summary refs log tree commit diff
path: root/synapse/config (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Remove unstable MSC3283 flags (#12018)Erik Johnston2022-02-171-3/+0
| | | Fixes #11962
* Faster joins: parse msc3706 fields in send_join response (#12011)Richard van der Hoff2022-02-171-0/+4
| | | Part of my work on #11249: add code to handle the new fields added in MSC3706.
* Remove support for the legacy structured logging configuration. (#12008)Patrick Cloke2022-02-171-4/+8
|
* remove empty file, reword/rename newsfragment, and add line to upgrade docH. Shay2022-02-141-0/+0
|
* Use version string helper from matrix-common (#11979)David Robertson2022-02-141-3/+6
| | | | * Require latest matrix-common * Use the common function
* Implement MSC3706: partial state in `/send_join` response (#11967)Richard van der Hoff2022-02-121-0/+3
| | | | | | | | | | | | * Make `get_auth_chain_ids` return a Set It has a set internally, and a set is often useful where it gets used, so let's avoid converting to an intermediate list. * Minor refactors in `on_send_join_request` A little bit of non-functional groundwork * Implement MSC3706: partial state in /send_join response
* Enable cache time-based expiry by default (#11849)Shay2022-02-112-7/+33
|
* Experimental support to include bundled aggregations in search results ↵Patrick Cloke2022-02-081-0/+2
| | | | (MSC3666) (#11837)
* Remove support for the webclient listener. (#11895)Patrick Cloke2022-02-031-36/+12
| | | Also remove support for non-HTTP(S) web_client_location.
* Add a ratelimiter for 3pid invite (#11892)Brendan Abolivier2022-02-031-0/+15
|
* Revert experimental push rules from #7997. (#11884)Patrick Cloke2022-02-021-13/+0
| | | Manually reverts the merge from cdbb8e6d6e36e0b6bc36e676d8fe66c96986b399.
* Send to-device messages to application services (#11215)Andrew Morgan2022-02-011-0/+7
| | | Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
* Remove the obsolete MSC1849 configuration flag. (#11843)Patrick Cloke2022-01-311-2/+0
| | | | | MSC1849 was replaced by MSC2675, which was merged. The configuration flag, which defaulted to true, is no longer useful.
* Configurable limits on avatars (#11846)Brendan Abolivier2022-01-281-0/+27
| | | | | | Only allow files which file size and content types match configured limits to be set as avatar. Most of the inspiration from the non-test code comes from matrix-org/synapse-dinsic#19
* Fix some indentation inconsistencies in the sample config (modules) (#11838)Dirk Klimpel2022-01-271-5/+5
|
* Add a config flag to inhibit `M_USER_IN_USE` during registration (#11743)Brendan Abolivier2022-01-261-0/+12
| | | | | | | This is mostly motivated by the tchap use case, where usernames are automatically generated from the user's email address (in a way that allows figuring out the email address from the username). Therefore, it's an issue if we respond to requests on /register and /register/available with M_USER_IN_USE, because it can potentially leak email addresses (which include the user's real name and place of work). This commit adds a flag to inhibit the M_USER_IN_USE errors that are raised both by /register/available, and when providing a username early into the registration process. This error will still be raised if the user completes the registration process but the username conflicts. This is particularly useful when using modules (https://github.com/matrix-org/synapse/pull/11790 adds a module callback to set the username of users at registration) or SSO, since they can ensure the username is unique. More context is available in the PR that introduced this behaviour to synapse-dinsic: matrix-org/synapse-dinsic#48 - as well as the issue in the matrix-dinsic repo: matrix-org/matrix-dinsic#476
* Add deprecation warnings for `webclient` listener and non-HTTP(S) ↵Patrick Cloke2022-01-201-14/+20
| | | | | | | `web_client_location`. (#11774) This changes the behaviour of the root endpoint to redirect directly to the configuration of `web_client_location` if it is given an HTTP(S) URL.
* Fix up docs for `track_puppeted_user_ips` (again) (#11757)Richard van der Hoff2022-01-171-4/+12
| | | Fixes #11741
* Update documentation for configuring facebook login (#11755)Richard van der Hoff2022-01-171-3/+6
| | | ... and a minor thinko fix in the sample config.
* Fix sample_config.yaml in regards track_puppeted_user_ips (#11749)Jason Robinson2022-01-141-5/+6
| | | | | | | * Fix sample_config.yaml in regards track_puppeted_user_ips Closes #11741 Signed-off-by: Jason Robinson <jasonr@matrix.org>
* update room spec url in config files (#11739)qwertyforce2022-01-131-1/+1
| | | | | | | * change spec url in config files * Create 11739.txt * .txt -> .doc
* Use auto_attribs/native type hints for attrs classes. (#11692)Patrick Cloke2022-01-133-29/+23
|
* Allow tracking puppeted users for MAU (#11561)Jason Robinson2022-01-121-0/+10
| | | | | | | | | | | | | | | Currently when puppeting another user, the user doing the puppeting is tracked for client IPs and MAU (if configured). When tracking MAU is important, it becomes necessary to be possible to also track the client IPs and MAU of puppeted users. As an example a client that manages user creation and creation of tokens via the Synapse admin API, passing those tokens for the client to use. This PR adds optional configuration to enable tracking of puppeted users into monthly active users. The default behaviour stays the same. Signed-off-by: Jason Robinson <jasonr@matrix.org>
* Fix link from generated configuration file to documentation (#11678)Philipp Matthias Schäfer2022-01-051-1/+1
| | | | Co-authored-by: reivilibre <olivier@librepush.net> Co-authored-by: reivilibre <oliverw@matrix.org>
* Re-apply: Move glob_to_regex and re_word_boundary to matrix-python-common ↵reivilibre2022-01-052-2/+4
| | | | | #11505 (#11687) Co-authored-by: Sean Quah <seanq@element.io>
* Include the topic event in the prejoin state, per MSC3173. (#11666)Patrick Cloke2022-01-041-0/+2
| | | | Invites and knocks will now include the topic in the stripped state send to clients before joining the room.
* Convert all namedtuples to attrs. (#11665)Patrick Cloke2021-12-301-16/+18
| | | To improve type hints throughout the code.
* Add MSC2716 and MSC3030 to `/versions` -> `unstable_features` (#11582)Eric Eastwood2021-12-161-1/+1
| | | | As suggested in https://github.com/matrix-org/matrix-react-sdk/pull/7372#discussion_r769523369
* Add experimental support for MSC3202: allowing application services to ↵reivilibre2021-12-151-0/+5
| | | | masquerade as specific devices. (#11538)
* Add missing type hints to `synapse.appservice` (#11360)Patrick Cloke2021-12-141-2/+1
|
* Additional type hints for the config module, part 2. (#11480)Patrick Cloke2021-12-094-19/+27
|
* Revert "Move `glob_to_regex` and `re_word_boundary` to ↵Sean Quah2021-12-072-4/+2
| | | | | | `matrix-python-common` (#11505) (#11527) This reverts commit a77c36989785c0d5565ab9a1169f4f88e512ce8a.
* Stabilise support for MSC2918 refresh tokens as they have now been merged ↵reivilibre2021-12-061-0/+38
| | | | into the Matrix specification. (#11435)
* Move `glob_to_regex` and `re_word_boundary` to `matrix-python-common` (#11505)Sean Quah2021-12-062-2/+4
|
* Support configuring the lifetime of non-refreshable access tokens separately ↵reivilibre2021-12-031-0/+49
| | | | to refreshable access tokens. (#11445)
* Add MSC3030 experimental client and federation API endpoints to get the ↵Eric Eastwood2021-12-021-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | closest event to a given timestamp (#9445) MSC3030: https://github.com/matrix-org/matrix-doc/pull/3030 Client API endpoint. This will also go and fetch from the federation API endpoint if unable to find an event locally or we found an extremity with possibly a closer event we don't know about. ``` GET /_matrix/client/unstable/org.matrix.msc3030/rooms/<roomID>/timestamp_to_event?ts=<timestamp>&dir=<direction> { "event_id": ... "origin_server_ts": ... } ``` Federation API endpoint: ``` GET /_matrix/federation/unstable/org.matrix.msc3030/timestamp_to_event/<roomID>?ts=<timestamp>&dir=<direction> { "event_id": ... "origin_server_ts": ... } ``` Co-authored-by: Erik Johnston <erik@matrix.org>
* Additional type hints for config module. (#11465)Patrick Cloke2021-12-0113-98/+126
| | | | This adds some misc. type hints to helper methods used in the `synapse.config` module.
