Home Explore Help
Register Sign In
RISCI_ATOM
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Files Issues 3 Wiki
Browse Source

Add an admin API endpoint to find a user based on its external ID in an auth provider. (#13810)

Quentin Gliech 1 year ago
parent
f7a77ad717
commit
74f60cec92
5 changed files with 155 additions and 0 deletions
Split View Show Diff Stats
  1. 1 0
      changelog.d/13810.feature
  2. 38 0
      docs/admin_api/user_admin_api.md
  3. 2 0
      synapse/rest/admin/__init__.py
  4. 27 0
      synapse/rest/admin/users.py
  5. 87 0
      tests/rest/admin/test_user.py

+ 1 - 0
changelog.d/13810.feature
View File 

@@ -0,0 +1 @@
 
+Add an admin API endpoint to find a user based on its external ID in an auth provider.

+ 38 - 0
docs/admin_api/user_admin_api.md
View File 

@@ -1155,3 +1155,41 @@ GET /_synapse/admin/v1/username_available?username=$localpart
 
 
 The request and response format is the same as the
 
 [/_matrix/client/r0/register/available](https://matrix.org/docs/spec/client_server/r0.6.0#get-matrix-client-r0-register-available) API.
 
+
 
+### Find a user based on their ID in an auth provider
 
+
 
+The API is:
 
+
 
+```
 
+GET /_synapse/admin/v1/auth_providers/$provider/users/$external_id
 
+```
 
+
 
+When a user matched the given ID for the given provider, an HTTP code `200` with a response body like the following is returned:
 
+
 
+```json
 
+{
 
+    "user_id": "@hello:example.org"
 
+}
 
+```
 
+
 
+**Parameters**
 
+
 
+The following parameters should be set in the URL:
 
+
 
+- `provider` - The ID of the authentication provider, as advertised by the [`GET /_matrix/client/v3/login`](https://spec.matrix.org/latest/client-server-api/#post_matrixclientv3login) API in the `m.login.sso` authentication method.
 
+- `external_id` - The user ID from the authentication provider. Usually corresponds to the `sub` claim for OIDC providers, or to the `uid` attestation for SAML2 providers.
 
+
 
+The `external_id` may have characters that are not URL-safe (typically `/`, `:` or `@`), so it is advised to URL-encode those parameters.
 
+
 
+**Errors**
 
+
 
+Returns a `404` HTTP status code if no user was found, with a response body like this:
 
+
 
+```json
 
+{
 
+    "errcode":"M_NOT_FOUND",
 
+    "error":"User not found"
 
+}
 
+```
 
+
 
+_Added in Synapse 1.68.0._

+ 2 - 0
synapse/rest/admin/__init__.py
View File 

@@ -80,6 +80,7 @@ from synapse.rest.admin.users import (
 
     SearchUsersRestServlet,
 
     ShadowBanRestServlet,
 
     UserAdminServlet,
 
+    UserByExternalId,
 
     UserMembershipRestServlet,
 
     UserRegisterServlet,
 
     UserRestServletV2,
 
@@ -275,6 +276,7 @@ def register_servlets(hs: "HomeServer", http_server: HttpServer) -> None:
 
     ListDestinationsRestServlet(hs).register(http_server)
 
     RoomMessagesRestServlet(hs).register(http_server)
 
     RoomTimestampToEventRestServlet(hs).register(http_server)
 
+    UserByExternalId(hs).register(http_server)
 
 
     # Some servlets only get registered for the main process.
 
     if hs.config.worker.worker_app is None:

+ 27 - 0
synapse/rest/admin/users.py
View File 

@@ -1156,3 +1156,30 @@ class AccountDataRestServlet(RestServlet):
 
                 "rooms": by_room_data,
 
             },
 
         }
 
+
 
+
 
+class UserByExternalId(RestServlet):
 
+    """Find a user based on an external ID from an auth provider"""
 
+
 
+    PATTERNS = admin_patterns(
 
+        "/auth_providers/(?P<provider>[^/]*)/users/(?P<external_id>[^/]*)"
 
+    )
 
