From ca4087ffcf3c7ff1aac49154b17c374345fd5fd4 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 3 Sep 2019 11:54:36 +0100 Subject: [PATCH 01/15] Change account_threepid_delegate to a dictionary --- UPGRADE.rst | 32 +++++++++-------- docs/sample_config.yaml | 37 ++++++++++++------- synapse/config/emailconfig.py | 16 +++++---- synapse/config/registration.py | 45 +++++++++++++++++------ synapse/rest/client/v2_alpha/account.py | 46 +++++++++++------------- synapse/rest/client/v2_alpha/register.py | 45 +++++++++++------------ 6 files changed, 126 insertions(+), 95 deletions(-) diff --git a/UPGRADE.rst b/UPGRADE.rst index 99e8da4b525f..1ede45d13955 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst 
@@ -66,21 +66,23 @@ its own, phone-based password resets and registration will be disabled. For Syna emails, the ``email`` block of the config must be filled out. If not, then password resets and registration via email will be disabled entirely. -This release also deprecates the ``email.trust_identity_server_for_password_resets`` option -and replaces it with ``account_threepid_delegate``. This option defines whether the homeserver -should delegate an external server (typically an `identity server -`_) to handle sending password reset -or registration messages via email or SMS. - -If ``email.trust_identity_server_for_password_resets`` was changed from its default to -``true``, and ``account_threepid_delegate`` is not set to an identity server domain, then the -server handling password resets and registration via third-party addresses will be set to the -first entry in the Synapse config's ``trusted_third_party_id_servers`` entry. If no domains are -configured, Synapse will throw an error on startup. - -If ``email.trust_identity_server_for_password_resets`` is not set to ``true`` and -``account_threepid_delegate`` is not set to a domain, then Synapse will attempt to send -password reset and registration messages itself. +This release also deprecates the ``email.trust_identity_server_for_password_resets`` option and +replaces it with the ``account_threepid_delegates`` dictionary. This option defines whether the +homeserver should delegate an external server (typically an `identity server +`_) to handle sending password reset or +registration messages via email and SMS. + +Specifically for email, if ``email.trust_identity_server_for_password_resets`` was changed from +its default to ``true``, and ``account_threepid_delegates.email`` is not set, then the server +handling password resets and registration via third-party addresses will be set to the first +entry in the Synapse config's ``trusted_third_party_id_servers`` entry. 
This is to ensure that +people who set up an external server for handling these tasks before v1.4.0 will not have their +setups mysteriously stop working. However, if no trusted identity server domains are +configured, Synapse will throw an error. + +If ``email.trust_identity_server_for_password_resets`` is not set to ``true`` and a type in +``account_threepid_delegates`` is not set to a domain, then Synapse will attempt to send +password reset and registration messages itself for that type. Email templates --------------- diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml index 8603008ec048..79b5bd1d74ad 100644 --- a/docs/sample_config.yaml +++ b/docs/sample_config.yaml 
@@ -903,19 +903,30 @@ uploads_path: "DATADIR/uploads" # - matrix.org # - vector.im -# Handle threepid (email/phone etc) registration and password resets -# through a *trusted* identity server. Note that this allows the configured -# identity server to reset passwords for accounts. -# -# If this option is not defined and SMTP options have not been -# configured, registration by email and resetting user passwords via -# email will be disabled -# -# Otherwise, to enable set this option to the reachable domain name, including protocol -# definition, for an identity server -# (e.g "https://matrix.org", "http://localhost:8090") -# -#account_threepid_delegate: "" +# Handle threepid (email/phone etc) registration and password resets through a set of +# *trusted* identity servers. Note that this allows the configured identity server to +# reset passwords for accounts! +# +# Also be aware that if email is not set to a domain, and SMTP options have not been +# configured in the email config block, registration and resetting user passwords via +# email will be globally disabled. +# +# Additionally, if msisdn is not set to a domain, registration and password resets via +# msisdn will be disabled regardless. This is due to Synapse currently not supporting +# any method of sending SMS messages on its own. 
+# +# To enable using an identity server for operations regarding a particular third-party +# identifier type, set the value to the reachable domain name of that identity server, +# including protocol definition, e.g: +# email: "https://matrix.org" # Let matrix.org handle sending emails for my users +# msisdn: "http://localhost:8090" # Delegate contacting SMS numbers to this process +# +# Servers handling the above requests must answer the .../requestToken endpoints +# defined by the Matrix Identity Service API specification: +# https://matrix.org/docs/spec/identity_service/latest +#account_threepid_delegates: +# email: "" +# msisdn: "" # Users who register on this homeserver will automatically be joined # to these rooms diff --git a/synapse/config/emailconfig.py b/synapse/config/emailconfig.py index 874166b57938..062bde9c8756 100644 --- a/synapse/config/emailconfig.py +++ b/synapse/config/emailconfig.py @@ -75,11 +75,13 @@ def read_config(self, config, **kwargs): "renew_at" ) - self.threepid_behaviour = ( - # Have Synapse handle the email sending if account_threepid_delegate + self.threepid_behaviour_email = ( + # Have Synapse handle the email sending if account_threepid_delegates.email # is not defined + # msisdn is currently always remote while Synapse does not support any method of + # sending SMS messages ThreepidBehaviour.REMOTE - if self.account_threepid_delegate + if self.account_threepid_delegate_email else ThreepidBehaviour.LOCAL ) # Prior to Synapse v1.4.0, there was another option that defined whether Synapse would 
@@ -88,14 +90,16 @@ def read_config(self, config, **kwargs): # identity server in the process. self.using_identity_server_from_trusted_list = False if ( - not self.account_threepid_delegate + not self.account_threepid_delegate_email and config.get("trust_identity_server_for_password_resets", False) is True ): # Use the first entry in self.trusted_third_party_id_servers instead if self.trusted_third_party_id_servers: - # XXX: It's a little confusing that account_threepid_delegate is modifed + # XXX: It's a little confusing that account_threepid_delegates is modified # both in RegistrationConfig and here. We should factor this bit out - self.account_threepid_delegate = self.trusted_third_party_id_servers[0] + self.account_threepid_delegate_email = self.trusted_third_party_id_servers[ + 0 + ] self.using_identity_server_from_trusted_list = True else: raise ConfigError( diff --git a/synapse/config/registration.py b/synapse/config/registration.py index b9d5e81b1dd5..db7ccd0f79fa 100644 --- a/synapse/config/registration.py +++ b/synapse/config/registration.py @@ -99,7 +99,19 @@ def read_config(self, config, **kwargs): self.trusted_third_party_id_servers = config.get( "trusted_third_party_id_servers", ["matrix.org", "vector.im"] ) - self.account_threepid_delegate = config.get("account_threepid_delegate") + account_threepid_delegates = config.get( + "account_threepid_delegates", {"email": "", "msisdn": ""} + ) + self.account_threepid_delegate_email = account_threepid_delegates.get("email") + self.account_threepid_delegate_msisdn = account_threepid_delegates.get("msisdn") + if ( + self.account_threepid_delegate_email is None + or self.account_threepid_delegate_msisdn is None + ): + raise ConfigError( + "account_threepid_delegates must contain fields: email, msisdn" + ) + self.default_identity_server = config.get("default_identity_server") self.allow_guest_access = config.get("allow_guest_access", False) 
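Review bot: The trusted-list fallback assigns `self.trusted_third_party_id_servers[0]` (default entry `matrix.org`, a bare host) to `account_threepid_delegate_email`, while the new sample config text in this same patch says delegate values must include the protocol (e.g. `https://matrix.org`), so the attribute now has two different shapes depending on which path set it. Unless `requestEmailToken` normalises scheme-less values, this should be reconciled here, e.g. `if "://" not in delegate: delegate = "https://" + delegate` before the assignment, or the `XXX` comment should state that the fallback value is host-only. That comment already flags the attribute being set in two places; the shape mismatch is one more reason to factor the resolution out. `read_config` starts outside the hunk.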
@@ -270,19 +282,30 @@ def generate_config_section(self, generate_secrets=False, **kwargs): # - matrix.org # - vector.im - # Handle threepid (email/phone etc) registration and password resets - # through a *trusted* identity server. Note that this allows the configured - # identity server to reset passwords for accounts. + # Handle threepid (email/phone etc) registration and password resets through a set of + # *trusted* identity servers. Note that this allows the configured identity server to + # reset passwords for accounts! + # + # Also be aware that if email is not set to a domain, and SMTP options have not been + # configured in the email config block, registration and resetting user passwords via + # email will be globally disabled. # - # If this option is not defined and SMTP options have not been - # configured, registration by email and resetting user passwords via - # email will be disabled + # Additionally, if msisdn is not set to a domain, registration and password resets via + # msisdn will be disabled regardless. This is due to Synapse currently not supporting + # any method of sending SMS messages on its own. 
# - # Otherwise, to enable set this option to the reachable domain name, including protocol - # definition, for an identity server - # (e.g "https://matrix.org", "http://localhost:8090") + # To enable using an identity server for operations regarding a particular third-party + # identifier type, set the value to the reachable domain name of that identity server, + # including protocol definition, e.g: + # email: "https://matrix.org" # Let matrix.org handle sending emails for my users + # msisdn: "http://localhost:8090" # Delegate contacting SMS numbers to this process # - #account_threepid_delegate: "" + # Servers handling the above requests must answer the .../requestToken endpoints + # defined by the Matrix Identity Service API specification: + # https://matrix.org/docs/spec/identity_service/latest + #account_threepid_delegates: + # email: "" + # msisdn: "" # Users who register on this homeserver will automatically be joined # to these rooms diff --git a/synapse/rest/client/v2_alpha/account.py b/synapse/rest/client/v2_alpha/account.py index 552ba7cc621a..dc79f4b034ea 100644 --- a/synapse/rest/client/v2_alpha/account.py +++ b/synapse/rest/client/v2_alpha/account.py @@ -102,17 +102,17 @@ def on_POST(self, request): if self.config.threepid_behaviour == ThreepidBehaviour.REMOTE: # Have the configured identity server handle the request - if not self.hs.config.account_threepid_delegate: + if not self.hs.config.account_threepid_delegate_email: logger.warn( - "No upstream account_threepid_delegate configured on the server to handle " - "this request" + "No upstream email account_threepid_delegate configured on the server to " + "handle this request" ) raise SynapseError( 400, "Password reset by email is not supported on this homeserver" ) ret = yield self.identity_handler.requestEmailToken( - self.hs.config.account_threepid_delegate, + self.hs.config.account_threepid_delegate_email, email, client_secret, send_attempt, 
@@ -172,31 +172,27 @@ def on_POST(self, request): if existing_user_id is None: raise SynapseError(400, "MSISDN not found", Codes.THREEPID_NOT_FOUND) - if self.config.threepid_behaviour == ThreepidBehaviour.REMOTE: - if not self.hs.config.account_threepid_delegate: - logger.warn( - "No upstream account_threepid_delegate configured on the server to handle " - "this request" - ) - raise SynapseError( - 400, - "Password reset by phone number is not supported on this homeserver", - ) - - ret = yield self.identity_handler.requestMsisdnToken( - self.config.account_threepid_delegate, - country, - phone_number, - client_secret, - send_attempt, - next_link, + if not self.hs.config.account_threepid_delegate_msisdn: + logger.warn( + "No upstream msisdn account_threepid_delegate configured on the server to " + "handle this request" + ) + raise SynapseError( + 400, + "Password reset by phone number is not supported on this homeserver", ) - return (200, ret) - raise SynapseError( - 400, "Password reset by phone number is not supported on this homeserver" + ret = yield self.identity_handler.requestMsisdnToken( + self.config.account_threepid_delegate_msisdn, + country, + phone_number, + client_secret, + send_attempt, + next_link, ) + return 200, ret + class PasswordResetSubmitTokenServlet(RestServlet): """Handles 3PID validation token submission""" diff --git a/synapse/rest/client/v2_alpha/register.py b/synapse/rest/client/v2_alpha/register.py index a5d560516e4e..462203b1c1e8 100644 --- a/synapse/rest/client/v2_alpha/register.py +++ b/synapse/rest/client/v2_alpha/register.py 
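Review bot: The guard reads `self.hs.config.account_threepid_delegate_msisdn` but the `requestMsisdnToken` call a few lines later passes `self.config.account_threepid_delegate_msisdn`; in this servlet `self.config` is assigned from `hs.config`, so they resolve to the same object, but the register.py counterpart in hunk `@@ -200,31 +200,26 @@` uses `self.hs.config` for both and the mismatch reads as if two configs were consulted. Use `self.hs.config.account_threepid_delegate_msisdn` in the call as well. The msisdn path is now unconditional rather than gated on `threepid_behaviour`; a one-line comment such as `# SMS is always delegated: Synapse has no local sender (see emailconfig.py)` would explain the asymmetry with the email branch above. `on_POST` starts outside the hunk.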
@@ -125,17 +125,17 @@ def on_POST(self, request): raise SynapseError(400, "Email is already in use", Codes.THREEPID_IN_USE) if self.config.threepid_behaviour == ThreepidBehaviour.REMOTE: - if not self.hs.config.account_threepid_delegate: + if not self.hs.config.account_threepid_delegate_email: logger.warn( - "No upstream account_threepid_delegate configured on the server to handle " - "this request" + "No upstream email account_threepid_delegate configured on the server to " + "handle this request" ) raise SynapseError( 400, "Registration by email is not supported on this homeserver" ) ret = yield self.identity_handler.requestEmailToken( - self.hs.config.account_threepid_delegate, + self.hs.config.account_threepid_delegate_email, email, client_secret, send_attempt, 
@@ -200,31 +200,26 @@ def on_POST(self, request): 400, "Phone number is already in use", Codes.THREEPID_IN_USE ) - if self.config.threepid_behaviour == ThreepidBehaviour.REMOTE: - if not self.hs.config.account_threepid_delegate: - logger.warn( - "No upstream account_threepid_delegate configured on the server to handle " - "this request" - ) - raise SynapseError( - 400, - "Registration by phone number is not supported on this homeserver", - ) - - ret = yield self.identity_handler.requestMsisdnToken( - self.config.account_threepid_delegate, - country, - phone_number, - client_secret, - send_attempt, - next_link, + if not self.hs.config.account_threepid_delegate_msisdn: + logger.warn( + "No upstream msisdn account_threepid_delegate configured on the server to " + "handle this request" + ) + raise SynapseError( + 400, "Registration by phone number is not supported on this homeserver" ) - return (200, ret) - raise SynapseError( - 400, "Registration by phone number is not supported on this homeserver" + ret = yield self.identity_handler.requestMsisdnToken( + self.hs.config.account_threepid_delegate_msisdn, + country, + phone_number, + client_secret, + send_attempt, + next_link, ) + return 200, ret + class RegistrationSubmitTokenServlet(RestServlet): """Handles registration 3PID validation token submission""" From 7e6e1e648220985f50547174f2f867636b17b869 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 3 Sep 2019 12:02:49 +0100 Subject: [PATCH 02/15] Add changelog --- changelog.d/5969.misc | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/5969.misc diff --git a/changelog.d/5969.misc b/changelog.d/5969.misc new file mode 100644 index 000000000000..6410fc397321 --- /dev/null +++ b/changelog.d/5969.misc @@ -0,0 +1 @@ +Change account_threepid_delegate to account_threepid_delegates to handle the case of Synapse handling email verification, and an external server handling msisdn verification. \ No newline at end of file 
From deed108bbaefe011d7c89836b9711a59c30fa40b Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 3 Sep 2019 12:18:18 +0100 Subject: [PATCH 03/15] Change more instances of account_threepid_behaviour to account_threepid_behaviour_email --- synapse/config/emailconfig.py | 8 ++++---- synapse/handlers/auth.py | 4 ++-- synapse/rest/client/v2_alpha/account.py | 8 ++++---- synapse/rest/client/v2_alpha/register.py | 8 ++++---- 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/synapse/config/emailconfig.py b/synapse/config/emailconfig.py index 062bde9c8756..6d3bbac634ae 100644 --- a/synapse/config/emailconfig.py +++ b/synapse/config/emailconfig.py @@ -108,12 +108,12 @@ def read_config(self, config, **kwargs): ) self.local_threepid_handling_disabled_due_to_email_config = False - if self.threepid_behaviour == ThreepidBehaviour.LOCAL and email_config == {}: + if self.threepid_behaviour_email == ThreepidBehaviour.LOCAL and email_config == {}: # We cannot warn the user this has happened here # Instead do so when a user attempts to reset their password self.local_threepid_handling_disabled_due_to_email_config = True - self.threepid_behaviour = ThreepidBehaviour.OFF + self.threepid_behaviour_email = ThreepidBehaviour.OFF # Get lifetime of a validation token in milliseconds self.email_validation_token_lifetime = self.parse_duration( @@ -123,7 +123,7 @@ def read_config(self, config, **kwargs): if ( self.email_enable_notifs or account_validity_renewal_enabled - or self.threepid_behaviour == ThreepidBehaviour.LOCAL + or self.threepid_behaviour_email == ThreepidBehaviour.LOCAL ): # make sure we can import the required deps import jinja2 @@ -133,7 +133,7 @@ def read_config(self, config, **kwargs): jinja2 bleach - if self.threepid_behaviour == ThreepidBehaviour.LOCAL: + if self.threepid_behaviour_email == ThreepidBehaviour.LOCAL: required = ["smtp_host", "smtp_port", "notif_from"] missing = [] 
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py index a59cd4e7f58c..9b95cc8c3825 100644 --- a/synapse/handlers/auth.py +++ b/synapse/handlers/auth.py @@ -461,10 +461,10 @@ def _check_threepid(self, medium, authdict, password_servlet=False, **kwargs): logger.info("Getting validated threepid. threepidcreds: %r", (threepid_creds,)) if ( not password_servlet - or self.hs.config.threepid_behaviour == ThreepidBehaviour.REMOTE + or self.hs.config.threepid_behaviour_email== ThreepidBehaviour.REMOTE ): threepid = yield identity_handler.threepid_from_creds(threepid_creds) - elif self.hs.config.threepid_behaviour == ThreepidBehaviour.LOCAL: + elif self.hs.config.threepid_behaviour_email== ThreepidBehaviour.LOCAL: row = yield self.store.get_threepid_validation_session( medium, threepid_creds["client_secret"], diff --git a/synapse/rest/client/v2_alpha/account.py b/synapse/rest/client/v2_alpha/account.py index dc79f4b034ea..80113c2609ff 100644 --- a/synapse/rest/client/v2_alpha/account.py +++ b/synapse/rest/client/v2_alpha/account.py @@ -50,7 +50,7 @@ def __init__(self, hs): self.config = hs.config self.identity_handler = hs.get_handlers().identity_handler - if self.config.threepid_behaviour == ThreepidBehaviour.LOCAL: + if self.config.threepid_behaviour_email== ThreepidBehaviour.LOCAL: from synapse.push.mailer import Mailer, load_jinja2_templates templates = load_jinja2_templates( @@ -67,7 +67,7 @@ def __init__(self, hs): @defer.inlineCallbacks def on_POST(self, request): - if self.config.threepid_behaviour == ThreepidBehaviour.OFF: + if self.config.threepid_behaviour_email== ThreepidBehaviour.OFF: if self.config.local_threepid_handling_disabled_due_to_email_config: logger.warn( "User password resets have been disabled due to lack of email config" 
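Review bot: `_check_threepid` now picks the validation path from `threepid_behaviour_email` alone, yet it receives a `medium` argument and, per the new comment in emailconfig.py, msisdn is always handled remotely. When `password_servlet` is true, the email behaviour is LOCAL and `medium` is `msisdn`, control reaches the `elif` branch and `get_threepid_validation_session` is asked for a local session for a token the delegate issued, which cannot match unless msisdn credentials are validated somewhere not shown here. The REMOTE test should also cover the medium, e.g. `or medium == "msisdn"` alongside the existing `self.hs.config.threepid_behaviour_email == ThreepidBehaviour.REMOTE` condition. The same lines reappear unchanged except for spacing in the PATCH 04 lint hunk. `_check_threepid` starts and ends outside the hunk.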
@@ -100,7 +100,7 @@ def on_POST(self, request): if existing_user_id is None: raise SynapseError(400, "Email not found", Codes.THREEPID_NOT_FOUND) - if self.config.threepid_behaviour == ThreepidBehaviour.REMOTE: + if self.config.threepid_behaviour_email== ThreepidBehaviour.REMOTE: # Have the configured identity server handle the request if not self.hs.config.account_threepid_delegate_email: logger.warn( @@ -219,7 +219,7 @@ def on_GET(self, request, medium): raise SynapseError( 400, "This medium is currently not supported for password resets" ) - if self.config.threepid_behaviour == ThreepidBehaviour.OFF: + if self.config.threepid_behaviour_email== ThreepidBehaviour.OFF: if self.config.local_threepid_handling_disabled_due_to_email_config: logger.warn( "Password reset emails have been disabled due to lack of an email config" diff --git a/synapse/rest/client/v2_alpha/register.py b/synapse/rest/client/v2_alpha/register.py index 462203b1c1e8..2d433231b5ba 100644 --- a/synapse/rest/client/v2_alpha/register.py +++ b/synapse/rest/client/v2_alpha/register.py @@ -75,7 +75,7 @@ def __init__(self, hs): self.identity_handler = hs.get_handlers().identity_handler self.config = hs.config - if self.hs.config.threepid_behaviour == ThreepidBehaviour.LOCAL: + if self.hs.config.threepid_behaviour_email== ThreepidBehaviour.LOCAL: from synapse.push.mailer import Mailer, load_jinja2_templates templates = load_jinja2_templates( @@ -92,7 +92,7 @@ def __init__(self, hs): @defer.inlineCallbacks def on_POST(self, request): - if self.hs.config.threepid_behaviour == ThreepidBehaviour.OFF: + if self.hs.config.threepid_behaviour_email== ThreepidBehaviour.OFF: if self.hs.config.local_threepid_handling_disabled_due_to_email_config: logger.warn( "Email registration has been disabled due to lack of email config" 
@@ -124,7 +124,7 @@ def on_POST(self, request): if existing_user_id is not None: raise SynapseError(400, "Email is already in use", Codes.THREEPID_IN_USE) - if self.config.threepid_behaviour == ThreepidBehaviour.REMOTE: + if self.config.threepid_behaviour_email== ThreepidBehaviour.REMOTE: if not self.hs.config.account_threepid_delegate_email: logger.warn( "No upstream email account_threepid_delegate configured on the server to " @@ -246,7 +246,7 @@ def on_GET(self, request, medium): raise SynapseError( 400, "This medium is currently not supported for registration" ) - if self.config.threepid_behaviour == ThreepidBehaviour.OFF: + if self.config.threepid_behaviour_email== ThreepidBehaviour.OFF: if self.config.local_threepid_handling_disabled_due_to_email_config: logger.warn( "User registration via email has been disabled due to lack of email config" From 6e588b71c62f4c754919e9b3bad8b7c47d1ae54c Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 3 Sep 2019 12:24:55 +0100 Subject: [PATCH 04/15] lint --- synapse/config/emailconfig.py | 5 ++++- synapse/handlers/auth.py | 4 ++-- synapse/rest/client/v2_alpha/account.py | 8 ++++---- synapse/rest/client/v2_alpha/register.py | 8 ++++---- 4 files changed, 14 insertions(+), 11 deletions(-) diff --git a/synapse/config/emailconfig.py b/synapse/config/emailconfig.py index 6d3bbac634ae..35038c67c5e3 100644 --- a/synapse/config/emailconfig.py +++ b/synapse/config/emailconfig.py @@ -108,7 +108,10 @@ def read_config(self, config, **kwargs): ) self.local_threepid_handling_disabled_due_to_email_config = False - if self.threepid_behaviour_email == ThreepidBehaviour.LOCAL and email_config == {}: + if ( + self.threepid_behaviour_email == ThreepidBehaviour.LOCAL + and email_config == {} + ): # We cannot warn the user this has happened here # Instead do so when a user attempts to reset their password self.local_threepid_handling_disabled_due_to_email_config = True 
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py index 9b95cc8c3825..6231d021dd49 100644 --- a/synapse/handlers/auth.py +++ b/synapse/handlers/auth.py @@ -461,10 +461,10 @@ def _check_threepid(self, medium, authdict, password_servlet=False, **kwargs): logger.info("Getting validated threepid. threepidcreds: %r", (threepid_creds,)) if ( not password_servlet - or self.hs.config.threepid_behaviour_email== ThreepidBehaviour.REMOTE + or self.hs.config.threepid_behaviour_email == ThreepidBehaviour.REMOTE ): threepid = yield identity_handler.threepid_from_creds(threepid_creds) - elif self.hs.config.threepid_behaviour_email== ThreepidBehaviour.LOCAL: + elif self.hs.config.threepid_behaviour_email == ThreepidBehaviour.LOCAL: row = yield self.store.get_threepid_validation_session( medium, threepid_creds["client_secret"], diff --git a/synapse/rest/client/v2_alpha/account.py b/synapse/rest/client/v2_alpha/account.py index 80113c2609ff..4d9f8305ea15 100644 --- a/synapse/rest/client/v2_alpha/account.py +++ b/synapse/rest/client/v2_alpha/account.py @@ -50,7 +50,7 @@ def __init__(self, hs): self.config = hs.config self.identity_handler = hs.get_handlers().identity_handler - if self.config.threepid_behaviour_email== ThreepidBehaviour.LOCAL: + if self.config.threepid_behaviour_email == ThreepidBehaviour.LOCAL: from synapse.push.mailer import Mailer, load_jinja2_templates templates = load_jinja2_templates( @@ -67,7 +67,7 @@ def __init__(self, hs): @defer.inlineCallbacks def on_POST(self, request): - if self.config.threepid_behaviour_email== ThreepidBehaviour.OFF: + if self.config.threepid_behaviour_email == ThreepidBehaviour.OFF: if self.config.local_threepid_handling_disabled_due_to_email_config: logger.warn( "User password resets have been disabled due to lack of email config" 
@@ -100,7 +100,7 @@ def on_POST(self, request): if existing_user_id is None: raise SynapseError(400, "Email not found", Codes.THREEPID_NOT_FOUND) - if self.config.threepid_behaviour_email== ThreepidBehaviour.REMOTE: + if self.config.threepid_behaviour_email == ThreepidBehaviour.REMOTE: # Have the configured identity server handle the request if not self.hs.config.account_threepid_delegate_email: logger.warn( @@ -219,7 +219,7 @@ def on_GET(self, request, medium): raise SynapseError( 400, "This medium is currently not supported for password resets" ) - if self.config.threepid_behaviour_email== ThreepidBehaviour.OFF: + if self.config.threepid_behaviour_email == ThreepidBehaviour.OFF: if self.config.local_threepid_handling_disabled_due_to_email_config: logger.warn( "Password reset emails have been disabled due to lack of an email config" diff --git a/synapse/rest/client/v2_alpha/register.py b/synapse/rest/client/v2_alpha/register.py index 2d433231b5ba..3120c153e91b 100644 --- a/synapse/rest/client/v2_alpha/register.py +++ b/synapse/rest/client/v2_alpha/register.py @@ -75,7 +75,7 @@ def __init__(self, hs): self.identity_handler = hs.get_handlers().identity_handler self.config = hs.config - if self.hs.config.threepid_behaviour_email== ThreepidBehaviour.LOCAL: + if self.hs.config.threepid_behaviour_email == ThreepidBehaviour.LOCAL: from synapse.push.mailer import Mailer, load_jinja2_templates templates = load_jinja2_templates( @@ -92,7 +92,7 @@ def __init__(self, hs): @defer.inlineCallbacks def on_POST(self, request): - if self.hs.config.threepid_behaviour_email== ThreepidBehaviour.OFF: + if self.hs.config.threepid_behaviour_email == ThreepidBehaviour.OFF: if self.hs.config.local_threepid_handling_disabled_due_to_email_config: logger.warn( "Email registration has been disabled due to lack of email config" 
@@ -124,7 +124,7 @@ def on_POST(self, request): if existing_user_id is not None: raise SynapseError(400, "Email is already in use", Codes.THREEPID_IN_USE) - if self.config.threepid_behaviour_email== ThreepidBehaviour.REMOTE: + if self.config.threepid_behaviour_email == ThreepidBehaviour.REMOTE: if not self.hs.config.account_threepid_delegate_email: logger.warn( "No upstream email account_threepid_delegate configured on the server to " @@ -246,7 +246,7 @@ def on_GET(self, request, medium): raise SynapseError( 400, "This medium is currently not supported for registration" ) - if self.config.threepid_behaviour_email== ThreepidBehaviour.OFF: + if self.config.threepid_behaviour_email == ThreepidBehaviour.OFF: if self.config.local_threepid_handling_disabled_due_to_email_config: logger.warn( "User registration via email has been disabled due to lack of email config" From 523aa1f5c90761fedbf860972e5a54d64f1fa38f Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 3 Sep 2019 12:28:27 +0100 Subject: [PATCH 05/15] change changelog --- changelog.d/5969.misc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog.d/5969.misc b/changelog.d/5969.misc index 6410fc397321..86508802c267 100644 --- a/changelog.d/5969.misc +++ b/changelog.d/5969.misc @@ -1 +1 @@ -Change account_threepid_delegate to account_threepid_delegates to handle the case of Synapse handling email verification, and an external server handling msisdn verification. \ No newline at end of file +Change account_threepid_delegate to an account_threepid_delegates dictionary to handle the case of Synapse handling email verification, and an external server handling msisdn verification. \ No newline at end of file From 575a08950ee1d165bc62d35a2de9611a11b7b63f Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 3 Sep 2019 12:44:01 +0100 Subject: [PATCH 06/15] fix versions --- synapse/rest/client/versions.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/synapse/rest/client/versions.py b/synapse/rest/client/versions.py index e7f488376f35..4e58368e5e4b 100644 --- a/synapse/rest/client/versions.py +++ b/synapse/rest/client/versions.py @@ -59,9 +59,7 @@ def on_GET(self, request): # also requires `id_server`. If the homeserver is handling 3PID # verification itself, there is no need to ask the user for `id_server` to # be supplied. - "m.require_identity_server": ( - self.config.account_threepid_delegate is None - ), + "m.require_identity_server": False }, }, ) From fc287e68484dde2de05c167747246e4a7aad6b78 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 3 Sep 2019 12:46:50 +0100 Subject: [PATCH 07/15] lint --- synapse/rest/client/versions.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/synapse/rest/client/versions.py b/synapse/rest/client/versions.py index 4e58368e5e4b..003e65418754 100644 --- a/synapse/rest/client/versions.py +++ b/synapse/rest/client/versions.py @@ -59,7 +59,7 @@ def on_GET(self, request): # also requires `id_server`. If the homeserver is handling 3PID # verification itself, there is no need to ask the user for `id_server` to # be supplied. - "m.require_identity_server": False + "m.require_identity_server": False, }, }, ) From 80417af8f053a9cce35d7f6eb8c33d472800dccf Mon Sep 17 00:00:00 2001 From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> Date: Wed, 4 Sep 2019 10:52:48 +0100 Subject: [PATCH 08/15] Update synapse/config/registration.py Co-Authored-By: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- synapse/config/registration.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/synapse/config/registration.py b/synapse/config/registration.py index db7ccd0f79fa..7d0b4772733c 100644 --- a/synapse/config/registration.py +++ b/synapse/config/registration.py 
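Review bot: The comment block directly above the changed line still explains that `m.require_identity_server` depends on whether the homeserver handles 3PID verification itself, but the value is now the constant `False`, so the comment no longer describes the code. Either trim the comment to say that the homeserver always accepts requestToken calls without `id_server` (handling them itself or via the configured delegate), or keep the condition and derive it from the new per-medium delegate attributes. The PATCH 09 diffstat lists versions.py again, so this may be revisited later in the series. `on_GET` starts outside the hunk.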
@@ -286,7 +286,7 @@ def generate_config_section(self, generate_secrets=False, **kwargs):
 # *trusted* identity servers. Note that this allows the configured identity server to
 # reset passwords for accounts!
 #
- # Also be aware that if email is not set to a domain, and SMTP options have not been
+ # Be aware that if `email` is not set, and SMTP options have not been
 # configured in the email config block, registration and resetting user passwords via
 # email will be globally disabled.
 #
From 209a4e9614af586f7b9098fa76eac7a88645e399 Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Wed, 4 Sep 2019 11:20:37 +0100
Subject: [PATCH 09/15] Address review comments
---
 changelog.d/{5876.misc => 5876.feature} | 2 +-
 changelog.d/5969.feature | 1 +
 changelog.d/5969.misc | 1 -
 synapse/config/registration.py | 25 ++++++++-----------------
 synapse/rest/client/versions.py | 4 +++-
 5 files changed, 13 insertions(+), 20 deletions(-)
 rename changelog.d/{5876.misc => 5876.feature} (64%)
 create mode 100644 changelog.d/5969.feature
 delete mode 100644 changelog.d/5969.misc
diff --git a/changelog.d/5876.misc b/changelog.d/5876.feature
similarity index 64%
rename from changelog.d/5876.misc
rename to changelog.d/5876.feature
index c1c289d05a26..df88193fbd82 100644
--- a/changelog.d/5876.misc
+++ b/changelog.d/5876.feature
@@ -1 +1 @@
-Replace `trust_identity_server_for_password_resets` config option with `account_threepid_delegate`.
\ No newline at end of file
+Replace `trust_identity_server_for_password_resets` config option with `account_threepid_delegates`.
\ No newline at end of file
diff --git a/changelog.d/5969.feature b/changelog.d/5969.feature
new file mode 100644
index 000000000000..cf603fa0c6a5
--- /dev/null
+++ b/changelog.d/5969.feature
@@ -0,0 +1 @@
+Replace `trust_identity_server_for_password_resets` config option with `account_threepid_delegates`.
diff --git a/changelog.d/5969.misc b/changelog.d/5969.misc
deleted file mode 100644
index 86508802c267..000000000000
--- a/changelog.d/5969.misc
+++ /dev/null
@@ -1 +0,0 @@
-Change account_threepid_delegate to an account_threepid_delegates dictionary to handle the case of Synapse handling email verification, and an external server handling msisdn verification.
\ No newline at end of file
diff --git a/synapse/config/registration.py b/synapse/config/registration.py
index db7ccd0f79fa..0ce749f02a1d 100644
--- a/synapse/config/registration.py
+++ b/synapse/config/registration.py
@@ -99,18 +99,9 @@ def read_config(self, config, **kwargs):
 self.trusted_third_party_id_servers = config.get(
 "trusted_third_party_id_servers", ["matrix.org", "vector.im"]
 )
- account_threepid_delegates = config.get(
- "account_threepid_delegates", {"email": "", "msisdn": ""}
- )
+ account_threepid_delegates = config.get("account_threepid_delegates") or {}
 self.account_threepid_delegate_email = account_threepid_delegates.get("email")
 self.account_threepid_delegate_msisdn = account_threepid_delegates.get("msisdn")
- if (
- self.account_threepid_delegate_email is None
- or self.account_threepid_delegate_msisdn is None
- ):
- raise ConfigError(
- "account_threepid_delegates must contain fields: email, msisdn"
- )
 self.default_identity_server = config.get("default_identity_server")
 self.allow_guest_access = config.get("allow_guest_access", False)
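Review bot: `config.get("account_threepid_delegates") or {}` accepts any truthy value, so a scalar or list mistakenly written at that key fails with an AttributeError on the following `.get("email")` call instead of a clear startup error. A type check before the two `.get` calls keeps the failure at config-load time: `if not isinstance(account_threepid_delegates, dict): raise ConfigError("account_threepid_delegates must be a mapping of medium to identity server URL")`. Since these values are documented later in this series as identity-server URLs trusted to handle password resets, checking at load time that each configured value parses as an http(s) URL would also be worth considering. read_config's body continues outside the hunk.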
@@ -295,17 +286,17 @@ def generate_config_section(self, generate_secrets=False, **kwargs):
 # any method of sending SMS messages on its own.
 #
 # To enable using an identity server for operations regarding a particular third-party
- # identifier type, set the value to the reachable domain name of that identity server,
- # including protocol definition, e.g:
- # email: "https://matrix.org" # Let matrix.org handle sending emails for my users
- # msisdn: "http://localhost:8090" # Delegate contacting SMS numbers to this process
+ # identifier type, set the value to the URL of that identity server, e.g:
+ # email: https://matrix.org # Let matrix.org handle sending emails for my users
+ # msisdn: http://localhost:8090 # Delegate contacting SMS numbers to this process
 #
 # Servers handling the above requests must answer the .../requestToken endpoints
 # defined by the Matrix Identity Service API specification:
 # https://matrix.org/docs/spec/identity_service/latest
- #account_threepid_delegates:
- # email: ""
- # msisdn: ""
+ #
+ account_threepid_delegates:
+ #email: https://example.com
+ #msisdn: http://localhost:8090
 # Users who register on this homeserver will automatically be joined
 # to these rooms
diff --git a/synapse/rest/client/versions.py b/synapse/rest/client/versions.py
index 003e65418754..e7f488376f35 100644
--- a/synapse/rest/client/versions.py
+++ b/synapse/rest/client/versions.py
@@ -59,7 +59,9 @@ def on_GET(self, request):
 # also requires `id_server`. If the homeserver is handling 3PID
 # verification itself, there is no need to ask the user for `id_server` to
 # be supplied.
- "m.require_identity_server": False,
+ "m.require_identity_server": (
+ self.config.account_threepid_delegate is None
+ ),
 },
 },
 )
From 36e5cb4a5caba398259169ed4c6426f0a9438266 Mon Sep 17 00:00:00 2001
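Review bot: `self.config.account_threepid_delegate` on the restored line does not appear to be an attribute this series still defines; the read_config hunk in the same patch sets `account_threepid_delegate_email` and `account_threepid_delegate_msisdn` instead, so this lookup would raise AttributeError when /versions is served. If the flag is meant to reflect email delegation, `self.config.account_threepid_delegate_email is None` is the matching expression; whether msisdn delegation should also feed into it depends on what clients use the flag for, which I cannot see here. The whole block is removed again in PATCH 12/15 of this series, so this only matters for the intermediate commits.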
From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
Date: Wed, 4 Sep 2019 11:21:12 +0100
Subject: [PATCH 10/15] Apply suggestions from code review
Co-Authored-By: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
---
 synapse/config/emailconfig.py | 2 +-
 synapse/config/registration.py | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/synapse/config/emailconfig.py b/synapse/config/emailconfig.py
index 35038c67c5e3..e5de768b0ce1 100644
--- a/synapse/config/emailconfig.py
+++ b/synapse/config/emailconfig.py
@@ -95,7 +95,7 @@ def read_config(self, config, **kwargs):
 ):
 # Use the first entry in self.trusted_third_party_id_servers instead
 if self.trusted_third_party_id_servers:
- # XXX: It's a little confusing that account_threepid_delegates is modified
+ # XXX: It's a little confusing that account_threepid_delegate_email is modified
 # both in RegistrationConfig and here. We should factor this bit out
 self.account_threepid_delegate_email = self.trusted_third_party_id_servers[
 0
diff --git a/synapse/config/registration.py b/synapse/config/registration.py
index 7d0b4772733c..2d1a0dac5c6a 100644
--- a/synapse/config/registration.py
+++ b/synapse/config/registration.py
@@ -287,7 +287,7 @@ def generate_config_section(self, generate_secrets=False, **kwargs):
 # reset passwords for accounts!
 #
 # Be aware that if `email` is not set, and SMTP options have not been
- # configured in the email config block, registration and resetting user passwords via
+ # configured in the email config block, registration and user password resets via
 # email will be globally disabled.
 #
 # Additionally, if msisdn is not set to a domain, registration and password resets via
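Review bot: The fallback on the context lines assigns `self.trusted_third_party_id_servers[0]` to `account_threepid_delegate_email`, and that list defaults to bare hostnames (`["matrix.org", "vector.im"]` in the read_config hunk earlier in this series), while the new `account_threepid_delegates` values are documented as identity-server URLs including a scheme. If the consumer of `account_threepid_delegate_email` builds request URLs from it, the two sources would yield differently shaped values; the consumer is not visible here, so this is worth confirming. At minimum a comment on the assignment such as `# NOTE: this is a bare hostname, unlike the URL form expected from account_threepid_delegates` would make the mismatch explicit, or the fallback could be normalised to an `https://` URL at load time. The enclosing read_config body starts and ends outside the hunk.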
@@ -303,6 +303,7 @@ def generate_config_section(self, generate_secrets=False, **kwargs):
 # Servers handling the above requests must answer the .../requestToken endpoints
 # defined by the Matrix Identity Service API specification:
 # https://matrix.org/docs/spec/identity_service/latest
+ #
 #account_threepid_delegates:
 # email: ""
 # msisdn: ""
From 877a8f7ae981a057d808f95e45d8cc24ab9a0a71 Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Wed, 4 Sep 2019 14:12:31 +0100
Subject: [PATCH 11/15] Clean up config wording
---
 docs/sample_config.yaml | 17 ++++++++--------
 synapse/config/registration.py | 17 ++++++++--------
 2 files changed, 16 insertions(+), 18 deletions(-)
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index 0259bd508db2..038bb62a706c 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -911,22 +911,21 @@ uploads_path: "DATADIR/uploads"
 # configured in the email config block, registration and user password resets via
 # email will be globally disabled.
 #
-# Additionally, if msisdn is not set to a domain, registration and password resets via
-# msisdn will be disabled regardless. This is due to Synapse currently not supporting
-# any method of sending SMS messages on its own.
+# Additionally, if `msisdn` is not set, registration and password resets via msisdn
+# will be disabled regardless. This is due to Synapse currently not supporting any
+# method of sending SMS messages on its own.
 #
 # To enable using an identity server for operations regarding a particular third-party
-# identifier type, set the value to the URL of that identity server, e.g:
-# email: https://matrix.org # Let matrix.org handle sending emails for my users
-# msisdn: http://localhost:8090 # Delegate contacting SMS numbers to this process
+# identifier type, set the value to the URL of that identity server as shown in the
+# examples below.
 #
-# Servers handling the above requests must answer the .../requestToken endpoints
+# Servers handling the above requests must answer the `/requestToken` endpoints
 # defined by the Matrix Identity Service API specification:
 # https://matrix.org/docs/spec/identity_service/latest
 #
 account_threepid_delegates:
- #email: https://example.com
- #msisdn: http://localhost:8090
+ #email: https://example.com # Delegate email sending to matrix.org
+ #msisdn: http://localhost:8090 # Delegate SMS sending to this local process
 # Users who register on this homeserver will automatically be joined
 # to these rooms
diff --git a/synapse/config/registration.py b/synapse/config/registration.py
index 12412317957e..29501d0abe85 100644
--- a/synapse/config/registration.py
+++ b/synapse/config/registration.py
@@ -281,22 +281,21 @@ def generate_config_section(self, generate_secrets=False, **kwargs):
 # configured in the email config block, registration and user password resets via
 # email will be globally disabled.
 #
- # Additionally, if msisdn is not set to a domain, registration and password resets via
- # msisdn will be disabled regardless. This is due to Synapse currently not supporting
- # any method of sending SMS messages on its own.
+ # Additionally, if `msisdn` is not set, registration and password resets via msisdn
+ # will be disabled regardless. This is due to Synapse currently not supporting any
+ # method of sending SMS messages on its own.
 #
 # To enable using an identity server for operations regarding a particular third-party
- # identifier type, set the value to the URL of that identity server, e.g:
- # email: https://matrix.org # Let matrix.org handle sending emails for my users
- # msisdn: http://localhost:8090 # Delegate contacting SMS numbers to this process
+ # identifier type, set the value to the URL of that identity server as shown in the
+ # examples below.
 #
- # Servers handling the above requests must answer the .../requestToken endpoints
+ # Servers handling the above requests must answer the `/requestToken` endpoints
 # defined by the Matrix Identity Service API specification:
 # https://matrix.org/docs/spec/identity_service/latest
 #
 account_threepid_delegates:
- #email: https://example.com
- #msisdn: http://localhost:8090
+ #email: https://example.com # Delegate email sending to matrix.org
+ #msisdn: http://localhost:8090 # Delegate SMS sending to this local process
 # Users who register on this homeserver will automatically be joined
 # to these rooms
From d7de66bdaf8fc2d424a284a240dc0fcc21e6086b Mon Sep 17 00:00:00 2001
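Review bot: The new example line `#email: https://example.com # Delegate email sending to matrix.org` names matrix.org in the comment while the value is example.com, which is confusing for an operator reading the generated sample config. Either use the same host in both places or reword the comment, e.g. `#email: https://example.com # Delegate email sending to this identity server`. The same mismatch is in the docs/sample_config.yaml hunk above, which is generated from this string.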
From: Andrew Morgan
Date: Wed, 4 Sep 2019 14:14:28 +0100
Subject: [PATCH 12/15] Return /versions back to the state develop has it
---
 synapse/rest/client/versions.py | 16 +--------------
 1 file changed, 1 insertion(+), 15 deletions(-)
diff --git a/synapse/rest/client/versions.py b/synapse/rest/client/versions.py
index e7f488376f35..0058b6b4590d 100644
--- a/synapse/rest/client/versions.py
+++ b/synapse/rest/client/versions.py
@@ -48,21 +48,7 @@ def on_GET(self, request):
 "r0.5.0",
 ],
 # as per MSC1497:
- "unstable_features": {
- "m.lazy_load_members": True,
- # Advertise to clients whether they need not include an `id_server`
- # parameter during registration or password reset, as Synapse now decides
- # itself which identity server to use (or none at all).
- #
- # This is also used by a client when they wish to bind a 3PID to their
- # account, but not bind it to an identity server, the endpoint for which
- # also requires `id_server`. If the homeserver is handling 3PID
- # verification itself, there is no need to ask the user for `id_server` to
- # be supplied.
- "m.require_identity_server": (
- self.config.account_threepid_delegate is None
- ),
- },
+ "unstable_features": {"m.lazy_load_members": True},
 },
 )
From 49153b8bb157758a4fa89d45558cab9cad9131a0 Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Wed, 4 Sep 2019 14:16:25 +0100
Subject: [PATCH 13/15] Slight word change
---
 docs/sample_config.yaml | 4 ++--
 synapse/config/registration.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index 038bb62a706c..13eb532fd331 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -919,8 +919,8 @@ uploads_path: "DATADIR/uploads"
 # identifier type, set the value to the URL of that identity server as shown in the
 # examples below.
 #
-# Servers handling the above requests must answer the `/requestToken` endpoints
-# defined by the Matrix Identity Service API specification:
+# Servers handling the these requests must answer the `/requestToken` endpoints defined
+# by the Matrix Identity Service API specification:
 # https://matrix.org/docs/spec/identity_service/latest
 #
 account_threepid_delegates:
diff --git a/synapse/config/registration.py b/synapse/config/registration.py
index 29501d0abe85..4524ce85d4a5 100644
--- a/synapse/config/registration.py
+++ b/synapse/config/registration.py
@@ -289,8 +289,8 @@ def generate_config_section(self, generate_secrets=False, **kwargs):
 # identifier type, set the value to the URL of that identity server as shown in the
 # examples below.
 #
- # Servers handling the above requests must answer the `/requestToken` endpoints
- # defined by the Matrix Identity Service API specification:
+ # Servers handling the these requests must answer the `/requestToken` endpoints defined
+ # by the Matrix Identity Service API specification:
 # https://matrix.org/docs/spec/identity_service/latest
 #
 account_threepid_delegates:
From 9289373a49d828d499232ae04848bff52ce66421 Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Wed, 4 Sep 2019 14:18:03 +0100
Subject: [PATCH 14/15] lint
---
 synapse/config/registration.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/synapse/config/registration.py b/synapse/config/registration.py
index 4524ce85d4a5..9548560edb10 100644
--- a/synapse/config/registration.py
+++ b/synapse/config/registration.py
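Review bot: The rewritten line in the registration.py hunk introduces `Servers handling the these requests`, a doubled article that is copied verbatim into the generated sample config; it should read `# Servers handling these requests must answer the \`/requestToken\` endpoints defined`. The same wording is in the docs/sample_config.yaml hunk of this patch and survives as context in the two later hunks of this series.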
@@ -286,7 +286,7 @@ def generate_config_section(self, generate_secrets=False, **kwargs):
 # method of sending SMS messages on its own.
 #
 # To enable using an identity server for operations regarding a particular third-party
- # identifier type, set the value to the URL of that identity server as shown in the
+ # identifier type, set the value to the URL of that identity server as shown in the
 # examples below.
 #
 # Servers handling the these requests must answer the `/requestToken` endpoints defined
From 2bee17046300d63feb411e05e62ce40634d5dd79 Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Wed, 4 Sep 2019 14:28:37 +0100
Subject: [PATCH 15/15] Generate sample config. I should use a git hook
---
 docs/sample_config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index 13eb532fd331..186cdbedd2de 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -916,7 +916,7 @@ uploads_path: "DATADIR/uploads"
 # method of sending SMS messages on its own.
 #
 # To enable using an identity server for operations regarding a particular third-party
-# identifier type, set the value to the URL of that identity server as shown in the
+# identifier type, set the value to the URL of that identity server as shown in the
 # examples below.
 #
 # Servers handling the these requests must answer the `/requestToken` endpoints defined