Commit Graph

376 Commits

Author SHA1 Message Date
Quentin Gliech
eaed4e6113
Remove unused method in synapse.api.auth.Auth. ()
Clean-up from b19060a29b ()
and 73af10f419 () which removed
all callers.
2022-09-14 10:33:54 -04:00
Eric Eastwood
a911ffb42c
Tag trace with instance name ()
We tag the Synapse instance name so that it's an easy jumping off point into the logs. Can also be used to filter for an instance that is under load.

As suggested by @clokep and @reivilibre in,

 - https://github.com/matrix-org/synapse/pull/13729#discussion_r964719258
 - https://github.com/matrix-org/synapse/pull/13729#discussion_r964733578
2022-09-09 11:31:37 -05:00
reivilibre
d3d9ca156e
Cancel the processing of key query requests when they time out. () 2022-09-07 12:03:32 +01:00
Quentin Gliech
3dd175b628
synapse.api.auth.Auth cleanup: make permission-related methods use Requester instead of the UserID ()
Part of 

This changes all the permission-related methods to rely on the Requester instead of the UserID. This is a first step towards enabling scoped access tokens at some point, since I expect the Requester to have scope-related informations in it.

It also changes methods which figure out the user/device/appservice out of the access token to return a Requester instead of something else. This avoids having store-related objects in the methods signatures.
2022-08-22 14:17:59 +01:00
Eric Eastwood
92d21faf12
Instrument /messages for understandable traces in Jaeger ()
In Jaeger:

 - Before: huge list of uncategorized database calls
 - After: nice and collapsible into units of work
2022-08-03 10:57:38 -05:00
Will Hunt
502f075e96
Implement MSC3848: Introduce errcodes for specific event sending failures ()
Implements MSC3848
2022-07-27 13:44:40 +01:00
Quentin Gliech
fe1daad672
Move the "email unsubscribe" resource, refactor the macaroon generator & simplify the access token verification logic. ()
This simplifies the access token verification logic by removing the `rights`
parameter which was only ever used for the unsubscribe link in email
notifications. The latter has been moved under the `/_synapse` namespace,
since it is not a standard API.

This also makes the email verification link more secure, by embedding the
app_id and pushkey in the macaroon and verifying it. This prevents the user
from tampering the query parameters of that unsubscribe link.

Macaroon generation is refactored:

- Centralised all macaroon generation and verification logic to the
  `MacaroonGenerator`
- Moved to `synapse.utils`
- Changed the constructor to require only a `Clock`, hostname, and a secret key
  (instead of a full `Homeserver`).
- Added tests for all methods.
2022-06-14 09:12:08 -04:00
Quentin Gliech
92103cb2c8
Decouple synapse.api.auth_blocking.AuthBlocking from synapse.api.auth.Auth. () 2022-06-14 09:51:15 +01:00
Erik Johnston
e3163e2e11
Reduce the amount of state we pull from the DB () 2022-06-06 09:24:12 +01:00
reivilibre
07fa53ec40
Improve comments and error messages around access tokens. () 2022-05-05 13:39:59 +01:00
Patrick Cloke
7fbf42499d
Use getClientAddress instead of getClientIP. ()
getClientIP was deprecated in Twisted 18.4.0, which also added
getClientAddress. The Synapse minimum version for Twisted is
currently 18.9.0, so all supported versions have the new API.
2022-05-04 14:11:21 -04:00
Richard van der Hoff
e24ff8ebe3
Remove HomeServer.get_datastore() ()
The presence of this method was confusing, and mostly present for backwards
compatibility. Let's get rid of it.

Part of 
2022-02-23 11:04:02 +00:00
Jason Robinson
2560b1b6b2
Allow tracking puppeted users for MAU ()
Currently when puppeting another user, the user doing the puppeting is
tracked for client IPs and MAU (if configured).

When tracking MAU is important, it becomes necessary to be possible to
also track the client IPs and MAU of puppeted users. As an example a
client that manages user creation and creation of tokens via the Synapse
admin API, passing those tokens for the client to use.

This PR adds optional configuration to enable tracking of puppeted users
into monthly active users. The default behaviour stays the same.

Signed-off-by: Jason Robinson <jasonr@matrix.org>
2022-01-12 16:09:36 +00:00
Richard van der Hoff
2215954147
Various opentracing enhancements ()
* Wrap `auth.get_user_by_req` in an opentracing span

give `get_user_by_req` its own opentracing span, since it can result in a
non-trivial number of sub-spans which it is useful to group together.

This requires a bit of reorganisation because it also sets some tags (and may
force tracing) on the servlet span.

* Emit opentracing span for encoding json responses

This can be a significant time sink.

