From 53ef4da8c243b0dab68937c36bc68a9366b6a366 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Fri, 25 Jan 2019 11:04:11 +0000 Subject: [PATCH 01/17] track unstable room v3 --- synapse/api/constants.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/synapse/api/constants.py b/synapse/api/constants.py index 46c4b4b9dc..c47346a4bf 100644 --- a/synapse/api/constants.py +++ b/synapse/api/constants.py @@ -104,6 +104,7 @@ class ThirdPartyEntityKind(object): class RoomVersions(object): V1 = "1" V2 = "2" + V3 = "3" VDH_TEST = "vdh-test-version" STATE_V2_TEST = "state-v2-test" @@ -118,6 +119,7 @@ KNOWN_ROOM_VERSIONS = { RoomVersions.V2, RoomVersions.VDH_TEST, RoomVersions.STATE_V2_TEST, + RoomVersions.V3, } ServerNoticeMsgType = "m.server_notice" From a3f0556beadff8590b690e09395bc14bd7a07a24 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Fri, 25 Jan 2019 11:15:41 +0000 Subject: [PATCH 02/17] towncrier --- changelog.d/4472.feature | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/4472.feature diff --git a/changelog.d/4472.feature b/changelog.d/4472.feature new file mode 100644 index 0000000000..b6b2125d06 --- /dev/null +++ b/changelog.d/4472.feature @@ -0,0 +1 @@ +Support room version capabilities in CS API (MSC1804) From 95f871fc0d4fce4bd792146ac397149d13f00484 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Fri, 25 Jan 2019 11:16:29 +0000 Subject: [PATCH 03/17] Support room version capabilities in CS API (MSC1804) --- synapse/rest/client/v2_alpha/capabilities.py | 49 +++++++++++++++++++ .../rest/client/v2_alpha/test_capabilities.py | 39 +++++++++++++++ 2 files changed, 88 insertions(+) create mode 100644 synapse/rest/client/v2_alpha/capabilities.py create mode 100644 tests/rest/client/v2_alpha/test_capabilities.py diff --git a/synapse/rest/client/v2_alpha/capabilities.py b/synapse/rest/client/v2_alpha/capabilities.py new file mode 100644 index 0000000000..d73153ccc7 --- /dev/null +++ b/synapse/rest/client/v2_alpha/capabilities.py @@ -0,0 +1,49 @@ +# -*- coding: utf-8 -*- +# Copyright 2019 New Vector +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from synapse.http.servlet import RestServlet + +from ._base import client_v2_patterns + + +class CapabilitiesRestServlet(RestServlet): + PATTERNS = client_v2_patterns("/capabilities$") + + def __init__(self, hs): + """ + Args: + hs (synapse.server.HomeServer): server + """ + super(CapabilitiesRestServlet, self).__init__() + self.hs = hs + + def on_GET(self, request): + return 200, { + "capabilities": { + "m.room_versions": { + "default": "1", + "available": { + "1": "stable", + "2": "stable", + "state-v2-test": "unstable", + "3": "unstable" + } + } + } + } + + +def register_servlets(hs, http_server): + CapabilitiesRestServlet(hs).register(http_server) diff --git a/tests/rest/client/v2_alpha/test_capabilities.py b/tests/rest/client/v2_alpha/test_capabilities.py new file mode 100644 index 0000000000..1a0ed8d12f --- /dev/null +++ b/tests/rest/client/v2_alpha/test_capabilities.py @@ -0,0 +1,39 @@ +# -*- coding: utf-8 -*- +# Copyright 2019 New Vector Ltd +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from synapse.api.constants import DEFAULT_ROOM_VERSION, KNOWN_ROOM_VERSIONS +from synapse.rest.client.v2_alpha.capabilities import register_servlets + +from tests import unittest + + +class CapabilitiesTestCase(unittest.HomeserverTestCase): + servlets = [register_servlets] + + def make_homeserver(self, reactor, clock): + self.url = b"/_matrix/client/r0/capabilities" + hs = self.setup_test_homeserver() + return hs + + def test_get_room_version_capabilities(self): + request, channel = self.make_request("GET", self.url) + self.render(request) + capabilities = channel.json_body['capabilities'] + self.assertEqual(channel.code, 200) + for room_version in capabilities['m.room_versions']['available'].keys(): + self.assertTrue(room_version in KNOWN_ROOM_VERSIONS, "" + room_version) + self.assertEqual( + DEFAULT_ROOM_VERSION, capabilities['m.room_versions']['default'] + ) From 893107be78b93699cd96d0e025ee6610bcff9c5a Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Fri, 