| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
Rearrange the comments to try to clarify them, and expand on what some of it
means.
Use a sensible default 'bind_addresses' setting.
For the insecure port, only bind to localhost, and enable x_forwarded, since
apparently it's for use behind a load-balancer.
|
| |
|
| |
|
|\
| |
| | |
New listener resource for the federation API "openid/userinfo" endpoint
|
| |
| |
| |
| | |
Signed-off-by: Jason Robinson <jasonr@matrix.org>
|
| |
| |
| |
| |
| |
| | |
Instead document it commented out.
Signed-off-by: Jason Robinson <jasonr@matrix.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This allows the OpenID userinfo endpoint to be active even if the
federation resource is not active. The OpenID userinfo endpoint
is called by integration managers to verify user actions using the
client API OpenID access token. Without this verification, the
integration manager cannot know that the access token is valid.
The OpenID userinfo endpoint will be loaded in the case that either
"federation" or "openid" resource is defined. The new "openid"
resource is defaulted to active in default configuration.
Signed-off-by: Jason Robinson <jasonr@matrix.org>
|
| | |
|
|\ \ |
|
| | |
| | |
| | | |
Fixes #4559
|
| | | |
|
|/ /
| |
| |
| |
| |
| |
| |
| | |
* by default include m.room.encryption on invites
* fix constant
* changelog
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Handle listening for ACME requests on IPv6 addresses
the weird url-but-not-actually-a-url-string doesn't handle IPv6 addresses
without extra quoting. Building a string which you are about to parse again
seems like a weird choice. Let's just use listenTCP, which is consistent with
what we do elsewhere.
* Clean up the default ACME config
make it look a bit more consistent with everything else, and tweak the defaults
to listen on port 80.
* newsfile
|
| | |
|
|\ \
| | |
| | | |
Check consent dir path on startup
|
| | | |
|
|\ \ \
| |/ /
|/| | |
Don't recommend :8448 to people on public_baseurl
|
| | | |
|
|/ / |
|
| |
| |
| |
| |
| |
| |
| | |
If you use double-quotes here, you have to escape your backslashes. It's much
easier with single-quotes.
(Note that the existing double-backslashes are already interpreted by python's
""" parsing.)
|
|\ \
| | |
| | | |
Neilj/fix threepid auth check
|
| | | |
|
| |/ |
|
| |
| |
| |
| |
| |
| | |
This is leading to problems with people upgrading to clients that
support MSC1730 because people have this misconfigured, so try
to make the docs completely unambiguous.
|
|/ |
|
|\
| |
| | |
Config option to disable requesting MSISDN on registration
|
| | |
|
| | |
|
|/
|
| |
* remove dh_params and set better cipher string
|
| |
|
|\
| |
| |
| | |
Fixes #4371
|
| |
| |
| |
| |
| |
| | |
This is already fixed in 0.34.1, by 59f93bb
This reverts commit efc522c55e996e420271de2d9094835dda52ade4.
|
| |\ |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Raise a ConfigError if an invalid resource is specified
* Require Jinja 2.9 for the consent resource
* changelog
|
| | | |
|
| | |
| | |
| | | |
These settings are not supposed to be under 'listeners'.
|
|\| | |
|
| | |
| | |
| | |
| | | |
This is based on the work done by @krombel in #2601.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This implements both a SAML2 metadata endpoint (at
`/_matrix/saml2/metadata.xml`), and a SAML2 response receiver (at
`/_matrix/saml2/authn_response`). If the SAML2 response matches what's been
configured, we complete the SSO login flow by redirecting to the client url
(aka `RelayState` in SAML2 jargon) with a login token.
What we don't yet have is anything to build a SAML2 request and redirect the
user to the identity provider. That is left as an exercise for the reader.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Rip out half-implemented m.login.saml2 support
This was implemented in an odd way that left most of the work to the client, in
a way that I really didn't understand. It's going to be a pain to maintain, so
let's start by ripping it out.
