Implement shared secret registration (#257)

* Implement shared secret registration * Use HexString from gomatrixserverlib * Correctly check username validility
2025-10-11 11:52:46 +00:00 · 2017-09-22 16:13:19 +01:00 · 2017-09-22 16:13:19 +01:00 · 8dabca0f07
commit 8dabca0f07
parent 0218063339
8 changed files with 299 additions and 12 deletions
--- a/src/github.com/matrix-org/dendrite/clientapi/auth/authtypes/logintypes.go
+++ b/src/github.com/matrix-org/dendrite/clientapi/auth/authtypes/logintypes.go
@ -5,5 +5,6 @@ type LoginType string

 // The relevant login types implemented in Dendrite
 const (
-	LoginTypeDummy = "m.login.dummy"
+	LoginTypeDummy        = "m.login.dummy"
+	LoginTypeSharedSecret = "org.matrix.login.shared_secret"
 )
--- a/src/github.com/matrix-org/dendrite/clientapi/jsonerror/jsonerror.go
+++ b/src/github.com/matrix-org/dendrite/clientapi/jsonerror/jsonerror.go
@ -85,6 +85,12 @@ func WeakPassword(msg string) *MatrixError {
 	return &MatrixError{"M_WEAK_PASSWORD", msg}
 }

+// InvalidUsername is an error returned when the client tries to register an
+// invalid username
+func InvalidUsername(msg string) *MatrixError {
+	return &MatrixError{"M_INVALID_USERNAME", msg}
+}
+
 // GuestAccessForbidden is an error which is returned when the client is
 // forbidden from accessing a resource as a guest.
 func GuestAccessForbidden(msg string) *MatrixError {
--- a/src/github.com/matrix-org/dendrite/clientapi/routing/routing.go
+++ b/src/github.com/matrix-org/dendrite/clientapi/routing/routing.go
@ -34,6 +34,7 @@ import (
 	"github.com/matrix-org/util"
 )

+const pathPrefixV1 = "/_matrix/client/api/v1"
 const pathPrefixR0 = "/_matrix/client/r0"
 const pathPrefixUnstable = "/_matrix/client/unstable"

@ -67,6 +68,7 @@ func Setup(
 	).Methods("GET")

 	r0mux := apiMux.PathPrefix(pathPrefixR0).Subrouter()
+	v1mux := apiMux.PathPrefix(pathPrefixV1).Subrouter()
 	unstableMux := apiMux.PathPrefix(pathPrefixUnstable).Subrouter()

 	r0mux.Handle("/createRoom",
@ -115,7 +117,11 @@ func Setup(
 	).Methods("PUT", "OPTIONS")

 	r0mux.Handle("/register", common.MakeAPI("register", func(req *http.Request) util.JSONResponse {
-		return writers.Register(req, accountDB, deviceDB)
+		return writers.Register(req, accountDB, deviceDB, &cfg)
+	})).Methods("POST", "OPTIONS")
+
+	v1mux.Handle("/register", common.MakeAPI("register", func(req *http.Request) util.JSONResponse {
+		return writers.LegacyRegister(req, accountDB, deviceDB, &cfg)
 	})).Methods("POST", "OPTIONS")

 	r0mux.Handle("/directory/room/{roomAlias}",
--- a/src/github.com/matrix-org/dendrite/clientapi/writers/register.go
+++ b/src/github.com/matrix-org/dendrite/clientapi/writers/register.go
@ -2,10 +2,17 @@ package writers

 import (
 	"context"
+	"crypto/hmac"
+	"crypto/sha1"
+	"errors"
 	"fmt"
 	"net/http"
+	"regexp"
+	"strings"
 	"time"

+	"github.com/matrix-org/dendrite/common/config"
+
 	log "github.com/Sirupsen/logrus"
 	"github.com/matrix-org/dendrite/clientapi/auth"
 	"github.com/matrix-org/dendrite/clientapi/auth/authtypes"
@ -23,6 +30,8 @@ const (
 	maxUsernameLength = 254 // http://matrix.org/speculator/spec/HEAD/intro.html#user-identifiers TODO account for domain
 )

+var validUsernameRegex = regexp.MustCompile(`^[0-9a-zA-Z_\-./]+$`)
+
 // registerRequest represents the submitted registration request.
 // It can be broken down into 2 sections: the auth dictionary and registration parameters.
 // Registration parameters vary depending on the request, and will need to remembered across
@ -33,13 +42,15 @@ type registerRequest struct {
 	// registration parameters.
 	Password string `json:"password"`
 	Username string `json:"username"`
+	Admin    bool   `json:"admin"`
 	// user-interactive auth params
 	Auth authDict `json:"auth"`
 }

 type authDict struct {
-	Type    authtypes.LoginType `json:"type"`
-	Session string              `json:"session"`
+	Type    authtypes.LoginType         `json:"type"`
+	Session string                      `json:"session"`
+	Mac     gomatrixserverlib.HexString `json:"mac"`
 	// TODO: Lots of custom keys depending on the type
 }

