Replace trust_identity_server_for_password_resets with account_threepid_delegate

changelog.d/5876.misc

@@ -0,0 +1 @@
+Replace `trust_identity_server_for_password_resets` config option with `account_threepid_delegate`.

docs/sample_config.yaml

@@ -894,6 +894,25 @@ uploads_path: "DATADIR/uploads"
 #  - matrix.org
 #  - vector.im
 
+# Handle threepid (email/phone etc) registration and password resets
+# through an identity server. Only change if you know what you are
+# doing
+#
+# IMPORTANT! This will give a malicious or overtaken identity server
+# the ability to reset passwords for your users and/or learn your
+# user's email/phone numbers! Make absolutely sure that you want to do
+# this! It is strongly recommended that these messages be sent by the
+# homeserver instead
+#
+# If this option is an empty string and SMTP options have not been
+# configured, registration by email and resetting user passwords via
+# email will be disabled
+#
+# Otherwise, to enable set this option to the reachable domain name, including protocol
+# definition, for an identity server (e.g "https://matrix.org")
+#
+#account_threepid_delegate: ""
+
 # Users who register on this homeserver will automatically be joined
 # to these rooms
 #
@@ -1155,19 +1174,6 @@ password_config:
 #   #
 #   riot_base_url: "http://localhost/riot"
 #
-#   # Enable sending password reset emails via the configured, trusted
-#   # identity servers
-#   #
-#   # IMPORTANT! This will give a malicious or overtaken identity server
-#   # the ability to reset passwords for your users! Make absolutely sure
-#   # that you want to do this! It is strongly recommended that password
-#   # reset emails be sent by the homeserver instead
-#   #
-#   # If this option is set to false and SMTP options have not been
-#   # configured, resetting user passwords via email will be disabled
-#   #
-#   #trust_identity_server_for_password_resets: false
-#
 #   # Configure the time that a validation email or text message code
 #   # will expire after sending
 #   #

synapse/config/emailconfig.py

@@ -74,19 +74,33 @@ def read_config(self, config, **kwargs):
             "renew_at"
         )
 
-        email_trust_identity_server_for_password_resets = email_config.get(
-            "trust_identity_server_for_password_resets", False
+        self.email_threepid_behaviour = (
+            # Have Synapse handle the email sending if account_threepid_delegate
+            # is not defined
+            "remote"
+            if self.account_threepid_delegate
+            else "local"
         )
-        self.email_password_reset_behaviour = (
-            "remote" if email_trust_identity_server_for_password_resets else "local"
-        )
-        self.password_resets_were_disabled_due_to_email_config = False
-        if self.email_password_reset_behaviour == "local" and email_config == {}:
+        # Prior to Synapse v1.4.0, there used to be another option that defined whether Synapse
+        # would use an identity server to password reset tokens on its behalf. We now warn the
+        # user if they have this set and tell them to use the updated option.
+        # TODO: Eventually we want to remove the functionality of having an identity server
+        #  send tokens on behalf of the homeserver. At that point, we should remove this check
+        if config.get("trust_identity_server_for_password_resets", False) is True:
+            raise ConfigError(
+                'The config option "trust_identity_server_for_password_resets" '
+                'has been replaced by "account_threepid_delegate". Please '
+                "consult the default config at docs/sample_config.yaml for "
+                "details and update your config file."
+            )
+
+        self.local_threepid_emails_disabled_due_to_config = False
+        if self.email_threepid_behaviour == "local" and email_config == {}:
             # We cannot warn the user this has happened here
             # Instead do so when a user attempts to reset their password
-            self.password_resets_were_disabled_due_to_email_config = True
+            self.local_threepid_emails_disabled_due_to_config = True
 
-            self.email_password_reset_behaviour = "off"
+            self.email_threepid_behaviour = "off"
 
         # Get lifetime of a validation token in milliseconds
         self.email_validation_token_lifetime = self.parse_duration(
@@ -96,7 +110,7 @@ def read_config(self, config, **kwargs):
         if (
             self.email_enable_notifs
             or account_validity_renewal_enabled
-            or self.email_password_reset_behaviour == "local"
+            or self.email_threepid_behaviour == "local"
         ):
             # make sure we can import the required deps
             import jinja2
@@ -106,7 +120,7 @@ def read_config(self, config, **kwargs):
             jinja2
             bleach
 