* Add type annotations to some of the configuration surrounding refresh ↵reivilibre2021-11-291-2/+5
| | | | tokens. (#11428)
* Support expiry of refresh tokens and expiry of the overall session when ↵reivilibre2021-11-261-17/+7
| | | | refresh tokens are in use. (#11425)
* Rename unstable `access_token_lifetime` configuration option to ↵reivilibre2021-11-231-8/+15
| | | | `refreshable_access_token_lifetime` to make it clear it only concerns refreshable access tokens. (#11388)
* Add missing type hints to config base classes (#11377)Patrick Cloke2021-11-237-99/+162
|
* Add config for customizing the claim used for JWT logins. (#11361)Kostas2021-11-221-0/+9
| | | | | Allows specifying a different claim (from the default "sub") to use when calculating the localpart of the Matrix ID used during the JWT login.
* Add an admin API to run background jobs. (#11352)Dirk Klimpel2021-11-191-2/+2
| | | | | | Instead of having admins poke into the database directly. Can currently run jobs to populate stats and to populate the user directory.
* Fix checking whether a room can be published on creation. (#11392)Patrick Cloke2021-11-191-22/+28
| | | | | | | | If `room_list_publication_rules` was configured with a rule with a non-wildcard alias and a room was created with an alias then an internal server error would have been thrown. This fixes the error and properly applies the publication rules during room creation.
* Remove dead code from acme support. (#11393)Patrick Cloke2021-11-191-50/+0
|
* Remove legacy code related to deprecated ↵Shay2021-11-182-29/+8
| | | | | | | | | | | | | | | | | | | | | `trust_identity_server_for_password_resets` config flag (#11333) * remove code legacy code related to deprecated config flag "trust_identity_server_for_password_resets" from synapse/config/emailconfig.py * remove legacy code supporting depreciated config flag "trust_identity_server_for_password_resets" from synapse/config/registration.py * remove legacy code supporting depreciated config flag "trust_identity_server_for_password_resets" from synapse/handlers/identity.py * add tests to ensure config error is thrown and synapse refuses to start when depreciated config flag is found * add changelog * slightly change behavior to only check for deprecated flag if set to 'true' * Update changelog.d/11333.misc Co-authored-by: reivilibre <oliverw@matrix.org> Co-authored-by: reivilibre <oliverw@matrix.org>
* Docs: Quote wildcard `federation_certificate_verification_whitelist` (#11381)Nicolai Søborg2021-11-181-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Otherwise I get this beautiful stacktrace: ``` python3 -m synapse.app.homeserver --config-path /etc/matrix/homeserver.yaml Traceback (most recent call last): File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main return _run_code(code, main_globals, None, File "/usr/lib/python3.8/runpy.py", line 87, in _run_code exec(code, run_globals) File "/root/synapse/synapse/app/homeserver.py", line 455, in <module> main() File "/root/synapse/synapse/app/homeserver.py", line 445, in main hs = setup(sys.argv[1:]) File "/root/synapse/synapse/app/homeserver.py", line 345, in setup config = HomeServerConfig.load_or_generate_config( File "/root/synapse/synapse/config/_base.py", line 671, in load_or_generate_config config_dict = read_config_files(config_files) File "/root/synapse/synapse/config/_base.py", line 717, in read_config_files yaml_config = yaml.safe_load(file_stream) File "/root/synapse/env/lib/python3.8/site-packages/yaml/__init__.py", line 125, in safe_load return load(stream, SafeLoader) File "/root/synapse/env/lib/python3.8/site-packages/yaml/__init__.py", line 81, in load return loader.get_single_data() File "/root/synapse/env/lib/python3.8/site-packages/yaml/constructor.py", line 49, in get_single_data node = self.get_single_node() File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 36, in get_single_node document = self.compose_document() File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 55, in compose_document node = self.compose_node(None, None) File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 84, in compose_node node = self.compose_mapping_node(anchor) File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 133, in compose_mapping_node item_value = self.compose_node(node, item_key) File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 82, in compose_node node = self.compose_sequence_node(anchor) File "/root/synapse/env/lib/python3.8/site-packages/yaml/composer.py", line 110, in compose_sequence_node while not self.check_event(SequenceEndEvent): File "/root/synapse/env/lib/python3.8/site-packages/yaml/parser.py", line 98, in check_event self.current_event = self.state() File "/root/synapse/env/lib/python3.8/site-packages/yaml/parser.py", line 379, in parse_block_sequence_first_entry return self.parse_block_sequence_entry() File "/root/synapse/env/lib/python3.8/site-packages/yaml/parser.py", line 384, in parse_block_sequence_entry if not self.check_token(BlockEntryToken, BlockEndToken): File "/root/synapse/env/lib/python3.8/site-packages/yaml/scanner.py", line 116, in check_token self.fetch_more_tokens() File "/root/synapse/env/lib/python3.8/site-packages/yaml/scanner.py", line 227, in fetch_more_tokens return self.fetch_alias() File "/root/synapse/env/lib/python3.8/site-packages/yaml/scanner.py", line 610, in fetch_alias self.tokens.append(self.scan_anchor(AliasToken)) File "/root/synapse/env/lib/python3.8/site-packages/yaml/scanner.py", line 922, in scan_anchor raise ScannerError("while scanning an %s" % name, start_mark, yaml.scanner.ScannerError: while scanning an alias in "/etc/matrix/homeserver.yaml", line 614, column 5 expected alphabetic or numeric character, but found '.' in "/etc/matrix/homeserver.yaml", line 614, column 6 ``` Signed-off-by: Nicolai Søborg <git@xn--sb-lka.org>
* Default value for `public_baseurl` (#11210)Richard van der Hoff2021-11-088-54/+53
| | | | | We might as well use a default value for `public_baseurl` based on `server_name` - in many cases, it will be correct.
* Enable passing typing stream writers as a list. (#11237)Nick Barrett2021-11-031-3/+15
| | | | This makes the typing stream writer config match the other stream writers that only currently support a single worker.
* Support for serving server well-known files (#11211)Richard van der Hoff2021-11-011-0/+19
| | | | Fixes https://github.com/matrix-org/synapse/issues/8308
* Add type hints for most `HomeServer` parameters (#11095)Sean Quah2021-10-221-1/+8
|
* Fix synapse.config module "read" command (#11145)Jason Robinson2021-10-221-13/+33
| | | | | | | | | | `synapse.config.__main__` has the possibility to read a config item. This can be used to conveniently also validate the config is valid before trying to start Synapse. The "read" command broke in https://github.com/matrix-org/synapse/pull/10916 as it now requires passing in "server.server_name" for example. Also made the read command optional so one can just call this with just the confirm file reference and get a "Config parses OK" if things are ok. Signed-off-by: Jason Robinson <jasonr@matrix.org> Co-authored-by: Brendan Abolivier <babolivier@matrix.org>
* Add a thread relation type per MSC3440. (#11088)Patrick Cloke2021-10-211-0/+2
| | | | Adds experimental support for MSC3440's `io.element.thread` relation type (and the aggregation for it).