@ -57,6 +68,15 @@ type authFlow struct {
 	Stages []authtypes.LoginType `json:"stages"`
 }

+// legacyRegisterRequest represents the submitted registration request for v1 API.
+type legacyRegisterRequest struct {
+	Password string                      `json:"password"`
+	Username string                      `json:"user"`
+	Admin    bool                        `json:"admin"`
+	Type     authtypes.LoginType         `json:"type"`
+	Mac      gomatrixserverlib.HexString `json:"mac"`
+}
+
 func newUserInteractiveResponse(sessionID string, fs []authFlow) userInteractiveResponse {
 	return userInteractiveResponse{
 		fs, []authtypes.LoginType{}, make(map[string]interface{}), sessionID,
@ -71,36 +91,51 @@ type registerResponse struct {
 	DeviceID    string                       `json:"device_id"`
 }

-// Validate returns an error response if the request fails to validate.
-func (r *registerRequest) Validate() *util.JSONResponse {
+// Validate returns an error response if the username/password are invalid
+func validate(username, password string) *util.JSONResponse {
 	// https://github.com/matrix-org/synapse/blob/v0.20.0/synapse/rest/client/v2_alpha/register.py#L161
-	if len(r.Password) > maxPasswordLength {
+	if len(password) > maxPasswordLength {
 		return &util.JSONResponse{
 			Code: 400,
 			JSON: jsonerror.BadJSON(fmt.Sprintf("'password' >%d characters", maxPasswordLength)),
 		}
-	} else if len(r.Username) > maxUsernameLength {
+	} else if len(username) > maxUsernameLength {
 		return &util.JSONResponse{
 			Code: 400,
 			JSON: jsonerror.BadJSON(fmt.Sprintf("'username' >%d characters", maxUsernameLength)),
 		}
-	} else if len(r.Password) > 0 && len(r.Password) < minPasswordLength {
+	} else if len(password) > 0 && len(password) < minPasswordLength {
 		return &util.JSONResponse{
 			Code: 400,
 			JSON: jsonerror.WeakPassword(fmt.Sprintf("password too weak: min %d chars", minPasswordLength)),
 		}
+	} else if !validUsernameRegex.MatchString(username) {
+		return &util.JSONResponse{
+			Code: 400,
+			JSON: jsonerror.InvalidUsername("User ID can only contain characters a-z, 0-9, or '_-./'"),
+		}
+	} else if username[0] == '_' { // Regex checks its not a zero length string
+		return &util.JSONResponse{
+			Code: 400,
+			JSON: jsonerror.InvalidUsername("User ID can't start with a '_'"),
+		}
 	}
 	return nil
 }

 // Register processes a /register request. http://matrix.org/speculator/spec/HEAD/client_server/unstable.html#post-matrix-client-unstable-register
-func Register(req *http.Request, accountDB *accounts.Database, deviceDB *devices.Database) util.JSONResponse {
+func Register(
+	req *http.Request,
+	accountDB *accounts.Database,
+	deviceDB *devices.Database,
+	cfg *config.Dendrite,
+) util.JSONResponse {
 	var r registerRequest
 	resErr := httputil.UnmarshalJSONRequest(req, &r)
 	if resErr != nil {
 		return *resErr
 	}
-	if resErr = r.Validate(); resErr != nil {
+	if resErr = validate(r.Username, r.Password); resErr != nil {
 		return *resErr
 	}

@ -124,6 +159,7 @@ func Register(req *http.Request, accountDB *accounts.Database, deviceDB *devices
 			//       Server admins should be able to change things around (eg enable captcha)
 			JSON: newUserInteractiveResponse(time.Now().String(), []authFlow{
 				{[]authtypes.LoginType{authtypes.LoginTypeDummy}},
+				{[]authtypes.LoginType{authtypes.LoginTypeSharedSecret}},
 			}),
 		}
 	}
@ -133,6 +169,79 @@ func Register(req *http.Request, accountDB *accounts.Database, deviceDB *devices

