mirror of
https://git.anonymousland.org/anonymousland/synapse.git
synced 2024-12-25 21:09:25 -05:00
Fix a regression that mapping providers should be able to redirect users. (#8878)
This was broken in #8801.
This commit is contained in:
parent
295c209cdd
commit
22c6c19f91
1
changelog.d/8878.bugfix
Normal file
1
changelog.d/8878.bugfix
Normal file
@ -0,0 +1 @@
|
|||||||
|
Fix a regression in v1.24.0rc1 which failed to allow SAML mapping providers which were unable to redirect users to an additional page.
|
@ -169,6 +169,13 @@ A custom mapping provider must specify the following methods:
|
|||||||
* `emails` - A list of emails for the new user. If not provided, will
|
* `emails` - A list of emails for the new user. If not provided, will
|
||||||
default to an empty list.
|
default to an empty list.
|
||||||
|
|
||||||
|
Alternatively it can raise a `synapse.api.errors.RedirectException` to
|
||||||
|
redirect the user to another page. This is useful to prompt the user for
|
||||||
|
additional information, e.g. if you want them to provide their own username.
|
||||||
|
It is the responsibility of the mapping provider to either redirect back
|
||||||
|
to `client_redirect_url` (including any additional information) or to
|
||||||
|
complete registration using methods from the `ModuleApi`.
|
||||||
|
|
||||||
### Default SAML Mapping Provider
|
### Default SAML Mapping Provider
|
||||||
|
|
||||||
Synapse has a built-in SAML mapping provider if a custom provider isn't
|
Synapse has a built-in SAML mapping provider if a custom provider isn't
|
||||||
|
@ -888,7 +888,7 @@ class OidcHandler(BaseHandler):
|
|||||||
# continue to already be in use. Note that the error raised is
|
# continue to already be in use. Note that the error raised is
|
||||||
# arbitrary and will get turned into a MappingException.
|
# arbitrary and will get turned into a MappingException.
|
||||||
if failures:
|
if failures:
|
||||||
raise RuntimeError(
|
raise MappingException(
|
||||||
"Mapping provider does not support de-duplicating Matrix IDs"
|
"Mapping provider does not support de-duplicating Matrix IDs"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -17,6 +17,7 @@ from typing import TYPE_CHECKING, Awaitable, Callable, List, Optional
|
|||||||
|
|
||||||
import attr
|
import attr
|
||||||
|
|
||||||
|
from synapse.api.errors import RedirectException
|
||||||
from synapse.handlers._base import BaseHandler
|
from synapse.handlers._base import BaseHandler
|
||||||
from synapse.http.server import respond_with_html
|
from synapse.http.server import respond_with_html
|
||||||
from synapse.types import UserID, contains_invalid_mxid_characters
|
from synapse.types import UserID, contains_invalid_mxid_characters
|
||||||
@ -28,7 +29,9 @@ logger = logging.getLogger(__name__)
|
|||||||
|
|
||||||
|
|
||||||
class MappingException(Exception):
|
class MappingException(Exception):
|
||||||
"""Used to catch errors when mapping the UserInfo object
|
"""Used to catch errors when mapping an SSO response to user attributes.
|
||||||
|
|
||||||
|
Note that the msg that is raised is shown to end-users.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
|
||||||
@ -145,6 +148,14 @@ class SsoHandler(BaseHandler):
|
|||||||
sso_to_matrix_id_mapper: A callable to generate the user attributes.
|
sso_to_matrix_id_mapper: A callable to generate the user attributes.
|
||||||
The only parameter is an integer which represents the amount of
|
The only parameter is an integer which represents the amount of
|
||||||
times the returned mxid localpart mapping has failed.
|
times the returned mxid localpart mapping has failed.
|
||||||
|
|
||||||
|
It is expected that the mapper can raise two exceptions, which
|
||||||
|
will get passed through to the caller:
|
||||||
|
|
||||||
|
MappingException if there was a problem mapping the response
|
||||||
|
to the user.
|
||||||
|
RedirectException to redirect to an additional page (e.g.
|
||||||
|
to prompt the user for more information).
|
||||||
grandfather_existing_users: A callable which can return an previously
|
grandfather_existing_users: A callable which can return an previously
|
||||||
existing matrix ID. The SSO ID is then linked to the returned
|
existing matrix ID. The SSO ID is then linked to the returned
|
||||||
matrix ID.
|
matrix ID.
|
||||||
@ -154,8 +165,8 @@ class SsoHandler(BaseHandler):
|
|||||||
|
|
||||||
Raises:
|
Raises:
|
||||||
MappingException if there was a problem mapping the response to a user.
|
MappingException if there was a problem mapping the response to a user.
