summary refs log tree commit diff
path: root/synapse/config (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Add an experimental room version to support restricted join rules. (#9717)Patrick Cloke2021-03-311-1/+6
| | | Per MSC3083.
* Make sample config allowed_local_3pids regex stricter. (#9719)Denis Kasak2021-03-311-2/+2
| | | | | | | The regex should be terminated so that subdomain matches of another domain are not accepted. Just ensuring that someone doesn't shoot themselves in the foot by copying our example. Signed-off-by: Denis Kasak <dkasak@termina.org.uk>
* Include m.room.create in invite_room_state for Spaces (#9710)Richard van der Hoff2021-03-301-0/+4
|
* Replace `room_invite_state_types` with `room_prejoin_state` (#9700)Richard van der Hoff2021-03-301-23/+112
| | | | | | | `room_invite_state_types` was inconvenient as a configuration setting, because anyone that ever set it would not receive any new types that were added to the defaults. Here, we deprecate the old setting, and replace it with a couple of new settings under `room_prejoin_state`.
* Update the OIDC sample config (#9695)Richard van der Hoff2021-03-291-31/+3
| | | | | | | I've reiterated the advice about using `oidc` to migrate, since I've seen a few people caught by this. I've also removed a couple of the examples as they are duplicating the OIDC documentation, and I think they might be leading people astray.
* Make it possible to use dmypy (#9692)Erik Johnston2021-03-261-2/+4
| | | | | | | | | Running `dmypy run` will do a `mypy` check while spinning up a daemon that makes rerunning `dmypy run` a lot faster. `dmypy` doesn't support `follow_imports = silent` and has `local_partial_types` enabled, so this PR enables those options and fixes the issues that were newly raised. Note that `local_partial_types` will be enabled by default in upcoming mypy releases.
* Increase default join burst ratelimiting (#9674)Erik Johnston2021-03-231-4/+4
| | | It's legitimate behaviour to try and join a bunch of rooms at once.
* Merge branch 'develop' into babolivier/msc3026Brendan Abolivier2021-03-191-0/+2
|\
| * Initial spaces summary API (#9643)Richard van der Hoff2021-03-181-0/+3
| | | | | | This is very bare-bones for now: federation will come soon, while pagination is descoped for now but will come later.
* | Move support for MSC3026 behind an experimental flagBrendan Abolivier2021-03-181-0/+2
|/
* Enable flake8-bugbear, but disable most checks. (#9499)Jonathan de Jong2021-03-166-6/+20
| | | | * Adds B00 to ignored checks. * Fixes remaining issues.
* Add SSO attribute requirements for OIDC providers (#9609)Hubbe2021-03-161-1/+39
| | | | Allows limiting who can login using OIDC via the claims made from the IdP.
* Add support for stable MSC2858 API (#9617)Richard van der Hoff2021-03-161-2/+11
| | | | | The stable format uses different brand identifiers, so we need to support two identifiers for each IdP.
* Clean up config settings for stats (#9604)Richard van der Hoff2021-03-161-17/+28
| | | ... and complain if people try to turn it off.
* JWT OIDC secrets for Sign in with Apple (#9549)Richard van der Hoff2021-03-093-11/+118
| | | | | Apple had to be special. They want a client secret which is generated from an EC key. Fixes #9220. Also fixes #9212 while I'm here.
* Fix additional type hints. (#9543)Patrick Cloke2021-03-091-1/+4
| | | Type hint fixes due to Twisted 21.2.0 adding type hints.
* quick config comment tweak to clarify allow_profile_lookup_over_federationMatthew Hodgson2021-03-081-2/+1
|
* Clean up `ShardedWorkerHandlingConfig` (#9466)Erik Johnston2021-02-245-21/+116
| | | | | | | | | | | | | | | | | * Split ShardedWorkerHandlingConfig This is so that we have a type level understanding of when it is safe to call `get_instance(..)` (as opposed to `should_handle(..)`). * Remove special cases in ShardedWorkerHandlingConfig. `ShardedWorkerHandlingConfig` tried to handle the various different ways it was possible to configure federation senders and pushers. This led to special cases that weren't hit during testing. To fix this the handling of the different cases is moved from there and `generic_worker` into the worker config class. This allows us to have the logic in one place and allows the rest of the code to ignore the different cases.
* Remove vestiges of uploads_path config (#9462)Richard van der Hoff2021-02-221-1/+0
| | | | `uploads_path` was a thing that was never used; most of it was removed in #6628 but a few vestiges remained.
* Clean up the user directory sample config section (#9385)Andrew Morgan2021-02-221-32/+37
| | | | | The user directory sample config section was a little messy, and didn't adhere to our [recommended config format guidelines](https://github.com/matrix-org/synapse/blob/develop/docs/code_style.md#configuration-file-format). This PR cleans that up a bit.
* Ratelimit cross-user key sharing requests. (#8957)Patrick Cloke2021-02-191-0/+10
|
* Add documentation and type hints to parse_duration. (#9432)Patrick Cloke2021-02-191-2/+15
|
* Add a config option to prioritise local users in user directory search ↵Andrew Morgan2021-02-191-0/+9
| | | | | | | | | results (#9383) This PR adds a homeserver config option, `user_directory.prefer_local_users`, that when enabled will show local users higher in user directory search results than remote users. This option is off by default. Note that turning this on doesn't necessarily mean that remote users will always be put below local users, but they should be assuming all other ranking factors (search query match, profile information present etc) are identical. This is useful for, say, University networks that are openly federating, but want to prioritise local students and staff in the user directory over other random users.
