Merge remote-tracking branch 'origin/develop' into matrix-org-hotfixes
This commit is contained in:
Erik Johnston
commit
91fd180be1
1
.gitignore
vendored
1
.gitignore
vendored
|
|
@ -16,6 +16,7 @@ _trial_temp*/
|
|||
# stuff that is likely to exist when you run a server locally
|
||||
/*.db
|
||||
/*.log
|
||||
/*.log.*
|
||||
/*.log.config
|
||||
/*.pid
|
||||
/.python-version
|
||||
|
|
|
|||
90
CHANGES.md
90
CHANGES.md
|
|
@ -1,5 +1,5 @@
|
|||
Synapse 1.25.0 (2020-xx-xx)
|
||||
===========================
|
||||
Synapse 1.25.0rc1 (2021-01-06)
|
||||
==============================
|
||||
|
||||
Removal warning
|
||||
---------------
|
||||
|
|
@ -12,6 +12,92 @@ are deprecated and will be removed in a future release. They will be replaced by
|
|||
`POST /_synapse/admin/v1/rooms/<room_id>/delete` replaces `POST /_synapse/admin/v1/purge_room` and
|
||||
`POST /_synapse/admin/v1/shutdown_room/<room_id>`.
|
||||
|
||||
Features
|
||||
--------
|
||||
|
||||
- Add an admin API that lets server admins get power in rooms in which local users have power. ([\#8756](https://github.com/matrix-org/synapse/issues/8756))
|
||||
- Add optional HTTP authentication to replication endpoints. ([\#8853](https://github.com/matrix-org/synapse/issues/8853))
|
||||
- Improve the error messages printed as a result of configuration problems for extension modules. ([\#8874](https://github.com/matrix-org/synapse/issues/8874))
|
||||
- Add the number of local devices to Room Details Admin API. Contributed by @dklimpel. ([\#8886](https://github.com/matrix-org/synapse/issues/8886))
|
||||
- Add `X-Robots-Tag` header to stop web crawlers from indexing media. Contributed by Aaron Raimist. ([\#8887](https://github.com/matrix-org/synapse/issues/8887))
|
||||
- Spam-checkers may now define their methods as `async`. ([\#8890](https://github.com/matrix-org/synapse/issues/8890))
|
||||
- Add support for allowing users to pick their own user ID during a single-sign-on login. ([\#8897](https://github.com/matrix-org/synapse/issues/8897), [\#8900](https://github.com/matrix-org/synapse/issues/8900), [\#8911](https://github.com/matrix-org/synapse/issues/8911), [\#8938](https://github.com/matrix-org/synapse/issues/8938), [\#8941](https://github.com/matrix-org/synapse/issues/8941), [\#8942](https://github.com/matrix-org/synapse/issues/8942), [\#8951](https://github.com/matrix-org/synapse/issues/8951))
|
||||
- Add an `email.invite_client_location` configuration option to send a web client location to the invite endpoint on the identity server which allows customisation of the email template. ([\#8930](https://github.com/matrix-org/synapse/issues/8930))
|
||||
- The search term in the list room and list user Admin APIs is now treated as case-insensitive. ([\#8931](https://github.com/matrix-org/synapse/issues/8931))
|
||||
- Apply an IP range blacklist to push and key revocation requests. ([\#8821](https://github.com/matrix-org/synapse/issues/8821), [\#8870](https://github.com/matrix-org/synapse/issues/8870), [\#8954](https://github.com/matrix-org/synapse/issues/8954))
|
||||
- Add an option to allow re-use of user-interactive authentication sessions for a period of time. ([\#8970](https://github.com/matrix-org/synapse/issues/8970))
|
||||
- Allow running the redact endpoint on workers. ([\#8994](https://github.com/matrix-org/synapse/issues/8994))
|
||||
|
||||
|
||||
Bugfixes
|
||||
--------
|
||||
|
||||
- Fix bug where we might not correctly calculate the current state for rooms with multiple extremities. ([\#8827](https://github.com/matrix-org/synapse/issues/8827))
|
||||
- Fix a long-standing bug in the register admin endpoint (`/_synapse/admin/v1/register`) when the `mac` field was not provided. The endpoint now properly returns a 400 error. Contributed by @edwargix. ([\#8837](https://github.com/matrix-org/synapse/issues/8837))
|
||||
- Fix a long-standing bug on Synapse instances supporting Single-Sign-On, where users would be prompted to enter their password to confirm certain actions, even though they have not set a password. ([\#8858](https://github.com/matrix-org/synapse/issues/8858))
|
||||
- Fix a longstanding bug where a 500 error would be returned if the `Content-Length` header was not provided to the upload media resource. ([\#8862](https://github.com/matrix-org/synapse/issues/8862))
|
||||
- Add additional validation to pusher URLs to be compliant with the specification. ([\#8865](https://github.com/matrix-org/synapse/issues/8865))
|
||||
- Fix the error code that is returned when a user tries to register on a homeserver on which new-user registration has been disabled. ([\#8867](https://github.com/matrix-org/synapse/issues/8867))
|
||||
- Fix a bug where `PUT /_synapse/admin/v2/users/<user_id>` failed to create a new user when `avatar_url` is specified. Bug introduced in Synapse v1.9.0. ([\#8872](https://github.com/matrix-org/synapse/issues/8872))
|
||||
- Fix a 500 error when attempting to preview an empty HTML file. ([\#8883](https://github.com/matrix-org/synapse/issues/8883))
|
||||
- Fix occasional deadlock when handling SIGHUP. ([\#8918](https://github.com/matrix-org/synapse/issues/8918))
|
||||
- Fix login API to not ratelimit application services that have ratelimiting disabled. ([\#8920](https://github.com/matrix-org/synapse/issues/8920))
|
||||
- Fix bug where we ratelimited auto joining of rooms on registration (using `auto_join_rooms` config). ([\#8921](https://github.com/matrix-org/synapse/issues/8921))
|
||||
- Fix a bug where deactivated users appeared in the user directory when their profile information was updated. ([\#8933](https://github.com/matrix-org/synapse/issues/8933), [\#8964](https://github.com/matrix-org/synapse/issues/8964))
|
||||
- Fix bug introduced in Synapse v1.24.0 which would cause an exception on startup if both `enabled` and `localdb_enabled` were set to `False` in the `password_config` setting of the configuration file. ([\#8937](https://github.com/matrix-org/synapse/issues/8937))
|
||||
- Fix a bug where 500 errors would be returned if the `m.room_history_visibility` event had invalid content. ([\#8945](https://github.com/matrix-org/synapse/issues/8945))
|
||||
- Fix a bug causing common English words to not be considered for a user directory search. ([\#8959](https://github.com/matrix-org/synapse/issues/8959))
|
||||
- Fix bug where application services couldn't register new ghost users if the server had reached its MAU limit. ([\#8962](https://github.com/matrix-org/synapse/issues/8962))
|
||||
- Fix a long-standing bug where a `m.image` event without a `url` would cause errors on push. ([\#8965](https://github.com/matrix-org/synapse/issues/8965))
|
||||
- Fix a small bug in v2 state resolution algorithm, which could also cause performance issues for rooms with large numbers of power levels. ([\#8971](https://github.com/matrix-org/synapse/issues/8971))
|
||||
- Add validation to the `sendToDevice` API to raise a missing parameters error instead of a 500 error. ([\#8975](https://github.com/matrix-org/synapse/issues/8975))
|
||||
- Add validation of group IDs to raise a 400 error instead of a 500 eror. ([\#8977](https://github.com/matrix-org/synapse/issues/8977))
|
||||
|
||||
|
||||
Improved Documentation
|
||||
----------------------
|
||||
|
||||
- Fix the "Event persist rate" section of the included grafana dashboard by adding missing prometheus rules. ([\#8802](https://github.com/matrix-org/synapse/issues/8802))
|
||||
- Combine related media admin API docs. ([\#8839](https://github.com/matrix-org/synapse/issues/8839))
|
||||
- Fix an error in the documentation for the SAML username mapping provider. ([\#8873](https://github.com/matrix-org/synapse/issues/8873))
|
||||