25 Jan 2019 17:27:36 +0000 Subject: [PATCH 04/17] backout v3 --- synapse/api/constants.py | 1 - synapse/rest/client/v2_alpha/capabilities.py | 1 - 2 files changed, 2 deletions(-) diff --git a/synapse/api/constants.py b/synapse/api/constants.py index c47346a4bf..1112618329 100644 --- a/synapse/api/constants.py +++ b/synapse/api/constants.py @@ -119,7 +119,6 @@ KNOWN_ROOM_VERSIONS = { RoomVersions.V2, RoomVersions.VDH_TEST, RoomVersions.STATE_V2_TEST, - RoomVersions.V3, } ServerNoticeMsgType = "m.server_notice" diff --git a/synapse/rest/client/v2_alpha/capabilities.py b/synapse/rest/client/v2_alpha/capabilities.py index d73153ccc7..61319a7a2e 100644 --- a/synapse/rest/client/v2_alpha/capabilities.py +++ b/synapse/rest/client/v2_alpha/capabilities.py @@ -38,7 +38,6 @@ class CapabilitiesRestServlet(RestServlet): "1": "stable", "2": "stable", "state-v2-test": "unstable", - "3": "unstable" } } } From 327b992e17dee1ced66d0b1a38bedce42f43aadf Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Tue, 29 Jan 2019 10:28:35 +0000 Subject: [PATCH 05/17] register capabilities servlet --- synapse/rest/__init__.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/synapse/rest/__init__.py b/synapse/rest/__init__.py index 66585c991f..91f5247d52 100644 --- a/synapse/rest/__init__.py +++ b/synapse/rest/__init__.py @@ -34,6 +34,7 @@ from synapse.rest.client.v2_alpha import ( account, account_data, auth, + capabilities, devices, filter, groups, @@ -107,3 +108,4 @@ class ClientRestResource(JsonResource): user_directory.register_servlets(hs, client_resource) groups.register_servlets(hs, client_resource) room_upgrade_rest_servlet.register_servlets(hs, client_resource) + capabilities.register_servlets(hs, client_resource) From a124025dab9f64b72cac0ae42c2e0a78f58f301f Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Tue, 29 Jan 2019 11:37:56 +0000 Subject: [PATCH 06/17] enforce auth for capabilities endpoint --- synapse/rest/client/v2_alpha/capabilities.py | 27 ++++++++++++------- .../rest/client/v2_alpha/test_capabilities.py | 23 +++++++++++++--- 2 files changed, 36 insertions(+), 14 deletions(-) diff --git a/synapse/rest/client/v2_alpha/capabilities.py b/synapse/rest/client/v2_alpha/capabilities.py index 61319a7a2e..767e6c9798 100644 --- a/synapse/rest/client/v2_alpha/capabilities.py +++ b/synapse/rest/client/v2_alpha/capabilities.py @@ -12,6 +12,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +from twisted.internet import defer from synapse.http.servlet import RestServlet @@ -28,20 +29,26 @@ class CapabilitiesRestServlet(RestServlet): """ super(CapabilitiesRestServlet, self).__init__() self.hs = hs + self.auth = hs.get_auth() + @defer.inlineCallbacks def on_GET(self, request): - return 200, { - "capabilities": { - "m.room_versions": { - "default": "1", - "available": { - "1": "stable", - "2": "stable", - "state-v2-test": "unstable", + + yield self.auth.get_user_by_req(request, allow_guest=True) + defer.returnValue( + (200, { + "capabilities": { + "m.room_versions": { + "default": "1", + "available": { + "1": "stable", + "2": "stable", + "state-v2-test": "unstable", + } } } - } - } + }) + ) def register_servlets(hs, http_server): diff --git a/tests/rest/client/v2_alpha/test_capabilities.py b/tests/rest/client/v2_alpha/test_capabilities.py index 1a0ed8d12f..f9f80c8969 100644 --- a/tests/rest/client/v2_alpha/test_capabilities.py +++ b/tests/rest/client/v2_alpha/test_capabilities.py @@ -14,23 +14,38 @@ # limitations under the License. from synapse.api.constants import DEFAULT_ROOM_VERSION, KNOWN_ROOM_VERSIONS -from synapse.rest.client.v2_alpha.capabilities import register_servlets - +from synapse.rest.client.v2_alpha import capabilities +from synapse.rest.client.v1 import login, admin from tests import unittest class CapabilitiesTestCase(unittest.HomeserverTestCase): - servlets = [register_servlets] + + servlets = [ + admin.register_servlets, + capabilities.register_servlets, + login.register_servlets, + ] def make_homeserver(self, reactor, clock): self.url = b"/_matrix/client/r0/capabilities" hs = self.setup_test_homeserver() return hs - def test_get_room_version_capabilities(self): + def test_check_auth_required(self): request, channel = self.make_request("GET", self.url) self.render(request) + + self.assertEqual(channel.code, 401) + + def test_get_room_version_capabilities(self): + self.register_user("user", "pass") + access_token = self.login("user", "pass") + + request, channel = self.make_request("GET", self.url, access_token=access_token) + self.render(request) capabilities = channel.json_body['capabilities'] + self.assertEqual(channel.code, 200) for room_version in capabilities['m.room_versions']['available'].keys(): self.assertTrue(room_version in KNOWN_ROOM_VERSIONS, "" + room_version) From 4eeb2fb215eff17042021095e7fac73d449bdc13 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Tue, 29 Jan 2019 12:44:10 +0000 Subject: [PATCH 07/17] isort --- tests/rest/client/v2_alpha/test_capabilities.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/rest/client/v2_alpha/test_capabilities.py b/tests/rest/client/v2_alpha/test_capabilities.py index f9f80c8969..131a4af417 100644 --- a/tests/rest/client/v2_alpha/test_capabilities.py +++ b/tests/rest/client/v2_alpha/test_capabilities.py @@ -14,8 +14,9 @@ # limitations under the License. from synapse.api.constants import DEFAULT_ROOM_VERSION, KNOWN_ROOM_VERSIONS +from synapse.rest.client.v1 import admin, login from synapse.rest.client.v2_alpha import capabilities -from synapse.rest.client.v1 import login, admin + from tests import unittest From f03b3a7a3a33df190ec9473ffc5bc4be04c58ae8 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Tue, 29 Jan 2019 15:58:37 +0000 Subject: [PATCH 08/17] support change_password in capabilities end-point --- synapse/rest/client/v2_alpha/capabilities.py | 14 +++++++++-- .../rest/client/v2_alpha/test_capabilities.py | 23 +++++++++++++++++++ 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/synapse/rest/client/v2_alpha/capabilities.py b/synapse/rest/client/v2_alpha/capabilities.py index 767e6c9798..08df941b5f 100644 --- a/synapse/rest/client/v2_alpha/capabilities.py +++ b/synapse/rest/client/v2_alpha/capabilities.py @@ -12,14 +12,20 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +import logging + from twisted.internet import defer from synapse.http.servlet import RestServlet from ._base import client_v2_patterns +logger = logging.getLogger(__name__) + class CapabilitiesRestServlet(RestServlet): + """End point to expose the capabilities of the server.""" + PATTERNS = client_v2_patterns("/capabilities$") def __init__(self, hs): @@ -30,11 +36,14 @@ class CapabilitiesRestServlet(RestServlet): super(CapabilitiesRestServlet, self).__init__() self.hs = hs self.auth = hs.get_auth() + self.store = hs.get_datastore() @defer.inlineCallbacks def on_GET(self, request): + requester = yield self.auth.get_user_by_req(request, allow_guest=True) + user = yield self.store.get_user_by_id(requester.user.to_string()) + change_password = bool(user['password_hash']) - yield self.auth.get_user_by_req(request, allow_guest=True) defer.returnValue( (200, { "capabilities": { @@ -45,7 +54,8 @@ class CapabilitiesRestServlet(RestServlet): "2": "stable", "state-v2-test": "unstable", } - } + }, + "m.change_password": change_password, } }) ) diff --git a/tests/rest/client/v2_alpha/test_capabilities.py b/tests/rest/client/v2_alpha/test_capabilities.py index 131a4af417..62dbfa06b2 100644 --- a/tests/rest/client/v2_alpha/test_capabilities.py +++ b/tests/rest/client/v2_alpha/test_capabilities.py @@ -31,6 +31,7 @@ class CapabilitiesTestCase(unittest.HomeserverTestCase): def make_homeserver(self, reactor, clock): self.url = b"/_matrix/client/r0/capabilities" hs = self.setup_test_homeserver() + self.store = hs.get_datastore() return hs def test_check_auth_required(self): @@ -53,3 +54,25 @@ class CapabilitiesTestCase(unittest.HomeserverTestCase): self.assertEqual( DEFAULT_ROOM_VERSION, capabilities['m.room_versions']['default'] ) + + def test_get_change_password_capabilities(self): + localpart = "user" + password = "pass" + user = self.register_user(localpart, password) + access_token = self.login(user, password) + + request, channel = self.make_request("GET", self.url, access_token=access_token) + self.render(request) + capabilities = channel.json_body['capabilities'] + + self.assertEqual(channel.code, 200) + + # Test case where password is handled outside of Synapse + self.assertTrue(capabilities['m.change_password']) + self.get_success(self.store.user_set_password_hash(user, None)) + request, channel = self.make_request("GET", self.url, access_token=access_token) + self.render(request) + capabilities = channel.json_body['capabilities'] + + self.assertEqual(channel.code, 200) + self.assertFalse(capabilities['m.change_password']) From 19259d903c295d03ad1cda59f8b31f65aded231e Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Tue, 29 Jan 2019 16:01:46 +0000 Subject: [PATCH 09/17] update to reflect broadening scope --- changelog.d/4472.feature | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog.d/4472.feature b/changelog.d/4472.feature index b6b2125d06..3413c33d48 100644 --- a/changelog.d/4472.feature +++ b/changelog.d/4472.feature @@ -1 +1 @@ -Support room version capabilities in CS API (MSC1804) +Support exposing server capabilities in CS API (MSC1753, MSC1804) From e4bef9d470aa99cbb06b0a19fcafc5bd32008207 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Tue, 29 Jan 2019 18:04:56 +0000 Subject: [PATCH 10/17] rework format of change password capability --- synapse/rest/client/v2_alpha/capabilities.py | 4 +++- tests/rest/client/v2_alpha/test_capabilities.py | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/synapse/rest/client/v2_alpha/capabilities.py b/synapse/rest/client/v2_alpha/capabilities.py index 08df941b5f..756c2dbdec 100644 --- a/synapse/rest/client/v2_alpha/capabilities.py +++ b/synapse/rest/client/v2_alpha/capabilities.py @@ -55,7 +55,9 @@ class CapabilitiesRestServlet(RestServlet): "state-v2-test": "unstable", } }, - "m.change_password": change_password, + "m.change_password": { + "enabled": change_password, + }, } }) ) diff --git a/tests/rest/client/v2_alpha/test_capabilities.py b/tests/rest/client/v2_alpha/test_capabilities.py index 62dbfa06b2..d3d43970fb 100644 --- a/tests/rest/client/v2_alpha/test_capabilities.py +++ b/tests/rest/client/v2_alpha/test_capabilities.py @@ -68,11 +68,11 @@ class CapabilitiesTestCase(unittest.HomeserverTestCase): self.assertEqual(channel.code, 200) # Test case where password is handled outside of Synapse - self.assertTrue(capabilities['m.change_password']) + self.assertTrue(capabilities['m.change_password']['enabled']) self.get_success(self.store.user_set_password_hash(user, None)) request, channel = self.make_request("GET", self.url, access_token=access_token) self.render(request) capabilities = channel.json_body['capabilities'] self.assertEqual(channel.code, 200) - self.assertFalse(capabilities['m.change_password']) + self.assertFalse(capabilities['m.change_password']['enabled']) From c7837dce248a4a482cdd66caadd5fd5550d56e6f Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Wed, 30 Jan 2019 09:33:30 +0000 Subject: [PATCH 11/17] reflect that rooms v3 is a stable room version --- synapse/api/constants.py | 1 + synapse/rest/client/v2_alpha/capabilities.py | 1 + 2 files changed, 2 insertions(+) diff --git a/synapse/api/constants.py b/synapse/api/constants.py index 1112618329..c47346a4bf 100644 --- a/synapse/api/constants.py +++ b/synapse/api/constants.py @@ -119,6 +119,7 @@ KNOWN_ROOM_VERSIONS = { RoomVersions.V2, RoomVersions.VDH_TEST, RoomVersions.STATE_V2_TEST, + RoomVersions.V3, } ServerNoticeMsgType = "m.server_notice" diff --git a/synapse/rest/client/v2_alpha/capabilities.py b/synapse/rest/client/v2_alpha/capabilities.py index 756c2dbdec..3dad4e9542 100644 --- a/synapse/rest/client/v2_alpha/capabilities.py +++ b/synapse/rest/client/v2_alpha/capabilities.py @@ -53,6 +53,7 @@ class CapabilitiesRestServlet(RestServlet): "1": "stable", "2": "stable", "state-v2-test": "unstable", + "3": "stable", } }, "m.change_password": { From 2f4680405507aa421d7c32052b3cd522969c0b3a Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Wed, 30 Jan 2019 09:39:10 +0000 Subject: [PATCH 12/17] Populate default room version from Constants --- synapse/rest/client/v2_alpha/capabilities.