* Move experimental & retention config out of the server module. (#11070)Patrick Cloke2021-10-155-201/+233
|
* Port the Password Auth Providers module interface to the new generic ↵Azrenbeth2021-10-131-30/+23
| | | | | | interface (#10548) Co-authored-by: Azrenbeth <7782548+Azrenbeth@users.noreply.github.com> Co-authored-by: Brendan Abolivier <babolivier@matrix.org>
* Relax `ignore-missing-imports` for modules that have stubs now and update ↵David Robertson2021-10-081-3/+6
| | | | | | | | | | | | mypy (#11006) Updating mypy past version 0.9 means that third-party stubs are no-longer distributed with typeshed. See http://mypy-lang.blogspot.com/2021/06/mypy-0900-released.html for details. We therefore pull in stub packages in setup.py Additionally, some modules that we were previously ignoring import failures for now have stubs. So let's use them. The rest of this change consists of fixups to make the newer mypy + stubs pass CI. Co-authored-by: Patrick Cloke <clokep@users.noreply.github.com>
* Require direct references to configuration variables. (#10985)Patrick Cloke2021-10-0611-73/+33
| | | | | | This removes the magic allowing accessing configurable variables directly from the config object. It is now required that a specific configuration class is used (e.g. `config.foo` must be replaced with `config.server.foo`).
* Use direct references for configuration variables (part 6). (#10916)Patrick Cloke2021-09-292-4/+2
|
* Clean-up type hints in server config (#10915)Patrick Cloke2021-09-281-51/+49
| | | | | | By using attrs instead of dicts to store configuration. Also updates some of the attrs classes to use proper type hints and auto_attribs.
* Fix race conditions when creating media store and config directories (#10913)Sean Quah2021-09-271-7/+2
|
* Use direct references for configuration variables (part 5). (#10897)Patrick Cloke2021-09-241-1/+3
|
* Use direct references for configuration variables (part 4). (#10893)Patrick Cloke2021-09-231-1/+1
|
* Use direct references for some configuration variables (part 3) (#10885)Patrick Cloke2021-09-231-3/+6
| | | | | | | | This avoids the overhead of searching through the various configuration classes by directly referencing the class that the attributes are in. It also improves type hints since mypy can now resolve the types of the configuration variables.
* Remove unnecessary parentheses around tuples returned from methods (#10889)Andrew Morgan2021-09-231-1/+1
|
* Always add local users to the user directory (#10796)David Robertson2021-09-211-5/+9
| | | | | | | | | | | | | | | | | | | | | | | It's a simplification, but one that'll help make the user directory logic easier to follow with the other changes upcoming. It's not strictly required for those changes, but this will help simplify the resulting logic that listens for `m.room.member` events and generally make the logic easier to follow. This means the config option `search_all_users` ends up controlling the search query only, and not the data we store. The cost of doing so is an extra row in the `user_directory` and `user_directory_search` tables for each local user which - belongs to no public rooms - belongs to no private rooms of size ≥ 2 I think the cost of this will be marginal (since they'll already have entries in `users` and `profiles` anyway). As a small upside, a homeserver whose directory was built with this change can toggle `search_all_users` without having to rebuild their directory. Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
* Require type hints in the handlers module. (#10831)Patrick Cloke2021-09-201-2/+2
| | | | | | | Adds missing type hints to methods in the synapse.handlers module and requires all methods to have type hints there. This also removes the unused construct_auth_difference method from the FederationHandler.
* Use direct references for some configuration variables (#10798)Patrick Cloke2021-09-131-2/+2
| | | | Instead of proxying through the magic getter of the RootConfig object. This should be more performant (and is more explicit).
* Fix copy-paste error in the password section of the sample-config. (#10804)BramvdnHeuvel2021-09-131-1/+1
|
* Add types to synapse.util. (#10601)reivilibre2021-09-101-16/+17
|
* Remove unstable MSC2858 API, including `experimental.msc2858_enabled` config ↵Sean2021-09-092-13/+0
| | | | | option (#10693) Signed-off-by: Sean Quah <seanq@element.io>
* Request JSON for oEmbed requests (and ignore XML only providers). (#10759)Patrick Cloke2021-09-081-4/+20
| | | | | | | | This adds the format to the request arguments / URL to ensure that JSON data is returned (which is all that Synapse supports). This also adds additional error checking / filtering to the configuration file to ignore XML-only providers.
* Merge tag 'v1.42.0rc2' into developBrendan Abolivier2021-09-063-0/+41
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Synapse 1.42.0rc2 (2021-09-06) ============================== This version of Synapse removes deprecated room-management admin APIs, removes out-of-date email pushers, and improves error handling for fallback templates for user-interactive authentication. For more information on these points, server administrators are encouraged to read [the upgrade notes](docs/upgrade.md#upgrading-to-v1420). Features -------- - Support room version 9 from [MSC3375](https://github.com/matrix-org/matrix-doc/pull/3375). ([\#10747](https://github.com/matrix-org/synapse/issues/10747)) Internal Changes ---------------- - Print a warning when using one of the deprecated `template_dir` settings. ([\#10768](https://github.com/matrix-org/synapse/issues/10768))
| * Add a warning when using deprecated template_dir settings (#10768)Brendan Abolivier2021-09-063-0/+41
| | | | | | The deprecation itself happened in #10596 which shipped with Synapse v1.41.0. However, it doesn't seem fair to suddenly drop support for these settings in ~4-6w without being more vocal about said deprecation.
* | Add config option to use non-default manhole password and keys (#10643)Azrenbeth2021-09-061-2/+85
| |
* | Allow configuration of the oEmbed URLs. (#10714)Patrick Cloke2021-08-312-0/+182
|/ | | | | This adds configuration options (under an `oembed` section) to configure which URLs are matched to use oEmbed for URL previews.
* Merge branch 'master' into developErik Johnston2021-08-241-1/+1
|\
| * Set room version 8 as preferred for restricted rooms. (#10571)Patrick Cloke2021-08-201-1/+1
| |
* | Implement MSC3231: Token authenticated registration (#10142)Callum Brown2021-08-212-0/+26
| | | | | | | | | | Signed-off-by: Callum Brown <callum@calcuode.com> This is part of my GSoC project implementing [MSC3231](https://github.com/matrix-org/matrix-doc/pull/3231).
* | Support MSC3283: Expose `enable_set_displayname` in capabilities (#10452)Dirk Klimpel2021-08-191-0/+3
| |
* | Merge branch 'release-v1.41' into developErik Johnston2021-08-185-218/+85
|\|
| * Centralise the custom template directory (#10596)Brendan Abolivier2021-08-174-211/+65
| | | | | | Several configuration sections are using separate settings for custom template directories, which can be confusing. This PR adds a new top-level configuration for a custom template directory which is then used for every module. The only exception is the consent templates, since the consent template directory require a specific hierarchy, so it's probably better that it stays separate from everything else.
| * Make `PeriodicallyFlushingMemoryHandler` the default logging handler. (#10518)reivilibre2021-08-171-7/+20
| |
* | Port the PresenceRouter module interface to the new generic interface (#10524)Azrenbeth2021-08-171-14/+1
|/ | | Port the PresenceRouter module interface to the new generic interface introduced in v1.37.0
* Allow using several custom template directories (#10587)Brendan Abolivier2021-08-174-23/+32
| | | Allow using several directories in read_templates.
* Experimental support for MSC3266 Room Summary API. (#10394)Michael Telatynski2021-08-161-0/+3
|
* Add a setting to disable TLS for sending email (#10546)Richard van der Hoff2021-08-061-0/+14
| | | This is mostly useful in case the server offers TLS, but doesn't present a valid certificate.
