Process requests for 3PID invites (#201)
* Structure for 3PID invite * Generate invite from 3PID known by ID server * Load user profile in a separate function * Generate m.room.third_party_invite if the ID server doesn't know the 3PID * Fix URLs to the spec in comments * Move third-party invites to a separate package and doc' it * Handle non-OK status codes on lookup * Send display name to identity server when asking to store an invite * Remove join response structure * Change the way some variables are declared or passed as argument * Use gomatrixserverlib.Base64String instead of the builtin base64 package * Don't copy the public keys array
This commit is contained in:
parent
685e056ab3
commit
2183712e04
@ -0,0 +1,356 @@
|
||||
// Copyright 2017 Vector Creations Ltd
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package thirdpartyinvites
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/matrix-org/dendrite/clientapi/auth/authtypes"
|
||||
"github.com/matrix-org/dendrite/clientapi/auth/storage/accounts"
|
||||
"github.com/matrix-org/dendrite/clientapi/events"
|
||||
"github.com/matrix-org/dendrite/clientapi/httputil"
|
||||
"github.com/matrix-org/dendrite/clientapi/jsonerror"
|
||||
"github.com/matrix-org/dendrite/clientapi/producers"
|
||||
"github.com/matrix-org/dendrite/common"
|
||||
"github.com/matrix-org/dendrite/common/config"
|
||||
"github.com/matrix-org/dendrite/roomserver/api"
|
||||
"github.com/matrix-org/gomatrixserverlib"
|
||||
|
||||
"github.com/matrix-org/util"
|
||||
)
|
||||
|
||||
// MembershipRequest represents the body of an incoming POST request
|
||||
// on /rooms/{roomID}/(join|kick|ban|unban|leave|invite)
|
||||
type MembershipRequest struct {
|
||||
UserID string `json:"user_id"`
|
||||
Reason string `json:"reason"`
|
||||
IDServer string `json:"id_server"`
|
||||
Medium string `json:"medium"`
|
||||
Address string `json:"address"`
|
||||
}
|
||||
|
||||
// idServerLookupResponse represents the response described at https://matrix.org/docs/spec/client_server/r0.2.0.html#get-matrix-identity-api-v1-lookup
|
||||
type idServerLookupResponse struct {
|
||||
TS int64 `json:"ts"`
|
||||
NotBefore int64 `json:"not_before"`
|
||||
NotAfter int64 `json:"not_after"`
|
||||
Medium string `json:"medium"`
|
||||
Address string `json:"address"`
|
||||
MXID string `json:"mxid"`
|
||||
Signatures map[string]map[string]string `json:"signatures"`
|
||||
}
|
||||
|
||||
// idServerLookupResponse represents the response described at https://matrix.org/docs/spec/client_server/r0.2.0.html#invitation-storage
|
||||
type idServerStoreInviteResponse struct {
|
||||
PublicKey string `json:"public_key"`
|
||||
Token string `json:"token"`
|
||||
DisplayName string `json:"display_name"`
|
||||
PublicKeys []common.PublicKey `json:"public_keys"`
|
||||
}
|
||||
|
||||
// CheckAndProcess analyses the body of an incoming membership request.
|
||||
// If the fields relative to a third-party-invite are all supplied, lookups the
|
||||
// matching Matrix ID from the given identity server. If no Matrix ID is
|
||||
// associated to the given 3PID, asks the identity server to store the invite
|
||||
// and emit a "m.room.third_party_invite" event.
|
||||
// Returns a representation of the HTTP response to send to the user.
|
||||
// Returns a representation of a non-200 HTTP response if something went wrong
|
||||
// in the process, or if some 3PID fields aren't supplied but others are.
|
||||
// If none of the 3PID-specific fields are supplied, or if a Matrix ID is
|
||||
// supplied by the identity server, returns nil to indicate that the request
|
||||
// must be processed as a non-3PID membership request. In the latter case,
|
||||
// fills the Matrix ID in the request body so a normal invite membership event
|
||||
// can be emitted.
|
||||
func CheckAndProcess(
|
||||
req *http.Request, device *authtypes.Device, body *MembershipRequest,
|
||||
cfg config.Dendrite, queryAPI api.RoomserverQueryAPI, db *accounts.Database,
|
||||
producer *producers.RoomserverProducer, membership string, roomID string,
|
||||
) *util.JSONResponse {
|
||||
if membership != "invite" || (body.Address == "" && body.IDServer == "" && body.Medium == "") {
|
||||
// If none of the 3PID-specific fields are supplied, it's a standard invite
|
||||
// so return nil for it to be processed as such
|
||||
return nil
|
||||
} else if body.Address == "" || body.IDServer == "" || body.Medium == "" {
|
||||
// If at least one of the 3PID-specific fields is supplied but not all
|
||||
// of them, return an error
|
||||
return &util.JSONResponse{
|
||||
Code: 400,
|
||||
JSON: jsonerror.BadJSON("'address', 'id_server' and 'medium' must all be supplied"),
|
||||
}
|
||||
}
|
||||
|
||||
lookupRes, storeInviteRes, err := queryIDServer(req, db, cfg, device, body, roomID)
|
||||
if err != nil {
|
||||
resErr := httputil.LogThenError(req, err)
|
||||
return &resErr
|
||||
}
|
||||
|
||||
if lookupRes.MXID == "" {
|
||||
// No Matrix ID could be found for this 3PID, meaning that a
|
||||
// "m.room.third_party_invite" have to be emitted from the data in
|
||||
// storeInviteRes.
|
||||
err = emit3PIDInviteEvent(body, storeInviteRes, device, roomID, cfg, queryAPI, producer)
|
||||
if err == events.ErrRoomNoExists {
|
||||
return &util.JSONResponse{
|
||||
Code: 404,
|
||||
JSON: jsonerror.NotFound(err.Error()),
|
||||
}
|
||||
} else if err != nil {
|
||||
resErr := httputil.LogThenError(req, err)
|
||||
return &resErr
|
||||
}
|
||||
|
||||
// If everything went well, returns with an empty response.
|
||||
return &util.JSONResponse{
|
||||
Code: 200,
|
||||
JSON: struct{}{},
|
||||
}
|
||||
}
|
||||
|
||||
// A Matrix ID have been found: set it in the body request and let the process
|
||||
// continue to create a "m.room.member" event with an "invite" membership
|
||||
body.UserID = lookupRes.MXID
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// queryIDServer handles all the requests to the identity server, starting by
|
||||
// looking up the given 3PID on the given identity server.
|
||||
// If the lookup returned a Matrix ID, checks if the current time is within the
|
||||
// time frame in which the 3PID-MXID association is known to be valid, and checks
|
||||
// the response's signatures. If one of the checks fails, returns an error.
|
||||
// If the lookup didn't return a Matrix ID, asks the identity server to store
|
||||
// the invite and to respond with a token.
|
||||
// Returns a representation of the response for both cases.
|
||||
// Returns an error if a check or a request failed.
|
||||
func queryIDServer(
|
||||
req *http.Request, db *accounts.Database, cfg config.Dendrite,
|
||||
device *authtypes.Device, body *MembershipRequest, roomID string,
|
||||
) (lookupRes *idServerLookupResponse, storeInviteRes *idServerStoreInviteResponse, err error) {
|
||||
// Lookup the 3PID
|
||||
lookupRes, err = queryIDServerLookup(body)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
if lookupRes.MXID == "" {
|
||||
// No Matrix ID matches with the given 3PID, ask the server to store the
|
||||
// invite and return a token
|
||||
storeInviteRes, err = queryIDServerStoreInvite(db, cfg, device, body, roomID)
|
||||
return
|
||||
}
|
||||
|
||||
// A Matrix ID matches with the given 3PID
|
||||
// Get timestamp in milliseconds to compare it with the timestamps provided
|
||||
// by the identity server
|
||||
now := time.Now().UnixNano() / 1000000
|
||||
if lookupRes.NotBefore > now || now > lookupRes.NotAfter {
|
||||
// If the current timestamp isn't in the time frame in which the association
|
||||
// is known to be valid, re-run the query
|
||||
return queryIDServer(req, db, cfg, device, body, roomID)
|
||||
}
|
||||
|
||||
// Check the request signatures and send an error if one isn't valid
|
||||
if err = checkIDServerSignatures(body, lookupRes); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// queryIDServerLookup sends a response to the identity server on /_matrix/identity/api/v1/lookup
|
||||
// and returns the response as a structure.
|
||||
// Returns an error if the request failed to send or if the response couldn't be parsed.
