Matrix-Mirrors/anonymousland-synapse
1
0
Fork 0
mirror of https://git.anonymousland.org/anonymousland/synapse.git synced 2025-12-11 00:11:10 -05:00
Code Issues Projects Releases Packages Wiki Activity

Support SAML in the user interactive authentication workflow. (#7102)

Browse source
This commit is contained in:
Patrick Cloke 2020-04-01 08:48:00 -04:00 committed by GitHub
parent 468dcc767b
commit b9930d24a0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 227 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

19
synapse/rest/client/v2_alpha/account.py
View file

@ -234,7 +234,11 @@ class PasswordRestServlet(RestServlet):
if self.auth.has_access_token(request):
requester = await self.auth.get_user_by_req(request)
params = await self.auth_handler.validate_user_via_ui_auth(
requester, request, body, self.hs.get_ip_from_request(request),
requester,
request,
body,
self.hs.get_ip_from_request(request),
"modify your account password",
)
user_id = requester.user.to_string()
else:
@ -244,6 +248,7 @@ class PasswordRestServlet(RestServlet):
request,
body,
self.hs.get_ip_from_request(request),
"modify your account password",
)
if LoginType.EMAIL_IDENTITY in result:
@ -311,7 +316,11 @@ class DeactivateAccountRestServlet(RestServlet):
return 200, {}
await self.auth_handler.validate_user_via_ui_auth(
requester, request, body, self.hs.get_ip_from_request(request),
requester,
request,
body,
self.hs.get_ip_from_request(request),
"deactivate your account",
)
result = await self._deactivate_account_handler.deactivate_account(
requester.user.to_string(), erase, id_server=body.get("id_server")
@ -669,7 +678,11 @@ class ThreepidAddRestServlet(RestServlet):
assert_valid_client_secret(client_secret)
await self.auth_handler.validate_user_via_ui_auth(
requester, request, body, self.hs.get_ip_from_request(request),
requester,
request,
body,
self.hs.get_ip_from_request(request),
"add a third-party identifier to your account",
)
validation_session = await self.identity_handler.validate_threepid_session(

42
synapse/rest/client/v2_alpha/auth.py
View file

@ -18,6 +18,7 @@ import logging
from synapse.api.constants import LoginType
from synapse.api.errors import SynapseError
from synapse.api.urls import CLIENT_API_PREFIX
from synapse.handlers.auth import SUCCESS_TEMPLATE
from synapse.http.server import finish_request
from synapse.http.servlet import RestServlet, parse_string
@ -89,30 +90,6 @@ TERMS_TEMPLATE = """
</html>
"""
SUCCESS_TEMPLATE = """
<html>
<head>
<title>Success!</title>
<meta name='viewport' content='width=device-width, initial-scale=1,
user-scalable=no, minimum-scale=1.0, maximum-scale=1.0'>
<link rel="stylesheet" href="/_matrix/static/client/register/style.css">
<script>
if (window.onAuthDone) {
window.onAuthDone();
} else if (window.opener && window.opener.postMessage) {
window.opener.postMessage("authDone", "*");
}
</script>
</head>
<body>
<div>
<p>Thank you</p>
<p>You may now close this window and return to the application</p>
</div>
</body>
</html>
"""
class AuthRestServlet(RestServlet):
"""
@ -130,6 +107,11 @@ class AuthRestServlet(RestServlet):
self.auth_handler = hs.get_auth_handler()
self.registration_handler = hs.get_registration_handler()
# SSO configuration.
self._saml_enabled = hs.config.saml2_enabled
if self._saml_enabled:
self._saml_handler = hs.get_saml_handler()
def on_GET(self, request, stagetype):
session = parse_string(request, "session")
if not session:
@ -150,6 +132,15 @@ class AuthRestServlet(RestServlet):
"myurl": "%s/r0/auth/%s/fallback/web"
% (CLIENT_API_PREFIX, LoginType.TERMS),
}
elif stagetype == LoginType.SSO and self._saml_enabled:
# Display a confirmation page which prompts the user to
# re-authenticate with their SSO provider.
client_redirect_url = ""
sso_redirect_url = self._saml_handler.handle_redirect_request(
client_redirect_url, session
)
html = self.auth_handler.start_sso_ui_auth(sso_redirect_url, session)
else:
raise SynapseError(404, "Unknown auth stage type")
@ -210,6 +201,9 @@ class AuthRestServlet(RestServlet):
"myurl": "%s/r0/auth/%s/fallback/web"
% (CLIENT_API_PREFIX, LoginType.TERMS),
}
elif stagetype == LoginType.SSO:
# The SSO fallback workflow should not post here,
raise SynapseError(404, "Fallback SSO auth does not support POST requests.")
else:
raise SynapseError(404, "Unknown auth stage type")

12
synapse/rest/client/v2_alpha/devices.py
View file

@ -81,7 +81,11 @@ class DeleteDevicesRestServlet(RestServlet):
assert_params_in_dict(body, ["devices"])
await self.auth_handler.validate_user_via_ui_auth(
requester, request, body, self.hs.get_ip_from_request(request),
requester,
request,
body,
self.hs.get_ip_from_request(request),
"remove device(s) from your account",
)
await self.device_handler.delete_devices(
@ -127,7 +131,11 @@ class DeviceRestServlet(RestServlet):
raise
await self.auth_handler.validate_user_via_ui_auth(
requester, request, body, self.hs.get_ip_from_request(request),
requester,
request,
body,
self.hs.get_ip_from_request(request),
"remove a device from your account",
)
await self.device_handler.delete_device(requester.user.to_string(), device_id)

6
synapse/rest/client/v2_alpha/keys.py
View file

@ -263,7 +263,11 @@ class SigningKeyUploadServlet(RestServlet):
body = parse_json_object_from_request(request)
await self.auth_handler.validate_user_via_ui_auth(
requester, request, body, self.hs.get_ip_from_request(request),
requester,
request,
body,
self.hs.get_ip_from_request(request),
"add a device signing key to your account",
)
result = await self.e2e_keys_handler.upload_signing_keys_for_user(user_id, body)

1
synapse/rest/client/v2_alpha/register.py
View file

@ -505,6 +505,7 @@ class RegisterRestServlet(RestServlet):
request,
body,
self.hs.get_ip_from_request(request),
"register a new account",
)
# Check that we're not trying to register a denied 3pid.