synapse/synapse/config/emailconfig.py

# -*- coding: utf-8 -*-
# Copyright 2015-2016 OpenMarket Ltd
# Copyright 2017-2018 New Vector Ltd
# Copyright 2019 The Matrix.org Foundation C.I.C.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

from __future__ import print_function

# This file can't be called email.py because if it is, we cannot:
import email.utils
import os
from enum import Enum

import pkg_resources

from ._base import Config, ConfigError


class EmailConfig(Config):
    def read_config(self, config, **kwargs):
        # TODO: We should separate better the email configuration from the notification
        # and account validity config.

        self.email_enable_notifs = False

        email_config = config.get("email", {})

        self.email_smtp_host = email_config.get("smtp_host", None)
        self.email_smtp_port = email_config.get("smtp_port", None)
        self.email_smtp_user = email_config.get("smtp_user", None)
        self.email_smtp_pass = email_config.get("smtp_pass", None)
        self.require_transport_security = email_config.get(
            "require_transport_security", False
        )
        if "app_name" in email_config:
            self.email_app_name = email_config["app_name"]
        else:
            self.email_app_name = "Matrix"

        # TODO: Rename notif_from to something more generic, or have a separate
        # from for password resets, message notifications, etc?
        # Currently the email section is a bit bogged down with settings for
        # multiple functions. Would be good to split it out into separate
        # sections and only put the common ones under email:
        self.email_notif_from = email_config.get("notif_from", None)
        if self.email_notif_from is not None:
            # make sure it's valid
            parsed = email.utils.parseaddr(self.email_notif_from)
            if parsed[1] == "":
                raise RuntimeError("Invalid notif_from address")

        template_dir = email_config.get("template_dir")
        # we need an absolute path, because we change directory after starting (and
        # we don't yet know what auxilliary templates like mail.css we will need).
        # (Note that loading as package_resources with jinja.PackageLoader doesn't
        # work for the same reason.)
        if not template_dir:
            template_dir = pkg_resources.resource_filename("synapse", "res/templates")

        self.email_template_dir = os.path.abspath(template_dir)

        self.email_enable_notifs = email_config.get("enable_notifs", False)
        account_validity_renewal_enabled = config.get("account_validity", {}).get(
            "renew_at"
        )

        self.threepid_behaviour_email = (
            # Have Synapse handle the email sending if account_threepid_delegates.email
            # is not defined
            # msisdn is currently always remote while Synapse does not support any method of
            # sending SMS messages
            ThreepidBehaviour.REMOTE
            if self.account_threepid_delegate_email
            else ThreepidBehaviour.LOCAL
        )
        # Prior to Synapse v1.4.0, there was another option that defined whether Synapse would
        # use an identity server to password reset tokens on its behalf. We now warn the user
        # if they have this set and tell them to use the updated option, while using a default
        # identity server in the process.
        self.using_identity_server_from_trusted_list = False
        if (
            not self.account_threepid_delegate_email
            and config.get("trust_identity_server_for_password_resets", False) is True
        ):
            # Use the first entry in self.trusted_third_party_id_servers instead
            if self.trusted_third_party_id_servers:
                # XXX: It's a little confusing that account_threepid_delegate_email is modified
                # both in RegistrationConfig and here. We should factor this bit out
                self.account_threepid_delegate_email = self.trusted_third_party_id_servers[
                    0
                ]
                self.using_identity_server_from_trusted_list = True
            else:
                raise ConfigError(
                    "Attempted to use an identity server from"
                    '"trusted_third_party_id_servers" but it is empty.'
                )

        self.local_threepid_handling_disabled_due_to_email_config = False
        if (
            self.threepid_behaviour_email == ThreepidBehaviour.LOCAL
            and email_config == {}
        ):
            # We cannot warn the user this has happened here
            # Instead do so when a user attempts to reset their password
            self.local_threepid_handling_disabled_due_to_email_config = True

            self.threepid_behaviour_email = ThreepidBehaviour.OFF

        # Get lifetime of a validation token in milliseconds
        self.email_validation_token_lifetime = self.parse_duration(
            email_config.get("validation_token_lifetime", "1h")
        )

        if (
            self.email_enable_notifs
            or account_validity_renewal_enabled
            or self.threepid_behaviour_email == ThreepidBehaviour.LOCAL
        ):
            # make sure we can import the required deps
            import jinja2
            import bleach

            # prevent unused warnings
            jinja2
            bleach

        if self.threepid_behaviour_email == ThreepidBehaviour.LOCAL:
            required = ["smtp_host", "smtp_port", "notif_from"]

            missing = []
            for k in required:
                if k not in email_config:
                    missing.append("email." + k)

            if config.get("public_baseurl") is None:
                missing.append("public_baseurl")

            if len(missing) > 0:
                raise RuntimeError(
                    "Password resets emails are configured to be sent from "
                    "this homeserver due to a partial 'email' block. "
                    "However, the following required keys are missing: %s"
                    % (", ".join(missing),)
                )

            # These email templates have placeholders in them, and thus must be
            # parsed using a templating engine during a request
            self.email_password_reset_template_html = email_config.get(
                "password_reset_template_html", "password_reset.html"
            )
            self.email_password_reset_template_text = email_config.get(
                "password_reset_template_text", "password_reset.txt"
            )
            self.email_registration_template_html = email_config.get(
                "registration_template_html", "registration.html"
            )
            self.email_registration_template_text = email_config.get(
                "registration_template_text", "registration.txt"
            )
            self.email_password_reset_template_failure_html = email_config.get(
                "password_reset_template_failure_html", "password_reset_failure.html"
            )
            self.email_registration_template_failure_html = email_config.get(
                "registration_template_failure_html", "registration_failure.html"
            )

