Sanity check identity server passed to bind/unbind. #9802
Conversation
Signed-off-by: Denis Kasak <dkasak@termina.org.uk>
synapse/handlers/identity.py
Outdated
| try: | ||
| parse_and_validate_server_name(id_server) | ||
| except ValueError: | ||
| raise SynapseError(400, "id_server must be a valid Matrix server name") |
There was a problem hiding this comment.
it's not (necessarily) supposed to be a valid Matrix server name.
Identity servers don't use the matrix server-name resolution algorithm (fully specced at https://matrix.org/docs/spec/server_server/r0.1.4#resolving-server-names): rather they just go straight into an https url.
so I think "what is valid here" is "what is valid in the 'authority' part of an HTTPS URL", which I think is defined by RFC3986 ?
It's also not entirely clear to me that the IS API must be exposed at the root of the path hierarchy (I don't think this is mandated anywhere in the spec), so maybe id_server should be allowed to include / components?
There was a problem hiding this comment.
Uh, sorry, I missed this. My email rules still need a bit of tweaking, it seems.
Identity servers don't use the matrix server-name resolution algorithm (fully specced at https://matrix.org/docs/spec/server_server/r0.1.4#resolving-server-names): rather they just go straight into an https url.
Ah, I missed this. I did check the C-S API spec and the "hostname plus optional port" language made me think of the Matrix server name algorithm. The language used in the spec seems inconsistent/colourful enough, so this now looks to me as a bit of a spec bug:
The identity server to unbind all of the user's 3PIDs from.
The hostname+port of the identity server which should be used for third party identifier lookups.
The hostname of the identity server to communicate with. May optionally include a port.
The identity server to use.
url of identity server authed with, e.g. 'matrix.org:8090'
It's also not entirely clear to me that the IS API must be exposed at the root of the path hierarchy (I don't think this is mandated anywhere in the spec), so maybe id_server should be allowed to include / components?
Per the above, only one place mentions the word "url" (which wouldn't work if followed literally), but then proceeds to give a hostname+port example. In other places, the wording seems to flat out disallow using a hostname + path components hybrid. I also don't see this added flexibility as being too useful practically, but maybe I'm missing some scenarios?
so I think "what is valid here" is "what is valid in the 'authority' part of an HTTPS URL", which I think is defined by RFC3986 ?
The differences of RFC3986's authority rules from the Matrix server algorithm seem very exotic:
- Allowing the optional
userinfo "@"part (which seems non-sensical in this context) - Allowing percent-encoded characters
- Allowing
sub-delims: "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
I'm wondering whether the best course of action here would be to change the spec to mandate a Matrix server name here, since it seems it is overwhelmingly likely that this is what everyone running an IS is doing.
There was a problem hiding this comment.
I checked and passing either the userinfo, percent-encoded chars or the chars from sub-delims fails shortly afterwards, with either twisted or treq complaining that it isn't a valid hostname. So it seems like the remaining question is whether a root path should be allowed.
Given the existing wording of the spec, it seems unlikely to me that anyone is using that. The spec should be clarified in either case.
There was a problem hiding this comment.
The language used in the spec seems inconsistent/colourful enough, so this now looks to me as a bit of a spec bug:
The spec may be unclear, but synapse has always been very clear that we do not use the matrix federation routing algorithm for ISes. For example, if no explicit port is given, we use port 443 (federation uses 8448). Since Synapse has done this forever, that behaviour is de-facto part of the spec, even if the actual words of the spec don't make that clear.
In other places, the wording seems to flat out disallow using a hostname + path components hybrid.
Could you cite any specific examples?
I also don't see this added flexibility as being too useful practically, but maybe I'm missing some scenarios?
It's just that sometimes it's easier to deploy things at a sub-path. There are parallels to the ongoing debate about pusher URLs; we've even heard of people setting up Synapse's C-S API at a subpath (#9574).
I'm on the fence about this, tbh. I could go either way. We should make a decision and then be explicit about it, though.
I'm wondering whether the best course of action here would be to change the spec to mandate a Matrix server name here, since it seems it is overwhelmingly likely that this is what everyone running an IS is doing.
I wouldn't have any particular objection to defining a grammar for IS names which happens to be the same as the grammar for Matrix server_names - as you say the current differences are minor. However, I would oppose the use of any phrasing like "must be a valid Matrix server name", because server_names bring with them the implication of using the "Resolving server names" algorithm - which, as above, is not what happens.
