use go module for dependencies (#594)

author: ruben <code@rbn.im> 2019-05-21 22:56:55 +0200
committer: Brendan Abolivier <babolivier@matrix.org> 2019-05-21 21:56:55 +0100
commit: 74827428bd3e11faab65f12204449c1b9469b0ae (patch)
tree: 0decafa542436a0667ed2d3e3cfd4df0f03de1e5 /clientapi/threepid
parent: 4d588f7008afe5600219ac0930c2eee2de5c447b (diff)
2 files changed, 551 insertions, 0 deletions
diff --git a/clientapi/threepid/invites.go b/clientapi/threepid/invites.go
new file mode 100644
index 00000000..2538577f
--- /dev/null
+++ b/clientapi/threepid/invites.go
@@ -0,0 +1,364 @@
+// Copyright 2017 Vector Creations Ltd
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package threepid
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/matrix-org/dendrite/clientapi/auth/authtypes"
+	"github.com/matrix-org/dendrite/clientapi/auth/storage/accounts"
+	"github.com/matrix-org/dendrite/clientapi/producers"
+	"github.com/matrix-org/dendrite/common"
+	"github.com/matrix-org/dendrite/common/config"
+	"github.com/matrix-org/dendrite/roomserver/api"
+	"github.com/matrix-org/gomatrixserverlib"
+)
+
+// MembershipRequest represents the body of an incoming POST request
+// on /rooms/{roomID}/(join|kick|ban|unban|leave|invite)
+type MembershipRequest struct {
+	UserID   string `json:"user_id"`
+	Reason   string `json:"reason"`
+	IDServer string `json:"id_server"`
+	Medium   string `json:"medium"`
+	Address  string `json:"address"`
+}
+
+// idServerLookupResponse represents the response described at https://matrix.org/docs/spec/client_server/r0.2.0.html#get-matrix-identity-api-v1-lookup
+type idServerLookupResponse struct {
+	TS         int64                        `json:"ts"`
+	NotBefore  int64                        `json:"not_before"`
+	NotAfter   int64                        `json:"not_after"`
+	Medium     string                       `json:"medium"`
+	Address    string                       `json:"address"`
+	MXID       string                       `json:"mxid"`
+	Signatures map[string]map[string]string `json:"signatures"`
+}
+
+// idServerLookupResponse represents the response described at https://matrix.org/docs/spec/client_server/r0.2.0.html#invitation-storage
+type idServerStoreInviteResponse struct {
+	PublicKey   string             `json:"public_key"`
+	Token       string             `json:"token"`
+	DisplayName string             `json:"display_name"`
+	PublicKeys  []common.PublicKey `json:"public_keys"`
+}
+
+var (
+	// ErrMissingParameter is the error raised if a request for 3PID invite has
+	// an incomplete body
+	ErrMissingParameter = errors.New("'address', 'id_server' and 'medium' must all be supplied")
+	// ErrNotTrusted is the error raised if an identity server isn't in the list
+	// of trusted servers in the configuration file.
+	ErrNotTrusted = errors.New("untrusted server")
+)
+
+// CheckAndProcessInvite analyses the body of an incoming membership request.
+// If the fields relative to a third-party-invite are all supplied, lookups the
+// matching Matrix ID from the given identity server. If no Matrix ID is
+// associated to the given 3PID, asks the identity server to store the invite
+// and emit a "m.room.third_party_invite" event.
+// Returns a representation of the HTTP response to send to the user.
+// Returns a representation of a non-200 HTTP response if something went wrong
+// in the process, or if some 3PID fields aren't supplied but others are.
+// If none of the 3PID-specific fields are supplied, or if a Matrix ID is
+// supplied by the identity server, returns nil to indicate that the request
+// must be processed as a non-3PID membership request. In the latter case,
+// fills the Matrix ID in the request body so a normal invite membership event
+// can be emitted.
