Add Vaccount auth flow to current arhitecture

- login with owner key `VA`
- login with operational `VA`
- login with ephemeral `VA`

Fixed:
- Bug with display name table row

Author: Alladin9393

synapse/api/constants.py

@@ -26,6 +26,7 @@
 
 # the maximum length for a user id is 255 characters
 MAX_USERID_LENGTH = 255
+USERID_BYTES_LENGTH = 20
 
 # The maximum length for a group id is 255 characters
 MAX_GROUPID_LENGTH = 255

synapse/handlers/register.py

@@ -21,7 +21,7 @@
 from prometheus_client import Counter
 
 from synapse import types
-from synapse.api.constants import MAX_USERID_LENGTH, EventTypes, JoinRules, LoginType
+from synapse.api.constants import EventTypes, JoinRules, LoginType
 from synapse.api.errors import AuthError, Codes, ConsentNotGivenError, SynapseError
 from synapse.appservice import ApplicationService
 from synapse.config.server import is_threepid_reserved
@@ -33,7 +33,7 @@
 )
 from synapse.spam_checker_api import RegistrationBehaviour
 from synapse.storage.state import StateFilter
-from synapse.types import RoomAlias, UserID, create_requester
+from synapse.types import RoomAlias, UserID, create_requester, is_valid_mxid_len
 
 from ._base import BaseHandler
 
@@ -96,10 +96,15 @@ async def check_username(
         if types.contains_invalid_mxid_characters(localpart):
             raise SynapseError(
                 400,
-                "User ID can only contain characters a-z, 0-9, or '=_-./'",
+                "User ID can only contain hexdigits",
                 Codes.INVALID_USERNAME,
             )
 
+        if not is_valid_mxid_len(localpart):
+            raise SynapseError(
+                400, "User ID length must be 20 bytes", Codes.INVALID_USERNAME
+            )
+
         if not localpart:
             raise SynapseError(400, "User ID cannot be empty", Codes.INVALID_USERNAME)
 
@@ -122,13 +127,6 @@ async def check_username(
 
         self.check_user_id_not_appservice_exclusive(user_id)
 
-        if len(user_id) > MAX_USERID_LENGTH:
-            raise SynapseError(
-                400,
-                "User ID may not be longer than %s characters" % (MAX_USERID_LENGTH,),
-                Codes.INVALID_USERNAME,
-            )
-
         users = await self.store.get_users_by_id_case_insensitive(user_id)
         if users:
             if not guest_access_token:

synapse/handlers/vaccount_auth/__init__.py

@@ -0,0 +1,11 @@
+"""Top-level module `Vaccount` auth Provider for `synapse`.
+This module provider login/registration based on signature by private key associated
+with `Vaccount` stored on `VelasChain` or ephemeral.
+"""
+
+__version__ = "0.1.0"
+__version_info__ = tuple(
+    int(i) for i in __version__.split(".") if i.isdigit()
+)
+
+from synapse.handlers.vaccount_auth.auth_provider import VaccountAuthProvider

