From c5934f8416f1723524f0429a6afcc1270ec7515d Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Fri, 26 Feb 2021 16:31:59 +0000 Subject: [PATCH 01/13] Factor out `satisfy_expiry` function --- mypy.ini | 1 + synapse/api/auth.py | 11 ++------ synapse/handlers/oidc_handler.py | 11 ++------ synapse/util/macaroons.py | 44 ++++++++++++++++++++++++++++++++ 4 files changed, 49 insertions(+), 18 deletions(-) create mode 100644 synapse/util/macaroons.py diff --git a/mypy.ini b/mypy.ini index 64ed45dac24c..f31cd432e6a3 100644 --- a/mypy.ini +++ b/mypy.ini @@ -69,6 +69,7 @@ files = synapse/util/async_helpers.py, synapse/util/caches, synapse/util/metrics.py, + synapse/util/macaroons.py, synapse/util/stringutils.py, tests/replication, tests/test_utils, diff --git a/synapse/api/auth.py b/synapse/api/auth.py index 89e62b0e367b..9bee0d4f9d79 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -39,6 +39,7 @@ from synapse.storage.databases.main.registration import TokenLookupResult from synapse.types import StateMap, UserID from synapse.util.caches.lrucache import LruCache +from synapse.util.macaroons import satisfy_expiry from synapse.util.metrics import Measure logger = logging.getLogger(__name__) @@ -465,21 +466,13 @@ def validate_macaroon(self, macaroon, type_string, user_id): v.satisfy_exact("type = " + type_string) v.satisfy_exact("user_id = %s" % user_id) v.satisfy_exact("guest = true") - v.satisfy_general(self._verify_expiry) + satisfy_expiry(v, self.clock.time_msec) # access_tokens include a nonce for uniqueness: any value is acceptable v.satisfy_general(lambda c: c.startswith("nonce = ")) v.verify(macaroon, self._macaroon_secret_key) - def _verify_expiry(self, caveat): - prefix = "time < " - if not caveat.startswith(prefix): - return False - expiry = int(caveat[len(prefix) :]) - now = self.hs.get_clock().time_msec() - return now < expiry - def get_appservice_by_req(self, request: SynapseRequest) -> ApplicationService: token = self.get_access_token_from_request(request) service = self.store.get_app_service_by_token(token) diff --git a/synapse/handlers/oidc_handler.py b/synapse/handlers/oidc_handler.py index 07db1e31e425..3563de42ab41 100644 --- a/synapse/handlers/oidc_handler.py +++ b/synapse/handlers/oidc_handler.py @@ -42,6 +42,7 @@ from synapse.types import JsonDict, UserID, map_username_to_mxid_localpart from synapse.util import json_decoder from synapse.util.caches.cached_call import RetryOnExceptionCachedCall +from synapse.util.macaroons import satisfy_expiry if TYPE_CHECKING: from synapse.server import HomeServer @@ -1060,7 +1061,7 @@ def verify_oidc_session_token( # Sometimes there's a UI auth session ID, it seems to be OK to attempt # to always satisfy this. v.satisfy_general(lambda c: c.startswith("ui_auth_session_id = ")) - v.satisfy_general(self._verify_expiry) + satisfy_expiry(v, self._clock.time_msec) v.verify(macaroon, self._macaroon_secret_key) @@ -1103,14 +1104,6 @@ def _get_value_from_macaroon(self, macaroon: pymacaroons.Macaroon, key: str) -> return caveat.caveat_id[len(prefix) :] raise ValueError("No %s caveat in macaroon" % (key,)) - def _verify_expiry(self, caveat: str) -> bool: - prefix = "time < " - if not caveat.startswith(prefix): - return False - expiry = int(caveat[len(prefix) :]) - now = self._clock.time_msec() - return now < expiry - @attr.s(frozen=True, slots=True) class OidcSessionData: diff --git a/synapse/util/macaroons.py b/synapse/util/macaroons.py new file mode 100644 index 000000000000..cad396bc21b4 --- /dev/null +++ b/synapse/util/macaroons.py @@ -0,0 +1,44 @@ +# -*- coding: utf-8 -*- +# Copyright 2020 Quentin Gliech +# Copyright 2021 The Matrix.org Foundation C.I.C. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +"""Utilities for manipulating macaroons""" + +from typing import Callable + +import pymacaroons + + +def satisfy_expiry(v: pymacaroons.Verifier, get_time_ms: Callable[[], int]) -> None: + """Make a macaroon verifier which accepts 'time' caveats + + Builds a caveat verifier which will accept unexpired 'time' caveats, and adds it to + the given macaroon verifier. + + Args: + v: the macaroon verifier + get_time_ms: a callable which will return the timestamp after which the caveat + should be considered expired. Normally the current time. + """ + + def verify_expiry_caveat(caveat: str): + time_msec = get_time_ms() + prefix = "time < " + if not caveat.startswith(prefix): + return False + expiry = int(caveat[len(prefix) :]) + return time_msec < expiry + + v.satisfy_general(verify_expiry_caveat) From 444c69700842d97ccd62bee009b422317574a599 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Fri, 26 Feb 2021 12:57:39 +0000 Subject: [PATCH 02/13] Factor out `get_value_from_macaroon` utility function --- synapse/handlers/oidc_handler.py | 37 +++++++------------------------- synapse/util/macaroons.py | 20 +++++++++++++++++ tests/handlers/test_oidc.py | 13 ++++------- 3 files changed, 32 insertions(+), 38 deletions(-) diff --git a/synapse/handlers/oidc_handler.py b/synapse/handlers/oidc_handler.py index 3563de42ab41..85e502a8d991 100644 --- a/synapse/handlers/oidc_handler.py +++ b/synapse/handlers/oidc_handler.py @@ -42,7 +42,7 @@ from synapse.types import JsonDict, UserID, map_username_to_mxid_localpart from synapse.util import json_decoder from synapse.util.caches.cached_call import RetryOnExceptionCachedCall -from synapse.util.macaroons import satisfy_expiry +from synapse.util.macaroons import get_value_from_macaroon, satisfy_expiry if TYPE_CHECKING: from synapse.server import HomeServer @@ -212,7 +212,7 @@ async def handle_oidc_callback(self, request: SynapseRequest) -> None: session_data = self._token_generator.verify_oidc_session_token( session, state ) - except (MacaroonDeserializationException, ValueError) as e: + except (MacaroonDeserializationException, KeyError) as e: logger.exception("Invalid session for OIDC callback") self._sso_handler.render_error(request, "invalid_session", str(e)) return @@ -1047,7 +1047,7 @@ def verify_oidc_session_token( The data extracted from the session cookie Raises: - ValueError if an expected caveat is missing from the macaroon. + KeyError if an expected caveat is missing from the macaroon. """ macaroon = pymacaroons.Macaroon.deserialize(session) @@ -1066,16 +1066,14 @@ def verify_oidc_session_token( v.verify(macaroon, self._macaroon_secret_key) # Extract the session data from the token. - nonce = self._get_value_from_macaroon(macaroon, "nonce") - idp_id = self._get_value_from_macaroon(macaroon, "idp_id") - client_redirect_url = self._get_value_from_macaroon( - macaroon, "client_redirect_url" - ) + nonce = get_value_from_macaroon(macaroon, "nonce") + idp_id = get_value_from_macaroon(macaroon, "idp_id") + client_redirect_url = get_value_from_macaroon(macaroon, "client_redirect_url") try: - ui_auth_session_id = self._get_value_from_macaroon( + ui_auth_session_id = get_value_from_macaroon( macaroon, "ui_auth_session_id" ) # type: Optional[str] - except ValueError: + except KeyError: ui_auth_session_id = None return OidcSessionData( @@ -1085,25 +1083,6 @@ def verify_oidc_session_token( ui_auth_session_id=ui_auth_session_id, ) - def _get_value_from_macaroon(self, macaroon: pymacaroons.Macaroon, key: str) -> str: - """Extracts a caveat value from a macaroon token. - - Args: - macaroon: the token - key: the key of the caveat to extract - - Returns: - The extracted value - - Raises: - ValueError: if the caveat was not in the macaroon - """ - prefix = key + " = " - for caveat in macaroon.caveats: - if caveat.caveat_id.startswith(prefix): - return caveat.caveat_id[len(prefix) :] - raise ValueError("No %s caveat in macaroon" % (key,)) - @attr.s(frozen=True, slots=True) class OidcSessionData: diff --git a/synapse/util/macaroons.py b/synapse/util/macaroons.py index cad396bc21b4..e392dc0e6b94 100644 --- a/synapse/util/macaroons.py +++ b/synapse/util/macaroons.py @@ -21,6 +21,26 @@ import pymacaroons +def get_value_from_macaroon(macaroon: pymacaroons.Macaroon, key: str) -> str: + """Extracts a caveat value from a macaroon token. + + Args: + macaroon: the token + key: the key of the caveat to extract + + Returns: + The extracted value + + Raises: + KeyError: if the caveat was not in the macaroon + """ + prefix = key + " = " + for caveat in macaroon.caveats: + if caveat.caveat_id.startswith(prefix): + return caveat.caveat_id[len(prefix) :] + raise KeyError("No %s caveat in macaroon" % (key,)) + + def satisfy_expiry(v: pymacaroons.Verifier, get_time_ms: Callable[[], int]) -> None: """Make a macaroon verifier which accepts 'time' caveats diff --git a/tests/handlers/test_oidc.py b/tests/handlers/test_oidc.py index cf1de28fa9b2..006234ffcec9 100644 --- a/tests/handlers/test_oidc.py +++ b/tests/handlers/test_oidc.py @@ -23,6 +23,7 @@ from synapse.handlers.sso import MappingException from synapse.server import HomeServer from synapse.types import UserID +from synapse.util.macaroons import get_value_from_macaroon from tests.test_utils import FakeResponse, get_awaitable_result, simple_async_mock from tests.unittest import HomeserverTestCase, override_config @@ -360,15 +361,9 @@ def test_redirect_request(self): self.assertEqual(name, b"oidc_session") macaroon = pymacaroons.Macaroon.deserialize(cookie) - state = self.handler._token_generator._get_value_from_macaroon( - macaroon, "state" - ) - nonce = self.handler._token_generator._get_value_from_macaroon( - macaroon, "nonce" - ) - redirect = self.handler._token_generator._get_value_from_macaroon( - macaroon, "client_redirect_url" - ) + state = get_value_from_macaroon(macaroon, "state") + nonce = get_value_from_macaroon(macaroon, "nonce") + redirect = get_value_from_macaroon(macaroon, "client_redirect_url") self.assertEqual(params["state"], [state]) self.assertEqual(params["nonce"], [nonce]) From 7fa4d778f492189d0cbbf37ac42137d0a63010ca Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Sun, 28 Feb 2021 21:52:07 +0000 Subject: [PATCH 03/13] get_value_from_macaroon: check only one instance of caveat --- synapse/util/macaroons.py | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/synapse/util/macaroons.py b/synapse/util/macaroons.py index e392dc0e6b94..09a303a9eb00 100644 --- a/synapse/util/macaroons.py +++ b/synapse/util/macaroons.py @@ -16,14 +16,18 @@ """Utilities for manipulating macaroons""" -from typing import Callable +from typing import Callable, Optional import pymacaroons +from pymacaroons.exceptions import MacaroonVerificationFailedException def get_value_from_macaroon(macaroon: pymacaroons.Macaroon, key: str) -> str: """Extracts a caveat value from a macaroon token. + Checks that there is exactly one caveat of the form "key = " in the macaroon, + and returns the extracted value. + Args: macaroon: the token key: the key of the caveat to extract @@ -33,11 +37,28 @@ def get_value_from_macaroon(macaroon: pymacaroons.Macaroon, key: str) -> str: Raises: KeyError: if the caveat was not in the macaroon + MacaroonVerificationFailedException: if there are conflicting values for the + caveat in the macaroon """ prefix = key + " = " + result = None # type: Optional[str] for caveat in macaroon.caveats: - if caveat.caveat_id.startswith(prefix): - return caveat.caveat_id[len(prefix) :] + if not caveat.caveat_id.startswith(prefix): + continue + + val = caveat.caveat_id[len(prefix) :] + + if result is None: + # first time we found this caveat: record the value + result = val + elif val != result: + # on subsequent occurrences, raise if the value is different. + raise MacaroonVerificationFailedException( + "Conflicting values for caveat " + key + ) + + if result is not None: + return result raise KeyError("No %s caveat in macaroon" % (key,)) From 7f104a293264f5715c89ca684f2e76ceeba5aa9b Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Fri, 26 Feb 2021 13:03:42 +0000 Subject: [PATCH 04/13] Replace get_user_id_from_macaroon with calls to get_value_from_macaroon --- synapse/api/auth.py | 32 ++++++++------------------------ synapse/handlers/auth.py | 4 ++-- 2 files changed, 10 insertions(+), 26 deletions(-) diff --git a/synapse/api/auth.py b/synapse/api/auth.py index 9bee0d4f9d79..968cf6f17437 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -39,7 +39,7 @@ from synapse.storage.databases.main.registration import TokenLookupResult from synapse.types import StateMap, UserID from synapse.util.caches.lrucache import LruCache -from synapse.util.macaroons import satisfy_expiry +from synapse.util.macaroons import get_value_from_macaroon, satisfy_expiry from synapse.util.metrics import Measure logger = logging.getLogger(__name__) @@ -409,7 +409,7 @@ def _parse_and_validate_macaroon(self, token, rights="access"): raise _InvalidMacaroonException() try: - user_id = self.get_user_id_from_macaroon(macaroon) + user_id = get_value_from_macaroon(macaroon, "user_id") guest = False for caveat in macaroon.caveats: @@ -417,7 +417,12 @@ def _parse_and_validate_macaroon(self, token, rights="access"): guest = True self.validate_macaroon(macaroon, rights, user_id=user_id) - except (pymacaroons.exceptions.MacaroonException, TypeError, ValueError): + except ( + pymacaroons.exceptions.MacaroonException, + KeyError, + TypeError, + ValueError, + ): raise InvalidClientTokenError("Invalid macaroon passed.") if rights == "access": @@ -425,27 +430,6 @@ def _parse_and_validate_macaroon(self, token, rights="access"): return user_id, guest - def get_user_id_from_macaroon(self, macaroon): - """Retrieve the user_id given