* Add warnings to ip_range_blacklist usage with proxies (#10129)Kento Okamoto2021-08-032-5/+21
| | | | | | | | Per issue #9812 using `url_preview_ip_range_blacklist` with a proxy via `HTTPS_PROXY` or `HTTP_PROXY` environment variables has some inconsistent bahavior than mentioned. This PR changes the following: - Changes the Sample Config file to include a note mentioning that `url_preview_ip_range_blacklist` and `ip_range_blacklist` is ignored when using a proxy - Changes some logic in synapse/config/repository.py to send a warning when both `*ip_range_blacklist` configs and a proxy environment variable are set and but no longer throws an error. Signed-off-by: Kento Okamoto <kentokamoto@protonmail.com>
* Make sync response cache time configurable. (#10513)Richard van der Hoff2021-08-031-0/+13
|
* Revert use of PeriodicallyFlushingMemoryHandler by default (#10515)reivilibre2021-08-031-4/+1
|
* Allow setting transaction limit for db connections (#10440)Toni Spets2021-08-021-0/+4
| | | | | | | Setting the value will help PostgreSQL free up memory by recycling the connections in the connection pool. Signed-off-by: Toni Spets <toni.spets@iki.fi>
* Support for MSC2285 (hidden read receipts) (#10413)Šimon Brandner2021-07-281-0/+3
| | | Implementation of matrix-org/matrix-doc#2285
* Add a PeriodicallyFlushingMemoryHandler to prevent logging silence (#10407)reivilibre2021-07-271-1/+4
| | | Signed-off-by: Olivier Wilkinson (reivilibre) <olivier@librepush.net>
* Update the notification email subject when invited to a space. (#10426)Patrick Cloke2021-07-211-1/+3
|
* MSC3244 room capabilities implementation (#10283)Michael Telatynski2021-07-201-0/+3
|
* Port the ThirdPartyEventRules module interface to the new generic interface ↵Brendan Abolivier2021-07-201-15/+0
| | | | | (#10386) Port the third-party event rules interface to the generic module interface introduced in v1.37.0
* [pyupgrade] `synapse/` (#10348)Jonathan de Jong2021-07-192-5/+3
| | | | | | | | | This PR is tantamount to running ``` pyupgrade --py36-plus --keep-percent-format `find synapse/ -type f -name "*.py"` ``` Part of #9744
* Add a module type for account validity (#9884)Brendan Abolivier2021-07-161-87/+15
| | | | | This adds an API for third-party plugin modules to implement account validity, so they can provide this feature instead of Synapse. The module implementing the current behaviour for this feature can be found at https://github.com/matrix-org/synapse-email-account-validity. To allow for a smooth transition between the current feature and the new module, hooks have been added to the existing account validity endpoints to allow their behaviours to be overridden by a module.
* Use inline type hints in various other places (in `synapse/`) (#10380)Jonathan de Jong2021-07-1512-28/+26
|
* Remove functionality associated with unused historical stats tables (#9721)Cristina2021-07-081-9/+0
| | | Fixes #9602
* Update links to documentation in sample config (#10287)Dirk Klimpel2021-07-0713-24/+26
| | | Signed-off-by: Dirk Klimpel dirk@klimpel.org
* Add support for evicting cache entries based on last access time. (#10205)Erik Johnston2021-07-052-29/+43
|
* MSC2918 Refresh tokens implementation (#9450)Quentin Gliech2021-06-241-0/+21
| | | | | | | | | | This implements refresh tokens, as defined by MSC2918 This MSC has been implemented client side in Hydrogen Web: vector-im/hydrogen-web#235 The basics of the MSC works: requesting refresh tokens on login, having the access tokens expire, and using the refresh token to get a new one. Signed-off-by: Quentin Gliech <quentingliech@gmail.com>
* Warn users trying to use the deprecated spam checker interface (#10210)Brendan Abolivier2021-06-221-0/+15
| | | So admins aren't surprised if things break when we remove this code in a couple of months.
* Add endpoints for backfilling history (MSC2716) (#9247)Eric Eastwood2021-06-221-0/+3
| | | Work on https://github.com/matrix-org/matrix-doc/pull/2716
* Implement config option `sso.update_profile_information` (#10108)jkanefendt2021-06-211-0/+15
| | | | | | Implemented config option sso.update_profile_information to keep user's display name in sync with the SSO displayname. Signed-off-by: Johannes Kanefendt <johannes.kanefendt@krzn.de>
* Fix performance of responding to user key requests over federation (#10221)Erik Johnston2021-06-211-0/+2
| | | | | We were repeatedly looking up a config option in a loop (using the unclassed config style), which is expensive enough that it can cause large CPU usage.
* Ensure that errors during startup are written to the logs and the console. ↵Richard van der Hoff2021-06-211-3/+1
| | | | | | | | (#10191) * Defer stdio redirection until we are about to start the reactor * Catch and handle exceptions during startup
* Standardise the module interface (#10062)Brendan Abolivier2021-06-184-17/+54
| | | This PR adds a common configuration section for all modules (see docs). These modules are then loaded at startup by the homeserver. Modules register their hooks and web resources using the new `register_[...]_callbacks` and `register_web_resource` methods of the module API.
* Remove support for ACME v1 (#10194)Brendan Abolivier2021-06-173-151/+6
| | | | | Fixes #9778 ACME v1 has been fully decommissioned for existing installs on June 1st 2021(see https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/27), so we can now safely remove it from Synapse.
* Always require users to re-authenticate for dangerous operations. (#10184)Patrick Cloke2021-06-161-0/+4
| | | | | | | Dangerous actions means deactivating an account, modifying an account password, or adding a 3PID. Other actions (deleting devices, uploading keys) can re-use the same UI auth session if ui_auth.session_timeout is configured.
* Remove the experimental flag for knocking and use stable prefixes / ↵Patrick Cloke2021-06-151-7/+0
| | | | | | | endpoints. (#10167) * Room version 7 for knocking. * Stable prefixes and endpoints (both client and federation) for knocking. * Removes the experimental configuration flag.
* Fix 'ip_range_whitelist' not working for federation servers (#10115)Michael Kutzner2021-06-151-12/+15
| | | | | Add 'federation_ip_range_whitelist'. This allows backwards-compatibility, If 'federation_ip_range_blacklist' is set. Otherwise 'ip_range_whitelist' will be used for federation servers. Signed-off-by: Michael Kutzner 1mikure@gmail.com
* Mention that you need to configure max upload size in reverse proxy as well ↵Aaron Raimist2021-06-101-0/+4
| | | | | (#10122) Signed-off-by: Aaron Raimist <aaron@raim.ist>
* Implement knock feature (#6739)Sorunome2021-06-092-1/+7
| | | | | | This PR aims to implement the knock feature as proposed in https://github.com/matrix-org/matrix-doc/pull/2403 Signed-off-by: Sorunome mail@sorunome.de Signed-off-by: Andrew Morgan andrewm@element.io
* Remove redundant code to reload tls cert (#10054)Richard van der Hoff2021-05-271-19/+3
| | | | | we don't need to reload the tls cert if we don't have any tls listeners. Follow-up to #9280.
* Remove the experimental spaces enabled flag. (#10063)Patrick Cloke2021-05-261-23/+0
| | | | In lieu of just always enabling the unstable spaces endpoint and unstable room version.
* Add missing type hints to synapse.util (#9982)Patrick Cloke2021-05-241-1/+7
|
* Remove tls_fingerprints option (#9280)Jerin J Titus2021-05-241-50/+0
| | | | Signed-off-by: Jerin J Titus <72017981+jerinjtitus@users.noreply.github.com>
* Enable experimental spaces by default. (#10011)Patrick Cloke2021-05-242-2/+19
| | | | The previous spaces_enabled flag now defaults to true and is exposed in the sample config.
* Remove superfluous call to bool() (#9986)Dan Callahan2021-05-141-1/+1
| | | | | Our strtobool already returns a bool, so no need to re-cast here Signed-off-by: Dan Callahan <danc@element.io>
* Support enabling opentracing by user (#9978)Richard van der Hoff2021-05-141-6/+31
| | | | | Add a config option which allows enabling opentracing by user id, eg for debugging requests made by a test user.
