Fix typechecker problems exposed by signedjson 1.1.2 (#12326)

This commit is contained in:
David Robertson 2022-03-29 22:37:50 +01:00 committed by GitHub
parent 1f32b90b0f
commit e0bb268134
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 38 additions and 25 deletions

1
changelog.d/12326.misc Normal file
View File

@ -0,0 +1 @@
Fix typechecker problems exposed by signedjson 1.1.2.

View File

@ -273,6 +273,9 @@ ignore_missing_imports = True
[mypy-ijson.*] [mypy-ijson.*]
ignore_missing_imports = True ignore_missing_imports = True
[mypy-importlib_metadata.*]
ignore_missing_imports = True
[mypy-jaeger_client.*] [mypy-jaeger_client.*]
ignore_missing_imports = True ignore_missing_imports = True

View File

@ -16,7 +16,7 @@
import hashlib import hashlib
import logging import logging
import os import os
from typing import Any, Dict, Iterator, List, Optional from typing import TYPE_CHECKING, Any, Dict, Iterator, List, Optional
import attr import attr
import jsonschema import jsonschema
@ -38,6 +38,9 @@ from synapse.util.stringutils import random_string, random_string_with_symbols
from ._base import Config, ConfigError from ._base import Config, ConfigError
if TYPE_CHECKING:
from signedjson.key import VerifyKeyWithExpiry
INSECURE_NOTARY_ERROR = """\ INSECURE_NOTARY_ERROR = """\
Your server is configured to accept key server responses without signature Your server is configured to accept key server responses without signature
validation or TLS certificate validation. This is likely to be very insecure. If validation or TLS certificate validation. This is likely to be very insecure. If
@ -300,7 +303,7 @@ class KeyConfig(Config):
def read_old_signing_keys( def read_old_signing_keys(
self, old_signing_keys: Optional[JsonDict] self, old_signing_keys: Optional[JsonDict]
) -> Dict[str, VerifyKey]: ) -> Dict[str, "VerifyKeyWithExpiry"]:
if old_signing_keys is None: if old_signing_keys is None:
return {} return {}
keys = {} keys = {}
@ -308,8 +311,8 @@ class KeyConfig(Config):
if is_signing_algorithm_supported(key_id): if is_signing_algorithm_supported(key_id):
key_base64 = key_data["key"] key_base64 = key_data["key"]
key_bytes = decode_base64(key_base64) key_bytes = decode_base64(key_base64)
verify_key = decode_verify_key_bytes(key_id, key_bytes) verify_key: "VerifyKeyWithExpiry" = decode_verify_key_bytes(key_id, key_bytes) # type: ignore[assignment]
verify_key.expired_ts = key_data["expired_ts"] verify_key.expired = key_data["expired_ts"]
keys[key_id] = verify_key keys[key_id] = verify_key
else: else:
raise ConfigError( raise ConfigError(
@ -422,7 +425,7 @@ def _parse_key_servers(
server_name = server["server_name"] server_name = server["server_name"]
result = TrustedKeyServer(server_name=server_name) result = TrustedKeyServer(server_name=server_name)
verify_keys = server.get("verify_keys") verify_keys: Optional[Dict[str, str]] = server.get("verify_keys")
if verify_keys is not None: if verify_keys is not None:
result.verify_keys = {} result.verify_keys = {}
for key_id, key_base64 in verify_keys.items(): for key_id, key_base64 in verify_keys.items():

View File

@ -176,7 +176,7 @@ class Keyring:
self._local_verify_keys: Dict[str, FetchKeyResult] = {} self._local_verify_keys: Dict[str, FetchKeyResult] = {}
for key_id, key in hs.config.key.old_signing_keys.items(): for key_id, key in hs.config.key.old_signing_keys.items():
self._local_verify_keys[key_id] = FetchKeyResult( self._local_verify_keys[key_id] = FetchKeyResult(
verify_key=key, valid_until_ts=key.expired_ts verify_key=key, valid_until_ts=key.expired
) )
vk = get_verify_key(hs.signing_key) vk = get_verify_key(hs.signing_key)

View File

@ -15,7 +15,7 @@ import logging
from typing import TYPE_CHECKING, Any, Dict, List, Optional, Tuple, Union from typing import TYPE_CHECKING, Any, Dict, List, Optional, Tuple, Union
import attr import attr
from nacl.signing import SigningKey from signedjson.types import SigningKey
from synapse.api.constants import MAX_DEPTH from synapse.api.constants import MAX_DEPTH
from synapse.api.room_versions import ( from synapse.api.room_versions import (

View File

@ -76,17 +76,17 @@ class LocalKey(Resource):
def response_json_object(self) -> JsonDict: def response_json_object(self) -> JsonDict:
verify_keys = {} verify_keys = {}
for key in self.config.key.signing_key: for signing_key in self.config.key.signing_key:
verify_key_bytes = key.verify_key.encode() verify_key_bytes = signing_key.verify_key.encode()
key_id = "%s:%s" % (key.alg, key.version) key_id = "%s:%s" % (signing_key.alg, signing_key.version)
verify_keys[key_id] = {"key": encode_base64(verify_key_bytes)} verify_keys[key_id] = {"key": encode_base64(verify_key_bytes)}
old_verify_keys = {} old_verify_keys = {}
for key_id, key in self.config.key.old_signing_keys.items(): for key_id, old_signing_key in self.config.key.old_signing_keys.items():
verify_key_bytes = key.encode() verify_key_bytes = old_signing_key.encode()
old_verify_keys[key_id] = { old_verify_keys[key_id] = {
"key": encode_base64(verify_key_bytes), "key": encode_base64(verify_key_bytes),
"expired_ts": key.expired_ts, "expired_ts": old_signing_key.expired,
} }
json_object = { json_object = {

