mirror of
https://git.anonymousland.org/anonymousland/synapse.git
synced 2025-01-06 18:57:51 -05:00
Implement login blocking based on SAML attributes (#8052)
Hopefully this mostly speaks for itself. I also did a bit of cleaning up of the error handling. Fixes #8047
This commit is contained in:
parent
aa827b6ad7
commit
0cb169900e
1
changelog.d/8052.feature
Normal file
1
changelog.d/8052.feature
Normal file
@ -0,0 +1 @@
|
|||||||
|
Allow login to be blocked based on the values of SAML attributes.
|
@ -1577,6 +1577,17 @@ saml2_config:
|
|||||||
#
|
#
|
||||||
#grandfathered_mxid_source_attribute: upn
|
#grandfathered_mxid_source_attribute: upn
|
||||||
|
|
||||||
|
# It is possible to configure Synapse to only allow logins if SAML attributes
|
||||||
|
# match particular values. The requirements can be listed under
|
||||||
|
# `attribute_requirements` as shown below. All of the listed attributes must
|
||||||
|
# match for the login to be permitted.
|
||||||
|
#
|
||||||
|
#attribute_requirements:
|
||||||
|
# - attribute: userGroup
|
||||||
|
# value: "staff"
|
||||||
|
# - attribute: department
|
||||||
|
# value: "sales"
|
||||||
|
|
||||||
# Directory in which Synapse will try to find the template files below.
|
# Directory in which Synapse will try to find the template files below.
|
||||||
# If not set, default templates from within the Synapse package will be used.
|
# If not set, default templates from within the Synapse package will be used.
|
||||||
#
|
#
|
||||||
|
49
synapse/config/_util.py
Normal file
49
synapse/config/_util.py
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
# Copyright 2020 The Matrix.org Foundation C.I.C.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
from typing import Any, List
|
||||||
|
|
||||||
|
import jsonschema
|
||||||
|
|
||||||
|
from synapse.config._base import ConfigError
|
||||||
|
from synapse.types import JsonDict
|
||||||
|
|
||||||
|
|
||||||
|
def validate_config(json_schema: JsonDict, config: Any, config_path: List[str]) -> None:
|
||||||
|
"""Validates a config setting against a JsonSchema definition
|
||||||
|
|
||||||
|
This can be used to validate a section of the config file against a schema
|
||||||
|
definition. If the validation fails, a ConfigError is raised with a textual
|
||||||
|
description of the problem.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
json_schema: the schema to validate against
|
||||||
|
config: the configuration value to be validated
|
||||||
|
config_path: the path within the config file. This will be used as a basis
|
||||||
|
for the error message.
|
||||||
|
"""
|
||||||
|
try:
|
||||||
|
jsonschema.validate(config, json_schema)
|
||||||
|
except jsonschema.ValidationError as e:
|
||||||
|
# copy `config_path` before modifying it.
|
||||||
|
path = list(config_path)
|
||||||
|
for p in list(e.path):
|
||||||
|
if isinstance(p, int):
|
||||||
|
path.append("<item %i>" % p)
|
||||||
|
else:
|
||||||
|
path.append(str(p))
|
||||||
|
|
||||||
|
raise ConfigError(
|
||||||
|
"Unable to parse configuration: %s at %s" % (e.message, ".".join(path))
|
||||||
|
)
|
@ -15,7 +15,9 @@
|
|||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
import logging
|
import logging
|
||||||
|
from typing import Any, List
|
||||||
|
|
||||||
|
import attr
|
||||||
import jinja2
|
import jinja2
|
||||||
import pkg_resources
|
import pkg_resources
|
||||||
|
|
||||||
@ -23,6 +25,7 @@ from synapse.python_dependencies import DependencyException, check_requirements
|
|||||||
from synapse.util.module_loader import load_module, load_python_module
