forked-synapse/synapse/config/auth.py

# Copyright 2015, 2016 OpenMarket Ltd
# Copyright 2020 The Matrix.org Foundation C.I.C.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

from ._base import Config


class AuthConfig(Config):
    """Password and login configuration"""

    section = "auth"

    def read_config(self, config, **kwargs):
        password_config = config.get("password_config", {})
        if password_config is None:
            password_config = {}

        self.password_enabled = password_config.get("enabled", True)
        self.password_localdb_enabled = password_config.get("localdb_enabled", True)
        self.password_pepper = password_config.get("pepper", "")

        # Password policy
        self.password_policy = password_config.get("policy") or {}
        self.password_policy_enabled = self.password_policy.get("enabled", False)

        # User-interactive authentication
        ui_auth = config.get("ui_auth") or {}
        self.ui_auth_session_timeout = self.parse_duration(
            ui_auth.get("session_timeout", 0)
        )

    def generate_config_section(self, config_dir_path, server_name, **kwargs):
        return """\
        password_config:
           # Uncomment to disable password login
           #
           #enabled: false

           # Uncomment to disable authentication against the local password
           # database. This is ignored if `enabled` is false, and is only useful
           # if you have other password_providers.
           #
           #localdb_enabled: false

           # Uncomment and change to a secret random string for extra security.
           # DO NOT CHANGE THIS AFTER INITIAL SETUP!
           #
           #pepper: "EVEN_MORE_SECRET"

           # Define and enforce a password policy. Each parameter is optional.
           # This is an implementation of MSC2000.
           #
           policy:
              # Whether to enforce the password policy.
              # Defaults to 'false'.
              #
              #enabled: true

              # Minimum accepted length for a password.
              # Defaults to 0.
              #
              #minimum_length: 15

              # Whether a password must contain at least one digit.
              # Defaults to 'false'.
              #
              #require_digit: true

              # Whether a password must contain at least one symbol.
              # A symbol is any character that's not a number or a letter.
              # Defaults to 'false'.
              #
              #require_symbol: true

              # Whether a password must contain at least one lowercase letter.
              # Defaults to 'false'.
              #
              #require_lowercase: true

              # Whether a password must contain at least one uppercase letter.
              # Defaults to 'false'.
              #
              #require_uppercase: true

        ui_auth:
            # The amount of time to allow a user-interactive authentication session
            # to be active.
            #
            # This defaults to 0, meaning the user is queried for their credentials
            # before every action, but this can be overridden to allow a single
            # validation to be re-used.  This weakens the protections afforded by
            # the user-interactive authentication process, by allowing for multiple
            # (and potentially different) operations to use the same validation session.
            #
            # This is ignored for potentially "dangerous" operations (including
            # deactivating an account, modifying an account password, and
            # adding a 3PID).
            #
            # Uncomment below to allow for credential validation to last for 15
            # seconds.
            #
            #session_timeout: "15s"
        """
copyrights 2016-01-06 23:26:29 -05:00			`# Copyright 2015, 2016 OpenMarket Ltd`
Allow re-using a UI auth validation for a period of time (#8970) 2020-12-18 07:33:57 -05:00			`# Copyright 2020 The Matrix.org Foundation C.I.C.`
Add config option to disable password login 2015-10-22 05:37:04 -04:00			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

			`from ._base import Config`


Allow re-using a UI auth validation for a period of time (#8970) 2020-12-18 07:33:57 -05:00			`class AuthConfig(Config):`
			`"""Password and login configuration"""`
Add config option to disable password login 2015-10-22 05:37:04 -04:00
Allow re-using a UI auth validation for a period of time (#8970) 2020-12-18 07:33:57 -05:00			`section = "auth"`
Refactor HomeserverConfig so it can be typechecked (#6137) 2019-10-10 04:39:35 -04:00
Pass config_dir_path and data_dir_path into Config.read_config. (#5522) * Pull config_dir_path and data_dir_path calculation out of read_config_files * Pass config_dir_path and data_dir_path into read_config 2019-06-24 06:34:45 -04:00			`def read_config(self, config, **kwargs):`
Add config option to disable password login 2015-10-22 05:37:04 -04:00			`password_config = config.get("password_config", {})`
Comment out most options in the generated config. (#4863) Make it so that most options in the config are optional, and commented out in the generated config. The reasons this is a good thing are as follows: * If we decide that we should change the default for an option, we can do so, and only those admins that have deliberately chosen to override that option will be stuck on the old setting. * It moves us towards a point where we can get rid of the super-surprising feature of synapse where the default settings for the config come from the generated yaml. * It makes setting up a test config for unit testing an order of magnitude easier (see forthcoming PR). * It makes the generated config more consistent, and hopefully easier for users to understand. 2019-03-19 06:06:40 -04:00			`if password_config is None:`
			`password_config = {}`

