forked-synapse/synapse/rest/client/v1/login.py

# -*- coding: utf-8 -*-
# Copyright 2014, 2015 OpenMarket Ltd
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

from twisted.internet import defer

from synapse.api.errors import SynapseError
from synapse.types import UserID
from base import ClientV1RestServlet, client_path_pattern

import simplejson as json
import urllib

import logging
from saml2 import BINDING_HTTP_POST
from saml2 import config
from saml2.client import Saml2Client


logger = logging.getLogger(__name__)


class LoginRestServlet(ClientV1RestServlet):
    PATTERN = client_path_pattern("/login$")
    PASS_TYPE = "m.login.password"
    SAML2_TYPE = "m.login.saml2"

    def __init__(self, hs):
        super(LoginRestServlet, self).__init__(hs)
        self.idp_redirect_url = hs.config.saml2_idp_redirect_url
        self.saml2_enabled = hs.config.saml2_enabled

    def on_GET(self, request):
        flows = [{"type": LoginRestServlet.PASS_TYPE}]
        if self.saml2_enabled:
            flows.append({"type": LoginRestServlet.SAML2_TYPE})
        return (200, {"flows": flows})

    def on_OPTIONS(self, request):
        return (200, {})

    @defer.inlineCallbacks
    def on_POST(self, request):
        login_submission = _parse_json(request)
        try:
            if login_submission["type"] == LoginRestServlet.PASS_TYPE:
                result = yield self.do_password_login(login_submission)
                defer.returnValue(result)
            elif self.saml2_enabled and (login_submission["type"] ==
                                         LoginRestServlet.SAML2_TYPE):
                relay_state = ""
                if "relay_state" in login_submission:
                    relay_state = "&RelayState="+urllib.quote(
                                  login_submission["relay_state"])
                result = {
                    "uri": "%s%s" % (self.idp_redirect_url, relay_state)
                }
                defer.returnValue((200, result))
            else:
                raise SynapseError(400, "Bad login type.")
        except KeyError:
            raise SynapseError(400, "Missing JSON keys.")

    @defer.inlineCallbacks
    def do_password_login(self, login_submission):
        if 'medium' in login_submission and 'address' in login_submission:
            user_id = yield self.hs.get_datastore().get_user_id_by_threepid(
                login_submission['medium'], login_submission['address']
            )
        else:
            user_id = login_submission['user']

        if not user_id.startswith('@'):
            user_id = UserID.create(
                user_id, self.hs.hostname
            ).to_string()

        auth_handler = self.handlers.auth_handler
        user_id, access_token, refresh_token = yield auth_handler.login_with_password(
            user_id=user_id,
            password=login_submission["password"])

        result = {
            "user_id": user_id,  # may have changed
            "access_token": access_token,
            "refresh_token": refresh_token,
            "home_server": self.hs.hostname,
        }

        defer.returnValue((200, result))


class LoginFallbackRestServlet(ClientV1RestServlet):
    PATTERN = client_path_pattern("/login/fallback$")

    def on_GET(self, request):
        # TODO(kegan): This should be returning some HTML which is capable of
        # hitting LoginRestServlet
        return (200, {})


class PasswordResetRestServlet(ClientV1RestServlet):
    PATTERN = client_path_pattern("/login/reset")

    @defer.inlineCallbacks
    def on_POST(self, request):
        reset_info = _parse_json(request)
        try:
            email = reset_info["email"]
            user_id = reset_info["user_id"]
            handler = self.handlers.login_handler
            yield handler.reset_password(user_id, email)
            # purposefully give no feedback to avoid people hammering different
            # combinations.
            defer.returnValue((200, {}))
        except KeyError:
            raise SynapseError(
                400,
                "Missing keys. Requires 'email' and 'user_id'."
            )


class SAML2RestServlet(ClientV1RestServlet):
    PATTERN = client_path_pattern("/login/saml2")

    def __init__(self, hs):
        super(SAML2RestServlet, self).__init__(hs)
        self.sp_config = hs.config.saml2_config_path

