mirror of
https://mau.dev/maunium/synapse.git
synced 2024-11-15 22:42:23 +01:00
Validate that the session is not modified during UI-Auth (#7068)
This commit is contained in:
parent
6ca5e56fd1
commit
1c1242acba
8 changed files with 117 additions and 14 deletions
1
changelog.d/7068.bugfix
Normal file
1
changelog.d/7068.bugfix
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Ensure that a user inteactive authentication session is tied to a single request.
|
|
@ -125,7 +125,11 @@ class AuthHandler(BaseHandler):
|
||||||
|
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
def validate_user_via_ui_auth(
|
def validate_user_via_ui_auth(
|
||||||
self, requester: Requester, request_body: Dict[str, Any], clientip: str
|
self,
|
||||||
|
requester: Requester,
|
||||||
|
request: SynapseRequest,
|
||||||
|
request_body: Dict[str, Any],
|
||||||
|
clientip: str,
|
||||||
):
|
):
|
||||||
"""
|
"""
|
||||||
Checks that the user is who they claim to be, via a UI auth.
|
Checks that the user is who they claim to be, via a UI auth.
|
||||||
|
@ -137,6 +141,8 @@ class AuthHandler(BaseHandler):
|
||||||
Args:
|
Args:
|
||||||
requester: The user, as given by the access token
|
requester: The user, as given by the access token
|
||||||
|
|
||||||
|
request: The request sent by the client.
|
||||||
|
|
||||||
request_body: The body of the request sent by the client
|
request_body: The body of the request sent by the client
|
||||||
|
|
||||||
clientip: The IP address of the client.
|
clientip: The IP address of the client.
|
||||||
|
@ -172,7 +178,9 @@ class AuthHandler(BaseHandler):
|
||||||
flows = [[login_type] for login_type in self._supported_login_types]
|
flows = [[login_type] for login_type in self._supported_login_types]
|
||||||
|
|
||||||
try:
|
try:
|
||||||
result, params, _ = yield self.check_auth(flows, request_body, clientip)
|
result, params, _ = yield self.check_auth(
|
||||||
|
flows, request, request_body, clientip
|
||||||
|
)
|
||||||
except LoginError:
|
except LoginError:
|
||||||
# Update the ratelimite to say we failed (`can_do_action` doesn't raise).
|
# Update the ratelimite to say we failed (`can_do_action` doesn't raise).
|
||||||
self._failed_uia_attempts_ratelimiter.can_do_action(
|
self._failed_uia_attempts_ratelimiter.can_do_action(
|
||||||
|
@ -211,7 +219,11 @@ class AuthHandler(BaseHandler):
|
||||||
|
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
def check_auth(
|
def check_auth(
|
||||||
self, flows: List[List[str]], clientdict: Dict[str, Any], clientip: str
|
self,
|
||||||
|
flows: List[List[str]],
|
||||||
|
request: SynapseRequest,
|
||||||
|
clientdict: Dict[str, Any],
|
||||||
|
clientip: str,
|
||||||
):
|
):
|
||||||
"""
|
"""
|
||||||
Takes a dictionary sent by the client in the login / registration
|
Takes a dictionary sent by the client in the login / registration
|
||||||
|
@ -231,6 +243,8 @@ class AuthHandler(BaseHandler):
|
||||||
strings representing auth-types. At least one full
|
strings representing auth-types. At least one full
|
||||||
flow must be completed in order for auth to be successful.
|
flow must be completed in order for auth to be successful.
|
||||||
|
|
||||||
|
request: The request sent by the client.
|
||||||
|
|
||||||
clientdict: The dictionary from the client root level, not the
|
clientdict: The dictionary from the client root level, not the
|
||||||
'auth' key: this method prompts for auth if none is sent.
|
'auth' key: this method prompts for auth if none is sent.
