Compare commits
4 Commits
2e826cd80c
...
b9930d24a0
Author | SHA1 | Date |
---|---|---|
Patrick Cloke | b9930d24a0 | |
Patrick Cloke | 468dcc767b | |
siroccal | 250f87d0de | |
Erik Johnston | dfa0782254 |
|
@ -1,3 +1,11 @@
|
||||||
|
Next version
|
||||||
|
============
|
||||||
|
|
||||||
|
* A new template (`sso_auth_confirm.html`) was added to Synapse. If your Synapse
|
||||||
|
is configured to use SSO and a custom `sso_redirect_confirm_template_dir`
|
||||||
|
configuration then this template will need to be duplicated into that
|
||||||
|
directory.
|
||||||
|
|
||||||
Synapse 1.12.0 (2020-03-23)
|
Synapse 1.12.0 (2020-03-23)
|
||||||
===========================
|
===========================
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
Support SSO in the user interactive authentication workflow.
|
|
@ -0,0 +1 @@
|
||||||
|
Update postgres docs with login troubleshooting information.
|
|
@ -0,0 +1 @@
|
||||||
|
Admin users are no longer required to be in a room to create an alias for it.
|
|
@ -0,0 +1 @@
|
||||||
|
Move catchup of replication streams logic to worker.
|
|
@ -61,7 +61,33 @@ Note that the PostgreSQL database *must* have the correct encoding set
|
||||||
|
|
||||||
You may need to enable password authentication so `synapse_user` can
|
You may need to enable password authentication so `synapse_user` can
|
||||||
connect to the database. See
|
connect to the database. See
|
||||||
<https://www.postgresql.org/docs/11/auth-pg-hba-conf.html>.
|
<https://www.postgresql.org/docs/current/auth-pg-hba-conf.html>.
|
||||||
|
|
||||||
|
If you get an error along the lines of `FATAL: Ident authentication failed for
|
||||||
|
user "synapse_user"`, you may need to use an authentication method other than
|
||||||
|
`ident`:
|
||||||
|
|
||||||
|
* If the `synapse_user` user has a password, add the password to the `database:`
|
||||||
|
section of `homeserver.yaml`. Then add the following to `pg_hba.conf`:
|
||||||
|
|
||||||
|
```
|
||||||
|
host synapse synapse_user ::1/128 md5 # or `scram-sha-256` instead of `md5` if you use that
|
||||||
|
```
|
||||||
|
|
||||||
|
* If the `synapse_user` user does not have a password, then a password doesn't
|
||||||
|
have to be added to `homeserver.yaml`. But the following does need to be added
|
||||||
|
to `pg_hba.conf`:
|
||||||
|
|
||||||
|
```
|
||||||
|
host synapse synapse_user ::1/128 trust
|
||||||
|
```
|
||||||
|
|
||||||
|
Note that line order matters in `pg_hba.conf`, so make sure that if you do add a
|
||||||
|
new line, it is inserted before:
|
||||||
|
|
||||||
|
```
|
||||||
|
host all all ::1/128 ident
|
||||||
|
```
|
||||||
|
|
||||||
### Fixing incorrect `COLLATE` or `CTYPE`
|
### Fixing incorrect `COLLATE` or `CTYPE`
|
||||||
|
|
||||||
|
|
|
@ -61,6 +61,7 @@ class LoginType(object):
|
||||||
MSISDN = "m.login.msisdn"
|
MSISDN = "m.login.msisdn"
|
||||||
RECAPTCHA = "m.login.recaptcha"
|
RECAPTCHA = "m.login.recaptcha"
|
||||||
TERMS = "m.login.terms"
|
TERMS = "m.login.terms"
|
||||||
|
SSO = "org.matrix.login.sso"
|
||||||
DUMMY = "m.login.dummy"
|
DUMMY = "m.login.dummy"
|
||||||
|
|
||||||
# Only for C/S API v1
|
# Only for C/S API v1
|
||||||
|
|
|
@ -53,6 +53,31 @@ from ._base import BaseHandler
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
SUCCESS_TEMPLATE = """
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Success!</title>
|
||||||
|
<meta name='viewport' content='width=device-width, initial-scale=1,
|
||||||
|
user-scalable=no, minimum-scale=1.0, maximum-scale=1.0'>
|
||||||
|
<link rel="stylesheet" href="/_matrix/static/client/register/style.css">
|
||||||
|
<script>
|
||||||
|
if (window.onAuthDone) {
|
||||||
|
window.onAuthDone();
|
||||||
|
} else if (window.opener && window.opener.postMessage) {
|
||||||
|
window.opener.postMessage("authDone", "*");
|
||||||
|
}
|
||||||
|
</script>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<div>
|
||||||
|
<p>Thank you</p>
|
||||||
|
<p>You may now close this window and return to the application</p>
|
||||||
|
</div>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
"""
|
||||||
|
|
||||||
|
|
||||||
class AuthHandler(BaseHandler):
|
class AuthHandler(BaseHandler):
|
||||||
SESSION_EXPIRE_MS = 48 * 60 * 60 * 1000
|
SESSION_EXPIRE_MS = 48 * 60 * 60 * 1000
|
||||||
|
|
||||||
|
@ -91,6 +116,7 @@ class AuthHandler(BaseHandler):
|
||||||
self.hs = hs # FIXME better possibility to access registrationHandler later?
