forked from MirrorHub/synapse
Add account expiration feature
This commit is contained in:
parent
35442efb75
commit
747aa9f8ca
10 changed files with 144 additions and 4 deletions
1
changelog.d/5027.feature
Normal file
1
changelog.d/5027.feature
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Add time-based account expiration.
|
|
@ -643,6 +643,12 @@ uploads_path: "DATADIR/uploads"
|
||||||
#
|
#
|
||||||
#enable_registration: false
|
#enable_registration: false
|
||||||
|
|
||||||
|
# Optional account validity parameter. This allows for, e.g., accounts to
|
||||||
|
# be denied any request after a given period.
|
||||||
|
#
|
||||||
|
#account_validity:
|
||||||
|
# period: 6w
|
||||||
|
|
||||||
# The user must provide all of the below types of 3PID when registering.
|
# The user must provide all of the below types of 3PID when registering.
|
||||||
#
|
#
|
||||||
#registrations_require_3pid:
|
#registrations_require_3pid:
|
||||||
|
|
|
@ -64,6 +64,8 @@ class Auth(object):
|
||||||
self.token_cache = LruCache(CACHE_SIZE_FACTOR * 10000)
|
self.token_cache = LruCache(CACHE_SIZE_FACTOR * 10000)
|
||||||
register_cache("cache", "token_cache", self.token_cache)
|
register_cache("cache", "token_cache", self.token_cache)
|
||||||
|
|
||||||
|
self._account_validity = hs.config.account_validity
|
||||||
|
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
def check_from_context(self, room_version, event, context, do_sig_check=True):
|
def check_from_context(self, room_version, event, context, do_sig_check=True):
|
||||||
prev_state_ids = yield context.get_prev_state_ids(self.store)
|
prev_state_ids = yield context.get_prev_state_ids(self.store)
|
||||||
|
@ -226,6 +228,16 @@ class Auth(object):
|
||||||
token_id = user_info["token_id"]
|
token_id = user_info["token_id"]
|
||||||
is_guest = user_info["is_guest"]
|
is_guest = user_info["is_guest"]
|
||||||
|
|
||||||
|
# Deny the request if the user account has expired.
|
||||||
|
if self._account_validity.enabled:
|
||||||
|
expiration_ts = yield self.store.get_expiration_ts_for_user(user)
|
||||||
|
if self.clock.time_msec() >= expiration_ts:
|
||||||
|
raise AuthError(
|
||||||
|
403,
|
||||||
|
"User account has expired",
|
||||||
|
errcode=Codes.EXPIRED_ACCOUNT,
|
||||||
|
)
|
||||||
|
|
||||||
# device_id may not be present if get_user_by_access_token has been
|
# device_id may not be present if get_user_by_access_token has been
|
||||||
# stubbed out.
|
# stubbed out.
|
||||||
device_id = user_info.get("device_id")
|
device_id = user_info.get("device_id")
|
||||||
|
|
|
@ -60,6 +60,7 @@ class Codes(object):
|
||||||
UNSUPPORTED_ROOM_VERSION = "M_UNSUPPORTED_ROOM_VERSION"
|
UNSUPPORTED_ROOM_VERSION = "M_UNSUPPORTED_ROOM_VERSION"
|
||||||
INCOMPATIBLE_ROOM_VERSION = "M_INCOMPATIBLE_ROOM_VERSION"
|
INCOMPATIBLE_ROOM_VERSION = "M_INCOMPATIBLE_ROOM_VERSION"
|
||||||
WRONG_ROOM_KEYS_VERSION = "M_WRONG_ROOM_KEYS_VERSION"
|
WRONG_ROOM_KEYS_VERSION = "M_WRONG_ROOM_KEYS_VERSION"
|
||||||
|
EXPIRED_ACCOUNT = "ORG_MATRIX_EXPIRED_ACCOUNT"
|
||||||
|
|
||||||
|
|
||||||
class CodeMessageException(RuntimeError):
|
class CodeMessageException(RuntimeError):
|
||||||
|
|
|
@ -20,6 +20,15 @@ from synapse.types import RoomAlias
|
||||||
from synapse.util.stringutils import random_string_with_symbols
|
from synapse.util.stringutils import random_string_with_symbols
|
||||||
|
|
||||||
|
|
||||||
|
class AccountValidityConfig(Config):
|
||||||
|
def __init__(self, config):
|
||||||
|
self.enabled = (len(config) > 0)
|
||||||
|
|
||||||
|
period = config.get("period", None)
|
||||||
|
if period:
|
||||||
|
self.period = self.parse_duration(period)
|
||||||
|
|
||||||
|
|
||||||
class RegistrationConfig(Config):
|
class RegistrationConfig(Config):
|
||||||
|
|
||||||
def read_config(self, config):
|
def read_config(self, config):
|
||||||
|
@ -31,6 +40,8 @@ class RegistrationConfig(Config):
|
||||||
strtobool(str(config["disable_registration"]))
|
strtobool(str(config["disable_registration"]))
|
||||||
)
|
)
|
||||||
|
|
||||||
|
self.account_validity = AccountValidityConfig(config.get("account_validity", {}))
|
||||||
|
|
||||||
self.registrations_require_3pid = config.get("registrations_require_3pid", [])
|
self.registrations_require_3pid = config.get("registrations_require_3pid", [])
|
||||||
self.allowed_local_3pids = config.get("allowed_local_3pids", [])
|
self.allowed_local_3pids = config.get("allowed_local_3pids", [])
|
||||||
self.registration_shared_secret = config.get("registration_shared_secret")
|
self.registration_shared_secret = config.get("registration_shared_secret")
|
||||||
|
@ -75,6 +86,12 @@ class RegistrationConfig(Config):