Add config option to disable password login 2015-10-22 05:37:04 -04:00			`self.password_enabled = password_config.get("enabled", True)`
Added possibilty to disable local password authentication (#5092) Signed-off-by: Daniel Hoffend <dh@dotlan.net> 2019-06-27 13:37:29 -04:00			`self.password_localdb_enabled = password_config.get("localdb_enabled", True)`
Fix password config 2016-07-05 06:12:53 -04:00			`self.password_pepper = password_config.get("pepper", "")`
Add config option to disable password login 2015-10-22 05:37:04 -04:00
Allow server admins to define and enforce a password policy (MSC2000). (#7118) 2020-03-26 12:51:13 -04:00			`# Password policy`
			`self.password_policy = password_config.get("policy") or {}`
			`self.password_policy_enabled = self.password_policy.get("enabled", False)`

Allow re-using a UI auth validation for a period of time (#8970) 2020-12-18 07:33:57 -05:00			`# User-interactive authentication`
			`ui_auth = config.get("ui_auth") or {}`
Parse ui_auth.session_timeout as a duration (instead of treating it as ms) (#9426) 2021-02-18 09:18:14 -05:00			`self.ui_auth_session_timeout = self.parse_duration(`
			`ui_auth.get("session_timeout", 0)`
			`)`
Allow re-using a UI auth validation for a period of time (#8970) 2020-12-18 07:33:57 -05:00
Don't load the generated config as the default. It's too confusing. 2019-06-21 19:00:20 -04:00			`def generate_config_section(self, config_dir_path, server_name, **kwargs):`
Comment out most options in the generated config. (#4863) Make it so that most options in the config are optional, and commented out in the generated config. The reasons this is a good thing are as follows: * If we decide that we should change the default for an option, we can do so, and only those admins that have deliberately chosen to override that option will be stuck on the old setting. * It moves us towards a point where we can get rid of the super-surprising feature of synapse where the default settings for the config come from the generated yaml. * It makes setting up a test config for unit testing an order of magnitude easier (see forthcoming PR). * It makes the generated config more consistent, and hopefully easier for users to understand. 2019-03-19 06:06:40 -04:00			`return """\`
Add config option to disable password login 2015-10-22 05:37:04 -04:00			`password_config:`
Comment out most options in the generated config. (#4863) Make it so that most options in the config are optional, and commented out in the generated config. The reasons this is a good thing are as follows: * If we decide that we should change the default for an option, we can do so, and only those admins that have deliberately chosen to override that option will be stuck on the old setting. * It moves us towards a point where we can get rid of the super-surprising feature of synapse where the default settings for the config come from the generated yaml. * It makes setting up a test config for unit testing an order of magnitude easier (see forthcoming PR). * It makes the generated config more consistent, and hopefully easier for users to understand. 2019-03-19 06:06:40 -04:00			`# Uncomment to disable password login`
			`#`
			`#enabled: false`

Added possibilty to disable local password authentication (#5092) Signed-off-by: Daniel Hoffend <dh@dotlan.net> 2019-06-27 13:37:29 -04:00			`# Uncomment to disable authentication against the local password`
			# database. This is ignored if `enabled` is false, and is only useful
			`# if you have other password_providers.`
			`#`
			`#localdb_enabled: false`

