Merge pull request #2973 from matrix-org/matthew/dinsic_3pid_check

Delegate 3PID registration determination to experimental IS API
2024-10-01 01:36:05 -04:00 · 2018-03-14 22:35:58 +00:00 · 2018-03-14 22:35:58 +00:00 · ef5193e0cb
commit ef5193e0cb
parent 7b3959c7f3 2e4a6c5aab
5 changed files with 44 additions and 12 deletions
--- a/synapse/config/registration.py
+++ b/synapse/config/registration.py
@ -33,6 +33,10 @@ class RegistrationConfig(Config):

        self.registrations_require_3pid = config.get("registrations_require_3pid", [])
        self.allowed_local_3pids = config.get("allowed_local_3pids", [])
+        self.check_is_for_allowed_local_3pids = config.get(
+            "check_is_for_allowed_local_3pids", None
+        )
+        self.allow_invited_3pids = config.get("allow_invited_3pids", False)
        self.registration_shared_secret = config.get("registration_shared_secret")

        self.bcrypt_rounds = config.get("bcrypt_rounds", 12)
@ -63,6 +67,16 @@ class RegistrationConfig(Config):
        # Mandate that users are only allowed to associate certain formats of
        # 3PIDs with accounts on this server.
        #
+        # Use an Identity Server to establish which 3PIDs are allowed to register?
+        # Overrides allowed_local_3pids below.
+        # check_is_for_allowed_local_3pids: matrix.org
+        #
+        # If you are using an IS you can also check whether that IS registers
+        # pending invites for the given 3PID (and then allow it to sign up on
+        # the platform):
+        #
+        # allow_invited_3pids: False
+        #
        # allowed_local_3pids:
        #     - medium: email
        #       pattern: ".*@matrix\\.org"
--- a/synapse/handlers/register.py
+++ b/synapse/handlers/register.py
@ -308,7 +308,9 @@ class RegistrationHandler(BaseHandler):
            logger.info("got threepid with medium '%s' and address '%s'",
                        threepid['medium'], threepid['address'])

-            if not check_3pid_allowed(self.hs, threepid['medium'], threepid['address']):
+            if not (
+                yield check_3pid_allowed(self.hs, threepid['medium'], threepid['address'])
+            ):
                raise RegistrationError(
                    403, "Third party identifier is not allowed"
                )
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@ -48,7 +48,7 @@ class EmailPasswordRequestTokenRestServlet(RestServlet):
            'id_server', 'client_secret', 'email', 'send_attempt'
        ])

-        if not check_3pid_allowed(self.hs, "email", body['email']):
+        if not (yield check_3pid_allowed(self.hs, "email", body['email'])):
            raise SynapseError(
                403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
            )
@ -84,7 +84,7 @@ class MsisdnPasswordRequestTokenRestServlet(RestServlet):

        msisdn = phone_number_to_msisdn(body['country'], body['phone_number'])

-        if not check_3pid_allowed(self.hs, "msisdn", msisdn):
+        if not (yield check_3pid_allowed(self.hs, "msisdn", msisdn)):
            raise SynapseError(
                403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
            )
@ -228,7 +228,7 @@ class EmailThreepidRequestTokenRestServlet(RestServlet):
        if absent:
            raise SynapseError(400, "Missing params: %r" % absent, Codes.MISSING_PARAM)

-        if not check_3pid_allowed(self.hs, "email", body['email']):
+        if not (yield check_3pid_allowed(self.hs, "email", body['email'])):
            raise SynapseError(
                403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
            )
@ -271,7 +271,7 @@ class MsisdnThreepidRequestTokenRestServlet(RestServlet):

        msisdn = phone_number_to_msisdn(body['country'], body['phone_number'])

-        if not check_3pid_allowed(self.hs, "msisdn", msisdn):
+        if not (yield check_3pid_allowed(self.hs, "msisdn", msisdn)):
            raise SynapseError(
                403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
            )
--- a/synapse/rest/client/v2_alpha/register.py
+++ b/synapse/rest/client/v2_alpha/register.py
@ -71,7 +71,7 @@ class EmailRegisterRequestTokenRestServlet(RestServlet):
            'id_server', 'client_secret', 'email', 'send_attempt'
        ])

-        if not check_3pid_allowed(self.hs, "email", body['email']):
+        if not (yield check_3pid_allowed(self.hs, "email", body['email'])):
            raise SynapseError(
                403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
            )
@ -111,7 +111,7 @@ class MsisdnRegisterRequestTokenRestServlet(RestServlet):

        msisdn = phone_number_to_msisdn(body['country'], body['phone_number'])

-        if not check_3pid_allowed(self.hs, "msisdn", msisdn):
+        if not (yield check_3pid_allowed(self.hs, "msisdn", msisdn)):
            raise SynapseError(
                403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
            )
@ -371,7 +371,7 @@ class RegisterRestServlet(RestServlet):
                    medium = auth_result[login_type]['medium']
                    address = auth_result[login_type]['address']

-                    if not check_3pid_allowed(self.hs, medium, address):
+                    if not (yield check_3pid_allowed(self.hs, medium, address)):
                        raise SynapseError(
                            403, "Third party identifier is not allowed",
                            Codes.THREEPID_DENIED,
--- a/synapse/util/threepids.py
+++ b/synapse/util/threepids.py
@ -16,9 +16,12 @@
 import logging
 import re

+from twisted.internet import defer
+
 logger = logging.getLogger(__name__)


+@defer.inlineCallbacks
 def check_3pid_allowed(hs, medium, address):
    """Checks whether a given format of 3PID is allowed to be used on this HS

@ -28,9 +31,22 @@ def check_3pid_allowed(hs, medium, address):
        address (str): address within that medium (e.g. "wotan@matrix.org")
            msisdns need to first have been canonicalised
    Returns:
-        bool: whether the 3PID medium/address is allowed to be added to this HS
+        defered bool: whether the 3PID medium/address is allowed to be added to this HS
    """

+    if hs.config.check_is_for_allowed_local_3pids:
+        data = yield hs.get_simple_http_client().get_json(
+            "https://%s%s" % (
+                hs.config.check_is_for_allowed_local_3pids,
+                "/_matrix/identity/api/v1/info"
+            ),
+            {'medium': medium, 'address': address}
+        )
+        if hs.config.allow_invited_3pids and data.get('invited'):
+            defer.returnValue(True)
+        else:
+            defer.returnValue(data['hs'] == hs.config.server_name)
+
    if hs.config.allowed_local_3pids:
        for constraint in hs.config.allowed_local_3pids:
            logger.debug(
@ -41,8 +57,8 @@ def check_3pid_allowed(hs, medium, address):
                medium == constraint['medium'] and
                re.match(constraint['pattern'], address)
            ):
-                return True
+                defer.returnValue(True)
    else:
-        return True
+        defer.returnValue(True)

-    return False
+    defer.returnValue(False)