* Add configs to make profile data more private (#9203)AndrewFerr2021-02-192-0/+24
| | | | | | | Add off-by-default configuration settings to: - disable putting an invitee's profile info in invite events - disable profile lookup via federation Signed-off-by: Andrew Ferrazzutti <fair@miscworks.net>
* Parse ui_auth.session_timeout as a duration (instead of treating it as ms) ↵Rishabh Arya2021-02-181-4/+6
| | | | (#9426)
* Update black, and run auto formatting over the codebase (#9381)Eric Eastwood2021-02-1610-28/+55
| | | | | | | - Update black version to the latest - Run black auto formatting over the codebase - Run autoformatting according to [`docs/code_style.md `](https://github.com/matrix-org/synapse/blob/80d6dc9783aa80886a133756028984dbf8920168/docs/code_style.md) - Update `code_style.md` docs around installing black to use the correct version
* Fix some typos.Patrick Cloke2021-02-122-2/+2
|
* Merge tag 'v1.27.0rc2' into developPatrick Cloke2021-02-117-26/+52
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Synapse 1.27.0rc2 (2021-02-11) ============================== Features -------- - Further improvements to the user experience of registration via single sign-on. ([\#9297](https://github.com/matrix-org/synapse/issues/9297)) Bugfixes -------- - Fix ratelimiting introduced in v1.27.0rc1 for invites to respect the `ratelimit` flag on application services. ([\#9302](https://github.com/matrix-org/synapse/issues/9302)) - Do not automatically calculate `public_baseurl` since it can be wrong in some situations. Reverts behaviour introduced in v1.26.0. ([\#9313](https://github.com/matrix-org/synapse/issues/9313)) Improved Documentation ---------------------- - Clarify the sample configuration for changes made to the template loading code. ([\#9310](https://github.com/matrix-org/synapse/issues/9310))
| * Backout changes for automatically calculating the public baseurl. (#9313)Patrick Cloke2021-02-117-26/+52
| | | | | | | | This breaks some people's configurations (if their Client-Server API is not accessed via port 443).
* | Combine the CAS & SAML implementations for required attributes. (#9326)Patrick Cloke2021-02-113-23/+53
| |
* | Fix escaping of braces in OIDC sample config. (#9317)Patrick Cloke2021-02-041-5/+5
| | | | | | This fixes the Jinja2 templates for the mapping provider.
* | Merge branch 'social_login_hotfixes' into developRichard van der Hoff2021-02-031-10/+4
|\|
| * Clarify documentation about escaping URLs in templates. (#9310)Patrick Cloke2021-02-031-10/+4
| |
* | config: Add detail to auto_join_rooms comment (#9291)dykstranet2021-02-031-0/+2
| | | | | | | | | | config: Add detail to auto_join_rooms comment Signed-off-by: Gary Dykstra <gary@dykstranet.com>
* | Convert blacklisted IPv4 addresses to compatible IPv6 addresses. (#9240)Patrick Cloke2021-02-032-27/+91
|/ | | Also add a few more IP ranges to the default blacklist.
* Put SAML callback URI under /_synapse/client. (#9289)Richard van der Hoff2021-02-021-4/+4
|
* Put OIDC callback URI under /_synapse/client. (#9288)Richard van der Hoff2021-02-011-1/+1
|
* Merge branch 'social_login' into developRichard van der Hoff2021-02-011-0/+37
|\
| * Collect terms consent from the user during SSO registration (#9276)Richard van der Hoff2021-02-011-0/+22
| |
| * Improve styling and wording of SSO UIA templates (#9286)Richard van der Hoff2021-02-011-0/+15
| | | | | | fixes #9171
* | Merge branch 'social_login' into developRichard van der Hoff2021-02-013-39/+50
|\|
| * Replace username picker with a template (#9275)Richard van der Hoff2021-02-013-38/+37
| | | | | | | | | | There's some prelimiary work here to pull out the construction of a jinja environment to a separate function. I wanted to load the template at display time rather than load time, so that it's easy to update on the fly. Honestly, I think we should do this with all our templates: the risk of ending up with malformed templates is far outweighed by the improved turnaround time for an admin trying to update them.
| * Improve styling and wording of SSO redirect confirm template (#9272)Richard van der Hoff2021-02-011-1/+13
| |
* | Ratelimit invites by room and target user (#9258)Erik Johnston2021-01-291-0/+19
| |
* | Merge branch 'social_login' into developRichard van der Hoff2021-01-281-28/+39
|\|
| * Add 'brand' field to MSC2858 response (#9242)Richard van der Hoff2021-01-271-25/+27
| | | | | | | | | | | | We've decided to add a 'brand' field to help clients decide how to style the buttons. Also, fix up the allowed characters for idp_id, while I'm in the area.
| * Support for scraping email addresses from OIDC providers (#9245)Richard van der Hoff2021-01-271-3/+12
| |
* | Ratelimit 3PID /requestToken API (#9238)Erik Johnston2021-01-282-3/+12
| |
* | Merge branch 'social_login' into developRichard van der Hoff2021-01-273-0/+33
|\|
| * Implement MSC2858 support (#9183)Richard van der Hoff2021-01-273-0/+33
| | | | | | Fixes #8928.
* | Clean-up the template loading code. (#9200)Patrick Cloke2021-01-274-23/+29
| | | | | | | | | | * Enables autoescape by default for HTML files. * Adds a new read_template method for reading a single template. * Some logic clean-up.
* | Do not require the CAS service URL setting (use public_baseurl instead). (#9199)Patrick Cloke2021-01-262-7/+8
| | | | | | | | The current configuration is handled for backwards compatibility, but is considered deprecated.
* | Precompute joined hosts and store in Redis (#9198)Erik Johnston2021-01-261-0/+2
|/
* Add a check for duplicate IdP ids (#9184)Richard van der Hoff2021-01-211-0/+11
|
* Prefix idp_id with "oidc-" (#9189)Richard van der Hoff2021-01-211-4/+24
| | | ... to avoid clashes with other SSO mechanisms
* Tighten the restrictions on `idp_id` (#9177)Richard van der Hoff2021-01-201-3/+9
|
* Support icons for Identity Providers (#9154)Richard van der Hoff2021-01-202-1/+21
|
* Give `public_baseurl` a default value (#9159)Richard van der Hoff2021-01-207-51/+30
|
* Fix error messages from OIDC config parsing (#9153)Richard van der Hoff2021-01-191-10/+15
| | | | Make sure we report the correct config path for errors in the OIDC configs.
* Allow moving account data and receipts streams off master (#9104)Erik Johnston2021-01-181-1/+17
|
* Land support for multiple OIDC providers (#9110)Richard van der Hoff2021-01-152-143/+188
| | | | | | | | | | | | | | | | | | | | | | | This is the final step for supporting multiple OIDC providers concurrently. First of all, we reorganise the config so that you can specify a list of OIDC providers, instead of a single one. Before: oidc_config: enabled: true issuer: "https://oidc_provider" # etc After: oidc_providers: - idp_id: prov1 issuer: "https://oidc_provider" - idp_id: prov2 issuer: "https://another_oidc_provider" The old format is still grandfathered in. With that done, it's then simply a matter of having OidcHandler instantiate a new OidcProvider for each configured provider.
* Remote dependency on distutils (#9125)Richard van der Hoff2021-01-151-6/+5
| | | | | | | | | `distutils` is pretty much deprecated these days, and replaced with `setuptools`. It's also annoying because it's you can't `pip install` it, and it's hard to figure out which debian package we should depend on to make sure it's there. Since we only use it for a tiny function anyway, let's just vendor said function into our codebase.
* Store an IdP ID in the OIDC session (#9109)Richard van der Hoff2021-01-151-3/+23
| | | | | Again in preparation for handling more than one OIDC provider, add a new caveat to the macaroon used as an OIDC session cookie, which remembers which OIDC provider we are talking to. In future, when we get a callback, we'll need it to make sure we talk to the right IdP. As part of this, I'm adding an idp_id and idp_name field to the OIDC configuration object. They aren't yet documented, and we'll just use the old values by default.
* Give the user a better error when they present bad SSO credsRichard van der Hoff2021-01-131-0/+10
| | | | | | | | | If a user tries to do UI Auth via SSO, but uses the wrong account on the SSO IdP, try to give them a better error. Previously, the UIA would claim to be successful, but then the operation in question would simply fail with "auth fail". Instead, serve up an error page which explains the failure.
* Add jsonschema verification for the oidc provider configRichard van der Hoff2021-01-131-0/+50
|
* Extract OIDCProviderConfig objectRichard van der Hoff2021-01-131-45/+120
| | | | | Collect all the config options which related to an OIDC provider into a single object.
* Fix validate_config on nested objects (#9054)Richard van der Hoff2021-01-081-1/+1
|
* Allow running sendToDevice on workers (#9044)Erik Johnston2021-01-071-1/+9
|
* Add initial support for a "pick your IdP" page (#9017)Richard van der Hoff2021-01-051-0/+27
| | | | | During login, if there are multiple IdPs enabled, offer the user a choice of IdPs.
* Update the value of group_creation_prefix in sample config. (#8992)Jerin J Titus2020-12-291-1/+1
| | | Removes the trailing slash with causes issues with matrix.to/Element.
* Send the location of the web client to the IS when inviting via 3PIDs. (#8930)Patrick Cloke2020-12-181-0/+22
| | | | Adds a new setting `email.invite_client_location` which, if defined, is passed to the identity server during invites.
* Implement a username picker for synapse (#8942)Richard van der Hoff2020-12-181-2/+3
| | | | | | | | | | | | | | The final part (for now) of my work to implement a username picker in synapse itself. The idea is that we allow `UsernameMappingProvider`s to return `localpart=None`, in which case, rather than redirecting the browser back to the client, we redirect to a username-picker resource, which allows the user to enter a username. We *then* complete the SSO flow (including doing the client permission checks). The static resources for the username picker itself (in https://github.com/matrix-org/synapse/tree/rav/username_picker/synapse/res/username_picker) are essentially lifted wholesale from https://github.com/matrix-org/matrix-synapse-saml-mozilla/tree/master/matrix_synapse_saml_mozilla/res. As the comment says, we might want to think about making them customisable, but that can be a follow-up. Fixes #8876.
* Allow re-using a UI auth validation for a period of time (#8970)Patrick Cloke2020-12-183-7/+27
|
* Fix the sample config location for the ip_range_whitelist setting. (#8954)Patrick Cloke2020-12-162-12/+12
| | | | Move it from the federation section to the server section to match ip_range_blacklist.
* Various clean-ups to the logging context code (#8935)Patrick Cloke2020-12-141-1/+1
|
* Default to blacklisting reserved IP ranges and add a whitelist. (#8870)Patrick Cloke2020-12-093-61/+98
| | | | This defaults `ip_range_blacklist` to reserved IP ranges and also adds an `ip_range_whitelist` setting to override it.
* Better formatting for config errors from modules (#8874)Richard van der Hoff2020-12-0810-27/+59
| | | | | | | | | | The idea is that the parse_config method of extension modules can raise either a ConfigError or a JsonValidationError, and it will be magically turned into a legible error message. There's a few components to it: * Separating the "path" and the "message" parts of a ConfigError, so that we can fiddle with the path bit to turn it into an absolute path. * Generally improving the way ConfigErrors get printed. * Passing in the config path to load_module so that it can wrap any exceptions that get caught appropriately.
* Clarify config template comments (#8891)Richard van der Hoff2020-12-082-8/+4
|
* Add authentication to replication endpoints. (#8853)Patrick Cloke2020-12-041-0/+10
| | | | Authentication is done by checking a shared secret provided in the Synapse configuration file.
* Apply an IP range blacklist to push and key revocation requests. (#8821)Patrick Cloke2020-12-021-15/+25
| | | | | | | | | | | | Replaces the `federation_ip_range_blacklist` configuration setting with an `ip_range_blacklist` setting with wider scope. It now applies to: * Federation * Identity servers * Push notifications * Checking key validitity for third-party invite events The old `federation_ip_range_blacklist` setting is still honored if present, but with reduced scope (it only applies to federation and identity servers).
* Add a config option to change whether unread push notification counts are ↵Andrew Morgan2020-11-301-0/+13
| | | | | | | | per-message or per-room (#8820) This PR adds a new config option to the `push` section of the homeserver config, `group_unread_count_by_room`. By default Synapse will group push notifications by room (so if you have 1000 unread messages, if they lie in 55 rooms, you'll see an unread count on your phone of 55). However, it is also useful to be able to send out the true count of unread messages if desired. If `group_unread_count_by_room` is set to `false`, then with the above example, one would see an unread count of 1000 (email anyone?).
* Fix the formatting of push config section (#8818)Andrew Morgan2020-11-251-15/+20
| | | This PR updates the push config's formatting to better align with our [code style guidelines](https://github.com/matrix-org/synapse/blob/develop/docs/code_style.md#configuration-file-format).
* SAML: Allow specifying the IdP entityid to use. (#8630)Ben Banfield-Zanin2020-11-191-0/+10
| | | | If the SAML metadata includes multiple IdPs it is necessary to specify which IdP to redirect users to for authentication.
