Matrix-Mirrors/forked-synapse
1
0
Fork 0
mirror of https://mau.dev/maunium/synapse.git synced 2024-10-01 01:36:05 -04:00
Code Issues Packages Projects Releases Wiki Activity
1db9282dfa
forked-synapse/synapse/rest/client/auth.py

185 lines
7.0 KiB
Python
Raw Normal View History

copyrights
2016-01-06 23:26:29 -05:00
# Copyright 2015, 2016 OpenMarket Ltd
Completely replace fallback auth for C/S V2: * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 10:05:30 -04:00
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
run isort
2018-07-09 02:09:20 -04:00
import logging
Combine the SSO Redirect Servlets (#9015) * Implement CasHandler.handle_redirect_request ... to make it match OidcHandler and SamlHandler * Clean up interface for OidcHandler.handle_redirect_request Make it accept `client_redirect_url=None`. * Clean up interface for `SamlHandler.handle_redirect_request` ... bring it into line with CAS and OIDC by making it take a Request parameter, move the magic for `client_redirect_url` for UIA into the handler, and fix the return type to be a `str` rather than a `bytes`. * Define a common protocol for SSO auth provider impls * Give SsoIdentityProvider an ID and register them * Combine the SSO Redirect servlets Now that the SsoHandler knows about the identity providers, we can combine the various *RedirectServlets into a single implementation which delegates to the right IdP. * changelog
2021-01-04 13:13:49 -05:00
from typing import TYPE_CHECKING
run isort
2018-07-09 02:09:20 -04:00
Additional type hints for REST servlets (part 2). (#10674) Applies the changes from #10665 to additional modules.
2021-08-26 07:53:52 -04:00
from twisted.web.server import Request
Completely replace fallback auth for C/S V2: * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 10:05:30 -04:00
from synapse.api.constants import LoginType
Display an error page during failure of fallback UIA. (#10561)
2021-08-18 08:13:35 -04:00
from synapse.api.errors import LoginError, SynapseError
Drop support for v2_alpha API prefix (#5190)
2019-05-15 12:37:46 -04:00
from synapse.api.urls import CLIENT_API_PREFIX
Additional type hints for REST servlets (part 2). (#10674) Applies the changes from #10665 to additional modules.
2021-08-26 07:53:52 -04:00
from synapse.http.server import HttpServer, respond_with_html
Fix fallback auth on Python 3 (#4197)
2018-11-19 13:27:33 -05:00
from synapse.http.servlet import RestServlet, parse_string
Additional type hints for REST servlets (part 2). (#10674) Applies the changes from #10665 to additional modules.
2021-08-26 07:53:52 -04:00
from synapse.http.site import SynapseRequest
Completely replace fallback auth for C/S V2: * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 10:05:30 -04:00
Unify v1 and v2 REST client APIs (#5226)
2019-06-03 07:28:59 -04:00
from ._base import client_patterns
Completely replace fallback auth for C/S V2: * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 10:05:30 -04:00
Combine the SSO Redirect Servlets (#9015) * Implement CasHandler.handle_redirect_request ... to make it match OidcHandler and SamlHandler * Clean up interface for OidcHandler.handle_redirect_request Make it accept `client_redirect_url=None`. * Clean up interface for `SamlHandler.handle_redirect_request` ... bring it into line with CAS and OIDC by making it take a Request parameter, move the magic for `client_redirect_url` for UIA into the handler, and fix the return type to be a `str` rather than a `bytes`. * Define a common protocol for SSO auth provider impls * Give SsoIdentityProvider an ID and register them * Combine the SSO Redirect servlets Now that the SsoHandler knows about the identity providers, we can combine the various *RedirectServlets into a single implementation which delegates to the right IdP. * changelog
2021-01-04 13:13:49 -05:00
if TYPE_CHECKING:
from synapse.server import HomeServer
Completely replace fallback auth for C/S V2: * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 10:05:30 -04:00
logger = logging.getLogger(__name__)
pep8
2015-04-02 12:06:17 -04:00
Completely replace fallback auth for C/S V2: * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 10:05:30 -04:00
class AuthRestServlet(RestServlet):
"""
Handles Client / Server API authentication in any situations where it
cannot be handled in the normal flow (with requests to the same endpoint).
