Merge pull request #765 from matrix-org/markjh/open_id
Add an openidish mechanism for proving that you own a given user_id
This commit is contained in:
commit
1f590f3e9a
|
@ -387,6 +387,11 @@ class FederationServer(FederationBase):
|
||||||
"events": [ev.get_pdu_json(time_now) for ev in missing_events],
|
"events": [ev.get_pdu_json(time_now) for ev in missing_events],
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@log_function
|
||||||
|
def on_openid_userinfo(self, token):
|
||||||
|
ts_now_ms = self._clock.time_msec()
|
||||||
|
return self.store.get_user_id_for_open_id_token(token, ts_now_ms)
|
||||||
|
|
||||||
@log_function
|
@log_function
|
||||||
def _get_persisted_pdu(self, origin, event_id, do_auth=True):
|
def _get_persisted_pdu(self, origin, event_id, do_auth=True):
|
||||||
""" Get a PDU from the database with given origin and id.
|
""" Get a PDU from the database with given origin and id.
|
||||||
|
|
|
@ -18,7 +18,7 @@ from twisted.internet import defer
|
||||||
from synapse.api.urls import FEDERATION_PREFIX as PREFIX
|
from synapse.api.urls import FEDERATION_PREFIX as PREFIX
|
||||||
from synapse.api.errors import Codes, SynapseError
|
from synapse.api.errors import Codes, SynapseError
|
||||||
from synapse.http.server import JsonResource
|
from synapse.http.server import JsonResource
|
||||||
from synapse.http.servlet import parse_json_object_from_request
|
from synapse.http.servlet import parse_json_object_from_request, parse_string
|
||||||
from synapse.util.ratelimitutils import FederationRateLimiter
|
from synapse.util.ratelimitutils import FederationRateLimiter
|
||||||
|
|
||||||
import functools
|
import functools
|
||||||
|
@ -448,6 +448,50 @@ class On3pidBindServlet(BaseFederationServlet):
|
||||||
return code
|
return code
|
||||||
|
|
||||||
|
|
||||||
|
class OpenIdUserInfo(BaseFederationServlet):
|
||||||
|
"""
|
||||||
|
Exchange a bearer token for information about a user.
|
||||||
|
|
||||||
|
The response format should be compatible with:
|
||||||
|
http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
|
||||||
|
|
||||||
|
GET /openid/userinfo?access_token=ABDEFGH HTTP/1.1
|
||||||
|
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
Content-Type: application/json
|
||||||
|
|
||||||
|
{
|
||||||
|
"sub": "@userpart:example.org",
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
|
||||||
|
PATH = "/openid/userinfo"
|
||||||
|
|
||||||
|
@defer.inlineCallbacks
|
||||||
|
def on_GET(self, request):
|
||||||
|
token = parse_string(request, "access_token")
|
||||||
|
if token is None:
|
||||||
|
defer.returnValue((401, {
|
||||||
|
"errcode": "M_MISSING_TOKEN", "error": "Access Token required"
|
||||||
|
}))
|
||||||
|
return
|
||||||
|
|
||||||
|
user_id = yield self.handler.on_openid_userinfo(token)
|
||||||
|
|
||||||
|
if user_id is None:
|
||||||
|
defer.returnValue((401, {
|
||||||
|
"errcode": "M_UNKNOWN_TOKEN",
|
||||||
|
"error": "Access Token unknown or expired"
|
||||||
|
}))
|
||||||
|
|
||||||
|
defer.returnValue((200, {"sub": user_id}))
