forked-synapse/synapse/config/auth.py

#
# This file is licensed under the Affero General Public License (AGPL) version 3.
#
# Copyright 2020 The Matrix.org Foundation C.I.C.
# Copyright 2015, 2016 OpenMarket Ltd
# Copyright (C) 2023 New Vector, Ltd
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# See the GNU Affero General Public License for more details:
# <https://www.gnu.org/licenses/agpl-3.0.html>.
#
# Originally licensed under the Apache License, Version 2.0:
# <http://www.apache.org/licenses/LICENSE-2.0>.
#
# [This file includes modifications made by New Vector Limited]
#
#
from typing import Any

from synapse.types import JsonDict

from ._base import Config


class AuthConfig(Config):
    """Password and login configuration"""

    section = "auth"

    def read_config(self, config: JsonDict, **kwargs: Any) -> None:
        password_config = config.get("password_config", {})
        if password_config is None:
            password_config = {}

        # The default value of password_config.enabled is True, unless msc3861 is enabled.
        msc3861_enabled = (
            (config.get("experimental_features") or {})
            .get("msc3861", {})
            .get("enabled", False)
        )
        passwords_enabled = password_config.get("enabled", not msc3861_enabled)

        # 'only_for_reauth' allows users who have previously set a password to use it,
        # even though passwords would otherwise be disabled.
        passwords_for_reauth_only = passwords_enabled == "only_for_reauth"

        self.password_enabled_for_login = (
            passwords_enabled and not passwords_for_reauth_only
        )
        self.password_enabled_for_reauth = (
            passwords_for_reauth_only or passwords_enabled
        )

        self.password_localdb_enabled = password_config.get("localdb_enabled", True)
        self.password_pepper = password_config.get("pepper", "")

        # Password policy
        self.password_policy = password_config.get("policy") or {}
        self.password_policy_enabled = self.password_policy.get("enabled", False)

        # User-interactive authentication
        ui_auth = config.get("ui_auth") or {}
        self.ui_auth_session_timeout = self.parse_duration(
            ui_auth.get("session_timeout", 0)
        )

        # Logging in with an existing session.
        login_via_existing = config.get("login_via_existing_session", {})
        self.login_via_existing_enabled = login_via_existing.get("enabled", False)
        self.login_via_existing_require_ui_auth = login_via_existing.get(
            "require_ui_auth", True
        )
        self.login_via_existing_token_timeout = self.parse_duration(
            login_via_existing.get("token_timeout", "5m")
        )
Add config option to disable password login 2015-10-22 05:37:04 -04:00			`#`
Update license headers 2023-11-21 15:29:58 -05:00			`# This file is licensed under the Affero General Public License (AGPL) version 3.`
			`#`
Correctly mention previous copyright (#16820) During the migration the automated script to update the copyright headers accidentally got rid of some of the existing copyright lines. Reinstate them. 2024-01-23 06:26:48 -05:00			`# Copyright 2020 The Matrix.org Foundation C.I.C.`
			`# Copyright 2015, 2016 OpenMarket Ltd`
Update license headers 2023-11-21 15:29:58 -05:00			`# Copyright (C) 2023 New Vector, Ltd`
			`#`
			`# This program is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU Affero General Public License as`
			`# published by the Free Software Foundation, either version 3 of the`
			`# License, or (at your option) any later version.`
			`#`
			`# See the GNU Affero General Public License for more details:`
			`# <https://www.gnu.org/licenses/agpl-3.0.html>.`
			`#`
			`# Originally licensed under the Apache License, Version 2.0:`
			`# <http://www.apache.org/licenses/LICENSE-2.0>.`
			`#`
			`# [This file includes modifications made by New Vector Limited]`
Add config option to disable password login 2015-10-22 05:37:04 -04:00			`#`
			`#`
Add missing type hints to config classes. (#12402) 2022-04-11 12:07:23 -04:00			`from typing import Any`

			`from synapse.types import JsonDict`
Add config option to disable password login 2015-10-22 05:37:04 -04:00
Refactor config to be an experimental feature Also enforce you can't combine it with incompatible config options 2023-05-09 10:20:04 -04:00			`from ._base import Config`
Add config option to disable password login 2015-10-22 05:37:04 -04:00

