Synapse 1.12.3 (2020-04-03)

===========================
 
 - Remove the the pin to Pillow 7.0 which was introduced in Synapse 1.12.2, and
 correctly fix the issue with building the Debian packages. ([\#7212](https://github.com/matrix-org/synapse/issues/7212))
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCAAdFiEEv27Axt/F4vrTL/8QOSor00I9eP8FAl6HCicACgkQOSor00I9
 eP+TYgf+P5+hlfR1xiYt8R+qzT2YIyBmYa6eGT8QoHMQx3ndMuYF2rCm/7i6JVVO
 +40kXIkRwRyge9dQIPaFNiWWGVQTMPROkLqB1Wo4CBK2fDLGqh2mEoqkS/65ZYFX
 8ktaB0i/iyhUQg6KQCQ701mLydikh3Lr+a2RnezWa8xGJpBFdA/MYYf+O5reiorg
 LeKyEgxVOBbURxFPNBV+eBv9+/bUYUIV+TijXK+n+mywsYa5MQpPKFWK6NzCR3O9
 7LqW0lInkKeZjusUZNZuuFYtbZqKiqQKomCAxyOCiUKerENXrCXxfKLrDSVlc7l+
 doyZEZA8uNXpiz7CF5DNrheEOxDzzQ==
 =ZWNz
 -----END PGP SIGNATURE-----

Merge tag 'v1.12.3'

Synapse 1.12.3 (2020-04-03)
===========================

- Remove the the pin to Pillow 7.0 which was introduced in Synapse 1.12.2, and
correctly fix the issue with building the Debian packages. ([\#7212](https://github.com/matrix-org/synapse/issues/7212))

CHANGES.md

@@ -1,3 +1,19 @@
+Synapse 1.12.3 (2020-04-03)
+===========================
+
+- Remove the the pin to Pillow 7.0 which was introduced in Synapse 1.12.2, and
+correctly fix the issue with building the Debian packages. ([\#7212](https://github.com/matrix-org/synapse/issues/7212))
+
+Synapse 1.12.2 (2020-04-02)
+===========================
+
+This release works around [an
+issue](https://github.com/matrix-org/synapse/issues/7208) with building the
+debian packages.
+
+No other significant changes since 1.12.1.
+
+
 Synapse 1.12.1 (2020-04-02)
 ===========================
 

changelog.d/7152.feature

@@ -1 +0,0 @@
-Improve the support for SSO authentication on the login fallback page.

changelog.d/7153.feature

@@ -1 +0,0 @@
-Always whitelist the login fallback in the SSO configuration if `public_baseurl` is set.

debian/changelog

@@ -1,3 +1,20 @@
+matrix-synapse-py3 (1.12.3) stable; urgency=medium
+
+  [ Richard van der Hoff ]
+  * Update the Debian build scripts to handle the new installation paths
+   for the support libraries introduced by Pillow 7.1.1.
+
+  [ Synapse Packaging team ]
+  * New synapse release 1.12.3.
+
+ -- Synapse Packaging team <packages@matrix.org>  Fri, 03 Apr 2020 10:55:03 +0100
+
+matrix-synapse-py3 (1.12.2) stable; urgency=medium
+
+  * New synapse release 1.12.2.
+
+ -- Synapse Packaging team <packages@matrix.org>  Mon, 02 Apr 2020 19:02:17 +0000
+
 matrix-synapse-py3 (1.12.1) stable; urgency=medium
 
   * New synapse release 1.12.1.

debian/rules

@@ -15,17 +15,38 @@ override_dh_installinit:
 # we don't really want to strip the symbols from our object files.
 override_dh_strip:
 
+# dh_shlibdeps calls dpkg-shlibdeps, which finds all the binary files
+# (executables and shared libs) in the package, and looks for the shared
+# libraries that they depend on. It then adds a dependency on the package that
+# contains that library to the package.
+#
+# We make two modifications to that process...
+#
 override_dh_shlibdeps:
-        # make the postgres package's dependencies a recommendation
-        # rather than a hard dependency.
+        # Firstly, postgres is not a hard dependency for us, so we want to make
+        # the things that psycopg2 depends on (such as libpq) be
+        # recommendations rather than hard dependencies. We do so by
+        # running dpkg-shlibdeps manually on psycopg2's libs.
+        #
 	find debian/$(PACKAGE_NAME)/ -path '*/site-packages/psycopg2/*.so' | \
 	    xargs dpkg-shlibdeps -Tdebian/$(PACKAGE_NAME).substvars \
 	        -pshlibs1 -dRecommends
 