* Send the `m.room.create` stripped event with invites (support MSC1772). (#9966)Patrick Cloke2021-05-111-4/+2
| | | | | MSC1772 specifies the m.room.create event should be sent as part of the invite_state. This was done optionally behind an experimental flag, but is now done by default due to MSC1772 being approved.
* Merge branch 'master' into developBrendan Abolivier2021-05-111-2/+2
|\
| * Merge pull request from GHSA-x345-32rc-8h85Richard van der Hoff2021-05-111-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * tests for push rule pattern matching * tests for acl pattern matching * factor out common `re.escape` * Factor out common re.compile * Factor out common anchoring code * add word_boundary support to `glob_to_regex` * Use `glob_to_regex` in push rule evaluator NB that this drops support for character classes. I don't think anyone ever used them. * Improve efficiency of globs with multiple wildcards The idea here is that we compress multiple `*` globs into a single `.*`. We also need to consider `?`, since `*?*` is as hard to implement efficiently as `**`. * add assertion on regex pattern * Fix mypy * Simplify glob_to_regex * Inline the glob_to_regex helper function Signed-off-by: Dan Callahan <danc@element.io> * Moar comments Signed-off-by: Dan Callahan <danc@element.io> Co-authored-by: Dan Callahan <danc@element.io>
* | Add config option to hide device names over federation (#9945)Aaron Raimist2021-05-111-0/+10
| | | | | | | | | | Now that cross signing exists there is much less of a need for other people to look at devices and verify them individually. This PR adds a config option to allow you to prevent device display names from being shared with other servers. Signed-off-by: Aaron Raimist <aaron@raim.ist>
* | Optionally track memory usage of each LruCache (#9881)Erik Johnston2021-05-051-0/+11
| | | | | | | | | | This will double count slightly in the presence of interned strings. It's off by default as it can consume a lot of resources.
* | Limit how often GC happens by time. (#9902)Erik Johnston2021-05-051-1/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Synapse can be quite memory intensive, and unless care is taken to tune the GC thresholds it can end up thrashing, causing noticable performance problems for large servers. We fix this by limiting how often we GC a given generation, regardless of current counts/thresholds. This does not help with the reverse problem where the thresholds are set too high, but that should only happen in situations where they've been manually configured. Adds a `gc_min_seconds_between` config option to override the defaults. Fixes #9890.
* | Add port parameter to the sample config for psycopg2 args (#9911)Andrew Morgan2021-05-041-0/+1
|/ | | Adds the `port` option with the default value to the sample config file.
* Improved validation for received requests (#9817)Richard van der Hoff2021-04-231-1/+2
| | | | | | * Simplify `start_listening` callpath * Correctly check the size of uploaded files
* Allow OIDC cookies to work on non-root public baseurls (#9726)Andrew Morgan2021-04-231-4/+4
| | | | | Applied a (slightly modified) patch from https://github.com/matrix-org/synapse/issues/9574. As far as I understand this would allow the cookie set during the OIDC flow to work on deployments using public baseurls that do not sit at the URL path root.
* Split presence out of master (#9820)Erik Johnston2021-04-231-1/+26
|
* Remove `synapse.types.Collection` (#9856)Richard van der Hoff2021-04-221-2/+2
| | | This is no longer required, since we have dropped support for Python 3.5.
* Rename handler and config modules which end in handler/config. (#9816)Patrick Cloke2021-04-207-17/+27
|
* Port "Allow users to click account renewal links multiple times without ↵Andrew Morgan2021-04-195-131/+170
| | | | | hitting an 'Invalid Token' page #74" from synapse-dinsic (#9832) This attempts to be a direct port of https://github.com/matrix-org/synapse-dinsic/pull/74 to mainline. There was some fiddling required to deal with the changes that have been made to mainline since (mainly dealing with the split of `RegistrationWorkerStore` from `RegistrationStore`, and the changes made to `self.make_request` in test code).
* More robust handling of the Content-Type header for thumbnail generation (#9788)rkfg2021-04-141-0/+1
| | | | Signed-off-by: Sergey Shpikin <rkfg@rkfg.me>
* Remove redundant "coding: utf-8" lines (#9786)Jonathan de Jong2021-04-1437-37/+0
| | | | | | | Part of #9744 Removes all redundant `# -*- coding: utf-8 -*-` lines from files, as python 3 automatically reads source code as utf-8 now. `Signed-off-by: Jonathan de Jong <jonathan@automatia.nl>`
* Bump black configuration to target py36 (#9781)Dan Callahan2021-04-131-1/+1
| | | Signed-off-by: Dan Callahan <danc@element.io>
* Bugbear: Add Mutable Parameter fixes (#9682)Jonathan de Jong2021-04-081-2/+4
| | | | | | | Part of #9366 Adds in fixes for B006 and B008, both relating to mutable parameter lint errors. Signed-off-by: Jonathan de Jong <jonathan@automatia.nl>
* Add a Synapse Module for configuring presence update routing (#9491)Andrew Morgan2021-04-061-3/+36
| | | | | | | | | | | | At the moment, if you'd like to share presence between local or remote users, those users must be sharing a room together. This isn't always the most convenient or useful situation though. This PR adds a module to Synapse that will allow deployments to set up extra logic on where presence updates should be routed. The module must implement two methods, `get_users_for_states` and `get_interested_users`. These methods are given presence updates or user IDs and must return information that Synapse will use to grant passing presence updates around. A method is additionally added to `ModuleApi` which allows triggering a set of users to receive the current, online presence information for all users they are considered interested in. This is the equivalent of that user receiving presence information during an initial sync. The goal of this module is to be fairly generic and useful for a variety of applications, with hard requirements being: * Sending state for a specific set or all known users to a defined set of local and remote users. * The ability to trigger an initial sync for specific users, so they receive all current state.
* Add an experimental room version to support restricted join rules. (#9717)Patrick Cloke2021-03-311-1/+6
| | | Per MSC3083.
* Make sample config allowed_local_3pids regex stricter. (#9719)Denis Kasak2021-03-311-2/+2
| | | | | | | The regex should be terminated so that subdomain matches of another domain are not accepted. Just ensuring that someone doesn't shoot themselves in the foot by copying our example. Signed-off-by: Denis Kasak <dkasak@termina.org.uk>
* Include m.room.create in invite_room_state for Spaces (#9710)Richard van der Hoff2021-03-301-0/+4
|
* Replace `room_invite_state_types` with `room_prejoin_state` (#9700)Richard van der Hoff2021-03-301-23/+112
| | | | | | | `room_invite_state_types` was inconvenient as a configuration setting, because anyone that ever set it would not receive any new types that were added to the defaults. Here, we deprecate the old setting, and replace it with a couple of new settings under `room_prejoin_state`.
* Update the OIDC sample config (#9695)Richard van der Hoff2021-03-291-31/+3
| | | | | | | I've reiterated the advice about using `oidc` to migrate, since I've seen a few people caught by this. I've also removed a couple of the examples as they are duplicating the OIDC documentation, and I think they might be leading people astray.
* Make it possible to use dmypy (#9692)Erik Johnston2021-03-261-2/+4
| | | | | | | | | Running `dmypy run` will do a `mypy` check while spinning up a daemon that makes rerunning `dmypy run` a lot faster. `dmypy` doesn't support `follow_imports = silent` and has `local_partial_types` enabled, so this PR enables those options and fixes the issues that were newly raised. Note that `local_partial_types` will be enabled by default in upcoming mypy releases.
* Increase default join burst ratelimiting (#9674)Erik Johnston2021-03-231-4/+4
| | | It's legitimate behaviour to try and join a bunch of rooms at once.
* Merge branch 'develop' into babolivier/msc3026Brendan Abolivier2021-03-191-0/+2
|\
| * Initial spaces summary API (#9643)Richard van der Hoff2021-03-181-0/+3
| | | | | | This is very bare-bones for now: federation will come soon, while pagination is descoped for now but will come later.