Allow re-using a UI auth validation for a period of time (#8970) 2020-12-18 07:33:57 -05:00			`class AuthConfig(Config):`
			`"""Password and login configuration"""`
Add config option to disable password login 2015-10-22 05:37:04 -04:00
Allow re-using a UI auth validation for a period of time (#8970) 2020-12-18 07:33:57 -05:00			`section = "auth"`
Refactor HomeserverConfig so it can be typechecked (#6137) 2019-10-10 04:39:35 -04:00
Add missing type hints to config classes. (#12402) 2022-04-11 12:07:23 -04:00			`def read_config(self, config: JsonDict, **kwargs: Any) -> None:`
Add config option to disable password login 2015-10-22 05:37:04 -04:00			`password_config = config.get("password_config", {})`
Comment out most options in the generated config. (#4863) Make it so that most options in the config are optional, and commented out in the generated config. The reasons this is a good thing are as follows: * If we decide that we should change the default for an option, we can do so, and only those admins that have deliberately chosen to override that option will be stuck on the old setting. * It moves us towards a point where we can get rid of the super-surprising feature of synapse where the default settings for the config come from the generated yaml. * It makes setting up a test config for unit testing an order of magnitude easier (see forthcoming PR). * It makes the generated config more consistent, and hopefully easier for users to understand. 2019-03-19 06:06:40 -04:00			`if password_config is None:`
			`password_config = {}`

Refactor config to be an experimental feature Also enforce you can't combine it with incompatible config options 2023-05-09 10:20:04 -04:00			`# The default value of password_config.enabled is True, unless msc3861 is enabled.`
			`msc3861_enabled = (`
Fix running with an empty experimental features section. (#15925) 2023-07-12 08:39:25 -04:00			`(config.get("experimental_features") or {})`
Refactor config to be an experimental feature Also enforce you can't combine it with incompatible config options 2023-05-09 10:20:04 -04:00			`.get("msc3861", {})`
			`.get("enabled", False)`
			`)`
			`passwords_enabled = password_config.get("enabled", not msc3861_enabled)`

Add an option allowing users to use their password to reauthenticate even though password authentication is disabled. (#12883) 2022-05-27 05:44:51 -04:00			`# 'only_for_reauth' allows users who have previously set a password to use it,`
			`# even though passwords would otherwise be disabled.`
			`passwords_for_reauth_only = passwords_enabled == "only_for_reauth"`

			`self.password_enabled_for_login = (`
			`passwords_enabled and not passwords_for_reauth_only`
			`)`
			`self.password_enabled_for_reauth = (`
			`passwords_for_reauth_only or passwords_enabled`
			`)`

Added possibilty to disable local password authentication (#5092) Signed-off-by: Daniel Hoffend <dh@dotlan.net> 2019-06-27 13:37:29 -04:00			`self.password_localdb_enabled = password_config.get("localdb_enabled", True)`
Fix password config 2016-07-05 06:12:53 -04:00			`self.password_pepper = password_config.get("pepper", "")`
Add config option to disable password login 2015-10-22 05:37:04 -04:00
Allow server admins to define and enforce a password policy (MSC2000). (#7118) 2020-03-26 12:51:13 -04:00			`# Password policy`
			`self.password_policy = password_config.get("policy") or {}`
			`self.password_policy_enabled = self.password_policy.get("enabled", False)`

Allow re-using a UI auth validation for a period of time (#8970) 2020-12-18 07:33:57 -05:00			`# User-interactive authentication`
			`ui_auth = config.get("ui_auth") or {}`
Parse ui_auth.session_timeout as a duration (instead of treating it as ms) (#9426) 2021-02-18 09:18:14 -05:00			`self.ui_auth_session_timeout = self.parse_duration(`
			`ui_auth.get("session_timeout", 0)`
			`)`
Implement stable support for MSC3882 to allow an existing device/session to generate a login token for use on a new device/session (#15388) Implements stable support for MSC3882; this involves updating Synapse's support to match the MSC / the spec says. Continue to support the unstable version to allow clients to transition. 2023-06-01 08:52:51 -04:00
			`# Logging in with an existing session.`
			`login_via_existing = config.get("login_via_existing_session", {})`
			`self.login_via_existing_enabled = login_via_existing.get("enabled", False)`
			`self.login_via_existing_require_ui_auth = login_via_existing.get(`
			`"require_ui_auth", True`
			`)`
			`self.login_via_existing_token_timeout = self.parse_duration(`
			`login_via_existing.get("token_timeout", "5m")`
			`)`