From 4e2c562774cb9b213e1177fad67ff0d5f7356e37 Mon Sep 17 00:00:00 2001
From: Daniel Hoffend
Date: Mon, 22 Apr 2019 21:33:43 +0200
Subject: [PATCH 1/6] Added possibilty to disable local password authentication
Signed-off-by: Daniel Hoffend
---
 synapse/config/password.py | 6 ++++++
 synapse/handlers/auth.py | 2 +-
 synapse/handlers/set_password.py | 4 ++++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/synapse/config/password.py b/synapse/config/password.py
index eea59e772ba8..2fa1b48ccece 100644
--- a/synapse/config/password.py
+++ b/synapse/config/password.py
@@ -26,6 +26,7 @@ def read_config(self, config):
 password_config = {}
 self.password_enabled = password_config.get("enabled", True)
+ self.password_localdb_enabled = password_config.get("localdb_enabled", True)
 self.password_pepper = password_config.get("pepper", "")
 def default_config(self, config_dir_path, server_name, **kwargs):
@@ -35,6 +36,11 @@ def default_config(self, config_dir_path, server_name, **kwargs):
 #
 #enabled: false
+ # set to false if you do not want to authenticate
+ # against the local db (when using other password_providers
+ #
+ localdb_enabled: true
+
 # Uncomment and change to a secret random string for extra security.
 # DO NOT CHANGE THIS AFTER INITIAL SETUP!
 #
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index aa5d89a9ac90..6004b40a5544 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -717,7 +717,7 @@ def validate_login(self, username, login_submission):
 result = (result, None)
 defer.returnValue(result)
- if login_type == LoginType.PASSWORD:
+ if login_type == LoginType.PASSWORD and self.hs.config.password_localdb_enabled:
 known_login_type = True
 canonical_user_id = yield self._check_local_password(
diff --git a/synapse/handlers/set_password.py b/synapse/handlers/set_password.py
index 7ecdede4dc00..292077bec490 100644
--- a/synapse/handlers/set_password.py
+++ b/synapse/handlers/set_password.py
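Review bot: In the auth.py hunk, once `password_localdb_enabled` is false a `LoginType.PASSWORD` submission that no password provider accepted leaves `known_login_type` False, so it presumably ends in the same "unknown login type" error used for unsupported types rather than an invalid-credentials error; the tail of validate_login is outside the hunk, so confirm that distinct response is intended, since clients (and anyone probing the endpoint) can observe the difference. A short comment on the changed line would make the intent explicit: `# the local password database is never consulted when localdb_enabled is false`. This hunk only gates validate_login; confirm that any other path which verifies a locally stored password hash (for example user-interactive auth outside the login endpoint) is gated by the same flag, otherwise the "disabled" local database is still an authentication factor there.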
@@ -32,6 +32,10 @@ def __init__(self, hs):
 @defer.inlineCallbacks
 def set_password(self, user_id, newpassword, requester=None):
+ if not self.hs.config.password_localdb_enabled:
+ raise SynapseError(403, "Password change disabled",
+ errcode=Codes.FORBIDDEN)
+
 password_hash = yield self._auth_handler.hash(newpassword)
 except_device_id = requester.device_id if requester else None
From 27e67b822b2490e0d8367e264526eb01a14c233d Mon Sep 17 00:00:00 2001
From: Daniel Hoffend
Date: Mon, 22 Apr 2019 22:07:03 +0200
Subject: [PATCH 2/6] Added changelog for pull request #5092
Signed-off-by: Daniel Hoffend
---
 changelog.d/5092.feature | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 changelog.d/5092.feature
diff --git a/changelog.d/5092.feature b/changelog.d/5092.feature
new file mode 100644
index 000000000000..5bafc0dd1950
--- /dev/null
+++ b/changelog.d/5092.feature
@@ -0,0 +1,6 @@
+Added possibilty to disable local password authentication
+
+I've picked up the old pull requests #3485 and implimented @richvdh comments.
+
+This change allows to disable the local password authentication which is useful
+when password providers are used.
From 7f3d04c770327a9089fe1966c32ff4783459b4b6 Mon Sep 17 00:00:00 2001
From: Daniel Hoffend
Date: Mon, 22 Apr 2019 22:20:21 +0200
Subject: [PATCH 3/6] update sample_config
Signed-off-by: Daniel Hoffend
---
 docs/sample_config.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index ab02e8f20e2e..98b8787e1a19 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -910,6 +910,11 @@ password_config:
 #
 #enabled: false
+ # set to false if you do not want to authenticate
+ # against the local db (when using other password_providers
+ #
+ localdb_enabled: true
+
 # Uncomment and change to a secret random string for extra security.
 # DO NOT CHANGE THIS AFTER INITIAL SETUP!
 #
From e53d896528107643dd94da6a075367b087ec6710 Mon Sep 17 00:00:00 2001
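Review bot: The new guard in set_password references `SynapseError` and `Codes`, neither of which is visible in this hunk; confirm both are already imported in set_password.py, because a missing import would only surface as a NameError at the moment an operator actually sets `localdb_enabled: false`, i.e. exactly when the check is supposed to protect. Raising before `self._auth_handler.hash(newpassword)` is the right order, since no hash is computed or stored for a database that will never be consulted. The guard also applies when `requester` is None (the admin-initiated path, judging by the `except_device_id` line), which looks intended; a one-line comment would remove the doubt: `# no local password database in use, so a stored hash would never be checked`.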
From: Richard van der Hoff
Date: Thu, 27 Jun 2019 17:38:48 +0100
Subject: [PATCH 4/6] Update sample config wording
---
 docs/sample_config.yaml | 7 ++++---
 synapse/config/password.py | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index 98b8787e1a19..ea90b99f521d 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -910,10 +910,11 @@ password_config:
 #
 #enabled: false
- # set to false if you do not want to authenticate
- # against the local db (when using other password_providers
+ # Uncomment to disable authentication against the local password
+ # database. This is ignored if `enabled` is false, and is only useful
+ # if you have other password_providers.
 #
- localdb_enabled: true
+ #localdb_enabled: false
 # Uncomment and change to a secret random string for extra security.
 # DO NOT CHANGE THIS AFTER INITIAL SETUP!
diff --git a/synapse/config/password.py b/synapse/config/password.py
index 2fa1b48ccece..0045feac168b 100644
--- a/synapse/config/password.py
+++ b/synapse/config/password.py
@@ -36,10 +36,11 @@ def default_config(self, config_dir_path, server_name, **kwargs):
 #
 #enabled: false
- # set to false if you do not want to authenticate
- # against the local db (when using other password_providers
+ # Uncomment to disable authentication against the local password
+ # database. This is ignored if `enabled` is false, and is only useful
+ # if you have other password_providers.
 #
- localdb_enabled: true
+ #localdb_enabled: false
 # Uncomment and change to a secret random string for extra security.
 # DO NOT CHANGE THIS AFTER INITIAL SETUP!
From c7cd8718e018e838f528d703b13c8d9bcc16ac38 Mon Sep 17 00:00:00 2001
From: Richard van der Hoff
Date: Thu, 27 Jun 2019 17:26:30 +0100
Subject: [PATCH 5/6] Fix up changelog
---
 changelog.d/5092.feature | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/changelog.d/5092.feature b/changelog.d/5092.feature
index 5bafc0dd1950..c22f586d0800 100644
--- a/changelog.d/5092.feature
+++ b/changelog.d/5092.feature
@@ -1,6 +1 @@
-Added possibilty to disable local password authentication
-
-I've picked up the old pull requests #3485 and implimented @richvdh comments.
-
-This change allows to disable the local password authentication which is useful
-when password providers are used.
+Added possibilty to disable local password authentication. Contributed by Daniel Hoffend.
From 43528f477e124f1c4ff4710dbe03e30e48a77ced Mon Sep 17 00:00:00 2001
From: Richard van der Hoff
Date: Thu, 27 Jun 2019 18:09:22 +0100
Subject: [PATCH 6/6] fix formatting
---
 synapse/handlers/set_password.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/synapse/handlers/set_password.py b/synapse/handlers/set_password.py
index f768ae0e93d9..d90c9e0108f6 100644
--- a/synapse/handlers/set_password.py
+++ b/synapse/handlers/set_password.py
@@ -34,8 +34,7 @@ def __init__(self, hs):
 @defer.inlineCallbacks
 def set_password(self, user_id, newpassword, requester=None):
 if not self.hs.config.password_localdb_enabled:
- raise SynapseError(403, "Password change disabled",
- errcode=Codes.FORBIDDEN)
+ raise SynapseError(403, "Password change disabled", errcode=Codes.FORBIDDEN)
 password_hash = yield self._auth_handler.hash(newpassword)