forked-synapse/synapse/config/registration.py

# -*- coding: utf-8 -*-
# Copyright 2015, 2016 OpenMarket Ltd
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

from distutils.util import strtobool

from synapse.util.stringutils import random_string_with_symbols

from ._base import Config


class RegistrationConfig(Config):

    def read_config(self, config):
        self.enable_registration = bool(
            strtobool(str(config["enable_registration"]))
        )
        if "disable_registration" in config:
            self.enable_registration = not bool(
                strtobool(str(config["disable_registration"]))
            )

        self.registrations_require_3pid = config.get("registrations_require_3pid", [])
        self.allowed_local_3pids = config.get("allowed_local_3pids", [])
        self.registration_shared_secret = config.get("registration_shared_secret")

        self.bcrypt_rounds = config.get("bcrypt_rounds", 12)
        self.trusted_third_party_id_servers = config["trusted_third_party_id_servers"]
        self.allow_guest_access = config.get("allow_guest_access", False)

        self.invite_3pid_guest = (
            self.allow_guest_access and config.get("invite_3pid_guest", False)
        )

        self.auto_join_rooms = config.get("auto_join_rooms", [])

    def default_config(self, **kwargs):
        registration_shared_secret = random_string_with_symbols(50)

        return """\
        ## Registration ##

        # Enable registration for new users.
        enable_registration: False

        # The user must provide all of the below types of 3PID when registering.
        #
        # registrations_require_3pid:
        #     - email
        #     - msisdn

        # Mandate that users are only allowed to associate certain formats of
        # 3PIDs with accounts on this server.
        #
        # allowed_local_3pids:
        #     - medium: email
        #       pattern: ".*@matrix\\.org"
        #     - medium: email
        #       pattern: ".*@vector\\.im"
        #     - medium: msisdn
        #       pattern: "\\+44"

        # If set, allows registration by anyone who also has the shared
        # secret, even if registration is otherwise disabled.
        registration_shared_secret: "%(registration_shared_secret)s"

        # Set the number of bcrypt rounds used to generate password hash.
        # Larger numbers increase the work factor needed to generate the hash.
        # The default number is 12 (which equates to 2^12 rounds).
        # N.B. that increasing this will exponentially increase the time required
        # to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.
        bcrypt_rounds: 12

        # Allows users to register as guests without a password/email/etc, and
        # participate in rooms hosted on this server which have been made
        # accessible to anonymous users.
        allow_guest_access: False

        # The list of identity servers trusted to verify third party
        # identifiers by this server.
        trusted_third_party_id_servers:
            - matrix.org
            - vector.im
            - riot.im

        # Users who register on this homeserver will automatically be joined
        # to these rooms
        #auto_join_rooms:
        #    - "#example:example.com"
        """ % locals()

    def add_arguments(self, parser):
        reg_group = parser.add_argument_group("registration")
        reg_group.add_argument(
            "--enable-registration", action="store_true", default=None,
            help="Enable registration for new users."
        )

    def read_arguments(self, args):
        if args.enable_registration is not None:
            self.enable_registration = bool(
                strtobool(str(args.enable_registration))
            )
Add config option to disable registration. 2015-02-19 09:16:53 -05:00			`# -- coding: utf-8 --`
copyrights 2016-01-06 23:26:29 -05:00			`# Copyright 2015, 2016 OpenMarket Ltd`
Add config option to disable registration. 2015-02-19 09:16:53 -05:00			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

run isort 2018-07-09 02:09:20 -04:00			`from distutils.util import strtobool`
Add config option to disable registration. 2015-02-19 09:16:53 -05:00
Implement registering with shared secret. 2015-03-13 11:23:37 -04:00			`from synapse.util.stringutils import random_string_with_symbols`

run isort 2018-07-09 02:09:20 -04:00			`from ._base import Config`
Allow enabling of registration with --disable-registration false 2015-03-13 12:49:18 -04:00
Add config option to disable registration. 2015-02-19 09:16:53 -05:00
			`class RegistrationConfig(Config):`

Manually generate the default config yaml, remove most of the commandline arguments for synapse anticipating that people will use the yaml instead. Simpify implementing config options by not requiring the classes to hit the super class 2015-04-29 23:24:44 -04:00			`def read_config(self, config):`
Rename config field to reflect yaml name 2016-02-03 09:42:01 -05:00			`self.enable_registration = bool(`
Allow --enable-registration to be passed on the commandline 2015-04-30 10:04:06 -04:00			`strtobool(str(config["enable_registration"]))`
Add config option to disable registration. 2015-02-19 09:16:53 -05:00			`)`
Use disable_registration keys if they are present 2015-04-30 09:34:09 -04:00			`if "disable_registration" in config:`
Rename config field to reflect yaml name 2016-02-03 09:42:01 -05:00			`self.enable_registration = not bool(`
Allow --enable-registration to be passed on the commandline 2015-04-30 10:04:06 -04:00			`strtobool(str(config["disable_registration"]))`
Use disable_registration keys if they are present 2015-04-30 09:34:09 -04:00			`)`