by the caveats on the macaroon. - - Does *not* validate the macaroon. - - Args: - macaroon (pymacaroons.Macaroon): The macaroon to validate - - Returns: - (str) user id - - Raises: - InvalidClientCredentialsError if there is no user_id caveat in the - macaroon - """ - user_prefix = "user_id = " - for caveat in macaroon.caveats: - if caveat.caveat_id.startswith(user_prefix): - return caveat.caveat_id[len(user_prefix) :] - raise InvalidClientTokenError("No user caveat in macaroon") - def validate_macaroon(self, macaroon, type_string, user_id): """ validate that a Macaroon is understood by and was signed by this server. diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py index 9ba9f591d985..6dff60960cd5 100644 --- a/synapse/handlers/auth.py +++ b/synapse/handlers/auth.py @@ -65,6 +65,7 @@ from synapse.types import JsonDict, Requester, UserID from synapse.util import stringutils as stringutils from synapse.util.async_helpers import maybe_awaitable +from synapse.util.macaroons import get_value_from_macaroon from synapse.util.msisdn import phone_number_to_msisdn from synapse.util.threepids import canonicalise_email @@ -1166,10 +1167,9 @@ async def _check_local_password(self, user_id: str, password: str) -> Optional[s async def validate_short_term_login_token_and_get_user_id(self, login_token: str): auth_api = self.hs.get_auth() - user_id = None try: macaroon = pymacaroons.Macaroon.deserialize(login_token) - user_id = auth_api.get_user_id_from_macaroon(macaroon) + user_id = get_value_from_macaroon(macaroon, "user_id") auth_api.validate_macaroon(macaroon, "login", user_id) except Exception: raise AuthError(403, "Invalid token", errcode=Codes.FORBIDDEN) From d6516261d5134ac39f4e00b7df4693e16f440293 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Fri, 26 Feb 2021 17:06:30 +0000 Subject: [PATCH 05/13] create verify_short_term_login_token function short-term-login tokens and access tokens use somewhat different caveats, so I think it makes more sense to use a different verify method. Putting it next to the generator makes it easier to keep them in sync. --- synapse/handlers/auth.py | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py index 6dff60960cd5..e116388e0406 100644 --- a/synapse/handlers/auth.py +++ b/synapse/handlers/auth.py @@ -65,7 +65,7 @@ from synapse.types import JsonDict, Requester, UserID from synapse.util import stringutils as stringutils from synapse.util.async_helpers import maybe_awaitable -from synapse.util.macaroons import get_value_from_macaroon +from synapse.util.macaroons import get_value_from_macaroon, satisfy_expiry from synapse.util.msisdn import phone_number_to_msisdn from synapse.util.threepids import canonicalise_email @@ -1166,11 +1166,8 @@ async def _check_local_password(self, user_id: str, password: str) -> Optional[s return user_id async def validate_short_term_login_token_and_get_user_id(self, login_token: str): - auth_api = self.hs.get_auth() try: - macaroon = pymacaroons.Macaroon.deserialize(login_token) - user_id = get_value_from_macaroon(macaroon, "user_id") - auth_api.validate_macaroon(macaroon, "login", user_id) + user_id = self.macaroon_gen.verify_short_term_login_token(login_token) except Exception: raise AuthError(403, "Invalid token", errcode=Codes.FORBIDDEN) @@ -1578,6 +1575,33 @@ def generate_short_term_login_token( macaroon.add_first_party_caveat("time < %d" % (expiry,)) return macaroon.serialize() + def verify_short_term_login_token(self, token: str) -> str: + """Verify a short-term-login macaroon + + Checks that the given token is a valid, unexpired short-term-login token + minted by this server. + + Args: + token: the login token to verify + + Returns: + the user_id that this token is valid for + + Raises: + MacaroonVerificationFailedException if the verification failed + """ + macaroon = pymacaroons.Macaroon.deserialize(token) + user_id = get_value_from_macaroon(macaroon, "user_id") + + v = pymacaroons.Verifier() + v.satisfy_exact("gen = 1") + v.satisfy_exact("type = login") + v.satisfy_exact("user_id = %s" % (user_id,)) + satisfy_expiry(v, self.hs.get_clock().time_msec) + v.verify(macaroon, self.hs.config.key.macaroon_secret_key) + + return user_id + def generate_delete_pusher_token(self, user_id: str) -> str: macaroon = self._generate_base_macaroon(user_id) macaroon.add_first_party_caveat("type = delete_pusher") From 0b8dfb1ed5ec374c3c7f7547a49149df34b27984 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Fri, 26 Feb 2021 17:29:47 +0000 Subject: [PATCH 06/13] Return an object from `validate_short_term_login_token_and_get_user_id` ... and rename it to `validate_short_term_login_token`. --- synapse/handlers/auth.py | 21 +++++++++++++++------ synapse/rest/client/v1/login.py | 6 ++---- tests/handlers/test_auth.py | 30 ++++++++++++------------------ 3 files changed, 29 insertions(+), 28 deletions(-) diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py index e116388e0406..fa3b8efb7648 100644 --- a/synapse/handlers/auth.py +++ b/synapse/handlers/auth.py @@ -171,6 +171,13 @@ class SsoLoginExtraAttributes: extra_attributes = attr.ib(type=JsonDict) +@attr.s(slots=True, frozen=True) +class LoginTokenAttributes: + """Data we store in a short-term login token""" + + user_id = attr.ib(type=str) + + class AuthHandler(BaseHandler): SESSION_EXPIRE_MS = 48 * 60 * 60 * 1000 @@ -1165,14 +1172,16 @@ async def _check_local_password(self, user_id: str, password: str) -> Optional[s return None return user_id - async def validate_short_term_login_token_and_get_user_id(self, login_token: str): + async def validate_short_term_login_token( + self, login_token: str + ) -> LoginTokenAttributes: try: - user_id = self.macaroon_gen.verify_short_term_login_token(login_token) + res = self.macaroon_gen.verify_short_term_login_token(login_token) except Exception: raise AuthError(403, "Invalid token", errcode=Codes.FORBIDDEN) - await self.auth.check_auth_blocking(user_id) - return user_id + await self.auth.check_auth_blocking(res.user_id) + return res async def delete_access_token(self, access_token: str): """Invalidate a single access token @@ -1575,7 +1584,7 @@ def generate_short_term_login_token( macaroon.add_first_party_caveat("time < %d" % (expiry,)) return macaroon.serialize() - def verify_short_term_login_token(self, token: str) -> str: + def verify_short_term_login_token(self, token: str) -> LoginTokenAttributes: """Verify a short-term-login macaroon Checks that the given token is a valid, unexpired short-term-login token @@ -1600,7 +1609,7 @@ def verify_short_term_login_token(self, token: str) -> str: satisfy_expiry(v, self.hs.get_clock().time_msec) v.verify(macaroon, self.hs.config.key.macaroon_secret_key) - return user_id + return