* drop undocumented dependency on dateutil
It turns out we were relying on dateutil being pulled in transitively by
pysaml2. There's no need for that bloat.
|
|/ /
| |
| |
| | |
Sometimes it's useful for synapse to generate its own .well-known file.
|
| | |
|
| |
| |
| |
| |
| |
| | |
in it (#4230)
This is useful for homeservers not intended for users, such as bot-only homeservers or ones that only process IoT data.
|
| |
| |
| |
| | |
configuration (#4207)
|
| | |
|
| |
| |
| |
| | |
So people can still collect consent the old way if they want to.
|
| | |
|
|\ \
| | |
| | |
| | | |
erikj/alias_disallow_list
|
| |\ \
| | | |
| | | |
| | | | |
matthew/autocreate_autojoin
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Broadly three things here:
* disable W504 which seems a bit whacko
* remove a bunch of `as e` expressions from exception handlers that don't use
them
* use `r""` for strings which include backslashes
Also, we don't use pep8 any more, so we can get rid of the duplicate config
there.
|
| | | |
| | | |
| | | |
| | | | |
on py3) (#4068)
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| |/ /
|/| | |
|
| | | |
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| | |
move the example email templates into the synapse package so that they can be
used as package data, which should mean that all of the packaging mechanisms
(pip, docker, debian, arch, etc) should now come with the example templates.
In order to grandfather in people who relied on the templates being in the old
place, check for that situation and fall back to using the defaults if the
templates directory does not exist.
|
| |
| |
| |
| | |
Signed-off-by: Schnuffle <schnuffle@github.com>
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
This handy code attempted to check that we could import jwt, but utterly failed
to check it was the right jwt.
Fixes https://github.com/matrix-org/synapse/issues/3793
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| | |
AuthError in all cases
|
| |
| |
| |
| |
| |
| | |
return AuthError in all cases"
This reverts commit 0d43f991a19840a224d3dac78d79f13d78212ee6.
|
| |
| |
| |
| | |
AuthError in all cases
|
| |
| |
| |
| | |
... because logging *before* reloading means the log message gets lost in the old MemoryLogger
|
|\ \ |
|
| | | |
|
| | | |
|
|/ / |
|
|/ |
|
|\ |
|
| |\
| | |
| | | |
document that the affinity package is required for the cpu_affinity setting
|
| | | |
|
| | |\
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Changes in synapse v0.31.0 (2018-06-06)
======================================
Most notable change from v0.30.0 is to switch to python prometheus library to improve system
stats reporting. WARNING this changes a number of prometheus metrics in a
backwards-incompatible manner. For more details, see
`docs/metrics-howto.rst <docs/metrics-howto.rst#removal-of-deprecated-metrics--time-based-counters-becoming-histograms-in-0310>`_.
Bug Fixes:
* Fix metric documentation tables (PR #3341)
* Fix LaterGuage error handling (694968f)
* Fix replication metrics (b7e7fd2)
Changes in synapse v0.31.0-rc1 (2018-06-04)
==========================================
Features:
* Switch to the Python Prometheus library (PR #3256, #3274)
* Let users leave the server notice room after joining (PR #3287)
Changes:
* daily user type phone home stats (PR #3264)
* Use iter* methods for _filter_events_for_server (PR #3267)
* Docs on consent bits (PR #3268)
* Remove users from user directory on deactivate (PR #3277)
* Avoid sending consent notice to guest users (PR #3288)
* disable CPUMetrics if no /proc/self/stat (PR #3299)
* Add local and loopback IPv6 addresses to url_preview_ip_range_blacklist (PR #3312) Thanks to @thegcat!
* Consistently use six's iteritems and wrap lazy keys/values in list() if they're not meant to be lazy (PR #3307)
* Add private IPv6 addresses to example config for url preview blacklist (PR #3317) Thanks to @thegcat!
* Reduce stuck read-receipts: ignore depth when updating (PR #3318)
* Put python's logs into Trial when running unit tests (PR #3319)
Changes, python 3 migration:
* Replace some more comparisons with six (PR #3243) Thanks to @NotAFile!
* replace some iteritems with six (PR #3244) Thanks to @NotAFile!
* Add batch_iter to utils (PR #3245) Thanks to @NotAFile!
* use repr, not str (PR #3246) Thanks to @NotAFile!
* Misc Python3 fixes (PR #3247) Thanks to @NotAFile!
* Py3 storage/_base.py (PR #3278) Thanks to @NotAFile!
* more six iteritems (PR #3279) Thanks to @NotAFile!
* More Misc. py3 fixes (PR #3280) Thanks to @NotAFile!
