mirror of
https://mau.dev/maunium/synapse.git
synced 2024-11-17 23:42:33 +01:00
Merge pull request #765 from matrix-org/markjh/open_id
Add an openidish mechanism for proving that you own a given user_id
This commit is contained in:
commit
1f590f3e9a
7 changed files with 193 additions and 2 deletions
|
@ -387,6 +387,11 @@ class FederationServer(FederationBase):
|
|||
"events": [ev.get_pdu_json(time_now) for ev in missing_events],
|
||||
})
|
||||
|
||||
@log_function
|
||||
def on_openid_userinfo(self, token):
|
||||
ts_now_ms = self._clock.time_msec()
|
||||
return self.store.get_user_id_for_open_id_token(token, ts_now_ms)
|
||||
|
||||
@log_function
|
||||
def _get_persisted_pdu(self, origin, event_id, do_auth=True):
|
||||
""" Get a PDU from the database with given origin and id.
|
||||
|
|
|
@ -18,7 +18,7 @@ from twisted.internet import defer
|
|||
from synapse.api.urls import FEDERATION_PREFIX as PREFIX
|
||||
from synapse.api.errors import Codes, SynapseError
|
||||
from synapse.http.server import JsonResource
|
||||
from synapse.http.servlet import parse_json_object_from_request
|
||||
from synapse.http.servlet import parse_json_object_from_request, parse_string
|
||||
from synapse.util.ratelimitutils import FederationRateLimiter
|
||||
|
||||
import functools
|
||||
|
@ -448,6 +448,50 @@ class On3pidBindServlet(BaseFederationServlet):
|
|||
return code
|
||||
|
||||
|
||||
class OpenIdUserInfo(BaseFederationServlet):
|
||||
"""
|
||||
Exchange a bearer token for information about a user.
|
||||
|
||||
The response format should be compatible with:
|
||||
http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
|
||||
|
||||
GET /openid/userinfo?access_token=ABDEFGH HTTP/1.1
|
||||
|
||||
HTTP/1.1 200 OK
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"sub": "@userpart:example.org",
|
||||
}
|
||||
"""
|
||||
|
||||
PATH = "/openid/userinfo"
|
||||
|
||||
@defer.inlineCallbacks
|
||||
def on_GET(self, request):
|
||||
token = parse_string(request, "access_token")
|
||||
if token is None:
|
||||
defer.returnValue((401, {
|
||||
"errcode": "M_MISSING_TOKEN", "error": "Access Token required"
|
||||
}))
|
||||
return
|
||||
|
||||
user_id = yield self.handler.on_openid_userinfo(token)
|
||||
|
||||
if user_id is None:
|
||||
defer.returnValue((401, {
|
||||
"errcode": "M_UNKNOWN_TOKEN",
|
||||
"error": "Access Token unknown or expired"
|
||||
}))
|
||||
|
||||
defer.returnValue((200, {"sub": user_id}))
|
||||
|
||||
# Avoid doing remote HS authorization checks which are done by default by
|
||||
# BaseFederationServlet.
|
||||
def _wrap(self, code):
|
||||
return code
|
||||
|
||||
|
||||
SERVLET_CLASSES = (
|
||||
FederationSendServlet,
|
||||
FederationPullServlet,
|
||||
|
@ -468,6 +512,7 @@ SERVLET_CLASSES = (
|
|||
FederationClientKeysClaimServlet,
|
||||
FederationThirdPartyInviteExchangeServlet,
|
||||
On3pidBindServlet,
|
||||
OpenIdUserInfo,
|
||||
)
|
||||
|
||||
|
||||
|
|
|
@ -45,6 +45,7 @@ from synapse.rest.client.v2_alpha import (
|
|||
tags,
|
||||
account_data,
|
||||
report_event,
|
||||
openid,
|
||||
)
|
||||
|
||||
from synapse.http.server import JsonResource
|
||||
|
@ -88,3 +89,4 @@ class ClientRestResource(JsonResource):
|
|||
tags.register_servlets(hs, client_resource)
|
||||
account_data.register_servlets(hs, client_resource)
|
||||
report_event.register_servlets(hs, client_resource)
|
||||
openid.register_servlets(hs, client_resource)
|
||||
|
|
96
synapse/rest/client/v2_alpha/openid.py
Normal file
96
synapse/rest/client/v2_alpha/openid.py
Normal file
|
@ -0,0 +1,96 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
# Copyright 2015, 2016 OpenMarket Ltd
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
from ._base import client_v2_patterns
|
||||
|
||||
from synapse.http.servlet import RestServlet, parse_json_object_from_request
|
||||
from synapse.api.errors import AuthError
|
||||
from synapse.util.stringutils import random_string
|
||||
|
||||
from twisted.internet import defer
|
||||
|
||||
import logging
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class IdTokenServlet(RestServlet):
|
||||
"""
|
||||
Get a bearer token that may be passed to a third party to confirm ownership
|
||||
of a matrix user id.
|
||||
|
||||
The format of the response could be made compatible with the format given
|
||||
in http://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
|
||||
|
||||
But instead of returning a signed "id_token" the response contains the
|
||||
name of the issuing matrix homeserver. This means that for now the third
|
||||
party will need to check the validity of the "id_token" against the
|
||||
federation /openid/userinfo endpoint of the homeserver.