    @defer.inlineCallbacks
    def on_POST(self, request):
        saml2_auth = None
        try:
            conf = config.SPConfig()
            conf.load_file(self.sp_config)
            SP = Saml2Client(conf)
            saml2_auth = SP.parse_authn_request_response(
                request.args['SAMLResponse'][0], BINDING_HTTP_POST)
        except Exception, e:        # Not authenticated
            logger.exception(e)
        if saml2_auth and saml2_auth.status_ok() and not saml2_auth.not_signed:
            username = saml2_auth.name_id.text
            handler = self.handlers.registration_handler
            (user_id, token) = yield handler.register_saml2(username)
            # Forward to the RelayState callback along with ava
            if 'RelayState' in request.args:
                request.redirect(urllib.unquote(
                                 request.args['RelayState'][0]) +
                                 '?status=authenticated&access_token=' +
                                 token + '&user_id=' + user_id + '&ava=' +
                                 urllib.quote(json.dumps(saml2_auth.ava)))
                request.finish()
                defer.returnValue(None)
            defer.returnValue((200, {"status": "authenticated",
                                     "user_id": user_id, "token": token,
                                     "ava": saml2_auth.ava}))
        elif 'RelayState' in request.args:
            request.redirect(urllib.unquote(
                             request.args['RelayState'][0]) +
                             '?status=not_authenticated')
            request.finish()
            defer.returnValue(None)
        defer.returnValue((200, {"status": "not_authenticated"}))


def _parse_json(request):
    try:
        content = json.loads(request.content.read())
        if type(content) != dict:
            raise SynapseError(400, "Content must be a JSON object.")
        return content
    except ValueError:
        raise SynapseError(400, "Content not JSON.")


def register_servlets(hs, http_server):
    LoginRestServlet(hs).register(http_server)
    if hs.config.saml2_enabled:
        SAML2RestServlet(hs).register(http_server)
    # TODO PasswordResetRestServlet(hs).register(http_server)
Reference Matrix Home Server 2014-08-12 14:10:52 +00:00			`# -- coding: utf-8 --`
Update copyright notices 2015-01-06 13:21:39 +00:00			`# Copyright 2014, 2015 OpenMarket Ltd`
Reference Matrix Home Server 2014-08-12 14:10:52 +00:00			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`
add in whitespace after copyright statements to improve legibility 2014-08-13 02:14:34 +00:00
Reference Matrix Home Server 2014-08-12 14:10:52 +00:00			`from twisted.internet import defer`

			`from synapse.api.errors import SynapseError`
Pass back the user_id in the response to /login in case it has changed. Store and use that on the webclient rather than the input field. 2014-08-14 15:40:15 +00:00			`from synapse.types import UserID`
Extract the client v1 base RestServlet to a separate class 2015-01-23 14:09:51 +00:00			`from base import ClientV1RestServlet, client_path_pattern`
Reference Matrix Home Server 2014-08-12 14:10:52 +00:00
Blunty replace json with simplejson 2015-02-11 14:23:10 +00:00			`import simplejson as json`
Integrate SAML2 basic authentication - uses pysaml2 2015-07-07 12:10:30 +00:00			`import urllib`

			`import logging`
			`from saml2 import BINDING_HTTP_POST`
			`from saml2 import config`
			`from saml2.client import Saml2Client`
code beautify 2015-07-09 07:28:15 +00:00

			`logger = logging.getLogger(__name__)`
Reference Matrix Home Server 2014-08-12 14:10:52 +00:00

Extract the client v1 base RestServlet to a separate class 2015-01-23 14:09:51 +00:00			`class LoginRestServlet(ClientV1RestServlet):`
Reference Matrix Home Server 2014-08-12 14:10:52 +00:00			`PATTERN = client_path_pattern("/login$")`
			`PASS_TYPE = "m.login.password"`
Integrate SAML2 basic authentication - uses pysaml2 2015-07-07 12:10:30 +00:00			`SAML2_TYPE = "m.login.saml2"`

			`def __init__(self, hs):`
			`super(LoginRestServlet, self).__init__(hs)`
Small tweaks to SAML2 configuration. - Add saml2 config docs to default config. - Use existence of saml2 config to indicate if saml2 should be enabled. 2015-07-10 09:50:03 +00:00			`self.idp_redirect_url = hs.config.saml2_idp_redirect_url`
			`self.saml2_enabled = hs.config.saml2_enabled`
Reference Matrix Home Server 2014-08-12 14:10:52 +00:00
			`def on_GET(self, request):`
Make SAML2 optional and add some references/comments 2015-07-09 08:04:47 +00:00			`flows = [{"type": LoginRestServlet.PASS_TYPE}]`
			`if self.saml2_enabled:`
			`flows.append({"type": LoginRestServlet.SAML2_TYPE})`
			`return (200, {"flows": flows})`
Reference Matrix Home Server 2014-08-12 14:10:52 +00:00
			`def on_OPTIONS(self, request):`
			`return (200, {})`

