diff options
author | Ben Banfield-Zanin <benbz@matrix.org> | 2020-04-30 08:24:15 +0100 |
---|---|---|
committer | Ben Banfield-Zanin <benbz@matrix.org> | 2020-04-30 08:24:15 +0100 |
commit | 80c66c4bca3ba494ab1ae194640b647bf95effb1 (patch) | |
tree | bb0266d950f5dc49d6501a43406973dada4a80a9 | |
parent | 1.12.4 (diff) | |
parent | Improve error message (diff) | |
download | synapse-80c66c4bca3ba494ab1ae194640b647bf95effb1.tar.xz |
Merge remote-tracking branch 'origin/babolivier/info_mainline' into bbz/info-mainline2 github/bbz/info-mainline2 bbz/info-mainline2
-rw-r--r-- | docs/sample_config.yaml | 5 | ||||
-rw-r--r-- | synapse/config/registration.py | 8 | ||||
-rw-r--r-- | synapse/rest/client/v2_alpha/account.py | 6 | ||||
-rw-r--r-- | synapse/rest/client/v2_alpha/register.py | 8 | ||||
-rw-r--r-- | synapse/util/threepids.py | 28 |
5 files changed, 47 insertions, 8 deletions
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml index 2ff0dd05a2..bf1ec4ece9 100644 --- a/docs/sample_config.yaml +++ b/docs/sample_config.yaml @@ -974,6 +974,11 @@ account_validity: # Mandate that users are only allowed to associate certain formats of # 3PIDs with accounts on this server. # +# Use an Identity Server to establish which 3PIDs are allowed to register? +# Overrides allowed_local_3pids below. +# +#check_is_for_allowed_local_3pids: matrix.org +# #allowed_local_3pids: # - medium: email # pattern: '.*@matrix\.org' diff --git a/synapse/config/registration.py b/synapse/config/registration.py index 9bb3beedbc..f255b58c8a 100644 --- a/synapse/config/registration.py +++ b/synapse/config/registration.py @@ -99,6 +99,9 @@ class RegistrationConfig(Config): self.registrations_require_3pid = config.get("registrations_require_3pid", []) self.allowed_local_3pids = config.get("allowed_local_3pids", []) + self.check_is_for_allowed_local_3pids = config.get( + "check_is_for_allowed_local_3pids", None + ) self.enable_3pid_lookup = config.get("enable_3pid_lookup", True) self.registration_shared_secret = config.get("registration_shared_secret") @@ -247,6 +250,11 @@ class RegistrationConfig(Config): # Mandate that users are only allowed to associate certain formats of # 3PIDs with accounts on this server. # + # Use an Identity Server to establish which 3PIDs are allowed to register? + # Overrides allowed_local_3pids below. + # + #check_is_for_allowed_local_3pids: matrix.org + # #allowed_local_3pids: # - medium: email # pattern: '.*@matrix\\.org' diff --git a/synapse/rest/client/v2_alpha/account.py b/synapse/rest/client/v2_alpha/account.py index 631cc74cb4..3b99fbf6c2 100644 --- a/synapse/rest/client/v2_alpha/account.py +++ b/synapse/rest/client/v2_alpha/account.py @@ -88,7 +88,7 @@ class EmailPasswordRequestTokenRestServlet(RestServlet): send_attempt = body["send_attempt"] next_link = body.get("next_link") # Optional param - if not check_3pid_allowed(self.hs, "email", email): + if not await check_3pid_allowed(self.hs, "email", email): raise SynapseError( 403, "Your email domain is not authorized on this server", @@ -366,7 +366,7 @@ class EmailThreepidRequestTokenRestServlet(RestServlet): send_attempt = body["send_attempt"] next_link = body.get("next_link") # Optional param - if not check_3pid_allowed(self.hs, "email", email): + if not await check_3pid_allowed(self.hs, "email", email): raise SynapseError( 403, "Your email domain is not authorized on this server", @@ -431,7 +431,7 @@ class MsisdnThreepidRequestTokenRestServlet(RestServlet): msisdn = phone_number_to_msisdn(country, phone_number) - if not check_3pid_allowed(self.hs, "msisdn", msisdn): + if not await check_3pid_allowed(self.hs, "msisdn", msisdn): raise SynapseError( 403, "Account phone numbers are not authorized on this server", diff --git a/synapse/rest/client/v2_alpha/register.py b/synapse/rest/client/v2_alpha/register.py index a09189b1b4..8e207dec40 100644 --- a/synapse/rest/client/v2_alpha/register.py +++ b/synapse/rest/client/v2_alpha/register.py @@ -123,10 +123,10 @@ class EmailRegisterRequestTokenRestServlet(RestServlet): send_attempt = body["send_attempt"] next_link = body.get("next_link") # Optional param - if not check_3pid_allowed(self.hs, "email", email): + if not await check_3pid_allowed(self.hs, "email", email): raise SynapseError( 403, - "Your email domain is not authorized to register on this server", + "You currently can't create an account with this email address", Codes.THREEPID_DENIED, ) @@ -190,7 +190,7 @@ class MsisdnRegisterRequestTokenRestServlet(RestServlet): msisdn = phone_number_to_msisdn(country, phone_number) - if not check_3pid_allowed(self.hs, "msisdn", msisdn): + if not await check_3pid_allowed(self.hs, "msisdn", msisdn): raise SynapseError( 403, "Phone numbers are not authorized to register on this server", @@ -514,7 +514,7 @@ class RegisterRestServlet(RestServlet): medium = auth_result[login_type]["medium"] address = auth_result[login_type]["address"] - if not check_3pid_allowed(self.hs, medium, address): + if not await check_3pid_allowed(self.hs, medium, address): raise SynapseError( 403, "Third party identifiers (email/phone numbers)" diff --git a/synapse/util/threepids.py b/synapse/util/threepids.py index 3ec1dfb0c2..20cf4c4a81 100644 --- a/synapse/util/threepids.py +++ b/synapse/util/threepids.py @@ -19,7 +19,7 @@ import re logger = logging.getLogger(__name__) -def check_3pid_allowed(hs, medium, address): +async def check_3pid_allowed(hs, medium, address): """Checks whether a given format of 3PID is allowed to be used on this HS Args: @@ -31,6 +31,32 @@ def check_3pid_allowed(hs, medium, address): bool: whether the 3PID medium/address is allowed to be added to this HS """ + if hs.config.check_is_for_allowed_local_3pids: + data = await hs.get_simple_http_client().get_json( + "https://%s%s" % ( + hs.config.check_is_for_allowed_local_3pids, + "/_matrix/identity/api/v1/internal-info" + ), + {'medium': medium, 'address': address} + ) + + # Check for invalid response + if 'hs' not in data and 'shadow_hs' not in data: + return False + + # Check if this user is intended to register for this homeserver + if ( + data.get('hs') != hs.config.server_name + and data.get('shadow_hs') != hs.config.server_name + ): + return False + + if data.get('requires_invite', False) and not data.get('invited', False): + # Requires an invite but hasn't been invited + return False + + return True + if hs.config.allowed_local_3pids: for constraint in hs.config.allowed_local_3pids: logger.debug( |