Merge remote-tracking branch 'origin/develop' into matrix-org-hotfixes

2025-02-05 14:20:31 +00:00
parent 87bd7ae707 6fe41d2b47
commit 95f5f2bc10
26 changed files with 183 additions and 33 deletions
@@ -21,7 +21,7 @@ jobs:
          # We use nightly so that `fmt` correctly groups together imports, and
          # clippy correctly fixes up the benchmarks.
          toolchain: nightly-2022-12-01
-          components: rustfmt
+          components: clippy, rustfmt
      - uses: Swatinem/rust-cache@v2

      - name: Setup Poetry
@@ -1,3 +1,30 @@
+# Synapse 1.124.0rc1 (2025-02-04)
+
+### Bugfixes
+
+- Add rate limit `rc_presence.per_user`. This prevents load from excessive presence updates sent by clients via sync api. Also rate limit `/_matrix/client/v3/presence` as per the spec. Contributed by @rda0. ([\#18000](https://github.com/element-hq/synapse/issues/18000))
+- Deactivated users will no longer automatically accept an invite when `auto_accept_invites` is enabled. ([\#18073](https://github.com/element-hq/synapse/issues/18073))
+- Fix join being denied after being invited over federation. Also fixes other out-of-band membership transitions. ([\#18075](https://github.com/element-hq/synapse/issues/18075))
+- Updates contributed `docker-compose.yml` file to PostgreSQL v15, as v12 is no longer supported by Synapse.
+  Contributed by @maxkratz. ([\#18089](https://github.com/element-hq/synapse/issues/18089))
+- Fix rare edge case where state groups could be deleted while we are persisting new events that reference them. ([\#18107](https://github.com/element-hq/synapse/issues/18107), [\#18130](https://github.com/element-hq/synapse/issues/18130), [\#18131](https://github.com/element-hq/synapse/issues/18131))
+- Raise an error if someone is using an incorrect suffix in a config duration string. ([\#18112](https://github.com/element-hq/synapse/issues/18112))
+- Fix a bug where the [Delete Room Admin API](https://element-hq.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version) would fail if the `block` parameter was set to `true` and a worker other than the main process was configured to handle background tasks. ([\#18119](https://github.com/element-hq/synapse/issues/18119))
+
+### Internal Changes
+
+- Increase the length of the generated `nonce` parameter when perfoming OIDC logins to comply with the TI-Messenger spec. ([\#18109](https://github.com/element-hq/synapse/issues/18109))
+
+
+
+### Updates to locked dependencies
+
+* Bump dawidd6/action-download-artifact from 7 to 8. ([\#18108](https://github.com/element-hq/synapse/issues/18108))
+* Bump log from 0.4.22 to 0.4.25. ([\#18098](https://github.com/element-hq/synapse/issues/18098))
+* Bump python-multipart from 0.0.18 to 0.0.20. ([\#18096](https://github.com/element-hq/synapse/issues/18096))
+* Bump serde_json from 1.0.135 to 1.0.137. ([\#18099](https://github.com/element-hq/synapse/issues/18099))
+* Bump types-bleach from 6.1.0.20240331 to 6.2.0.20241123. ([\#18082](https://github.com/element-hq/synapse/issues/18082))
+
 # Synapse 1.123.0 (2025-01-28)

 No significant changes since 1.123.0rc1.
@@ -0,0 +1,6 @@
+Licensees holding a valid commercial license with Element may use this
+software in accordance with the terms contained in a written agreement
+between you and Element.
+
+To purchase a commercial license please contact our sales team at
+licensing@element.io
@@ -10,14 +10,15 @@ implementation, written and maintained by `Element <https://element.io>`_.
 `Matrix <https://github.com/matrix-org>`__ is the open standard for
 secure and interoperable real time communications. You can directly run
 and manage the source code in this repository, available under an AGPL
-license. There is no support provided from Element unless you have a
-subscription.
+license (or alternatively under a commercial license from Element).
+There is no support provided by Element unless you have a
+subscription from Element.