* SAML: Document allowing a clock/time difference from IdP (#8731)Marcus Schopen2020-11-181-0/+6
| | | | Updates the sample configuration with the pysaml2 configuration for accepting clock skew/drift between the homeserver and IdP.
* Clarify the usecase for an msisdn delegate (#8734)Adrian Wannenmacher2020-11-141-2/+3
| | | Signed-off-by: Adrian Wannenmacher <tfld@tfld.dev>
* SAML: add <mdui:UIInfo> element examples (#8718)Marcus Schopen2020-11-131-0/+22
| | | add some mdui:UIInfo element examples for saml2_config in homeserver.yaml
* Improve the sample config for SSO (OIDC, SAML, and CAS). (#8635)Patrick Cloke2020-10-303-54/+80
|
* Support generating structured logs in addition to standard logs. (#8607)Patrick Cloke2020-10-291-48/+48
| | | | | | | This modifies the configuration of structured logging to be usable from the standard Python logging configuration. This also separates the formatting of logs from the transport allowing JSON logs to files or standard logs to sockets.
* Fix typos and spelling errors. (#8639)Patrick Cloke2020-10-235-5/+5
|
* Send some ephemeral events to appservices (#8437)Will Hunt2020-10-151-0/+3
| | | Optionally sends typing, presence, and read receipt information to appservices.
* Increase default max_upload_size from 10M to 50M (#8502)Mateusz Przybyłowicz2020-10-091-2/+2
| | | Signed-off-by: Mateusz Przybyłowicz <uamfhq@gmail.com>
* Update default room version to 6 (#8461)Richard van der Hoff2020-10-051-1/+1
| | | | Per https://github.com/matrix-org/matrix-doc/pull/2788
* Allow background tasks to be run on a separate worker. (#8369)Patrick Cloke2020-10-021-0/+18
|
* Merge tag 'v1.21.0rc2' into developRichard van der Hoff2020-10-024-6/+15
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Synapse 1.21.0rc2 (2020-10-02) ============================== Features -------- - Convert additional templates from inline HTML to Jinja2 templates. ([\#8444](https://github.com/matrix-org/synapse/issues/8444)) Bugfixes -------- - Fix a regression in v1.21.0rc1 which broke thumbnails of remote media. ([\#8438](https://github.com/matrix-org/synapse/issues/8438)) - Do not expose the experimental `uk.half-shot.msc2778.login.application_service` flow in the login API, which caused a compatibility problem with Element iOS. ([\#8440](https://github.com/matrix-org/synapse/issues/8440)) - Fix malformed log line in new federation "catch up" logic. ([\#8442](https://github.com/matrix-org/synapse/issues/8442)) - Fix DB query on startup for negative streams which caused long start up times. Introduced in [\#8374](https://github.com/matrix-org/synapse/issues/8374). ([\#8447](https://github.com/matrix-org/synapse/issues/8447))
| * Convert additional templates to Jinja (#8444)Patrick Cloke2020-10-024-6/+15
| | | | | | This converts a few more of our inline HTML templates to Jinja. This is somewhat part of #7280 and should make it a bit easier to customize these in the future.
* | Add config option for always using "userinfo endpoint" for OIDC (#7658)BBBSnowball2020-10-011-0/+9
| | | | | | This allows for connecting to certain IdPs, e.g. GitLab.
* | Enable mypy checking for unreachable code and fix instances. (#8432)Patrick Cloke2020-10-011-9/+9
|/
* Add prometheus metrics to track federation delays (#8430)Richard van der Hoff2020-10-014-5/+30
| | | | | Add a pair of federation metrics to track the delays in sending PDUs to/from particular servers.
* Allow additional SSO properties to be passed to the client (#8413)Patrick Cloke2020-09-301-0/+8
|
* Update description of server_name config option (#8415)Aaron Raimist2020-09-291-4/+17
|
* Allow existing users to login via OpenID Connect. (#8345)Tdxdxoz2020-09-251-0/+6
| | | | | | | Co-authored-by: Benjamin Koch <bbbsnowball@gmail.com> This adds configuration flags that will match a user to pre-existing users when logging in via OpenID Connect. This is useful when switching to an existing SSO system.
* Merge branch 'master' into developAndrew Morgan2020-09-241-2/+8
|\
| * Hotfix: disable autoescape by default when rendering Jinja2 templates (#8394)Andrew Morgan2020-09-242-3/+11
| | | | | | | | | | #8037 changed the default `autoescape` option when rendering Jinja2 templates from `False` to `True`. This caused some bugs, noticeably around redirect URLs being escaped in SAML2 auth confirmation templates, causing those URLs to break for users. This change returns the previous behaviour as it stood. We may want to look at each template individually and see whether autoescaping is a good idea at some point, but for now lets just fix the breakage.
* | Simplify super() calls to Python 3 syntax. (#8344)Patrick Cloke2020-09-183-3/+3
| | | | | | | | | | | | | | This converts calls like super(Foo, self) -> super(). Generated with: sed -i "" -Ee 's/super\([^\(]+\)/super()/g' **/*.py
* | Remove obsolete __future__ imports (#8337)Jonathan de Jong2020-09-172-3/+0
| |
* | Improve SAML error messages (#8248)Patrick Cloke2020-09-141-30/+4
| |
* | Add experimental support for sharding event persister. Again. (#8294)Erik Johnston2020-09-143-13/+46
| | | | | | | | | | | | This is *not* ready for production yet. Caveats: 1. We should write some tests... 2. The stream token that we use for events can get stalled at the minimum position of all writers. This means that new events may not be processed and e.g. sent down sync streams if a writer isn't writing or is slow.
* | Show a confirmation page during user password reset (#8004)Andrew Morgan2020-09-101-3/+9
| | | | | | | | | | This PR adds a confirmation step to resetting your user password between clicking the link in your email and your password actually being reset. This is to better align our password reset flow with the industry standard of requiring a confirmation from the user after email validation.
* | Add a config option for validating 'next_link' parameters against a domain ↵Andrew Morgan2020-09-081-1/+32
| | | | | | | | | | | | | | | | | | | | | | whitelist (#8275) This is a config option ported over from DINUM's Sydent: https://github.com/matrix-org/sydent/pull/285 They've switched to validating 3PIDs via Synapse rather than Sydent, and would like to retain this functionality. This original purpose for this change is phishing prevention. This solution could also potentially be replaced by a similar one to https://github.com/matrix-org/synapse/pull/8004, but across all `*/submit_token` endpoint. This option may still be useful to enterprise even with that safeguard in place though, if they want to be absolutely sure that their employees don't follow links to other domains.
