Control which users can start a SAS verification with Neb through regexes in the config

Signed-off-by: Nikos Filippakis <me@nfil.dev>
4 years ago · b48a9b4396
5 changed files with 31 additions and 6 deletions
--- a/api/api.go
+++ b/api/api.go
@ -78,11 +78,15 @@ type ClientConfig struct {
 	// The desired display name for this client.
 	// This does not automatically set the display name for this client. See /configureClient.
 	DisplayName string
+	// A list of regexes that control which users are allowed to start a SAS verification with this client.
+	// When a user starts a new SAS verification with us, their user ID has to match one of these regexes
+	// for the verification process to start.
+	AcceptVerificationFromUsers []string
 }

 // A IncomingDecimalSAS contains the decimal SAS as displayed on another device. The SAS consists of three numbers.
 type IncomingDecimalSAS struct {
-	// The matrix User ID of the user that Neb uses in the verification process. E.g. @alice:matrix.org
+	// The matrix User ID of the user that Neb uses in the verification process. E.g. @neb:localhost
 	UserID id.UserID
 	// The three numbers that the SAS consists of.
 	SAS [3]uint
--- a/api/handlers/client.go
+++ b/api/handlers/client.go
@ -100,11 +100,11 @@ func (s *VerifySAS) OnIncomingRequest(req *http.Request) util.JSONResponse {

 	var body api.IncomingDecimalSAS
 	if err := json.NewDecoder(req.Body).Decode(&body); err != nil {
-		return util.MessageResponse(400, "Error parsing request JSON")
+		return util.MessageResponse(400, "Error parsing request JSON: "+err.Error())
 	}

 	if err := body.Check(); err != nil {
-		return util.MessageResponse(400, "Error parsing client config")
+		return util.MessageResponse(400, "Request error: "+err.Error())
 	}

 	client, err := s.Clients.Client(body.UserID)
--- a/clients/bot_client.go
+++ b/clients/bot_client.go
@ -2,6 +2,7 @@ package clients

 import (
 	"errors"
+	"regexp"
 	"sync"
 	"time"

@ -59,8 +60,25 @@ func (botClient *BotClient) InitOlmMachine(client *mautrix.Client, nebStore *mat

 	botClient.stateStore = &NebStateStore{&nebStore.InMemoryStore}
 	olmMachine := crypto.NewOlmMachine(client, cryptoLogger, cryptoStore, botClient.stateStore)
-	olmMachine.AcceptVerificationFrom = func(_ string, _ *crypto.DeviceIdentity) (crypto.VerificationRequestResponse, crypto.VerificationHooks) {
-		return crypto.AcceptRequest, botClient
+
+	regexes := make([]*regexp.Regexp, 0, len(botClient.config.AcceptVerificationFromUsers))
+	for _, userRegex := range botClient.config.AcceptVerificationFromUsers {
+		regex, err := regexp.Compile(userRegex)
+		if err != nil {
+			cryptoLogger.Error("Error compiling regex %v: %v", userRegex, err)
+		} else {
+			regexes = append(regexes, regex)
+		}
+	}
+	olmMachine.AcceptVerificationFrom = func(_ string, otherDevice *crypto.DeviceIdentity) (crypto.VerificationRequestResponse, crypto.VerificationHooks) {
+		for _, regex := range regexes {
+			if regex.MatchString(otherDevice.UserID.String()) {
+				cryptoLogger.Trace("User ID %v matches regex %v, accepting SAS request", otherDevice.UserID, regex)
+				return crypto.AcceptRequest, botClient
+			}
+		}
+		cryptoLogger.Trace("User ID %v does not match any regex, rejecting SAS request", otherDevice.UserID)
+		return crypto.RejectRequest, botClient
 	}
 	if err = olmMachine.Load(); err != nil {
 		return
--- a/clients/clients.go
+++ b/clients/clients.go
@ -4,6 +4,7 @@ import (
 	"database/sql"
 	"fmt"
 	"net/http"
+	"reflect"
 	"strings"
 	"sync"

@ -111,7 +112,7 @@ func (c *Clients) updateClientInDB(newConfig api.ClientConfig) (new, old BotClie
 	defer c.dbMutex.Unlock()

 	old = c.getClient(newConfig.UserID)
-	if old.Client != nil && old.config == newConfig {
+	if old.Client != nil && reflect.DeepEqual(old.config, newConfig) {
 		// Already have a client with that config.
 		new = old
 		return
--- a/config.sample.yaml
+++ b/config.sample.yaml
@ -26,6 +26,7 @@ clients:
    Sync: true
    AutoJoinRooms: true
    DisplayName: "Go-NEB!"
+    AcceptVerificationFromUsers: [":localhost:8008"]

  - UserID: "@another_goneb:localhost"
    AccessToken: "MDASDASJDIASDJASDAFGFRGER"
@ -34,6 +35,7 @@ clients:
    Sync: false
    AutoJoinRooms: false
    DisplayName: "Go-NEB!"
+    AcceptVerificationFromUsers: ["^@admin:localhost:8008$"]

 # The list of realms which Go-NEB is aware of.
 # Delete or modify this list as appropriate.