diff --git a/synapse/handlers/federation.py b/synapse/handlers/federation.py
index 19dec4812f..2eb28d55ac 100644
--- a/synapse/handlers/federation.py
+++ b/synapse/handlers/federation.py
@@ -148,7 +148,7 @@ class FederationHandler:
self._event_auth_handler = hs.get_event_auth_handler()
self._server_notices_mxid = hs.config.servernotices.server_notices_mxid
self.config = hs.config
- self.http_client = hs.get_proxied_blacklisted_http_client()
+ self.http_client = hs.get_proxied_blocklisted_http_client()
self._replication = hs.get_replication_data_handler()
self._federation_event_handler = hs.get_federation_event_handler()
self._device_handler = hs.get_device_handler()
diff --git a/synapse/handlers/federation_event.py b/synapse/handlers/federation_event.py
index 06343d40e4..9a08618da5 100644
--- a/synapse/handlers/federation_event.py
+++ b/synapse/handlers/federation_event.py
@@ -890,6 +890,11 @@ class FederationEventHandler:
# Continue on with the events that are new to us.
new_events.append(event)
+ set_tag(
+ SynapseTags.RESULT_PREFIX + "new_events.length",
+ str(len(new_events)),
+ )
+
# We want to sort these by depth so we process them and
# tell clients about them in order.
sorted_events = sorted(new_events, key=lambda x: x.depth)
diff --git a/synapse/handlers/identity.py b/synapse/handlers/identity.py
index bf0f7acf80..3031384d25 100644
--- a/synapse/handlers/identity.py
+++ b/synapse/handlers/identity.py
@@ -52,10 +52,10 @@ class IdentityHandler:
# An HTTP client for contacting trusted URLs.
self.http_client = SimpleHttpClient(hs)
# An HTTP client for contacting identity servers specified by clients.
- self.blacklisting_http_client = SimpleHttpClient(
+ self._http_client = SimpleHttpClient(
hs,
- ip_blacklist=hs.config.server.federation_ip_range_blacklist,
- ip_whitelist=hs.config.server.federation_ip_range_whitelist,
+ ip_blocklist=hs.config.server.federation_ip_range_blocklist,
+ ip_allowlist=hs.config.server.federation_ip_range_allowlist,
)
self.federation_http_client = hs.get_federation_http_client()
self.hs = hs
@@ -197,7 +197,7 @@ class IdentityHandler:
try:
# Use the blacklisting http client as this call is only to identity servers
# provided by a client
- data = await self.blacklisting_http_client.post_json_get_json(
+ data = await self._http_client.post_json_get_json(
bind_url, bind_data, headers=headers
)
@@ -308,9 +308,7 @@ class IdentityHandler:
try:
# Use the blacklisting http client as this call is only to identity servers
# provided by a client
- await self.blacklisting_http_client.post_json_get_json(
- url, content, headers
- )
+ await self._http_client.post_json_get_json(url, content, headers)
changed = True
except HttpResponseException as e:
changed = False
@@ -579,7 +577,7 @@ class IdentityHandler:
"""
# Check what hashing details are supported by this identity server
try:
- hash_details = await self.blacklisting_http_client.get_json(
+ hash_details = await self._http_client.get_json(
"%s%s/_matrix/identity/v2/hash_details" % (id_server_scheme, id_server),
{"access_token": id_access_token},
)
@@ -646,7 +644,7 @@ class IdentityHandler:
headers = {"Authorization": create_id_access_token_header(id_access_token)}
try:
- lookup_results = await self.blacklisting_http_client.post_json_get_json(
+ lookup_results = await self._http_client.post_json_get_json(
"%s%s/_matrix/identity/v2/lookup" % (id_server_scheme, id_server),
{
"addresses": [lookup_value],
@@ -752,7 +750,7 @@ class IdentityHandler:
url = "%s%s/_matrix/identity/v2/store-invite" % (id_server_scheme, id_server)
try:
- data = await self.blacklisting_http_client.post_json_get_json(
+ data = await self._http_client.post_json_get_json(
url,
invite_config,
{"Authorization": create_id_access_token_header(id_access_token)},
diff --git a/synapse/handlers/jwt.py b/synapse/handlers/jwt.py
new file mode 100644
index 0000000000..5fddc0e315
--- /dev/null
+++ b/synapse/handlers/jwt.py
@@ -0,0 +1,118 @@
+# Copyright 2023 Matrix.org Foundation C.I.C.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+from typing import TYPE_CHECKING
+
+from authlib.jose import JsonWebToken, JWTClaims
+from authlib.jose.errors import BadSignatureError, InvalidClaimError, JoseError
+
+from synapse.api.errors import Codes, LoginError, StoreError, UserDeactivatedError
+from synapse.types import JsonDict, UserID
+
+if TYPE_CHECKING:
+ from synapse.server import HomeServer
+
+
+class JwtHandler:
+ def __init__(self, hs: "HomeServer"):
+ self.hs = hs
+ self._main_store = hs.get_datastores().main
+
+ self.jwt_secret = hs.config.jwt.jwt_secret
+ self.jwt_subject_claim = hs.config.jwt.jwt_subject_claim
+ self.jwt_algorithm = hs.config.jwt.jwt_algorithm
+ self.jwt_issuer = hs.config.jwt.jwt_issuer
+ self.jwt_audiences = hs.config.jwt.jwt_audiences
+
+ async def validate_login(self, login_submission: JsonDict) -> str:
+ """
+ Authenticates the user for the /login API
+
+ Args:
+ login_submission: the whole of the login submission
+ (including 'type' and other relevant fields)
+
+ Returns:
+ The user ID that is logging in.