* | Fix stack overflow when logging system encounters an error (#8268)Richard van der Hoff2020-09-071-2/+23
|/
* Fix a regression from calling read_templates. (#8252)Patrick Cloke2020-09-041-1/+1
| | | Regressed in #8037.
* Stop sub-classing object (#8249)Patrick Cloke2020-09-048-10/+10
|
* Revert "Add experimental support for sharding event persister. (#8170)" (#8242)Brendan Abolivier2020-09-043-46/+13
| | | | | | | * Revert "Add experimental support for sharding event persister. (#8170)" This reverts commit 82c1ee1c22a87b9e6e3179947014b0f11c0a1ac3. * Changelog
* Add experimental support for sharding event persister. (#8170)Erik Johnston2020-09-023-13/+46
| | | | | | This is *not* ready for production yet. Caveats: 1. We should write some tests... 2. The stream token that we use for events can get stalled at the minimum position of all writers. This means that new events may not be processed and e.g. sent down sync streams if a writer isn't writing or is slow.
* Allow capping a room's retention policy (#8104)Brendan Abolivier2020-08-241-8/+14
|
* Add resources.consent conditional dependency back (#8107)Andrew Morgan2020-08-181-20/+0
| | | Turns out that part of the codebase (synapse.config.server) checks for this key explicitly. Remove that check.
* Use the default templates when a custom template file cannot be found (#8037)Andrew Morgan2020-08-174-105/+191
| | | Fixes https://github.com/matrix-org/synapse/issues/6583
* Move setting of Filter into code.Erik Johnston2020-08-111-8/+16
| | | | | | | | | | | | | | We do this to prevent foot guns. The default config uses a MemoryFilter, but users are free to change to logging to files directly. If they do then they have to ensure to set the `filters: [context]` on the right handler, otherwise records get written with the wrong context. Instead we move the logic to happen when we generate a record, which is when we *log* rather than *handle*. (It's possible to add filters to loggers in the config, however they don't apply to descendant loggers and so they have to be manually set on *every* logger used in the code base)
* Change the default log config to reduce disk I/O and storage (#8040)Erik Johnston2020-08-111-5/+36
| | | | | | | | | | | | | | | | | | | | * Change default log config to buffer by default. This batches up writes to the filesystem, which is more efficient for disk I/O. This means that it can take some time for logs to get written to disk. Note that ERROR logs (and above) immediately flush the buffer. This only effects new installs, as we only write the log config if started with `--generate-config` (in the same way we do for generating signing keys). * Default to keeping last 4 days of logs. This hopefully reduces the amount of logs kept for new servers. Keeping the last 1GB of logs is likely overkill for new servers, but equally may not be enough for busy ones. Instead, we keep the last four days worth of logs, enough so that admins can investigate any problems that happened over e.g. a long weekend.
* Implement login blocking based on SAML attributes (#8052)Richard van der Hoff2020-08-112-0/+99
| | | | | | | Hopefully this mostly speaks for itself. I also did a bit of cleaning up of the error handling. Fixes #8047
* TypoBrendan Abolivier2020-08-101-1/+1
|
* LintBrendan Abolivier2020-08-101-2/+2
|
* why mypy whyBrendan Abolivier2020-08-101-1/+3
|
* LintBrendan Abolivier2020-08-061-1/+1
|
* Incorporate reviewBrendan Abolivier2020-08-061-2/+2
|
* Merge branch 'develop' of github.com:matrix-org/synapse into ↵Brendan Abolivier2020-08-062-1/+25
|\ | | | | | | babolivier/new_push_rules
| * Rename database classes to make some sense (#8033)Erik Johnston2020-08-051-1/+4
| |
| * Merge branch 'develop' of github.com:matrix-org/synapse into ↵Erik Johnston2020-07-312-18/+7
| |\ | | | | | | | | | erikj/add_rate_limiting_to_joins
| * | Add ratelimiting on joinsErik Johnston2020-07-311-0/+21
| | |
* | | Incorporate reviewBrendan Abolivier2020-08-061-0/+3
| | |
* | | Back out the database hack and replace it with a temporary config settingBrendan Abolivier2020-08-031-0/+10
| |/ |/|
* | Merge branch 'master' into developOlivier Wilkinson (reivilibre)2020-07-305-15/+73
|\|
| * Update worker docs with recent enhancements (#7969)Erik Johnston2020-07-295-15/+73
| |
* | Various improvements to the docs (#7899)Aaron Raimist2020-07-291-18/+0
| |
* | Option to allow server admins to join complex rooms (#7902)lugino-emeritus2020-07-281-0/+7
|/ | | | | Fixes #7901. Signed-off-by: Niklas Tittjung <nik_t.01@web.de>
* Fix a typo in the sample config. (#7890)Adrian2020-07-201-1/+1
|
* Change sample config's postgres user to synapse_user (#7889)Andrew Morgan2020-07-201-1/+1
| | | | | | | The [postgres setup docs](https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#set-up-database) recommend setting up your database with user `synapse_user`. However, uncommenting the postgres defaults in the sample config leave you with user `synapse`. This PR switches the sample config to recommend `synapse_user`. Took a me a second to figure this out, so assume this will beneficial to others.
* Add a default limit (of 100) to get/sync operations. (#7858)Patrick Cloke2020-07-171-2/+4
|
* Allow moving typing off master (#7869)Erik Johnston2020-07-161-9/+10
|
* Add ability to run multiple pusher instances (#7855)Erik Johnston2020-07-164-37/+48
| | | This reuses the same scheme as federation sender sharding
* Allow email subjects to be customised through Synapse's configuration (#7846)Brendan Abolivier2020-07-141-6/+112
|
* Add the option to validate the `iss` and `aud` claims for JWT logins. (#7827)Patrick Cloke2020-07-141-0/+28
|
* Fix handling of "off" in encryption_enabled_by_default_for_room_type (#7822)Brendan Abolivier2020-07-131-1/+6
| | | | | | | | | | | | | | | | | Fixes https://github.com/matrix-org/synapse/issues/7821, introduced in https://github.com/matrix-org/synapse/pull/7639 Turns out PyYAML translates `off` into a `False` boolean if it's unquoted (see https://stackoverflow.com/questions/36463531/pyyaml-automatically-converting-certain-keys-to-boolean-values), which seems to be a liberal interpretation of this bit of the YAML spec: https://yaml.org/spec/1.1/current.html#id864510 An alternative fix would be to implement the solution mentioned in the SO post linked above, but I'm aware it might break existing setups (which might use these values in the configuration file) so it's probably better just to add an extra check for this one. We should be aware that this is a thing for the next times we do that though. I didn't find any other occurrence of this bug elsewhere in the codebase.
