Matrix-Mirrors/forked-synapse
1
0
Fork 0
mirror of https://mau.dev/maunium/synapse.git synced 2024-10-01 01:36:05 -04:00
Code Issues Packages Projects Releases Wiki Activity
5dbaa520a5
forked-synapse/synapse/handlers/register.py

450 lines
16 KiB
Python
Raw Normal View History

Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
# -*- coding: utf-8 -*-
Allow guests to upgrade their accounts
2016-01-05 13:01:18 -05:00
# Copyright 2014 - 2016 OpenMarket Ltd
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
add in whitespace after copyright statements to improve legibility
2014-08-12 22:14:34 -04:00
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
"""Contains functions for registering clients."""
Add `create_requester` function Wrap the `Requester` constructor with a function which provides sensible defaults, and use it throughout
2016-07-26 11:46:53 -04:00
import logging
import urllib
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
from twisted.internet import defer
80 chars please
2014-09-06 01:55:29 -04:00
from synapse.api.errors import (
pep8
2015-04-17 11:46:45 -04:00
AuthError, Codes, SynapseError, RegistrationError, InvalidCaptchaError
80 chars please
2014-09-06 01:55:29 -04:00
)
Split PlainHttpClient into separate clients for talking to Identity servers and talking to Capatcha servers
2014-10-02 08:57:48 -04:00
from synapse.http.client import CaptchaServerHttpClient
Add `create_requester` function Wrap the `Requester` constructor with a function which provides sensible defaults, and use it throughout
2016-07-26 11:46:53 -04:00
from synapse.types import UserID
from synapse.util.async import run_on_reactor
from ._base import BaseHandler
Add support for registering with a threepid to the HS (get credentials from the client and check them against an ID server).
2014-09-03 13:22:27 -04:00
logger = logging.getLogger(__name__)
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
class RegistrationHandler(BaseHandler):
def __init__(self, hs):
super(RegistrationHandler, self).__init__(hs)
Allow guests to upgrade their accounts
2016-01-05 13:01:18 -05:00
self.auth = hs.get_auth()
Fix typo that broke registration on the mobile clients
2015-12-18 05:06:56 -05:00
self.captcha_client = CaptchaServerHttpClient(hs)
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
Allocate guest user IDs numericcally The current random IDs are ugly and confusing when presented in UIs. This makes them prettier and easier to read. Also, disable non-automated registration of numeric IDs so that we don't need to worry so much about people carving out our automated address space and us needing to keep retrying ID registration.
2016-02-05 06:22:30 -05:00
self._next_generated_user_id = None
Fix email push in pusher worker This was broken when device list updates were implemented, as Mailer could no longer instantiate an AuthHandler due to a dependency on federation sending.
2017-02-02 05:53:36 -05:00
self.macaroon_gen = hs.get_macaroon_generator()
Return user ID in use error straight away
2015-04-16 14:56:44 -04:00
@defer.inlineCallbacks
Make registration idempotent, part 2: be idempotent if the client specifies a username.
2016-03-16 15:36:57 -04:00
def check_username(self, localpart, guest_access_token=None,
assigned_user_id=None):
Return user ID in use error straight away
2015-04-16 14:56:44 -04:00
yield run_on_reactor()
Don't explode when given a unicode username in /register/
2016-01-20 10:40:25 -05:00
if urllib.quote(localpart.encode('utf-8')) != localpart:
Return user ID in use error straight away
2015-04-16 14:56:44 -04:00
raise SynapseError(
400,
Underscores are allowed in user ids
2016-01-22 09:59:49 -05:00
"User ID can only contain characters a-z, 0-9, or '_-./'",
M_INVALID_USERNAME to be consistent with the parameter name
2016-01-15 05:06:34 -05:00
Codes.INVALID_USERNAME
Return user ID in use error straight away
2015-04-16 14:56:44 -04:00
)
Modify condition on empty localpart
2017-05-10 12:34:30 -04:00
if not localpart:
Modify register/available to be GET with query param - GET is now the method for register/available - a query parameter "username" is now used Also, empty usernames are now handled with an error message on registration or via register/available: `User ID cannot be empty`
2017-05-10 12:17:12 -04:00
raise SynapseError(
400,
"User ID cannot be empty",
Codes.INVALID_USERNAME
)
Forbid non-ASes from registering users whose names begin with '_' (SYN-738)
2016-07-27 12:54:26 -04:00
if localpart[0] == '_':
raise SynapseError(
400,
"User ID may not begin with _",
Codes.INVALID_USERNAME
)
Return user ID in use error straight away
2015-04-16 14:56:44 -04:00
user = UserID(localpart, self.hs.hostname)
user_id = user.to_string()
Make registration idempotent, part 2: be idempotent if the client specifies a username.