|
self.hs = hs # FIXME better possibility to access registrationHandler later?
|
||||||
self.macaroon_gen = hs.get_macaroon_generator()
|
self.macaroon_gen = hs.get_macaroon_generator()
|
||||||
self._password_enabled = hs.config.password_enabled
|
self._password_enabled = hs.config.password_enabled
|
||||||
|
self._saml2_enabled = hs.config.saml2_enabled
|
||||||
|
|
||||||
# we keep this as a list despite the O(N^2) implication so that we can
|
# we keep this as a list despite the O(N^2) implication so that we can
|
||||||
# keep PASSWORD first and avoid confusing clients which pick the first
|
# keep PASSWORD first and avoid confusing clients which pick the first
|
||||||
|
@ -106,6 +132,13 @@ class AuthHandler(BaseHandler):
|
||||||
if t not in login_types:
|
if t not in login_types:
|
||||||
login_types.append(t)
|
login_types.append(t)
|
||||||
self._supported_login_types = login_types
|
self._supported_login_types = login_types
|
||||||
|
# Login types and UI Auth types have a heavy overlap, but are not
|
||||||
|
# necessarily identical. Login types have SSO (and other login types)
|
||||||
|
# added in the rest layer, see synapse.rest.client.v1.login.LoginRestServerlet.on_GET.
|
||||||
|
ui_auth_types = login_types.copy()
|
||||||
|
if self._saml2_enabled:
|
||||||
|
ui_auth_types.append(LoginType.SSO)
|
||||||
|
self._supported_ui_auth_types = ui_auth_types
|
||||||
|
|
||||||
# Ratelimiter for failed auth during UIA. Uses same ratelimit config
|
# Ratelimiter for failed auth during UIA. Uses same ratelimit config
|
||||||
# as per `rc_login.failed_attempts`.
|
# as per `rc_login.failed_attempts`.
|
||||||
|
@ -113,10 +146,21 @@ class AuthHandler(BaseHandler):
|
||||||
|
|
||||||
self._clock = self.hs.get_clock()
|
self._clock = self.hs.get_clock()
|
||||||
|
|
||||||
# Load the SSO redirect confirmation page HTML template
|
# Load the SSO HTML templates.
|
||||||
|
|
||||||
|
# The following template is shown to the user during a client login via SSO,
|
||||||
|
# after the SSO completes and before redirecting them back to their client.
|
||||||
|
# It notifies the user they are about to give access to their matrix account
|
||||||
|
# to the client.
|
||||||
self._sso_redirect_confirm_template = load_jinja2_templates(
|
self._sso_redirect_confirm_template = load_jinja2_templates(
|
||||||
hs.config.sso_redirect_confirm_template_dir, ["sso_redirect_confirm.html"],
|
hs.config.sso_redirect_confirm_template_dir, ["sso_redirect_confirm.html"],
|
||||||
)[0]
|
)[0]
|
||||||
|
# The following template is shown during user interactive authentication
|
||||||
|
# in the fallback auth scenario. It notifies the user that they are
|
||||||
|
# authenticating for an operation to occur on their account.
|
||||||
|
self._sso_auth_confirm_template = load_jinja2_templates(
|
||||||
|
hs.config.sso_redirect_confirm_template_dir, ["sso_auth_confirm.html"],
|
||||||
|
)[0]
|
||||||
|
|
||||||
self._server_name = hs.config.server_name
|
self._server_name = hs.config.server_name
|
||||||
|
|
||||||
|
@ -130,6 +174,7 @@ class AuthHandler(BaseHandler):
|
||||||
request: SynapseRequest,
|
request: SynapseRequest,
|
||||||
request_body: Dict[str, Any],
|
request_body: Dict[str, Any],
|
||||||
clientip: str,
|
clientip: str,
|
||||||
|
description: str,
|
||||||
):
|
):
|
||||||
"""
|
"""
|
||||||
Checks that the user is who they claim to be, via a UI auth.
|
Checks that the user is who they claim to be, via a UI auth.
|
||||||
|
@ -147,6 +192,9 @@ class AuthHandler(BaseHandler):
|
||||||
|
|
||||||
clientip: The IP address of the client.
|
clientip: The IP address of the client.
|
||||||
|
|
||||||
|
description: A human readable string to be displayed to the user that
|
||||||
|
describes the operation happening on their account.
|
||||||
|
|
||||||
Returns:
|
Returns:
|
||||||
defer.Deferred[dict]: the parameters for this request (which may
|
defer.Deferred[dict]: the parameters for this request (which may
|
||||||
have been given only in a previous call).
|
have been given only in a previous call).
