summary refs log tree commit diff
path: root/synapse
diff options
context:
space:
mode:
Diffstat (limited to 'synapse')
-rw-r--r--synapse/api/auth.py98
-rw-r--r--synapse/handlers/_base.py6
-rw-r--r--synapse/handlers/federation.py34
3 files changed, 76 insertions, 62 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 4f9c3c9db8..12f753e7c3 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -68,72 +68,64 @@ class Auth(object):
         """
         self.check_size_limits(event)
 
-        try:
-            if not hasattr(event, "room_id"):
-                raise AuthError(500, "Event has no room_id: %s" % event)
-            if auth_events is None:
-                # Oh, we don't know what the state of the room was, so we
-                # are trusting that this is allowed (at least for now)
-                logger.warn("Trusting event: %s", event.event_id)
-                return True
+        if not hasattr(event, "room_id"):
+            raise AuthError(500, "Event has no room_id: %s" % event)
+        if auth_events is None:
+            # Oh, we don't know what the state of the room was, so we
+            # are trusting that this is allowed (at least for now)
+            logger.warn("Trusting event: %s", event.event_id)
+            return True
 
-            if event.type == EventTypes.Create:
-                # FIXME
-                return True
+        if event.type == EventTypes.Create:
+            # FIXME
+            return True
+
+        creation_event = auth_events.get((EventTypes.Create, ""), None)
 
-            creation_event = auth_events.get((EventTypes.Create, ""), None)
+        if not creation_event:
+            raise SynapseError(
+                403,
+                "Room %r does not exist" % (event.room_id,)
+            )
 
-            if not creation_event:
-                raise SynapseError(
+        creating_domain = RoomID.from_string(event.room_id).domain
+        originating_domain = UserID.from_string(event.sender).domain
+        if creating_domain != originating_domain:
+            if not self.can_federate(event, auth_events):
+                raise AuthError(
                     403,
-                    "Room %r does not exist" % (event.room_id,)
+                    "This room has been marked as unfederatable."
                 )
 
-            creating_domain = RoomID.from_string(event.room_id).domain
-            originating_domain = UserID.from_string(event.sender).domain
-            if creating_domain != originating_domain:
-                if not self.can_federate(event, auth_events):
-                    raise AuthError(
-                        403,
-                        "This room has been marked as unfederatable."
-                    )
+        # FIXME: Temp hack
+        if event.type == EventTypes.Aliases:
+            return True
 
-            # FIXME: Temp hack
-            if event.type == EventTypes.Aliases:
-                return True
+        logger.debug(
+            "Auth events: %s",
+            [a.event_id for a in auth_events.values()]
+        )
 
-            logger.debug(
-                "Auth events: %s",
-                [a.event_id for a in auth_events.values()]
+        if event.type == EventTypes.Member:
+            allowed = self.is_membership_change_allowed(
+                event, auth_events
             )
+            if allowed:
+                logger.debug("Allowing! %s", event)
+            else:
+                logger.debug("Denying! %s", event)
+            return allowed
 
-            if event.type == EventTypes.Member:
-                allowed = self.is_membership_change_allowed(
-                    event, auth_events
-                )
-                if allowed:
-                    logger.debug("Allowing! %s", event)
-                else:
-                    logger.debug("Denying! %s", event)
-                return allowed
-
-            self.check_event_sender_in_room(event, auth_events)
-            self._can_send_event(event, auth_events)
+        self.check_event_sender_in_room(event, auth_events)
+        self._can_send_event(event, auth_events)
 
-            if event.type == EventTypes.PowerLevels:
-                self._check_power_levels(event, auth_events)
+        if event.type == EventTypes.PowerLevels:
+            self._check_power_levels(event, auth_events)
 
-            if event.type == EventTypes.Redaction:
-                self.check_redaction(event, auth_events)
+        if event.type == EventTypes.Redaction:
+            self.check_redaction(event, auth_events)
 
-            logger.debug("Allowing! %s", event)
-        except AuthError as e:
-            logger.info(
-                "Event auth check failed on event %s with msg: %s",
-                event, e.msg
-            )
-            logger.info("Denying! %s", event)
-            raise
+        logger.debug("Allowing! %s", event)
 
     def check_size_limits(self, event):
         def too_big(field):
diff --git a/synapse/handlers/_base.py b/synapse/handlers/_base.py
index aaf6b1b837..13a675b208 100644
--- a/synapse/handlers/_base.py
+++ b/synapse/handlers/_base.py
@@ -316,7 +316,11 @@ class BaseHandler(object):
         if ratelimit:
             self.ratelimit(requester)
 
-        self.auth.check(event, auth_events=context.current_state)
+        try:
+            self.auth.check(event, auth_events=context.current_state)
+        except AuthError as err:
+            logger.warn("Denying new event %r because %s", event, err)
+            raise err
 
         yield self.maybe_kick_guest_users(event, context.current_state.values())
 
diff --git a/synapse/handlers/federation.py b/synapse/handlers/federation.py
index 5ac55e10f3..d95e0b23b1 100644
--- a/synapse/handlers/federation.py
+++ b/synapse/handlers/federation.py
@@ -681,9 +681,13 @@ class FederationHandler(BaseHandler):
             "state_key": user_id,
         })
 
-        event, context = yield self._create_new_client_event(
-            builder=builder,
-        )
+        try:
+            event, context = yield self._create_new_client_event(
+                builder=builder,
+            )
+        except AuthError as e:
+            logger.warn("Failed to create join %r because %s", event, e)
+            raise e
 
         self.auth.check(event, auth_events=context.current_state)
 
@@ -915,7 +919,11 @@ class FederationHandler(BaseHandler):
             builder=builder,
         )
 
-        self.auth.check(event, auth_events=context.current_state)
+        try:
+            self.auth.check(event, auth_events=context.current_state)
+        except AuthError as e:
+            logger.warn("Failed to create new leave %r because %s", event, e)
+            raise e
 
         defer.returnValue(event)
 
@@ -1512,8 +1520,9 @@ class FederationHandler(BaseHandler):
 
         try:
             self.auth.check(event, auth_events=auth_events)
-        except AuthError:
-            raise
+        except AuthError as e:
+            logger.warn("Failed auth resolution for %r because %s", event, e)
+            raise e
 
     @defer.inlineCallbacks
     def construct_auth_difference(self, local_auth, remote_auth):
@@ -1689,7 +1698,12 @@ class FederationHandler(BaseHandler):
                 event_dict, event, context
             )
 
-            self.auth.check(event, context.current_state)
+            try:
+                self.auth.check(event, context.current_state)
+            except AuthError as e:
+                logger.warn("Denying new third party invite %r because %s", event, e)
+                raise e
+
             yield self._check_signature(event, auth_events=context.current_state)
             member_handler = self.hs.get_handlers().room_member_handler
             yield member_handler.send_membership_event(None, event, context)
@@ -1714,7 +1728,11 @@ class FederationHandler(BaseHandler):
             event_dict, event, context
         )
 
-        self.auth.check(event, auth_events=context.current_state)
+        try:
+            self.auth.check(event, auth_events=context.current_state)
+        except AuthError as e:
+            logger.warn("Denying third party invite %r because %s", event, e)
+            raise e
         yield self._check_signature(event, auth_events=context.current_state)
 
         returned_invite = yield self.send_invite(origin, event)