diff options
| author | H. Shay <hillerys@element.io> | 2023-08-16 15:05:54 -0700 |
|---|---|---|
| committer | H. Shay <hillerys@element.io> | 2023-08-16 15:05:54 -0700 |
| commit | 072ae11c5cd62f3b4b72c81db3913e6f76ff19f5 (patch) | |
| tree | d3432b3774f788142e79224afd92ee6bf0a3aff2 | |
| parent | Rename pagination&purge locks and add comments explaining them (#16112) (diff) | |
| download | synapse-072ae11c5cd62f3b4b72c81db3913e6f76ff19f5.tar.xz | |
add an admin endpoint for authorizing server to signal token revocations
| -rw-r--r-- | synapse/rest/admin/__init__.py | 3 | ||||
| -rw-r--r-- | synapse/rest/admin/oidc.py | 50 |
2 files changed, 53 insertions, 0 deletions
diff --git a/synapse/rest/admin/__init__.py b/synapse/rest/admin/__init__.py index fe8177ed4d..55e752fda8 100644 --- a/synapse/rest/admin/__init__.py +++ b/synapse/rest/admin/__init__.py @@ -47,6 +47,7 @@ from synapse.rest.admin.federation import ( ListDestinationsRestServlet, ) from synapse.rest.admin.media import ListMediaInRoom, register_servlets_for_media_repo +from synapse.rest.admin.oidc import OIDCTokenRevocationRestServlet from synapse.rest.admin.registration_tokens import ( ListRegistrationTokensRestServlet, NewRegistrationTokenRestServlet, @@ -297,6 +298,8 @@ def register_servlets(hs: "HomeServer", http_server: HttpServer) -> None: BackgroundUpdateRestServlet(hs).register(http_server) BackgroundUpdateStartJobRestServlet(hs).register(http_server) ExperimentalFeaturesRestServlet(hs).register(http_server) + if hs.config.experimental.msc3861.enabled: + OIDCTokenRevocationRestServlet(hs).register(http_server) def register_servlets_for_client_rest_resource( diff --git a/synapse/rest/admin/oidc.py b/synapse/rest/admin/oidc.py new file mode 100644 index 0000000000..a8e3d7ead3 --- /dev/null +++ b/synapse/rest/admin/oidc.py @@ -0,0 +1,50 @@ +# Copyright 2023 The Matrix.org Foundation C.I.C +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +from http import HTTPStatus +from typing import TYPE_CHECKING, Dict, Tuple + +from synapse.api.errors import InvalidClientTokenError +from synapse.http.servlet import RestServlet +from synapse.http.site import SynapseRequest +from synapse.rest.admin._base import admin_patterns, assert_requester_is_admin + +if TYPE_CHECKING: + from synapse.server import HomeServer + + +class OIDCTokenRevocationRestServlet(RestServlet): + """ + Delete a given token introspection response - identified by the `jti` field - from the + introspection token cache when a token is revoked at the authorizing server + """ + + PATTERNS = admin_patterns("/OIDC_token_revocation/(?P<token_id>[^/]*)") + + def __init__(self, hs: "HomeServer"): + super().__init__() + self.auth = hs.get_auth() + + async def on_DELETE( + self, request: SynapseRequest, token_id: str + ) -> Tuple[HTTPStatus, Dict]: + await assert_requester_is_admin(self.auth, request) + + try: + # mypy ignore - this attribute is defined on MSC3861DelegatedAuth, which is loaded via a config flag + # this endpoint will only be loaded if the same config flag is present + self.auth._token_cache.pop(token_id) # type: ignore[attr-defined] + except KeyError: + raise InvalidClientTokenError("Token not found.") + + return HTTPStatus.OK, {} |