|
from synapse.util.module_loader import load_module, load_python_module
|
||||||
|
|
||||||
from ._base import Config, ConfigError
|
from ._base import Config, ConfigError
|
||||||
|
from ._util import validate_config
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
@ -80,6 +83,11 @@ class SAML2Config(Config):
|
|||||||
|
|
||||||
self.saml2_enabled = True
|
self.saml2_enabled = True
|
||||||
|
|
||||||
|
attribute_requirements = saml2_config.get("attribute_requirements") or []
|
||||||
|
self.attribute_requirements = _parse_attribute_requirements_def(
|
||||||
|
attribute_requirements
|
||||||
|
)
|
||||||
|
|
||||||
self.saml2_grandfathered_mxid_source_attribute = saml2_config.get(
|
self.saml2_grandfathered_mxid_source_attribute = saml2_config.get(
|
||||||
"grandfathered_mxid_source_attribute", "uid"
|
"grandfathered_mxid_source_attribute", "uid"
|
||||||
)
|
)
|
||||||
@ -341,6 +349,17 @@ class SAML2Config(Config):
|
|||||||
#
|
#
|
||||||
#grandfathered_mxid_source_attribute: upn
|
#grandfathered_mxid_source_attribute: upn
|
||||||
|
|
||||||
|
# It is possible to configure Synapse to only allow logins if SAML attributes
|
||||||
|
# match particular values. The requirements can be listed under
|
||||||
|
# `attribute_requirements` as shown below. All of the listed attributes must
|
||||||
|
# match for the login to be permitted.
|
||||||
|
#
|
||||||
|
#attribute_requirements:
|
||||||
|
# - attribute: userGroup
|
||||||
|
# value: "staff"
|
||||||
|
# - attribute: department
|
||||||
|
# value: "sales"
|
||||||
|
|
||||||
# Directory in which Synapse will try to find the template files below.
|
# Directory in which Synapse will try to find the template files below.
|
||||||
# If not set, default templates from within the Synapse package will be used.
|
# If not set, default templates from within the Synapse package will be used.
|
||||||
#
|
#
|
||||||
@ -368,3 +387,34 @@ class SAML2Config(Config):
|
|||||||
""" % {
|
""" % {
|
||||||
"config_dir_path": config_dir_path
|
"config_dir_path": config_dir_path
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@attr.s(frozen=True)
|
||||||
|
class SamlAttributeRequirement:
|
||||||
|
"""Object describing a single requirement for SAML attributes."""
|
||||||
|
|
||||||
|
attribute = attr.ib(type=str)
|
||||||
|
value = attr.ib(type=str)
|
||||||
|
|
||||||
|
JSON_SCHEMA = {
|
||||||
|
"type": "object",
|
||||||
|
"properties": {"attribute": {"type": "string"}, "value": {"type": "string"}},
|
||||||
|
"required": ["attribute", "value"],
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
ATTRIBUTE_REQUIREMENTS_SCHEMA = {
|
||||||
|
"type": "array",
|
||||||
|
"items": SamlAttributeRequirement.JSON_SCHEMA,
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
def _parse_attribute_requirements_def(
|
||||||
|
attribute_requirements: Any,
|
||||||
|
) -> List[SamlAttributeRequirement]:
|
||||||
|
validate_config(
|
||||||
|
ATTRIBUTE_REQUIREMENTS_SCHEMA,
|
||||||
|
attribute_requirements,
|
||||||
|
config_path=["saml2_config", "attribute_requirements"],
|
||||||
|
)
|
||||||
|
return [SamlAttributeRequirement(**x) for x in attribute_requirements]
|
||||||
|
@ -14,15 +14,16 @@
|
|||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
import logging
|
import logging
|
||||||
import re
|
import re
|
||||||
from typing import Callable, Dict, Optional, Set, Tuple
|
from typing import TYPE_CHECKING, Callable, Dict, Optional, Set, Tuple
|
||||||
|
|
||||||
import attr
|
import attr
|
||||||
import saml2
|
import saml2
|