|
||||||
|
|
||||||
|
@ -270,13 +284,27 @@ class AuthHandler(BaseHandler):
|
||||||
# email auth link on there). It's probably too open to abuse
|
# email auth link on there). It's probably too open to abuse
|
||||||
# because it lets unauthenticated clients store arbitrary objects
|
# because it lets unauthenticated clients store arbitrary objects
|
||||||
# on a homeserver.
|
# on a homeserver.
|
||||||
# Revisit: Assumimg the REST APIs do sensible validation, the data
|
# Revisit: Assuming the REST APIs do sensible validation, the data
|
||||||
# isn't arbintrary.
|
# isn't arbintrary.
|
||||||
session["clientdict"] = clientdict
|
session["clientdict"] = clientdict
|
||||||
self._save_session(session)
|
self._save_session(session)
|
||||||
elif "clientdict" in session:
|
elif "clientdict" in session:
|
||||||
clientdict = session["clientdict"]
|
clientdict = session["clientdict"]
|
||||||
|
|
||||||
|
# Ensure that the queried operation does not vary between stages of
|
||||||
|
# the UI authentication session. This is done by generating a stable
|
||||||
|
# comparator based on the URI, method, and body (minus the auth dict)
|
||||||
|
# and storing it during the initial query. Subsequent queries ensure
|
||||||
|
# that this comparator has not changed.
|
||||||
|
comparator = (request.uri, request.method, clientdict)
|
||||||
|
if "ui_auth" not in session:
|
||||||
|
session["ui_auth"] = comparator
|
||||||
|
elif session["ui_auth"] != comparator:
|
||||||
|
raise SynapseError(
|
||||||
|
403,
|
||||||
|
"Requested operation has changed during the UI authentication session.",
|
||||||
|
)
|
||||||
|
|
||||||
if not authdict:
|
if not authdict:
|
||||||
raise InteractiveAuthIncompleteError(
|
raise InteractiveAuthIncompleteError(
|
||||||
self._auth_dict_for_flows(flows, session)
|
self._auth_dict_for_flows(flows, session)
|
||||||
|
@ -322,6 +350,7 @@ class AuthHandler(BaseHandler):
|
||||||
creds,
|
creds,
|
||||||
list(clientdict),
|
list(clientdict),
|
||||||
)
|
)
|
||||||
|
|
||||||
return creds, clientdict, session["id"]
|
return creds, clientdict, session["id"]
|
||||||
|
|
||||||
ret = self._auth_dict_for_flows(flows, session)
|
ret = self._auth_dict_for_flows(flows, session)
|
||||||
|
|
|
@ -234,13 +234,16 @@ class PasswordRestServlet(RestServlet):
|
||||||
if self.auth.has_access_token(request):
|
if self.auth.has_access_token(request):
|
||||||
requester = await self.auth.get_user_by_req(request)
|
requester = await self.auth.get_user_by_req(request)
|
||||||
params = await self.auth_handler.validate_user_via_ui_auth(
|
params = await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, body, self.hs.get_ip_from_request(request)
|
requester, request, body, self.hs.get_ip_from_request(request),
|
||||||
)
|
)
|
||||||
user_id = requester.user.to_string()
|
user_id = requester.user.to_string()
|
||||||
else:
|
else:
|
||||||
requester = None
|
requester = None
|
||||||
result, params, _ = await self.auth_handler.check_auth(
|
result, params, _ = await self.auth_handler.check_auth(
|
||||||
[[LoginType.EMAIL_IDENTITY]], body, self.hs.get_ip_from_request(request)
|
[[LoginType.EMAIL_IDENTITY]],
|
||||||
|
request,
|
||||||
|
body,
|
||||||
|
self.hs.get_ip_from_request(request),
|
||||||
)
|
)
|
||||||
|
|
||||||
if LoginType.EMAIL_IDENTITY in result:
|
if LoginType.EMAIL_IDENTITY in result:
|
||||||
|
@ -308,7 +311,7 @@ class DeactivateAccountRestServlet(RestServlet):
|
||||||
return 200, {}
|
return 200, {}
|
||||||
|
|
||||||
await self.auth_handler.validate_user_via_ui_auth(
|
await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, body, self.hs.get_ip_from_request(request)
|
requester, request, body, self.hs.get_ip_from_request(request),
|
||||||
)
|
)
|
||||||
result = await self._deactivate_account_handler.deactivate_account(
|
result = await self._deactivate_account_handler.deactivate_account(
|
||||||
requester.user.to_string(), erase, id_server=body.get("id_server")
|
requester.user.to_string(), erase, id_server=body.get("id_server")
