This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #12 from matrix-org/federation_authorization
Federation authorization
- Loading branch information
Showing
71 changed files
with
3,774 additions
and
3,913 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
from synapse.crypto.event_signing import * | ||
from syutil.base64util import encode_base64 | ||
|
||
import argparse | ||
import hashlib | ||
import sys | ||
import json | ||
|
||
|
||
class dictobj(dict): | ||
def __init__(self, *args, **kargs): | ||
dict.__init__(self, *args, **kargs) | ||
self.__dict__ = self | ||
|
||
def get_dict(self): | ||
return dict(self) | ||
|
||
def get_full_dict(self): | ||
return dict(self) | ||
|
||
|
||
def main(): | ||
parser = argparse.ArgumentParser() | ||
parser.add_argument("input_json", nargs="?", type=argparse.FileType('r'), | ||
default=sys.stdin) | ||
args = parser.parse_args() | ||
logging.basicConfig() | ||
|
||
event_json = dictobj(json.load(args.input_json)) | ||
|
||
algorithms = { | ||
"sha256": hashlib.sha256, | ||
} | ||
|
||
for alg_name in event_json.hashes: | ||
if check_event_content_hash(event_json, algorithms[alg_name]): | ||
print "PASS content hash %s" % (alg_name,) | ||
else: | ||
print "FAIL content hash %s" % (alg_name,) | ||
|
||
for algorithm in algorithms.values(): | ||
name, h_bytes = compute_event_reference_hash(event_json, algorithm) | ||
print "Reference hash %s: %s" % (name, encode_base64(h_bytes)) | ||
|
||
if __name__=="__main__": | ||
main() | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
|
||
from syutil.crypto.jsonsign import verify_signed_json | ||
from syutil.crypto.signing_key import ( | ||
decode_verify_key_bytes, write_signing_keys | ||
) | ||
from syutil.base64util import decode_base64 | ||
|
||
import urllib2 | ||
import json | ||
import sys | ||
import dns.resolver | ||
import pprint | ||
import argparse | ||
import logging | ||
|
||
def get_targets(server_name): | ||
if ":" in server_name: | ||
target, port = server_name.split(":") | ||
yield (target, int(port)) | ||
return | ||
try: | ||
answers = dns.resolver.query("_matrix._tcp." + server_name, "SRV") | ||
for srv in answers: | ||
yield (srv.target, srv.port) | ||
except dns.resolver.NXDOMAIN: | ||
yield (server_name, 8480) | ||
|
||
def get_server_keys(server_name, target, port): | ||
url = "https://%s:%i/_matrix/key/v1" % (target, port) | ||
keys = json.load(urllib2.urlopen(url)) | ||
verify_keys = {} | ||
for key_id, key_base64 in keys["verify_keys"].items(): | ||
verify_key = decode_verify_key_bytes(key_id, decode_base64(key_base64)) | ||
verify_signed_json(keys, server_name, verify_key) | ||
verify_keys[key_id] = verify_key | ||
return verify_keys | ||
|
||
def main(): | ||
|
||
parser = argparse.ArgumentParser() | ||
parser.add_argument("signature_name") | ||
parser.add_argument("input_json", nargs="?", type=argparse.FileType('r'), | ||
default=sys.stdin) | ||
|
||
args = parser.parse_args() | ||
logging.basicConfig() | ||
|
||
server_name = args.signature_name | ||
keys = {} | ||
for target, port in get_targets(server_name): | ||
try: | ||
keys = get_server_keys(server_name, target, port) | ||
print "Using keys from https://%s:%s/_matrix/key/v1" % (target, port) | ||
write_signing_keys(sys.stdout, keys.values()) | ||
break | ||