|
||||||
|
@ -175,11 +223,11 @@ class AuthHandler(BaseHandler):
|
||||||
)
|
)
|
||||||
|
|
||||||
# build a list of supported flows
|
# build a list of supported flows
|
||||||
flows = [[login_type] for login_type in self._supported_login_types]
|
flows = [[login_type] for login_type in self._supported_ui_auth_types]
|
||||||
|
|
||||||
try:
|
try:
|
||||||
result, params, _ = yield self.check_auth(
|
result, params, _ = yield self.check_auth(
|
||||||
flows, request, request_body, clientip
|
flows, request, request_body, clientip, description
|
||||||
)
|
)
|
||||||
except LoginError:
|
except LoginError:
|
||||||
# Update the ratelimite to say we failed (`can_do_action` doesn't raise).
|
# Update the ratelimite to say we failed (`can_do_action` doesn't raise).
|
||||||
|
@ -193,7 +241,7 @@ class AuthHandler(BaseHandler):
|
||||||
raise
|
raise
|
||||||
|
|
||||||
# find the completed login type
|
# find the completed login type
|
||||||
for login_type in self._supported_login_types:
|
for login_type in self._supported_ui_auth_types:
|
||||||
if login_type not in result:
|
if login_type not in result:
|
||||||
continue
|
continue
|
||||||
|
|
||||||
|
@ -224,6 +272,7 @@ class AuthHandler(BaseHandler):
|
||||||
request: SynapseRequest,
|
request: SynapseRequest,
|
||||||
clientdict: Dict[str, Any],
|
clientdict: Dict[str, Any],
|
||||||
clientip: str,
|
clientip: str,
|
||||||
|
description: str,
|
||||||
):
|
):
|
||||||
"""
|
"""
|
||||||
Takes a dictionary sent by the client in the login / registration
|
Takes a dictionary sent by the client in the login / registration
|
||||||
|
@ -250,6 +299,9 @@ class AuthHandler(BaseHandler):
|
||||||
|
|
||||||
clientip: The IP address of the client.
|
clientip: The IP address of the client.
|
||||||
|
|
||||||
|
description: A human readable string to be displayed to the user that
|
||||||
|
describes the operation happening on their account.
|
||||||
|
|
||||||
Returns:
|
Returns:
|
||||||
defer.Deferred[dict, dict, str]: a deferred tuple of
|
defer.Deferred[dict, dict, str]: a deferred tuple of
|
||||||
(creds, params, session_id).
|
(creds, params, session_id).
|
||||||
|
@ -299,12 +351,18 @@ class AuthHandler(BaseHandler):
|
||||||
comparator = (request.uri, request.method, clientdict)
|
comparator = (request.uri, request.method, clientdict)
|
||||||
if "ui_auth" not in session:
|
if "ui_auth" not in session:
|
||||||
session["ui_auth"] = comparator
|
session["ui_auth"] = comparator
|
||||||
|
self._save_session(session)
|
||||||
elif session["ui_auth"] != comparator:
|
elif session["ui_auth"] != comparator:
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
403,
|
403,
|
||||||
"Requested operation has changed during the UI authentication session.",
|
"Requested operation has changed during the UI authentication session.",
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# Add a human readable description to the session.
|
||||||
|
if "description" not in session:
|
||||||
|
session["description"] = description
|
||||||
|
self._save_session(session)
|
||||||
|
|
||||||
if not authdict:
|
if not authdict:
|
||||||
raise InteractiveAuthIncompleteError(
|
raise InteractiveAuthIncompleteError(
|
||||||
self._auth_dict_for_flows(flows, session)
|
self._auth_dict_for_flows(flows, session)
|
||||||
|
@ -991,6 +1049,56 @@ class AuthHandler(BaseHandler):
|
||||||
else:
|
else:
|
||||||
return defer.succeed(False)
|
return defer.succeed(False)
|
||||||
|
|
||||||
|
def start_sso_ui_auth(self, redirect_url: str, session_id: str) -> str:
|
||||||
|
"""
|
||||||
|
Get the HTML for the SSO redirect confirmation page.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
redirect_url: The URL to redirect to the SSO provider.
|
||||||
|
session_id: The user interactive authentication session ID.
|
||||||
|
|
||||||
|
Returns:
|
||||||
|
The HTML to render.
|
||||||
|
"""
|
||||||
|
session = self._get_session_info(session_id)
|
||||||
|
# Get the human readable operation of what is occurring, falling back to
|
||||||
|
# a generic message if it isn't available for some reason.
|
||||||
|
description = session.get("description", "modify your account")
|
||||||
|
return self._sso_auth_confirm_template.render(
|
||||||
|
description=description, redirect_url=redirect_url,
|
||||||
|
)
|
||||||
|
|
||||||
|
def complete_sso_ui_auth(
|
||||||
|
self, registered_user_id: str, session_id: str, request: SynapseRequest,
|
||||||
|
):
|
||||||
|
"""Having figured out a mxid for this user, complete the HTTP request
|
||||||
|
|
||||||
|
Args:
|
||||||
|
registered_user_id: The registered user ID to complete SSO login for.
|
||||||
|
request: The request to complete.
|
||||||
|
client_redirect_url: The URL to which to redirect the user at the end of the
|
||||||
|
process.
