diff --git a/contrib/vertobot/bot.pl b/contrib/vertobot/bot.pl index 0430a38aa..31eed4092 100755 --- a/contrib/vertobot/bot.pl +++ b/contrib/vertobot/bot.pl @@ -126,12 +126,26 @@ sub on_unknown_event if (!$bridgestate->{$room_id}->{gathered_candidates}) { $bridgestate->{$room_id}->{gathered_candidates} = 1; my $offer = $bridgestate->{$room_id}->{offer}; - my $candidate_block = ""; + my $candidate_block = { + audio => '', + video => '', + }; foreach (@{$event->{content}->{candidates}}) { - $candidate_block .= "a=" . $_->{candidate} . "\r\n"; + if ($_->{sdpMid}) { + $candidate_block->{$_->{sdpMid}} .= "a=" . $_->{candidate} . "\r\n"; + } + else { + $candidate_block->{audio} .= "a=" . $_->{candidate} . "\r\n"; + $candidate_block->{video} .= "a=" . $_->{candidate} . "\r\n"; + } } - # XXX: collate using the right m= line - for now assume audio call - $offer =~ s/(a=rtcp.*[\r\n]+)/$1$candidate_block/; + + # XXX: assumes audio comes first + #$offer =~ s/(a=rtcp-mux[\r\n]+)/$1$candidate_block->{audio}/; + #$offer =~ s/(a=rtcp-mux[\r\n]+)/$1$candidate_block->{video}/; + + $offer =~ s/(m=video)/$candidate_block->{audio}$1/; + $offer =~ s/(.$)/$1\n$candidate_block->{video}$1/; my $f = send_verto_json_request("verto.invite", { "sdp" => $offer, @@ -172,22 +186,18 @@ sub on_room_message warn "[Matrix] in $room_id: $from: " . $content->{body} . "\n"; } -my $verto_connecting = $loop->new_future; -$bot_verto->connect( - %{ $CONFIG{"verto-bot"} }, - on_connect_error => sub { die "Cannot connect to verto - $_[-1]" }, - on_resolve_error => sub { die "Cannot resolve to verto - $_[-1]" }, -)->then( sub { - warn("[Verto] connected to websocket"); - $verto_connecting->done($bot_verto) if not $verto_connecting->is_done; -}); - Future->needs_all( $bot_matrix->login( %{ $CONFIG{"matrix-bot"} } )->then( sub { $bot_matrix->start; }), - $verto_connecting, + $bot_verto->connect( + %{ $CONFIG{"verto-bot"} }, + on_connect_error => sub { die "Cannot connect to verto - $_[-1]" }, + on_resolve_error => sub { die "Cannot resolve to verto - $_[-1]" }, + )->on_done( sub { + warn("[Verto] connected to websocket"); + }), )->get; $loop->attach_signal( diff --git a/contrib/vertobot/cpanfile b/contrib/vertobot/cpanfile index c29fcaa6f..800dc288e 100644 --- a/contrib/vertobot/cpanfile +++ b/contrib/vertobot/cpanfile @@ -11,7 +11,4 @@ requires 'YAML', 0; requires 'JSON', 0; requires 'Getopt::Long', 0; -on 'test' => sub { - requires 'Test::More', '>= 0.98'; -}; diff --git a/synapse/config/registration.py b/synapse/config/registration.py index 67e780864..62de4b399 100644 --- a/synapse/config/registration.py +++ b/synapse/config/registration.py @@ -32,9 +32,11 @@ class RegistrationConfig(Config): ) self.registration_shared_secret = config.get("registration_shared_secret") + self.macaroon_secret_key = config.get("macaroon_secret_key") def default_config(self, config_dir, server_name): registration_shared_secret = random_string_with_symbols(50) + macaroon_secret_key = random_string_with_symbols(50) return """\ ## Registration ## @@ -44,6 +46,8 @@ class RegistrationConfig(Config): # If set, allows registration by anyone who also has the shared # secret, even if registration is otherwise disabled. registration_shared_secret: "%(registration_shared_secret)s" + + macaroon_secret_key: "%(macaroon_secret_key)s" """ % locals() def add_arguments(self, parser): diff --git a/synapse/handlers/register.py b/synapse/handlers/register.py index 39392d9fd..c391c1bdf 100644 --- a/synapse/handlers/register.py +++ b/synapse/handlers/register.py @@ -25,9 +25,9 @@ import synapse.util.stringutils as stringutils from synapse.util.async import run_on_reactor from synapse.http.client import CaptchaServerHttpClient -import base64 import bcrypt import logging +import pymacaroons import urllib logger = logging.getLogger(__name__) @@ -274,11 +274,18 @@ class RegistrationHandler(BaseHandler): ) def generate_token(self, user_id): - # urlsafe variant uses _ and - so use . as the separator and replace - # all =s with .s so http clients don't quote =s when it is used as - # query params. - return (base64.urlsafe_b64encode(user_id).replace('=', '.') + '.' + - stringutils.random_string(18)) + macaroon = pymacaroons.Macaroon( + location = self.hs.config.server_name, + identifier = "key", + key = self.hs.config.macaroon_secret_key) + macaroon.add_first_party_caveat("gen = 1") + macaroon.add_first_party_caveat("user_id = %s" % (user_id,)) + macaroon.add_first_party_caveat("type = access") + now = self.hs.get_clock().time_msec() + expiry = now + (60 * 60 * 1000) + macaroon.add_first_party_caveat("time < %d" % (expiry,)) + + return macaroon.serialize() def _generate_user_id(self): return "-" + stringutils.random_string(18) diff --git a/synapse/python_dependencies.py b/synapse/python_dependencies.py index fa06480ad..fa2419937 100644 --- a/synapse/python_dependencies.py +++ b/synapse/python_dependencies.py @@ -33,6 +33,7 @@ REQUIREMENTS = { "ujson": ["ujson"], "blist": ["blist"], "pysaml2": ["saml2"], + "pymacaroons-pynacl": ["pymacaroons"], } CONDITIONAL_REQUIREMENTS = { "web_client": { diff --git a/tests/handlers/test_register.py b/tests/handlers/test_register.py new file mode 100644 index 000000000..91cc90242 --- /dev/null +++ b/tests/handlers/test_register.py @@ -0,0 +1,70 @@ +# -*- coding: utf-8 -*- +# Copyright 2015 OpenMarket Ltd +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import pymacaroons + +from mock import Mock, NonCallableMock +from synapse.handlers.register import RegistrationHandler +from tests import unittest +from tests.utils import setup_test_homeserver +from twisted.internet import defer + + +class RegisterHandlers(object): + def __init__(self, hs): + self.registration_handler = RegistrationHandler(hs) + + +class RegisterTestCase(unittest.TestCase): + @defer.inlineCallbacks + def setUp(self): + self.hs = yield setup_test_homeserver(handlers=None) + self.hs.handlers = RegisterHandlers(self.hs) + + def test_token_is_a_macaroon(self): + self.hs.config.macaroon_secret_key = "this key is a huge secret" + + token = self.hs.handlers.registration_handler.generate_token("some_user") + # Check that we can parse the thing with pymacaroons + macaroon = pymacaroons.Macaroon.deserialize(token) + # The most basic of sanity checks + if "some_user" not in macaroon.inspect(): + self.fail("some_user was not in %s" % macaroon.inspect()) + + def test_macaroon_caveats(self): + self.hs.config.macaroon_secret_key = "this key is a massive secret" + self.hs.clock.now = 5000 + + token = self.hs.handlers.registration_handler.generate_token("a_user") + macaroon = pymacaroons.Macaroon.deserialize(token) + + def verify_gen(caveat): + return caveat == "gen = 1" + + def verify_user(caveat): + return caveat == "user_id = a_user" + + def verify_type(caveat): + return caveat == "type = access" + + def verify_expiry(caveat): + return caveat == "time < 8600000" + + v = pymacaroons.Verifier() + v.satisfy_general(verify_gen) + v.satisfy_general(verify_user) + v.satisfy_general(verify_type) + v.satisfy_general(verify_expiry) + v.verify(macaroon, self.hs.config.macaroon_secret_key) diff --git a/tests/utils.py b/tests/utils.py index eb035cf48..80be70b74 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -44,6 +44,8 @@ def setup_test_homeserver(name="test", datastore=None, config=None, **kargs): config.signing_key = [MockKey()] config.event_cache_size = 1 config.disable_registration = False + config.macaroon_secret_key = "not even a little secret" + config.server_name = "server.under.test" if "clock" not in kargs: kargs["clock"] = MockClock()