|
||||||
|
|
||||||
|
# Avoid doing remote HS authorization checks which are done by default by
|
||||||
|
# BaseFederationServlet.
|
||||||
|
def _wrap(self, code):
|
||||||
|
return code
|
||||||
|
|
||||||
|
|
||||||
SERVLET_CLASSES = (
|
SERVLET_CLASSES = (
|
||||||
FederationSendServlet,
|
FederationSendServlet,
|
||||||
FederationPullServlet,
|
FederationPullServlet,
|
||||||
|
@ -468,6 +512,7 @@ SERVLET_CLASSES = (
|
||||||
FederationClientKeysClaimServlet,
|
FederationClientKeysClaimServlet,
|
||||||
FederationThirdPartyInviteExchangeServlet,
|
FederationThirdPartyInviteExchangeServlet,
|
||||||
On3pidBindServlet,
|
On3pidBindServlet,
|
||||||
|
OpenIdUserInfo,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -45,6 +45,7 @@ from synapse.rest.client.v2_alpha import (
|
||||||
tags,
|
tags,
|
||||||
account_data,
|
account_data,
|
||||||
report_event,
|
report_event,
|
||||||
|
openid,
|
||||||
)
|
)
|
||||||
|
|
||||||
from synapse.http.server import JsonResource
|
from synapse.http.server import JsonResource
|
||||||
|
@ -88,3 +89,4 @@ class ClientRestResource(JsonResource):
|
||||||
tags.register_servlets(hs, client_resource)
|
tags.register_servlets(hs, client_resource)
|
||||||
account_data.register_servlets(hs, client_resource)
|
account_data.register_servlets(hs, client_resource)
|
||||||
report_event.register_servlets(hs, client_resource)
|
report_event.register_servlets(hs, client_resource)
|
||||||
|
openid.register_servlets(hs, client_resource)
|
||||||
|
|
|
@ -0,0 +1,96 @@
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
# Copyright 2015, 2016 OpenMarket Ltd
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
|
||||||
|
from ._base import client_v2_patterns
|
||||||
|
|
||||||
|
from synapse.http.servlet import RestServlet, parse_json_object_from_request
|
||||||
|
from synapse.api.errors import AuthError
|
||||||
|
from synapse.util.stringutils import random_string
|
||||||
|
|
||||||
|
from twisted.internet import defer
|
||||||
|
|
||||||
|
import logging
|
||||||
|
|
||||||
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
class IdTokenServlet(RestServlet):
|
||||||
|
"""
|
||||||
|
Get a bearer token that may be passed to a third party to confirm ownership
|
||||||
|
of a matrix user id.
|
||||||
|
|
||||||
|
The format of the response could be made compatible with the format given
|
||||||
|
in http://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
|
||||||
|
|
||||||
|
But instead of returning a signed "id_token" the response contains the
|
||||||
|
name of the issuing matrix homeserver. This means that for now the third
|
||||||
|
party will need to check the validity of the "id_token" against the
|
||||||
|
federation /openid/userinfo endpoint of the homeserver.
|
||||||
|
|
||||||
|
Request:
|
||||||
|
|
||||||
|
POST /user/{user_id}/openid/request_token?access_token=... HTTP/1.1
|
||||||
|
|
||||||
|
{}
|
||||||
|
|
||||||
|
Response:
|
||||||
|
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
{
|
||||||
|
"access_token": "ABDEFGH",
|
||||||
|
"token_type": "Bearer",
|
||||||
|
"matrix_server_name": "example.com",
|
||||||
|
"expires_in": 3600,
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
PATTERNS = client_v2_patterns(
|
||||||
|
"/user/(?P<user_id>[^/]*)/openid/request_token"
|
||||||
|
)
|
||||||
|
|
||||||
|
EXPIRES_MS = 3600 * 1000
|
||||||
|
|
||||||
|
def __init__(self, hs):
|
||||||
|
super(IdTokenServlet, self).__init__()
|
||||||
|
self.auth = hs.get_auth()
|
||||||
|
self.store = hs.get_datastore()
|
||||||
|
self.clock = hs.get_clock()
|
||||||
|
self.server_name = hs.config.server_name
|
||||||
|
|
||||||
|
@defer.inlineCallbacks
|
||||||
|
def on_POST(self, request, user_id):
|
||||||
|
requester = yield self.auth.get_user_by_req(request)
|
||||||
|
if user_id != requester.user.to_string():
|
||||||
|
raise AuthError(403, "Cannot request tokens for other users.")
