Matrix-Mirrors/forked-synapse
1
0
Fork 0
mirror of https://mau.dev/maunium/synapse.git synced 2024-10-01 01:36:05 -04:00
Code Issues Packages Projects Releases Wiki Activity
208251956d
forked-synapse/synapse/handlers/identity.py

308 lines
10 KiB
Python
Raw Normal View History

Regstration with email in v2
2015-04-15 10:50:38 -04:00
# -*- coding: utf-8 -*-
copyrights
2016-01-06 23:26:29 -05:00
# Copyright 2015, 2016 OpenMarket Ltd
Support registration / login with phone number Changes from https://github.com/matrix-org/synapse/pull/1971
2017-03-13 13:27:51 -04:00
# Copyright 2017 Vector Creations Ltd
Hit the 3pid unbind endpoint on deactivation
2018-05-23 09:38:56 -04:00
# Copyright 2018 New Vector Ltd
Regstration with email in v2
2015-04-15 10:50:38 -04:00
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Utilities for interacting with Identity Servers"""
Use simplejson throughout Let's use simplejson rather than json, for consistency.
2018-03-29 17:45:52 -04:00
import logging
Attempt to be more performant on PyPy (#3462)
2018-06-28 09:49:57 -04:00
from canonicaljson import json
Use simplejson throughout Let's use simplejson rather than json, for consistency.
2018-03-29 17:45:52 -04:00
Regstration with email in v2
2015-04-15 10:50:38 -04:00
from twisted.internet import defer
from synapse.api.errors import (
run isort
2018-07-09 02:09:20 -04:00
CodeMessageException,
Codes,
Kill off MatrixCodeMessageException This code brings the SimpleHttpClient into line with the MatrixFederationHttpClient by having it raise HttpResponseExceptions when a request fails (rather than trying to parse for matrix errors and maybe raising MatrixCodeMessageException). Then, whenever we were checking for MatrixCodeMessageException and turning them into SynapseErrors, we now need to check for HttpResponseExceptions and call to_synapse_error.
2018-08-01 10:04:50 -04:00
HttpResponseException,
run isort
2018-07-09 02:09:20 -04:00
SynapseError,
Regstration with email in v2
2015-04-15 10:50:38 -04:00
)
run isort
2018-07-09 02:09:20 -04:00
Regstration with email in v2
2015-04-15 10:50:38 -04:00
from ._base import BaseHandler
logger = logging.getLogger(__name__)
class IdentityHandler(BaseHandler):
def __init__(self, hs):
super(IdentityHandler, self).__init__(hs)
Use CodeMessageException subclass instead Parse json errors from get_json client methods and throw special errors.
2017-04-25 14:30:55 -04:00
self.http_client = hs.get_simple_http_client()
Hit the 3pid unbind endpoint on deactivation
2018-05-23 09:38:56 -04:00
self.federation_http_client = hs.get_http_client()
Reuse a single http client, rather than creating new ones
2015-12-02 06:36:02 -05:00
Add config option for setting the trusted id servers, disabling checking the ID server in integration tests
2016-01-29 09:12:26 -05:00
self.trusted_id_servers = set(hs.config.trusted_third_party_id_servers)
self.trust_any_id_server_just_for_testing_do_not_use = (
hs.config.use_insecure_ssl_client_just_for_testing_do_not_use
)
requestToken update Don't send requestToken request to untrusted ID servers Also correct the THREEPID_IN_USE error to add the M_ prefix. This is a backwards incomaptible change, but the only thing using this is the angular client which is now unmaintained, so it's probably better to just do this now.
