From 70e039c7aecdad06356b29c5c47c717cbef76744 Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Mon, 18 Feb 2019 12:19:43 +0000
Subject: [PATCH 1/3] Use internal-info for identity server. Block reg on fields
---
 synapse/rest/client/v2_alpha/account.py | 4 ++--
 synapse/rest/client/v2_alpha/register.py | 2 +-
 synapse/util/threepids.py | 12 ++++++++++--
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/synapse/rest/client/v2_alpha/account.py b/synapse/rest/client/v2_alpha/account.py
index d085951b23..e1745fad2d 100644
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@@ -55,7 +55,7 @@ class EmailPasswordRequestTokenRestServlet(RestServlet):
 if not (yield check_3pid_allowed(self.hs, "email", body['email'])):
 raise SynapseError(
 403,
- "Your email domain is not authorized on this server",
+ "Your email is not authorized on this server",
 Codes.THREEPID_DENIED,
 )
@@ -271,7 +271,7 @@ class EmailThreepidRequestTokenRestServlet(RestServlet):
 if not (yield check_3pid_allowed(self.hs, "email", body['email'])):
 raise SynapseError(
 403,
- "Your email domain is not authorized on this server",
+ "Your email is not authorized on this server",
 Codes.THREEPID_DENIED,
 )
diff --git a/synapse/rest/client/v2_alpha/register.py b/synapse/rest/client/v2_alpha/register.py
index fb9441a87a..cf1b70e39e 100644
--- a/synapse/rest/client/v2_alpha/register.py
+++ b/synapse/rest/client/v2_alpha/register.py
@@ -78,7 +78,7 @@ class EmailRegisterRequestTokenRestServlet(RestServlet):
 if not (yield check_3pid_allowed(self.hs, "email", body['email'])):
 raise SynapseError(
 403,
- "Your email domain is not authorized to register on this server",
+ "Your email is not authorized to register on this server",
 Codes.THREEPID_DENIED,
 )
diff --git a/synapse/util/threepids.py b/synapse/util/threepids.py
index 353d220bad..4f3cb9c804 100644
--- a/synapse/util/threepids.py
+++ b/synapse/util/threepids.py
@@ -23,7 +23,7 @@ logger = logging.getLogger(__name__)
 @defer.inlineCallbacks
 def check_3pid_allowed(hs, medium, address):
- """Checks whether a given format of 3PID is allowed to be used on this HS
+ """Checks whether a given 3PID is allowed to be used on this HS
 Args:
 hs (synapse.server.HomeServer): server
@@ -38,10 +38,18 @@ def check_3pid_allowed(hs, medium, address):
 data = yield hs.get_simple_http_client().get_json(
 "https://%s%s" % (
 hs.config.check_is_for_allowed_local_3pids,
- "/_matrix/identity/api/v1/info"
+ "/_matrix/identity/api/v1/internal-info"
 ),
 {'medium': medium, 'address': address}
 )
+
+ # Assume false if invalid response
+ if 'hs' not in data:
+ defer.returnValue(False)
+
+ if data.get('requires_invite', False) and data.get('invited', False) == False:
+ # Requires an invite but hasn't been invited
+ defer.returnValue(False)
 if hs.config.allow_invited_3pids and data.get('invited'):
 defer.returnValue(True)
 else:
From 13bc1e5307d0d1e09556da28b96f305fcc15f8cb Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Date: Mon, 25 Feb 2019 16:08:58 +0000
Subject: [PATCH 2/3] Update synapse/util/threepids.py
Co-Authored-By: anoadragon453 <1342360+anoadragon453@users.noreply.github.com>
---
 synapse/util/threepids.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/synapse/util/threepids.py b/synapse/util/threepids.py
index 4f3cb9c804..b51ac0add8 100644
--- a/synapse/util/threepids.py
+++ b/synapse/util/threepids.py
@@ -47,7 +47,7 @@ def check_3pid_allowed(hs, medium, address):
 if 'hs' not in data:
 defer.returnValue(False)
- if data.get('requires_invite', False) and data.get('invited', False) == False:
+ if data.get('requires_invite', False) and not data.get('invited', False):
 # Requires an invite but hasn't been invited
 defer.returnValue(False)
 if hs.config.allow_invited_3pids and data.get('invited'):
From 9b13038d05b0a3ebba86e6884999bcc534c3f0e2 Mon Sep 17 00:00:00 2001
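Review bot: In the `@@ -38,10 +38,18 @@` hunk of PATCH 1/3, the new `'hs' not in data` guard denies the 3PID without leaving any trace, so an identity-server fault or a malformed `internal-info` body cannot be told apart from a genuine policy denial. The guard also assumes the parsed body is a JSON object; a non-object body may pass the membership test and only fail later on the `data.get(...)` calls. I would tighten it to `if not isinstance(data, dict) or 'hs' not in data:` and add `logger.warning("Invalid internal-info response for %s 3PID", medium)` before the return, keeping the address itself out of the log. What happens when `get_json` raises is not visible here, since `check_3pid_allowed` starts before the hunk and its `else:` branch is cut off at the end.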
From: Andrew Morgan
Date: Wed, 27 Feb 2019 15:22:41 +0000
Subject: [PATCH 3/3] Check shadow_hs as well as hs during 3pid reg
---
 synapse/util/threepids.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/synapse/util/threepids.py b/synapse/util/threepids.py
index 4f3cb9c804..1db0a01e27 100644
--- a/synapse/util/threepids.py
+++ b/synapse/util/threepids.py
@@ -43,17 +43,19 @@ def check_3pid_allowed(hs, medium, address):
 {'medium': medium, 'address': address}
 )
- # Assume false if invalid response
- if 'hs' not in data:
+ # Check for invalid response
+ if 'hs' not in data and 'shadow_hs' not in data:
+ defer.returnValue(False)
+
+ # Check if this user is intended to register for this homeserver
+ if data['hs'] != hs.config.server_name and data['shadow_hs'] != hs.config.server_name:
 defer.returnValue(False)
 if data.get('requires_invite', False) and data.get('invited', False) == False:
 # Requires an invite but hasn't been invited
 defer.returnValue(False)
- if hs.config.allow_invited_3pids and data.get('invited'):
- defer.returnValue(True)
- else:
- defer.returnValue(data['hs'] == hs.config.server_name)
+
+ defer.returnValue(True)
 if hs.config.allowed_local_3pids:
 for constraint in hs.config.allowed_local_3pids:
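Review bot: The homeserver comparison added in this hunk indexes `data['hs']` and `data['shadow_hs']` directly, but the guard above it only returns when both keys are missing, so a response carrying just one of them raises `KeyError` instead of producing a clean allow or deny. With only `shadow_hs` present the lookup fails immediately, and with only `hs` present it fails whenever `hs` names another server. Using `.get()` keeps the check total: `if hs.config.server_name not in (data.get('hs'), data.get('shadow_hs')):`. The hunk also removes the `hs.config.allow_invited_3pids` branch, so that option presumably no longer influences this path; worth confirming that is intended. `check_3pid_allowed` begins before the hunk and continues past its last line.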