for_event( a bunch of other tests. Args: - room_version_obj: the version of the room event: the event being checked. auth_events: the room state to check the events against. @@ -201,7 +199,10 @@ def check_auth_rules_for_event( raise AuthError(403, "This room has been marked as unfederatable.") # 4. If type is m.room.aliases - if event.type == EventTypes.Aliases and room_version_obj.special_case_aliases_auth: + if ( + event.type == EventTypes.Aliases + and event.room_version.special_case_aliases_auth + ): # 4a. If event has no state_key, reject if not event.is_state(): raise AuthError(403, "Alias event must be a state event") @@ -221,7 +222,7 @@ def check_auth_rules_for_event( # 5. If type is m.room.membership if event.type == EventTypes.Member: - _is_membership_change_allowed(room_version_obj, event, auth_dict) + _is_membership_change_allowed(event.room_version, event, auth_dict) logger.debug("Allowing! %s", event) return @@ -243,17 +244,17 @@ def check_auth_rules_for_event( _can_send_event(event, auth_dict) if event.type == EventTypes.PowerLevels: - _check_power_levels(room_version_obj, event, auth_dict) + _check_power_levels(event.room_version, event, auth_dict) if event.type == EventTypes.Redaction: - check_redaction(room_version_obj, event, auth_dict) + check_redaction(event.room_version, event, auth_dict) if ( event.type == EventTypes.MSC2716_INSERTION or event.type == EventTypes.MSC2716_BATCH or event.type == EventTypes.MSC2716_MARKER ): - check_historical(room_version_obj, event, auth_dict) + check_historical(event.room_version, event, auth_dict) logger.debug("Allowing! %s", event) diff --git a/synapse/handlers/event_auth.py b/synapse/handlers/event_auth.py index 6bed464351..7bbb833f30 100644 --- a/synapse/handlers/event_auth.py +++ b/synapse/handlers/event_auth.py @@ -55,7 +55,7 @@ class EventAuthHandler: """Check an event passes the auth rules at its own auth events""" auth_event_ids = event.auth_event_ids() auth_events_by_id = await self._store.get_events(auth_event_ids) - check_auth_rules_for_event(room_version_obj, event, auth_events_by_id.values()) + check_auth_rules_for_event(event, auth_events_by_id.values()) def compute_auth_events( self, diff --git a/synapse/handlers/federation_event.py b/synapse/handlers/federation_event.py index 420ad8b969..9488fef297 100644 --- a/synapse/handlers/federation_event.py +++ b/synapse/handlers/federation_event.py @@ -1428,9 +1428,6 @@ class FederationEventHandler: allow_rejected=True, ) - room_version = await self._store.get_room_version_id(room_id) - room_version_obj = KNOWN_ROOM_VERSIONS[room_version] - def prep(event: EventBase) -> Optional[Tuple[EventBase, EventContext]]: with nested_logging_context(suffix=event.event_id): auth = [] @@ -1454,7 +1451,7 @@ class FederationEventHandler: context = EventContext.for_outlier(self._storage_controllers) try: validate_event_for_room_version(event) - check_auth_rules_for_event(room_version_obj, event, auth) + check_auth_rules_for_event(event, auth) except AuthError as e: logger.warning("Rejecting %r because %s", event, e) context.rejected = RejectedReason.AUTH_ERROR @@ -1497,9 +1494,6 @@ class FederationEventHandler: assert not event.internal_metadata.outlier # first of all, check that the event itself is valid. - room_version = await self._store.get_room_version_id(event.room_id) - room_version_obj = KNOWN_ROOM_VERSIONS[room_version] - try: validate_event_for_room_version(event) except AuthError as e: @@ -1519,7 +1513,7 @@ class FederationEventHandler: # ... and check that the event passes auth at those auth events. try: - check_auth_rules_for_event(room_version_obj, event, claimed_auth_events) + check_auth_rules_for_event(event, claimed_auth_events) except AuthError as e: logger.warning( "While checking auth of %r against auth_events: %s", event, e @@ -1567,9 +1561,7 @@ class FederationEventHandler: auth_events_for_auth = calculated_auth_event_map try: - check_auth_rules_for_event( - room_version_obj, event, auth_events_for_auth.values() - ) + check_auth_rules_for_event(event, auth_events_for_auth.values()) except AuthError as e: logger.warning("Failed auth resolution for %r because %s", event, e) context.rejected = RejectedReason.AUTH_ERROR @@ -1669,7 +1661,7 @@ class FederationEventHandler: ) try: - check_auth_rules_for_event(room_version_obj, event, current_auth_events) + check_auth_rules_for_event(event, current_auth_events) except AuthError as e: logger.warning( "Soft-failing %r (from %s) because %s", diff --git a/synapse/state/v1.py b/synapse/state/v1.py index 499a328201..8bbb4ce41c 100644 --- a/synapse/state/v1.py +++ b/synapse/state/v1.py @@ -30,7 +30,7 @@ from typing import ( from synapse import event_auth from synapse.api.constants import EventTypes from synapse.api.errors import AuthError -from synapse.api.room_versions import RoomVersion, RoomVersions +from synapse.api.room_versions import RoomVersion from synapse.events import EventBase from synapse.types import MutableStateMap, StateMap @@ -331,7 +331,6 @@ def _resolve_auth_events( try: # The signatures have already been checked at this point event_auth.check_auth_rules_for_event( - RoomVersions.V1, event, auth_events.values(), ) @@ -349,7 +348,6 @@ def _resolve_normal_events( try: # The signatures have already been checked at this point event_auth.check_auth_rules_for_event( - RoomVersions.V1, event, auth_events.values(), ) diff --git a/synapse/state/v2.py b/synapse/state/v2.py index c618df2fde..041ccac59e 100644 --- a/synapse/state/v2.py +++ b/synapse/state/v2.py @@ -547,7 +547,6 @@ async def _iterative_auth_checks( try: event_auth.check_auth_rules_for_event( - room_version, event, auth_events.values(), ) diff --git a/tests/test_event_auth.py b/tests/test_event_auth.py index 1e11fb5dac..229ecd84a6 100644 --- a/tests/test_event_auth.py +++ b/tests/test_event_auth.py @@ -38,7 +38,6 @@ class EventAuthTestCase(unittest.TestCase): # creator should be able to send state event_auth.check_auth_rules_for_event( - RoomVersions.V9, _random_state_event(RoomVersions.V9, creator), auth_events, ) @@ -55,7 +54,6 @@ class EventAuthTestCase(unittest.TestCase): self.assertRaises( AuthError, event_auth.check_auth_rules_for_event, - RoomVersions.V9, _random_state_event(RoomVersions.V9, creator), auth_events, ) @@ -66,7 +64,6 @@ class EventAuthTestCase(unittest.TestCase): self.assertRaises( AuthError, event_auth.check_auth_rules_for_event, - RoomVersions.V9, _random_state_event(RoomVersions.V9, creator), auth_events, ) @@ -86,7 +83,6 @@ class EventAuthTestCase(unittest.TestCase): # creator should be able to send state event_auth.check_auth_rules_for_event( - RoomVersions.V1, _random_state_event(RoomVersions.V1, creator), auth_events, ) @@ -95,7 +91,6 @@ class EventAuthTestCase(unittest.TestCase): self.assertRaises( AuthError, event_auth.check_auth_rules_for_event, - RoomVersions.V1, _random_state_event(RoomVersions.V1, joiner), auth_events, ) @@ -125,14 +120,12 @@ class EventAuthTestCase(unittest.TestCase): self.assertRaises( AuthError, event_auth.check_auth_rules_for_event, - RoomVersions.V1, _random_state_event(RoomVersions.V1, pleb), auth_events, ), # king should be able to send state event_auth.check_auth_rules_for_event( - RoomVersions.V1, _random_state_event(RoomVersions.V1, king), auth_events, ) @@ -148,7 +141,6 @@ class EventAuthTestCase(unittest.TestCase): # creator should be able to send aliases event_auth.check_auth_rules_for_event( - RoomVersions.V1, _alias_event(RoomVersions.V1, creator), auth_events, ) @@ -156,7 +148,6 @@ class EventAuthTestCase(unittest.TestCase): # Reject an event with no state key. with self.assertRaises(AuthError): event_auth.check_auth_rules_for_event( - RoomVersions.V1, _alias_event(RoomVersions.V1, creator, state_key=""), auth_events, ) @@ -164,14 +155,12 @@ class EventAuthTestCase(unittest.TestCase): # If the domain of the sender does not match the state key, reject. with self.assertRaises(AuthError): event_auth.check_auth_rules_for_event( - RoomVersions.V1, _alias_event(RoomVersions.V1, creator, state_key="test.com"), auth_events, ) # Note that the member does *not* need to be in the room. event_auth.check_auth_rules_for_event( - RoomVersions.V1, _alias_event(RoomVersions.V1, other), auth_events, ) @@ -187,19 +176,16 @@ class EventAuthTestCase(unittest.TestCase): # creator should be able to send aliases event_auth.check_auth_rules_for_event( - RoomVersions.V6, _alias_event(RoomVersions.V6, creator), auth_events, ) # No particular checks are done on the state key. event_auth.check_auth_rules_for_event( - RoomVersions.V6, _alias_event(RoomVersions.V6, creator, state_key=""), auth_events, ) event_auth.check_auth_rules_for_event( - RoomVersions.V6, _alias_event(RoomVersions.V6, creator, state_key="test.com"), auth_events, ) @@ -207,7 +193,6 @@ class EventAuthTestCase(unittest.TestCase): # Per standard auth rules, the member must be in the room. with self.assertRaises(AuthError): event_auth.check_auth_rules_for_event( - RoomVersions.V6, _alias_event(RoomVersions.V6, other), auth_events, ) @@ -235,14 +220,12 @@ class EventAuthTestCase(unittest.TestCase): # on room V1, pleb should be able to modify the notifications power level. if allow_modification: - event_auth.check_auth_rules_for_event(room_version, pl_event, auth_events) + event_auth.check_auth_rules_for_event(pl_event, auth_events) else: # But an MSC2209 room rejects this change. with self.assertRaises(AuthError): - event_auth.check_auth_rules_for_event( - room_version, pl_event, auth_events - ) + event_auth.check_auth_rules_for_event(pl_event, auth_events) def test_join_rules_public(self): """ @@ -261,7 +244,6 @@ class EventAuthTestCase(unittest.TestCase): # Check join. event_auth.check_auth_rules_for_event( - RoomVersions.V6, _join_event(RoomVersions.V6, pleb), auth_events.values(), ) @@ -269,7 +251,6 @@ class EventAuthTestCase(unittest.TestCase): # A user cannot be force-joined to a room. with self.assertRaises(AuthError): event_auth.check_auth_rules_for_event( - RoomVersions.V6, _member_event(RoomVersions.V6, pleb, "join", sender=creator), auth_events.values(), ) @@ -280,7 +261,6 @@ class EventAuthTestCase(unittest.TestCase): ) with self.assertRaises(AuthError): event_auth.check_auth_rules_for_event( - RoomVersions.V6, _join_event(RoomVersions.V6, pleb), auth_events.values(), ) @@ -290,7 +270,6 @@ class EventAuthTestCase(unittest.TestCase): RoomVersions.V6, pleb, "leave" ) event_auth.check_auth_rules_for_event( - RoomVersions.V6, _join_event(RoomVersions.V6, pleb), auth_events.values(), ) @@ -300,7 +279,6 @@ class EventAuthTestCase(unittest.TestCase): RoomVersions.V6, pleb, "join" ) event_auth.check_auth_rules_for_event( - RoomVersions.V6, _join_event(RoomVersions.V6, pleb), auth_events.values(), ) @@ -310,7 +288,6 @@ class EventAuthTestCase(unittest.TestCase): RoomVersions.V6, pleb, "invite", sender=creator ) event_auth.check_auth_rules_for_event( - RoomVersions.V6, _join_event(RoomVersions.V6, pleb), auth_events.values(), ) @@ -333,7 +310,6 @@ class EventAuthTestCase(unittest.TestCase): # A join without an invite is rejected. with self.assertRaises(AuthError): event_auth.check_auth_rules_for_event( - RoomVersions.V6, _join_event(RoomVersions.V6, pleb), auth_events.values(), ) @@ -341,7 +317,6 @@ class EventAuthTestCase(unittest.TestCase): # A user cannot be force-joined to a room. with self.assertRaises(AuthError): event_auth.check_auth_rules_for_event( - RoomVersions.V6, _member_event(RoomVersions.V6, pleb, "join", sender=creator), auth_events.values(), ) @@ -352,7 +327,6 @@ class EventAuthTestCase(unittest.TestCase): ) with self.assertRaises(AuthError): event_auth.check_auth_rules_for_event( - RoomVersions.V6, _join_event(RoomVersions.V6, pleb), auth_events.values(), ) @@ -363,7 +337,6 @@ class EventAuthTestCase(unittest.TestCase): ) with self.assertRaises(AuthError): event_auth.check_auth_rules_for_event( - RoomVersions.V6, _join_event(RoomVersions.V6, pleb), auth_events.values(), ) @@ -373,7 +346,6 @@ class EventAuthTestCase(unittest.TestCase): RoomVersions.V6, pleb, "join" ) event_auth.check_auth_rules_for_event( - RoomVersions.V6, _join_event(RoomVersions.V6, pleb), auth_events.values(), ) @@ -383,7 +355,6 @@ class EventAuthTestCase(unittest.TestCase): RoomVersions.V6, pleb, "invite", sender=creator ) event_auth.check_auth_rules_for_event( - RoomVersions.V6, _join_event(RoomVersions.V6, pleb), auth_events.values(), ) @@ -406,7 +377,6 @@ class EventAuthTestCase(unittest.TestCase): with self.assertRaises(AuthError): event_auth.check_auth_rules_for_event( - RoomVersions.V6, _join_event(RoomVersions.V6, pleb), auth_events.values(), ) @@ -444,7 +414,6 @@ class EventAuthTestCase(unittest.TestCase): }, ) event_auth.check_auth_rules_for_event( - RoomVersions.V8, authorised_join_event, auth_events.values(), ) @@ -461,7 +430,6 @@ class EventAuthTestCase(unittest.TestCase): RoomVersions.V8, "@inviter:foo.test" ) event_auth.check_auth_rules_for_event( - RoomVersions.V8, _join_event( RoomVersions.V8, pleb, @@ -475,7 +443,6 @@ class EventAuthTestCase(unittest.TestCase): # A join which is missing an authorised server is rejected. with self.assertRaises(AuthError): event_auth.check_auth_rules_for_event( - RoomVersions.V8, _join_event(RoomVersions.V8, pleb), auth_events.values(), ) @@ -489,7 +456,6 @@ class EventAuthTestCase(unittest.TestCase): ) with self.assertRaises(AuthError): event_auth.check_auth_rules_for_event( - RoomVersions.V8, _join_event( RoomVersions.V8, pleb, @@ -504,7 +470,6 @@ class EventAuthTestCase(unittest.TestCase): # *would* be valid, but is sent be a different user.) with self.assertRaises(AuthError): event_auth.check_auth_rules_for_event( - RoomVersions.V8, _member_event( RoomVersions.V8, pleb, @@ -523,7 +488,6 @@ class EventAuthTestCase(unittest.TestCase): ) with self.assertRaises(AuthError): event_auth.check_auth_rules_for_event( - RoomVersions.V8, authorised_join_event, auth_events.values(), ) @@ -533,7 +497,6 @@ class EventAuthTestCase(unittest.TestCase): RoomVersions.V8, pleb, "leave" ) event_auth.check_auth_rules_for_event( - RoomVersions.V8, authorised_join_event, auth_events.values(), ) @@ -544,7 +507,6 @@ class EventAuthTestCase(unittest.TestCase): RoomVersions.V8, pleb, "join" ) event_auth.check_auth_rules_for_event( - RoomVersions.V8, _join_event(RoomVersions.V8, pleb), auth_events.values(), ) @@ -555,7 +517,6 @@ class EventAuthTestCase(unittest.TestCase): RoomVersions.V8, pleb, "invite", sender=creator ) event_auth.check_auth_rules_for_event( - RoomVersions.V8, _join_event(RoomVersions.V8, pleb), auth_events.values(), ) |