mirror of
https://git.anonymousland.org/anonymousland/synapse.git
synced 2024-10-01 11:49:51 -04:00
158d73ebdd
Revert "Sort internal changes in changelog" Revert "Update CHANGES.md" Revert "1.49.0rc1" Revert "Revert "Move `glob_to_regex` and `re_word_boundary` to `matrix-python-common` (#11505) (#11527)" Revert "Refactors in `_generate_sync_entry_for_rooms` (#11515)" Revert "Correctly register shutdown handler for presence workers (#11518)" Revert "Fix `ModuleApi.looping_background_call` for non-async functions (#11524)" Revert "Fix 'delete room' admin api to work on incomplete rooms (#11523)" Revert "Correctly ignore invites from ignored users (#11511)" Revert "Fix the test breakage introduced by #11435 as a result of concurrent PRs (#11522)" Revert "Stabilise support for MSC2918 refresh tokens as they have now been merged into the Matrix specification. (#11435)" Revert "Save the OIDC session ID (sid) with the device on login (#11482)" Revert "Add admin API to get some information about federation status (#11407)" Revert "Include bundled aggregations in /sync and related fixes (#11478)" Revert "Move `glob_to_regex` and `re_word_boundary` to `matrix-python-common` (#11505)" Revert "Update backward extremity docs to make it clear that it does not indicate whether we have fetched an events' `prev_events` (#11469)" Revert "Support configuring the lifetime of non-refreshable access tokens separately to refreshable access tokens. (#11445)" Revert "Add type hints to `synapse/tests/rest/admin` (#11501)" Revert "Revert accidental commits to develop." Revert "Newsfile" Revert "Give `tests.server.setup_test_homeserver` (nominally!) the same behaviour" Revert "Move `tests.utils.setup_test_homeserver` to `tests.server`" Revert "Convert one of the `setup_test_homeserver`s to `make_test_homeserver_synchronous`" Revert "Disambiguate queries on `state_key` (#11497)" Revert "Comments on the /sync tentacles (#11494)" Revert "Clean up tests.storage.test_appservice (#11492)" Revert "Clean up `tests.storage.test_main` to remove use of legacy code. (#11493)" Revert "Clean up `tests.test_visibility` to remove legacy code. (#11495)" Revert "Minor cleanup on recently ported doc pages (#11466)" Revert "Add most of the missing type hints to `synapse.federation`. (#11483)" Revert "Avoid waiting for zombie processes in `synctl stop` (#11490)" Revert "Fix media repository failing when media store path contains symlinks (#11446)" Revert "Add type annotations to `tests.storage.test_appservice`. (#11488)" Revert "`scripts-dev/sign_json`: support for signing events (#11486)" Revert "Add MSC3030 experimental client and federation API endpoints to get the closest event to a given timestamp (#9445)" Revert "Port wiki pages to documentation website (#11402)" Revert "Add a license header and comment. (#11479)" Revert "Clean-up get_version_string (#11468)" Revert "Link background update controller docs to summary (#11475)" Revert "Additional type hints for config module. (#11465)" Revert "Register the login redirect endpoint for v3. (#11451)" Revert "Update openid.md" Revert "Remove mention of OIDC certification from Dex (#11470)" Revert "Add a note about huge pages to our Postgres doc (#11467)" Revert "Don't start Synapse master process if `worker_app` is set (#11416)" Revert "Expose worker & homeserver as entrypoints in `setup.py` (#11449)" Revert "Bundle relations of relations into the `/relations` result. (#11284)" Revert "Fix `LruCache` corruption bug with a `size_callback` that can return 0 (#11454)" Revert "Eliminate a few `Any`s in `LruCache` type hints (#11453)" Revert "Remove unnecessary `json.dumps` from `tests.rest.admin` (#11461)" Revert "Merge branch 'master' into develop" This reverts commit26b5d2320f. This reverts commitbce4220f38. This reverts commit966b5d0fa0. This reverts commit088d748f2c. This reverts commit14d593f72d. This reverts commit2a3ec6facf. This reverts commiteccc49d755. This reverts commitb1ecd19c5d. This reverts commit9c55dedc8c. This reverts commit2d42e586a8. This reverts commit2f053f3f82. This reverts commita15a893df8. This reverts commit8b4b153c9e. This reverts commit494ebd7347. This reverts commita77c369897. This reverts commit4eb77965cd. This reverts commit637df95de6. This reverts commite5f426cd54. This reverts commit8cd68b8102. This reverts commit6cae125e20. This reverts commit7be88fbf48. This reverts commitb3fd99b74a. This reverts commitf7ec6e7d9e. This reverts commit5640992d17. This reverts commitd26808dd85. This reverts commitf91624a595. This reverts commit16d39a5490. This reverts commit8a4c296987. This reverts commit49e1356ee3. This reverts commitd2279f471b. This reverts commitb50e39df57. This reverts commit858d80bf0f. This reverts commit435f044807. This reverts commitf61462e1be. This reverts commita6f1a3abec. This reverts commit84dc50e160. This reverts commited635d3285. This reverts commit7b62791e00. This reverts commit153194c771. This reverts commitf44d729d4c. This reverts commita265fbd397. This reverts commitb9fef1a7cd. This reverts commitb0eb64ff7b. This reverts commitf1795463bf. This reverts commit70cbb1a5e3. This reverts commit42bf020463. This reverts commit379f2650cf. This reverts commit7ff22d6da4. This reverts commit5a0b652d36. This reverts commit432a174bc1. This reverts commitb14f8a1baf, reversing changes made toe713855dca.