* Rename all sync spans with a prefix

* Write an opentracing span for encoding sync response

* opentracing span to group generate_room_entries

* opentracing spans within sync.encode_response

* changelog

* Use the `trace` decorator instead of context managers
2021-12-21 11:10:36 +00:00
reivilibre
17886d2603
Add experimental support for MSC3202: allowing application services to masquerade as specific devices. () 2021-12-15 10:40:52 +00:00
Patrick Cloke
3ab55d43bd
Add missing type hints to synapse.api. ()
* Convert UserPresenceState to attrs.
* Remove args/kwargs from error classes and explicitly pass msg/errorcode.
2021-10-18 15:01:10 -04:00
Patrick Cloke
8c7a531e27
Use direct references for some configuration variables (part 2) () 2021-09-15 08:34:52 -04:00
Brendan Abolivier
36dc15412d
Add a module type for account validity ()
This adds an API for third-party plugin modules to implement account validity, so they can provide this feature instead of Synapse. The module implementing the current behaviour for this feature can be found at https://github.com/matrix-org/synapse-email-account-validity.

To allow for a smooth transition between the current feature and the new module, hooks have been added to the existing account validity endpoints to allow their behaviours to be overridden by a module.
2021-07-16 18:11:53 +02:00
Jonathan de Jong
bf72d10dbf
Use inline type hints in various other places (in synapse/) () 2021-07-15 11:02:43 +01:00
Eric Eastwood
0d5b08ac7a
Fix messages from multiple senders in historical chunk (MSC2716) ()
Fix messages from multiple senders in historical chunk. This also means that an app service does not need to define `?user_id` when using this endpoint.

Follow-up to https://github.com/matrix-org/synapse/pull/9247

Part of MSC2716: https://github.com/matrix-org/matrix-doc/pull/2716
2021-07-13 14:12:33 -05:00
Patrick Cloke
8d609435c0
Move methods involving event authentication to EventAuthHandler. ()
Instead of mixing them with user authentication methods.
2021-07-01 14:25:37 -04:00
Patrick Cloke
aaf7d1acb8
Correct type hints for synapse.event_auth. () 2021-06-30 07:08:42 -04:00
Quentin Gliech
bd4919fb72
MSC2918 Refresh tokens implementation ()
This implements refresh tokens, as defined by MSC2918

This MSC has been implemented client side in Hydrogen Web: 

The basics of the MSC works: requesting refresh tokens on login, having the access tokens expire, and using the refresh token to get a new one.

Signed-off-by: Quentin Gliech <quentingliech@gmail.com>
2021-06-24 14:33:20 +01:00
Eric Eastwood
96f6293de5
Add endpoints for backfilling history (MSC2716) ()
Work on https://github.com/matrix-org/matrix-doc/pull/2716
2021-06-22 10:02:53 +01:00
Richard van der Hoff
9e405034e5
Make opentracing trace into event persistence ()
* Trace event persistence

When we persist a batch of events, set the parent opentracing span to the that
from the request, so that we can trace all the way in.

* changelog

* When we force tracing, set a baggage item

... so that we can check again later.

* Link in both directions between persist_events spans
2021-06-16 11:41:15 +01:00
Richard van der Hoff
ed53bf314f
Set opentracing priority before setting other tags ()
... because tags on spans which aren't being sampled get thrown away.
2021-05-28 16:14:08 +01:00
Richard van der Hoff
c14f99be46
Support enabling opentracing by user ()
Add a config option which allows enabling opentracing by user id, eg for
debugging requests made by a test user.
2021-05-14 10:51:08 +01:00
Patrick Cloke
e83627926f
Add type hints to auth and auth_blocking. () 2021-04-23 12:02:16 -04:00
Patrick Cloke
d924827da1
Check for space membership during a remote join of a restricted room ()
When receiving a /send_join request for a room with join rules set to 'restricted',
check if the user is a member of the spaces defined in the 'allow' key of the join rules.

This only applies to an experimental room version, as defined in MSC3083.
2021-04-23 07:05:51 -04:00
Andrew Morgan
71f0623de9
Port "Allow users to click account renewal links multiple times without hitting an 'Invalid Token' page " from synapse-dinsic ()
This attempts to be a direct port of https://github.com/matrix-org/synapse-dinsic/pull/74 to mainline. There was some fiddling required to deal with the changes that have been made to mainline since (mainly dealing with the split of `RegistrationWorkerStore` from `RegistrationStore`, and the changes made to `self.make_request` in test code).
2021-04-19 19:16:34 +01:00
Jonathan de Jong
4b965c862d
Remove redundant "coding: utf-8" lines ()
Part of 

Removes all redundant `# -*- coding: utf-8 -*-` lines from files, as python 3 automatically reads source code as utf-8 now.

