sso.py 5.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147
  1. # Copyright 2020-2021 The Matrix.org Foundation C.I.C.
  2. #
  3. # Licensed under the Apache License, Version 2.0 (the "License");
  4. # you may not use this file except in compliance with the License.
  5. # You may obtain a copy of the License at
  6. #
  7. # http://www.apache.org/licenses/LICENSE-2.0
  8. #
  9. # Unless required by applicable law or agreed to in writing, software
  10. # distributed under the License is distributed on an "AS IS" BASIS,
  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. # See the License for the specific language governing permissions and
  13. # limitations under the License.
  14. import logging
  15. from typing import Any, Dict, Optional
  16. import attr
  17. from ._base import Config
  18. logger = logging.getLogger(__name__)
  19. LEGACY_TEMPLATE_DIR_WARNING = """
  20. This server's configuration file is using the deprecated 'template_dir' setting in the
  21. 'sso' section. Support for this setting has been deprecated and will be removed in a
  22. future version of Synapse. Server admins should instead use the new
  23. 'custom_templates_directory' setting documented here:
  24. https://matrix-org.github.io/synapse/latest/templates.html
  25. ---------------------------------------------------------------------------------------"""
  26. @attr.s(frozen=True, auto_attribs=True)
  27. class SsoAttributeRequirement:
  28. """Object describing a single requirement for SSO attributes."""
  29. attribute: str
  30. # If a value is not given, than the attribute must simply exist.
  31. value: Optional[str]
  32. JSON_SCHEMA = {
  33. "type": "object",
  34. "properties": {"attribute": {"type": "string"}, "value": {"type": "string"}},
  35. "required": ["attribute", "value"],
  36. }
  37. class SSOConfig(Config):
  38. """SSO Configuration"""
  39. section = "sso"
  40. def read_config(self, config, **kwargs) -> None:
  41. sso_config: Dict[str, Any] = config.get("sso") or {}
  42. # The sso-specific template_dir
  43. self.sso_template_dir = sso_config.get("template_dir")
  44. if self.sso_template_dir is not None:
  45. logger.warning(LEGACY_TEMPLATE_DIR_WARNING)
  46. # Read templates from disk
  47. custom_template_directories = (
  48. self.root.server.custom_template_directory,
  49. self.sso_template_dir,
  50. )
  51. (
  52. self.sso_login_idp_picker_template,
  53. self.sso_redirect_confirm_template,
  54. self.sso_auth_confirm_template,
  55. self.sso_error_template,
  56. sso_account_deactivated_template,
  57. sso_auth_success_template,
  58. self.sso_auth_bad_user_template,
  59. ) = self.read_templates(
  60. [
  61. "sso_login_idp_picker.html",
  62. "sso_redirect_confirm.html",
  63. "sso_auth_confirm.html",
  64. "sso_error.html",
  65. "sso_account_deactivated.html",
  66. "sso_auth_success.html",
  67. "sso_auth_bad_user.html",
  68. ],
  69. (td for td in custom_template_directories if td),
  70. )
  71. # These templates have no placeholders, so render them here
  72. self.sso_account_deactivated_template = (
  73. sso_account_deactivated_template.render()
  74. )
  75. self.sso_auth_success_template = sso_auth_success_template.render()
  76. self.sso_client_whitelist = sso_config.get("client_whitelist") or []
  77. self.sso_update_profile_information = (
  78. sso_config.get("update_profile_information") or False
  79. )
  80. # Attempt to also whitelist the server's login fallback, since that fallback sets
  81. # the redirect URL to itself (so it can process the login token then return
  82. # gracefully to the client). This would make it pointless to ask the user for
  83. # confirmation, since the URL the confirmation page would be showing wouldn't be
  84. # the client's.
  85. login_fallback_url = (
  86. self.root.server.public_baseurl + "_matrix/static/client/login"
  87. )
  88. self.sso_client_whitelist.append(login_fallback_url)
  89. def generate_config_section(self, **kwargs) -> str:
  90. return """\
  91. # Additional settings to use with single-sign on systems such as OpenID Connect,
  92. # SAML2 and CAS.
  93. #
  94. # Server admins can configure custom templates for pages related to SSO. See
  95. # https://matrix-org.github.io/synapse/latest/templates.html for more information.
  96. #
  97. sso:
  98. # A list of client URLs which are whitelisted so that the user does not
  99. # have to confirm giving access to their account to the URL. Any client
  100. # whose URL starts with an entry in the following list will not be subject
  101. # to an additional confirmation step after the SSO login is completed.
  102. #
  103. # WARNING: An entry such as "https://my.client" is insecure, because it
  104. # will also match "https://my.client.evil.site", exposing your users to
  105. # phishing attacks from evil.site. To avoid this, include a slash after the
  106. # hostname: "https://my.client/".
  107. #
  108. # The login fallback page (used by clients that don't natively support the
  109. # required login flows) is whitelisted in addition to any URLs in this list.
  110. #
  111. # By default, this list contains only the login fallback page.
  112. #
  113. #client_whitelist:
  114. # - https://riot.im/develop
  115. # - https://my.custom.client/
  116. # Uncomment to keep a user's profile fields in sync with information from
  117. # the identity provider. Currently only syncing the displayname is
  118. # supported. Fields are checked on every SSO login, and are updated
  119. # if necessary.
  120. #
  121. # Note that enabling this option will override user profile information,
  122. # regardless of whether users have opted-out of syncing that
  123. # information when first signing in. Defaults to false.
  124. #
  125. #update_profile_information: true
  126. """