424 lines
16 KiB
Python
424 lines
16 KiB
Python
# Copyright 2018 New Vector Ltd
|
|
# Copyright 2019 The Matrix.org Foundation C.I.C.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
import logging
|
|
from typing import Any, List
|
|
|
|
from synapse.config.sso import SsoAttributeRequirement
|
|
from synapse.python_dependencies import DependencyException, check_requirements
|
|
from synapse.util.module_loader import load_module, load_python_module
|
|
|
|
from ._base import Config, ConfigError
|
|
from ._util import validate_config
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
DEFAULT_USER_MAPPING_PROVIDER = "synapse.handlers.saml.DefaultSamlMappingProvider"
|
|
# The module that DefaultSamlMappingProvider is in was renamed, we want to
|
|
# transparently handle both the same.
|
|
LEGACY_USER_MAPPING_PROVIDER = (
|
|
"synapse.handlers.saml_handler.DefaultSamlMappingProvider"
|
|
)
|
|
|
|
|
|
def _dict_merge(merge_dict, into_dict):
|
|
"""Do a deep merge of two dicts
|
|
|
|
Recursively merges `merge_dict` into `into_dict`:
|
|
* For keys where both `merge_dict` and `into_dict` have a dict value, the values
|
|
are recursively merged
|
|
* For all other keys, the values in `into_dict` (if any) are overwritten with
|
|
the value from `merge_dict`.
|
|
|
|
Args:
|
|
merge_dict (dict): dict to merge
|
|
into_dict (dict): target dict
|
|
"""
|
|
for k, v in merge_dict.items():
|
|
if k not in into_dict:
|
|
into_dict[k] = v
|
|
continue
|
|
|
|
current_val = into_dict[k]
|
|
|
|
if isinstance(v, dict) and isinstance(current_val, dict):
|
|
_dict_merge(v, current_val)
|
|
continue
|
|
|
|
# otherwise we just overwrite
|
|
into_dict[k] = v
|
|
|
|
|
|
class SAML2Config(Config):
|
|
section = "saml2"
|
|
|
|
def read_config(self, config, **kwargs):
|
|
self.saml2_enabled = False
|
|
|
|
saml2_config = config.get("saml2_config")
|
|
|
|
if not saml2_config or not saml2_config.get("enabled", True):
|
|
return
|
|
|
|
if not saml2_config.get("sp_config") and not saml2_config.get("config_path"):
|
|
return
|
|
|
|
try:
|
|
check_requirements("saml2")
|
|
except DependencyException as e:
|
|
raise ConfigError(
|
|
e.message # noqa: B306, DependencyException.message is a property
|
|
)
|
|
|
|
self.saml2_enabled = True
|
|
|
|
attribute_requirements = saml2_config.get("attribute_requirements") or []
|
|
self.attribute_requirements = _parse_attribute_requirements_def(
|
|
attribute_requirements
|
|
)
|
|
|
|
self.saml2_grandfathered_mxid_source_attribute = saml2_config.get(
|
|
"grandfathered_mxid_source_attribute", "uid"
|
|
)
|
|
|
|
self.saml2_idp_entityid = saml2_config.get("idp_entityid", None)
|
|
|
|
# user_mapping_provider may be None if the key is present but has no value
|
|
ump_dict = saml2_config.get("user_mapping_provider") or {}
|
|
|
|
# Use the default user mapping provider if not set
|
|
ump_dict.setdefault("module", DEFAULT_USER_MAPPING_PROVIDER)
|
|
if ump_dict.get("module") == LEGACY_USER_MAPPING_PROVIDER:
|
|
ump_dict["module"] = DEFAULT_USER_MAPPING_PROVIDER
|
|
|
|
# Ensure a config is present
|
|
ump_dict["config"] = ump_dict.get("config") or {}
|
|
|
|
if ump_dict["module"] == DEFAULT_USER_MAPPING_PROVIDER:
|
|
# Load deprecated options for use by the default module
|
|
old_mxid_source_attribute = saml2_config.get("mxid_source_attribute")
|
|
if old_mxid_source_attribute:
|
|
logger.warning(
|
|
"The config option saml2_config.mxid_source_attribute is deprecated. "
|
|
"Please use saml2_config.user_mapping_provider.config"
|
|
".mxid_source_attribute instead."
