Merge pull request #2973 from matrix-org/matthew/dinsic_3pid_check
Delegate 3PID registration determination to experimental IS API
commit
ef5193e0cb
5 changed files with 44 additions and 12 deletions
|
@ -33,6 +33,10 @@ class RegistrationConfig(Config):
|
||||||
|
|
||||||
self.registrations_require_3pid = config.get("registrations_require_3pid", [])
|
self.registrations_require_3pid = config.get("registrations_require_3pid", [])
|
||||||
self.allowed_local_3pids = config.get("allowed_local_3pids", [])
|
self.allowed_local_3pids = config.get("allowed_local_3pids", [])
|
||||||
|
self.check_is_for_allowed_local_3pids = config.get(
|
||||||
|
"check_is_for_allowed_local_3pids", None
|
||||||
|
)
|
||||||
|
self.allow_invited_3pids = config.get("allow_invited_3pids", False)
|
||||||
self.registration_shared_secret = config.get("registration_shared_secret")
|
self.registration_shared_secret = config.get("registration_shared_secret")
|
||||||
|
|
||||||
self.bcrypt_rounds = config.get("bcrypt_rounds", 12)
|
self.bcrypt_rounds = config.get("bcrypt_rounds", 12)
|
||||||
|
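Review bot: The new `check_is_for_allowed_local_3pids` value is stored unvalidated on the line adding it, yet later in this commit it is spliced into an `"https://%s%s"` format as a bare host, so a value carrying a scheme, path or trailing slash would silently yield a malformed endpoint and the registration check would then error rather than deny. Since this setting decides who may register, it is worth failing at config-load time when the value is not a plain hostname (no `/` or `://`) instead of discovering it on the first registration. At minimum add a comment above the assignment: `# Bare hostname of the identity server consulted for 3PID eligibility; no scheme or path.` The enclosing `read_config` method starts outside the hunk.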
@ -63,6 +67,16 @@ class RegistrationConfig(Config):
|
||||||
# Mandate that users are only allowed to associate certain formats of
|
# Mandate that users are only allowed to associate certain formats of
|
||||||
# 3PIDs with accounts on this server.
|
# 3PIDs with accounts on this server.
|
||||||
#
|
#
|
||||||
|
# Use an Identity Server to establish which 3PIDs are allowed to register?
|
||||||
|
# Overrides allowed_local_3pids below.
|
||||||
|
# check_is_for_allowed_local_3pids: matrix.org
|
||||||
|
#
|
||||||
|
# If you are using an IS you can also check whether that IS registers
|
||||||
|
# pending invites for the given 3PID (and then allow it to sign up on
|
||||||
|
# the platform):
|
||||||
|
#
|
||||||
|
# allow_invited_3pids: False
|
||||||
|
#
|
||||||
# allowed_local_3pids:
|
# allowed_local_3pids:
|
||||||
# - medium: email
|
# - medium: email
|
||||||
# pattern: ".*@matrix\\.org"
|
# pattern: ".*@matrix\\.org"
|
||||||
|
|
|
@ -308,7 +308,9 @@ class RegistrationHandler(BaseHandler):
|
||||||
logger.info("got threepid with medium '%s' and address '%s'",
|
logger.info("got threepid with medium '%s' and address '%s'",
|
||||||
threepid['medium'], threepid['address'])
|
threepid['medium'], threepid['address'])
|
||||||
|
|
||||||
if not check_3pid_allowed(self.hs, threepid['medium'], threepid['address']):
|
if not (
|
||||||
|
yield check_3pid_allowed(self.hs, threepid['medium'], threepid['address'])
|
||||||
|
):
|
||||||
raise RegistrationError(
|
raise RegistrationError(
|
||||||
403, "Third party identifier is not allowed"
|
403, "Third party identifier is not allowed"
|
||||||
)
|
)
|
||||||
|
|
|
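Review bot: `check_3pid_allowed` now returns a Deferred, so any call site that was not converted to `yield` it would evaluate `not <Deferred>` as False and let every 3PID through — a missed caller now fails open rather than closed. The `yield` form in this hunk and in the seven servlet hunks below only works if each enclosing function is decorated with `@defer.inlineCallbacks`; all of those function headers sit outside the shown lines, so please confirm each one, and grep the tree for any remaining un-yielded `check_3pid_allowed(` call. A short comment at the first converted call, `# check_3pid_allowed is a Deferred now; it must be yielded, never tested for truthiness directly`, would help the next person touching these paths.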
@ -48,7 +48,7 @@ class EmailPasswordRequestTokenRestServlet(RestServlet):
|
||||||
'id_server', 'client_secret', 'email', 'send_attempt'
|
'id_server', 'client_secret', 'email', 'send_attempt'
|
||||||
])
|
])
|
||||||
|
|
||||||
if not check_3pid_allowed(self.hs, "email", body['email']):
|
if not (yield check_3pid_allowed(self.hs, "email", body['email'])):
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
|
403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
|
||||||
)
|
)
|
||||||
|
@ -84,7 +84,7 @@ class MsisdnPasswordRequestTokenRestServlet(RestServlet):
|
||||||
|
|
||||||
msisdn = phone_number_to_msisdn(body['country'], body['phone_number'])
|
msisdn = phone_number_to_msisdn(body['country'], body['phone_number'])
|
||||||
|
|
||||||
if not check_3pid_allowed(self.hs, "msisdn", msisdn):
|
if not (yield check_3pid_allowed(self.hs, "msisdn", msisdn)):
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
|
403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
|
||||||
)
|
)
|
||||||
|
@ -228,7 +228,7 @@ class EmailThreepidRequestTokenRestServlet(RestServlet):
|
||||||
if absent:
|
if absent:
|
||||||
raise SynapseError(400, "Missing params: %r" % absent, Codes.MISSING_PARAM)
|
raise SynapseError(400, "Missing params: %r" % absent, Codes.MISSING_PARAM)
|
||||||
|
|
||||||
if not check_3pid_allowed(self.hs, "email", body['email']):
|
if not (yield check_3pid_allowed(self.hs, "email", body['email'])):
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
|
403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
|
||||||
)
|
)
|
||||||
|
@ -271,7 +271,7 @@ class MsisdnThreepidRequestTokenRestServlet(RestServlet):
|
||||||
|
|
||||||
msisdn = phone_number_to_msisdn(body['country'], body['phone_number'])
|
msisdn = phone_number_to_msisdn(body['country'], body['phone_number'])
|
||||||
|
|
||||||
if not check_3pid_allowed(self.hs, "msisdn", msisdn):
|
if not (yield check_3pid_allowed(self.hs, "msisdn", msisdn)):
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
|
403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
|
||||||
)
|
)
|
||||||
|
|
|
@ -71,7 +71,7 @@ class EmailRegisterRequestTokenRestServlet(RestServlet):
|
||||||
'id_server', 'client_secret', 'email', 'send_attempt'
|
'id_server', 'client_secret', 'email', 'send_attempt'
|
||||||
])
|
])
|
||||||
|
|
||||||
if not check_3pid_allowed(self.hs, "email", body['email']):
|
if not (yield check_3pid_allowed(self.hs, "email", body['email'])):
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
|
403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
|
||||||
)
|
)
|
||||||
|
@ -111,7 +111,7 @@ class MsisdnRegisterRequestTokenRestServlet(RestServlet):
|
||||||
|
|
||||||
msisdn = phone_number_to_msisdn(body['country'], body['phone_number'])
|
msisdn = phone_number_to_msisdn(body['country'], body['phone_number'])
|
||||||
|
|
||||||
if not check_3pid_allowed(self.hs, "msisdn", msisdn):
|
if not (yield check_3pid_allowed(self.hs, "msisdn", msisdn)):
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
|
403, "Third party identifier is not allowed", Codes.THREEPID_DENIED,
|
||||||
)
|
)
|
||||||
|
@ -371,7 +371,7 @@ class RegisterRestServlet(RestServlet):
|
||||||
medium = auth_result[login_type]['medium']
|
medium = auth_result[login_type]['medium']
|
||||||
address = auth_result[login_type]['address']
|
address = auth_result[login_type]['address']
|
||||||
|
|
||||||
if not check_3pid_allowed(self.hs, medium, address):
|
if not (yield check_3pid_allowed(self.hs, medium, address)):
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
403, "Third party identifier is not allowed",
|
403, "Third party identifier is not allowed",
|
||||||
Codes.THREEPID_DENIED,
|
Codes.THREEPID_DENIED,
|
||||||
|
|
|
@ -16,9 +16,12 @@
|
||||||
import logging
|
import logging
|
||||||
import re
|
import re
|
||||||
|
|
||||||
|
from twisted.internet import defer
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
@defer.inlineCallbacks
|
||||||
def check_3pid_allowed(hs, medium, address):
|
def check_3pid_allowed(hs, medium, address):
|
||||||
"""Checks whether a given format of 3PID is allowed to be used on this HS
|
"""Checks whether a given format of 3PID is allowed to be used on this HS
|
||||||
|
|
||||||
|
@ -28,9 +31,22 @@ def check_3pid_allowed(hs, medium, address):
|
||||||
address (str): address within that medium (e.g. "wotan@matrix.org")
|
address (str): address within that medium (e.g. "wotan@matrix.org")
|
||||||
msisdns need to first have been canonicalised
|
msisdns need to first have been canonicalised
|
||||||
Returns:
|
Returns:
|
||||||
bool: whether the 3PID medium/address is allowed to be added to this HS
|
defered bool: whether the 3PID medium/address is allowed to be added to this HS
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
if hs.config.check_is_for_allowed_local_3pids:
|
||||||
|
data = yield hs.get_simple_http_client().get_json(
|
||||||
|
"https://%s%s" % (
|
||||||
|
hs.config.check_is_for_allowed_local_3pids,
|
||||||
|
"/_matrix/identity/api/v1/info"
|
||||||
|
),
|
||||||
|
{'medium': medium, 'address': address}
|
||||||
|
)
|
||||||
|
if hs.config.allow_invited_3pids and data.get('invited'):
|
||||||
|
defer.returnValue(True)
|
||||||
|
else:
|
||||||
|
defer.returnValue(data['hs'] == hs.config.server_name)
|
||||||
|
|
||||||
if hs.config.allowed_local_3pids:
|
if hs.config.allowed_local_3pids:
|
||||||
for constraint in hs.config.allowed_local_3pids:
|
for constraint in hs.config.allowed_local_3pids:
|
||||||
logger.debug(
|
logger.debug(
|
||||||
|
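Review bot: The identity-server branch has no error handling: a connection failure or non-JSON reply from `get_json` raises out of the function, and a reply lacking `hs` raises `KeyError` on the `data['hs']` comparison, so an unreachable or misbehaving IS surfaces as an unhandled error in the registration path instead of a logged, explicit deny. The `data.get('invited')` test also accepts any truthy value (a non-empty string, a non-empty dict), which is looser than the boolean the comparison with `server_name` implies; comparing against `True` pins the contract. The docstring change on the `Returns:` line reads `defered bool` — should be `deferred bool`. I would also hedge in the docstring that the 3PID is sent to the configured IS as query parameters, since that is a privacy-relevant side effect of this function now. Below is a fail-closed version of the IS branch; the `allowed_local_3pids` loop that follows is unchanged.

```python
    if hs.config.check_is_for_allowed_local_3pids:
        try:
            data = yield hs.get_simple_http_client().get_json(
                "https://%s%s" % (
                    hs.config.check_is_for_allowed_local_3pids,
                    "/_matrix/identity/api/v1/info"
                ),
                {'medium': medium, 'address': address}
            )
        except Exception:
            # Fail closed: an unreachable or malformed IS must not admit a 3PID.
            logger.exception(
                "3PID eligibility lookup against %s failed",
                hs.config.check_is_for_allowed_local_3pids,
            )
            defer.returnValue(False)
        if hs.config.allow_invited_3pids and data.get('invited') is True:
            defer.returnValue(True)
        # A reply without 'hs' is treated as "not ours" rather than raising.
        defer.returnValue(data.get('hs') == hs.config.server_name)
    # … unchanged: allowed_local_3pids pattern loop …
```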
@ -41,8 +57,8 @@ def check_3pid_allowed(hs, medium, address):
|
||||||
medium == constraint['medium'] and
|
medium == constraint['medium'] and
|
||||||
re.match(constraint['pattern'], address)
|
re.match(constraint['pattern'], address)
|
||||||
):
|
):
|
||||||
return True
|
defer.returnValue(True)
|
||||||
else:
|
else:
|
||||||
return True
|
defer.returnValue(True)
|
||||||
|
|
||||||
return False
|
defer.returnValue(False)
|
||||||
|
|