* remaining isintance fixes (PR #3281) Thanks to @NotAFile!
* py3-ize state.py (PR #3283) Thanks to @NotAFile!
* extend tox testing for py3 to avoid regressions (PR #3302) Thanks to @krombel!
* use memoryview in py3 (PR #3303) Thanks to @NotAFile!
Bugs:
* Fix federation backfill bugs (PR #3261)
* federation: fix LaterGauge usage (PR #3328) Thanks to @intelfx!
|
| | | | |
|
| | | | |
|
| | | | |
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | | |
This default config is parsed and used a base before the actual
config is overlaid, so with these values not commented out, the
code to detect when no turn params were set and refuse to generate
credentials was never firing because the dummy default was always set.
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
We need to do a bit more validation when we get a server name, but don't want
to be re-doing it all over the shop, so factor out a separate
parse_and_validate_server_name, and do the extra validation.
Also, use it to verify the server name in the config file.
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | | |
I'm fed up with never being able to find the point a server restarted in the
logs.
|
|\| |
| |/
|/| |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
The added addresses are expected to be local or loopback addresses and
shouldn't be spidered for previews.
Signed-off-by: Felix Schäfer <felix@thegcat.net>
|
| | |
|
| |
| |
| |
| | |
bool("False") == True...
|
|/
|
|
| |
we think it makes sense not to send the notices to guest users.
|
|
|
|
| |
probably should have done this in the first place, like @turt2live suggested.
|
|
|
|
|
| |
Make it possible to put the URI in the error message and the server notice that
get sent by the server
|
|
|
|
|
|
| |
Returns an M_CONSENT_NOT_GIVEN error (cf
https://github.com/matrix-org/matrix-doc/issues/1252) if consent is not yet
given.
|
|
|
|
| |
turns out we need to reuse this, so it's better in the config class.
|
|
|
|
|
| |
When a user first syncs, we will send them a server notice asking them to
consent to the privacy policy if they have not already done so.
|
|
|
|
| |
we're going to use it for the version we require too.
|
| |
|
|
|
|
|
|
|
| |
Server Notices use a special room which the user can't dismiss. They are
created on demand when some other bit of the code calls send_notice.
(This doesn't actually do much yet becuse we don't call send_notice anywhere)
|
|
|
|
|
| |
Hopefully there are enough comments and docs in this that it makes sense on its
own.
|
|\
| |
| | |
Open config file in non-bytes mode
|
| |
| |
| |
| | |
Signed-off-by: Adrian Tschira <nota@notafile.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Nothing written into it is encoded, so it makes little sense, but it
does break in python3 the way it was before.
The variable names were adjusted to be less misleading.
Signed-off-by: Adrian Tschira <nota@notafile.com>
|
|\ \
| | |
| | | |
Open certificate files as bytes
|
| |/
| |
| |
| |
| |
| | |
That's what pyOpenSSL expects on python3
Signed-off-by: Adrian Tschira <nota@notafile.com>
|
|/
|
|
|
|
| |
The imports were shuffled around a bunch in py3
Signed-off-by: Adrian Tschira <nota@notafile.com>
|
|\
| |
| | |
use python3-compatible prints
|
| | |
|
|/
|
|
| |
Signed-off-by: Adrian Tschira <nota@notafile.com>
|
| |
|
| |
|
|
|
|
|
|
| |
Add federation_domain_whitelist
gives a way to restrict which domains your HS is allowed to federate with.
useful mainly for gracefully preventing a private but internet-connected HS from trying to federate to the wider public Matrix network
|
|\
| |
| | |
add registrations_require_3pid and allow_local_3pids
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* [ ] split config options into allowed_local_3pids and registrations_require_3pid
* [ ] simplify and comment logic for picking registration flows
* [ ] fix docstring and move check_3pid_allowed into a new util module
* [ ] use check_3pid_allowed everywhere
@erikjohnston PTAL
|
| |
| |
| |
| |
| | |
lets homeservers specify a whitelist for 3PIDs that users are allowed to associate with.
Typically useful for stopping people from registering with non-work emails
|
| | |
|
| | |
|
| | |
|
|/ |
|
| |
|
| |
|
|\
| |
| | |
Fix broken config UTs
|
| |
| |
| |
| |
| | |
https://github.com/matrix-org/synapse/pull/2755 broke log-config generation,
which in turn broke the unit tests.
|
|/
|
|
| |
(we had a mix of 2- and 4-space indents)
|
|
|
|
|
|
| |
... because these only really exist to confuse people nowadays.
