mirror of
https://mau.dev/maunium/synapse.git
synced 2024-10-01 01:36:05 -04:00
158d73ebdd
Revert "Sort internal changes in changelog" Revert "Update CHANGES.md" Revert "1.49.0rc1" Revert "Revert "Move `glob_to_regex` and `re_word_boundary` to `matrix-python-common` (#11505) (#11527)" Revert "Refactors in `_generate_sync_entry_for_rooms` (#11515)" Revert "Correctly register shutdown handler for presence workers (#11518)" Revert "Fix `ModuleApi.looping_background_call` for non-async functions (#11524)" Revert "Fix 'delete room' admin api to work on incomplete rooms (#11523)" Revert "Correctly ignore invites from ignored users (#11511)" Revert "Fix the test breakage introduced by #11435 as a result of concurrent PRs (#11522)" Revert "Stabilise support for MSC2918 refresh tokens as they have now been merged into the Matrix specification. (#11435)" Revert "Save the OIDC session ID (sid) with the device on login (#11482)" Revert "Add admin API to get some information about federation status (#11407)" Revert "Include bundled aggregations in /sync and related fixes (#11478)" Revert "Move `glob_to_regex` and `re_word_boundary` to `matrix-python-common` (#11505)" Revert "Update backward extremity docs to make it clear that it does not indicate whether we have fetched an events' `prev_events` (#11469)" Revert "Support configuring the lifetime of non-refreshable access tokens separately to refreshable access tokens. (#11445)" Revert "Add type hints to `synapse/tests/rest/admin` (#11501)" Revert "Revert accidental commits to develop." Revert "Newsfile" Revert "Give `tests.server.setup_test_homeserver` (nominally!) the same behaviour" Revert "Move `tests.utils.setup_test_homeserver` to `tests.server`" Revert "Convert one of the `setup_test_homeserver`s to `make_test_homeserver_synchronous`" Revert "Disambiguate queries on `state_key` (#11497)" Revert "Comments on the /sync tentacles (#11494)" Revert "Clean up tests.storage.test_appservice (#11492)" Revert "Clean up `tests.storage.test_main` to remove use of legacy code. (#11493)" Revert "Clean up `tests.test_visibility` to remove legacy code. (#11495)" Revert "Minor cleanup on recently ported doc pages (#11466)" Revert "Add most of the missing type hints to `synapse.federation`. (#11483)" Revert "Avoid waiting for zombie processes in `synctl stop` (#11490)" Revert "Fix media repository failing when media store path contains symlinks (#11446)" Revert "Add type annotations to `tests.storage.test_appservice`. (#11488)" Revert "`scripts-dev/sign_json`: support for signing events (#11486)" Revert "Add MSC3030 experimental client and federation API endpoints to get the closest event to a given timestamp (#9445)" Revert "Port wiki pages to documentation website (#11402)" Revert "Add a license header and comment. (#11479)" Revert "Clean-up get_version_string (#11468)" Revert "Link background update controller docs to summary (#11475)" Revert "Additional type hints for config module. (#11465)" Revert "Register the login redirect endpoint for v3. (#11451)" Revert "Update openid.md" Revert "Remove mention of OIDC certification from Dex (#11470)" Revert "Add a note about huge pages to our Postgres doc (#11467)" Revert "Don't start Synapse master process if `worker_app` is set (#11416)" Revert "Expose worker & homeserver as entrypoints in `setup.py` (#11449)" Revert "Bundle relations of relations into the `/relations` result. (#11284)" Revert "Fix `LruCache` corruption bug with a `size_callback` that can return 0 (#11454)" Revert "Eliminate a few `Any`s in `LruCache` type hints (#11453)" Revert "Remove unnecessary `json.dumps` from `tests.rest.admin` (#11461)" Revert "Merge branch 'master' into develop" This reverts commit26b5d2320f
. This reverts commitbce4220f38
. This reverts commit966b5d0fa0
. This reverts commit088d748f2c
. This reverts commit14d593f72d
. This reverts commit2a3ec6facf
. This reverts commiteccc49d755
. This reverts commitb1ecd19c5d
. This reverts commit9c55dedc8c
. This reverts commit2d42e586a8
. This reverts commit2f053f3f82
. This reverts commita15a893df8
. This reverts commit8b4b153c9e
. This reverts commit494ebd7347
. This reverts commita77c369897
. This reverts commit4eb77965cd
. This reverts commit637df95de6
. This reverts commite5f426cd54
. This reverts commit8cd68b8102
. This reverts commit6cae125e20
. This reverts commit7be88fbf48
. This reverts commitb3fd99b74a
. This reverts commitf7ec6e7d9e
. This reverts commit5640992d17
. This reverts commitd26808dd85
. This reverts commitf91624a595
. This reverts commit16d39a5490
. This reverts commit8a4c296987
. This reverts commit49e1356ee3
. This reverts commitd2279f471b
. This reverts commitb50e39df57
. This reverts commit858d80bf0f
. This reverts commit435f044807
. This reverts commitf61462e1be
. This reverts commita6f1a3abec
. This reverts commit84dc50e160
. This reverts commited635d3285
. This reverts commit7b62791e00
. This reverts commit153194c771
. This reverts commitf44d729d4c
. This reverts commita265fbd397
. This reverts commitb9fef1a7cd
. This reverts commitb0eb64ff7b
. This reverts commitf1795463bf
. This reverts commit70cbb1a5e3
. This reverts commit42bf020463
. This reverts commit379f2650cf
. This reverts commit7ff22d6da4
. This reverts commit5a0b652d36
. This reverts commit432a174bc1
. This reverts commitb14f8a1baf
, reversing changes made toe713855dca
.