- Clarify comments around template directories in `sample_config.yaml`. ([\#8891](https://github.com/matrix-org/synapse/issues/8891))
|
||||
- Moved instructions for database setup, adjusted heading levels and improved syntax highlighting in [INSTALL.md](../INSTALL.md). Contributed by fossterer. ([\#8987](https://github.com/matrix-org/synapse/issues/8987))
|
||||
- Update the example value of `group_creation_prefix` in the sample configuration. ([\#8992](https://github.com/matrix-org/synapse/issues/8992))
|
||||
- Link the Synapse developer room to the development section in the docs. ([\#9002](https://github.com/matrix-org/synapse/issues/9002))
|
||||
|
||||
|
||||
Deprecations and Removals
|
||||
-------------------------
|
||||
|
||||
- Deprecate Shutdown Room and Purge Room Admin APIs. ([\#8829](https://github.com/matrix-org/synapse/issues/8829))
|
||||
|
||||
|
||||
Internal Changes
|
||||
----------------
|
||||
|
||||
- Properly store the mapping of external ID to Matrix ID for CAS users. ([\#8856](https://github.com/matrix-org/synapse/issues/8856), [\#8958](https://github.com/matrix-org/synapse/issues/8958))
|
||||
- Remove some unnecessary stubbing from unit tests. ([\#8861](https://github.com/matrix-org/synapse/issues/8861))
|
||||
- Remove unused `FakeResponse` class from unit tests. ([\#8864](https://github.com/matrix-org/synapse/issues/8864))
|
||||
- Pass `room_id` to `get_auth_chain_difference`. ([\#8879](https://github.com/matrix-org/synapse/issues/8879))
|
||||
- Add type hints to push module. ([\#8880](https://github.com/matrix-org/synapse/issues/8880), [\#8882](https://github.com/matrix-org/synapse/issues/8882), [\#8901](https://github.com/matrix-org/synapse/issues/8901), [\#8940](https://github.com/matrix-org/synapse/issues/8940), [\#8943](https://github.com/matrix-org/synapse/issues/8943), [\#9020](https://github.com/matrix-org/synapse/issues/9020))
|
||||
- Simplify logic for handling user-interactive-auth via single-sign-on servers. ([\#8881](https://github.com/matrix-org/synapse/issues/8881))
|
||||
- Skip the SAML tests if the requirements (`pysaml2` and `xmlsec1`) aren't available. ([\#8905](https://github.com/matrix-org/synapse/issues/8905))
|
||||
- Fix multiarch docker image builds. ([\#8906](https://github.com/matrix-org/synapse/issues/8906))
|
||||
- Don't publish `latest` docker image until all archs are built. ([\#8909](https://github.com/matrix-org/synapse/issues/8909))
|
||||
- Various clean-ups to the structured logging and logging context code. ([\#8916](https://github.com/matrix-org/synapse/issues/8916), [\#8935](https://github.com/matrix-org/synapse/issues/8935))
|
||||
- Automatically drop stale forward-extremities under some specific conditions. ([\#8929](https://github.com/matrix-org/synapse/issues/8929))
|
||||
- Refactor test utilities for injecting HTTP requests. ([\#8946](https://github.com/matrix-org/synapse/issues/8946))
|
||||
- Add a maximum size of 50 kilobytes to .well-known lookups. ([\#8950](https://github.com/matrix-org/synapse/issues/8950))
|
||||
- Fix bug in `generate_log_config` script which made it write empty files. ([\#8952](https://github.com/matrix-org/synapse/issues/8952))
|
||||
- Clean up tox.ini file; disable coverage checking for non-test runs. ([\#8963](https://github.com/matrix-org/synapse/issues/8963))
|
||||
- Add type hints to the admin and room list handlers. ([\#8973](https://github.com/matrix-org/synapse/issues/8973))
|
||||
- Add type hints to the receipts and user directory handlers. ([\#8976](https://github.com/matrix-org/synapse/issues/8976))
|
||||
- Drop the unused `local_invites` table. ([\#8979](https://github.com/matrix-org/synapse/issues/8979))
|
||||
- Add type hints to the base storage code. ([\#8980](https://github.com/matrix-org/synapse/issues/8980))
|
||||
- Support using PyJWT v2.0.0 in the test suite. ([\#8986](https://github.com/matrix-org/synapse/issues/8986))
|
||||
- Fix `tests.federation.transport.RoomDirectoryFederationTests` and ensure it runs in CI. ([\#8998](https://github.com/matrix-org/synapse/issues/8998))
|
||||
- Add type hints to the crypto module. ([\#8999](https://github.com/matrix-org/synapse/issues/8999))
|
||||
|
||||
|
||||
Synapse 1.24.0 (2020-12-09)
|
||||
===========================
|
||||
|
|
|
|||
|
|
@ -1 +0,0 @@
|
|||
Add admin API that lets server admins get power in rooms in which local users have power.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix the "Event persist rate" section of the included grafana dashboard by adding missing prometheus rules.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Apply an IP range blacklist to push and key revocation requests.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix bug where we might not correctly calculate the current state for rooms with multiple extremities.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Deprecate Shutdown Room and Purge Room Admin APIs.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix a long standing bug in the register admin endpoint (`/_synapse/admin/v1/register`) when the `mac` field was not provided. The endpoint now properly returns a 400 error. Contributed by @edwargix.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Combine related media admin API docs.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add optional HTTP authentication to replication endpoints.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Properly store the mapping of external ID to Matrix ID for CAS users.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix a long-standing bug on Synapse instances supporting Single-Sign-On, where users would be prompted to enter their password to confirm certain actions, even though they have not set a password.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Remove some unnecessary stubbing from unit tests.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix a longstanding bug where a 500 error would be returned if the `Content-Length` header was not provided to the upload media resource.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Remove unused `FakeResponse` class from unit tests.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add additional validation to pusher URLs to be compliant with the specification.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix the error code that is returned when a user tries to register on a homeserver on which new-user registration has been disabled.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Apply an IP range blacklist to push and key revocation requests.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix a bug where `PUT /_synapse/admin/v2/users/<user_id>` failed to create a new user when `avatar_url` is specified. Bug introduced in Synapse v1.9.0.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix an error in the documentation for the SAML username mapping provider.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Improve the error messages printed as a result of configuration problems for extension modules.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Pass `room_id` to `get_auth_chain_difference`.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add type hints to push module.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Simplify logic for handling user-interactive-auth via single-sign-on servers.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add type hints to push module.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix a 500 error when attempting to preview an empty HTML file.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add number of local devices to Room Details Admin API. Contributed by @dklimpel.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add `X-Robots-Tag` header to stop web crawlers from indexing media.