Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Add admin API for logging in as a user #8617

Merged
merged 12 commits into from
Nov 17, 2020
Merged

Add admin API for logging in as a user #8617

merged 12 commits into from
Nov 17, 2020

Conversation

erikjohnston
Copy link
Member

@erikjohnston erikjohnston commented Oct 21, 2020

Based on #8616, #8614. Fixes #6054.

I think reviewing this commit by commit makes the most sense. The PR is a bit large, I'm hesitant to split it up but can do if people struggle.

@erikjohnston erikjohnston force-pushed the erikj/puppet_api branch 2 times, most recently from 7461e43 to 986d03b Compare October 29, 2020 17:52
@erikjohnston erikjohnston requested a review from a team October 30, 2020 11:07
synapse/rest/admin/users.py Outdated Show resolved Hide resolved
if valid_until_ms and not isinstance(valid_until_ms, int):
raise SynapseError(400, "'valid_until_ms' parameter must be an int")

if auth_user.to_string() == user_id:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any case-sensitivity concerns with this comparison?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

User IDs are case sensitive, we fudge it a bit at log in but that's about it. Plus I don't think its the end of the world to puppet it yourself, its just a weird thing to try and do.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well the case sensitivity is only there for backwards compatibility, I think? But yeah I get your point of it not really being an error, just weird.

synapse/rest/admin/users.py Outdated Show resolved Hide resolved
synapse/handlers/message.py Show resolved Hide resolved
synapse/api/auth_blocking.py Outdated Show resolved Hide resolved
Comment on lines 206 to +209
if by_admin:
requester = create_requester(target_user)
requester = create_requester(
target_user, authenticated_entity=requester.authenticated_entity,
)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the caller be updated to pass in a different requester instead of having the by_admin flag?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a bit of an edge case tbh. The original request has kinda the "right" requester, we could fudge it but then it is a bit less clear whether the admin user is using a puppeted token vs authenticating as themselves 🤷

synapse/handlers/register.py Show resolved Hide resolved
Comment on lines +340 to +342
requester = create_requester(
event_dict["sender"], authenticated_entity=self._server_name
)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this gives callers (which might be 3rd party code) significantly increased powers? Maybe in reality that doesn't matter, but thought it was worth calling out.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes 👍, in the sense that they aren't subject to rate limits or MAU limits, which I think is what you'd expect.

tests/rest/admin/test_user.py Outdated Show resolved Hide resolved
Comment on lines 1761 to 1762
# Logging in as the other user and joining a room should work, even
# though they should be denied.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Meaning that the admin can allow this even though it normally wouldn't be allowed? Does this bump the mau to 2?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've rejigged the wording. The MAU limit would stop the real user from joining (or doing other actions) as the server has reached the MAU limit, but the admin user is still allowed to puppet them. The MAU isn't bumped to 2 as we base those off the authenticated entity, which is always the admin user in this case.

@clokep
Copy link
Member

clokep commented Oct 30, 2020

Seems pretty reasonable overall! I think this actually fixes some other oddities now that we can say "the server is doing this"?

@erikjohnston erikjohnston requested a review from clokep November 2, 2020 10:41
@Twi1ightSparkle
Copy link

Will this also allow logging in as @server:homeserver.tld? I understand that this is a bit of a special user?

@anoadragon453
Copy link
Member

Will this also allow logging in as @server:homeserver.tld? I understand that this is a bit of a special user?

I believe this is the auto_join_mxid_localpart user (docs) that you're referring to. Yes, this should allow retrieving an access token for this user if I understand things correctly.

@erikjohnston erikjohnston requested a review from a team November 2, 2020 13:58
Copy link
Member

@clokep clokep left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this looks fine. One thought though -- is there a way to get a list of your access tokens that refer to other accounts? This seems like it would be a useful thing to look up after the fact? (E.g. if you wanted to have an admin API to logout of other access tokens easily.)

if valid_until_ms and not isinstance(valid_until_ms, int):
raise SynapseError(400, "'valid_until_ms' parameter must be an int")

if auth_user.to_string() == user_id:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well the case sensitivity is only there for backwards compatibility, I think? But yeah I get your point of it not really being an error, just weird.

@clokep
Copy link
Member

clokep commented Nov 16, 2020

This will need develop merged as we discussed! 😄

@erikjohnston
Copy link
Member Author

I think this looks fine. One thought though -- is there a way to get a list of your access tokens that refer to other accounts? This seems like it would be a useful thing to look up after the fact? (E.g. if you wanted to have an admin API to logout of other access tokens easily.)