Update password config comment Signed-off-by: Kent Shikama <kent@kentshikama.com> 2016-07-05 23:18:19 -04:00			`# Uncomment and change to a secret random string for extra security.`
Add pepper to password hashing Signed-off-by: Kent Shikama <kent@kentshikama.com> 2016-07-04 13:13:52 -04:00			`# DO NOT CHANGE THIS AFTER INITIAL SETUP!`
Comment out most options in the generated config. (#4863) Make it so that most options in the config are optional, and commented out in the generated config. The reasons this is a good thing are as follows: * If we decide that we should change the default for an option, we can do so, and only those admins that have deliberately chosen to override that option will be stuck on the old setting. * It moves us towards a point where we can get rid of the super-surprising feature of synapse where the default settings for the config come from the generated yaml. * It makes setting up a test config for unit testing an order of magnitude easier (see forthcoming PR). * It makes the generated config more consistent, and hopefully easier for users to understand. 2019-03-19 06:06:40 -04:00			`#`
			`#pepper: "EVEN_MORE_SECRET"`
Allow server admins to define and enforce a password policy (MSC2000). (#7118) 2020-03-26 12:51:13 -04:00
			`# Define and enforce a password policy. Each parameter is optional.`
			`# This is an implementation of MSC2000.`
			`#`
			`policy:`
			`# Whether to enforce the password policy.`
			`# Defaults to 'false'.`
			`#`
			`#enabled: true`

			`# Minimum accepted length for a password.`
			`# Defaults to 0.`
			`#`
			`#minimum_length: 15`

			`# Whether a password must contain at least one digit.`
			`# Defaults to 'false'.`
			`#`
			`#require_digit: true`

			`# Whether a password must contain at least one symbol.`
			`# A symbol is any character that's not a number or a letter.`
			`# Defaults to 'false'.`
			`#`
			`#require_symbol: true`

			`# Whether a password must contain at least one lowercase letter.`
			`# Defaults to 'false'.`
			`#`
			`#require_lowercase: true`

Fix copy-paste error in the password section of the sample-config. (#10804) 2021-09-13 08:58:34 -04:00			`# Whether a password must contain at least one uppercase letter.`
Allow server admins to define and enforce a password policy (MSC2000). (#7118) 2020-03-26 12:51:13 -04:00			`# Defaults to 'false'.`
			`#`
			`#require_uppercase: true`
Allow re-using a UI auth validation for a period of time (#8970) 2020-12-18 07:33:57 -05:00
			`ui_auth:`
Parse ui_auth.session_timeout as a duration (instead of treating it as ms) (#9426) 2021-02-18 09:18:14 -05:00			`# The amount of time to allow a user-interactive authentication session`
			`# to be active.`
Allow re-using a UI auth validation for a period of time (#8970) 2020-12-18 07:33:57 -05:00			`#`
			`# This defaults to 0, meaning the user is queried for their credentials`
Fix some typos. 2021-02-12 11:01:48 -05:00			`# before every action, but this can be overridden to allow a single`
Allow re-using a UI auth validation for a period of time (#8970) 2020-12-18 07:33:57 -05:00			`# validation to be re-used. This weakens the protections afforded by`
			`# the user-interactive authentication process, by allowing for multiple`
			`# (and potentially different) operations to use the same validation session.`
			`#`
Always require users to re-authenticate for dangerous operations. (#10184) Dangerous actions means deactivating an account, modifying an account password, or adding a 3PID. Other actions (deleting devices, uploading keys) can re-use the same UI auth session if ui_auth.session_timeout is configured. 2021-06-16 11:07:28 -04:00			`# This is ignored for potentially "dangerous" operations (including`
			`# deactivating an account, modifying an account password, and`
			`# adding a 3PID).`
			`#`
Allow re-using a UI auth validation for a period of time (#8970) 2020-12-18 07:33:57 -05:00			`# Uncomment below to allow for credential validation to last for 15`
			`# seconds.`
			`#`
Parse ui_auth.session_timeout as a duration (instead of treating it as ms) (#9426) 2021-02-18 09:18:14 -05:00			`#session_timeout: "15s"`
Fix pep8 2016-07-05 06:01:00 -04:00			`"""`