2016-06-30 12:51:28 -04:00
def _should_trust_id_server(self, id_server):
if id_server not in self.trusted_id_servers:
if self.trust_any_id_server_just_for_testing_do_not_use:
logger.warn(
"Trusting untrustworthy ID server %r even though it isn't"
" in the trusted id list for testing because"
" 'use_insecure_ssl_client_just_for_testing_do_not_use'"
" is set in the config",
id_server,
)
else:
return False
return True
Regstration with email in v2
2015-04-15 10:50:38 -04:00
@defer.inlineCallbacks
def threepid_from_creds(self, creds):
Accept both camelcase and underscore threepid creds for transition
2015-04-29 10:40:35 -04:00
if 'id_server' in creds:
id_server = creds['id_server']
elif 'idServer' in creds:
id_server = creds['idServer']
else:
raise SynapseError(400, "No id_server in creds")
if 'client_secret' in creds:
client_secret = creds['client_secret']
elif 'clientSecret' in creds:
client_secret = creds['clientSecret']
else:
raise SynapseError(400, "No client_secret in creds")
requestToken update Don't send requestToken request to untrusted ID servers Also correct the THREEPID_IN_USE error to add the M_ prefix. This is a backwards incomaptible change, but the only thing using this is the angular client which is now unmaintained, so it's probably better to just do this now.
2016-06-30 12:51:28 -04:00
if not self._should_trust_id_server(id_server):
logger.warn(
'%s is not a trusted ID server: rejecting 3pid ' +
'credentials', id_server
)
defer.returnValue(None)
Regstration with email in v2
2015-04-15 10:50:38 -04:00
try:
Use CodeMessageException subclass instead Parse json errors from get_json client methods and throw special errors.
2017-04-25 14:30:55 -04:00
data = yield self.http_client.get_json(
Revert accidental commit
2017-04-26 06:43:16 -04:00
"https://%s%s" % (
Accept both camelcase and underscore threepid creds for transition
2015-04-29 10:40:35 -04:00
id_server,
Regstration with email in v2
2015-04-15 10:50:38 -04:00
"/_matrix/identity/api/v1/3pid/getValidated3pid"
),
Accept both camelcase and underscore threepid creds for transition
2015-04-29 10:40:35 -04:00
{'sid': creds['sid'], 'client_secret': client_secret}
Regstration with email in v2
2015-04-15 10:50:38 -04:00
)
Kill off MatrixCodeMessageException This code brings the SimpleHttpClient into line with the MatrixFederationHttpClient by having it raise HttpResponseExceptions when a request fails (rather than trying to parse for matrix errors and maybe raising MatrixCodeMessageException). Then, whenever we were checking for MatrixCodeMessageException and turning them into SynapseErrors, we now need to check for HttpResponseExceptions and call to_synapse_error.
2018-08-01 10:04:50 -04:00
except HttpResponseException as e:
Use CodeMessageException subclass instead Parse json errors from get_json client methods and throw special errors.
2017-04-25 14:30:55 -04:00
logger.info("getValidated3pid failed with Matrix error: %r", e)
Kill off MatrixCodeMessageException This code brings the SimpleHttpClient into line with the MatrixFederationHttpClient by having it raise HttpResponseExceptions when a request fails (rather than trying to parse for matrix errors and maybe raising MatrixCodeMessageException). Then, whenever we were checking for MatrixCodeMessageException and turning them into SynapseErrors, we now need to check for HttpResponseExceptions and call to_synapse_error.
2018-08-01 10:04:50 -04:00
raise e.to_synapse_error()
Regstration with email in v2
2015-04-15 10:50:38 -04:00
if 'medium' in data:
defer.returnValue(data)
Return user ID in use error straight away
2015-04-16 14:56:44 -04:00
defer.returnValue(None)
@defer.inlineCallbacks
def bind_threepid(self, creds, mxid):
logger.debug("binding threepid %r to %s", creds, mxid)
data = None
Accept camelcase + underscores in binding too
2015-04-29 10:57:09 -04:00
if 'id_server' in creds:
id_server = creds['id_server']
elif 'idServer' in creds:
id_server = creds['idServer']
else:
raise SynapseError(400, "No id_server in creds")
if 'client_secret' in creds:
client_secret = creds['client_secret']
elif 'clientSecret' in creds:
client_secret = creds['clientSecret']
else:
raise SynapseError(400, "No client_secret in creds")
Return user ID in use error straight away
2015-04-16 14:56:44 -04:00
try:
Use CodeMessageException subclass instead Parse json errors from get_json client methods and throw special errors.
