From 69135f59aa87962b848f9f19cad6adc625821ba8 Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Fri, 13 Mar 2015 15:23:37 +0000
Subject: Implement registering with shared secret.

---
 synapse/rest/client/v1/register.py | 57 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 55 insertions(+), 2 deletions(-)

(limited to 'synapse/rest/client')

diff --git a/synapse/rest/client/v1/register.py b/synapse/rest/client/v1/register.py
index f5acfb945f..a7c9c5bb6f 100644
--- a/synapse/rest/client/v1/register.py
+++ b/synapse/rest/client/v1/register.py
@@ -110,14 +110,22 @@ class RegisterRestServlet(ClientV1RestServlet):
             login_type = register_json["type"]
 
             is_application_server = login_type == LoginType.APPLICATION_SERVICE
-            if self.disable_registration and not is_application_server:
+            is_using_shared_secret = login_type == LoginType.SHARED_SECRET
+
+            can_register = (
+                not self.disable_registration
+                or is_application_server
+                or is_using_shared_secret
+            )
+            if not can_register:
                 raise SynapseError(403, "Registration has been disabled")
 
             stages = {
                 LoginType.RECAPTCHA: self._do_recaptcha,
                 LoginType.PASSWORD: self._do_password,
                 LoginType.EMAIL_IDENTITY: self._do_email_identity,
-                LoginType.APPLICATION_SERVICE: self._do_app_service
+                LoginType.APPLICATION_SERVICE: self._do_app_service,
+                LoginType.SHARED_SECRET: self._do_shared_secret,
             }
 
             session_info = self._get_session_info(request, session)
@@ -304,6 +312,51 @@ class RegisterRestServlet(ClientV1RestServlet):
             "home_server": self.hs.hostname,
         })
 
+    @defer.inlineCallbacks
+    def _do_shared_secret(self, request, register_json, session):
+        yield run_on_reactor()
+
+        if "mac" not in register_json:
+            raise SynapseError(400, "Expected mac.")
+        if "user" not in register_json:
+            raise SynapseError(400, "Expected 'user' key.")
+        if "password" not in register_json:
+            raise SynapseError(400, "Expected 'password' key.")
+
+        if not self.hs.config.registration_shared_secret:
+            raise SynapseError(400, "Shared secret registration is not enabled")
+
+        user = register_json["user"].encode("utf-8")
+
+        # str() because otherwise hmac complains that 'unicode' does not
+        # have the buffer interface
+        got_mac = str(register_json["mac"])
+
+        want_mac = hmac.new(
+            key=self.hs.config.registration_shared_secret,
+            msg=user,
+            digestmod=sha1,
+        ).hexdigest()
+
+        password = register_json["password"].encode("utf-8")
+
+        if compare_digest(want_mac, got_mac):
+            handler = self.handlers.registration_handler
+            user_id, token = yield handler.register(
+                localpart=user,
+                password=password,
+            )
+            self._remove_session(session)
+            defer.returnValue({
+                "user_id": user_id,
+                "access_token": token,
+                "home_server": self.hs.hostname,
+            })
+        else:
+            raise SynapseError(
+                400, "HMAC incorrect",
+            )
+
 
 def _parse_json(request):
     try:
-- 
cgit 1.4.1


From 250e143084dd1e6d29c6378abaa3b5177323ebf9 Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Mon, 16 Mar 2015 13:11:42 +0000
Subject: Use 403 instead of 400

---
 synapse/rest/client/v1/register.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'synapse/rest/client')

diff --git a/synapse/rest/client/v1/register.py b/synapse/rest/client/v1/register.py
index a7c9c5bb6f..86519fd9dd 100644
--- a/synapse/rest/client/v1/register.py
+++ b/synapse/rest/client/v1/register.py
@@ -354,7 +354,7 @@ class RegisterRestServlet(ClientV1RestServlet):
             })
         else:
             raise SynapseError(
-                400, "HMAC incorrect",
+                403, "HMAC incorrect",
             )
 
 
-- 
cgit 1.4.1


From 57976f646ffe60eeb5fafce646983641fbfd7944 Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Wed, 18 Mar 2015 11:30:04 +0000
Subject: Do more validation of incoming request

---
 synapse/rest/client/v1/register.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'synapse/rest/client')

diff --git a/synapse/rest/client/v1/register.py b/synapse/rest/client/v1/register.py
index 86519fd9dd..ccc457924b 100644
--- a/synapse/rest/client/v1/register.py
+++ b/synapse/rest/client/v1/register.py
@@ -316,11 +316,11 @@ class RegisterRestServlet(ClientV1RestServlet):
     def _do_shared_secret(self, request, register_json, session):
         yield run_on_reactor()
 
-        if "mac" not in register_json:
+        if not isinstance(register_json.get("mac", None), basestring):
             raise SynapseError(400, "Expected mac.")
-        if "user" not in register_json:
+        if not isinstance(register_json.get("user", None), basestring):
             raise SynapseError(400, "Expected 'user' key.")
-        if "password" not in register_json:
+        if not isinstance(register_json.get("password", None), basestring):
             raise SynapseError(400, "Expected 'password' key.")
 
         if not self.hs.config.registration_shared_secret:
-- 
cgit 1.4.1


From f88db7ac0bc36974240db869606634b817471842 Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Wed, 18 Mar 2015 11:33:46 +0000
Subject: Factor out user id validation checks

---
 synapse/handlers/register.py       |  8 ++++++++
 synapse/rest/client/v1/register.py | 14 +++++---------
 2 files changed, 13 insertions(+), 9 deletions(-)

(limited to 'synapse/rest/client')

diff --git a/synapse/handlers/register.py b/synapse/handlers/register.py
index cda4a8502a..c25e321099 100644
--- a/synapse/handlers/register.py
+++ b/synapse/handlers/register.py
@@ -31,6 +31,7 @@ import base64
 import bcrypt
 import json
 import logging
+import urllib
 
 logger = logging.getLogger(__name__)
 
@@ -63,6 +64,13 @@ class RegistrationHandler(BaseHandler):
             password_hash = bcrypt.hashpw(password, bcrypt.gensalt())
 
         if localpart:
+            if localpart and urllib.quote(localpart) != localpart:
+                raise SynapseError(
+                    400,
+                    "User ID must only contain characters which do not"
+                    " require URL encoding."
+                )
+
             user = UserID(localpart, self.hs.hostname)
             user_id = user.to_string()
 
diff --git a/synapse/rest/client/v1/register.py b/synapse/rest/client/v1/register.py
index ccc457924b..a56834e365 100644
--- a/synapse/rest/client/v1/register.py
+++ b/synapse/rest/client/v1/register.py
@@ -27,7 +27,6 @@ from hashlib import sha1
 import hmac
 import simplejson as json
 import logging
-import urllib
 
 logger = logging.getLogger(__name__)
 
@@ -263,14 +262,11 @@ class RegisterRestServlet(ClientV1RestServlet):
             )
 
         password = register_json["password"].encode("utf-8")
-        desired_user_id = (register_json["user"].encode("utf-8")
-                           if "user" in register_json else None)
-        if (desired_user_id
-                and urllib.quote(desired_user_id) != desired_user_id):
-            raise SynapseError(
-                400,
-                "User ID must only contain characters which do not " +
-                "require URL encoding.")
+        desired_user_id = (
+            register_json["user"].encode("utf-8")
+            if "user" in register_json else None
+        )
+
         handler = self.handlers.registration_handler
         (user_id, token) = yield handler.register(
             localpart=desired_user_id,
-- 
cgit 1.4.1