Current use is for web fallback auth.
"""
Run Black. (#5482)
2019-06-20 05:32:02 -04:00
Unify v1 and v2 REST client APIs (#5226)
2019-06-03 07:28:59 -04:00
PATTERNS = client_patterns(r"/auth/(?P<stagetype>[\w\.]*)/fallback/web")
Completely replace fallback auth for C/S V2: * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 10:05:30 -04:00
Combine the SSO Redirect Servlets (#9015) * Implement CasHandler.handle_redirect_request ... to make it match OidcHandler and SamlHandler * Clean up interface for OidcHandler.handle_redirect_request Make it accept `client_redirect_url=None`. * Clean up interface for `SamlHandler.handle_redirect_request` ... bring it into line with CAS and OIDC by making it take a Request parameter, move the magic for `client_redirect_url` for UIA into the handler, and fix the return type to be a `str` rather than a `bytes`. * Define a common protocol for SSO auth provider impls * Give SsoIdentityProvider an ID and register them * Combine the SSO Redirect servlets Now that the SsoHandler knows about the identity providers, we can combine the various *RedirectServlets into a single implementation which delegates to the right IdP. * changelog
2021-01-04 13:13:49 -05:00
def __init__(self, hs: "HomeServer"):
Simplify super() calls to Python 3 syntax. (#8344) This converts calls like super(Foo, self) -> super(). Generated with: sed -i "" -Ee 's/super\([^\(]+\)/super()/g' **/*.py
2020-09-18 09:56:44 -04:00
super().__init__()
Completely replace fallback auth for C/S V2: * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 10:05:30 -04:00
self.hs = hs
self.auth = hs.get_auth()
Split out the auth handler
2016-06-02 08:31:45 -04:00
self.auth_handler = hs.get_auth_handler()
Fix registration on workers (#4682) * Move RegistrationHandler init to HomeServer * Move post registration actions to RegistrationHandler * Add post regisration replication endpoint * Newsfile
2019-02-20 02:47:31 -05:00
self.registration_handler = hs.get_registration_handler()
Use direct references for some configuration variables (part 3) (#10885) This avoids the overhead of searching through the various configuration classes by directly referencing the class that the attributes are in. It also improves type hints since mypy can now resolve the types of the configuration variables.
2021-09-23 07:13:34 -04:00
self.recaptcha_template = hs.config.captcha.recaptcha_template
Require direct references to configuration variables. (#10985) This removes the magic allowing accessing configurable variables directly from the config object. It is now required that a specific configuration class is used (e.g. `config.foo` must be replaced with `config.server.foo`).
2021-10-06 10:47:41 -04:00
self.terms_template = hs.config.consent.terms_template
Use direct references for configuration variables (part 7). (#10959)
2021-10-04 07:18:54 -04:00
self.registration_token_template = (
hs.config.registration.registration_token_template
)
self.success_template = hs.config.registration.fallback_success_template
Convert additional templates to Jinja (#8444) This converts a few more of our inline HTML templates to Jinja. This is somewhat part of #7280 and should make it a bit easier to customize these in the future.
2020-10-02 06:15:53 -04:00
Additional type hints for REST servlets (part 2). (#10674) Applies the changes from #10665 to additional modules.
2021-08-26 07:53:52 -04:00
async def on_GET(self, request: SynapseRequest, stagetype: str) -> None:
Fix fallback auth on Python 3 (#4197)
2018-11-19 13:27:33 -05:00
session = parse_string(request, "session")
if not session:
raise SynapseError(400, "No session supplied")
Completely replace fallback auth for C/S V2: * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 10:05:30 -04:00
Fix fallback auth on Python 3 (#4197)
2018-11-19 13:27:33 -05:00
if stagetype == LoginType.RECAPTCHA:
Convert additional templates to Jinja (#8444) This converts a few more of our inline HTML templates to Jinja. This is somewhat part of #7280 and should make it a bit easier to customize these in the future.
