Mirrors
/
synapse
mirror of https://github.com/element-hq/synapse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add jsonschema verification for the oidc provider config

This commit is contained in:
Richard van der Hoff 2020-12-18 13:34:59 +00:00
parent 7cc9509eca
commit dc3c83a933
1 changed files with 50 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
synapse/config/oidc_config.py
View File

@ -18,6 +18,7 @@ from typing import Optional, Type
import attr import attr
from synapse.config._util import validate_config
from synapse.python_dependencies import DependencyException, check_requirements from synapse.python_dependencies import DependencyException, check_requirements
from synapse.types import Collection, JsonDict from synapse.types import Collection, JsonDict
from synapse.util.module_loader import load_module from synapse.util.module_loader import load_module
@ -31,10 +32,13 @@ class OIDCConfig(Config):
section = "oidc" section = "oidc"
def read_config(self, config, **kwargs): def read_config(self, config, **kwargs):
validate_config(MAIN_CONFIG_SCHEMA, config, ())
self.oidc_provider = None # type: Optional[OidcProviderConfig] self.oidc_provider = None # type: Optional[OidcProviderConfig]
oidc_config = config.get("oidc_config") oidc_config = config.get("oidc_config")
if oidc_config and oidc_config.get("enabled", False): if oidc_config and oidc_config.get("enabled", False):
validate_config(OIDC_PROVIDER_CONFIG_SCHEMA, oidc_config, "oidc_config")
self.oidc_provider = _parse_oidc_config_dict(oidc_config) self.oidc_provider = _parse_oidc_config_dict(oidc_config)
if not self.oidc_provider: if not self.oidc_provider:
@ -196,6 +200,52 @@ class OIDCConfig(Config):
) )
# jsonschema definition of the configuration settings for an oidc identity provider
OIDC_PROVIDER_CONFIG_SCHEMA = {
"type": "object",
"required": ["issuer", "client_id", "client_secret"],
"properties": {
"discover": {"type": "boolean"},
"issuer": {"type": "string"},
"client_id": {"type": "string"},
"client_secret": {"type": "string"},
"client_auth_method": {
"type": "string",
# the following list is the same as the keys of
# authlib.oauth2.auth.ClientAuth.DEFAULT_AUTH_METHODS. We inline it
# to avoid importing authlib here.
"enum": ["client_secret_basic", "client_secret_post", "none"],
},
"scopes": {"type": "array", "items": {"type": "string"}},
"authorization_endpoint": {"type": "string"},
"token_endpoint": {"type": "string"},
"userinfo_endpoint": {"type": "string"},
"jwks_uri": {"type": "string"},
"skip_verification": {"type": "boolean"},
"user_profile_method": {
"type": "string",
"enum": ["auto", "userinfo_endpoint"],
},
"allow_existing_users": {"type": "boolean"},
"user_mapping_provider": {"type": ["object", "null"]},
},
}
# the `oidc_config` setting can either be None (as it is in the default
# config), or an object. If an object, it is ignored unless it has an "enabled: True"
# property.
#
# It's *possible* to represent this with jsonschema, but the resultant errors aren't
# particularly clear, so we just check for either an object or a null here, and do
# additional checks in the code.
OIDC_CONFIG_SCHEMA = {"oneOf": [{"type": "null"}, {"type": "object"}]}
MAIN_CONFIG_SCHEMA = {
"type": "object",
"properties": {"oidc_config": OIDC_CONFIG_SCHEMA},
}
def _parse_oidc_config_dict(oidc_config: JsonDict) -> "OidcProviderConfig": def _parse_oidc_config_dict(oidc_config: JsonDict) -> "OidcProviderConfig":
"""Take the configuration dict and parse it into an OidcProviderConfig """Take the configuration dict and parse it into an OidcProviderConfig