diff --git a/docs/website_files/version-picker.css b/docs/website_files/version-picker.css
new file mode 100644
index 0000000000..28e5d5219a
--- /dev/null
+++ b/docs/website_files/version-picker.css
@@ -0,0 +1,78 @@
+.version-picker {
+ display: flex;
+ align-items: center;
+}
+
+.version-picker .dropdown {
+ width: 130px;
+ max-height: 29px;
+ margin-left: 10px;
+ display: inline-block;
+ border-radius: 4px;
+ border: 1px solid var(--theme-popup-border);
+ position: relative;
+ font-size: 13px;
+ color: var(--fg);
+ height: 100%;
+ text-align: left;
+}
+.version-picker .dropdown .select {
+ cursor: pointer;
+ display: block;
+ padding: 5px 2px 5px 15px;
+}
+.version-picker .dropdown .select > i {
+ font-size: 10px;
+ color: var(--fg);
+ cursor: pointer;
+ float: right;
+ line-height: 20px !important;
+}
+.version-picker .dropdown:hover {
+ border: 1px solid var(--theme-popup-border);
+}
+.version-picker .dropdown:active {
+ background-color: var(--theme-popup-bg);
+}
+.version-picker .dropdown.active:hover,
+.version-picker .dropdown.active {
+ border: 1px solid var(--theme-popup-border);
+ border-radius: 2px 2px 0 0;
+ background-color: var(--theme-popup-bg);
+}
+.version-picker .dropdown.active .select > i {
+ transform: rotate(-180deg);
+}
+.version-picker .dropdown .dropdown-menu {
+ position: absolute;
+ background-color: var(--theme-popup-bg);
+ width: 100%;
+ left: -1px;
+ right: 1px;
+ margin-top: 1px;
+ border: 1px solid var(--theme-popup-border);
+ border-radius: 0 0 4px 4px;
+ overflow: hidden;
+ display: none;
+ max-height: 300px;
+ overflow-y: auto;
+ z-index: 9;
+}
+.version-picker .dropdown .dropdown-menu li {
+ font-size: 12px;
+ padding: 6px 20px;
+ cursor: pointer;
+}
+.version-picker .dropdown .dropdown-menu {
+ padding: 0;
+ list-style: none;
+}
+.version-picker .dropdown .dropdown-menu li:hover {
+ background-color: var(--theme-hover);
+}
+.version-picker .dropdown .dropdown-menu li.active::before {
+ display: inline-block;
+ content: "✓";
+ margin-inline-start: -14px;
+ width: 14px;
+}
\ No newline at end of file
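Review bot: `.version-picker .dropdown .dropdown-menu` is declared twice in this hunk (the block starting with `position: absolute;` and a later one holding only `padding: 0; list-style: none;`), and the first of them sets `overflow: hidden;` and then `overflow-y: auto;`, so the earlier value is partly overridden. Folding `padding: 0;` and `list-style: none;` into the first rule and dropping the redundant `overflow: hidden;` keeps the rendering identical and leaves one place to edit. The file also ends without a trailing newline.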
diff --git a/docs/website_files/version-picker.js b/docs/website_files/version-picker.js
new file mode 100644
index 0000000000..bb35a7d896
--- /dev/null
+++ b/docs/website_files/version-picker.js
@@ -0,0 +1,127 @@
+
+const dropdown = document.querySelector('.version-picker .dropdown');
+const dropdownMenu = dropdown.querySelector('.dropdown-menu');
+
+fetchVersions(dropdown, dropdownMenu).then(() => {
+ initializeVersionDropdown(dropdown, dropdownMenu);
+});
+
+/**
+ * Initialize the dropdown functionality for version selection.
+ *
+ * @param {Element} dropdown - The dropdown element.
+ * @param {Element} dropdownMenu - The dropdown menu element.
+ */
+function initializeVersionDropdown(dropdown, dropdownMenu) {
+ // Toggle the dropdown menu on click
+ dropdown.addEventListener('click', function () {
+ this.setAttribute('tabindex', 1);
+ this.classList.toggle('active');
+ dropdownMenu.style.display = (dropdownMenu.style.display === 'block') ? 'none' : 'block';
+ });
+
+ // Remove the 'active' class and hide the dropdown menu on focusout
+ dropdown.addEventListener('focusout', function () {
+ this.classList.remove('active');
+ dropdownMenu.style.display = 'none';
+ });
+
+ // Handle item selection within the dropdown menu
+ const dropdownMenuItems = dropdownMenu.querySelectorAll('li');
+ dropdownMenuItems.forEach(function (item) {
+ item.addEventListener('click', function () {
+ dropdownMenuItems.forEach(function (item) {
+ item.classList.remove('active');
+ });
+ this.classList.add('active');
+ dropdown.querySelector('span').textContent = this.textContent;
+ dropdown.querySelector('input').value = this.getAttribute('id');
+
+ window.location.href = changeVersion(window.location.href, this.textContent);
+ });
+ });
+};
+
+/**
+ * This function fetches the available versions from a GitHub repository
+ * and inserts them into the version picker.
+ *
+ * @param {Element} dropdown - The dropdown element.
+ * @param {Element} dropdownMenu - The dropdown menu element.
+ * @returns {Promise>} A promise that resolves with an array of available versions.
+ */
+function fetchVersions(dropdown, dropdownMenu) {
+ return new Promise((resolve, reject) => {
+ window.addEventListener("load", () => {
+
+ fetch("https://api.github.com/repos/matrix-org/synapse/git/trees/gh-pages", {
+ cache: "force-cache",
+ }).then(res =>
+ res.json()
+ ).then(resObject => {
+ const excluded = ['dev-docs', 'v1.91.0', 'v1.80.0', 'v1.69.0'];
+ const tree = resObject.tree.filter(item => item.type === "tree" && !excluded.includes(item.path));
+ const versions = tree.map(item => item.path).sort(sortVersions);
+
+ // Create a list of
items for versions
+ versions.forEach((version) => {
+ const li = document.createElement("li");
+ li.textContent = version;
+ li.id = version;
+
+ if (window.SYNAPSE_VERSION === version) {
+ li.classList.add('active');
+ dropdown.querySelector('span').textContent = version;
+ dropdown.querySelector('input').value = version;
+ }
+
+ dropdownMenu.appendChild(li);
+ });
+
+ resolve(versions);
+
+ }).catch(ex => {
+ console.error("Failed to fetch version data", ex);
+ reject(ex);
+ })
+ });
+ });
+}
+
+/**
+ * Custom sorting function to sort an array of version strings.
+ *
+ * @param {string} a - The first version string to compare.
+ * @param {string} b - The second version string to compare.
+ * @returns {number} - A negative number if a should come before b, a positive number if b should come before a, or 0 if they are equal.
+ */
+function sortVersions(a, b) {
+ // Put 'develop' and 'latest' at the top
+ if (a === 'develop' || a === 'latest') return -1;
+ if (b === 'develop' || b === 'latest') return 1;
+
+ const versionA = (a.match(/v\d+(\.\d+)+/) || [])[0];
+ const versionB = (b.match(/v\d+(\.\d+)+/) || [])[0];
+
+ return versionB.localeCompare(versionA);
+}
+
+/**
+ * Change the version in a URL path.
+ *
+ * @param {string} url - The original URL to be modified.
+ * @param {string} newVersion - The new version to replace the existing version in the URL.
+ * @returns {string} The updated URL with the new version.
+ */
+function changeVersion(url, newVersion) {
+ const parsedURL = new URL(url);
+ const pathSegments = parsedURL.pathname.split('/');
+
+ // Modify the version
+ pathSegments[2] = newVersion;
+
+ // Reconstruct the URL
+ parsedURL.pathname = pathSegments.join('/');
+
+ return parsedURL.href;
+}
\ No newline at end of file
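Review bot: `sortVersions` compares the extracted tags with a plain `localeCompare`, which orders digit by digit, so `v1.10.0` sorts below `v1.9.0`, and when the regex does not match (a tree path without a `vN.N` prefix) `versionB` is `undefined` and the call throws inside the fetch chain. Passing the numeric collation option and falling back to the raw name fixes both: `const versionA = (a.match(/v\d+(\.\d+)+/) || [a])[0];`, the same for `versionB`, and `return versionB.localeCompare(versionA, undefined, { numeric: true });`. Separately, `fetchVersions` never checks `res.ok`, so a rate-limited or error response from the GitHub API only surfaces as a TypeError on `resObject.tree`, and the promise never settles at all if the `load` event has already fired by the time this script attaches its listener. The JSDoc `@returns {Promise>}` has lost its type parameter and should read `@returns {Promise<string[]>}`.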
diff --git a/docs/website_files/version.js b/docs/website_files/version.js
new file mode 100644
index 0000000000..9065afcdbf
--- /dev/null
+++ b/docs/website_files/version.js
@@ -0,0 +1 @@
+window.SYNAPSE_VERSION = "latest";
\ No newline at end of file
diff --git a/synapse/_scripts/generate_signing_key.py b/synapse/_scripts/generate_signing_key.py
index 3f8f5da75f..581b991505 100755
--- a/synapse/_scripts/generate_signing_key.py
+++ b/synapse/_scripts/generate_signing_key.py
@@ -13,6 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
import argparse
+import os
import sys
from signedjson.key import generate_signing_key, write_signing_keys
@@ -26,15 +27,21 @@ def main() -> None:
parser.add_argument(
"-o",
"--output_file",
- type=argparse.FileType("w"),
- default=sys.stdout,
+ type=str,
+ default="-",
help="Where to write the output to",
)
args = parser.parse_args()
key_id = "a_" + random_string(4)
key = (generate_signing_key(key_id),)
- write_signing_keys(args.output_file, key)
+ if args.output_file == "-":
+ write_signing_keys(sys.stdout, key)
+ else:
+ with open(
+ args.output_file, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
+ ) as signing_key_file:
+ write_signing_keys(signing_key_file, key)
if __name__ == "__main__":
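Review bot: The `mode=0o640` passed through `opener` only takes effect when `os.open` creates the file; if `args.output_file` already exists, `"w"` truncates it and its existing permissions (possibly world-readable) are kept, and the process umask is still applied on creation. If the goal is a guaranteed-private key file, either refuse to overwrite an existing path or apply `os.chmod(args.output_file, 0o640)` after writing; the two `synapse/config/key.py` hunks use the same opener and have the same gap. The new `-` default is also not explained to users: `help="Where to write the output to ('-' for stdout)"`.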
diff --git a/synapse/config/key.py b/synapse/config/key.py
index f3dc4df695..1920498cd1 100644
--- a/synapse/config/key.py
+++ b/synapse/config/key.py
@@ -263,7 +263,9 @@ class KeyConfig(Config):
if not self.path_exists(signing_key_path):
print("Generating signing key file %s" % (signing_key_path,))
- with open(signing_key_path, "w") as signing_key_file:
+ with open(
+ signing_key_path, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
+ ) as signing_key_file:
key_id = "a_" + random_string(4)
write_signing_keys(signing_key_file, (generate_signing_key(key_id),))
else:
@@ -274,7 +276,9 @@ class KeyConfig(Config):
key = decode_signing_key_base64(
NACL_ED25519, key_id, signing_keys.split("\n")[0]
)
- with open(signing_key_path, "w") as signing_key_file:
+ with open(
+ signing_key_path, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
+ ) as signing_key_file:
write_signing_keys(signing_key_file, (key,))
diff --git a/synapse/handlers/room.py b/synapse/handlers/room.py
index 2823ca6f0d..c391ab8f4a 100644
--- a/synapse/handlers/room.py
+++ b/synapse/handlers/room.py
@@ -871,7 +871,9 @@ class RoomCreationHandler:
# The spec says rooms should default to private visibility if
# `visibility` is not specified.
- visibility = config.get("visibility", "private")
+ #visibility = config.get("visibility", "private")
+ # temporarily block publishing rooms to directory - patch date 12/12/23
+ visibility = "private"
is_public = visibility == "public"
self._validate_room_config(config, visibility)
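Review bot: Forcing `visibility = "private"` silently ignores a client that asked for `"public"`: the room is created private with no error, and `self._validate_room_config(config, visibility)` on the next line now validates a value the client never sent while `config` still carries the original. The `directory.py` hunk in this same change rejects non-admin publishing with a 403 `AuthError`; doing the same here (raise when `config.get("visibility")` is `"public"` and the caller is not a server admin, if the requester is available at this point) would keep the two paths consistent and make the restriction visible to callers. The commented-out `#visibility = ...` line should be deleted rather than kept, since version control holds the old value, and the comment should say why publishing is blocked rather than only the patch date. The enclosing method starts and ends outside the hunk.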
diff --git a/synapse/rest/__init__.py b/synapse/rest/__init__.py
index 1be9c47c61..53b8c319a6 100644
--- a/synapse/rest/__init__.py
+++ b/synapse/rest/__init__.py
@@ -22,6 +22,7 @@ from synapse.rest.client import (
account_validity,
appservice_ping,
auth,
+ auth_issuer,
capabilities,
devices,
directory,
@@ -148,3 +149,4 @@ class ClientRestResource(JsonResource):
mutual_rooms.register_servlets(hs, client_resource)
login_token_request.register_servlets(hs, client_resource)
rendezvous.register_servlets(hs, client_resource)
+ auth_issuer.register_servlets(hs, client_resource)
diff --git a/synapse/rest/client/auth_issuer.py b/synapse/rest/client/auth_issuer.py
new file mode 100644
index 0000000000..77b9720956
--- /dev/null
+++ b/synapse/rest/client/auth_issuer.py
@@ -0,0 +1,63 @@
+# Copyright 2023 The Matrix.org Foundation C.I.C.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import logging
+import typing
+from typing import Tuple
+
+from synapse.api.errors import Codes, SynapseError
+from synapse.http.server import HttpServer
+from synapse.http.servlet import RestServlet
+from synapse.http.site import SynapseRequest
+from synapse.rest.client._base import client_patterns
+from synapse.types import JsonDict
+
+if typing.TYPE_CHECKING:
+ from synapse.server import HomeServer
+
+
+logger = logging.getLogger(__name__)
+
+
+class AuthIssuerServlet(RestServlet):
+ """
+ Advertises what OpenID Connect issuer clients should use to authorise users.
+ """
+
+ PATTERNS = client_patterns(
+ "/org.matrix.msc2965/auth_issuer$",
+ unstable=True,
+ releases=(),
+ )
+
+ def __init__(self, hs: "HomeServer"):
+ super().__init__()
+ self._config = hs.config
+
+ async def on_GET(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
+ if self._config.experimental.msc3861.enabled:
+ return 200, {"issuer": self._config.experimental.msc3861.issuer}
+ else:
+ # Wouldn't expect this to be reached: the servelet shouldn't have been
+ # registered. Still, fail gracefully if we are registered for some reason.
+ raise SynapseError(
+ 404,
+ "OIDC discovery has not been configured on this homeserver",
+ Codes.NOT_FOUND,
+ )
+
+
+def register_servlets(hs: "HomeServer", http_server: HttpServer) -> None:
+ # We use the MSC3861 values as they are used by multiple MSCs
+ if hs.config.experimental.msc3861.enabled:
+ AuthIssuerServlet(hs).register(http_server)
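Review bot: `logger = logging.getLogger(__name__)` and the `logging` import are never used in this module and can be dropped. In `on_GET` the `else:` after a `return` is redundant; the `raise SynapseError(...)` can sit at function level with the same behaviour. The comment above it has a typo: `servelet` should be `servlet`.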
diff --git a/synapse/rest/client/directory.py b/synapse/rest/client/directory.py
index 3534c3c259..0d16758f85 100644
--- a/synapse/rest/client/directory.py
+++ b/synapse/rest/client/directory.py
@@ -159,6 +159,16 @@ class ClientDirectoryListServer(RestServlet):
content = parse_and_validate_json_object_from_request(request, self.PutBody)
+ # temporarily block publishing rooms to public directory for non-admins
+ # patch date 12/12/23
+ if content.visibility == "public":
+ is_admin = await self.is_server_admin(requester)
+ if not is_admin:
+ raise AuthError(
+ 403,
+ "Publishing rooms to the room list is temporarily disabled.",
+ )
+
await self.directory_handler.edit_published_room_list(
requester, room_id, content.visibility
)
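Review bot: The new check calls `self.is_server_admin(requester)`, but the servlet class is outside the hunk and this diff adds no such method; if the class does not define it, the `"public"` branch fails with an AttributeError (a 500) instead of the intended 403, so confirm the helper exists or route the check through the auth object the servlet uses for its other admin checks. `AuthError` is likewise not imported by this diff; confirm it is already in scope in `directory.py`. The `patch date 12/12/23` comment would be more useful stating why publishing is blocked and when the block can be lifted. The enclosing handler method starts outside the hunk.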
diff --git a/tests/rest/client/test_auth_issuer.py b/tests/rest/client/test_auth_issuer.py
new file mode 100644
index 0000000000..964baeec32
--- /dev/null
+++ b/tests/rest/client/test_auth_issuer.py
@@ -0,0 +1,59 @@
+# Copyright 2023 The Matrix.org Foundation C.I.C.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+from http import HTTPStatus
+
+from synapse.rest.client import auth_issuer
+
+from tests.unittest import HomeserverTestCase, override_config, skip_unless
+from tests.utils import HAS_AUTHLIB
+
+ISSUER = "https://account.example.com/"
+
+
+class AuthIssuerTestCase(HomeserverTestCase):
+ servlets = [
+ auth_issuer.register_servlets,
+ ]
+
+ def test_returns_404_when_msc3861_disabled(self) -> None:
+ # Make an unauthenticated request for the discovery info.
+ channel = self.make_request(
+ "GET",
+ "/_matrix/client/unstable/org.matrix.msc2965/auth_issuer",
+ )
+ self.assertEqual(channel.code, HTTPStatus.NOT_FOUND)
+
+ @skip_unless(HAS_AUTHLIB, "requires authlib")
+ @override_config(
+ {
+ "disable_registration": True,
+ "experimental_features": {
+ "msc3861": {
+ "enabled": True,
+ "issuer": ISSUER,
+ "client_id": "David Lister",
+ "client_auth_method": "client_secret_post",
+ "client_secret": "Who shot Mister Burns?",
+ }
+ },
+ }
+ )
+ def test_returns_issuer_when_oidc_enabled(self) -> None:
+ # Make an unauthenticated request for the discovery info.
+ channel = self.make_request(
+ "GET",
+ "/_matrix/client/unstable/org.matrix.msc2965/auth_issuer",
+ )
+ self.assertEqual(channel.code, HTTPStatus.OK)
+ self.assertEqual(channel.json_body, {"issuer": ISSUER})
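Review bot: `test_returns_404_when_msc3861_disabled` exercises the unregistered-route case, because `register_servlets` only registers `AuthIssuerServlet` when msc3861 is enabled, so the servlet's own 404 branch in `on_GET` is never covered by these tests. Neither test asserts on the error body; adding `self.assertIn("errcode", channel.json_body)` in the disabled case would at least pin the response shape.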