Add config option to block users from looking up 3PIDs (#5010)
parent
a33a5abc4c
commit
8e85493b0c
|
@ -0,0 +1 @@
|
||||||
|
Add config option to block users from looking up 3PIDs.
|
|
@ -665,6 +665,10 @@ uploads_path: "DATADIR/uploads"
|
||||||
# - medium: msisdn
|
# - medium: msisdn
|
||||||
# pattern: '\+44'
|
# pattern: '\+44'
|
||||||
|
|
||||||
|
# Enable 3PIDs lookup requests to identity servers from this server.
|
||||||
|
#
|
||||||
|
#enable_3pid_lookup: true
|
||||||
|
|
||||||
# If set, allows registration of standard or admin accounts by anyone who
|
# If set, allows registration of standard or admin accounts by anyone who
|
||||||
# has the shared secret, even if registration is otherwise disabled.
|
# has the shared secret, even if registration is otherwise disabled.
|
||||||
#
|
#
|
||||||
|
|
|
@ -33,6 +33,7 @@ class RegistrationConfig(Config):
|
||||||
|
|
||||||
self.registrations_require_3pid = config.get("registrations_require_3pid", [])
|
self.registrations_require_3pid = config.get("registrations_require_3pid", [])
|
||||||
self.allowed_local_3pids = config.get("allowed_local_3pids", [])
|
self.allowed_local_3pids = config.get("allowed_local_3pids", [])
|
||||||
|
self.enable_3pid_lookup = config.get("enable_3pid_lookup", True)
|
||||||
self.registration_shared_secret = config.get("registration_shared_secret")
|
self.registration_shared_secret = config.get("registration_shared_secret")
|
||||||
|
|
||||||
self.bcrypt_rounds = config.get("bcrypt_rounds", 12)
|
self.bcrypt_rounds = config.get("bcrypt_rounds", 12)
|
||||||
|
@ -97,6 +98,10 @@ class RegistrationConfig(Config):
|
||||||
# - medium: msisdn
|
# - medium: msisdn
|
||||||
# pattern: '\\+44'
|
# pattern: '\\+44'
|
||||||
|
|
||||||
|
# Enable 3PIDs lookup requests to identity servers from this server.
|
||||||
|
#
|
||||||
|
#enable_3pid_lookup: true
|
||||||
|
|
||||||
# If set, allows registration of standard or admin accounts by anyone who
|
# If set, allows registration of standard or admin accounts by anyone who
|
||||||
# has the shared secret, even if registration is otherwise disabled.
|
# has the shared secret, even if registration is otherwise disabled.
|
||||||
#
|
#
|
||||||
|
|
|
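Review bot: The new read `self.enable_3pid_lookup = config.get("enable_3pid_lookup", True)` accepts any YAML value, so a quoted `"false"` (a non-empty string) is truthy and leaves lookups enabled when the operator meant to turn them off. For a privacy control it is safer to fail closed on a bad type, for example `if not isinstance(self.enable_3pid_lookup, bool): raise ConfigError("enable_3pid_lookup must be true or false")`, assuming `ConfigError` is importable in this module. The sample-config comment in the second hunk could also say what disabling does, e.g. `# When false, invites by third-party identifier are rejected with a 403.`, which is the behaviour the accompanying test asserts. Both hunks sit inside RegistrationConfig code that starts and ends outside the visible lines.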
@ -70,6 +70,7 @@ class RoomMemberHandler(object):
|
||||||
self.clock = hs.get_clock()
|
self.clock = hs.get_clock()
|
||||||
self.spam_checker = hs.get_spam_checker()
|
self.spam_checker = hs.get_spam_checker()
|
||||||
self._server_notices_mxid = self.config.server_notices_mxid
|
self._server_notices_mxid = self.config.server_notices_mxid
|
||||||
|
self._enable_lookup = hs.config.enable_3pid_lookup
|
||||||
|
|
||||||
@abc.abstractmethod
|
@abc.abstractmethod
|
||||||
def _remote_join(self, requester, remote_room_hosts, room_id, user, content):
|
def _remote_join(self, requester, remote_room_hosts, room_id, user, content):
|
||||||
|
@ -738,6 +739,10 @@ class RoomMemberHandler(object):
|
||||||
Returns:
|
Returns:
|
||||||
str: the matrix ID of the 3pid, or None if it is not recognized.
|
str: the matrix ID of the 3pid, or None if it is not recognized.
|
||||||
"""
|
"""
|
||||||
|
if not self._enable_lookup:
|
||||||
|
raise SynapseError(
|
||||||
|
403, "Looking up third-party identifiers is denied from this server",
|
||||||
|
)
|
||||||
try:
|
try:
|
||||||
data = yield self.simple_http_client.get_json(
|
data = yield self.simple_http_client.get_json(
|
||||||
"%s%s/_matrix/identity/api/v1/lookup" % (id_server_scheme, id_server,),
|
"%s%s/_matrix/identity/api/v1/lookup" % (id_server_scheme, id_server,),
|
||||||
|
|
|
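Review bot: The guard added before the `try:` raises `SynapseError(403, ...)` without an errcode, so clients receive the generic default code rather than a forbidden one. Passing `Codes.FORBIDDEN` as the third argument (if `Codes` is imported in this file) would let clients tell a policy denial apart from other failures. The docstring just above documents only `Returns:` and should gain a `Raises:` entry saying that a 403 SynapseError is raised when `enable_3pid_lookup` is false. The check covers only this lookup call. Whether other paths in this handler send the same address to an identity server is not visible in the hunk and is worth confirming, since the option is described as blocking lookup requests from this server. The function starts before the hunk and continues past it.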
@ -0,0 +1,65 @@
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
# Copyright 2019 New Vector Ltd
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
import json
|
||||||
|
|
||||||
|
from synapse.rest.client.v1 import admin, login, room
|
||||||
|
|
||||||
|
from tests import unittest
|
||||||
|
|
||||||
|
|
||||||
|
class IdentityTestCase(unittest.HomeserverTestCase):
|
||||||
|
|
||||||
|
servlets = [
|
||||||
|
admin.register_servlets,
|
||||||
|
room.register_servlets,
|
||||||
|
login.register_servlets,
|
||||||
|
]
|
||||||
|
|
||||||
|
def make_homeserver(self, reactor, clock):
|
||||||
|
|
||||||
|
config = self.default_config()
|
||||||
|
config.enable_3pid_lookup = False
|
||||||
|
self.hs = self.setup_test_homeserver(config=config)
|
||||||
|
|
||||||
|
return self.hs
|
||||||
|
|
||||||
|
def test_3pid_lookup_disabled(self):
|
||||||
|
self.hs.config.enable_3pid_lookup = False
|
||||||
|
|
||||||
|
self.register_user("kermit", "monkey")
|
||||||
|
tok = self.login("kermit", "monkey")
|
||||||
|
|
||||||
|
request, channel = self.make_request(
|
||||||
|
b"POST", "/createRoom", b"{}", access_token=tok,
|
||||||
|
)
|
||||||
|
self.render(request)
|
||||||
|
self.assertEquals(channel.result["code"], b"200", channel.result)
|
||||||
|
room_id = channel.json_body["room_id"]
|
||||||
|
|
||||||
|
params = {
|
||||||
|
"id_server": "testis",
|
||||||
|
"medium": "email",
|
||||||
|
"address": "test@example.com",
|
||||||
|
}
|
||||||
|
request_data = json.dumps(params)
|
||||||
|
request_url = (
|
||||||
|
"/rooms/%s/invite" % (room_id)
|
||||||
|
).encode('ascii')
|
||||||
|
request, channel = self.make_request(
|
||||||
|
b"POST", request_url, request_data, access_token=tok,
|
||||||
|
)
|
||||||
|
self.render(request)
|
||||||
|
self.assertEquals(channel.result["code"], b"403", channel.result)
|
|
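Review bot: `test_3pid_lookup_disabled` re-assigns `self.hs.config.enable_3pid_lookup = False` although `make_homeserver` has already set it. Because the handler caches the flag in `self._enable_lookup`, whether this later assignment has any effect depends on when the handler is constructed, so the line is best dropped to avoid implying the option can be flipped at runtime. The test asserts only the 403 status, so it would also pass if the invite were rejected for an unrelated reason. Asserting the error message in `channel.json_body`, or that no outbound request to `testis` was made, would pin the intended behaviour. There is no companion test for the default (enabled) path. `assertEquals` is a deprecated alias, and `self.assertEqual(channel.result["code"], b"403", channel.result)` matches the call used in the HomeserverTestCase hunk of this commit.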
@ -410,7 +410,7 @@ class HomeserverTestCase(TestCase):
|
||||||
"POST", "/_matrix/client/r0/login", json.dumps(body).encode('utf8')
|
"POST", "/_matrix/client/r0/login", json.dumps(body).encode('utf8')
|
||||||
)
|
)
|
||||||
self.render(request)
|
self.render(request)
|
||||||
self.assertEqual(channel.code, 200)
|
self.assertEqual(channel.code, 200, channel.result)
|
||||||
|
|
||||||
access_token = channel.json_body["access_token"]
|
access_token = channel.json_body["access_token"]
|
||||||
return access_token
|
return access_token
|
||||||
|
|