diff --git a/CHANGES.md b/CHANGES.md
index 16c11ff0cb7a51aaf2fbfd86bdcf632dbadcc00b..b71d4641b40fb05256c87101c6deb3ae57030f30 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,7 +1,29 @@
+Synapse 1.27.0rc2 (2021-02-11)
+==============================
+
+Features
+--------
+
+- Further improvements to the user experience of registration via single sign-on. ([\#9297](https://github.com/matrix-org/synapse/issues/9297))
+
+
+Bugfixes
+--------
+
+- Fix ratelimiting introduced in v1.27.0rc1 for invites to respect the `ratelimit` flag on application services. ([\#9302](https://github.com/matrix-org/synapse/issues/9302))
+- Do not automatically calculate `public_baseurl` since it can be wrong in some situations. Reverts behaviour introduced in v1.26.0. ([\#9313](https://github.com/matrix-org/synapse/issues/9313))
+
+
+Improved Documentation
+----------------------
+
+- Clarify the sample configuration for changes made to the template loading code. ([\#9310](https://github.com/matrix-org/synapse/issues/9310))
+
+
Synapse 1.27.0rc1 (2021-02-02)
==============================
-Note that this release includes a change in Synapse to use Redis as a cache ─ as well as a pub/sub mechanism ─ if Redis support is enabled. No action is needed by server administrators, and we do not expect resource usage of the Redis instance to change dramatically.
+Note that this release includes a change in Synapse to use Redis as a cache ─ as well as a pub/sub mechanism ─ if Redis support is enabled for workers. No action is needed by server administrators, and we do not expect resource usage of the Redis instance to change dramatically.
This release also changes the callback URI for OpenID Connect (OIDC) identity providers. If your server is configured to use single sign-on via an OIDC/OAuth2 IdP, you may need to make configuration changes. Please review [UPGRADE.rst](UPGRADE.rst) for more details on these changes.
diff --git a/changelog.d/9297.feature b/changelog.d/9297.feature
deleted file mode 100644
index a2d0b27da47a18dbc0e5fa0838cf35941abf0184..0000000000000000000000000000000000000000
--- a/changelog.d/9297.feature
+++ /dev/null
@@ -1 +0,0 @@
-Further improvements to the user experience of registration via single sign-on.
diff --git a/changelog.d/9302.bugfix b/changelog.d/9302.bugfix
deleted file mode 100644
index c1cdea52a350a3273ea84bb64f16c79d75cc18de..0000000000000000000000000000000000000000
--- a/changelog.d/9302.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Fix new ratelimiting for invites to respect the `ratelimit` flag on application services. Introduced in v1.27.0rc1.
diff --git a/changelog.d/9310.doc b/changelog.d/9310.doc
deleted file mode 100644
index f61705b73abfd72c52ec4b6e9a21f195642dc95b..0000000000000000000000000000000000000000
--- a/changelog.d/9310.doc
+++ /dev/null
@@ -1 +0,0 @@
-Clarify the sample configuration for changes made to the template loading code.
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index fbbf71edd9fc96df3cc419cad6efc5ffdd386b9f..71c3af287517a5e408ecfa2c054bac1e98315f17 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -74,10 +74,6 @@ pid_file: DATADIR/homeserver.pid
# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
# 'listeners' below).
#
-# If this is left unset, it defaults to 'https://<server_name>/'. (Note that
-# that will not work unless you configure Synapse or a reverse-proxy to listen
-# on port 443.)
-#
#public_baseurl: https://example.com/
# Set the soft limit on the number of file descriptors synapse can use
@@ -1177,9 +1173,8 @@ account_validity:
# send an email to the account's email address with a renewal link. By
# default, no such emails are sent.
#
- # If you enable this setting, you will also need to fill out the 'email'
- # configuration section. You should also check that 'public_baseurl' is set
- # correctly.
+ # If you enable this setting, you will also need to fill out the 'email' and
+ # 'public_baseurl' configuration sections.
#
#renew_at: 1w
@@ -1270,7 +1265,8 @@ account_validity:
# The identity server which we suggest that clients should use when users log
# in on this server.
#
-# (By default, no suggestion is made, so it is left up to the client.)
+# (By default, no suggestion is made, so it is left up to the client.