2016-03-16 15:36:57 -04:00
if assigned_user_id:
if user_id == assigned_user_id:
return
else:
raise SynapseError(
400,
"A different user ID has already been registered for this session",
)
Enforce user_id exclusivity for AS registrations This whole set of checks is kind of an ugly mess, which I may clean up at some point, but for now let's be correct.
2016-02-11 12:37:38 -05:00
yield self.check_user_id_not_appservice_exclusive(user_id)
Return user ID in use error straight away
2015-04-16 14:56:44 -04:00
Merge erikj/user_dedup to develop
2015-08-26 08:42:45 -04:00
users = yield self.store.get_users_by_id_case_insensitive(user_id)
if users:
Allow guests to upgrade their accounts
2016-01-05 13:01:18 -05:00
if not guest_access_token:
raise SynapseError(
400,
"User ID already taken.",
errcode=Codes.USER_IN_USE,
)
Prevent user tokens being used as guest tokens (#1675) Make sure that a user cannot pretend to be a guest by adding 'guest = True' caveats.
2016-12-06 10:31:37 -05:00
user_data = yield self.auth.get_user_by_access_token(guest_access_token)
Allow guests to upgrade their accounts
2016-01-05 13:01:18 -05:00
if not user_data["is_guest"] or user_data["user"].localpart != localpart:
raise AuthError(
403,
"Cannot register taken user ID without valid guest "
"credentials for that user.",
errcode=Codes.FORBIDDEN,
)
Return user ID in use error straight away
2015-04-16 14:56:44 -04:00
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
@defer.inlineCallbacks
Allow guests to upgrade their accounts
2016-01-05 13:01:18 -05:00
def register(
self,
localpart=None,
password=None,
generate_token=True,
Add is_guest flag to users db to track whether a user is a guest user or not. Use this so we can run _filter_events_for_client when calculating event_push_actions.
2016-01-06 06:38:09 -05:00
guest_access_token=None,
Add an admin option to shared secret registration
2016-07-05 12:30:22 -04:00
make_guest=False,
admin=False,
Allow guests to upgrade their accounts
2016-01-05 13:01:18 -05:00
):
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
"""Registers a new client on the server.
Args:
localpart : The local part of the user ID to register. If None,
Allocate guest user IDs numericcally The current random IDs are ugly and confusing when presented in UIs. This makes them prettier and easier to read. Also, disable non-automated registration of numeric IDs so that we don't need to worry so much about people carving out our automated address space and us needing to keep retrying ID registration.
2016-02-05 06:22:30 -05:00
one will be generated.
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
password (str) : The password to assign to this user so they can
Further registration refactoring * `RegistrationHandler.appservice_register` no longer issues an access token: instead it is left for the caller to do it. (There are two of these, one in `synapse/rest/client/v1/register.py`, which now simply calls `AuthHandler.issue_access_token`, and the other in `synapse/rest/client/v2_alpha/register.py`, which is covered below). * In `synapse/rest/client/v2_alpha/register.py`, move the generation of access_tokens into `_create_registration_details`. This means that the normal flow no longer needs to call `AuthHandler.issue_access_token`; the shared-secret flow can tell `RegistrationHandler.register` not to generate a token; and the appservice flow continues to work despite the above change.
2016-07-19 13:46:19 -04:00
login again. This can be None which means they cannot login again
via a password (e.g. the user is an application service user).
generate_token (bool): Whether a new access token should be
generated. Having this be True should be considered deprecated,
since it offers no means of associating a device_id with the
access_token. Instead you should call auth_handler.issue_access_token
after registration.
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
Returns:
A tuple of (user_id, access_token).
Raises:
RegistrationError if there was a problem registering.
"""
Fix registration
2014-12-08 04:24:37 -05:00
yield run_on_reactor()
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
password_hash = None
if password:
Swap out bcrypt for md5 in tests This reduces our ~8 second sequential test time down to ~7 seconds
2015-08-26 10:59:32 -04:00
password_hash = self.auth_handler().hash(password)
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
if localpart:
Allow guests to upgrade their accounts
2016-01-05 13:01:18 -05:00
yield self.check_username(localpart, guest_access_token=guest_access_token)
Factor out user id validation checks
2015-03-18 07:33:46 -04:00
Allocate guest user IDs numericcally The current random IDs are ugly and confusing when presented in UIs. This makes them prettier and easier to read. Also, disable non-automated registration of numeric IDs so that we don't need to worry so much about people carving out our automated address space and us needing to keep retrying ID registration.
2016-02-05 06:22:30 -05:00
was_guest = guest_access_token is not None
if not was_guest:
try:
int(localpart)
raise RegistrationError(
400,
"Numeric user IDs are reserved for guest users."
)
except ValueError:
pass
Fix registration
2014-12-08 04:24:37 -05:00
user = UserID(localpart, self.hs.hostname)
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
user_id = user.to_string()
Allow guests to register and call /events?room_id= This follows the same flows-based flow as regular registration, but as the only implemented flow has no requirements, it auto-succeeds. In the future, other flows (e.g. captcha) may be required, so clients should treat this like the regular registration flow choices.
2015-11-04 12:29:07 -05:00
token = None
if generate_token:
Fix email push in pusher worker This was broken when device list updates were implemented, as Mailer could no longer instantiate an AuthHandler due to a dependency on federation sending.
2017-02-02 05:53:36 -05:00
token = self.macaroon_gen.generate_access_token(user_id)
Fix pep8 warnings
2014-10-30 07:10:17 -04:00
yield self.store.register(
user_id=user_id,
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
token=token,
Allow guests to upgrade their accounts
2016-01-05 13:01:18 -05:00
password_hash=password_hash,
Allocate guest user IDs numericcally The current random IDs are ugly and confusing when presented in UIs. This makes them prettier and easier to read. Also, disable non-automated registration of numeric IDs so that we don't need to worry so much about people carving out our automated address space and us needing to keep retrying ID registration.
2016-02-05 06:22:30 -05:00
was_guest=was_guest,
comma style
2016-01-06 12:44:10 -05:00
make_guest=make_guest,
Remove registered_users from the distributor. The only place that was observed was to set the profile. I've made it so that the profile is set within store.register in the same transaction that creates the user. This required some slight changes to the registration code for upgrading guest users, since it previously relied on the distributor swallowing errors if the profile already existed.
2016-06-17 14:14:16 -04:00
create_profile_with_localpart=(
Add a comment on why we don't create a profile for upgrading users
2016-06-17 14:18:53 -04:00
# If the user was a guest then they already have a profile
Remove registered_users from the distributor. The only place that was observed was to set the profile. I've made it so that the profile is set within store.register in the same transaction that creates the user. This required some slight changes to the registration code for upgrading guest users, since it previously relied on the distributor swallowing errors if the profile already existed.
2016-06-17 14:14:16 -04:00
None if was_guest else user.localpart
),
Add an admin option to shared secret registration
2016-07-05 12:30:22 -04:00
admin=admin,
Fix pep8 warnings
2014-10-30 07:10:17 -04:00
)
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
else:
Allocate guest user IDs numericcally The current random IDs are ugly and confusing when presented in UIs. This makes them prettier and easier to read. Also, disable non-automated registration of numeric IDs so that we don't need to worry so much about people carving out our automated address space and us needing to keep retrying ID registration.
2016-02-05 06:22:30 -05:00
# autogen a sequential user ID
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
attempts = 0
token = None
Allocate guest user IDs numericcally The current random IDs are ugly and confusing when presented in UIs. This makes them prettier and easier to read. Also, disable non-automated registration of numeric IDs so that we don't need to worry so much about people carving out our automated address space and us needing to keep retrying ID registration.
2016-02-05 06:22:30 -05:00
user = None
while not user:
localpart = yield self._generate_user_id(attempts > 0)
user = UserID(localpart, self.hs.hostname)
user_id = user.to_string()
Enforce user_id exclusivity for AS registrations This whole set of checks is kind of an ugly mess, which I may clean up at some point, but for now let's be correct.
2016-02-11 12:37:38 -05:00
yield self.check_user_id_not_appservice_exclusive(user_id)
Allocate guest user IDs numericcally The current random IDs are ugly and confusing when presented in UIs. This makes them prettier and easier to read. Also, disable non-automated registration of numeric IDs so that we don't need to worry so much about people carving out our automated address space and us needing to keep retrying ID registration.
2016-02-05 06:22:30 -05:00
if generate_token:
Fix email push in pusher worker This was broken when device list updates were implemented, as Mailer could no longer instantiate an AuthHandler due to a dependency on federation sending.
2017-02-02 05:53:36 -05:00
token = self.macaroon_gen.generate_access_token(user_id)
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
try:
yield self.store.register(
user_id=user_id,
token=token,
Pass make_guest whne we autogen a user ID
2016-02-02 09:42:31 -05:00
password_hash=password_hash,
Remove registered_users from the distributor. The only place that was observed was to set the profile. I've made it so that the profile is set within store.register in the same transaction that creates the user. This required some slight changes to the registration code for upgrading guest users, since it previously relied on the distributor swallowing errors if the profile already existed.
2016-06-17 14:14:16 -04:00
make_guest=make_guest,
create_profile_with_localpart=user.localpart,
Pass make_guest whne we autogen a user ID
2016-02-02 09:42:31 -05:00
)
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
except SynapseError:
# if user id is taken, just generate another
handlers/register: make sure another user id is generated when a collision occurs Signed-off-by: Patrik Oldsberg <patrik.oldsberg@ericsson.com>
2016-02-29 17:11:06 -05:00
user = None
Reference Matrix Home Server
2014-08-12 10:10:52 -04:00
user_id = None
token = None
attempts += 1
fix indentation level
2015-12-17 18:04:53 -05:00
# We used to generate default identicons here, but nowadays
# we want clients to generate their own as part of their branding
# rather than there being consistent matrix-wide ones, so we don't.
Code-style fixes
2015-02-10 11:30:48 -05:00
Add support for registering with a threepid to the HS (get credentials from the client and check them against an ID server).
2014-09-03 13:22:27 -04:00
defer.returnValue((user_id, token))
Add m.login.application_service registration procedure. This allows known application services to register any user ID under their own user namespace(s).
2015-02-05 12:29:27 -05:00
@defer.inlineCallbacks
def appservice_register(self, user_localpart, as_token):
user = UserID(user_localpart, self.hs.hostname)
user_id = user.to_string()
storage/appservice: make appservice methods only relying on the cache synchronous
2016-10-06 04:43:32 -04:00
service = self.store.get_app_service_by_token(as_token)
Add m.login.application_service registration procedure. This allows known application services to register any user ID under their own user namespace(s).
2015-02-05 12:29:27 -05:00
if not service:
Add errcodes for appservice registrations.
2015-02-06 12:10:04 -05:00
raise AuthError(403, "Invalid application service token.")
Add m.login.application_service registration procedure. This allows known application services to register any user ID under their own user namespace(s).
2015-02-05 12:29:27 -05:00
if not service.is_interested_in_user(user_id):
raise SynapseError(
Add errcodes for appservice registrations.
2015-02-06 12:10:04 -05:00
400, "Invalid user localpart for this application service.",
errcode=Codes.EXCLUSIVE
Add m.login.application_service registration procedure. This allows known application services to register any user ID under their own user namespace(s).
2015-02-05 12:29:27 -05:00
)
Enforce user_id exclusivity for AS registrations This whole set of checks is kind of an ugly mess, which I may clean up at some point, but for now let's be correct.
2016-02-11 12:37:38 -05:00
Store appservice ID on register
2016-03-10 10:58:22 -05:00
service_id = service.id if service.is_exclusive_user(user_id) else None
Enforce user_id exclusivity for AS registrations This whole set of checks is kind of an ugly mess, which I may clean up at some point, but for now let's be correct.
2016-02-11 12:37:38 -05:00
yield self.check_user_id_not_appservice_exclusive(
user_id, allowed_appservice=service
)
Add m.login.application_service registration procedure. This allows known application services to register any user ID under their own user namespace(s).
2015-02-05 12:29:27 -05:00
yield self.store.register(
user_id=user_id,
Store appservice ID on register
2016-03-10 10:58:22 -05:00
password_hash="",
appservice_id=service_id,
Remove registered_users from the distributor. The only place that was observed was to set the profile. I've made it so that the profile is set within store.register in the same transaction that creates the user. This required some slight changes to the registration code for upgrading guest users, since it previously relied on the distributor swallowing errors if the profile already existed.
2016-06-17 14:14:16 -04:00
create_profile_with_localpart=user.localpart,
Add m.login.application_service registration procedure. This allows known application services to register any user ID under their own user namespace(s).
2015-02-05 12:29:27 -05:00
)
Further registration refactoring * `RegistrationHandler.appservice_register` no longer issues an access token: instead it is left for the caller to do it. (There are two of these, one in `synapse/rest/client/v1/register.py`, which now simply calls `AuthHandler.issue_access_token`, and the other in `synapse/rest/client/v2_alpha/register.py`, which is covered below). * In `synapse/rest/client/v2_alpha/register.py`, move the generation of access_tokens into `_create_registration_details`. This means that the normal flow no longer needs to call `AuthHandler.issue_access_token`; the shared-secret flow can tell `RegistrationHandler.register` not to generate a token; and the appservice flow continues to work despite the above change.
2016-07-19 13:46:19 -04:00
defer.returnValue(user_id)
Add m.login.application_service registration procedure. This allows known application services to register any user ID under their own user namespace(s).
2015-02-05 12:29:27 -05:00
Split out password/captcha/email logic.
2014-09-15 07:42:36 -04:00
@defer.inlineCallbacks
def check_recaptcha(self, ip, private_key, challenge, response):
New registration for C/S API v2. Only ReCAPTCHA working currently.
2015-03-30 13:13:10 -04:00
"""
Checks a recaptcha is correct.
Used only by c/s api v1
"""
Split out password/captcha/email logic.
2014-09-15 07:42:36 -04:00
captcha_response = yield self._validate_captcha(
ip,
private_key,
challenge,
response
)
if not captcha_response["valid"]:
logger.info("Invalid captcha entered from %s. Error: %s",
ip, captcha_response["error_url"])
raise InvalidCaptchaError(
error_url=captcha_response["error_url"]
)
else:
logger.info("Valid captcha entered from %s", ip)
Integrate SAML2 basic authentication - uses pysaml2
2015-07-07 08:10:30 -04:00
@defer.inlineCallbacks
def register_saml2(self, localpart):
"""
Registers email_id as SAML2 Based Auth.
"""
if urllib.quote(localpart) != localpart:
raise SynapseError(
400,
"User ID must only contain characters which do not"
" require URL encoding."
Fix flake8 warnings for new flake8
2016-02-02 12:18:50 -05:00
)
Integrate SAML2 basic authentication - uses pysaml2
2015-07-07 08:10:30 -04:00
user = UserID(localpart, self.hs.hostname)
user_id = user.to_string()
Enforce user_id exclusivity for AS registrations This whole set of checks is kind of an ugly mess, which I may clean up at some point, but for now let's be correct.
2016-02-11 12:37:38 -05:00
yield self.check_user_id_not_appservice_exclusive(user_id)
Fix email push in pusher worker This was broken when device list updates were implemented, as Mailer could no longer instantiate an AuthHandler due to a dependency on federation sending.
2017-02-02 05:53:36 -05:00
token = self.macaroon_gen.generate_access_token(user_id)
Integrate SAML2 basic authentication - uses pysaml2
2015-07-07 08:10:30 -04:00
try:
yield self.store.register(
user_id=user_id,
token=token,
Remove registered_users from the distributor. The only place that was observed was to set the profile. I've made it so that the profile is set within store.register in the same transaction that creates the user. This required some slight changes to the registration code for upgrading guest users, since it previously relied on the distributor swallowing errors if the profile already existed.
2016-06-17 14:14:16 -04:00
password_hash=None,
create_profile_with_localpart=user.localpart,
Integrate SAML2 basic authentication - uses pysaml2
2015-07-07 08:10:30 -04:00
)
Use syntax that works on both py2.7 and py3
2016-03-07 15:13:10 -05:00
except Exception as e:
Integrate SAML2 basic authentication - uses pysaml2
2015-07-07 08:10:30 -04:00
yield self.store.add_access_token_to_user(user_id, token)
# Ignore Registration errors
logger.exception(e)
defer.returnValue((user_id, token))
Split out password/captcha/email logic.
2014-09-15 07:42:36 -04:00
@defer.inlineCallbacks
def register_email(self, threepidCreds):
Regstration with email in v2
2015-04-15 10:50:38 -04:00
"""
Registers emails with an identity server.
