Merge pull request #1655 from matrix-org/rav/remove_redundant_macaroon_checks

Remove redundant list of known caveat prefixes

Merge pull request #1655 from matrix-org/rav/remove_redundant_macaroon_checks
b6146537 · Richard van der Hoff · GitHub · 9192e593 · e1d7c968 · b6146537
Commit b6146537 authored 8 years ago by Richard van der Hoff Committed by GitHub 8 years ago
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -51,17 +51,6 @@ class Auth(object):
        self.store = hs.get_datastore()
        self.state = hs.get_state_handler()
        self.TOKEN_NOT_FOUND_HTTP_STATUS = 401
-        # Docs for these currently lives at
-        # github.com/matrix-org/matrix-doc/blob/master/drafts/macaroons_caveats.rst
-        # In addition, we have type == delete_pusher which grants access only to
-        # delete pushers.
-        self._KNOWN_CAVEAT_PREFIXES = set([
-            "gen = ",
-            "guest = ",
-            "type = ",
-            "time < ",
-            "user_id = ",
-        ])

    @defer.inlineCallbacks
    def check_from_context(self, event, context, do_sig_check=True):
@@ -801,11 +790,17 @@ class Auth(object):
            type_string(str): The kind of token required (e.g. "access", "refresh",
                              "delete_pusher")
            verify_expiry(bool): Whether to verify whether the macaroon has expired.
-                This should really always be True, but no clients currently implement
-                token refresh, so we can't enforce expiry yet.
+                This should really always be True, but there exist access tokens
+                in the wild which expire when they should not, so we can't
+                enforce expiry yet.
            user_id (str): The user_id required
        """
        v = pymacaroons.Verifier()
+
+        # the verifier runs a test for every caveat on the macaroon, to check
+        # that it is met for the current request. Each caveat must match at
+        # least one of the predicates specified by satisfy_exact or
+        # specify_general.
        v.satisfy_exact("gen = 1")
        v.satisfy_exact("type = " + type_string)
        v.satisfy_exact("user_id = %s" % user_id)
@@ -817,10 +812,6 @@ class Auth(object):

        v.verify(macaroon, self.hs.config.macaroon_secret_key)

-        v = pymacaroons.Verifier()
-        v.satisfy_general(self._verify_recognizes_caveats)
-        v.verify(macaroon, self.hs.config.macaroon_secret_key)
-
    def _verify_expiry(self, caveat):
        prefix = "time < "
        if not caveat.startswith(prefix):
@@ -829,15 +820,6 @@ class Auth(object):
        now = self.hs.get_clock().time_msec()
        return now < expiry

-    def _verify_recognizes_caveats(self, caveat):
-        first_space = caveat.find(" ")
-        if first_space < 0:
-            return False
-        second_space = caveat.find(" ", first_space + 1)
-        if second_space < 0:
-            return False
-        return caveat[:second_space + 1] in self._KNOWN_CAVEAT_PREFIXES
-
    @defer.inlineCallbacks
    def _look_up_user_by_access_token(self, token):
        ret = yield self.store.get_user_by_access_token(token)