Merge remote-tracking branch 'origin/release-v1.26.0' into matrix-org-hotfixes
This commit is contained in:
commit
bde75f5f66
87
CHANGES.md
87
CHANGES.md
|
@ -1,3 +1,90 @@
|
|||
Synapse 1.26.0rc1 (2021-01-20)
|
||||
==============================
|
||||
|
||||
This release brings a new schema version for Synapse and rolling back to a previous
|
||||
version is not trivial. Please review [UPGRADE.rst](UPGRADE.rst) for more details
|
||||
on these changes and for general upgrade guidance.
|
||||
|
||||
Features
|
||||
--------
|
||||
|
||||
- Add support for multiple SSO Identity Providers. ([\#9015](https://github.com/matrix-org/synapse/issues/9015), [\#9017](https://github.com/matrix-org/synapse/issues/9017), [\#9036](https://github.com/matrix-org/synapse/issues/9036), [\#9067](https://github.com/matrix-org/synapse/issues/9067), [\#9081](https://github.com/matrix-org/synapse/issues/9081), [\#9082](https://github.com/matrix-org/synapse/issues/9082), [\#9105](https://github.com/matrix-org/synapse/issues/9105), [\#9107](https://github.com/matrix-org/synapse/issues/9107), [\#9109](https://github.com/matrix-org/synapse/issues/9109), [\#9110](https://github.com/matrix-org/synapse/issues/9110), [\#9127](https://github.com/matrix-org/synapse/issues/9127), [\#9153](https://github.com/matrix-org/synapse/issues/9153), [\#9154](https://github.com/matrix-org/synapse/issues/9154), [\#9177](https://github.com/matrix-org/synapse/issues/9177))
|
||||
- During user-interactive authentication via single-sign-on, give a better error if the user uses the wrong account on the SSO IdP. ([\#9091](https://github.com/matrix-org/synapse/issues/9091))
|
||||
- Give the `public_baseurl` a default value, if it is not explicitly set in the configuration file. ([\#9159](https://github.com/matrix-org/synapse/issues/9159))
|
||||
- Improve performance when calculating ignored users in large rooms. ([\#9024](https://github.com/matrix-org/synapse/issues/9024))
|
||||
- Implement [MSC2176](https://github.com/matrix-org/matrix-doc/pull/2176) in an experimental room version. ([\#8984](https://github.com/matrix-org/synapse/issues/8984))
|
||||
- Add an admin API for protecting local media from quarantine. ([\#9086](https://github.com/matrix-org/synapse/issues/9086))
|
||||
- Remove a user's avatar URL and display name when deactivated with the Admin API. ([\#8932](https://github.com/matrix-org/synapse/issues/8932))
|
||||
- Update `/_synapse/admin/v1/users/<user_id>/joined_rooms` to work for both local and remote users. ([\#8948](https://github.com/matrix-org/synapse/issues/8948))
|
||||
- Add experimental support for handling to-device messages on worker processes. ([\#9042](https://github.com/matrix-org/synapse/issues/9042), [\#9043](https://github.com/matrix-org/synapse/issues/9043), [\#9044](https://github.com/matrix-org/synapse/issues/9044), [\#9130](https://github.com/matrix-org/synapse/issues/9130))
|
||||
- Add experimental support for handling `/keys/claim` and `/room_keys` APIs on worker processes. ([\#9068](https://github.com/matrix-org/synapse/issues/9068))
|
||||
- Add experimental support for handling `/devices` API on worker processes. ([\#9092](https://github.com/matrix-org/synapse/issues/9092))
|
||||
- Add experimental support for moving off receipts and account data persistence off master. ([\#9104](https://github.com/matrix-org/synapse/issues/9104), [\#9166](https://github.com/matrix-org/synapse/issues/9166))
|
||||
|
||||
|
||||
Bugfixes
|
||||
--------
|
||||
|
||||
- Fix a long-standing issue where an internal server error would occur when requesting a profile over federation that did not include a display name / avatar URL. ([\#9023](https://github.com/matrix-org/synapse/issues/9023))
|
||||
- Fix a long-standing bug where some caches could grow larger than configured. ([\#9028](https://github.com/matrix-org/synapse/issues/9028))
|
||||
- Fix error handling during insertion of client IPs into the database. ([\#9051](https://github.com/matrix-org/synapse/issues/9051))
|
||||
- Fix bug where we didn't correctly record CPU time spent in `on_new_event` block. ([\#9053](https://github.com/matrix-org/synapse/issues/9053))
|
||||
- Fix a minor bug which could cause confusing error messages from invalid configurations. ([\#9054](https://github.com/matrix-org/synapse/issues/9054))
|
||||
- Fix incorrect exit code when there is an error at startup. ([\#9059](https://github.com/matrix-org/synapse/issues/9059))
|
||||
- Fix `JSONDecodeError` spamming the logs when sending transactions to remote servers. ([\#9070](https://github.com/matrix-org/synapse/issues/9070))
|
||||
- Fix "Failed to send request" errors when a client provides an invalid room alias. ([\#9071](https://github.com/matrix-org/synapse/issues/9071))
|
||||
- Fix bugs in federation catchup logic that caused outbound federation to be delayed for large servers after start up. Introduced in v1.8.0 and v1.21.0. ([\#9114](https://github.com/matrix-org/synapse/issues/9114), [\#9116](https://github.com/matrix-org/synapse/issues/9116))
|
||||
- Fix corruption of `pushers` data when a postgres bouncer is used. ([\#9117](https://github.com/matrix-org/synapse/issues/9117))
|
||||
- Fix minor bugs in handling the `clientRedirectUrl` parameter for SSO login. ([\#9128](https://github.com/matrix-org/synapse/issues/9128))
|
||||
- Fix "Unhandled error in Deferred: BodyExceededMaxSize" errors when .well-known files that are too large. ([\#9108](https://github.com/matrix-org/synapse/issues/9108))
|
||||
- Fix "UnboundLocalError: local variable 'length' referenced before assignment" errors when the response body exceeds the expected size. This bug was introduced in v1.25.0. ([\#9145](https://github.com/matrix-org/synapse/issues/9145))
|
||||
- Fix a long-standing bug "ValueError: invalid literal for int() with base 10" when `/publicRooms` is requested with an invalid `server` parameter. ([\#9161](https://github.com/matrix-org/synapse/issues/9161))
|
||||
|
||||
|
||||
Improved Documentation
|
||||
----------------------
|
||||
|
||||
- Add some extra docs for getting Synapse running on macOS. ([\#8997](https://github.com/matrix-org/synapse/issues/8997))
|
||||
- Correct a typo in the `systemd-with-workers` documentation. ([\#9035](https://github.com/matrix-org/synapse/issues/9035))
|
||||
- Correct a typo in `INSTALL.md`. ([\#9040](https://github.com/matrix-org/synapse/issues/9040))
|
||||
- Add missing `user_mapping_provider` configuration to the Keycloak OIDC example. Contributed by @chris-ruecker. ([\#9057](https://github.com/matrix-org/synapse/issues/9057))
|
||||
- Quote `pip install` packages when extras are used to avoid shells interpreting bracket characters. ([\#9151](https://github.com/matrix-org/synapse/issues/9151))
|
||||
|
||||
|
||||
Deprecations and Removals
|
||||
-------------------------
|
||||
|
||||
- Remove broken and unmaintained `demo/webserver.py` script. ([\#9039](https://github.com/matrix-org/synapse/issues/9039))
|
||||
|
||||
|
||||
Internal Changes
|
||||
----------------
|
||||
|
||||
- Improve efficiency of large state resolutions. ([\#8868](https://github.com/matrix-org/synapse/issues/8868), [\#9029](https://github.com/matrix-org/synapse/issues/9029), [\#9115](https://github.com/matrix-org/synapse/issues/9115), [\#9118](https://github.com/matrix-org/synapse/issues/9118), [\#9124](https://github.com/matrix-org/synapse/issues/9124))
|
||||
- Various clean-ups to the structured logging and logging context code. ([\#8939](https://github.com/matrix-org/synapse/issues/8939))
|
||||
- Ensure rejected events get added to some metadata tables. ([\#9016](https://github.com/matrix-org/synapse/issues/9016))
|
||||
- Ignore date-rotated homeserver logs saved to disk. ([\#9018](https://github.com/matrix-org/synapse/issues/9018))
|
||||
- Remove an unused column from `access_tokens` table. ([\#9025](https://github.com/matrix-org/synapse/issues/9025))
|
||||
- Add a `-noextras` factor to `tox.ini`, to support running the tests with no optional dependencies. ([\#9030](https://github.com/matrix-org/synapse/issues/9030))
|
||||
- Fix running unit tests when optional dependencies are not installed. ([\#9031](https://github.com/matrix-org/synapse/issues/9031))
|
||||
- Allow bumping schema version when using split out state database. ([\#9033](https://github.com/matrix-org/synapse/issues/9033))
|
||||
- Configure the linters to run on a consistent set of files. ([\#9038](https://github.com/matrix-org/synapse/issues/9038))
|
||||
- Various cleanups to device inbox store. ([\#9041](https://github.com/matrix-org/synapse/issues/9041))
|
||||
- Drop unused database tables. ([\#9055](https://github.com/matrix-org/synapse/issues/9055))
|
||||
- Remove unused `SynapseService` class. ([\#9058](https://github.com/matrix-org/synapse/issues/9058))
|
||||
- Remove unnecessary declarations in the tests for the admin API. ([\#9063](https://github.com/matrix-org/synapse/issues/9063))
|
||||
- Remove `SynapseRequest.get_user_agent`. ([\#9069](https://github.com/matrix-org/synapse/issues/9069))
|
||||
- Remove redundant `Homeserver.get_ip_from_request` method. ([\#9080](https://github.com/matrix-org/synapse/issues/9080))
|
||||
- Add type hints to media repository. ([\#9093](https://github.com/matrix-org/synapse/issues/9093))
|
||||
- Fix the wrong arguments being passed to `BlacklistingAgentWrapper` from `MatrixFederationAgent`. Contributed by Timothy Leung. ([\#9098](https://github.com/matrix-org/synapse/issues/9098))
|
||||
- Reduce the scope of caught exceptions in `BlacklistingAgentWrapper`. ([\#9106](https://github.com/matrix-org/synapse/issues/9106))
|
||||
- Improve `UsernamePickerTestCase`. ([\#9112](https://github.com/matrix-org/synapse/issues/9112))
|
||||
- Remove dependency on `distutils`. ([\#9125](https://github.com/matrix-org/synapse/issues/9125))
|
||||
- Enforce that replication HTTP clients are called with keyword arguments only. ([\#9144](https://github.com/matrix-org/synapse/issues/9144))
|
||||
- Fix the Python 3.5 / old dependencies build in CI. ([\#9146](https://github.com/matrix-org/synapse/issues/9146))
|
||||
- Replace the old `perspectives` option in the Synapse docker config file template with `trusted_key_servers`. ([\#9157](https://github.com/matrix-org/synapse/issues/9157))
|
||||
|
||||
|
||||
Synapse 1.25.0 (2021-01-13)
|
||||
===========================
|
||||
|
||||
|
|
|
@ -286,7 +286,7 @@ We recommend using the demo which starts 3 federated instances running on ports
|
|||
|
||||
(to stop, you can use `./demo/stop.sh`)
|
||||
|
||||
If you just want to start a single instance of the app and run it directly:
|
||||
If you just want to start a single instance of the app and run it directly::
|
||||
|
||||
# Create the homeserver.yaml config once
|
||||
python -m synapse.app.homeserver \
|
||||
|
|
50
UPGRADE.rst
50
UPGRADE.rst
|
@ -85,6 +85,56 @@ for example:
|
|||
wget https://packages.matrix.org/debian/pool/main/m/matrix-synapse-py3/matrix-synapse-py3_1.3.0+stretch1_amd64.deb
|
||||
dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb
|
||||
|
||||
Upgrading to v1.26.0
|
||||
====================
|
||||
|
||||
Rolling back to v1.25.0 after a failed upgrade
|
||||
----------------------------------------------
|
||||
|
||||
v1.26.0 includes a lot of large changes. If something problematic occurs, you
|
||||
may want to roll-back to a previous version of Synapse. Because v1.26.0 also
|
||||
includes a new database schema version, reverting that version is also required
|
||||
alongside the generic rollback instructions mentioned above. In short, to roll
|
||||
back to v1.25.0 you need to:
|
||||
|
||||
1. Stop the server
|
||||
2. Decrease the schema version in the database:
|
||||
|
||||
.. code:: sql
|
||||
|
||||
UPDATE schema_version SET version = 58;
|
||||
|
||||
3. Delete the ignored users & chain cover data:
|
||||
|
||||
.. code:: sql
|
||||
|
||||
DROP TABLE IF EXISTS ignored_users;
|
||||
UPDATE rooms SET has_auth_chain_index = false;
|
||||
|
||||
For PostgreSQL run:
|
||||
|
||||
.. code:: sql
|
||||
|
||||
TRUNCATE event_auth_chain_links;
|
||||
TRUNCATE event_auth_chains;
|
||||
|
||||
For SQLite run:
|
||||
|
||||
.. code:: sql
|
||||
|
||||
DELETE FROM event_auth_chain_links;
|
||||
DELETE FROM event_auth_chains;
|
||||
|
||||
4. Mark the deltas as not run (so they will re-run on upgrade).
|
||||
|
||||
.. code:: sql
|
||||
|
||||
DELETE FROM applied_schema_deltas WHERE version = 59 AND file = "59/01ignored_user.py";
|
||||
DELETE FROM applied_schema_deltas WHERE version = 59 AND file = "59/06chain_cover_index.sql";
|
||||
|
||||
5. Downgrade Synapse by following the instructions for your installation method
|
||||
in the "Rolling back to older versions" section above.
|
||||
|
||||
Upgrading to v1.25.0
|
||||
====================
|
||||
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
Improve efficiency of large state resolutions.
|
|
@ -1 +0,0 @@
|
|||
Remove a user's avatar URL and display name when deactivated with the Admin API.
|
|
@ -1 +0,0 @@
|
|||
Various clean-ups to the structured logging and logging context code.
|
|
@ -1 +0,0 @@
|
|||
Update `/_synapse/admin/v1/users/<user_id>/joined_rooms` to work for both local and remote users.
|
|
@ -1 +0,0 @@
|
|||
Implement [MSC2176](https://github.com/matrix-org/matrix-doc/pull/2176) in an experimental room version.
|
|
@ -1 +0,0 @@
|
|||
Add some extra docs for getting Synapse running on macOS.
|
|
@ -1 +0,0 @@
|
|||
Add support for multiple SSO Identity Providers.
|
|
@ -1 +0,0 @@
|
|||
Ensure rejected events get added to some metadata tables.
|
|
@ -1 +0,0 @@
|
|||
Add support for multiple SSO Identity Providers.
|
|
@ -1 +0,0 @@
|
|||
Ignore date-rotated homeserver logs saved to disk.
|
|
@ -1 +0,0 @@
|
|||
Fix a longstanding issue where an internal server error would occur when requesting a profile over federation that did not include a display name / avatar URL.
|
|
@ -1 +0,0 @@
|
|||
Improved performance when calculating ignored users in large rooms.
|
|
@ -1 +0,0 @@
|
|||
Removed an unused column from `access_tokens` table.
|
|
@ -1 +0,0 @@
|
|||
Fix a long-standing bug where some caches could grow larger than configured.
|
|
@ -1 +0,0 @@
|
|||
Improve efficiency of large state resolutions.
|
|
@ -1 +0,0 @@
|
|||
Add a `-noextras` factor to `tox.ini`, to support running the tests with no optional dependencies.
|
|
@ -1 +0,0 @@
|
|||
Fix running unit tests when optional dependencies are not installed.
|
|
@ -1 +0,0 @@
|
|||
Allow bumping schema version when using split out state database.
|
|
@ -1 +0,0 @@
|
|||
Corrected a typo in the `systemd-with-workers` documentation.
|
|
@ -1 +0,0 @@
|
|||
Add support for multiple SSO Identity Providers.
|
|
@ -1 +0,0 @@
|
|||
Configure the linters to run on a consistent set of files.
|
|
@ -1 +0,0 @@
|
|||
Remove broken and unmaintained `demo/webserver.py` script.
|
|
@ -1 +0,0 @@
|
|||
Corrected a typo in `INSTALL.md`.
|
|
@ -1 +0,0 @@
|
|||
Various cleanups to device inbox store.
|
|
@ -1 +0,0 @@
|
|||
Add experimental support for handling and persistence of to-device messages to happen on worker processes.
|
|
@ -1 +0,0 @@
|
|||
Add experimental support for handling and persistence of to-device messages to happen on worker processes.
|
|
@ -1 +0,0 @@
|
|||
Add experimental support for handling and persistence of to-device messages to happen on worker processes.
|
|
@ -1 +0,0 @@
|
|||
Fix error handling during insertion of client IPs into the database.
|
|
@ -1 +0,0 @@
|
|||
Fix bug where we didn't correctly record CPU time spent in 'on_new_event' block.
|
|
@ -1 +0,0 @@
|
|||
Fix a minor bug which could cause confusing error messages from invalid configurations.
|
|
@ -1 +0,0 @@
|
|||
Drop unused database tables.
|
|
@ -1 +0,0 @@
|
|||
Add missing user_mapping_provider configuration to the Keycloak OIDC example. Contributed by @chris-ruecker.
|
|
@ -1 +0,0 @@
|
|||
Remove unused `SynapseService` class.
|
|
@ -1 +0,0 @@
|
|||
Fix incorrect exit code when there is an error at startup.
|
|
@ -1 +0,0 @@
|
|||
Removes unnecessary declarations in the tests for the admin API.
|
|
@ -1 +0,0 @@
|
|||
Add support for multiple SSO Identity Providers.
|
|
@ -1 +0,0 @@
|
|||
Add experimental support for handling `/keys/claim` and `/room_keys` APIs on worker processes.
|
|
@ -1 +0,0 @@
|
|||
Remove `SynapseRequest.get_user_agent`.
|
|
@ -1 +0,0 @@
|
|||
Fix `JSONDecodeError` spamming the logs when sending transactions to remote servers.
|
|
@ -1 +0,0 @@
|
|||
Fix "Failed to send request" errors when a client provides an invalid room alias.
|
|
@ -1 +0,0 @@
|
|||
Remove redundant `Homeserver.get_ip_from_request` method.
|
|
@ -1 +0,0 @@
|
|||
Add support for multiple SSO Identity Providers.
|
|
@ -1 +0,0 @@
|
|||
Add support for multiple SSO Identity Providers.
|
|
@ -1 +0,0 @@
|
|||
Add an admin API for protecting local media from quarantine.
|
|
@ -1 +0,0 @@
|
|||
During user-interactive authentication via single-sign-on, give a better error if the user uses the wrong account on the SSO IdP.
|
|
@ -1 +0,0 @@
|
|||
Add experimental support for handling `/devices` API on worker processes.
|
|
@ -1 +0,0 @@
|
|||
Add type hints to media repository.
|
|
@ -1 +0,0 @@
|
|||
Fix the wrong arguments being passed to `BlacklistingAgentWrapper` from `MatrixFederationAgent`. Contributed by Timothy Leung.
|
|
@ -1 +0,0 @@
|
|||
Add experimental support for moving off receipts and account data persistence off master.
|
|
@ -1 +0,0 @@
|
|||
Add support for multiple SSO Identity Providers.
|
|
@ -1 +0,0 @@
|
|||
Reduce the scope of caught exceptions in `BlacklistingAgentWrapper`.
|
|
@ -1 +0,0 @@
|
|||
Add support for multiple SSO Identity Providers.
|
|
@ -1 +0,0 @@
|
|||
Fix "Unhandled error in Deferred: BodyExceededMaxSize" errors when .well-known files that are too large.
|
|
@ -1 +0,0 @@
|
|||
Add support for multiple SSO Identity Providers.
|
|
@ -1 +0,0 @@
|
|||
Add support for multiple SSO Identity Providers.