			`@defer.inlineCallbacks`
			`def on_POST(self, request):`
			`login_submission = _parse_json(request)`
			`try:`
			`if login_submission["type"] == LoginRestServlet.PASS_TYPE:`
			`result = yield self.do_password_login(login_submission)`
			`defer.returnValue(result)`
Make SAML2 optional and add some references/comments 2015-07-09 08:04:47 +00:00			`elif self.saml2_enabled and (login_submission["type"] ==`
			`LoginRestServlet.SAML2_TYPE):`
Integrate SAML2 basic authentication - uses pysaml2 2015-07-07 12:10:30 +00:00			`relay_state = ""`
			`if "relay_state" in login_submission:`
code beautify 2015-07-08 10:35:20 +00:00			`relay_state = "&RelayState="+urllib.quote(`
			`login_submission["relay_state"])`
Integrate SAML2 basic authentication - uses pysaml2 2015-07-07 12:10:30 +00:00			`result = {`
code beautify 2015-07-08 10:35:20 +00:00			`"uri": "%s%s" % (self.idp_redirect_url, relay_state)`
Integrate SAML2 basic authentication - uses pysaml2 2015-07-07 12:10:30 +00:00			`}`
			`defer.returnValue((200, result))`
Reference Matrix Home Server 2014-08-12 14:10:52 +00:00			`else:`
			`raise SynapseError(400, "Bad login type.")`
			`except KeyError:`
			`raise SynapseError(400, "Missing JSON keys.")`

			`@defer.inlineCallbacks`
			`def do_password_login(self, login_submission):`
Allow sign in using email address 2015-08-04 15:29:54 +00:00			`if 'medium' in login_submission and 'address' in login_submission:`
			`user_id = yield self.hs.get_datastore().get_user_id_by_threepid(`
			`login_submission['medium'], login_submission['address']`
			`)`
			`else:`
			`user_id = login_submission['user']`

			`if not user_id.startswith('@'):`
			`user_id = UserID.create(`
Merge erikj/user_dedup to develop 2015-08-26 12:42:45 +00:00			`user_id, self.hs.hostname`
			`).to_string()`
Pass back the user_id in the response to /login in case it has changed. Store and use that on the webclient rather than the input field. 2014-08-14 15:40:15 +00:00
/tokenrefresh POST endpoint This allows refresh tokens to be exchanged for (access_token, refresh_token). It also starts issuing them on login, though no clients currently interpret them. 2015-08-20 15:21:35 +00:00			`auth_handler = self.handlers.auth_handler`
Merge erikj/user_dedup to develop 2015-08-26 12:42:45 +00:00			`user_id, access_token, refresh_token = yield auth_handler.login_with_password(`
Comma comma comma comma comma chameleon 2015-08-20 09:31:18 +00:00			`user_id=user_id,`
Reference Matrix Home Server 2014-08-12 14:10:52 +00:00			`password=login_submission["password"])`

			`result = {`
Return fully qualified user_id as per spec 2015-08-20 20:54:53 +00:00			`"user_id": user_id, # may have changed`
/tokenrefresh POST endpoint This allows refresh tokens to be exchanged for (access_token, refresh_token). It also starts issuing them on login, though no clients currently interpret them. 2015-08-20 15:21:35 +00:00			`"access_token": access_token,`
			`"refresh_token": refresh_token,`
Reference Matrix Home Server 2014-08-12 14:10:52 +00:00			`"home_server": self.hs.hostname,`
			`}`

			`defer.returnValue((200, result))`


Extract the client v1 base RestServlet to a separate class 2015-01-23 14:09:51 +00:00			`class LoginFallbackRestServlet(ClientV1RestServlet):`
Reference Matrix Home Server 2014-08-12 14:10:52 +00:00			`PATTERN = client_path_pattern("/login/fallback$")`

			`def on_GET(self, request):`
			`# TODO(kegan): This should be returning some HTML which is capable of`
			`# hitting LoginRestServlet`
Empty string is not a valid JSON object, so don't return them in HTTP responses. 2014-09-04 17:09:17 +00:00			`return (200, {})`
Reference Matrix Home Server 2014-08-12 14:10:52 +00:00

Extract the client v1 base RestServlet to a separate class 2015-01-23 14:09:51 +00:00			`class PasswordResetRestServlet(ClientV1RestServlet):`
Added PasswordResetRestServlet. Hit the IS to confirm the email/user. Need to send email. 2014-09-16 10:22:40 +00:00			`PATTERN = client_path_pattern("/login/reset")`

