#
# This file is licensed under the Affero General Public License (AGPL) version 3.
#
# Copyright 2014-2016 OpenMarket Ltd
# Copyright (C) 2023 New Vector, Ltd
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# See the GNU Affero General Public License for more details:
# <https://www.gnu.org/licenses/agpl-3.0.html>.
#
# Originally licensed under the Apache License, Version 2.0:
# <http://www.apache.org/licenses/LICENSE-2.0>.
#
# [This file includes modifications made by New Vector Limited]
#
#

"""Contains the URL paths to prefix various aspects of the server with."""
import hmac
import urllib.parse
from hashlib import sha256
from urllib.parse import urlencode, urljoin
from synapse.config import ConfigError
from synapse.config.homeserver import HomeServerConfig
# URL path prefixes under which the server's HTTP APIs are mounted.
# Every value starts with "/" and has no trailing slash, so callers append
# further path segments themselves.

# Client-facing APIs: the Matrix client API and the Synapse-specific one.
CLIENT_API_PREFIX = "/_matrix/client"
SYNAPSE_CLIENT_API_PREFIX = "/_synapse/client"

# Server-to-server (federation) API, with one prefix per version segment.
FEDERATION_PREFIX = "/_matrix/federation"
FEDERATION_V1_PREFIX = FEDERATION_PREFIX + "/v1"
FEDERATION_V2_PREFIX = FEDERATION_PREFIX + "/v2"
FEDERATION_UNSTABLE_PREFIX = FEDERATION_PREFIX + "/unstable"

# Server key and static-resource paths.
SERVER_KEY_PREFIX = "/_matrix/key"
STATIC_PREFIX = "/_matrix/static"

# Media paths, one constant per version segment.
MEDIA_R0_PREFIX = "/_matrix/media/r0"
MEDIA_V3_PREFIX = "/_matrix/media/v3"
LEGACY_MEDIA_PREFIX = "/_matrix/media/v1"
class ConsentURIBuilder:
    """Builds links to the privacy-policy consent page, authenticated by an HMAC.

    Each link carries the user ID (`u`) and an HMAC-SHA256 of that user ID
    (`h`) keyed with the homeserver's `form_secret`.
    """

    def __init__(self, hs_config: HomeServerConfig):
        """Read the HMAC key and public base URL from the homeserver config.

        Args:
            hs_config: the homeserver configuration

        Raises:
            ConfigError: if `form_secret` is not set
        """
        form_secret = hs_config.key.form_secret
        if form_secret is None:
            raise ConfigError("form_secret not set in config")

        self._hmac_secret = form_secret.encode("utf-8")
        self._public_baseurl = hs_config.server.public_baseurl

    def build_user_consent_uri(self, user_id: str) -> str:
        """Build the URI a user can be sent to in order to give their
        privacy policy consent.

        Args:
            user_id: mxid or username of user. It is encoded as ASCII for the
                MAC, so a non-ASCII value raises `UnicodeEncodeError`.

        Returns:
            The URI where the user can do consent
        """
        # The MAC input is the user ID alone: no timestamp or nonce is mixed
        # in here, so the same (secret, user_id) pair always yields the same
        # link.
        # NOTE(review): the endpoint that checks `h` is outside this file; it
        # should compare digests in constant time (hmac.compare_digest).
        digest = hmac.new(
            self._hmac_secret, user_id.encode("ascii"), sha256
        ).hexdigest()

        # urlencode() percent-escapes the user ID before it enters the query.
        query_string = urlencode({"u": user_id, "h": digest})

        # The base URL is concatenated as-is, so it must already end in "/".
        # NOTE(review): presumably the config layer normalises that; confirm.
        return "%s_matrix/consent?%s" % (self._public_baseurl, query_string)
class LoginSSORedirectURIBuilder:
    """Builds `/login/sso/redirect` URIs rooted at the server's public base URL."""

    def __init__(self, hs_config: HomeServerConfig):
        """Remember the public base URL from the homeserver config.

        Args:
            hs_config: the homeserver configuration
        """
        self._public_baseurl = hs_config.server.public_baseurl

    def build_login_sso_redirect_uri(
        self, *, idp_id: str | None, client_redirect_url: str
    ) -> str:
        """Build a `/login/sso/redirect` URI for the given identity provider.

        Builds `/_matrix/client/v3/login/sso/redirect/{idpId}?redirectUrl=xxx`
        when `idp_id` is specified. Otherwise (`idp_id` is `None` or empty),
        builds `/_matrix/client/v3/login/sso/redirect?redirectUrl=xxx`.

        Args:
            idp_id: Optional ID of the identity provider
            client_redirect_url: URL to redirect the user to after login. It
                is only percent-encoded here, not validated.

        Returns:
            The URI to follow when choosing a specific identity provider.
        """
        # The joined path starts with "/", so urljoin replaces any path
        # component that the public base URL itself carries.
        redirect_endpoint = urljoin(
            self._public_baseurl,
            f"{CLIENT_API_PREFIX}/v3/login/sso/redirect",
        )

        # NOTE(review): deciding whether this redirect target is allowed is
        # left to whatever serves the redirect endpoint; confirm it does.
        query_string = urlencode({"redirectUrl": client_redirect_url})

        if not idp_id:
            return f"{redirect_endpoint}?{query_string}"

        # `idp_id` is a user-controlled string, so escape it for use as a
        # single path parameter. `quote` defaults to `safe="/"`; overriding it
        # with `safe=""` means a slash in the value cannot change the request
        # path.
        # NOTE(review): `quote` leaves "." unescaped, so a value made only of
        # dots is resolved by `urljoin` as a relative dot-segment rather than
        # a path parameter; confirm callers only pass configured IdP ids.
        idp_path_segment = urllib.parse.quote(idp_id, safe="", encoding="utf8")

        # The trailing slash on the base keeps `urljoin` from dropping the
        # final `redirect` segment when the relative part is joined on.
        return urljoin(
            f"{redirect_endpoint}/",
            f"{idp_path_segment}?{query_string}",
        )