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/synapse/rest/client/v2_alpha/capabilities.py b/synapse/rest/client/v2_alpha/capabilities.py index 3dad4e9542..21e79f9233 100644 --- a/synapse/rest/client/v2_alpha/capabilities.py +++ b/synapse/rest/client/v2_alpha/capabilities.py @@ -16,6 +16,7 @@ import logging from twisted.internet import defer +from synapse.api.constants import DEFAULT_ROOM_VERSION from synapse.http.servlet import RestServlet from ._base import client_v2_patterns @@ -48,7 +49,7 @@ class CapabilitiesRestServlet(RestServlet): (200, { "capabilities": { "m.room_versions": { - "default": "1", + "default": DEFAULT_ROOM_VERSION, "available": { "1": "stable", "2": "stable", From 9c850d9d5e83c91cfbc89f978d57ec55b982a1fc Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Wed, 30 Jan 2019 10:23:26 +0000 Subject: [PATCH 13/17] formatting and use constants where available --- synapse/rest/client/v2_alpha/capabilities.py | 36 +++++++++----------- 1 file changed, 17 insertions(+), 19 deletions(-) diff --git a/synapse/rest/client/v2_alpha/capabilities.py b/synapse/rest/client/v2_alpha/capabilities.py index 21e79f9233..de3cf2b072 100644 --- a/synapse/rest/client/v2_alpha/capabilities.py +++ b/synapse/rest/client/v2_alpha/capabilities.py @@ -16,7 +16,8 @@ import logging from twisted.internet import defer -from synapse.api.constants import DEFAULT_ROOM_VERSION +from synapse.api.constants import DEFAULT_ROOM_VERSION, RoomVersions, RoomDisposition + from synapse.http.servlet import RestServlet from ._base import client_v2_patterns @@ -43,26 +44,23 @@ class CapabilitiesRestServlet(RestServlet): def on_GET(self, request): requester = yield self.auth.get_user_by_req(request, allow_guest=True) user = yield self.store.get_user_by_id(requester.user.to_string()) - change_password = bool(user['password_hash']) + change_password = bool(user["password_hash"]) - defer.returnValue( - (200, { - "capabilities": { - "m.room_versions": { - "default": DEFAULT_ROOM_VERSION, - "available": { - "1": "stable", - "2": "stable", - "state-v2-test": "unstable", - "3": "stable", - } + response = { + "capabilities": { + "m.room_versions": { + "default": DEFAULT_ROOM_VERSION, + "available": { + RoomVersions.V1: RoomDisposition.STABLE, + RoomVersions.V2: RoomDisposition.STABLE, + RoomVersions.STATE_V2_TEST: RoomDisposition.UNSTABLE, + RoomVersions.V3: RoomDisposition.STABLE, }, - "m.change_password": { - "enabled": change_password, - }, - } - }) - ) + }, + "m.change_password": {"enabled": change_password}, + } + } + defer.returnValue((200, response)) def register_servlets(hs, http_server): From c5a0f82cca76a47c5c5ffb0b17a733829de15cb5 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Wed, 30 Jan 2019 10:24:24 +0000 Subject: [PATCH 14/17] define room dispositions for use in exposing room capabilities --- synapse/api/constants.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/synapse/api/constants.py b/synapse/api/constants.py index c47346a4bf..2c6417c65a 100644 --- a/synapse/api/constants.py +++ b/synapse/api/constants.py @@ -109,6 +109,11 @@ class RoomVersions(object): STATE_V2_TEST = "state-v2-test" +class RoomDisposition(object): + STABLE = "stable", + UNSTABLE = "unstable" + + # the version we will give rooms which are created on this server DEFAULT_ROOM_VERSION = RoomVersions.V1 From f834d9840239db1cb101ec717c250a9f616a3049 Mon Sep 17 00:00:00 2001 From: Neil Johnson Date: Wed, 30 Jan 2019 10:55:42 +0000 Subject: [PATCH 15/17] isort --- synapse/rest/client/v2_alpha/capabilities.