|
||||||
|
"""
|
||||||
|
# Mark the stage of the authentication as successful.
|
||||||
|
sess = self._get_session_info(session_id)
|
||||||
|
if "creds" not in sess:
|
||||||
|
sess["creds"] = {}
|
||||||
|
creds = sess["creds"]
|
||||||
|
|
||||||
|
# Save the user who authenticated with SSO, this will be used to ensure
|
||||||
|
# that the account be modified is also the person who logged in.
|
||||||
|
creds[LoginType.SSO] = registered_user_id
|
||||||
|
self._save_session(sess)
|
||||||
|
|
||||||
|
# Render the HTML and return.
|
||||||
|
html_bytes = SUCCESS_TEMPLATE.encode("utf8")
|
||||||
|
request.setResponseCode(200)
|
||||||
|
request.setHeader(b"Content-Type", b"text/html; charset=utf-8")
|
||||||
|
request.setHeader(b"Content-Length", b"%d" % (len(html_bytes),))
|
||||||
|
|
||||||
|
request.write(html_bytes)
|
||||||
|
finish_request(request)
|
||||||
|
|
||||||
def complete_sso_login(
|
def complete_sso_login(
|
||||||
self,
|
self,
|
||||||
registered_user_id: str,
|
registered_user_id: str,
|
||||||
|
|
|
@ -127,7 +127,11 @@ class DirectoryHandler(BaseHandler):
|
||||||
errcode=Codes.EXCLUSIVE,
|
errcode=Codes.EXCLUSIVE,
|
||||||
)
|
)
|
||||||
else:
|
else:
|
||||||
if self.require_membership and check_membership:
|
# Server admins are not subject to the same constraints as normal
|
||||||
|
# users when creating an alias (e.g. being in the room).
|
||||||
|
is_admin = yield self.auth.is_server_admin(requester.user)
|
||||||
|
|
||||||
|
if (self.require_membership and check_membership) and not is_admin:
|
||||||
rooms_for_user = yield self.store.get_rooms_for_user(user_id)
|
rooms_for_user = yield self.store.get_rooms_for_user(user_id)
|
||||||
if room_id not in rooms_for_user:
|
if room_id not in rooms_for_user:
|
||||||
raise AuthError(
|
raise AuthError(
|
||||||
|
|
|
@ -14,7 +14,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
import logging
|
import logging
|
||||||
import re
|
import re
|
||||||
from typing import Tuple
|
from typing import Optional, Tuple
|
||||||
|
|
||||||
import attr
|
import attr
|
||||||
import saml2
|
import saml2
|
||||||
|
@ -44,11 +44,15 @@ class Saml2SessionData:
|
||||||
|
|
||||||
# time the session was created, in milliseconds
|
# time the session was created, in milliseconds
|
||||||
creation_time = attr.ib()
|
creation_time = attr.ib()
|
||||||
|
# The user interactive authentication session ID associated with this SAML
|
||||||
|
# session (or None if this SAML session is for an initial login).
|
||||||
|
ui_auth_session_id = attr.ib(type=Optional[str], default=None)
|
||||||
|
|
||||||
|
|
||||||
class SamlHandler:
|
class SamlHandler:
|
||||||
def __init__(self, hs):
|
def __init__(self, hs):
|
||||||
self._saml_client = Saml2Client(hs.config.saml2_sp_config)
|
self._saml_client = Saml2Client(hs.config.saml2_sp_config)
|
||||||
|
self._auth = hs.get_auth()
|
||||||
self._auth_handler = hs.get_auth_handler()
|
self._auth_handler = hs.get_auth_handler()
|
||||||
self._registration_handler = hs.get_registration_handler()
|
self._registration_handler = hs.get_registration_handler()
|
||||||
|
|
||||||
|
@ -77,12 +81,14 @@ class SamlHandler:
|
||||||
|
|
||||||
self._error_html_content = hs.config.saml2_error_html_content
|
self._error_html_content = hs.config.saml2_error_html_content
|
||||||
|
|
||||||
def handle_redirect_request(self, client_redirect_url):
|
def handle_redirect_request(self, client_redirect_url, ui_auth_session_id=None):
|
||||||
"""Handle an incoming request to /login/sso/redirect
|
"""Handle an incoming request to /login/sso/redirect
|
||||||
|
|
||||||
Args:
|
Args:
|
||||||
client_redirect_url (bytes): the URL that we should redirect the
|
client_redirect_url (bytes): the URL that we should redirect the
|
||||||
client to when everything is done
|
client to when everything is done
|
||||||
|
ui_auth_session_id (Optional[str]): The session ID of the ongoing UI Auth (or
|
||||||
|
None if this is a login).
