Compare commits
3 Commits
erikj/dock
...
bbz/info-m
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
80c66c4bca | ||
|
|
09cb7dec5f | ||
|
|
456fa172cf |
@@ -974,6 +974,11 @@ account_validity:
|
|||||||
# Mandate that users are only allowed to associate certain formats of
|
# Mandate that users are only allowed to associate certain formats of
|
||||||
# 3PIDs with accounts on this server.
|
# 3PIDs with accounts on this server.
|
||||||
#
|
#
|
||||||
|
# Use an Identity Server to establish which 3PIDs are allowed to register?
|
||||||
|
# Overrides allowed_local_3pids below.
|
||||||
|
#
|
||||||
|
#check_is_for_allowed_local_3pids: matrix.org
|
||||||
|
#
|
||||||
#allowed_local_3pids:
|
#allowed_local_3pids:
|
||||||
# - medium: email
|
# - medium: email
|
||||||
# pattern: '.*@matrix\.org'
|
# pattern: '.*@matrix\.org'
|
||||||
|
|||||||
@@ -99,6 +99,9 @@ class RegistrationConfig(Config):
|
|||||||
|
|
||||||
self.registrations_require_3pid = config.get("registrations_require_3pid", [])
|
self.registrations_require_3pid = config.get("registrations_require_3pid", [])
|
||||||
self.allowed_local_3pids = config.get("allowed_local_3pids", [])
|
self.allowed_local_3pids = config.get("allowed_local_3pids", [])
|
||||||
|
self.check_is_for_allowed_local_3pids = config.get(
|
||||||
|
"check_is_for_allowed_local_3pids", None
|
||||||
|
)
|
||||||
self.enable_3pid_lookup = config.get("enable_3pid_lookup", True)
|
self.enable_3pid_lookup = config.get("enable_3pid_lookup", True)
|
||||||
self.registration_shared_secret = config.get("registration_shared_secret")
|
self.registration_shared_secret = config.get("registration_shared_secret")
|
||||||
|
|
||||||
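Review bot: The new `check_is_for_allowed_local_3pids` value (lines 89–97) is stored with no validation, yet the helper that consumes it splices it verbatim into `"https://%s/_matrix/identity/api/v1/internal-info"`, so a value carrying a scheme, path or trailing slash (e.g. `https://matrix.org/`) silently yields a malformed URL and every 3PID check then fails with an exception instead of a clear config error. Reject anything that is not a bare host[:port] at load time, e.g. `if self.check_is_for_allowed_local_3pids and "/" in self.check_is_for_allowed_local_3pids: raise ConfigError("check_is_for_allowed_local_3pids must be a bare hostname")` — assuming `ConfigError` is available from `._base` as in other config classes; adjust if not. Because this one setting delegates the whole registration/3PID policy decision to a remote host, logging the chosen host at startup would also help operators audit it. The enclosing method begins and ends outside the hunk.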
@@ -247,6 +250,11 @@ class RegistrationConfig(Config):
|
|||||||
# Mandate that users are only allowed to associate certain formats of
|
# Mandate that users are only allowed to associate certain formats of
|
||||||
# 3PIDs with accounts on this server.
|
# 3PIDs with accounts on this server.
|
||||||
#
|
#
|
||||||
|
# Use an Identity Server to establish which 3PIDs are allowed to register?
|
||||||
|
# Overrides allowed_local_3pids below.
|
||||||
|
#
|
||||||
|
#check_is_for_allowed_local_3pids: matrix.org
|
||||||
|
#
|
||||||
#allowed_local_3pids:
|
#allowed_local_3pids:
|
||||||
# - medium: email
|
# - medium: email
|
||||||
# pattern: '.*@matrix\\.org'
|
# pattern: '.*@matrix\\.org'
|
||||||
|
|||||||
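Review bot: The generated sample-config comment (lines 132–144) says the identity server "overrides allowed_local_3pids" but does not tell the operator what they are trusting or what happens on failure, which matters for a setting that hands registration policy to another host. As the helper is written, the named server's answer (including its `requires_invite`/`invited` verdict) is final, and a lookup that raises propagates rather than falling back to `allowed_local_3pids`. I would extend the comment with something like `# The named server fully decides which 3PIDs may be registered or added` / `# here (contacted over HTTPS); a failed lookup is an error, it does not` / `# fall back to allowed_local_3pids below.` so the trust and failure semantics are explicit in the config users actually read. The same text is duplicated in the sample_config.yaml hunk above and should be kept in sync.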
@@ -88,7 +88,7 @@ class EmailPasswordRequestTokenRestServlet(RestServlet):
|
|||||||
send_attempt = body["send_attempt"]
|
send_attempt = body["send_attempt"]
|
||||||
next_link = body.get("next_link") # Optional param
|
next_link = body.get("next_link") # Optional param
|
||||||
|
|
||||||
if not check_3pid_allowed(self.hs, "email", email):
|
if not await check_3pid_allowed(self.hs, "email", email):
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
403,
|
403,
|
||||||
"Your email domain is not authorized on this server",
|
"Your email domain is not authorized on this server",
|
||||||
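Review bot: With `check_is_for_allowed_local_3pids` set, the awaited `check_3pid_allowed` on line 186 now performs an outbound HTTPS request to the identity server for every call, and if that request raises (unreachable server, non-2xx response) the exception propagates past this `if` and surfaces as a 500 rather than the 403 this branch handles — the handler has no `try` around it. Password-reset token requests are typically unauthenticated, so unless a ratelimiter already covers this path (none is visible in the hunk), any client can make the homeserver hammer the identity server; please confirm one does. Either catch the lookup failure here, or, better, make the helper fail closed and return `False` so this 403 path stays the single rejection point. The enclosing handler begins and ends outside the hunk.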
@@ -366,7 +366,7 @@ class EmailThreepidRequestTokenRestServlet(RestServlet):
|
|||||||
send_attempt = body["send_attempt"]
|
send_attempt = body["send_attempt"]
|
||||||
next_link = body.get("next_link") # Optional param
|
next_link = body.get("next_link") # Optional param
|
||||||
|
|
||||||
if not check_3pid_allowed(self.hs, "email", email):
|
if not await check_3pid_allowed(self.hs, "email", email):
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
403,
|
403,
|
||||||
"Your email domain is not authorized on this server",
|
"Your email domain is not authorized on this server",
|
||||||
@@ -431,7 +431,7 @@ class MsisdnThreepidRequestTokenRestServlet(RestServlet):
|
|||||||
|
|
||||||
msisdn = phone_number_to_msisdn(country, phone_number)
|
msisdn = phone_number_to_msisdn(country, phone_number)
|
||||||
|
|
||||||
if not check_3pid_allowed(self.hs, "msisdn", msisdn):
|
if not await check_3pid_allowed(self.hs, "msisdn", msisdn):
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
403,
|
403,
|
||||||
"Account phone numbers are not authorized on this server",
|
"Account phone numbers are not authorized on this server",
|
||||||
|
|||||||
@@ -123,10 +123,10 @@ class EmailRegisterRequestTokenRestServlet(RestServlet):
|
|||||||
send_attempt = body["send_attempt"]
|
send_attempt = body["send_attempt"]
|
||||||
next_link = body.get("next_link") # Optional param
|
next_link = body.get("next_link") # Optional param
|
||||||
|
|
||||||
if not check_3pid_allowed(self.hs, "email", email):
|
if not await check_3pid_allowed(self.hs, "email", email):
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
403,
|
403,
|
||||||
"Your email domain is not authorized to register on this server",
|
"You currently can't create an account with this email address",
|
||||||
Codes.THREEPID_DENIED,
|
Codes.THREEPID_DENIED,
|
||||||
)
|
)
|
||||||
|
|
||||||
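Review bot: Line 309 is the only rejection message updated; the sibling checks in account.py still say `Your email domain is not authorized on this server` and the msisdn register path still says `Phone numbers are not authorized to register on this server`, but with the identity-server check the rejection is now per-address (wrong homeserver, or invite required), not per-domain, so those messages become misleading. Align them with this generic wording, e.g. `"You currently can't create an account with this phone number"` for the msisdn path. Note also that the 403 is returned before any token is sent, so an unauthenticated caller can distinguish an invited/assigned address from any other by status code alone; if the invite list is considered sensitive, consider returning the same response either way and simply not sending. The enclosing handler begins and ends outside the hunk.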
@@ -190,7 +190,7 @@ class MsisdnRegisterRequestTokenRestServlet(RestServlet):
|
|||||||
|
|
||||||
msisdn = phone_number_to_msisdn(country, phone_number)
|
msisdn = phone_number_to_msisdn(country, phone_number)
|
||||||
|
|
||||||
if not check_3pid_allowed(self.hs, "msisdn", msisdn):
|
if not await check_3pid_allowed(self.hs, "msisdn", msisdn):
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
403,
|
403,
|
||||||
"Phone numbers are not authorized to register on this server",
|
"Phone numbers are not authorized to register on this server",
|
||||||
@@ -514,7 +514,7 @@ class RegisterRestServlet(RestServlet):
|
|||||||
medium = auth_result[login_type]["medium"]
|
medium = auth_result[login_type]["medium"]
|
||||||
address = auth_result[login_type]["address"]
|
address = auth_result[login_type]["address"]
|
||||||
|
|
||||||
if not check_3pid_allowed(self.hs, medium, address):
|
if not await check_3pid_allowed(self.hs, medium, address):
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
403,
|
403,
|
||||||
"Third party identifiers (email/phone numbers)"
|
"Third party identifiers (email/phone numbers)"
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ import re
|
|||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
def check_3pid_allowed(hs, medium, address):
|
async def check_3pid_allowed(hs, medium, address):
|
||||||
"""Checks whether a given format of 3PID is allowed to be used on this HS
|
"""Checks whether a given format of 3PID is allowed to be used on this HS
|
||||||
|
|
||||||
Args:
|
Args:
|
||||||
@@ -31,6 +31,32 @@ def check_3pid_allowed(hs, medium, address):
|
|||||||
bool: whether the 3PID medium/address is allowed to be added to this HS
|
bool: whether the 3PID medium/address is allowed to be added to this HS
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
if hs.config.check_is_for_allowed_local_3pids:
|
||||||
|
data = await hs.get_simple_http_client().get_json(
|
||||||
|
"https://%s%s" % (
|
||||||
|
hs.config.check_is_for_allowed_local_3pids,
|
||||||
|
"/_matrix/identity/api/v1/internal-info"
|
||||||
|
),
|
||||||
|
{'medium': medium, 'address': address}
|
||||||
|
)
|
||||||
|
|
||||||
|
# Check for invalid response
|
||||||
|
if 'hs' not in data and 'shadow_hs' not in data:
|
||||||
|
return False
|
||||||
|
|
||||||
|
# Check if this user is intended to register for this homeserver
|
||||||
|
if (
|
||||||
|
data.get('hs') != hs.config.server_name
|
||||||
|
and data.get('shadow_hs') != hs.config.server_name
|
||||||
|
):
|
||||||
|
return False
|
||||||
|
|
||||||
|
if data.get('requires_invite', False) and not data.get('invited', False):
|
||||||
|
# Requires an invite but hasn't been invited
|
||||||
|
return False
|
||||||
|
|
||||||
|
return True
|
||||||
|
|
||||||
if hs.config.allowed_local_3pids:
|
if hs.config.allowed_local_3pids:
|
||||||
for constraint in hs.config.allowed_local_3pids:
|
for constraint in hs.config.allowed_local_3pids:
|
||||||
logger.debug(
|
logger.debug(
|
||||||
|
|||||||
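Review bot: The `get_json` call on lines 450–474 has no error handling, so an unreachable identity server or a non-2xx reply raises out of `check_3pid_allowed` and every caller turns that into a 500 instead of the 403 they are written to return; the response is also assumed to be a dict (`data.get` on lines 504–523) with no shape check. Since this helper is the gate for registration and 3PID binding, it should fail closed explicitly: catch the lookup failure, log it with the configured host, and return `False` (or raise a deliberate SynapseError if a distinct "policy server unavailable" error is preferred), and reject a non-dict body. Narrow the `except` to the exceptions `get_json` actually raises (HttpResponseException plus the connection errors) if those names are importable here; I cannot see this file's imports. The docstring (lines 416–439) should also say the function is now a coroutine that may contact `hs.config.check_is_for_allowed_local_3pids` over HTTPS. The hunk starts inside the docstring and the function continues past the end of the hunk.
```python
    if hs.config.check_is_for_allowed_local_3pids:
        try:
            data = await hs.get_simple_http_client().get_json(
                # … unchanged: URL and medium/address query args …
            )
        except Exception:
            # Fail closed: a failed policy lookup must never admit the 3PID,
            # and should not surface as a 500 to the client.
            logger.warning(
                "3PID allow-check against %s failed",
                hs.config.check_is_for_allowed_local_3pids, exc_info=True,
            )
            return False

        # Check for invalid response
        if not isinstance(data, dict) or (
            'hs' not in data and 'shadow_hs' not in data
        ):
            return False
        # … unchanged: hs/shadow_hs and requires_invite checks …
```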