Merge pull request #5100 from matrix-org/rav/verification_hackery
Improve logging when event-signature checking fails
This commit is contained in:
Richard van der Hoff
GitHub
commit
b31cc1c613
|
|
@ -0,0 +1 @@
|
||||||
|
Improve logging when event-signature checks fail.
|
||||||
|
|
@ -114,40 +114,54 @@ class Keyring(object):
|
||||||
server_name. The deferreds run their callbacks in the sentinel
|
server_name. The deferreds run their callbacks in the sentinel
|
||||||
logcontext.
|
logcontext.
|
||||||
"""
|
"""
|
||||||
|
# a list of VerifyKeyRequests
|
||||||
verify_requests = []
|
verify_requests = []
|
||||||
|
handle = preserve_fn(_handle_key_deferred)
|
||||||
|
|
||||||
for server_name, json_object in server_and_json:
|
def process(server_name, json_object):
|
||||||
|
"""Process an entry in the request list
|
||||||
|
|
||||||
|
Given a (server_name, json_object) pair from the request list,
|
||||||
|
adds a key request to verify_requests, and returns a deferred which will
|
||||||
|
complete or fail (in the sentinel context) when verification completes.
|
||||||
|
"""
|
||||||
key_ids = signature_ids(json_object, server_name)
|
key_ids = signature_ids(json_object, server_name)
|
||||||
|
|
||||||
if not key_ids:
|
if not key_ids:
|
||||||
logger.warn("Request from %s: no supported signature keys",
|
return defer.fail(
|
||||||
server_name)
|
SynapseError(
|
||||||
deferred = defer.fail(SynapseError(
|
400,
|
||||||
400,
|
"Not signed by %s" % (server_name,),
|
||||||
"Not signed with a supported algorithm",
|
Codes.UNAUTHORIZED,
|
||||||
Codes.UNAUTHORIZED,
|
)
|
||||||
))
|
)
|
||||||
else:
|
|
||||||
deferred = defer.Deferred()
|
|
||||||
|
|
||||||
logger.debug("Verifying for %s with key_ids %s",
|
logger.debug("Verifying for %s with key_ids %s",
|
||||||
server_name, key_ids)
|
server_name, key_ids)
|
||||||
|
|
||||||
|
# add the key request to the queue, but don't start it off yet.
|
||||||
verify_request = VerifyKeyRequest(
|
verify_request = VerifyKeyRequest(
|
||||||
server_name, key_ids, json_object, deferred
|
server_name, key_ids, json_object, defer.Deferred(),
|
||||||
)
|
)
|
||||||
|
|
||||||
verify_requests.append(verify_request)
|
verify_requests.append(verify_request)
|
||||||
|
|
||||||
run_in_background(self._start_key_lookups, verify_requests)
|
# now run _handle_key_deferred, which will wait for the key request
|
||||||
|
# to complete and then do the verification.
|
||||||
|
#
|
||||||
|
# We want _handle_key_request to log to the right context, so we
|
||||||
|
# wrap it with preserve_fn (aka run_in_background)
|
||||||
|
return handle(verify_request)
|
||||||
|
|
||||||
# Pass those keys to handle_key_deferred so that the json object
|
results = [
|
||||||
# signatures can be verified
|
process(server_name, json_object)
|
||||||
handle = preserve_fn(_handle_key_deferred)
|
for server_name, json_object in server_and_json
|
||||||
return [
|
|
||||||
handle(rq) for rq in verify_requests
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
if verify_requests:
|
||||||
|
run_in_background(self._start_key_lookups, verify_requests)
|
||||||
|
|
||||||
|
return results
|
||||||
|
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
def _start_key_lookups(self, verify_requests):
|
def _start_key_lookups(self, verify_requests):
|
||||||
"""Sets off the key fetches for each verify request
|
"""Sets off the key fetches for each verify request
|
||||||
|
|
|
||||||
|
|
@ -269,7 +269,18 @@ def _check_sigs_on_pdus(keyring, room_version, pdus):
|
||||||
for p in pdus_to_check_sender
|
for p in pdus_to_check_sender
|
||||||
])
|
])
|
||||||
|
|
||||||
|
def sender_err(e, pdu_to_check):
|
||||||
|
errmsg = "event id %s: unable to verify signature for sender %s: %s" % (
|
||||||
|
pdu_to_check.pdu.event_id,
|
||||||
|
pdu_to_check.sender_domain,
|
||||||
|
e.getErrorMessage(),
|
||||||
|
)
|
||||||
|
# XX not really sure if these are the right codes, but they are what
|
||||||
|
# we've done for ages
|
||||||
|
raise SynapseError(400, errmsg, Codes.UNAUTHORIZED)
|
||||||
|
|
||||||
for p, d in zip(pdus_to_check_sender, more_deferreds):
|
for p, d in zip(pdus_to_check_sender, more_deferreds):
|
||||||
|
d.addErrback(sender_err, p)
|
||||||
p.deferreds.append(d)
|
p.deferreds.append(d)
|
||||||
|
|
||||||
# now let's look for events where the sender's domain is different to the
|
# now let's look for events where the sender's domain is different to the
|
||||||
|
|
@ -291,7 +302,18 @@ def _check_sigs_on_pdus(keyring, room_version, pdus):
|
||||||
for p in pdus_to_check_event_id
|
for p in pdus_to_check_event_id
|
||||||
])
|
])
|
||||||
|
|
||||||
|
def event_err(e, pdu_to_check):
|
||||||
|
errmsg = (
|
||||||
|
"event id %s: unable to verify signature for event id domain: %s" % (
|
||||||
|
pdu_to_check.pdu.event_id,
|
||||||
|
e.getErrorMessage(),
|
||||||
|
)
|
||||||
|
)
|
||||||
|
# XX as above: not really sure if these are the right codes
|
||||||
|
raise SynapseError(400, errmsg, Codes.UNAUTHORIZED)
|
||||||
|
|
||||||
for p, d in zip(pdus_to_check_event_id, more_deferreds):
|
for p, d in zip(pdus_to_check_event_id, more_deferreds):
|
||||||
|
d.addErrback(event_err, p)
|
||||||
p.deferreds.append(d)
|
p.deferreds.append(d)
|
||||||
|
|
||||||
# replace lists of deferreds with single Deferreds
|
# replace lists of deferreds with single Deferreds
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue