verify devices with emojis

2022-10-26 13:25:47 +02:00 · 2022-10-26 13:25:47 +02:00 · 004a575c81
commit 004a575c81
parent 0703517f85
7 changed files with 186 additions and 14 deletions
--- a/config.sample.yaml
+++ b/config.sample.yaml
@ -9,22 +9,34 @@ command_prefix: "!alert"
 matrix:
  # The Matrix User ID of the bot account
  user_id: "@bot:matrix.example.com"
+
  # Matrix account password (optional if access token used)
  user_password: "password"
+
  # Matrix account access token (optional if password used)
+  # If not set, the server will provide an access token after log in,
+  # which will be stored in the user token file (see below)
  #user_token: ""
+
+  # Path to the file where to store the user access token
+  user_token_file: "token.json"
+
  # The URL of the homeserver to connect to
  url: https://matrix.example.com
+
  # The device ID that is **non pre-existing** device
  # If this device ID already exists, messages will be dropped silently in encrypted rooms
-  # If not set the server will provide a device ID after log in. Note that this ID 
+  # If not set the server will provide a device ID after log in. Note that this ID
  # will change each time the bot reconnects.
  # device_id: ABCDEFGHIJ
+
  # What to name the logged in device
  device_name: matrix-alertbot
+
  # List of rooms where the bot can interact
  allowed_rooms:
    - "!abcdefgh:matrix.example.com"
+
  # List of allowed reactions to create silences.
  # Default is listed here.
  allowed_reactions: [🤫, 😶, 🤐, 🙊, 🔇, 🔕]
@ -52,8 +64,10 @@ storage:

 template:
  # Path to directory that contains templates for rendering alerts.
-  # The directory must contains the files "alert.html.j2" and "alert.txt.j2" and must respect Jinja2 templating format.
-  # Default is to use templates provided by the matrix_alertbot package. These templates are available in "matrix_alertbot/resources/templates".
+  # The directory must contains the files "alert.html.j2" and "alert.txt.j2" 
+  # and must respect Jinja2 templating format.
+  # Default is to use templates provided by the matrix_alertbot package. 
+  # These templates are available in "matrix_alertbot/resources/templates".
  path: "data/templates"

 # Logging setup
--- a/matrix_alertbot/callback.py
+++ b/matrix_alertbot/callback.py
@ -5,6 +5,10 @@ from nio import (
    AsyncClient,
    InviteMemberEvent,
    JoinError,
+    KeyVerificationCancel,
+    KeyVerificationKey,
+    KeyVerificationMac,
+    KeyVerificationStart,
    LocalProtocolError,
    MatrixRoom,
    MegolmEvent,
@ -12,6 +16,7 @@ from nio import (
    RoomGetEventError,
    RoomMessageText,
    SendRetryError,
+    ToDeviceError,
    UnknownEvent,
 )

@ -262,6 +267,96 @@ class Callbacks:
            f"commands a second time)."
        )