|
|
@ -1 +0,0 @@
|
|||
Improve `UsernamePickerTestCase`.
|
|
@ -1 +0,0 @@
|
|||
Fix bugs in federation catchup logic that caused outbound federation to be delayed for large servers after start up. Introduced in v1.8.0 and v1.21.0.
|
|
@ -1 +0,0 @@
|
|||
Improve efficiency of large state resolutions.
|
|
@ -1 +0,0 @@
|
|||
Fix bugs in federation catchup logic that caused outbound federation to be delayed for large servers after start up. Introduced in v1.8.0 and v1.21.0.
|
|
@ -1 +0,0 @@
|
|||
Fix corruption of `pushers` data when a postgres bouncer is used.
|
|
@ -1 +0,0 @@
|
|||
Improve efficiency of large state resolutions.
|
|
@ -1 +0,0 @@
|
|||
Improve efficiency of large state resolutions.
|
|
@ -1 +0,0 @@
|
|||
Remove dependency on `distutils`.
|
|
@ -1 +0,0 @@
|
|||
Add support for multiple SSO Identity Providers.
|
|
@ -1 +0,0 @@
|
|||
Fix minor bugs in handling the `clientRedirectUrl` parameter for SSO login.
|
|
@ -1 +0,0 @@
|
|||
Add experimental support for handling and persistence of to-device messages to happen on worker processes.
|
|
@ -1 +0,0 @@
|
|||
Enforce that replication HTTP clients are called with keyword arguments only.
|
|
@ -1 +0,0 @@
|
|||
Fix "UnboundLocalError: local variable 'length' referenced before assignment" errors when the response body exceeds the expected size. This bug was introduced in v1.25.0.
|
|
@ -1 +0,0 @@
|
|||
Fix the Python 3.5 + old dependencies build in CI.
|
|
@ -1 +0,0 @@
|
|||
Quote `pip install` packages when extras are used to avoid shells interpreting bracket characters.
|
|
@ -1 +0,0 @@
|
|||
Add support for multiple SSO Identity Providers.
|
|
@ -1 +0,0 @@
|
|||
Replace the old `perspectives` option in the Synapse docker config file template with `trusted_key_servers`.
|
|
@ -1 +0,0 @@
|
|||
Fix a long-standing bug "ValueError: invalid literal for int() with base 10" when `/publicRooms` is requested with an invalid `server` parameter.
|
|
@ -1 +0,0 @@
|
|||
Add experimental support for moving off receipts and account data persistence off master.
|
1
changelog.d/9189.misc
Normal file
1
changelog.d/9189.misc
Normal file
|
@ -0,0 +1 @@
|
|||
Add an `oidc-` prefix to any `idp_id`s which are given in the `oidc_providers` configuration.
|
1
changelog.d/9193.bugfix
Normal file
1
changelog.d/9193.bugfix
Normal file
|
@ -0,0 +1 @@
|
|||
Fix receipts or account data not being sent down sync. Introduced in v1.26.0rc1.
|
1
changelog.d/9195.bugfix
Normal file
1
changelog.d/9195.bugfix
Normal file
|
@ -0,0 +1 @@
|
|||
Fix receipts or account data not being sent down sync. Introduced in v1.26.0rc1.
|
|
@ -67,11 +67,16 @@ pid_file: DATADIR/homeserver.pid
|
|||
#
|
||||
#web_client_location: https://riot.example.com/
|
||||
|
||||
# The public-facing base URL that clients use to access this HS
|
||||
# (not including _matrix/...). This is the same URL a user would
|
||||
# enter into the 'custom HS URL' field on their client. If you
|
||||
# use synapse with a reverse proxy, this should be the URL to reach
|
||||
# synapse via the proxy.
|
||||
# The public-facing base URL that clients use to access this Homeserver (not
|
||||
# including _matrix/...). This is the same URL a user might enter into the
|
||||
# 'Custom Homeserver URL' field on their client. If you use Synapse with a
|
||||
# reverse proxy, this should be the URL to reach Synapse via the proxy.
|
||||
# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
|
||||
# 'listeners' below).
|
||||
#
|
||||
# If this is left unset, it defaults to 'https://<server_name>/'. (Note that
|
||||
# that will not work unless you configure Synapse or a reverse-proxy to listen
|
||||
# on port 443.)
|
||||
#
|
||||
#public_baseurl: https://example.com/
|
||||
|
||||
|
@ -1150,8 +1155,9 @@ account_validity:
|
|||
# send an email to the account's email address with a renewal link. By
|
||||
# default, no such emails are sent.
|
||||
#
|
||||
# If you enable this setting, you will also need to fill out the 'email' and
|
||||
# 'public_baseurl' configuration sections.
|
||||
# If you enable this setting, you will also need to fill out the 'email'
|
||||
# configuration section. You should also check that 'public_baseurl' is set
|
||||
# correctly.
|
||||
#
|
||||
#renew_at: 1w
|
||||
|
||||
|
@ -1242,8 +1248,7 @@ account_validity:
|
|||
# The identity server which we suggest that clients should use when users log
|
||||
# in on this server.
|
||||
#
|
||||
# (By default, no suggestion is made, so it is left up to the client.
|
||||
# This setting is ignored unless public_baseurl is also set.)
|
||||
# (By default, no suggestion is made, so it is left up to the client.)
|
||||
#
|
||||
#default_identity_server: https://matrix.org
|
||||
|
||||
|
@ -1268,8 +1273,6 @@ account_validity:
|
|||
# by the Matrix Identity Service API specification:
|
||||
# https://matrix.org/docs/spec/identity_service/latest
|
||||
#
|
||||
# If a delegate is specified, the config option public_baseurl must also be filled out.
|
||||
#
|
||||
account_threepid_delegates:
|
||||
#email: https://example.com # Delegate email sending to example.com
|
||||
#msisdn: http://localhost:8090 # Delegate SMS sending to this local process
|
||||
|
@ -1723,6 +1726,12 @@ saml2_config:
|
|||
# idp_name: A user-facing name for this identity provider, which is used to
|
||||
# offer the user a choice of login mechanisms.
|
||||
#
|
||||
# idp_icon: An optional icon for this identity provider, which is presented
|
||||
# by identity picker pages. If given, must be an MXC URI of the format
|
||||
# mxc://<server-name>/<media-id>. (An easy way to obtain such an MXC URI
|
||||
# is to upload an image to an (unencrypted) room and then copy the "url"
|
||||
# from the source of the event.)
|
||||
#
|
||||
# discover: set to 'false' to disable the use of the OIDC discovery mechanism
|
||||
# to discover endpoints. Defaults to true.
|
||||
#
|
||||
|
@ -1807,13 +1816,16 @@ saml2_config:
