Merge pull request #3777 from matrix-org/neilj/fix_register_user_registration

fix bug where preserved threepid user comes to sign up and server is …
2024-06-30 16:38:21 +02:00 · 2018-08-31 16:31:48 +00:00 · 2018-08-31 16:31:48 +00:00 · 99178f8602
parent 14e4d4f4bf 301cb60d0b
commit 99178f8602
9 changed files with 78 additions and 5 deletions
--- a/changelog.d/3777.bugfix
+++ b/changelog.d/3777.bugfix
@ -0,0 +1 @@
+Fix bug where preserved threepid user comes to sign up and server is mau blocked
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -26,6 +26,7 @@ import synapse.types
 from synapse import event_auth
 from synapse.api.constants import EventTypes, JoinRules, Membership
 from synapse.api.errors import AuthError, Codes, ResourceLimitError
+from synapse.config.server import is_threepid_reserved
 from synapse.types import UserID
 from synapse.util.caches import CACHE_SIZE_FACTOR, register_cache
 from synapse.util.caches.lrucache import LruCache
@ -775,13 +776,19 @@ class Auth(object):
            )

    @defer.inlineCallbacks
-    def check_auth_blocking(self, user_id=None):
+    def check_auth_blocking(self, user_id=None, threepid=None):
        """Checks if the user should be rejected for some external reason,
        such as monthly active user limiting or global disable flag

        Args:
            user_id(str|None): If present, checks for presence against existing
            MAU cohort
+
+            threepid(dict|None): If present, checks for presence against configured
+            reserved threepid. Used in cases where the user is trying register
+            with a MAU blocked server, normally they would be rejected but their
+            threepid is on the reserved list. user_id and
+            threepid should never be set at the same time.
        """

        # Never fail an auth check for the server notices users
@ -797,6 +804,8 @@ class Auth(object):
                limit_type=self.hs.config.hs_disabled_limit_type
            )
        if self.hs.config.limit_usage_by_mau is True:
+            assert not (user_id and threepid)
+
            # If the user is already part of the MAU cohort or a trial user
            if user_id:
                timestamp = yield self.store.user_last_seen_monthly_active(user_id)
@ -806,12 +815,16 @@ class Auth(object):
                is_trial = yield self.store.is_trial_user(user_id)
                if is_trial:
                    return
+            elif threepid:
+                # If the user does not exist yet, but is signing up with a
+                # reserved threepid then pass auth check
+                if is_threepid_reserved(self.hs.config, threepid):
+                    return
            # Else if there is no room in the MAU bucket, bail
            current_mau = yield self.store.get_monthly_active_count()
            if current_mau >= self.hs.config.max_mau_value:
                raise ResourceLimitError(
                    403, "Monthly Active User Limit Exceeded",
-
                    admin_contact=self.hs.config.admin_contact,
                    errcode=Codes.RESOURCE_LIMIT_EXCEEDED,
                    limit_type="monthly_active_user"
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@ -404,6 +404,23 @@ class ServerConfig(Config):
                                  " service on the given port.")


+def is_threepid_reserved(config, threepid):
+    """Check the threepid against the reserved threepid config
+    Args:
+        config(ServerConfig) - to access server config attributes
+        threepid(dict) - The threepid to test for
+
+    Returns:
+        boolean Is the threepid undertest reserved_user
+    """
+
+    for tp in config.mau_limits_reserved_threepids:
+        if (threepid['medium'] == tp['medium']
+                and threepid['address'] == tp['address']):
+            return True
+    return False
+
+
 def read_gc_thresholds(thresholds):
    """Reads the three integer thresholds for garbage collection. Ensures that
    the thresholds are integers if thresholds are supplied.
--- a/synapse/handlers/register.py
+++ b/synapse/handlers/register.py
@ -125,6 +125,7 @@ class RegistrationHandler(BaseHandler):
        guest_access_token=None,
        make_guest=False,
        admin=False,
+        threepid=None,
    ):
        """Registers a new client on the server.

@ -145,7 +146,7 @@ class RegistrationHandler(BaseHandler):
            RegistrationError if there was a problem registering.
        """