View File

@ -13,7 +13,7 @@
# limitations under the License. # limitations under the License.
import logging import logging
from typing import TYPE_CHECKING, Dict from typing import TYPE_CHECKING, Dict, Set
from signedjson.sign import sign_json from signedjson.sign import sign_json
@ -149,7 +149,7 @@ class RemoteKey(DirectServeJsonResource):
cached = await self.store.get_server_keys_json(store_queries) cached = await self.store.get_server_keys_json(store_queries)
json_results = set() json_results: Set[bytes] = set()
time_now_ms = self.clock.time_msec() time_now_ms = self.clock.time_msec()
@ -234,8 +234,8 @@ class RemoteKey(DirectServeJsonResource):
await self.query_keys(request, query, query_remote_on_cache_miss=False) await self.query_keys(request, query, query_remote_on_cache_miss=False)
else: else:
signed_keys = [] signed_keys = []
for key_json in json_results: for key_json_raw in json_results:
key_json = json_decoder.decode(key_json.decode("utf-8")) key_json = json_decoder.decode(key_json_raw.decode("utf-8"))
for signing_key in self.config.key.key_server_signing_keys: for signing_key in self.config.key.key_server_signing_keys:
key_json = sign_json( key_json = sign_json(
key_json, self.config.server.server_name, signing_key key_json, self.config.server.server_name, signing_key

View File

@ -28,8 +28,8 @@ from tests import unittest
SIGNING_KEY_SEED = decode_base64("YJDBA9Xnr2sVqXD9Vj7XVUnmFZcZrlw8Md7kMW+3XA1") SIGNING_KEY_SEED = decode_base64("YJDBA9Xnr2sVqXD9Vj7XVUnmFZcZrlw8Md7kMW+3XA1")
KEY_ALG = "ed25519" KEY_ALG = "ed25519"
KEY_VER = 1 KEY_VER = "1"
KEY_NAME = "%s:%d" % (KEY_ALG, KEY_VER) KEY_NAME = "%s:%s" % (KEY_ALG, KEY_VER)
HOSTNAME = "domain" HOSTNAME = "domain"
@ -39,7 +39,7 @@ class EventSigningTestCase(unittest.TestCase):
# NB: `signedjson` expects `nacl.signing.SigningKey` instances which have been # NB: `signedjson` expects `nacl.signing.SigningKey` instances which have been
# monkeypatched to include new `alg` and `version` attributes. This is captured # monkeypatched to include new `alg` and `version` attributes. This is captured
# by the `signedjson.types.SigningKey` protocol. # by the `signedjson.types.SigningKey` protocol.
self.signing_key: signedjson.types.SigningKey = nacl.signing.SigningKey( self.signing_key: signedjson.types.SigningKey = nacl.signing.SigningKey( # type: ignore[assignment]
SIGNING_KEY_SEED SIGNING_KEY_SEED
) )
self.signing_key.alg = KEY_ALG self.signing_key.alg = KEY_ALG

View File

@ -76,7 +76,7 @@ class BaseRemoteKeyResourceTestCase(unittest.HomeserverTestCase):
"verify_keys": { "verify_keys": {
key_id: { key_id: {
"key": signedjson.key.encode_verify_key_base64( "key": signedjson.key.encode_verify_key_base64(
signing_key.verify_key signedjson.key.get_verify_key(signing_key)
) )
} }
}, },
@ -175,7 +175,7 @@ class EndToEndPerspectivesTests(BaseRemoteKeyResourceTestCase):
% ( % (
self.hs_signing_key.version, self.hs_signing_key.version,
): signedjson.key.encode_verify_key_base64( ): signedjson.key.encode_verify_key_base64(
self.hs_signing_key.verify_key signedjson.key.get_verify_key(self.hs_signing_key)
) )
}, },
} }
@ -229,7 +229,9 @@ class EndToEndPerspectivesTests(BaseRemoteKeyResourceTestCase):
assert isinstance(keyres, FetchKeyResult) assert isinstance(keyres, FetchKeyResult)
self.assertEqual( self.assertEqual(
signedjson.key.encode_verify_key_base64(keyres.verify_key), signedjson.key.encode_verify_key_base64(keyres.verify_key),
signedjson.key.encode_verify_key_base64(testkey.verify_key), signedjson.key.encode_verify_key_base64(
signedjson.key.get_verify_key(testkey)
),
) )
def test_get_notary_key(self) -> None: def test_get_notary_key(self) -> None:
@ -251,7 +253,9 @@ class EndToEndPerspectivesTests(BaseRemoteKeyResourceTestCase):
assert isinstance(keyres, FetchKeyResult) assert isinstance(keyres, FetchKeyResult)
self.assertEqual( self.assertEqual(
signedjson.key.encode_verify_key_base64(keyres.verify_key), signedjson.key.encode_verify_key_base64(keyres.verify_key),
signedjson.key.encode_verify_key_base64(testkey.verify_key), signedjson.key.encode_verify_key_base64(
signedjson.key.get_verify_key(testkey)
),
) )
def test_get_notary_keyserver_key(self) -> None: def test_get_notary_keyserver_key(self) -> None:
@ -268,5 +272,7 @@ class EndToEndPerspectivesTests(BaseRemoteKeyResourceTestCase):
assert isinstance(keyres, FetchKeyResult) assert isinstance(keyres, FetchKeyResult)
self.assertEqual( self.assertEqual(
signedjson.key.encode_verify_key_base64(keyres.verify_key), signedjson.key.encode_verify_key_base64(keyres.verify_key),
signedjson.key.encode_verify_key_base64(self.hs_signing_key.verify_key), signedjson.key.encode_verify_key_base64(
signedjson.key.get_verify_key(self.hs_signing_key)
),
) )