			`@defer.inlineCallbacks`
			`def on_POST(self, request):`
			`reset_info = _parse_json(request)`
			`try:`
			`email = reset_info["email"]`
			`user_id = reset_info["user_id"]`
			`handler = self.handlers.login_handler`
			`yield handler.reset_password(user_id, email)`
			`# purposefully give no feedback to avoid people hammering different`
			`# combinations.`
			`defer.returnValue((200, {}))`
			`except KeyError:`
			`raise SynapseError(`
			`400,`
			`"Missing keys. Requires 'email' and 'user_id'."`
			`)`

code beautify 2015-07-08 10:35:20 +00:00
Integrate SAML2 basic authentication - uses pysaml2 2015-07-07 12:10:30 +00:00			`class SAML2RestServlet(ClientV1RestServlet):`
			`PATTERN = client_path_pattern("/login/saml2")`

			`def __init__(self, hs):`
			`super(SAML2RestServlet, self).__init__(hs)`
Small tweaks to SAML2 configuration. - Add saml2 config docs to default config. - Use existence of saml2 config to indicate if saml2 should be enabled. 2015-07-10 09:50:03 +00:00			`self.sp_config = hs.config.saml2_config_path`
Integrate SAML2 basic authentication - uses pysaml2 2015-07-07 12:10:30 +00:00
			`@defer.inlineCallbacks`
			`def on_POST(self, request):`
			`saml2_auth = None`
			`try:`
			`conf = config.SPConfig()`
			`conf.load_file(self.sp_config)`
			`SP = Saml2Client(conf)`
code beautify 2015-07-08 10:35:20 +00:00			`saml2_auth = SP.parse_authn_request_response(`
code beautify 2015-07-09 07:28:15 +00:00			`request.args['SAMLResponse'][0], BINDING_HTTP_POST)`
code beautify 2015-07-08 10:35:20 +00:00			`except Exception, e: # Not authenticated`
Integrate SAML2 basic authentication - uses pysaml2 2015-07-07 12:10:30 +00:00			`logger.exception(e)`
code beautify 2015-07-08 10:35:20 +00:00			`if saml2_auth and saml2_auth.status_ok() and not saml2_auth.not_signed:`
Integrate SAML2 basic authentication - uses pysaml2 2015-07-07 12:10:30 +00:00			`username = saml2_auth.name_id.text`
			`handler = self.handlers.registration_handler`
			`(user_id, token) = yield handler.register_saml2(username)`
			`# Forward to the RelayState callback along with ava`
			`if 'RelayState' in request.args:`
code beautify 2015-07-08 10:35:20 +00:00			`request.redirect(urllib.unquote(`
			`request.args['RelayState'][0]) +`
			`'?status=authenticated&access_token=' +`
			`token + '&user_id=' + user_id + '&ava=' +`
			`urllib.quote(json.dumps(saml2_auth.ava)))`
Integrate SAML2 basic authentication - uses pysaml2 2015-07-07 12:10:30 +00:00			`request.finish()`
			`defer.returnValue(None)`
code beautify 2015-07-08 10:35:20 +00:00			`defer.returnValue((200, {"status": "authenticated",`
			`"user_id": user_id, "token": token,`
			`"ava": saml2_auth.ava}))`
Integrate SAML2 basic authentication - uses pysaml2 2015-07-07 12:10:30 +00:00			`elif 'RelayState' in request.args:`
code beautify 2015-07-08 10:35:20 +00:00			`request.redirect(urllib.unquote(`
			`request.args['RelayState'][0]) +`
			`'?status=not_authenticated')`
Integrate SAML2 basic authentication - uses pysaml2 2015-07-07 12:10:30 +00:00			`request.finish()`
			`defer.returnValue(None)`
code beautify 2015-07-08 10:35:20 +00:00			`defer.returnValue((200, {"status": "not_authenticated"}))`

Added PasswordResetRestServlet. Hit the IS to confirm the email/user. Need to send email. 2014-09-16 10:22:40 +00:00
Reference Matrix Home Server 2014-08-12 14:10:52 +00:00			`def _parse_json(request):`
			`try:`
			`content = json.loads(request.content.read())`
			`if type(content) != dict:`
			`raise SynapseError(400, "Content must be a JSON object.")`
			`return content`
			`except ValueError:`
			`raise SynapseError(400, "Content not JSON.")`


			`def register_servlets(hs, http_server):`
			`LoginRestServlet(hs).register(http_server)`
Small tweaks to SAML2 configuration. - Add saml2 config docs to default config. - Use existence of saml2 config to indicate if saml2 should be enabled. 2015-07-10 09:50:03 +00:00			`if hs.config.saml2_enabled:`
Make SAML2 optional and add some references/comments 2015-07-09 08:04:47 +00:00			`SAML2RestServlet(hs).register(http_server)`
Comment out password reset for now, until the mechanism is fully discussed (IS token auth vs HS auth) 2014-09-16 12:32:33 +00:00			`# TODO PasswordResetRestServlet(hs).register(http_server)`