+
 
+    def __init__(self, hs: "HomeServer"):
 
+        self._auth = hs.get_auth()
 
+        self._store = hs.get_datastores().main
 
+
 
+    async def on_GET(
 
+        self,
 
+        request: SynapseRequest,
 
+        provider: str,
 
+        external_id: str,
 
+    ) -> Tuple[int, JsonDict]:
 
+        await assert_requester_is_admin(self._auth, request)
 
+
 
+        user_id = await self._store.get_user_by_external_id(provider, external_id)
 
+
 
+        if user_id is None:
 
+            raise NotFoundError("User not found")
 
+
 
+        return HTTPStatus.OK, {"user_id": user_id}

+ 87 - 0
tests/rest/admin/test_user.py
View File 

@@ -4140,3 +4140,90 @@ class AccountDataTestCase(unittest.HomeserverTestCase):
 
             {"b": 2},
 
             channel.json_body["account_data"]["rooms"]["test_room"]["m.per_room"],
 
         )
 
+
 
+
 
+class UsersByExternalIdTestCase(unittest.HomeserverTestCase):
 
+
 
+    servlets = [
 
+        synapse.rest.admin.register_servlets,
 
+        login.register_servlets,
 
+    ]
 
+
 
+    def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:
 
+        self.store = hs.get_datastores().main
 
+
 
+        self.admin_user = self.register_user("admin", "pass", admin=True)
 
+        self.admin_user_tok = self.login("admin", "pass")
 
+
 
+        self.other_user = self.register_user("user", "pass")
 
+        self.get_success(
 
+            self.store.record_user_external_id(
 
+                "the-auth-provider", "the-external-id", self.other_user
 
+            )
 
+        )
 
+        self.get_success(
 
+            self.store.record_user_external_id(
 
+                "another-auth-provider", "a:complex@external/id", self.other_user
 
+            )
 
+        )
 
+
 
+    def test_no_auth(self) -> None:
 
+        """Try to lookup a user without authentication."""
 
+        url = (
 
+            "/_synapse/admin/v1/auth_providers/the-auth-provider/users/the-external-id"
 
+        )
 
+
 
+        channel = self.make_request(
 
+            "GET",
 
+            url,
 
+        )
 
+
 
+        self.assertEqual(401, channel.code, msg=channel.json_body)
 
+        self.assertEqual(Codes.MISSING_TOKEN, channel.json_body["errcode"])
 
+
 
+    def test_binding_does_not_exist(self) -> None:
 
+        """Tests that a lookup for an external ID that does not exist returns a 404"""
 
+        url = "/_synapse/admin/v1/auth_providers/the-auth-provider/users/unknown-id"
 
+
 
+        channel = self.make_request(
 
+            "GET",
 
+            url,
 
+            access_token=self.admin_user_tok,
 
+        )
 
+
 
+        self.assertEqual(404, channel.code, msg=channel.json_body)
 
+        self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])
 
+
 
+    def test_success(self) -> None:
 
+        """Tests a successful external ID lookup"""
 
+        url = (
 
+            "/_synapse/admin/v1/auth_providers/the-auth-provider/users/the-external-id"
 
+        )
 
+
 
+        channel = self.make_request(
 
+            "GET",
 
+            url,
 
+            access_token=self.admin_user_tok,
 
+        )
 
+
 
+        self.assertEqual(200, channel.code, msg=channel.json_body)
 
+        self.assertEqual(
 
+            {"user_id": self.other_user},
 
+            channel.json_body,
 
+        )
 
+
 
+    def test_success_urlencoded(self) -> None:
 
+        """Tests a successful external ID lookup with an url-encoded ID"""
 
+        url = "/_synapse/admin/v1/auth_providers/another-auth-provider/users/a%3Acomplex%40external%2Fid"
 
+
 
+        channel = self.make_request(
 
+            "GET",
 
+            url,
 
+            access_token=self.admin_user_tok,
 
+        )
 
+
 
+        self.assertEqual(200, channel.code, msg=channel.json_body)
 
+        self.assertEqual(
 
+            {"user_id": self.other_user},
 
+            channel.json_body,
 
+        )