+func CheckAndProcessInvite(
+	ctx context.Context,
+	device *authtypes.Device, body *MembershipRequest, cfg config.Dendrite,
+	queryAPI api.RoomserverQueryAPI, db *accounts.Database,
+	producer *producers.RoomserverProducer, membership string, roomID string,
+	evTime time.Time,
+) (inviteStoredOnIDServer bool, err error) {
+	if membership != "invite" || (body.Address == "" && body.IDServer == "" && body.Medium == "") {
+		// If none of the 3PID-specific fields are supplied, it's a standard invite
+		// so return nil for it to be processed as such
+		return
+	} else if body.Address == "" || body.IDServer == "" || body.Medium == "" {
+		// If at least one of the 3PID-specific fields is supplied but not all
+		// of them, return an error
+		err = ErrMissingParameter
+		return
+	}
+
+	lookupRes, storeInviteRes, err := queryIDServer(ctx, db, cfg, device, body, roomID)
+	if err != nil {
+		return
+	}
+
+	if lookupRes.MXID == "" {
+		// No Matrix ID could be found for this 3PID, meaning that a
+		// "m.room.third_party_invite" have to be emitted from the data in
+		// storeInviteRes.
+		err = emit3PIDInviteEvent(
+			ctx, body, storeInviteRes, device, roomID, cfg, queryAPI, producer, evTime,
+		)
+		inviteStoredOnIDServer = err == nil
+
+		return
+	}
+
+	// A Matrix ID have been found: set it in the body request and let the process
+	// continue to create a "m.room.member" event with an "invite" membership
+	body.UserID = lookupRes.MXID
+
+	return
+}
+
+// queryIDServer handles all the requests to the identity server, starting by
+// looking up the given 3PID on the given identity server.
+// If the lookup returned a Matrix ID, checks if the current time is within the
+// time frame in which the 3PID-MXID association is known to be valid, and checks
+// the response's signatures. If one of the checks fails, returns an error.
+// If the lookup didn't return a Matrix ID, asks the identity server to store
+// the invite and to respond with a token.
+// Returns a representation of the response for both cases.
+// Returns an error if a check or a request failed.
+func queryIDServer(
+	ctx context.Context,
+	db *accounts.Database, cfg config.Dendrite, device *authtypes.Device,
+	body *MembershipRequest, roomID string,
+) (lookupRes *idServerLookupResponse, storeInviteRes *idServerStoreInviteResponse, err error) {
+	if err = isTrusted(body.IDServer, cfg); err != nil {
+		return
+	}
+
+	// Lookup the 3PID
+	lookupRes, err = queryIDServerLookup(ctx, body)
+	if err != nil {
+		return
+	}
+
+	if lookupRes.MXID == "" {
+		// No Matrix ID matches with the given 3PID, ask the server to store the
+		// invite and return a token
+		storeInviteRes, err = queryIDServerStoreInvite(ctx, db, cfg, device, body, roomID)
+		return
+	}
+
+	// A Matrix ID matches with the given 3PID
+	// Get timestamp in milliseconds to compare it with the timestamps provided
+	// by the identity server
+	now := time.Now().UnixNano() / 1000000
+	if lookupRes.NotBefore > now || now > lookupRes.NotAfter {
+		// If the current timestamp isn't in the time frame in which the association
+		// is known to be valid, re-run the query
+		return queryIDServer(ctx, db, cfg, device, body, roomID)
+	}
+
+	// Check the request signatures and send an error if one isn't valid
+	if err = checkIDServerSignatures(ctx, body, lookupRes); err != nil {
+		return
+	}
+
+	return
+}
+
+// queryIDServerLookup sends a response to the identity server on /_matrix/identity/api/v1/lookup
+// and returns the response as a structure.
+// Returns an error if the request failed to send or if the response couldn't be parsed.
+func queryIDServerLookup(ctx context.Context, body *MembershipRequest) (*idServerLookupResponse, error) {
+	address := url.QueryEscape(body.Address)
+	requestURL := fmt.Sprintf("https://%s/_matrix/identity/api/v1/lookup?medium=%s&address=%s", body.IDServer, body.Medium, address)
+	req, err := http.NewRequest(http.MethodGet, requestURL, nil)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := http.DefaultClient.Do(req.WithContext(ctx))
+	if err != nil {
+		return nil, err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		// TODO: Log the error supplied with the identity server?
+		errMgs := fmt.Sprintf("Failed to ask %s to store an invite for %s", body.IDServer, body.Address)
+		return nil, errors.New(errMgs)
+	}
+
+	var res idServerLookupResponse
+	err = json.NewDecoder(resp.Body).Decode(&res)
+	return &res, err
+}
+
+// queryIDServerStoreInvite sends a response to the identity server on /_matrix/identity/api/v1/store-invite
+// and returns the response as a structure.