-Subscription alternative
-========================
+Subscription
+============

-Alternatively, for those that need an enterprise-ready solution, Element
-Server Suite (ESS) is `available as a subscription <https://element.io/pricing>`_.
+For those that need an enterprise-ready solution, Element
+Server Suite (ESS) is `available via subscription <https://element.io/pricing>`_.
 ESS builds on Synapse to offer a complete Matrix-based backend including the full
 `Admin Console product <https://element.io/enterprise-functionality/admin-console>`_,
 giving admins the power to easily manage an organization-wide
@@ -249,6 +250,20 @@ Developers might be particularly interested in:
 Alongside all that, join our developer community on Matrix:
 `#synapse-dev:matrix.org <https://matrix.to/#/#synapse-dev:matrix.org>`_, featuring real humans!

+Copyright and Licensing
+=======================
+
+Copyright 2014-2017 OpenMarket Ltd
+Copyright 2017 Vector Creations Ltd
+Copyright 2017-2025 New Vector Ltd 
+
+This software is dual-licensed by New Vector Ltd (Element). It can be used either:
+  
+(1) for free under the terms of the GNU Affero General Public License (as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version); OR
+  
+(2) under the terms of a paid-for Element Commercial License agreement between you and Element (the terms of which may vary depending on what you and Element have agreed to).
+Unless required by applicable law or agreed to in writing, software distributed under the Licenses is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the Licenses for the specific language governing permissions and limitations under the Licenses.
+

 .. |support| image:: https://img.shields.io/badge/matrix-community%20support-success
  :alt: (get community support in #synapse:matrix.org)
@@ -1 +0,0 @@
-Add rate limit `rc_presence.per_user`. This prevents load from excessive presence updates sent by clients via sync api. Also rate limit `/_matrix/client/v3/presence` as per the spec. Contributed by @rda0.
@@ -0,0 +1 @@
+Add experimental config options `admin_token_path` and `client_secret_path` for MSC 3861.
@@ -1 +0,0 @@
-Deactivated users will no longer automatically accept an invite when `auto_accept_invites` is enabled.
@@ -1 +0,0 @@
-Fix join being denied after being invited over federation. Also fixes other out-of-band membership transitions.
@@ -1,2 +0,0 @@
-Updates contributed `docker-compose.yml` file to PostgreSQL v15, as v12 is no longer supported by Synapse.
-Contributed by @maxkratz.
@@ -1 +0,0 @@
-Fix rare edge case where state groups could be deleted while we are persisting new events that reference them.
@@ -1 +0,0 @@
-Increase the length of the generated `nonce` parameter when perfoming OIDC logins to comply with the TI-Messenger spec.
@@ -1 +0,0 @@
-Raise an error if someone is using an incorrect suffix in a config duration string.
@@ -1 +0,0 @@
-Fix a bug where the [Delete Room Admin API](https://element-hq.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version) would fail if the `block` parameter was set to `true` and a worker other than the main process was configured to handle background tasks.
@@ -1 +0,0 @@
-Fix rare edge case where state groups could be deleted while we are persisting new events that reference them.
@@ -1 +0,0 @@
-Fix rare edge case where state groups could be deleted while we are persisting new events that reference them.
@@ -0,0 +1 @@
+Make it explicit that you can buy an AGPL-alternative commercial license from Element.
@@ -0,0 +1 @@
+Fix user directory search when using a legacy module with a `check_username_for_spam` callback. Broke in v1.122.0.
@@ -0,0 +1 @@
+Fix the 'Fix linting' GitHub Actions workflow.
@@ -1,3 +1,9 @@
+matrix-synapse-py3 (1.124.0~rc1) stable; urgency=medium
+
+  * New Synapse release 1.124.0rc1.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 04 Feb 2025 11:53:05 +0000
+
 matrix-synapse-py3 (1.123.0) stable; urgency=medium

  * New Synapse release 1.123.0.
@@ -97,7 +97,7 @@ module-name = "synapse.synapse_rust"

 [tool.poetry]
 name = "matrix-synapse"
-version = "1.123.0"
+version = "1.124.0rc1"
 description = "Homeserver for the Matrix decentralised comms protocol"
 authors = ["Matrix.org Team and Contributors <packages@matrix.org>"]
 license = "AGPL-3.0-or-later"
@@ -19,7 +19,7 @@
 #
 #
 import logging
-from typing import TYPE_CHECKING, Any, Dict, List, Optional
+from typing import TYPE_CHECKING, Any, Callable, Dict, List, Optional
 from urllib.parse import urlencode

 from authlib.oauth2 import ClientAuth
@@ -119,7 +119,7 @@ class MSC3861DelegatedAuth(BaseAuth):
        self._clock = hs.get_clock()
        self._http_client = hs.get_proxied_http_client()
        self._hostname = hs.hostname
-        self._admin_token = self._config.admin_token
+        self._admin_token: Callable[[], Optional[str]] = self._config.admin_token

        self._issuer_metadata = RetryOnExceptionCachedCall[OpenIDProviderMetadata](
            self._load_metadata
@@ -133,9 +133,10 @@ class MSC3861DelegatedAuth(BaseAuth):
            )
        else:
            # Else use the client secret
-            assert self._config.client_secret, "No client_secret provided"
+            client_secret = self._config.client_secret()
+            assert client_secret, "No client_secret provided"
            self._client_auth = ClientAuth(
-                self._config.client_id, self._config.client_secret, auth_method
+                self._config.client_id, client_secret, auth_method
            )

    async def _load_metadata(self) -> OpenIDProviderMetadata:
@@ -283,7 +284,7 @@ class MSC3861DelegatedAuth(BaseAuth):
            requester = await self.get_user_by_access_token(access_token, allow_expired)

        # Do not record requests from MAS using the virtual `__oidc_admin` user.
-        if access_token != self._admin_token:
+        if access_token != self._admin_token():
            await self._record_request(request, requester)

        if not allow_guest and requester.is_guest:
@@ -324,7 +325,8 @@ class MSC3861DelegatedAuth(BaseAuth):
        token: str,
        allow_expired: bool = False,
    ) -> Requester:
-        if self._admin_token is not None and token == self._admin_token:
+        admin_token = self._admin_token()
+        if admin_token is not None and token == admin_token:
            # XXX: This is a temporary solution so that the admin API can be called by
            # the OIDC provider. This will be removed once we have OIDC client
            # credentials grant support in matrix-authentication-service.
@@ -20,14 +20,15 @@
 #

 import enum
-from typing import TYPE_CHECKING, Any, Optional
+from functools import cache
+from typing import TYPE_CHECKING, Any, Iterable, Optional

 import attr
 import attr.validators

 from synapse.api.room_versions import KNOWN_ROOM_VERSIONS, RoomVersions
 from synapse.config import ConfigError
-from synapse.config._base import Config, RootConfig
+from synapse.config._base import Config, RootConfig, read_file
 from synapse.types import JsonDict

 # Determine whether authlib is installed.
@@ -43,6 +44,12 @@ if TYPE_CHECKING:
    from authlib.jose.rfc7517 import JsonWebKey


+@cache
+def read_secret_from_file_once(file_path: Any, config_path: Iterable[str]) -> str:
+    """Returns the memoized secret read from file."""
+    return read_file(file_path, config_path).strip()
+
+
 class ClientAuthMethod(enum.Enum):
    """List of supported client auth methods."""