+# This setting is ignored unless public_baseurl is also set.)
#
#default_identity_server: https://matrix.org
@@ -1295,6 +1291,8 @@ account_validity:
# by the Matrix Identity Service API specification:
# https://matrix.org/docs/spec/identity_service/latest
#
+# If a delegate is specified, the config option public_baseurl must also be filled out.
+#
account_threepid_delegates:
#email: https://example.com # Delegate email sending to example.com
#msisdn: http://localhost:8090 # Delegate SMS sending to this local process
@@ -1948,9 +1946,9 @@ sso:
# phishing attacks from evil.site. To avoid this, include a slash after the
# hostname: "https://my.client/".
#
- # The login fallback page (used by clients that don't natively support the
- # required login flows) is automatically whitelisted in addition to any URLs
- # in this list.
+ # If public_baseurl is set, then the login fallback page (used by clients
+ # that don't natively support the required login flows) is whitelisted in
+ # addition to any URLs in this list.
#
# By default, this list is empty.
#
diff --git a/synapse/__init__.py b/synapse/__init__.py
index 06b3820be56bb88131bd78b60972868eaf7d8a5c..283d6ffeffebff3769cea1459d34d6f5af38db18 100644
--- a/synapse/__init__.py
+++ b/synapse/__init__.py
@@ -48,7 +48,7 @@ try:
except ImportError:
pass
-__version__ = "1.27.0rc1"
+__version__ = "1.27.0rc2"
if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)):
# We import here so that we don't have to install a bunch of deps when
diff --git a/synapse/api/urls.py b/synapse/api/urls.py
index e36aeef31f8712c0b1bb68ec33766b517b9709df..6379c86ddea0063048d970c2084d1a809814a7fd 100644
--- a/synapse/api/urls.py
+++ b/synapse/api/urls.py
@@ -42,6 +42,8 @@ class ConsentURIBuilder:
"""
if hs_config.form_secret is None:
raise ConfigError("form_secret not set in config")
+ if hs_config.public_baseurl is None:
+ raise ConfigError("public_baseurl not set in config")
self._hmac_secret = hs_config.form_secret.encode("utf-8")
self._public_baseurl = hs_config.public_baseurl
diff --git a/synapse/config/cas.py b/synapse/config/cas.py
index daea848d24dd79c36a6724afe2cdc2f576e43bc7..dbf50859659f0324a008120380a54e42ba3ef439 100644
--- a/synapse/config/cas.py
+++ b/synapse/config/cas.py
@@ -17,7 +17,7 @@ from typing import Any, List
from synapse.config.sso import SsoAttributeRequirement
-from ._base import Config
+from ._base import Config, ConfigError
from ._util import validate_config
@@ -35,13 +35,15 @@ class CasConfig(Config):
if self.cas_enabled:
self.cas_server_url = cas_config["server_url"]
- public_base_url = cas_config.get("service_url") or self.public_baseurl
- if public_base_url[-1] != "/":
- public_base_url += "/"
+
+ # The public baseurl is required because it is used by the redirect
+ # template.
+ public_baseurl = self.public_baseurl
+ if not public_baseurl:
+ raise ConfigError("cas_config requires a public_baseurl to be set")