* | Move support for MSC3026 behind an experimental flagBrendan Abolivier2021-03-181-0/+2
|/
* Enable flake8-bugbear, but disable most checks. (#9499)Jonathan de Jong2021-03-166-6/+20
| | | | * Adds B00 to ignored checks. * Fixes remaining issues.
* Add SSO attribute requirements for OIDC providers (#9609)Hubbe2021-03-161-1/+39
| | | | Allows limiting who can login using OIDC via the claims made from the IdP.
* Add support for stable MSC2858 API (#9617)Richard van der Hoff2021-03-161-2/+11
| | | | | The stable format uses different brand identifiers, so we need to support two identifiers for each IdP.
* Clean up config settings for stats (#9604)Richard van der Hoff2021-03-161-17/+28
| | | ... and complain if people try to turn it off.
* JWT OIDC secrets for Sign in with Apple (#9549)Richard van der Hoff2021-03-093-11/+118
| | | | | Apple had to be special. They want a client secret which is generated from an EC key. Fixes #9220. Also fixes #9212 while I'm here.
* Fix additional type hints. (#9543)Patrick Cloke2021-03-091-1/+4
| | | Type hint fixes due to Twisted 21.2.0 adding type hints.
* quick config comment tweak to clarify allow_profile_lookup_over_federationMatthew Hodgson2021-03-081-2/+1
|
* Clean up `ShardedWorkerHandlingConfig` (#9466)Erik Johnston2021-02-245-21/+116
| | | | | | | | | | | | | | | | | * Split ShardedWorkerHandlingConfig This is so that we have a type level understanding of when it is safe to call `get_instance(..)` (as opposed to `should_handle(..)`). * Remove special cases in ShardedWorkerHandlingConfig. `ShardedWorkerHandlingConfig` tried to handle the various different ways it was possible to configure federation senders and pushers. This led to special cases that weren't hit during testing. To fix this the handling of the different cases is moved from there and `generic_worker` into the worker config class. This allows us to have the logic in one place and allows the rest of the code to ignore the different cases.
* Remove vestiges of uploads_path config (#9462)Richard van der Hoff2021-02-221-1/+0
| | | | `uploads_path` was a thing that was never used; most of it was removed in #6628 but a few vestiges remained.
* Clean up the user directory sample config section (#9385)Andrew Morgan2021-02-221-32/+37
| | | | | The user directory sample config section was a little messy, and didn't adhere to our [recommended config format guidelines](https://github.com/matrix-org/synapse/blob/develop/docs/code_style.md#configuration-file-format). This PR cleans that up a bit.
* Ratelimit cross-user key sharing requests. (#8957)Patrick Cloke2021-02-191-0/+10
|
* Add documentation and type hints to parse_duration. (#9432)Patrick Cloke2021-02-191-2/+15
|
* Add a config option to prioritise local users in user directory search ↵Andrew Morgan2021-02-191-0/+9
| | | | | | | | | results (#9383) This PR adds a homeserver config option, `user_directory.prefer_local_users`, that when enabled will show local users higher in user directory search results than remote users. This option is off by default. Note that turning this on doesn't necessarily mean that remote users will always be put below local users, but they should be assuming all other ranking factors (search query match, profile information present etc) are identical. This is useful for, say, University networks that are openly federating, but want to prioritise local students and staff in the user directory over other random users.
* Add configs to make profile data more private (#9203)AndrewFerr2021-02-192-0/+24
| | | | | | | Add off-by-default configuration settings to: - disable putting an invitee's profile info in invite events - disable profile lookup via federation Signed-off-by: Andrew Ferrazzutti <fair@miscworks.net>
* Parse ui_auth.session_timeout as a duration (instead of treating it as ms) ↵Rishabh Arya2021-02-181-4/+6
| | | | (#9426)
* Update black, and run auto formatting over the codebase (#9381)Eric Eastwood2021-02-1610-28/+55
| | | | | | | - Update black version to the latest - Run black auto formatting over the codebase - Run autoformatting according to [`docs/code_style.md `](https://github.com/matrix-org/synapse/blob/80d6dc9783aa80886a133756028984dbf8920168/docs/code_style.md) - Update `code_style.md` docs around installing black to use the correct version
* Fix some typos.Patrick Cloke2021-02-122-2/+2
|
* Merge tag 'v1.27.0rc2' into developPatrick Cloke2021-02-117-26/+52
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Synapse 1.27.0rc2 (2021-02-11) ============================== Features -------- - Further improvements to the user experience of registration via single sign-on. ([\#9297](https://github.com/matrix-org/synapse/issues/9297)) Bugfixes -------- - Fix ratelimiting introduced in v1.27.0rc1 for invites to respect the `ratelimit` flag on application services. ([\#9302](https://github.com/matrix-org/synapse/issues/9302)) - Do not automatically calculate `public_baseurl` since it can be wrong in some situations. Reverts behaviour introduced in v1.26.0. ([\#9313](https://github.com/matrix-org/synapse/issues/9313)) Improved Documentation ---------------------- - Clarify the sample configuration for changes made to the template loading code. ([\#9310](https://github.com/matrix-org/synapse/issues/9310))
| * Backout changes for automatically calculating the public baseurl. (#9313)Patrick Cloke2021-02-117-26/+52
| | | | | | | | This breaks some people's configurations (if their Client-Server API is not accessed via port 443).
* | Combine the CAS & SAML implementations for required attributes. (#9326)Patrick Cloke2021-02-113-23/+53
| |
* | Fix escaping of braces in OIDC sample config. (#9317)Patrick Cloke2021-02-041-5/+5
| | | | | | This fixes the Jinja2 templates for the mapping provider.
* | Merge branch 'social_login_hotfixes' into developRichard van der Hoff2021-02-031-10/+4
|\|
| * Clarify documentation about escaping URLs in templates. (#9310)Patrick Cloke2021-02-031-10/+4
| |
* | config: Add detail to auto_join_rooms comment (#9291)dykstranet2021-02-031-0/+2
| | | | | | | | | | config: Add detail to auto_join_rooms comment Signed-off-by: Gary Dykstra <gary@dykstranet.com>
* | Convert blacklisted IPv4 addresses to compatible IPv6 addresses. (#9240)Patrick Cloke2021-02-032-27/+91
|/ | | Also add a few more IP ranges to the default blacklist.
* Put SAML callback URI under /_synapse/client. (#9289)Richard van der Hoff2021-02-021-4/+4
|
* Put OIDC callback URI under /_synapse/client. (#9288)Richard van der Hoff2021-02-011-1/+1
|
* Merge branch 'social_login' into developRichard van der Hoff2021-02-011-0/+37
|\
| * Collect terms consent from the user during SSO registration (#9276)Richard van der Hoff2021-02-011-0/+22
| |
| * Improve styling and wording of SSO UIA templates (#9286)Richard van der Hoff2021-02-011-0/+15
| | | | | | fixes #9171
* | Merge branch 'social_login' into developRichard van der Hoff2021-02-013-39/+50
|\|
| * Replace username picker with a template (#9275)Richard van der Hoff2021-02-013-38/+37
| | | | | | | | | | There's some prelimiary work here to pull out the construction of a jinja environment to a separate function. I wanted to load the template at display time rather than load time, so that it's easy to update on the fly. Honestly, I think we should do this with all our templates: the risk of ending up with malformed templates is far outweighed by the improved turnaround time for an admin trying to update them.
| * Improve styling and wording of SSO redirect confirm template (#9272)Richard van der Hoff2021-02-011-1/+13
| |
* | Ratelimit invites by room and target user (#9258)Erik Johnston2021-01-291-0/+19
| |
* | Merge branch 'social_login' into developRichard van der Hoff2021-01-281-28/+39
|\|
| * Add 'brand' field to MSC2858 response (#9242)Richard van der Hoff2021-01-271-25/+27
| | | | | | | | | | | | We've decided to add a 'brand' field to help clients decide how to style the buttons. Also, fix up the allowed characters for idp_id, while I'm in the area.
| * Support for scraping email addresses from OIDC providers (#9245)Richard van der Hoff2021-01-271-3/+12
| |
* | Ratelimit 3PID /requestToken API (#9238)Erik Johnston2021-01-282-3/+12
| |
* | Merge branch 'social_login' into developRichard van der Hoff2021-01-273-0/+33
|\|
| * Implement MSC2858 support (#9183)Richard van der Hoff2021-01-273-0/+33
| | | | | | Fixes #8928.
