gitlord
/
synapse
espelho de https://github.com/matrix-org/synapse.git
1
0
Derivar 0
Código Questões 0 Lançamentos 671 Wiki Trabalho
Não pode escolher mais do que 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
20893 Cometimentos
842 Ramos
494 MiB
 
 
 
 
 
 
Árvore: 493c2fc44a
Ramos Etiquetas
${ item.name }
Criar ramo ${ searchTerm }
de '493c2fc44a'
${ noResults }
synapse/synapse/config/oidc.py

396 linhas
15 KiB
Em bruto Responsabilidade Histórico 

  1. # Copyright 2020 Quentin Gliech

  2. # Copyright 2020-2021 The Matrix.org Foundation C.I.C.

  3. #

  4. # Licensed under the Apache License, Version 2.0 (the "License");

  5. # you may not use this file except in compliance with the License.

  6. # You may obtain a copy of the License at

  7. #

  8. #     http://www.apache.org/licenses/LICENSE-2.0

  9. #

  10. # Unless required by applicable law or agreed to in writing, software

  11. # distributed under the License is distributed on an "AS IS" BASIS,

  12. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. # See the License for the specific language governing permissions and

  14. # limitations under the License.

  15. 

  16. from collections import Counter

  17. from typing import Any, Collection, Iterable, List, Mapping, Optional, Tuple, Type

  18. 

  19. import attr

  20. 

  21. from synapse.config._util import validate_config

  22. from synapse.config.sso import SsoAttributeRequirement

  23. from synapse.types import JsonDict

  24. from synapse.util.module_loader import load_module

  25. from synapse.util.stringutils import parse_and_validate_mxc_uri

  26. 

  27. from ..util.check_dependencies import DependencyException, check_requirements

  28. from ._base import Config, ConfigError, read_file

  29. 

  30. DEFAULT_USER_MAPPING_PROVIDER = "synapse.handlers.oidc.JinjaOidcMappingProvider"

  31. # The module that JinjaOidcMappingProvider is in was renamed, we want to

  32. # transparently handle both the same.

  33. LEGACY_USER_MAPPING_PROVIDER = "synapse.handlers.oidc_handler.JinjaOidcMappingProvider"

  34. 

  35. 

  36. class OIDCConfig(Config):

  37.     section = "oidc"

  38. 

  39.     def read_config(self, config: JsonDict, **kwargs: Any) -> None:

  40.         self.oidc_providers = tuple(_parse_oidc_provider_configs(config))

  41.         if not self.oidc_providers:

  42.             return

  43. 

  44.         try:

  45.             check_requirements("oidc")

  46.         except DependencyException as e:

  47.             raise ConfigError(

  48.                 e.message  # noqa: B306, DependencyException.message is a property

  49.             ) from e

  50. 

  51.         # check we don't have any duplicate idp_ids now. (The SSO handler will also

  52.         # check for duplicates when the REST listeners get registered, but that happens

  53.         # after synapse has forked so doesn't give nice errors.)

  54.         c = Counter([i.idp_id for i in self.oidc_providers])

  55.         for idp_id, count in c.items():

  56.             if count > 1:

  57.                 raise ConfigError(

  58.                     "Multiple OIDC providers have the idp_id %r." % idp_id

  59.                 )

  60. 

  61.         public_baseurl = self.root.server.public_baseurl

  62.         self.oidc_callback_url = public_baseurl + "_synapse/client/oidc/callback"

  63. 

  64.     @property

  65.     def oidc_enabled(self) -> bool:

  66.         # OIDC is enabled if we have a provider

  67.         return bool(self.oidc_providers)

  68. 

  69. 

  70. # jsonschema definition of the configuration settings for an oidc identity provider

  71. OIDC_PROVIDER_CONFIG_SCHEMA = {

  72.     "type": "object",

  73.     "required": ["issuer", "client_id"],

  74.     "properties": {

  75.         "idp_id": {

  76.             "type": "string",

  77.             "minLength": 1,

  78.             # MSC2858 allows a maxlen of 255, but we prefix with "oidc-"

  79.             "maxLength": 250,

  80.             "pattern": "^[A-Za-z0-9._~-]+$",

  81.         },

  82.         "idp_name": {"type": "string"},

  83.         "idp_icon": {"type": "string"},

  84.         "idp_brand": {

  85.             "type": "string",

  86.             "minLength": 1,

  87.             "maxLength": 255,

  88.             "pattern": "^[a-z][a-z0-9_.-]*$",

  89.         },

  90.         "discover": {"type": "boolean"},

  91.         "issuer": {"type": "string"},

  92.         "client_id": {"type": "string"},

  93.         "client_secret": {"type": "string"},

  94.         "client_secret_jwt_key": {

  95.             "type": "object",

  96.             "required": ["jwt_header"],

  97.             "oneOf": [

  98.                 {"required": ["key"]},

  99.                 {"required": ["key_file"]},

  100.             ],

  101.             "properties": {

  102.                 "key": {"type": "string"},

  103.                 "key_file": {"type": "string"},

  104.                 "jwt_header": {

  105.                     "type": "object",

  106.                     "required": ["alg"],

  107.                     "properties": {

  108.                         "alg": {"type": "string"},

  109.                     },

  110.                     "additionalProperties": {"type": "string"},

  111.                 },

  112.                 "jwt_payload": {

  113.                     "type": "object",

  114.                     "additionalProperties": {"type": "string"},

  115.                 },

  116.             },

  117.         },

  118.         "client_auth_method": {

  119.             "type": "string",

  120.             # the following list is the same as the keys of

  121.             # authlib.oauth2.auth.ClientAuth.DEFAULT_AUTH_METHODS. We inline it

  122.             # to avoid importing authlib here.

  123.             "enum": ["client_secret_basic", "client_secret_post", "none"],

  124.         },

  125.         "scopes": {"type": "array", "items": {"type": "string"}},

  126.         "authorization_endpoint": {"type": "string"},

  127.         "token_endpoint": {"type": "string"},

  128.         "userinfo_endpoint": {"type": "string"},

  129.         "jwks_uri": {"type": "string"},

  130.         "skip_verification": {"type": "boolean"},

  131.         "user_profile_method": {

  132.             "type": "string",

  133.             "enum": ["auto", "userinfo_endpoint"],

  134.         },

  135.         "allow_existing_users": {"type": "boolean"},

  136.         "user_mapping_provider": {"type": ["object", "null"]},

  137.         "attribute_requirements": {

  138.             "type": "array",

  139.             "items": SsoAttributeRequirement.JSON_SCHEMA,

  140.         },

  141.     },

  142. }

  143. 

  144. # the same as OIDC_PROVIDER_CONFIG_SCHEMA, but with compulsory idp_id and idp_name

  145. OIDC_PROVIDER_CONFIG_WITH_ID_SCHEMA = {

  146.     "allOf": [OIDC_PROVIDER_CONFIG_SCHEMA, {"required": ["idp_id", "idp_name"]}]

  147. }

  148. 

  149. 

  150. # the `oidc_providers` list can either be None (as it is in the default config), or

  151. # a list of provider configs, each of which requires an explicit ID and name.

  152. OIDC_PROVIDER_LIST_SCHEMA = {

  153.     "oneOf": [

  154.         {"type": "null"},

  155.         {"type": "array", "items": OIDC_PROVIDER_CONFIG_WITH_ID_SCHEMA},

  156.     ]

  157. }

  158. 

  159. # the `oidc_config` setting can either be None (which it used to be in the default

  160. # config), or an object. If an object, it is ignored unless it has an "enabled: True"

  161. # property.

  162. #

  163. # It's *possible* to represent this with jsonschema, but the resultant errors aren't

  164. # particularly clear, so we just check for either an object or a null here, and do

  165. # additional checks in the code.

  166. OIDC_CONFIG_SCHEMA = {"oneOf": [{"type": "null"}, {"type": "object"}]}

  167. 

  168. # the top-level schema can contain an "oidc_config" and/or an "oidc_providers".

  169. MAIN_CONFIG_SCHEMA = {

  170.     "type": "object",

  171.     "properties": {

  172.         "oidc_config": OIDC_CONFIG_SCHEMA,

  173.         "oidc_providers": OIDC_PROVIDER_LIST_SCHEMA,

  174.     },

  175. }

  176. 

  177. 

  178. def _parse_oidc_provider_configs(config: JsonDict) -> Iterable["OidcProviderConfig"]:

  179.     """extract and parse the OIDC provider configs from the config dict

  180. 

  181.     The configuration may contain either a single `oidc_config` object with an

  182.     `enabled: True` property, or a list of provider configurations under

  183.     `oidc_providers`, *or both*.

  184. 

  185.     Returns a generator which yields the OidcProviderConfig objects

  186.     """

  187.     validate_config(MAIN_CONFIG_SCHEMA, config, ())

  188. 

  189.     for i, p in enumerate(config.get("oidc_providers") or []):

  190.         yield _parse_oidc_config_dict(p, ("oidc_providers", "<item %i>" % (i,)))

  191. 

  192.     # for backwards-compatibility, it is also possible to provide a single "oidc_config"

  193.     # object with an "enabled: True" property.

  194.     oidc_config = config.get("oidc_config")

  195.     if oidc_config and oidc_config.get("enabled", False):

  196.         # MAIN_CONFIG_SCHEMA checks that `oidc_config` is an object, but not that

  197.         # it matches OIDC_PROVIDER_CONFIG_SCHEMA (see the comments on OIDC_CONFIG_SCHEMA

  198.         # above), so now we need to validate it.

  199.         validate_config(OIDC_PROVIDER_CONFIG_SCHEMA, oidc_config, ("oidc_config",))

  200.         yield _parse_oidc_config_dict(oidc_config, ("oidc_config",))

  201. 

  202. 

  203. def _parse_oidc_config_dict(

  204.     oidc_config: JsonDict, config_path: Tuple[str, ...]

  205. ) -> "OidcProviderConfig":

  206.     """Take the configuration dict and parse it into an OidcProviderConfig

  207. 

  208.     Raises:

  209.         ConfigError if the configuration is malformed.

  210.     """

  211.     ump_config = oidc_config.get("user_mapping_provider", {})

  212.     ump_config.setdefault("module", DEFAULT_USER_MAPPING_PROVIDER)

  213.     if ump_config.get("module") == LEGACY_USER_MAPPING_PROVIDER:

  214.         ump_config["module"] = DEFAULT_USER_MAPPING_PROVIDER

  215.     ump_config.setdefault("config", {})

  216. 

  217.     (

  218.         user_mapping_provider_class,

  219.         user_mapping_provider_config,

  220.     ) = load_module(ump_config, config_path + ("user_mapping_provider",))

  221. 

  222.     # Ensure loaded user mapping module has defined all necessary methods

  223.     required_methods = [

  224.         "get_remote_user_id",

  225.         "map_user_attributes",

  226.     ]

  227.     missing_methods = [

  228.         method

  229.         for method in required_methods

  230.         if not hasattr(user_mapping_provider_class, method)

  231.     ]

  232.     if missing_methods:

  233.         raise ConfigError(

  234.             "Class %s is missing required "

  235.             "methods: %s"

  236.             % (

  237.                 user_mapping_provider_class,

  238.                 ", ".join(missing_methods),

  239.             ),

  240.             config_path + ("user_mapping_provider", "module"),

  241.         )

  242. 

  243.     idp_id = oidc_config.get("idp_id", "oidc")

  244. 

  245.     # prefix the given IDP with a prefix specific to the SSO mechanism, to avoid

  246.     # clashes with other mechs (such as SAML, CAS).

  247.     #

  248.     # We allow "oidc" as an exception so that people migrating from old-style

  249.     # "oidc_config" format (which has long used "oidc" as its idp_id) can migrate to

  250.     # a new-style "oidc_providers" entry without changing the idp_id for their provider

  251.     # (and thereby invalidating their user_external_ids data).

  252. 

  253.     if idp_id != "oidc":

  254.         idp_id = "oidc-" + idp_id

  255. 

  256.     # MSC2858 also specifies that the idp_icon must be a valid MXC uri

  257.     idp_icon = oidc_config.get("idp_icon")

  258.     if idp_icon is not None:

  259.         try:

  260.             parse_and_validate_mxc_uri(idp_icon)

  261.         except ValueError as e:

  262.             raise ConfigError(

  263.                 "idp_icon must be a valid MXC URI", config_path + ("idp_icon",)

  264.             ) from e

  265. 

  266.     client_secret_jwt_key_config = oidc_config.get("client_secret_jwt_key")

  267.     client_secret_jwt_key: Optional[OidcProviderClientSecretJwtKey] = None

  268.     if client_secret_jwt_key_config is not None:

  269.         keyfile = client_secret_jwt_key_config.get("key_file")

  270.         if keyfile:

  271.             key = read_file(keyfile, config_path + ("client_secret_jwt_key",))

  272.         else:

  273.             key = client_secret_jwt_key_config["key"]

  274.         client_secret_jwt_key = OidcProviderClientSecretJwtKey(

  275.             key=key,

  276.             jwt_header=client_secret_jwt_key_config["jwt_header"],

  277.             jwt_payload=client_secret_jwt_key_config.get("jwt_payload", {}),

  278.         )

  279.     # parse attribute_requirements from config (list of dicts) into a list of SsoAttributeRequirement

  280.     attribute_requirements = [

  281.         SsoAttributeRequirement(**x)

  282.         for x in oidc_config.get("attribute_requirements", [])

  283.     ]

  284. 

  285.     return OidcProviderConfig(

  286.         idp_id=idp_id,

  287.         idp_name=oidc_config.get("idp_name", "OIDC"),

  288.         idp_icon=idp_icon,

  289.         idp_brand=oidc_config.get("idp_brand"),

  290.         discover=oidc_config.get("discover", True),

  291.         issuer=oidc_config["issuer"],

  292.         client_id=oidc_config["client_id"],

  293.         client_secret=oidc_config.get("client_secret"),

  294.         client_secret_jwt_key=client_secret_jwt_key,

  295.         client_auth_method=oidc_config.get("client_auth_method", "client_secret_basic"),

  296.         scopes=oidc_config.get("scopes", ["openid"]),

  297.         authorization_endpoint=oidc_config.get("authorization_endpoint"),

  298.         token_endpoint=oidc_config.get("token_endpoint"),

  299.         userinfo_endpoint=oidc_config.get("userinfo_endpoint"),

  300.         jwks_uri=oidc_config.get("jwks_uri"),

  301.         skip_verification=oidc_config.get("skip_verification", False),

  302.         user_profile_method=oidc_config.get("user_profile_method", "auto"),

  303.         allow_existing_users=oidc_config.get("allow_existing_users", False),

  304.         user_mapping_provider_class=user_mapping_provider_class,

  305.         user_mapping_provider_config=user_mapping_provider_config,

  306.         attribute_requirements=attribute_requirements,

  307.     )

  308. 

  309. 

  310. @attr.s(slots=True, frozen=True, auto_attribs=True)

  311. class OidcProviderClientSecretJwtKey:

  312.     # a pem-encoded signing key

  313.     key: str

  314. 

  315.     # properties to include in the JWT header

  316.     jwt_header: Mapping[str, str]

  317. 

  318.     # properties to include in the JWT payload.

  319.     jwt_payload: Mapping[str, str]

  320. 

  321. 

  322. @attr.s(slots=True, frozen=True, auto_attribs=True)

  323. class OidcProviderConfig:

  324.     # a unique identifier for this identity provider. Used in the 'user_external_ids'

  325.     # table, as well as the query/path parameter used in the login protocol.

  326.     idp_id: str

  327. 

  328.     # user-facing name for this identity provider.

  329.     idp_name: str

  330. 

  331.     # Optional MXC URI for icon for this IdP.

  332.     idp_icon: Optional[str]

  333. 

  334.     # Optional brand identifier for this IdP.

  335.     idp_brand: Optional[str]

  336. 

  337.     # whether the OIDC discovery mechanism is used to discover endpoints

  338.     discover: bool

  339. 

  340.     # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to

  341.     # discover the provider's endpoints.

  342.     issuer: str

  343. 

  344.     # oauth2 client id to use

  345.     client_id: str

  346. 

  347.     # oauth2 client secret to use. if `None`, use client_secret_jwt_key to generate

  348.     # a secret.

  349.     client_secret: Optional[str]

  350. 

  351.     # key to use to construct a JWT to use as a client secret. May be `None` if

  352.     # `client_secret` is set.

  353.     client_secret_jwt_key: Optional[OidcProviderClientSecretJwtKey]

  354. 

  355.     # auth method to use when exchanging the token.

  356.     # Valid values are 'client_secret_basic', 'client_secret_post' and

  357.     # 'none'.

  358.     client_auth_method: str

  359. 

  360.     # list of scopes to request

  361.     scopes: Collection[str]

  362. 

  363.     # the oauth2 authorization endpoint. Required if discovery is disabled.

  364.     authorization_endpoint: Optional[str]

  365. 

  366.     # the oauth2 token endpoint. Required if discovery is disabled.

  367.     token_endpoint: Optional[str]

  368. 

  369.     # the OIDC userinfo endpoint. Required if discovery is disabled and the

  370.     # "openid" scope is not requested.

  371.     userinfo_endpoint: Optional[str]

  372. 

  373.     # URI where to fetch the JWKS. Required if discovery is disabled and the

  374.     # "openid" scope is used.

  375.     jwks_uri: Optional[str]

  376. 

  377.     # Whether to skip metadata verification

  378.     skip_verification: bool

  379. 

  380.     # Whether to fetch the user profile from the userinfo endpoint. Valid

  381.     # values are: "auto" or "userinfo_endpoint".

  382.     user_profile_method: str

  383. 

  384.     # whether to allow a user logging in via OIDC to match a pre-existing account

  385.     # instead of failing

  386.     allow_existing_users: bool

  387. 

  388.     # the class of the user mapping provider

  389.     user_mapping_provider_class: Type

  390. 

  391.     # the config of the user mapping provider

  392.     user_mapping_provider_config: Any

  393. 

  394.     # required attributes to require in userinfo to allow login/registration

  395.     attribute_requirements: List[SsoAttributeRequirement]