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Spam-checkers may now define their methods as `async`.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Clarify comments around template directories in `sample_config.yaml`.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add support for allowing users to pick their own user ID during a single-sign-on login.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add support for allowing users to pick their own user ID during a single-sign-on login.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add type hints to push module.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Skip the SAML tests if the requirements (`pysaml2` and `xmlsec1`) aren't available.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix multiarch docker image builds.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Don't publish `latest` docker image until all archs are built.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add support for allowing users to pick their own user ID during a single-sign-on login.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix occasional deadlock when handling SIGHUP.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix login API to not ratelimit application services that have ratelimiting disabled.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix bug where we ratelimited auto joining of rooms on registration (using `auto_join_rooms` config).
|
||||
|
|
@ -1 +0,0 @@
|
|||
Automatically drop stale forward-extremities under some specific conditions.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add an `email.invite_client_location` configuration option to send a web client location to the invite endpoint on the identity server which allows customisation of the email template.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Make search statement in List Room and List User Admin API case-insensitive.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix a bug where deactivated users appeared in the user directory when their profile information was updated.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Various clean-ups to the structured logging and logging context code.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix bug introduced in Synapse v1.24.0 which would cause an exception on startup if both `enabled` and `localdb_enabled` were set to `False` in the `password_config` setting of the configuration file.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add support for allowing users to pick their own user ID during a single-sign-on login.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add type hints to push module.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add support for allowing users to pick their own user ID during a single-sign-on login.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add support for allowing users to pick their own user ID during a single-sign-on login.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add type hints to push module.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix a bug where 500 errors would be returned if the `m.room_history_visibility` event had invalid content.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Refactor test utilities for injecting HTTP requests.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add a maximum size of 50 kilobytes to .well-known lookups.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add support for allowing users to pick their own user ID during a single-sign-on login.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix bug in `generate_log_config` script which made it write empty files.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Apply an IP range blacklist to push and key revocation requests.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Properly store the mapping of external ID to Matrix ID for CAS users.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix a bug causing common English words to not be considered for a user directory search.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix bug where application services couldn't register new ghost users if the server had reached its MAU limit.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Clean up tox.ini file; disable coverage checking for non-test runs.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix a bug where deactivated users appeared in the user directory when their profile information was updated.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix a longstanding bug where a `m.image` event without a `url` would cause errors on push.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Allow re-using an user-interactive authentication session for a period of time.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix small bug in v2 state resolution algorithm, which could also cause performance issues for rooms with large numbers of power levels.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add type hints to the admin and room list handlers.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add validation to the `sendToDevice` API to raise a missing parameters error instead of a 500 error.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add type hints to the receipts and user directory handlers.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Properly return 400 errors on invalid group IDs.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Drop the unused `local_invites` table.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add type hints to the base storage code.
|
||||
1
changelog.d/8984.feature
Normal file
1
changelog.d/8984.feature
Normal file
|
|
@ -0,0 +1 @@
|
|||
Implement [MSC2176](https://github.com/matrix-org/matrix-doc/pull/2176) in an experimental room version.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Support using PyJWT v2.0.0 in the test suite.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Moved instructions for database setup, adjusted heading levels and improved syntax highlighting in [INSTALL.md](../INSTALL.md). Contributed by fossterer.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Update the example value of `group_creation_prefix` in the sample configuration.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Allow running the redact endpoint on workers.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Fix `tests.federation.transport.RoomDirectoryFederationTests` and ensure it runs in CI.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add type hints to the crypto module.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Link the Synapse developer room to the development section in the docs.
|
||||
1
changelog.d/9015.feature
Normal file
1
changelog.d/9015.feature
Normal file
|
|
@ -0,0 +1 @@
|
|||
Add support for multiple SSO Identity Providers.
|
||||
1
changelog.d/9017.feature
Normal file
1
changelog.d/9017.feature
Normal file
|
|
@ -0,0 +1 @@
|
|||
Add support for multiple SSO Identity Providers.
|
||||
1
changelog.d/9018.misc
Normal file
1
changelog.d/9018.misc
Normal file
|
|
@ -0,0 +1 @@
|
|||
Ignore date-rotated homeserver logs saved to disk.
|
||||
|
|
@ -1 +0,0 @@
|
|||
Add type hints to push module.
|
||||
1
changelog.d/9023.bugfix
Normal file
1
changelog.d/9023.bugfix
Normal file
|
|
@ -0,0 +1 @@
|
|||
Fix a longstanding issue where an internal server error would occur when requesting a profile over federation that did not include a display name / avatar URL.
|
||||
1
changelog.d/9028.bugfix
Normal file
1
changelog.d/9028.bugfix
Normal file
|
|
@ -0,0 +1 @@
|
|||
Fix a long-standing bug where some caches could grow larger than configured.
