Skip to content
This repository was archived by the owner on Apr 26, 2024. It is now read-only.

Commit 21a5d6a

Browse files
MadLittleModsMadLittleMods
committed
Share validation logic
1 parent 3596575 commit 21a5d6a

File tree

2 files changed

+40
-24
lines changed

2 files changed

+40
-24
lines changed

synapse/api/auth.py

Lines changed: 33 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -240,6 +240,37 @@ async def get_user_by_req(
240240
except KeyError:
241241
raise MissingClientTokenError()
242242

243+
async def validate_appservice_can_control_user_id(
244+
self, app_service: ApplicationService, user_id: str
245+
):
246+
"""Validates that the app service is allowed to control
247+
the given user.
248+
249+
Args:
250+
app_service: The app service that controls the user
251+
user_id: The author MXID that the app service is controlling
252+
253+
Raises:
254+
AuthError: If the application service is not allowed to control the user
255+
(user namespace regex does not match, wrong homeserver, etc)
256+
or if the user has not been registered yet.
257+
"""
258+
259+
# It's ok if the app service is trying to use the sender from their registration
260+
if app_service.sender == user_id:
261+
pass
262+
# Check to make sure the app service is allowed to control the user
263+
elif not app_service.is_interested_in_user(user_id):
264+
raise AuthError(
265+
403,
266+
"Application service cannot masquerade as this user (%s)." % user_id,
267+
)
268+
# Check to make sure the user is already registered on the homeserver
269+
elif not (await self.store.get_user_by_id(user_id)):
270+
raise AuthError(
271+
403, "Application service has not registered this user (%s)" % user_id
272+
)
273+
243274
async def _get_appservice_user_id(
244275
self, request: Request
245276
) -> Tuple[Optional[str], Optional[ApplicationService]]:
@@ -261,13 +292,11 @@ async def _get_appservice_user_id(
261292
return app_service.sender, app_service
262293

263294
user_id = request.args[b"user_id"][0].decode("utf8")
295+
await self.validate_appservice_can_control_user_id(app_service, user_id)
296+
264297
if app_service.sender == user_id:
265298
return app_service.sender, app_service
266299

267-
if not app_service.is_interested_in_user(user_id):
268-
raise AuthError(403, "Application service cannot masquerade as this user.")
269-
if not (await self.store.get_user_by_id(user_id)):
270-
raise AuthError(403, "Application service has not registered this user")
271300
return user_id, app_service
272301

273302
async def get_user_by_access_token(

synapse/rest/client/v1/room.py

Lines changed: 7 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -381,7 +381,7 @@ def _create_insertion_event_dict(
381381

382382
return insertion_event
383383

384-
async def _create_requester_from_app_service(
384+
async def _create_requester_for_user_id_from_app_service(
385385
self, user_id: str, app_service: ApplicationService
386386
) -> Requester:
387387
"""Creates a new requester for the given user_id
@@ -396,20 +396,7 @@ async def _create_requester_from_app_service(
396396
Requester object
397397
"""
398398

399-
# It's ok if the app service is trying to use the sender from their registration
400-
if app_service.sender == user_id:
401-
pass
402-
# Check to make sure the app service is allowed to control the user
403-
elif not app_service.is_interested_in_user(user_id):
404-
raise AuthError(
405-
403,
406-
"Application service cannot masquerade as this user (%s)." % user_id,
407-
)
408-
# Check to make sure the user is already registered on the homeserver
409-
elif not (await self.store.get_user_by_id(user_id)):
410-
raise AuthError(
411-
403, "Application service has not registered this user (%s)" % user_id
412-
)
399+
await self.auth.validate_appservice_can_control_user_id(app_service, user_id)
413400

414401
return create_requester(user_id, app_service=app_service)
415402

@@ -478,7 +465,7 @@ async def on_POST(self, request, room_id):
478465
if event_dict["type"] == EventTypes.Member:
479466
membership = event_dict["content"].get("membership", None)
480467
event_id, _ = await self.room_member_handler.update_membership(
481-
await self._create_requester_from_app_service(
468+
await self._create_requester_for_user_id_from_app_service(
482469
state_event["sender"], requester.app_service
483470
),
484471
target=UserID.from_string(event_dict["state_key"]),
@@ -500,7 +487,7 @@ async def on_POST(self, request, room_id):
500487
event,
501488
_,
502489
) = await self.event_creation_handler.create_and_send_nonmember_event(
503-
await self._create_requester_from_app_service(
490+
await self._create_requester_for_user_id_from_app_service(
504491
state_event["sender"], requester.app_service
505492
),
506493
event_dict,
@@ -550,7 +537,7 @@ async def on_POST(self, request, room_id):
550537
base_insertion_event,
551538
_,
552539
) = await self.event_creation_handler.create_and_send_nonmember_event(
553-
await self._create_requester_from_app_service(
540+
await self._create_requester_for_user_id_from_app_service(
554541
base_insertion_event_dict["sender"],
555542
requester.app_service,
556543
),
@@ -602,7 +589,7 @@ async def on_POST(self, request, room_id):
602589
}
603590

604591
event, context = await self.event_creation_handler.create_event(
605-
await self._create_requester_from_app_service(
592+
await self._create_requester_for_user_id_from_app_service(
606593
ev["sender"], requester.app_service
607594
),
608595
event_dict,
@@ -634,7 +621,7 @@ async def on_POST(self, request, room_id):
634621
# where topological_ordering is just depth.
635622
for (event, context) in reversed(events_to_persist):
636623
ev = await self.event_creation_handler.handle_new_client_event(
637-
await self._create_requester_from_app_service(
624+
await self._create_requester_for_user_id_from_app_service(
638625
event["sender"], requester.app_service
639626
),
640627
event=event,

0 commit comments

Comments
 (0)