gitlord
/
synapse
Mirror von https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Aktivität
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
23441 Commits
842 Branches
428 MiB
 
 
 
 
 
 
Branch: develop
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „develop“
${ noResults }
synapse/synapse/config/oidc.py

427 Zeilen
16 KiB
Originalformat Permalink Blame Verlauf 

  1. # Copyright 2020 Quentin Gliech

  2. # Copyright 2020-2021 The Matrix.org Foundation C.I.C.

  3. #

  4. # Licensed under the Apache License, Version 2.0 (the "License");

  5. # you may not use this file except in compliance with the License.

  6. # You may obtain a copy of the License at

  7. #

  8. #     http://www.apache.org/licenses/LICENSE-2.0

  9. #

  10. # Unless required by applicable law or agreed to in writing, software

  11. # distributed under the License is distributed on an "AS IS" BASIS,

  12. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. # See the License for the specific language governing permissions and

  14. # limitations under the License.

  15. 

  16. from collections import Counter

  17. from typing import Any, Collection, Iterable, List, Mapping, Optional, Tuple, Type

  18. 

  19. import attr

  20. 

  21. from synapse.config._util import validate_config

  22. from synapse.config.sso import SsoAttributeRequirement

  23. from synapse.types import JsonDict

  24. from synapse.util.module_loader import load_module

  25. from synapse.util.stringutils import parse_and_validate_mxc_uri

  26. 

  27. from ..util.check_dependencies import check_requirements

  28. from ._base import Config, ConfigError, read_file

  29. 

  30. DEFAULT_USER_MAPPING_PROVIDER = "synapse.handlers.oidc.JinjaOidcMappingProvider"

  31. # The module that JinjaOidcMappingProvider is in was renamed, we want to

  32. # transparently handle both the same.

  33. LEGACY_USER_MAPPING_PROVIDER = "synapse.handlers.oidc_handler.JinjaOidcMappingProvider"

  34. 

  35. 

  36. class OIDCConfig(Config):

  37.     section = "oidc"

  38. 

  39.     def read_config(self, config: JsonDict, **kwargs: Any) -> None:

  40.         self.oidc_providers = tuple(_parse_oidc_provider_configs(config))

  41.         if not self.oidc_providers:

  42.             return

  43. 

  44.         check_requirements("oidc")

  45. 

  46.         # check we don't have any duplicate idp_ids now. (The SSO handler will also

  47.         # check for duplicates when the REST listeners get registered, but that happens

  48.         # after synapse has forked so doesn't give nice errors.)

  49.         c = Counter([i.idp_id for i in self.oidc_providers])

  50.         for idp_id, count in c.items():

  51.             if count > 1:

  52.                 raise ConfigError(

  53.                     "Multiple OIDC providers have the idp_id %r." % idp_id

  54.                 )

  55. 

  56.         public_baseurl = self.root.server.public_baseurl

  57.         self.oidc_callback_url = public_baseurl + "_synapse/client/oidc/callback"

  58. 

  59.     @property

  60.     def oidc_enabled(self) -> bool:

  61.         # OIDC is enabled if we have a provider

  62.         return bool(self.oidc_providers)

  63. 

  64. 

  65. # jsonschema definition of the configuration settings for an oidc identity provider

  66. OIDC_PROVIDER_CONFIG_SCHEMA = {

  67.     "type": "object",

  68.     "required": ["issuer", "client_id"],

  69.     "properties": {

  70.         "idp_id": {

  71.             "type": "string",

  72.             "minLength": 1,

  73.             # MSC2858 allows a maxlen of 255, but we prefix with "oidc-"