2017-04-25 14:30:55 -04:00
data = yield self.http_client.post_urlencoded_get_json(
Revert accidental commit
2017-04-26 06:43:16 -04:00
"https://%s%s" % (
Accept camelcase + underscores in binding too
2015-04-29 10:57:09 -04:00
id_server, "/_matrix/identity/api/v1/3pid/bind"
Return user ID in use error straight away
2015-04-16 14:56:44 -04:00
),
{
'sid': creds['sid'],
Accept camelcase + underscores in binding too
2015-04-29 10:57:09 -04:00
'client_secret': client_secret,
Return user ID in use error straight away
2015-04-16 14:56:44 -04:00
'mxid': mxid,
}
)
logger.debug("bound threepid %r to %s", creds, mxid)
Track IS used to bind 3PIDs This will then be used to know which IS to default to when unbinding the threepid.
2019-04-01 05:16:13 -04:00
# Remember where we bound the threepid
yield self.store.add_user_bound_threepid(
user_id=mxid,
medium=data["medium"],
address=data["address"],
id_server=id_server,
)
Return user ID in use error straight away
2015-04-16 14:56:44 -04:00
except CodeMessageException as e:
Kill off MatrixCodeMessageException This code brings the SimpleHttpClient into line with the MatrixFederationHttpClient by having it raise HttpResponseExceptions when a request fails (rather than trying to parse for matrix errors and maybe raising MatrixCodeMessageException). Then, whenever we were checking for MatrixCodeMessageException and turning them into SynapseErrors, we now need to check for HttpResponseExceptions and call to_synapse_error.
2018-08-01 10:04:50 -04:00
data = json.loads(e.msg) # XXX WAT?
pep8
2015-04-17 11:46:45 -04:00
defer.returnValue(data)
Add endpoint that proxies ID server request token and errors if the given email is in use on this Home Server.
2015-08-04 09:37:09 -04:00
Hit the 3pid unbind endpoint on deactivation
2018-05-23 09:38:56 -04:00
@defer.inlineCallbacks
Don't fail requests to unbind 3pids for non supporting ID servers Older identity servers may not support the unbind 3pid request, so we shouldn't fail the requests if we received one of 400/404/501. The request still fails if we receive e.g. 500 responses, allowing clients to retry requests on transient identity server errors that otherwise do support the API. Fixes #3661
2018-08-08 06:54:55 -04:00
def try_unbind_threepid(self, mxid, threepid):
"""Removes a binding from an identity server
docstring
2018-06-04 07:00:51 -04:00
Args:
mxid (str): Matrix user ID of binding to be removed
Fixup docstrings
2019-04-02 06:15:19 -04:00
threepid (dict): Dict with medium & address of binding to be
removed, and an optional id_server.
docstring
2018-06-04 07:00:51 -04:00
Don't fail requests to unbind 3pids for non supporting ID servers Older identity servers may not support the unbind 3pid request, so we shouldn't fail the requests if we received one of 400/404/501. The request still fails if we receive e.g. 500 responses, allowing clients to retry requests on transient identity server errors that otherwise do support the API. Fixes #3661
2018-08-08 06:54:55 -04:00
Raises:
SynapseError: If we failed to contact the identity server
docstring
2018-06-04 07:00:51 -04:00
Returns:
Don't fail requests to unbind 3pids for non supporting ID servers Older identity servers may not support the unbind 3pid request, so we shouldn't fail the requests if we received one of 400/404/501. The request still fails if we receive e.g. 500 responses, allowing clients to retry requests on transient identity server errors that otherwise do support the API. Fixes #3661
2018-08-08 06:54:55 -04:00
Deferred[bool]: True on success, otherwise False if the identity
Fixup docstrings
2019-04-02 06:15:19 -04:00
server doesn't support unbinding (or no identity server found to
contact).
docstring
2018-06-04 07:00:51 -04:00
"""
Allowing specifying IS to use in unbind API. By default the homeserver will use the identity server used during the binding of the 3PID to unbind the 3PID. However, we need to allow clients to explicitly ask the homeserver to unbind via a particular identity server, for the case where the 3PID was bound out of band from the homeserver. Implements MSC915.