|
||||
|
|
@ -1909,6 +1909,31 @@ sso:
|
|||
#
|
||||
# Synapse will look for the following templates in this directory:
|
||||
#
|
||||
# * HTML page to prompt the user to choose an Identity Provider during
|
||||
# login: 'sso_login_idp_picker.html'.
|
||||
#
|
||||
# This is only used if multiple SSO Identity Providers are configured.
|
||||
#
|
||||
# When rendering, this template is given the following variables:
|
||||
# * redirect_url: the URL that the user will be redirected to after
|
||||
# login. Needs manual escaping (see
|
||||
# https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
|
||||
#
|
||||
# * server_name: the homeserver's name.
|
||||
#
|
||||
# * providers: a list of available Identity Providers. Each element is
|
||||
# an object with the following attributes:
|
||||
# * idp_id: unique identifier for the IdP
|
||||
# * idp_name: user-facing name for the IdP
|
||||
#
|
||||
# The rendered HTML page should contain a form which submits its results
|
||||
# back as a GET request, with the following query parameters:
|
||||
#
|
||||
# * redirectUrl: the client redirect URI (ie, the `redirect_url` passed
|
||||
# to the template)
|
||||
#
|
||||
# * idp: the 'idp_id' of the chosen IDP.
|
||||
#
|
||||
# * HTML page for a confirmation step before redirecting back to the client
|
||||
# with the login token: 'sso_redirect_confirm.html'.
|
||||
#
|
||||
|
|
|
|||
|
|
@ -48,7 +48,7 @@ try:
|
|||
except ImportError:
|
||||
pass
|
||||
|
||||
__version__ = "1.24.0"
|
||||
__version__ = "1.25.0rc1"
|
||||
|
||||
if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)):
|
||||
# We import here so that we don't have to install a bunch of deps when
|
||||
|
|
|
|||
|
|
@ -51,11 +51,11 @@ class RoomDisposition:
|
|||
class RoomVersion:
|
||||
"""An object which describes the unique attributes of a room version."""
|
||||
|
||||
identifier = attr.ib() # str; the identifier for this version
|
||||
disposition = attr.ib() # str; one of the RoomDispositions
|
||||
event_format = attr.ib() # int; one of the EventFormatVersions
|
||||
state_res = attr.ib() # int; one of the StateResolutionVersions
|
||||
enforce_key_validity = attr.ib() # bool
|
||||
identifier = attr.ib(type=str) # the identifier for this version
|
||||
disposition = attr.ib(type=str) # one of the RoomDispositions
|
||||
event_format = attr.ib(type=int) # one of the EventFormatVersions
|
||||
state_res = attr.ib(type=int) # one of the StateResolutionVersions
|
||||
enforce_key_validity = attr.ib(type=bool)
|
||||
|
||||
# bool: before MSC2261/MSC2432, m.room.aliases had special auth rules and redaction rules
|
||||
special_case_aliases_auth = attr.ib(type=bool)
|
||||
|
|
@ -64,9 +64,11 @@ class RoomVersion:
|
|||
# * Floats
|
||||
# * NaN, Infinity, -Infinity
|
||||
strict_canonicaljson = attr.ib(type=bool)
|
||||
# bool: MSC2209: Check 'notifications' key while verifying
|
||||
# MSC2209: Check 'notifications' key while verifying
|
||||
# m.room.power_levels auth rules.
|
||||
limit_notifications_power_levels = attr.ib(type=bool)
|
||||
# MSC2174/MSC2176: Apply updated redaction rules algorithm.
|
||||
msc2176_redaction_rules = attr.ib(type=bool)
|
||||
|
||||
|
||||
class RoomVersions:
|
||||
|
|
@ -79,6 +81,7 @@ class RoomVersions:
|
|||
special_case_aliases_auth=True,
|
||||
strict_canonicaljson=False,
|
||||
limit_notifications_power_levels=False,
|
||||
msc2176_redaction_rules=False,
|
||||
)
|
||||
V2 = RoomVersion(
|
||||
"2",
|
||||
|
|
@ -89,6 +92,7 @@ class RoomVersions:
|
|||
special_case_aliases_auth=True,
|
||||
strict_canonicaljson=False,
|
||||
limit_notifications_power_levels=False,
|
||||
msc2176_redaction_rules=False,
|
||||
)
|
||||
V3 = RoomVersion(
|
||||
"3",
|
||||
|
|
@ -99,6 +103,7 @@ class RoomVersions:
|
|||
special_case_aliases_auth=True,
|
||||
strict_canonicaljson=False,
|
||||
limit_notifications_power_levels=False,
|
||||
msc2176_redaction_rules=False,
|
||||
)
|
||||
V4 = RoomVersion(
|
||||
"4",
|
||||
|
|
@ -109,6 +114,7 @@ class RoomVersions:
|
|||
special_case_aliases_auth=True,
|
||||
strict_canonicaljson=False,
|
||||
limit_notifications_power_levels=False,
|
||||
msc2176_redaction_rules=False,
|
||||
)
|
||||
V5 = RoomVersion(
|
||||
"5",
|
||||
|
|
@ -119,6 +125,7 @@ class RoomVersions:
|
|||
special_case_aliases_auth=True,
|
||||
strict_canonicaljson=False,
|
||||
limit_notifications_power_levels=False,
|
||||
msc2176_redaction_rules=False,
|
||||
)
|
||||
V6 = RoomVersion(
|
||||
"6",
|
||||
|
|
@ -129,6 +136,18 @@ class RoomVersions:
|
|||
special_case_aliases_auth=False,
|
||||
strict_canonicaljson=True,
|
||||
limit_notifications_power_levels=True,
|
||||
msc2176_redaction_rules=False,
|
||||
)
|
||||
MSC2176 = RoomVersion(
|
||||
"org.matrix.msc2176",
|
||||
RoomDisposition.UNSTABLE,
|
||||
EventFormatVersions.V3,
|
||||
StateResolutionVersions.V2,
|
||||
enforce_key_validity=True,
|
||||
special_case_aliases_auth=False,
|
||||
strict_canonicaljson=True,
|
||||
limit_notifications_power_levels=True,
|
||||
msc2176_redaction_rules=True,
|
||||
)
|
||||
|
||||
|
||||
|
|
@ -141,5 +160,6 @@ KNOWN_ROOM_VERSIONS = {
|
|||
RoomVersions.V4,
|
||||
RoomVersions.V5,
|
||||
RoomVersions.V6,
|
||||
RoomVersions.MSC2176,
|
||||
)
|
||||
} # type: Dict[str, RoomVersion]
|
||||
|
|
|
|||
|
|
@ -63,6 +63,7 @@ from synapse.rest import ClientRestResource
|
|||
from synapse.rest.admin import AdminRestResource
|
||||
from synapse.rest.health import HealthResource
|
||||
from synapse.rest.key.v2 import KeyApiV2Resource
|
||||
from synapse.rest.synapse.client.pick_idp import PickIdpResource
|
||||
from synapse.rest.synapse.client.pick_username import pick_username_resource
|
||||
from synapse.rest.well_known import WellKnownResource
|
||||
from synapse.server import HomeServer
|
||||
|
|
@ -194,6 +195,7 @@ class SynapseHomeServer(HomeServer):
|
|||
"/.well-known/matrix/client": WellKnownResource(self),
|
||||
"/_synapse/admin": AdminRestResource(self),
|
||||
"/_synapse/client/pick_username": pick_username_resource(self),
|
||||
"/_synapse/client/pick_idp": PickIdpResource(self),
|
||||
}
|
||||
)
|
||||
|
||||
|
|
|
|||
|
|
@ -31,6 +31,7 @@ class SSOConfig(Config):
|
|||
|
||||
# Read templates from disk
|
||||
(
|
||||
self.sso_login_idp_picker_template,
|
||||
self.sso_redirect_confirm_template,
|
||||
self.sso_auth_confirm_template,
|
||||
self.sso_error_template,
|
||||
|
|
@ -38,6 +39,7 @@ class SSOConfig(Config):
|
|||
sso_auth_success_template,
|
||||
) = self.read_templates(
|
||||
[
|
||||
"sso_login_idp_picker.html",
|
||||
"sso_redirect_confirm.html",
|
||||
"sso_auth_confirm.html",
|
||||
"sso_error.html",
|
||||
|
|
@ -98,6 +100,31 @@ class SSOConfig(Config):