|
|
)
|
|
ump_dict["config"]["mxid_source_attribute"] = old_mxid_source_attribute
|
|
|
|
old_mxid_mapping = saml2_config.get("mxid_mapping")
|
|
if old_mxid_mapping:
|
|
logger.warning(
|
|
"The config option saml2_config.mxid_mapping is deprecated. Please "
|
|
"use saml2_config.user_mapping_provider.config.mxid_mapping instead."
|
|
)
|
|
ump_dict["config"]["mxid_mapping"] = old_mxid_mapping
|
|
|
|
# Retrieve an instance of the module's class
|
|
# Pass the config dictionary to the module for processing
|
|
(
|
|
self.saml2_user_mapping_provider_class,
|
|
self.saml2_user_mapping_provider_config,
|
|
) = load_module(ump_dict, ("saml2_config", "user_mapping_provider"))
|
|
|
|
# Ensure loaded user mapping module has defined all necessary methods
|
|
# Note parse_config() is already checked during the call to load_module
|
|
required_methods = [
|
|
"get_saml_attributes",
|
|
"saml_response_to_user_attributes",
|
|
"get_remote_user_id",
|
|
]
|
|
missing_methods = [
|
|
method
|
|
for method in required_methods
|
|
if not hasattr(self.saml2_user_mapping_provider_class, method)
|
|
]
|
|
if missing_methods:
|
|
raise ConfigError(
|
|
"Class specified by saml2_config."
|
|
"user_mapping_provider.module is missing required "
|
|
"methods: %s" % (", ".join(missing_methods),)
|
|
)
|
|
|
|
# Get the desired saml auth response attributes from the module
|
|
saml2_config_dict = self._default_saml_config_dict(
|
|
*self.saml2_user_mapping_provider_class.get_saml_attributes(
|
|
self.saml2_user_mapping_provider_config
|
|
)
|
|
)
|
|
_dict_merge(
|
|
merge_dict=saml2_config.get("sp_config", {}), into_dict=saml2_config_dict
|
|
)
|
|
|
|
config_path = saml2_config.get("config_path", None)
|
|
if config_path is not None:
|
|
mod = load_python_module(config_path)
|
|
config = getattr(mod, "CONFIG", None)
|
|
if config is None:
|
|
raise ConfigError(
|
|
"Config path specified by saml2_config.config_path does not "
|
|
"have a CONFIG property."