2019-04-01 05:21:12 -04:00
if threepid.get("id_server"):
id_servers = [threepid["id_server"]]
else:
id_servers = yield self.store.get_id_servers_user_bound(
user_id=mxid,
medium=threepid["medium"],
address=threepid["address"],
)
For unbind poke IS used during binding of 3PID This changes the behaviour from using the server specified trusted identity server to using the IS that used during the binding of the 3PID, if known. This is the behaviour specified by MSC1915.
2019-04-01 05:18:40 -04:00
# We don't know where to unbind, so we don't have a choice but to return
if not id_servers:
Hit the 3pid unbind endpoint on deactivation
2018-05-23 09:38:56 -04:00
defer.returnValue(False)
comment
2018-05-24 06:19:59 -04:00
For unbind poke IS used during binding of 3PID This changes the behaviour from using the server specified trusted identity server to using the IS that used during the binding of the 3PID, if known. This is the behaviour specified by MSC1915.
2019-04-01 05:18:40 -04:00
changed = True
for id_server in id_servers:
changed &= yield self.try_unbind_threepid_with_id_server(
mxid, threepid, id_server,
)
defer.returnValue(changed)
@defer.inlineCallbacks
def try_unbind_threepid_with_id_server(self, mxid, threepid, id_server):
"""Removes a binding from an identity server
Args:
mxid (str): Matrix user ID of binding to be removed
threepid (dict): Dict with medium & address of binding to be removed
id_server (str): Identity server to unbind from
Raises:
SynapseError: If we failed to contact the identity server
Hit the 3pid unbind endpoint on deactivation
2018-05-23 09:38:56 -04:00
For unbind poke IS used during binding of 3PID This changes the behaviour from using the server specified trusted identity server to using the IS that used during the binding of the 3PID, if known. This is the behaviour specified by MSC1915.
2019-04-01 05:18:40 -04:00
Returns:
Deferred[bool]: True on success, otherwise False if the identity
server doesn't support unbinding
"""
Hit the 3pid unbind endpoint on deactivation
2018-05-23 09:38:56 -04:00
url = "https://%s/_matrix/identity/api/v1/3pid/unbind" % (id_server,)
content = {
"mxid": mxid,
For unbind poke IS used during binding of 3PID This changes the behaviour from using the server specified trusted identity server to using the IS that used during the binding of the 3PID, if known. This is the behaviour specified by MSC1915.
2019-04-01 05:18:40 -04:00
"threepid": {
"medium": threepid["medium"],
"address": threepid["address"],
},
Hit the 3pid unbind endpoint on deactivation
2018-05-23 09:38:56 -04:00
}
sign_request -> build_auth_headers (#4408) Just got very confused about the fact that the headers are only an output, not an input.
2019-01-17 07:40:09 -05:00
Hit the 3pid unbind endpoint on deactivation
2018-05-23 09:38:56 -04:00
# we abuse the federation http client to sign the request, but we have to send it
# using the normal http client since we don't want the SRV lookup and want normal
# 'browser-like' HTTPS.
sign_request -> build_auth_headers (#4408) Just got very confused about the fact that the headers are only an output, not an input.
2019-01-17 07:40:09 -05:00
auth_headers = self.federation_http_client.build_auth_headers(
Hit the 3pid unbind endpoint on deactivation
2018-05-23 09:38:56 -04:00
destination=None,
method='POST',
url_bytes='/_matrix/identity/api/v1/3pid/unbind'.encode('ascii'),
content=content,
destination_is=id_server,
)
sign_request -> build_auth_headers (#4408) Just got very confused about the fact that the headers are only an output, not an input.