-        yield self.auth.check_auth_blocking()
+        yield self.auth.check_auth_blocking(threepid=threepid)
        password_hash = None
        if password:
            password_hash = yield self.auth_handler().hash(password)
--- a/synapse/rest/client/v1_only/register.py
+++ b/synapse/rest/client/v1_only/register.py
@ -23,6 +23,7 @@ from twisted.internet import defer
 import synapse.util.stringutils as stringutils
 from synapse.api.constants import LoginType
 from synapse.api.errors import Codes, SynapseError
+from synapse.config.server import is_threepid_reserved
 from synapse.http.servlet import assert_params_in_dict, parse_json_object_from_request
 from synapse.rest.client.v1.base import ClientV1RestServlet
 from synapse.types import create_requester
@ -281,12 +282,20 @@ class RegisterRestServlet(ClientV1RestServlet):
            register_json["user"].encode("utf-8")
            if "user" in register_json else None
        )
+        threepid = None
+        if session.get(LoginType.EMAIL_IDENTITY):
+            threepid = session["threepidCreds"]

        handler = self.handlers.registration_handler
        (user_id, token) = yield handler.register(
            localpart=desired_user_id,
-            password=password
+            password=password,
+            threepid=threepid,
        )
+        # Necessary due to auth checks prior to the threepid being
+        # written to the db
+        if is_threepid_reserved(self.hs.config, threepid):
+            yield self.store.upsert_monthly_active_user(user_id)

        if session[LoginType.EMAIL_IDENTITY]:
            logger.debug("Binding emails %s to %s" % (
--- a/synapse/rest/client/v2_alpha/register.py
+++ b/synapse/rest/client/v2_alpha/register.py
@ -26,6 +26,7 @@ import synapse
 import synapse.types
 from synapse.api.constants import LoginType
 from synapse.api.errors import Codes, SynapseError, UnrecognizedRequestError
+from synapse.config.server import is_threepid_reserved
 from synapse.http.servlet import (
    RestServlet,
    assert_params_in_dict,
@ -395,12 +396,21 @@ class RegisterRestServlet(RestServlet):
            if desired_username is not None:
                desired_username = desired_username.lower()

+            threepid = None
+            if auth_result:
+                threepid = auth_result.get(LoginType.EMAIL_IDENTITY)
+
            (registered_user_id, _) = yield self.registration_handler.register(
                localpart=desired_username,
                password=new_password,
                guest_access_token=guest_access_token,
                generate_token=False,
+                threepid=threepid,
            )
+            # Necessary due to auth checks prior to the threepid being
+            # written to the db
+            if is_threepid_reserved(self.hs.config, threepid):
+                yield self.store.upsert_monthly_active_user(registered_user_id)

            # remember that we've now registered that user account, and with
            #  what user ID (since the user may not have specified)
--- a/synapse/storage/monthly_active_users.py
+++ b/synapse/storage/monthly_active_users.py
@ -36,7 +36,6 @@ class MonthlyActiveUsersStore(SQLBaseStore):

    @defer.inlineCallbacks
    def initialise_reserved_users(self, threepids):
-        # TODO Why can't I do this in init?
        store = self.hs.get_datastore()
        reserved_user_list = []

--- a/tests/api/test_auth.py
+++ b/tests/api/test_auth.py
@ -467,6 +467,23 @@ class AuthTestCase(unittest.TestCase):
        )
        yield self.auth.check_auth_blocking()

+    @defer.inlineCallbacks
+    def test_reserved_threepid(self):
+        self.hs.config.limit_usage_by_mau = True
+        self.hs.config.max_mau_value = 1
+        threepid = {'medium': 'email', 'address': 'reserved@server.com'}
+        unknown_threepid = {'medium': 'email', 'address': 'unreserved@server.com'}
+        self.hs.config.mau_limits_reserved_threepids = [threepid]
+
+        yield self.store.register(user_id='user1', token="123", password_hash=None)
+        with self.assertRaises(ResourceLimitError):
+            yield self.auth.check_auth_blocking()
+
+        with self.assertRaises(ResourceLimitError):
+            yield self.auth.check_auth_blocking(threepid=unknown_threepid)
+
+        yield self.auth.check_auth_blocking(threepid=threepid)
+
    @defer.inlineCallbacks
    def test_hs_disabled(self):
        self.hs.config.hs_disabled = True
--- a/tests/utils.py
+++ b/tests/utils.py
@ -26,6 +26,7 @@ from twisted.internet import defer, reactor

 from synapse.api.constants import EventTypes
 from synapse.api.errors import CodeMessageException, cs_error
+from synapse.config.server import ServerConfig
 from synapse.federation.transport import server
 from synapse.http.server import HttpServer
 from synapse.server import HomeServer
@ -158,6 +159,11 @@ def setup_test_homeserver(
        # background, which upsets the test runner.
        config.update_user_directory = False

+        def is_threepid_reserved(threepid):
+            return ServerConfig.is_threepid_reserved(config, threepid)
+
+        config.is_threepid_reserved.side_effect = is_threepid_reserved
+
    config.use_frozen_dicts = True
    config.ldap_enabled = False
				`@ -0,0 +1 @@`
				`Fix bug where preserved threepid user comes to sign up and server is mau blocked`