From 597350a67f6fc803e1a81e4d651be3efbd0d5907 Mon Sep 17 00:00:00 2001 From: Jason Robinson Date: Mon, 4 Jan 2021 12:43:23 +0200 Subject: [PATCH] Ensure appservices can auth as users in their namespaces (#1672) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Ensure appservices can auth as users in their namespaces Currently in Dendrite appservices can only auth as a user if the user was created by said appservice. This does not align with the appservices spec which specifically says: > The application service may specify the virtual user to act as through use of a user_id query string parameter on the request. The user specified in the query string must be covered by one of the application service’s user namespaces. https://matrix.org/docs/spec/application_service/r0.1.2#identity-assertion In the case that a user has been created for example via manual registration but belongs to an appservice namespace, the current functionality does not allow appservices to auth as them. This PR fixes that by replacing the appservice ID check with a check against the appservice namespace. This also matches Synapse functionality, which I confirmed to allow appservices to auth as a user in their namespace, irregardless of how the user was registered. * Also allow appservice itself to auth with user_id Appservice user_id + access token check needs to work both when user_id is the appservice and when appservice has the user in their user namespace. Signed-off-by: Jason Robinson --- userapi/internal/api.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/userapi/internal/api.go b/userapi/internal/api.go index c1b9bcab..cf588a40 100644 --- a/userapi/internal/api.go +++ b/userapi/internal/api.go @@ -390,8 +390,9 @@ func (a *UserInternalAPI) queryAppServiceToken(ctx context.Context, token, appSe if localpart != "" { // AS is masquerading as another user // Verify that the user is registered account, err := a.AccountDB.GetAccountByLocalpart(ctx, localpart) - // Verify that account exists & appServiceID matches - if err == nil && account.AppServiceID == appService.ID { + // Verify that the account exists and either appServiceID matches or + // it belongs to the appservice user namespaces + if err == nil && (account.AppServiceID == appService.ID || appService.IsInterestedInUserID(appServiceUserID)) { // Set the userID of dummy device dev.UserID = appServiceUserID return &dev, nil