From 4b291d6530cf8792e51971a4a7caca4c57f2f865 Mon Sep 17 00:00:00 2001 From: Patrick Cloke Date: Thu, 14 May 2020 10:26:21 -0400 Subject: [PATCH 1/4] Add an additional flag on the RoomVersion. --- synapse/api/room_versions.py | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/synapse/api/room_versions.py b/synapse/api/room_versions.py index 871179749a78..3aded47c0c32 100644 --- a/synapse/api/room_versions.py +++ b/synapse/api/room_versions.py @@ -58,7 +58,11 @@ class RoomVersion(object): enforce_key_validity = attr.ib() # bool # bool: before MSC2261/MSC2432, m.room.aliases had special auth rules and redaction rules - special_case_aliases_auth = attr.ib(type=bool, default=False) + special_case_aliases_auth = attr.ib(type=bool) + + # bool: MSC2209: Check 'notifications' key while verifying + # m.room.power_levels auth rules. + check_notifications_auth = attr.ib(type=bool) class RoomVersions(object): @@ -69,6 +73,7 @@ class RoomVersions(object): StateResolutionVersions.V1, enforce_key_validity=False, special_case_aliases_auth=True, + check_notifications_auth=False, ) V2 = RoomVersion( "2", @@ -77,6 +82,7 @@ class RoomVersions(object): StateResolutionVersions.V2, enforce_key_validity=False, special_case_aliases_auth=True, + check_notifications_auth=False, ) V3 = RoomVersion( "3", @@ -85,6 +91,7 @@ class RoomVersions(object): StateResolutionVersions.V2, enforce_key_validity=False, special_case_aliases_auth=True, + check_notifications_auth=False, ) V4 = RoomVersion( "4", @@ -93,6 +100,7 @@ class RoomVersions(object): StateResolutionVersions.V2, enforce_key_validity=False, special_case_aliases_auth=True, + check_notifications_auth=False, ) V5 = RoomVersion( "5", @@ -101,6 +109,7 @@ class RoomVersions(object): StateResolutionVersions.V2, enforce_key_validity=True, special_case_aliases_auth=True, + check_notifications_auth=False, ) MSC2432_DEV = RoomVersion( "org.matrix.msc2432", @@ -109,6 +118,16 @@ class RoomVersions(object): StateResolutionVersions.V2, enforce_key_validity=True, special_case_aliases_auth=False, + check_notifications_auth=False, + ) + MSC2209_DEV = RoomVersion( + "org.matrix.msc2209", + RoomDisposition.UNSTABLE, + EventFormatVersions.V3, + StateResolutionVersions.V2, + enforce_key_validity=True, + special_case_aliases_auth=True, + check_notifications_auth=True, ) @@ -121,5 +140,6 @@ class RoomVersions(object): RoomVersions.V4, RoomVersions.V5, RoomVersions.MSC2432_DEV, + RoomVersions.MSC2209_DEV, ) } # type: Dict[str, RoomVersion] From 466fff91f330d17560f7971fc2125ae9378b3363 Mon Sep 17 00:00:00 2001 From: Patrick Cloke Date: Thu, 14 May 2020 10:39:19 -0400 Subject: [PATCH 2/4] Enforce auth rules on notifications key in power levels event. --- synapse/event_auth.py | 12 ++++++++++-- tests/test_event_auth.py | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+), 2 deletions(-) diff --git a/synapse/event_auth.py b/synapse/event_auth.py index 46beb5334fad..36a4b3dfbb93 100644 --- a/synapse/event_auth.py +++ b/synapse/event_auth.py @@ -181,7 +181,7 @@ def check( _can_send_event(event, auth_events) if event.type == EventTypes.PowerLevels: - _check_power_levels(event, auth_events) + _check_power_levels(room_version_obj, event, auth_events) if event.type == EventTypes.Redaction: check_redaction(room_version_obj, event, auth_events) @@ -442,7 +442,7 @@ def check_redaction(room_version_obj: RoomVersion, event, auth_events): raise AuthError(403, "You don't have permission to redact events") -def _check_power_levels(event, auth_events): +def _check_power_levels(room_version_obj, event, auth_events): user_list = event.content.get("users", {}) # Validate users for k, v in user_list.items(): @@ -484,6 +484,14 @@ def _check_power_levels(event, auth_events): for ev_id in set(list(old_list) + list(new_list)): levels_to_check.append((ev_id, "events")) + # MSC2209 specifies these checks should also be done for the "notifications" + # key. + if room_version_obj.check_notifications_auth: + old_list = current_state.content.get("notifications", {}) + new_list = event.content.get("notifications", {}) + for ev_id in set(list(old_list) + list(new_list)): + levels_to_check.append((ev_id, "notifications")) + old_state = current_state.content new_state = event.content diff --git a/tests/test_event_auth.py b/tests/test_event_auth.py index 6c2351cf559f..f2def601fb29 100644 --- a/tests/test_event_auth.py +++ b/tests/test_event_auth.py @@ -165,6 +165,39 @@ def test_msc2432_alias_event(self): do_sig_check=False, ) + def test_msc2209(self): + """ + Notifications power levels get checked due to MSC2209. + """ + creator = "@creator:example.com" + pleb = "@joiner:example.com" + + auth_events = { + ("m.room.create", ""): _create_event(creator), + ("m.room.member", creator): _join_event(creator), + ("m.room.power_levels", ""): _power_levels_event( + creator, {"state_default": "30", "users": {pleb: "30"}} + ), + ("m.room.member", pleb): _join_event(pleb), + } + + # pleb should be able to modify the notifications power level. + event_auth.check( + RoomVersions.V1, + _power_levels_event(pleb, {"notifications": {"room": 100}}), + auth_events, + do_sig_check=False, + ) + + # But an MSC2209 room rejects this change. + with self.assertRaises(AuthError): + event_auth.check( + RoomVersions.MSC2209_DEV, + _power_levels_event(pleb, {"notifications": {"room": 100}}), + auth_events, + do_sig_check=False, + ) + # helpers for making events From b7c28b5b8f47dde415b514a649433fe304aef392 Mon Sep 17 00:00:00 2001 From: Patrick Cloke Date: Thu, 14 May 2020 11:02:28 -0400 Subject: [PATCH 3/4] Add a newsfragment. --- changelog.d/7502.feature | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/7502.feature diff --git a/changelog.d/7502.feature b/changelog.d/7502.feature new file mode 100644 index 000000000000..059a05bfca1f --- /dev/null +++ b/changelog.d/7502.feature @@ -0,0 +1 @@ +Add additional authentication checks for m.room.power_levels event per [MSC2209](https://github.com/matrix-org/matrix-doc/pull/2209). From 187a00ef1a8842baa9dd629073b7c01f711a7788 Mon Sep 17 00:00:00 2001 From: Patrick Cloke Date: Thu, 14 May 2020 11:28:45 -0400 Subject: [PATCH 4/4] Update the variable name based on feedback. --- synapse/api/room_versions.py | 16 ++++++++-------- synapse/event_auth.py | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/synapse/api/room_versions.py b/synapse/api/room_versions.py index 3aded47c0c32..af3612ed61e9 100644 --- a/synapse/api/room_versions.py +++ b/synapse/api/room_versions.py @@ -62,7 +62,7 @@ class RoomVersion(object): # bool: MSC2209: Check 'notifications' key while verifying # m.room.power_levels auth rules. - check_notifications_auth = attr.ib(type=bool) + limit_notifications_power_levels = attr.ib(type=bool) class RoomVersions(object): @@ -73,7 +73,7 @@ class RoomVersions(object): StateResolutionVersions.V1, enforce_key_validity=False, special_case_aliases_auth=True, - check_notifications_auth=False, + limit_notifications_power_levels=False, ) V2 = RoomVersion( "2", @@ -82,7 +82,7 @@ class RoomVersions(object): StateResolutionVersions.V2, enforce_key_validity=False, special_case_aliases_auth=True, - check_notifications_auth=False, + limit_notifications_power_levels=False, ) V3 = RoomVersion( "3", @@ -91,7 +91,7 @@ class RoomVersions(object): StateResolutionVersions.V2, enforce_key_validity=False, special_case_aliases_auth=True, - check_notifications_auth=False, + limit_notifications_power_levels=False, ) V4 = RoomVersion( "4", @@ -100,7 +100,7 @@ class RoomVersions(object): StateResolutionVersions.V2, enforce_key_validity=False, special_case_aliases_auth=True, - check_notifications_auth=False, + limit_notifications_power_levels=False, ) V5 = RoomVersion( "5", @@ -109,7 +109,7 @@ class RoomVersions(object): StateResolutionVersions.V2, enforce_key_validity=True, special_case_aliases_auth=True, - check_notifications_auth=False, + limit_notifications_power_levels=False, ) MSC2432_DEV = RoomVersion( "org.matrix.msc2432", @@ -118,7 +118,7 @@ class RoomVersions(object): StateResolutionVersions.V2, enforce_key_validity=True, special_case_aliases_auth=False, - check_notifications_auth=False, + limit_notifications_power_levels=False, ) MSC2209_DEV = RoomVersion( "org.matrix.msc2209", @@ -127,7 +127,7 @@ class RoomVersions(object): StateResolutionVersions.V2, enforce_key_validity=True, special_case_aliases_auth=True, - check_notifications_auth=True, + limit_notifications_power_levels=True, ) diff --git a/synapse/event_auth.py b/synapse/event_auth.py index 36a4b3dfbb93..5a5b568a953c 100644 --- a/synapse/event_auth.py +++ b/synapse/event_auth.py @@ -486,7 +486,7 @@ def _check_power_levels(room_version_obj, event, auth_events): # MSC2209 specifies these checks should also be done for the "notifications" # key. - if room_version_obj.check_notifications_auth: + if room_version_obj.limit_notifications_power_levels: old_list = current_state.content.get("notifications", {}) new_list = event.content.get("notifications", {}) for ev_id in set(list(old_list) + list(new_list)):