This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Complete the SAML2 implementation #5422

Merged
merged 15 commits into from
Jul 2, 2019

Conversation

richvdh
Member

@richvdh richvdh commented Jun 10, 2019

This PR builds heavily on #5316, to fix #5130 by providing the 'client' part of the SAML flow by redirecting to the SAML identity provider.

galexrt and others added 5 commits June 2, 2019 18:14
Signed-off-by: Alexander Trost <galexrt@googlemail.com>
Also: share the saml client between redirect and response handlers.
Synapse 1.0.0rc3 (2019-06-10)
=============================

Security: Fix authentication bug introduced in 1.0.0rc1. Please upgrade to rc3 immediately
@richvdh richvdh changed the base branch from master to develop June 10, 2019 23:44
@ineiti

ineiti commented Jun 13, 2019

Can you give an example on how to activate sso in the configuration file?

@ara4n
Member

ara4n commented Jun 20, 2019

(ftr i'm aware of at least 4 parties who are anxious for this to merge :)

@galexrt
Contributor

galexrt commented Jun 20, 2019

@ineiti I'm currently writing up a blog post about how I got it to work with Keycloak at least. I'll keep you updated in this comment.

@ineiti

ineiti commented Jun 20, 2019

@galexrt - I did my own SSO integration with CAS - I had to write the server-side anyway. It works fine with the web-interface.

Unfortunately the apps don't work, as our service provides a passwordless login, and it depends on the storageDB that is in the browser. And the apps use an own instance of the browser that doesn't have access to the storageDB :( I looked quickly into it, but it seemed more than half a day's work.

@galexrt
Contributor

galexrt commented Jun 21, 2019

Unfortunately the apps don't work [...]

@ineiti Are you talking about the Riot Web, Android and so on Apps?
The login through SSO worked fine for me with my original PR (haven't tried with this one yet, but it has the "same" changes in it), see #2257 (comment) for how it looks. It looked the same on my Android phone using the Riot Android app.

From the Matrix API spec it seems the apps need to implement the m.login.sso and then use the returned token for the m.login.token login, which is fine I guess:

If the homeserver advertises m.login.sso as a viable flow, and the client supports it, the client should redirect the user to the /redirect endpoint for Single Sign-On. After authentication is complete, the client will need to submit a /login request matching m.login.token.

@ineiti

ineiti commented Jun 24, 2019

@galexrt

@ineiti Are you talking about the Riot Web, Android and so on Apps?

The Riot web app works fine! But the android and desktop app do not.

Most often, SSO services ask the user about a login-name and a password. This works fine with the current android and desktop app.

However, our SSO solution doesn't ask for a login-name and a password, but depends on a private key that is stored in the storageDB of the browser. And this is a problem, because the android and desktop app don't use the same browser as the user, and so the SSO page they show doesn't have access to the private key that is stored in the storageDB of the browser.

So the android and desktop app would have to call the default browser of the user, and then be redirected from there back to the app. Probably not impossible, but if somebody gives me some pointers, I'd be more than happy to give it a try.

Unfortunately matrix-react-sdk doesn't allow me to open an issue, but I guess that I would have to change the method here:

https://github.com/matrix-org/matrix-react-sdk/blob/3836a3e2e293e29b3d9635fcb9c530e21fcc79b2/src/components/structures/auth/Login.js#L544

@jryans
Contributor

jryans commented Jun 24, 2019

Unfortunately matrix-react-sdk doesn't allow me to open an issue, but I guess that I would have to change the method here:

https://github.com/matrix-org/matrix-react-sdk/blob/3836a3e2e293e29b3d9635fcb9c530e21fcc79b2/src/components/structures/auth/Login.js#L544

React SDK issues are currently tracked in the Riot Web repo.

@csett86

csett86 commented Jun 24, 2019

@richvdh

Can I do anything to move this forward? Testing anything special?

@richvdh
Member Author

richvdh commented Jun 24, 2019

a time machine would help :/

@csett86

csett86 commented Jun 24, 2019

Test results: This pull request worked fine with phpsimplesaml 1.17.2 and current riot-web and riot-ios.

Only problem I had: Initially synapse always complained that the authn response was unsolicited, although it had the correct InResponseTo ID set. So I had to allow unsolicited responses in the sp_config:

  service:
      sp:
          allow_unsolicited: True

@kyrisu

kyrisu commented Jun 25, 2019

Could anyone post a valid SAML response? I'm particularly interested in the AttributeStatement section.
I have:

<saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">some_unique_user_id_from_my_system</saml:AttributeValue>
</saml:Attribute>

but synapse is still complaining about uid not in SAML2 response.

Update:
Made it work by setting

sp_config:
    allow_unknown_attributes: true

but I'm open to a better solution.

@galexrt
Contributor

galexrt commented Jun 25, 2019

@kyrias You need to use the attribute_map_dir param and create an attribute map to map the uid attribute to actually be the uid attribute.
Example:

MAP = {
    "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "fro": {
        'uid': 'uid',
    },
    "to": {
        'uid': 'uid',
    }
}

I'll have the blog post with such details hopefully after the upcoming weekend.

@csett86

csett86 commented Jun 26, 2019

@kyrisu

What works for me is the following, the oid format:

     <saml:AttributeStatement>
       <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml:AttributeValue xsi:type="xs:string">eva</saml:AttributeValue>
       </saml:Attribute>
       <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml:AttributeValue xsi:type="xs:string">eva@example.org</saml:AttributeValue>
       </saml:Attribute>
       <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml:AttributeValue xsi:type="xs:string">Eva</saml:AttributeValue>
       </saml:Attribute>
       <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
         <saml:AttributeValue xsi:type="xs:string">examle</saml:AttributeValue>
       </saml:Attribute>
     </saml:AttributeStatement>

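Tying together the two configuration points raised in this thread (the InResponseTo correlation that allow_unsolicited switches off, and the attribute map synapse needs before it can find uid), here is an added Python model of the SP-side response handling; it is not code from synapse or pysaml2. It assumes signature verification has already happened; the local names in the map and the pysaml2-like semantics of allow_unsolicited and allow_unknown_attributes are assumptions, and the sample responses are constructed.

```python
import time
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Attribute map in the same {"identifier", "fro", "to"} shape as the one posted
# above: "fro" renames attributes as the IdP sends them to local names. It covers
# the OIDs quoted above; the local names are an assumption, not a pysaml2 map.
OID_MAP = {
    "identifier": URI_FORMAT,
    "fro": {
        "urn:oid:0.9.2342.19200300.100.1.1": "uid",
        "urn:oid:1.2.840.113549.1.9.1": "mail",
        "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    },
}
OID_MAP["to"] = {local: remote for remote, local in OID_MAP["fro"].items()}


class SamlResponseError(Exception):
    """Raised for a response the SP must not accept."""


def check_in_response_to(root, outstanding, now, allow_unsolicited=False, max_age=300):
    """Tie the Response to an AuthnRequest this SP issued, consuming that request.
    `outstanding` maps AuthnRequest IDs to issue time. allow_unsolicited is the
    sp_config knob quoted above: with it on, a response that carries no
    InResponseTo at all is accepted without any correlation.
    """
    req_id = root.get("InResponseTo")
    if req_id is None:
        if allow_unsolicited:
            return None
        raise SamlResponseError("unsolicited response: no InResponseTo")
    issued_at = outstanding.pop(req_id, None)  # consumed: a second copy is a replay
    if issued_at is None:
        raise SamlResponseError("InResponseTo %r matches no outstanding request" % req_id)
    if now - issued_at > max_age:
        raise SamlResponseError("AuthnRequest %r is older than %ds" % (req_id, max_age))
    return req_id


def extract_attributes(root, attribute_maps, allow_unknown_attributes=False):
    """Build the attribute/value dict ("ava") from the AttributeStatement.
    Attributes are renamed by the first map whose identifier equals their NameFormat
    and whose "fro" table lists their Name; unmapped ones are dropped unless
    allow_unknown_attributes keeps them under the IdP's Name (approximating pysaml2).
    """
    ava = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name, fmt = attr.get("Name"), attr.get("NameFormat")
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        local = next((m["fro"][name] for m in attribute_maps
                      if m["identifier"] == fmt and name in m["fro"]), None)
        if local is None:
            if not allow_unknown_attributes:
                continue
            local = name
        ava.setdefault(local, []).extend(values)
    return ava


def handle_saml_response(xml_text, outstanding, attribute_maps, now=None,
                         allow_unsolicited=False, allow_unknown_attributes=False):
    """Validate a Response whose signature was already verified and return its ava."""
    root = ET.fromstring(xml_text)
    now = time.time() if now is None else now
    check_in_response_to(root, outstanding, now, allow_unsolicited)
    ava = extract_attributes(root, attribute_maps, allow_unknown_attributes)
    if "uid" not in ava:  # the same check the reviewed handler makes
        raise SamlResponseError("uid not in SAML2 response")
    return ava


def outcome(xml_text, outstanding, attribute_maps, **kwargs):
    """Return the ava, or the rejection message, so both paths can be compared."""
    try:
        return handle_saml_response(xml_text, outstanding, attribute_maps, **kwargs)
    except SamlResponseError as e:
        return str(e)


def make_response(in_response_to, attributes):
    """Construct a minimal unsigned Response (test data, not captured from an IdP)."""
    attrs = "".join(
        '<saml:Attribute Name="%s" NameFormat="%s">%s</saml:Attribute>'
        % (name, fmt, "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v
                              for v in values))
        for name, fmt, values in attributes)
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0"%s>'
            '<saml:Assertion ID="_a1" Version="2.0"><saml:AttributeStatement>%s'
            '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], irt, attrs))


# Constructed samples mirroring the two AttributeStatements quoted in this thread.
OID_ATTRS = [("urn:oid:0.9.2342.19200300.100.1.1", URI_FORMAT, ["eva"]),
             ("urn:oid:1.2.840.113549.1.9.1", URI_FORMAT, ["eva@example.org"]),
             ("urn:oid:1.3.6.1.4.1.5923.1.1.1.1", URI_FORMAT, ["admin", "staff"])]
BASIC_UID_ATTRS = [("uid", BASIC_FORMAT, ["some_unique_user_id_from_my_system"])]
```

With allow_unsolicited on, nothing ties the response to a login the SP itself started, so the workaround above is worth investigating at the IdP side rather than leaving in place.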
@codecov

codecov bot commented Jun 26, 2019

Codecov Report

Merging #5422 into develop will decrease coverage by 1.14%.
The diff coverage is 31.7%.

@@             Coverage Diff             @@
##           develop    #5422      +/-   ##
===========================================
- Coverage    63.19%   62.05%   -1.15%     
===========================================
  Files          328      326       -2     
  Lines        35925    35699     -226     
  Branches      5908     5856      -52     
===========================================
- Hits         22703    22153     -550     
- Misses       11596    11968     +372     
+ Partials      1626     1578      -48

@codecov

codecov bot commented Jun 26, 2019

Codecov Report

Merging #5422 into develop will increase coverage by 0.02%.
The diff coverage is 34.28%.

@@             Coverage Diff             @@
##           develop    #5422      +/-   ##
===========================================
+ Coverage    63.15%   63.17%   +0.02%     
===========================================
  Files          328      328              
  Lines        35901    35929      +28     
  Branches      5914     5916       +2     
===========================================
+ Hits         22672    22697      +25     
- Misses       11604    11607       +3     
  Partials      1625     1625

@richvdh richvdh requested a review from a team June 26, 2019 23:44
@csett86

csett86 commented Jun 27, 2019

Retested with phpsimplesaml 1.17.2 and current riot-web 1.2.2, session handling works as expected. Thank you, @richvdh!

@menturion

menturion commented Jun 27, 2019

@csett86

It would be great if you could provide a blog post or a Gist of how to set up Matrix Synapse SAML with phpsimplesaml 1.17.2.

I think that this would be very helpful for many people.

@galexrt
Contributor

galexrt commented Jun 30, 2019

For people using Keycloak, I have published this blog post as a rough writeup of the steps: https://edenmal.moe/post/2019/Matrix-Synapse-SAML2-Login/

Member

@erikjohnston erikjohnston left a comment


Looks good apart from some of the exceptions.

synapse/handlers/saml_handler.py
outstanding=self._outstanding_requests_dict,
)
except Exception as e:
logger.warning("Exception parsing SAML2 response", exc_info=1)
Member


Logging a stack trace as a warning seems a bit odd, since it won't go to sentry.

raise CodeMessageException(400, "SAML2 response was not signed")

if "uid" not in saml2_auth.ava:
raise CodeMessageException(400, "uid not in SAML2 response")
Member


Why CodeMessageException and not SynapseError? It looks like CodeMessageException will still log a stack trace for json requests?

Member Author

@richvdh richvdh Jul 1, 2019


no idea. some crank wrote this back in 2018. (#4267)

@richvdh richvdh merged commit 6eecb6e into develop Jul 2, 2019
@menturion

menturion commented Jul 2, 2019

How can one update to a Release Candidate (e.g. Synapse 1.1.0rc1 -> SAML support) through pip?
"pip install -U matrix-synapse" prompts "Requirement already satisfied, skipping upgrade".
Is it possible to select a certain channel?

@richvdh
Member Author

richvdh commented Jul 2, 2019

@menturion: pip install --pre -U matrix-synapse, I believe. Beware that there are a couple of regressions in rc1 though. I suggest waiting for rc2.

@menturion

@richvdh

Many thanks(!), this worked.

@volvicoasis

For people using Keycloak, I have published this blog post as a rough writeup of the steps: https://edenmal.moe/post/2019/Matrix-Synapse-SAML2-Login/

Hey, thanks for your dev on synapse. I just finished implementing it with your blog, but am still facing this:
saml2.client_base - 720 - ERROR - POST-180 - XML parse error: Failed to verify signature

or with riot :
Unable to parse SAML2 response: Failed to verify signature

Just a question: how do you extract the pem from your keycloak?

@galexrt
Contributor

galexrt commented Jul 3, 2019

@volvicoasis Please use the comment section of the blog post instead of the PR for such questions. Thanks!


I have gone ahead and updated the post with instructions on how to extract the key and cert from the Keycloak Client, and fixed some issues around the Encrypt Assertions option configuration.

hawkowl added a commit that referenced this pull request Jul 5, 2019
Synapse 1.1.0 (2019-07-04)
==========================

As of v1.1.0, Synapse no longer supports Python 2, nor Postgres version 9.4.
See the [upgrade notes](UPGRADE.rst#upgrading-to-v110) for more details.

This release also deprecates the use of environment variables to configure the
docker image. See the [docker README](https://github.com/matrix-org/synapse/blob/release-v1.1.0/docker/README.md#legacy-dynamic-configuration-file-support)
for more details.

No changes since 1.1.0rc2.

Synapse 1.1.0rc2 (2019-07-03)
=============================

Bugfixes
--------

- Fix regression in 1.1rc1 where OPTIONS requests to the media repo would fail. ([\#5593](#5593))
- Removed the `SYNAPSE_SMTP_*` docker container environment variables. Using these environment variables prevented the docker container from starting in Synapse v1.0, even though they didn't actually allow any functionality anyway. ([\#5596](#5596))
- Fix a number of "Starting txn from sentinel context" warnings. ([\#5605](#5605))

Internal Changes
----------------

- Update github templates. ([\#5552](#5552))

Synapse 1.1.0rc1 (2019-07-02)
=============================

As of v1.1.0, Synapse no longer supports Python 2, nor Postgres version 9.4.
See the [upgrade notes](UPGRADE.rst#upgrading-to-v110) for more details.

Features
--------

- Added possibility to disable local password authentication. Contributed by Daniel Hoffend. ([\#5092](#5092))
- Add monthly active users to phonehome stats. ([\#5252](#5252))
- Allow expired user to trigger renewal email sending manually. ([\#5363](#5363))
- Statistics on forward extremities per room are now exposed via Prometheus. ([\#5384](#5384), [\#5458](#5458), [\#5461](#5461))
- Add --no-daemonize option to run synapse in the foreground, per issue #4130. Contributed by Soham Gumaste. ([\#5412](#5412), [\#5587](#5587))
- Fully support SAML2 authentication. Contributed by [Alexander Trost](https://github.com/galexrt) - thank you! ([\#5422](#5422))
- Allow server admins to define implementations of extra rules for allowing or denying incoming events. ([\#5440](#5440), [\#5474](#5474), [\#5477](#5477))
- Add support for handling pagination APIs on client reader worker. ([\#5505](#5505), [\#5513](#5513), [\#5531](#5531))
- Improve help and cmdline option names for --generate-config options. ([\#5512](#5512))
- Allow configuration of the path used for ACME account keys. ([\#5516](#5516), [\#5521](#5521), [\#5522](#5522))
- Add --data-dir and --open-private-ports options. ([\#5524](#5524))
- Split public rooms directory auth config in two settings, in order to manage client auth independently from the federation part of it. Obsoletes the "restrict_public_rooms_to_local_users" configuration setting. If "restrict_public_rooms_to_local_users" is set in the config, Synapse will act as if both new options are enabled, i.e. require authentication through the client API and deny federation requests. ([\#5534](#5534))
- The minimum TLS version used for outgoing federation requests can now be set with `federation_client_minimum_tls_version`. ([\#5550](#5550))
- Optimise devices changed query to not pull unnecessary rows from the database, reducing database load. ([\#5559](#5559))
- Add new metrics for number of forward extremities being persisted and number of state groups involved in resolution. ([\#5476](#5476))

Bugfixes
--------

- Fix bug processing incoming events over federation if call to `/get_missing_events` fails. ([\#5042](#5042))
- Prevent more than one room upgrade happening simultaneously on the same room. ([\#5051](#5051))
- Fix a bug where running synapse_port_db would cause the account validity feature to fail because it didn't set the type of the email_sent column to boolean. ([\#5325](#5325))
- Warn about disabling email-based password resets when a reset occurs, and remove warning when someone attempts a phone-based reset. ([\#5387](#5387))
- Fix email notifications for unnamed rooms with multiple people. ([\#5388](#5388))
- Fix exceptions in federation reader worker caused by attempting to renew attestations, which should only happen on master worker. ([\#5389](#5389))
- Fix handling of failures fetching remote content to not log failures as exceptions. ([\#5390](#5390))
- Fix a bug where deactivated users could receive renewal emails if the account validity feature is on. ([\#5394](#5394))
- Fix missing invite state after exchanging 3PID invites over federation. ([\#5464](#5464))
- Fix intermittent exceptions on Apple hardware. Also fix bug that caused database activity times to be under-reported in log lines. ([\#5498](#5498))
- Fix logging error when a tampered event is detected. ([\#5500](#5500))
- Fix bug where clients could tight loop calling `/sync` for a period. ([\#5507](#5507))
- Fix bug with `jinja2` preventing Synapse from starting. Users who had this problem should now simply need to run `pip install matrix-synapse`. ([\#5514](#5514))
- Fix a regression where homeservers on private IP addresses were incorrectly blacklisted. ([\#5523](#5523))
- Fixed m.login.jwt using unregistered user_id and added pyjwt>=1.6.4 as jwt conditional dependencies. Contributed by Pau Rodriguez-Estivill. ([\#5555](#5555), [\#5586](#5586))
- Fix a bug that would cause invited users to receive several emails for a single 3PID invite in case the inviter is rate limited. ([\#5576](#5576))

Updates to the Docker image
---------------------------
- Add ability to change Docker containers [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) with the `TZ` variable. ([\#5383](#5383))
- Update docker image to use Python 3.7. ([\#5546](#5546))
- Deprecate the use of environment variables for configuration, and make the use of a static configuration the default. ([\#5561](#5561), [\#5562](#5562), [\#5566](#5566), [\#5567](#5567))
- Increase default log level for docker image to INFO. It can still be changed by editing the generated log.config file. ([\#5547](#5547))
- Send synapse logs to the docker logging system, by default. ([\#5565](#5565))
- Open the non-TLS port by default. ([\#5568](#5568))
- Fix failure to start under docker with SAML support enabled. ([\#5490](#5490))
- Use a sensible location for data files when generating a config file. ([\#5563](#5563))

Deprecations and Removals
-------------------------

- Python 2.7 is no longer a supported platform. Synapse now requires Python 3.5+ to run. ([\#5425](#5425))
- PostgreSQL 9.4 is no longer supported. Synapse requires Postgres 9.5+ or above for Postgres support. ([\#5448](#5448))
- Remove support for cpu_affinity setting. ([\#5525](#5525))

Improved Documentation
----------------------
- Improve README section on performance troubleshooting. ([\#4276](#4276))
- Add information about how to install and run `black` on the codebase to code_style.rst. ([\#5537](#5537))
- Improve install docs on choosing server_name. ([\#5558](#5558))

Internal Changes
----------------

- Add logging to 3pid invite signature verification. ([\#5015](#5015))
- Update example haproxy config to a more compatible setup. ([\#5313](#5313))
- Track deactivated accounts in the database. ([\#5378](#5378), [\#5465](#5465), [\#5493](#5493))
- Clean up code for sending federation EDUs. ([\#5381](#5381))
- Add a sponsor button to the repo. ([\#5382](#5382), [\#5386](#5386))
- Don't log non-200 responses from federation queries as exceptions. ([\#5383](#5383))
- Update Python syntax in contrib/ to Python 3. ([\#5446](#5446))
- Update federation_client dev script to support `.well-known` and work with python3. ([\#5447](#5447))
- SyTest has been moved to Buildkite. ([\#5459](#5459))
- Demo script now uses python3. ([\#5460](#5460))
- Synapse can now handle RestServlets that return coroutines. ([\#5475](#5475), [\#5585](#5585))
- The demo servers talk to each other again. ([\#5478](#5478))
- Add an EXPERIMENTAL config option to try and periodically clean up extremities by sending dummy events. ([\#5480](#5480))
- Synapse's codebase is now formatted by `black`. ([\#5482](#5482))
- Some cleanups and sanity-checking in the CPU and database metrics. ([\#5499](#5499))
- Improve email notification logging. ([\#5502](#5502))
- Fix "Unexpected entry in 'full_schemas'" log warning. ([\#5509](#5509))
- Improve logging when generating config files. ([\#5510](#5510))
- Refactor and clean up Config parser for maintainability. ([\#5511](#5511))
- Make the config clearer in that email.template_dir is relative to the Synapse's root directory, not the `synapse/` folder within it. ([\#5543](#5543))
- Update v1.0.0 release changelog to include more information about changes to password resets. ([\#5545](#5545))
- Remove non-functioning check_event_hash.py dev script. ([\#5548](#5548))
- Synapse will now only allow TLS v1.2 connections when serving federation, if it terminates TLS. As Synapse's allowed ciphers were only able to be used in TLSv1.2 before, this does not change behaviour. ([\#5550](#5550))
- Logging when running GC collection on generation 0 is now at the DEBUG level, not INFO. ([\#5557](#5557))
- Reduce the amount of stuff we send in the docker context. ([\#5564](#5564))
- Point the reverse links in the Purge History contrib scripts at the intended location. ([\#5570](#5570))
@richvdh richvdh deleted the rav/saml2_client branch July 8, 2019 17:56
@volvicoasis

volvicoasis commented Jul 11, 2019

@galexrt Thank you for your update. Just to share my research with the synapse community: you must use alpine3.9 when you build synapse in a container.
=> my test below:
I used debug mode on sp_config, extracted the saml response and checked it with the xmlsec1 binary, and it failed...
Here you can see this bug on alpine: https://bugs.alpinelinux.org/issues/9110

```
bash-4.4# xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" test.xml
func=xmlSecCryptoDLLibraryCreate:file=dl.c:line=130:obj=unknown:subj=lt_dlopenext:error=7:io function failed:name="libxmlsec1-openssl"; errno=2
func=xmlSecCryptoDLGetLibraryFunctions:file=dl.c:line=436:obj=unknown:subj=xmlSecCryptoDLLibraryCreate:error=1:xmlsec library function failed:crypto=openssl
func=xmlSecCryptoDLLoadLibrary:file=dl.c:line=393:obj=unknown:subj=xmlSecCryptoDLGetLibraryFunctions:error=1:xmlsec library function failed:
Error: unable to load xmlsec-openssl library. Make sure that you have
this it installed, check shared libraries path (LD_LIBRARY_PATH)
envornment variable or use "--crypto" option to specify different
crypto engine.
Error: initialization failed
Usage: xmlsec [] []

xmlsec is a command line tool for signing, verifying, encrypting and
decrypting XML documents. The allowed values are:
--help display this help information and exit
--help-all display help information for all commands/options and exit
--help- display help information for command and exit
--version print version information and exit
--keys keys XML file manipulation
--sign sign data and output XML document
--verify verify signed document
--sign-tmpl create and sign dynamicaly generated signature template
--encrypt encrypt data and output XML document
--decrypt decrypt data from XML document

Report bugs to http://www.aleksey.com/xmlsec/bugs.html

Written by Aleksey Sanin aleksey@aleksey.com.

Copyright (C) 2002-2016 Aleksey Sanin aleksey@aleksey.com. All Rights Reserved..
This is free software: see the source for copying information.

func=xmlSecCryptoShutdown:file=app.c:line=65:obj=unknown:subj=unknown:error=9:feature is not implemented:details=cryptoShutdown
Error: xmlSecCryptoShutdown failed
Error: xmlsec crypto shutdown failed.
```

Voila, again thank you.

@menturion

menturion commented Jul 12, 2019

Is there a documentation of how to configure it inline?
I am getting a bunch of errors on homeserver startup when trying to configure a remote SP URL inline.

@eorlovsky

For people using Keycloak, I have published this blog post as a rough writeup of the steps: https://edenmal.moe/post/2019/Matrix-Synapse-SAML2-Login/

@galexrt Hi Alex, the link below is down. Could you please republish it? Thanks

@galexrt
Contributor

galexrt commented Jul 17, 2019

@eorlovsky Fixed. It is back online again.

hawkowl added a commit that referenced this pull request Jul 29, 2019
commit c2ca163
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Fri Jul 26 22:48:20 2019 +1000

    don't block

commit 8d9a56e
Merge: b50d8a9 4a5fb54
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Fri Jul 26 21:35:42 2019 +1000

    Merge branch 'shhs' of ssh://github.com/matrix-org/synapse into shhs

commit 4a5fb54
Merge: 95a0386 992333b
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Fri Jul 26 20:59:41 2019 +1000

    Merge tag 'v1.2.1' into shhs

    Synapse 1.2.1 (2019-07-26)
    ==========================

    Security update
    ---------------

    This release includes *four* security fixes:

    - Prevent an attack where a federated server could send redactions for arbitrary events in v1 and v2 rooms. ([\#5767](#5767))
    - Prevent a denial-of-service attack where cycles of redaction events would make Synapse spin infinitely. Thanks to `@lrizika:matrix.org` for identifying and responsibly disclosing this issue. ([0f2ecb9](0f2ecb961))
    - Prevent an attack where users could be joined or parted from public rooms without their consent. Thanks to @dylanger for identifying and responsibly disclosing this issue. ([\#5744](#5744))
    - Fix a vulnerability where a federated server could spoof read-receipts from
      users on other servers. Thanks to @dylanger for identifying this issue too. ([\#5743](#5743))

    Additionally, the following fix was in Synapse **1.2.0**, but was not correctly
    identified during the original release:

    - It was possible for a room moderator to send a redaction for an `m.room.create` event, which would downgrade the room to version 1. Thanks to `/dev/ponies` for identifying and responsibly disclosing this issue! ([\#5701](#5701))

commit 95a0386
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Fri Jul 26 20:27:31 2019 +1000

    don't have a circleci config

commit b50d8a9
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Fri Jul 26 02:26:23 2019 +1000

    fix merging forward

commit 3edf6e9
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Fri Jul 26 02:07:05 2019 +1000

    fix this

commit f61cdc1
Merge: 43cf234 c0a1301
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Fri Jul 26 01:48:50 2019 +1000

    Merge tag 'v1.2.0' into shhs

    No changes since v1.2.0rc2.

commit 43cf234
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Fri Jul 26 01:48:20 2019 +1000

    dockerfile update

commit b7962f5
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Thu Jul 18 23:23:12 2019 +1000

    add a wait

commit 9bbf2d2
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Wed Jul 17 04:46:20 2019 +1000

    fix

commit 5daee2e
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Wed Jul 17 04:41:00 2019 +1000

    fix

commit 14c8b03
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Wed Jul 17 04:36:27 2019 +1000

    fix

commit 7fcd6c1
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Wed Jul 17 04:32:50 2019 +1000

    fix

commit c43c1ad
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Wed Jul 17 04:28:11 2019 +1000

    fix

commit a025abe
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Wed Jul 17 04:02:15 2019 +1000

    try now

commit c1777f5
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Wed Jul 17 04:00:34 2019 +1000

    try now

commit 646292c
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Wed Jul 17 03:58:34 2019 +1000

    see if we can do a build!

commit a175e60
Merge: 9b3a63e 0e54342
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Fri Jul 5 23:49:13 2019 +1000

    Merge remote-tracking branch 'origin/develop' into shhs

commit 9b3a63e
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Fri Jul 5 23:36:41 2019 +1000

    linting

commit 3d89feb
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Fri Jul 5 23:34:24 2019 +1000

    linting

commit 400bc06
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Fri Jul 5 22:44:22 2019 +1000

    linting

commit a1de642
Merge: f4343c7 54283f3
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Fri Jul 5 19:46:11 2019 +1000

    Merge tag 'v1.1.0' into shhs

    Synapse 1.1.0 (2019-07-04)
    ==========================

    As of v1.1.0, Synapse no longer supports Python 2, nor Postgres version 9.4.
    See the [upgrade notes](UPGRADE.rst#upgrading-to-v110) for more details.

    This release also deprecates the use of environment variables to configure the
    docker image. See the [docker README](https://github.com/matrix-org/synapse/blob/release-v1.1.0/docker/README.md#legacy-dynamic-configuration-file-support)
    for more details.

    No changes since 1.1.0rc2.

    Synapse 1.1.0rc2 (2019-07-03)
    =============================

    Bugfixes
    --------

    - Fix regression in 1.1rc1 where OPTIONS requests to the media repo would fail. ([\#5593](#5593))
    - Removed the `SYNAPSE_SMTP_*` docker container environment variables. Using these environment variables prevented the docker container from starting in Synapse v1.0, even though they didn't actually allow any functionality anyway. ([\#5596](#5596))
    - Fix a number of "Starting txn from sentinel context" warnings. ([\#5605](#5605))

    Internal Changes
    ----------------

    - Update github templates. ([\#5552](#5552))

    Synapse 1.1.0rc1 (2019-07-02)
    =============================

    As of v1.1.0, Synapse no longer supports Python 2, nor Postgres version 9.4.
    See the [upgrade notes](UPGRADE.rst#upgrading-to-v110) for more details.

    Features
    --------

    - Added possibilty to disable local password authentication. Contributed by Daniel Hoffend. ([\#5092](#5092))
    - Add monthly active users to phonehome stats. ([\#5252](#5252))
    - Allow expired user to trigger renewal email sending manually. ([\#5363](#5363))
    - Statistics on forward extremities per room are now exposed via Prometheus. ([\#5384](#5384), [\#5458](#5458), [\#5461](#5461))
    - Add --no-daemonize option to run synapse in the foreground, per issue #4130. Contributed by Soham Gumaste. ([\#5412](#5412), [\#5587](#5587))
    - Fully support SAML2 authentication. Contributed by [Alexander Trost](https://github.com/galexrt) - thank you! ([\#5422](#5422))
    - Allow server admins to define implementations of extra rules for allowing or denying incoming events. ([\#5440](#5440), [\#5474](#5474), [\#5477](#5477))
    - Add support for handling pagination APIs on client reader worker. ([\#5505](#5505), [\#5513](#5513), [\#5531](#5531))
    - Improve help and cmdline option names for --generate-config options. ([\#5512](#5512))
    - Allow configuration of the path used for ACME account keys. ([\#5516](#5516), [\#5521](#5521), [\#5522](#5522))
    - Add --data-dir and --open-private-ports options. ([\#5524](#5524))
    - Split public rooms directory auth config in two settings, in order to manage client auth independently from the federation part of it. Obsoletes the "restrict_public_rooms_to_local_users" configuration setting. If "restrict_public_rooms_to_local_users" is set in the config, Synapse will act as if both new options are enabled, i.e. require authentication through the client API and deny federation requests. ([\#5534](#5534))
    - The minimum TLS version used for outgoing federation requests can now be set with `federation_client_minimum_tls_version`. ([\#5550](#5550))
    - Optimise devices changed query to not pull unnecessary rows from the database, reducing database load. ([\#5559](#5559))
    - Add new metrics for number of forward extremities being persisted and number of state groups involved in resolution. ([\#5476](#5476))

    Bugfixes
    --------

    - Fix bug processing incoming events over federation if call to `/get_missing_events` fails. ([\#5042](#5042))
    - Prevent more than one room upgrade happening simultaneously on the same room. ([\#5051](#5051))
    - Fix a bug where running synapse_port_db would cause the account validity feature to fail because it didn't set the type of the email_sent column to boolean. ([\#5325](#5325))
    - Warn about disabling email-based password resets when a reset occurs, and remove warning when someone attempts a phone-based reset. ([\#5387](#5387))
    - Fix email notifications for unnamed rooms with multiple people. ([\#5388](#5388))
    - Fix exceptions in federation reader worker caused by attempting to renew attestations, which should only happen on master worker. ([\#5389](#5389))
    - Fix handling of failures fetching remote content to not log failures as exceptions. ([\#5390](#5390))
    - Fix a bug where deactivated users could receive renewal emails if the account validity feature is on. ([\#5394](#5394))
    - Fix missing invite state after exchanging 3PID invites over federation. ([\#5464](#5464))
    - Fix intermittent exceptions on Apple hardware. Also fix bug that caused database activity times to be under-reported in log lines. ([\#5498](#5498))
    - Fix logging error when a tampered event is detected. ([\#5500](#5500))
    - Fix bug where clients could tight loop calling `/sync` for a period. ([\#5507](#5507))
    - Fix bug with `jinja2` preventing Synapse from starting. Users who had this problem should now simply need to run `pip install matrix-synapse`. ([\#5514](#5514))
    - Fix a regression where homeservers on private IP addresses were incorrectly blacklisted. ([\#5523](#5523))
    - Fixed m.login.jwt using unregistered user_id and added pyjwt>=1.6.4 as a jwt conditional dependency. Contributed by Pau Rodriguez-Estivill. ([\#5555](#5555), [\#5586](#5586))
    - Fix a bug that would cause invited users to receive several emails for a single 3PID invite in case the inviter is rate limited. ([\#5576](#5576))

    Updates to the Docker image
    ---------------------------
    - Add ability to change Docker containers [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) with the `TZ` variable. ([\#5383](#5383))
    - Update docker image to use Python 3.7. ([\#5546](#5546))
    - Deprecate the use of environment variables for configuration, and make the use of a static configuration the default. ([\#5561](#5561), [\#5562](#5562), [\#5566](#5566), [\#5567](#5567))
    - Increase default log level for docker image to INFO. It can still be changed by editing the generated log.config file. ([\#5547](#5547))
    - Send synapse logs to the docker logging system, by default. ([\#5565](#5565))
    - Open the non-TLS port by default. ([\#5568](#5568))
    - Fix failure to start under docker with SAML support enabled. ([\#5490](#5490))
    - Use a sensible location for data files when generating a config file. ([\#5563](#5563))

    Deprecations and Removals
    -------------------------

    - Python 2.7 is no longer a supported platform. Synapse now requires Python 3.5+ to run. ([\#5425](#5425))
    - PostgreSQL 9.4 is no longer supported. Synapse requires Postgres 9.5+ or above for Postgres support. ([\#5448](#5448))
    - Remove support for cpu_affinity setting. ([\#5525](#5525))

    Improved Documentation
    ----------------------
    - Improve README section on performance troubleshooting. ([\#4276](#4276))
    - Add information about how to install and run `black` on the codebase to code_style.rst. ([\#5537](#5537))
    - Improve install docs on choosing server_name. ([\#5558](#5558))

    Internal Changes
    ----------------

    - Add logging to 3pid invite signature verification. ([\#5015](#5015))
    - Update example haproxy config to a more compatible setup. ([\#5313](#5313))
    - Track deactivated accounts in the database. ([\#5378](#5378), [\#5465](#5465), [\#5493](#5493))
    - Clean up code for sending federation EDUs. ([\#5381](#5381))
    - Add a sponsor button to the repo. ([\#5382](#5382), [\#5386](#5386))
    - Don't log non-200 responses from federation queries as exceptions. ([\#5383](#5383))
    - Update Python syntax in contrib/ to Python 3. ([\#5446](#5446))
    - Update federation_client dev script to support `.well-known` and work with python3. ([\#5447](#5447))
    - SyTest has been moved to Buildkite. ([\#5459](#5459))
    - Demo script now uses python3. ([\#5460](#5460))
    - Synapse can now handle RestServlets that return coroutines. ([\#5475](#5475), [\#5585](#5585))
    - The demo servers talk to each other again. ([\#5478](#5478))
    - Add an EXPERIMENTAL config option to try and periodically clean up extremities by sending dummy events. ([\#5480](#5480))
    - Synapse's codebase is now formatted by `black`. ([\#5482](#5482))
    - Some cleanups and sanity-checking in the CPU and database metrics. ([\#5499](#5499))
    - Improve email notification logging. ([\#5502](#5502))
    - Fix "Unexpected entry in 'full_schemas'" log warning. ([\#5509](#5509))
    - Improve logging when generating config files. ([\#5510](#5510))
    - Refactor and clean up Config parser for maintainability. ([\#5511](#5511))
    - Make the config clearer in that email.template_dir is relative to the Synapse's root directory, not the `synapse/` folder within it. ([\#5543](#5543))
    - Update v1.0.0 release changelog to include more information about changes to password resets. ([\#5545](#5545))
    - Remove non-functioning check_event_hash.py dev script. ([\#5548](#5548))
    - Synapse will now only allow TLS v1.2 connections when serving federation, if it terminates TLS. As Synapse's allowed ciphers were only able to be used in TLSv1.2 before, this does not change behaviour. ([\#5550](#5550))
    - Logging when running GC collection on generation 0 is now at the DEBUG level, not INFO. ([\#5557](#5557))
    - Reduce the amount of stuff we send in the docker context. ([\#5564](#5564))
    - Point the reverse links in the Purge History contrib scripts at the intended location. ([\#5570](#5570))

commit f4343c7
Merge: 4689408 463d5a8
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Wed Jul 3 22:39:30 2019 +1000

    Merge remote-tracking branch 'origin/develop' into shhs

commit 4689408
Merge: bed45ab b491468
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Tue Jul 2 18:31:29 2019 +1000

    Merge remote-tracking branch 'origin/develop' into shhs

commit bed45ab
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Tue Jul 2 18:18:09 2019 +1000

    release shhs on tags

commit 0993b05
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Mon Jul 1 23:13:21 2019 +1000

    improve error text when room is too large

commit e001115
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Tue Jun 18 21:24:56 2019 +1000

    fix

commit e60aab1
Merge: e7c1171 82d9d52
Author: Amber H. Brown <hawkowl@atleastfornow.net>
Date:   Tue Jun 18 21:20:13 2019 +1000

    Merge remote-tracking branch 'origin/develop' into shhs

commit e7c1171
Merge: 8fe26db c831748
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Tue Jun 4 20:41:59 2019 +1000

    Merge remote-tracking branch 'origin/master' into shhs

commit 8fe26db
Merge: c99c105 4a30e4a
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Tue May 21 14:30:47 2019 -0500

    Merge remote-tracking branch 'origin/develop' into HEAD

commit c99c105
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Mon May 20 17:01:50 2019 -0500

    SHHS - Room Join Complexity (#5072)

commit d142e51
Merge: d424ba9 24b93b9
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Mon May 20 15:43:08 2019 -0500

    Merge remote-tracking branch 'origin/develop' into shhs

commit d424ba9
Merge: a1b8767 f1e5b41
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Wed May 15 23:30:22 2019 -0500

    Merge remote-tracking branch 'origin/develop' into shhs

commit a1b8767
Merge: faee1e9 df2ebd7
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Mon May 13 15:01:58 2019 -0500

    Merge remote-tracking branch 'origin/develop' into shhs

commit faee1e9
Merge: 12875f9 d216a36
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Wed May 8 16:29:45 2019 -0500

    Merge remote-tracking branch 'origin/develop' into shhs

commit 12875f9
Merge: ed38141 c1799b0
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Wed May 1 10:55:14 2019 -0400

    Merge remote-tracking branch 'origin/develop' into shhs

commit ed38141
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Mon Apr 29 20:57:42 2019 +1000

    target better for the shhs release docker hub, pt 3

commit bd5f624
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Mon Apr 29 20:43:17 2019 +1000

    target better for the shhs release docker hub, pt 2

commit c0f57ca
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Mon Apr 29 20:36:35 2019 +1000

    target better for the shhs release docker hub

commit 1d5cf66
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Mon Apr 29 20:33:36 2019 +1000

    no media repo == no path checks

commit 25256f9
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Mon Apr 29 20:30:55 2019 +1000

    release shhs as a release

commit a32aa2c
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Mon Apr 29 20:28:40 2019 +1000

    patch up docker

commit cbc866a
Author: Amber Brown <hawkowl@atleastfornow.net>
Date:   Fri Apr 26 01:40:01 2019 +1000

    Remove Python 2 from the SHHS branch CI (#5099)

@vsatmydynipnet

Is there any simplesamlphp config sample?
My IdP is simplesamlphp 1.17.6 using the WordPress database. phpBB is already added as an SP.
I set up a new Synapse server and want to get this going. Users should be able to log in, but if the IdP does not allow the login they should fail until the account is re-enabled.

anoadragon453 added a commit that referenced this pull request Feb 14, 2020