||||||
import saml2.response
|
import saml2.response
|
||||||
from saml2.client import Saml2Client
|
from saml2.client import Saml2Client
|
||||||
|
|
||||||
from synapse.api.errors import SynapseError
|
from synapse.api.errors import AuthError, SynapseError
|
||||||
from synapse.config import ConfigError
|
from synapse.config import ConfigError
|
||||||
|
from synapse.config.saml2_config import SamlAttributeRequirement
|
||||||
from synapse.http.servlet import parse_string
|
from synapse.http.servlet import parse_string
|
||||||
from synapse.http.site import SynapseRequest
|
from synapse.http.site import SynapseRequest
|
||||||
from synapse.module_api import ModuleApi
|
from synapse.module_api import ModuleApi
|
||||||
@ -34,6 +35,9 @@ from synapse.types import (
|
|||||||
from synapse.util.async_helpers import Linearizer
|
from synapse.util.async_helpers import Linearizer
|
||||||
from synapse.util.iterutils import chunk_seq
|
from synapse.util.iterutils import chunk_seq
|
||||||
|
|
||||||
|
if TYPE_CHECKING:
|
||||||
|
import synapse.server
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
@ -49,7 +53,7 @@ class Saml2SessionData:
|
|||||||
|
|
||||||
|
|
||||||
class SamlHandler:
|
class SamlHandler:
|
||||||
def __init__(self, hs):
|
def __init__(self, hs: "synapse.server.HomeServer"):
|
||||||
self._saml_client = Saml2Client(hs.config.saml2_sp_config)
|
self._saml_client = Saml2Client(hs.config.saml2_sp_config)
|
||||||
self._auth = hs.get_auth()
|
self._auth = hs.get_auth()
|
||||||
self._auth_handler = hs.get_auth_handler()
|
self._auth_handler = hs.get_auth_handler()
|
||||||
@ -62,6 +66,7 @@ class SamlHandler:
|
|||||||
self._grandfathered_mxid_source_attribute = (
|
self._grandfathered_mxid_source_attribute = (
|
||||||
hs.config.saml2_grandfathered_mxid_source_attribute
|
hs.config.saml2_grandfathered_mxid_source_attribute
|
||||||
)
|
)
|
||||||
|
self._saml2_attribute_requirements = hs.config.saml2.attribute_requirements
|
||||||
|
|
||||||
# plugin to do custom mapping from saml response to mxid
|
# plugin to do custom mapping from saml response to mxid
|
||||||
self._user_mapping_provider = hs.config.saml2_user_mapping_provider_class(
|
self._user_mapping_provider = hs.config.saml2_user_mapping_provider_class(
|
||||||
@ -73,7 +78,7 @@ class SamlHandler:
|
|||||||
self._auth_provider_id = "saml"
|
self._auth_provider_id = "saml"
|
||||||
|
|
||||||
# a map from saml session id to Saml2SessionData object
|
# a map from saml session id to Saml2SessionData object
|
||||||
self._outstanding_requests_dict = {}
|
self._outstanding_requests_dict = {} # type: Dict[str, Saml2SessionData]
|
||||||
|
|
||||||
# a lock on the mappings
|
# a lock on the mappings
|
||||||
self._mapping_lock = Linearizer(name="saml_mapping", clock=self._clock)
|
self._mapping_lock = Linearizer(name="saml_mapping", clock=self._clock)
|
||||||
@ -165,11 +170,18 @@ class SamlHandler:
|
|||||||
saml2.BINDING_HTTP_POST,
|
saml2.BINDING_HTTP_POST,
|
||||||
outstanding=self._outstanding_requests_dict,
|
outstanding=self._outstanding_requests_dict,
|
||||||
)
|
)
|
||||||
|
except saml2.response.UnsolicitedResponse as e:
|
||||||
|
# the pysaml2 library helpfully logs an ERROR here, but neglects to log
|
||||||
|
# the session ID. I don't really want to put the full text of the exception
|
||||||
|
# in the (user-visible) exception message, so let's log the exception here
|
||||||
|
# so we can track down the session IDs later.
|
||||||
|
logger.warning(str(e))
|
||||||
|
raise SynapseError(400, "Unexpected SAML2 login.")