synapse/handlers/vaccount_auth/auth_provider.py

@@ -0,0 +1,256 @@
+# -*- coding: utf-8 -*-
+#
+# Shared Secret Authenticator module for Matrix Synapse
+# Copyright (C) 2018 Slavi Pantaleev
+#
+# http://devture.com/
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+#
+from base58 import b58decode
+from unpaddedbase64 import encode_base64
+from hashlib import sha256
+
+from twisted.internet import defer
+from solana.publickey import PublicKey
+from nacl.signing import VerifyKey
+from nacl.exceptions import BadSignatureError
+
+import logging
+
+from synapse.handlers.vaccount_auth.constants import SIGN_TIMESTAMP_TOLERANCE, OPERATIONAL_STATE
+from synapse.handlers.vaccount_auth.utils import VaccountInfo, get_vaccount_evm_address
+from synapse.api.errors import HttpResponseException
+from synapse.handlers.vaccount_auth.utils import is_valid_vaccount_address
+from synapse.module_api import ModuleApi
+from synapse.storage import Databases, DataStore
+
+logger = logging.getLogger(__name__)
+
+
+class VaccountAuthProvider:
+    """
+    Provide a login/registration by Vaccount flow.
+    """
+
+    def __init__(self, config, account_handler: ModuleApi):
+        self.account_handler = account_handler
+        self.store: DataStore = account_handler._hs.get_datastore()
+        self.last_tonce = int(account_handler._hs.get_clock().time())
+
+    @staticmethod
+    def get_supported_login_types():
+        supported_login_types = {
+            'm.login.vaccount': (
+                'vaccount_address',
+                'signature',
+                'signer',
+                'signed_timestamp',
+                'signer_type',
+            )
+        }
+
+        return supported_login_types
+
+    async def check_auth(self, evm_vaccount_address, login_type, login_dict):
+        """Attempt to authenticate a user by Vaccount flow and register an account if none exists.
+
+        Args:
+            evm_vaccount_address: ethereum based interpretation of the Vaccount address
+            login_type: type of authentication
+            login_dict: authentication parameters `supported_login_types
+
+        Returns:
+            Canonical user ID if authentication was successful
+        """
+        vaccount_address = login_dict.get('vaccount_address')
+        signature = login_dict.get('signature')
+        signer_key = login_dict.get('signer')
+        signer_type = login_dict.get('signer_type')
+        signed_timestamp = int(login_dict.get('signed_timestamp'))
+        display_name = login_dict.get('displayname')
+
+        if not signature or not signer_key or not signed_timestamp or not vaccount_address or not signer_type:
+            return False
+
+        if not self._is_valid_sign_timestamp(signed_timestamp):
+            return False
+
+        if evm_vaccount_address.startswith("@") and ":" in evm_vaccount_address:
+            # username is of the form @V4Bw2..:bar.com
+            evm_vaccount_address = evm_vaccount_address.split(":", 1)[0][1:]
+        
+        # if evm_vaccount_address.startswith("0x"):
+        #     evm_vaccount_address = evm_vaccount_address[2:]
+
+        msg = f'{vaccount_address}*{signed_timestamp}'
+        signed_msg = sha256(msg.encode()).digest()
+
+        is_valid_signature = self._is_valid_signature(
+            signature=bytes.fromhex(signature),
+            signer_key=signer_key,
+            signed_msg=signed_msg
+        )
+
+        is_active_vaccount = await self._is_active_vaccount(
+            vaccount_address=PublicKey(vaccount_address),
+            signer=PublicKey(signer_key),
+            signer_type=signer_type,
+        )
+
+        expected_evm_address = get_vaccount_evm_address(PublicKey(vaccount_address))
+        is_valid_evm_address = expected_evm_address == evm_vaccount_address
+
+        if not is_valid_signature or not is_active_vaccount or not is_valid_evm_address:
+            return False
+
+        user_id = self.account_handler.get_qualified_user_id(username=evm_vaccount_address)
+
+        if await self.account_handler.check_user_exists(user_id):
+            return user_id
+
+        else:
+            user_id = await self.register_user(
+                localpart=evm_vaccount_address,
+                displayname=display_name,
+            )
+
+        # signer_key = encode_base64(b58decode(signer_key))
+        # vaccount_signing_key = {
+        #     'keys': {
+        #         f'ed25519{signer_key}': signer_key,
+        #     },
+        # }
+
+        # await self.store.set_e2e_cross_signing_key(
+        #     user_id,
+        #     "vaccount",
+        #     vaccount_signing_key,
+        # )
+
+        # async with self.store._cross_signing_id_gen.get_next() as stream_id:
+        #     await self.store.db_pool.runInteraction(
+        #         "add_e2e_cross_signing_key",
+        #         self.store._set_e2e_cross_signing_key_txn,
+        #         user_id,
+        #         "vaccount",
+        #         vaccount_signing_key,
+        #         stream_id,
+        #     )
+        # await self.store.set_e2e_cross_signing_key(
+        #     user_id, "master", vaccount_signing_key
+        # )
+        self.last_tonce = signed_timestamp
+
+        return user_id
+
+    @staticmethod
+    def _is_valid_signature(signature, signer_key, signed_msg) -> bool:
+        signer_key = b58decode(signer_key)
+        try:
+            VerifyKey(signer_key).verify(signed_msg, signature)
+
+        except BadSignatureError as e:
+            logger.debug(f"Invalid signature provided for {signer_key}.")
+            return False
+
+        return True
+
+    def _is_valid_sign_timestamp(self, signed_timestamp: int):
+        """Check if signed timestamp is valid
+        Args:
+           signed_tonce: signed timestamp
+        Returns:
+            True if timestamp is greater than last signed timestamp
+        """
+        current_timestamp = int(self.account_handler._hs.get_clock().time())
+        ts_window = current_timestamp - signed_timestamp 
+        if signed_timestamp >= self.last_tonce and ts_window <= SIGN_TIMESTAMP_TOLERANCE:
+            return True
+
+        return False
+
+    async def register_user(self, localpart, displayname):
+        """Register a Synapse user, first checking if they exist.
+        Args:
+            localpart (str): Localpart of the user to register on this homeserver.
+            displayname (str): Full name of the user.
+        Returns:
+            user_id (str): User ID of the newly registered user.
+        """
+        # Get full user id from localpart
+        user_id = self.account_handler.get_qualified_user_id(localpart)
+
+        if await self.account_handler.check_user_exists(user_id):
+            # exists, authentication complete
+            return user_id
+
+        user_id = await self.account_handler.register_user(
+            localpart=localpart,
+            displayname=displayname,
+        )
+
+        logger.info(f"Registration was successful: {user_id}, timestamp: {self.last_tonce}")
+        return user_id
+
+    async def _is_active_vaccount(self, vaccount_address: PublicKey, signer: PublicKey, signer_type: str) -> bool:
+        """
+        """
+        vaccount_info = VaccountInfo(vaccount_address)
+
+        if vaccount_info.is_ephemeral():
+            return is_valid_vaccount_address(signer, vaccount_address)
+
+        if signer_type == 'owner' and signer in vaccount_info.owners:
+            return True
+
+        if signer_type == 'operational':
+            for operational in vaccount_info.operational_storage:
+
+                if operational.pubkey == signer and operational.state == OPERATIONAL_STATE.enum.Initialized():
+                    return True
+
+        return False
+
+    async def _get_parsed_account_info(self, account_address):
+        """
+        """
+        testnet = 'https://testnet.velas.com/rpc'
+        payload = {
+            "jsonrpc": "2.0",
+            "id": 1,
+            "method": "getAccountInfo",
+            'params': [
+                str(account_address),
+                {
+                    'encoding': 'jsonParsed'
+                }
+            ]
+        }
+        try:
+            account_data = await self.account_handler.http_client.post_json_get_json(
+                uri=testnet,
+                post_json=payload,
+            )
+        except HttpResponseException as e:
+            logger.info(f"HttpResponseException eeee*: {e}")
+            return None
+
+        account_data = account_data.get('result').get('value').get('data').get('parsed').get('info')
+
+        return account_data
+
+    @staticmethod
+    def parse_config(config):
+        return config

