diff --git a/synapse/http/client.py b/synapse/http/client.py
index 0e8fa2eb25..9f54b74e3a 100644
--- a/synapse/http/client.py
+++ b/synapse/http/client.py
@@ -26,6 +26,8 @@ from syutil.jsonutil import encode_canonical_json
from synapse.api.errors import CodeMessageException, SynapseError
+from syutil.crypto.jsonsign import sign_json
+
from StringIO import StringIO
import json
@@ -147,7 +149,7 @@ class BaseHttpClient(object):
class MatrixHttpClient(BaseHttpClient):
- """ Wrapper around the twisted HTTP client api. Implements
+ """ Wrapper around the twisted HTTP client api. Implements
Attributes:
agent (twisted.web.client.Agent): The twisted Agent used to send the
@@ -156,8 +158,42 @@ class MatrixHttpClient(BaseHttpClient):
RETRY_DNS_LOOKUP_FAILURES = "__retry_dns"
+ def __init__(self, hs):
+ self.signing_key = hs.config.signing_key[0]
+ self.server_name = hs.hostname
+ BaseHttpClient.__init__(self, hs)
+
+ def sign_request(self, destination, method, url_bytes, headers_dict,
+ content=None):
+ request = {
+ "method": method,
+ "uri": url_bytes,
+ "origin": self.server_name,
+ "destination": destination,
+ }
+
+ if content is not None:
+ request["content"] = content
+
+ request = sign_json(request, self.server_name, self.signing_key)
+
+ from syutil.jsonutil import encode_canonical_json
+ logger.debug("Signing " + " " * 11 + "%s %s",
+ self.server_name, encode_canonical_json(request))
+
+ auth_headers = []
+
+ for key,sig in request["signatures"][self.server_name].items():
+ auth_headers.append(bytes(
+ "X-Matrix origin=%s,key=\"%s\",sig=\"%s\"" % (
+ self.server_name, key, sig,
+ )
+ ))
+
+ headers_dict[b"Authorization"] = auth_headers
+
@defer.inlineCallbacks
- def put_json(self, destination, path, data, on_send_callback=None):
+ def put_json(self, destination, path, data={}, json_data_callback=None):
""" Sends the specifed json data using PUT
Args:
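Review bot: `put_json` now takes a mutable default `data={}` in the new signature at the bottom of the hunk, and the default `json_data_callback` hands that shared dict back, so any caller or callback that mutates the body would leak state into later calls; use `data=None` and have the default callback `return {} if data is None else data`. The debug line in `sign_request` also writes the complete signed request, including the body `content`, to the log at DEBUG level, and it re-imports `encode_canonical_json` inside the function although the module already imports it at the top; logging only the method, uri, destination and the key ids would keep federation payloads out of the log. The signed object visible here carries no timestamp or nonce, so protection against replaying a captured request rests entirely on TLS and on the destination treating the signed `uri` as idempotent — `sign_request` has no docstring, and that is the assumption it should state.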
@@ -166,6 +202,8 @@ class MatrixHttpClient(BaseHttpClient):
path (str): The HTTP path.
data (dict): A dict containing the data that will be used as
the request body. This will be encoded as JSON.
+ json_data_callback (callable): A callable returning the dict to
+ use as the request body.
Returns:
Deferred: Succeeds when we get a 2xx HTTP response. The result
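Review bot: The new `json_data_callback` docstring entry does not say that the callback takes precedence over `data` when both are supplied, nor that it is invoked from inside the body callback when the request body is built rather than at call time; suggest `json_data_callback (callable): Called with no arguments when the request body is built; if given, its return value is used instead of ``data``.` If the body can be rebuilt on a retry the callback would run more than once — I cannot confirm that from this hunk, but if so the docstring should say the callback must be safe to call repeatedly. The enclosing `put_json` body continues past the end of this hunk.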
@@ -173,13 +211,16 @@ class MatrixHttpClient(BaseHttpClient):
CodeMessageException is raised.
"""
- if not on_send_callback:
- def on_send_callback(destination, method, path_bytes, producer):
- pass
+ if not json_data_callback:
+ def json_data_callback():
+ return data
def body_callback(method, url_bytes, headers_dict):
- producer = _JsonProducer(data)
- on_send_callback(destination, method, path, producer)
+ json_data = json_data_callback()
+ self.sign_request(
+ destination, method, url_bytes, headers_dict, json_data
+ )
+ producer = _JsonProducer(json_data)
return producer
response = yield self._create_request(
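Review bot: `body_callback` signs the dict returned by `json_data_callback()` and then hands the same dict to `_JsonProducer`, so the bytes actually sent are whatever that producer emits while the signature is over the canonical-JSON form; this is only sound if `_JsonProducer` encodes canonically or the destination re-canonicalises the parsed body before verifying, which this hunk does not show. A one-line comment above the `_JsonProducer(json_data)` line, `# signature covers the canonical JSON of json_data; the receiver must verify against the parsed body, not the raw bytes`, would record that dependency. The enclosing `put_json` starts before and continues after this hunk.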
@@ -221,6 +262,7 @@ class MatrixHttpClient(BaseHttpClient):
logger.debug("Query bytes: %s Retry DNS: %s", args, retry_on_dns_fail)
def body_callback(method, url_bytes, headers_dict):
+ self.sign_request(destination, method, url_bytes, headers_dict)
return None
response = yield self._create_request(
diff --git a/synapse/http/server_key_resource.py b/synapse/http/server_key_resource.py
new file mode 100644
index 0000000000..b30ecead27
--- /dev/null
+++ b/synapse/http/server_key_resource.py
@@ -0,0 +1,89 @@
+# -*- coding: utf-8 -*-
+# Copyright 2014 OpenMarket Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+from twisted.web.resource import Resource
+from synapse.http.server import respond_with_json_bytes
+from syutil.crypto.jsonsign import sign_json
+from syutil.base64util import encode_base64
+from syutil.jsonutil import encode_canonical_json
+from OpenSSL import crypto
+import logging
+
+
+logger = logging.getLogger(__name__)
+
+
+class LocalKey(Resource):
+ """HTTP resource containing encoding the TLS X.509 certificate and NACL
+ signature verification keys for this server::
+
+ GET /key HTTP/1.1
+
+ HTTP/1.1 200 OK
+ Content-Type: application/json
+ {
+ "server_name": "this.server.example.com"
+ "verify_keys": {
+ "algorithm:version": # base64 encoded NACL verification key.
+ },
+ "tls_certificate": # base64 ASN.1 DER encoded X.509 tls cert.
+ "signatures": {
+ "this.server.example.com": {
+ "algorithm:version": # NACL signature for this server.
+ }
+ }
+ }
+ """
+
+ def __init__(self, hs):
+ self.hs = hs
+ self.response_body = encode_canonical_json(
+ self.response_json_object(hs.config)
+ )
+ Resource.__init__(self)
+
+ @staticmethod
+ def response_json_object(server_config):
+ verify_keys = {}
+ for key in server_config.signing_key:
+ verify_key_bytes = key.verify_key.encode()
+ key_id = "%s:%s" % (key.alg, key.version)
+ verify_keys[key_id] = encode_base64(verify_key_bytes)
+
+ x509_certificate_bytes = crypto.dump_certificate(
+ crypto.FILETYPE_ASN1,
+ server_config.tls_certificate
+ )
+ json_object = {
+ u"server_name": server_config.server_name,
+ u"verify_keys": verify_keys,
+ u"tls_certificate": encode_base64(x509_certificate_bytes)
+ }
+ for key in server_config.signing_key:
+ json_object = sign_json(
+ json_object,
+ server_config.server_name,
+ key,
+ )
+
+ return json_object
+
+ def render_GET(self, request):
+ return respond_with_json_bytes(request, 200, self.response_body)
+
+ def getChild(self, name, request):
+ if name == '':
+ return self
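Review bot: `getChild` at the end of the file only handles the empty path segment and falls off the end for any other name, so a request for a sub-path of this resource hands Twisted `None` instead of a resource; fall back to the base class instead: `return Resource.getChild(self, name, request)`. The class docstring should also make clear that the `signatures` block is produced with this server's own signing keys (the loop over `server_config.signing_key` after `json_object` is built), so a fetching server cannot use it to establish trust in the published keys — it only shows the document is self-consistent, and the verify key or TLS certificate still has to be pinned or obtained out of band. Since `response_body` is computed once in `__init__`, a key or certificate rotation is not reflected until the resource is re-created; a comment on that line, `# built once at startup: key/cert changes need a restart`, would save the next reader a surprise.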