From b48a9b43968023450cfabda22538b1ec877fe21a Mon Sep 17 00:00:00 2001
From: Nikos Filippakis
Date: Tue, 18 Aug 2020 10:47:21 +0200
Subject: [PATCH] Control which users can start a SAS verification with Neb through regexes in the config

Signed-off-by: Nikos Filippakis
---
 api/api.go | 6 +++++-
 api/handlers/client.go | 4 ++--
 clients/bot_client.go | 22 ++++++++++++++++++++--
 clients/clients.go | 3 ++-
 config.sample.yaml | 2 ++
 5 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/api/api.go b/api/api.go
index 7b5b240..a49fefa 100644
--- a/api/api.go
+++ b/api/api.go
@@ -78,11 +78,15 @@ type ClientConfig struct {
 	// The desired display name for this client.
 	// This does not automatically set the display name for this client. See /configureClient.
 	DisplayName string
+	// A list of regexes that control which users are allowed to start a SAS verification with this client.
+	// When a user starts a new SAS verification with us, their user ID has to match one of these regexes
+	// for the verification process to start.
+	AcceptVerificationFromUsers []string
 }
 
 // A IncomingDecimalSAS contains the decimal SAS as displayed on another device. The SAS consists of three numbers.
 type IncomingDecimalSAS struct {
-	// The matrix User ID of the user that Neb uses in the verification process. E.g. @alice:matrix.org
+	// The matrix User ID of the user that Neb uses in the verification process. E.g. @neb:localhost
 	UserID id.UserID
 	// The three numbers that the SAS consists of.
 	SAS [3]uint
diff --git a/api/handlers/client.go b/api/handlers/client.go
index b906a90..d057b64 100644
--- a/api/handlers/client.go
+++ b/api/handlers/client.go
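Review bot: The comment on the new `AcceptVerificationFromUsers` field does not say what an empty or omitted list means, which per the bot_client.go change in this same patch is that every incoming SAS request is rejected — a sensible default-deny, but a change from the previous accept-all behaviour that operators upgrading an existing config should be told about. It also does not say that the patterns are evaluated with `MatchString`, i.e. they match a substring unless anchored. I would extend the comment with `// An empty list rejects every verification request. Patterns are matched with regexp.MatchString,` and `// so anchor them (e.g. "^@admin:example.org$") to avoid accepting user IDs that merely contain the pattern.` ClientConfig's definition starts outside the hunk.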
@@ -100,11 +100,11 @@ func (s *VerifySAS) OnIncomingRequest(req *http.Request) util.JSONResponse {
 
 	var body api.IncomingDecimalSAS
 	if err := json.NewDecoder(req.Body).Decode(&body); err != nil {
-		return util.MessageResponse(400, "Error parsing request JSON")
+		return util.MessageResponse(400, "Error parsing request JSON: "+err.Error())
 	}
 
 	if err := body.Check(); err != nil {
-		return util.MessageResponse(400, "Error parsing client config")
+		return util.MessageResponse(400, "Request error: "+err.Error())
 	}
 
 	client, err := s.Clients.Client(body.UserID)
diff --git a/clients/bot_client.go b/clients/bot_client.go
index c56a38a..bee4c33 100644
--- a/clients/bot_client.go
+++ b/clients/bot_client.go
@@ -2,6 +2,7 @@ package clients
 
 import (
 	"errors"
+	"regexp"
 	"sync"
 	"time"
 
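Review bot: The 400 response on the `Decode` failure now echoes the raw encoding/json error to the caller, and those messages include Go type and field names (for example the struct field and `uint` type of `IncomingDecimalSAS.SAS`). That is harmless if /verifySAS is an operator-only endpoint, which the hunk does not show either way, but if it is reachable by untrusted clients it is better to log `err` server-side and keep the body generic, e.g. `return util.MessageResponse(400, "Error parsing request JSON")` with a log line carrying `err`. The `body.Check()` change is fine as long as `Check` returns messages written for the caller. OnIncomingRequest continues outside the hunk.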
@@ -59,8 +60,25 @@ func (botClient *BotClient) InitOlmMachine(client *mautrix.Client, nebStore *mat
 
 	botClient.stateStore = &NebStateStore{&nebStore.InMemoryStore}
 	olmMachine := crypto.NewOlmMachine(client, cryptoLogger, cryptoStore, botClient.stateStore)
-	olmMachine.AcceptVerificationFrom = func(_ string, _ *crypto.DeviceIdentity) (crypto.VerificationRequestResponse, crypto.VerificationHooks) {
-		return crypto.AcceptRequest, botClient
+
+	regexes := make([]*regexp.Regexp, 0, len(botClient.config.AcceptVerificationFromUsers))
+	for _, userRegex := range botClient.config.AcceptVerificationFromUsers {
+		regex, err := regexp.Compile(userRegex)
+		if err != nil {
+			cryptoLogger.Error("Error compiling regex %v: %v", userRegex, err)
+		} else {
+			regexes = append(regexes, regex)
+		}
+	}
+	olmMachine.AcceptVerificationFrom = func(_ string, otherDevice *crypto.DeviceIdentity) (crypto.VerificationRequestResponse, crypto.VerificationHooks) {
+		for _, regex := range regexes {
+			if regex.MatchString(otherDevice.UserID.String()) {
+				cryptoLogger.Trace("User ID %v matches regex %v, accepting SAS request", otherDevice.UserID, regex)
+				return crypto.AcceptRequest, botClient
+			}
+		}
+		cryptoLogger.Trace("User ID %v does not match any regex, rejecting SAS request", otherDevice.UserID)
+		return crypto.RejectRequest, botClient
 	}
 	if err = olmMachine.Load(); err != nil {
 		return
diff --git a/clients/clients.go b/clients/clients.go
index 07272fe..0e5816c 100644
--- a/clients/clients.go
+++ b/clients/clients.go
@@ -4,6 +4,7 @@ import (
 	"database/sql"
 	"fmt"
 	"net/http"
+	"reflect"
 	"strings"
 	"sync"
 
@@ -111,7 +112,7 @@ func (c *Clients) updateClientInDB(newConfig api.ClientConfig) (new, old BotClie
 	defer c.dbMutex.Unlock()
 
 	old = c.getClient(newConfig.UserID)
-	if old.Client != nil && old.config == newConfig {
+	if old.Client != nil && reflect.DeepEqual(old.config, newConfig) {
 		// Already have a client with that config.
 		new = old
 		return
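Review bot: The allowlist is applied with `regex.MatchString`, which is a substring search, so an unanchored entry such as `@admin:example.org` also accepts `@admin:example.org.attacker.net`, and the sample `":localhost:8008"` accepts any user ID that merely contains that text; compile each pattern anchored, `"^(?:" + userRegex + ")$"`, and update the sample config to full-ID patterns to match. The `regexp.Compile` failure branch logs the bad pattern and then drops it, so a typo silently shrinks the allowlist instead of surfacing the misconfiguration; the bare `return` after `olmMachine.Load()` suggests `err` is a named result, in which case it is safer to set it and return. The Trace-level log on rejection will be invisible in normal operation, and a refused verification attempt is exactly the event an operator wants to see, so I would raise it to a level the logger surfaces by default. InitOlmMachine starts and ends outside the hunk.
```go
	regexes := make([]*regexp.Regexp, 0, len(botClient.config.AcceptVerificationFromUsers))
	for _, userRegex := range botClient.config.AcceptVerificationFromUsers {
		// MatchString is a substring search; anchor so the whole user ID must match.
		regex, compileErr := regexp.Compile("^(?:" + userRegex + ")$")
		if compileErr != nil {
			// A dropped pattern silently changes the allowlist, so refuse to start instead.
			err = errors.New("invalid AcceptVerificationFromUsers pattern " + userRegex + ": " + compileErr.Error())
			return
		}
		regexes = append(regexes, regex)
	}
	// … unchanged: AcceptVerificationFrom closure …
```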
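Review bot: `reflect.DeepEqual` distinguishes a nil `AcceptVerificationFromUsers` from an empty non-nil slice, so two configs that mean the same thing (key omitted versus `[]`) compare unequal here and skip the "already have a client" shortcut; from the visible lines the cost is only a needless client rebuild, but normalising nil to empty before comparing, or comparing field by field, avoids it. The switch away from `==` is forced because the new slice field makes ClientConfig non-comparable, and a one-line comment saying so would spare the next reader a detour, e.g. `// ClientConfig holds a slice, so it is no longer comparable with ==.` updateClientInDB starts before and ends after the hunk.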
diff --git a/config.sample.yaml b/config.sample.yaml
index 00c10c2..e48c2ea 100644
--- a/config.sample.yaml
+++ b/config.sample.yaml
@@ -26,6 +26,7 @@ clients:
     Sync: true
     AutoJoinRooms: true
     DisplayName: "Go-NEB!"
+    AcceptVerificationFromUsers: [":localhost:8008"]
 
   - UserID: "@another_goneb:localhost"
     AccessToken: "MDASDASJDIASDJASDAFGFRGER"
@@ -34,6 +35,7 @@ clients:
     Sync: false
     AutoJoinRooms: false
     DisplayName: "Go-NEB!"
+    AcceptVerificationFromUsers: ["^@admin:localhost:8008$"]
 
 # The list of realms which Go-NEB is aware of.
 # Delete or modify this list as appropriate.
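Review bot: The sample pattern `":localhost:8008"` is unanchored and, as the bot_client.go change in this patch applies it with `MatchString`, it accepts any user ID containing that text rather than only users of this homeserver; it also cannot match users in the ID form the sample itself uses (`@another_goneb:localhost`, no port) unless the homeserver's server_name is really `localhost:8008`, which the file does not show. I would use an anchored full-ID pattern such as `AcceptVerificationFromUsers: ["^@[^:]+:localhost$"]`, matching the `^…$` style of the second sample, and add a comment above it: `# Patterns must match the whole user ID; unanchored patterns match any ID containing them.`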