|
|||
#
|
||||
# Synapse will look for the following templates in this directory:
|
||||
#
|
||||
# * HTML page to prompt the user to choose an Identity Provider during
|
||||
# login: 'sso_login_idp_picker.html'.
|
||||
#
|
||||
# This is only used if multiple SSO Identity Providers are configured.
|
||||
#
|
||||
# When rendering, this template is given the following variables:
|
||||
# * redirect_url: the URL that the user will be redirected to after
|
||||
# login. Needs manual escaping (see
|
||||
# https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
|
||||
#
|
||||
# * server_name: the homeserver's name.
|
||||
#
|
||||
# * providers: a list of available Identity Providers. Each element is
|
||||
# an object with the following attributes:
|
||||
# * idp_id: unique identifier for the IdP
|
||||
# * idp_name: user-facing name for the IdP
|
||||
#
|
||||
# The rendered HTML page should contain a form which submits its results
|
||||
# back as a GET request, with the following query parameters:
|
||||
#
|
||||
# * redirectUrl: the client redirect URI (ie, the `redirect_url` passed
|
||||
# to the template)
|
||||
#
|
||||
# * idp: the 'idp_id' of the chosen IDP.
|
||||
#
|
||||
# * HTML page for a confirmation step before redirecting back to the client
|
||||
# with the login token: 'sso_redirect_confirm.html'.
|
||||
#
|
||||
|
|
|
|||
|
|
@ -79,13 +79,15 @@ def prune_event_dict(room_version: RoomVersion, event_dict: dict) -> dict:
|
|||
"state_key",
|
||||
"depth",
|
||||
"prev_events",
|
||||
"prev_state",
|
||||
"auth_events",
|
||||
"origin",
|
||||
"origin_server_ts",
|
||||
"membership",
|
||||
]
|
||||
|
||||
# Room versions from before MSC2176 had additional allowed keys.
|
||||
if not room_version.msc2176_redaction_rules:
|
||||
allowed_keys.extend(["prev_state", "membership"])
|
||||
|
||||
event_type = event_dict["type"]
|
||||
|
||||
new_content = {}
|
||||
|
|
@ -98,6 +100,10 @@ def prune_event_dict(room_version: RoomVersion, event_dict: dict) -> dict:
|
|||
if event_type == EventTypes.Member:
|
||||
add_fields("membership")
|
||||
elif event_type == EventTypes.Create:
|
||||
# MSC2176 rules state that create events cannot be redacted.
|
||||
if room_version.msc2176_redaction_rules:
|
||||
return event_dict
|
||||
|
||||
add_fields("creator")
|
||||
elif event_type == EventTypes.JoinRules:
|
||||
add_fields("join_rule")
|
||||
|
|
@ -112,10 +118,16 @@ def prune_event_dict(room_version: RoomVersion, event_dict: dict) -> dict:
|
|||
"kick",
|
||||
"redact",
|
||||
)
|
||||
|
||||
if room_version.msc2176_redaction_rules:
|
||||
add_fields("invite")
|
||||
|
||||
elif event_type == EventTypes.Aliases and room_version.special_case_aliases_auth:
|
||||
add_fields("aliases")
|
||||
elif event_type == EventTypes.RoomHistoryVisibility:
|
||||
add_fields("history_visibility")
|
||||
elif event_type == EventTypes.Redaction and room_version.msc2176_redaction_rules:
|
||||
add_fields("redacts")
|
||||
|
||||
allowed_fields = {k: v for k, v in event_dict.items() if k in allowed_keys}
|
||||
|
||||
|
|
|
|||
|
|
@ -75,10 +75,15 @@ class CasHandler:
|
|||
self._http_client = hs.get_proxied_http_client()
|
||||
|
||||
# identifier for the external_ids table
|
||||
self._auth_provider_id = "cas"
|
||||
self.idp_id = "cas"
|
||||
|
||||
# user-facing name of this auth provider
|
||||
self.idp_name = "CAS"
|
||||
|
||||
self._sso_handler = hs.get_sso_handler()
|
||||
|
||||
self._sso_handler.register_identity_provider(self)
|
||||
|
||||
def _build_service_param(self, args: Dict[str, str]) -> str:
|
||||
"""
|
||||
Generates a value to use as the "service" parameter when redirecting or
|
||||
|
|
@ -105,7 +110,7 @@ class CasHandler:
|
|||
Args:
|
||||
ticket: The CAS ticket from the client.
|
||||
service_args: Additional arguments to include in the service URL.
|
||||
Should be the same as those passed to `get_redirect_url`.
|
||||
Should be the same as those passed to `handle_redirect_request`.
|
||||
|
||||
Raises:
|
||||
CasError: If there's an error parsing the CAS response.
|
||||
|
|
@ -184,16 +189,31 @@ class CasHandler:
|
|||
|
||||
return CasResponse(user, attributes)
|
||||
|
||||
def get_redirect_url(self, service_args: Dict[str, str]) -> str:
|
||||
"""
|
||||
Generates a URL for the CAS server where the client should be redirected.