There was a problem hiding this comment.
Could you cite any specific examples?
My reading of e.g. https://matrix.org/docs/spec/client_server/r0.6.1#post-matrix-client-r0-account-password-email-requesttoken, which says the following for the id_server parameter
The hostname of the identity server to communicate with. May optionally include a port.
Is that it doesn't allow a path.
I'm on the fence about this, tbh. I could go either way. We should make a decision and then be explicit about it, though.
Agreed. Since this used to allow specifying a root path, I'm going to change the PR so that it doesn't forbid it. Once a decision has been made, we can easily make it stricter again.
I wouldn't have any particular objection to defining a grammar for IS names which happens to be the same as the grammar for Matrix server_names - as you say the current differences are minor. However, I would oppose the use of any phrasing like "must be a valid Matrix server name", because server_names bring with them the implication of using the "Resolving server names" algorithm - which, as above, is not what happens.
Gotcha. I pushed a new commit which does away with this wording (but still uses the parse_and_validate_server_name function internally to enforce the same rules).
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Synapse 1.33.0rc1 (2021-04-28) ============================== Features -------- - Update experimental support for [MSC3083](matrix-org/matrix-spec-proposals#3083): restricting room access via group membership. ([\#9800](#9800), [\#9814](#9814)) - Add experimental support for handling presence on a worker. ([\#9819](#9819), [\#9820](#9820), [\#9828](#9828), [\#9850](#9850)) - Return a new template when an user attempts to renew their account multiple times with the same token, stating that their account is set to expire. This replaces the invalid token template that would previously be shown in this case. This change concerns the optional account validity feature. ([\#9832](#9832)) Bugfixes -------- - Fixes the OIDC SSO flow when using a `public_baseurl` value including a non-root URL path. ([\#9726](#9726)) - Fix thumbnail generation for some sites with non-standard content types. Contributed by @rkfg. ([\#9788](#9788)) - Add some sanity checks to identity server passed to 3PID bind/unbind endpoints. ([\#9802](#9802)) - Limit the size of HTTP responses read over federation. ([\#9833](#9833)) - Fix a bug which could cause Synapse to get stuck in a loop of resyncing device lists. ([\#9867](#9867)) - Fix a long-standing bug where errors from federation did not propagate to the client. ([\#9868](#9868)) Improved Documentation ---------------------- - Add a note to the docker docs mentioning that we mirror upstream's supported Docker platforms. ([\#9801](#9801)) Internal Changes ---------------- - Add a dockerfile for running Synapse in worker-mode under Complement. ([\#9162](#9162)) - Apply `pyupgrade` across the codebase. ([\#9786](#9786)) - Move some replication processing out of `generic_worker`. ([\#9796](#9796)) - Replace `HomeServer.get_config()` with inline references. ([\#9815](#9815)) - Rename some handlers and config modules to not duplicate the top-level module. ([\#9816](#9816)) - Fix a long-standing bug which caused `max_upload_size` to not be correctly enforced. ([\#9817](#9817)) - Reduce CPU usage of the user directory by reusing existing calculated room membership. ([\#9821](#9821)) - Small speed up for joining large remote rooms. ([\#9825](#9825)) - Introduce flake8-bugbear to the test suite and fix some of its lint violations. ([\#9838](#9838)) - Only store the raw data in the in-memory caches, rather than objects that include references to e.g. the data stores. ([\#9845](#9845)) - Limit length of accepted email addresses. ([\#9855](#9855)) - Remove redundant `synapse.types.Collection` type definition. ([\#9856](#9856)) - Handle recently added rate limits correctly when using `--no-rate-limit` with the demo scripts. ([\#9858](#9858)) - Disable invite rate-limiting by default when running the unit tests. ([\#9871](#9871)) - Pass a reactor into `SynapseSite` to make testing easier. ([\#9874](#9874)) - Make `DomainSpecificString` an `attrs` class. ([\#9875](#9875)) - Add type hints to `synapse.api.auth` and `synapse.api.auth_blocking` modules. ([\#9876](#9876)) - Remove redundant `_PushHTTPChannel` test class. ([\#9878](#9878)) - Remove backwards-compatibility code for Python versions < 3.6. ([\#9879](#9879)) - Small performance improvement around handling new local presence updates. ([\#9887](#9887))
