Merge branch 'develop' of github.com:matrix-org/synapse into erikj/cleanup_user_ips_2

4fb3c129 · Erik Johnston · 39b50ad4 · 9614d3c9 · 4fb3c129 · 4fb3c129
Commit 4fb3c129 authored 5 years ago by Erik Johnston
--- a/changelog.d/5884.feature
+++ b/changelog.d/5884.feature
+Enable cleaning up extremities with dummy events by default to prevent undue build up of forward extremities.
--- a/changelog.d/5972.misc
+++ b/changelog.d/5972.misc
+Add m.require_identity_server flag to /version's unstable_features.
\ No newline at end of file
--- a/changelog.d/5974.feature
+++ b/changelog.d/5974.feature
+Add m.id_access_token to unstable_features in /versions as per MSC2264.
\ No newline at end of file
--- a/changelog.d/6000.feature
+++ b/changelog.d/6000.feature
+Apply the federation blacklist to requests to identity servers.
\ No newline at end of file
--- a/changelog.d/6037.feature
+++ b/changelog.d/6037.feature
+Make the process for mapping SAML2 users to matrix IDs more flexible.
--- a/changelog.d/6043.feature
+++ b/changelog.d/6043.feature
+Implement new Client Server API endpoints `/account/3pid/add` and `/account/3pid/bind` as per [MSC2290](https://github.com/matrix-org/matrix-doc/pull/2290).
\ No newline at end of file
--- a/changelog.d/6044.feature
+++ b/changelog.d/6044.feature
+Add an unstable feature flag for separate add/bind 3pid APIs.
\ No newline at end of file
--- a/changelog.d/6064.misc
+++ b/changelog.d/6064.misc
+Clean up the sample config for SAML authentication.
--- a/changelog.d/6069.bugfix
+++ b/changelog.d/6069.bugfix
+Fix a bug which caused SAML attribute maps to be overridden by defaults.
--- a/changelog.d/6078.feature
+++ b/changelog.d/6078.feature
+Add `POST /add_threepid/msisdn/submit_token` endpoint for proxying submitToken on an account_threepid_handler.
\ No newline at end of file
--- a/changelog.d/6079.feature
+++ b/changelog.d/6079.feature
+Add `submit_url` response parameter to `*/msisdn/requestToken` endpoints.
--- a/changelog.d/6092.bugfix
+++ b/changelog.d/6092.bugfix
+Fix the logged number of updated items for the users_set_deactivated_flag background update.
--- a/changelog.d/6097.bugfix
+++ b/changelog.d/6097.bugfix
+Add sid to next_link for email validation.
--- a/changelog.d/6099.misc
+++ b/changelog.d/6099.misc
+Remove unused parameter to get_user_id_by_threepid.
--- a/changelog.d/6104.bugfix
+++ b/changelog.d/6104.bugfix
+Threepid validity checks on msisdns should not be dependent on 'threepid_behaviour_email'.
--- a/changelog.d/6105.misc
+++ b/changelog.d/6105.misc
+Refactor the user-interactive auth handling.
--- a/changelog.d/6106.misc
+++ b/changelog.d/6106.misc
+Refactor code for calculating registration flows.
--- a/changelog.d/6107.bugfix
+++ b/changelog.d/6107.bugfix
+Ensure that servers which are not configured to support email address verification do not offer it in the registration flows.
\ No newline at end of file
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -110,6 +110,9 @@ pid_file: DATADIR/homeserver.pid
 # blacklist IP address CIDR ranges. If this option is not specified, or
 # specified with an empty list, no ip range blacklist will be enforced.
 #
+# As of Synapse v1.4.0 this option also affects any outbound requests to identity
+# servers provided by user input.
+#
 # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
 # listed here, since they correspond to unroutable addresses.)
 #
@@ -943,6 +946,8 @@ uploads_path: "DATADIR/uploads"
 # by the Matrix Identity Service API specification:
 # https://matrix.org/docs/spec/identity_service/latest
 #
+# If a delegate is specified, the config option public_baseurl must also be filled out.
+#
 account_threepid_delegates:
    #email: https://example.com     # Delegate email sending to example.org
    #msisdn: http://localhost:8090  # Delegate SMS sending to this local process
@@ -1107,12 +1112,13 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key"