            # These templates do not support any placeholder variables, so we
            # will read them from disk once during setup
            email_password_reset_template_success_html = email_config.get(
                "password_reset_template_success_html", "password_reset_success.html"
            )
            email_registration_template_success_html = email_config.get(
                "registration_template_success_html", "registration_success.html"
            )

            # Check templates exist
            for f in [
                self.email_password_reset_template_html,
                self.email_password_reset_template_text,
                self.email_registration_template_html,
                self.email_registration_template_text,
                self.email_password_reset_template_failure_html,
                email_password_reset_template_success_html,
                email_registration_template_success_html,
            ]:
                p = os.path.join(self.email_template_dir, f)
                if not os.path.isfile(p):
                    raise ConfigError("Unable to find template file %s" % (p,))

            # Retrieve content of web templates
            filepath = os.path.join(
                self.email_template_dir, email_password_reset_template_success_html
            )
            self.email_password_reset_template_success_html = self.read_file(
                filepath, "email.password_reset_template_success_html"
            )
            filepath = os.path.join(
                self.email_template_dir, email_registration_template_success_html
            )
            self.email_registration_template_success_html_content = self.read_file(
                filepath, "email.registration_template_success_html"
            )

        if self.email_enable_notifs:
            required = [
                "smtp_host",
                "smtp_port",
                "notif_from",
                "notif_template_html",
                "notif_template_text",
            ]

            missing = []
            for k in required:
                if k not in email_config:
                    missing.append(k)

            if len(missing) > 0:
                raise RuntimeError(
                    "email.enable_notifs is True but required keys are missing: %s"
                    % (", ".join(["email." + k for k in missing]),)
                )

            if config.get("public_baseurl") is None:
                raise RuntimeError(
                    "email.enable_notifs is True but no public_baseurl is set"
                )

            self.email_notif_template_html = email_config["notif_template_html"]
            self.email_notif_template_text = email_config["notif_template_text"]

            for f in self.email_notif_template_text, self.email_notif_template_html:
                p = os.path.join(self.email_template_dir, f)
                if not os.path.isfile(p):
                    raise ConfigError("Unable to find email template file %s" % (p,))

            self.email_notif_for_new_users = email_config.get(
                "notif_for_new_users", True
            )
            self.email_riot_base_url = email_config.get("riot_base_url", None)

        if account_validity_renewal_enabled:
            self.email_expiry_template_html = email_config.get(
                "expiry_template_html", "notice_expiry.html"
            )
            self.email_expiry_template_text = email_config.get(
                "expiry_template_text", "notice_expiry.txt"
            )

            for f in self.email_expiry_template_text, self.email_expiry_template_html:
                p = os.path.join(self.email_template_dir, f)
                if not os.path.isfile(p):
                    raise ConfigError("Unable to find email template file %s" % (p,))

    def generate_config_section(self, config_dir_path, server_name, **kwargs):
        return """
        # Enable sending emails for password resets, notification events or
        # account expiry notices
        #
        # If your SMTP server requires authentication, the optional smtp_user &
        # smtp_pass variables should be used
        #
        #email:
        #   enable_notifs: false
        #   smtp_host: "localhost"
        #   smtp_port: 25 # SSL: 465, STARTTLS: 587
        #   smtp_user: "exampleusername"
        #   smtp_pass: "examplepassword"
        #   require_transport_security: False
        #   notif_from: "Your Friendly %(app)s Home Server <noreply@example.com>"
        #   app_name: Matrix
        #
        #   # Enable email notifications by default
        #   #
        #   notif_for_new_users: True
        #
        #   # Defining a custom URL for Riot is only needed if email notifications
        #   # should contain links to a self-hosted installation of Riot; when set
        #   # the "app_name" setting is ignored
        #   #
        #   riot_base_url: "http://localhost/riot"
        #
        #   # Configure the time that a validation email or text message code
        #   # will expire after sending
        #   #
        #   # This is currently used for password resets
        #   #
        #   #validation_token_lifetime: 1h
        #
        #   # Template directory. All template files should be stored within this
        #   # directory. If not set, default templates from within the Synapse
        #   # package will be used
        #   #
        #   # For the list of default templates, please see
        #   # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
        #   #
        #   #template_dir: res/templates
        #
        #   # Templates for email notifications
        #   #
        #   notif_template_html: notif_mail.html
        #   notif_template_text: notif_mail.txt
        #
        #   # Templates for account expiry notices
        #   #
        #   expiry_template_html: notice_expiry.html
        #   expiry_template_text: notice_expiry.txt
        #
        #   # Templates for password reset emails sent by the homeserver
        #   #
        #   #password_reset_template_html: password_reset.html
        #   #password_reset_template_text: password_reset.txt
        #
        #   # Templates for registration emails sent by the homeserver
        #   #
        #   #registration_template_html: registration.html
        #   #registration_template_text: registration.txt
        #
        #   # Templates for password reset success and failure pages that a user
        #   # will see after attempting to reset their password
        #   #
        #   #password_reset_template_success_html: password_reset_success.html
        #   #password_reset_template_failure_html: password_reset_failure.html
        #
        #   # Templates for registration success and failure pages that a user
        #   # will see after attempting to register using an email or phone
        #   #
        #   #registration_template_success_html: registration_success.html
        #   #registration_template_failure_html: registration_failure.html
        """


class ThreepidBehaviour(Enum):
    """
    Enum to define the behaviour of Synapse with regards to when it contacts an identity
    server for 3pid registration and password resets

    REMOTE = use an external server to send tokens
    LOCAL = send tokens ourselves
    OFF = disable registration via 3pid and password resets
    """

    REMOTE = "remote"
    LOCAL = "local"
    OFF = "off"