authorBrendan Abolivier <contact@brendanabolivier.com>2019-04-04 17:25:47 +0100
committerErik Johnston <erik@matrix.org>2019-04-05 14:25:27 +0100
commit0fcf7e5c57571c8b98a26b0ddeac5e06cd575e22 (patch)
tree5a9094de656d646ebf1109ae22920c17b1179c39
parentMerge branch 'master' of github.com:matrix-org/synapse into dinsic (diff)
downloadsynapse-0fcf7e5c57571c8b98a26b0ddeac5e06cd575e22.tar.xz
Add config option to block users from looking up 3PIDs (#5010) dinsic_2019-04-05
-rw-r--r--changelog.d/5010.feature1
-rw-r--r--docs/sample_config.yaml4
-rw-r--r--synapse/config/registration.py5
-rw-r--r--synapse/handlers/room_member.py5
-rw-r--r--tests/rest/client/test_identity.py65
-rw-r--r--tests/unittest.py2
6 files changed, 81 insertions, 1 deletions
diff --git a/changelog.d/5010.feature b/changelog.d/5010.feature
new file mode 100644
index 0000000000..65ab198b71
--- /dev/null
+++ b/changelog.d/5010.feature
@@ -0,0 +1 @@
+Add config option to block users from looking up 3PIDs.
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index b48a63e5f8..ff9f687b3c 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -693,6 +693,10 @@ uploads_path: "DATADIR/uploads"
 #
 #disable_3pid_changes: False
 
+# Enable 3PIDs lookup requests to identity servers from this server.
+#
+#enable_3pid_lookup: true
+
 # If set, allows registration of standard or admin accounts by anyone who
 # has the shared secret, even if registration is otherwise disabled.
 #
diff --git a/synapse/config/registration.py b/synapse/config/registration.py
index e5c0ccb2af..8faf5b62e2 100644
--- a/synapse/config/registration.py
+++ b/synapse/config/registration.py
@@ -40,6 +40,7 @@ class RegistrationConfig(Config):
 
         self.disable_3pid_changes = config.get("disable_3pid_changes", False)
 
+        self.enable_3pid_lookup = config.get("enable_3pid_lookup", True)
         self.registration_shared_secret = config.get("registration_shared_secret")
         self.register_mxid_from_3pid = config.get("register_mxid_from_3pid")
         self.register_just_use_email_for_display_name = config.get(
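Review bot: The new assignment is placed directly above `registration_shared_secret` with no separating blank line, while the option it belongs with, `disable_3pid_changes`, sits two lines up on its own; the file groups related settings with blank lines, so move the line up to `self.disable_3pid_changes = config.get("disable_3pid_changes", False)` / `self.enable_3pid_lookup = config.get("enable_3pid_lookup", True)` followed by the existing blank line. Like its sibling, the value is stored exactly as the YAML parser produced it, so a quoted `"false"` would be truthy; that matches the existing style, but a `bool(...)` wrap would be cheap if you want the two 3PID flags to be robust to that. The enclosing method starts outside the hunk.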
@@ -146,6 +147,10 @@ class RegistrationConfig(Config):
         #
         #disable_3pid_changes: False
 
+        # Enable 3PIDs lookup requests to identity servers from this server.
+        #
+        #enable_3pid_lookup: true
+
         # If set, allows registration of standard or admin accounts by anyone who
         # has the shared secret, even if registration is otherwise disabled.
         #
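Review bot: The sample-config comment says the option enables lookups but not what happens when it is off or what the default is, and this text is what `docs/sample_config.yaml` is generated from (the same wording appears in that file's hunk). I would expand it to `# Enable 3PIDs lookup requests to identity servers from this server.` / `# When set to false, requests that need a 3PID lookup (e.g. inviting by email address) are rejected with a 403.` / `# Defaults to true.` so an admin knows the user-visible effect before flipping it. The enclosing method starts outside the hunk.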
diff --git a/synapse/handlers/room_member.py b/synapse/handlers/room_member.py
index 382fe3a449..04ece8f4ce 100644
--- a/synapse/handlers/room_member.py
+++ b/synapse/handlers/room_member.py
@@ -71,6 +71,7 @@ class RoomMemberHandler(object):
         self.spam_checker = hs.get_spam_checker()
         self._server_notices_mxid = self.config.server_notices_mxid
         self.rewrite_identity_server_urls = self.config.rewrite_identity_server_urls
+        self._enable_lookup = hs.config.enable_3pid_lookup
 
     @abc.abstractmethod
     def _remote_join(self, requester, remote_room_hosts, room_id, user, content):
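Review bot: The new attribute is read through `hs.config` while the two lines immediately above it read the same config object through `self.config`; keeping one access path makes it obvious they are the same configuration, so `self._enable_lookup = self.config.enable_3pid_lookup`. Note also that the value is captured once at construction time, so later changes to `hs.config.enable_3pid_lookup` (as the new test does after building the homeserver) have no effect on this handler; a one-line comment such as `# captured at startup; toggling the config afterwards does not apply` would save the next reader that surprise. The enclosing `__init__` starts outside the hunk.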
@@ -808,6 +809,10 @@ class RoomMemberHandler(object):
         Returns:
             str: the matrix ID of the 3pid, or None if it is not recognized.
         """
+        if not self._enable_lookup:
+            raise SynapseError(
+                403, "Looking up third-party identifiers is denied from this server",
+            )
         try:
             target = self._get_id_server_target(id_server)
             data = yield self.simple_http_client.get_json(
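Review bot: The docstring directly above the new check still documents only the return value, so callers cannot see that the method now raises before any lookup is attempted; add a `Raises:` section along the lines of `Raises:` / `SynapseError: with a 403 status if 3PID lookups are disabled on this server (enable_3pid_lookup).`. The `SynapseError` is raised without an explicit errcode, so clients receive the default error code with the 403; if `Codes` is imported in this module, `errcode=Codes.FORBIDDEN` would give them the conventional M_FORBIDDEN to match the status. The enclosing method starts before and continues after the hunk.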
diff --git a/tests/rest/client/test_identity.py b/tests/rest/client/test_identity.py
new file mode 100644
index 0000000000..ca63b2e6ed
--- /dev/null
+++ b/tests/rest/client/test_identity.py
@@ -0,0 +1,65 @@
+# -*- coding: utf-8 -*-
+# Copyright 2019 New Vector Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import json
+
+from synapse.rest.client.v1 import admin, login, room
+
+from tests import unittest
+
+
+class IdentityTestCase(unittest.HomeserverTestCase):
+
+    servlets = [
+        admin.register_servlets,
+        room.register_servlets,
+        login.register_servlets,
+    ]
+
+    def make_homeserver(self, reactor, clock):
+
+        config = self.default_config()
+        config.enable_3pid_lookup = False
+        self.hs = self.setup_test_homeserver(config=config)
+
+        return self.hs
+
+    def test_3pid_lookup_disabled(self):
+        self.hs.config.enable_3pid_lookup = False
+
+        self.register_user("kermit", "monkey")
+        tok = self.login("kermit", "monkey")
+
+        request, channel = self.make_request(
+            b"POST", "/createRoom", b"{}", access_token=tok,
+        )
+        self.render(request)
+        self.assertEquals(channel.result["code"], b"200", channel.result)
+        room_id = channel.json_body["room_id"]
+
+        params = {
+            "id_server": "testis",
+            "medium": "email",
+            "address": "test@example.com",
+        }
+        request_data = json.dumps(params)
+        request_url = (
+            "/rooms/%s/invite" % (room_id)
+        ).encode('ascii')
+        request, channel = self.make_request(
+            b"POST", request_url, request_data, access_token=tok,
+        )
+        self.render(request)
+        self.assertEquals(channel.result["code"], b"403", channel.result)
diff --git a/tests/unittest.py b/tests/unittest.py
index 27403de908..8c65736a51 100644
--- a/tests/unittest.py
+++ b/tests/unittest.py
@@ -410,7 +410,7 @@ class HomeserverTestCase(TestCase):
             "POST", "/_matrix/client/r0/login", json.dumps(body).encode('utf8')
         )
         self.render(request)
-        self.assertEqual(channel.code, 200)
+        self.assertEqual(channel.code, 200, channel.result)
 
         access_token = channel.json_body["access_token"]
         return access_token