|
||||
func queryIDServerLookup(body *MembershipRequest) (*idServerLookupResponse, error) {
|
||||
address := url.QueryEscape(body.Address)
|
||||
url := fmt.Sprintf("https://%s/_matrix/identity/api/v1/lookup?medium=%s&address=%s", body.IDServer, body.Medium, address)
|
||||
resp, err := http.Get(url)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
// TODO: Log the error supplied with the identity server?
|
||||
errMgs := fmt.Sprintf("Failed to ask %s to store an invite for %s", body.IDServer, body.Address)
|
||||
return nil, errors.New(errMgs)
|
||||
}
|
||||
|
||||
var res idServerLookupResponse
|
||||
err = json.NewDecoder(resp.Body).Decode(&res)
|
||||
return &res, err
|
||||
}
|
||||
|
||||
// queryIDServerStoreInvite sends a response to the identity server on /_matrix/identity/api/v1/store-invite
|
||||
// and returns the response as a structure.
|
||||
// Returns an error if the request failed to send or if the response couldn't be parsed.
|
||||
func queryIDServerStoreInvite(
|
||||
db *accounts.Database, cfg config.Dendrite, device *authtypes.Device,
|
||||
body *MembershipRequest, roomID string,
|
||||
) (*idServerStoreInviteResponse, error) {
|
||||
// Retrieve the sender's profile to get their display name
|
||||
localpart, serverName, err := gomatrixserverlib.SplitID('@', device.UserID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var profile *authtypes.Profile
|
||||
if serverName == cfg.Matrix.ServerName {
|
||||
profile, err = db.GetProfileByLocalpart(localpart)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
} else {
|
||||
profile = &authtypes.Profile{}
|
||||
}
|
||||
|
||||
client := http.Client{}
|
||||
|
||||
data := url.Values{}
|
||||
data.Add("medium", body.Medium)
|
||||
data.Add("address", body.Address)
|
||||
data.Add("room_id", roomID)
|
||||
data.Add("sender", device.UserID)
|
||||
data.Add("sender_display_name", profile.DisplayName)
|
||||
// TODO: Also send:
|
||||
// - The room name (room_name)
|
||||
// - The room's avatar url (room_avatar_url)
|
||||
// See https://github.com/matrix-org/sydent/blob/master/sydent/http/servlets/store_invite_servlet.py#L82-L91
|
||||
// These can be easily retrieved by requesting the public rooms API
|
||||
// server's database.
|
||||
|
||||
url := fmt.Sprintf("https://%s/_matrix/identity/api/v1/store-invite", body.IDServer)
|
||||
req, err := http.NewRequest("POST", url, strings.NewReader(data.Encode()))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
// TODO: Log the error supplied with the identity server?
|
||||
errMsg := fmt.Sprintf("Identity server %s responded with a %d error code", body.IDServer, resp.StatusCode)
|
||||
return nil, errors.New(errMsg)
|
||||
}
|
||||
|
||||
var idResp idServerStoreInviteResponse
|
||||
err = json.NewDecoder(resp.Body).Decode(&idResp)
|
||||
return &idResp, err
|
||||
}
|
||||
|
||||
// queryIDServerPubKey requests a public key identified with a given ID to the
|
||||
// a given identity server and returns the matching base64-decoded public key.
|
||||
// Returns an error if the request couldn't be sent, if its body couldn't be parsed
|
||||
// or if the key couldn't be decoded from base64.
|
||||
func queryIDServerPubKey(idServerName string, keyID string) ([]byte, error) {
|
||||
url := fmt.Sprintf("https://%s/_matrix/identity/api/v1/pubkey/%s", idServerName, keyID)
|
||||
resp, err := http.Get(url)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var pubKeyRes struct {
|
||||
PublicKey gomatrixserverlib.Base64String `json:"public_key"`
|
||||
}
|
||||
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
// TODO: Log the error supplied with the identity server?
|
||||
errMsg := fmt.Sprintf("Couldn't retrieve key %s from server %s", keyID, idServerName)
|
||||
return nil, errors.New(errMsg)
|
||||
}
|
||||
|
||||
err = json.NewDecoder(resp.Body).Decode(&pubKeyRes)
|
||||
return pubKeyRes.PublicKey, err
|
||||
}
|
||||
|
||||
// checkIDServerSignatures iterates over the signatures of a requests.
|
||||
// If no signature can be found for the ID server's domain, returns an error, else
|
||||
// iterates over the signature for the said domain, retrieves the matching public
|
||||
// key, and verify it.
|
||||
// Returns nil if all the verifications succeeded.
|
||||
// Returns an error if something failed in the process.