+// Returns an error if the request failed to send or if the response couldn't be parsed.
+func queryIDServerStoreInvite(
+	ctx context.Context,
+	db *accounts.Database, cfg config.Dendrite, device *authtypes.Device,
+	body *MembershipRequest, roomID string,
+) (*idServerStoreInviteResponse, error) {
+	// Retrieve the sender's profile to get their display name
+	localpart, serverName, err := gomatrixserverlib.SplitID('@', device.UserID)
+	if err != nil {
+		return nil, err
+	}
+
+	var profile *authtypes.Profile
+	if serverName == cfg.Matrix.ServerName {
+		profile, err = db.GetProfileByLocalpart(ctx, localpart)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		profile = &authtypes.Profile{}
+	}
+
+	client := http.Client{}
+
+	data := url.Values{}
+	data.Add("medium", body.Medium)
+	data.Add("address", body.Address)
+	data.Add("room_id", roomID)
+	data.Add("sender", device.UserID)
+	data.Add("sender_display_name", profile.DisplayName)
+	// TODO: Also send:
+	//      - The room name (room_name)
+	//      - The room's avatar url (room_avatar_url)
+	//      See https://github.com/matrix-org/sydent/blob/master/sydent/http/servlets/store_invite_servlet.py#L82-L91
+	//      These can be easily retrieved by requesting the public rooms API
+	//      server's database.
+
+	requestURL := fmt.Sprintf("https://%s/_matrix/identity/api/v1/store-invite", body.IDServer)
+	req, err := http.NewRequest(http.MethodPost, requestURL, strings.NewReader(data.Encode()))
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+	resp, err := client.Do(req.WithContext(ctx))
+	if err != nil {
+		return nil, err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		errMsg := fmt.Sprintf("Identity server %s responded with a %d error code", body.IDServer, resp.StatusCode)
+		return nil, errors.New(errMsg)
+	}
+
+	var idResp idServerStoreInviteResponse
+	err = json.NewDecoder(resp.Body).Decode(&idResp)
+	return &idResp, err
+}
+
+// queryIDServerPubKey requests a public key identified with a given ID to the
+// a given identity server and returns the matching base64-decoded public key.
+// We assume that the ID server is trusted at this point.
+// Returns an error if the request couldn't be sent, if its body couldn't be parsed
+// or if the key couldn't be decoded from base64.
+func queryIDServerPubKey(ctx context.Context, idServerName string, keyID string) ([]byte, error) {
+	requestURL := fmt.Sprintf("https://%s/_matrix/identity/api/v1/pubkey/%s", idServerName, keyID)
+	req, err := http.NewRequest(http.MethodGet, requestURL, nil)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := http.DefaultClient.Do(req.WithContext(ctx))
+	if err != nil {
+		return nil, err
+	}
+
+	var pubKeyRes struct {
+		PublicKey gomatrixserverlib.Base64String `json:"public_key"`
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		errMsg := fmt.Sprintf("Couldn't retrieve key %s from server %s", keyID, idServerName)
+		return nil, errors.New(errMsg)
+	}
+
+	err = json.NewDecoder(resp.Body).Decode(&pubKeyRes)
+	return pubKeyRes.PublicKey, err
+}
+
+// checkIDServerSignatures iterates over the signatures of a requests.
+// If no signature can be found for the ID server's domain, returns an error, else
+// iterates over the signature for the said domain, retrieves the matching public
+// key, and verify it.
+// We assume that the ID server is trusted at this point.
+// Returns nil if all the verifications succeeded.
+// Returns an error if something failed in the process.
+func checkIDServerSignatures(
+	ctx context.Context, body *MembershipRequest, res *idServerLookupResponse,
+) error {
+	// Mashall the body so we can give it to VerifyJSON
+	marshalledBody, err := json.Marshal(*res)
+	if err != nil {
+		return err
+	}
+
+	signatures, ok := res.Signatures[body.IDServer]
+	if !ok {
+		return errors.New("No signature for domain " + body.IDServer)
+	}
+
+	for keyID := range signatures {
+		pubKey, err := queryIDServerPubKey(ctx, body.IDServer, keyID)
+		if err != nil {
+			return err
+		}
+		if err = gomatrixserverlib.VerifyJSON(body.IDServer, gomatrixserverlib.KeyID(keyID), pubKey, marshalledBody); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// emit3PIDInviteEvent builds and sends a "m.room.third_party_invite" event.
