matrix-org · Half-Shot · Sep 18, 2020 · Sep 15, 2020 · Sep 15, 2020 · Sep 16, 2020
@@ -0,0 +1 @@
+Add `uk.half-shot.msc2778.login.application_service` login type to allow appservices to login.
@@ -18,6 +18,7 @@
 
 from synapse.api.errors import Codes, LoginError, SynapseError
 from synapse.api.ratelimiting import Ratelimiter
+from synapse.appservice import ApplicationService
 from synapse.handlers.auth import (
     convert_client_dict_legacy_fields_to_identifier,
     login_id_phone_to_thirdparty,
@@ -39,6 +40,7 @@
 
 class LoginRestServlet(RestServlet):
     PATTERNS = client_patterns("/login$", v1=True)
+    APPSERVICE_TYPE = "uk.half-shot.msc2778.login.application_service"
     CAS_TYPE = "m.login.cas"
     SSO_TYPE = "m.login.sso"
     TOKEN_TYPE = "m.login.token"
@@ -61,6 +63,8 @@ def __init__(self, hs):
         self.cas_enabled = hs.config.cas_enabled
         self.oidc_enabled = hs.config.oidc_enabled
 
+        self.auth = hs.get_auth()
+
         self.auth_handler = self.hs.get_auth_handler()
         self.registration_handler = hs.get_registration_handler()
         self.handlers = hs.get_handlers()
@@ -116,6 +120,11 @@ async def on_POST(self, request: SynapseRequest):
         self._address_ratelimiter.ratelimit(request.getClientIP())
 
         login_submission = parse_json_object_from_request(request)
+
+        appservice = None
+        if self.auth.has_access_token(request):
+            appservice = self.auth.get_appservice_by_req(request)
+
         try:
             if self.jwt_enabled and (
                 login_submission["type"] == LoginRestServlet.JWT_TYPE
@@ -125,7 +134,7 @@ async def on_POST(self, request: SynapseRequest):
             elif login_submission["type"] == LoginRestServlet.TOKEN_TYPE:
                 result = await self._do_token_login(login_submission)
             else:
-                result = await self._do_other_login(login_submission)
+                result = await self._do_other_login(login_submission, appservice)
         except KeyError:
             raise SynapseError(400, "Missing JSON keys.")
 
@@ -134,7 +143,9 @@ async def on_POST(self, request: SynapseRequest):
             result["well_known"] = well_known_data
         return 200, result
 
-    async def _do_other_login(self, login_submission: JsonDict) -> Dict[str, str]:
+    async def _do_other_login(
+        self, login_submission: JsonDict, appservice: Optional[ApplicationService]
+    ) -> Dict[str, str]:
         """Handle non-token/saml/jwt logins
 
         Args:
@@ -229,6 +240,15 @@ async def _do_other_login(self, login_submission: JsonDict) -> Dict[str, str]:
         else:
             qualified_user_id = UserID(identifier["user"], self.hs.hostname).to_string()
 
+        if login_submission["type"] == LoginRestServlet.APPSERVICE_TYPE:
+            if appservice is None or not appservice.is_interested_in_user(
+                qualified_user_id
+            ):
+                raise LoginError(403, "Invalid access_token", errcode=Codes.FORBIDDEN)
+
+            result = await self._complete_login(qualified_user_id, login_submission)
+            return result
+
         # Check if we've hit the failed ratelimit (but don't update it)
         self._failed_attempts_ratelimiter.ratelimit(
             qualified_user_id.lower(), update=False

@@ -7,8 +7,9 @@
 import jwt
 
 import synapse.rest.admin
+from synapse.appservice import ApplicationService
 from synapse.rest.client.v1 import login, logout
-from synapse.rest.client.v2_alpha import devices
+from synapse.rest.client.v2_alpha import devices, register
 from synapse.rest.client.v2_alpha.account import WhoamiRestServlet
 
 from tests import unittest
@@ -748,3 +749,74 @@ def test_login_jwt_invalid_signature(self):
             channel.json_body["error"],
             "JWT validation failed: Signature verification failed",
         )
+
+
+AS_USER = "as_user_alice"
+
+
+class AppserviceLoginRestServletTestCase(unittest.HomeserverTestCase):
+    servlets = [
+        login.register_servlets,
+        register.register_servlets,
+        lambda hs, http_server: WhoamiRestServlet(hs).register(http_server),
+    ]
+
+    def register_as_user(self, username):
+        request, channel = self.make_request(
+            b"POST",
+            f"/_matrix/client/r0/register?access_token={self.service.token}",
+            {"username": username},
+        )
+        self.render(request)
+
+    def make_homeserver(self, reactor, clock):
+        self.hs = self.setup_test_homeserver()
+
+        self.service = ApplicationService(
+            id="unique_identifier",
+            token="some_token",
+            hostname="example.com",
+            sender="@asbot:example.com",
+            namespaces={
+                ApplicationService.NS_USERS: [
+                    {"regex": r"@as_user.*", "exclusive": False}
+                ],
+                ApplicationService.NS_ROOMS: [],
+                ApplicationService.NS_ALIASES: [],
+            },
+        )
+
+        self.hs.get_datastore().services_cache.append(self.service)
+        return self.hs
+
+    def test_login_appservice_user(self):
+        """Test that an appservice user can use /login
+        """
+        self.register_as_user(AS_USER)
+
+        params = {
+            "type": login.LoginRestServlet.APPSERVICE_TYPE,
+            "identifier": {"type": "m.id.user", "user": AS_USER},
+        }
+        request, channel = self.make_request(
+            b"POST", LOGIN_URL, params, access_token=self.service.token
+        )
+
+        self.render(request)
+        self.assertEquals(channel.result["code"], b"200", channel.result)
+
+    def test_login_appservice_user_bot(self):
+        """Test that the appservice bot can use /login
+        """
+        self.register_as_user(AS_USER)
+
+        params = {
+            "type": login.LoginRestServlet.APPSERVICE_TYPE,
+            "identifier": {"type": "m.id.user", "user": self.service.sender},
+        }
+        request, channel = self.make_request(
+            b"POST", LOGIN_URL, params, access_token=self.service.token
+        )
+
+        self.render(request)
+        self.assertEquals(channel.result["code"], b"200", channel.result)