LoginTokenAttributes(user_id=user_id) def generate_delete_pusher_token(self, user_id: str) -> str: macaroon = self._generate_base_macaroon(user_id) diff --git a/synapse/rest/client/v1/login.py b/synapse/rest/client/v1/login.py index 925edfc40239..1ec3a47ffb0d 100644 --- a/synapse/rest/client/v1/login.py +++ b/synapse/rest/client/v1/login.py @@ -283,12 +283,10 @@ async def _do_token_login(self, login_submission: JsonDict) -> Dict[str, str]: """ token = login_submission["token"] auth_handler = self.auth_handler - user_id = await auth_handler.validate_short_term_login_token_and_get_user_id( - token - ) + res = await auth_handler.validate_short_term_login_token(token) return await self._complete_login( - user_id, login_submission, self.auth_handler._sso_login_callback + res.user_id, login_submission, self.auth_handler._sso_login_callback ) async def _do_jwt_login(self, login_submission: JsonDict) -> Dict[str, str]: diff --git a/tests/handlers/test_auth.py b/tests/handlers/test_auth.py index 0e42013bb901..86d745224690 100644 --- a/tests/handlers/test_auth.py +++ b/tests/handlers/test_auth.py @@ -69,15 +69,13 @@ def verify_nonce(caveat): def test_short_term_login_token_gives_user_id(self): token = self.macaroon_generator.generate_short_term_login_token("a_user", 5000) - user_id = self.get_success( - self.auth_handler.validate_short_term_login_token_and_get_user_id(token) - ) - self.assertEqual("a_user", user_id) + res = self.get_success(self.auth_handler.validate_short_term_login_token(token)) + self.assertEqual("a_user", res.user_id) # when we advance the clock, the token should be rejected self.reactor.advance(6) self.get_failure( - self.auth_handler.validate_short_term_login_token_and_get_user_id(token), + self.auth_handler.validate_short_term_login_token(token), AuthError, ) @@ -85,21 +83,17 @@ def test_short_term_login_token_cannot_replace_user_id(self): token = self.macaroon_generator.generate_short_term_login_token("a_user", 5000) macaroon = pymacaroons.Macaroon.deserialize(token) - user_id = self.get_success( - self.auth_handler.validate_short_term_login_token_and_get_user_id( - macaroon.serialize() - ) + res = self.get_success( + self.auth_handler.validate_short_term_login_token(macaroon.serialize()) ) - self.assertEqual("a_user", user_id) + self.assertEqual("a_user", res.user_id) # add another "user_id" caveat, which might allow us to override the # user_id. macaroon.add_first_party_caveat("user_id = b_user") self.get_failure( - self.auth_handler.validate_short_term_login_token_and_get_user_id( - macaroon.serialize() - ), + self.auth_handler.validate_short_term_login_token(macaroon.serialize()), AuthError, ) @@ -113,7 +107,7 @@ def test_mau_limits_disabled(self): ) self.get_success( - self.auth_handler.validate_short_term_login_token_and_get_user_id( + self.auth_handler.validate_short_term_login_token( self._get_macaroon().serialize() ) ) @@ -135,7 +129,7 @@ def test_mau_limits_exceeded_large(self): return_value=make_awaitable(self.large_number_of_users) ) self.get_failure( - self.auth_handler.validate_short_term_login_token_and_get_user_id( + self.auth_handler.validate_short_term_login_token( self._get_macaroon().serialize() ), ResourceLimitError, @@ -159,7 +153,7 @@ def test_mau_limits_parity(self): ResourceLimitError, ) self.get_failure( - self.auth_handler.validate_short_term_login_token_and_get_user_id( + self.auth_handler.validate_short_term_login_token( self._get_macaroon().serialize() ), ResourceLimitError, @@ -175,7 +169,7 @@ def test_mau_limits_parity(self): ) ) self.get_success( - self.auth_handler.validate_short_term_login_token_and_get_user_id( + self.auth_handler.validate_short_term_login_token( self._get_macaroon().serialize() ) ) @@ -197,7 +191,7 @@ def test_mau_limits_not_exceeded(self): return_value=make_awaitable(self.small_number_of_users) ) self.get_success( - self.auth_handler.validate_short_term_login_token_and_get_user_id( + self.auth_handler.validate_short_term_login_token( self._get_macaroon().serialize() ) ) From 3d4902b066247c97ddb8eb18d008d75bd3be7357 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Sun, 28 Feb 2021 22:11:26 +0000 Subject: [PATCH 07/13] Allow login tokens to include auth_provider_id --- synapse/handlers/auth.py | 9 +++++++-- synapse/util/macaroons.py | 37 +++++++++++++++++++++++++++++++++---- tests/handlers/test_auth.py | 1 + 3 files changed, 41 insertions(+), 6 deletions(-) diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py index fa3b8efb7648..71b4262fad09 100644 --- a/synapse/handlers/auth.py +++ b/synapse/handlers/auth.py @@ -177,6 +177,9 @@ class LoginTokenAttributes: user_id = attr.ib(type=str) + # the SSO Identity Provider that the user authenticated with, to get this token + auth_provider_id = attr.ib(type=Optional[str]) + class AuthHandler(BaseHandler): SESSION_EXPIRE_MS = 48 * 60 * 60 * 1000 @@ -1601,15 +1604,17 @@ def verify_short_term_login_token(self, token: str) -> LoginTokenAttributes: """ macaroon = pymacaroons.Macaroon.deserialize(token) user_id = get_value_from_macaroon(macaroon, "user_id") + auth_provider_id = get_value_from_macaroon(macaroon, "auth_provider_id", None) v = pymacaroons.Verifier() v.satisfy_exact("gen = 1") v.satisfy_exact("type = login") - v.satisfy_exact("user_id = %s" % (user_id,)) + v.satisfy_general(lambda c: c.startswith("user_id = ")) + v.satisfy_general(lambda c: c.startswith("auth_provider_id = ")) satisfy_expiry(v, self.hs.get_clock().time_msec) v.verify(macaroon, self.hs.config.key.macaroon_secret_key) - return LoginTokenAttributes(user_id=user_id) + return LoginTokenAttributes(user_id=user_id, auth_provider_id=auth_provider_id) def generate_delete_pusher_token(self, user_id: str) -> str: macaroon = self._generate_base_macaroon(user_id) diff --git a/synapse/util/macaroons.py b/synapse/util/macaroons.py index 09a303a9eb00..235130fe89b4 100644 --- a/synapse/util/macaroons.py +++ b/synapse/util/macaroons.py @@ -16,13 +16,40 @@ """Utilities for manipulating macaroons""" -from typing import Callable, Optional +import enum +from typing import Callable, Optional, TypeVar, Union, overload import pymacaroons from pymacaroons.exceptions import MacaroonVerificationFailedException +_TV = TypeVar("_TV") + +class _Sentinel(enum.Enum): + # defining a sentinel in this way allows mypy to correctly handle the typing + sentinel = object() + + +_SENTINEL = object() + + +@overload def get_value_from_macaroon(macaroon: pymacaroons.Macaroon, key: str) -> str: + ... + + +@overload +def get_value_from_macaroon( + macaroon: pymacaroons.Macaroon, key: str, default: _TV +) -> Union[str, _TV]: + ... + + +def get_value_from_macaroon( + macaroon: pymacaroons.Macaroon, + key: str, + default=_SENTINEL, +): """Extracts a caveat value from a