cqrenet/mxids
3
0
Fork 0
Code Pull Requests 10 Actions Releases Activity

Add support for username rewrite (Fix #103)

Browse Source
This commit is contained in:
Max Dor
2018-12-21 14:22:51 +01:00
parent f13748abeb
commit e9c29f1c03
4 changed files with 358 additions and 126 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
docs/features/authentication.md
View File

@@ -74,7 +74,15 @@ See your Identity store [documentation](../stores/README.md) on how to enable th
## Advanced ## Advanced
The Authentication feature allows users to login to their Homeserver by using their 3PIDs in a configured Identity store. The Authentication feature allows users to:
- Rewrite usernames matching a pattern to be mapped to another username via a 3PID.
- login to their Homeserver by using their 3PIDs in a configured Identity store.
This feature also allows to work around the following issues:
- Lowercase all usernames for synapse, allowing case-insensitive login
- Unable to login on synapse if username is numerical
- Any generic transformation of username prior to sending to synapse, bypassing the restriction that password providers
cannot change the localpart being authenticated.
### Overview ### Overview
This is performed by intercepting the Homeserver endpoint `/_matrix/client/r0/login` as depicted below: This is performed by intercepting the Homeserver endpoint `/_matrix/client/r0/login` as depicted below:
@@ -109,10 +117,10 @@ Steps of user authentication using a 3PID:
4. The response from the Homeserver is sent back to the client, believing it was the HS which directly answered. 4. The response from the Homeserver is sent back to the client, believing it was the HS which directly answered.
### Requirements ### Requirements
- [Basic Authentication configured and working](#basic)
- Reverse proxy setup
- Homeserver
- Compatible [Identity store](../stores/README.md) - Compatible [Identity store](../stores/README.md)
- [Basic Authentication configured and working](#basic)
- Client and Homeserver using the [C2S API r0.4.x](https://matrix.org/docs/spec/client_server/r0.4.0.html) or later
- Reverse proxy setup
### Configuration ### Configuration
#### Reverse Proxy #### Reverse Proxy
@@ -153,3 +161,40 @@ In case the hostname is the same as your Matrix domain and `server.name` is not
`matrix.domain` and will still probably have the correct value. `matrix.domain` and will still probably have the correct value.
`value` is the base internal URL of the Homeserver, without any `/_matrix/..` or trailing `/`. `value` is the base internal URL of the Homeserver, without any `/_matrix/..` or trailing `/`.
#### Username rewrite
In mxisd config:
```yaml
auth:
rewrite:
user:
rules:
- regex: <your regexp>
medium: 'your.custom.medium.type'
```
`rules` takes a list of rules. Rules have two properties:
- `regexp`: The regex pattern to match. This **MUST** match the full string. See [Java regex](https://docs.oracle.com/javase/8/docs/api/java/util/regex/Pattern.html) for syntax.
- `medium`: Custom 3PID type that will be used in the 3PID lookup. This can be anything you want and needs to be supported
by your Identity store config and/or code.
Rules are matched in listed order.
Common regexp patterns:
- Numerical usernames: `[0-9]+`
##### LDAP Example
If your users use their numerical employee IDs, which cannot be used with synapse, you can make it work with (relevant config only):
```yaml
auth:
rewrite:
user:
rules:
- regex: '[0-9]+'
medium: 'kmx.employee.id'
ldap:
attribute:
threepid:
kmx.employee.id:
- 'ldapAttributeForEmployeeId'
```