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
raise SynapseError(400, "Unable to parse SAML2 response: %s" % (e,))
|
raise SynapseError(400, "Unable to parse SAML2 response: %s." % (e,))
|
||||||
|
|
||||||
if saml2_auth.not_signed:
|
if saml2_auth.not_signed:
|
||||||
raise SynapseError(400, "SAML2 response was not signed")
|
raise SynapseError(400, "SAML2 response was not signed.")
|
||||||
|
|
||||||
logger.debug("SAML2 response: %s", saml2_auth.origxml)
|
logger.debug("SAML2 response: %s", saml2_auth.origxml)
|
||||||
for assertion in saml2_auth.assertions:
|
for assertion in saml2_auth.assertions:
|
||||||
@ -188,6 +200,9 @@ class SamlHandler:
|
|||||||
saml2_auth.in_response_to, None
|
saml2_auth.in_response_to, None
|
||||||
)
|
)
|
||||||
|
|
||||||
|
for requirement in self._saml2_attribute_requirements:
|
||||||
|
_check_attribute_requirement(saml2_auth.ava, requirement)
|
||||||
|
|
||||||
remote_user_id = self._user_mapping_provider.get_remote_user_id(
|
remote_user_id = self._user_mapping_provider.get_remote_user_id(
|
||||||
saml2_auth, client_redirect_url
|
saml2_auth, client_redirect_url
|
||||||
)
|
)
|
||||||
@ -294,6 +309,21 @@ class SamlHandler:
|
|||||||
del self._outstanding_requests_dict[reqid]
|
del self._outstanding_requests_dict[reqid]
|
||||||
|
|
||||||
|
|
||||||
|
def _check_attribute_requirement(ava: dict, req: SamlAttributeRequirement):
|
||||||
|
values = ava.get(req.attribute, [])
|
||||||
|
for v in values:
|
||||||
|
if v == req.value:
|
||||||
|
return
|
||||||
|
|
||||||
|
logger.info(
|
||||||
|
"SAML2 attribute %s did not match required value '%s' (was '%s')",
|
||||||
|
req.attribute,
|
||||||
|
req.value,
|
||||||
|
values,
|
||||||
|
)
|
||||||
|
raise AuthError(403, "You are not authorized to log in here.")
|
||||||
|
|
||||||
|
|
||||||
DOT_REPLACE_PATTERN = re.compile(
|
DOT_REPLACE_PATTERN = re.compile(
|
||||||
("[^%s]" % (re.escape("".join(mxid_localpart_allowed_characters)),))
|
("[^%s]" % (re.escape("".join(mxid_localpart_allowed_characters)),))
|
||||||
)
|
)
|
||||||
|
@ -2,10 +2,17 @@
|
|||||||
<html lang="en">
|
<html lang="en">
|
||||||
<head>
|
<head>
|
||||||
<meta charset="UTF-8">
|
<meta charset="UTF-8">
|
||||||
<title>SSO error</title>
|
<title>SSO login error</title>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
<p>Oops! Something went wrong during authentication<span id="errormsg"></span>.</p>
|
{# a 403 means we have actively rejected their login #}
|
||||||
|
{% if code == 403 %}
|
||||||
|
<p>You are not allowed to log in here.</p>
|
||||||
|
{% else %}
|
||||||
|
<p>
|
||||||
|
There was an error during authentication:
|
||||||
|
</p>
|
||||||
|
<div id="errormsg" style="margin:20px 80px">{{ msg }}</div>
|
||||||
<p>
|
<p>
|
||||||
If you are seeing this page after clicking a link sent to you via email, make
|
If you are seeing this page after clicking a link sent to you via email, make
|
||||||
sure you only click the confirmation link once, and that you open the
|
sure you only click the confirmation link once, and that you open the
|
||||||
@ -37,9 +44,9 @@
|
|||||||
// to print one.
|
// to print one.
|
||||||
let errorDesc = new URLSearchParams(searchStr).get("error_description")
|
let errorDesc = new URLSearchParams(searchStr).get("error_description")
|
||||||
if (errorDesc) {
|
if (errorDesc) {
|
||||||
|
document.getElementById("errormsg").innerText = errorDesc;
|
||||||
document.getElementById("errormsg").innerText = ` ("${errorDesc}")`;
|
|
||||||
}
|
}
|
||||||
</script>
|
</script>
|
||||||
|
{% endif %}
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
Loading…
Reference in New Issue
Block a user