mirror of
https://git.anonymousland.org/anonymousland/synapse-product.git
synced 2025-01-17 23:57:11 -05:00
9c715a5f19
Fixes #8966. * Factor out build_synapse_client_resource_tree Start a function which will mount resources common to all workers. * Move sso init into build_synapse_client_resource_tree ... so that we don't have to do it for each worker * Fix SSO-login-via-a-worker Expose the SSO login endpoints on workers, like the documentation says. * Update workers config for new endpoints Add documentation for endpoints recently added (#8942, #9017, #9262) * remove submit_token from workers endpoints list this *doesn't* work on workers (yet). * changelog * Add a comment about the odd path for SAML2Resource
508 lines
18 KiB
Python
508 lines
18 KiB
Python
#!/usr/bin/env python
|
|
# -*- coding: utf-8 -*-
|
|
# Copyright 2014-2016 OpenMarket Ltd
|
|
# Copyright 2019 New Vector Ltd
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
import logging
|
|
import os
|
|
import sys
|
|
from typing import Iterable, Iterator
|
|
|
|
from twisted.internet import reactor
|
|
from twisted.web.resource import EncodingResourceWrapper, IResource
|
|
from twisted.web.server import GzipEncoderFactory
|
|
from twisted.web.static import File
|
|
|
|
import synapse
|
|
import synapse.config.logger
|
|
from synapse import events
|
|
from synapse.api.urls import (
|
|
FEDERATION_PREFIX,
|
|
LEGACY_MEDIA_PREFIX,
|
|
MEDIA_PREFIX,
|
|
SERVER_KEY_V2_PREFIX,
|
|
STATIC_PREFIX,
|
|
WEB_CLIENT_PREFIX,
|
|
)
|
|
from synapse.app import _base
|
|
from synapse.app._base import listen_ssl, listen_tcp, quit_with_error, register_start
|
|
from synapse.config._base import ConfigError
|
|
from synapse.config.emailconfig import ThreepidBehaviour
|
|
from synapse.config.homeserver import HomeServerConfig
|
|
from synapse.config.server import ListenerConfig
|
|
from synapse.federation.transport.server import TransportLayerServer
|
|
from synapse.http.additional_resource import AdditionalResource
|
|
from synapse.http.server import (
|
|
OptionsResource,
|
|
RootOptionsRedirectResource,
|
|
RootRedirect,
|
|
StaticResource,
|
|
)
|
|
from synapse.http.site import SynapseSite
|
|
from synapse.logging.context import LoggingContext
|
|
from synapse.metrics import METRICS_PREFIX, MetricsResource, RegistryProxy
|
|
from synapse.python_dependencies import check_requirements
|
|
from synapse.replication.http import REPLICATION_PREFIX, ReplicationRestResource
|
|
from synapse.replication.tcp.resource import ReplicationStreamProtocolFactory
|
|
from synapse.rest import ClientRestResource
|
|
from synapse.rest.admin import AdminRestResource
|
|
from synapse.rest.health import HealthResource
|
|
from synapse.rest.key.v2 import KeyApiV2Resource
|
|
from synapse.rest.synapse.client import build_synapse_client_resource_tree
|
|
from synapse.rest.well_known import WellKnownResource
|
|
from synapse.server import HomeServer
|
|
from synapse.storage import DataStore
|
|
from synapse.storage.engines import IncorrectDatabaseSetup
|
|
from synapse.storage.prepare_database import UpgradeDatabaseException
|
|
from synapse.util.httpresourcetree import create_resource_tree
|
|
from synapse.util.manhole import manhole
|
|
from synapse.util.module_loader import load_module
|
|
from synapse.util.versionstring import get_version_string
|
|
|
|
logger = logging.getLogger("synapse.app.homeserver")
|
|
|
|
|
|
def gz_wrap(r):
|
|
return EncodingResourceWrapper(r, [GzipEncoderFactory()])
|
|
|
|
|
|
class SynapseHomeServer(HomeServer):
|
|
DATASTORE_CLASS = DataStore
|
|
|
|
def _listener_http(self, config: HomeServerConfig, listener_config: ListenerConfig):
|
|
port = listener_config.port
|
|
bind_addresses = listener_config.bind_addresses
|
|
tls = listener_config.tls
|
|
site_tag = listener_config.http_options.tag
|
|
if site_tag is None:
|
|
site_tag = str(port)