macaroon token. Checks that there is exactly one caveat of the form "key = " in the macaroon, @@ -33,10 +60,10 @@ def get_value_from_macaroon(macaroon: pymacaroons.Macaroon, key: str) -> str: key: the key of the caveat to extract Returns: - The extracted value + The extracted value, or `default` Raises: - KeyError: if the caveat was not in the macaroon + KeyError: if `default` was not given, and the caveat was not in the macaroon MacaroonVerificationFailedException: if there are conflicting values for the caveat in the macaroon """ @@ -59,7 +86,9 @@ def get_value_from_macaroon(macaroon: pymacaroons.Macaroon, key: str) -> str: if result is not None: return result - raise KeyError("No %s caveat in macaroon" % (key,)) + if default is _SENTINEL: + raise KeyError("No %s caveat in macaroon" % (key,)) + return default def satisfy_expiry(v: pymacaroons.Verifier, get_time_ms: Callable[[], int]) -> None: diff --git a/tests/handlers/test_auth.py b/tests/handlers/test_auth.py index 86d745224690..e759fb3b7293 100644 --- a/tests/handlers/test_auth.py +++ b/tests/handlers/test_auth.py @@ -71,6 +71,7 @@ def test_short_term_login_token_gives_user_id(self): token = self.macaroon_generator.generate_short_term_login_token("a_user", 5000) res = self.get_success(self.auth_handler.validate_short_term_login_token(token)) self.assertEqual("a_user", res.user_id) + self.assertIsNone(res.auth_provider_id) # when we advance the clock, the token should be rejected self.reactor.advance(6) From f2466b289fec989fb0022ca1687343d5e54648cd Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Sun, 28 Feb 2021 22:13:04 +0000 Subject: [PATCH 08/13] Store auth provider id in login tokens --- synapse/handlers/auth.py | 17 +++++++++++++++-- synapse/handlers/sso.py | 2 ++ synapse/module_api/__init__.py | 31 +++++++++++++++++++++++++++---- tests/handlers/test_auth.py | 8 ++++++++ 4 files changed, 52 insertions(+), 6 deletions(-) diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py index 71b4262fad09..229b7a31e80c 100644 --- a/synapse/handlers/auth.py +++ b/synapse/handlers/auth.py @@ -1406,6 +1406,7 @@ async def start_sso_ui_auth(self, request: SynapseRequest, session_id: str) -> s async def complete_sso_login( self, registered_user_id: str, + auth_provider_id: str, request: Request, client_redirect_url: str, extra_attributes: Optional[JsonDict] = None, @@ -1415,6 +1416,9 @@ async def complete_sso_login( Args: registered_user_id: The registered user ID to complete SSO login for. + auth_provider_id: The id of the SSO Identity provider that was used for + login. This will be stored in the login token for future tracking in + prometheus metrics. request: The request to complete. client_redirect_url: The URL to which to redirect the user at the end of the process. @@ -1436,6 +1440,7 @@ async def complete_sso_login( self._complete_sso_login( registered_user_id, + auth_provider_id, request, client_redirect_url, extra_attributes, @@ -1446,6 +1451,7 @@ async def complete_sso_login( def _complete_sso_login( self, registered_user_id: str, + auth_provider_id: str, request: Request, client_redirect_url: str, extra_attributes: Optional[JsonDict] = None, @@ -1472,7 +1478,7 @@ def _complete_sso_login( # Create a login token login_token = self.macaroon_gen.generate_short_term_login_token( - registered_user_id + registered_user_id, auth_provider_id=auth_provider_id ) # Append the login token to the original redirect URL (i.e. with its query @@ -1578,13 +1584,20 @@ def generate_access_token( return macaroon.serialize() def generate_short_term_login_token( - self, user_id: str, duration_in_ms: int = (2 * 60 * 1000) + self, + user_id: str, + duration_in_ms: int = (2 * 60 * 1000), + auth_provider_id: Optional[str] = None, ) -> str: macaroon = self._generate_base_macaroon(user_id) macaroon.add_first_party_caveat("type = login") now = self.hs.get_clock().time_msec() expiry = now + duration_in_ms macaroon.add_first_party_caveat("time < %d" % (expiry,)) + if auth_provider_id is not None: + macaroon.add_first_party_caveat( + "auth_provider_id = %s" % (auth_provider_id,) + ) return macaroon.serialize() def verify_short_term_login_token(self, token: str) -> LoginTokenAttributes: diff --git a/synapse/handlers/sso.py b/synapse/handlers/sso.py index 514b1f69d8ee..a98af2ba220c 100644 --- a/synapse/handlers/sso.py +++ b/synapse/handlers/sso.py @@ -456,6 +456,7 @@ async def complete_sso_login_request( await self._auth_handler.complete_sso_login( user_id, + auth_provider_id, request, client_redirect_url, extra_login_attributes, @@ -886,6 +887,7 @@ async def register_sso_user(self, request: Request, session_id: str) -> None: await self._auth_handler.complete_sso_login( user_id, + session.auth_provider_id, request, session.client_redirect_url, session.extra_login_attributes, diff --git a/synapse/module_api/__init__.py b/synapse/module_api/__init__.py index 2e3b311c4a08..a47d701aa3f2 100644 --- a/synapse/module_api/__init__.py +++ b/synapse/module_api/__init__.py @@ -203,11 +203,26 @@ def record_user_external_id( ) def generate_short_term_login_token( - self, user_id: str, duration_in_ms: int = (2 * 60 * 1000) + self, + user_id: str, + duration_in_ms: int = (2 * 60 * 1000), + auth_provider_id: Optional[str] = None, ) -> str: - """Generate a login token suitable for m.login.token authentication""" + """Generate a login token suitable for m.login.token authentication + + Args: + user_id: gives the ID of the user that the token is for + + duration_in_ms: the time that the token will be valid for + + auth_provider_id: the ID of the SSO IdP that the user used to authenticate + to get this token, if any. This is encoded in the token so that + /login can report stats on number of successful logins by IdP. + """ return self._hs.get_macaroon_generator().generate_short_term_login_token( - user_id, duration_in_ms + user_id, + duration_in_ms, + auth_provider_id=auth_provider_id, ) @defer.inlineCallbacks @@ -276,6 +291,7 @@ def complete_sso_login( """ self._auth_handler._complete_sso_login( registered_user_id, + "", request, client_redirect_url, ) @@ -286,6 +302,7 @@ async def complete_sso_login_async( request: SynapseRequest, client_redirect_url: str, new_user: bool = False, + auth_provider_id: str = "", ): """Complete a SSO login by redirecting the user to a page to confirm whether they want their access token sent to `client_redirect_url`, or redirect them to that @@ -299,9 +316,15 @@ async def complete_sso_login_async( redirect them directly if whitelisted). new_user: set to true to use wording for the consent appropriate to a user who has just registered. + auth_provider_id: the ID of the SSO IdP which was used to log in. This + is used to track counts of sucessful logins by IdP. """ await self._auth_handler.complete_sso_login( - registered_user_id, request, client_redirect_url, new_user=new_user + registered_user_id, + auth_provider_id, + request, + client_redirect_url, + new_user=new_user, ) @defer.inlineCallbacks diff --git a/tests/handlers/test_auth.py b/tests/handlers/test_auth.py index e759fb3b7293..78fa658f3753 100644 --- a/tests/handlers/test_auth.py +++ b/tests/handlers/test_auth.py @@ -80,6 +80,14 @@ def test_short_term_login_token_gives_user_id(self): AuthError, ) + def test_short_term_login_token_gives_auth_provider(self): + token = self.macaroon_generator.generate_short_term_login_token( + "a_user", auth_provider_id="my_idp" + ) + res = self.get_success(self.auth_handler.validate_short_term_login_token(token)) + self.assertEqual("a_user", res.user_id) + self.assertEqual("my_idp", res.auth_provider_id) + def test_short_term_login_token_cannot_replace_user_id(self): token = self.macaroon_generator.generate_short_term_login_token("a_user", 5000) macaroon = pymacaroons.Macaroon.deserialize(token) From cd7448ed6313bcd2ab8b6c413d552d5a12ea12ac Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Sun, 28 Feb 2021 22:29:45 +0000 Subject: [PATCH 09/13] changelog --- changelog.d/9510.feature | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/9510.feature diff --git a/changelog.d/9510.feature b/changelog.d/9510.feature new file mode 100644 index 000000000000..5214b50d414c --- /dev/null +++ b/changelog.d/9510.feature @@ -0,0 +1 @@ +Add prometheus metrics for number of users successfully registering and logging in. From a7e51122fa52bb436e47c7159d1acbd0121217d4 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Tue, 2 Mar 2021 13:26:56 +0000 Subject: [PATCH 10/13] Ensure that each login token has an auth provider id --- synapse/handlers/auth.py | 7 ++----- synapse/module_api/__init__.py | 4 ++-- tests/handlers/test_auth.py | 14 ++++++++++---- 3 files changed, 14 insertions(+), 11 deletions(-) diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py index 229b7a31e80c..918e7bdc9b1b 100644 --- a/synapse/handlers/auth.py +++ b/synapse/handlers/auth.py @@ -1586,18 +1586,15 @@ def generate_access_token( def generate_short_term_login_token( self, user_id: str, + auth_provider_id: str, duration_in_ms: int = (2 * 60 * 1000), - auth_provider_id: Optional[str] = None, ) -> str: macaroon = self._generate_base_macaroon(user_id) macaroon.add_first_party_caveat("type = login") now = self.hs.get_clock().time_msec() expiry = now + duration_in_ms macaroon.add_first_party_caveat("time < %d" % (expiry,)) - if auth_provider_id is not None: - macaroon.add_first_party_caveat( - "auth_provider_id = %s" % (auth_provider_id,) - ) + macaroon.add_first_party_caveat("auth_provider_id = %s" % (auth_provider_id,)) return macaroon.serialize() def verify_short_term_login_token(self, token: str) -> LoginTokenAttributes: diff --git a/synapse/module_api/__init__.py b/synapse/module_api/__init__.py index a47d701aa3f2..a840610c074a 100644 --- a/synapse/module_api/__init__.py +++ b/synapse/module_api/__init__.py @@ -206,7 +206,7 @@ def generate_short_term_login_token( self, user_id: str, duration_in_ms: int = (2 * 60 * 1000), - auth_provider_id: Optional[str] = None, + auth_provider_id: str = "", ) -> str: """Generate a login token suitable for m.login.token authentication @@ -221,8 +221,8 @@ def generate_short_term_login_token( """ return self._hs.get_macaroon_generator().generate_short_term_login_token( user_id, + auth_provider_id, duration_in_ms, - auth_provider_id=auth_provider_id, ) @defer.inlineCallbacks diff --git a/tests/handlers/test_auth.py b/tests/handlers/test_auth.py index 78fa658f3753..c9f889b5117d 100644 --- a/tests/handlers/test_auth.py +++ b/tests/handlers/test_auth.py @@ -68,10 +68,12 @@ def verify_nonce(caveat): v.verify(macaroon, self.hs.config.macaroon_secret_key) def test_short_term_login_token_gives_user_id(self): - token = self.macaroon_generator.generate_short_term_login_token("a_user", 5000) + token = self.macaroon_generator.generate_short_term_login_token( + "a_user", "", 5000 + ) res = self.get_success(self.auth_handler.validate_short_term_login_token(token)) self.assertEqual("a_user", res.user_id) - self.assertIsNone(res.auth_provider_id) + self.assertEqual("", res.auth_provider_id) # when we advance the clock, the token should be rejected self.reactor.advance(6) @@ -89,7 +91,9 @@ def test_short_term_login_token_gives_auth_provider(self): self.assertEqual("my_idp", res.auth_provider_id) def test_short_term_login_token_cannot_replace_user_id(self): - token = self.macaroon_generator.generate_short_term_login_token("a_user", 5000) + token = self.macaroon_generator.generate_short_term_login_token( + "a_user", "", 5000 + ) macaroon = pymacaroons.Macaroon.deserialize(token) res = self.get_success( @@ -206,5 +210,7 @@ def test_mau_limits_not_exceeded(self): ) def _get_macaroon(self): - token = self.macaroon_generator.generate_short_term_login_token("user_a", 5000) + token = self.macaroon_generator.generate_short_term_login_token( + "user_a", "", 5000 + ) return pymacaroons.Macaroon.deserialize(token) From 94226a4ffefecf4d48ea5ec1b702e799fbd375fd Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Wed, 3 Mar 2021 14:51:45 +0000 Subject: [PATCH 11/13] fix tests --- tests/handlers/test_cas.py | 10 +++++----- tests/handlers/test_oidc.py | 19 ++++++++++--------- tests/handlers/test_saml.py | 10 +++++----- 3 files changed, 20 insertions(+), 19 deletions(-) diff --git a/tests/handlers/test_cas.py b/tests/handlers/test_cas.py index 6f992291b8ba..7975af243c7c 100644 --- a/tests/handlers/test_cas.py +++ b/tests/handlers/test_cas.py @@ -66,7 +66,7 @@ def test_map_cas_user_to_user(self): # check that the auth handler got called as expected auth_handler.complete_sso_login.assert_called_once_with( - "@test_user:test", request, "redirect_uri", None, new_user=True + "@test_user:test", "cas", request, "redirect_uri", None, new_user=True ) def test_map_cas_user_to_existing_user(self): @@ -89,7 +89,7 @@ def test_map_cas_user_to_existing_user(self): # check that the auth handler got called as expected auth_handler.complete_sso_login.assert_called_once_with( - "@test_user:test", request, "redirect_uri", None, new_user=False + "@test_user:test", "cas", request, "redirect_uri", None, new_user=False ) # Subsequent calls should map to the same mxid. @@ -98,7 +98,7 @@ def test_map_cas_user_to_existing_user(self): self.handler._handle_cas_response(request, cas_response, "redirect_uri", "") ) auth_handler.complete_sso_login.assert_called_once_with( - "@test_user:test", request, "redirect_uri", None, new_user=False + "@test_user:test", "cas", request, "redirect_uri", None, new_user=False ) def