 # Enable SAML2 for registration and login. Uses pysaml2.
 #
-# `sp_config` is the configuration for the pysaml2 Service Provider.
-# See pysaml2 docs for format of config.
+# At least one of `sp_config` or `config_path` must be set in this section to
+# enable SAML login.
 #
-# Default values will be used for the 'entityid' and 'service' settings,
-# so it is not normally necessary to specify them unless you need to
-# override them.
+# (You will probably also want to set the following options to `false` to
+# disable the regular login/registration flows:
+#   * enable_registration
+#   * password_config.enabled
 #
 # Once SAML support is enabled, a metadata file will be exposed at
 # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
@@ -1120,52 +1126,85 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key"
 # the IdP to use an ACS location of
 # https://<server>:<port>/_matrix/saml2/authn_response.
 #
-#saml2_config:
-#  sp_config:
-#    # point this to the IdP's metadata. You can use either a local file or
-#    # (preferably) a URL.
-#    metadata:
-#      #local: ["saml2/idp.xml"]
-#      remote:
-#        - url: https://our_idp/metadata.xml
-#
-#    # By default, the user has to go to our login page first. If you'd like to
-#    # allow IdP-initiated login, set 'allow_unsolicited: True' in a
-#    # 'service.sp' section:
-#    #
-#    #service:
-#    #  sp:
-#    #    allow_unsolicited: True
-#
-#    # The examples below are just used to generate our metadata xml, and you
-#    # may well not need it, depending on your setup. Alternatively you
-#    # may need a whole lot more detail - see the pysaml2 docs!
-#
-#    description: ["My awesome SP", "en"]
-#    name: ["Test SP", "en"]
-#
-#    organization:
-#      name: Example com
-#      display_name:
-#        - ["Example co", "en"]
-#      url: "http://example.com"
-#
-#    contact_person:
-#      - given_name: Bob
-#        sur_name: "the Sysadmin"
-#        email_address": ["admin@example.com"]
-#        contact_type": technical
-#
-#  # Instead of putting the config inline as above, you can specify a
-#  # separate pysaml2 configuration file:
-#  #
-#  config_path: "CONFDIR/sp_conf.py"
-#
-#  # the lifetime of a SAML session. This defines how long a user has to
-#  # complete the authentication process, if allow_unsolicited is unset.
-#  # The default is 5 minutes.
-#  #
-#  # saml_session_lifetime: 5m
+saml2_config:
+  # `sp_config` is the configuration for the pysaml2 Service Provider.
+  # See pysaml2 docs for format of config.
+  #
+  # Default values will be used for the 'entityid' and 'service' settings,
+  # so it is not normally necessary to specify them unless you need to
+  # override them.
+  #
+  #sp_config:
+  #  # point this to the IdP's metadata. You can use either a local file or
+  #  # (preferably) a URL.
+  #  metadata:
+  #    #local: ["saml2/idp.xml"]
+  #    remote:
+  #      - url: https://our_idp/metadata.xml
+  #
+  #    # By default, the user has to go to our login page first. If you'd like
+  #    # to allow IdP-initiated login, set 'allow_unsolicited: True' in a
+  #    # 'service.sp' section:
+  #    #
+  #    #service:
+  #    #  sp:
+  #    #    allow_unsolicited: true
+  #
+  #    # The examples below are just used to generate our metadata xml, and you
+  #    # may well not need them, depending on your setup. Alternatively you
+  #    # may need a whole lot more detail - see the pysaml2 docs!
+  #
+  #    description: ["My awesome SP", "en"]
+  #    name: ["Test SP", "en"]
+  #
+  #    organization:
+  #      name: Example com
+  #      display_name:
+  #        - ["Example co", "en"]
+  #      url: "http://example.com"
+  #
+  #    contact_person:
+  #      - given_name: Bob
+  #        sur_name: "the Sysadmin"
+  #        email_address": ["admin@example.com"]
+  #        contact_type": technical
+
+  # Instead of putting the config inline as above, you can specify a
+  # separate pysaml2 configuration file:
+  #
+  #config_path: "CONFDIR/sp_conf.py"
+
+  # the lifetime of a SAML session. This defines how long a user has to
+  # complete the authentication process, if allow_unsolicited is unset.
+  # The default is 5 minutes.
+  #
+  #saml_session_lifetime: 5m
+
+  # The SAML attribute (after mapping via the attribute maps) to use to derive
+  # the Matrix ID from. 'uid' by default.
+  #
+  #mxid_source_attribute: displayName
+
+  # The mapping system to use for mapping the saml attribute onto a matrix ID.
+  # Options include:
+  #  * 'hexencode' (which maps unpermitted characters to '=xx')
+  #  * 'dotreplace' (which replaces unpermitted characters with '.').
+  # The default is 'hexencode'.
+  #
+  #mxid_mapping: dotreplace
+
+  # In previous versions of synapse, the mapping from SAML attribute to MXID was
+  # always calculated dynamically rather than stored in a table. For backwards-
+  # compatibility, we will look for user_ids matching such a pattern before
+  # creating a new account.
+  #
+  # This setting controls the SAML attribute which will be used for this
+  # backwards-compatibility lookup. Typically it should be 'uid', but if the
+  # attribute maps are changed, it may be necessary to change it.
+  #
+  # The default is 'uid'.
+  #
+  #grandfathered_mxid_source_attribute: upn




--- a/synapse/config/registration.py
+++ b/synapse/config/registration.py
@@ -293,6 +293,8 @@ class RegistrationConfig(Config):
        # by the Matrix Identity Service API specification:
        # https://matrix.org/docs/spec/identity_service/latest
        #
+        # If a delegate is specified, the config option public_baseurl must also be filled out.
+        #
        account_threepid_delegates:
            #email: https://example.com     # Delegate email sending to example.org
            #msisdn: http://localhost:8090  # Delegate SMS sending to this local process