Merge branch 'develop' into rav/saml2_client

2025-09-20 12:14:40 -04:00 · 2019-07-01 14:21:03 +01:00 · 2019-07-01 14:21:03 +01:00 · b4fd86a9b4
commit b4fd86a9b4
parent 3bcb13edd0 f40a7dc41f
55 changed files with 835 additions and 453 deletions
--- a/synapse/config/emailconfig.py
+++ b/synapse/config/emailconfig.py
@ -233,11 +233,13 @@ class EmailConfig(Config):
        #   app_name: Matrix
        #
        #   # Enable email notifications by default
+        #   #
        #   notif_for_new_users: True
        #
        #   # Defining a custom URL for Riot is only needed if email notifications
        #   # should contain links to a self-hosted installation of Riot; when set
        #   # the "app_name" setting is ignored
+        #   #
        #   riot_base_url: "http://localhost/riot"
        #
        #   # Enable sending password reset emails via the configured, trusted
@ -250,16 +252,22 @@ class EmailConfig(Config):
        #   #
        #   # If this option is set to false and SMTP options have not been
        #   # configured, resetting user passwords via email will be disabled
+        #   #
        #   #trust_identity_server_for_password_resets: false
        #
        #   # Configure the time that a validation email or text message code
        #   # will expire after sending
        #   #
        #   # This is currently used for password resets
+        #   #
        #   #validation_token_lifetime: 1h
        #
        #   # Template directory. All template files should be stored within this
-        #   # directory
+        #   # directory. If not set, default templates from within the Synapse
+        #   # package will be used
+        #   #
+        #   # For the list of default templates, please see
+        #   # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
        #   #
        #   #template_dir: res/templates
        #
--- a/synapse/config/password.py
+++ b/synapse/config/password.py
@ -26,6 +26,7 @@ class PasswordConfig(Config):
            password_config = {}

        self.password_enabled = password_config.get("enabled", True)
+        self.password_localdb_enabled = password_config.get("localdb_enabled", True)
        self.password_pepper = password_config.get("pepper", "")

    def generate_config_section(self, config_dir_path, server_name, **kwargs):
@ -35,6 +36,12 @@ class PasswordConfig(Config):
           #
           #enabled: false

+           # Uncomment to disable authentication against the local password
+           # database. This is ignored if `enabled` is false, and is only useful
+           # if you have other password_providers.
+           #
+           #localdb_enabled: false
+
           # Uncomment and change to a secret random string for extra security.
           # DO NOT CHANGE THIS AFTER INITIAL SETUP!
           #
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
@ -23,7 +23,7 @@ import six

 from unpaddedbase64 import encode_base64

-from OpenSSL import crypto
+from OpenSSL import SSL, crypto
 from twisted.internet._sslverify import Certificate, trustRootFromCertificates

 from synapse.config._base import Config, ConfigError
@ -81,6 +81,27 @@ class TlsConfig(Config):
            "federation_verify_certificates", True
        )

+        # Minimum TLS version to use for outbound federation traffic
+        self.federation_client_minimum_tls_version = str(
+            config.get("federation_client_minimum_tls_version", 1)
+        )
+
+        if self.federation_client_minimum_tls_version not in ["1", "1.1", "1.2", "1.3"]:
+            raise ConfigError(
+                "federation_client_minimum_tls_version must be one of: 1, 1.1, 1.2, 1.3"
+            )
+
+        # Prevent people shooting themselves in the foot here by setting it to
+        # the biggest number blindly
+        if self.federation_client_minimum_tls_version == "1.3":
+            if getattr(SSL, "OP_NO_TLSv1_3", None) is None:
+                raise ConfigError(
+                    (
+                        "federation_client_minimum_tls_version cannot be 1.3, "
+                        "your OpenSSL does not support it"
+                    )
+                )
+
        # Whitelist of domains to not verify certificates for
        fed_whitelist_entries = config.get(
            "federation_certificate_verification_whitelist", []
@ -261,6 +282,15 @@ class TlsConfig(Config):
        #
        #federation_verify_certificates: false

+        # The minimum TLS version that will be used for outbound federation requests.
+        #
+        # Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note
+        # that setting this value higher than `1.2` will prevent federation to most
+        # of the public Matrix network: only configure it to `1.3` if you have an
+        # entirely private federation setup and you can ensure TLS 1.3 support.
+        #
+        #federation_client_minimum_tls_version: 1.2
+
        # Skip federation certificate verification on the following whitelist
        # of domains.
        #