|
||||
|
||||
Request:
|
||||
|
||||
POST /user/{user_id}/openid/request_token?access_token=... HTTP/1.1
|
||||
|
||||
{}
|
||||
|
||||
Response:
|
||||
|
||||
HTTP/1.1 200 OK
|
||||
{
|
||||
"access_token": "ABDEFGH",
|
||||
"token_type": "Bearer",
|
||||
"matrix_server_name": "example.com",
|
||||
"expires_in": 3600,
|
||||
}
|
||||
"""
|
||||
PATTERNS = client_v2_patterns(
|
||||
"/user/(?P<user_id>[^/]*)/openid/request_token"
|
||||
)
|
||||
|
||||
EXPIRES_MS = 3600 * 1000
|
||||
|
||||
def __init__(self, hs):
|
||||
super(IdTokenServlet, self).__init__()
|
||||
self.auth = hs.get_auth()
|
||||
self.store = hs.get_datastore()
|
||||
self.clock = hs.get_clock()
|
||||
self.server_name = hs.config.server_name
|
||||
|
||||
@defer.inlineCallbacks
|
||||
def on_POST(self, request, user_id):
|
||||
requester = yield self.auth.get_user_by_req(request)
|
||||
if user_id != requester.user.to_string():
|
||||
raise AuthError(403, "Cannot request tokens for other users.")
|
||||
|
||||
# Parse the request body to make sure it's JSON, but ignore the contents
|
||||
# for now.
|
||||
parse_json_object_from_request(request)
|
||||
|
||||
token = random_string(24)
|
||||
ts_valid_until_ms = self.clock.time_msec() + self.EXPIRES_MS
|
||||
|
||||
yield self.store.insert_open_id_token(token, ts_valid_until_ms, user_id)
|
||||
|
||||
defer.returnValue((200, {
|
||||
"access_token": token,
|
||||
"token_type": "Bearer",
|
||||
"matrix_server_name": self.server_name,
|
||||
"expires_in": self.EXPIRES_MS / 1000,
|
||||
}))
|
||||
|
||||
|
||||
def register_servlets(hs, http_server):
|
||||
IdTokenServlet(hs).register(http_server)
|
|
@ -44,6 +44,7 @@ from .receipts import ReceiptsStore
|
|||
from .search import SearchStore
|
||||
from .tags import TagsStore
|
||||
from .account_data import AccountDataStore
|
||||
from .openid import OpenIdStore
|
||||
|
||||
from .util.id_generators import IdGenerator, StreamIdGenerator, ChainedIdGenerator
|
||||
|
||||
|
@ -81,7 +82,8 @@ class DataStore(RoomMemberStore, RoomStore,
|
|||
SearchStore,
|
||||
TagsStore,
|
||||
AccountDataStore,
|
||||
EventPushActionsStore
|
||||
EventPushActionsStore,
|
||||
OpenIdStore,
|
||||
):
|
||||
|
||||
def __init__(self, db_conn, hs):
|
||||
|
|
32
synapse/storage/openid.py
Normal file
32
synapse/storage/openid.py
Normal file
|
@ -0,0 +1,32 @@
|
|||
from ._base import SQLBaseStore
|
||||
|
||||
|
||||
class OpenIdStore(SQLBaseStore):
|
||||
def insert_open_id_token(self, token, ts_valid_until_ms, user_id):
|
||||
return self._simple_insert(
|
||||
table="open_id_tokens",
|
||||
values={
|
||||
"token": token,
|
||||
"ts_valid_until_ms": ts_valid_until_ms,
|
||||
"user_id": user_id,
|
||||
},
|
||||
desc="insert_open_id_token"
|
||||
)
|
||||
|
||||
def get_user_id_for_open_id_token(self, token, ts_now_ms):
|
||||
def get_user_id_for_token_txn(txn):
|
||||
sql = (
|
||||
"SELECT user_id FROM open_id_tokens"
|
||||
" WHERE token = ? AND ? <= ts_valid_until_ms"
|
||||
)
|
||||
|
||||
txn.execute(sql, (token, ts_now_ms))
|
||||
|
||||
rows = txn.fetchall()
|
||||
if not rows:
|
||||
return None
|
||||
else:
|
||||
return rows[0][0]
|
||||
return self.runInteraction(
|
||||
"get_user_id_for_token", get_user_id_for_token_txn
|
||||
)
|
9
synapse/storage/schema/delta/32/openid.sql
Normal file
9
synapse/storage/schema/delta/32/openid.sql
Normal file
|
@ -0,0 +1,9 @@
|
|||
|
||||
CREATE TABLE open_id_tokens (
|
||||
token TEXT NOT NULL PRIMARY KEY,
|
||||
ts_valid_until_ms bigint NOT NULL,
|
||||
user_id TEXT NOT NULL,
|
||||
UNIQUE (token)
|
||||
);
|
||||
|
||||
CREATE index open_id_tokens_ts_valid_until_ms ON open_id_tokens(ts_valid_until_ms);
|
Loading…
Reference in a new issue