148 lines
5.9 KiB
Python
148 lines
5.9 KiB
Python
# Copyright 2020 The Matrix.org Foundation C.I.C.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
import logging
|
|
from typing import Any, Dict, Optional
|
|
|
|
import attr
|
|
|
|
from ._base import Config
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
LEGACY_TEMPLATE_DIR_WARNING = """
|
|
This server's configuration file is using the deprecated 'template_dir' setting in the
|
|
'sso' section. Support for this setting has been deprecated and will be removed in a
|
|
future version of Synapse. Server admins should instead use the new
|
|
'custom_templates_directory' setting documented here:
|
|
https://matrix-org.github.io/synapse/latest/templates.html
|
|
---------------------------------------------------------------------------------------"""
|
|
|
|
|
|
@attr.s(frozen=True)
|
|
class SsoAttributeRequirement:
|
|
"""Object describing a single requirement for SSO attributes."""
|
|
|
|
attribute = attr.ib(type=str)
|
|
# If a value is not given, than the attribute must simply exist.
|
|
value = attr.ib(type=Optional[str])
|
|
|
|
JSON_SCHEMA = {
|
|
"type": "object",
|
|
"properties": {"attribute": {"type": "string"}, "value": {"type": "string"}},
|
|
"required": ["attribute", "value"],
|
|
}
|
|
|
|
|
|
class SSOConfig(Config):
|
|
"""SSO Configuration"""
|
|
|
|
section = "sso"
|
|
|
|
def read_config(self, config, **kwargs):
|
|
sso_config: Dict[str, Any] = config.get("sso") or {}
|
|
|
|
# The sso-specific template_dir
|
|
self.sso_template_dir = sso_config.get("template_dir")
|
|
if self.sso_template_dir is not None:
|
|
logger.warning(LEGACY_TEMPLATE_DIR_WARNING)
|
|
|
|
# Read templates from disk
|
|
custom_template_directories = (
|
|
self.root.server.custom_template_directory,
|
|
self.sso_template_dir,
|
|
)
|
|
|
|
(
|
|
self.sso_login_idp_picker_template,
|
|
self.sso_redirect_confirm_template,
|
|
self.sso_auth_confirm_template,
|
|
self.sso_error_template,
|
|
sso_account_deactivated_template,
|
|
sso_auth_success_template,
|
|
self.sso_auth_bad_user_template,
|
|
) = self.read_templates(
|
|
[
|
|
"sso_login_idp_picker.html",
|
|
"sso_redirect_confirm.html",
|
|
"sso_auth_confirm.html",
|
|
"sso_error.html",
|
|
"sso_account_deactivated.html",
|
|
"sso_auth_success.html",
|
|
"sso_auth_bad_user.html",
|
|
],
|
|
(td for td in custom_template_directories if td),
|
|
)
|
|
|
|
# These templates have no placeholders, so render them here
|
|
self.sso_account_deactivated_template = (
|
|
sso_account_deactivated_template.render()
|
|
)
|
|
self.sso_auth_success_template = sso_auth_success_template.render()
|
|
|
|
self.sso_client_whitelist = sso_config.get("client_whitelist") or []
|
|
|
|
self.sso_update_profile_information = (
|
|
sso_config.get("update_profile_information") or False
|
|
)
|
|
|
|
# Attempt to also whitelist the server's login fallback, since that fallback sets
|
|
# the redirect URL to itself (so it can process the login token then return
|
|
# gracefully to the client). This would make it pointless to ask the user for
|
|
# confirmation, since the URL the confirmation page would be showing wouldn't be
|
|
# the client's.
|
|
login_fallback_url = (
|
|
self.root.server.public_baseurl + "_matrix/static/client/login"
|
|
)
|
|
self.sso_client_whitelist.append(login_fallback_url)
|
|
|
|
def generate_config_section(self, **kwargs):
|
|
return """\
|
|
# Additional settings to use with single-sign on systems such as OpenID Connect,
|
|
# SAML2 and CAS.
|
|
#
|
|
# Server admins can configure custom templates for pages related to SSO. See
|
|
# https://matrix-org.github.io/synapse/latest/templates.html for more information.
|
|
#
|
|
sso:
|
|
# A list of client URLs which are whitelisted so that the user does not
|
|
# have to confirm giving access to their account to the URL. Any client
|
|
# whose URL starts with an entry in the following list will not be subject
|
|
# to an additional confirmation step after the SSO login is completed.
|
|
#
|
|
# WARNING: An entry such as "https://my.client" is insecure, because it
|
|
# will also match "https://my.client.evil.site", exposing your users to
|
|
# phishing attacks from evil.site. To avoid this, include a slash after the
|
|
# hostname: "https://my.client/".
|
|
#
|
|
# The login fallback page (used by clients that don't natively support the
|
|
# required login flows) is whitelisted in addition to any URLs in this list.
|
|
#
|
|
# By default, this list contains only the login fallback page.
|
|
#
|
|
#client_whitelist:
|
|
# - https://riot.im/develop
|
|
# - https://my.custom.client/
|
|
|
|
# Uncomment to keep a user's profile fields in sync with information from
|
|
# the identity provider. Currently only syncing the displayname is
|
|
# supported. Fields are checked on every SSO login, and are updated
|
|
# if necessary.
|
|
#
|
|
# Note that enabling this option will override user profile information,
|
|
# regardless of whether users have opted-out of syncing that
|
|
# information when first signing in. Defaults to false.
|
|
#
|
|
#update_profile_information: true
|
|
"""
|