2019-01-17 07:40:09 -05:00
headers = {
b"Authorization": auth_headers,
}
Don't fail requests to unbind 3pids for non supporting ID servers Older identity servers may not support the unbind 3pid request, so we shouldn't fail the requests if we received one of 400/404/501. The request still fails if we receive e.g. 500 responses, allowing clients to retry requests on transient identity server errors that otherwise do support the API. Fixes #3661
2018-08-08 06:54:55 -04:00
try:
yield self.http_client.post_json_get_json(
url,
content,
headers,
)
Remove threepid binding if id server returns 400/404/501
2019-04-02 06:16:57 -04:00
changed = True
Don't fail requests to unbind 3pids for non supporting ID servers Older identity servers may not support the unbind 3pid request, so we shouldn't fail the requests if we received one of 400/404/501. The request still fails if we receive e.g. 500 responses, allowing clients to retry requests on transient identity server errors that otherwise do support the API. Fixes #3661
2018-08-08 06:54:55 -04:00
except HttpResponseException as e:
Remove threepid binding if id server returns 400/404/501
2019-04-02 06:16:57 -04:00
changed = False
Don't fail requests to unbind 3pids for non supporting ID servers Older identity servers may not support the unbind 3pid request, so we shouldn't fail the requests if we received one of 400/404/501. The request still fails if we receive e.g. 500 responses, allowing clients to retry requests on transient identity server errors that otherwise do support the API. Fixes #3661
2018-08-08 06:54:55 -04:00
if e.code in (400, 404, 501,):
# The remote server probably doesn't support unbinding (yet)
Log when we 3pid/unbind request fails
2018-08-09 05:09:56 -04:00
logger.warn("Received %d response while unbinding threepid", e.code)
Don't fail requests to unbind 3pids for non supporting ID servers Older identity servers may not support the unbind 3pid request, so we shouldn't fail the requests if we received one of 400/404/501. The request still fails if we receive e.g. 500 responses, allowing clients to retry requests on transient identity server errors that otherwise do support the API. Fixes #3661
2018-08-08 06:54:55 -04:00
else:
Log when we 3pid/unbind request fails
2018-08-09 05:09:56 -04:00
logger.error("Failed to unbind threepid on identity server: %s", e)
Don't fail requests to unbind 3pids for non supporting ID servers Older identity servers may not support the unbind 3pid request, so we shouldn't fail the requests if we received one of 400/404/501. The request still fails if we receive e.g. 500 responses, allowing clients to retry requests on transient identity server errors that otherwise do support the API. Fixes #3661
2018-08-08 06:54:55 -04:00
raise SynapseError(502, "Failed to contact identity server")
Remove threepid binding if id server returns 400/404/501
2019-04-02 06:16:57 -04:00
yield self.store.remove_user_bound_threepid(
user_id=mxid,
medium=threepid["medium"],
address=threepid["address"],
id_server=id_server,
)
defer.returnValue(changed)
Hit the 3pid unbind endpoint on deactivation
2018-05-23 09:38:56 -04:00
Add endpoint that proxies ID server request token and errors if the given email is in use on this Home Server.
2015-08-04 09:37:09 -04:00
@defer.inlineCallbacks
def requestEmailToken(self, id_server, email, client_secret, send_attempt, **kwargs):
requestToken update Don't send requestToken request to untrusted ID servers Also correct the THREEPID_IN_USE error to add the M_ prefix. This is a backwards incomaptible change, but the only thing using this is the angular client which is now unmaintained, so it's probably better to just do this now.
2016-06-30 12:51:28 -04:00
if not self._should_trust_id_server(id_server):
raise SynapseError(
400, "Untrusted ID server '%s'" % id_server,
Codes.SERVER_NOT_TRUSTED
)
Add endpoint that proxies ID server request token and errors if the given email is in use on this Home Server.
2015-08-04 09:37:09 -04:00
params = {
'email': email,
'client_secret': client_secret,
'send_attempt': send_attempt,
}
params.update(kwargs)
try:
Use CodeMessageException subclass instead Parse json errors from get_json client methods and throw special errors.