test_map_cas_user_to_invalid_localpart(self): @@ -116,7 +116,7 @@ def test_map_cas_user_to_invalid_localpart(self): # check that the auth handler got called as expected auth_handler.complete_sso_login.assert_called_once_with( - "@f=c3=b6=c3=b6:test", request, "redirect_uri", None, new_user=True + "@f=c3=b6=c3=b6:test", "cas", request, "redirect_uri", None, new_user=True ) @override_config( @@ -160,7 +160,7 @@ def test_required_attributes(self): # check that the auth handler got called as expected auth_handler.complete_sso_login.assert_called_once_with( - "@test_user:test", request, "redirect_uri", None, new_user=True + "@test_user:test", "cas", request, "redirect_uri", None, new_user=True ) diff --git a/tests/handlers/test_oidc.py b/tests/handlers/test_oidc.py index 006234ffcec9..1ad0c46eb235 100644 --- a/tests/handlers/test_oidc.py +++ b/tests/handlers/test_oidc.py @@ -429,7 +429,7 @@ def test_callback(self): self.get_success(self.handler.handle_oidc_callback(request)) auth_handler.complete_sso_login.assert_called_once_with( - expected_user_id, request, client_redirect_url, None, new_user=True + expected_user_id, "oidc", request, client_redirect_url, None, new_user=True ) self.provider._exchange_code.assert_called_once_with(code) self.provider._parse_id_token.assert_called_once_with(token, nonce=nonce) @@ -460,7 +460,7 @@ def test_callback(self): self.get_success(self.handler.handle_oidc_callback(request)) auth_handler.complete_sso_login.assert_called_once_with( - expected_user_id, request, client_redirect_url, None, new_user=False + expected_user_id, "oidc", request, client_redirect_url, None, new_user=False ) self.provider._exchange_code.assert_called_once_with(code) self.provider._parse_id_token.assert_not_called() @@ -646,6 +646,7 @@ def test_extra_attributes(self): auth_handler.complete_sso_login.assert_called_once_with( "@foo:test", + "oidc", request, client_redirect_url, {"phone": "1234567"}, @@ -663,7 +664,7 @@ def test_map_userinfo_to_user(self): } self.get_success(_make_callback_with_userinfo(self.hs, userinfo)) auth_handler.complete_sso_login.assert_called_once_with( - "@test_user:test", ANY, ANY, None, new_user=True + "@test_user:test", "oidc", ANY, ANY, None, new_user=True ) auth_handler.complete_sso_login.reset_mock() @@ -674,7 +675,7 @@ def test_map_userinfo_to_user(self): } self.get_success(_make_callback_with_userinfo(self.hs, userinfo)) auth_handler.complete_sso_login.assert_called_once_with( - "@test_user_2:test", ANY, ANY, None, new_user=True + "@test_user_2:test", "oidc", ANY, ANY, None, new_user=True ) auth_handler.complete_sso_login.reset_mock() @@ -711,14 +712,14 @@ def test_map_userinfo_to_existing_user(self): } self.get_success(_make_callback_with_userinfo(self.hs, userinfo)) auth_handler.complete_sso_login.assert_called_once_with( - user.to_string(), ANY, ANY, None, new_user=False + user.to_string(), "oidc", ANY, ANY, None, new_user=False ) auth_handler.complete_sso_login.reset_mock() # Subsequent calls should map to the same mxid. self.get_success(_make_callback_with_userinfo(self.hs, userinfo)) auth_handler.complete_sso_login.assert_called_once_with( - user.to_string(), ANY, ANY, None, new_user=False + user.to_string(), "oidc", ANY, ANY, None, new_user=False ) auth_handler.complete_sso_login.reset_mock() @@ -733,7 +734,7 @@ def test_map_userinfo_to_existing_user(self): } self.get_success(_make_callback_with_userinfo(self.hs, userinfo)) auth_handler.complete_sso_login.assert_called_once_with( - user.to_string(), ANY, ANY, None, new_user=False + user.to_string(), "oidc", ANY, ANY, None, new_user=False ) auth_handler.complete_sso_login.reset_mock() @@ -769,7 +770,7 @@ def test_map_userinfo_to_existing_user(self): self.get_success(_make_callback_with_userinfo(self.hs, userinfo)) auth_handler.complete_sso_login.assert_called_once_with( - "@TEST_USER_2:test", ANY, ANY, None, new_user=False + "@TEST_USER_2:test", "oidc", ANY, ANY, None, new_user=False ) def test_map_userinfo_to_invalid_localpart(self): @@ -805,7 +806,7 @@ def test_map_userinfo_to_user_retries(self): # test_user is already taken, so test_user1 gets registered instead. auth_handler.complete_sso_login.assert_called_once_with( - "@test_user1:test", ANY, ANY, None, new_user=True + "@test_user1:test", "oidc", ANY, ANY, None, new_user=True ) auth_handler.complete_sso_login.reset_mock() diff --git a/tests/handlers/test_saml.py b/tests/handlers/test_saml.py index 029af2853e17..30efd43b4060 100644 --- a/tests/handlers/test_saml.py +++ b/tests/handlers/test_saml.py @@ -131,7 +131,7 @@ def test_map_saml_response_to_user(self): # check that the auth handler got called as expected auth_handler.complete_sso_login.assert_called_once_with( - "@test_user:test", request, "redirect_uri", None, new_user=True + "@test_user:test", "saml", request, "redirect_uri", None, new_user=True ) @override_config({"saml2_config": {"grandfathered_mxid_source_attribute": "mxid"}}) @@ -157,7 +157,7 @@ def test_map_saml_response_to_existing_user(self): # check that the auth handler got called as expected auth_handler.complete_sso_login.assert_called_once_with( - "@test_user:test", request, "", None, new_user=False + "@test_user:test", "saml", request, "", None, new_user=False ) # Subsequent calls should map to the same mxid. @@ -166,7 +166,7 @@ def test_map_saml_response_to_existing_user(self): self.handler._handle_authn_response(request, saml_response, "") ) auth_handler.complete_sso_login.assert_called_once_with( - "@test_user:test", request, "", None, new_user=False + "@test_user:test", "saml", request, "", None, new_user=False ) def test_map_saml_response_to_invalid_localpart(self): @@ -214,7 +214,7 @@ def test_map_saml_response_to_user_retries(self): # test_user is already taken, so test_user1 gets registered instead. auth_handler.complete_sso_login.assert_called_once_with( - "@test_user1:test", request, "", None, new_user=True + "@test_user1:test", "saml", request, "", None, new_user=True ) auth_handler.complete_sso_login.reset_mock() @@ -310,7 +310,7 @@ def test_attribute_requirements(self): # check that the auth handler got called as expected auth_handler.complete_sso_login.assert_called_once_with( - "@test_user:test", request, "redirect_uri", None, new_user=True + "@test_user:test", "saml", request, "redirect_uri", None, new_user=True ) From 92a2f05379dc817a8d69d5bdc27b0a5ef0370a3e Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Thu, 4 Mar 2021 11:29:27 +0000 Subject: [PATCH 12/13] Remove support for default values in macaroons --- synapse/handlers/auth.py | 2 +- synapse/handlers/oidc_handler.py | 23 ++++++----------- synapse/util/macaroons.py | 43 +++++++------------------------- tests/handlers/test_oidc.py | 4 +-- 4 files changed, 19 