gitlord
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23165 Commits
842 Branches
304 MiB
 
 
 
 
 
 
Tree: 17800a0e97
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '17800a0e97'
${ noResults }
synapse/synapse/config/experimental.py

422 lines
16 KiB
Raw Blame History 

  1. # Copyright 2021 The Matrix.org Foundation C.I.C.

  2. #

  3. # Licensed under the Apache License, Version 2.0 (the "License");

  4. # you may not use this file except in compliance with the License.

  5. # You may obtain a copy of the License at

  6. #

  7. #     http://www.apache.org/licenses/LICENSE-2.0

  8. #

  9. # Unless required by applicable law or agreed to in writing, software

  10. # distributed under the License is distributed on an "AS IS" BASIS,

  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  12. # See the License for the specific language governing permissions and

  13. # limitations under the License.

  14. 

  15. import enum

  16. from typing import TYPE_CHECKING, Any, Optional

  17. 

  18. import attr

  19. import attr.validators

  20. 

  21. from synapse.api.errors import LimitExceededError

  22. from synapse.api.room_versions import KNOWN_ROOM_VERSIONS, RoomVersions

  23. from synapse.config import ConfigError

  24. from synapse.config._base import Config, RootConfig

  25. from synapse.types import JsonDict

  26. 

  27. # Determine whether authlib is installed.

  28. try:

  29.     import authlib  # noqa: F401

  30. 

  31.     HAS_AUTHLIB = True

  32. except ImportError:

  33.     HAS_AUTHLIB = False

  34. 

  35. if TYPE_CHECKING:

  36.     # Only import this if we're type checking, as it might not be installed at runtime.

  37.     from authlib.jose.rfc7517 import JsonWebKey

  38. 

  39. 

  40. class ClientAuthMethod(enum.Enum):

  41.     """List of supported client auth methods."""

  42. 

  43.     CLIENT_SECRET_POST = "client_secret_post"

  44.     CLIENT_SECRET_BASIC = "client_secret_basic"

  45.     CLIENT_SECRET_JWT = "client_secret_jwt"

  46.     PRIVATE_KEY_JWT = "private_key_jwt"

  47. 

  48. 

  49. def _parse_jwks(jwks: Optional[JsonDict]) -> Optional["JsonWebKey"]:

  50.     """A helper function to parse a JWK dict into a JsonWebKey."""

  51. 

  52.     if jwks is None:

  53.         return None

  54. 

  55.     from authlib.jose.rfc7517 import JsonWebKey

  56. 

  57.     return JsonWebKey.import_key(jwks)

  58. 

  59. 

  60. @attr.s(slots=True, frozen=True)

  61. class MSC3861:

  62.     """Configuration for MSC3861: Matrix architecture change to delegate authentication via OIDC"""

  63. 

  64.     enabled: bool = attr.ib(default=False, validator=attr.validators.instance_of(bool))

  65.     """Whether to enable MSC3861 auth delegation."""

  66. 

  67.     @enabled.validator

  68.     def _check_enabled(self, attribute: attr.Attribute, value: bool) -> None:

  69.         # Only allow enabling MSC3861 if authlib is installed

  70.         if value and not HAS_AUTHLIB:

  71.             raise ConfigError(

  72.                 "MSC3861 is enabled but authlib is not installed. "

  73.                 "Please install authlib to use MSC3861.",

  74.                 ("experimental", "msc3861", "enabled"),

  75.             )

  76. 

  77.     issuer: str = attr.ib(default="", validator=attr.validators.instance_of(str))

  78.     """The URL of the OIDC Provider."""

  79. 

  80.     issuer_metadata: Optional[JsonDict] = attr.ib(default=None)

  81.     """The issuer metadata to use, otherwise discovered from /.well-known/openid-configuration as per MSC2965."""

  82. 

  83.     client_id: str = attr.ib(

  84.         default="",

  85.         validator=attr.validators.instance_of(str),

  86.     )

  87.     """The client ID to use when calling the introspection endpoint."""

  88. 

  89.     client_auth_method: ClientAuthMethod = attr.ib(

  90.         default=ClientAuthMethod.CLIENT_SECRET_POST, converter=ClientAuthMethod

  91.     )

  92.     """The auth method used when calling the introspection endpoint."""

  93. 

  94.     client_secret: Optional[str] = attr.ib(

  95.         default=None,

  96.         validator=attr.validators.optional(attr.validators.instance_of(str)),

  97.     )

  98.     """

  99.     The client secret to use when calling the introspection endpoint,

  100.     when using any of the client_secret_* client auth methods.

  101.     """

  102. 

  103.     jwk: Optional["JsonWebKey"] = attr.ib(default=None, converter=_parse_jwks)

  104.     """

  105.     The JWKS to use when calling the introspection endpoint,

  106.     when using the private_key_jwt client auth method.

  107.     """

  108. 

  109.     @client_auth_method.validator

  110.     def _check_client_auth_method(

  111.         self, attribute: attr.Attribute, value: ClientAuthMethod

  112.     ) -> None:

  113.         # Check that the right client credentials are provided for the client auth method.

  114.         if not self.enabled:

  115.             return

  116. 

  117.         if value == ClientAuthMethod.PRIVATE_KEY_JWT and self.jwk is None:

  118.             raise ConfigError(

  119.                 "A JWKS must be provided when using the private_key_jwt client auth method",

  120.                 ("experimental", "msc3861", "client_auth_method"),

  121.             )

  122. 

  123.         if (

  124.             value

  125.             in (

  126.                 ClientAuthMethod.CLIENT_SECRET_POST,

  127.                 ClientAuthMethod.CLIENT_SECRET_BASIC,

  128.                 ClientAuthMethod.CLIENT_SECRET_JWT,

  129.             )

  130.             and self.client_secret is None

  131.         ):

  132.             raise ConfigError(

  133.                 f"A client secret must be provided when using the {value} client auth method",

  134.                 ("experimental", "msc3861", "client_auth_method"),

  135.             )

  136. 

  137.     account_management_url: Optional[str] = attr.ib(

  138.         default=None,

  139.         validator=attr.validators.optional(attr.validators.instance_of(str)),

  140.     )

  141.     """The URL of the My Account page on the OIDC Provider as per MSC2965."""

  142. 

  143.     admin_token: Optional[str] = attr.ib(

  144.         default=None,

  145.         validator=attr.validators.optional(attr.validators.instance_of(str)),

  146.     )

  147.     """

  148.     A token that should be considered as an admin token.

  149.     This is used by the OIDC provider, to make admin calls to Synapse.

  150.     """

  151. 

  152.     def check_config_conflicts(self, root: RootConfig) -> None:

  153.         """Checks for any configuration conflicts with other parts of Synapse.

  154. 

  155.         Raises:

  156.             ConfigError: If there are any configuration conflicts.

  157.         """

  158. 

  159.         if not self.enabled:

  160.             return

  161. 

  162.         if (

  163.             root.auth.password_enabled_for_reauth

  164.             or root.auth.password_enabled_for_login

  165.         ):

  166.             raise ConfigError(

  167.                 "Password auth cannot be enabled when OAuth delegation is enabled",

  168.                 ("password_config", "enabled"),

  169.             )

  170. 

  171.         if root.registration.enable_registration:

  172.             raise ConfigError(

  173.                 "Registration cannot be enabled when OAuth delegation is enabled",

  174.                 ("enable_registration",),

  175.             )

  176. 

  177.         # We only need to test the user consent version, as if it must be set if the user_consent section was present in the config

  178.         if root.consent.user_consent_version is not None:

  179.             raise ConfigError(

  180.                 "User consent cannot be enabled when OAuth delegation is enabled",

  181.                 ("user_consent",),

  182.             )

  183. 

  184.         if (

  185.             root.oidc.oidc_enabled

  186.             or root.saml2.saml2_enabled

  187.             or root.cas.cas_enabled

  188.             or root.jwt.jwt_enabled

  189.         ):

  190.             raise ConfigError("SSO cannot be enabled when OAuth delegation is enabled")

  191. 

  192.         if bool(root.authproviders.password_providers):

  193.             raise ConfigError(

  194.                 "Password auth providers cannot be enabled when OAuth delegation is enabled"

  195.             )

  196. 

  197.         if root.captcha.enable_registration_captcha:

  198.             raise ConfigError(

  199.                 "CAPTCHA cannot be enabled when OAuth delegation is enabled",

  200.                 ("captcha", "enable_registration_captcha"),

  201.             )

  202. 

  203.         if root.auth.login_via_existing_enabled:

  204.             raise ConfigError(

  205.                 "Login via existing session cannot be enabled when OAuth delegation is enabled",

  206.                 ("login_via_existing_session", "enabled"),

  207.             )

  208. 

  209.         if root.registration.refresh_token_lifetime:

  210.             raise ConfigError(

  211.                 "refresh_token_lifetime cannot be set when OAuth delegation is enabled",

  212.                 ("refresh_token_lifetime",),

  213.             )

  214. 

  215.         if root.registration.nonrefreshable_access_token_lifetime:

  216.             raise ConfigError(

  217.                 "nonrefreshable_access_token_lifetime cannot be set when OAuth delegation is enabled",

  218.                 ("nonrefreshable_access_token_lifetime",),

  219.             )

  220. 

  221.         if root.registration.session_lifetime:

  222.             raise ConfigError(

  223.                 "session_lifetime cannot be set when OAuth delegation is enabled",

  224.                 ("session_lifetime",),

  225.             )

  226. 

  227.         if root.registration.enable_3pid_changes:

  228.             raise ConfigError(

  229.                 "enable_3pid_changes cannot be enabled when OAuth delegation is enabled",

  230.                 ("enable_3pid_changes",),

  231.             )

  232. 

  233. 

  234. @attr.s(auto_attribs=True, frozen=True, slots=True)

  235. class MSC3866Config:

  236.     """Configuration for MSC3866 (mandating approval for new users)"""

  237. 

  238.     # Whether the base support for the approval process is enabled. This includes the

  239.     # ability for administrators to check and update the approval of users, even if no

  240.     # approval is currently required.

  241.     enabled: bool = False

  242.     # Whether to require that new users are approved by an admin before their account

  243.     # can be used. Note that this setting is ignored if 'enabled' is false.

  244.     require_approval_for_new_accounts: bool = False

  245. 

  246. 

  247. class ExperimentalConfig(Config):

  248.     """Config section for enabling experimental features"""

  249. 

  250.     section = "experimental"

  251. 

  252.     def read_config(self, config: JsonDict, **kwargs: Any) -> None:

  253.         experimental = config.get("experimental_features") or {}

  254. 

  255.         # MSC3026 (busy presence state)

  256.         self.msc3026_enabled: bool = experimental.get("msc3026_enabled", False)

  257. 

  258.         # MSC2697 (device dehydration)

  259.         # Enabled by default since this option was added after adding the feature.

  260.         # It is not recommended that both MSC2697 and MSC3814 both be enabled at

  261.         # once.

  262.         self.msc2697_enabled: bool = experimental.get("msc2697_enabled", True)

  263. 

  264.         # MSC3814 (dehydrated devices with SSSS)

  265.         # This is an alternative method to achieve the same goals as MSC2697.

  266.         # It is not recommended that both MSC2697 and MSC3814 both be enabled at

  267.         # once.

  268.         self.msc3814_enabled: bool = experimental.get("msc3814_enabled", False)

  269. 

  270.         if self.msc2697_enabled and self.msc3814_enabled:

  271.             raise ConfigError(

  272.                 "MSC2697 and MSC3814 should not both be enabled.",

  273.                 (

  274.                     "experimental_features",

  275.                     "msc3814_enabled",

  276.                 ),

  277.             )

  278. 

  279.         # MSC3244 (room version capabilities)

  280.         self.msc3244_enabled: bool = experimental.get("msc3244_enabled", True)

  281. 

  282.         # MSC3266 (room summary api)

  283.         self.msc3266_enabled: bool = experimental.get("msc3266_enabled", False)

  284. 

  285.         # MSC2409 (this setting only relates to optionally sending to-device messages).

  286.         # Presence, typing and read receipt EDUs are already sent to application services that

  287.         # have opted in to receive them. If enabled, this adds to-device messages to that list.

  288.         self.msc2409_to_device_messages_enabled: bool = experimental.get(

  289.             "msc2409_to_device_messages_enabled", False

  290.         )

  291. 

  292.         # The portion of MSC3202 which is related to device masquerading.

  293.         self.msc3202_device_masquerading_enabled: bool = experimental.get(

  294.             "msc3202_device_masquerading", False

  295.         )

  296. 

  297.         # The portion of MSC3202 related to transaction extensions:

  298.         # sending device list changes, one-time key counts and fallback key

  299.         # usage to application services.

  300.         self.msc3202_transaction_extensions: bool = experimental.get(

  301.             "msc3202_transaction_extensions", False

  302.         )

  303. 

  304.         # MSC3983: Proxying OTK claim requests to exclusive ASes.

  305.         self.msc3983_appservice_otk_claims: bool = experimental.get(

  306.             "msc3983_appservice_otk_claims", False

  307.         )

  308. 

  309.         # MSC3984: Proxying key queries to exclusive ASes.

  310.         self.msc3984_appservice_key_query: bool = experimental.get(

  311.             "msc3984_appservice_key_query", False

  312.         )

  313. 

  314.         # MSC3720 (Account status endpoint)

  315.         self.msc3720_enabled: bool = experimental.get("msc3720_enabled", False)

  316. 

  317.         # MSC2654: Unread counts

  318.         #

  319.         # Note that enabling this will result in an incorrect unread count for

  320.         # previously calculated push actions.

  321.         self.msc2654_enabled: bool = experimental.get("msc2654_enabled", False)

  322. 

  323.         # MSC2815 (allow room moderators to view redacted event content)

  324.         self.msc2815_enabled: bool = experimental.get("msc2815_enabled", False)

  325. 

  326.         # MSC3391: Removing account data.

  327.         self.msc3391_enabled = experimental.get("msc3391_enabled", False)

  328. 

  329.         # MSC3773: Thread notifications

  330.         self.msc3773_enabled: bool = experimental.get("msc3773_enabled", False)

  331. 

  332.         # MSC3664: Pushrules to match on related events

  333.         self.msc3664_enabled: bool = experimental.get("msc3664_enabled", False)

  334. 

  335.         # MSC3848: Introduce errcodes for specific event sending failures

  336.         self.msc3848_enabled: bool = experimental.get("msc3848_enabled", False)

  337. 

  338.         # MSC3852: Expose last seen user agent field on /_matrix/client/v3/devices.

  339.         self.msc3852_enabled: bool = experimental.get("msc3852_enabled", False)

  340. 

  341.         # MSC3866: M_USER_AWAITING_APPROVAL error code

  342.         raw_msc3866_config = experimental.get("msc3866", {})

  343.         self.msc3866 = MSC3866Config(**raw_msc3866_config)

  344. 

  345.         # MSC3881: Remotely toggle push notifications for another client

  346.         self.msc3881_enabled: bool = experimental.get("msc3881_enabled", False)

  347. 

  348.         # MSC3874: Filtering /messages with rel_types / not_rel_types.

  349.         self.msc3874_enabled: bool = experimental.get("msc3874_enabled", False)

  350. 

  351.         # MSC3886: Simple client rendezvous capability

  352.         self.msc3886_endpoint: Optional[str] = experimental.get(

  353.             "msc3886_endpoint", None

  354.         )

  355. 

  356.         # MSC3890: Remotely silence local notifications

  357.         # Note: This option requires "experimental_features.msc3391_enabled" to be

  358.         # set to "true", in order to communicate account data deletions to clients.

  359.         self.msc3890_enabled: bool = experimental.get("msc3890_enabled", False)

  360.         if self.msc3890_enabled and not self.msc3391_enabled:

  361.             raise ConfigError(

  362.                 "Option 'experimental_features.msc3391' must be set to 'true' to "

  363.                 "enable 'experimental_features.msc3890'. MSC3391 functionality is "

  364.                 "required to communicate account data deletions to clients."

  365.             )

  366. 

  367.         # MSC3381: Polls.

  368.         # In practice, supporting polls in Synapse only requires an implementation of

  369.         # MSC3930: Push rules for MSC3391 polls; which is what this option enables.

  370.         self.msc3381_polls_enabled: bool = experimental.get(

  371.             "msc3381_polls_enabled", False

  372.         )

  373. 

  374.         # MSC3912: Relation-based redactions.

  375.         self.msc3912_enabled: bool = experimental.get("msc3912_enabled", False)

  376. 

  377.         # MSC1767 and friends: Extensible Events

  378.         self.msc1767_enabled: bool = experimental.get("msc1767_enabled", False)

  379.         if self.msc1767_enabled:

  380.             # Enable room version (and thus applicable push rules from MSC3931/3932)

  381.             version_id = RoomVersions.MSC1767v10.identifier

  382.             KNOWN_ROOM_VERSIONS[version_id] = RoomVersions.MSC1767v10

  383. 

  384.         # MSC3391: Removing account data.

  385.         self.msc3391_enabled = experimental.get("msc3391_enabled", False)

  386. 

  387.         # MSC3967: Do not require UIA when first uploading cross signing keys

  388.         self.msc3967_enabled = experimental.get("msc3967_enabled", False)

  389. 

  390.         # MSC3981: Recurse relations

  391.         self.msc3981_recurse_relations = experimental.get(

  392.             "msc3981_recurse_relations", False

  393.         )

  394. 

  395.         # MSC3861: Matrix architecture change to delegate authentication via OIDC

  396.         try:

  397.             self.msc3861 = MSC3861(**experimental.get("msc3861", {}))

  398.         except ValueError as exc:

  399.             raise ConfigError(

  400.                 "Invalid MSC3861 configuration", ("experimental", "msc3861")

  401.             ) from exc

  402. 

  403.         # Check that none of the other config options conflict with MSC3861 when enabled

  404.         self.msc3861.check_config_conflicts(self.root)

  405. 

  406.         # MSC4010: Do not allow setting m.push_rules account data.

  407.         self.msc4010_push_rules_account_data = experimental.get(

  408.             "msc4010_push_rules_account_data", False

  409.         )

  410. 

  411.         # MSC4041: Use HTTP header Retry-After to enable library-assisted retry handling

  412.         #

  413.         # This is a bit hacky, but the most reasonable way to *alway* include the

  414.         # headers.

  415.         LimitExceededError.include_retry_after_header = experimental.get(

  416.             "msc4041_enabled", False

  417.         )

  418. 

  419.         self.msc4028_push_encrypted_events = experimental.get(

  420.             "msc4028_push_encrypted_events", False

  421.         )