Used only by c/s api v1
"""
Split out password/captcha/email logic.
2014-09-15 07:42:36 -04:00
for c in threepidCreds:
logger.info("validating theeepidcred sid %s on id server %s",
c['sid'], c['idServer'])
try:
Return user ID in use error straight away
2015-04-16 14:56:44 -04:00
identity_handler = self.hs.get_handlers().identity_handler
threepid = yield identity_handler.threepid_from_creds(c)
Split out password/captcha/email logic.
2014-09-15 07:42:36 -04:00
except:
Use python logger, not the twisted logger
2014-11-03 05:16:28 -05:00
logger.exception("Couldn't validate 3pid")
Split out password/captcha/email logic.
2014-09-15 07:42:36 -04:00
raise RegistrationError(400, "Couldn't validate 3pid")
if not threepid:
raise RegistrationError(400, "Couldn't validate 3pid")
Separate out the matrix http client completely because just about all of its code it now separate from the simple case we need for standard HTTP(S)
2014-11-20 12:41:56 -05:00
logger.info("got threepid with medium '%s' and address '%s'",
Split out password/captcha/email logic.
2014-09-15 07:42:36 -04:00
threepid['medium'], threepid['address'])
@defer.inlineCallbacks
def bind_emails(self, user_id, threepidCreds):
Return user ID in use error straight away
2015-04-16 14:56:44 -04:00
"""Links emails with a user ID and informs an identity server.
Used only by c/s api v1
"""
Split out password/captcha/email logic.
2014-09-15 07:42:36 -04:00
# Now we have a matrix ID, bind it to the threepids we were given
for c in threepidCreds:
Return user ID in use error straight away
2015-04-16 14:56:44 -04:00
identity_handler = self.hs.get_handlers().identity_handler
Split out password/captcha/email logic.
2014-09-15 07:42:36 -04:00
# XXX: This should be a deferred list, shouldn't it?
Return user ID in use error straight away
2015-04-16 14:56:44 -04:00
yield identity_handler.bind_threepid(c, user_id)
Split out password/captcha/email logic.
2014-09-15 07:42:36 -04:00
Enforce user_id exclusivity for AS registrations This whole set of checks is kind of an ugly mess, which I may clean up at some point, but for now let's be correct.
2016-02-11 12:37:38 -05:00
def check_user_id_not_appservice_exclusive(self, user_id, allowed_appservice=None):
Prevent user IDs in AS namespaces being created/deleted by humans.
2015-02-05 11:46:56 -05:00
# valid user IDs must not clash with any user ID namespaces claimed by
# application services.
storage/appservice: make appservice methods only relying on the cache synchronous
2016-10-06 04:43:32 -04:00
services = self.store.get_app_services()
Prevent user IDs in AS namespaces being created/deleted by humans.
2015-02-05 11:46:56 -05:00
interested_services = [
Enforce user_id exclusivity for AS registrations This whole set of checks is kind of an ugly mess, which I may clean up at some point, but for now let's be correct.
2016-02-11 12:37:38 -05:00
s for s in services
if s.is_interested_in_user(user_id)
and s != allowed_appservice
Prevent user IDs in AS namespaces being created/deleted by humans.
2015-02-05 11:46:56 -05:00
]
Implement exclusive namespace checks.
2015-02-27 08:51:41 -05:00
for service in interested_services:
if service.is_exclusive_user(user_id):
raise SynapseError(
400, "This user ID is reserved by an application service.",
errcode=Codes.EXCLUSIVE
)
Prevent user IDs in AS namespaces being created/deleted by humans.
2015-02-05 11:46:56 -05:00
Allocate guest user IDs numericcally The current random IDs are ugly and confusing when presented in UIs. This makes them prettier and easier to read. Also, disable non-automated registration of numeric IDs so that we don't need to worry so much about people carving out our automated address space and us needing to keep retrying ID registration.
2016-02-05 06:22:30 -05:00
@defer.inlineCallbacks
def _generate_user_id(self, reseed=False):
if reseed or self._next_generated_user_id is None:
self._next_generated_user_id = (
yield self.store.find_next_generated_user_id_localpart()
)
id = self._next_generated_user_id
self._next_generated_user_id += 1
defer.returnValue(str(id))
Add support for registering with a threepid to the HS (get credentials from the client and check them against an ID server).