insertions(+), 53 deletions(-) diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py index e7061da7d598..15a6badb4bfe 100644 --- a/synapse/handlers/auth.py +++ b/synapse/handlers/auth.py @@ -1614,7 +1614,7 @@ def verify_short_term_login_token(self, token: str) -> LoginTokenAttributes: """ macaroon = pymacaroons.Macaroon.deserialize(token) user_id = get_value_from_macaroon(macaroon, "user_id") - auth_provider_id = get_value_from_macaroon(macaroon, "auth_provider_id", None) + auth_provider_id = get_value_from_macaroon(macaroon, "auth_provider_id") v = pymacaroons.Verifier() v.satisfy_exact("gen = 1") diff --git a/synapse/handlers/oidc_handler.py b/synapse/handlers/oidc_handler.py index 85e502a8d991..b4a74390cca3 100644 --- a/synapse/handlers/oidc_handler.py +++ b/synapse/handlers/oidc_handler.py @@ -746,7 +746,7 @@ async def handle_redirect_request( idp_id=self.idp_id, nonce=nonce, client_redirect_url=client_redirect_url.decode(), - ui_auth_session_id=ui_auth_session_id, + ui_auth_session_id=ui_auth_session_id or "", ), ) @@ -1021,10 +1021,9 @@ def generate_oidc_session_token( macaroon.add_first_party_caveat( "client_redirect_url = %s" % (session_data.client_redirect_url,) ) - if session_data.ui_auth_session_id: - macaroon.add_first_party_caveat( - "ui_auth_session_id = %s" % (session_data.ui_auth_session_id,) - ) + macaroon.add_first_party_caveat( + "ui_auth_session_id = %s" % (session_data.ui_auth_session_id,) + ) now = self._clock.time_msec() expiry = now + duration_in_ms macaroon.add_first_party_caveat("time < %d" % (expiry,)) @@ -1058,8 +1057,6 @@ def verify_oidc_session_token( v.satisfy_general(lambda c: c.startswith("nonce = ")) v.satisfy_general(lambda c: c.startswith("idp_id = ")) v.satisfy_general(lambda c: c.startswith("client_redirect_url = ")) - # Sometimes there's a UI auth session ID, it seems to be OK to attempt - # to always satisfy this. v.satisfy_general(lambda c: c.startswith("ui_auth_session_id = ")) satisfy_expiry(v, self._clock.time_msec) @@ -1069,13 +1066,7 @@ def verify_oidc_session_token( nonce = get_value_from_macaroon(macaroon, "nonce") idp_id = get_value_from_macaroon(macaroon, "idp_id") client_redirect_url = get_value_from_macaroon(macaroon, "client_redirect_url") - try: - ui_auth_session_id = get_value_from_macaroon( - macaroon, "ui_auth_session_id" - ) # type: Optional[str] - except KeyError: - ui_auth_session_id = None - + ui_auth_session_id = get_value_from_macaroon(macaroon, "ui_auth_session_id") return OidcSessionData( nonce=nonce, idp_id=idp_id, @@ -1097,8 +1088,8 @@ class OidcSessionData: # The URL the client gave when it initiated the flow. ("" if this is a UI Auth) client_redirect_url = attr.ib(type=str) - # The session ID of the ongoing UI Auth (None if this is a login) - ui_auth_session_id = attr.ib(type=Optional[str], default=None) + # The session ID of the ongoing UI Auth ("" if this is a login) + ui_auth_session_id = attr.ib(type=str) UserAttributeDict = TypedDict( diff --git a/synapse/util/macaroons.py b/synapse/util/macaroons.py index 235130fe89b4..12cdd53327cd 100644 --- a/synapse/util/macaroons.py +++ b/synapse/util/macaroons.py @@ -16,40 +16,13 @@ """Utilities for manipulating macaroons""" -import enum -from typing import Callable, Optional, TypeVar, Union, overload +from typing import Callable, Optional import pymacaroons from pymacaroons.exceptions import MacaroonVerificationFailedException -_TV = TypeVar("_TV") - -class _Sentinel(enum.Enum): - # defining a sentinel in this way allows mypy to correctly handle the typing - sentinel = object() - - -_SENTINEL = object() - - -@overload def get_value_from_macaroon(macaroon: pymacaroons.Macaroon, key: str) -> str: - ... - - -@overload -def get_value_from_macaroon( - macaroon: pymacaroons.Macaroon, key: str, default: _TV -) -> Union[str, _TV]: - ... - - -def get_value_from_macaroon( - macaroon: pymacaroons.Macaroon, - key: str, - default=_SENTINEL, -): """Extracts a caveat value from a macaroon token. Checks that there is exactly one caveat of the form "key = " in the macaroon, @@ -60,12 +33,11 @@ def get_value_from_macaroon( key: the key of the caveat to extract Returns: - The extracted value, or `default` + The extracted value Raises: - KeyError: if `default` was not given, and the caveat was not in the macaroon MacaroonVerificationFailedException: if there are conflicting values for the - caveat in the macaroon + caveat in the macaroon, or if the caveat was not found in the macaroon. """ prefix = key + " = " result = None # type: Optional[str] @@ -86,9 +58,12 @@ def get_value_from_macaroon( if result is not None: return result - if default is _SENTINEL: - raise KeyError("No %s caveat in macaroon" % (key,)) - return default + + # If the caveat is not there, we raise a MacaroonVerificationFailedException. + # Note that it is insecure to generate a macaroon without all the caveats you + # might need (because there is nothing stopping people from adding extra caveats), + # so if the caveat isn't there, something odd must be going on. + raise MacaroonVerificationFailedException("No %s caveat in macaroon" % (key,)) def satisfy_expiry(v: pymacaroons.Verifier, get_time_ms: Callable[[], int]) -> None: diff --git a/tests/handlers/test_oidc.py b/tests/handlers/test_oidc.py index 1ad0c46eb235..02d4b2de0d24 100644 --- a/tests/handlers/test_oidc.py +++ b/tests/handlers/test_oidc.py @@ -13,7 +13,6 @@ # See the License for the specific language governing permissions and # limitations under the License. import json -from typing import Optional from urllib.parse import parse_qs, urlparse from mock import ANY, Mock, patch @@ -862,7 +861,7 @@ def _generate_oidc_session_token( state: str, nonce: str, client_redirect_url: str, - ui_auth_session_id: Optional[str] = None, + ui_auth_session_id: str = "", ) -> str: from synapse.handlers.oidc_handler import OidcSessionData @@ -905,6 +904,7 @@ async def _make_callback_with_userinfo( idp_id="oidc", nonce="nonce", client_redirect_url=client_redirect_url, + ui_auth_session_id="", ), ) request = _build_callback_request("code", state, session) From ee4f580c90ddc1cff26a7a248e999602ffb00345 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Thu, 4 Mar 2021 12:03:44 +0000 Subject: [PATCH 13/13] auth_provider_id is no longer Optional --- synapse/handlers/auth.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py index 15a6badb4bfe..bec0c615d4ea 100644 --- a/synapse/handlers/auth.py +++ b/synapse/handlers/auth.py @@ -178,7 +178,7 @@ class LoginTokenAttributes: user_id = attr.ib(type=str) # the SSO Identity Provider that the user authenticated with, to get this token - auth_provider_id = attr.ib(type=Optional[str]) + auth_provider_id = attr.ib(type=str) class AuthHandler(BaseHandler):