|
||||||
|
|
||||||
Returns:
|
Returns:
|
||||||
bytes: URL to redirect to
|
bytes: URL to redirect to
|
||||||
|
@ -92,7 +98,9 @@ class SamlHandler:
|
||||||
)
|
)
|
||||||
|
|
||||||
now = self._clock.time_msec()
|
now = self._clock.time_msec()
|
||||||
self._outstanding_requests_dict[reqid] = Saml2SessionData(creation_time=now)
|
self._outstanding_requests_dict[reqid] = Saml2SessionData(
|
||||||
|
creation_time=now, ui_auth_session_id=ui_auth_session_id,
|
||||||
|
)
|
||||||
|
|
||||||
for key, value in info["headers"]:
|
for key, value in info["headers"]:
|
||||||
if key == "Location":
|
if key == "Location":
|
||||||
|
@ -119,7 +127,9 @@ class SamlHandler:
|
||||||
self.expire_sessions()
|
self.expire_sessions()
|
||||||
|
|
||||||
try:
|
try:
|
||||||
user_id = await self._map_saml_response_to_user(resp_bytes, relay_state)
|
user_id, current_session = await self._map_saml_response_to_user(
|
||||||
|
resp_bytes, relay_state
|
||||||
|
)
|
||||||
except RedirectException:
|
except RedirectException:
|
||||||
# Raise the exception as per the wishes of the SAML module response
|
# Raise the exception as per the wishes of the SAML module response
|
||||||
raise
|
raise
|
||||||
|
@ -137,9 +147,28 @@ class SamlHandler:
|
||||||
finish_request(request)
|
finish_request(request)
|
||||||
return
|
return
|
||||||
|
|
||||||
self._auth_handler.complete_sso_login(user_id, request, relay_state)
|
# Complete the interactive auth session or the login.
|
||||||
|
if current_session and current_session.ui_auth_session_id:
|
||||||
|
self._auth_handler.complete_sso_ui_auth(
|
||||||
|
user_id, current_session.ui_auth_session_id, request
|
||||||
|
)
|
||||||
|
|
||||||
async def _map_saml_response_to_user(self, resp_bytes, client_redirect_url):
|
else:
|
||||||
|
self._auth_handler.complete_sso_login(user_id, request, relay_state)
|
||||||
|
|
||||||
|
async def _map_saml_response_to_user(
|
||||||
|
self, resp_bytes: str, client_redirect_url: str
|
||||||
|
) -> Tuple[str, Optional[Saml2SessionData]]:
|
||||||
|
"""
|
||||||
|
Given a sample response, retrieve the cached session and user for it.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
resp_bytes: The SAML response.
|
||||||
|
client_redirect_url: The redirect URL passed in by the client.
|
||||||
|
|
||||||
|
Returns:
|
||||||
|
Tuple of the user ID and SAML session associated with this response.
|
||||||
|
"""
|
||||||
try:
|
try:
|
||||||
saml2_auth = self._saml_client.parse_authn_request_response(
|
saml2_auth = self._saml_client.parse_authn_request_response(
|
||||||
resp_bytes,
|
resp_bytes,
|
||||||
|
@ -167,7 +196,9 @@ class SamlHandler:
|
||||||
|
|
||||||
logger.info("SAML2 mapped attributes: %s", saml2_auth.ava)
|
logger.info("SAML2 mapped attributes: %s", saml2_auth.ava)
|
||||||
|
|
||||||
self._outstanding_requests_dict.pop(saml2_auth.in_response_to, None)
|
current_session = self._outstanding_requests_dict.pop(
|
||||||
|
saml2_auth.in_response_to, None
|
||||||
|
)
|
||||||
|
|
||||||
remote_user_id = self._user_mapping_provider.get_remote_user_id(
|
remote_user_id = self._user_mapping_provider.get_remote_user_id(
|
||||||
saml2_auth, client_redirect_url
|
saml2_auth, client_redirect_url
|
||||||
|
@ -188,7 +219,7 @@ class SamlHandler:
|
||||||
)
|
)
|
||||||
if registered_user_id is not None:
|
if registered_user_id is not None:
|
||||||
logger.info("Found existing mapping %s", registered_user_id)
|
logger.info("Found existing mapping %s", registered_user_id)
|
||||||
return registered_user_id
|
return registered_user_id, current_session
|
||||||
|
|
||||||
# backwards-compatibility hack: see if there is an existing user with a
|
# backwards-compatibility hack: see if there is an existing user with a
|
||||||
# suitable mapping from the uid
|
# suitable mapping from the uid
|
||||||
|
@ -213,7 +244,7 @@ class SamlHandler:
|
||||||
await self._datastore.record_user_external_id(
|
await self._datastore.record_user_external_id(
|
||||||
self._auth_provider_id, remote_user_id, registered_user_id
|
self._auth_provider_id, remote_user_id, registered_user_id
|
||||||
)
|
)
|
||||||
return registered_user_id
|
return registered_user_id, current_session
|
||||||
|
|
||||||
# Map saml response to user attributes using the configured mapping provider
|
# Map saml response to user attributes using the configured mapping provider
|
||||||
for i in range(1000):
|
for i in range(1000):
|
||||||
|
@ -260,7 +291,7 @@ class SamlHandler:
|
||||||
await self._datastore.record_user_external_id(
|
await self._datastore.record_user_external_id(
|
||||||
self._auth_provider_id, remote_user_id, registered_user_id
|
self._auth_provider_id, remote_user_id, registered_user_id
|
||||||
)
|
)
|
||||||
return registered_user_id
|
return registered_user_id, current_session
|
||||||
|
|
||||||
def expire_sessions(self):
|
def expire_sessions(self):
|
||||||
expire_before = self._clock.time_msec() - self._saml2_session_lifetime
|
expire_before = self._clock.time_msec() - self._saml2_session_lifetime
|
||||||
|
|
|
@ -99,22 +99,6 @@ class ReplicationStreamer(object):
|
||||||
|
|
||||||
self.streams_by_name = {stream.NAME: stream for stream in self.streams}
|
self.streams_by_name = {stream.NAME: stream for stream in self.streams}
|
||||||
|
|
||||||
LaterGauge(
|
|
||||||
"synapse_replication_tcp_resource_connections_per_stream",
|
|
||||||
"",
|
|
||||||
["stream_name"],
|
|
||||||
lambda: {
|
|
||||||
(stream_name,): len(
|
|
||||||
[
|
|
||||||
conn
|
|
||||||
for conn in self.connections
|
|
||||||
if stream_name in conn.replication_streams
|
|
||||||
]
|
|
||||||
)
|
|
||||||
for stream_name in self.streams_by_name
|
|
||||||
},
|
|
||||||
)
|
|
||||||
|
|
||||||
self.federation_sender = None
|
self.federation_sender = None
|
||||||
if not hs.config.send_federation:
|
if not hs.config.send_federation:
|
||||||
self.federation_sender = hs.get_federation_sender()
|
self.federation_sender = hs.get_federation_sender()
|
||||||
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Authentication</title>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<div>
|
||||||
|
<p>
|
||||||
|
A client is trying to {{ description | e }}. To confirm this action,
|
||||||
|
<a href="{{ redirect_url | e }}">re-authenticate with single sign-on</a>.