Yeah, probably, though I'm inclined to leave that for now.

@erikjohnston erikjohnston merged commit f737368 into develop Nov 17, 2020
@erikjohnston erikjohnston deleted the erikj/puppet_api branch November 17, 2020 10:51
erikjohnston added a commit that referenced this pull request Nov 18, 2020
This was broken due to #8617 and #8761.
erikjohnston added a commit that referenced this pull request Nov 18, 2020
This was broken due to #8617 and #8761.
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Dec 9, 2020
Synapse 1.24.0 (2020-12-09)
===========================

Due to the two security issues highlighted below, server administrators are
encouraged to update Synapse. We are not aware of these vulnerabilities being
exploited in the wild.

Security advisory
-----------------

The following issues are fixed in v1.23.1 and v1.24.0.

- There is a denial of service attack
  ([CVE-2020-26257](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26257))
  against the federation APIs in which future events will not be correctly sent
  to other servers over federation. This affects all servers that participate in
  open federation. (Fixed in [#8776](matrix-org/synapse#8776)).

- Synapse may be affected by OpenSSL
  [CVE-2020-1971](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971).
  Synapse administrators should ensure that they have the latest versions of
  the cryptography Python package installed.

To upgrade Synapse along with the cryptography package:

* Administrators using the [`matrix.org` Docker
  image](https://hub.docker.com/r/matrixdotorg/synapse/) or the [Debian/Ubuntu
  packages from
  `matrix.org`](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#matrixorg-packages)
  should ensure that they have version 1.24.0 or 1.23.1 installed: these images include
  the updated packages.
* Administrators who have [installed Synapse from
  source](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#installing-from-source)
  should upgrade the cryptography package within their virtualenv by running:
  ```sh
  <path_to_virtualenv>/bin/pip install 'cryptography>=3.3'
  ```
* Administrators who have installed Synapse from distribution packages should
  consult the information from their distributions.

Internal Changes
----------------

- Add a maximum version for pysaml2 on Python 3.5. ([\#8898](matrix-org/synapse#8898))


Synapse 1.24.0rc2 (2020-12-04)
==============================

Bugfixes
--------

- Fix a regression in v1.24.0rc1 which failed to allow SAML mapping providers which were unable to redirect users to an additional page. ([\#8878](matrix-org/synapse#8878))


Internal Changes
----------------

- Add support for the `prometheus_client` newer than 0.9.0. Contributed by Jordan Bancino. ([\#8875](matrix-org/synapse#8875))


Synapse 1.24.0rc1 (2020-12-02)
==============================

Features
--------

- Add admin API for logging in as a user. ([\#8617](matrix-org/synapse#8617))
- Allow specification of the SAML IdP if the metadata returns multiple IdPs. ([\#8630](matrix-org/synapse#8630))
- Add support for re-trying generation of a localpart for OpenID Connect mapping providers. ([\#8801](matrix-org/synapse#8801), [\#8855](matrix-org/synapse#8855))
- Allow the `Date` header through CORS. Contributed by Nicolas Chamo. ([\#8804](matrix-org/synapse#8804))
- Add a config option, `push.group_by_unread_count`, which controls whether unread message counts in push notifications are defined as "the number of rooms with unread messages" or "total unread messages". ([\#8820](matrix-org/synapse#8820))
- Add `force_purge` option to delete-room admin api. ([\#8843](matrix-org/synapse#8843))


Bugfixes
--------

- Fix a bug where appservices may be sent an excessive amount of read receipts and presence. Broke in v1.22.0. ([\#8744](matrix-org/synapse#8744))
- Fix a bug in some federation APIs which could lead to unexpected behaviour if different parameters were set in the URI and the request body. ([\#8776](matrix-org/synapse#8776))
- Fix a bug where synctl could spawn duplicate copies of a worker. Contributed by Waylon Cude. ([\#8798](matrix-org/synapse#8798))
- Allow per-room profiles to be used for the server notice user. ([\#8799](matrix-org/synapse#8799))
- Fix a bug where logging could break after a call to SIGHUP. ([\#8817](matrix-org/synapse#8817))
- Fix `register_new_matrix_user` failing with "Bad Request" when trailing slash is included in server URL. Contributed by @angdraug. ([\#8823](matrix-org/synapse#8823))
- Fix a minor long-standing bug in login, where we would offer the `password` login type if a custom auth provider supported it, even if password login was disabled. ([\#8835](matrix-org/synapse#8835))
- Fix a long-standing bug which caused Synapse to require unspecified parameters during user-interactive authentication. ([\#8848](matrix-org/synapse#8848))
- Fix a bug introduced in v1.20.0 where the user-agent and IP address reported during user registration for CAS, OpenID Connect, and SAML were of the wrong form. ([\#8784](matrix-org/synapse#8784))