except: | ||
logging.exception("Error talking to %s:%s", target, port) | ||
|
||
json_to_check = json.load(args.input_json) | ||
print "Checking JSON:" | ||
for key_id in json_to_check["signatures"][args.signature_name]: | ||
try: | ||
key = keys[key_id] | ||
verify_signed_json(json_to_check, args.signature_name, key) | ||
print "PASS %s" % (key_id,) | ||
except: | ||
logging.exception("Check for key %s failed" % (key_id,)) | ||
print "FAIL %s" % (key_id,) | ||
|
||
|
||
if __name__ == '__main__': | ||
main() | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
from synapse.storage.pdu import PduStore | ||
from synapse.storage.signatures import SignatureStore | ||
from synapse.storage._base import SQLBaseStore | ||
from synapse.federation.units import Pdu | ||
from synapse.crypto.event_signing import ( | ||
add_event_pdu_content_hash, compute_pdu_event_reference_hash | ||
) | ||
from synapse.api.events.utils import prune_pdu | ||
from syutil.base64util import encode_base64, decode_base64 | ||
from syutil.jsonutil import encode_canonical_json | ||
import sqlite3 | ||
import sys | ||
|
||
class Store(object): | ||
_get_pdu_tuples = PduStore.__dict__["_get_pdu_tuples"] | ||
_get_pdu_content_hashes_txn = SignatureStore.__dict__["_get_pdu_content_hashes_txn"] | ||
_get_prev_pdu_hashes_txn = SignatureStore.__dict__["_get_prev_pdu_hashes_txn"] | ||
_get_pdu_origin_signatures_txn = SignatureStore.__dict__["_get_pdu_origin_signatures_txn"] | ||
_store_pdu_content_hash_txn = SignatureStore.__dict__["_store_pdu_content_hash_txn"] | ||
_store_pdu_reference_hash_txn = SignatureStore.__dict__["_store_pdu_reference_hash_txn"] | ||
_store_prev_pdu_hash_txn = SignatureStore.__dict__["_store_prev_pdu_hash_txn"] | ||
_simple_insert_txn = SQLBaseStore.__dict__["_simple_insert_txn"] | ||
|
||
|
||
store = Store() | ||
|
||
|
||
def select_pdus(cursor): | ||
cursor.execute( | ||
"SELECT pdu_id, origin FROM pdus ORDER BY depth ASC" | ||
) | ||
|
||
ids = cursor.fetchall() | ||
|
||
pdu_tuples = store._get_pdu_tuples(cursor, ids) | ||
|
||
pdus = [Pdu.from_pdu_tuple(p) for p in pdu_tuples] | ||
|
||
reference_hashes = {} | ||
|
||
for pdu in pdus: | ||
try: | ||
if pdu.prev_pdus: | ||
print "PROCESS", pdu.pdu_id, pdu.origin, pdu.prev_pdus | ||
for pdu_id, origin, hashes in pdu.prev_pdus: | ||
ref_alg, ref_hsh = reference_hashes[(pdu_id, origin)] | ||
hashes[ref_alg] = encode_base64(ref_hsh) | ||
store._store_prev_pdu_hash_txn(cursor, pdu.pdu_id, pdu.origin, pdu_id, origin, ref_alg, ref_hsh) | ||
print "SUCCESS", pdu.pdu_id, pdu.origin, pdu.prev_pdus | ||
pdu = add_event_pdu_content_hash(pdu) | ||
ref_alg, ref_hsh = compute_pdu_event_reference_hash(pdu) | ||
reference_hashes[(pdu.pdu_id, pdu.origin)] = (ref_alg, ref_hsh) | ||
store._store_pdu_reference_hash_txn(cursor, pdu.pdu_id, pdu.origin, ref_alg, ref_hsh) | ||
|
||
for alg, hsh_base64 in pdu.hashes.items(): | ||
print alg, hsh_base64 | ||
store._store_pdu_content_hash_txn(cursor, pdu.pdu_id, pdu.origin, alg, decode_base64(hsh_base64)) | ||
|
||
except: | ||
print "FAILED_", pdu.pdu_id, pdu.origin, pdu.prev_pdus | ||
|
||
def main(): | ||
conn = sqlite3.connect(sys.argv[1]) | ||
cursor = conn.cursor() | ||
select_pdus(cursor) | ||
conn.commit() | ||
|
||
if __name__=='__main__': | ||
main() |
Oops, something went wrong.