synapse/handlers/vaccount_auth/constants.py

@@ -0,0 +1,43 @@
+"""
+Provide implementation of the constants for vaccount auth provider.
+"""
+from solana.publickey import PublicKey
+from borsh_construct import (
+    Bool,
+    CStruct, 
+    Enum, 
+    U8,
+    U16,
+)
+
+VACCOUNT_PROGRAM_ID = PublicKey("VAcccHVjpknkW5N5R9sfRppQxYJrJYVV7QJGKchkQj5")
+VACCOUNT_SEED = b'vaccount'
+VELAS_RPC_URI = 'https://api.devnet.velas.com'
+BASE_OPERATIONAL_LEN = 134
+
+SIGN_TIMESTAMP_TOLERANCE = 120
+
+VACCOUNT_INFO = CStruct(
+    'version' / U8,
+    'owners' / U8[96],
+    'genesis_seed_key' / U8[32],
+    'operational_storage_nonce' / U16,
+    'token_storage_nonce' / U16,
+    'programs_storage_nonce' / U16
+)
+
+OPERATIONAL_STATE = Enum (
+    'Initialized',
+    'Frozen',
+    enum_name="OperationalState"
+)
+
+OPERATIONAL_INFO = CStruct(
+    'pubkey' / U8[32],
+    'state' / OPERATIONAL_STATE,
+    'agent_type' / U8[32],
+    'scopes' / U8[4],
+    'tokens_indices' / U8[32],
+    'external_programs_indices' / U8[32],
+    'is_master_key' / Bool,
+)

synapse/handlers/vaccount_auth/errors.py

@@ -0,0 +1,3 @@
+"""
+Provide implementation of the custom `Vaccount` errors.
+"""