`Signed-off-by: Jonathan de Jong <jonathan@automatia.nl>`
2021-04-14 15:34:27 +01:00
Erik Johnston
b5efcb577e
Make it possible to use dmypy ()
Running `dmypy run` will do a `mypy` check while spinning up a daemon
that makes rerunning `dmypy run` a lot faster.

`dmypy` doesn't support `follow_imports = silent` and has
`local_partial_types` enabled, so this PR enables those options and
fixes the issues that were newly raised. Note that `local_partial_types`
will be enabled by default in upcoming mypy releases.
2021-03-26 16:49:46 +00:00
Patrick Cloke
55da8df078
Fix additional type hints from Twisted 21.2.0. () 2021-03-12 11:37:57 -05:00
Richard van der Hoff
7eb6e39a8f
Record the SSO Auth Provider in the login token ()
This great big stack of commits is a a whole load of hoop-jumping to make it easier to store additional values in login tokens, and then to actually store the SSO Identity Provider in the login token. (Making use of that data will follow in a subsequent PR.)
2021-03-04 14:44:22 +00:00
Eric Eastwood
0a00b7ff14
Update black, and run auto formatting over the codebase ()
- Update black version to the latest
 - Run black auto formatting over the codebase
    - Run autoformatting according to [`docs/code_style.md
`](80d6dc9783/docs/code_style.md)
 - Update `code_style.md` docs around installing black to use the correct version
2021-02-16 22:32:34 +00:00
Richard van der Hoff
0f8945e166
Kill off HomeServer.get_ip_from_request() ()
Homeserver.get_ip_from_request() used to be a bit more complicated, but now it is totally redundant. Let's get rid of it.
2021-01-12 12:48:12 +00:00
Richard van der Hoff
2ec8ca5e60
Remove SynapseRequest.get_user_agent ()
SynapseRequest is in danger of becoming a bit of a dumping-ground for "useful stuff relating to Requests",
which isn't really its intention (its purpose is to override render, finished and connectionLost to set up the 
LoggingContext and write the right entries to the request log).

Putting utility functions inside SynapseRequest means that lots of our code ends up requiring a
SynapseRequest when there is nothing synapse-specific about the Request at all, and any old
twisted.web.iweb.IRequest will do. This increases code coupling and makes testing more difficult.

In short: move get_user_agent out to a utility function.
2021-01-12 12:34:16 +00:00
Patrick Cloke
be2db93b3c
Do not assume that the contents dictionary includes history_visibility. () 2020-12-16 08:46:37 -05:00
Erik Johnston
a8eceb01e5
Honour AS ratelimit settings for /login requests ()
Fixes .
2020-12-11 16:33:31 +00:00
Erik Johnston
f21e24ffc2
Add ability for access tokens to belong to one user but grant access to another user. ()
We do it this way round so that only the "owner" can delete the access token (i.e. `/logout/all` by the "owner" also deletes that token, but `/logout/all` by the "target user" doesn't).

A future PR will add an API for creating such a token.

When the target user and authenticated entity are different the `Processed request` log line will be logged with a: `{@admin:server as @bob:server} ...`. I'm not convinced by that format (especially since it adds spaces in there, making it harder to use `cut -d ' '` to chop off the start of log lines). Suggestions welcome.
2020-10-29 15:58:44 +00:00
Erik Johnston
c850dd9a8e
Fix handling of User-Agent headers with bad utf-8. () 2020-10-23 17:12:59 +01:00
Richard van der Hoff
0ec0bc3886 type annotations for LruCache 2020-10-16 15:56:39 +01:00
Richard van der Hoff
3ee17585cd
Make LruCache register its own metrics ()
rather than have everything that instantiates an LruCache manage metrics
separately, have LruCache do it itself.
2020-10-16 15:51:57 +01:00
Mathieu Velten
916bb9d0d1
Don't push if an user account has expired () 2020-09-23 16:06:28 +01:00
Patrick Cloke
c619253db8
Stop sub-classing object () 2020-09-04 06:54:56 -04:00
Patrick Cloke
ac77cdb64e
Add a shadow-banned flag to users. () 2020-08-14 12:37:59 -04:00
Patrick Cloke
d4a7829b12
Convert synapse.api to async/await () 2020-08-06 08:30:06 -04:00
Patrick Cloke
8553f46498
Convert a synapse.events to async/await. () 2020-07-27 13:40:22 -04:00
Patrick Cloke
b975fa2e99
Convert state resolution to async/await () 2020-07-24 10:59:51 -04:00
Patrick Cloke
38e1fac886
Fix some spelling mistakes / typos. () 2020-07-09 09:52:58 -04:00