|
||||||
RedirectException: some mapping providers may raise this if they need
|
RedirectException: if the mapping provider needs to redirect the user
|
||||||
to redirect to an interstitial page.
|
to an additional page. (e.g. to prompt for more information)
|
||||||
|
|
||||||
"""
|
"""
|
||||||
# first of all, check if we already have a mapping for this user
|
# first of all, check if we already have a mapping for this user
|
||||||
@ -179,10 +190,16 @@ class SsoHandler(BaseHandler):
|
|||||||
for i in range(self._MAP_USERNAME_RETRIES):
|
for i in range(self._MAP_USERNAME_RETRIES):
|
||||||
try:
|
try:
|
||||||
attributes = await sso_to_matrix_id_mapper(i)
|
attributes = await sso_to_matrix_id_mapper(i)
|
||||||
|
except (RedirectException, MappingException):
|
||||||
|
# Mapping providers are allowed to issue a redirect (e.g. to ask
|
||||||
|
# the user for more information) and can issue a mapping exception
|
||||||
|
# if a name cannot be generated.
|
||||||
|
raise
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
|
# Any other exception is unexpected.
|
||||||
raise MappingException(
|
raise MappingException(
|
||||||
"Could not extract user attributes from SSO response: " + str(e)
|
"Could not extract user attributes from SSO response."
|
||||||
)
|
) from e
|
||||||
|
|
||||||
logger.debug(
|
logger.debug(
|
||||||
"Retrieved user attributes from user mapping provider: %r (attempt %d)",
|
"Retrieved user attributes from user mapping provider: %r (attempt %d)",
|
||||||
|
@ -705,8 +705,7 @@ class OidcHandlerTestCase(HomeserverTestCase):
|
|||||||
MappingException,
|
MappingException,
|
||||||
)
|
)
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
str(e.value),
|
str(e.value), "Mapping provider does not support de-duplicating Matrix IDs",
|
||||||
"Could not extract user attributes from SSO response: Mapping provider does not support de-duplicating Matrix IDs",
|
|
||||||
)
|
)
|
||||||
|
|
||||||
@override_config({"oidc_config": {"allow_existing_users": True}})
|
@override_config({"oidc_config": {"allow_existing_users": True}})
|
||||||
|
@ -14,6 +14,7 @@
|
|||||||
|
|
||||||
import attr
|
import attr
|
||||||
|
|
||||||
|
from synapse.api.errors import RedirectException
|
||||||
from synapse.handlers.sso import MappingException
|
from synapse.handlers.sso import MappingException
|
||||||
|
|
||||||
from tests.unittest import HomeserverTestCase, override_config
|
from tests.unittest import HomeserverTestCase, override_config
|
||||||
@ -49,6 +50,13 @@ class TestMappingProvider:
|
|||||||
return {"mxid_localpart": localpart, "displayname": None}
|
return {"mxid_localpart": localpart, "displayname": None}
|
||||||
|
|
||||||
|
|
||||||
|
class TestRedirectMappingProvider(TestMappingProvider):
|
||||||
|
def saml_response_to_user_attributes(
|
||||||
|
self, saml_response, failures, client_redirect_url
|
||||||
|
):
|
||||||
|
raise RedirectException(b"https://custom-saml-redirect/")
|
||||||
|
|
||||||
|
|
||||||
class SamlHandlerTestCase(HomeserverTestCase):
|
class SamlHandlerTestCase(HomeserverTestCase):
|
||||||
def default_config(self):
|
def default_config(self):
|
||||||
config = super().default_config()
|
config = super().default_config()
|
||||||
@ -166,3 +174,23 @@ class SamlHandlerTestCase(HomeserverTestCase):
|
|||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
str(e.value), "Unable to generate a Matrix ID from the SSO response"
|
str(e.value), "Unable to generate a Matrix ID from the SSO response"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@override_config(
|
||||||
|
{
|
||||||
|
"saml2_config": {
|
||||||
|
"user_mapping_provider": {
|
||||||
|
"module": __name__ + ".TestRedirectMappingProvider"
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
)
|
||||||
|
def test_map_saml_response_redirect(self):
|
||||||
|
saml_response = FakeAuthnResponse({"uid": "test", "username": "test_user"})
|
||||||
|
redirect_url = ""
|
||||||
|
e = self.get_failure(
|
||||||
|
self.handler._map_saml_response_to_user(
|
||||||
|
saml_response, redirect_url, "user-agent", "10.10.10.10"
|
||||||
|
),
|
||||||
|
RedirectException,
|
||||||
|
)
|
||||||
|
self.assertEqual(e.value.location, b"https://custom-saml-redirect/")
|
||||||
|
Loading…
Reference in New Issue
Block a user