Merge branch 'rav/fix_sighup' into matrix-org-hotfixes

CHANGES.md

@@ -1,3 +1,13 @@
+Synapse 1.22.1 (2020-10-30)
+===========================
+
+Bugfixes
+--------
+
+- Fix a bug where an appservice may not be forwarded events for a room it was recently invited to. Broke in v1.22.0. ([\#8676](https://github.com/matrix-org/synapse/issues/8676))
+- Fix `Object of type frozendict is not JSON serializable` exceptions when using third-party event rules. Broke in v1.22.0. ([\#8678](https://github.com/matrix-org/synapse/issues/8678))
+
+
 Synapse 1.22.0 (2020-10-27)
 ===========================
 

changelog.d/8635.doc

@@ -0,0 +1 @@
+Improve the sample configuration for single sign-on providers.

changelog.d/8676.bugfix

@@ -1 +0,0 @@
-Fix a bug where an appservice may not be forwarded events for a room it was recently invited to. Broken in v1.22.0.

changelog.d/8678.bugfix

@@ -1 +0,0 @@
-Fix `Object of type frozendict is not JSON serializable` exceptions when using third-party event rules.

changelog.d/8693.misc

@@ -0,0 +1 @@
+Add more type hints to the application services code.

changelog.d/8697.misc

@@ -0,0 +1 @@
+ Re-organize the structured logging code to separate the TCP transport handling from the JSON formatting.

debian/changelog

@@ -1,3 +1,9 @@
+matrix-synapse-py3 (1.22.1) stable; urgency=medium
+
+  * New synapse release 1.22.1.
+
+ -- Synapse Packaging team <packages@matrix.org>  Fri, 30 Oct 2020 15:25:37 +0000
+
 matrix-synapse-py3 (1.22.0) stable; urgency=medium
 
   * New synapse release 1.22.0.

docs/sample_config.yaml

@@ -1505,10 +1505,8 @@ trusted_key_servers:
 
 ## Single sign-on integration ##
 
-# Enable SAML2 for registration and login. Uses pysaml2.
+# The following settings can be used to make Synapse use a single sign-on
-#
+# provider for authentication, instead of its internal password database.
-# At least one of `sp_config` or `config_path` must be set in this section to
-# enable SAML login.
 #
 # You will probably also want to set the following options to `false` to
 # disable the regular login/registration flows:
@@ -1517,6 +1515,11 @@ trusted_key_servers:
 #
 # You will also want to investigate the settings under the "sso" configuration
 # section below.
+
+# Enable SAML2 for registration and login. Uses pysaml2.
+#
+# At least one of `sp_config` or `config_path` must be set in this section to
+# enable SAML login.
 #
 # Once SAML support is enabled, a metadata file will be exposed at
 # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
@@ -1532,35 +1535,37 @@ saml2_config:
   # so it is not normally necessary to specify them unless you need to
   # override them.
   #
-  #sp_config:
+  sp_config:
-  #  # point this to the IdP's metadata. You can use either a local file or
+    # Point this to the IdP's metadata. You must provide either a local
-  #  # (preferably) a URL.
+    # file via the `local` attribute or (preferably) a URL via the
+    # `remote` attribute.
+    #
     #metadata:
-  #    #local: ["saml2/idp.xml"]
+    #  local: ["saml2/idp.xml"]
     #  remote:
     #    - url: https://our_idp/metadata.xml
+
+    # By default, the user has to go to our login page first. If you'd like
+    # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
+    # 'service.sp' section:
     #
-  #  # By default, the user has to go to our login page first. If you'd like
+    #service:
-  #  # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
+    #  sp:
-  #  # 'service.sp' section:
+    #    allow_unsolicited: true
-  #  #
+
-  #  #service:
+    # The examples below are just used to generate our metadata xml, and you
-  #  #  sp:
+    # may well not need them, depending on your setup. Alternatively you
-  #  #    allow_unsolicited: true
+    # may need a whole lot more detail - see the pysaml2 docs!
-  #
+
-  #  # The examples below are just used to generate our metadata xml, and you
-  #  # may well not need them, depending on your setup. Alternatively you
-  #  # may need a whole lot more detail - see the pysaml2 docs!
-  #
     #description: ["My awesome SP", "en"]
     #name: ["Test SP", "en"]
-  #
+
     #organization:
     #  name: Example com
     #  display_name:
     #    - ["Example co", "en"]
     #  url: "http://example.com"
-  #
+
     #contact_person:
     #  - given_name: Bob
     #    sur_name: "the Sysadmin"
@@ -1641,11 +1646,10 @@ saml2_config:
   #    value: "sales"
 