+
# TODO Update this to a _synapse URL.
- self.cas_service_url = (
- public_base_url + "_matrix/client/r0/login/cas/ticket"
- )
+ self.cas_service_url = public_baseurl + "_matrix/client/r0/login/cas/ticket"
self.cas_displayname_attribute = cas_config.get("displayname_attribute")
required_attributes = cas_config.get("required_attributes") or {}
self.cas_required_attributes = _parsed_required_attributes_def(
diff --git a/synapse/config/emailconfig.py b/synapse/config/emailconfig.py
index 6a487afd3495fd8a6f9704c505894ffd8c2e10cb..d4328c46b9b6c0ff5ab2f9ec2ce2e02281bddc3e 100644
--- a/synapse/config/emailconfig.py
+++ b/synapse/config/emailconfig.py
@@ -166,6 +166,11 @@ class EmailConfig(Config):
if not self.email_notif_from:
missing.append("email.notif_from")
+ # public_baseurl is required to build password reset and validation links that
+ # will be emailed to users
+ if config.get("public_baseurl") is None:
+ missing.append("public_baseurl")
+
if missing:
raise ConfigError(
MISSING_PASSWORD_RESET_CONFIG_ERROR % (", ".join(missing),)
@@ -264,6 +269,9 @@ class EmailConfig(Config):
if not self.email_notif_from:
missing.append("email.notif_from")
+ if config.get("public_baseurl") is None:
+ missing.append("public_baseurl")
+
if missing:
raise ConfigError(
"email.enable_notifs is True but required keys are missing: %s"
diff --git a/synapse/config/oidc_config.py b/synapse/config/oidc_config.py
index 9d8196d8c34faa6d2cbe775ce0d9f33981111cbf..d081f36fa5d398aaf07e4f7aa03f874b74b7a635 100644
--- a/synapse/config/oidc_config.py
+++ b/synapse/config/oidc_config.py
@@ -53,7 +53,10 @@ class OIDCConfig(Config):
"Multiple OIDC providers have the idp_id %r." % idp_id
)
- self.oidc_callback_url = self.public_baseurl + "_synapse/client/oidc/callback"
+ public_baseurl = self.public_baseurl
+ if public_baseurl is None:
+ raise ConfigError("oidc_config requires a public_baseurl to be set")
+ self.oidc_callback_url = public_baseurl + "_synapse/client/oidc/callback"
@property
def oidc_enabled(self) -> bool:
diff --git a/synapse/config/registration.py b/synapse/config/registration.py
index afb3e0b2a1a5ec70aca67bd8d6fa59c2ea5eb1c1..ead007ba5afb6d660cdd7b7e6d7f1b528bca9f51 100644
--- a/synapse/config/registration.py
+++ b/synapse/config/registration.py
@@ -49,6 +49,10 @@ class AccountValidityConfig(Config):
self.startup_job_max_delta = self.period * 10.0 / 100.0
+ if self.renew_by_email_enabled:
+ if "public_baseurl" not in synapse_config:
+ raise ConfigError("Can't send renewal emails without 'public_baseurl'")
+
template_dir = config.get("template_dir")
if not template_dir:
@@ -105,6 +109,13 @@ class RegistrationConfig(Config):
account_threepid_delegates = config.get("account_threepid_delegates") or {}
self.account_threepid_delegate_email = account_threepid_delegates.get("email")
self.account_threepid_delegate_msisdn = account_threepid_delegates.get("msisdn")
+ if self.account_threepid_delegate_msisdn and not self.public_baseurl:
+ raise ConfigError(
+ "The configuration option `public_baseurl` is required if "
+ "`account_threepid_delegate.msisdn` is set, such that "
+ "clients know where to submit validation tokens to. Please "
+ "configure `public_baseurl`."
+ )
self.default_identity_server = config.get("default_identity_server")
self.allow_guest_access = config.get("allow_guest_access", False)
@@ -227,9 +238,8 @@ class RegistrationConfig(Config):
# send an email to the account's email address with a renewal link. By
# default, no such emails are sent.
#
- # If you enable this setting, you will also need to fill out the 'email'
- # configuration section. You should also check that 'public_baseurl' is set
- # correctly.
+ # If you enable this setting, you will also need to fill out the 'email' and
+ # 'public_baseurl' configuration sections.
#
#renew_at: 1w
@@ -320,7 +330,8 @@ class RegistrationConfig(Config):
# The identity server which we suggest that clients should use when users log
# in on this server.
#
- # (By default, no suggestion is made, so it is left up to the client.)
+ # (By default, no suggestion is made, so it is left up to the client.
+ # This setting is ignored unless public_baseurl is also set.)
#
#default_identity_server: https://matrix.org
@@ -345,6 +356,8 @@ class RegistrationConfig(Config):
# by the Matrix Identity Service API specification:
# https://matrix.org/docs/spec/identity_service/latest
#
+ # If a delegate is specified, the config option public_baseurl must also be filled out.