192
src/main/java/io/kamax/mxisd/auth/AuthManager.java
View File

@@ -20,37 +20,95 @@
package io.kamax.mxisd.auth; package io.kamax.mxisd.auth;
import com.google.gson.Gson;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import com.google.gson.JsonSyntaxException;
import com.google.i18n.phonenumbers.NumberParseException;
import com.google.i18n.phonenumbers.PhoneNumberUtil;
import com.google.i18n.phonenumbers.Phonenumber;
import io.kamax.matrix.MatrixID; import io.kamax.matrix.MatrixID;
import io.kamax.matrix.ThreePid; import io.kamax.matrix.ThreePid;
import io.kamax.matrix._MatrixID; import io.kamax.matrix._MatrixID;
import io.kamax.matrix._ThreePid; import io.kamax.matrix._ThreePid;
import io.kamax.matrix.json.GsonUtil;
import io.kamax.mxisd.UserIdType; import io.kamax.mxisd.UserIdType;
import io.kamax.mxisd.auth.provider.AuthenticatorProvider; import io.kamax.mxisd.auth.provider.AuthenticatorProvider;
import io.kamax.mxisd.auth.provider.BackendAuthResult; import io.kamax.mxisd.auth.provider.BackendAuthResult;
import io.kamax.mxisd.config.AuthenticationConfig;
import io.kamax.mxisd.config.MatrixConfig; import io.kamax.mxisd.config.MatrixConfig;
import io.kamax.mxisd.dns.ClientDnsOverwrite;
import io.kamax.mxisd.exception.RemoteLoginException;
import io.kamax.mxisd.invitation.InvitationManager; import io.kamax.mxisd.invitation.InvitationManager;
import io.kamax.mxisd.lookup.ThreePidMapping; import io.kamax.mxisd.lookup.ThreePidMapping;
import io.kamax.mxisd.lookup.strategy.LookupStrategy;
import io.kamax.mxisd.util.RestClientUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.util.EntityUtils;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service; import org.springframework.stereotype.Service;
import java.io.IOException;
import java.net.URI;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Objects;
@Service @Service
public class AuthManager { public class AuthManager {
private Logger log = LoggerFactory.getLogger(AuthManager.class); private static final String TypeKey = "type";
private static final String UserKey = "user";
private static final String IdentifierKey = "identifier";
private static final String ThreepidMediumKey = "medium";
private static final String ThreepidAddressKey = "address";
private static final String UserIdTypeValue = "m.id.user";
private static final String ThreepidTypeValue = "m.id.thirdparty";
@Autowired private final Logger log = LoggerFactory.getLogger(AuthManager.class);
private List<AuthenticatorProvider> providers = new ArrayList<>(); private final Gson gson = GsonUtil.get();
@Autowired private List<AuthenticatorProvider> providers;
private MatrixConfig mxCfg; private MatrixConfig mxCfg;
private AuthenticationConfig cfg;
private InvitationManager invMgr;
private ClientDnsOverwrite dns;
private LookupStrategy strategy;
private CloseableHttpClient client;
@Autowired @Autowired
private InvitationManager invMgr; public AuthManager(
AuthenticationConfig cfg,
MatrixConfig mxCfg,
List<AuthenticatorProvider> providers,
LookupStrategy strategy,
InvitationManager invMgr,
ClientDnsOverwrite dns,
CloseableHttpClient client
) {
this.cfg = cfg;
this.mxCfg = mxCfg;
this.providers = new ArrayList<>(providers);
this.strategy = strategy;
this.invMgr = invMgr;
this.dns = dns;
this.client = client;
}
public String resolveProxyUrl(URI target) {
URIBuilder builder = dns.transform(target);
String urlToLogin = builder.toString();
log.info("Proxy resolution: {} to {}", target.toString(), urlToLogin);
return urlToLogin;
}
public UserAuthResult authenticate(String id, String password) { public UserAuthResult authenticate(String id, String password) {
_MatrixID mxid = MatrixID.asAcceptable(id); _MatrixID mxid = MatrixID.asAcceptable(id);
@@ -92,4 +150,128 @@ public class AuthManager {
return new UserAuthResult().failure(); return new UserAuthResult().failure();
} }
public String proxyLogin(URI target, String body) {
JsonObject reqJsonObject = io.kamax.matrix.json.GsonUtil.parseObj(body);
GsonUtil.findObj(reqJsonObject, IdentifierKey).ifPresent(obj -> {
GsonUtil.findString(obj, TypeKey).ifPresent(type -> {
if (StringUtils.equals(type, UserIdTypeValue)) {