+// Returns an error if something failed in the process.
+func emit3PIDInviteEvent(
+	ctx context.Context,
+	body *MembershipRequest, res *idServerStoreInviteResponse,
+	device *authtypes.Device, roomID string, cfg config.Dendrite,
+	queryAPI api.RoomserverQueryAPI, producer *producers.RoomserverProducer,
+	evTime time.Time,
+) error {
+	builder := &gomatrixserverlib.EventBuilder{
+		Sender:   device.UserID,
+		RoomID:   roomID,
+		Type:     "m.room.third_party_invite",
+		StateKey: &res.Token,
+	}
+
+	validityURL := fmt.Sprintf("https://%s/_matrix/identity/api/v1/pubkey/isvalid", body.IDServer)
+	content := common.ThirdPartyInviteContent{
+		DisplayName:    res.DisplayName,
+		KeyValidityURL: validityURL,
+		PublicKey:      res.PublicKey,
+		PublicKeys:     res.PublicKeys,
+	}
+
+	if err := builder.SetContent(content); err != nil {
+		return err
+	}
+
+	var queryRes *api.QueryLatestEventsAndStateResponse
+	event, err := common.BuildEvent(ctx, builder, cfg, evTime, queryAPI, queryRes)
+	if err != nil {
+		return err
+	}
+
+	_, err = producer.SendEvents(ctx, []gomatrixserverlib.Event{*event}, cfg.Matrix.ServerName, nil)
+	return err
+}
diff --git a/clientapi/threepid/threepid.go b/clientapi/threepid/threepid.go
new file mode 100644
index 00000000..e5b3305e
--- /dev/null
+++ b/clientapi/threepid/threepid.go
@@ -0,0 +1,187 @@
+// Copyright 2017 Vector Creations Ltd
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package threepid
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+
+	"github.com/matrix-org/dendrite/common/config"
+)
+
+// EmailAssociationRequest represents the request defined at https://matrix.org/docs/spec/client_server/r0.2.0.html#post-matrix-client-r0-register-email-requesttoken
+type EmailAssociationRequest struct {
+	IDServer    string `json:"id_server"`
+	Secret      string `json:"client_secret"`
+	Email       string `json:"email"`
+	SendAttempt int    `json:"send_attempt"`
+}
+
+// EmailAssociationCheckRequest represents the request defined at https://matrix.org/docs/spec/client_server/r0.2.0.html#post-matrix-client-r0-account-3pid
+type EmailAssociationCheckRequest struct {
+	Creds Credentials `json:"threePidCreds"`
+	Bind  bool        `json:"bind"`
+}
+
+// Credentials represents the "ThreePidCredentials" structure defined at https://matrix.org/docs/spec/client_server/r0.2.0.html#post-matrix-client-r0-account-3pid
+type Credentials struct {
+	SID      string `json:"sid"`
+	IDServer string `json:"id_server"`
+	Secret   string `json:"client_secret"`
+}
+
+// CreateSession creates a session on an identity server.
+// Returns the session's ID.
+// Returns an error if there was a problem sending the request or decoding the
+// response, or if the identity server responded with a non-OK status.
+func CreateSession(
+	ctx context.Context, req EmailAssociationRequest, cfg config.Dendrite,
+) (string, error) {
+	if err := isTrusted(req.IDServer, cfg); err != nil {
+		return "", err
+	}
+
+	// Create a session on the ID server
+	postURL := fmt.Sprintf("https://%s/_matrix/identity/api/v1/validate/email/requestToken", req.IDServer)
+
+	data := url.Values{}
+	data.Add("client_secret", req.Secret)
+	data.Add("email", req.Email)
+	data.Add("send_attempt", strconv.Itoa(req.SendAttempt))
+
+	request, err := http.NewRequest(http.MethodPost, postURL, strings.NewReader(data.Encode()))
+	if err != nil {
+		return "", err
+	}
+	request.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+
+	client := http.Client{}
+	resp, err := client.Do(request.WithContext(ctx))
+	if err != nil {
+		return "", err
+	}
+
+	// Error if the status isn't OK
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("Could not create a session on the server %s", req.IDServer)
+	}
+
+	// Extract the SID from the response and return it
+	var sid struct {
+		SID string `json:"sid"`
+	}
+	err = json.NewDecoder(resp.Body).Decode(&sid)
+
+	return sid.SID, err
+}
+
+// CheckAssociation checks the status of an ongoing association validation on an
+// identity server.