 
-# OpenID Connect integration. The following settings can be used to make Synapse
+# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login.
-# use an OpenID Connect Provider for authentication, instead of its internal
-# password database.
 #
-# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md.
+# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md
+# for some example configurations.
 #
 oidc_config:
   # Uncomment the following to enable authorization against an OpenID Connect
@@ -1778,15 +1782,37 @@ oidc_config:
 
 
 
-# Enable CAS for registration and login.
+# Enable Central Authentication Service (CAS) for registration and login.
+#
+cas_config:
+  # Uncomment the following to enable authorization against a CAS server.
+  # Defaults to false.
   #
-#cas_config:
   #enabled: true
+
+  # The URL of the CAS authorization endpoint.
+  #
   #server_url: "https://cas-server.com"
+
+  # The public URL of the homeserver.
+  #
   #service_url: "https://homeserver.domain.com:8448"
-#   #displayname_attribute: name
+
-#   #required_attributes:
+  # The attribute of the CAS response to use as the display name.
-#   #    name: value
+  #
+  # If unset, no displayname will be set.
+  #
+  #displayname_attribute: name
+
+  # It is possible to configure Synapse to only allow logins if CAS attributes
+  # match particular values. All of the keys in the mapping below must exist
+  # and the values must match the given value. Alternately if the given value
+  # is None then any value is allowed (the attribute just must exist).
+  # All of the listed attributes must match for the login to be permitted.
+  #
+  #required_attributes:
+  #  userGroup: "staff"
+  #  department: None
 
 
 # Additional settings to use with single-sign on systems such as OpenID Connect,

synapse/__init__.py

@@ -48,7 +48,7 @@ try:
 except ImportError:
     pass
 
-__version__ = "1.22.0"
+__version__ = "1.22.1"
 
 if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)):
     # We import here so that we don't have to install a bunch of deps when

synapse/app/_base.py

@@ -49,7 +49,6 @@ def register_sighup(func, *args, **kwargs):
 
     Args:
         func (function): Function to be called when sent a SIGHUP signal.
-            Will be called with a single default argument, the homeserver.
         *args, **kwargs: args and kwargs to be passed to the target function.
     """
     _sighup_callbacks.append((func, args, kwargs))
@@ -251,13 +250,13 @@ def start(hs: "synapse.server.HomeServer", listeners: Iterable[ListenerConfig]):
                 sdnotify(b"RELOADING=1")
 
                 for i, args, kwargs in _sighup_callbacks:
-                    i(hs, *args, **kwargs)
+                    i(*args, **kwargs)
 
                 sdnotify(b"READY=1")
 
             signal.signal(signal.SIGHUP, handle_sighup)
 
-            register_sighup(refresh_certificate)
+            register_sighup(refresh_certificate, hs)
 
         # Load the certificate from disk.
         refresh_certificate(hs)

synapse/config/cas.py

@@ -26,14 +26,14 @@ class CasConfig(Config):
 
     def read_config(self, config, **kwargs):
         cas_config = config.get("cas_config", None)
-        if cas_config:
+        self.cas_enabled = cas_config and cas_config.get("enabled", True)
-            self.cas_enabled = cas_config.get("enabled", True)
+
+        if self.cas_enabled:
             self.cas_server_url = cas_config["server_url"]
             self.cas_service_url = cas_config["service_url"]
             self.cas_displayname_attribute = cas_config.get("displayname_attribute")
-            self.cas_required_attributes = cas_config.get("required_attributes", {})
+            self.cas_required_attributes = cas_config.get("required_attributes") or {}
         else:
-            self.cas_enabled = False
             self.cas_server_url = None
             self.cas_service_url = None
             self.cas_displayname_attribute = None
@@ -41,13 +41,35 @@ class CasConfig(Config):
 
     def generate_config_section(self, config_dir_path, server_name, **kwargs):
         return """
-        # Enable CAS for registration and login.
+        # Enable Central Authentication Service (CAS) for registration and login.
+        #
+        cas_config:
+          # Uncomment the following to enable authorization against a CAS server.
+          # Defaults to false.
           #
-        #cas_config:
           #enabled: true
+
+          # The URL of the CAS authorization endpoint.
+          #
           #server_url: "https://cas-server.com"
+
+          # The public URL of the homeserver.
+          #
           #service_url: "https://homeserver.domain.com:8448"
-        #   #displayname_attribute: name
+
-        #   #required_attributes:
+          # The attribute of the CAS response to use as the display name.
-        #   #    name: value
+          #
+          # If unset, no displayname will be set.
+          #
+          #displayname_attribute: name
+
+          # It is possible to configure Synapse to only allow logins if CAS attributes
+          # match particular values. All of the keys in the mapping below must exist
+          # and the values must match the given value. Alternately if the given value
+          # is None then any value is allowed (the attribute just must exist).
+          # All of the listed attributes must match for the login to be permitted.
+          #
+          #required_attributes:
+          #  userGroup: "staff"
+          #  department: None
         """