-        if self.email_password_reset_behaviour == "local":
+        if self.email_threepid_behaviour == "local":
             required = ["smtp_host", "smtp_port", "notif_from"]
 
             missing = []
@@ -239,19 +253,6 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
         #   #
         #   riot_base_url: "http://localhost/riot"
         #
-        #   # Enable sending password reset emails via the configured, trusted
-        #   # identity servers
-        #   #
-        #   # IMPORTANT! This will give a malicious or overtaken identity server
-        #   # the ability to reset passwords for your users! Make absolutely sure
-        #   # that you want to do this! It is strongly recommended that password
-        #   # reset emails be sent by the homeserver instead
-        #   #
-        #   # If this option is set to false and SMTP options have not been
-        #   # configured, resetting user passwords via email will be disabled
-        #   #
-        #   #trust_identity_server_for_password_resets: false
-        #
         #   # Configure the time that a validation email or text message code
         #   # will expire after sending
         #   #

synapse/config/registration.py

@@ -99,6 +99,7 @@ def read_config(self, config, **kwargs):
         self.trusted_third_party_id_servers = config.get(
             "trusted_third_party_id_servers", ["matrix.org", "vector.im"]
         )
+        self.account_threepid_delegate = config.get("account_threepid_delegate")
         self.default_identity_server = config.get("default_identity_server")
         self.allow_guest_access = config.get("allow_guest_access", False)
 
@@ -261,6 +262,25 @@ def generate_config_section(self, generate_secrets=False, **kwargs):
         #  - matrix.org
         #  - vector.im
 
+        # Handle threepid (email/phone etc) registration and password resets
+        # through an identity server. Only change if you know what you are
+        # doing
+        #
+        # IMPORTANT! This will give a malicious or overtaken identity server
+        # the ability to reset passwords for your users and/or learn your
+        # user's email/phone numbers! Make absolutely sure that you want to do
+        # this! It is strongly recommended that these messages be sent by the
+        # homeserver instead
+        #
+        # If this option is an empty string and SMTP options have not been
+        # configured, registration by email and resetting user passwords via
+        # email will be disabled
+        #
+        # Otherwise, to enable set this option to the reachable domain name, including protocol
+        # definition, for an identity server (e.g "https://matrix.org")
+        #
+        #account_threepid_delegate: ""
+
         # Users who register on this homeserver will automatically be joined
         # to these rooms
         #

synapse/handlers/auth.py

@@ -458,12 +458,9 @@ def _check_threepid(self, medium, authdict, password_servlet=False, **kwargs):
         identity_handler = self.hs.get_handlers().identity_handler
 
         logger.info("Getting validated threepid. threepidcreds: %r", (threepid_creds,))
-        if (
-            not password_servlet
-            or self.hs.config.email_password_reset_behaviour == "remote"
-        ):
+        if not password_servlet or self.hs.config.email_threepid_behaviour == "remote":
             threepid = yield identity_handler.threepid_from_creds(threepid_creds)
-        elif self.hs.config.email_password_reset_behaviour == "local":
+        elif self.hs.config.email_threepid_behaviour == "local":
             row = yield self.store.get_threepid_validation_session(
                 medium,
                 threepid_creds["client_secret"],

synapse/handlers/identity.py

@@ -23,12 +23,7 @@
 
 from twisted.internet import defer
 
-from synapse.api.errors import (
-    CodeMessageException,
-    Codes,
-    HttpResponseException,
-    SynapseError,
-)
+from synapse.api.errors import CodeMessageException, HttpResponseException, SynapseError
 
 from ._base import BaseHandler
 
@@ -227,14 +222,19 @@ def try_unbind_threepid_with_id_server(self, mxid, threepid, id_server):
         return changed
 