* Add ability to shard the federation sender (#7798)Erik Johnston2020-07-103-66/+132
|
* Fix some spelling mistakes / typos. (#7811)Patrick Cloke2020-07-091-1/+1
|
* Add documentation for JWT login type and improve sample config. (#7776)Patrick Cloke2020-07-061-4/+31
|
* isort 5 compatibility (#7786)Will Hunt2020-07-052-2/+2
| | | The CI appears to use the latest version of isort, which is a problem when isort gets a major version bump. Rather than try to pin the version, I've done the necessary to make isort5 happy with synapse.
* Additional configuration options for auto-join rooms (#7763)Patrick Cloke2020-06-301-3/+103
|
* Support running multiple media repos. (#7706)Erik Johnston2020-06-171-0/+6
| | | | | This requires a new config option to specify which media repo should be responsible for running background jobs to e.g. clear out expired URL preview caches.
* fix broken link in sample config (#7712)Richard van der Hoff2020-06-161-1/+1
|
* Replace all remaining six usage with native Python 3 equivalents (#7704)Dagfinn Ilmari Mannsåker2020-06-163-16/+7
|
* Create a ListenerConfig object (#7681)Richard van der Hoff2020-06-162-102/+157
| | | | | | | | | | This ended up being a bit more invasive than I'd hoped for (not helped by generic_worker duplicating some of the code from homeserver), but hopefully it's an improvement. The idea is that, rather than storing unstructured `dict`s in the config for the listener configurations, we instead parse it into a structured `ListenerConfig` object.
* Increase the default SAML session expirary time to 15 minutes. (#7664)Patrick Cloke2020-06-111-2/+2
|
* fix typo in sample_config.yaml (#7652)wondratsch2020-06-111-1/+1
| | | | | Just a simple typo fix. Signed-off-by: wondratsch 28294257+wondratsch@users.noreply.github.com
* Take out a lock before modifying _CACHES (#7663)Richard van der Hoff2020-06-101-5/+15
| | | | This should fix #7610.
* Add option to enable encryption by default for new rooms (#7639)Andrew Morgan2020-06-102-0/+82
| | | | | | | | | Fixes https://github.com/matrix-org/synapse/issues/2431 Adds config option `encryption_enabled_by_default_for_room_type`, which determines whether encryption should be enabled with the default encryption algorithm in private or public rooms upon creation. Whether the room is private or public is decided based upon the room creation preset that is used. Part of this PR is also pulling out all of the individual instances of `m.megolm.v1.aes-sha2` into a constant variable to eliminate typos ala https://github.com/matrix-org/synapse/pull/7637 Based on #7637
* Add an option to disable autojoin for guest accounts (#6637)Travis Ralston2020-06-051-0/+8
| | | | Fixes https://github.com/matrix-org/synapse/issues/3177
* Add support for webp thumbnailing (#7586)WGH2020-06-051-0/+1
| | | | | Closes #4382 Signed-off-by: Maxim Plotnikov <wgh@torlan.ru>
* Performance improvements and refactor of Ratelimiter (#7595)Andrew Morgan2020-06-051-1/+7
| | | | | | | | | | While working on https://github.com/matrix-org/synapse/issues/5665 I found myself digging into the `Ratelimiter` class and seeing that it was both: * Rather undocumented, and * causing a *lot* of config checks This PR attempts to refactor and comment the `Ratelimiter` class, as well as encourage config file accesses to only be done at instantiation. Best to be reviewed commit-by-commit.
* Cleanups to the OpenID Connect integration (#7628)Richard van der Hoff2020-06-033-76/+105
| | | | docs, default configs, comments. Nothing very significant.
* Clean up exception handling in SAML2ResponseResource (#7614)Richard van der Hoff2020-06-031-5/+13
| | | | | | | | | | | | | * Expose `return_html_error`, and allow it to take a Jinja2 template instead of a raw string * Clean up exception handling in SAML2ResponseResource * use the existing code in `return_html_error` instead of re-implementing it (giving it a jinja2 template rather than inventing a new form of template) * do the exception-catching in the REST layer rather than in the handler layer, to make sure we catch all exceptions.
* Fix sample config docs error (#7581)Jason Robinson2020-05-271-1/+1
| | | | | | 'client_auth_method' commented out value was erronously 'client_auth_basic', when code and docstring says it should be 'client_secret_basic'. Signed-off-by: Jason Robinson <jasonr@matrix.org>
* Fix up commentsErik Johnston2020-05-271-2/+2
|
* Fix specifying cache factors via env vars with * in name. (#7580)Erik Johnston2020-05-271-5/+39
| | | | | This mostly applise to `*stateGroupCache*` and co. Broke in #6391.
* Add option to move event persistence off master (#7517)Erik Johnston2020-05-222-2/+29
|
* Fix some DETECTED VIOLATIONS in the config file (#7550)Richard van der Hoff2020-05-226-29/+36
| | | consistency ftw
* Add `instance_map` config and route replication calls (#7495)Erik Johnston2020-05-141-0/+17
|
* Fix copypasted comment (#7477)Paul Tötterman2020-05-131-1/+1
| | | Signed-off-by: Paul Tötterman <paul.totterman@iki.fi>
* Fix new flake8 errors (#7470)Erik Johnston2020-05-121-1/+1
|
* Allow configuration of Synapse's cache without using synctl or environment ↵Amber Brown2020-05-113-6/+166
| | | | variables (#6391)
* Merge branch 'release-v1.13.0' into developAndrew Morgan2020-05-111-1/+0
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * release-v1.13.0: Don't UPGRADE database rows RST indenting Put rollback instructions in upgrade notes Fix changelog typo Oh yeah, RST Absolute URL it is then Fix upgrade notes link Provide summary of upgrade issues in changelog. Fix ) Move next version notes from changelog to upgrade notes Changelog fixes 1.13.0rc1 Documentation on setting up redis (#7446) Rework UI Auth session validation for registration (#7455) Fix errors from malformed log line (#7454) Drop support for redis.dbid (#7450)
| * Drop support for redis.dbid (#7450)Richard van der Hoff2020-05-071-1/+0
| | | | | | Since we only use pubsub, the dbid is irrelevant.
