Allow SAML username provider plugins #6411

Merged
merged 37 commits into from Dec 10, 2019
Conversation

anoadragon453 commented Nov 25, 2019

Fixes: #6477

Allows the ability for an external python module to handle the mapping between a SAML auth response attribute to the localpart of a new mxid.

Done so we don't have to keep adding options to Synapse for tiny regex changes :)

If a module is provided, Synapse will use its implementation of mxid_source_to_mxid_localpart (a new method that was split out of SamlHandler._map_saml_response_to_user). Otherwise it'll use the built-in one.

The config option saml_config.mxid_source_attribute determines which attribute to pull out of the SAML response object for creating the mxid, then whatever the value of that is handed to mxid_source_to_mxid_localpart to get the mxid localpart. If a user with the generated mxid already exists, mxid_source_to_mxid_localpart will be run again but with the failures argument incremented. This will continue until Synapse will eventually give up after 1000 failures to generate an mxid.

@anoadragon453 anoadragon453 requested a review from matrix-org/synapse-core Nov 25, 2019
@anoadragon453 anoadragon453 self-assigned this Nov 25, 2019
@anoadragon453 anoadragon453 added this to In progress in Homeserver Task Board via automation Nov 25, 2019
@anoadragon453 anoadragon453 moved this from In progress to Review in Homeserver Task Board Nov 25, 2019
richvdh left a comment

/me grumbles at github for eating my first attempt at this comment

Looks like a great start! A few nits above. More generally though:

We need a way to map the displayName. I suggest the mapper return a dict (which will allow for easier addition of new features in the future: avatar url anyone?)

The day is probably not far off where the mapping for mxid and displayName will require more than a single saml attribute. Easier to pass the entire saml2_auth object into the module (and then the lookups from _mxid_source_attr (?) and displayName can move into the default mapper).

anoadragon453 and others added 17 commits Nov 27, 2019
@anoadragon453 anoadragon453 force-pushed the anoa/saml_username_provider branch 2 times, most recently from 6be2f08 to 169d369 Nov 28, 2019
anoadragon453 commented Nov 28, 2019

Ok! The plugin now gets the auth response, returns a dict that we pull from. You can provide it a custom config. And there's documentation to boot!

from synapse.util.async_helpers import Linearizer

logger = logging.getLogger(__name__)


@attr.s
class Saml2SessionData:

anoadragon453 Dec 6, 2019

Note that this was just cut and pasted.

@anoadragon453 anoadragon453 requested a review from richvdh Dec 9, 2019
richvdh left a comment

this looks... untested?

anoadragon453 commented Dec 9, 2019

this looks... untested?

Ahhh, I knew there was a reason I didn't review request this on Friday. Sorry :/

anoadragon453 commented Dec 10, 2019

Tested with success!

@anoadragon453 anoadragon453 requested a review from richvdh Dec 10, 2019
SamlConfig: A custom config object for this module
"""
# Parse config options and use defaults where necessary
# We use the 'or' syntax here as these options could be a valid value of None

richvdh Dec 10, 2019
what do you mean by "could be a valid value of None" ? None isn't valid for these options?

anoadragon453 Dec 10, 2019
Mm, I mean that if we do config.get("mxid_source_attribute", "uid"), None could still be returned as the config could be:

user_mapping_provider:
  config:
    mxid_source_attribute:

Thus, we use mxid_source_attribute = config.get("mxid_source_attribute") or "uid" instead, such that if config.get("mxid_source_attribute") returns None, we set mxid_source_attribute to "uid" instead.

Yeah the comment is confusing. I've changed it, let me know what you think.
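To make the design discussed in this PR concrete (the description's retry-with-failures loop capped at 1000 attempts, richvdh's suggestion that the provider return a dict, and the `config.get(...) or "uid"` parsing above), here is an added, self-contained sketch that is not the PR's code: the method name `map_saml_to_user_attributes`, the flat attribute-dict input and the helper names are assumptions, and the real interface is the one documented in docs/saml_mapping_providers.md.

```python
import re
from typing import Any, Dict, Optional

# Constructed illustration of the mapping-provider design; the names below
# are assumptions, not Synapse's actual API.
MAX_FAILURES = 1000  # the PR description: give up after 1000 failed attempts


class DefaultMappingProvider:
    """Default provider: maps a single SAML attribute to an mxid localpart."""

    def __init__(self, config: Optional[Dict[str, Any]]):
        config = config or {}
        # Use 'or' rather than .get(key, default): a YAML key left empty
        # yields None, which must still fall back to the default "uid".
        self.mxid_source_attribute = config.get("mxid_source_attribute") or "uid"

    def map_saml_to_user_attributes(
        self, saml_attrs: Dict[str, list], failures: int
    ) -> Dict[str, Optional[str]]:
        """Return a dict so new fields (displayname, avatar) can be added later."""
        source = saml_attrs[self.mxid_source_attribute][0]
        # Keep only characters that are legal in a lower-cased localpart.
        localpart = re.sub(r"[^a-z0-9._=/-]", "", source.lower())
        if failures:
            # On collision the handler retries with an incremented counter.
            localpart += str(failures)
        display = saml_attrs.get("displayName", [None])[0]
        return {"mxid_localpart": localpart, "displayname": display}


def map_saml_to_localpart(provider, saml_attrs, existing_localparts):
    """Handler-side loop: re-run the provider until the localpart is unused."""
    for failures in range(MAX_FAILURES):
        attrs = provider.map_saml_to_user_attributes(saml_attrs, failures)
        if attrs["mxid_localpart"] not in existing_localparts:
            return attrs
    raise RuntimeError("no free mxid after %d attempts" % MAX_FAILURES)


if __name__ == "__main__":
    # Constructed sample SAML attributes (multi-valued, as SAML attributes are).
    sample = {"uid": ["Alice.Smith"], "displayName": ["Alice"]}
    print(map_saml_to_localpart(DefaultMappingProvider(None), sample, {"alice.smith"}))
```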

richvdh left a comment

lgtm otherwise!

@anoadragon453 anoadragon453 merged commit 4947de5 into develop Dec 10, 2019
22 checks passed
@anoadragon453 anoadragon453 deleted the anoa/saml_username_provider branch Dec 10, 2019
anoadragon453 added a commit that referenced this pull request Dec 11, 2019