|
||||||
|
@ -656,7 +659,7 @@ class ThreepidAddRestServlet(RestServlet):
|
||||||
assert_valid_client_secret(client_secret)
|
assert_valid_client_secret(client_secret)
|
||||||
|
|
||||||
await self.auth_handler.validate_user_via_ui_auth(
|
await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, body, self.hs.get_ip_from_request(request)
|
requester, request, body, self.hs.get_ip_from_request(request),
|
||||||
)
|
)
|
||||||
|
|
||||||
validation_session = await self.identity_handler.validate_threepid_session(
|
validation_session = await self.identity_handler.validate_threepid_session(
|
||||||
|
|
|
@ -81,7 +81,7 @@ class DeleteDevicesRestServlet(RestServlet):
|
||||||
assert_params_in_dict(body, ["devices"])
|
assert_params_in_dict(body, ["devices"])
|
||||||
|
|
||||||
await self.auth_handler.validate_user_via_ui_auth(
|
await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, body, self.hs.get_ip_from_request(request)
|
requester, request, body, self.hs.get_ip_from_request(request),
|
||||||
)
|
)
|
||||||
|
|
||||||
await self.device_handler.delete_devices(
|
await self.device_handler.delete_devices(
|
||||||
|
@ -127,7 +127,7 @@ class DeviceRestServlet(RestServlet):
|
||||||
raise
|
raise
|
||||||
|
|
||||||
await self.auth_handler.validate_user_via_ui_auth(
|
await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, body, self.hs.get_ip_from_request(request)
|
requester, request, body, self.hs.get_ip_from_request(request),
|
||||||
)
|
)
|
||||||
|
|
||||||
await self.device_handler.delete_device(requester.user.to_string(), device_id)
|
await self.device_handler.delete_device(requester.user.to_string(), device_id)
|
||||||
|
|
|
@ -263,7 +263,7 @@ class SigningKeyUploadServlet(RestServlet):
|
||||||
body = parse_json_object_from_request(request)
|
body = parse_json_object_from_request(request)
|
||||||
|
|
||||||
await self.auth_handler.validate_user_via_ui_auth(
|
await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, body, self.hs.get_ip_from_request(request)
|
requester, request, body, self.hs.get_ip_from_request(request),
|
||||||
)
|
)
|
||||||
|
|
||||||
result = await self.e2e_keys_handler.upload_signing_keys_for_user(user_id, body)
|
result = await self.e2e_keys_handler.upload_signing_keys_for_user(user_id, body)
|
||||||
|
|
|
@ -499,7 +499,10 @@ class RegisterRestServlet(RestServlet):
|
||||||
)
|
)
|
||||||
|
|
||||||
auth_result, params, session_id = await self.auth_handler.check_auth(
|
auth_result, params, session_id = await self.auth_handler.check_auth(
|
||||||
self._registration_flows, body, self.hs.get_ip_from_request(request)
|
self._registration_flows,
|
||||||
|
request,
|
||||||
|
body,
|
||||||
|
self.hs.get_ip_from_request(request),
|
||||||
)
|
)
|
||||||
|
|
||||||
# Check that we're not trying to register a denied 3pid.
|
# Check that we're not trying to register a denied 3pid.
|
||||||
|
|
|
@ -104,7 +104,7 @@ class FallbackAuthTests(unittest.HomeserverTestCase):
|
||||||
)
|
)
|
||||||
self.render(request)
|
self.render(request)
|
||||||
|
|
||||||
# Now we should have fufilled a complete auth flow, including
|
# Now we should have fulfilled a complete auth flow, including
|
||||||
# the recaptcha fallback step, we can then send a
|
# the recaptcha fallback step, we can then send a
|
||||||
# request to the register API with the session in the authdict.
|
# request to the register API with the session in the authdict.
|
||||||
request, channel = self.make_request(
|
request, channel = self.make_request(
|
||||||
|
@ -115,3 +115,69 @@ class FallbackAuthTests(unittest.HomeserverTestCase):
|
||||||
|
|
||||||
# We're given a registered user.
|
# We're given a registered user.
|
||||||
self.assertEqual(channel.json_body["user_id"], "@user:test")
|
self.assertEqual(channel.json_body["user_id"], "@user:test")
|
||||||
|
|
||||||
|
def test_cannot_change_operation(self):
|
||||||
|
"""
|
||||||
|
The initial requested operation cannot be modified during the user interactive authentication session.