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/synapse/rest/client/v2_alpha/capabilities.py b/synapse/rest/client/v2_alpha/capabilities.py index de3cf2b072..373f95126e 100644 --- a/synapse/rest/client/v2_alpha/capabilities.py +++ b/synapse/rest/client/v2_alpha/capabilities.py @@ -16,8 +16,7 @@ import logging from twisted.internet import defer -from synapse.api.constants import DEFAULT_ROOM_VERSION, RoomVersions, RoomDisposition - +from synapse.api.constants import DEFAULT_ROOM_VERSION, RoomDisposition, RoomVersions from synapse.http.servlet import RestServlet from ._base import client_v2_patterns From 7615a8ced1385460d73dca45fc6534a2fcb64227 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> Date: Wed, 30 Jan 2019 14:17:55 +0000 Subject: [PATCH 16/17] ACME config cleanups (#4525) * Handle listening for ACME requests on IPv6 addresses the weird url-but-not-actually-a-url-string doesn't handle IPv6 addresses without extra quoting. Building a string which you are about to parse again seems like a weird choice. Let's just use listenTCP, which is consistent with what we do elsewhere. * Clean up the default ACME config make it look a bit more consistent with everything else, and tweak the defaults to listen on port 80. * newsfile --- changelog.d/4525.feature | 1 + synapse/app/__init__.py | 25 +++++++++- synapse/app/_base.py | 22 +-------- synapse/config/tls.py | 100 +++++++++++++++++++++++++++++---------- synapse/handlers/acme.py | 27 ++++++----- 5 files changed, 115 insertions(+), 60 deletions(-) create mode 100644 changelog.d/4525.feature diff --git a/changelog.d/4525.feature b/changelog.d/4525.feature new file mode 100644 index 0000000000..c7f595cec2 --- /dev/null +++ b/changelog.d/4525.feature @@ -0,0 +1 @@ + Synapse can now automatically provision TLS certificates via ACME (the protocol used by CAs like Let's Encrypt). diff --git a/synapse/app/__init__.py b/synapse/app/__init__.py index b45adafdd3..f56f5fcc13 100644 --- a/synapse/app/__init__.py +++ b/synapse/app/__init__.py @@ -12,15 +12,38 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - +import logging import sys from synapse import python_dependencies # noqa: E402 sys.dont_write_bytecode = True +logger = logging.getLogger(__name__) + try: python_dependencies.check_requirements() except python_dependencies.DependencyException as e: sys.stderr.writelines(e.message) sys.exit(1) + + +def check_bind_error(e, address, bind_addresses): + """ + This method checks an exception occurred while binding on 0.0.0.0. + If :: is specified in the bind addresses a warning is shown. + The exception is still raised otherwise. + + Binding on both 0.0.0.0 and :: causes an exception on Linux and macOS + because :: binds on both IPv4 and IPv6 (as per RFC 3493). + When binding on 0.0.0.0 after :: this can safely be ignored. + + Args: + e (Exception): Exception that was caught. + address (str): Address on which binding was attempted. + bind_addresses (list): Addresses on which the service listens. + """ + if address == '0.0.0.0' and '::' in bind_addresses: + logger.warn('Failed to listen on 0.0.0.0, continuing because listening on [::]') + else: + raise e diff --git a/synapse/app/_base.py b/synapse/app/_base.py index 3840c663ab..5b97a54d45 100644 --- a/synapse/app/_base.py +++ b/synapse/app/_base.py @@ -22,6 +22,7 @@ from daemonize import Daemonize from twisted.internet import error, reactor +from synapse.app import check_bind_error from synapse.util import PreserveLoggingContext from synapse.util.rlimit import change_resource_limit @@ -188,24 +189,3 @@ def listen_ssl( logger.info("Synapse now listening on port %d (TLS)", port) return r - - -def check_bind_error(e, address, bind_addresses): - """ - This method checks an exception occurred while binding on 0.0.0.0. - If :: is specified in the bind addresses a warning is shown. - The exception is still raised otherwise. - - Binding on both 0.0.0.0 and :: causes an exception on Linux and macOS - because :: binds on both IPv4 and IPv6 (as per RFC 3493). - When binding on 0.0.0.0 after :: this can safely be ignored. - - Args: - e (Exception): Exception that was caught. - address (str): Address on which binding was attempted. - bind_addresses (list): Addresses on which the service listens. - """ - if address == '0.0.0.0' and '::' in bind_addresses: - logger.warn('Failed to listen on 0.0.0.0, continuing because listening on [::]') - else: - raise e diff --git