* | Clean-up the template loading code. (#9200)Patrick Cloke2021-01-274-23/+29
| | | | | | | | | | * Enables autoescape by default for HTML files. * Adds a new read_template method for reading a single template. * Some logic clean-up.
* | Do not require the CAS service URL setting (use public_baseurl instead). (#9199)Patrick Cloke2021-01-262-7/+8
| | | | | | | | The current configuration is handled for backwards compatibility, but is considered deprecated.
* | Precompute joined hosts and store in Redis (#9198)Erik Johnston2021-01-261-0/+2
|/
* Add a check for duplicate IdP ids (#9184)Richard van der Hoff2021-01-211-0/+11
|
* Prefix idp_id with "oidc-" (#9189)Richard van der Hoff2021-01-211-4/+24
| | | ... to avoid clashes with other SSO mechanisms
* Tighten the restrictions on `idp_id` (#9177)Richard van der Hoff2021-01-201-3/+9
|
* Support icons for Identity Providers (#9154)Richard van der Hoff2021-01-202-1/+21
|
* Give `public_baseurl` a default value (#9159)Richard van der Hoff2021-01-207-51/+30
|
* Fix error messages from OIDC config parsing (#9153)Richard van der Hoff2021-01-191-10/+15
| | | | Make sure we report the correct config path for errors in the OIDC configs.
* Allow moving account data and receipts streams off master (#9104)Erik Johnston2021-01-181-1/+17
|
* Land support for multiple OIDC providers (#9110)Richard van der Hoff2021-01-152-143/+188
| | | | | | | | | | | | | | | | | | | | | | | This is the final step for supporting multiple OIDC providers concurrently. First of all, we reorganise the config so that you can specify a list of OIDC providers, instead of a single one. Before: oidc_config: enabled: true issuer: "https://oidc_provider" # etc After: oidc_providers: - idp_id: prov1 issuer: "https://oidc_provider" - idp_id: prov2 issuer: "https://another_oidc_provider" The old format is still grandfathered in. With that done, it's then simply a matter of having OidcHandler instantiate a new OidcProvider for each configured provider.
* Remote dependency on distutils (#9125)Richard van der Hoff2021-01-151-6/+5
| | | | | | | | | `distutils` is pretty much deprecated these days, and replaced with `setuptools`. It's also annoying because it's you can't `pip install` it, and it's hard to figure out which debian package we should depend on to make sure it's there. Since we only use it for a tiny function anyway, let's just vendor said function into our codebase.
* Store an IdP ID in the OIDC session (#9109)Richard van der Hoff2021-01-151-3/+23
| | | | | Again in preparation for handling more than one OIDC provider, add a new caveat to the macaroon used as an OIDC session cookie, which remembers which OIDC provider we are talking to. In future, when we get a callback, we'll need it to make sure we talk to the right IdP. As part of this, I'm adding an idp_id and idp_name field to the OIDC configuration object. They aren't yet documented, and we'll just use the old values by default.
* Give the user a better error when they present bad SSO credsRichard van der Hoff2021-01-131-0/+10
| | | | | | | | | If a user tries to do UI Auth via SSO, but uses the wrong account on the SSO IdP, try to give them a better error. Previously, the UIA would claim to be successful, but then the operation in question would simply fail with "auth fail". Instead, serve up an error page which explains the failure.
* Add jsonschema verification for the oidc provider configRichard van der Hoff2021-01-131-0/+50
|
* Extract OIDCProviderConfig objectRichard van der Hoff2021-01-131-45/+120
| | | | | Collect all the config options which related to an OIDC provider into a single object.
* Fix validate_config on nested objects (#9054)Richard van der Hoff2021-01-081-1/+1
|
* Allow running sendToDevice on workers (#9044)Erik Johnston2021-01-071-1/+9
|
* Add initial support for a "pick your IdP" page (#9017)Richard van der Hoff2021-01-051-0/+27
| | | | | During login, if there are multiple IdPs enabled, offer the user a choice of IdPs.
* Update the value of group_creation_prefix in sample config. (#8992)Jerin J Titus2020-12-291-1/+1
| | | Removes the trailing slash with causes issues with matrix.to/Element.
* Send the location of the web client to the IS when inviting via 3PIDs. (#8930)Patrick Cloke2020-12-181-0/+22
| | | | Adds a new setting `email.invite_client_location` which, if defined, is passed to the identity server during invites.
* Implement a username picker for synapse (#8942)Richard van der Hoff2020-12-181-2/+3
| | | | | | | | | | | | | | The final part (for now) of my work to implement a username picker in synapse itself. The idea is that we allow `UsernameMappingProvider`s to return `localpart=None`, in which case, rather than redirecting the browser back to the client, we redirect to a username-picker resource, which allows the user to enter a username. We *then* complete the SSO flow (including doing the client permission checks). The static resources for the username picker itself (in https://github.com/matrix-org/synapse/tree/rav/username_picker/synapse/res/username_picker) are essentially lifted wholesale from https://github.com/matrix-org/matrix-synapse-saml-mozilla/tree/master/matrix_synapse_saml_mozilla/res. As the comment says, we might want to think about making them customisable, but that can be a follow-up. Fixes #8876.
* Allow re-using a UI auth validation for a period of time (#8970)Patrick Cloke2020-12-183-7/+27
|
* Fix the sample config location for the ip_range_whitelist setting. (#8954)Patrick Cloke2020-12-162-12/+12
| | | | Move it from the federation section to the server section to match ip_range_blacklist.
* Various clean-ups to the logging context code (#8935)Patrick Cloke2020-12-141-1/+1
|
* Default to blacklisting reserved IP ranges and add a whitelist. (#8870)Patrick Cloke2020-12-093-61/+98
| | | | This defaults `ip_range_blacklist` to reserved IP ranges and also adds an `ip_range_whitelist` setting to override it.
* Better formatting for config errors from modules (#8874)Richard van der Hoff2020-12-0810-27/+59
| | | | | | | | | | The idea is that the parse_config method of extension modules can raise either a ConfigError or a JsonValidationError, and it will be magically turned into a legible error message. There's a few components to it: * Separating the "path" and the "message" parts of a ConfigError, so that we can fiddle with the path bit to turn it into an absolute path. * Generally improving the way ConfigErrors get printed. * Passing in the config path to load_module so that it can wrap any exceptions that get caught appropriately.
* Clarify config template comments (#8891)Richard van der Hoff2020-12-082-8/+4
|
* Add authentication to replication endpoints. (#8853)Patrick Cloke2020-12-041-0/+10
| | | | Authentication is done by checking a shared secret provided in the Synapse configuration file.
* Apply an IP range blacklist to push and key revocation requests. (#8821)Patrick Cloke2020-12-021-15/+25
| | | | | | | | | | | | Replaces the `federation_ip_range_blacklist` configuration setting with an `ip_range_blacklist` setting with wider scope. It now applies to: * Federation * Identity servers * Push notifications * Checking key validitity for third-party invite events The old `federation_ip_range_blacklist` setting is still honored if present, but with reduced scope (it only applies to federation and identity servers).