|
||||||
|
"""
|
||||||
|
|
||||||
|
# Make the initial request to register. (Later on a different password
|
||||||
|
# will be used.)
|
||||||
|
request, channel = self.make_request(
|
||||||
|
"POST",
|
||||||
|
"register",
|
||||||
|
{"username": "user", "type": "m.login.password", "password": "bar"},
|
||||||
|
)
|
||||||
|
self.render(request)
|
||||||
|
|
||||||
|
# Returns a 401 as per the spec
|
||||||
|
self.assertEqual(request.code, 401)
|
||||||
|
# Grab the session
|
||||||
|
session = channel.json_body["session"]
|
||||||
|
# Assert our configured public key is being given
|
||||||
|
self.assertEqual(
|
||||||
|
channel.json_body["params"]["m.login.recaptcha"]["public_key"], "brokencake"
|
||||||
|
)
|
||||||
|
|
||||||
|
request, channel = self.make_request(
|
||||||
|
"GET", "auth/m.login.recaptcha/fallback/web?session=" + session
|
||||||
|
)
|
||||||
|
self.render(request)
|
||||||
|
self.assertEqual(request.code, 200)
|
||||||
|
|
||||||
|
request, channel = self.make_request(
|
||||||
|
"POST",
|
||||||
|
"auth/m.login.recaptcha/fallback/web?session="
|
||||||
|
+ session
|
||||||
|
+ "&g-recaptcha-response=a",
|
||||||
|
)
|
||||||
|
self.render(request)
|
||||||
|
self.assertEqual(request.code, 200)
|
||||||
|
|
||||||
|
# The recaptcha handler is called with the response given
|
||||||
|
attempts = self.recaptcha_checker.recaptcha_attempts
|
||||||
|
self.assertEqual(len(attempts), 1)
|
||||||
|
self.assertEqual(attempts[0][0]["response"], "a")
|
||||||
|
|
||||||
|
# also complete the dummy auth
|
||||||
|
request, channel = self.make_request(
|
||||||
|
"POST", "register", {"auth": {"session": session, "type": "m.login.dummy"}}
|
||||||
|
)
|
||||||
|
self.render(request)
|
||||||
|
|
||||||
|
# Now we should have fulfilled a complete auth flow, including
|
||||||
|
# the recaptcha fallback step. Make the initial request again, but
|
||||||
|
# with a different password. This causes the request to fail since the
|
||||||
|
# operaiton was modified during the ui auth session.
|
||||||
|
request, channel = self.make_request(
|
||||||
|
"POST",
|
||||||
|
"register",
|
||||||
|
{
|
||||||
|
"username": "user",
|
||||||
|
"type": "m.login.password",
|
||||||
|
"password": "foo", # Note this doesn't match the original request.
|
||||||
|
"auth": {"session": session},
|
||||||
|
},
|
||||||
|
)
|
||||||
|
self.render(request)
|
||||||
|
self.assertEqual(channel.code, 403)
|
||||||
|
|
|
@ -53,7 +53,8 @@ class TermsTestCase(unittest.HomeserverTestCase):
|
||||||
|
|
||||||
def test_ui_auth(self):
|
def test_ui_auth(self):
|
||||||
# Do a UI auth request
|
# Do a UI auth request
|
||||||
request, channel = self.make_request(b"POST", self.url, b"{}")
|
request_data = json.dumps({"username": "kermit", "password": "monkey"})
|
||||||
|
request, channel = self.make_request(b"POST", self.url, request_data)
|
||||||
self.render(request)
|
self.render(request)
|
||||||
|
|
||||||
self.assertEquals(channel.result["code"], b"401", channel.result)
|
self.assertEquals(channel.result["code"], b"401", channel.result)
|
||||||
|
|
Loading…
Reference in a new issue