|
||||||
|
If you did not expect this, your account may be compromised!
|
||||||
|
</p>
|
||||||
|
</div>
|
||||||
|
</body>
|
||||||
|
</html>
|
|
@ -234,7 +234,11 @@ class PasswordRestServlet(RestServlet):
|
||||||
if self.auth.has_access_token(request):
|
if self.auth.has_access_token(request):
|
||||||
requester = await self.auth.get_user_by_req(request)
|
requester = await self.auth.get_user_by_req(request)
|
||||||
params = await self.auth_handler.validate_user_via_ui_auth(
|
params = await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, request, body, self.hs.get_ip_from_request(request),
|
requester,
|
||||||
|
request,
|
||||||
|
body,
|
||||||
|
self.hs.get_ip_from_request(request),
|
||||||
|
"modify your account password",
|
||||||
)
|
)
|
||||||
user_id = requester.user.to_string()
|
user_id = requester.user.to_string()
|
||||||
else:
|
else:
|
||||||
|
@ -244,6 +248,7 @@ class PasswordRestServlet(RestServlet):
|
||||||
request,
|
request,
|
||||||
body,
|
body,
|
||||||
self.hs.get_ip_from_request(request),
|
self.hs.get_ip_from_request(request),
|
||||||
|
"modify your account password",
|
||||||
)
|
)
|
||||||
|
|
||||||
if LoginType.EMAIL_IDENTITY in result:
|
if LoginType.EMAIL_IDENTITY in result:
|
||||||
|
@ -311,7 +316,11 @@ class DeactivateAccountRestServlet(RestServlet):
|
||||||
return 200, {}
|
return 200, {}
|
||||||
|
|
||||||
await self.auth_handler.validate_user_via_ui_auth(
|
await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, request, body, self.hs.get_ip_from_request(request),
|
requester,
|
||||||
|
request,
|
||||||
|
body,
|
||||||
|
self.hs.get_ip_from_request(request),
|
||||||
|
"deactivate your account",
|
||||||
)
|
)
|
||||||
result = await self._deactivate_account_handler.deactivate_account(
|
result = await self._deactivate_account_handler.deactivate_account(
|
||||||
requester.user.to_string(), erase, id_server=body.get("id_server")
|
requester.user.to_string(), erase, id_server=body.get("id_server")
|
||||||
|
@ -669,7 +678,11 @@ class ThreepidAddRestServlet(RestServlet):
|
||||||
assert_valid_client_secret(client_secret)
|
assert_valid_client_secret(client_secret)
|
||||||
|
|
||||||
await self.auth_handler.validate_user_via_ui_auth(
|
await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, request, body, self.hs.get_ip_from_request(request),
|
requester,
|
||||||
|
request,
|
||||||
|
body,
|
||||||
|
self.hs.get_ip_from_request(request),
|
||||||
|
"add a third-party identifier to your account",
|
||||||
)
|
)
|
||||||
|
|
||||||
validation_session = await self.identity_handler.validate_threepid_session(
|
validation_session = await self.identity_handler.validate_threepid_session(
|
||||||
|
|
|
@ -18,6 +18,7 @@ import logging
|
||||||
from synapse.api.constants import LoginType
|
from synapse.api.constants import LoginType
|
||||||
from synapse.api.errors import SynapseError
|
from synapse.api.errors import SynapseError
|
||||||
from synapse.api.urls import CLIENT_API_PREFIX
|
from synapse.api.urls import CLIENT_API_PREFIX
|
||||||
|
from synapse.handlers.auth import SUCCESS_TEMPLATE
|
||||||
from synapse.http.server import finish_request
|
from synapse.http.server import finish_request
|
||||||
from synapse.http.servlet import RestServlet, parse_string
|
from synapse.http.servlet import RestServlet, parse_string
|
||||||
|
|
||||||
|
@ -89,30 +90,6 @@ TERMS_TEMPLATE = """
|
||||||
</html>
|
</html>
|
||||||
"""
|
"""
|
||||||
|
|
||||||
SUCCESS_TEMPLATE = """
|
|
||||||
<html>
|
|
||||||
<head>
|
|
||||||
<title>Success!</title>
|
|
||||||
<meta name='viewport' content='width=device-width, initial-scale=1,
|
|
||||||
user-scalable=no, minimum-scale=1.0, maximum-scale=1.0'>
|
|
||||||
<link rel="stylesheet" href="/_matrix/static/client/register/style.css">
|
|
||||||
<script>
|
|
||||||
if (window.onAuthDone) {
|
|
||||||
window.onAuthDone();
|
|
||||||
} else if (window.opener && window.opener.postMessage) {
|
|
||||||
window.opener.postMessage("authDone", "*");
|
|
||||||
}
|
|
||||||
</script>
|
|
||||||
</head>
|
|
||||||
<body>
|
|
||||||
<div>
|
|
||||||
<p>Thank you</p>
|
|
||||||
<p>You may now close this window and return to the application</p>
|
|
||||||
</div>
|
|
||||||
</body>
|
|
||||||
</html>
|
|
||||||
"""
|
|
||||||
|
|
||||||
|
|
||||||
class AuthRestServlet(RestServlet):
|
class AuthRestServlet(RestServlet):
|
||||||
"""
|
"""
|
||||||
|
@ -130,6 +107,11 @@ class AuthRestServlet(RestServlet):
|
||||||
self.auth_handler = hs.get_auth_handler()
|
self.auth_handler = hs.get_auth_handler()
|
||||||
self.registration_handler = hs.get_registration_handler()
|
self.registration_handler = hs.get_registration_handler()
|
||||||
|
|
||||||
|
# SSO configuration.
|
||||||
|
self._saml_enabled = hs.config.saml2_enabled
|
||||||
|
if self._saml_enabled:
|
||||||
|
self._saml_handler = hs.get_saml_handler()
|
||||||
|
|
||||||
def on_GET(self, request, stagetype):
|
def on_GET(self, request, stagetype):
|
||||||
session = parse_string(request, "session")
|
session = parse_string(request, "session")
|
||||||
if not session:
|
if not session:
|
||||||
|
@ -150,6 +132,15 @@ class AuthRestServlet(RestServlet):
|
||||||
"myurl": "%s/r0/auth/%s/fallback/web"
|
"myurl": "%s/r0/auth/%s/fallback/web"
|
||||||
% (CLIENT_API_PREFIX, LoginType.TERMS),
|
% (CLIENT_API_PREFIX, LoginType.TERMS),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
elif stagetype == LoginType.SSO and self._saml_enabled:
|
||||||
|
# Display a confirmation page which prompts the user to
|
||||||
|
# re-authenticate with their SSO provider.
|
||||||
|
client_redirect_url = ""
|
||||||
|
sso_redirect_url = self._saml_handler.handle_redirect_request(
|
||||||
|
client_redirect_url, session
|
||||||
|
)
|
||||||
|
html = self.auth_handler.start_sso_ui_auth(sso_redirect_url, session)
|
||||||
else:
|
else:
|
||||||
raise SynapseError(404, "Unknown auth stage type")
|
raise SynapseError(404, "Unknown auth stage type")
|
||||||
|
|
||||||
|
@ -210,6 +201,9 @@ class AuthRestServlet(RestServlet):
|
||||||
"myurl": "%s/r0/auth/%s/fallback/web"
|
"myurl": "%s/r0/auth/%s/fallback/web"
|
||||||
% (CLIENT_API_PREFIX, LoginType.TERMS),
|
% (CLIENT_API_PREFIX, LoginType.TERMS),
|
||||||
}
|
}
|
||||||
|
elif stagetype == LoginType.SSO:
|
||||||
|
# The SSO fallback workflow should not post here,
|
||||||
|
raise SynapseError(404, "Fallback SSO auth does not support POST requests.")
|
||||||
else:
|
else:
|
||||||
raise SynapseError(404, "Unknown auth stage type")
|
raise SynapseError(404, "Unknown auth stage type")
|
||||||
|
|
||||||
|
|
|
@ -81,7 +81,11 @@ class DeleteDevicesRestServlet(RestServlet):
|
||||||
assert_params_in_dict(body, ["devices"])
|
assert_params_in_dict(body, ["devices"])
|
||||||
|
|
||||||
await self.auth_handler.validate_user_via_ui_auth(
|
await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, request, body, self.hs.get_ip_from_request(request),
|
requester,
|
||||||
|
request,
|
||||||
|
body,
|
||||||
|
self.hs.get_ip_from_request(request),
|
||||||
|
"remove device(s) from your account",
|
||||||
)
|
)
|
||||||
|
|
||||||
await self.device_handler.delete_devices(
|
await self.device_handler.delete_devices(
|
||||||
|
@ -127,7 +131,11 @@ class DeviceRestServlet(RestServlet):
|
||||||
raise
|
raise
|
||||||
|
|
||||||
await self.auth_handler.validate_user_via_ui_auth(
|
await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, request, body, self.hs.get_ip_from_request(request),
|
requester,
|
||||||
|
request,
|
||||||
|
body,
|
||||||
|
self.hs.get_ip_from_request(request),
|
||||||
|
"remove a device from your account",
|
||||||
)
|
)
|
||||||
|
|
||||||
await self.device_handler.delete_device(requester.user.to_string(), device_id)
|
await self.device_handler.delete_device(requester.user.to_string(), device_id)
|
||||||
|
|
|
@ -263,7 +263,11 @@ class SigningKeyUploadServlet(RestServlet):
|
||||||
body = parse_json_object_from_request(request)
|
body = parse_json_object_from_request(request)
|
||||||
|
|
||||||
await self.auth_handler.validate_user_via_ui_auth(
|
await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, request, body, self.hs.get_ip_from_request(request),
|
requester,
|
||||||
|
request,
|
||||||
|
body,
|
||||||
|
self.hs.get_ip_from_request(request),
|
||||||
|
"add a device signing key to your account",
|
||||||
)
|
)
|
||||||
|
|
||||||
result = await self.e2e_keys_handler.upload_signing_keys_for_user(user_id, body)
|
result = await self.e2e_keys_handler.upload_signing_keys_for_user(user_id, body)
|
||||||
|
|
|
@ -505,6 +505,7 @@ class RegisterRestServlet(RestServlet):
|
||||||
request,
|
request,
|
||||||
body,
|
body,
|
||||||
self.hs.get_ip_from_request(request),
|
self.hs.get_ip_from_request(request),
|
||||||
|
"register a new account",
|
||||||
)
|
)
|
||||||
|
|
||||||
# Check that we're not trying to register a denied 3pid.
|
# Check that we're not trying to register a denied 3pid.
|
||||||
|
|
|
@ -102,6 +102,68 @@ class DirectoryTestCase(unittest.HomeserverTestCase):
|
||||||
self.assertEquals({"room_id": "!8765asdf:test", "servers": ["test"]}, response)
|
self.assertEquals({"room_id": "!8765asdf:test", "servers": ["test"]}, response)
|
||||||
|
|
||||||
|
|
||||||
|
class TestCreateAlias(unittest.HomeserverTestCase):
|
||||||
|
servlets = [
|
||||||
|
synapse.rest.admin.register_servlets,
|
||||||
|
login.register_servlets,
|
||||||
|
room.register_servlets,
|
||||||
|
directory.register_servlets,
|
||||||
|
]
|
||||||
|
|
||||||
|
def prepare(self, reactor, clock, hs):
|
||||||
|
self.handler = hs.get_handlers().directory_handler
|
||||||
|
|
||||||
|
# Create user
|
||||||
|
self.admin_user = self.register_user("admin", "pass", admin=True)
|
||||||
|
self.admin_user_tok = self.login("admin", "pass")
|
||||||
|
|
||||||
|
# Create a test room
|
||||||
|
self.room_id = self.helper.create_room_as(
|
||||||
|
self.admin_user, tok=self.admin_user_tok
|
||||||
|
)
|
||||||
|
|
||||||
|
self.test_alias = "#test:test"
|
||||||
|
self.room_alias = RoomAlias.from_string(self.test_alias)
|
||||||
|
|
||||||
|
# Create a test user.
|
||||||
|
self.test_user = self.register_user("user", "pass", admin=False)
|
||||||
|
self.test_user_tok = self.login("user", "pass")
|
||||||
|
self.helper.join(room=self.room_id, user=self.test_user, tok=self.test_user_tok)
|
||||||
|
|
||||||
|
def test_create_alias_joined_room(self):
|
||||||
|
"""A user can create an alias for a room they're in."""
|
||||||
|
self.get_success(
|
||||||
|
self.handler.create_association(
|
||||||
|
create_requester(self.test_user), self.room_alias, self.room_id,
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_create_alias_other_room(self):
|
||||||
|
"""A user cannot create an alias for a room they're NOT in."""
|
||||||
|
other_room_id = self.helper.create_room_as(
|
||||||
|
self.admin_user, tok=self.admin_user_tok
|
||||||
|
)
|
||||||
|
|
||||||
|
self.get_failure(
|
||||||
|
self.handler.create_association(
|
||||||
|
create_requester(self.test_user), self.room_alias, other_room_id,
|
||||||
|
),
|
||||||
|
synapse.api.errors.SynapseError,
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_create_alias_admin(self):
|
||||||
|
"""An admin can create an alias for a room they're NOT in."""
|
||||||
|
other_room_id = self.helper.create_room_as(
|
||||||
|
self.test_user, tok=self.test_user_tok
|
||||||
|
)
|
||||||
|
|
||||||
|
self.get_success(
|
||||||
|
self.handler.create_association(
|
||||||
|
create_requester(self.admin_user), self.room_alias, other_room_id,
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
class TestDeleteAlias(unittest.HomeserverTestCase):
|
class TestDeleteAlias(unittest.HomeserverTestCase):
|
||||||
servlets = [
|
servlets = [
|
||||||
synapse.rest.admin.register_servlets,
|
synapse.rest.admin.register_servlets,
|
||||||
|
|
Loading…
Reference in New Issue