  74.             "maxLength": 250,

  75.             "pattern": "^[A-Za-z0-9._~-]+$",

  76.         },

  77.         "idp_name": {"type": "string"},

  78.         "idp_icon": {"type": "string"},

  79.         "idp_brand": {

  80.             "type": "string",

  81.             "minLength": 1,

  82.             "maxLength": 255,

  83.             "pattern": "^[a-z][a-z0-9_.-]*$",

  84.         },

  85.         "discover": {"type": "boolean"},

  86.         "issuer": {"type": "string"},

  87.         "client_id": {"type": "string"},

  88.         "client_secret": {"type": "string"},

  89.         "client_secret_jwt_key": {

  90.             "type": "object",

  91.             "required": ["jwt_header"],

  92.             "oneOf": [

  93.                 {"required": ["key"]},

  94.                 {"required": ["key_file"]},

  95.             ],

  96.             "properties": {

  97.                 "key": {"type": "string"},

  98.                 "key_file": {"type": "string"},

  99.                 "jwt_header": {

  100.                     "type": "object",

  101.                     "required": ["alg"],

  102.                     "properties": {

  103.                         "alg": {"type": "string"},

  104.                     },

  105.                     "additionalProperties": {"type": "string"},

  106.                 },

  107.                 "jwt_payload": {

  108.                     "type": "object",

  109.                     "additionalProperties": {"type": "string"},

  110.                 },

  111.             },

  112.         },

  113.         "client_auth_method": {

  114.             "type": "string",

  115.             # the following list is the same as the keys of

  116.             # authlib.oauth2.auth.ClientAuth.DEFAULT_AUTH_METHODS. We inline it

  117.             # to avoid importing authlib here.

  118.             "enum": ["client_secret_basic", "client_secret_post", "none"],

  119.         },

  120.         "pkce_method": {"type": "string", "enum": ["auto", "always", "never"]},

  121.         "scopes": {"type": "array", "items": {"type": "string"}},

  122.         "authorization_endpoint": {"type": "string"},

  123.         "token_endpoint": {"type": "string"},

  124.         "userinfo_endpoint": {"type": "string"},

  125.         "jwks_uri": {"type": "string"},

  126.         "skip_verification": {"type": "boolean"},

  127.         "backchannel_logout_enabled": {"type": "boolean"},

  128.         "backchannel_logout_ignore_sub": {"type": "boolean"},

  129.         "user_profile_method": {

  130.             "type": "string",

  131.             "enum": ["auto", "userinfo_endpoint"],

  132.         },

  133.         "allow_existing_users": {"type": "boolean"},

  134.         "user_mapping_provider": {"type": ["object", "null"]},

  135.         "attribute_requirements": {

  136.             "type": "array",

  137.             "items": SsoAttributeRequirement.JSON_SCHEMA,

  138.         },

  139.         "enable_registration": {"type": "boolean"},

  140.     },

  141. }

  142. 

  143. # the same as OIDC_PROVIDER_CONFIG_SCHEMA, but with compulsory idp_id and idp_name

  144. OIDC_PROVIDER_CONFIG_WITH_ID_SCHEMA = {

  145.     "allOf": [OIDC_PROVIDER_CONFIG_SCHEMA, {"required": ["idp_id", "idp_name"]}]

  146. }

  147. 

  148. # the `oidc_providers` list can either be None (as it is in the default config), or

  149. # a list of provider configs, each of which requires an explicit ID and name.

  150. OIDC_PROVIDER_LIST_SCHEMA = {

  151.     "oneOf": [

  152.         {"type": "null"},

  153.         {"type": "array", "items": OIDC_PROVIDER_CONFIG_WITH_ID_SCHEMA},

  154.     ]

  155. }

  156. 

  157. # the `oidc_config` setting can either be None (which it used to be in the default

  158. # config), or an object. If an object, it is ignored unless it has an "enabled: True"

  159. # property.

  160. #

  161. # It's *possible* to represent this with jsonschema, but the resultant errors aren't

  162. # particularly clear, so we just check for either an object or a null here, and do

  163. # additional checks in the code.

  164. OIDC_CONFIG_SCHEMA = {"oneOf": [{"type": "null"}, {"type": "object"}]}

  165. 

  166. # the top-level schema can contain an "oidc_config" and/or an "oidc_providers".

  167. MAIN_CONFIG_SCHEMA = {

  168.     "type": "object",

  169.     "properties": {

  170.         "oidc_config": OIDC_CONFIG_SCHEMA,

  171.         "oidc_providers": OIDC_PROVIDER_LIST_SCHEMA,

  172.     },

  173. }

  174. 

  175. 

  176. def _parse_oidc_provider_configs(config: JsonDict) -> Iterable["OidcProviderConfig"]:

  177.     """extract and parse the OIDC provider configs from the config dict

  178. 

  179.     The configuration may contain either a single `oidc_config` object with an

  180.     `enabled: True` property, or a list of provider configurations under

  181.     `oidc_providers`, *or both*.

  182. 

  183.     Returns a generator which yields the OidcProviderConfig objects

  184.     """

  185.     validate_config(MAIN_CONFIG_SCHEMA, config, ())

  186. 

  187.     for i, p in enumerate(config.get("oidc_providers") or []):

  188.         yield _parse_oidc_config_dict(p, ("oidc_providers", "<item %i>" % (i,)))

  189. 

  190.     # for backwards-compatibility, it is also possible to provide a single "oidc_config"

  191.     # object with an "enabled: True" property.

  192.     oidc_config = config.get("oidc_config")

  193.     if oidc_config and oidc_config.get("enabled", False):

  194.         # MAIN_CONFIG_SCHEMA checks that `oidc_config` is an object, but not that

  195.         # it matches OIDC_PROVIDER_CONFIG_SCHEMA (see the comments on OIDC_CONFIG_SCHEMA

  196.         # above), so now we need to validate it.

  197.         validate_config(OIDC_PROVIDER_CONFIG_SCHEMA, oidc_config, ("oidc_config",))

  198.         yield _parse_oidc_config_dict(oidc_config, ("oidc_config",))

  199. 

  200. 

  201. def _parse_oidc_config_dict(

  202.     oidc_config: JsonDict, config_path: Tuple[str, ...]

  203. ) -> "OidcProviderConfig":

  204.     """Take the configuration dict and parse it into an OidcProviderConfig

  205. 

  206.     Raises:

  207.         ConfigError if the configuration is malformed.

  208.     """

  209.     ump_config = oidc_config.get("user_mapping_provider", {})

  210.     ump_config.setdefault("module", DEFAULT_USER_MAPPING_PROVIDER)

  211.     if ump_config.get("module") == LEGACY_USER_MAPPING_PROVIDER:

  212.         ump_config["module"] = DEFAULT_USER_MAPPING_PROVIDER

  213.     ump_config.setdefault("config", {})

  214. 

  215.     (

  216.         user_mapping_provider_class,

  217.         user_mapping_provider_config,

  218.     ) = load_module(ump_config, config_path + ("user_mapping_provider",))

  219. 

  220.     # Ensure loaded user mapping module has defined all necessary methods

  221.     required_methods = [

  222.         "get_remote_user_id",

  223.         "map_user_attributes",

  224.     ]

  225.     missing_methods = [

  226.         method

  227.         for method in required_methods

  228.         if not hasattr(user_mapping_provider_class, method)

  229.     ]

  230.     if missing_methods:

  231.         raise ConfigError(

  232.             "Class %s is missing required "

  233.             "methods: %s"

  234.             % (

  235.                 user_mapping_provider_class,

  236.                 ", ".join(missing_methods),

  237.             ),

  238.             config_path + ("user_mapping_provider", "module"),

  239.         )

  240. 

  241.     idp_id = oidc_config.get("idp_id", "oidc")

  242. 

  243.     # prefix the given IDP with a prefix specific to the SSO mechanism, to avoid

  244.     # clashes with other mechs (such as SAML, CAS).

  245.     #

  246.     # We allow "oidc" as an exception so that people migrating from old-style

  247.     # "oidc_config" format (which has long used "oidc" as its idp_id) can migrate to

  248.     # a new-style "oidc_providers" entry without changing the idp_id for their provider

  249.     # (and thereby invalidating their user_external_ids data).

  250. 

  251.     if idp_id != "oidc":

  252.         idp_id = "oidc-" + idp_id

  253. 

  254.     # MSC2858 also specifies that the idp_icon must be a valid MXC uri

  255.     idp_icon = oidc_config.get("idp_icon")

  256.     if idp_icon is not None:

  257.         try:

  258.             parse_and_validate_mxc_uri(idp_icon)

  259.         except ValueError as e:

  260.             raise ConfigError(

  261.                 "idp_icon must be a valid MXC URI", config_path + ("idp_icon",)

  262.             ) from e

  263. 

  264.     client_secret_jwt_key_config = oidc_config.get("client_secret_jwt_key")

  265.     client_secret_jwt_key: Optional[OidcProviderClientSecretJwtKey] = None

  266.     if client_secret_jwt_key_config is not None:

  267.         keyfile = client_secret_jwt_key_config.get("key_file")

  268.         if keyfile:

  269.             key = read_file(keyfile, config_path + ("client_secret_jwt_key",))

  270.         else:

  271.             key = client_secret_jwt_key_config["key"]

  272.         client_secret_jwt_key = OidcProviderClientSecretJwtKey(

  273.             key=key,

  274.             jwt_header=client_secret_jwt_key_config["jwt_header"],

  275.             jwt_payload=client_secret_jwt_key_config.get("jwt_payload", {}),

  276.         )

  277.     # parse attribute_requirements from config (list of dicts) into a list of SsoAttributeRequirement

  278.     attribute_requirements = [

  279.         SsoAttributeRequirement(**x)

  280.         for x in oidc_config.get("attribute_requirements", [])

  281.     ]

  282. 

  283.     # Read from either `client_secret_path` or `client_secret`. If both exist, error.

  284.     client_secret = oidc_config.get("client_secret")

  285.     client_secret_path = oidc_config.get("client_secret_path")

  286.     if client_secret_path is not None:

  287.         if client_secret is None:

  288.             client_secret = read_file(

  289.                 client_secret_path, config_path + ("client_secret_path",)

  290.             ).rstrip("\n")

  291.         else:

  292.             raise ConfigError(

  293.                 "Cannot specify both client_secret and client_secret_path",

  294.                 config_path + ("client_secret",),

  295.             )

  296. 

  297.     return OidcProviderConfig(

  298.         idp_id=idp_id,

  299.         idp_name=oidc_config.get("idp_name", "OIDC"),

  300.         idp_icon=idp_icon,

  301.         idp_brand=oidc_config.get("idp_brand"),

  302.         discover=oidc_config.get("discover", True),

  303.         issuer=oidc_config["issuer"],

  304.         client_id=oidc_config["client_id"],

  305.         client_secret=client_secret,

  306.         client_secret_jwt_key=client_secret_jwt_key,

  307.         client_auth_method=oidc_config.get("client_auth_method", "client_secret_basic"),

  308.         pkce_method=oidc_config.get("pkce_method", "auto"),

  309.         scopes=oidc_config.get("scopes", ["openid"]),

  310.         authorization_endpoint=oidc_config.get("authorization_endpoint"),

  311.         token_endpoint=oidc_config.get("token_endpoint"),

  312.         userinfo_endpoint=oidc_config.get("userinfo_endpoint"),

  313.         jwks_uri=oidc_config.get("jwks_uri"),

  314.         backchannel_logout_enabled=oidc_config.get("backchannel_logout_enabled", False),

  315.         backchannel_logout_ignore_sub=oidc_config.get(

  316.             "backchannel_logout_ignore_sub", False

  317.         ),

  318.         skip_verification=oidc_config.get("skip_verification", False),

  319.         user_profile_method=oidc_config.get("user_profile_method", "auto"),

  320.         allow_existing_users=oidc_config.get("allow_existing_users", False),

  321.         user_mapping_provider_class=user_mapping_provider_class,

  322.         user_mapping_provider_config=user_mapping_provider_config,

  323.         attribute_requirements=attribute_requirements,

  324.         enable_registration=oidc_config.get("enable_registration", True),

  325.     )

  326. 

  327. 

  328. @attr.s(slots=True, frozen=True, auto_attribs=True)

  329. class OidcProviderClientSecretJwtKey:

  330.     # a pem-encoded signing key

  331.     key: str

  332. 

  333.     # properties to include in the JWT header

  334.     jwt_header: Mapping[str, str]

  335. 

  336.     # properties to include in the JWT payload.

  337.     jwt_payload: Mapping[str, str]

  338. 

  339. 

  340. @attr.s(slots=True, frozen=True, auto_attribs=True)

  341. class OidcProviderConfig:

  342.     # a unique identifier for this identity provider. Used in the 'user_external_ids'

  343.     # table, as well as the query/path parameter used in the login protocol.

  344.     idp_id: str

  345. 

  346.     # user-facing name for this identity provider.

  347.     idp_name: str

  348. 

  349.     # Optional MXC URI for icon for this IdP.

  350.     idp_icon: Optional[str]

  351. 

  352.     # Optional brand identifier for this IdP.

  353.     idp_brand: Optional[str]

  354. 

  355.     # whether the OIDC discovery mechanism is used to discover endpoints

  356.     discover: bool

  357. 

  358.     # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to

  359.     # discover the provider's endpoints.

  360.     issuer: str

  361. 

  362.     # oauth2 client id to use

  363.     client_id: str

  364. 

  365.     # oauth2 client secret to use. if `None`, use client_secret_jwt_key to generate

  366.     # a secret.

  367.     client_secret: Optional[str]

  368. 

  369.     # key to use to construct a JWT to use as a client secret. May be `None` if

  370.     # `client_secret` is set.

  371.     client_secret_jwt_key: Optional[OidcProviderClientSecretJwtKey]

  372. 

  373.     # auth method to use when exchanging the token.

  374.     # Valid values are 'client_secret_basic', 'client_secret_post' and

  375.     # 'none'.

  376.     client_auth_method: str

  377. 

  378.     # Whether to enable PKCE when exchanging the authorization & token.

  379.     # Valid values are 'auto', 'always', and 'never'.

  380.     pkce_method: str

  381. 

  382.     # list of scopes to request

  383.     scopes: Collection[str]

  384. 

  385.     # the oauth2 authorization endpoint. Required if discovery is disabled.

  386.     authorization_endpoint: Optional[str]

  387. 

  388.     # the oauth2 token endpoint. Required if discovery is disabled.

  389.     token_endpoint: Optional[str]

  390. 

  391.     # the OIDC userinfo endpoint. Required if discovery is disabled and the

  392.     # "openid" scope is not requested.

  393.     userinfo_endpoint: Optional[str]

  394. 

  395.     # URI where to fetch the JWKS. Required if discovery is disabled and the

  396.     # "openid" scope is used.

  397.     jwks_uri: Optional[str]

  398. 

  399.     # Whether Synapse should react to backchannel logouts

  400.     backchannel_logout_enabled: bool

  401. 

  402.     # Whether Synapse should ignore the `sub` claim in backchannel logouts or not.

  403.     backchannel_logout_ignore_sub: bool

  404. 

  405.     # Whether to skip metadata verification

  406.     skip_verification: bool

  407. 

  408.     # Whether to fetch the user profile from the userinfo endpoint. Valid

  409.     # values are: "auto" or "userinfo_endpoint".

  410.     user_profile_method: str

  411. 

  412.     # whether to allow a user logging in via OIDC to match a pre-existing account

  413.     # instead of failing

  414.     allow_existing_users: bool

  415. 

  416.     # the class of the user mapping provider

  417.     user_mapping_provider_class: Type

  418. 

  419.     # the config of the user mapping provider

  420.     user_mapping_provider_config: Any

  421. 

  422.     # required attributes to require in userinfo to allow login/registration

  423.     attribute_requirements: List[SsoAttributeRequirement]

  424. 

  425.     # Whether automatic registrations are enabled in the ODIC flow. Defaults to True

  426.     enable_registration: bool