add registrations_require_3pid lets homeservers specify a whitelist for 3PIDs that users are allowed to associate with. Typically useful for stopping people from registering with non-work emails 2018-01-18 19:19:58 -05:00			`self.registrations_require_3pid = config.get("registrations_require_3pid", [])`
rewrite based on PR feedback: * [ ] split config options into allowed_local_3pids and registrations_require_3pid * [ ] simplify and comment logic for picking registration flows * [ ] fix docstring and move check_3pid_allowed into a new util module * [ ] use check_3pid_allowed everywhere @erikjohnston PTAL 2018-01-19 10:33:55 -05:00			`self.allowed_local_3pids = config.get("allowed_local_3pids", [])`
Manually generate the default config yaml, remove most of the commandline arguments for synapse anticipating that people will use the yaml instead. Simpify implementing config options by not requiring the classes to hit the super class 2015-04-29 23:24:44 -04:00			`self.registration_shared_secret = config.get("registration_shared_secret")`
Derive macaroon_secret_key from signing key. Unfortunately, there are people that are running synapse without a `macaroon_sercret_key` set. Mandating they set one is a good solution, except that breaking auto upgrades is annoying. 2016-02-08 11:35:44 -05:00
Add config for how many bcrypt rounds to use for password hashes By default we leave it at the default value of 12. But now we can reduce it for preparing users for loadtests or running integration tests. 2015-10-16 09:52:08 -04:00			`self.bcrypt_rounds = config.get("bcrypt_rounds", 12)`
Add config option for setting the trusted id servers, disabling checking the ID server in integration tests 2016-01-29 09:12:26 -05:00			`self.trusted_third_party_id_servers = config["trusted_third_party_id_servers"]`
Allow guests to register and call /events?room_id= This follows the same flows-based flow as regular registration, but as the only implemented flow has no requirements, it auto-succeeds. In the future, other flows (e.g. captcha) may be required, so clients should treat this like the regular registration flow choices. 2015-11-04 12:29:07 -05:00			`self.allow_guest_access = config.get("allow_guest_access", False)`
Manually generate the default config yaml, remove most of the commandline arguments for synapse anticipating that people will use the yaml instead. Simpify implementing config options by not requiring the classes to hit the super class 2015-04-29 23:24:44 -04:00
Add config to create guest account on 3pid invite Currently, when a 3pid invite request is sent to an identity server, it includes a provisioned guest access token. This allows the link in the, say, invite email to include the guest access token ensuring that the same account is used each time the link is clicked. This flow has a number of flaws, including when using different servers or servers that have guest access disabled. For now, we keep this implementation but hide it behind a config option until a better flow is implemented. 2016-03-14 11:50:40 -04:00			`self.invite_3pid_guest = (`
			`self.allow_guest_access and config.get("invite_3pid_guest", False)`
			`)`

Add config option to auto-join new users to rooms New users who register on the server will be dumped into all rooms in auto_join_rooms in the config. 2017-10-16 12:57:27 -04:00			`self.auto_join_rooms = config.get("auto_join_rooms", [])`

Derive macaroon_secret_key from signing key. Unfortunately, there are people that are running synapse without a `macaroon_sercret_key` set. Mandating they set one is a good solution, except that breaking auto upgrades is annoying. 2016-02-08 11:35:44 -05:00			`def default_config(self, **kwargs):`
Manually generate the default config yaml, remove most of the commandline arguments for synapse anticipating that people will use the yaml instead. Simpify implementing config options by not requiring the classes to hit the super class 2015-04-29 23:24:44 -04:00			`registration_shared_secret = random_string_with_symbols(50)`
Error if macaroon key is missing from config Currently we store all access tokens in the DB, and fall back to that check if we can't validate the macaroon, so our fallback works here, but for guests, their macaroons don't get persisted, so we don't get to find them in the database. Each restart, we generate a new ephemeral key, so guests lose access after each server restart. I tried to fix up the config stuff to be less insane, but gave up, so instead I bolt on yet another piece of custom one-off insanity. Also, add some basic tests for config generation and loading. 2016-02-04 20:58:23 -05:00
Manually generate the default config yaml, remove most of the commandline arguments for synapse anticipating that people will use the yaml instead. Simpify implementing config options by not requiring the classes to hit the super class 2015-04-29 23:24:44 -04:00			`return """\`
			`## Registration ##`
Disable registration by default 2015-03-13 08:59:45 -04:00
Manually generate the default config yaml, remove most of the commandline arguments for synapse anticipating that people will use the yaml instead. Simpify implementing config options by not requiring the classes to hit the super class 2015-04-29 23:24:44 -04:00			`# Enable registration for new users.`
Registration should be disabled by default 2015-05-28 06:01:34 -04:00			`enable_registration: False`
Implement registering with shared secret. 2015-03-13 11:23:37 -04:00
rewrite based on PR feedback: * [ ] split config options into allowed_local_3pids and registrations_require_3pid * [ ] simplify and comment logic for picking registration flows * [ ] fix docstring and move check_3pid_allowed into a new util module * [ ] use check_3pid_allowed everywhere @erikjohnston PTAL 2018-01-19 10:33:55 -05:00			`# The user must provide all of the below types of 3PID when registering.`
add registrations_require_3pid lets homeservers specify a whitelist for 3PIDs that users are allowed to associate with. Typically useful for stopping people from registering with non-work emails 2018-01-18 19:19:58 -05:00			`#`
			`# registrations_require_3pid:`
rewrite based on PR feedback: * [ ] split config options into allowed_local_3pids and registrations_require_3pid * [ ] simplify and comment logic for picking registration flows * [ ] fix docstring and move check_3pid_allowed into a new util module * [ ] use check_3pid_allowed everywhere @erikjohnston PTAL 2018-01-19 10:33:55 -05:00			`# - email`
			`# - msisdn`