|
||||||
#
|
#
|
||||||
#enable_registration: false
|
#enable_registration: false
|
||||||
|
|
||||||
|
# Optional account validity parameter. This allows for, e.g., accounts to
|
||||||
|
# be denied any request after a given period.
|
||||||
|
#
|
||||||
|
#account_validity:
|
||||||
|
# period: 6w
|
||||||
|
|
||||||
# The user must provide all of the below types of 3PID when registering.
|
# The user must provide all of the below types of 3PID when registering.
|
||||||
#
|
#
|
||||||
#registrations_require_3pid:
|
#registrations_require_3pid:
|
||||||
|
|
|
@ -25,7 +25,7 @@ logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
# Remember to update this number every time a change is made to database
|
# Remember to update this number every time a change is made to database
|
||||||
# schema files, so the users will be informed on server restarts.
|
# schema files, so the users will be informed on server restarts.
|
||||||
SCHEMA_VERSION = 53
|
SCHEMA_VERSION = 54
|
||||||
|
|
||||||
dir_path = os.path.abspath(os.path.dirname(__file__))
|
dir_path = os.path.abspath(os.path.dirname(__file__))
|
||||||
|
|
||||||
|
|
|
@ -86,6 +86,26 @@ class RegistrationWorkerStore(SQLBaseStore):
|
||||||
token
|
token
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@cachedInlineCallbacks()
|
||||||
|
def get_expiration_ts_for_user(self, user):
|
||||||
|
"""Get the expiration timestamp for the account bearing a given user ID.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
user (str): The ID of the user.
|
||||||
|
Returns:
|
||||||
|
defer.Deferred: None, if the account has no expiration timestamp,
|
||||||
|
otherwise int representation of the timestamp (as a number of
|
||||||
|
milliseconds since epoch).
|
||||||
|
"""
|
||||||
|
res = yield self._simple_select_one_onecol(
|
||||||
|
table="account_validity",
|
||||||
|
keyvalues={"user_id": user.to_string()},
|
||||||
|
retcol="expiration_ts_ms",
|
||||||
|
allow_none=True,
|
||||||
|
desc="get_expiration_date_for_user",
|
||||||
|
)
|
||||||
|
defer.returnValue(res)
|
||||||
|
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
def is_server_admin(self, user):
|
def is_server_admin(self, user):
|
||||||
res = yield self._simple_select_one_onecol(
|
res = yield self._simple_select_one_onecol(
|
||||||
|
@ -351,6 +371,8 @@ class RegistrationStore(RegistrationWorkerStore,
|
||||||
columns=["creation_ts"],
|
columns=["creation_ts"],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
self._account_validity = hs.config.account_validity
|
||||||
|
|
||||||
# we no longer use refresh tokens, but it's possible that some people
|
# we no longer use refresh tokens, but it's possible that some people
|
||||||
# might have a background update queued to build this index. Just
|
# might have a background update queued to build this index. Just
|
||||||
# clear the background update.
|
# clear the background update.
|
||||||
|
@ -485,6 +507,18 @@ class RegistrationStore(RegistrationWorkerStore,
|
||||||
"user_type": user_type,
|
"user_type": user_type,
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
if self._account_validity.enabled:
|
||||||
|
now_ms = self.clock.time_msec()
|
||||||
|
expiration_ts = now_ms + self._account_validity.period
|
||||||
|
self._simple_insert_txn(
|
||||||
|
txn,
|
||||||
|
"account_validity",
|
||||||
|
values={
|
||||||
|
"user_id": user_id,
|
||||||
|
"expiration_ts_ms": expiration_ts,
|
||||||
|
}
|
||||||
|
)
|
||||||
except self.database_engine.module.IntegrityError:
|
except self.database_engine.module.IntegrityError:
|
||||||
raise StoreError(
|
raise StoreError(
|
||||||
400, "User ID already taken.", errcode=Codes.USER_IN_USE
|
400, "User ID already taken.", errcode=Codes.USER_IN_USE
|
||||||
|
|
20
synapse/storage/schema/delta/54/account_validity.sql
Normal file
20
synapse/storage/schema/delta/54/account_validity.sql
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
/* Copyright 2019 New Vector Ltd
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
-- Track what users are in public rooms.