     @defer.inlineCallbacks
-    def requestEmailToken(
-        self, id_server, email, client_secret, send_attempt, next_link=None
-    ):
-        if not self._should_trust_id_server(id_server):
-            raise SynapseError(
-                400, "Untrusted ID server '%s'" % id_server, Codes.SERVER_NOT_TRUSTED
-            )
-
+    def requestEmailToken(self, email, client_secret, send_attempt, next_link=None, **kwargs):
+        """
+        Request an external server send an email on our behalf for the purposes of threepid
+        validation.
+        Args:
+            email (str): The email to send the message to
+            client_secret (str): The unique client_secret sends by the user
+            send_attempt (int): Which attempt this is
+            next_link: A link to redirect the user to once they submit the token
+            kwargs: extra arguments to send to the server
+        Returns:
+            The json response body from the server
+        """
         params = {
             "email": email,
             "client_secret": client_secret,
@@ -245,9 +245,9 @@ def requestEmailToken(
             params.update({"next_link": next_link})
 
         try:
+            id_server = self.hs.config.account_threepid_delegate
             data = yield self.http_client.post_json_get_json(
-                "https://%s%s"
-                % (id_server, "/_matrix/identity/api/v1/validate/email/requestToken"),
+                id_server + "/_matrix/identity/api/v1/validate/email/requestToken",
                 params,
             )
             return data
@@ -257,13 +257,20 @@ def requestEmailToken(
 
     @defer.inlineCallbacks
     def requestMsisdnToken(
-        self, id_server, country, phone_number, client_secret, send_attempt, **kwargs
+        self, country, phone_number, client_secret, send_attempt, **kwargs
     ):
-        if not self._should_trust_id_server(id_server):
-            raise SynapseError(
-                400, "Untrusted ID server '%s'" % id_server, Codes.SERVER_NOT_TRUSTED
-            )
-
+        """
+        Request an external server send an SMS message on our behalf for the purposes of
+        threepid validation.
+        Args:
+            country (str): The country code of the phone number
+            phone_number (str): The number to send the message to
+            client_secret (str): The unique client_secret sends by the user
+            send_attempt (int): Which attempt this is
+            kwargs: extra arguments to send to the server
+        Returns:
+            The json response body from the server
+        """
         params = {
             "country": country,
             "phone_number": phone_number,
@@ -273,9 +280,9 @@ def requestMsisdnToken(
         params.update(kwargs)
 
         try:
+            id_server = self.hs.config.account_threepid_delegate
             data = yield self.http_client.post_json_get_json(
-                "https://%s%s"
-                % (id_server, "/_matrix/identity/api/v1/validate/msisdn/requestToken"),
+                id_server + "/_matrix/identity/api/v1/validate/msisdn/requestToken",
                 params,
             )
             return data

synapse/rest/client/v2_alpha/account.py

@@ -50,7 +50,7 @@ def __init__(self, hs):
         self.config = hs.config
         self.identity_handler = hs.get_handlers().identity_handler
 
-        if self.config.email_password_reset_behaviour == "local":
+        if self.config.email_threepid_behaviour == "local":
             from synapse.push.mailer import Mailer, load_jinja2_templates
 
             templates = load_jinja2_templates(
@@ -67,7 +67,7 @@ def __init__(self, hs):
 
     @defer.inlineCallbacks
     def on_POST(self, request):
-        if self.config.email_password_reset_behaviour == "off":
+        if self.config.email_threepid_behaviour == "off":
             if self.config.password_resets_were_disabled_due_to_email_config:
                 logger.warn(
                     "User password resets have been disabled due to lack of email config"
@@ -100,7 +100,7 @@ def on_POST(self, request):
         if existingUid is None:
             raise SynapseError(400, "Email not found", Codes.THREEPID_NOT_FOUND)
 
-        if self.config.email_password_reset_behaviour == "remote":
+        if self.config.email_threepid_behaviour == "remote":
             if "id_server" not in body:
                 raise SynapseError(400, "Missing 'id_server' param in body")
 
@@ -249,7 +249,7 @@ def on_GET(self, request, medium):
             raise SynapseError(
                 400, "This medium is currently not supported for password resets"
             )
-        if self.config.email_password_reset_behaviour == "off":
+        if self.config.email_threepid_behaviour == "off":
             if self.config.password_resets_were_disabled_due_to_email_config:
                 logger.warn(
                     "User password resets have been disabled due to lack of email config"