File tree Expand file tree Collapse file tree 2 files changed +41
-1
lines changed
policies/authorization_grant Expand file tree Collapse file tree 2 files changed +41
-1
lines changed Original file line number Diff line number Diff line change @@ -98,6 +98,26 @@ uses_stable_scopes if {
9898 count ({scope | some scope in scope_list; startswith (scope, " urn:matrix:client:" > 0
9999}
100100
101+ has_device_scope if {
102+ scope_list := split (input.scope, " "
103+ count ({scope | some scope in scope_list; startswith (scope, " urn:matrix:client:device:" > 0
104+ }
105+
106+ has_device_scope if {
107+ scope_list := split (input.scope, " "
108+ count ({scope | some scope in scope_list; startswith (scope, " urn:matrix:org.matrix.msc2967.client:device:" > 0
109+ }
110+
111+ has_cs_api_scope if {
112+ scope_list := split (input.scope, " "
113+ count ({scope | some scope in scope_list; startswith (scope, " urn:matrix:client:api:" > 0
114+ }
115+
116+ has_cs_api_scope if {
117+ scope_list := split (input.scope, " "
118+ count ({scope | some scope in scope_list; startswith (scope, " urn:matrix:org.matrix.msc2967.client:api:" > 0
119+ }
120+
101121# METADATA
102122# entrypoint: true
103123violation contains {" msg" if {
@@ -116,6 +136,12 @@ violation contains {"msg": "only one device scope is allowed at a time"} if {
116136 count ({scope | some scope in scope_list; startswith (scope, " urn:matrix:client:device:" > 1
117137}
118138
139+ # Prevent the creation of C-S API devices for sessions that don't have C-S API access.
140+ violation contains {" msg" " device scopes are only allowed when the client-server API scope is requested" if {
141+ has_device_scope
142+ not has_cs_api_scope
143+ }
144+
119145violation contains {" msg" " request cannot mix unstable and stable scopes" if {
120146 uses_stable_scopes
121147 uses_unstable_scopes
Original file line number Diff line number Diff line change @@ -141,7 +141,21 @@ test_stable_device_scopes if {
141141 # Not authorization_grant.allowed for the client credentials grant
142142 not authorization_grant.allow with input.client as client
143143 with input.grant_type as " client_credentials"
144- with input.scope as " urn:matrix:client:device:AAbbCCdd01"
144+ with input.scope as " urn:matrix:client:api:* urn:matrix:client:device:AAbbCCdd01"
145+ }
146+
147+ test_device_scope_only_with_cs_api_scope if {
148+ not authorization_grant.allow with input.user as user
149+ with input.client as client
150+ with input.grant_type as " authorization_code"
151+ # Requested a device scope but no C-S API scope:
152+ with input.scope as " urn:matrix:client:device:AAbbCCdd01"
153+
154+ not authorization_grant.allow with input.user as user
155+ with input.client as client
156+ with input.grant_type as " authorization_code"
157+ # Requested a device scope but no C-S API scope:
158+ with input.scope as " urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01"
145159}
146160
147161test_mix_stable_and_unstable_scopes if {
You can’t perform that action at this time.
0 commit comments