* Add a config option to change whether unread push notification counts are ↵Andrew Morgan2020-11-301-0/+13
| | | | | | | | per-message or per-room (#8820) This PR adds a new config option to the `push` section of the homeserver config, `group_unread_count_by_room`. By default Synapse will group push notifications by room (so if you have 1000 unread messages, if they lie in 55 rooms, you'll see an unread count on your phone of 55). However, it is also useful to be able to send out the true count of unread messages if desired. If `group_unread_count_by_room` is set to `false`, then with the above example, one would see an unread count of 1000 (email anyone?).
* Fix the formatting of push config section (#8818)Andrew Morgan2020-11-251-15/+20
| | | This PR updates the push config's formatting to better align with our [code style guidelines](https://github.com/matrix-org/synapse/blob/develop/docs/code_style.md#configuration-file-format).
* SAML: Allow specifying the IdP entityid to use. (#8630)Ben Banfield-Zanin2020-11-191-0/+10
| | | | If the SAML metadata includes multiple IdPs it is necessary to specify which IdP to redirect users to for authentication.
* SAML: Document allowing a clock/time difference from IdP (#8731)Marcus Schopen2020-11-181-0/+6
| | | | Updates the sample configuration with the pysaml2 configuration for accepting clock skew/drift between the homeserver and IdP.
* Clarify the usecase for an msisdn delegate (#8734)Adrian Wannenmacher2020-11-141-2/+3
| | | Signed-off-by: Adrian Wannenmacher <tfld@tfld.dev>
* SAML: add <mdui:UIInfo> element examples (#8718)Marcus Schopen2020-11-131-0/+22
| | | add some mdui:UIInfo element examples for saml2_config in homeserver.yaml
* Improve the sample config for SSO (OIDC, SAML, and CAS). (#8635)Patrick Cloke2020-10-303-54/+80
|
* Support generating structured logs in addition to standard logs. (#8607)Patrick Cloke2020-10-291-48/+48
| | | | | | | This modifies the configuration of structured logging to be usable from the standard Python logging configuration. This also separates the formatting of logs from the transport allowing JSON logs to files or standard logs to sockets.
* Fix typos and spelling errors. (#8639)Patrick Cloke2020-10-235-5/+5
|
* Send some ephemeral events to appservices (#8437)Will Hunt2020-10-151-0/+3
| | | Optionally sends typing, presence, and read receipt information to appservices.
* Increase default max_upload_size from 10M to 50M (#8502)Mateusz Przybyłowicz2020-10-091-2/+2
| | | Signed-off-by: Mateusz Przybyłowicz <uamfhq@gmail.com>
* Update default room version to 6 (#8461)Richard van der Hoff2020-10-051-1/+1
| | | | Per https://github.com/matrix-org/matrix-doc/pull/2788
* Allow background tasks to be run on a separate worker. (#8369)Patrick Cloke2020-10-021-0/+18
|
* Merge tag 'v1.21.0rc2' into developRichard van der Hoff2020-10-024-6/+15
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Synapse 1.21.0rc2 (2020-10-02) ============================== Features -------- - Convert additional templates from inline HTML to Jinja2 templates. ([\#8444](https://github.com/matrix-org/synapse/issues/8444)) Bugfixes -------- - Fix a regression in v1.21.0rc1 which broke thumbnails of remote media. ([\#8438](https://github.com/matrix-org/synapse/issues/8438)) - Do not expose the experimental `uk.half-shot.msc2778.login.application_service` flow in the login API, which caused a compatibility problem with Element iOS. ([\#8440](https://github.com/matrix-org/synapse/issues/8440)) - Fix malformed log line in new federation "catch up" logic. ([\#8442](https://github.com/matrix-org/synapse/issues/8442)) - Fix DB query on startup for negative streams which caused long start up times. Introduced in [\#8374](https://github.com/matrix-org/synapse/issues/8374). ([\#8447](https://github.com/matrix-org/synapse/issues/8447))
| * Convert additional templates to Jinja (#8444)Patrick Cloke2020-10-024-6/+15
| | | | | | This converts a few more of our inline HTML templates to Jinja. This is somewhat part of #7280 and should make it a bit easier to customize these in the future.
* | Add config option for always using "userinfo endpoint" for OIDC (#7658)BBBSnowball2020-10-011-0/+9
| | | | | | This allows for connecting to certain IdPs, e.g. GitLab.
* | Enable mypy checking for unreachable code and fix instances. (#8432)Patrick Cloke2020-10-011-9/+9
|/
* Add prometheus metrics to track federation delays (#8430)Richard van der Hoff2020-10-014-5/+30
| | | | | Add a pair of federation metrics to track the delays in sending PDUs to/from particular servers.
* Allow additional SSO properties to be passed to the client (#8413)Patrick Cloke2020-09-301-0/+8
|
* Update description of server_name config option (#8415)Aaron Raimist2020-09-291-4/+17
|
* Allow existing users to login via OpenID Connect. (#8345)Tdxdxoz2020-09-251-0/+6
| | | | | | | Co-authored-by: Benjamin Koch <bbbsnowball@gmail.com> This adds configuration flags that will match a user to pre-existing users when logging in via OpenID Connect. This is useful when switching to an existing SSO system.
* Merge branch 'master' into developAndrew Morgan2020-09-241-2/+8
|\
| * Hotfix: disable autoescape by default when rendering Jinja2 templates (#8394)Andrew Morgan2020-09-242-3/+11
| | | | | | | | | | #8037 changed the default `autoescape` option when rendering Jinja2 templates from `False` to `True`. This caused some bugs, noticeably around redirect URLs being escaped in SAML2 auth confirmation templates, causing those URLs to break for users. This change returns the previous behaviour as it stood. We may want to look at each template individually and see whether autoescaping is a good idea at some point, but for now lets just fix the breakage.
* | Simplify super() calls to Python 3 syntax. (#8344)Patrick Cloke2020-09-183-3/+3
| | | | | | | | | | | | | | This converts calls like super(Foo, self) -> super(). Generated with: sed -i "" -Ee 's/super\([^\(]+\)/super()/g' **/*.py
* | Remove obsolete __future__ imports (#8337)Jonathan de Jong2020-09-172-3/+0
| |
* | Improve SAML error messages (#8248)Patrick Cloke2020-09-141-30/+4
| |
* | Add experimental support for sharding event persister. Again. (#8294)Erik Johnston2020-09-143-13/+46
| | | | | | | | | | | | This is *not* ready for production yet. Caveats: 1. We should write some tests... 2. The stream token that we use for events can get stalled at the minimum position of all writers. This means that new events may not be processed and e.g. sent down sync streams if a writer isn't writing or is slow.
* | Show a confirmation page during user password reset (#8004)Andrew Morgan2020-09-101-3/+9
| | | | | | | | | | This PR adds a confirmation step to resetting your user password between clicking the link in your email and your password actually being reset. This is to better align our password reset flow with the industry standard of requiring a confirmation from the user after email validation.
* | Add a config option for validating 'next_link' parameters against a domain ↵Andrew Morgan2020-09-081-1/+32
| | | | | | | | | | | | | | | | | | | | | | whitelist (#8275) This is a config option ported over from DINUM's Sydent: https://github.com/matrix-org/sydent/pull/285 They've switched to validating 3PIDs via Synapse rather than Sydent, and would like to retain this functionality. This original purpose for this change is phishing prevention. This solution could also potentially be replaced by a similar one to https://github.com/matrix-org/synapse/pull/8004, but across all `*/submit_token` endpoint. This option may still be useful to enterprise even with that safeguard in place though, if they want to be absolutely sure that their employees don't follow links to other domains.
* | Fix stack overflow when logging system encounters an error (#8268)Richard van der Hoff2020-09-071-2/+23
|/
* Fix a regression from calling read_templates. (#8252)Patrick Cloke2020-09-041-1/+1
| | | Regressed in #8037.