-        # all the other dependencies can be normal 'Depends' requirements,
-        # except for PIL's, which is self-contained and which confuses
-        # dpkg-shlibdeps.
-	dh_shlibdeps -X site-packages/PIL/.libs -X site-packages/psycopg2
+        # secondly, we exclude PIL's libraries from the process. They are known
+        # to be self-contained, but they have interdependencies and
+        # dpkg-shlibdeps doesn't know how to resolve them.
+        #
+        # As of Pillow 7.1.0, these libraries are in
+        # site-packages/Pillow.libs. Previously, they were in
+        # site-packages/PIL/.libs.
+        #
+        # (we also need to exclude psycopg2, of course, since we've already
+        # dealt with that.)
+        #
+	dh_shlibdeps \
+	    -X site-packages/PIL/.libs \
+	    -X site-packages/Pillow.libs \
+	    -X site-packages/psycopg2
 
 override_dh_virtualenv:
 	./debian/build_virtualenv

docs/sample_config.yaml

@@ -1392,10 +1392,6 @@ sso:
     # phishing attacks from evil.site. To avoid this, include a slash after the
     # hostname: "https://my.client/".
     #
-    # If public_baseurl is set, then the login fallback page (used by clients
-    # that don't natively support the required login flows) is whitelisted in
-    # addition to any URLs in this list.
-    #
     # By default, this list is empty.
     #
     #client_whitelist:

synapse/__init__.py

@@ -36,7 +36,7 @@ try:
 except ImportError:
     pass
 
-__version__ = "1.12.1"
+__version__ = "1.12.3"
 
 if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)):
     # We import here so that we don't have to install a bunch of deps when

synapse/config/sso.py

@@ -39,17 +39,6 @@ class SSOConfig(Config):
 
         self.sso_client_whitelist = sso_config.get("client_whitelist") or []
 
-        # Attempt to also whitelist the server's login fallback, since that fallback sets
-        # the redirect URL to itself (so it can process the login token then return
-        # gracefully to the client). This would make it pointless to ask the user for
-        # confirmation, since the URL the confirmation page would be showing wouldn't be
-        # the client's.
-        # public_baseurl is an optional setting, so we only add the fallback's URL to the
-        # list if it's provided (because we can't figure out what that URL is otherwise).
-        if self.public_baseurl:
-            login_fallback_url = self.public_baseurl + "_matrix/static/client/login"
-            self.sso_client_whitelist.append(login_fallback_url)
-
     def generate_config_section(self, **kwargs):
         return """\
         # Additional settings to use with single-sign on systems such as SAML2 and CAS.
@@ -65,10 +54,6 @@ class SSOConfig(Config):
             # phishing attacks from evil.site. To avoid this, include a slash after the
             # hostname: "https://my.client/".
             #
-            # If public_baseurl is set, then the login fallback page (used by clients
-            # that don't natively support the required login flows) is whitelisted in
-            # addition to any URLs in this list.
-            #
             # By default, this list is empty.
             #
             #client_whitelist:

synapse/static/client/login/index.html

@@ -9,7 +9,7 @@
 <body onload="matrixLogin.onLoad()">
     <center>
         <br/>
-        <h1 id="title"></h1>
+        <h1>Log in with one of the following methods</h1>
 
         <span id="feedback" style="color: #f00"></span>
 

synapse/static/client/login/js/login.js

@@ -1,41 +1,37 @@
 window.matrixLogin = {
     endpoint: location.origin + "/_matrix/client/r0/login",
     serverAcceptsPassword: false,
+    serverAcceptsCas: false,
     serverAcceptsSso: false,
 };
 
