From 881f49852fd61af3939d2ca834c50d3e655b115a Mon Sep 17 00:00:00 2001
From: Sebastian Hugentobler
Date: Fri, 11 Dec 2020 10:07:43 +0100
Subject: [PATCH] try oidc provider

---
 README.md | 66 ++-
 rootfs/etc/confd/templates/server.yaml.tmpl | 527 ++++++++++++------
 .../nextcloud_oicd_mapping_provider.py | 22 +
 3 files changed, 434 insertions(+), 181 deletions(-)
 create mode 100644 rootfs/usr/lib/python3.8/site-packages/nextcloud_oicd_mapping_provider.py

diff --git a/README.md b/README.md
index a34c285..dc039ab 100644
--- a/README.md
+++ b/README.md
@@ -65,17 +65,63 @@ Whether to generate new thumbnails on the fly to precisely match the resolution ## REGISTRATIONS - default: [] -Comma seperated list of registration files to load. +Semi colon seperated list of registration files to load. -Whether to report statistics. +## OIDC_ENABLED +- default: false + +Whether to enable authorization against an OpenID Connect server. + +## OIDC_DISCOVER +- default: true + +Whether to use the OIDC discovery mechanism to discover endpoints. + +## OIDC_ISSUER +The OIDC issuer. Used to validate tokens and (if discovery is enabled) to discover the provider's endpoints. + +## OIDC_CLIENT_ID +oauth2 client id. + +## OIDC_CLIENT_SECRET +oauth2 client secret. + +## OIDC_SCOPES +- default: "\"openid\"" + +Comma separated list of scopes to request. + +## OIDC_AUTH_ENDPOINT +oauth2 authorization endpoint. Required if provider discovery is disabled. + +## OIDC_TOKEN_ENDPOINT +oauth2 token endpoint. Required if provider discovery is disabled. + +## OIDC_USERINFO_ENDPOINT +OIDC userinfo endpoint. Required if discovery is disabled and the "openid" scope +is not requested. + +## OIDC_JWKS_URI +URI where to fetch the JWKS. Required if discovery is disabled and the "openid" +scope is used. + +## OIDC_MAPPING_PROVIDER +- default: synapse.handlers.oidc_handler.JinjaOidcMappingProvider + +Python module for mapping attributes returned from a OIDC provider onto a matrix +user. + +## OIDC_ALLOW_EXISTING_USER +- default: false + +Whether to allow a user logging in via OIDC to match a pre-existing account +instead of failing. + +## SSO_CLIENT_WHITELIST +- default: [] + +A semi colon separated list of client URLs which are whitelisted so that the user does not have to +confirm giving access to their account to the URL. # Ports - 8008 - -# Capabilities -- CHOWN -- DAC_OVERRIDE -- FOWNER -- NET_BIND_SERVICE -- SETGID -- SETUID 
diff --git a/rootfs/etc/confd/templates/server.yaml.tmpl b/rootfs/etc/confd/templates/server.yaml.tmpl index f51f30b..182e9fe 100644 --- a/rootfs/etc/confd/templates/server.yaml.tmpl +++ b/rootfs/etc/confd/templates/server.yaml.tmpl @@ -1,17 +1,3 @@ -# This file is maintained as an up-to-date snapshot of the default -# homeserver.yaml configuration generated by Synapse. -# -# It is intended to act as a reference for the default configuration, -# helping admins keep track of new options and other changes, and compare -# their configs with the current default. As such, many of the actual -# config values shown are placeholders. -# -# It is *not* intended to be copied and used as the basis for a real -# homeserver.yaml. Instead, if you are starting from scratch, please generate -# a fresh config using Synapse by following the instructions in INSTALL.md. - -################################################################################ - # Configuration file for Synapse. # # This is a YAML file: see [1] for a quick introduction. Note in particular 
@@ -22,10 +8,23 @@ ## Server ## -# The domain name of the server, with optional explicit port. -# This is used by remote servers to connect to this server, -# e.g. matrix.org, localhost:8080, etc. -# This is also the last part of your UserID. +# The public-facing domain of the server +# +# The server_name name will appear at the end of usernames and room addresses +# created on this server. For example if the server_name was example.com, +# usernames on this server would be in the format @user:example.com +# +# In most cases you should avoid using a matrix specific subdomain such as +# matrix.example.com or synapse.example.com as the server_name for the same +# reasons you wouldn't use user@email.example.com as your email address. +# See https://github.com/matrix-org/synapse/blob/master/docs/delegate.md +# for information on how to host Synapse on a subdomain while preserving +# a clean server_name. +# +# The server_name cannot be changed later so it is important to +# configure this correctly before you start Synapse. It should be all +# lowercase and may contain an explicit port. +# Examples: matrix.org, localhost:8080 # server_name: "{{getenv "SERVER_NAME"}}" @@ -95,7 +94,7 @@ use_presence: true # For example, for room version 1, default_room_version should be set # to "1". # -#default_room_version: "5" +#default_room_version: "6" # The GC threshold parameters to pass to `gc.set_threshold`, if defined # @@ -314,6 +313,10 @@ limit_remote_rooms: # #complexity_error: "This room is too complex." + # allow server admins to join complex rooms. Default is false. + # + #admins_can_join: true + # Whether to require a user to be in the room to add an alias to it. # Defaults to 'true'. # 
@@ -363,11 +366,10 @@ retention: # min_lifetime: 1d # max_lifetime: 1y - # Retention policy limits. If set, a user won't be able to send a - # 'm.room.retention' event which features a 'min_lifetime' or a 'max_lifetime' - # that's not within this range. This is especially useful in closed federations, - # in which server admins can make sure every federating server applies the same - # rules. + # Retention policy limits. If set, and the state of a room contains a + # 'm.room.retention' event in its state which contains a 'min_lifetime' or a + # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy + # to these limits when running purge jobs. # #allowed_lifetime_min: 1d #allowed_lifetime_max: 1y @@ -393,12 +395,19 @@ retention: # (e.g. every 12h), but not want that purge to be performed by a job that's # iterating over every room it knows, which could be heavy on the server. # + # If any purge job is configured, it is strongly recommended to have at least + # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime' + # set, or one job without 'shortest_max_lifetime' and one job without + # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if + # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a + # room's policy to these values is done after the policies are retrieved from + # Synapse's database (which is done using the range specified in a purge job's + # configuration). + # #purge_jobs: - # - shortest_max_lifetime: 1d - # longest_max_lifetime: 3d + # - longest_max_lifetime: 3d # interval: 12h # - shortest_max_lifetime: 3d - # longest_max_lifetime: 1y # interval: 1d # Inhibits the /requestToken endpoints from returning an error that might leak 
@@ -411,6 +420,24 @@ retention: # #request_token_inhibit_3pid_errors: true +# A list of domains that the domain portion of 'next_link' parameters +# must match. +# +# This parameter is optionally provided by clients while requesting +# validation of an email or phone number, and maps to a link that +# users will be automatically redirected to after validation +# succeeds. Clients can make use this parameter to aid the validation +# process. +# +# The whitelist is applied whether the homeserver or an +# identity server is handling validation. +# +# The default value is no whitelist functionality; all domains are +# allowed. Setting this value to an empty list will instead disallow +# all domains. +# +#next_link_domain_whitelist: ["matrix.org"] + ## TLS ## @@ -426,11 +453,11 @@ retention: # instance, if using certbot, use `fullchain.pem` as your certificate, # not `cert.pem`). # -#tls_certificate_path: "CONFDIR/SERVERNAME.tls.crt" +#tls_certificate_path: "/my.domain.name.tls.crt" # PEM-encoded private key for TLS # -#tls_private_key_path: "CONFDIR/SERVERNAME.tls.key" +#tls_private_key_path: "/my.domain.name.tls.key" # Whether to verify TLS server certificates for outbound federation requests. # @@ -547,7 +574,7 @@ acme: # # If unspecified, we will use CONFDIR/client.key. # - account_key_file: DATADIR/acme_account.key + account_key_file: /acme_account.key # List of allowed TLS fingerprints for this server to publish along # with the signing keys for this server. Other matrix servers that @@ -577,6 +604,7 @@ acme: #tls_fingerprints: [{"sha256": ""}] +## Federation ## # Restrict federation to the following whitelist of domains. # N.B. we recommend also firewalling your federation listener to limit 
@@ -610,6 +638,17 @@ federation_ip_range_blacklist: - 'fe80::/64' - 'fc00::/7' +# Report prometheus metrics on the age of PDUs being sent to and received from +# the following domains. This can be used to give an idea of "delay" on inbound +# and outbound federation, though be aware that any delay can be due to problems +# at either end or with the intermediate network. +# +# By default, no domains are monitored in this way. +# +#federation_metrics_domains: +# - matrix.org +# - example.com + ## Caching ## @@ -622,7 +661,7 @@ federation_ip_range_blacklist: # The number of events to cache in memory. Not affected by # caches.global_factor. # -event_cache_size: 10K +#event_cache_size: 10K caches: # Controls the global cache factor, which is the default cache factor @@ -734,6 +773,10 @@ log_config: "/var/lib/matrix-synapse/log.config" # - one for ratelimiting redactions by room admins. If this is not explicitly # set then it uses the same ratelimiting as per rc_message. This is useful # to allow room admins to deal with abuse quickly. +# - two for ratelimiting number of rooms a user can join, "local" for when +# users are joining rooms the server is already in (this is cheap) vs +# "remote" for when users are trying to join rooms not on the server (which +# can be more expensive) # # The defaults are as shown below. # @@ -759,6 +802,14 @@ log_config: "/var/lib/matrix-synapse/log.config" #rc_admin_redaction: # per_second: 1 # burst_count: 50 +# +#rc_joins: +# local: +# per_second: 0.1 +# burst_count: 3 +# remote: +# per_second: 0.01 +# burst_count: 3 # Ratelimiting settings for incoming federation 
@@ -987,11 +1038,11 @@ url_preview_accept_language: # The public URIs of the TURN server to give to clients # -turn_uris: [{{getenv "TURN_URIS" "[]"}}] +#turn_uris: [{{getenv "TURN_URIS" ""}}] # The shared secret used to compute passwords for the TURN server # -turn_shared_secret: "{{getenv "TURN_SHARED_SECRET"}}" +#turn_shared_secret: "{{getenv "TURN_SHARED_SECRET"}}" # The Username and password if the TURN server needs them and # does not use a token @@ -1124,7 +1175,7 @@ account_validity: # If set, allows registration of standard or admin accounts by anyone who # has the shared secret, even if registration is otherwise disabled. # -#registration_shared_secret: +registration_shared_secret: "BdTL~rq@=X1B#WKaj;U*oP,Bjz8MM7oolJE*8qN@xB4cwCL#EQ" # Set the number of bcrypt rounds used to generate password hash. # Larger numbers increase the work factor needed to generate the hash. @@ -1148,24 +1199,6 @@ account_validity: # default_identity_server: https://matrix.org -# The list of identity servers trusted to verify third party -# identifiers by this server. -# -# Also defines the ID server which will be called when an account is -# deactivated (one will be picked arbitrarily). -# -# Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity -# server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a -# background migration script, informing itself that the identity server all of its -# 3PIDs have been bound to is likely one of the below. -# -# As of Synapse v1.4.0, all other functionality of this option has been deprecated, and -# it is now solely used for the purposes of the background migration script, and can be -# removed once it has run. -#trusted_third_party_id_servers: -# - matrix.org -# - vector.im - # Handle threepid (email/phone etc) registration and password resets through a set of # *trusted* identity servers. Note that this allows the configured identity server to # reset passwords for accounts! 
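Review bot: The `registration_shared_secret:` line in the `@@ -1124,7 +1175,7 @@` hunk commits a literal secret into a template that ships inside the image, so every deployment built from it shares one value that now sits in git history; per the comment directly above it, that value alone permits registering standard or admin accounts even when registration is otherwise disabled. Treat the committed value as exposed and rotate it on any server already running this template. Source it from the environment like the other settings in this file, e.g. `registration_shared_secret: "{{getenv "REGISTRATION_SHARED_SECRET"}}"` (wrapped in an `{{if getenv ...}}` so an unset variable does not produce an empty secret), or keep the line commented out as the upstream sample does.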
@@ -1175,8 +1208,9 @@ default_identity_server: https://matrix.org # email will be globally disabled. # # Additionally, if `msisdn` is not set, registration and password resets via msisdn -# will be disabled regardless. This is due to Synapse currently not supporting any -# method of sending SMS messages on its own. +# will be disabled regardless, and users will not be able to associate an msisdn +# identifier to their account. This is due to Synapse currently not supporting +# any method of sending SMS messages on its own. # # To enable using an identity server for operations regarding a particular third-party # identifier type, set the value to the URL of that identity server as shown in the @@ -1321,7 +1355,7 @@ metrics_flags: # Whether or not to report anonymized homeserver usage statistics. # -report_stats: true +report_stats: false # The endpoint to report the anonymized homeserver usage statistics to. # Defaults to https://matrix.org/report-usage-stats/push @@ -1350,7 +1384,6 @@ app_service_config_files: {{if not (getenv "REGISTRATIONS")}}[]{{end}} {{end}} {{end}} - # Uncomment to enable tracking of application service IP addresses. Implicitly # enables MAU tracking for application service users. # 
@@ -1454,16 +1487,22 @@ suppress_key_server_warning: true ## Single sign-on integration ## +# The following settings can be used to make Synapse use a single sign-on +# provider for authentication, instead of its internal password database. +# +# You will probably also want to set the following options to `false` to +# disable the regular login/registration flows: +# * enable_registration +# * password_config.enabled +# +# You will also want to investigate the settings under the "sso" configuration +# section below. + # Enable SAML2 for registration and login. Uses pysaml2. # # At least one of `sp_config` or `config_path` must be set in this section to # enable SAML login. # -# (You will probably also want to set the following options to `false` to -# disable the regular login/registration flows: -# * enable_registration -# * password_config.enabled -# # Once SAML support is enabled, a metadata file will be exposed at # https://:/_matrix/saml2/metadata.xml, which you may be able to # use to configure your SAML IdP with. Alternatively, you can manually configure 
@@ -1478,45 +1517,75 @@ saml2_config: # so it is not normally necessary to specify them unless you need to # override them. # - #sp_config: - # # point this to the IdP's metadata. You can use either a local file or - # # (preferably) a URL. - # metadata: - # #local: ["saml2/idp.xml"] - # remote: - # - url: https://our_idp/metadata.xml - # - # # By default, the user has to go to our login page first. If you'd like - # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a - # # 'service.sp' section: - # # - # #service: - # # sp: - # # allow_unsolicited: true - # - # # The examples below are just used to generate our metadata xml, and you - # # may well not need them, depending on your setup. Alternatively you - # # may need a whole lot more detail - see the pysaml2 docs! - # - # description: ["My awesome SP", "en"] - # name: ["Test SP", "en"] - # - # organization: - # name: Example com - # display_name: - # - ["Example co", "en"] - # url: "http://example.com" - # - # contact_person: - # - given_name: Bob - # sur_name: "the Sysadmin" - # email_address": ["admin@example.com"] - # contact_type": technical + sp_config: + # Point this to the IdP's metadata. You must provide either a local + # file via the `local` attribute or (preferably) a URL via the + # `remote` attribute. + # + #metadata: + # local: ["saml2/idp.xml"] + # remote: + # - url: https://our_idp/metadata.xml + + # Allowed clock difference in seconds between the homeserver and IdP. + # + # Uncomment the below to increase the accepted time difference from 0 to 3 seconds. + # + #accepted_time_diff: 3 + + # By default, the user has to go to our login page first. If you'd like + # to allow IdP-initiated login, set 'allow_unsolicited: true' in a + # 'service.sp' section: + # + #service: + # sp: + # allow_unsolicited: true + + # The examples below are just used to generate our metadata xml, and you + # may well not need them, depending on your setup. 
Alternatively you + # may need a whole lot more detail - see the pysaml2 docs! + + #description: ["My awesome SP", "en"] + #name: ["Test SP", "en"] + + #ui_info: + # display_name: + # - lang: en + # text: "Display Name is the descriptive name of your service." + # description: + # - lang: en + # text: "Description should be a short paragraph explaining the purpose of the service." + # information_url: + # - lang: en + # text: "https://example.com/terms-of-service" + # privacy_statement_url: + # - lang: en + # text: "https://example.com/privacy-policy" + # keywords: + # - lang: en + # text: ["Matrix", "Element"] + # logo: + # - lang: en + # text: "https://example.com/logo.svg" + # width: "200" + # height: "80" + + #organization: + # name: Example com + # display_name: + # - ["Example co", "en"] + # url: "http://example.com" + + #contact_person: + # - given_name: Bob + # sur_name: "the Sysadmin" + # email_address": ["admin@example.com"] + # contact_type": technical # Instead of putting the config inline as above, you can specify a # separate pysaml2 configuration file: # - #config_path: "CONFDIR/sp_conf.py" + #config_path: "//sp_conf.py" # The lifetime of a SAML session. This defines how long a user has to # complete the authentication process, if allow_unsolicited is unset. 
@@ -1575,67 +1644,60 @@ saml2_config: # #grandfathered_mxid_source_attribute: upn - # Directory in which Synapse will try to find the template files below. - # If not set, default templates from within the Synapse package will be used. + # It is possible to configure Synapse to only allow logins if SAML attributes + # match particular values. The requirements can be listed under + # `attribute_requirements` as shown below. All of the listed attributes must + # match for the login to be permitted. # - # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. - # If you *do* uncomment it, you will need to make sure that all the templates - # below are in the directory. + #attribute_requirements: + # - attribute: userGroup + # value: "staff" + # - attribute: department + # value: "sales" + + # If the metadata XML contains multiple IdP entities then the `idp_entityid` + # option must be set to the entity to redirect users to. # - # Synapse will look for the following templates in this directory: + # Most deployments only have a single IdP entity and so should omit this + # option. # - # * HTML page to display to users if something goes wrong during the - # authentication process: 'saml_error.html'. - # - # When rendering, this template is given the following variables: - # * code: an HTML error code corresponding to the error that is being - # returned (typically 400 or 500) - # - # * msg: a textual message describing the error. - # - # The variables will automatically be HTML-escaped. - # - # You can see the default templates at: - # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates - # - #template_dir: "res/templates" + #idp_entityid: 'https://our_idp/entityid' -# OpenID Connect integration. The following settings can be used to make Synapse -# use an OpenID Connect Provider for authentication, instead of its internal -# password database. +# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login. 
# -# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md. +# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md +# for some example configurations. # oidc_config: # Uncomment the following to enable authorization against an OpenID Connect # server. Defaults to false. # - #enabled: true + enabled: "{{getenv "OIDC_ENABLED" "false"}}" # Uncomment the following to disable use of the OIDC discovery mechanism to # discover endpoints. Defaults to true. # - #discover: false + discover: "{{getenv "OIDC_DISCOVER" "true"}}" # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to # discover the provider's endpoints. # # Required if 'enabled' is true. # - #issuer: "https://accounts.example.com/" + issuer: "{{getenv "OIDC_ISSUER" "true"}}" # oauth2 client id to use. # # Required if 'enabled' is true. # - #client_id: "provided-by-your-issuer" + client_id: "{{getenv "OIDC_CLIENT_ID"}}" # oauth2 client secret to use. # # Required if 'enabled' is true. # - #client_secret: "provided-by-your-issuer" + client_secret: "{{getenv "OIDC_CLIENT_SECRET"}}" # auth method to use when exchanging the token. # Valid values are 'client_secret_basic' (default), 'client_secret_post' and 
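Review bot: `issuer: "{{getenv "OIDC_ISSUER" "true"}}"` in the `oidc_config` block gives the issuer a default of `"true"`, which looks copied from the `discover` line above it; with `enabled` on and the variable unset, Synapse would attempt discovery and token validation against an issuer named `true` instead of failing with a clear configuration error, so drop the default: `issuer: "{{getenv "OIDC_ISSUER"}}"`. The `enabled` and `discover` values (and `allow_existing_users` in the next hunk) are rendered inside double quotes, which makes them YAML strings rather than booleans; if Synapse tests these values by truthiness, the string `"false"` counts as true and OIDC would come on even with `OIDC_ENABLED=false`. Emit them unquoted, e.g. `enabled: {{getenv "OIDC_ENABLED" "false"}}`, so the YAML loader yields a real boolean. The `oidc_config` block continues past the end of this hunk.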
@@ -1646,25 +1708,25 @@ oidc_config: # list of scopes to request. This should normally include the "openid" scope. # Defaults to ["openid"]. # - #scopes: ["openid", "profile"] + scopes: [{{getenv "OIDC_SCOPES" "\"openid\""}}] # the oauth2 authorization endpoint. Required if provider discovery is disabled. # - #authorization_endpoint: "https://accounts.example.com/oauth2/auth" + authorization_endpoint: "{{getenv "OIDC_AUTH_ENDPOINT"}}" # the oauth2 token endpoint. Required if provider discovery is disabled. # - #token_endpoint: "https://accounts.example.com/oauth2/token" + token_endpoint: "{{getenv "OIDC_TOKEN_ENDPOINT"}}" # the OIDC userinfo endpoint. Required if discovery is disabled and the # "openid" scope is not requested. # - #userinfo_endpoint: "https://accounts.example.com/userinfo" + userinfo_endpoint: "{{getenv "OIDC_USERINFO_ENDPOINT"}}" # URI where to fetch the JWKS. Required if discovery is disabled and the # "openid" scope is used. # - #jwks_uri: "https://accounts.example.com/.well-known/jwks.json" + jwks_uri: "{{getenv "OIDC_JWKS_URI"}}" # Uncomment to skip metadata verification. Defaults to false. # @@ -1674,6 +1736,19 @@ oidc_config: # #skip_verification: true + # Whether to fetch the user profile from the userinfo endpoint. Valid + # values are: "auto" or "userinfo_endpoint". + # + # Defaults to "auto", which fetches the userinfo endpoint if "openid" is included + # in `scopes`. Uncomment the following to always fetch the userinfo endpoint. + # + #user_profile_method: "userinfo_endpoint" + + # Uncomment to allow a user logging in via OIDC to match a pre-existing account instead + # of failing. This could be used if switching from password logins to OIDC. Defaults to false. + # + allow_existing_users: "{{getenv "OIDC_ALLOW_EXISTING_USER", "false"}}" + # An external module can be provided here as a custom solution to mapping # attributes returned from a OIDC provider onto a matrix user. # 
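Review bot: `allow_existing_users: "{{getenv "OIDC_ALLOW_EXISTING_USER", "false"}}"` separates the `getenv` arguments with a comma, which Go text/template (what confd uses to render this file) does not accept as an argument separator, so I believe the whole template fails to render; the `module:` line in the following `@@ -1684,7 +1759,7 @@` hunk has the same comma. Arguments are space separated: `allow_existing_users: {{getenv "OIDC_ALLOW_EXISTING_USER" "false"}}` and `module: "{{getenv "OIDC_MAPPING_PROVIDER" "synapse.handlers.oidc_handler.JinjaOidcMappingProvider"}}"`. The `oidc_config` block starts and ends outside this hunk.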
@@ -1684,7 +1759,7 @@ oidc_config: # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers # for information on implementing a custom mapping provider. # - #module: mapping_provider.OidcMappingProvider + module: "{{getenv "OIDC_MAPPING_PROVIDER", "synapse.handlers.oidc_handler.JinjaOidcMappingProvider"}}" # Custom configuration values for the module. This section will be passed as # a Python dictionary to the user mapping provider module's `parse_config` 
@@ -1707,25 +1782,55 @@ oidc_config: # # This must be configured if using the default mapping provider. # - localpart_template: "user.preferred_username" + localpart_template: "{{ user.preferred_username }}" # Jinja2 template for the display name to set on first login. # # If unset, no displayname will be set. # - #display_name_template: "user.given_name user.last_name" + #display_name_template: "{{ user.given_name }} {{ user.last_name }}" + + # Jinja2 templates for extra attributes to send back to the client during + # login. + # + # Note that these are non-standard and clients will ignore them without modifications. + # + #extra_attributes: + #birthdate: "{{ user.birthdate }}" -# Enable CAS for registration and login. +# Enable Central Authentication Service (CAS) for registration and login. # -#cas_config: -# enabled: true -# server_url: "https://cas-server.com" -# service_url: "https://homeserver.domain.com:8448" -# #displayname_attribute: name -# #required_attributes: -# # name: value +cas_config: + # Uncomment the following to enable authorization against a CAS server. + # Defaults to false. + # + #enabled: true + + # The URL of the CAS authorization endpoint. + # + #server_url: "https://cas-server.com" + + # The public URL of the homeserver. + # + #service_url: "https://homeserver.domain.com:8448" + + # The attribute of the CAS response to use as the display name. + # + # If unset, no displayname will be set. + # + #displayname_attribute: name + + # It is possible to configure Synapse to only allow logins if CAS attributes + # match particular values. All of the keys in the mapping below must exist + # and the values must match the given value. Alternately if the given value + # is None then any value is allowed (the attribute just must exist). + # All of the listed attributes must match for the login to be permitted. 
+ # + #required_attributes: + # userGroup: "staff" + # department: None # Additional settings to use with single-sign on systems such as OpenID Connect, @@ -1748,9 +1853,12 @@ sso: # # By default, this list is empty. # - #client_whitelist: - # - https://riot.im/develop - # - https://my.custom.client/ + client_whitelist: {{if not (getenv "SSO_CLIENT_WHITELIST")}}[]{{end}} + {{- if (getenv "SSO_CLIENT_WHITELIST")}} + {{- range $client := split (getenv "SSO_CLIENT_WHITELIST") ";"}} + - {{ $client -}} + {{end}} + {{end}} # Directory in which Synapse will try to find the template files below. # If not set, default templates from within the Synapse package will be used. @@ -1825,7 +1933,7 @@ sso: # and issued at ("iat") claims are validated if present. # # Note that this is a non-standard login type and client support is -# expected to be non-existant. +# expected to be non-existent. # # See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md. # @@ -1873,7 +1981,7 @@ sso: password_config: # Uncomment to disable password login # - #enabled: false + enabled: {{ not (getenv "OIDC_ENABLED" "false") }} # Uncomment to disable authentication against the local password # database. This is ignored if `enabled` is false, and is only useful @@ -1989,9 +2097,7 @@ email: # Directory in which Synapse will try to find the template files below. # If not set, default templates from within the Synapse package will be used. # - # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. - # If you *do* uncomment it, you will need to make sure that all the templates - # below are in the directory. + # Do not uncomment this setting unless you want to customise the templates. # # Synapse will look for the following templates in this directory: # 
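Review bot: `localpart_template: "{{ user.preferred_username }}"` in the `@@ -1707,25 +1782,55 @@` hunk is a Jinja2 template meant for Synapse, but this file is first rendered by confd as a Go text/template, which will read `{{ user.preferred_username }}` as one of its own actions and, since `user` is not a template function, presumably refuse to render the file at all; the commented `display_name_template` and `birthdate` lines are affected the same way because the template engine does not honour YAML comments. Escape the braces so they survive rendering, e.g. `localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}"`, and do likewise on the two commented lines. That hunk begins on the previous source line.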
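Review bot: `enabled: {{ not (getenv "OIDC_ENABLED" "false") }}` under `password_config` negates a string, and in Go templates any non-empty string is true, so this renders `false` both for `OIDC_ENABLED=true` and for the default `"false"`: password login is switched off in every configuration, which contradicts the README's stated default of OIDC being disabled. Compare the value instead: `enabled: {{ if eq (getenv "OIDC_ENABLED" "false") "true" }}false{{ else }}true{{ end }}`. The `password_config` block continues past this hunk.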
@@ -2004,9 +2110,13 @@ email: # * The contents of password reset emails sent by the homeserver: # 'password_reset.html' and 'password_reset.txt' # - # * HTML pages for success and failure that a user will see when they follow - # the link in the password reset email: 'password_reset_success.html' and - # 'password_reset_failure.html' + # * An HTML page that a user will see when they follow the link in the password + # reset email. The user will be asked to confirm the action before their + # password is reset: 'password_reset_confirmation.html' + # + # * HTML pages for success and failure that a user will see when they confirm + # the password reset flow using the page above: 'password_reset_success.html' + # and 'password_reset_failure.html' # # * The contents of address verification emails sent during registration: # 'registration.html' and 'registration.txt' 
@@ -2125,20 +2235,35 @@ password_providers: -# Clients requesting push notifications can either have the body of -# the message sent in the notification poke along with other details -# like the sender, or just the event ID and room ID (`event_id_only`). -# If clients choose the former, this option controls whether the -# notification request includes the content of the event (other details -# like the sender are still included). For `event_id_only` push, it -# has no effect. -# -# For modern android devices the notification content will still appear -# because it is loaded by the app. iPhone, however will send a -# notification saying only that a message arrived and who it came from. -# -#push: -# include_content: true +## Push ## + +push: + # Clients requesting push notifications can either have the body of + # the message sent in the notification poke along with other details + # like the sender, or just the event ID and room ID (`event_id_only`). + # If clients choose the former, this option controls whether the + # notification request includes the content of the event (other details + # like the sender are still included). For `event_id_only` push, it + # has no effect. + # + # For modern android devices the notification content will still appear + # because it is loaded by the app. iPhone, however will send a + # notification saying only that a message arrived and who it came from. + # + # The default value is "true" to include message details. Uncomment to only + # include the event ID and room ID in push notification payloads. + # + #include_content: false + + # When a push notification is received, an unread count is also sent. + # This number can either be calculated as the number of unread messages + # for the user, or the number of *rooms* the user has unread messages in. + # + # The default value is "true", meaning push clients will see the number of + # rooms with unread messages in them. Uncomment to instead send the number + # of unread messages. 
+ # + #group_unread_count_by_room: false # Spam checkers are third-party modules that can block specific actions @@ -2171,7 +2296,7 @@ spam_checker: # Note that this option will only affect rooms created after it is set. It # will also not affect rooms created by other servers. # -encryption_enabled_by_default_for_room_type: "off" +#encryption_enabled_by_default_for_room_type: invite # Uncomment to allow non-server-admin users to create groups on this server @@ -2339,7 +2464,7 @@ encryption_enabled_by_default_for_room_type: "off" # # Options for the rules include: # -# user_id: Matches agaisnt the creator of the alias +# user_id: Matches against the creator of the alias # room_id: Matches against the room ID being published # alias: Matches against any current local or canonical aliases # associated with the room @@ -2369,7 +2494,7 @@ encryption_enabled_by_default_for_room_type: "off" ## Opentracing ## -# These settings enable opentracing, which im plements distributed tracing. +# These settings enable opentracing, which implements distributed tracing. # This allows you to observe the causal chains of events across servers # including requests, key lookups etc., across any server running # synapse or any other other services which supports opentracing @@ -2385,7 +2510,7 @@ opentracing: # This is a list of regexes which are matched against the server_name of the # homeserver. # - # By defult, it is empty, so no servers are matched. + # By default, it is empty, so no servers are matched. # #homeserver_whitelist: # - ".*" 
@@ -2405,3 +2530,63 @@ opentracing: # # logging: # false + + +## Workers ## + +# Disables sending of outbound federation transactions on the main process. +# Uncomment if using a federation sender worker. +# +#send_federation: false + +# It is possible to run multiple federation sender workers, in which case the +# work is balanced across them. +# +# This configuration must be shared between all federation sender workers, and if +# changed all federation sender workers must be stopped at the same time and then +# started, to ensure that all instances are running with the same config (otherwise +# events may be dropped). +# +#federation_sender_instances: +# - federation_sender1 + +# When using workers this should be a map from `worker_name` to the +# HTTP replication listener of the worker, if configured. +# +#instance_map: +# worker1: +# host: localhost +# port: 8034 + +# Experimental: When using workers you can define which workers should +# handle event persistence and typing notifications. Any worker +# specified here must also be in the `instance_map`. +# +#stream_writers: +# events: worker1 +# typing: worker1 + +# The worker that is used to run background tasks (e.g. cleaning up expired +# data). If not provided this defaults to the main process. +# +#run_background_tasks_on: worker1 + + +# Configuration for Redis when using workers. This *must* be enabled when +# using workers (unless using old style direct TCP configuration). +# +redis: + # Uncomment the below to enable Redis support. + # + #enabled: true + + # Optional host and port to use to connect to redis. Defaults to + # localhost and 6379 + # + #host: localhost + #port: 6379 + + # Optional password if configured on the Redis instance + # + #password: + diff --git a/rootfs/usr/lib/python3.8/site-packages/nextcloud_oicd_mapping_provider.py b/rootfs/usr/lib/python3.8/site-packages/nextcloud_oicd_mapping_provider.py new file mode 100644 index 0000000..7a4ab5c --- /dev/null 
+++ b/rootfs/usr/lib/python3.8/site-packages/nextcloud_oicd_mapping_provider.py
@@ -0,0 +1,22 @@
+from synapse.handlers.oidc_handler import OidcMappingProvider
+
+
+class NextcloudOidcMappingProvider(OidcMappingProvider):
+ def __init__(self, config):
+ self._config = config
+
+ @staticmethod
+ def parse_config(config):
+ return {}
+
+ def get_remote_user_id(self, userinfo):
+ return userinfo["ocs"]["data"]["id"]
+
+ async def map_user_attributes(self, userinfo, token):
+ localpart = userinfo["ocs"]["data"]["id"]
+ display_name = userinfo["ocs"]["data"]["display-name"]
+ return {"localpart": localpart, "display_name": display_name}
+
+ async def get_extra_attributes(self, userinfo, token):
+ extras = {}
+ return extras
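Review bot: `map_user_attributes` copies the Nextcloud user id straight into `localpart`; Synapse accepts only a restricted character set for localparts, so an id containing uppercase or other characters would make the login fail after the user has already authenticated at the provider. Normalising it, e.g. `localpart = map_username_to_mxid_localpart(userinfo["ocs"]["data"]["id"])` using `map_username_to_mxid_localpart` from `synapse.types` (if the installed Synapse provides it), avoids that, while `get_remote_user_id` should keep returning the raw id so the stored external id stays stable. A userinfo response without `ocs.data` or `display-name` currently raises a bare `KeyError`; raising `MappingException` from `synapse.handlers.oidc_handler` is the documented way for a provider to reject a response. The class also lacks a docstring; a one-liner such as `"""Map a Nextcloud OCS userinfo document onto a Matrix user."""` would help the next maintainer.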