 	// TODO: email / msisdn / recaptcha auth types.
 	switch r.Auth.Type {
+	case authtypes.LoginTypeSharedSecret:
+		if cfg.Matrix.RegistrationSharedSecret == "" {
+			return util.MessageResponse(400, "Shared secret registration is disabled")
+		}
+
+		valid, err := isValidMacLogin(r.Username, r.Password, r.Admin, r.Auth.Mac, cfg.Matrix.RegistrationSharedSecret)
+
+		if err != nil {
+			return httputil.LogThenError(req, err)
+		}
+
+		if !valid {
+			return util.MessageResponse(403, "HMAC incorrect")
+		}
+
+		return completeRegistration(req.Context(), accountDB, deviceDB, r.Username, r.Password)
+	case authtypes.LoginTypeDummy:
+		// there is nothing to do
+		return completeRegistration(req.Context(), accountDB, deviceDB, r.Username, r.Password)
+	default:
+		return util.JSONResponse{
+			Code: 501,
+			JSON: jsonerror.Unknown("unknown/unimplemented auth type"),
+		}
+	}
+}
+
+// LegacyRegister process register requests from the legacy v1 API
+func LegacyRegister(
+	req *http.Request,
+	accountDB *accounts.Database,
+	deviceDB *devices.Database,
+	cfg *config.Dendrite,
+) util.JSONResponse {
+	var r legacyRegisterRequest
+	resErr := httputil.UnmarshalJSONRequest(req, &r)
+	if resErr != nil {
+		return *resErr
+	}
+	if resErr = validate(r.Username, r.Password); resErr != nil {
+		return *resErr
+	}
+
+	logger := util.GetLogger(req.Context())
+	logger.WithFields(log.Fields{
+		"username":  r.Username,
+		"auth.type": r.Type,
+	}).Info("Processing registration request")
+
+	// All registration requests must specify what auth they are using to perform this request
+	if r.Type == "" {
+		return util.JSONResponse{
+			Code: 400,
+			JSON: jsonerror.BadJSON("invalid type"),
+		}
+	}
+
+	switch r.Type {
+	case authtypes.LoginTypeSharedSecret:
+		if cfg.Matrix.RegistrationSharedSecret == "" {
+			return util.MessageResponse(400, "Shared secret registration is disabled")
+		}
+
+		valid, err := isValidMacLogin(r.Username, r.Password, r.Admin, r.Mac, cfg.Matrix.RegistrationSharedSecret)
+		if err != nil {
+			return httputil.LogThenError(req, err)
+		}
+
+		if !valid {
+			return util.MessageResponse(403, "HMAC incorrect")
+		}
+
+		return completeRegistration(req.Context(), accountDB, deviceDB, r.Username, r.Password)
 	case authtypes.LoginTypeDummy:
 		// there is nothing to do
 		return completeRegistration(req.Context(), accountDB, deviceDB, r.Username, r.Password)
@ -198,3 +307,39 @@ func completeRegistration(
 		},
 	}
 }
+
+// Used for shared secret registration.
+// Checks if the username, password and isAdmin flag matches the given mac.
+func isValidMacLogin(
+	username, password string,
+	isAdmin bool,
+	givenMac []byte,
+	sharedSecret string,
+) (bool, error) {
+	// Double check that username/passowrd don't contain the HMAC delimiters. We should have
+	// already checked this.
+	if strings.Contains(username, "\x00") {
+		return false, errors.New("Username contains invalid character")
+	}
+	if strings.Contains(password, "\x00") {
+		return false, errors.New("Password contains invalid character")
+	}
+	if sharedSecret == "" {
+		return false, errors.New("Shared secret registration is disabled")
+	}
+
+	adminString := "notadmin"
+	if isAdmin {
+		adminString = "admin"
+	}
+	joined := strings.Join([]string{username, password, adminString}, "\x00")
+
+	mac := hmac.New(sha1.New, []byte(sharedSecret))
+	_, err := mac.Write([]byte(joined))
+	if err != nil {
+		return false, err
+	}
+	expectedMAC := mac.Sum(nil)
+
+	return hmac.Equal(givenMac, expectedMAC), nil
+}
--- a/src/github.com/matrix-org/dendrite/common/config/config.go
+++ b/src/github.com/matrix-org/dendrite/common/config/config.go
@ -74,6 +74,9 @@ type Dendrite struct {
 		// verify third-party identifiers.
 		// Defaults to an empty array.
 		TrustedIDServers []string `yaml:"trusted_third_party_id_servers"`
+		// If set, allows registration by anyone who also has the shared
+		// secret, even if registration is otherwise disabled.
+		RegistrationSharedSecret string `yaml:"registration_shared_secret"`
 	} `yaml:"matrix"`

 	// The configuration specific to the media repostitory.