+    async def key_verification_start(self, event: KeyVerificationStart):
+        """Callback for when somebody wants to verify our devices."""
+        if "emoji" not in event.short_authentication_string:
+            logger.error(
+                f"Unable to use emoji verification with {event.sender} on device {event.from_device}."
+            )
+            return
+
+        event_response = await self.matrix_client.accept_key_verification(
+            event.transaction_id
+        )
+        if isinstance(event_response, ToDeviceError):
+            logger.error(
+                f"Unable to start key verification with {event.sender} on device {event.from_device}, got error: {event_response}."
+            )
+            return
+
+        sas = self.matrix_client.key_verifications[event.transaction_id]
+
+        todevice_msg = sas.share_key()
+        event_response = await self.matrix_client.to_device(todevice_msg)
+        if isinstance(event_response, ToDeviceError):
+            logger.error(
+                f"Unable to share key with {event.sender} on device {event.from_device}, got error: {event_response}."
+            )
+            return
+
+    async def key_verification_cancel(self, event: KeyVerificationCancel):
+        # There is no need to issue a
+        # client.cancel_key_verification(tx_id, reject=False)
+        # here. The SAS flow is already cancelled.
+        # We only need to inform the user.
+        logger.info(
+            f"Verification has been cancelled by {event.sender} for reason: {event.reason}."
+        )
+
+    async def key_verification_accept(self, event: KeyVerificationKey):
+        sas = self.matrix_client.key_verifications[event.transaction_id]
+        emoji_list = sas.get_emoji()
+        emoji_txt = emoji_list.join(" ")
+
+        logger.info(
+            f"Received request to verify emojis from {event.sender}: {emoji_txt}"
+        )
+
+        event_response = await self.matrix_client.confirm_short_auth_string(
+            event.transaction_id
+        )
+        if isinstance(event_response, ToDeviceError):
+            logger.error(
+                f"Unable to confirm emoji verification with {event.sender}, got error: {event_response}."
+            )
+
+        # FIXME: We should allow manual cancel or reject
+        # event_response = await self.matrix_client.cancel_key_verification(
+        #     event.transaction_id, reject=True
+        # )
+        # if isinstance(event_response, ToDeviceError):
+        #     logger.error(
+        #         f"Unable to reject emoji verification with {event.sender}, got error: {event_response}."
+        #     )
+        #
+        # event_response = await self.matrix_client.cancel_key_verification(
+        #     event.transaction_id, reject=False
+        # )
+        # if isinstance(event_response, ToDeviceError):
+        #     logger.error(
+        #         f"Unable to cancel emoji verification with {event.sender}, got error: {event_response}."
+        #     )
+
+    async def key_verification_end(self, event: KeyVerificationMac):
+        sas = self.matrix_client.key_verifications[event.transaction_id]
+        try:
+            todevice_msg = sas.get_mac()
+        except LocalProtocolError as e:
+            # e.g. it might have been cancelled by ourselves
+            logger.warn(f"Unable to conclude verification with {event.sender}: {e}.")
+            return
+
+        event_response = await self.matrix_client.to_device(todevice_msg)
+        if isinstance(event_response, ToDeviceError):
+            logger.error(
+                f"Unable to conclude verification with {event.sender}, got error: {event_response}."
+            )
+            return
+
+        logger.info(
+            f"Successfully verified devices from {event.sender}: {sas.verified_devices.join(' ')}"
+        )
+
    async def unknown(self, room: MatrixRoom, event: UnknownEvent) -> None:
        """Callback for when an event with a type that is unknown to matrix-nio is received.
        Currently this is used for reaction events, which are not yet part of a released
--- a/matrix_alertbot/config.py
+++ b/matrix_alertbot/config.py
@ -107,6 +107,9 @@ class Config:
        self.device_name: str = self._get_cfg(
            ["matrix", "device_name"], default="matrix-alertbot"
        )
+        self.user_token_file: str = self._get_cfg(
+            ["matrix", "user_token_file"], default="token.json"
+        )
        self.homeserver_url: str = self._get_cfg(["matrix", "url"], required=True)
        self.allowed_rooms: list = self._get_cfg(
            ["matrix", "allowed_rooms"], required=True
--- a/matrix_alertbot/main.py
+++ b/matrix_alertbot/main.py
@ -1,6 +1,8 @@
 #!/usr/bin/env python3
 import asyncio
+import json
 import logging
+import os
 import sys
 from asyncio import TimeoutError

@ -10,6 +12,10 @@ from nio import (
    AsyncClient,
    AsyncClientConfig,
    InviteMemberEvent,
+    KeyVerificationCancel,
+    KeyVerificationKey,
+    KeyVerificationMac,
+    KeyVerificationStart,
    LocalProtocolError,
    LoginError,
    MegolmEvent,
@ -44,7 +50,14 @@ def create_matrix_client(config: Config) -> AsyncClient:
            encryption_enabled=False,
        )

-    # Initialize the matrix client
+    # Load credentials from a previous session
+    if os.path.exists(config.user_token_file):
+        with open(config.user_token_file, "r") as ifd:
+            credentials = json.load(ifd)
+            config.user_token = credentials["access_token"]
+            config.device_id = credentials["device_id"]
+
+    # Initialize the matrix client based on stored credentials
    matrix_client = AsyncClient(
        config.homeserver_url,
        config.user_id,
@ -53,10 +66,6 @@ def create_matrix_client(config: Config) -> AsyncClient:
        config=matrix_client_config,
    )

-    if config.user_token:
-        matrix_client.access_token = config.user_token
-        matrix_client.user_id = config.user_id
-
    return matrix_client


@ -66,9 +75,12 @@ async def start_matrix_client(
    # Keep trying to reconnect on failure (with some time in-between)
    while True:
        try:
-            if config.user_token:
-                # Use token to log in
-                matrix_client.load_store()
+            if config.device_id and config.user_token:
+                matrix_client.restore_login(
+                    user_id=config.user_id,
+                    device_id=config.device_id,
+                    access_token=config.user_token,
+                )

                # Sync encryption keys with the server
                if matrix_client.should_upload_keys:
@ -96,6 +108,16 @@ async def start_matrix_client(
                    )
                    return False