Also bring log config more into line with the generated log config, by making `level_for_storage`
apply to the `synapse.storage.SQL` logger rather than `synapse.storage`.
|
|\
| |
| | |
synapse/config/password_auth_providers: Fixed bracket typo
|
| |
| |
| |
| | |
Signed-off-by: Richard von Seck <richard.von-seck@gmx.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Binding on 0.0.0.0 when :: is specified in the bind_addresses is now allowed.
This causes a warning explaining the behaviour.
Configuration changed to match.
See #2232
Signed-off-by: Silke Hofstra <silke@slxh.eu>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Most deployments are on Linux (or Mac OS), so this would actually bind
on both IPv4 and IPv6.
Resolves #1886.
Signed-off-by: Willem Mulder <willemmaster@hotmail.com>
|
| | |
|
| | |
|
|\ \ |
|
| | |
| | |
| | |
| | | |
... to stop us doing the cache cleanup jobs on the master.
|
| | | |
|
| | | |
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| | |
additional users
Initial commit; this doesn't work yet - the LIKE filtering seems too aggressive.
It also needs _do_initial_spam to be aware of prepopulating the whole user_directory_search table with all users...
...and it needs a handle_user_signup() or something to be added so that new signups get incrementally added to the table too.
Committing it here as a WIP
|
|/ |
|
|
|
|
| |
because we had to wait until the logger was set up
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The redact_content option never worked because it read the wrong config
section. The PR introducing it
(https://github.com/matrix-org/synapse/pull/2301) had feedback suggesting the
name be changed to not re-use the term 'redact' but this wasn't
incorporated.
This reanmes the option to give it a less confusing name, and also
means that people who've set the redact_content option won't suddenly
see a behaviour change when upgrading synapse, but instead can set
include_content if they want to.
This PR also updates the wording of the config comment to clarify
that this has no effect on event_id_only push.
Includes https://github.com/matrix-org/synapse/pull/2422
|
|
|
|
|
| |
Let the user specify custom modules which can be used for implementing extra
endpoints.
|
|
|
|
|
|
|
| |
try to make the backwards-compat flows follow the same code paths as the modern
impl.
This commit should be non-functional.
|
| |
|
|
|
|
| |
Fixes 'UnboundLocalError: local variable 'sighup' referenced before assignment'
|
| |
|
|
|
|
| |
what could possibly go wrong
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
`os.path.exists` doesn't allow us to distinguish between permissions errors and
the path actually not existing, which repeatedly confuses people. It also means
that we try to overwrite existing key files, which is super-confusing. (cf
issues #2455, #2379). Use os.stat instead.
Also, don't recomemnd the the use of --generate-config, which screws everything
up if you're using debian (cf #2455).
|
| |
|
|
|
|
|
| |
New users who register on the server will be dumped into all rooms in
auto_join_rooms in the config.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
So it can be reused
|
|
|
|
|
| |
- allows sysadmins the ability to lock down their servers so that people can't
send their users room invites.
|
|
|
|
| |
escape the % that got added in 92168cb so that the process starts up ok.
|
| |
|
|
|
|
|
| |
Make it possible to set the CPU affinity in the config file, so that we don't
need to remember to do it manually every time.
|
| |
|
|
|
|
| |
push.redact_content
|
| |
|
| |
|
|
|
|
| |
for google/apple devices
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Set the limit on the returned events in the timeline in the get and sync
operations. The default value is -1, means no upper limit.