|
||||
func checkIDServerSignatures(body *MembershipRequest, res *idServerLookupResponse) error {
|
||||
// Mashall the body so we can give it to VerifyJSON
|
||||
marshalledBody, err := json.Marshal(*res)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// TODO: Check if the domain is part of a list of trusted ID servers
|
||||
signatures, ok := res.Signatures[body.IDServer]
|
||||
if !ok {
|
||||
return errors.New("No signature for domain " + body.IDServer)
|
||||
}
|
||||
|
||||
for keyID := range signatures {
|
||||
pubKey, err := queryIDServerPubKey(body.IDServer, keyID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err = gomatrixserverlib.VerifyJSON(body.IDServer, gomatrixserverlib.KeyID(keyID), pubKey, marshalledBody); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// emit3PIDInviteEvent builds and sends a "m.room.third_party_invite" event.
|
||||
// Returns an error if something failed in the process.
|
||||
func emit3PIDInviteEvent(
|
||||
body *MembershipRequest, res *idServerStoreInviteResponse,
|
||||
device *authtypes.Device, roomID string, cfg config.Dendrite,
|
||||
queryAPI api.RoomserverQueryAPI, producer *producers.RoomserverProducer,
|
||||
) error {
|
||||
builder := &gomatrixserverlib.EventBuilder{
|
||||
Sender: device.UserID,
|
||||
RoomID: roomID,
|
||||
Type: "m.room.third_party_invite",
|
||||
StateKey: &res.Token,
|
||||
}
|
||||
|
||||
validityURL := fmt.Sprintf("https://%s/_matrix/identity/api/v1/pubkey/isvalid", body.IDServer)
|
||||
content := common.ThirdPartyInviteContent{
|
||||
DisplayName: res.DisplayName,
|
||||
KeyValidityURL: validityURL,
|
||||
PublicKey: res.PublicKey,
|
||||
PublicKeys: res.PublicKeys,
|
||||
}
|
||||
|
||||
if err := builder.SetContent(content); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var queryRes *api.QueryLatestEventsAndStateResponse
|
||||
event, err := events.BuildEvent(builder, cfg, queryAPI, queryRes)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := producer.SendEvents([]gomatrixserverlib.Event{*event}, cfg.Matrix.ServerName); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
@ -23,6 +23,7 @@ import (
|
||||
"github.com/matrix-org/dendrite/clientapi/httputil"
|
||||
"github.com/matrix-org/dendrite/clientapi/jsonerror"
|
||||
"github.com/matrix-org/dendrite/clientapi/producers"
|
||||
"github.com/matrix-org/dendrite/clientapi/thirdpartyinvites"
|
||||
"github.com/matrix-org/dendrite/common"
|
||||
"github.com/matrix-org/dendrite/common/config"
|
||||
"github.com/matrix-org/dendrite/roomserver/api"
|
||||
@ -38,26 +39,27 @@ func SendMembership(
|
||||
roomID string, membership string, cfg config.Dendrite,
|
||||
queryAPI api.RoomserverQueryAPI, producer *producers.RoomserverProducer,
|
||||
) util.JSONResponse {
|
||||
stateKey, reason, reqErr := getMembershipStateKey(req, device, membership)
|
||||
var body thirdpartyinvites.MembershipRequest
|
||||
if reqErr := httputil.UnmarshalJSONRequest(req, &body); reqErr != nil {
|
||||
return *reqErr
|
||||
}
|
||||
|
||||
if res := thirdpartyinvites.CheckAndProcess(
|
||||
req, device, &body, cfg, queryAPI, accountDB, producer, membership, roomID,
|
||||
); res != nil {
|
||||
return *res
|
||||
}
|
||||
|
||||
stateKey, reason, reqErr := getMembershipStateKey(body, device, membership)
|
||||
if reqErr != nil {
|
||||
return *reqErr
|
||||
}
|
||||
|
||||
localpart, serverName, err := gomatrixserverlib.SplitID('@', stateKey)
|
||||
profile, err := loadProfile(stateKey, cfg, accountDB)
|
||||
if err != nil {
|
||||
return httputil.LogThenError(req, err)
|
||||
}
|
||||
|
||||
var profile *authtypes.Profile
|
||||
if serverName == cfg.Matrix.ServerName {
|
||||
profile, err = accountDB.GetProfileByLocalpart(localpart)
|
||||
if err != nil {
|
||||
return httputil.LogThenError(req, err)
|
||||
}
|
||||
} else {
|
||||
profile = &authtypes.Profile{}
|
||||
}
|
||||
|
||||
builder := gomatrixserverlib.EventBuilder{
|
||||
Sender: device.UserID,
|
||||
RoomID: roomID,
|
||||
@ -101,28 +103,39 @@ func SendMembership(
|
||||
}
|
||||
}
|
||||
|
||||
// loadProfile lookups the profile of a given user from the database and returns
|
||||
// it if the user is local to this server, or returns an empty profile if not.