+                # Save user's access token and device ID
+                with open(config.user_token_file, "w") as ofd:
+                    json.dump(
+                        {
+                            "device_id": login_response.device_id,
+                            "access_token": login_response.access_token,
+                        },
+                        ofd,
+                    )
+
                # Login succeeded!

            logger.info(f"Logged in as {config.user_id}")
@ -139,7 +161,18 @@ def main() -> None:
    matrix_client.add_event_callback(callbacks.decryption_failure, (MegolmEvent,))
    matrix_client.add_event_callback(callbacks.unknown, (UnknownEvent,))
    matrix_client.add_event_callback(callbacks.redaction, (RedactionEvent,))
-
+    matrix_client.add_to_device_callback(
+        callbacks.key_verification_start, (KeyVerificationStart,)
+    )
+    matrix_client.add_to_device_callback(
+        callbacks.key_verification_cancel, (KeyVerificationCancel,)
+    )
+    matrix_client.add_to_device_callback(
+        callbacks.key_verification_accept, (KeyVerificationKey,)
+    )
+    matrix_client.add_to_device_callback(
+        callbacks.key_verification_end, (KeyVerificationMac,)
+    )
    # Configure webhook server
    webhook_server = Webhook(matrix_client, alertmanager_client, cache, config)

--- a/tests/resources/config/config.full.yml
+++ b/tests/resources/config/config.full.yml
@ -9,25 +9,44 @@ command_prefix: "!alert"
 matrix:
  # The Matrix User ID of the bot account
  user_id: "@fakes_user:matrix.example.com"
+
  # Matrix account password (optional if access token used)
  user_password: "password"
+
  # Matrix account access token (optional if password used)
+  # If not set, the server will provide an access token after log in,
+  # which will be stored in the user token file (see below)
  #user_token: ""
+
+  # Path to the file where to store the user access token
+  user_token_file: "token.json"
+
  # The URL of the homeserver to connect to
  url: https://matrix.example.com
+
  # The device ID that is **non pre-existing** device
  # If this device ID already exists, messages will be dropped silently in encrypted rooms
+  # If not set the server will provide a device ID after log in. Note that this ID
+  # will change each time the bot reconnects.
  device_id: ABCDEFGHIJ
+
  # What to name the logged in device
  device_name: fake_device_name
+
+  # List of rooms where the bot can interact
  allowed_rooms:
    - "!abcdefgh:matrix.example.com"
+
+  # List of allowed reactions to create silences.
  allowed_reactions: [🤫, 😶, 🤐]

 webhook:
+  # Path to the socket for which the bot should listen to.
+  # This is mutually exclusive with webhook.address option.
  socket: matrix-alertbot.socket

 alertmanager:
+  # Url to Alertmanager server
  url: http://localhost:9093

 cache:
@ -40,6 +59,9 @@ storage:
  path: "data/store"

 template:
+  # Path to directory that contains templates for rendering alerts.
+  # The directory must contains the files "alert.html.j2" and "alert.txt.j2"
+  # and must respect Jinja2 templating format.
  path: "data/templates"

 # Logging setup
--- a/tests/resources/config/config.minimal.yml
+++ b/tests/resources/config/config.minimal.yml
@ -6,20 +6,24 @@
 matrix:
  # The Matrix User ID of the bot account
  user_id: "@fakes_user:matrix.example.com"
+
  # Matrix account password (optional if access token used)
  user_password: "password"
-  # Matrix account access token (optional if password used)
-  #user_token: ""
+
  # The URL of the homeserver to connect to
  url: https://matrix.example.com
+
+  # List of rooms where the bot can interact
  allowed_rooms:
    - "!abcdefgh:matrix.example.com"

 webhook:
+  # Address and port for which the bot should listen to
  address: 0.0.0.0
  port: 8080

 alertmanager:
+  # Url to Alertmanager server
  url: http://localhost:9093

 cache:
--- a/tests/test_config.py
+++ b/tests/test_config.py
@ -95,6 +95,7 @@ class ConfigTestCase(unittest.TestCase):
        self.assertEqual("@fakes_user:matrix.example.com", config.user_id)
        self.assertEqual("password", config.user_password)
        self.assertIsNone(config.user_token)
+        self.assertEqual("token.json", config.user_token_file)
        self.assertEqual("ABCDEFGHIJ", config.device_id)
        self.assertEqual("fake_device_name", config.device_name)
        self.assertEqual("https://matrix.example.com", config.homeserver_url)