Merge branch 'anoa/reg_email' into anoa/reg_email_account_threepid_de…

…legate * anoa/reg_email: Remove trusted_third_party_id_servers functionality (#5875)
matrix-org · Aug 19, 2019 · e65faf5 · e65faf5
2 parents cfe7309 + 8a3175f
commit e65faf5
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 27 deletions.
diff --git a/changelog.d/5875.misc b/changelog.d/5875.misc
@@ -0,0 +1 @@
+Deprecate the `trusted_third_party_id_servers` option.
diff --git a/contrib/cmdclient/console.py b/contrib/cmdclient/console.py
@@ -37,6 +37,8 @@
 
 CONFIG_JSON = "cmdclient_config.json"
 
+# TODO: The concept of trusted identity servers has been deprecated. This option and checks
+#  should be removed
 TRUSTED_ID_SERVERS = ["localhost:8001"]
 
 

diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
@@ -890,6 +890,14 @@ uploads_path: "DATADIR/uploads"
 # Also defines the ID server which will be called when an account is
 # deactivated (one will be picked arbitrarily).
 #
+# Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity
+# server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a
+# background migration script, informing itself that the identity server all of its
+# 3PIDs have been bound to is likely one of the below.
+#
+# As of Synapse v1.4.0, all other functionality of this option has been deprecated, and
+# it is now solely used for the purposes of the background migration script, and can be
+# removed once it has run.
 #trusted_third_party_id_servers:
 #  - matrix.org
 #  - vector.im

diff --git a/synapse/config/registration.py b/synapse/config/registration.py
@@ -258,6 +258,14 @@ def generate_config_section(self, generate_secrets=False, **kwargs):
         # Also defines the ID server which will be called when an account is
         # deactivated (one will be picked arbitrarily).
         #
+        # Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity
+        # server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a
+        # background migration script, informing itself that the identity server all of its
+        # 3PIDs have been bound to is likely one of the below.
+        #
+        # As of Synapse v1.4.0, all other functionality of this option has been deprecated, and
+        # it is now solely used for the purposes of the background migration script, and can be
+        # removed once it has run.
         #trusted_third_party_id_servers:
         #  - matrix.org
         #  - vector.im

diff --git a/synapse/handlers/identity.py b/synapse/handlers/identity.py
@@ -37,25 +37,6 @@ def __init__(self, hs):
         self.http_client = hs.get_simple_http_client()
         self.federation_http_client = hs.get_http_client()
 
-        self.trusted_id_servers = set(hs.config.trusted_third_party_id_servers)
-        self.trust_any_id_server_just_for_testing_do_not_use = (
-            hs.config.use_insecure_ssl_client_just_for_testing_do_not_use
-        )
-
-    def _should_trust_id_server(self, id_server):
-        if id_server not in self.trusted_id_servers:
-            if self.trust_any_id_server_just_for_testing_do_not_use:
-                logger.warn(
-                    "Trusting untrustworthy ID server %r even though it isn't"
-                    " in the trusted id list for testing because"
-                    " 'use_insecure_ssl_client_just_for_testing_do_not_use'"
-                    " is set in the config",
-                    id_server,
-                )
-            else:
-                return False
-        return True
-
     @defer.inlineCallbacks
     def threepid_from_creds(self, creds):
         if "id_server" in creds:
@@ -72,13 +53,6 @@ def threepid_from_creds(self, creds):
         else:
             raise SynapseError(400, "No client_secret in creds")
 
-        if not self._should_trust_id_server(id_server):
-            logger.warn(
-                "%s is not a trusted ID server: rejecting 3pid " + "credentials",
-                id_server,
-            )
-            return None
-
         try:
             data = yield self.http_client.get_json(
                 "https://%s%s"
@@ -222,7 +196,9 @@ def try_unbind_threepid_with_id_server(self, mxid, threepid, id_server):
         return changed
 
     @defer.inlineCallbacks
-    def requestEmailToken(self, email, client_secret, send_attempt, next_link=None, **kwargs):
+    def requestEmailToken(
+        self, email, client_secret, send_attempt, next_link=None, **kwargs
+    ):
         """
         Request an external server send an email on our behalf for the purposes of threepid
         validation.