+// Returns a boolean set to true if the association has been validated, false if not.
+// If the association has been validated, also returns the related third-party
+// identifier and its medium.
+// Returns an error if there was a problem sending the request or decoding the
+// response, or if the identity server responded with a non-OK status.
+func CheckAssociation(
+	ctx context.Context, creds Credentials, cfg config.Dendrite,
+) (bool, string, string, error) {
+	if err := isTrusted(creds.IDServer, cfg); err != nil {
+		return false, "", "", err
+	}
+
+	requestURL := fmt.Sprintf("https://%s/_matrix/identity/api/v1/3pid/getValidated3pid?sid=%s&client_secret=%s", creds.IDServer, creds.SID, creds.Secret)
+	req, err := http.NewRequest(http.MethodGet, requestURL, nil)
+	if err != nil {
+		return false, "", "", err
+	}
+	resp, err := http.DefaultClient.Do(req.WithContext(ctx))
+	if err != nil {
+		return false, "", "", err
+	}
+
+	var respBody struct {
+		Medium      string `json:"medium"`
+		ValidatedAt int64  `json:"validated_at"`
+		Address     string `json:"address"`
+		ErrCode     string `json:"errcode"`
+		Error       string `json:"error"`
+	}
+
+	if err = json.NewDecoder(resp.Body).Decode(&respBody); err != nil {
+		return false, "", "", err
+	}
+
+	if respBody.ErrCode == "M_SESSION_NOT_VALIDATED" {
+		return false, "", "", nil
+	} else if len(respBody.ErrCode) > 0 {
+		return false, "", "", errors.New(respBody.Error)
+	}
+
+	return true, respBody.Address, respBody.Medium, nil
+}
+
+// PublishAssociation publishes a validated association between a third-party
+// identifier and a Matrix ID.
+// Returns an error if there was a problem sending the request or decoding the
+// response, or if the identity server responded with a non-OK status.
+func PublishAssociation(creds Credentials, userID string, cfg config.Dendrite) error {
+	if err := isTrusted(creds.IDServer, cfg); err != nil {
+		return err
+	}
+
+	postURL := fmt.Sprintf("https://%s/_matrix/identity/api/v1/3pid/bind", creds.IDServer)
+
+	data := url.Values{}
+	data.Add("sid", creds.SID)
+	data.Add("client_secret", creds.Secret)
+	data.Add("mxid", userID)
+
+	request, err := http.NewRequest(http.MethodPost, postURL, strings.NewReader(data.Encode()))
+	if err != nil {
+		return err
+	}
+	request.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+
+	client := http.Client{}
+	resp, err := client.Do(request)
+	if err != nil {
+		return err
+	}
+
+	// Error if the status isn't OK
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("Could not publish the association on the server %s", creds.IDServer)
+	}
+
+	return nil
+}
+
+// isTrusted checks if a given identity server is part of the list of trusted
+// identity servers in the configuration file.
+// Returns an error if the server isn't trusted.
+func isTrusted(idServer string, cfg config.Dendrite) error {
+	for _, server := range cfg.Matrix.TrustedIDServers {
+		if idServer == server {
+			return nil
+		}
+	}
+	return ErrNotTrusted
+}
author	ruben <code@rbn.im>	2019-05-21 22:56:55 +0200
committer	Brendan Abolivier <babolivier@matrix.org>	2019-05-21 21:56:55 +0100
commit	74827428bd3e11faab65f12204449c1b9469b0ae (patch)
tree	0decafa542436a0667ed2d3e3cfd4df0f03de1e5 /clientapi/threepid
parent	4d588f7008afe5600219ac0930c2eee2de5c447b (diff)