log.info("Login request is User ID type");
if (cfg.getRewrite().getUser().getRules().isEmpty()) {
log.info("No User ID rewrite rules to apply");
} else {
log.info("User ID rewrite rules: checking for a match");
String userId = GsonUtil.getStringOrThrow(obj, UserKey);
for (AuthenticationConfig.Rule m : cfg.getRewrite().getUser().getRules()) {
if (m.getPattern().matcher(userId).matches()) {
log.info("Found matching pattern, resolving to 3PID with medium {}", m.getMedium());
// Remove deprecated login info on the top object if exists to avoid duplication
reqJsonObject.remove(UserKey);
obj.addProperty(TypeKey, ThreepidTypeValue);
obj.addProperty(ThreepidMediumKey, m.getMedium());
obj.addProperty(ThreepidAddressKey, userId);
log.info("Rewrite to 3PID done");
}
}
log.info("User ID rewrite rules: done checking rules");
}
}
});
});
GsonUtil.findObj(reqJsonObject, IdentifierKey).ifPresent(obj -> {
GsonUtil.findString(obj, TypeKey).ifPresent(type -> {
if (StringUtils.equals(type, ThreepidTypeValue)) {
// Remove deprecated login info if exists to avoid duplication
reqJsonObject.remove(ThreepidMediumKey);
reqJsonObject.remove(ThreepidAddressKey);
GsonUtil.findPrimitive(obj, ThreepidMediumKey).ifPresent(medium -> {
GsonUtil.findPrimitive(obj, ThreepidAddressKey).ifPresent(address -> {
log.info("Login request with medium '{}' and address '{}'", medium.getAsString(), address.getAsString());
strategy.findLocal(medium.getAsString(), address.getAsString()).ifPresent(lookupDataOpt -> {
obj.remove(ThreepidMediumKey);
obj.remove(ThreepidAddressKey);
obj.addProperty(TypeKey, UserIdTypeValue);
obj.addProperty(UserKey, lookupDataOpt.getMxid().getLocalPart());
});
});
});
}
if (StringUtils.equals(type, "m.id.phone")) {
// Remove deprecated login info if exists to avoid duplication
reqJsonObject.remove(ThreepidMediumKey);
reqJsonObject.remove(ThreepidAddressKey);
GsonUtil.findPrimitive(obj, "number").ifPresent(number -> {
GsonUtil.findPrimitive(obj, "country").ifPresent(country -> {
log.info("Login request with phone '{}'-'{}'", country.getAsString(), number.getAsString());
try {
PhoneNumberUtil phoneUtil = PhoneNumberUtil.getInstance();
Phonenumber.PhoneNumber phoneNumber = phoneUtil.parse(number.getAsString(), country.getAsString());
String msisdn = phoneUtil.format(phoneNumber, PhoneNumberUtil.PhoneNumberFormat.E164).replace("+", "");
String medium = "msisdn";
strategy.findLocal(medium, msisdn).ifPresent(lookupDataOpt -> {
obj.remove("country");
obj.remove("number");
obj.addProperty(TypeKey, UserIdTypeValue);
obj.addProperty(UserKey, lookupDataOpt.getMxid().getLocalPart());
});
} catch (NumberParseException e) {
log.error("Not a valid phone number");
throw new RuntimeException(e);
}
});
});
}
});
});
// invoke 'login' on homeserver
HttpPost httpPost = RestClientUtils.post(resolveProxyUrl(target), gson, reqJsonObject);
try (CloseableHttpResponse httpResponse = client.execute(httpPost)) {
// check http status
int status = httpResponse.getStatusLine().getStatusCode();
log.info("http status = {}", status);
if (status != 200) {
// try to get possible json error message from response
// otherwise just get returned plain error message
String errcode = String.valueOf(httpResponse.getStatusLine().getStatusCode());
String error = EntityUtils.toString(httpResponse.getEntity());
if (httpResponse.getEntity() != null) {
try {
JsonObject bodyJson = new JsonParser().parse(error).getAsJsonObject();
if (bodyJson.has("errcode")) {
errcode = bodyJson.get("errcode").getAsString();
}
if (bodyJson.has("error")) {
error = bodyJson.get("error").getAsString();
}
throw new RemoteLoginException(status, errcode, error, bodyJson);
} catch (JsonSyntaxException e) {
log.warn("Response body is not JSON");
}
}
throw new RemoteLoginException(status, errcode, error);
}
// return response
HttpEntity entity = httpResponse.getEntity();
if (Objects.isNull(entity)) {
log.warn("Expected HS to return data but got nothing");
return "";
} else {
return IOUtils.toString(httpResponse.getEntity().getContent(), httpResponse.getEntity().getContentType().getValue());
}
} catch (IOException e) {
throw new RuntimeException(e);
}
}
} }