Improved Documentation
----------------------

- Clarify the usecase for a msisdn delegate. Contributed by Adrian Wannenmacher. ([\#8734](matrix-org/synapse#8734))
- Remove extraneous comma from JSON example in User Admin API docs. ([\#8771](matrix-org/synapse#8771))
- Update `turn-howto.md` with troubleshooting notes. ([\#8779](matrix-org/synapse#8779))
- Fix the example on how to set the `Content-Type` header in nginx for the Client Well-Known URI. ([\#8793](matrix-org/synapse#8793))
- Improve the documentation for the admin API to list all media in a room with respect to encrypted events. ([\#8795](matrix-org/synapse#8795))
- Update the formatting of the `push` section of the homeserver config file to better align with the [code style guidelines](https://github.com/matrix-org/synapse/blob/develop/docs/code_style.md#configuration-file-format). ([\#8818](matrix-org/synapse#8818))
- Improve documentation how to configure prometheus for workers. ([\#8822](matrix-org/synapse#8822))
- Update example prometheus console. ([\#8824](matrix-org/synapse#8824))


Deprecations and Removals
-------------------------

- Remove old `/_matrix/client/*/admin` endpoints which were deprecated since Synapse 1.20.0. ([\#8785](matrix-org/synapse#8785))
- Disable pretty printing JSON responses for curl. Users who want pretty-printed output should use [jq](https://stedolan.github.io/jq/) in combination with curl. Contributed by @tulir. ([\#8833](matrix-org/synapse#8833))


Internal Changes
----------------

- Simplify the way the `HomeServer` object caches its internal attributes. ([\#8565](matrix-org/synapse#8565), [\#8851](matrix-org/synapse#8851))
- Add an example and documentation for clock skew to the SAML2 sample configuration to allow for clock/time difference between the homserver and IdP. Contributed by @localguru. ([\#8731](matrix-org/synapse#8731))
- Generalise `RoomMemberHandler._locally_reject_invite` to apply to more flows than just invite. ([\#8751](matrix-org/synapse#8751))
- Generalise `RoomStore.maybe_store_room_on_invite` to handle other, non-invite membership events. ([\#8754](matrix-org/synapse#8754))
- Refactor test utilities for injecting HTTP requests. ([\#8757](matrix-org/synapse#8757), [\#8758](matrix-org/synapse#8758), [\#8759](matrix-org/synapse#8759), [\#8760](matrix-org/synapse#8760), [\#8761](matrix-org/synapse#8761), [\#8777](matrix-org/synapse#8777))
- Consolidate logic between the OpenID Connect and SAML code. ([\#8765](matrix-org/synapse#8765))
- Use `TYPE_CHECKING` instead of magic `MYPY` variable. ([\#8770](matrix-org/synapse#8770))
- Add a commandline script to sign arbitrary json objects. ([\#8772](matrix-org/synapse#8772))
- Minor log line improvements for the SSO mapping code used to generate Matrix IDs from SSO IDs. ([\#8773](matrix-org/synapse#8773))
- Add additional error checking for OpenID Connect and SAML mapping providers. ([\#8774](matrix-org/synapse#8774), [\#8800](matrix-org/synapse#8800))
- Add type hints to HTTP abstractions. ([\#8806](matrix-org/synapse#8806), [\#8812](matrix-org/synapse#8812))
- Remove unnecessary function arguments and add typing to several membership replication classes. ([\#8809](matrix-org/synapse#8809))
- Optimise the lookup for an invite from another homeserver when trying to reject it. ([\#8815](matrix-org/synapse#8815))
- Add tests for `password_auth_provider`s. ([\#8819](matrix-org/synapse#8819))
- Drop redundant database index on `event_json`. ([\#8845](matrix-org/synapse#8845))
- Simplify `uk.half-shot.msc2778.login.application_service` login handler. ([\#8847](matrix-org/synapse#8847))
- Refactor `password_auth_provider` support code. ([\#8849](matrix-org/synapse#8849))
- Add missing `ordering` to background database updates. ([\#8850](matrix-org/synapse#8850))
- Allow for specifying a room version when creating a room in unit tests via `RestHelper.create_room_as`. ([\#8854](matrix-org/synapse#8854))
spantaleev added a commit to devture/matrix-corporal that referenced this pull request Jan 16, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Admin API to return an access token for any user of the server
4 participants