* | Extend spam checker to allow for multiple modules (#7435)Andrew Morgan2020-05-081-8/+30
| |
* | Implement OpenID Connect-based login (#7256)Quentin Gliech2020-05-084-7/+191
|/
* Add a configuration setting for the dummy event threshold (#7422)Brendan Abolivier2020-05-071-0/+15
| | | Add dummy_events_threshold which allows configuring the number of forward extremities a room needs for Synapse to send forward extremities in it.
* Fix fallback value for account_threepid_delegates.email (#7316)Andrew Morgan2020-04-291-3/+8
|
* Fix typo 'datbases' in ConfigErrorAndrew Morgan2020-04-281-1/+1
|
* Don't crash when one of the configuration files is empty (#7341)Brendan Abolivier2020-04-271-0/+6
| | | | | If the admin adds a `.yaml` file that's either empty or doesn't parse into a dict to a config directory (e.g. `conf.d` for debs installs), stuff like https://github.com/matrix-org/synapse/issues/7322 would happen. This PR checks that the file is correctly parsed into a dict, or ignores it with a warning if it parses into any other type (including `None` for empty files). Fixes https://github.com/matrix-org/synapse/issues/7322
* Add documentation to the sample config about the templates for SSO. (#7343)Patrick Cloke2020-04-241-0/+24
|
* Revert "Revert "Merge pull request #7315 from ↵Brendan Abolivier2020-04-231-0/+21
| | | | | | matrix-org/babolivier/request_token"" This reverts commit 1adf6a55870aa08de272591ff49db9dc49738076.
* Add ability to run replication protocol over redis. (#7040)Erik Johnston2020-04-222-0/+37
| | | This is configured via the `redis` config options.
* Fix indention in generated config file (#7300)Lars Franke2020-04-201-22/+22
| | | | | | Also adjust sample_config.yaml Signed-off-by: Lars Franke <frcl@mailbox.org>
* Use a template for the SSO success page to allow for customization. (#7279)Patrick Cloke2020-04-171-0/+6
|
* Clarify the comments for media_storage_providers options (#7272)Tristan Lins2020-04-171-4/+3
|
* Allow specifying the value of Accept-Language header for URL previews (#7265)Andrew Morgan2020-04-151-0/+29
|
* Do not allow a deactivated user to login via SSO. (#7240)Patrick Cloke2020-04-091-0/+7
|
* Fix --help commandline argument (#7249)Richard van der Hoff2020-04-091-16/+8
| | | | | | | | I don't really remember why this was so complicated; I think it dates back to the time when we had to instantiate the Config classes before we could call `add_arguments` - ie before #5597. In any case, I don't think there's a good reason for it any more, and the impact of it being complicated is that `--help` doesn't work correctly.
* Add documentation to password_providers config option (#7238)Andrew Morgan2020-04-081-2/+14
|
* Extend web_client_location to handle absolute URLs (#7006)Martin Milata2020-04-031-3/+8
| | | | | Log warning when filesystem path is used. Signed-off-by: Martin Milata <martin@martinmilata.cz>
* Fix a small typo in the `metrics_flags` config option. (#7171)Andrew Morgan2020-03-301-1/+1
|
* Always whitelist the login fallback for SSO (#7153)Richard van der Hoff2020-03-271-0/+15
| | | | | | | That fallback sets the redirect URL to itself (so it can process the login token then return gracefully to the client). This would make it pointless to ask the user for confirmation, since the URL the confirmation page would be showing wouldn't be the client's.
* Add options to prevent users from changing their profile. (#7096)Dirk Klimpel2020-03-271-0/+27
|
* Don't default to an invalid sqlite config if no database configuration is ↵Nektarios Katakis2020-03-261-22/+47
| | | | provided (#6573)
* Allow server admins to define and enforce a password policy (MSC2000). (#7118)Dirk Klimpel2020-03-261-0/+39
|
* Remove unused captcha_bypass_secret option (#7137)Aaron Raimist2020-03-251-5/+0
| | | Signed-off-by: Aaron Raimist <aaron@raim.ist>
* Improve database configuration docs (#6988)Richard van der Hoff2020-03-202-36/+59
| | | | | Attempts to clarify the sample config for databases, and add some stuff about tcp keepalives to `postgres.md`.
* Revert "Add options to disable setting profile info for prevent changes. ↵Richard van der Hoff2020-03-171-17/+0
| | | | | | | (#7053)" This reverts commit 54dd28621b070ca67de9f773fe9a89e1f4dc19da, reversing changes made to 6640460d054e8f4444046a34bdf638921b31c01e.
* LintBrendan Abolivier2020-03-111-2/+1
|
* Put the file in the templates directoryBrendan Abolivier2020-03-111-12/+21
|
* Update wording and configBrendan Abolivier2020-03-111-0/+3
|
* Move the default SAML2 error HTML to a dedicated fileBrendan Abolivier2020-03-111-18/+11
| | | | | Also add some JS to it to process any error we might have in the URI (see #6893).
* Add options to disable setting profile info for prevent changes. (#7053)Brendan Abolivier2020-03-101-0/+17
|\
| * Update synapse/config/registration.pyDirk Klimpel2020-03-101-1/+1
| | | | | | Co-Authored-By: Brendan Abolivier <github@brendanabolivier.com>
| * updates after reviewdklimpel2020-03-091-8/+8
| |
| * add disable_3pid_changesdklimpel2020-03-081-0/+6
| |
| * lint2dklimpel2020-03-081-2/+2
| |
| * changelogdklimpel2020-03-081-2/+2
| |
| * Add options to disable setting profile info for prevent changes.dklimpel2020-03-081-0/+11
| |
* | Rephrase default messageBrendan Abolivier2020-03-101-2/+2
| |
* | LintBrendan Abolivier2020-03-101-1/+1
| |
* | SAML2: render a comprehensible error page if something goes wrongBrendan Abolivier2020-03-101-0/+26
| | | | | | | | | | | | If an error happened while processing a SAML AuthN response, or a client ends up doing a `GET` request to `/authn_response`, then render a customisable error page rather than a confusing error.