|
|
|
|
# We always include a health resource.
|
|
resources = {"/health": HealthResource()}
|
|
|
|
for res in listener_config.http_options.resources:
|
|
for name in res.names:
|
|
if name == "openid" and "federation" in res.names:
|
|
# Skip loading openid resource if federation is defined
|
|
# since federation resource will include openid
|
|
continue
|
|
resources.update(self._configure_named_resource(name, res.compress))
|
|
|
|
additional_resources = listener_config.http_options.additional_resources
|
|
logger.debug("Configuring additional resources: %r", additional_resources)
|
|
module_api = self.get_module_api()
|
|
for path, resmodule in additional_resources.items():
|
|
handler_cls, config = load_module(
|
|
resmodule,
|
|
("listeners", site_tag, "additional_resources", "<%s>" % (path,)),
|
|
)
|
|
handler = handler_cls(config, module_api)
|
|
if IResource.providedBy(handler):
|
|
resource = handler
|
|
elif hasattr(handler, "handle_request"):
|
|
resource = AdditionalResource(self, handler.handle_request)
|
|
else:
|
|
raise ConfigError(
|
|
"additional_resource %s does not implement a known interface"
|
|
% (resmodule["module"],)
|
|
)
|
|
resources[path] = resource
|
|
|
|
# try to find something useful to redirect '/' to
|
|
if WEB_CLIENT_PREFIX in resources:
|
|
root_resource = RootOptionsRedirectResource(WEB_CLIENT_PREFIX)
|
|
elif STATIC_PREFIX in resources:
|
|
root_resource = RootOptionsRedirectResource(STATIC_PREFIX)
|
|
else:
|
|
root_resource = OptionsResource()
|
|
|
|
root_resource = create_resource_tree(resources, root_resource)
|
|
|
|
if tls:
|
|
ports = listen_ssl(
|
|
bind_addresses,
|
|
port,
|
|
SynapseSite(
|
|
"synapse.access.https.%s" % (site_tag,),
|
|
site_tag,
|
|
listener_config,
|
|
root_resource,
|
|
self.version_string,
|
|
),
|
|
self.tls_server_context_factory,
|
|
reactor=self.get_reactor(),
|
|
)
|
|
logger.info("Synapse now listening on TCP port %d (TLS)", port)
|
|
|
|
else:
|
|
ports = listen_tcp(
|
|
bind_addresses,
|
|
port,
|
|
SynapseSite(
|
|
"synapse.access.http.%s" % (site_tag,),
|
|
site_tag,
|
|
listener_config,
|
|
root_resource,
|
|
self.version_string,
|
|
),
|
|
reactor=self.get_reactor(),
|
|
)
|
|
logger.info("Synapse now listening on TCP port %d", port)
|
|
|
|
return ports
|
|
|
|
def _configure_named_resource(self, name, compress=False):
|
|
"""Build a resource map for a named resource
|
|
|
|
Args:
|
|
name (str): named resource: one of "client", "federation", etc
|
|
compress (bool): whether to enable gzip compression for this
|
|
resource
|
|
|
|
Returns:
|
|
dict[str, Resource]: map from path to HTTP resource
|
|
"""
|
|
resources = {}
|
|
if name == "client":
|
|
client_resource = ClientRestResource(self)
|
|
if compress:
|
|
client_resource = gz_wrap(client_resource)
|
|
|
|
resources.update(
|
|
{
|
|
"/_matrix/client/api/v1": client_resource,
|
|
"/_matrix/client/r0": client_resource,
|
|
"/_matrix/client/unstable": client_resource,