@@ -63,6 +70,40 @@ def _parse_jwks(jwks: Optional[JsonDict]) -> Optional["JsonWebKey"]:
    return JsonWebKey.import_key(jwks)


+def _check_client_secret(
+    instance: "MSC3861", _attribute: attr.Attribute, _value: Optional[str]
+) -> None:
+    if instance._client_secret and instance._client_secret_path:
+        raise ConfigError(
+            (
+                "You have configured both "
+                "`experimental_features.msc3861.client_secret` and "
+                "`experimental_features.msc3861.client_secret_path`. "
+                "These are mutually incompatible."
+            ),
+            ("experimental", "msc3861", "client_secret"),
+        )
+    # Check client secret can be retrieved
+    instance.client_secret()
+
+
+def _check_admin_token(
+    instance: "MSC3861", _attribute: attr.Attribute, _value: Optional[str]
+) -> None:
+    if instance._admin_token and instance._admin_token_path:
+        raise ConfigError(
+            (
+                "You have configured both "
+                "`experimental_features.msc3861.admin_token` and "
+                "`experimental_features.msc3861.admin_token_path`. "
+                "These are mutually incompatible."
+            ),
+            ("experimental", "msc3861", "admin_token"),
+        )
+    # Check client secret can be retrieved
+    instance.admin_token()
+
+
@attr.s(slots=True, frozen=True)
 class MSC3861:
    """Configuration for MSC3861: Matrix architecture change to delegate authentication via OIDC"""
@@ -97,15 +138,30 @@ class MSC3861:
    )
    """The auth method used when calling the introspection endpoint."""

-    client_secret: Optional[str] = attr.ib(
+    _client_secret: Optional[str] = attr.ib(
        default=None,
-        validator=attr.validators.optional(attr.validators.instance_of(str)),
+        validator=[
+            attr.validators.optional(attr.validators.instance_of(str)),
+            _check_client_secret,
+        ],
    )
    """
    The client secret to use when calling the introspection endpoint,
    when using any of the client_secret_* client auth methods.
    """

+    _client_secret_path: Optional[str] = attr.ib(
+        default=None,
+        validator=[
+            attr.validators.optional(attr.validators.instance_of(str)),
+            _check_client_secret,
+        ],
+    )
+    """
+    Alternative to `client_secret`: allows the secret to be specified in an
+    external file.
+    """
+
    jwk: Optional["JsonWebKey"] = attr.ib(default=None, converter=_parse_jwks)
    """
    The JWKS to use when calling the introspection endpoint,
@@ -133,7 +189,7 @@ class MSC3861:
                ClientAuthMethod.CLIENT_SECRET_BASIC,
                ClientAuthMethod.CLIENT_SECRET_JWT,
            )
-            and self.client_secret is None
+            and self.client_secret() is None
        ):
            raise ConfigError(
                f"A client secret must be provided when using the {value} client auth method",
@@ -152,15 +208,48 @@ class MSC3861:
    )
    """The URL of the My Account page on the OIDC Provider as per MSC2965."""

-    admin_token: Optional[str] = attr.ib(
+    _admin_token: Optional[str] = attr.ib(
        default=None,
-        validator=attr.validators.optional(attr.validators.instance_of(str)),
+        validator=[
+            attr.validators.optional(attr.validators.instance_of(str)),
+            _check_admin_token,
+        ],
    )
    """
    A token that should be considered as an admin token.
    This is used by the OIDC provider, to make admin calls to Synapse.
    """

+    _admin_token_path: Optional[str] = attr.ib(
+        default=None,
+        validator=[
+            attr.validators.optional(attr.validators.instance_of(str)),
+            _check_admin_token,
+        ],
+    )
+    """
+    Alternative to `admin_token`: allows the secret to be specified in an
+    external file.
+    """
+
+    def client_secret(self) -> Optional[str]:
+        """Returns the secret given via `client_secret` or `client_secret_path`."""
+        if self._client_secret_path:
+            return read_secret_from_file_once(
+                self._client_secret_path,
+                ("experimental_features", "msc3861", "client_secret_path"),
+            )
+        return self._client_secret
+
+    def admin_token(self) -> Optional[str]:
+        """Returns the admin token given via `admin_token` or `admin_token_path`."""
+        if self._admin_token_path:
+            return read_secret_from_file_once(
+                self._admin_token_path,
+                ("experimental_features", "msc3861", "admin_token_path"),
+            )
+        return self._admin_token
+
    def check_config_conflicts(self, root: RootConfig) -> None:
        """Checks for any configuration conflicts with other parts of Synapse.