|
||||
async def handle_redirect_request(
|
||||
self,
|
||||
request: SynapseRequest,
|
||||
client_redirect_url: Optional[bytes],
|
||||
ui_auth_session_id: Optional[str] = None,
|
||||
) -> str:
|
||||
"""Generates a URL for the CAS server where the client should be redirected.
|
||||
|
||||
Args:
|
||||
service_args: Additional arguments to include in the final redirect URL.
|
||||
request: the incoming HTTP request
|
||||
client_redirect_url: the URL that we should redirect the
|
||||
client to after login (or None for UI Auth).
|
||||
ui_auth_session_id: The session ID of the ongoing UI Auth (or
|
||||
None if this is a login).
|
||||
|
||||
Returns:
|
||||
The URL to redirect the client to.
|
||||
URL to redirect to
|
||||
"""
|
||||
|
||||
if ui_auth_session_id:
|
||||
service_args = {"session": ui_auth_session_id}
|
||||
else:
|
||||
assert client_redirect_url
|
||||
service_args = {"redirectUrl": client_redirect_url.decode("utf8")}
|
||||
|
||||
args = urllib.parse.urlencode(
|
||||
{"service": self._build_service_param(service_args)}
|
||||
)
|
||||
|
|
@ -275,7 +295,7 @@ class CasHandler:
|
|||
# first check if we're doing a UIA
|
||||
if session:
|
||||
return await self._sso_handler.complete_sso_ui_auth_request(
|
||||
self._auth_provider_id, cas_response.username, session, request,
|
||||
self.idp_id, cas_response.username, session, request,
|
||||
)
|
||||
|
||||
# otherwise, we're handling a login request.
|
||||
|
|
@ -375,7 +395,7 @@ class CasHandler:
|
|||
return None
|
||||
|
||||
await self._sso_handler.complete_sso_login_request(
|
||||
self._auth_provider_id,
|
||||
self.idp_id,
|
||||
cas_response.username,
|
||||
request,
|
||||
client_redirect_url,
|
||||
|
|
|
|||
|
|
@ -119,10 +119,15 @@ class OidcHandler(BaseHandler):
|
|||
self._macaroon_secret_key = hs.config.macaroon_secret_key
|
||||
|
||||
# identifier for the external_ids table
|
||||
self._auth_provider_id = "oidc"
|
||||
self.idp_id = "oidc"
|
||||
|
||||
# user-facing name of this auth provider
|
||||
self.idp_name = "OIDC"
|
||||
|
||||
self._sso_handler = hs.get_sso_handler()
|
||||
|
||||
self._sso_handler.register_identity_provider(self)
|
||||
|
||||
def _validate_metadata(self):
|
||||
"""Verifies the provider metadata.
|
||||
|
||||
|
|
@ -475,7 +480,7 @@ class OidcHandler(BaseHandler):
|
|||
async def handle_redirect_request(
|
||||
self,
|
||||
request: SynapseRequest,
|
||||
client_redirect_url: bytes,
|
||||
client_redirect_url: Optional[bytes],
|
||||
ui_auth_session_id: Optional[str] = None,
|
||||
) -> str:
|
||||
"""Handle an incoming request to /login/sso/redirect
|
||||
|
|
@ -499,7 +504,7 @@ class OidcHandler(BaseHandler):
|
|||
request: the incoming request from the browser.
|
||||
We'll respond to it with a redirect and a cookie.
|
||||
client_redirect_url: the URL that we should redirect the client to
|
||||
when everything is done
|
||||
when everything is done (or None for UI Auth)
|
||||
ui_auth_session_id: The session ID of the ongoing UI Auth (or
|
||||
None if this is a login).
|
||||
|
||||
|
|
@ -511,6 +516,9 @@ class OidcHandler(BaseHandler):
|
|||
state = generate_token()
|
||||
nonce = generate_token()
|
||||
|
||||
if not client_redirect_url:
|
||||
client_redirect_url = b""
|
||||
|
||||
cookie = self._generate_oidc_session_token(
|
||||
state=state,
|
||||
nonce=nonce,
|
||||
|
|
@ -682,7 +690,7 @@ class OidcHandler(BaseHandler):
|
|||
return
|
||||
|
||||
return await self._sso_handler.complete_sso_ui_auth_request(
|
||||
self._auth_provider_id, remote_user_id, ui_auth_session_id, request
|
||||
self.idp_id, remote_user_id, ui_auth_session_id, request
|
||||
)
|
||||
|
||||
# otherwise, it's a login
|
||||
|
|
@ -923,7 +931,7 @@ class OidcHandler(BaseHandler):
|
|||
extra_attributes = await get_extra_attributes(userinfo, token)
|
||||
|
||||
await self._sso_handler.complete_sso_login_request(
|
||||
self._auth_provider_id,
|
||||
self.idp_id,
|
||||
remote_user_id,
|
||||
request,
|
||||
client_redirect_url,
|
||||
|
|
|
|||
|
|
@ -156,7 +156,7 @@ class ProfileHandler(BaseHandler):
|
|||
except HttpResponseException as e:
|
||||
raise e.to_synapse_error()
|
||||
|
||||
return result["displayname"]
|
||||
return result.get("displayname")
|
||||
|
||||
async def set_displayname(
|
||||
self,
|
||||
|
|
@ -246,7 +246,7 @@ class ProfileHandler(BaseHandler):
|
|||
except HttpResponseException as e:
|
||||
raise e.to_synapse_error()
|
||||
|
||||
return result["avatar_url"]
|
||||
return result.get("avatar_url")
|
||||
|
||||
async def set_avatar_url(
|
||||
self,
|
||||
|
|
|
|||
|
|
@ -365,7 +365,7 @@ class RoomCreationHandler(BaseHandler):
|
|||
creation_content = {
|
||||
"room_version": new_room_version.identifier,
|
||||
"predecessor": {"room_id": old_room_id, "event_id": tombstone_event_id},
|
||||
}
|
||||
} # type: JsonDict
|
||||
|
||||
# Check if old room was non-federatable
|
||||
|
||||
|
|
|
|||
|
|
@ -73,27 +73,41 @@ class SamlHandler(BaseHandler):
|
|||
)
|
||||
|
||||
# identifier for the external_ids table
|
||||
self._auth_provider_id = "saml"
|
||||
self.idp_id = "saml"
|
||||
|
||||
# user-facing name of this auth provider
|
||||
self.idp_name = "SAML"
|
||||
|
||||
# a map from saml session id to Saml2SessionData object
|
||||
self._outstanding_requests_dict = {} # type: Dict[str, Saml2SessionData]
|
||||
|
||||
self._sso_handler = hs.get_sso_handler()
|
||||
self._sso_handler.register_identity_provider(self)
|
||||
|
||||
def handle_redirect_request(
|
||||
self, client_redirect_url: bytes, ui_auth_session_id: Optional[str] = None
|
||||
) -> bytes:
|
||||
async def handle_redirect_request(
|
||||
self,
|
||||
request: SynapseRequest,
|
||||
client_redirect_url: Optional[bytes],
|
||||
ui_auth_session_id: Optional[str] = None,
|
||||
) -> str:
|
||||
"""Handle an incoming request to /login/sso/redirect
|
||||
|
||||
Args:
|
||||
request: the incoming HTTP request
|
||||
client_redirect_url: the URL that we should redirect the
|
||||
client to when everything is done
|
||||
client to after login (or None for UI Auth).