|
||||
// Returns an error if the retrieval failed or if the first parameter isn't a
|
||||
// valid Matrix ID.
|
||||
func loadProfile(userID string, cfg config.Dendrite, accountDB *accounts.Database) (*authtypes.Profile, error) {
|
||||
localpart, serverName, err := gomatrixserverlib.SplitID('@', userID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var profile *authtypes.Profile
|
||||
if serverName == cfg.Matrix.ServerName {
|
||||
profile, err = accountDB.GetProfileByLocalpart(localpart)
|
||||
} else {
|
||||
profile = &authtypes.Profile{}
|
||||
}
|
||||
|
||||
return profile, err
|
||||
}
|
||||
|
||||
// getMembershipStateKey extracts the target user ID of a membership change.
|
||||
// For "join" and "leave" this will be the ID of the user making the change.
|
||||
// For "ban", "unban", "kick" and "invite" the target user ID will be in the JSON request body.
|
||||
// In the latter case, if there was an issue retrieving the user ID from the request body,
|
||||
// returns a JSONResponse with a corresponding error code and message.
|
||||
func getMembershipStateKey(
|
||||
req *http.Request, device *authtypes.Device, membership string,
|
||||
body thirdpartyinvites.MembershipRequest, device *authtypes.Device, membership string,
|
||||
) (stateKey string, reason string, response *util.JSONResponse) {
|
||||
if membership == "ban" || membership == "unban" || membership == "kick" || membership == "invite" {
|
||||
// If we're in this case, the state key is contained in the request body,
|
||||
// possibly along with a reason (for "kick" and "ban") so we need to parse
|
||||
// it
|
||||
var requestBody struct {
|
||||
UserID string `json:"user_id"`
|
||||
Reason string `json:"reason"`
|
||||
}
|
||||
|
||||
if reqErr := httputil.UnmarshalJSONRequest(req, &requestBody); reqErr != nil {
|
||||
response = reqErr
|
||||
return
|
||||
}
|
||||
if requestBody.UserID == "" {
|
||||
if body.UserID == "" {
|
||||
response = &util.JSONResponse{
|
||||
Code: 400,
|
||||
JSON: jsonerror.BadJSON("'user_id' must be supplied."),
|
||||
@ -130,8 +143,8 @@ func getMembershipStateKey(
|
||||
return
|
||||
}
|
||||
|
||||
stateKey = requestBody.UserID
|
||||
reason = requestBody.Reason
|
||||
stateKey = body.UserID
|
||||
reason = body.Reason
|
||||
} else {
|
||||
stateKey = device.UserID
|
||||
}
|
||||
|
@ -29,6 +29,20 @@ type MemberContent struct {
|
||||
// TODO: ThirdPartyInvite string `json:"third_party_invite,omitempty"`
|
||||
}
|
||||
|
||||
// ThirdPartyInviteContent is the content event for https://matrix.org/docs/spec/client_server/r0.2.0.html#m-room-third-party-invite
|
||||
type ThirdPartyInviteContent struct {
|
||||
DisplayName string `json:"display_name"`
|
||||
KeyValidityURL string `json:"key_validity_url"`
|
||||
PublicKey string `json:"public_key"`
|
||||
PublicKeys []PublicKey `json:"public_keys"`
|
||||
}
|
||||
|
||||
// PublicKey is the PublicKeys structure in https://matrix.org/docs/spec/client_server/r0.2.0.html#m-room-third-party-invite
|
||||
type PublicKey struct {
|
||||
KeyValidityURL string `json:"key_validity_url"`
|
||||
PublicKey string `json:"public_key"`
|
||||
}
|
||||
|
||||
// NameContent is the event content for https://matrix.org/docs/spec/client_server/r0.2.0.html#m-room-name
|
||||
type NameContent struct {
|
||||
Name string `json:"name"`
|
||||
|
Loading…
Reference in New Issue
Block a user