Synapse 1.33.0 (2021-05-05) =========================== Features -------- - Build Debian packages for Ubuntu 21.04 (Hirsute Hippo). ([\#9909](matrix-org/synapse#9909)) Synapse 1.33.0rc2 (2021-04-29) ============================== Bugfixes -------- - Fix tight loop when handling presence replication when using workers. Introduced in v1.33.0rc1. ([\#9900](matrix-org/synapse#9900)) Synapse 1.33.0rc1 (2021-04-28) ============================== Features -------- - Update experimental support for [MSC3083](matrix-org/matrix-spec-proposals#3083): restricting room access via group membership. ([\#9800](matrix-org/synapse#9800), [\#9814](matrix-org/synapse#9814)) - Add experimental support for handling presence on a worker. ([\#9819](matrix-org/synapse#9819), [\#9820](matrix-org/synapse#9820), [\#9828](matrix-org/synapse#9828), [\#9850](matrix-org/synapse#9850)) - Return a new template when an user attempts to renew their account multiple times with the same token, stating that their account is set to expire. This replaces the invalid token template that would previously be shown in this case. This change concerns the optional account validity feature. ([\#9832](matrix-org/synapse#9832)) Bugfixes -------- - Fixes the OIDC SSO flow when using a `public_baseurl` value including a non-root URL path. ([\#9726](matrix-org/synapse#9726)) - Fix thumbnail generation for some sites with non-standard content types. Contributed by @rkfg. ([\#9788](matrix-org/synapse#9788)) - Add some sanity checks to identity server passed to 3PID bind/unbind endpoints. ([\#9802](matrix-org/synapse#9802)) - Limit the size of HTTP responses read over federation. ([\#9833](matrix-org/synapse#9833)) - Fix a bug which could cause Synapse to get stuck in a loop of resyncing device lists. ([\#9867](matrix-org/synapse#9867)) - Fix a long-standing bug where errors from federation did not propagate to the client. ([\#9868](matrix-org/synapse#9868)) Improved Documentation ---------------------- - Add a note to the docker docs mentioning that we mirror upstream's supported Docker platforms. ([\#9801](matrix-org/synapse#9801)) Internal Changes ---------------- - Add a dockerfile for running Synapse in worker-mode under Complement. ([\#9162](matrix-org/synapse#9162)) - Apply `pyupgrade` across the codebase. ([\#9786](matrix-org/synapse#9786)) - Move some replication processing out of `generic_worker`. ([\#9796](matrix-org/synapse#9796)) - Replace `HomeServer.get_config()` with inline references. ([\#9815](matrix-org/synapse#9815)) - Rename some handlers and config modules to not duplicate the top-level module. ([\#9816](matrix-org/synapse#9816)) - Fix a long-standing bug which caused `max_upload_size` to not be correctly enforced. ([\#9817](matrix-org/synapse#9817)) - Reduce CPU usage of the user directory by reusing existing calculated room membership. ([\#9821](matrix-org/synapse#9821)) - Small speed up for joining large remote rooms. ([\#9825](matrix-org/synapse#9825)) - Introduce flake8-bugbear to the test suite and fix some of its lint violations. ([\#9838](matrix-org/synapse#9838)) - Only store the raw data in the in-memory caches, rather than objects that include references to e.g. the data stores. ([\#9845](matrix-org/synapse#9845)) - Limit length of accepted email addresses. ([\#9855](matrix-org/synapse#9855)) - Remove redundant `synapse.types.Collection` type definition. ([\#9856](matrix-org/synapse#9856)) - Handle recently added rate limits correctly when using `--no-rate-limit` with the demo scripts. ([\#9858](matrix-org/synapse#9858)) - Disable invite rate-limiting by default when running the unit tests. ([\#9871](matrix-org/synapse#9871)) - Pass a reactor into `SynapseSite` to make testing easier. ([\#9874](matrix-org/synapse#9874)) - Make `DomainSpecificString` an `attrs` class. ([\#9875](matrix-org/synapse#9875)) - Add type hints to `synapse.api.auth` and `synapse.api.auth_blocking` modules. ([\#9876](matrix-org/synapse#9876)) - Remove redundant `_PushHTTPChannel` test class. ([\#9878](matrix-org/synapse#9878)) - Remove backwards-compatibility code for Python versions < 3.6. ([\#9879](matrix-org/synapse#9879)) - Small performance improvement around handling new local presence updates. ([\#9887](matrix-org/synapse#9887))
Signed-off-by: Denis Kasak dkasak@termina.org.uk
Pull Request Checklist
EventStoretoEventWorkerStore.".code blocks.