For example, using `filter_timeline_limit: 5000`:
POST /_matrix/client/r0/user/user:id/filter
{
room: {
timeline: {
limit: 1000000000000000000
}
}
}
GET /_matrix/client/r0/user/user:id/filter/filter:id
{
room: {
timeline: {
limit: 5000
}
}
}
The server cuts down the room.timeline.limit.
|
|
|
|
| |
Signed-off-by: Matthew Wolff <matthewjwolff@gmail.com>
|
| |
|
|\
| |
| | |
Support authenticated SMTP
|
| |
| |
| |
| |
| |
| | |
Closes (SYN-714) #1385
Signed-off-by: Daniel Dent <matrixcontrib@contactdaniel.net>
|
|\ \
| |/
|/| |
Move to using TCP replication
|
| | |
|
| | |
|
| | |
|
| | |
|
|/ |
|
| |
|
|\
| |
| | |
Add an option to disable stdio redirect
|
| |
| |
| |
| | |
This makes it tractable to run synapse under pdb.
|
| |
| |
| |
| | |
- to make it easier to add more config options.
|
|/
|
|
| |
When we are using a log_config file, reread it on SIGHUP.
|
|
|
|
| |
Signed-off-by: Tyler Smith <tylersmith.me@gmail.com>
|
|\
| |
| | |
Make worker listener config backwards compat
|
| | |
|
| | |
|
|/
|
|
|
| |
It makes it possible to use a turn server that needs a username and
password instead of a token.
|
|
|
|
|
|
|
|
|
|
| |
The URLs used for notification emails were hardcoded to use either matrix.to
or vector.im; but for self-hosted setups where Riot is also self-hosted it
may be desirable to allow configuring an alternative Riot URL.
Fixes #1809.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
|
|\
| |
| | |
Restore default bind address
|
| | |
|
| | |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The debug 'full_twisted_stacktraces' flag caused synapse to rewrite
twisted deferreds to always fire the callback on the next reactor tick.
This was to force the deferred to always store the stacktraces on
exceptions, and thus be more likely to have a full stacktrace when it
reaches the final error handlers and gets printed to the logs.
Dynamically rewriting things is generally bad, and in particular this
change violates assumptions of various bits of Twisted. This wouldn't
necessarily be so bad, but it turns out this option has been turned on
on some production servers.
Turning the option can cause e.g. #1778.
For now, lets just entirely nuke this option.
|
|\ |
|
| |
| |
| |
| |
| | |
Hopefully adding an observer to the new framework will avoid a memory
leak https://twistedmatrix.com/trac/ticket/8164
|
| |
| |
| |
| | |
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
|
|/
|
|
| |
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
|
| |
|
|
|
|
|
|
|
|
| |
The 'time' caveat on the access tokens was something of a lie, since we weren't
enforcing it; more pertinently its presence stops us ever adding useful time
caveats.
Let's move in the right direction by not lying in our caveats.
|
| |
|
| |
|
|\
| |
| | |
Add support for durations in minutes
|
| | |
|
| | |
|
|/ |
|
|
|
|
| |
This adds a flag loaded from the registration file of an AS that will determine whether or not its users are rate limited (by ratelimit in _base.py). Needed for IRC bridge reasons - see https://github.com/matrix-org/matrix-appservice-irc/issues/240.
|
|\
| |
| | |
Add config option for adding additional TLS fingerprints
|
| | |
|
| | |
|
| | |
|
|/
|
|
|
|
| |
Allows delegating the password auth to an external module. This also
moves the LDAP auth to using this system, allowing it to be removed from
the synapse tree entirely in the future.
|
| |
|
| |
|
|
|
|
| |
Change how we validate the 'url' field as a result.
|
| |
|
|
|
|
|
|
| |
If 'url' is not specified, they will not be pushed for events or queries. This
is useful for bots who simply wish to reserve large chunks of user/alias
namespace, and don't care about being pushed for events.
|
|\
| |
| | |
3rd party entity lookup
|
| | |
|
|/ |
|
|
|
|
| |
Signed-off-by: Kent Shikama <kent@kentshikama.com>
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
Signed-off-by: Kent Shikama <kent@kentshikama.com>
|
| |
|
|\ |
|
| |\ |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Use the pure-python ldap3 library, which eliminates the need for a
system dependency.
Offer both a `search` and `simple_bind` mode, for more sophisticated
ldap scenarios.
- `search` tries to find a matching DN within the `user_base` while
employing the `user_filter`, then tries the bind when a single
matching DN was found.
- `simple_bind` tries the bind against a specific DN by combining the
localpart and `user_base`
Offer support for STARTTLS on a plain connection.
The configuration was changed to reflect these new possibilities.
Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de>
|
| |/
|/|
| |
| |
| |
| | |
The existing content can still be downloaded. The last upload to the
matrix.org server was in January 2015, so it is probably safe to remove
the upload API.
|