2017-04-25 14:30:55 -04:00
data = yield self.http_client.post_json_get_json(
Revert accidental commit
2017-04-26 06:43:16 -04:00
"https://%s%s" % (
Add endpoint that proxies ID server request token and errors if the given email is in use on this Home Server.
2015-08-04 09:37:09 -04:00
id_server,
"/_matrix/identity/api/v1/validate/email/requestToken"
),
params
)
defer.returnValue(data)
Kill off MatrixCodeMessageException This code brings the SimpleHttpClient into line with the MatrixFederationHttpClient by having it raise HttpResponseExceptions when a request fails (rather than trying to parse for matrix errors and maybe raising MatrixCodeMessageException). Then, whenever we were checking for MatrixCodeMessageException and turning them into SynapseErrors, we now need to check for HttpResponseExceptions and call to_synapse_error.
2018-08-01 10:04:50 -04:00
except HttpResponseException as e:
Add endpoint that proxies ID server request token and errors if the given email is in use on this Home Server.
2015-08-04 09:37:09 -04:00
logger.info("Proxied requestToken failed: %r", e)
Kill off MatrixCodeMessageException This code brings the SimpleHttpClient into line with the MatrixFederationHttpClient by having it raise HttpResponseExceptions when a request fails (rather than trying to parse for matrix errors and maybe raising MatrixCodeMessageException). Then, whenever we were checking for MatrixCodeMessageException and turning them into SynapseErrors, we now need to check for HttpResponseExceptions and call to_synapse_error.
2018-08-01 10:04:50 -04:00
raise e.to_synapse_error()
Support registration / login with phone number Changes from https://github.com/matrix-org/synapse/pull/1971
2017-03-13 13:27:51 -04:00
@defer.inlineCallbacks
def requestMsisdnToken(
self, id_server, country, phone_number,
client_secret, send_attempt, **kwargs
):
if not self._should_trust_id_server(id_server):
raise SynapseError(
400, "Untrusted ID server '%s'" % id_server,
Codes.SERVER_NOT_TRUSTED
)
params = {
'country': country,
'phone_number': phone_number,
'client_secret': client_secret,
'send_attempt': send_attempt,
}
params.update(kwargs)
try:
Use CodeMessageException subclass instead Parse json errors from get_json client methods and throw special errors.
2017-04-25 14:30:55 -04:00
data = yield self.http_client.post_json_get_json(
Revert accidental commit
2017-04-26 06:43:16 -04:00
"https://%s%s" % (
Support registration / login with phone number Changes from https://github.com/matrix-org/synapse/pull/1971
2017-03-13 13:27:51 -04:00
id_server,
"/_matrix/identity/api/v1/validate/msisdn/requestToken"
),
params
)
defer.returnValue(data)
Kill off MatrixCodeMessageException This code brings the SimpleHttpClient into line with the MatrixFederationHttpClient by having it raise HttpResponseExceptions when a request fails (rather than trying to parse for matrix errors and maybe raising MatrixCodeMessageException). Then, whenever we were checking for MatrixCodeMessageException and turning them into SynapseErrors, we now need to check for HttpResponseExceptions and call to_synapse_error.
2018-08-01 10:04:50 -04:00
except HttpResponseException as e:
Support registration / login with phone number Changes from https://github.com/matrix-org/synapse/pull/1971
2017-03-13 13:27:51 -04:00
logger.info("Proxied requestToken failed: %r", e)
Kill off MatrixCodeMessageException This code brings the SimpleHttpClient into line with the MatrixFederationHttpClient by having it raise HttpResponseExceptions when a request fails (rather than trying to parse for matrix errors and maybe raising MatrixCodeMessageException). Then, whenever we were checking for MatrixCodeMessageException and turning them into SynapseErrors, we now need to check for HttpResponseExceptions and call to_synapse_error.
2018-08-01 10:04:50 -04:00
raise e.to_synapse_error()
Reference in New Issue Copy Permalink