|
|
)
|
|
_dict_merge(merge_dict=config, into_dict=saml2_config_dict)
|
|
|
|
import saml2.config
|
|
|
|
self.saml2_sp_config = saml2.config.SPConfig()
|
|
self.saml2_sp_config.load(saml2_config_dict)
|
|
|
|
# session lifetime: in milliseconds
|
|
self.saml2_session_lifetime = self.parse_duration(
|
|
saml2_config.get("saml_session_lifetime", "15m")
|
|
)
|
|
|
|
def _default_saml_config_dict(
|
|
self, required_attributes: set, optional_attributes: set
|
|
):
|
|
"""Generate a configuration dictionary with required and optional attributes that
|
|
will be needed to process new user registration
|
|
|
|
Args:
|
|
required_attributes: SAML auth response attributes that are
|
|
necessary to function
|
|
optional_attributes: SAML auth response attributes that can be used to add
|
|
additional information to Synapse user accounts, but are not required
|
|
|
|
Returns:
|
|
dict: A SAML configuration dictionary
|
|
"""
|
|
import saml2
|
|
|
|
if self.saml2_grandfathered_mxid_source_attribute:
|
|
optional_attributes.add(self.saml2_grandfathered_mxid_source_attribute)
|
|
optional_attributes -= required_attributes
|
|
|
|
public_baseurl = self.root.server.public_baseurl
|
|
metadata_url = public_baseurl + "_synapse/client/saml2/metadata.xml"
|
|
response_url = public_baseurl + "_synapse/client/saml2/authn_response"
|
|
return {
|
|
"entityid": metadata_url,
|
|
"service": {
|
|
"sp": {
|
|
"endpoints": {
|
|
"assertion_consumer_service": [
|
|
(response_url, saml2.BINDING_HTTP_POST)
|
|
]
|
|
},
|
|
"required_attributes": list(required_attributes),
|
|
"optional_attributes": list(optional_attributes),
|
|
# "name_id_format": saml2.saml.NAMEID_FORMAT_PERSISTENT,
|
|
}
|
|
},
|
|
}
|
|
|
|
def generate_config_section(self, config_dir_path, server_name, **kwargs):
|
|
return """\
|
|
## Single sign-on integration ##
|
|
|
|
# The following settings can be used to make Synapse use a single sign-on
|
|
# provider for authentication, instead of its internal password database.
|
|
#
|
|
# You will probably also want to set the following options to `false` to
|
|
# disable the regular login/registration flows:
|
|
# * enable_registration
|
|
# * password_config.enabled
|
|
#
|
|
# You will also want to investigate the settings under the "sso" configuration
|
|
# section below.
|
|
|
|
# Enable SAML2 for registration and login. Uses pysaml2.
|
|
#
|
|
# At least one of `sp_config` or `config_path` must be set in this section to
|
|
# enable SAML login.
|
|
#
|
|
# Once SAML support is enabled, a metadata file will be exposed at
|
|
# https://<server>:<port>/_synapse/client/saml2/metadata.xml, which you may be able to
|
|
# use to configure your SAML IdP with. Alternatively, you can manually configure
|
|
# the IdP to use an ACS location of
|
|
# https://<server>:<port>/_synapse/client/saml2/authn_response.
|
|
#
|
|
saml2_config:
|
|
# `sp_config` is the configuration for the pysaml2 Service Provider.
|
|
# See pysaml2 docs for format of config.
|
|
#
|
|
# Default values will be used for the 'entityid' and 'service' settings,
|
|
# so it is not normally necessary to specify them unless you need to
|
|
# override them.
|
|
#
|
|
sp_config:
|
|
# Point this to the IdP's metadata. You must provide either a local
|
|
# file via the `local` attribute or (preferably) a URL via the
|
|
# `remote` attribute.
|
|
#
|
|
#metadata:
|
|
# local: ["saml2/idp.xml"]
|
|
# remote:
|
|
# - url: https://our_idp/metadata.xml
|
|
|
|
# Allowed clock difference in seconds between the homeserver and IdP.
|
|
#
|
|
# Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
|
|
#
|
|
#accepted_time_diff: 3
|
|
|
|
# By default, the user has to go to our login page first. If you'd like
|
|
# to allow IdP-initiated login, set 'allow_unsolicited: true' in a
|
|
# 'service.sp' section:
|
|
#
|
|
#service:
|
|
# sp:
|
|
# allow_unsolicited: true
|
|
|
|
# The examples below are just used to generate our metadata xml, and you
|
|
# may well not need them, depending on your setup. Alternatively you
|
|
# may need a whole lot more detail - see the pysaml2 docs!
|
|
|
|
#description: ["My awesome SP", "en"]
|
|
#name: ["Test SP", "en"]
|
|
|
|
#ui_info:
|
|
# display_name:
|
|
# - lang: en
|
|
# text: "Display Name is the descriptive name of your service."
|
|
# description:
|
|
# - lang: en
|
|
# text: "Description should be a short paragraph explaining the purpose of the service."
|
|
# information_url:
|
|
# - lang: en
|
|
# text: "https://example.com/terms-of-service"
|
|
# privacy_statement_url:
|
|
# - lang: en
|
|
# text: "https://example.com/privacy-policy"
|
|
# keywords:
|
|
# - lang: en
|
|
# text: ["Matrix", "Element"]
|
|
# logo:
|
|
# - lang: en
|
|
# text: "https://example.com/logo.svg"
|
|
# width: "200"
|
|
# height: "80"
|
|
|
|
#organization:
|
|
# name: Example com
|
|
# display_name:
|
|
# - ["Example co", "en"]
|
|
# url: "http://example.com"
|
|
|
|
#contact_person:
|
|
# - given_name: Bob
|
|
# sur_name: "the Sysadmin"
|
|
# email_address": ["admin@example.com"]
|
|
# contact_type": technical
|
|
|
|
# Instead of putting the config inline as above, you can specify a
|
|
# separate pysaml2 configuration file:
|
|
#
|
|
#config_path: "%(config_dir_path)s/sp_conf.py"
|
|
|
|
# The lifetime of a SAML session. This defines how long a user has to
|
|
# complete the authentication process, if allow_unsolicited is unset.
|
|
# The default is 15 minutes.
|
|
#
|
|
#saml_session_lifetime: 5m
|
|
|
|
# An external module can be provided here as a custom solution to
|
|
# mapping attributes returned from a saml provider onto a matrix user.
|
|
#
|
|
user_mapping_provider:
|
|
# The custom module's class. Uncomment to use a custom module.
|
|
#
|
|
#module: mapping_provider.SamlMappingProvider
|
|
|
|
# Custom configuration values for the module. Below options are
|
|
# intended for the built-in provider, they should be changed if
|
|
# using a custom module. This section will be passed as a Python
|
|
# dictionary to the module's `parse_config` method.
|
|
#
|
|
config:
|
|
# The SAML attribute (after mapping via the attribute maps) to use
|
|
# to derive the Matrix ID from. 'uid' by default.
|
|
#
|
|
# Note: This used to be configured by the
|
|
# saml2_config.mxid_source_attribute option. If that is still
|
|
# defined, its value will be used instead.
|
|
#
|
|
#mxid_source_attribute: displayName
|
|
|
|
# The mapping system to use for mapping the saml attribute onto a
|
|
# matrix ID.
|
|
#
|
|
# Options include:
|
|
# * 'hexencode' (which maps unpermitted characters to '=xx')
|
|
# * 'dotreplace' (which replaces unpermitted characters with
|
|
# '.').
|
|
# The default is 'hexencode'.
|
|
#
|
|
# Note: This used to be configured by the
|
|
# saml2_config.mxid_mapping option. If that is still defined, its
|
|
# value will be used instead.
|
|
#
|
|
#mxid_mapping: dotreplace
|
|
|
|
# In previous versions of synapse, the mapping from SAML attribute to
|
|
# MXID was always calculated dynamically rather than stored in a
|
|
# table. For backwards- compatibility, we will look for user_ids
|
|
# matching such a pattern before creating a new account.
|
|
#
|
|
# This setting controls the SAML attribute which will be used for this
|
|
# backwards-compatibility lookup. Typically it should be 'uid', but if
|
|
# the attribute maps are changed, it may be necessary to change it.
|
|
#
|
|
# The default is 'uid'.
|
|
#
|
|
#grandfathered_mxid_source_attribute: upn
|
|
|
|
# It is possible to configure Synapse to only allow logins if SAML attributes
|
|
# match particular values. The requirements can be listed under
|
|
# `attribute_requirements` as shown below. All of the listed attributes must
|
|
# match for the login to be permitted.
|
|
#
|
|
#attribute_requirements:
|
|
# - attribute: userGroup
|
|
# value: "staff"
|
|
# - attribute: department
|
|
# value: "sales"
|
|
|
|
# If the metadata XML contains multiple IdP entities then the `idp_entityid`
|
|
# option must be set to the entity to redirect users to.
|
|
#
|
|
# Most deployments only have a single IdP entity and so should omit this
|
|
# option.
|
|
#
|
|
#idp_entityid: 'https://our_idp/entityid'
|
|
""" % {
|
|
"config_dir_path": config_dir_path
|
|
}
|
|
|
|
|
|
ATTRIBUTE_REQUIREMENTS_SCHEMA = {
|
|
"type": "array",
|
|
"items": SsoAttributeRequirement.JSON_SCHEMA,
|
|
}
|
|
|
|
|
|
def _parse_attribute_requirements_def(
|
|
attribute_requirements: Any,
|
|
) -> List[SsoAttributeRequirement]:
|
|
validate_config(
|
|
ATTRIBUTE_REQUIREMENTS_SCHEMA,
|
|
attribute_requirements,
|
|
config_path=("saml2_config", "attribute_requirements"),
|
|
)
|
|
return [SsoAttributeRequirement(**x) for x in attribute_requirements]
|