synapse/config/oidc_config.py

@@ -87,11 +87,10 @@ class OIDCConfig(Config):
 
     def generate_config_section(self, config_dir_path, server_name, **kwargs):
         return """\
-        # OpenID Connect integration. The following settings can be used to make Synapse
+        # Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login.
-        # use an OpenID Connect Provider for authentication, instead of its internal
-        # password database.
         #
-        # See https://github.com/matrix-org/synapse/blob/master/docs/openid.md.
+        # See https://github.com/matrix-org/synapse/blob/master/docs/openid.md
+        # for some example configurations.
         #
         oidc_config:
           # Uncomment the following to enable authorization against an OpenID Connect

synapse/config/saml2_config.py

@@ -216,10 +216,8 @@ class SAML2Config(Config):
         return """\
         ## Single sign-on integration ##
 
-        # Enable SAML2 for registration and login. Uses pysaml2.
+        # The following settings can be used to make Synapse use a single sign-on
-        #
+        # provider for authentication, instead of its internal password database.
-        # At least one of `sp_config` or `config_path` must be set in this section to
-        # enable SAML login.
         #
         # You will probably also want to set the following options to `false` to
         # disable the regular login/registration flows:
@@ -228,6 +226,11 @@ class SAML2Config(Config):
         #
         # You will also want to investigate the settings under the "sso" configuration
         # section below.
+
+        # Enable SAML2 for registration and login. Uses pysaml2.
+        #
+        # At least one of `sp_config` or `config_path` must be set in this section to
+        # enable SAML login.
         #
         # Once SAML support is enabled, a metadata file will be exposed at
         # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
@@ -243,35 +246,37 @@ class SAML2Config(Config):
           # so it is not normally necessary to specify them unless you need to
           # override them.
           #
-          #sp_config:
+          sp_config:
-          #  # point this to the IdP's metadata. You can use either a local file or
+            # Point this to the IdP's metadata. You must provide either a local
-          #  # (preferably) a URL.
+            # file via the `local` attribute or (preferably) a URL via the
+            # `remote` attribute.
+            #
             #metadata:
-          #    #local: ["saml2/idp.xml"]
+            #  local: ["saml2/idp.xml"]
             #  remote:
             #    - url: https://our_idp/metadata.xml
+
+            # By default, the user has to go to our login page first. If you'd like
+            # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
+            # 'service.sp' section:
             #
-          #  # By default, the user has to go to our login page first. If you'd like
+            #service:
-          #  # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
+            #  sp:
-          #  # 'service.sp' section:
+            #    allow_unsolicited: true
-          #  #
+
-          #  #service:
+            # The examples below are just used to generate our metadata xml, and you
-          #  #  sp:
+            # may well not need them, depending on your setup. Alternatively you
-          #  #    allow_unsolicited: true
+            # may need a whole lot more detail - see the pysaml2 docs!
-          #
+
-          #  # The examples below are just used to generate our metadata xml, and you
-          #  # may well not need them, depending on your setup. Alternatively you
-          #  # may need a whole lot more detail - see the pysaml2 docs!
-          #
             #description: ["My awesome SP", "en"]
             #name: ["Test SP", "en"]
-          #
+
             #organization:
             #  name: Example com
             #  display_name:
             #    - ["Example co", "en"]
             #  url: "http://example.com"
-          #
+
             #contact_person:
             #  - given_name: Bob
             #    sur_name: "the Sysadmin"

synapse/storage/databases/main/appservice.py

@@ -261,7 +261,7 @@ class ApplicationServiceTransactionWorkerStore(
             # has probably missed some events), so whine loudly but still continue,
             # since it shouldn't fail completion of the transaction.
             last_txn_id = self._get_last_txn(txn, service.id)
-            if (txn_id + 1) != txn_id:
+            if (last_txn_id + 1) != txn_id:
                 logger.error(
                     "appservice: Completing a transaction which has an ID > 1 from "
                     "the last ID sent to this AS. We've either dropped events or "