|
|||
#
|
||||
# For backwards compatibility, it is also possible to configure a single OIDC
|
||||
# provider via an 'oidc_config' setting. This is now deprecated and admins are
|
||||
# advised to migrate to the 'oidc_providers' format.
|
||||
# advised to migrate to the 'oidc_providers' format. (When doing that migration,
|
||||
# use 'oidc' for the idp_id to ensure that existing users continue to be
|
||||
# recognised.)
|
||||
#
|
||||
oidc_providers:
|
||||
# Generic example
|
||||
#
|
||||
#- idp_id: my_idp
|
||||
# idp_name: "My OpenID provider"
|
||||
# idp_icon: "mxc://example.com/mediaid"
|
||||
# discover: false
|
||||
# issuer: "https://accounts.example.com/"
|
||||
# client_id: "provided-by-your-issuer"
|
||||
|
@ -1837,8 +1849,8 @@ oidc_providers:
|
|||
|
||||
# For use with Github
|
||||
#
|
||||
#- idp_id: google
|
||||
# idp_name: Google
|
||||
#- idp_id: github
|
||||
# idp_name: Github
|
||||
# discover: false
|
||||
# issuer: "https://github.com/"
|
||||
# client_id: "your-client-id" # TO BE FILLED
|
||||
|
@ -1901,9 +1913,9 @@ sso:
|
|||
# phishing attacks from evil.site. To avoid this, include a slash after the
|
||||
# hostname: "https://my.client/".
|
||||
#
|
||||
# If public_baseurl is set, then the login fallback page (used by clients
|
||||
# that don't natively support the required login flows) is whitelisted in
|
||||
# addition to any URLs in this list.
|
||||
# The login fallback page (used by clients that don't natively support the
|
||||
# required login flows) is automatically whitelisted in addition to any URLs
|
||||
# in this list.
|
||||
#
|
||||
# By default, this list is empty.
|
||||
#
|
||||
|
|
1
mypy.ini
1
mypy.ini
|
@ -100,6 +100,7 @@ files =
|
|||
synapse/util/async_helpers.py,
|
||||
synapse/util/caches,
|
||||
synapse/util/metrics.py,
|
||||
synapse/util/stringutils.py,
|
||||
tests/replication,
|
||||
tests/test_utils,
|
||||
tests/handlers/test_password_providers.py,
|
||||
|
|
|
@ -48,7 +48,7 @@ try:
|
|||
except ImportError:
|
||||
pass
|
||||
|
||||
__version__ = "1.25.0"
|
||||
__version__ = "1.26.0rc1"
|
||||
|
||||
if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)):
|
||||
# We import here so that we don't have to install a bunch of deps when
|
||||
|
|
|
@ -42,8 +42,6 @@ class ConsentURIBuilder:
|
|||
"""
|
||||
if hs_config.form_secret is None:
|
||||
raise ConfigError("form_secret not set in config")
|
||||
if hs_config.public_baseurl is None:
|
||||
raise ConfigError("public_baseurl not set in config")
|
||||
|
||||
self._hmac_secret = hs_config.form_secret.encode("utf-8")
|
||||
self._public_baseurl = hs_config.public_baseurl
|
||||
|
|
|
@ -252,11 +252,12 @@ class Config:
|
|||
env = jinja2.Environment(loader=loader, autoescape=autoescape)
|
||||
|
||||
# Update the environment with our custom filters
|
||||
env.filters.update({"format_ts": _format_ts_filter})
|
||||
if self.public_baseurl:
|
||||
env.filters.update(
|
||||
{"mxc_to_http": _create_mxc_to_http_filter(self.public_baseurl)}
|
||||
)
|
||||
env.filters.update(
|
||||
{
|
||||
"format_ts": _format_ts_filter,
|
||||
"mxc_to_http": _create_mxc_to_http_filter(self.public_baseurl),
|
||||
}
|
||||
)
|
||||
|
||||
for filename in filenames:
|
||||
# Load the template
|
||||
|
|
|
@ -166,11 +166,6 @@ class EmailConfig(Config):
|
|||
if not self.email_notif_from:
|
||||
missing.append("email.notif_from")
|
||||
|
||||
# public_baseurl is required to build password reset and validation links that
|
||||
# will be emailed to users
|
||||
if config.get("public_baseurl") is None:
|
||||
missing.append("public_baseurl")
|
||||
|
||||
if missing:
|
||||
raise ConfigError(
|
||||
MISSING_PASSWORD_RESET_CONFIG_ERROR % (", ".join(missing),)
|
||||
|
@ -269,9 +264,6 @@ class EmailConfig(Config):
|
|||
if not self.email_notif_from:
|
||||
missing.append("email.notif_from")
|
||||
|
||||
if config.get("public_baseurl") is None:
|
||||
missing.append("public_baseurl")
|
||||
|
||||
if missing:
|
||||
raise ConfigError(
|
||||
"email.enable_notifs is True but required keys are missing: %s"
|
||||
|
|
|
@ -23,6 +23,7 @@ from synapse.config._util import validate_config
|
|||
from synapse.python_dependencies import DependencyException, check_requirements
|
||||
from synapse.types import Collection, JsonDict
|
||||
from synapse.util.module_loader import load_module
|
||||
from synapse.util.stringutils import parse_and_validate_mxc_uri
|
||||
|
||||
from ._base import Config, ConfigError
|
||||
|
||||
|
@ -43,8 +44,6 @@ class OIDCConfig(Config):
|
|||
raise ConfigError(e.message) from e
|
||||
|
||||
public_baseurl = self.public_baseurl
|
||||
if public_baseurl is None:
|
||||
raise ConfigError("oidc_config requires a public_baseurl to be set")
|
||||
self.oidc_callback_url = public_baseurl + "_synapse/oidc/callback"
|
||||
|
||||
@property
|
||||
|
@ -68,6 +67,12 @@ class OIDCConfig(Config):
|
|||
# idp_name: A user-facing name for this identity provider, which is used to
|
||||
# offer the user a choice of login mechanisms.
|
||||
#
|
||||
# idp_icon: An optional icon for this identity provider, which is presented
|
||||
# by identity picker pages. If given, must be an MXC URI of the format
|
||||
# mxc://<server-name>/<media-id>. (An easy way to obtain such an MXC URI
|
||||
# is to upload an image to an (unencrypted) room and then copy the "url"
|
||||
# from the source of the event.)
|
||||
#
|
||||
# discover: set to 'false' to disable the use of the OIDC discovery mechanism
|
||||
# to discover endpoints. Defaults to true.
|
||||
#
|
||||
|
@ -152,13 +157,16 @@ class OIDCConfig(Config):
