Tighten the restrictions on idp_id (#9177)

2021-01-20 13:55:14 +00:00 · 2021-01-20 13:55:14 +00:00 · e51b2f3f91
commit e51b2f3f91
parent 0cd2938bc8
2 changed files with 10 additions and 3 deletions
--- a/changelog.d/9177.feature
+++ b/changelog.d/9177.feature
@ -0,0 +1 @@
+Add support for multiple SSO Identity Providers.
--- a/synapse/config/oidc_config.py
+++ b/synapse/config/oidc_config.py
@ -331,17 +331,23 @@ def _parse_oidc_config_dict(
            config_path + ("user_mapping_provider", "module"),
        )

-    # MSC2858 will appy certain limits in what can be used as an IdP id, so let's
+    # MSC2858 will apply certain limits in what can be used as an IdP id, so let's
    # enforce those limits now.
+    # TODO: factor out this stuff to a generic function
    idp_id = oidc_config.get("idp_id", "oidc")
-    valid_idp_chars = set(string.ascii_letters + string.digits + "-._~")
+    valid_idp_chars = set(string.ascii_lowercase + string.digits + "-._")

    if any(c not in valid_idp_chars for c in idp_id):
        raise ConfigError(
-            'idp_id may only contain A-Z, a-z, 0-9, "-", ".", "_", "~"',
+            'idp_id may only contain a-z, 0-9, "-", ".", "_"',
            config_path + ("idp_id",),
        )

+    if idp_id[0] not in string.ascii_lowercase:
+        raise ConfigError(
+            "idp_id must start with a-z", config_path + ("idp_id",),
+        )
+
    # MSC2858 also specifies that the idp_icon must be a valid MXC uri
    idp_icon = oidc_config.get("idp_icon")
    if idp_icon is not None:
				`@ -0,0 +1 @@`
				`Add support for multiple SSO Identity Providers.`