			`# Mandate that users are only allowed to associate certain formats of`
			`# 3PIDs with accounts on this server.`
			`#`
			`# allowed_local_3pids:`
add registrations_require_3pid lets homeservers specify a whitelist for 3PIDs that users are allowed to associate with. Typically useful for stopping people from registering with non-work emails 2018-01-18 19:19:58 -05:00			`# - medium: email`
			`# pattern: ".*@matrix\\.org"`
			`# - medium: email`
			`# pattern: ".*@vector\\.im"`
			`# - medium: msisdn`
			`# pattern: "\\+44"`

Manually generate the default config yaml, remove most of the commandline arguments for synapse anticipating that people will use the yaml instead. Simpify implementing config options by not requiring the classes to hit the super class 2015-04-29 23:24:44 -04:00			`# If set, allows registration by anyone who also has the shared`
			`# secret, even if registration is otherwise disabled.`
			`registration_shared_secret: "%(registration_shared_secret)s"`
Derive macaroon_secret_key from signing key. Unfortunately, there are people that are running synapse without a `macaroon_sercret_key` set. Mandating they set one is a good solution, except that breaking auto upgrades is annoying. 2016-02-08 11:35:44 -05:00
Add config for how many bcrypt rounds to use for password hashes By default we leave it at the default value of 12. But now we can reduce it for preparing users for loadtests or running integration tests. 2015-10-16 09:52:08 -04:00			`# Set the number of bcrypt rounds used to generate password hash.`
			`# Larger numbers increase the work factor needed to generate the hash.`
spell out not to massively increase bcrypt rounds 2018-03-19 05:27:36 -04:00			`# The default number is 12 (which equates to 2^12 rounds).`
			`# N.B. that increasing this will exponentially increase the time required`
			`# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.`
Add config for how many bcrypt rounds to use for password hashes By default we leave it at the default value of 12. But now we can reduce it for preparing users for loadtests or running integration tests. 2015-10-16 09:52:08 -04:00			`bcrypt_rounds: 12`
Allow guests to register and call /events?room_id= This follows the same flows-based flow as regular registration, but as the only implemented flow has no requirements, it auto-succeeds. In the future, other flows (e.g. captcha) may be required, so clients should treat this like the regular registration flow choices. 2015-11-04 12:29:07 -05:00
			`# Allows users to register as guests without a password/email/etc, and`
			`# participate in rooms hosted on this server which have been made`
			`# accessible to anonymous users.`
			`allow_guest_access: False`
Add config option for setting the trusted id servers, disabling checking the ID server in integration tests 2016-01-29 09:12:26 -05:00
			`# The list of identity servers trusted to verify third party`
			`# identifiers by this server.`
			`trusted_third_party_id_servers:`
			`- matrix.org`
			`- vector.im`
trust a hypothetical future riot.im IS 2017-04-10 12:58:28 -04:00			`- riot.im`
Add config option to auto-join new users to rooms New users who register on the server will be dumped into all rooms in auto_join_rooms in the config. 2017-10-16 12:57:27 -04:00
pep8 2017-10-17 05:13:13 -04:00			`# Users who register on this homeserver will automatically be joined`
			`# to these rooms`
Add config option to auto-join new users to rooms New users who register on the server will be dumped into all rooms in auto_join_rooms in the config. 2017-10-16 12:57:27 -04:00			`#auto_join_rooms:`
			`# - "#example:example.com"`
Manually generate the default config yaml, remove most of the commandline arguments for synapse anticipating that people will use the yaml instead. Simpify implementing config options by not requiring the classes to hit the super class 2015-04-29 23:24:44 -04:00			`""" % locals()`
Allow --enable-registration to be passed on the commandline 2015-04-30 10:04:06 -04:00
			`def add_arguments(self, parser):`
			`reg_group = parser.add_argument_group("registration")`
			`reg_group.add_argument(`
Allow generate-config to run against an existing config file to generate default keys 2015-05-01 08:54:38 -04:00			`"--enable-registration", action="store_true", default=None,`
Allow --enable-registration to be passed on the commandline 2015-04-30 10:04:06 -04:00			`help="Enable registration for new users."`
			`)`

			`def read_arguments(self, args):`
			`if args.enable_registration is not None:`
Rename config field to reflect yaml name 2016-02-03 09:42:01 -05:00			`self.enable_registration = bool(`
Allow --enable-registration to be passed on the commandline 2015-04-30 10:04:06 -04:00			`strtobool(str(args.enable_registration))`
			`)`