+ #
account_threepid_delegates:
#email: https://example.com # Delegate email sending to example.com
#msisdn: http://localhost:8090 # Delegate SMS sending to this local process
diff --git a/synapse/config/saml2_config.py b/synapse/config/saml2_config.py
index 1820614bc0ccb0ee0c94a6b9449e377527dc1b91..4b494f217f647b5838bfba3893694a393a8a408f 100644
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -188,6 +188,8 @@ class SAML2Config(Config):
import saml2
public_baseurl = self.public_baseurl
+ if public_baseurl is None:
+ raise ConfigError("saml2_config requires a public_baseurl to be set")
if self.saml2_grandfathered_mxid_source_attribute:
optional_attributes.add(self.saml2_grandfathered_mxid_source_attribute)
diff --git a/synapse/config/server.py b/synapse/config/server.py
index b5e82ba3d0878ab99f6c4f35fdb2f4c62d72ae58..a635b8a7dc695b3a9e1cee9c6e4126c43fb19f4f 100644
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@@ -230,11 +230,7 @@ class ServerConfig(Config):
self.print_pidfile = config.get("print_pidfile")
self.user_agent_suffix = config.get("user_agent_suffix")
self.use_frozen_dicts = config.get("use_frozen_dicts", False)
- self.public_baseurl = config.get("public_baseurl") or "https://%s/" % (
- self.server_name,
- )
- if self.public_baseurl[-1] != "/":
- self.public_baseurl += "/"
+ self.public_baseurl = config.get("public_baseurl")
# Whether to enable user presence.
self.use_presence = config.get("use_presence", True)
@@ -386,6 +382,9 @@ class ServerConfig(Config):
config_path=("federation_ip_range_blacklist",),
)
+ if self.public_baseurl is not None:
+ if self.public_baseurl[-1] != "/":
+ self.public_baseurl += "/"
self.start_pushers = config.get("start_pushers", True)
# (undocumented) option for torturing the worker-mode replication a bit,
@@ -813,10 +812,6 @@ class ServerConfig(Config):
# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
# 'listeners' below).
#
- # If this is left unset, it defaults to 'https://<server_name>/'. (Note that
- # that will not work unless you configure Synapse or a reverse-proxy to listen
- # on port 443.)
- #
#public_baseurl: https://example.com/
# Set the soft limit on the number of file descriptors synapse can use
diff --git a/synapse/config/sso.py b/synapse/config/sso.py
index b94d3cd5e1c0c3534a3b34bbae9d267cf4e30491..07ba217f89b80cfbfa4b53e853665e2ee82814d8 100644
--- a/synapse/config/sso.py
+++ b/synapse/config/sso.py
@@ -81,8 +81,11 @@ class SSOConfig(Config):
# gracefully to the client). This would make it pointless to ask the user for
# confirmation, since the URL the confirmation page would be showing wouldn't be
# the client's.
- login_fallback_url = self.public_baseurl + "_matrix/static/client/login"
- self.sso_client_whitelist.append(login_fallback_url)
+ # public_baseurl is an optional setting, so we only add the fallback's URL to the
+ # list if it's provided (because we can't figure out what that URL is otherwise).
+ if self.public_baseurl:
+ login_fallback_url = self.public_baseurl + "_matrix/static/client/login"
+ self.sso_client_whitelist.append(login_fallback_url)
def generate_config_section(self, **kwargs):
return """\
@@ -100,9 +103,9 @@ class SSOConfig(Config):
# phishing attacks from evil.site. To avoid this, include a slash after the
# hostname: "https://my.client/".
#
- # The login fallback page (used by clients that don't natively support the
- # required login flows) is automatically whitelisted in addition to any URLs
- # in this list.
+ # If public_baseurl is set, then the login fallback page (used by clients
+ # that don't natively support the required login flows) is whitelisted in
+ # addition to any URLs in this list.
#
# By default, this list is empty.
#
diff --git a/synapse/handlers/identity.py b/synapse/handlers/identity.py
index 4f7137539beceb47b8907e5741e69cb082792071..8fc1e8b91c0a9792efee29a51a58bdd318995f65 100644
--- a/synapse/handlers/identity.py
+++ b/synapse/handlers/identity.py
@@ -504,6 +504,10 @@ class IdentityHandler(BaseHandler):
except RequestTimedOutError:
raise SynapseError(500, "Timed out contacting identity server")
+ # It is already checked that public_baseurl is configured since this code
+ # should only be used if account_threepid_delegate_msisdn is true.