@@ -19,6 +19,7 @@
 #
 #

+import functools
 import inspect
 import logging
 from typing import (
@@ -297,6 +298,7 @@ def load_legacy_spam_checkers(hs: "synapse.server.HomeServer") -> None:
                        "Bad signature for callback check_registration_for_spam",
                    )

+            @functools.wraps(wrapped_func)
            def run(*args: Any, **kwargs: Any) -> Awaitable:
                # Assertion required because mypy can't prove we won't change `f`
                # back to `None`. See
@@ -132,6 +132,8 @@ class ConfigLoadingFileTestCase(ConfigFileTestCase):
            "turn_shared_secret_path: /does/not/exist",
            "registration_shared_secret_path: /does/not/exist",
            "macaroon_secret_key_path: /does/not/exist",
+            "experimental_features:\n  msc3861:\n    client_secret_path: /does/not/exist",
+            "experimental_features:\n  msc3861:\n    admin_token_path: /does/not/exist",
            *["redis:\n  enabled: true\n  password_path: /does/not/exist"]
            * (hiredis is not None),
        ]
@@ -157,6 +159,14 @@ class ConfigLoadingFileTestCase(ConfigFileTestCase):
                "macaroon_secret_key_path: {}",
                lambda c: c.key.macaroon_secret_key,
            ),
+            (
+                "experimental_features:\n  msc3861:\n    client_secret_path: {}",
+                lambda c: c.experimental.msc3861.client_secret().encode("utf-8"),
+            ),
+            (
+                "experimental_features:\n  msc3861:\n    admin_token_path: {}",
+                lambda c: c.experimental.msc3861.admin_token().encode("utf-8"),
+            ),
            *[
                (
                    "redis:\n  enabled: true\n  password_path: {}",
@@ -795,7 +795,7 @@ class MSC3861OAuthDelegation(HomeserverTestCase):
        req = SynapseRequest(channel, self.site)  # type: ignore[arg-type]
        req.client.host = MAS_IPV4_ADDR
        req.requestHeaders.addRawHeader(
-            "Authorization", f"Bearer {self.auth._admin_token}"
+            "Authorization", f"Bearer {self.auth._admin_token()}"
        )
        req.requestHeaders.addRawHeader("User-Agent", MAS_USER_AGENT)
        req.content = BytesIO(b"")
				`@@ -1 +0,0 @@`
				Add rate limit `rc_presence.per_user`. This prevents load from excessive presence updates sent by clients via sync api. Also rate limit `/_matrix/client/v3/presence` as per the spec. Contributed by @rda0.
				`@@ -0,0 +1 @@`
				Add experimental config options `admin_token_path` and `client_secret_path` for MSC 3861.
				`@@ -1 +0,0 @@`
				Deactivated users will no longer automatically accept an invite when `auto_accept_invites` is enabled.
				`@@ -1 +0,0 @@`
				`Fix join being denied after being invited over federation. Also fixes other out-of-band membership transitions.`
				`@@ -1 +0,0 @@`
				`Fix rare edge case where state groups could be deleted while we are persisting new events that reference them.`
				`@@ -1 +0,0 @@`
				Increase the length of the generated `nonce` parameter when perfoming OIDC logins to comply with the TI-Messenger spec.
				`@@ -1 +0,0 @@`
				`Raise an error if someone is using an incorrect suffix in a config duration string.`
				`@@ -1 +0,0 @@`
				Fix a bug where the [Delete Room Admin API](https://element-hq.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version) would fail if the `block` parameter was set to `true` and a worker other than the main process was configured to handle background tasks.
				`@@ -0,0 +1 @@`
				`Make it explicit that you can buy an AGPL-alternative commercial license from Element.`
				`@@ -0,0 +1 @@`
				Fix user directory search when using a legacy module with a `check_username_for_spam` callback. Broke in v1.122.0.