|
|||
#
|
||||
# For backwards compatibility, it is also possible to configure a single OIDC
|
||||
# provider via an 'oidc_config' setting. This is now deprecated and admins are
|
||||
# advised to migrate to the 'oidc_providers' format.
|
||||
# advised to migrate to the 'oidc_providers' format. (When doing that migration,
|
||||
# use 'oidc' for the idp_id to ensure that existing users continue to be
|
||||
# recognised.)
|
||||
#
|
||||
oidc_providers:
|
||||
# Generic example
|
||||
#
|
||||
#- idp_id: my_idp
|
||||
# idp_name: "My OpenID provider"
|
||||
# idp_icon: "mxc://example.com/mediaid"
|
||||
# discover: false
|
||||
# issuer: "https://accounts.example.com/"
|
||||
# client_id: "provided-by-your-issuer"
|
||||
|
@ -182,8 +190,8 @@ class OIDCConfig(Config):
|
|||
|
||||
# For use with Github
|
||||
#
|
||||
#- idp_id: google
|
||||
# idp_name: Google
|
||||
#- idp_id: github
|
||||
# idp_name: Github
|
||||
# discover: false
|
||||
# issuer: "https://github.com/"
|
||||
# client_id: "your-client-id" # TO BE FILLED
|
||||
|
@ -207,8 +215,11 @@ OIDC_PROVIDER_CONFIG_SCHEMA = {
|
|||
"type": "object",
|
||||
"required": ["issuer", "client_id", "client_secret"],
|
||||
"properties": {
|
||||
# TODO: fix the maxLength here depending on what MSC2528 decides
|
||||
# remember that we prefix the ID given here with `oidc-`
|
||||
"idp_id": {"type": "string", "minLength": 1, "maxLength": 128},
|
||||
"idp_name": {"type": "string"},
|
||||
"idp_icon": {"type": "string"},
|
||||
"discover": {"type": "boolean"},
|
||||
"issuer": {"type": "string"},
|
||||
"client_id": {"type": "string"},
|
||||
|
@ -327,20 +338,50 @@ def _parse_oidc_config_dict(
|
|||
config_path + ("user_mapping_provider", "module"),
|
||||
)
|
||||
|
||||
# MSC2858 will appy certain limits in what can be used as an IdP id, so let's
|
||||
# MSC2858 will apply certain limits in what can be used as an IdP id, so let's
|
||||
# enforce those limits now.
|
||||
# TODO: factor out this stuff to a generic function
|
||||
idp_id = oidc_config.get("idp_id", "oidc")
|
||||
valid_idp_chars = set(string.ascii_letters + string.digits + "-._~")
|
||||
|
||||
# TODO: update this validity check based on what MSC2858 decides.
|
||||
valid_idp_chars = set(string.ascii_lowercase + string.digits + "-._")
|
||||
|
||||
if any(c not in valid_idp_chars for c in idp_id):
|
||||
raise ConfigError(
|
||||
'idp_id may only contain A-Z, a-z, 0-9, "-", ".", "_", "~"',
|
||||
'idp_id may only contain a-z, 0-9, "-", ".", "_"',
|
||||
config_path + ("idp_id",),
|
||||
)
|
||||
|
||||
if idp_id[0] not in string.ascii_lowercase:
|
||||
raise ConfigError(
|
||||
"idp_id must start with a-z", config_path + ("idp_id",),
|
||||
)
|
||||
|
||||
# prefix the given IDP with a prefix specific to the SSO mechanism, to avoid
|
||||
# clashes with other mechs (such as SAML, CAS).
|
||||
#
|
||||
# We allow "oidc" as an exception so that people migrating from old-style
|
||||
# "oidc_config" format (which has long used "oidc" as its idp_id) can migrate to
|
||||
# a new-style "oidc_providers" entry without changing the idp_id for their provider
|
||||
# (and thereby invalidating their user_external_ids data).
|
||||
|
||||
if idp_id != "oidc":
|
||||
idp_id = "oidc-" + idp_id
|
||||
|
||||
# MSC2858 also specifies that the idp_icon must be a valid MXC uri
|
||||
idp_icon = oidc_config.get("idp_icon")
|
||||
if idp_icon is not None:
|
||||
try:
|
||||
parse_and_validate_mxc_uri(idp_icon)
|
||||
except ValueError as e:
|
||||
raise ConfigError(
|
||||
"idp_icon must be a valid MXC URI", config_path + ("idp_icon",)
|
||||
) from e
|
||||
|
||||
return OidcProviderConfig(
|
||||
idp_id=idp_id,
|
||||
idp_name=oidc_config.get("idp_name", "OIDC"),
|
||||
idp_icon=idp_icon,
|
||||
discover=oidc_config.get("discover", True),
|
||||
issuer=oidc_config["issuer"],
|
||||
client_id=oidc_config["client_id"],
|
||||
|
@ -368,6 +409,9 @@ class OidcProviderConfig:
|
|||
# user-facing name for this identity provider.
|
||||
idp_name = attr.ib(type=str)
|
||||
|
||||
# Optional MXC URI for icon for this IdP.
|
||||
idp_icon = attr.ib(type=Optional[str])
|
||||
|
||||
# whether the OIDC discovery mechanism is used to discover endpoints
|
||||
discover = attr.ib(type=bool)
|
||||
|
||||
|
|
|
@ -49,10 +49,6 @@ class AccountValidityConfig(Config):
|
|||
|
||||
self.startup_job_max_delta = self.period * 10.0 / 100.0
|
||||
|
||||
if self.renew_by_email_enabled:
|
||||
if "public_baseurl" not in synapse_config:
|
||||
raise ConfigError("Can't send renewal emails without 'public_baseurl'")
|
||||
|
||||
template_dir = config.get("template_dir")
|
||||
|
||||
if not template_dir:
|
||||
|
@ -109,13 +105,6 @@ class RegistrationConfig(Config):
|
|||
account_threepid_delegates = config.get("account_threepid_delegates") or {}
|
||||
self.account_threepid_delegate_email = account_threepid_delegates.get("email")
|
||||
self.account_threepid_delegate_msisdn = account_threepid_delegates.get("msisdn")
|
||||
if self.account_threepid_delegate_msisdn and not self.public_baseurl:
|
||||
raise ConfigError(
|
||||
"The configuration option `public_baseurl` is required if "
|
||||
"`account_threepid_delegate.msisdn` is set, such that "
|
||||
"clients know where to submit validation tokens to. Please "
|
||||
"configure `public_baseurl`."