+ assert self.hs.config.public_baseurl
+
# we need to tell the client to send the token back to us, since it doesn't
# otherwise know where to send it, so add submit_url response parameter
# (see also MSC2078)
diff --git a/synapse/rest/well_known.py b/synapse/rest/well_known.py
index 241fe746d996b4686a4924322b3a53fbae2a7f3c..f591cc6c5c7bff8c470c1abfe52b3fef79843640 100644
--- a/synapse/rest/well_known.py
+++ b/synapse/rest/well_known.py
@@ -34,6 +34,10 @@ class WellKnownBuilder:
self._config = hs.config
def get_well_known(self):
+ # if we don't have a public_baseurl, we can't help much here.
+ if self._config.public_baseurl is None:
+ return None
+
result = {"m.homeserver": {"base_url": self._config.public_baseurl}}
if self._config.default_identity_server:
diff --git a/synapse/util/templates.py b/synapse/util/templates.py
index 7e5109d206e521c029e6e4e0258f4c26894d6395..392dae4a40f56fb0e6c840a7617ad2ed859a5c92 100644
--- a/synapse/util/templates.py
+++ b/synapse/util/templates.py
@@ -17,7 +17,7 @@
import time
import urllib.parse
-from typing import TYPE_CHECKING, Callable, Iterable, Union
+from typing import TYPE_CHECKING, Callable, Iterable, Optional, Union
import jinja2
@@ -74,14 +74,23 @@ def build_jinja_env(
return env
-def _create_mxc_to_http_filter(public_baseurl: str) -> Callable:
+def _create_mxc_to_http_filter(
+ public_baseurl: Optional[str],
+) -> Callable[[str, int, int, str], str]:
"""Create and return a jinja2 filter that converts MXC urls to HTTP
Args:
public_baseurl: The public, accessible base URL of the homeserver
"""
- def mxc_to_http_filter(value, width, height, resize_method="crop"):
+ def mxc_to_http_filter(
+ value: str, width: int, height: int, resize_method: str = "crop"
+ ) -> str:
+ if not public_baseurl:
+ raise RuntimeError(
+ "public_baseurl must be set in the homeserver config to convert MXC URLs to HTTP URLs."
+ )
+
if value[0:6] != "mxc://":
return ""
diff --git a/tests/rest/client/v1/test_login.py b/tests/rest/client/v1/test_login.py
index ceb4ad23669037b6c31f200c52cd8dee2b508afe..49543d9acb78d140d083257c1d677acec284f819 100644
--- a/tests/rest/client/v1/test_login.py
+++ b/tests/rest/client/v1/test_login.py
@@ -680,10 +680,12 @@ class CASTestCase(unittest.HomeserverTestCase):
self.redirect_path = "_synapse/client/login/sso/redirect/confirm"
config = self.default_config()
+ config["public_baseurl"] = (
+ config.get("public_baseurl") or "https://matrix.goodserver.com:8448"
+ )
config["cas_config"] = {
"enabled": True,
"server_url": CAS_SERVER,
- "service_url": "https://matrix.goodserver.com:8448",
}
cas_user_id = "username"
diff --git a/tests/rest/test_well_known.py b/tests/rest/test_well_known.py
index c5e44af9f714fe41821158229a68becd689c9cac..14de0921be7bfb6f81f5666937382f2fe2362925 100644
--- a/tests/rest/test_well_known.py
+++ b/tests/rest/test_well_known.py
@@ -40,3 +40,12 @@ class WellKnownTests(unittest.HomeserverTestCase):
"m.identity_server": {"base_url": "https://testis"},
},
)
+
+ def test_well_known_no_public_baseurl(self):
+ self.hs.config.public_baseurl = None
+
+ channel = self.make_request(
+ "GET", "/.well-known/matrix/client", shorthand=False
+ )
+
+ self.assertEqual(channel.code, 404)
diff --git a/tests/utils.py b/tests/utils.py
index 68033d75356d2e6a268e9470479e67526865d023..840b657f825d583db23ef01444ff7521059c3848 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -159,6 +159,7 @@ def default_config(name, parse=False):
},
"rc_3pid_validation": {"per_second": 10000, "burst_count": 10000},
"saml2_enabled": False,
+ "public_baseurl": None,
"default_identity_server": None,
"key_refresh_interval": 24 * 60 * 60 * 1000,
"old_signing_keys": {},