|
||||
ui_auth_session_id: The session ID of the ongoing UI Auth (or
|
||||
None if this is a login).
|
||||
|
||||
Returns:
|
||||
URL to redirect to
|
||||
"""
|
||||
if not client_redirect_url:
|
||||
# Some SAML identity providers (e.g. Google) require a
|
||||
# RelayState parameter on requests, so pass in a dummy redirect URL
|
||||
# (which will never get used).
|
||||
client_redirect_url = b"unused"
|
||||
|
||||
reqid, info = self._saml_client.prepare_for_authenticate(
|
||||
entityid=self._saml_idp_entityid, relay_state=client_redirect_url
|
||||
)
|
||||
|
|
@ -210,7 +224,7 @@ class SamlHandler(BaseHandler):
|
|||
return
|
||||
|
||||
return await self._sso_handler.complete_sso_ui_auth_request(
|
||||
self._auth_provider_id,
|
||||
self.idp_id,
|
||||
remote_user_id,
|
||||
current_session.ui_auth_session_id,
|
||||
request,
|
||||
|
|
@ -306,7 +320,7 @@ class SamlHandler(BaseHandler):
|
|||
return None
|
||||
|
||||
await self._sso_handler.complete_sso_login_request(
|
||||
self._auth_provider_id,
|
||||
self.idp_id,
|
||||
remote_user_id,
|
||||
request,
|
||||
client_redirect_url,
|
||||
|
|
|
|||
|
|
@ -12,15 +12,17 @@
|
|||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
import abc
|
||||
import logging
|
||||
from typing import TYPE_CHECKING, Awaitable, Callable, Dict, List, Optional
|
||||
from typing import TYPE_CHECKING, Awaitable, Callable, Dict, List, Mapping, Optional
|
||||
from urllib.parse import urlencode
|
||||
|
||||
import attr
|
||||
from typing_extensions import NoReturn
|
||||
from typing_extensions import NoReturn, Protocol
|
||||
|
||||
from twisted.web.http import Request
|
||||
|
||||
from synapse.api.errors import RedirectException, SynapseError
|
||||
from synapse.api.errors import Codes, RedirectException, SynapseError
|
||||
from synapse.http.server import respond_with_html
|
||||
from synapse.http.site import SynapseRequest
|
||||
from synapse.types import JsonDict, UserID, contains_invalid_mxid_characters
|
||||
|
|
@ -40,6 +42,58 @@ class MappingException(Exception):
|
|||
"""
|
||||
|
||||
|
||||
class SsoIdentityProvider(Protocol):
|
||||
"""Abstract base class to be implemented by SSO Identity Providers
|
||||
|
||||
An Identity Provider, or IdP, is an external HTTP service which authenticates a user
|
||||
to say whether they should be allowed to log in, or perform a given action.
|
||||
|
||||
Synapse supports various implementations of IdPs, including OpenID Connect, SAML,
|
||||
and CAS.
|
||||
|
||||
The main entry point is `handle_redirect_request`, which should return a URI to
|
||||
redirect the user's browser to the IdP's authentication page.
|
||||
|
||||
Each IdP should be registered with the SsoHandler via
|
||||
`hs.get_sso_handler().register_identity_provider()`, so that requests to
|
||||
`/_matrix/client/r0/login/sso/redirect` can be correctly dispatched.
|
||||
"""
|
||||
|
||||
@property
|
||||
@abc.abstractmethod
|
||||
def idp_id(self) -> str:
|
||||
"""A unique identifier for this SSO provider
|
||||
|
||||
Eg, "saml", "cas", "github"
|
||||
"""
|
||||
|
||||
@property
|
||||
@abc.abstractmethod
|
||||
def idp_name(self) -> str:
|
||||
"""User-facing name for this provider"""
|
||||
|
||||
@abc.abstractmethod
|
||||
async def handle_redirect_request(
|
||||
self,
|
||||
request: SynapseRequest,
|
||||
client_redirect_url: Optional[bytes],
|
||||
ui_auth_session_id: Optional[str] = None,
|
||||
) -> str:
|
||||
"""Handle an incoming request to /login/sso/redirect
|
||||
|
||||
Args:
|
||||
request: the incoming HTTP request
|
||||
client_redirect_url: the URL that we should redirect the
|
||||
client to after login (or None for UI Auth).
|
||||
ui_auth_session_id: The session ID of the ongoing UI Auth (or
|
||||
None if this is a login).
|
||||
|
||||
Returns:
|
||||
URL to redirect to
|
||||
"""
|
||||
raise NotImplementedError()
|
||||
|
||||
|
||||
@attr.s
|
||||
class UserAttributes:
|
||||
# the localpart of the mxid that the mapper has assigned to the user.
|
||||
|
|
@ -100,6 +154,18 @@ class SsoHandler:
|
|||
# a map from session id to session data
|
||||
self._username_mapping_sessions = {} # type: Dict[str, UsernameMappingSession]
|
||||
|
||||
# map from idp_id to SsoIdentityProvider
|
||||
self._identity_providers = {} # type: Dict[str, SsoIdentityProvider]
|
||||
|
||||
def register_identity_provider(self, p: SsoIdentityProvider):
|
||||
p_id = p.idp_id
|
||||
assert p_id not in self._identity_providers
|
||||
self._identity_providers[p_id] = p
|
||||
|
||||
def get_identity_providers(self) -> Mapping[str, SsoIdentityProvider]:
|
||||
"""Get the configured identity providers"""
|
||||
return self._identity_providers
|
||||
|
||||
def render_error(
|
||||
self,
|
||||
request: Request,
|
||||
|
|
@ -124,6 +190,34 @@ class SsoHandler:
|
|||
)
|
||||
respond_with_html(request, code, html)
|
||||
|
||||
async def handle_redirect_request(
|
||||
self, request: SynapseRequest, client_redirect_url: bytes,
|
||||
) -> str:
|
||||
"""Handle a request to /login/sso/redirect
|
||||
|
||||
Args:
|
||||
request: incoming HTTP request
|
||||
client_redirect_url: the URL that we should redirect the
|
||||
client to after login.