|
||||
)
|
||||
|
||||
self.default_identity_server = config.get("default_identity_server")
|
||||
self.allow_guest_access = config.get("allow_guest_access", False)
|
||||
|
@ -240,8 +229,9 @@ class RegistrationConfig(Config):
|
|||
# send an email to the account's email address with a renewal link. By
|
||||
# default, no such emails are sent.
|
||||
#
|
||||
# If you enable this setting, you will also need to fill out the 'email' and
|
||||
# 'public_baseurl' configuration sections.
|
||||
# If you enable this setting, you will also need to fill out the 'email'
|
||||
# configuration section. You should also check that 'public_baseurl' is set
|
||||
# correctly.
|
||||
#
|
||||
#renew_at: 1w
|
||||
|
||||
|
@ -332,8 +322,7 @@ class RegistrationConfig(Config):
|
|||
# The identity server which we suggest that clients should use when users log
|
||||
# in on this server.
|
||||
#
|
||||
# (By default, no suggestion is made, so it is left up to the client.
|
||||
# This setting is ignored unless public_baseurl is also set.)
|
||||
# (By default, no suggestion is made, so it is left up to the client.)
|
||||
#
|
||||
#default_identity_server: https://matrix.org
|
||||
|
||||
|
@ -358,8 +347,6 @@ class RegistrationConfig(Config):
|
|||
# by the Matrix Identity Service API specification:
|
||||
# https://matrix.org/docs/spec/identity_service/latest
|
||||
#
|
||||
# If a delegate is specified, the config option public_baseurl must also be filled out.
|
||||
#
|
||||
account_threepid_delegates:
|
||||
#email: https://example.com # Delegate email sending to example.com
|
||||
#msisdn: http://localhost:8090 # Delegate SMS sending to this local process
|
||||
|
|
|
@ -189,8 +189,6 @@ class SAML2Config(Config):
|
|||
import saml2
|
||||
|
||||
public_baseurl = self.public_baseurl
|
||||
if public_baseurl is None:
|
||||
raise ConfigError("saml2_config requires a public_baseurl to be set")
|
||||
|
||||
if self.saml2_grandfathered_mxid_source_attribute:
|
||||
optional_attributes.add(self.saml2_grandfathered_mxid_source_attribute)
|
||||
|
|
|
@ -26,7 +26,7 @@ import yaml
|
|||
from netaddr import IPSet
|
||||
|
||||
from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
|
||||
from synapse.http.endpoint import parse_and_validate_server_name
|
||||
from synapse.util.stringutils import parse_and_validate_server_name
|
||||
|
||||
from ._base import Config, ConfigError
|
||||
|
||||
|
@ -161,7 +161,11 @@ class ServerConfig(Config):
|
|||
self.print_pidfile = config.get("print_pidfile")
|
||||
self.user_agent_suffix = config.get("user_agent_suffix")
|
||||
self.use_frozen_dicts = config.get("use_frozen_dicts", False)
|
||||
self.public_baseurl = config.get("public_baseurl")
|
||||
self.public_baseurl = config.get("public_baseurl") or "https://%s/" % (
|
||||
self.server_name,
|
||||
)
|
||||
if self.public_baseurl[-1] != "/":
|
||||
self.public_baseurl += "/"
|
||||
|
||||
# Whether to enable user presence.
|
||||
self.use_presence = config.get("use_presence", True)
|
||||
|
@ -317,9 +321,6 @@ class ServerConfig(Config):
|
|||
# Always blacklist 0.0.0.0, ::
|
||||
self.federation_ip_range_blacklist.update(["0.0.0.0", "::"])
|
||||
|
||||
if self.public_baseurl is not None:
|
||||
if self.public_baseurl[-1] != "/":
|
||||
self.public_baseurl += "/"
|
||||
self.start_pushers = config.get("start_pushers", True)
|
||||
|
||||
# (undocumented) option for torturing the worker-mode replication a bit,
|
||||
|
@ -740,11 +741,16 @@ class ServerConfig(Config):
|
|||
#
|
||||
#web_client_location: https://riot.example.com/
|
||||
|
||||
# The public-facing base URL that clients use to access this HS
|
||||
# (not including _matrix/...). This is the same URL a user would
|
||||
# enter into the 'custom HS URL' field on their client. If you
|
||||
# use synapse with a reverse proxy, this should be the URL to reach
|
||||
# synapse via the proxy.
|
||||
# The public-facing base URL that clients use to access this Homeserver (not
|
||||
# including _matrix/...). This is the same URL a user might enter into the
|
||||
# 'Custom Homeserver URL' field on their client. If you use Synapse with a
|
||||
# reverse proxy, this should be the URL to reach Synapse via the proxy.
|
||||
# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
|
||||
# 'listeners' below).
|
||||
#
|
||||
# If this is left unset, it defaults to 'https://<server_name>/'. (Note that
|
||||
# that will not work unless you configure Synapse or a reverse-proxy to listen
|
||||
# on port 443.)
|
||||
#
|
||||
#public_baseurl: https://example.com/
|
||||
|
||||
|
|
|
@ -64,11 +64,8 @@ class SSOConfig(Config):
|
|||
# gracefully to the client). This would make it pointless to ask the user for
|
||||
# confirmation, since the URL the confirmation page would be showing wouldn't be
|
||||
# the client's.
|
||||
# public_baseurl is an optional setting, so we only add the fallback's URL to the
|
||||
# list if it's provided (because we can't figure out what that URL is otherwise).
|
||||
if self.public_baseurl:
|
||||
login_fallback_url = self.public_baseurl + "_matrix/static/client/login"
|
||||
self.sso_client_whitelist.append(login_fallback_url)
|
||||
login_fallback_url = self.public_baseurl + "_matrix/static/client/login"
|
||||
self.sso_client_whitelist.append(login_fallback_url)
|
||||
|
||||
def generate_config_section(self, **kwargs):
|
||||
return """\
|
||||
|
@ -86,9 +83,9 @@ class SSOConfig(Config):