110
src/main/java/io/kamax/mxisd/config/AuthenticationConfig.java Normal file
View File

@@ -0,0 +1,110 @@
/*
* mxisd - Matrix Identity Server Daemon
* Copyright (C) 2018 Kamax Sarl
*
* https://www.kamax.io/
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package io.kamax.mxisd.config;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;
import javax.annotation.PostConstruct;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
@Configuration
@ConfigurationProperties(prefix = "auth")
public class AuthenticationConfig {
public static class Rule {
private String regex;
private transient Pattern pattern;
private String medium;
public String getRegex() {
return regex;
}
public void setRegex(String regex) {
this.regex = regex;
}
public Pattern getPattern() {
return pattern;
}
public void setPattern(Pattern pattern) {
this.pattern = pattern;
}
public String getMedium() {
return medium;
}
public void setMedium(String medium) {
this.medium = medium;
}
}
public static class User {
private List<Rule> rules = new ArrayList<>();
public List<Rule> getRules() {
return rules;
}
public void setRules(List<Rule> mappings) {
this.rules = mappings;
}
}
public static class Rewrite {
private User user = new User();
public User getUser() {
return user;
}
public void setUser(User user) {
this.user = user;
}
}
private Rewrite rewrite = new Rewrite();
public Rewrite getRewrite() {
return rewrite;
}
public void setRewrite(Rewrite rewrite) {
this.rewrite = rewrite;
}
@PostConstruct
public void build() {
getRewrite().getUser().getRules().forEach(mapping -> mapping.setPattern(Pattern.compile(mapping.getRegex())));
}
}

