Implement check for trusted ID server

src/github.com/matrix-org/dendrite/clientapi/readers/threepid.go

@@ -22,6 +22,7 @@ import (
 	"github.com/matrix-org/dendrite/clientapi/httputil"
 	"github.com/matrix-org/dendrite/clientapi/jsonerror"
 	"github.com/matrix-org/dendrite/clientapi/threepid"
+	"github.com/matrix-org/dendrite/common/config"
 
 	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/matrix-org/util"
@@ -38,7 +39,7 @@ type threePIDsResponse struct {
 // RequestEmailToken implements:
 //     POST /account/3pid/email/requestToken
 //     POST /register/email/requestToken
-func RequestEmailToken(req *http.Request, accountDB *accounts.Database) util.JSONResponse {
+func RequestEmailToken(req *http.Request, accountDB *accounts.Database, cfg config.Dendrite) util.JSONResponse {
 	var body threepid.EmailAssociationRequest
 	if reqErr := httputil.UnmarshalJSONRequest(req, &body); reqErr != nil {
 		return *reqErr
@@ -63,9 +64,9 @@ func RequestEmailToken(req *http.Request, accountDB *accounts.Database) util.JSO
 		}
 	}
 
-	resp.SID, err = threepid.CreateSession(body)
+	resp.SID, err = threepid.CreateSession(body, cfg)
 	if err != nil {
-		return httputil.LogThenError(req, err)
+		return threepid.ProcessIDServerError(req, err)
 	}
 
 	return util.JSONResponse{
@@ -77,6 +78,7 @@ func RequestEmailToken(req *http.Request, accountDB *accounts.Database) util.JSO
 // CheckAndSave3PIDAssociation implements POST /account/3pid
 func CheckAndSave3PIDAssociation(
 	req *http.Request, accountDB *accounts.Database, device *authtypes.Device,
+	cfg config.Dendrite,
 ) util.JSONResponse {
 	var body threepid.EmailAssociationCheckRequest
 	if reqErr := httputil.UnmarshalJSONRequest(req, &body); reqErr != nil {
@@ -84,9 +86,9 @@ func CheckAndSave3PIDAssociation(
 	}
 
 	// Check if the association has been validated
-	verified, address, medium, err := threepid.CheckAssociation(body.Creds)
+	verified, address, medium, err := threepid.CheckAssociation(body.Creds, cfg)
 	if err != nil {
-		return httputil.LogThenError(req, err)
+		return threepid.ProcessIDServerError(req, err)
 	}
 
 	if !verified {
@@ -101,8 +103,8 @@ func CheckAndSave3PIDAssociation(
 
 	if body.Bind {
 		// Publish the association on the identity server if requested
-		if err = threepid.PublishAssociation(body.Creds, device.UserID); err != nil {
-			return httputil.LogThenError(req, err)
+		if err = threepid.PublishAssociation(body.Creds, device.UserID, cfg); err != nil {
+			return threepid.ProcessIDServerError(req, err)
 		}
 	}
 

src/github.com/matrix-org/dendrite/clientapi/routing/routing.go

@@ -241,7 +241,7 @@ func Setup(
 
 	r0mux.Handle("/account/3pid",
 		common.MakeAuthAPI("account_3pid", deviceDB, func(req *http.Request, device *authtypes.Device) util.JSONResponse {
-			return readers.CheckAndSave3PIDAssociation(req, accountDB, device)
+			return readers.CheckAndSave3PIDAssociation(req, accountDB, device, cfg)
 		}),
 	).Methods("POST", "OPTIONS")
 
@@ -253,7 +253,7 @@ func Setup(
 
 	r0mux.Handle("/{path:(?:account/3pid|register)}/email/requestToken",
 		common.MakeAPI("account_3pid_request_token", func(req *http.Request) util.JSONResponse {
-			return readers.RequestEmailToken(req, accountDB)
+			return readers.RequestEmailToken(req, accountDB, cfg)
 		}),
 	).Methods("POST", "OPTIONS")
 

src/github.com/matrix-org/dendrite/clientapi/threepid/invites.go

@@ -66,6 +66,23 @@ type idServerStoreInviteResponse struct {
 	PublicKeys  []common.PublicKey `json:"public_keys"`
 }
 