+
+ Raises:
+ LoginError if there was an authentication problem.
+ """
+ token = login_submission.get("token", None)
+ if token is None:
+ raise LoginError(
+ 403, "Token field for JWT is missing", errcode=Codes.FORBIDDEN
+ )
+
+ jwt = JsonWebToken([self.jwt_algorithm])
+ claim_options = {}
+ if self.jwt_issuer is not None:
+ claim_options["iss"] = {"value": self.jwt_issuer, "essential": True}
+ if self.jwt_audiences is not None:
+ claim_options["aud"] = {"values": self.jwt_audiences, "essential": True}
+
+ try:
+ claims = jwt.decode(
+ token,
+ key=self.jwt_secret,
+ claims_cls=JWTClaims,
+ claims_options=claim_options,
+ )
+ except BadSignatureError:
+ # We handle this case separately to provide a better error message
+ raise LoginError(
+ 403,
+ "JWT validation failed: Signature verification failed",
+ errcode=Codes.FORBIDDEN,
+ )
+ except JoseError as e:
+ # A JWT error occurred, return some info back to the client.
+ raise LoginError(
+ 403,
+ "JWT validation failed: %s" % (str(e),),
+ errcode=Codes.FORBIDDEN,
+ )
+
+ try:
+ claims.validate(leeway=120) # allows 2 min of clock skew
+
+ # Enforce the old behavior which is rolled out in productive
+ # servers: if the JWT contains an 'aud' claim but none is
+ # configured, the login attempt will fail
+ if claims.get("aud") is not None:
+ if self.jwt_audiences is None or len(self.jwt_audiences) == 0:
+ raise InvalidClaimError("aud")
+ except JoseError as e:
+ raise LoginError(
+ 403,
+ "JWT validation failed: %s" % (str(e),),
+ errcode=Codes.FORBIDDEN,
+ )
+
+ user = claims.get(self.jwt_subject_claim, None)
+ if user is None:
+ raise LoginError(403, "Invalid JWT", errcode=Codes.FORBIDDEN)
+
+ user_id = UserID(user, self.hs.hostname).to_string()
+
+ # If the account has been deactivated, do not proceed with the login
+ # flow.
+ try:
+ deactivated = await self._main_store.get_user_deactivated_status(user_id)
+ except StoreError:
+ # JWT lazily creates users, so they may not exist in the database yet.
+ deactivated = False
+ if deactivated:
+ raise UserDeactivatedError("This account has been deactivated")
+
+ return user_id
diff --git a/synapse/handlers/read_marker.py b/synapse/handlers/read_marker.py
index 6d35e61880..49a497a860 100644
--- a/synapse/handlers/read_marker.py
+++ b/synapse/handlers/read_marker.py
@@ -16,6 +16,7 @@ import logging
from typing import TYPE_CHECKING
from synapse.api.constants import ReceiptTypes
+from synapse.api.errors import SynapseError
from synapse.util.async_helpers import Linearizer
if TYPE_CHECKING:
@@ -47,12 +48,21 @@ class ReadMarkerHandler:
)
should_update = True
+ # Get event ordering, this also ensures we know about the event
+ event_ordering = await self.store.get_event_ordering(event_id)
if existing_read_marker:
- # Only update if the new marker is ahead in the stream
- should_update = await self.store.is_event_after(
- event_id, existing_read_marker["event_id"]
- )
+ try:
+ old_event_ordering = await self.store.get_event_ordering(
+ existing_read_marker["event_id"]
+ )
+ except SynapseError:
+ # Old event no longer exists, assume new is ahead. This may
+ # happen if the old event was removed due to retention.
+ pass
+ else:
+ # Only update if the new marker is ahead in the stream
+ should_update = event_ordering > old_event_ordering
if should_update:
content = {"event_id": event_id}
diff --git a/synapse/handlers/sso.py b/synapse/handlers/sso.py
index 25fd2eb3a1..c3a51722bd 100644
--- a/synapse/handlers/sso.py
+++ b/synapse/handlers/sso.py
@@ -204,7 +204,7 @@ class SsoHandler:
self._media_repo = (
hs.get_media_repository() if hs.config.media.can_load_media_repo else None
)
- self._http_client = hs.get_proxied_blacklisted_http_client()
+ self._http_client = hs.get_proxied_blocklisted_http_client()
# The following template is shown after a successful user interactive
# authentication session. It tells the user they can close the window.
|