2020-10-02 06:15:53 -04:00
html = self.recaptcha_template.render(
session=session,
myurl="%s/r0/auth/%s/fallback/web"
Run Black. (#5482)
2019-06-20 05:32:02 -04:00
% (CLIENT_API_PREFIX, LoginType.RECAPTCHA),
Use direct references for some configuration variables (part 3) (#10885) This avoids the overhead of searching through the various configuration classes by directly referencing the class that the attributes are in. It also improves type hints since mypy can now resolve the types of the configuration variables.
2021-09-23 07:13:34 -04:00
sitekey=self.hs.config.captcha.recaptcha_public_key,
Convert additional templates to Jinja (#8444) This converts a few more of our inline HTML templates to Jinja. This is somewhat part of #7280 and should make it a bit easier to customize these in the future.
2020-10-02 06:15:53 -04:00
)
Incorporate Dave's work for GDPR login flows As per https://github.com/vector-im/riot-web/issues/7168#issuecomment-419996117
2018-09-27 16:53:58 -04:00
elif stagetype == LoginType.TERMS:
Convert additional templates to Jinja (#8444) This converts a few more of our inline HTML templates to Jinja. This is somewhat part of #7280 and should make it a bit easier to customize these in the future.
2020-10-02 06:15:53 -04:00
html = self.terms_template.render(
session=session,
terms_url="%s_matrix/consent?v=%s"
Use direct references for some configuration variables (#10798) Instead of proxying through the magic getter of the RootConfig object. This should be more performant (and is more explicit).
2021-09-13 13:07:12 -04:00
% (
self.hs.config.server.public_baseurl,
Use direct references for some configuration variables (part 3) (#10885) This avoids the overhead of searching through the various configuration classes by directly referencing the class that the attributes are in. It also improves type hints since mypy can now resolve the types of the configuration variables.
2021-09-23 07:13:34 -04:00
self.hs.config.consent.user_consent_version,
Use direct references for some configuration variables (#10798) Instead of proxying through the magic getter of the RootConfig object. This should be more performant (and is more explicit).
2021-09-13 13:07:12 -04:00
),
Convert additional templates to Jinja (#8444) This converts a few more of our inline HTML templates to Jinja. This is somewhat part of #7280 and should make it a bit easier to customize these in the future.
2020-10-02 06:15:53 -04:00
myurl="%s/r0/auth/%s/fallback/web"
Run Black. (#5482)
2019-06-20 05:32:02 -04:00
% (CLIENT_API_PREFIX, LoginType.TERMS),
Convert additional templates to Jinja (#8444) This converts a few more of our inline HTML templates to Jinja. This is somewhat part of #7280 and should make it a bit easier to customize these in the future.
2020-10-02 06:15:53 -04:00
)
Support SAML in the user interactive authentication workflow. (#7102)
2020-04-01 08:48:00 -04:00
Support CAS in UI Auth flows. (#7186)
2020-04-03 15:35:05 -04:00
elif stagetype == LoginType.SSO:
Support SAML in the user interactive authentication workflow. (#7102)
2020-04-01 08:48:00 -04:00
# Display a confirmation page which prompts the user to
# re-authenticate with their SSO provider.
UI Auth via SSO: redirect the user to an appropriate SSO. (#9081) If we have integrations with multiple identity providers, when the user does a UI Auth, we need to redirect them to the right one. There are a few steps to this. First of all we actually need to store the userid of the user we are trying to validate in the UIA session, since the /auth/sso/fallback/web request is unauthenticated. Then, once we get the /auth/sso/fallback/web request, we can fish the user id out of the session, and use it to look up the external id mappings, and hence pick an SSO provider for them.
2021-01-12 12:38:03 -05:00
html = await self.auth_handler.start_sso_ui_auth(request, session)
Support CAS in UI Auth flows. (#7186)
2020-04-03 15:35:05 -04:00
Implement MSC3231: Token authenticated registration (#10142) Signed-off-by: Callum Brown <callum@calcuode.com> This is part of my GSoC project implementing [MSC3231](https://github.com/matrix-org/matrix-doc/pull/3231).