|
||||||
|
|
||||||
|
# Parse the request body to make sure it's JSON, but ignore the contents
|
||||||
|
# for now.
|
||||||
|
parse_json_object_from_request(request)
|
||||||
|
|
||||||
|
token = random_string(24)
|
||||||
|
ts_valid_until_ms = self.clock.time_msec() + self.EXPIRES_MS
|
||||||
|
|
||||||
|
yield self.store.insert_open_id_token(token, ts_valid_until_ms, user_id)
|
||||||
|
|
||||||
|
defer.returnValue((200, {
|
||||||
|
"access_token": token,
|
||||||
|
"token_type": "Bearer",
|
||||||
|
"matrix_server_name": self.server_name,
|
||||||
|
"expires_in": self.EXPIRES_MS / 1000,
|
||||||
|
}))
|
||||||
|
|
||||||
|
|
||||||
|
def register_servlets(hs, http_server):
|
||||||
|
IdTokenServlet(hs).register(http_server)
|
|
@ -44,6 +44,7 @@ from .receipts import ReceiptsStore
|
||||||
from .search import SearchStore
|
from .search import SearchStore
|
||||||
from .tags import TagsStore
|
from .tags import TagsStore
|
||||||
from .account_data import AccountDataStore
|
from .account_data import AccountDataStore
|
||||||
|
from .openid import OpenIdStore
|
||||||
|
|
||||||
from .util.id_generators import IdGenerator, StreamIdGenerator, ChainedIdGenerator
|
from .util.id_generators import IdGenerator, StreamIdGenerator, ChainedIdGenerator
|
||||||
|
|
||||||
|
@ -81,7 +82,8 @@ class DataStore(RoomMemberStore, RoomStore,
|
||||||
SearchStore,
|
SearchStore,
|
||||||
TagsStore,
|
TagsStore,
|
||||||
AccountDataStore,
|
AccountDataStore,
|
||||||
EventPushActionsStore
|
EventPushActionsStore,
|
||||||
|
OpenIdStore,
|
||||||
):
|
):
|
||||||
|
|
||||||
def __init__(self, db_conn, hs):
|
def __init__(self, db_conn, hs):
|
||||||
|
|
|
@ -0,0 +1,32 @@
|
||||||
|
from ._base import SQLBaseStore
|
||||||
|
|
||||||
|
|
||||||
|
class OpenIdStore(SQLBaseStore):
|
||||||
|
def insert_open_id_token(self, token, ts_valid_until_ms, user_id):
|
||||||
|
return self._simple_insert(
|
||||||
|
table="open_id_tokens",
|
||||||
|
values={
|
||||||
|
"token": token,
|
||||||
|
"ts_valid_until_ms": ts_valid_until_ms,
|
||||||
|
"user_id": user_id,
|
||||||
|
},
|
||||||
|
desc="insert_open_id_token"
|
||||||
|
)
|
||||||
|
|
||||||
|
def get_user_id_for_open_id_token(self, token, ts_now_ms):
|
||||||
|
def get_user_id_for_token_txn(txn):
|
||||||
|
sql = (
|
||||||
|
"SELECT user_id FROM open_id_tokens"
|
||||||
|
" WHERE token = ? AND ? <= ts_valid_until_ms"
|
||||||
|
)
|
||||||
|
|
||||||
|
txn.execute(sql, (token, ts_now_ms))
|
||||||
|
|
||||||
|
rows = txn.fetchall()
|
||||||
|
if not rows:
|
||||||
|
return None
|
||||||
|
else:
|
||||||
|
return rows[0][0]
|
||||||
|
return self.runInteraction(
|
||||||
|
"get_user_id_for_token", get_user_id_for_token_txn
|
||||||
|
)
|
|
@ -0,0 +1,9 @@
|
||||||
|
|
||||||
|
CREATE TABLE open_id_tokens (
|
||||||
|
token TEXT NOT NULL PRIMARY KEY,
|
||||||
|
ts_valid_until_ms bigint NOT NULL,
|
||||||
|
user_id TEXT NOT NULL,
|
||||||
|
UNIQUE (token)
|
||||||
|
);
|
||||||
|
|
||||||
|
CREATE index open_id_tokens_ts_valid_until_ms ON open_id_tokens(ts_valid_until_ms);
|
Loading…
Reference in New Issue