|
|||
# phishing attacks from evil.site. To avoid this, include a slash after the
|
||||
# hostname: "https://my.client/".
|
||||
#
|
||||
# If public_baseurl is set, then the login fallback page (used by clients
|
||||
# that don't natively support the required login flows) is whitelisted in
|
||||
# addition to any URLs in this list.
|
||||
# The login fallback page (used by clients that don't natively support the
|
||||
# required login flows) is automatically whitelisted in addition to any URLs
|
||||
# in this list.
|
||||
#
|
||||
# By default, this list is empty.
|
||||
#
|
||||
|
|
|
@ -49,7 +49,6 @@ from synapse.events import EventBase
|
|||
from synapse.federation.federation_base import FederationBase, event_from_pdu_json
|
||||
from synapse.federation.persistence import TransactionActions
|
||||
from synapse.federation.units import Edu, Transaction
|
||||
from synapse.http.endpoint import parse_server_name
|
||||
from synapse.http.servlet import assert_params_in_dict
|
||||
from synapse.logging.context import (
|
||||
make_deferred_yieldable,
|
||||
|
@ -66,6 +65,7 @@ from synapse.types import JsonDict, get_domain_from_id
|
|||
from synapse.util import glob_to_regex, json_decoder, unwrapFirstError
|
||||
from synapse.util.async_helpers import Linearizer, concurrently_execute
|
||||
from synapse.util.caches.response_cache import ResponseCache
|
||||
from synapse.util.stringutils import parse_server_name
|
||||
|
||||
if TYPE_CHECKING:
|
||||
from synapse.server import HomeServer
|
||||
|
|
|
@ -28,7 +28,6 @@ from synapse.api.urls import (
|
|||
FEDERATION_V1_PREFIX,
|
||||
FEDERATION_V2_PREFIX,
|
||||
)
|
||||
from synapse.http.endpoint import parse_and_validate_server_name
|
||||
from synapse.http.server import JsonResource
|
||||
from synapse.http.servlet import (
|
||||
parse_boolean_from_args,
|
||||
|
@ -45,6 +44,7 @@ from synapse.logging.opentracing import (
|
|||
)
|
||||
from synapse.server import HomeServer
|
||||
from synapse.types import ThirdPartyInstanceID, get_domain_from_id
|
||||
from synapse.util.stringutils import parse_and_validate_server_name
|
||||
from synapse.util.versionstring import get_version_string
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
|
|
@ -80,6 +80,10 @@ class CasHandler:
|
|||
# user-facing name of this auth provider
|
||||
self.idp_name = "CAS"
|
||||
|
||||
# we do not currently support icons for CAS auth, but this is required by
|
||||
# the SsoIdentityProvider protocol type.
|
||||
self.idp_icon = None
|
||||
|
||||
self._sso_handler = hs.get_sso_handler()
|
||||
|
||||
self._sso_handler.register_identity_provider(self)
|
||||
|
|
|
@ -476,8 +476,6 @@ class IdentityHandler(BaseHandler):
|
|||
except RequestTimedOutError:
|
||||
raise SynapseError(500, "Timed out contacting identity server")
|
||||
|
||||
assert self.hs.config.public_baseurl
|
||||
|
||||
# we need to tell the client to send the token back to us, since it doesn't
|
||||
# otherwise know where to send it, so add submit_url response parameter
|
||||
# (see also MSC2078)
|
||||
|
|
|
@ -271,6 +271,9 @@ class OidcProvider:
|
|||
# user-facing name of this auth provider
|
||||
self.idp_name = provider.idp_name
|
||||
|
||||
# MXC URI for icon for this auth provider
|
||||
self.idp_icon = provider.idp_icon
|
||||
|
||||
self._sso_handler = hs.get_sso_handler()
|
||||
|
||||
self._sso_handler.register_identity_provider(self)
|
||||
|
|
|
@ -38,7 +38,6 @@ from synapse.api.filtering import Filter
|
|||
from synapse.api.room_versions import KNOWN_ROOM_VERSIONS, RoomVersion
|
||||
from synapse.events import EventBase
|
||||
from synapse.events.utils import copy_power_levels_contents
|
||||
from synapse.http.endpoint import parse_and_validate_server_name
|
||||
from synapse.storage.state import StateFilter
|
||||
from synapse.types import (
|
||||
JsonDict,
|
||||
|
@ -55,6 +54,7 @@ from synapse.types import (
|
|||
from synapse.util import stringutils
|
||||
from synapse.util.async_helpers import Linearizer
|
||||
from synapse.util.caches.response_cache import ResponseCache
|
||||
from synapse.util.stringutils import parse_and_validate_server_name
|
||||
from synapse.visibility import filter_events_for_client
|
||||
|
||||
from ._base import BaseHandler
|
||||
|
|
|
@ -78,6 +78,10 @@ class SamlHandler(BaseHandler):
|
|||
# user-facing name of this auth provider
|
||||
self.idp_name = "SAML"
|
||||
|
||||
# we do not currently support icons for SAML auth, but this is required by
|
||||
# the SsoIdentityProvider protocol type.
|
||||
self.idp_icon = None
|
||||
|
||||
# a map from saml session id to Saml2SessionData object
|
||||
self._outstanding_requests_dict = {} # type: Dict[str, Saml2SessionData]
|
||||
|
||||
|
|
|
@ -75,6 +75,11 @@ class SsoIdentityProvider(Protocol):
|
|||
def idp_name(self) -> str:
|
||||
"""User-facing name for this provider"""
|
||||
|
||||
@property
|
||||
def idp_icon(self) -> Optional[str]:
|
||||
"""Optional MXC URI for user-facing icon"""
|
||||
return None
|
||||
|
||||
@abc.abstractmethod
|
||||
async def handle_redirect_request(
|
||||
self,
|
||||
|
|
|
@ -1,79 +0,0 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
# Copyright 2014-2016 OpenMarket Ltd
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
import logging
|
||||
import re
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def parse_server_name(server_name):
|
||||
"""Split a server name into host/port parts.
|
||||
|
||||
Args:
|
||||
server_name (str): server name to parse
|
||||
|
||||
Returns:
|
||||
Tuple[str, int|None]: host/port parts.
|
||||
|
||||
Raises:
|
||||
ValueError if the server name could not be parsed.
|
||||
"""
|
||||
try:
|
||||
if server_name[-1] == "]":
|
||||
# ipv6 literal, hopefully
|
||||
return server_name, None
|
||||
|
||||
domain_port = server_name.rsplit(":", 1)
|
||||
domain = domain_port[0]
|
||||
port = int(domain_port[1]) if domain_port[1:] else None
|
||||
return domain, port
|
||||
except Exception:
|
||||
raise ValueError("Invalid server name '%s'" % server_name)
|
||||
|
||||
|
||||
VALID_HOST_REGEX = re.compile("\\A[0-9a-zA-Z.-]+\\Z")
|
||||
|
||||
|
||||
def parse_and_validate_server_name(server_name):
|
||||
"""Split a server name into host/port parts and do some basic validation.
|
||||
|
||||
Args:
|
||||
server_name (str): server name to parse
|
||||
|
||||
Returns:
|
||||
Tuple[str, int|None]: host/port parts.
|
||||
|
||||
Raises:
|
||||
ValueError if the server name could not be parsed.
|
||||
"""
|
||||
host, port = parse_server_name(server_name)
|
||||
|
||||
# these tests don't need to be bulletproof as we'll find out soon enough
|
||||
# if somebody is giving us invalid data. What we *do* need is to be sure
|
||||
# that nobody is sneaking IP literals in that look like hostnames, etc.
|
||||
|
||||
# look for ipv6 literals
|
||||
if host[0] == "[":
|
||||
if host[-1] != "]":
|
||||
raise ValueError("Mismatched [...] in server name '%s'" % (server_name,))
|
||||
return host, port
|
||||
|
||||
# otherwise it should only be alphanumerics.
|
||||
if not VALID_HOST_REGEX.match(host):
|
||||
raise ValueError(
|
||||
"Server name '%s' contains invalid characters" % (server_name,)
|
||||
)
|
||||
|
||||
return host, port
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue