authorKegsay <kegan@matrix.org>2020-06-16 14:10:55 +0100
committerGitHub <noreply@github.com>2020-06-16 14:10:55 +0100
commit9c77022513f400db59409f5b55fc6223d38d6bb8 (patch)
tree52223755553ef4d7065747528e40c27a79a71dff /internal
parent57b7fa3db801c27190bfd143cfebe98e3d76a6ae (diff)
Make userapi responsible for checking access tokens (#1133)
* Make userapi responsible for checking access tokens There's still plenty of dependencies on account/device DBs, but this is a start. This is a breaking change as it adds a required config value `listen.user_api`. * Cleanup * Review comments and test fix
Diffstat (limited to 'internal')
-rw-r--r--internal/config/config.go11
-rw-r--r--internal/config/config_test.go1
-rw-r--r--internal/httputil/httpapi.go8
-rw-r--r--internal/setup/base.go11
-rw-r--r--internal/setup/monolith.go12
5 files changed, 34 insertions, 9 deletions
diff --git a/internal/config/config.go b/internal/config/config.go
index bff4945b..2bd56ad9 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -241,6 +241,7 @@ type Dendrite struct {
ServerKeyAPI Address `yaml:"server_key_api"`
AppServiceAPI Address `yaml:"appservice_api"`
SyncAPI Address `yaml:"sync_api"`
+ UserAPI Address `yaml:"user_api"`
RoomServer Address `yaml:"room_server"`
FederationSender Address `yaml:"federation_sender"`
PublicRoomsAPI Address `yaml:"public_rooms_api"`
@@ -610,6 +611,7 @@ func (config *Dendrite) checkListen(configErrs *configErrors) {
checkNotEmpty(configErrs, "listen.room_server", string(config.Listen.RoomServer))
checkNotEmpty(configErrs, "listen.edu_server", string(config.Listen.EDUServer))
checkNotEmpty(configErrs, "listen.server_key_api", string(config.Listen.EDUServer))
+ checkNotEmpty(configErrs, "listen.user_api", string(config.Listen.UserAPI))
}
// checkLogging verifies the parameters logging.* are valid.
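Review bot: The context line directly above the added check validates the key `listen.server_key_api` against `config.Listen.EDUServer`, so an empty server key API address is never reported. This looks like a copy-paste slip that predates the commit, but it sits in the block being extended and is worth fixing here: `checkNotEmpty(configErrs, "listen.server_key_api", string(config.Listen.ServerKeyAPI))`. The new `listen.user_api` check uses the correct field. checkListen begins outside the hunk, so its earlier checks were not reviewed.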
@@ -723,6 +725,15 @@ func (config *Dendrite) RoomServerURL() string {
return "http://" + string(config.Listen.RoomServer)
}
+// UserAPIURL returns an HTTP URL for where the userapi is listening.
+func (config *Dendrite) UserAPIURL() string {
+ // Hard code the userapi to talk HTTP for now.
+ // If we support HTTPS we need to think of a practical way to do certificate validation.
+ // People setting up servers shouldn't need to get a certificate valid for the public
+ // internet for an internal API.
+ return "http://" + string(config.Listen.UserAPI)
+}
+
// EDUServerURL returns an HTTP URL for where the EDU server is listening.
func (config *Dendrite) EDUServerURL() string {
// Hard code the EDU server to talk HTTP for now.
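Review bot: The comment on UserAPIURL explains why HTTPS is deferred, but not what plain HTTP means now that access-token checks go through this API. The verification calls presumably carry the token to the userapi unencrypted. I would add a line to the comment such as `// Access tokens cross this link in cleartext, so listen.user_api must only be reachable from trusted hosts (loopback or a private network).` The sibling URL helpers share the limitation, but this is the first one on the authentication path. EDUServerURL's body continues outside the hunk.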
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index b72f5fad..9a543e76 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -63,6 +63,7 @@ listen:
media_api: "localhost:7774"
appservice_api: "localhost:7777"
edu_server: "localhost:7778"
+ user_api: "localhost:7779"
logging:
- type: "file"
level: "info"
diff --git a/internal/httputil/httpapi.go b/internal/httputil/httpapi.go
index a35a10d6..d371d172 100644
--- a/internal/httputil/httpapi.go
+++ b/internal/httputil/httpapi.go
@@ -27,9 +27,9 @@ import (
"github.com/gorilla/mux"
"github.com/matrix-org/dendrite/clientapi/auth"
- "github.com/matrix-org/dendrite/clientapi/auth/authtypes"
federationsenderAPI "github.com/matrix-org/dendrite/federationsender/api"
"github.com/matrix-org/dendrite/internal/config"
+ userapi "github.com/matrix-org/dendrite/userapi/api"
"github.com/matrix-org/gomatrixserverlib"
"github.com/matrix-org/util"
opentracing "github.com/opentracing/opentracing-go"
@@ -48,11 +48,11 @@ type BasicAuth struct {
// MakeAuthAPI turns a util.JSONRequestHandler function into an http.Handler which authenticates the request.
func MakeAuthAPI(
- metricsName string, data auth.Data,
- f func(*http.Request, *authtypes.Device) util.JSONResponse,
+ metricsName string, userAPI userapi.UserInternalAPI,
+ f func(*http.Request, *userapi.Device) util.JSONResponse,
) http.Handler {
h := func(req *http.Request) util.JSONResponse {
- device, err := auth.VerifyUserFromRequest(req, data)
+ device, err := auth.VerifyUserFromRequest(req, userAPI)
if err != nil {
return *err
}
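Review bot: MakeAuthAPI's doc comment does not say that authentication is now delegated to `userAPI`, which may be an HTTP client to another process, so what happens when that call fails is part of the handler's contract. The visible branch returns `*err` for any non-nil result. That fails closed only if `auth.VerifyUserFromRequest` also returns a non-nil response on transport errors; the function is outside this diff, so this should be confirmed. I would extend the comment with `// f is only invoked after userAPI has resolved the request's access token to a device; any lookup failure is returned to the client without calling f.` The closure body continues past the end of the hunk.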
diff --git a/internal/setup/base.go b/internal/setup/base.go
index 59bdfd2e..e287cfbd 100644
--- a/internal/setup/base.go
+++ b/internal/setup/base.go
@@ -46,6 +46,8 @@ import (
rsinthttp "github.com/matrix-org/dendrite/roomserver/inthttp"
serverKeyAPI "github.com/matrix-org/dendrite/serverkeyapi/api"
skinthttp "github.com/matrix-org/dendrite/serverkeyapi/inthttp"
+ userapi "github.com/matrix-org/dendrite/userapi/api"
+ userapiinthttp "github.com/matrix-org/dendrite/userapi/inthttp"
"github.com/sirupsen/logrus"
_ "net/http/pprof"
@@ -160,6 +162,15 @@ func (b *BaseDendrite) RoomserverHTTPClient() roomserverAPI.RoomserverInternalAP
return rsAPI
}
+// UserAPIClient returns UserInternalAPI for hitting the userapi over HTTP.
+func (b *BaseDendrite) UserAPIClient() userapi.UserInternalAPI {
+ userAPI, err := userapiinthttp.NewUserAPIClient(b.Cfg.UserAPIURL(), b.httpClient)
+ if err != nil {
+ logrus.WithError(err).Panic("UserAPIClient failed", b.httpClient)
+ }
+ return userAPI
+}
+
// EDUServerClient returns EDUServerInputAPI for hitting the EDU server over HTTP
func (b *BaseDendrite) EDUServerClient() eduServerAPI.EDUServerInputAPI {
e, err := eduinthttp.NewEDUServerClient(b.Cfg.EDUServerURL(), b.httpClient)
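Review bot: The Panic call in UserAPIClient passes `b.httpClient` as a second message argument, so logrus will append a formatted dump of the client struct to "UserAPIClient failed". That adds noise to the crash log and could expose transport configuration there. The error is already attached via WithError, so `logrus.WithError(err).Panic("UserAPIClient failed")` is enough. EDUServerClient's body continues outside the hunk, so I could not check whether it has the same pattern.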
diff --git a/internal/setup/monolith.go b/internal/setup/monolith.go
index 4dfbf711..f28fea8f 100644
--- a/internal/setup/monolith.go
+++ b/internal/setup/monolith.go
@@ -34,6 +34,7 @@ import (
roomserverAPI "github.com/matrix-org/dendrite/roomserver/api"
serverKeyAPI "github.com/matrix-org/dendrite/serverkeyapi/api"
"github.com/matrix-org/dendrite/syncapi"
+ userapi "github.com/matrix-org/dendrite/userapi/api"
"github.com/matrix-org/gomatrixserverlib"
)
@@ -53,6 +54,7 @@ type Monolith struct {
FederationSenderAPI federationSenderAPI.FederationSenderInternalAPI
RoomserverAPI roomserverAPI.RoomserverInternalAPI
ServerKeyAPI serverKeyAPI.ServerKeyInternalAPI
+ UserAPI userapi.UserInternalAPI
// TODO: can we remove this? It's weird that we are required the database
// yet every other component can do that on its own. libp2p-demo uses a custom
@@ -69,21 +71,21 @@ func (m *Monolith) AddAllPublicRoutes(publicMux *mux.Router) {
publicMux, m.Config, m.KafkaConsumer, m.KafkaProducer, m.DeviceDB, m.AccountDB,
m.FedClient, m.RoomserverAPI,
m.EDUInternalAPI, m.AppserviceAPI, transactions.New(),
- m.FederationSenderAPI,
+ m.FederationSenderAPI, m.UserAPI,
)
- keyserver.AddPublicRoutes(publicMux, m.Config, m.DeviceDB, m.AccountDB)
+ keyserver.AddPublicRoutes(publicMux, m.Config, m.UserAPI)
federationapi.AddPublicRoutes(
publicMux, m.Config, m.AccountDB, m.DeviceDB, m.FedClient,
m.KeyRing, m.RoomserverAPI, m.AppserviceAPI, m.FederationSenderAPI,
m.EDUInternalAPI,
)
- mediaapi.AddPublicRoutes(publicMux, m.Config, m.DeviceDB)
+ mediaapi.AddPublicRoutes(publicMux, m.Config, m.UserAPI)
publicroomsapi.AddPublicRoutes(
- publicMux, m.Config, m.KafkaConsumer, m.DeviceDB, m.PublicRoomsDB, m.RoomserverAPI, m.FedClient,
+ publicMux, m.Config, m.KafkaConsumer, m.UserAPI, m.PublicRoomsDB, m.RoomserverAPI, m.FedClient,
m.ExtPublicRoomsProvider,
)
syncapi.AddPublicRoutes(
- publicMux, m.KafkaConsumer, m.DeviceDB, m.AccountDB, m.RoomserverAPI, m.FedClient, m.Config,
+ publicMux, m.KafkaConsumer, m.UserAPI, m.AccountDB, m.RoomserverAPI, m.FedClient, m.Config,
)
}
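Review bot: `m.UserAPI` is now handed to several route registrations in AddAllPublicRoutes, but nothing visible checks that the new Monolith field was populated. The code that builds Monolith is outside this diff; if any caller was not updated, the nil interface would probably surface only as a panic on the first authenticated request rather than at startup. Since token checking now depends on this field, a guard at the top of the function would make the failure immediate: `if m.UserAPI == nil { panic("setup: Monolith.UserAPI is not set") }`. The function's opening lines are outside the hunk.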