* | Merge branch 'master' into developBrendan Abolivier2020-03-033-0/+96
|\ \ | |/ |/|
| * Factor out complete_sso_login and expose it to the Module APIBrendan Abolivier2020-03-031-1/+1
| |
| * Add a whitelist for the SSO confirmation step.Richard van der Hoff2020-03-021-0/+18
| |
| * Add a confirmation step to the SSO login flowBrendan Abolivier2020-03-023-0/+78
| |
* | Fix minor issues with email config (#6962)Richard van der Hoff2020-02-241-36/+30
| | | | | | | | | | | | * Give `notif_template_html`, `notif_template_text` default values (fixes #6960) * Don't complain if `smtp_host` and `smtp_port` are unset, since they have sensible defaults (fixes #6961) * Set the example for `enable_notifs` to `True`, for consistency and because it's more useful * Raise errors as ConfigError rather than RuntimeError for nicer formatting
* | Clarify list/set/dict/tuple comprehensions and enforce via flake8 (#6957)Patrick Cloke2020-02-212-3/+3
|/ | | | Ensure good comprehension hygiene using flake8-comprehensions.
* Merge pull request #6907 from matrix-org/babolivier/acme-configBrendan Abolivier2020-02-181-0/+19
|\ | | | | Add mention and warning about ACME v1 deprecation to the TLS config
| * Linters are hard but in they end they just want what's best for usBrendan Abolivier2020-02-131-1/+1
| |
| * Add a separator for the config warningBrendan Abolivier2020-02-131-1/+1
| |
| * Add mention and warning about ACME v1 deprecation to the Synapse configBrendan Abolivier2020-02-131-0/+19
| |
* | Add a warning about indentation to generated config (#6920)Richard van der Hoff2020-02-141-2/+14
|/ | | Fixes #6916.
* Allow empty federation_certificate_verification_whitelist (#6849)timfi2020-02-061-0/+2
|
* Fix empty account_validity config blockAndrew Morgan2020-01-201-1/+2
|
* Add more logging around message retention policies support (#6717)Brendan Abolivier2020-01-171-0/+8
| | | So we can debug issues like #6683 more easily
* Delegate remote_user_id mapping to the saml mapping provider (#6723)Richard van der Hoff2020-01-171-0/+1
| | | Turns out that figuring out a remote user id for the SAML user isn't quite as obvious as it seems. Factor it out to the SamlMappingProvider so that it's easy to control.
* Clarify the `account_validity` and `email` sections of the sample ↵Richard van der Hoff2020-01-173-140/+167
| | | | | | | | | | | configuration. (#6685) Generally try to make this more comprehensible, and make it match the conventions. I've removed the documentation for all the settings which allow you to change the names of the template files, because I can't really see why they are useful.
* Merge pull request #6621 from matrix-org/babolivier/purge_job_config_typoBrendan Abolivier2020-01-071-5/+5
|\ | | | | Fix a typo in the purge jobs configuration example
| * RewordBrendan Abolivier2020-01-071-3/+3
| |
| * Change the example from 5min to 12hBrendan Abolivier2020-01-071-4/+4
| | | | | | | | Have a purge job running every 5min is probably not something we want to advise admins to do as a sort-of default.
| * Fix a typo in the purge jobs configuration exampleBrendan Abolivier2020-01-031-1/+1
| |
* | Add experimental 'databases' config (#6580)Erik Johnston2020-01-061-13/+42
| |
* | Automate generation of the sample and debian log configs (#6627)Richard van der Hoff2020-01-031-1/+8
| |
* | Raise an error if someone tries to use the log_file config option (#6626)Richard van der Hoff2020-01-031-2/+15
| | | | | | | | This has caused some confusion for people who didn't notice it going away.
* | Remove unused, undocumented "content repo" resource (#6628)Richard van der Hoff2020-01-031-5/+0
|/ | | | | | This looks like it got half-killed back in #888. Fixes #6567.
* Split state groups into a separate data store (#6296)Erik Johnston2019-12-201-5/+5
|
* Add an export_signing_key script (#6546)Richard van der Hoff2019-12-191-8/+15
| | | | | I want to do some key rotation, and it is silly that we don't have a way to do this.
* Add database config class (#6513)Erik Johnston2019-12-181-16/+62
| | | | | This encapsulates config for a given database and is the way to get new connections.
* Add option to allow profile queries without sharing a room (#6523)Will Hunt2019-12-161-0/+13
|
* Bump version of mypyErik Johnston2019-12-123-4/+4
|
* Allow SAML username provider plugins (#6411)Andrew Morgan2019-12-101-60/+126
|
* privacy by default for room dir (#6355)Neil Johnson2019-12-041-12/+14
| | | | Ensure that the the default settings for the room directory are that the it is hidden from public view by default.
* Add ephemeral messages support (MSC2228) (#6409)Brendan Abolivier2019-12-031-0/+2
| | | | | | | | Implement part [MSC2228](https://github.com/matrix-org/matrix-doc/pull/2228). The parts that differ are: * the feature is hidden behind a configuration flag (`enable_ephemeral_messages`) * self-destruction doesn't happen for state events * only implement support for the `m.self_destruct_after` field (not the `m.self_destruct` one) * doesn't send synthetic redactions to clients because for this specific case we consider the clients to be able to destroy an event themselves, instead we just censor it (by pruning its JSON) in the database
* Clarifications for the email configuration settings. (#6423)Richard van der Hoff2019-11-281-1/+16
| | | Cf #6422
* Merge pull request #6358 from matrix-org/babolivier/message_retentionBrendan Abolivier2019-11-271-1/+182
|\ | | | | Implement message retention policies (MSC1763)
| * Merge branch 'develop' into babolivier/message_retentionBrendan Abolivier2019-11-265-11/+11
| |\
| * | Lint againBrendan Abolivier2019-11-191-1/+1
| | |
| * | Lint againBrendan Abolivier2019-11-191-1/+1
| | |
| * | LintBrendan Abolivier2019-11-191-15/+24
| | |
| * | Implement per-room message retention policiesBrendan Abolivier2019-11-041-0/+172
| | |