-var title_pre_auth = "Log in with one of the following methods";
-var title_post_auth = "Logging in...";
-
 var submitPassword = function(user, pwd) {
     console.log("Logging in with password...");
-    set_title(title_post_auth);
     var data = {
         type: "m.login.password",
         user: user,
         password: pwd,
     };
     $.post(matrixLogin.endpoint, JSON.stringify(data), function(response) {
+        show_login();
         matrixLogin.onLogin(response);
     }).error(errorFunc);
 };
 
 var submitToken = function(loginToken) {
     console.log("Logging in with login token...");
-    set_title(title_post_auth);
     var data = {
         type: "m.login.token",
         token: loginToken
     };
     $.post(matrixLogin.endpoint, JSON.stringify(data), function(response) {
+        show_login();
         matrixLogin.onLogin(response);
     }).error(errorFunc);
 };
 
 var errorFunc = function(err) {
-    // We want to show the error to the user rather than redirecting immediately to the
-    // SSO portal (if SSO is the only login option), so we inhibit the redirect.
-    show_login(true);
+    show_login();
 
     if (err.responseJSON && err.responseJSON.error) {
         setFeedbackString(err.responseJSON.error + " (" + err.responseJSON.errcode + ")");
@@ -49,33 +45,26 @@ var setFeedbackString = function(text) {
     $("#feedback").text(text);
 };
 
-var show_login = function(inhibit_redirect) {
+var show_login = function() {
+    $("#loading").hide();
+
     var this_page = window.location.origin + window.location.pathname;
     $("#sso_redirect_url").val(this_page);
 
-    // If inhibit_redirect is false, and SSO is the only supported login method, we can
-    // redirect straight to the SSO page
-    if (matrixLogin.serverAcceptsSso) {
-        if (!inhibit_redirect && !matrixLogin.serverAcceptsPassword) {
-            $("#sso_form").submit();
-            return;
-        }
-
-        // Otherwise, show the SSO form
-        $("#sso_form").show();
-    }
-
     if (matrixLogin.serverAcceptsPassword) {
         $("#password_flow").show();
     }
 
-    if (!matrixLogin.serverAcceptsPassword && !matrixLogin.serverAcceptsSso) {
-        $("#no_login_types").show();
+    if (matrixLogin.serverAcceptsSso) {
+        $("#sso_flow").show();
+    } else if (matrixLogin.serverAcceptsCas) {
+        $("#sso_form").attr("action", "/_matrix/client/r0/login/cas/redirect");
+        $("#sso_flow").show();
     }
 
-    set_title(title_pre_auth);
-
-    $("#loading").hide();
+    if (!matrixLogin.serverAcceptsPassword && !matrixLogin.serverAcceptsCas && !matrixLogin.serverAcceptsSso) {
+        $("#no_login_types").show();
+    }
 };
 
 var show_spinner = function() {
@@ -85,15 +74,17 @@ var show_spinner = function() {
     $("#loading").show();
 };
 
-var set_title = function(title) {
-    $("#title").text(title);
-};
 
 var fetch_info = function(cb) {
     $.get(matrixLogin.endpoint, function(response) {
         var serverAcceptsPassword = false;
+        var serverAcceptsCas = false;
         for (var i=0; i<response.flows.length; i++) {
             var flow = response.flows[i];
+            if ("m.login.cas" === flow.type) {
+                matrixLogin.serverAcceptsCas = true;
+                console.log("Server accepts CAS");
+            }
             if ("m.login.sso" === flow.type) {
                 matrixLogin.serverAcceptsSso = true;
                 console.log("Server accepts SSO");
@@ -111,7 +102,7 @@ var fetch_info = function(cb) {
 matrixLogin.onLoad = function() {
     fetch_info(function() {
         if (!try_token()) {
-            show_login(false);
+            show_login();
         }
     });
 };

tests/rest/client/v1/test_login.py

@@ -350,14 +350,7 @@ class CASRedirectConfirmTestCase(unittest.HomeserverTestCase):
     def test_cas_redirect_whitelisted(self):
         """Tests that the SSO login flow serves a redirect to a whitelisted url
         """
-        self._test_redirect("https://legit-site.com/")
-
-    @override_config({"public_baseurl": "https://example.com"})
-    def test_cas_redirect_login_fallback(self):
-        self._test_redirect("https://example.com/_matrix/static/client/login")
-
-    def _test_redirect(self, redirect_url):
-        """Tests that the SSO login flow serves a redirect for the given redirect URL."""
+        redirect_url = "https://legit-site.com/"
         cas_ticket_url = (
             "/_matrix/client/r0/login/cas/ticket?redirectUrl=%s&ticket=ticket"
             % (urllib.parse.quote(redirect_url))