2014-09-03 13:22:27 -04:00
Captchas now work on registration. Missing x-forwarded-for config arg support. Missing reloading a new captcha on the web client / displaying a sensible error message.
2014-09-05 22:18:23 -04:00
@defer.inlineCallbacks
def _validate_captcha(self, ip_addr, private_key, challenge, response):
"""Validates the captcha provided.
Split out password/captcha/email logic.
2014-09-15 07:42:36 -04:00
New registration for C/S API v2. Only ReCAPTCHA working currently.
2015-03-30 13:13:10 -04:00
Used only by c/s api v1
Captchas now work on registration. Missing x-forwarded-for config arg support. Missing reloading a new captcha on the web client / displaying a sensible error message.
2014-09-05 22:18:23 -04:00
Returns:
dict: Containing 'valid'(bool) and 'error_url'(str) if invalid.
Split out password/captcha/email logic.
2014-09-15 07:42:36 -04:00
Captchas now work on registration. Missing x-forwarded-for config arg support. Missing reloading a new captcha on the web client / displaying a sensible error message.
2014-09-05 22:18:23 -04:00
"""
Split out password/captcha/email logic.
2014-09-15 07:42:36 -04:00
response = yield self._submit_captcha(ip_addr, private_key, challenge,
80 chars please
2014-09-06 01:55:29 -04:00
response)
Captchas now work on registration. Missing x-forwarded-for config arg support. Missing reloading a new captcha on the web client / displaying a sensible error message.
2014-09-05 22:18:23 -04:00
# parse Google's response. Lovely format..
lines = response.split('\n')
json = {
"valid": lines[0] == 'true',
Split out password/captcha/email logic.
2014-09-15 07:42:36 -04:00
"error_url": "http://www.google.com/recaptcha/api/challenge?" +
80 chars please
2014-09-06 01:55:29 -04:00
"error=%s" % lines[1]
Captchas now work on registration. Missing x-forwarded-for config arg support. Missing reloading a new captcha on the web client / displaying a sensible error message.
2014-09-05 22:18:23 -04:00
}
defer.returnValue(json)
Split out password/captcha/email logic.
2014-09-15 07:42:36 -04:00
Captchas now work on registration. Missing x-forwarded-for config arg support. Missing reloading a new captcha on the web client / displaying a sensible error message.
2014-09-05 22:18:23 -04:00
@defer.inlineCallbacks
def _submit_captcha(self, ip_addr, private_key, challenge, response):
New registration for C/S API v2. Only ReCAPTCHA working currently.
2015-03-30 13:13:10 -04:00
"""
Used only by c/s api v1
"""
Reuse the captcha client rather than creating a new one for each request
2015-12-03 08:47:50 -05:00
data = yield self.captcha_client.post_urlencoded_get_raw(
Separate out the matrix http client completely because just about all of its code it now separate from the simple case we need for standard HTTP(S)
2014-11-20 12:41:56 -05:00
"http://www.google.com:80/recaptcha/api/verify",
Split out password/captcha/email logic.
2014-09-15 07:42:36 -04:00
args={
'privatekey': private_key,
Captchas now work on registration. Missing x-forwarded-for config arg support. Missing reloading a new captcha on the web client / displaying a sensible error message.
2014-09-05 22:18:23 -04:00
'remoteip': ip_addr,
'challenge': challenge,
'response': response
}
)
defer.returnValue(data)
Move token generation to auth handler I prefer the auth handler to worry about all auth, and register to call into it as needed, than to smatter auth logic between the two.
2015-08-20 06:35:56 -04:00
Create user with expiry - Add unittests for client, api and handler Signed-off-by: Negar Fazeli <negar.fazeli@ericsson.com>
2016-04-20 10:21:40 -04:00
@defer.inlineCallbacks
Stop putting a time caveat on access tokens The 'time' caveat on the access tokens was something of a lie, since we weren't enforcing it; more pertinently its presence stops us ever adding useful time caveats. Let's move in the right direction by not lying in our caveats.
2016-11-28 04:55:21 -05:00
def get_or_create_user(self, requester, localpart, displayname,
Fix style violations Signed-off-by: Kent Shikama <kent@kentshikama.com>
2016-07-04 09:07:11 -04:00
password_hash=None):
Fix set profile error with Requester. Replace flush_user with delete access token due to function removal Add a new test case for if the user is already registered
2016-05-23 05:14:11 -04:00
"""Creates a new user if the user does not exist,
else revokes all previous access tokens and generates a new one.