129
src/main/java/io/kamax/mxisd/controller/auth/v1/AuthController.java
View File

@@ -20,25 +20,18 @@
package io.kamax.mxisd.controller.auth.v1; package io.kamax.mxisd.controller.auth.v1;
import com.google.gson.*; import com.google.gson.Gson;
import com.google.i18n.phonenumbers.NumberParseException; import com.google.gson.JsonElement;
import com.google.i18n.phonenumbers.PhoneNumberUtil; import com.google.gson.JsonObject;
import com.google.i18n.phonenumbers.Phonenumber;
import io.kamax.mxisd.auth.AuthManager; import io.kamax.mxisd.auth.AuthManager;
import io.kamax.mxisd.auth.UserAuthResult; import io.kamax.mxisd.auth.UserAuthResult;
import io.kamax.mxisd.controller.auth.v1.io.CredentialsValidationResponse; import io.kamax.mxisd.controller.auth.v1.io.CredentialsValidationResponse;
import io.kamax.mxisd.dns.ClientDnsOverwrite;
import io.kamax.mxisd.exception.JsonMemberNotFoundException; import io.kamax.mxisd.exception.JsonMemberNotFoundException;
import io.kamax.mxisd.exception.RemoteLoginException;
import io.kamax.mxisd.lookup.strategy.LookupStrategy;
import io.kamax.mxisd.util.GsonParser; import io.kamax.mxisd.util.GsonParser;
import io.kamax.mxisd.util.GsonUtil; import io.kamax.mxisd.util.GsonUtil;
import io.kamax.mxisd.util.RestClientUtils; import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet; import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.util.EntityUtils; import org.apache.http.util.EntityUtils;
import org.slf4j.Logger; import org.slf4j.Logger;
@@ -54,10 +47,11 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import java.io.IOException; import java.io.IOException;
import java.net.URI; import java.net.URI;
import java.nio.charset.StandardCharsets;
@RestController @RestController
@CrossOrigin @CrossOrigin
@RequestMapping(produces = MediaType.APPLICATION_JSON_UTF8_VALUE) @RequestMapping(produces = MediaType.APPLICATION_JSON_VALUE)
public class AuthController { public class AuthController {
// TODO export into SDK // TODO export into SDK
@@ -71,23 +65,9 @@ public class AuthController {
@Autowired @Autowired
private AuthManager mgr; private AuthManager mgr;
@Autowired
private LookupStrategy strategy;
@Autowired
private ClientDnsOverwrite dns;
@Autowired @Autowired
private CloseableHttpClient client; private CloseableHttpClient client;
private String resolveProxyUrl(HttpServletRequest req) {
URI target = URI.create(req.getRequestURL().toString());
URIBuilder builder = dns.transform(target);
String urlToLogin = builder.toString();
log.info("Proxy resolution: {} to {}", target.toString(), urlToLogin);
return urlToLogin;
}
@RequestMapping(value = "/_matrix-internal/identity/v1/check_credentials", method = RequestMethod.POST) @RequestMapping(value = "/_matrix-internal/identity/v1/check_credentials", method = RequestMethod.POST)
public String checkCredentials(HttpServletRequest req) { public String checkCredentials(HttpServletRequest req) {
try { try {
@@ -120,7 +100,9 @@ public class AuthController {
@RequestMapping(value = logV1Url, method = RequestMethod.GET) @RequestMapping(value = logV1Url, method = RequestMethod.GET)
public String getLogin(HttpServletRequest req, HttpServletResponse res) { public String getLogin(HttpServletRequest req, HttpServletResponse res) {
try (CloseableHttpResponse hsResponse = client.execute(new HttpGet(resolveProxyUrl(req)))) { URI target = URI.create(req.getRequestURL().toString());
try (CloseableHttpResponse hsResponse = client.execute(new HttpGet(mgr.resolveProxyUrl(target)))) {
res.setStatus(hsResponse.getStatusLine().getStatusCode()); res.setStatus(hsResponse.getStatusLine().getStatusCode());
return EntityUtils.toString(hsResponse.getEntity()); return EntityUtils.toString(hsResponse.getEntity());
} catch (IOException e) { } catch (IOException e) {
@@ -130,98 +112,11 @@ public class AuthController {
@RequestMapping(value = logV1Url, method = RequestMethod.POST) @RequestMapping(value = logV1Url, method = RequestMethod.POST)
public String login(HttpServletRequest req) { public String login(HttpServletRequest req) {
URI target = URI.create(req.getRequestURL().toString());
try { try {
JsonObject reqJsonObject = parser.parse(req.getInputStream()); return mgr.proxyLogin(target, IOUtils.toString(req.getInputStream(), StandardCharsets.UTF_8));
// find 3PID in main object
GsonUtil.findPrimitive(reqJsonObject, "medium").ifPresent(medium -> {
GsonUtil.findPrimitive(reqJsonObject, "address").ifPresent(address -> {
log.info("Login request with medium '{}' and address '{}'", medium.getAsString(), address.getAsString());
strategy.findLocal(medium.getAsString(), address.getAsString()).ifPresent(lookupDataOpt -> {
reqJsonObject.addProperty("user", lookupDataOpt.getMxid().getLocalPart());
reqJsonObject.remove("medium");
reqJsonObject.remove("address");
});
});
});
// find 3PID in 'identifier' object
GsonUtil.findObj(reqJsonObject, "identifier").ifPresent(identifier -> {
GsonUtil.findPrimitive(identifier, "type").ifPresent(type -> {
if (StringUtils.equals(type.getAsString(), "m.id.thirdparty")) {
GsonUtil.findPrimitive(identifier, "medium").ifPresent(medium -> {
GsonUtil.findPrimitive(identifier, "address").ifPresent(address -> {
log.info("Login request with medium '{}' and address '{}'", medium.getAsString(), address.getAsString());
strategy.findLocal(medium.getAsString(), address.getAsString()).ifPresent(lookupDataOpt -> {
identifier.addProperty("type", "m.id.user");
identifier.addProperty("user", lookupDataOpt.getMxid().getLocalPart());
identifier.remove("medium");
identifier.remove("address");
});
});
});
}
if (StringUtils.equals(type.getAsString(), "m.id.phone")) {
GsonUtil.findPrimitive(identifier, "number").ifPresent(number -> {
GsonUtil.findPrimitive(identifier, "country").ifPresent(country -> {
log.info("Login request with phone '{}'-'{}'", country.getAsString(), number.getAsString());
try {
PhoneNumberUtil phoneUtil = PhoneNumberUtil.getInstance();
Phonenumber.PhoneNumber phoneNumber = phoneUtil.parse(number.getAsString(), country.getAsString());
String canon_phoneNumber = phoneUtil.format(phoneNumber, PhoneNumberUtil.PhoneNumberFormat.E164).replace("+", "");
String medium = "msisdn";
strategy.findLocal(medium, canon_phoneNumber).ifPresent(lookupDataOpt -> {
identifier.addProperty("type", "m.id.user");
identifier.addProperty("user", lookupDataOpt.getMxid().getLocalPart());
identifier.remove("country");
identifier.remove("number");
});
} catch (NumberParseException e) {
throw new RuntimeException(e);
}
});
});
}
});
});
// invoke 'login' on homeserver
HttpPost httpPost = RestClientUtils.post(resolveProxyUrl(req), gson, reqJsonObject);
try (CloseableHttpResponse httpResponse = client.execute(httpPost)) {
// check http status
int status = httpResponse.getStatusLine().getStatusCode();
log.info("http status = {}", status);
if (status != 200) {
// try to get possible json error message from response
// otherwise just get returned plain error message
String errcode = String.valueOf(httpResponse.getStatusLine().getStatusCode());
String error = EntityUtils.toString(httpResponse.getEntity());
if (httpResponse.getEntity() != null) {
try {
JsonObject bodyJson = new JsonParser().parse(error).getAsJsonObject();
if (bodyJson.has("errcode")) {
errcode = bodyJson.get("errcode").getAsString();
}
if (bodyJson.has("error")) {
error = bodyJson.get("error").getAsString();
}
throw new RemoteLoginException(status, errcode, error, bodyJson);
} catch (JsonSyntaxException e) {
log.warn("Response body is not JSON");
}
}
throw new RemoteLoginException(status, errcode, error);
}
/// return response
JsonObject respJsonObject = parser.parseOptional(httpResponse).get();
return gson.toJson(respJsonObject);
} catch (IOException e) {
throw new RuntimeException(e);
}
} catch (IOException e) { } catch (IOException e) {
log.error("Unable to read input data from client");
throw new RuntimeException(e); throw new RuntimeException(e);
} }
} }