|
||||||
|
CREATE TABLE IF NOT EXISTS account_validity (
|
||||||
|
user_id TEXT PRIMARY KEY,
|
||||||
|
expiration_ts_ms BIGINT NOT NULL
|
||||||
|
);
|
|
@ -1,15 +1,18 @@
|
||||||
|
import datetime
|
||||||
import json
|
import json
|
||||||
|
|
||||||
from synapse.api.constants import LoginType
|
from synapse.api.constants import LoginType
|
||||||
|
from synapse.api.errors import Codes
|
||||||
from synapse.appservice import ApplicationService
|
from synapse.appservice import ApplicationService
|
||||||
from synapse.rest.client.v2_alpha.register import register_servlets
|
from synapse.rest.client.v1 import admin, login
|
||||||
|
from synapse.rest.client.v2_alpha import register, sync
|
||||||
|
|
||||||
from tests import unittest
|
from tests import unittest
|
||||||
|
|
||||||
|
|
||||||
class RegisterRestServletTestCase(unittest.HomeserverTestCase):
|
class RegisterRestServletTestCase(unittest.HomeserverTestCase):
|
||||||
|
|
||||||
servlets = [register_servlets]
|
servlets = [register.register_servlets]
|
||||||
|
|
||||||
def make_homeserver(self, reactor, clock):
|
def make_homeserver(self, reactor, clock):
|
||||||
|
|
||||||
|
@ -181,3 +184,47 @@ class RegisterRestServletTestCase(unittest.HomeserverTestCase):
|
||||||
self.render(request)
|
self.render(request)
|
||||||
|
|
||||||
self.assertEquals(channel.result["code"], b"200", channel.result)
|
self.assertEquals(channel.result["code"], b"200", channel.result)
|
||||||
|
|
||||||
|
|
||||||
|
class AccountValidityTestCase(unittest.HomeserverTestCase):
|
||||||
|
|
||||||
|
servlets = [
|
||||||
|
register.register_servlets,
|
||||||
|
admin.register_servlets,
|
||||||
|
login.register_servlets,
|
||||||
|
sync.register_servlets,
|
||||||
|
]
|
||||||
|
|
||||||
|
def make_homeserver(self, reactor, clock):
|
||||||
|
config = self.default_config()
|
||||||
|
config.enable_registration = True
|
||||||
|
config.account_validity.enabled = True
|
||||||
|
config.account_validity.period = 604800000 # Time in ms for 1 week
|
||||||
|
self.hs = self.setup_test_homeserver(config=config)
|
||||||
|
|
||||||
|
return self.hs
|
||||||
|
|
||||||
|
def test_validity_period(self):
|
||||||
|
self.register_user("kermit", "monkey")
|
||||||
|
tok = self.login("kermit", "monkey")
|
||||||
|
|
||||||
|
# The specific endpoint doesn't matter, all we need is an authenticated
|
||||||
|
# endpoint.
|
||||||
|
request, channel = self.make_request(
|
||||||
|
b"GET", "/sync", access_token=tok,
|
||||||
|
)
|
||||||
|
self.render(request)
|
||||||
|
|
||||||
|
self.assertEquals(channel.result["code"], b"200", channel.result)
|
||||||
|
|
||||||
|
self.reactor.advance(datetime.timedelta(weeks=1).total_seconds())
|
||||||
|
|
||||||
|
request, channel = self.make_request(
|
||||||
|
b"GET", "/sync", access_token=tok,
|
||||||
|
)
|
||||||
|
self.render(request)
|
||||||
|
|
||||||
|
self.assertEquals(channel.result["code"], b"403", channel.result)
|
||||||
|
self.assertEquals(
|
||||||
|
channel.json_body["errcode"], Codes.EXPIRED_ACCOUNT, channel.result,
|
||||||
|
)
|
||||||
|
|
|
@ -24,7 +24,7 @@ from synapse.state import StateHandler, StateResolutionHandler
|
||||||
|
|
||||||
from tests import unittest
|
from tests import unittest
|
||||||
|
|
||||||
from .utils import MockClock
|
from .utils import MockClock, default_config
|
||||||
|
|
||||||
_next_event_id = 1000
|
_next_event_id = 1000
|
||||||
|
|
||||||
|
@ -159,6 +159,7 @@ class StateTestCase(unittest.TestCase):
|
||||||
self.store = StateGroupStore()
|
self.store = StateGroupStore()
|
||||||
hs = Mock(
|
hs = Mock(
|
||||||
spec_set=[
|
spec_set=[
|
||||||
|
"config",
|
||||||
"get_datastore",
|
"get_datastore",
|
||||||
"get_auth",
|
"get_auth",
|
||||||
"get_state_handler",
|
"get_state_handler",
|
||||||
|
@ -166,6 +167,7 @@ class StateTestCase(unittest.TestCase):
|
||||||
"get_state_resolution_handler",
|
"get_state_resolution_handler",
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
|
hs.config = default_config("tesths")
|
||||||
hs.get_datastore.return_value = self.store
|
hs.get_datastore.return_value = self.store
|
||||||
hs.get_state_handler.return_value = None
|
hs.get_state_handler.return_value = None
|
||||||
hs.get_clock.return_value = MockClock()
|
hs.get_clock.return_value = MockClock()
|
||||||
|
|
Loading…
Reference in a new issue