Compare commits

...

2 Commits

Author SHA1 Message Date
Patrick Cloke dc5ef6c9fd Add a human-readable description to the fallback template. 2020-03-31 11:38:14 -04:00
Patrick Cloke 018cd02b24 Fix docstring formatting. 2020-03-31 11:38:14 -04:00
7 changed files with 63 additions and 14 deletions

View File

@ -174,6 +174,7 @@ class AuthHandler(BaseHandler):
request: SynapseRequest, request: SynapseRequest,
request_body: Dict[str, Any], request_body: Dict[str, Any],
clientip: str, clientip: str,
description: str,
): ):
""" """
Checks that the user is who they claim to be, via a UI auth. Checks that the user is who they claim to be, via a UI auth.
@ -191,6 +192,9 @@ class AuthHandler(BaseHandler):
clientip: The IP address of the client. clientip: The IP address of the client.
description: A human readable string to be displayed to the user that
describes the operation happening on their account.
Returns: Returns:
defer.Deferred[dict]: the parameters for this request (which may defer.Deferred[dict]: the parameters for this request (which may
have been given only in a previous call). have been given only in a previous call).
@ -223,7 +227,7 @@ class AuthHandler(BaseHandler):
try: try:
result, params, _ = yield self.check_auth( result, params, _ = yield self.check_auth(
flows, request, request_body, clientip flows, request, request_body, clientip, description
) )
except LoginError: except LoginError:
# Update the ratelimite to say we failed (`can_do_action` doesn't raise). # Update the ratelimite to say we failed (`can_do_action` doesn't raise).
@ -268,6 +272,7 @@ class AuthHandler(BaseHandler):
request: SynapseRequest, request: SynapseRequest,
clientdict: Dict[str, Any], clientdict: Dict[str, Any],
clientip: str, clientip: str,
description: str,
): ):
""" """
Takes a dictionary sent by the client in the login / registration Takes a dictionary sent by the client in the login / registration
@ -294,6 +299,9 @@ class AuthHandler(BaseHandler):
clientip: The IP address of the client. clientip: The IP address of the client.
description: A human readable string to be displayed to the user that
describes the operation happening on their account.
Returns: Returns:
defer.Deferred[dict, dict, str]: a deferred tuple of defer.Deferred[dict, dict, str]: a deferred tuple of
(creds, params, session_id). (creds, params, session_id).
@ -343,12 +351,18 @@ class AuthHandler(BaseHandler):
comparator = (request.uri, request.method, clientdict) comparator = (request.uri, request.method, clientdict)
if "ui_auth" not in session: if "ui_auth" not in session:
session["ui_auth"] = comparator session["ui_auth"] = comparator
self._save_session(session)
elif session["ui_auth"] != comparator: elif session["ui_auth"] != comparator:
raise SynapseError( raise SynapseError(
403, 403,
"Requested operation has changed during the UI authentication session.", "Requested operation has changed during the UI authentication session.",
) )
# Add a human readable description to the session.
if "description" not in session:
session["description"] = description
self._save_session(session)
if not authdict: if not authdict:
raise InteractiveAuthIncompleteError( raise InteractiveAuthIncompleteError(
self._auth_dict_for_flows(flows, session) self._auth_dict_for_flows(flows, session)
@ -1035,14 +1049,24 @@ class AuthHandler(BaseHandler):
else: else:
return defer.succeed(False) return defer.succeed(False)
def start_sso_ui_auth(self, redirect_url: str) -> str: def start_sso_ui_auth(self, redirect_url: str, session_id: str) -> str:
""" """
Get the HTML for the SSO redirect confirmation page. Get the HTML for the SSO redirect confirmation page.
:param redirect_url: The URL to redirect to the SSO provider. Args:
:return: The HTML to render. redirect_url: The URL to redirect to the SSO provider.
session_id: The user interactive authentication session ID.
Returns:
The HTML to render.
""" """
return self._sso_auth_confirm_template.render(redirect_url=redirect_url,) session = self._get_session_info(session_id)
# Get the human readable operation of what is occurring, falling back to
# a generic message if it isn't available for some reason.
description = session.get("description", "modify your account")
return self._sso_auth_confirm_template.render(
description=description, redirect_url=redirect_url,
)
def complete_sso_ui_auth( def complete_sso_ui_auth(
self, registered_user_id: str, session_id: str, request: SynapseRequest, self, registered_user_id: str, session_id: str, request: SynapseRequest,

View File

@ -5,8 +5,7 @@
<body> <body>
<div> <div>
<p> <p>
A client is trying to remove a device/add an email address/take over A client is trying to {{ description | e }}. To confirm this action,
your account. To confirm this action,
<a href="{{ redirect_url | e }}">re-authenticate with single sign-on</a>. <a href="{{ redirect_url | e }}">re-authenticate with single sign-on</a>.
If you did not expect this, your account may be compromised! If you did not expect this, your account may be compromised!
</p> </p>

View File

@ -234,7 +234,11 @@ class PasswordRestServlet(RestServlet):
if self.auth.has_access_token(request): if self.auth.has_access_token(request):
requester = await self.auth.get_user_by_req(request) requester = await self.auth.get_user_by_req(request)
params = await self.auth_handler.validate_user_via_ui_auth( params = await self.auth_handler.validate_user_via_ui_auth(
requester, request, body, self.hs.get_ip_from_request(request), requester,
request,
body,
self.hs.get_ip_from_request(request),
"modify your account password",
) )
user_id = requester.user.to_string() user_id = requester.user.to_string()
else: else:
@ -244,6 +248,7 @@ class PasswordRestServlet(RestServlet):
request, request,
body, body,
self.hs.get_ip_from_request(request), self.hs.get_ip_from_request(request),
"modify your account password",
) )
if LoginType.EMAIL_IDENTITY in result: if LoginType.EMAIL_IDENTITY in result:
@ -311,7 +316,11 @@ class DeactivateAccountRestServlet(RestServlet):
return 200, {} return 200, {}
await self.auth_handler.validate_user_via_ui_auth( await self.auth_handler.validate_user_via_ui_auth(
requester, request, body, self.hs.get_ip_from_request(request), requester,
request,
body,
self.hs.get_ip_from_request(request),
"deactivate your account",
) )
result = await self._deactivate_account_handler.deactivate_account( result = await self._deactivate_account_handler.deactivate_account(
requester.user.to_string(), erase, id_server=body.get("id_server") requester.user.to_string(), erase, id_server=body.get("id_server")
@ -669,7 +678,11 @@ class ThreepidAddRestServlet(RestServlet):
assert_valid_client_secret(client_secret) assert_valid_client_secret(client_secret)
await self.auth_handler.validate_user_via_ui_auth( await self.auth_handler.validate_user_via_ui_auth(
requester, request, body, self.hs.get_ip_from_request(request), requester,
request,
body,
self.hs.get_ip_from_request(request),
"add a third-party identifier to your account",
) )
validation_session = await self.identity_handler.validate_threepid_session( validation_session = await self.identity_handler.validate_threepid_session(

View File

@ -140,7 +140,7 @@ class AuthRestServlet(RestServlet):
sso_redirect_url = self._saml_handler.handle_redirect_request( sso_redirect_url = self._saml_handler.handle_redirect_request(
client_redirect_url, session client_redirect_url, session
) )
html = self.auth_handler.start_sso_ui_auth(sso_redirect_url) html = self.auth_handler.start_sso_ui_auth(sso_redirect_url, session)
else: else:
raise SynapseError(404, "Unknown auth stage type") raise SynapseError(404, "Unknown auth stage type")

View File

@ -81,7 +81,11 @@ class DeleteDevicesRestServlet(RestServlet):
assert_params_in_dict(body, ["devices"]) assert_params_in_dict(body, ["devices"])
await self.auth_handler.validate_user_via_ui_auth( await self.auth_handler.validate_user_via_ui_auth(
requester, request, body, self.hs.get_ip_from_request(request), requester,
request,
body,
self.hs.get_ip_from_request(request),
"remove device(s) from your account",
) )
await self.device_handler.delete_devices( await self.device_handler.delete_devices(
@ -127,7 +131,11 @@ class DeviceRestServlet(RestServlet):
raise raise
await self.auth_handler.validate_user_via_ui_auth( await self.auth_handler.validate_user_via_ui_auth(
requester, request, body, self.hs.get_ip_from_request(request), requester,
request,
body,
self.hs.get_ip_from_request(request),
"remove a device from your account",
) )
await self.device_handler.delete_device(requester.user.to_string(), device_id) await self.device_handler.delete_device(requester.user.to_string(), device_id)

View File

@ -263,7 +263,11 @@ class SigningKeyUploadServlet(RestServlet):
body = parse_json_object_from_request(request) body = parse_json_object_from_request(request)
await self.auth_handler.validate_user_via_ui_auth( await self.auth_handler.validate_user_via_ui_auth(
requester, request, body, self.hs.get_ip_from_request(request), requester,
request,
body,
self.hs.get_ip_from_request(request),
"add a device signing key to your account",
) )
result = await self.e2e_keys_handler.upload_signing_keys_for_user(user_id, body) result = await self.e2e_keys_handler.upload_signing_keys_for_user(user_id, body)

View File

@ -505,6 +505,7 @@ class RegisterRestServlet(RestServlet):
request, request,
body, body,
self.hs.get_ip_from_request(request), self.hs.get_ip_from_request(request),
"log into your account",
) )
# Check that we're not trying to register a denied 3pid. # Check that we're not trying to register a denied 3pid.