2021-08-21 17:14:43 -04:00
elif stagetype == LoginType.REGISTRATION_TOKEN:
html = self.registration_token_template.render(
session=session,
myurl=f"{CLIENT_API_PREFIX}/r0/auth/{LoginType.REGISTRATION_TOKEN}/fallback/web",
)
Completely replace fallback auth for C/S V2: * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 10:05:30 -04:00
else:
raise SynapseError(404, "Unknown auth stage type")
Clean-up some auth/login REST code (#7115)
2020-03-20 16:22:47 -04:00
# Render the HTML and return.
Ensure that HTML pages served from Synapse include headers to avoid embedding.
2020-07-01 09:10:23 -04:00
respond_with_html(request, 200, html)
Clean-up some auth/login REST code (#7115)
2020-03-20 16:22:47 -04:00
return None
Additional type hints for REST servlets (part 2). (#10674) Applies the changes from #10665 to additional modules.
2021-08-26 07:53:52 -04:00
async def on_POST(self, request: Request, stagetype: str) -> None:
Fix fallback auth on Python 3 (#4197)
2018-11-19 13:27:33 -05:00
session = parse_string(request, "session")
if not session:
raise SynapseError(400, "No session supplied")
Flesh out the fallback auth for terms
2018-10-03 17:54:19 -04:00
if stagetype == LoginType.RECAPTCHA:
Fix fallback auth on Python 3 (#4197)
2018-11-19 13:27:33 -05:00
response = parse_string(request, "g-recaptcha-response")
Completely replace fallback auth for C/S V2: * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 10:05:30 -04:00
Fix fallback auth on Python 3 (#4197)
2018-11-19 13:27:33 -05:00
if not response:
raise SynapseError(400, "No captcha response supplied")
Completely replace fallback auth for C/S V2: * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 10:05:30 -04:00
Run Black. (#5482)
2019-06-20 05:32:02 -04:00
authdict = {"response": response, "session": session}
Completely replace fallback auth for C/S V2: * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 10:05:30 -04:00
Display an error page during failure of fallback UIA. (#10561)
2021-08-18 08:13:35 -04:00
try:
await self.auth_handler.add_oob_auth(
LoginType.RECAPTCHA, authdict, request.getClientIP()
)
except LoginError as e:
# Authentication failed, let user try again
Convert additional templates to Jinja (#8444) This converts a few more of our inline HTML templates to Jinja. This is somewhat part of #7280 and should make it a bit easier to customize these in the future.
2020-10-02 06:15:53 -04:00
html = self.recaptcha_template.render(
session=session,
myurl="%s/r0/auth/%s/fallback/web"
Run Black. (#5482)
2019-06-20 05:32:02 -04:00
% (CLIENT_API_PREFIX, LoginType.RECAPTCHA),
Use direct references for some configuration variables (part 3) (#10885) This avoids the overhead of searching through the various configuration classes by directly referencing the class that the attributes are in. It also improves type hints since mypy can now resolve the types of the configuration variables.
2021-09-23 07:13:34 -04:00
sitekey=self.hs.config.captcha.recaptcha_public_key,
Display an error page during failure of fallback UIA. (#10561)
2021-08-18 08:13:35 -04:00
error=e.msg,
Convert additional templates to Jinja (#8444) This converts a few more of our inline HTML templates to Jinja. This is somewhat part of #7280 and should make it a bit easier to customize these in the future.
2020-10-02 06:15:53 -04:00
)
Display an error page during failure of fallback UIA. (#10561)
2021-08-18 08:13:35 -04:00
else:
# No LoginError was raised, so authentication was successful
html = self.success_template.render()
Flesh out the fallback auth for terms
2018-10-03 17:54:19 -04:00
elif stagetype == LoginType.TERMS:
Run Black. (#5482)
2019-06-20 05:32:02 -04:00
authdict = {"session": session}
Flesh out the fallback auth for terms
2018-10-03 17:54:19 -04:00
Display an error page during failure of fallback UIA. (#10561)
2021-08-18 08:13:35 -04:00
try:
await self.auth_handler.add_oob_auth(
LoginType.TERMS, authdict, request.getClientIP()
)
except LoginError as e:
# Authentication failed, let user try again
Convert additional templates to Jinja (#8444) This converts a few more of our inline HTML templates to Jinja. This is somewhat part of #7280 and should make it a bit easier to customize these in the future.
