devture / matrix-synapse-shared-secret-auth
Shared Secret Authenticator password provider module for Matrix Synapse
License: GNU Affero General Public License v3.0
Hi,
I'm guessing not, but is there a way to install this when using the official matrixdotorg/synapse docker image?
Thanks
Ever since the latest Synapse release a few hours ago, the module simply fails to load:
synapse_1 | 2020-11-18T18:15:15.523461690Z Traceback (most recent call last):
synapse_1 | 2020-11-18T18:15:15.523503767Z File "/usr/local/lib/python3.8/runpy.py", line 194, in _run_module_as_main
synapse_1 | 2020-11-18T18:15:15.523509063Z return _run_code(code, main_globals, None,
synapse_1 | 2020-11-18T18:15:15.523512497Z File "/usr/local/lib/python3.8/runpy.py", line 87, in _run_code
synapse_1 | 2020-11-18T18:15:15.523515924Z exec(code, run_globals)
synapse_1 | 2020-11-18T18:15:15.523519157Z File "/usr/local/lib/python3.8/site-packages/synapse/app/homeserver.py", line 512, in <module>
synapse_1 | 2020-11-18T18:15:15.523522937Z main()
synapse_1 | 2020-11-18T18:15:15.523526080Z File "/usr/local/lib/python3.8/site-packages/synapse/app/homeserver.py", line 507, in main
synapse_1 | 2020-11-18T18:15:15.523529522Z hs = setup(sys.argv[1:])
synapse_1 | 2020-11-18T18:15:15.523532589Z File "/usr/local/lib/python3.8/site-packages/synapse/app/homeserver.py", line 341, in setup
synapse_1 | 2020-11-18T18:15:15.523536136Z config = HomeServerConfig.load_or_generate_config(
synapse_1 | 2020-11-18T18:15:15.523539350Z File "/usr/local/lib/python3.8/site-packages/synapse/config/_base.py", line 721, in load_or_generate_config
synapse_1 | 2020-11-18T18:15:15.523542743Z obj.parse_config_dict(
synapse_1 | 2020-11-18T18:15:15.523545784Z File "/usr/local/lib/python3.8/site-packages/synapse/config/_base.py", line 740, in parse_config_dict
synapse_1 | 2020-11-18T18:15:15.523549061Z self.invoke_all(
synapse_1 | 2020-11-18T18:15:15.523552117Z File "/usr/local/lib/python3.8/site-packages/synapse/config/_base.py", line 369, in invoke_all
synapse_1 | 2020-11-18T18:15:15.523555491Z res[name] = getattr(config, func_name)(*args, **kwargs)
synapse_1 | 2020-11-18T18:15:15.523558683Z File "/usr/local/lib/python3.8/site-packages/synapse/config/password_auth_providers.py", line 47, in read_config
synapse_1 | 2020-11-18T18:15:15.523562078Z (provider_class, provider_config) = load_module(
synapse_1 | 2020-11-18T18:15:15.523565299Z File "/usr/local/lib/python3.8/site-packages/synapse/util/module_loader.py", line 33, in load_module
synapse_1 | 2020-11-18T18:15:15.523568720Z module = importlib.import_module(module)
synapse_1 | 2020-11-18T18:15:15.523571943Z File "/usr/local/lib/python3.8/importlib/__init__.py", line 127, in import_module
synapse_1 | 2020-11-18T18:15:15.523575200Z return _bootstrap._gcd_import(name[level:], package, level)
synapse_1 | 2020-11-18T18:15:15.523578511Z File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
synapse_1 | 2020-11-18T18:15:15.523581881Z File "<frozen importlib._bootstrap>", line 991, in _find_and_load
synapse_1 | 2020-11-18T18:15:15.523585156Z File "<frozen importlib._bootstrap>", line 973, in _find_and_load_unlocked
synapse_1 | 2020-11-18T18:15:15.523588456Z ModuleNotFoundError: No module named 'shared_secret_authenticator'
There's nothing in the logs that shows what sort of load error it's encountering, just that it can't load it. Reverting back to Synapse v1.22.1 solves the problem, so presumably there's some breaking change in the Synapse API?
I added a tracking issue for the problem mentioned in the readme
Dec 04 14:29:07 localhost.localdomain matrix-synapse[12295]: 2021-12-04 13:29:07,194 - shared_secret_authenticator - 41 - INFO - POST-2028 - Authenticating user: @me:chagai.website
Dec 04 14:29:07 localhost.localdomain matrix-synapse[12295]: 2021-12-04 13:29:07,195 - shared_secret_authenticator - 54 - INFO - POST-2028 - Bad hmac value for user: @me:chagai.website
The Readme.md tells users of docker-compose to mount the python file into the python3.8 directory, whereas the latest synapse uses python3.9.
Please see element-hq/element-web#20292
I recently attempted to update from an older version of this module to the latest. matrix-synapse refuses to start with the following error:
TypeError: SharedSecretAuthProvider.__init__() got an unexpected keyword argument 'account_handler'
What am I doing wrong?
Added this for the WhatsApp Bridge, but I definitely miss an account include/exclude list to make it possible for the shared secret to only work for defined accounts.
Thank you.
It looks like the argument api got renamed to account_handler, causing matrix-synapse to refuse to start:
Feb 18 00:56:19 cloudbox systemd[1]: Starting Synapse Matrix homeserver...
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: This server is configured to use 'matrix.org' as its trusted key server via the
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: 'trusted_key_servers' config option. 'matrix.org' is a good choice for a key
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: server since it is long-lived, stable and trusted. However, some admins may
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: wish to use another server for this purpose.
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: To suppress this warning and continue using 'matrix.org', admins should set
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: 'suppress_key_server_warning' to 'true' in homeserver.yaml.
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: --------------------------------------------------------------------------------
Feb 18 00:56:21 cloudbox synapse[2315949]: root: [main] ***** STARTING SERVER *****
Feb 18 00:56:21 cloudbox synapse[2315949]: root: [main] Server /nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/bin/synapse_homeserver version 1.52.0
Feb 18 00:56:21 cloudbox synapse[2315949]: synapse.handlers.auth: [sentinel] Error while initializing <class 'shared_secret_authenticator.SharedSecretAuthProvider'>: __init__() got an unexpected keyword argument 'account_handler'
Feb 18 00:56:21 cloudbox synapse[2315949]: synapse.app._base: [sentinel] Error during startup
Traceback (most recent call last):
File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/app/_base.py", line 227, in wrapper
await cb(*args, **kwargs)
File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/app/homeserver.py", line 405, in start
await _base.start(hs)
File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/app/_base.py", line 444, in start
load_legacy_password_auth_providers(hs)
File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/handlers/auth.py", line 1909, in load_legacy_password_auth_providers
load_single_legacy_password_auth_provider(
File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/handlers/auth.py", line 1920, in load_single_legacy_password_auth_provider
provider = module(config=config, account_handler=api)
TypeError: __init__() got an unexpected keyword argument 'account_handler'
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: Error during startup:
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: Traceback (most recent call last):
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/app/_base.py", line 227, in wrapper
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: await cb(*args, **kwargs)
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/app/homeserver.py", line 405, in start
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: await _base.start(hs)
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/app/_base.py", line 444, in start
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: load_legacy_password_auth_providers(hs)
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/handlers/auth.py", line 1909, in load_legacy_password_auth_providers
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: load_single_legacy_password_auth_provider(
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: File "/nix/store/h2gxxs9f2lfwkwcmmkyi4swzyp18jvca-matrix-synapse-1.52.0/lib/python3.9/site-packages/synapse/handlers/auth.py", line 1920, in load_single_legacy_password_auth_provider
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: provider = module(config=config, account_handler=api)
Feb 18 00:56:21 cloudbox synapse_homeserver[2315949]: TypeError: __init__() got an unexpected keyword argument 'account_handler'
Feb 18 00:56:21 cloudbox systemd[1]: matrix-synapse.service: Main process exited, code=exited, status=1/FAILURE
Feb 18 00:56:21 cloudbox systemd[1]: matrix-synapse.service: Failed with result 'exit-code'.
Feb 18 00:56:21 cloudbox systemd[1]: Failed to start Synapse Matrix homeserver.
Feb 18 00:56:21 cloudbox systemd[1]: matrix-synapse.service: Consumed 2.805s CPU time, no IP traffic.
Feb 18 00:56:22 cloudbox systemd[1]: matrix-synapse.service: Scheduled restart job, restart counter is at 3.
Feb 18 00:56:22 cloudbox systemd[1]: Stopped Synapse Matrix homeserver.
Feb 18 00:56:22 cloudbox systemd[1]: matrix-synapse.service: Consumed 2.805s CPU time, no IP traffic.
I got it working with renaming the argument appropriately:
diff --git a/shared_secret_authenticator.py b/shared_secret_authenticator.py
index c24d8dd..55efc0e 100644
--- a/shared_secret_authenticator.py
+++ b/shared_secret_authenticator.py
@@ -30,7 +30,7 @@ from synapse import module_api
logger = logging.getLogger(__name__)
class SharedSecretAuthProvider:
- def __init__(self, config: dict, api: module_api):
+ def __init__(self, config: dict, account_handler: module_api):
for k in ('shared_secret',):
if k not in config:
raise KeyError('Required `{0}` configuration key not found'.format(k))
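Review bot: the rename on the `__init__` signature matches the `account_handler=` keyword call shown in the log (`provider = module(config=config, account_handler=api)`), but it drops support for any Synapse version that still passes `api=`; consider accepting both names, e.g. `def __init__(self, config: dict, api=None, account_handler=None):` followed by `api = account_handler if account_handler is not None else api`, and raise a clear `TypeError` when neither is given. Also, the annotation `account_handler: module_api` names the `synapse.module_api` package imported in the hunk header rather than a class; the object actually passed is a `module_api.ModuleApi`.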
@@ -38,7 +38,7 @@ class SharedSecretAuthProvider:
m_login_password_support_enabled = bool(config['m_login_password_support_enabled']) if 'm_login_password_support_enabled' in config else False
com_devture_shared_secret_auth_support_enabled = bool(config['com_devture_shared_secret_auth_support_enabled']) if 'com_devture_shared_secret_auth_support_enabled' in config else True
- self.api = api
+ self.api = account_handler
self.shared_secret = config['shared_secret']
auth_checkers: Optional[Dict[Tuple[str, Tuple], CHECK_AUTH_CALLBACK]] = {}
@@ -54,7 +54,7 @@ class SharedSecretAuthProvider:
logger.info('Enabled login types: %s', enabled_login_types)
- api.register_password_auth_provider_callbacks(
+ self.api.register_password_auth_provider_callbacks(
auth_checkers=auth_checkers,
)
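Review bot: switching this call to `self.api.register_password_auth_provider_callbacks(` is needed once the local name `api` is gone, but it makes this hunk depend on the `self.api = account_handler` assignment in the previous hunk; a local alias such as `api = account_handler` at the top of `__init__` would leave both this call and the `self.api = api` line untouched and reduce the change to the signature line alone.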
Sorry that I didn't bother bisecting the synapse version that introduced the behavior, it just appeared when switching to 1.52.0.
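An added illustration (not the module's own code, and not from any commenter above) of two points raised in these issues: a constructor that accepts both the old `api` and the new `account_handler` keyword, and the token check behind the "Bad hmac value" log line. The HMAC construction (hex HMAC-SHA512 over the full Matrix user ID), `FakeModuleApi` and the sample secret are assumptions; check the module's README for the exact scheme.

```python
import hashlib
import hmac
import logging

logger = logging.getLogger("shared_secret_authenticator")


class SharedSecretAuthProvider:
    """Sketch of a password provider tolerant of both Synapse keyword names."""

    def __init__(self, config: dict, api=None, account_handler=None):
        # Synapse 1.52 calls module(config=..., account_handler=...);
        # older releases passed the same object as api=...
        module_api = account_handler if account_handler is not None else api
        if module_api is None:
            raise TypeError("expected an 'api' or 'account_handler' keyword")
        if "shared_secret" not in config:
            raise KeyError("Required `shared_secret` configuration key not found")
        self.api = module_api
        self.shared_secret = config["shared_secret"].encode("utf-8")

    def expected_token(self, user_id: str) -> str:
        # Assumed construction: hex HMAC-SHA512 keyed by the shared secret
        # over the full user ID (e.g. "@me:example.org").
        return hmac.new(self.shared_secret, user_id.encode("utf-8"),
                        hashlib.sha512).hexdigest()

    def check_password(self, user_id: str, password: str) -> bool:
        logger.info("Authenticating user: %s", user_id)
        # Constant-time compare so a mismatch reveals nothing via timing.
        ok = hmac.compare_digest(self.expected_token(user_id), password)
        if not ok:
            logger.info("Bad hmac value for user: %s", user_id)
        return ok


class FakeModuleApi:
    """Stand-in for synapse.module_api.ModuleApi (assumption for the demo)."""


def demo():
    # Constructed sample values; the real secret lives in homeserver.yaml.
    cfg = {"shared_secret": "example-secret-do-not-use"}
    provider_new = SharedSecretAuthProvider(cfg, account_handler=FakeModuleApi())
    provider_old = SharedSecretAuthProvider(cfg, api=FakeModuleApi())
    user = "@me:example.org"
    token = provider_new.expected_token(user)
    # Both construction styles yield a provider that accepts the right token
    # and rejects a wrong one with the "Bad hmac value" log line.
    return provider_old.check_password(user, token), provider_new.check_password(user, "wrong")
```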
This auth provider makes identity confirmation impossible when not using local passwords: see matrix-org/synapse#9605 and element-hq/element-web#21007.
Hello,
is this also possible for dendrite?
The docker image for dendrite does not include python, so maybe there will be a native go version?
Thank you very much!
It's the old "Module not found" error whenever they upgrade their bundled Python ver.
The thing that makes this not an evil backdoor is the fact that it's not circumventing end-to-end encryption. Logging into the user's account doesn't mean that the server is reading the user's encrypted messages. Element sends encrypted messages to unverified sessions by default, so it's possible to eavesdrop on conversations by logging into the user's account and creating device keys. But those would be visible as unverified sessions, and this module doesn't do that anyway. Is that all correct?
The FAQ as it stands isn't reassuring to someone who doesn't understand Matrix as much as you do. "data that they already host and own" is vague about what data we're talking about, and "Your data is on my server so I can do what I want," isn't an argument; people rely on Matrix for private, secure communication, and subverting that expectation would be evil.
This module isn't an evil backdoor. I just think that the current documentation could do a much better job of explaining why that is by pointing out how it doesn't circumvent E2EE and generally can't do anything the user wouldn't notice (probably?).
Hey people,
I am currently using the matrixdotorg/synapse docker image.
In order to modify the configuration file (homeserver.yaml), this needs to be mounted in the container as a volume. Also, this file is readable by others, but I'm pretty fine with it (until now) since this file is basically the default configuration that comes with the container, so it doesn't contain any sensitive data.
However, putting the shared secret directly into that file is probably dangerous. This also applies to my bridge configurations since the same setup roughly applies to them as well, so I also need to add that secret here - also readable for everyone.
Is there a safer way to store this via an environment variable and interpolate this on startup? That way I can store this into docker secrets, Kubernetes, gpg whatever ...
Since version 1.54.0, Synapse uses Python 3.9 in its docker images by default.
This causes the Synapse server to fail to start, logging "Module not found" when using the mount path described in this project's installation instructions (it needs to be /usr/local/lib/python3.9/site-packages/shared_secret_authenticator.py).
I want to add an AUR package for Arch Linux, but installing without a setup.py isn't nice. So it would be nice to have a release with the setup.py included, so that the package isn't using master.
The README says:
In v2 we don't
but the rest of this sentence appears to be cut off.