|
|
"/_matrix/client/v2_alpha": client_resource,
|
|
"/_matrix/client/versions": client_resource,
|
|
"/.well-known/matrix/client": WellKnownResource(self),
|
|
"/_synapse/admin": AdminRestResource(self),
|
|
**build_synapse_client_resource_tree(self),
|
|
}
|
|
)
|
|
|
|
if self.get_config().threepid_behaviour_email == ThreepidBehaviour.LOCAL:
|
|
from synapse.rest.synapse.client.password_reset import (
|
|
PasswordResetSubmitTokenResource,
|
|
)
|
|
|
|
resources[
|
|
"/_synapse/client/password_reset/email/submit_token"
|
|
] = PasswordResetSubmitTokenResource(self)
|
|
|
|
if name == "consent":
|
|
from synapse.rest.consent.consent_resource import ConsentResource
|
|
|
|
consent_resource = ConsentResource(self)
|
|
if compress:
|
|
consent_resource = gz_wrap(consent_resource)
|
|
resources.update({"/_matrix/consent": consent_resource})
|
|
|
|
if name == "federation":
|
|
resources.update({FEDERATION_PREFIX: TransportLayerServer(self)})
|
|
|
|
if name == "openid":
|
|
resources.update(
|
|
{
|
|
FEDERATION_PREFIX: TransportLayerServer(
|
|
self, servlet_groups=["openid"]
|
|
)
|
|
}
|
|
)
|
|
|
|
if name in ["static", "client"]:
|
|
resources.update(
|
|
{
|
|
STATIC_PREFIX: StaticResource(
|
|
os.path.join(os.path.dirname(synapse.__file__), "static")
|
|
)
|
|
}
|
|
)
|
|
|
|
if name in ["media", "federation", "client"]:
|
|
if self.get_config().enable_media_repo:
|
|
media_repo = self.get_media_repository_resource()
|
|
resources.update(
|
|
{MEDIA_PREFIX: media_repo, LEGACY_MEDIA_PREFIX: media_repo}
|
|
)
|
|
elif name == "media":
|
|
raise ConfigError(
|
|
"'media' resource conflicts with enable_media_repo=False"
|
|
)
|
|
|
|
if name in ["keys", "federation"]:
|
|
resources[SERVER_KEY_V2_PREFIX] = KeyApiV2Resource(self)
|
|
|
|
if name == "webclient":
|
|
webclient_loc = self.get_config().web_client_location
|
|
|
|
if webclient_loc is None:
|
|
logger.warning(
|
|
"Not enabling webclient resource, as web_client_location is unset."
|
|
)
|
|
elif webclient_loc.startswith("http://") or webclient_loc.startswith(
|
|
"https://"
|
|
):
|
|
resources[WEB_CLIENT_PREFIX] = RootRedirect(webclient_loc)
|
|
else:
|
|
logger.warning(
|
|
"Running webclient on the same domain is not recommended: "
|
|
"https://github.com/matrix-org/synapse#security-note - "
|
|
"after you move webclient to different host you can set "
|
|
"web_client_location to its full URL to enable redirection."
|
|
)
|
|
# GZip is disabled here due to
|
|
# https://twistedmatrix.com/trac/ticket/7678
|
|
resources[WEB_CLIENT_PREFIX] = File(webclient_loc)
|
|
|
|
if name == "metrics" and self.get_config().enable_metrics:
|
|
resources[METRICS_PREFIX] = MetricsResource(RegistryProxy)
|
|
|
|
if name == "replication":
|
|
resources[REPLICATION_PREFIX] = ReplicationRestResource(self)
|
|
|
|
return resources
|
|
|
|
def start_listening(self, listeners: Iterable[ListenerConfig]):
|
|
config = self.get_config()
|
|
|
|
if config.redis_enabled:
|
|
# If redis is enabled we connect via the replication command handler
|
|
# in the same way as the workers (since we're effectively a client
|
|
# rather than a server).
|
|
self.get_tcp_replication().start_replication(self)
|
|
|
|
for listener in listeners:
|
|
if listener.type == "http":
|
|
self._listening_services.extend(self._listener_http(config, listener))
|
|
elif listener.type == "manhole":
|
|
listen_tcp(
|
|
listener.bind_addresses,
|
|
listener.port,
|
|
manhole(
|
|
username="matrix", password="rabbithole", globals={"hs": self}
|
|
),
|
|
)
|
|
elif listener.type == "replication":
|
|
services = listen_tcp(
|
|
listener.bind_addresses,
|
|
listener.port,
|
|
ReplicationStreamProtocolFactory(self),
|
|
)
|
|
for s in services:
|
|
reactor.addSystemEventTrigger("before", "shutdown", s.stopListening)
|
|
elif listener.type == "metrics":
|
|
if not self.get_config().enable_metrics:
|
|
logger.warning(
|
|
(
|
|
"Metrics listener configured, but "
|
|
"enable_metrics is not True!"
|
|
)
|
|
)
|
|
else:
|
|
_base.listen_metrics(listener.bind_addresses, listener.port)
|
|
else:
|
|
# this shouldn't happen, as the listener type should have been checked
|
|
# during parsing
|
|
logger.warning("Unrecognized listener type: %s", listener.type)
|
|
|
|
|
|
def setup(config_options):
|
|
"""
|
|
Args:
|
|
config_options_options: The options passed to Synapse. Usually
|
|
`sys.argv[1:]`.
|
|
|
|
Returns:
|
|
HomeServer
|
|
"""
|
|
try:
|
|
config = HomeServerConfig.load_or_generate_config(
|
|
"Synapse Homeserver", config_options
|
|
)
|
|
except ConfigError as e:
|
|
sys.stderr.write("\n")
|
|
for f in format_config_error(e):
|
|
sys.stderr.write(f)
|
|
sys.stderr.write("\n")
|
|
sys.exit(1)
|
|
|
|
if not config:
|
|
# If a config isn't returned, and an exception isn't raised, we're just
|
|
# generating config files and shouldn't try to continue.
|
|
sys.exit(0)
|
|
|
|
events.USE_FROZEN_DICTS = config.use_frozen_dicts
|
|
|
|
hs = SynapseHomeServer(
|
|
config.server_name,
|
|
config=config,
|
|
version_string="Synapse/" + get_version_string(synapse),
|
|
)
|
|
|
|
synapse.config.logger.setup_logging(hs, config, use_worker_options=False)
|
|
|
|
logger.info("Setting up server")
|
|
|
|
try:
|
|
hs.setup()
|
|
except IncorrectDatabaseSetup as e:
|
|
quit_with_error(str(e))
|
|
except UpgradeDatabaseException as e:
|
|
quit_with_error("Failed to upgrade database: %s" % (e,))
|
|
|
|
async def do_acme() -> bool:
|
|
"""
|
|
Reprovision an ACME certificate, if it's required.
|
|
|
|
Returns:
|
|
Whether the cert has been updated.
|
|
"""
|
|
acme = hs.get_acme_handler()
|
|
|
|
# Check how long the certificate is active for.
|
|
cert_days_remaining = hs.config.is_disk_cert_valid(allow_self_signed=False)
|
|
|
|
# We want to reprovision if cert_days_remaining is None (meaning no
|
|
# certificate exists), or the days remaining number it returns
|
|
# is less than our re-registration threshold.
|
|
provision = False
|
|
|
|
if (
|
|
cert_days_remaining is None
|
|
or cert_days_remaining < hs.config.acme_reprovision_threshold
|
|
):
|
|
provision = True
|
|
|
|
if provision:
|
|
await acme.provision_certificate()
|
|
|
|
return provision
|
|
|
|
async def reprovision_acme():
|
|
"""
|
|
Provision a certificate from ACME, if required, and reload the TLS
|
|
certificate if it's renewed.
|
|
"""
|
|
reprovisioned = await do_acme()
|
|
if reprovisioned:
|
|
_base.refresh_certificate(hs)
|
|
|
|
async def start():
|
|
# Run the ACME provisioning code, if it's enabled.
|
|
if hs.config.acme_enabled:
|
|
acme = hs.get_acme_handler()
|
|
# Start up the webservices which we will respond to ACME
|
|
# challenges with, and then provision.
|
|
await acme.start_listening()
|
|
await do_acme()
|
|
|
|
# Check if it needs to be reprovisioned every day.
|
|
hs.get_clock().looping_call(reprovision_acme, 24 * 60 * 60 * 1000)
|
|
|
|
# Load the OIDC provider metadatas, if OIDC is enabled.
|
|
if hs.config.oidc_enabled:
|
|
oidc = hs.get_oidc_handler()
|
|
# Loading the provider metadata also ensures the provider config is valid.
|
|
await oidc.load_metadata()
|
|
|
|
await _base.start(hs, config.listeners)
|
|
|
|
hs.get_datastore().db_pool.updates.start_doing_background_updates()
|
|
|
|
register_start(start)
|
|
|
|
return hs
|
|
|
|
|
|
def format_config_error(e: ConfigError) -> Iterator[str]:
|
|
"""
|
|
Formats a config error neatly
|
|
|
|
The idea is to format the immediate error, plus the "causes" of those errors,
|
|
hopefully in a way that makes sense to the user. For example:
|
|
|
|
Error in configuration at 'oidc_config.user_mapping_provider.config.display_name_template':
|
|
Failed to parse config for module 'JinjaOidcMappingProvider':
|
|
invalid jinja template:
|
|
unexpected end of template, expected 'end of print statement'.
|
|
|
|
Args:
|
|
e: the error to be formatted
|
|
|
|
Returns: An iterator which yields string fragments to be formatted
|
|
"""
|
|
yield "Error in configuration"
|
|
|
|
if e.path:
|
|
yield " at '%s'" % (".".join(e.path),)
|
|
|
|
yield ":\n %s" % (e.msg,)
|
|
|
|
e = e.__cause__
|
|
indent = 1
|
|
while e:
|
|
indent += 1
|
|
yield ":\n%s%s" % (" " * indent, str(e))
|
|
e = e.__cause__
|
|
|
|
|
|
def run(hs):
|
|
PROFILE_SYNAPSE = False
|
|
if PROFILE_SYNAPSE:
|
|
|
|
def profile(func):
|
|
from cProfile import Profile
|
|
from threading import current_thread
|
|
|
|
def profiled(*args, **kargs):
|
|
profile = Profile()
|
|
profile.enable()
|
|
func(*args, **kargs)
|
|
profile.disable()
|
|
ident = current_thread().ident
|
|
profile.dump_stats(
|
|
"/tmp/%s.%s.%i.pstat" % (hs.hostname, func.__name__, ident)
|
|
)
|
|
|
|
return profiled
|
|
|
|
from twisted.python.threadpool import ThreadPool
|
|
|
|
ThreadPool._worker = profile(ThreadPool._worker)
|
|
reactor.run = profile(reactor.run)
|
|
|
|
_base.start_reactor(
|
|
"synapse-homeserver",
|
|
soft_file_limit=hs.config.soft_file_limit,
|
|
gc_thresholds=hs.config.gc_thresholds,
|
|
pid_file=hs.config.pid_file,
|
|
daemonize=hs.config.daemonize,
|
|
print_pidfile=hs.config.print_pidfile,
|
|
logger=logger,
|
|
)
|
|
|
|
|
|
def main():
|
|
with LoggingContext("main"):
|
|
# check base requirements
|
|
check_requirements()
|
|
hs = setup(sys.argv[1:])
|
|
run(hs)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|