Create user with expiry - Add unittests for client, api and handler Signed-off-by: Negar Fazeli <negar.fazeli@ericsson.com>
2016-04-20 10:21:40 -04:00
Args:
localpart : The local part of the user ID to register. If None,
one will be randomly generated.
Returns:
A tuple of (user_id, access_token).
Raises:
RegistrationError if there was a problem registering.
"""
yield run_on_reactor()
if localpart is None:
raise SynapseError(400, "Request must include user id")
need_register = True
try:
yield self.check_username(localpart)
except SynapseError as e:
if e.errcode == Codes.USER_IN_USE:
need_register = False
else:
raise
user = UserID(localpart, self.hs.hostname)
user_id = user.to_string()
Fix email push in pusher worker This was broken when device list updates were implemented, as Mailer could no longer instantiate an AuthHandler due to a dependency on federation sending.
2017-02-02 05:53:36 -05:00
token = self.macaroon_gen.generate_access_token(user_id)
Create user with expiry - Add unittests for client, api and handler Signed-off-by: Negar Fazeli <negar.fazeli@ericsson.com>
2016-04-20 10:21:40 -04:00
if need_register:
yield self.store.register(
user_id=user_id,
token=token,
Optionally include password hash in createUser endpoint Signed-off-by: Kent Shikama <kent@kentshikama.com>
2016-07-03 02:08:15 -04:00
password_hash=password_hash,
Remove registered_users from the distributor. The only place that was observed was to set the profile. I've made it so that the profile is set within store.register in the same transaction that creates the user. This required some slight changes to the registration code for upgrading guest users, since it previously relied on the distributor swallowing errors if the profile already existed.
2016-06-17 14:14:16 -04:00
create_profile_with_localpart=user.localpart,
Create user with expiry - Add unittests for client, api and handler Signed-off-by: Negar Fazeli <negar.fazeli@ericsson.com>
2016-04-20 10:21:40 -04:00
)
else:
Fix set profile error with Requester. Replace flush_user with delete access token due to function removal Add a new test case for if the user is already registered
2016-05-23 05:14:11 -04:00
yield self.store.user_delete_access_tokens(user_id=user_id)
Create user with expiry - Add unittests for client, api and handler Signed-off-by: Negar Fazeli <negar.fazeli@ericsson.com>
2016-04-20 10:21:40 -04:00
yield self.store.add_access_token_to_user(user_id=user_id, token=token)
if displayname is not None:
logger.info("setting user display name: %s -> %s", user_id, displayname)
profile_handler = self.hs.get_handlers().profile_handler
yield profile_handler.set_displayname(
rest/client/v1/register: use the correct requester in createUser Signed-off-by: Patrik Oldsberg <patrik.oldsberg@ericsson.com>
2016-10-04 16:32:58 -04:00
user, requester, displayname, by_admin=True,
Create user with expiry - Add unittests for client, api and handler Signed-off-by: Negar Fazeli <negar.fazeli@ericsson.com>
2016-04-20 10:21:40 -04:00
)
defer.returnValue((user_id, token))
Move token generation to auth handler I prefer the auth handler to worry about all auth, and register to call into it as needed, than to smatter auth logic between the two.
2015-08-20 06:35:56 -04:00
def auth_handler(self):
Split out the auth handler
2016-06-02 08:31:45 -04:00
return self.hs.get_auth_handler()
Generate guest access token on 3pid invites This means that following the same link across multiple sessions or devices can re-use the same guest account. Note that this is somewhat of an abuse vector; we can't throw up captchas on this flow, so this is a way of registering ephemeral accounts for spam, whose sign-up we don't rate limit.
2016-02-24 09:41:25 -05:00
@defer.inlineCallbacks
def guest_access_token_for(self, medium, address, inviter_user_id):
access_token = yield self.store.get_3pid_guest_access_token(medium, address)
if access_token:
defer.returnValue(access_token)
_, access_token = yield self.register(
generate_token=True,
make_guest=True
)
access_token = yield self.store.save_or_get_3pid_guest_access_token(
medium, address, access_token, inviter_user_id
)
defer.returnValue(access_token)
Reference in New Issue Copy Permalink