|
||||
|
||||
Returns:
|
||||
the URI to redirect to
|
||||
"""
|
||||
if not self._identity_providers:
|
||||
raise SynapseError(
|
||||
400, "Homeserver not configured for SSO.", errcode=Codes.UNRECOGNIZED
|
||||
)
|
||||
|
||||
# if we only have one auth provider, redirect to it directly
|
||||
if len(self._identity_providers) == 1:
|
||||
ap = next(iter(self._identity_providers.values()))
|
||||
return await ap.handle_redirect_request(request, client_redirect_url)
|
||||
|
||||
# otherwise, redirect to the IDP picker
|
||||
return "/_synapse/client/pick_idp?" + urlencode(
|
||||
(("redirectUrl", client_redirect_url),)
|
||||
)
|
||||
|
||||
async def get_sso_user_by_remote_user_id(
|
||||
self, auth_provider_id: str, remote_user_id: str
|
||||
) -> Optional[str]:
|
||||
|
|
|
|||
|
|
@ -252,7 +252,12 @@ class LoggingContext:
|
|||
"scope",
|
||||
]
|
||||
|
||||
def __init__(self, name=None, parent_context=None, request=None) -> None:
|
||||
def __init__(
|
||||
self,
|
||||
name: Optional[str] = None,
|
||||
parent_context: "Optional[LoggingContext]" = None,
|
||||
request: Optional[str] = None,
|
||||
) -> None:
|
||||
self.previous_context = current_context()
|
||||
self.name = name
|
||||
|
||||
|
|
@ -536,20 +541,20 @@ class LoggingContextFilter(logging.Filter):
|
|||
def __init__(self, request: str = ""):
|
||||
self._default_request = request
|
||||
|
||||
def filter(self, record) -> Literal[True]:
|
||||
def filter(self, record: logging.LogRecord) -> Literal[True]:
|
||||
"""Add each fields from the logging contexts to the record.
|
||||
Returns:
|
||||
True to include the record in the log output.
|
||||
"""
|
||||
context = current_context()
|
||||
record.request = self._default_request
|
||||
record.request = self._default_request # type: ignore
|
||||
|
||||
# context should never be None, but if it somehow ends up being, then
|
||||
# we end up in a death spiral of infinite loops, so let's check, for
|
||||
# robustness' sake.
|
||||
if context is not None:
|
||||
# Logging is interested in the request.
|
||||
record.request = context.request
|
||||
record.request = context.request # type: ignore
|
||||
|
||||
return True
|
||||
|
||||
|
|
@ -616,9 +621,7 @@ def set_current_context(context: LoggingContextOrSentinel) -> LoggingContextOrSe
|
|||
return current
|
||||
|
||||
|
||||
def nested_logging_context(
|
||||
suffix: str, parent_context: Optional[LoggingContext] = None
|
||||
) -> LoggingContext:
|
||||
def nested_logging_context(suffix: str) -> LoggingContext:
|
||||
"""Creates a new logging context as a child of another.
|
||||
|
||||
The nested logging context will have a 'request' made up of the parent context's
|
||||
|
|
@ -632,20 +635,23 @@ def nested_logging_context(
|
|||
# ... do stuff
|
||||
|
||||
Args:
|
||||
suffix (str): suffix to add to the parent context's 'request'.
|
||||
parent_context (LoggingContext|None): parent context. Will use the current context
|
||||
if None.
|
||||
suffix: suffix to add to the parent context's 'request'.
|
||||
|
||||
Returns:
|
||||
LoggingContext: new logging context.
|
||||
"""
|
||||
if parent_context is not None:
|
||||
context = parent_context # type: LoggingContextOrSentinel
|
||||
curr_context = current_context()
|
||||
if not curr_context:
|
||||
logger.warning(
|
||||
"Starting nested logging context from sentinel context: metrics will be lost"
|
||||
)
|
||||
parent_context = None
|
||||
prefix = ""
|
||||
else:
|
||||
context = current_context()
|
||||
return LoggingContext(
|
||||
parent_context=context, request=str(context.request) + "-" + suffix
|
||||
)
|
||||
assert isinstance(curr_context, LoggingContext)
|
||||
parent_context = curr_context
|
||||
prefix = str(parent_context.request)
|
||||
return LoggingContext(parent_context=parent_context, request=prefix + "-" + suffix)
|
||||
|
||||
|
||||
def preserve_fn(f):
|
||||
|
|
@ -822,10 +828,18 @@ def defer_to_threadpool(reactor, threadpool, f, *args, **kwargs):
|
|||
Deferred: A Deferred which fires a callback with the result of `f`, or an
|
||||
errback if `f` throws an exception.
|
||||
"""
|
||||
logcontext = current_context()
|
||||
curr_context = current_context()
|
||||
if not curr_context:
|
||||
logger.warning(
|
||||
"Calling defer_to_threadpool from sentinel context: metrics will be lost"
|
||||
)
|
||||
parent_context = None
|
||||
else:
|
||||
assert isinstance(curr_context, LoggingContext)
|
||||
parent_context = curr_context
|
||||
|
||||
def g():
|
||||
with LoggingContext(parent_context=logcontext):
|
||||
with LoggingContext(parent_context=parent_context):
|
||||
return f(*args, **kwargs)
|
||||
|
||||
return make_deferred_yieldable(threads.deferToThreadPool(reactor, threadpool, g))
|
||||
|
|
|
|||
28
synapse/res/templates/sso_login_idp_picker.html
Normal file
28
synapse/res/templates/sso_login_idp_picker.html
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8">
|
||||
<link rel="stylesheet" href="/_matrix/static/client/login/style.css">
|
||||
<title>{{server_name | e}} Login</title>
|
||||
</head>
|
||||
<body>
|
||||
<div id="container">
|
||||
<h1 id="title">{{server_name | e}} Login</h1>
|
||||
<div class="login_flow">
|
||||
<p>Choose one of the following identity providers:</p>
|
||||
<form>
|
||||
<input type="hidden" name="redirectUrl" value="{{redirect_url | e}}">
|
||||
<ul class="radiobuttons">
|
||||
{% for p in providers %}
|
||||
<li>
|
||||
<input type="radio" name="idp" id="prov{{loop.index}}" value="{{p.idp_id}}">
|
||||
<label for="prov{{loop.index}}">{{p.idp_name | e}}</label>
|
||||
</li>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
<input type="submit" class="button button--full-width" id="button-submit" value="Submit">
|
||||
</form>
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue