gitlord
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
18612 Commits
842 Branches
288 MiB
 
 
 
 
 
 
Tree: 4b965c862d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4b965c862d'
${ noResults }
synapse/synapse/config/sso.py

277 lines
13 KiB
Raw Blame History 

  1. # Copyright 2020 The Matrix.org Foundation C.I.C.

  2. #

  3. # Licensed under the Apache License, Version 2.0 (the "License");

  4. # you may not use this file except in compliance with the License.

  5. # You may obtain a copy of the License at

  6. #

  7. #     http://www.apache.org/licenses/LICENSE-2.0

  8. #

  9. # Unless required by applicable law or agreed to in writing, software

  10. # distributed under the License is distributed on an "AS IS" BASIS,

  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  12. # See the License for the specific language governing permissions and

  13. # limitations under the License.

  14. from typing import Any, Dict, Optional

  15. 

  16. import attr

  17. 

  18. from ._base import Config

  19. 

  20. 

  21. @attr.s(frozen=True)

  22. class SsoAttributeRequirement:

  23.     """Object describing a single requirement for SSO attributes."""

  24. 

  25.     attribute = attr.ib(type=str)

  26.     # If a value is not given, than the attribute must simply exist.

  27.     value = attr.ib(type=Optional[str])

  28. 

  29.     JSON_SCHEMA = {

  30.         "type": "object",

  31.         "properties": {"attribute": {"type": "string"}, "value": {"type": "string"}},

  32.         "required": ["attribute", "value"],

  33.     }

  34. 

  35. 

  36. class SSOConfig(Config):

  37.     """SSO Configuration"""

  38. 

  39.     section = "sso"

  40. 

  41.     def read_config(self, config, **kwargs):

  42.         sso_config = config.get("sso") or {}  # type: Dict[str, Any]

  43. 

  44.         # The sso-specific template_dir

  45.         self.sso_template_dir = sso_config.get("template_dir")

  46. 

  47.         # Read templates from disk

  48.         (

  49.             self.sso_login_idp_picker_template,

  50.             self.sso_redirect_confirm_template,

  51.             self.sso_auth_confirm_template,

  52.             self.sso_error_template,

  53.             sso_account_deactivated_template,

  54.             sso_auth_success_template,

  55.             self.sso_auth_bad_user_template,

  56.         ) = self.read_templates(

  57.             [

  58.                 "sso_login_idp_picker.html",

  59.                 "sso_redirect_confirm.html",

  60.                 "sso_auth_confirm.html",

  61.                 "sso_error.html",

  62.                 "sso_account_deactivated.html",

  63.                 "sso_auth_success.html",

  64.                 "sso_auth_bad_user.html",

  65.             ],

  66.             self.sso_template_dir,

  67.         )

  68. 

  69.         # These templates have no placeholders, so render them here

  70.         self.sso_account_deactivated_template = (

  71.             sso_account_deactivated_template.render()

  72.         )

  73.         self.sso_auth_success_template = sso_auth_success_template.render()

  74. 

  75.         self.sso_client_whitelist = sso_config.get("client_whitelist") or []

  76. 

  77.         # Attempt to also whitelist the server's login fallback, since that fallback sets

  78.         # the redirect URL to itself (so it can process the login token then return

  79.         # gracefully to the client). This would make it pointless to ask the user for

  80.         # confirmation, since the URL the confirmation page would be showing wouldn't be

  81.         # the client's.

  82.         # public_baseurl is an optional setting, so we only add the fallback's URL to the

  83.         # list if it's provided (because we can't figure out what that URL is otherwise).

  84.         if self.public_baseurl:

  85.             login_fallback_url = self.public_baseurl + "_matrix/static/client/login"

  86.             self.sso_client_whitelist.append(login_fallback_url)

  87. 

  88.     def generate_config_section(self, **kwargs):

  89.         return """\

  90.         # Additional settings to use with single-sign on systems such as OpenID Connect,

  91.         # SAML2 and CAS.

  92.         #

  93.         sso:

  94.             # A list of client URLs which are whitelisted so that the user does not

  95.             # have to confirm giving access to their account to the URL. Any client

  96.             # whose URL starts with an entry in the following list will not be subject

  97.             # to an additional confirmation step after the SSO login is completed.

  98.             #

  99.             # WARNING: An entry such as "https://my.client" is insecure, because it

  100.             # will also match "https://my.client.evil.site", exposing your users to

  101.             # phishing attacks from evil.site. To avoid this, include a slash after the

  102.             # hostname: "https://my.client/".

  103.             #

  104.             # If public_baseurl is set, then the login fallback page (used by clients

  105.             # that don't natively support the required login flows) is whitelisted in

  106.             # addition to any URLs in this list.

  107.             #

  108.             # By default, this list is empty.

  109.             #

  110.             #client_whitelist:

  111.             #  - https://riot.im/develop

  112.             #  - https://my.custom.client/

  113. 

  114.             # Directory in which Synapse will try to find the template files below.

  115.             # If not set, or the files named below are not found within the template

  116.             # directory, default templates from within the Synapse package will be used.

  117.             #

  118.             # Synapse will look for the following templates in this directory:

  119.             #

  120.             # * HTML page to prompt the user to choose an Identity Provider during

  121.             #   login: 'sso_login_idp_picker.html'.

  122.             #

  123.             #   This is only used if multiple SSO Identity Providers are configured.

  124.             #

  125.             #   When rendering, this template is given the following variables:

  126.             #     * redirect_url: the URL that the user will be redirected to after

  127.             #       login.

  128.             #

  129.             #     * server_name: the homeserver's name.

  130.             #

  131.             #     * providers: a list of available Identity Providers. Each element is

  132.             #       an object with the following attributes:

  133.             #

  134.             #         * idp_id: unique identifier for the IdP

  135.             #         * idp_name: user-facing name for the IdP

  136.             #         * idp_icon: if specified in the IdP config, an MXC URI for an icon

  137.             #              for the IdP

  138.             #         * idp_brand: if specified in the IdP config, a textual identifier

  139.             #              for the brand of the IdP

  140.             #

  141.             #   The rendered HTML page should contain a form which submits its results

  142.             #   back as a GET request, with the following query parameters:

  143.             #

  144.             #     * redirectUrl: the client redirect URI (ie, the `redirect_url` passed

  145.             #       to the template)

  146.             #

  147.             #     * idp: the 'idp_id' of the chosen IDP.

  148.             #

  149.             # * HTML page to prompt new users to enter a userid and confirm other

  150.             #   details: 'sso_auth_account_details.html'. This is only shown if the

  151.             #   SSO implementation (with any user_mapping_provider) does not return

  152.             #   a localpart.

  153.             #

  154.             #   When rendering, this template is given the following variables:

  155.             #

  156.             #     * server_name: the homeserver's name.

  157.             #

  158.             #     * idp: details of the SSO Identity Provider that the user logged in

  159.             #       with: an object with the following attributes:

  160.             #

  161.             #         * idp_id: unique identifier for the IdP

  162.             #         * idp_name: user-facing name for the IdP

  163.             #         * idp_icon: if specified in the IdP config, an MXC URI for an icon

  164.             #              for the IdP

  165.             #         * idp_brand: if specified in the IdP config, a textual identifier

  166.             #              for the brand of the IdP

  167.             #

  168.             #     * user_attributes: an object containing details about the user that

  169.             #       we received from the IdP. May have the following attributes:

  170.             #

  171.             #         * display_name: the user's display_name

  172.             #         * emails: a list of email addresses

  173.             #

  174.             #   The template should render a form which submits the following fields:

  175.             #

  176.             #     * username: the localpart of the user's chosen user id

  177.             #

  178.             # * HTML page allowing the user to consent to the server's terms and

  179.             #   conditions. This is only shown for new users, and only if

  180.             #   `user_consent.require_at_registration` is set.

  181.             #

  182.             #   When rendering, this template is given the following variables:

  183.             #

  184.             #     * server_name: the homeserver's name.

  185.             #

  186.             #     * user_id: the user's matrix proposed ID.

  187.             #

  188.             #     * user_profile.display_name: the user's proposed display name, if any.

  189.             #

  190.             #     * consent_version: the version of the terms that the user will be

  191.             #       shown

  192.             #

  193.             #     * terms_url: a link to the page showing the terms.

  194.             #

  195.             #   The template should render a form which submits the following fields:

  196.             #

  197.             #     * accepted_version: the version of the terms accepted by the user

  198.             #       (ie, 'consent_version' from the input variables).

  199.             #

  200.             # * HTML page for a confirmation step before redirecting back to the client

  201.             #   with the login token: 'sso_redirect_confirm.html'.

  202.             #

  203.             #   When rendering, this template is given the following variables:

  204.             #

  205.             #     * redirect_url: the URL the user is about to be redirected to.

  206.             #

  207.             #     * display_url: the same as `redirect_url`, but with the query

  208.             #                    parameters stripped. The intention is to have a

  209.             #                    human-readable URL to show to users, not to use it as

  210.             #                    the final address to redirect to.

  211.             #

  212.             #     * server_name: the homeserver's name.

  213.             #

  214.             #     * new_user: a boolean indicating whether this is the user's first time

  215.             #          logging in.

  216.             #

  217.             #     * user_id: the user's matrix ID.

  218.             #

  219.             #     * user_profile.avatar_url: an MXC URI for the user's avatar, if any.

  220.             #           None if the user has not set an avatar.

  221.             #

  222.             #     * user_profile.display_name: the user's display name. None if the user

  223.             #           has not set a display name.

  224.             #

  225.             # * HTML page which notifies the user that they are authenticating to confirm

  226.             #   an operation on their account during the user interactive authentication

  227.             #   process: 'sso_auth_confirm.html'.

  228.             #

  229.             #   When rendering, this template is given the following variables:

  230.             #     * redirect_url: the URL the user is about to be redirected to.

  231.             #

  232.             #     * description: the operation which the user is being asked to confirm

  233.             #

  234.             #     * idp: details of the Identity Provider that we will use to confirm

  235.             #       the user's identity: an object with the following attributes:

  236.             #

  237.             #         * idp_id: unique identifier for the IdP

  238.             #         * idp_name: user-facing name for the IdP

  239.             #         * idp_icon: if specified in the IdP config, an MXC URI for an icon

  240.             #              for the IdP

  241.             #         * idp_brand: if specified in the IdP config, a textual identifier

  242.             #              for the brand of the IdP

  243.             #

  244.             # * HTML page shown after a successful user interactive authentication session:

  245.             #   'sso_auth_success.html'.

  246.             #

  247.             #   Note that this page must include the JavaScript which notifies of a successful authentication

  248.             #   (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback).

  249.             #

  250.             #   This template has no additional variables.

  251.             #

  252.             # * HTML page shown after a user-interactive authentication session which

  253.             #   does not map correctly onto the expected user: 'sso_auth_bad_user.html'.

  254.             #

  255.             #   When rendering, this template is given the following variables:

  256.             #     * server_name: the homeserver's name.

  257.             #     * user_id_to_verify: the MXID of the user that we are trying to

  258.             #       validate.

  259.             #

  260.             # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database)

  261.             #   attempts to login: 'sso_account_deactivated.html'.

  262.             #

  263.             #   This template has no additional variables.

  264.             #

  265.             # * HTML page to display to users if something goes wrong during the

  266.             #   OpenID Connect authentication process: 'sso_error.html'.

  267.             #

  268.             #   When rendering, this template is given two variables:

  269.             #     * error: the technical name of the error

  270.             #     * error_description: a human-readable message for the error

  271.             #

  272.             # You can see the default templates at:

  273.             # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates

  274.             #

  275.             #template_dir: "res/templates"

  276.         """