2020-10-02 06:15:53 -04:00
html = self.terms_template.render(
session=session,
terms_url="%s_matrix/consent?v=%s"
Run Black. (#5482)
2019-06-20 05:32:02 -04:00
% (
Use direct references for some configuration variables (#10798) Instead of proxying through the magic getter of the RootConfig object. This should be more performant (and is more explicit).
2021-09-13 13:07:12 -04:00
self.hs.config.server.public_baseurl,
Use direct references for some configuration variables (part 3) (#10885) This avoids the overhead of searching through the various configuration classes by directly referencing the class that the attributes are in. It also improves type hints since mypy can now resolve the types of the configuration variables.
2021-09-23 07:13:34 -04:00
self.hs.config.consent.user_consent_version,
Flesh out the fallback auth for terms
2018-10-03 17:54:19 -04:00
),
Convert additional templates to Jinja (#8444) This converts a few more of our inline HTML templates to Jinja. This is somewhat part of #7280 and should make it a bit easier to customize these in the future.
2020-10-02 06:15:53 -04:00
myurl="%s/r0/auth/%s/fallback/web"
Run Black. (#5482)
2019-06-20 05:32:02 -04:00
% (CLIENT_API_PREFIX, LoginType.TERMS),
Display an error page during failure of fallback UIA. (#10561)
2021-08-18 08:13:35 -04:00
error=e.msg,
Convert additional templates to Jinja (#8444) This converts a few more of our inline HTML templates to Jinja. This is somewhat part of #7280 and should make it a bit easier to customize these in the future.
2020-10-02 06:15:53 -04:00
)
Display an error page during failure of fallback UIA. (#10561)
2021-08-18 08:13:35 -04:00
else:
# No LoginError was raised, so authentication was successful
html = self.success_template.render()
Support SAML in the user interactive authentication workflow. (#7102)
2020-04-01 08:48:00 -04:00
elif stagetype == LoginType.SSO:
# The SSO fallback workflow should not post here,
raise SynapseError(404, "Fallback SSO auth does not support POST requests.")
Display an error page during failure of fallback UIA. (#10561)
2021-08-18 08:13:35 -04:00
Implement MSC3231: Token authenticated registration (#10142) Signed-off-by: Callum Brown <callum@calcuode.com> This is part of my GSoC project implementing [MSC3231](https://github.com/matrix-org/matrix-doc/pull/3231).
2021-08-21 17:14:43 -04:00
elif stagetype == LoginType.REGISTRATION_TOKEN:
token = parse_string(request, "token", required=True)
authdict = {"session": session, "token": token}
try:
await self.auth_handler.add_oob_auth(
LoginType.REGISTRATION_TOKEN, authdict, request.getClientIP()
)
except LoginError as e:
html = self.registration_token_template.render(
session=session,
myurl=f"{CLIENT_API_PREFIX}/r0/auth/{LoginType.REGISTRATION_TOKEN}/fallback/web",
error=e.msg,
)
else:
html = self.success_template.render()
Completely replace fallback auth for C/S V2: * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 10:05:30 -04:00
else:
raise SynapseError(404, "Unknown auth stage type")
Clean-up some auth/login REST code (#7115)
2020-03-20 16:22:47 -04:00
# Render the HTML and return.
Ensure that HTML pages served from Synapse include headers to avoid embedding.
2020-07-01 09:10:23 -04:00
respond_with_html(request, 200, html)
Clean-up some auth/login REST code (#7115)
2020-03-20 16:22:47 -04:00
return None
Completely replace fallback auth for C/S V2: * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 10:05:30 -04:00
Additional type hints for REST servlets (part 2). (#10674) Applies the changes from #10665 to additional modules.
2021-08-26 07:53:52 -04:00
def register_servlets(hs: "HomeServer", http_server: HttpServer) -> None:
Completely replace fallback auth for C/S V2: * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 10:05:30 -04:00
AuthRestServlet(hs).register(http_server)
Reference in New Issue Copy Permalink