Add a toggle to disable signature verification

pietroalbini · pietroalbini · commit a5b48f534450 · 2017-07-05T15:21:57.000+02:00
diff --git a/botogram/bot.py b/botogram/bot.py
@@ -55,6 +55,8 @@ def __init__(self, api_connection):
 
         self.process_backlog = False
 
+        self.validate_callback_signatures = True
+
         self._lang = ""
         self._lang_inst = None
 
@@ -119,6 +121,13 @@ def __reduce__(self):
         return object.__reduce__(self)
 
     def __setattr__(self, name, value):
+        # Warn about disabled callback validation
+        if name == "validate_callback_signatures" and not value:
+            self.logger.warn("Your code disabled signature validation for "
+                             "callbacks!")
+            self.logger.warn("This can cause security issues. Please enable "
+                             "it again.")
+
         # Use the standard __setattr__
         return object.__setattr__(self, name, value)
 
@@ -256,6 +265,7 @@ def freeze(self):
         return frozenbot.FrozenBot(self.api, self.about, self.owner,
                                    self._hide_commands, self.before_help,
                                    self.after_help, self.link_preview_in_help,
+                                   self.validate_callback_signatures,
                                    self.process_backlog, self.lang,
                                    self.itself, self._commands_re,
                                    self._commands, chains, self._scheduler,
diff --git a/botogram/callbacks.py b/botogram/callbacks.py
@@ -116,9 +116,11 @@ def parse_callback_data(bot, chat, raw):
     name = prelude[16:]
     data = raw[32:]
 
-    correct = get_signature(bot, chat, name, data)
-    if not crypto.compare(correct, signature):
-        raise crypto.TamperedMessageError
+    # Don't check the signature if the user explicitly disabled the check
+    if bot.validate_callback_signatures:
+        correct = get_signature(bot, chat, name, data)
+        if not crypto.compare(correct, signature):
+            raise crypto.TamperedMessageError
 
     if data:
         return name, data.decode("utf-8")
diff --git a/botogram/frozenbot.py b/botogram/frozenbot.py
@@ -33,9 +33,10 @@ class FrozenBot:
     """A frozen version of botogram.Bot"""
 
     def __init__(self, api, about, owner, hide_commands, before_help,
-                 after_help, link_preview_in_help, process_backlog, lang,
-                 itself, commands_re, commands, chains, scheduler,
-                 main_component_id, bot_id, shared_memory, update_processors):
+                 after_help, link_preview_in_help,
+                 validate_callback_signatures, process_backlog, lang, itself,
+                 commands_re, commands, chains, scheduler, main_component_id,
+                 bot_id, shared_memory, update_processors):
         # This attribute should be added with the default setattr, because is
         # needed by the custom setattr
         object.__setattr__(self, "_frozen", False)
@@ -48,6 +49,7 @@ def __init__(self, api, about, owner, hide_commands, before_help,
         self.before_help = before_help
         self.after_help = after_help
         self.link_preview_in_help = link_preview_in_help
+        self.validate_callback_signatures = validate_callback_signatures
         self.process_backlog = process_backlog
         self.lang = lang
         self._commands_re = commands_re
@@ -77,10 +79,10 @@ def __reduce__(self):
         args = (
             self.api, self.about, self.owner, self._hide_commands,
             self.before_help, self.after_help, self.link_preview_in_help,
-            self.process_backlog, self.lang, self.itself, self._commands_re,
-            self._commands, self._chains, self._scheduler,
-            self._main_component_id, self._bot_id, self._shared_memory,
-            self._update_processors,
+            self.validate_callback_signatures, self.process_backlog, self.lang,
+            self.itself, self._commands_re, self._commands, self._chains,
+            self._scheduler, self._main_component_id, self._bot_id,
+            self._shared_memory, self._update_processors,
         )
         return restore, args
 
diff --git a/docs/api/bot.rst b/docs/api/bot.rst
@@ -60,6 +60,17 @@ components.
 
       .. versionadded:: 0.4
 
+   .. py:attribute:: validate_callback_signatures
+
+      Enable or disable signature verification for callbacks. Disabling them
+      can cause security issues for your bot, and it's advised to do so only if
+      you changed the bot token recently. See the :ref:`security section for
+      callbacks <buttons-security>` for more details.
+
+      The default value is **True**.
+
+      .. versionadded:: 0.4
+
    .. py:attribute:: process_backlog
 
       A boolean representing if the backlog should be processed. Backlog is
diff --git a/docs/buttons.rst b/docs/buttons.rst
@@ -235,3 +235,16 @@ This protection is completly transparent: you don't have to do anything to
 enable or manage it. The signature is based on the token of the bot though:
 this means if you revoke or change the token, all previous callbacks will
 become invalid, which may annoy your users because old buttons stop working.
+
+If you want to avoid disruption after changing your bot's token, it's advised
+to disable signature verification for a few days: it lowers the security of
+your bot, but allows the user to keep using buttons under old messages. In
+order to disable the verification you need to add this snippet of code before
+the bot is started:
+
+.. code-block:: python
+
+   bot.validate_callback_signatures = False
+
+You should remove the snippet after a few days. The bot will print a
+warning at startup to remember you to do so.
diff --git a/docs/changelog/0.4.rst b/docs/changelog/0.4.rst
@@ -21,6 +21,7 @@ New features
 
 * Added support for :ref:`buttons and callbacks <buttons>`
 
+  * New attribute :py:attr:`botogram.Bot.validate_callback_signatures`
   * New class :py:class:`botogram.Buttons`
   * New class :py:class:`botogram.ButtonsRow`
   * New class :py:class:`botogram.CallbackQuery`
diff --git a/tests/test_callbacks.py b/tests/test_callbacks.py
@@ -20,10 +20,13 @@
 
 import json
 
+import pytest
+
 from botogram.callbacks import Buttons, parse_callback_data, get_callback_data
 from botogram.callbacks import hashed_callback_name
 from botogram.components import Component
 from botogram.context import Context
+from botogram.crypto import TamperedMessageError
 from botogram.hooks import Hook
 
 
@@ -84,3 +87,16 @@ def test_parse_callback_data(bot, sample_update):
         hashed_callback_name("test_callback"),
         None,
     )
+
+    with pytest.raises(TamperedMessageError):
+        raw = get_callback_data(bot, c, "test_callback", "data") + "!"
+        parse_callback_data(bot, c, raw)
+
+    # Now test with disabled signature verification
+    bot.validate_callback_signatures = False
+
+    raw = get_callback_data(bot, c, "test_callback", "data") + "!"
+    assert parse_callback_data(bot, c, raw) == (
+        hashed_callback_name("test_callback"),
+        "data!"
+    )
