Add config option to block users from looking up 3PIDs (#5010)

Brendan Abolivier 2019-04-04 17:25:47 +01:00 committed by Erik Johnston
parent 9bf49abc07
commit 0fcf7e5c57
6 changed files with 81 additions and 1 deletions

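--- a/changelog.d/5010.feature
+++ b/changelog.d/5010.feature
@@ -0,0 +1 @@
+Add config option to block users from looking up 3PIDs.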


@ -693,6 +693,10 @@ uploads_path: "DATADIR/uploads"
# #
#disable_3pid_changes: False #disable_3pid_changes: False
# Enable 3PIDs lookup requests to identity servers from this server.
#
#enable_3pid_lookup: true
# If set, allows registration of standard or admin accounts by anyone who # If set, allows registration of standard or admin accounts by anyone who
# has the shared secret, even if registration is otherwise disabled. # has the shared secret, even if registration is otherwise disabled.
# #


@ -40,6 +40,7 @@ class RegistrationConfig(Config):
self.disable_3pid_changes = config.get("disable_3pid_changes", False) self.disable_3pid_changes = config.get("disable_3pid_changes", False)
self.enable_3pid_lookup = config.get("enable_3pid_lookup", True)
self.registration_shared_secret = config.get("registration_shared_secret") self.registration_shared_secret = config.get("registration_shared_secret")
self.register_mxid_from_3pid = config.get("register_mxid_from_3pid") self.register_mxid_from_3pid = config.get("register_mxid_from_3pid")
self.register_just_use_email_for_display_name = config.get( self.register_just_use_email_for_display_name = config.get(
@ -146,6 +147,10 @@ class RegistrationConfig(Config):
# #
#disable_3pid_changes: False #disable_3pid_changes: False
# Enable 3PIDs lookup requests to identity servers from this server.
#
#enable_3pid_lookup: true
# If set, allows registration of standard or admin accounts by anyone who # If set, allows registration of standard or admin accounts by anyone who
# has the shared secret, even if registration is otherwise disabled. # has the shared secret, even if registration is otherwise disabled.
# #
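Review bot: `config.get("enable_3pid_lookup", True)` in the first hunk accepts any YAML value, so a quoted `"false"` or other non-boolean is stored as given and is truthy when the handler tests it with `not`, leaving lookups enabled when the operator meant to turn them off. Because this option is a privacy control, a non-boolean value should fail at startup rather than fail open, e.g. `if not isinstance(self.enable_3pid_lookup, bool): raise ConfigError("enable_3pid_lookup must be true or false")`, assuming `ConfigError` is available in this module. The help text added in the second hunk could also state the effect of disabling it, for instance `# When false, third-party invites that need an identity server lookup (e.g. by email) are rejected with a 403.` The enclosing methods start outside both hunks.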


@ -71,6 +71,7 @@ class RoomMemberHandler(object):
self.spam_checker = hs.get_spam_checker() self.spam_checker = hs.get_spam_checker()
self._server_notices_mxid = self.config.server_notices_mxid self._server_notices_mxid = self.config.server_notices_mxid
self.rewrite_identity_server_urls = self.config.rewrite_identity_server_urls self.rewrite_identity_server_urls = self.config.rewrite_identity_server_urls
self._enable_lookup = hs.config.enable_3pid_lookup
@abc.abstractmethod @abc.abstractmethod
def _remote_join(self, requester, remote_room_hosts, room_id, user, content): def _remote_join(self, requester, remote_room_hosts, room_id, user, content):
@ -808,6 +809,10 @@ class RoomMemberHandler(object):
Returns: Returns:
str: the matrix ID of the 3pid, or None if it is not recognized. str: the matrix ID of the 3pid, or None if it is not recognized.
""" """
if not self._enable_lookup:
raise SynapseError(
403, "Looking up third-party identifiers is denied from this server",
)
try: try:
target = self._get_id_server_target(id_server) target = self._get_id_server_target(id_server)
data = yield self.simple_http_client.get_json( data = yield self.simple_http_client.get_json(
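Review bot: The new `SynapseError(403, ...)` in the second hunk is raised without an `errcode`, so clients will presumably receive the generic default code rather than a forbidden one, and the docstring just above it still documents only the return value. Passing `errcode=Codes.FORBIDDEN` (if `Codes` is imported in this module) and adding a `Raises:` entry such as `SynapseError: 403 if enable_3pid_lookup is false` would let callers tell the denial apart from other failures. Placing the check before the `try:` is right, since whatever handler follows cannot swallow it. It guards only this method, though, so any other code path that queries an identity server for a 3PID would need the same `_enable_lookup` test; none is visible here. Both the constructor and this method continue outside the hunks.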


@ -0,0 +1,65 @@
# -*- coding: utf-8 -*-
# Copyright 2019 New Vector Ltd
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import json
from synapse.rest.client.v1 import admin, login, room
from tests import unittest
class IdentityTestCase(unittest.HomeserverTestCase):
servlets = [
admin.register_servlets,
room.register_servlets,
login.register_servlets,
]
def make_homeserver(self, reactor, clock):
config = self.default_config()
config.enable_3pid_lookup = False
self.hs = self.setup_test_homeserver(config=config)
return self.hs
def test_3pid_lookup_disabled(self):
self.hs.config.enable_3pid_lookup = False
self.register_user("kermit", "monkey")
tok = self.login("kermit", "monkey")
request, channel = self.make_request(
b"POST", "/createRoom", b"{}", access_token=tok,
)
self.render(request)
self.assertEquals(channel.result["code"], b"200", channel.result)
room_id = channel.json_body["room_id"]
params = {
"id_server": "testis",
"medium": "email",
"address": "test@example.com",
}
request_data = json.dumps(params)
request_url = (
"/rooms/%s/invite" % (room_id)
).encode('ascii')
request, channel = self.make_request(
b"POST", request_url, request_data, access_token=tok,
)
self.render(request)
self.assertEquals(channel.result["code"], b"403", channel.result)
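Review bot: The final `assertEquals(channel.result["code"], b"403", ...)` does not show that the 403 came from the lookup guard or that no request left the server, because any other forbidden response on the invite endpoint would pass too. Asserting on the body as well, e.g. `self.assertIn("third-party identifiers", channel.json_body["error"])`, would pin the cause. A second case with the option left at its default would show that the guard does not block lookups when they are enabled. `self.hs.config.enable_3pid_lookup = False` at the top of `test_3pid_lookup_disabled` repeats what `make_homeserver` already set. Since the handler copies the flag into `_enable_lookup` in its constructor, the assignment may have no effect at that point and can be dropped.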


@ -410,7 +410,7 @@ class HomeserverTestCase(TestCase):
"POST", "/_matrix/client/r0/login", json.dumps(body).encode('utf8') "POST", "/_matrix/client/r0/login", json.dumps(body).encode('utf8')
) )
self.render(request) self.render(request)
self.assertEqual(channel.code, 200) self.assertEqual(channel.code, 200, channel.result)
access_token = channel.json_body["access_token"] access_token = channel.json_body["access_token"]
return access_token return access_token