a/synapse/config/tls.py b/synapse/config/tls.py index 734f612db7..5f63676d9c 100644 --- a/synapse/config/tls.py +++ b/synapse/config/tls.py @@ -31,13 +31,16 @@ logger = logging.getLogger() class TlsConfig(Config): def read_config(self, config): - acme_config = config.get("acme", {}) + acme_config = config.get("acme", None) + if acme_config is None: + acme_config = {} + self.acme_enabled = acme_config.get("enabled", False) self.acme_url = acme_config.get( "url", "https://acme-v01.api.letsencrypt.org/directory" ) - self.acme_port = acme_config.get("port", 8449) - self.acme_bind_addresses = acme_config.get("bind_addresses", ["127.0.0.1"]) + self.acme_port = acme_config.get("port", 80) + self.acme_bind_addresses = acme_config.get("bind_addresses", ['::', '0.0.0.0']) self.acme_reprovision_threshold = acme_config.get("reprovision_threshold", 30) self.tls_certificate_file = self.abspath(config.get("tls_certificate_path")) @@ -126,21 +129,80 @@ class TlsConfig(Config): tls_certificate_path = base_key_name + ".tls.crt" tls_private_key_path = base_key_name + ".tls.key" + # this is to avoid the max line length. Sorrynotsorry + proxypassline = ( + 'ProxyPass /.well-known/acme-challenge ' + 'http://localhost:8009/.well-known/acme-challenge' + ) + return ( """\ - # PEM encoded X509 certificate for TLS. - # This certificate, as of Synapse 1.0, will need to be a valid - # and verifiable certificate, with a root that is available in - # the root store of other servers you wish to federate to. Any - # required intermediary certificates can be appended after the - # primary certificate in hierarchical order. + # PEM-encoded X509 certificate for TLS. + # This certificate, as of Synapse 1.0, will need to be a valid and verifiable + # certificate, signed by a recognised Certificate Authority. + # + # See 'ACME support' below to enable auto-provisioning this certificate via + # Let's Encrypt. + # tls_certificate_path: "%(tls_certificate_path)s" - # PEM encoded private key for TLS + # PEM-encoded private key for TLS tls_private_key_path: "%(tls_private_key_path)s" - # Don't bind to the https port - no_tls: False + # ACME support: This will configure Synapse to request a valid TLS certificate + # for your configured `server_name` via Let's Encrypt. + # + # Note that provisioning a certificate in this way requires port 80 to be + # routed to Synapse so that it can complete the http-01 ACME challenge. + # By default, if you enable ACME support, Synapse will attempt to listen on + # port 80 for incoming http-01 challenges - however, this will likely fail + # with 'Permission denied' or a similar error. + # + # There are a couple of potential solutions to this: + # + # * If you already have an Apache, Nginx, or similar listening on port 80, + # you can configure Synapse to use an alternate port, and have your web + # server forward the requests. For example, assuming you set 'port: 8009' + # below, on Apache, you would write: + # + # %(proxypassline)s + # + # * Alternatively, you can use something like `authbind` to give Synapse + # permission to listen on port 80. + # + acme: + # ACME support is disabled by default. Uncomment the following line + # to enable it. + # + # enabled: true + + # Endpoint to use to request certificates. If you only want to test, + # use Let's Encrypt's staging url: + # https://acme-staging.api.letsencrypt.org/directory + # + # url: https://acme-v01.api.letsencrypt.org/directory + + # Port number to listen on for the HTTP-01 challenge. Change this if + # you are forwarding connections through Apache/Nginx/etc. + # + # port: 80 + + # Local addresses to listen on for incoming connections. + # Again, you may want to change this if you are forwarding connections + # through Apache/Nginx/etc. + # + # bind_addresses: ['::', '0.0.0.0'] + + # How many days remaining on a certificate before it is renewed. + # + # reprovision_threshold: 30 + + # If your server runs behind a reverse-proxy which terminates TLS connections + # (for both client and federation connections), it may be useful to disable + # All TLS support for incoming connections. Setting no_tls to False will + # do so (and avoid the need to give synapse a TLS private key). + # + # no_tls: False # List of allowed TLS fingerprints for this server to publish along # with the signing keys for this server. Other matrix servers that @@ -170,20 +232,6 @@ class TlsConfig(Config): tls_fingerprints: [] # tls_fingerprints: [{"sha256": ""}] - ## Support for ACME certificate auto-provisioning. - # acme: - # enabled: false - ## ACME path. - ## If you only want to test, use the staging url: - ## https://acme-staging.api.letsencrypt.org/directory - # url: 'https://acme-v01.api.letsencrypt.org/directory' - ## Port number (to listen for the HTTP-01 challenge). - ## Using port 80 requires utilising something like authbind, or proxying to it. - # port: 8449 - ## Hosts to bind to. - # bind_addresses: ['127.0.0.1'] - ## How many days remaining on a certificate before it is renewed. - # reprovision_threshold: 30 """ % locals() ) diff --git a/synapse/handlers/acme.py b/synapse/handlers/acme.py index 73ea7ed018..dd0b217965 100644 --- a/synapse/handlers/acme.py +++ b/synapse/handlers/acme.py @@ -18,13 +18,16 @@ import logging import attr from zope.interface import implementer +import twisted +import twisted.internet.error from twisted.internet import defer -from twisted.internet.endpoints import serverFromString from twisted.python.filepath import FilePath from twisted.python.url import URL from twisted.web import server, static from twisted.web.resource import Resource +from synapse.app import check_bind_error + logger = logging.getLogger(__name__) try: @@ -96,16 +99,19 @@ class AcmeHandler(object): srv = server.Site(responder_resource) - listeners = [] - - for host in self.hs.config.acme_bind_addresses: + bind_addresses = self.hs.config.acme_bind_addresses + for host in bind_addresses: logger.info( - "Listening for ACME requests on %s:%s", host, self.hs.config.acme_port + "Listening for ACME requests on %s:%i", host, self.hs.config.acme_port, ) - endpoint = serverFromString( - self.reactor, "tcp:%s:interface=%s" % (self.hs.config.acme_port, host) - ) - listeners.append(endpoint.listen(srv)) + try: + self.reactor.listenTCP( + self.hs.config.acme_port, + srv, + interface=host, + ) + except twisted.internet.error.CannotListenError as e: + check_bind_error(e, host, bind_addresses) # Make sure we are registered to the ACME server. There's no public API # for this, it is usually triggered by startService, but since we don't @@ -114,9 +120,6 @@ class AcmeHandler(object): self._issuer._registered = False yield self._issuer._ensure_registered() - # Return a Deferred that will fire when all the servers have started up. - yield defer.DeferredList(listeners, fireOnOneErrback=True, consumeErrors=True) - @defer.inlineCallbacks def provision_certificate(self): From a4f52a33fefc537eeb1829773f2dbdbdaa246d1f Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Wed, 30 Jan 2019 14:19:52 +0000 Subject: [PATCH 17/17] Fix replication for room v3 (#4523) * Fix replication for room v3 We were not correctly quoting the path fragments over http replication, which meant that it exploded when the event IDs had a slash in them * Newsfile --- changelog.d/4523.feature | 1 + synapse/replication/http/_base.py | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 changelog.d/4523.feature diff --git a/changelog.d/4523.feature b/changelog.d/4523.feature new file mode 100644 index 0000000000..9538c64f08 --- /dev/null +++ b/changelog.d/4523.feature @@ -0,0 +1 @@ +Add support for room version 3 diff --git a/synapse/replication/http/_base.py b/synapse/replication/http/_base.py index 5e5376cf58..e81456ab2b 100644 --- a/synapse/replication/http/_base.py +++ b/synapse/replication/http/_base.py @@ -127,7 +127,10 @@ class ReplicationEndpoint(object): def send_request(**kwargs): data = yield cls._serialize_payload(**kwargs) - url_args = [urllib.parse.quote(kwargs[name]) for name in cls.PATH_ARGS] + url_args = [ + urllib.parse.quote(kwargs[name], safe='') + for name in cls.PATH_ARGS + ] if cls.CACHE: txn_id = random_string(10)