devture / matrix-synapse-shared-secret-auth
Shared Secret Authenticator password provider module for Matrix Synapse

License: GNU Affero General Public License v3.0

Python 100.00%
matrix-org python synapse

Contributors: cincodenada, geoffreyfrogeye, halkeye, lennartbrandin, qcasey, spantaleev

matrix-synapse-shared-secret-auth's Issues

The module no longer loads in Synapse v1.23.0

Ever since the latest Synapse release a few hours ago, the module simply fails to load:

synapse_1           | 2020-11-18T18:15:15.523461690Z Traceback (most recent call last):
synapse_1           | 2020-11-18T18:15:15.523503767Z   File "/usr/local/lib/python3.8/runpy.py", line 194, in _run_module_as_main
synapse_1           | 2020-11-18T18:15:15.523509063Z     return _run_code(code, main_globals, None,
synapse_1           | 2020-11-18T18:15:15.523512497Z   File "/usr/local/lib/python3.8/runpy.py", line 87, in _run_code
synapse_1           | 2020-11-18T18:15:15.523515924Z     exec(code, run_globals)
synapse_1           | 2020-11-18T18:15:15.523519157Z   File "/usr/local/lib/python3.8/site-packages/synapse/app/homeserver.py", line 512, in <module>
synapse_1           | 2020-11-18T18:15:15.523522937Z     main()
synapse_1           | 2020-11-18T18:15:15.523526080Z   File "/usr/local/lib/python3.8/site-packages/synapse/app/homeserver.py", line 507, in main
synapse_1           | 2020-11-18T18:15:15.523529522Z     hs = setup(sys.argv[1:])
synapse_1           | 2020-11-18T18:15:15.523532589Z   File "/usr/local/lib/python3.8/site-packages/synapse/app/homeserver.py", line 341, in setup
synapse_1           | 2020-11-18T18:15:15.523536136Z     config = HomeServerConfig.load_or_generate_config(
synapse_1           | 2020-11-18T18:15:15.523539350Z   File "/usr/local/lib/python3.8/site-packages/synapse/config/_base.py", line 721, in load_or_generate_config
synapse_1           | 2020-11-18T18:15:15.523542743Z     obj.parse_config_dict(
synapse_1           | 2020-11-18T18:15:15.523545784Z   File "/usr/local/lib/python3.8/site-packages/synapse/config/_base.py", line 740, in parse_config_dict
synapse_1           | 2020-11-18T18:15:15.523549061Z     self.invoke_all(
synapse_1           | 2020-11-18T18:15:15.523552117Z   File "/usr/local/lib/python3.8/site-packages/synapse/config/_base.py", line 369, in invoke_all
synapse_1           | 2020-11-18T18:15:15.523555491Z     res[name] = getattr(config, func_name)(*args, **kwargs)
synapse_1           | 2020-11-18T18:15:15.523558683Z   File "/usr/local/lib/python3.8/site-packages/synapse/config/password_auth_providers.py", line 47, in read_config
synapse_1           | 2020-11-18T18:15:15.523562078Z     (provider_class, provider_config) = load_module(
synapse_1           | 2020-11-18T18:15:15.523565299Z   File "/usr/local/lib/python3.8/site-packages/synapse/util/module_loader.py", line 33, in load_module
synapse_1           | 2020-11-18T18:15:15.523568720Z     module = importlib.import_module(module)
synapse_1           | 2020-11-18T18:15:15.523571943Z   File "/usr/local/lib/python3.8/importlib/__init__.py", line 127, in import_module
synapse_1           | 2020-11-18T18:15:15.523575200Z     return _bootstrap._gcd_import(name[level:], package, level)
synapse_1           | 2020-11-18T18:15:15.523578511Z   File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
synapse_1           | 2020-11-18T18:15:15.523581881Z   File "<frozen importlib._bootstrap>", line 991, in _find_and_load
synapse_1           | 2020-11-18T18:15:15.523585156Z   File "<frozen importlib._bootstrap>", line 973, in _find_and_load_unlocked
synapse_1           | 2020-11-18T18:15:15.523588456Z ModuleNotFoundError: No module named 'shared_secret_authenticator'

There's nothing in the logs that shows what sort of load error it's encountering, just that it can't load it. Reverting back to Synapse v1.22.1 solves the problem, so presumably there's some breaking change in the Synapse API?

Nonce / expiry

I added a tracking issue for the problem mentioned in the README.

Cannot log in for some reason

Dec 04 14:29:07 localhost.localdomain matrix-synapse[12295]: 2021-12-04 13:29:07,194 - shared_secret_authenticator - 41 - INFO - POST-2028 - Authenticating user: @me:chagai.website
Dec 04 14:29:07 localhost.localdomain matrix-synapse[12295]: 2021-12-04 13:29:07,195 - shared_secret_authenticator - 54 - INFO - POST-2028 - Bad hmac value for user: @me:chagai.website
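An added example (not code from the module or from the issue above) that parses log lines in the format quoted above and flags users who accumulate repeated `Bad hmac value` failures, which is what an operator would want to watch after rotating the shared secret or misconfiguring a bridge; the sample lines are constructed, and the window and threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message part of a journald/Synapse line written by the module's logger (format as quoted above).
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ - shared_secret_authenticator - "
    r"\d+ - \w+ - \S+ - (?P<msg>.+)$"
)
MSG_RES = {
    "attempt": re.compile(r"^Authenticating user: (?P<user>@\S+)$"),
    "bad_hmac": re.compile(r"^Bad hmac value for user: (?P<user>@\S+)$"),
}

def parse_line(line):
    """Return (timestamp, kind, user) for a module log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    for kind, rx in MSG_RES.items():
        mm = rx.match(m.group("msg"))
        if mm:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            return ts, kind, mm.group("user")
    return None

def summarise(lines, window=timedelta(minutes=5), threshold=3):
    """Per-user attempt/failure counts; a user is flagged once `threshold` HMAC
    failures fall inside a `window`-long span (window/threshold are assumed values)."""
    stats = defaultdict(lambda: {"attempt": 0, "bad_hmac": 0, "flagged": False})
    recent = defaultdict(list)  # timestamps of recent failures, per user
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, kind, user = parsed
        stats[user][kind] += 1
        if kind == "bad_hmac":
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if len(recent[user]) >= threshold:
                stats[user]["flagged"] = True
    return dict(stats)

# Constructed sample lines in the same format as the two lines quoted in the issue.
SAMPLE_LOG = """\
Dec 04 14:29:07 host matrix-synapse[12295]: 2021-12-04 13:29:07,194 - shared_secret_authenticator - 41 - INFO - POST-2028 - Authenticating user: @alice:example.org
Dec 04 14:29:07 host matrix-synapse[12295]: 2021-12-04 13:29:07,195 - shared_secret_authenticator - 54 - INFO - POST-2028 - Bad hmac value for user: @alice:example.org
Dec 04 14:29:20 host matrix-synapse[12295]: 2021-12-04 13:29:20,010 - shared_secret_authenticator - 41 - INFO - POST-2031 - Authenticating user: @alice:example.org
Dec 04 14:29:20 host matrix-synapse[12295]: 2021-12-04 13:29:20,011 - shared_secret_authenticator - 54 - INFO - POST-2031 - Bad hmac value for user: @alice:example.org
Dec 04 14:29:33 host matrix-synapse[12295]: 2021-12-04 13:29:33,400 - shared_secret_authenticator - 41 - INFO - POST-2035 - Authenticating user: @alice:example.org
Dec 04 14:29:33 host matrix-synapse[12295]: 2021-12-04 13:29:33,401 - shared_secret_authenticator - 54 - INFO - POST-2035 - Bad hmac value for user: @alice:example.org
Dec 04 14:30:02 host matrix-synapse[12295]: 2021-12-04 13:30:02,500 - shared_secret_authenticator - 41 - INFO - POST-2040 - Authenticating user: @bob:example.org
Dec 04 14:30:02 host matrix-synapse[12295]: synapse.access.http.8008: unrelated line, ignored
"""
```

Running `summarise(SAMPLE_LOG.splitlines())` flags `@alice:example.org` after her third failure within the window and leaves `@bob:example.org` unflagged.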

account_handler error after upgrade

I recently attempted to update from an older version of this module to the latest. matrix-synapse refuses to start with the following error:
TypeError: SharedSecretAuthProvider.__init__() got an unexpected keyword argument 'account_handler'
What am I doing wrong?

Account include/exclude list

Added this for the WhatsApp bridge, but I definitely miss an account include/exclude list so that the shared secret only works for defined accounts.

Thank you.

Changed argument for `__init__`

It looks like the argument `api` got renamed to `account_handler`, causing matrix-synapse to refuse to start:

Feb 18 00:56:19 cloudbox systemd[1]: Starting Synapse Matrix homeserver...
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: This server is configured to use 'matrix.org' as its trusted key server via the
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: 'trusted_key_servers' config option. 'matrix.org' is a good choice for a key
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: server since it is long-lived, stable and trusted. However, some admins may
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: wish to use another server for this purpose.
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: To suppress this warning and continue using 'matrix.org', admins should set
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: 'suppress_key_server_warning' to 'true' in homeserver.yaml.
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: --------------------------------------------------------------------------------
Feb 18 00:56:21 cloudbox synapse[2315949]: root: [main] ***** STARTING SERVER *****
Feb 18 00:56:21 cloudbox synapse[2315949]: root: [main] Server /nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/bin/synapse_homeserver version 1.52.0
Feb 18 00:56:21 cloudbox synapse[2315949]: synapse.handlers.auth: [sentinel] Error while initializing <class 'shared_secret_authenticator.SharedSecretAuthProvider'>: __init__() got an unexpected keyword argument 'account_handler'
Feb 18 00:56:21 cloudbox synapse[2315949]: synapse.app._base: [sentinel] Error during startup
                                           Traceback (most recent call last):
                                             File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/app/_base.py", line 227, in wrapper
                                               await cb(*args, **kwargs)
                                             File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/app/homeserver.py", line 405, in start
                                               await _base.start(hs)
                                             File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/app/_base.py", line 444, in start
                                               load_legacy_password_auth_providers(hs)
                                             File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/handlers/auth.py", line 1909, in load_legacy_password_auth_providers
                                               load_single_legacy_password_auth_provider(
                                             File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/handlers/auth.py", line 1920, in load_single_legacy_password_auth_provider
                                               provider = module(config=config, account_handler=api)
                                           TypeError: __init__() got an unexpected keyword argument 'account_handler'
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: Error during startup:
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: Traceback (most recent call last):
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]:   File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/app/_base.py", line 227, in wrapper
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]:     await cb(*args, **kwargs)
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]:   File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/app/homeserver.py", line 405, in start
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]:     await _base.start(hs)
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]:   File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/app/_base.py", line 444, in start
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]:     load_legacy_password_auth_providers(hs)
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]:   File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/handlers/auth.py", line 1909, in load_legacy_password_auth_providers
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]:     load_single_legacy_password_auth_provider(
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]:   File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/handlers/auth.py", line 1920, in load_single_legacy_password_auth_provider
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]:     provider = module(config=config, account_handler=api)
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: TypeError: __init__() got an unexpected keyword argument 'account_handler'
Feb 18 00:56:21 cloudbox systemd[1]: matrix-synapse.service: Main process exited, code=exited, status=1/FAILURE
Feb 18 00:56:21 cloudbox systemd[1]: matrix-synapse.service: Failed with result 'exit-code'.
Feb 18 00:56:21 cloudbox systemd[1]: Failed to start Synapse Matrix homeserver.
Feb 18 00:56:21 cloudbox systemd[1]: matrix-synapse.service: Consumed 2.805s CPU time, no IP traffic.
Feb 18 00:56:22 cloudbox systemd[1]: matrix-synapse.service: Scheduled restart job, restart counter is at 3.
Feb 18 00:56:22 cloudbox systemd[1]: Stopped Synapse Matrix homeserver.
Feb 18 00:56:22 cloudbox systemd[1]: matrix-synapse.service: Consumed 2.805s CPU time, no IP traffic.

I got it working with renaming the argument appropriately:

diff --git a/shared_secret_authenticator.py b/shared_secret_authenticator.py
index c24d8dd..55efc0e 100644
--- a/shared_secret_authenticator.py
+++ b/shared_secret_authenticator.py
@@ -30,7 +30,7 @@ from synapse import module_api
 logger = logging.getLogger(__name__)
 
 class SharedSecretAuthProvider:
-    def __init__(self, config: dict, api: module_api):
+    def __init__(self, config: dict, account_handler: module_api):
         for k in ('shared_secret',):
             if k not in config:
                 raise KeyError('Required `{0}` configuration key not found'.format(k))
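Review bot: renaming the parameter outright to `account_handler` fixes startup on 1.52.0 (the traceback shows `load_single_legacy_password_auth_provider` calling `module(config=config, account_handler=api)`), but it will break the module on any Synapse version that still passes the object as `api`, which is what worked before. Consider accepting both keyword names, e.g. `def __init__(self, config: dict, api=None, account_handler=None):`, and resolving to whichever was supplied. Separately, the annotation `account_handler: module_api` (carried over from the old `api: module_api`) uses the imported module as a type; it is only a hint, but it is misleading.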
@@ -38,7 +38,7 @@ class SharedSecretAuthProvider:
         m_login_password_support_enabled = bool(config['m_login_password_support_enabled']) if 'm_login_password_support_enabled' in config else False
         com_devture_shared_secret_auth_support_enabled = bool(config['com_devture_shared_secret_auth_support_enabled']) if 'com_devture_shared_secret_auth_support_enabled' in config else True
 
-        self.api = api
+        self.api = account_handler
         self.shared_secret = config['shared_secret']
 
         auth_checkers: Optional[Dict[Tuple[str, Tuple], CHECK_AUTH_CALLBACK]] = {}
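Review bot: keeping the attribute name `self.api` while only the parameter changes is the right call, since the rest of the class already refers to `self.api`. If the constructor is made to accept both `api` and `account_handler`, this assignment should pick whichever is not `None` and raise a clear error when neither is given; otherwise `self.api` is silently `None` and the later `self.api.register_password_auth_provider_callbacks(...)` call fails with an unhelpful `AttributeError`.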
@@ -54,7 +54,7 @@ class SharedSecretAuthProvider:
 
         logger.info('Enabled login types: %s', enabled_login_types)
 
-        api.register_password_auth_provider_callbacks(
+        self.api.register_password_auth_provider_callbacks(
             auth_checkers=auth_checkers,
         )
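Review bot: switching the call to `self.api.register_password_auth_provider_callbacks(` is required once the local name `api` no longer exists, so this hunk is correct as written. Worth a comment above the call: the traceback shows this class is still instantiated through the legacy `load_legacy_password_auth_providers` path, so anyone reading this file later should know the constructor signature is dictated by that loader and must track it across Synapse releases.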

Sorry that I didn't bother bisecting the synapse version that introduced the behavior, it just appeared when switching to 1.52.0.

Availability for dendrite

Hello,
Is this also possible for Dendrite?
The Docker image for Dendrite does not include Python, so maybe there will be a native Go version?
Thank you very much!

FAQ doesn't explain why this isn't an evil backdoor (even though it's not)

The thing that makes this not an evil backdoor is the fact that it's not circumventing end-to-end encryption. Logging into the user's account doesn't mean that the server is reading the user's encrypted messages. Element sends encrypted messages to unverified sessions by default, so it's possible to eavesdrop on conversations by logging into the user's account and creating device keys. But those would be visible as unverified sessions, and this module doesn't do that anyway. Is that all correct?

The FAQ as it stands isn't reassuring to someone who doesn't understand Matrix as much as you do. "data that they already host and own" is vague about what data we're talking about, and "Your data is on my server so I can do what I want," isn't an argument – people rely on Matrix for private, secure communication, and subverting that expectation would be evil.

This module isn't an evil backdoor. I just think that the current documentation could do a much better job of explaining why that is by pointing out how it doesn't circumvent E2EE and generally can't do anything the user wouldn't notice (probably?).

Store secret key as an actual secret in docker

Hey people,

I am currently using the matrixdotorg/synapse docker image.

In order to modify the configuration file (homeserver.yaml), it needs to be mounted in the container as a volume. This file is also readable by others, but I'm pretty fine with it (until now), since this file is basically the default configuration that comes with the container, so it doesn't contain any sensitive data.

However, putting the shared secret directly into that file is probably dangerous. This also applies to my bridge configurations, since roughly the same setup applies to them as well, so I also need to add that secret there, also readable by everyone.

Is there a safer way to store this via an environment variable and interpolate it on startup? That way I could store it in Docker secrets, Kubernetes, gpg, whatever...

Synapse docker using Python 3.9

Since version 1.54.0, Synapse uses Python 3.9 in its Docker images by default.

This causes the Synapse server to fail to start, logging "Module not found", when using the mount path described in this project's installation instructions (it needs to be /usr/local/lib/python3.9/site-packages/shared_secret_authenticator.py).

Make a new release with setup.py included

I want to add an AUR package for Arch Linux, but installing without a setup.py isn't nice. So it would be nice to have a release with the setup.py included, so that the package isn't using master.
