diff --git a/synapse/api/auth/msc3861_delegated.py b/synapse/api/auth/msc3861_delegated.py
index 14cba50c90..ef5d3f9b81 100644
--- a/synapse/api/auth/msc3861_delegated.py
+++ b/synapse/api/auth/msc3861_delegated.py
@@ -28,7 +28,6 @@ from twisted.web.http_headers import Headers
from synapse.api.auth.base import BaseAuth
from synapse.api.errors import (
AuthError,
- Codes,
HttpResponseException,
InvalidClientTokenError,
OAuthInsufficientScopeError,
@@ -40,7 +39,6 @@ from synapse.logging.context import make_deferred_yieldable
from synapse.types import Requester, UserID, create_requester
from synapse.util import json_decoder
from synapse.util.caches.cached_call import RetryOnExceptionCachedCall
-from synapse.util.caches.expiringcache import ExpiringCache
if TYPE_CHECKING:
from synapse.server import HomeServer
@@ -109,20 +107,13 @@ class MSC3861DelegatedAuth(BaseAuth):
assert self._config.client_id, "No client_id provided"
assert auth_method is not None, "Invalid client_auth_method provided"
+ self._clock = hs.get_clock()
self._http_client = hs.get_proxied_http_client()
self._hostname = hs.hostname
self._admin_token = self._config.admin_token
self._issuer_metadata = RetryOnExceptionCachedCall(self._load_metadata)
- self._clock = hs.get_clock()
- self._token_cache: ExpiringCache[str, IntrospectionToken] = ExpiringCache(
- cache_name="introspection_token_cache",
- clock=self._clock,
- max_len=10000,
- expiry_ms=5 * 60 * 1000,
- )
-
if isinstance(auth_method, PrivateKeyJWTWithKid):
# Use the JWK as the client secret when using the private_key_jwt method
assert self._config.jwk, "No JWK provided"
@@ -161,20 +152,6 @@ class MSC3861DelegatedAuth(BaseAuth):
Returns:
The introspection response
"""
- # check the cache before doing a request
- introspection_token = self._token_cache.get(token, None)
-
- if introspection_token:
- # check the expiration field of the token (if it exists)
- exp = introspection_token.get("exp", None)
- if exp:
- time_now = self._clock.time()
- expired = time_now > exp
- if not expired:
- return introspection_token
- else:
- return introspection_token
-
metadata = await self._issuer_metadata.get()
introspection_endpoint = metadata.get("introspection_endpoint")
raw_headers: Dict[str, str] = {
@@ -188,10 +165,7 @@ class MSC3861DelegatedAuth(BaseAuth):
# Fill the body/headers with credentials
uri, raw_headers, body = self._client_auth.prepare(
- method="POST",
- uri=introspection_endpoint,
- headers=raw_headers,
- body=body,
+ method="POST", uri=introspection_endpoint, headers=raw_headers, body=body
)
headers = Headers({k: [v] for (k, v) in raw_headers.items()})
@@ -233,20 +207,10 @@ class MSC3861DelegatedAuth(BaseAuth):
"The introspection endpoint returned an invalid JSON response."
)
- expiration = resp.get("exp", None)
- if expiration:
- if self._clock.time() > expiration:
- raise InvalidClientTokenError("Token is expired.")
-
- introspection_token = IntrospectionToken(**resp)
-
- # add token to cache
- self._token_cache[token] = introspection_token
-
- return introspection_token
+ return IntrospectionToken(**resp)
async def is_server_admin(self, requester: Requester) -> bool:
- return SCOPE_SYNAPSE_ADMIN in requester.scope
+ return "urn:synapse:admin:*" in requester.scope
async def get_user_by_req(
self,
@@ -263,36 +227,6 @@ class MSC3861DelegatedAuth(BaseAuth):
# so that we don't provision the user if they don't have enough permission:
requester = await self.get_user_by_access_token(access_token, allow_expired)
- # Allow impersonation by an admin user using `_oidc_admin_impersonate_user_id` query parameter
- if request.args is not None:
- user_id_params = request.args.get(b"_oidc_admin_impersonate_user_id")
- if user_id_params:
- if await self.is_server_admin(requester):
- user_id_str = user_id_params[0].decode("ascii")
- impersonated_user_id = UserID.from_string(user_id_str)
- logging.info(f"Admin impersonation of user {user_id_str}")
- requester = create_requester(
- user_id=impersonated_user_id,
- scope=[SCOPE_MATRIX_API],
- authenticated_entity=requester.user.to_string(),
- )
- else:
- raise AuthError(
- 401,
- "Impersonation not possible by a non admin user",
- )
-
- # Deny the request if the user account is locked.
- if not allow_locked and await self.store.get_user_locked_status(
- requester.user.to_string()
- ):
- raise AuthError(
- 401,
- "User account has been locked",
- errcode=Codes.USER_LOCKED,
- additional_fields={"soft_logout": True},
- )
-
if not allow_guest and requester.is_guest:
raise OAuthInsufficientScopeError([SCOPE_MATRIX_API])
@@ -309,14 +243,14 @@ class MSC3861DelegatedAuth(BaseAuth):
# XXX: This is a temporary solution so that the admin API can be called by
# the OIDC provider. This will be removed once we have OIDC client
# credentials grant support in matrix-authentication-service.
- logging.info("Admin token used")
+ logging.info("Admin toked used")
# XXX: that user doesn't exist and won't be provisioned.
# This is mostly fine for admin calls, but we should also think about doing
# requesters without a user_id.
admin_user = UserID("__oidc_admin", self._hostname)
return create_requester(
user_id=admin_user,
- scope=[SCOPE_SYNAPSE_ADMIN],
+ scope=["urn:synapse:admin:*"],
)
try:
@@ -438,16 +372,3 @@ class MSC3861DelegatedAuth(BaseAuth):
scope=scope,
is_guest=(has_guest_scope and not has_user_scope),
)
-
- def invalidate_cached_tokens(self, keys: List[str]) -> None:
- """
- Invalidate the entry(s) in the introspection token cache corresponding to the given key
- """
- for key in keys:
- self._token_cache.invalidate(key)
-
- def invalidate_token_cache(self) -> None:
- """
- Invalidate the entire token cache.
- """
- self._token_cache.invalidate_all()
diff --git a/synapse/api/ratelimiting.py b/synapse/api/ratelimiting.py
index 887b214d64..02ae45e8b3 100644
--- a/synapse/api/ratelimiting.py
+++ b/synapse/api/ratelimiting.py
@@ -40,7 +40,7 @@ class Ratelimiter:
- the cost C of this request in tokens.
Then, if there is room in the bucket for C tokens (T + C <= `burst_count`),
the request is permitted and `cost` tokens are added to the bucket.
- Otherwise the request is denied, and the bucket continues to hold T tokens.
+ Otherwise, the request is denied, and the bucket continues to hold T tokens.
This means that the limiter enforces an average request frequency of `rate_hz`,
while accumulating a buffer of up to `burst_count` requests which can be consumed
@@ -55,9 +55,10 @@ class Ratelimiter:
request.
Args:
+ store: The datastore providing get_ratelimit_for_user.
clock: A homeserver clock, for retrieving the current time
- rate_hz: The long term number of actions that can be performed in a second.
- burst_count: How many actions that can be performed before being limited.
+ cfg: The ratelimit configuration for this rate limiter including the
+ allowed rate and burst count.
"""
def __init__(
|