Compare commits

..

12 Commits

Author SHA1 Message Date
Anatoly Sablin
b4776b50e2 https://github.com/ma1uta/ma1sd/issues/3 Allow extended character sets for backward compatibility. 2019-10-23 00:09:29 +03:00
Anatoly Sablin
2458b38b75 Add the configuration description for enable/disable unbind feature in the session.md 2019-10-22 23:54:53 +03:00
ma1uta
249e28a8b5 Merge pull request #5 from eyecreate/patch-2
Allow configuring unbind notifications to be sent or not.
2019-10-22 20:52:46 +00:00
ma1uta
ba9e2d6121 Merge pull request #4 from eyecreate/patch-1
make sure destination only contains the hostname value and not whole URL
2019-10-21 20:27:33 +00:00
eyecreate
f042b82a50 add missing import 2019-10-21 16:06:23 -04:00
eyecreate
59071177ad typo 2019-10-21 15:33:28 -04:00
eyecreate
6450cd1f20 have session manager check session config for sending notifications on unbinds. 2019-10-21 15:30:46 -04:00
eyecreate
90bc244f3e update docs to something that works. 2019-10-21 15:29:55 -04:00
eyecreate
6e52a509db update session config to allow unbindin emails to not be sent. 2019-10-21 15:28:30 -04:00
eyecreate
5ca666981a make sure destination only contains the hostname value and not whole URL
When testing this, the public URL is containing the protocol "https://" which differs from synapse's values. This code makes sure to remove that extra data to signatures match. Is there ever a situation in which the public url is any different?
2019-10-21 14:31:40 -04:00
Anatoly Sablin
36f22e5ca6 Update remarks of the fork. 2019-08-15 22:46:53 +03:00
Anatoly Sablin
a112a5e57c Improve request verification. Allow unbind only for configured matrix domain. 2019-08-07 21:47:10 +03:00
5 changed files with 35 additions and 17 deletions

View File

@@ -15,7 +15,8 @@ ma1sd - Federated Matrix Identity Server
---
* This project is a fork of the https://github.com/kamax-matrix/mxisd which has been archived and no longer supported. *
* This project is a fork (not successor) of the https://github.com/kamax-matrix/mxisd, which has been archived and no longer maintained as a standalone product.
Also, ma1sd is supported by the volunteer not developers of the original project.
---

View File

@@ -103,8 +103,8 @@ session:
validation:
enabled: true
unbind:
notification:
enabled: true
notifications: true
enabled: true
# DO NOT COPY/PASTE AS-IS IN YOUR CONFIGURATION
# CONFIGURATION EXAMPLE
@@ -115,7 +115,7 @@ are allowed to do in terms of 3PID sessions. The policy has a global on/off swit
---
`unbind` controls warning notifications for 3PID removal.
`unbind` controls warning notifications for 3PID removal. Setting `notifications` for `unbind` to false will prevent unbind emails from sending.
### Web views
Once a user click on a validation link, it is taken to the Identity Server validation page where the token is submitted.

View File

@@ -140,7 +140,7 @@ public class AuthManager {
}
try {
MatrixID.asValid(mxId);
MatrixID.asAcceptable(mxId);
} catch (IllegalArgumentException e) {
log.warn("The returned User ID {} is not a valid Matrix ID. Login might fail at the Homeserver level", mxId);
}

View File

@@ -47,6 +47,8 @@ public class SessionConfig {
public static class PolicyUnbind {
private boolean enabled = true;
private boolean notifications = true;
public boolean getEnabled() {
return enabled;
@@ -55,11 +57,20 @@ public class SessionConfig {
public void setEnabled(boolean enabled) {
this.enabled = enabled;
}
public boolean shouldNotify() {
return notifications;
}
public void setNotifications(boolean notifications) {
this.notifications = notifications;
}
}
public Policy() {
validation.enabled = true;
unbind.enabled = true;
unbind.notifications = true;
}
private PolicyTemplate validation = new PolicyTemplate();

View File

@@ -57,6 +57,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Calendar;
@@ -218,8 +219,15 @@ public class SessionManager {
throw new BadRequestException("Missing required 3PID");
}
// We only allow unbind for the domain we manage, mirroring bind
final CharSequence domain = cfg.getMatrix().getDomain();
if (!StringUtils.equalsIgnoreCase(domain, mxid.getDomain())) {
throw new NotAllowedException("Only Matrix IDs from domain " + domain + " can be unbound");
}
log.info("Request was authorized.");
if (StringUtils.isNotBlank(sid) && StringUtils.isNotBlank(secret)) {
checkSession(sid, secret, tpid, mxid);
checkSession(sid, secret, tpid);
} else if (StringUtils.isNotBlank(auth)) {
checkAuthorization(auth, reqData);
} else {
@@ -227,7 +235,9 @@ public class SessionManager {
}
log.info("Unbinding of {} {} to {} is accepted", tpid.getMedium(), tpid.getAddress(), mxid.getId());
notifMgr.sendForUnbind(tpid);
if (cfg.getSession().getPolicy().getUnbind().shouldNotify()) {
notifMgr.sendForUnbind(tpid);
}
}
private void checkAuthorization(String auth, JsonObject reqData) {
@@ -269,11 +279,15 @@ public class SessionManager {
throw new BadRequestException("Missing required header parameters");
}
if (!cfg.getMatrix().getDomain().equalsIgnoreCase(origin)) {
throw new NotAllowedException("Only Matrix IDs from domain " + origin + " can be unbound");
}
JsonObject jsonObject = new JsonObject();
jsonObject.addProperty("method", "POST");
jsonObject.addProperty("uri", "/_matrix/identity/api/v1/3pid/unbind");
jsonObject.addProperty("origin", origin);
jsonObject.addProperty("destination_is", cfg.getServer().getPublicUrl());
jsonObject.addProperty("destination_is", URI.create(cfg.getServer().getPublicUrl()).getHost());
jsonObject.add("content", reqData);
String canonical = MatrixJson.encodeCanonical(jsonObject);
@@ -340,7 +354,7 @@ public class SessionManager {
log.info("Request was authorized.");
}
private void checkSession(String sid, String secret, ThreePid tpid, _MatrixID mxid) {
private void checkSession(String sid, String secret, ThreePid tpid) {
// We ensure the session was validated
ThreePidSession session = getSessionIfValidated(sid, secret);
@@ -348,13 +362,5 @@ public class SessionManager {
if (!session.getThreePid().equals(tpid)) {
throw new BadRequestException("3PID to unbind does not match the one from the validated session");
}
// We only allow unbind for the domain we manage, mirroring bind
final CharSequence domain = cfg.getMatrix().getDomain();
if (!StringUtils.equalsIgnoreCase(domain, mxid.getDomain())) {
throw new NotAllowedException("Only Matrix IDs from domain " + domain + " can be unbound");
}
log.info("Request was authorized.");
}
}