+// ProcessIDServerError differentiate errors caused by the absence of the identity
+// server in the list of trusted servers in the configuration file from normal
+// errors caused by a failure in a process.
+// Returns the representation of a 400 error in the former case (without logging),
+// and the one of a 500 error in the latter (with logging of the error).
+func ProcessIDServerError(req *http.Request, err error) util.JSONResponse {
+	// Check whether this is an
+	mErr, ok := err.(*jsonerror.MatrixError)
+	if !ok || mErr.ErrCode != "M_SERVER_NOT_TRUSTED" {
+		return httputil.LogThenError(req, err)
+	}
+	return util.JSONResponse{
+		Code: 400,
+		JSON: mErr,
+	}
+}
+
 // CheckAndProcessInvite analyses the body of an incoming membership request.
 // If the fields relative to a third-party-invite are all supplied, lookups the
 // matching Matrix ID from the given identity server. If no Matrix ID is
@@ -99,7 +116,7 @@ func CheckAndProcessInvite(
 
 	lookupRes, storeInviteRes, err := queryIDServer(req, db, cfg, device, body, roomID)
 	if err != nil {
-		resErr := httputil.LogThenError(req, err)
+		resErr := ProcessIDServerError(req, err)
 		return &resErr
 	}
 
@@ -145,6 +162,10 @@ func queryIDServer(
 	req *http.Request, db *accounts.Database, cfg config.Dendrite,
 	device *authtypes.Device, body *MembershipRequest, roomID string,
 ) (lookupRes *idServerLookupResponse, storeInviteRes *idServerStoreInviteResponse, err error) {
+	if err = isTrusted(body.IDServer, cfg); err != nil {
+		return nil, nil, err
+	}
+
 	// Lookup the 3PID
 	lookupRes, err = queryIDServerLookup(body)
 	if err != nil {

src/github.com/matrix-org/dendrite/clientapi/threepid/threepid.go

@@ -22,6 +22,9 @@ import (
 	"net/url"
 	"strconv"
 	"strings"
+
+	"github.com/matrix-org/dendrite/clientapi/jsonerror"
+	"github.com/matrix-org/dendrite/common/config"
 )
 
 // EmailAssociationRequest represents the request defined at https://matrix.org/docs/spec/client_server/r0.2.0.html#post-matrix-client-r0-register-email-requesttoken
@@ -49,8 +52,10 @@ type Credentials struct {
 // Returns the session's ID.
 // Returns an error if there was a problem sending the request or decoding the
 // response, or if the identity server responded with a non-OK status.
-func CreateSession(req EmailAssociationRequest) (string, error) {
-	// TODO: Check if the ID server is trusted
+func CreateSession(req EmailAssociationRequest, cfg config.Dendrite) (string, error) {
+	if err := isTrusted(req.IDServer, cfg); err != nil {
+		return "", err
+	}
 
 	// Create a session on the ID server
 	postURL := fmt.Sprintf("https://%s/_matrix/identity/api/v1/validate/email/requestToken", req.IDServer)
@@ -93,8 +98,11 @@ func CreateSession(req EmailAssociationRequest) (string, error) {
 // identifier and its medium.
 // Returns an error if there was a problem sending the request or decoding the
 // response, or if the identity server responded with a non-OK status.
-func CheckAssociation(creds Credentials) (bool, string, string, error) {
-	// TODO: Check if the ID server is trusted
+func CheckAssociation(creds Credentials, cfg config.Dendrite) (bool, string, string, error) {
+	if err := isTrusted(creds.IDServer, cfg); err != nil {
+		return false, "", "", err
+	}
+
 	url := fmt.Sprintf("https://%s/_matrix/identity/api/v1/3pid/getValidated3pid?sid=%s&client_secret=%s", creds.IDServer, creds.SID, creds.Secret)
 	resp, err := http.Get(url)
 	if err != nil {
@@ -126,8 +134,11 @@ func CheckAssociation(creds Credentials) (bool, string, string, error) {
 // identifier and a Matrix ID.
 // Returns an error if there was a problem sending the request or decoding the
 // response, or if the identity server responded with a non-OK status.
-func PublishAssociation(creds Credentials, userID string) error {
-	// TODO: Check if the ID server is trusted
+func PublishAssociation(creds Credentials, userID string, cfg config.Dendrite) error {
+	if err := isTrusted(creds.IDServer, cfg); err != nil {
+		return err
+	}
+
 	postURL := fmt.Sprintf("https://%s/_matrix/identity/api/v1/3pid/bind", creds.IDServer)
 
 	data := url.Values{}
@@ -154,3 +165,13 @@ func PublishAssociation(creds Credentials, userID string) error {
 
 	return nil
 }
+
+// isTrusted checks if a given identity server is
+func isTrusted(idServer string, cfg config.Dendrite) error {
+	for _, server := range cfg.Matrix.TrustedIDServers {
+		if idServer == server {
+			return nil
+		}
+	}
+	return jsonerror.NotTrusted(idServer)
+}