diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml index 5f5b64dc643..e03922d6383 100644 --- a/.github/workflows/release-artifacts.yml +++ b/.github/workflows/release-artifacts.yml @@ -1,6 +1,6 @@ # GitHub actions workflow which builds the release artifacts. -name: Build release artifacts +name: Build Tchap release artifacts on: # we build on PRs and develop to (hopefully) get early warning @@ -8,10 +8,12 @@ on: # building wheels on ARM. pull_request: push: - branches: ["develop", "release-*"] + branches: [tchap, develop_tchap] + + # we do the full build on releases. + release: + types: [published] - # we do the full build on tags. - tags: ["v*"] merge_group: workflow_dispatch: @@ -44,74 +46,17 @@ jobs: outputs: distros: ${{ steps.set-distros.outputs.distros }} - # now build the packages with a matrix build. - build-debs: - needs: get-distros - name: "Build .deb packages" - runs-on: ubuntu-latest - strategy: - matrix: - distro: ${{ fromJson(needs.get-distros.outputs.distros) }} - - steps: - - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - path: src - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - - - name: Set up docker layer caching - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx- - - - name: Set up python - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 - with: - python-version: "3.x" - - - name: Build the packages - # see https://github.com/docker/build-push-action/issues/252 - # for the cache magic here - run: | - ./src/scripts-dev/build_debian_packages.py \ - --docker-build-arg=--cache-from=type=local,src=/tmp/.buildx-cache \ - --docker-build-arg=--cache-to=type=local,mode=max,dest=/tmp/.buildx-cache-new \ - --docker-build-arg=--progress=plain \ - --docker-build-arg=--load \ - "${{ matrix.distro }}" - rm -rf /tmp/.buildx-cache - mv /tmp/.buildx-cache-new /tmp/.buildx-cache - - - name: Artifact name - id: artifact-name - # We can't have colons in the upload name of the artifact, so we convert - # e.g. `debian:sid` to `sid`. - env: - DISTRO: ${{ matrix.distro }} - run: | - echo "ARTIFACT_NAME=${DISTRO#*:}" >> "$GITHUB_OUTPUT" - - - name: Upload debs as artifacts - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: debs-${{ steps.artifact-name.outputs.ARTIFACT_NAME }} - path: debs/* +### Deactivate build-debs pipeline : not required for Tchap Synapse ### build-wheels: name: Build wheels on ${{ matrix.os }} runs-on: ${{ matrix.os }} strategy: matrix: - os: - - ubuntu-24.04 - - ubuntu-24.04-arm +### Deactivate macos pipeline : not required for Tchap Synapse ### + os: [ubuntu-24.04] +### Deactivate aarch64 pipeline : not required for Tchap Synapse ### + arch: [x86_64] # is_pr is a flag used to exclude certain jobs from the matrix on PRs. # It is not read by the rest of the workflow. is_pr: @@ -144,6 +89,9 @@ jobs: # The platforms that we build for are determined by the # `tool.cibuildwheel.skip` option in `pyproject.toml`. + ### Deactivate other version : not required for Tchap Synapse ### + CIBW_BUILD: cp310-manylinux_x86_64 + # We skip testing wheels for the following platforms in CI: # # pp3*-* (PyPy wheels) broke in CI (TODO: investigate). @@ -181,20 +129,15 @@ jobs: name: "Attach assets to release" if: ${{ !failure() && !cancelled() && startsWith(github.ref, 'refs/tags/') }} needs: - - build-debs +### Deactivate pipeline : not required for Tchap Synapse ### +# - build-debs - build-wheels - build-sdist runs-on: ubuntu-latest steps: - name: Download all workflow run artifacts uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 - - name: Build a tarball for the debs - # We need to merge all the debs uploads into one folder, then compress - # that. - run: | - mkdir debs - mv debs*/* debs/ - tar -cvJf debs.tar.xz debs +### Deactivate debs archiving : not required for Tchap Synapse ### - name: Attach to release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -202,5 +145,6 @@ jobs: gh release upload "${{ github.ref_name }}" \ Sdist/* \ Wheel*/* \ - debs.tar.xz \ --repo ${{ github.repository }} +### Deactivate debs archiving : not required for Tchap Synapse ### +# debs.tar.xz \ diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md index 84fd3dad54d..8a4be4339db 100644 --- a/docs/usage/configuration/config_documentation.md +++ b/docs/usage/configuration/config_documentation.md @@ -657,12 +657,15 @@ This setting has the following sub-options: * `secret_path` (string|null): Alternative to `secret`, reading the shared secret from a file. The file should be a plain text file, containing only the secret. Synapse reads the secret from the given file once at startup. +* `token_introspection_cache_timeout` (integer|120_000): timeout of th token introspection cache in milliseconds. token introspection cache remembers what users/devices are represented by which access tokens in order to reduce overall system load. + Example configuration: ```yaml matrix_authentication_service: enabled: true secret: someverysecuresecret endpoint: http://localhost:8080 + token_introspection_cache_timeout: 120_000 ``` --- ### `dummy_events_threshold` diff --git a/synapse/api/auth/mas.py b/synapse/api/auth/mas.py index c4cca3723c6..a382f6ec687 100644 --- a/synapse/api/auth/mas.py +++ b/synapse/api/auth/mas.py @@ -28,6 +28,7 @@ from synapse.api.auth.base import BaseAuth from synapse.api.errors import ( AuthError, + Codes, #:tchap: HttpResponseException, InvalidClientTokenError, SynapseError, @@ -105,6 +106,7 @@ def __init__(self, hs: "HomeServer"): self.server_name = hs.hostname self._clock = hs.get_clock() self._config = hs.config.mas + self._account_validity_handler = hs.get_account_validity_handler() #:tchap: self._http_client = hs.get_proxied_http_client() self._rust_http_client = HttpClient( @@ -139,7 +141,7 @@ def __init__(self, hs: "HomeServer"): clock=self._clock, name="mas_token_introspection", server_name=self.server_name, - timeout_ms=120_000, + timeout_ms=self._config.token_introspection_cache_timeout, #:tchap: # don't log because the keys are access tokens enable_logging=False, ) @@ -290,6 +292,22 @@ async def get_user_by_req( allow_expired=allow_expired, ) + #:tchap: + # Deny the request if the user account has expired. + if not allow_expired: + if await self._account_validity_handler.is_user_expired( + requester.user.to_string() + ): + # Raise the error if either an account validity module has determined + # the account has expired, or the legacy account validity + # implementation is enabled and determined the account has expired + raise AuthError( + 403, + "User account has expired", + errcode=Codes.EXPIRED_ACCOUNT, + ) + #:tchap: end + await self._record_request(request, requester) request.requester = requester diff --git a/synapse/api/constants.py b/synapse/api/constants.py index 9b6a68e929c..4663f8850e5 100644 --- a/synapse/api/constants.py +++ b/synapse/api/constants.py @@ -40,7 +40,7 @@ # # in short, we somewhat arbitrarily limit requests to 200 * 64K (about 12.5M) # -MAX_REQUEST_SIZE = 200 * MAX_PDU_SIZE +MAX_REQUEST_SIZE = 1000 * MAX_PDU_SIZE # Max/min size of ints in canonical JSON CANONICALJSON_MAX_INT = (2**53) - 1 diff --git a/synapse/config/mas.py b/synapse/config/mas.py index 104ba17ab79..063fb7fb4cb 100644 --- a/synapse/config/mas.py +++ b/synapse/config/mas.py @@ -20,6 +20,7 @@ Field, FilePath, StrictBool, + StrictInt, #:tchap: StrictStr, ValidationError, model_validator, @@ -39,6 +40,7 @@ class MasConfigModel(ParseModel): secret: StrictStr | None = Field(default=None) # We set `strict=False` to allow `str` instances. secret_path: FilePath | None = Field(default=None, strict=False) + token_introspection_cache_timeout: StrictInt = Field(default=120_000) #:tchap: @model_validator(mode="after") def verify_secret(self) -> Self: @@ -84,6 +86,9 @@ def read_config( self.endpoint = parsed.endpoint self._secret = parsed.secret self._secret_path = parsed.secret_path + self.token_introspection_cache_timeout = ( + parsed.token_introspection_cache_timeout + ) #:tchap: self.check_config_conflicts(self.root) diff --git a/synapse/module_api/callbacks/third_party_event_rules_callbacks.py b/synapse/module_api/callbacks/third_party_event_rules_callbacks.py index 65f5a6b1837..ca8d8b2d140 100644 --- a/synapse/module_api/callbacks/third_party_event_rules_callbacks.py +++ b/synapse/module_api/callbacks/third_party_event_rules_callbacks.py @@ -286,7 +286,13 @@ async def check_event_allowed( # Ensure that the event is frozen, to make sure that the module is not tempted # to try to modify it. Any attempt to modify it at this point will invalidate # the hashes and signatures. - event.freeze() + #:tchap: + # unable to create the event once it is frozen + # quick fix, do not freeze the event before passing it to the external modules + # not ideal but for tchap we control what we do in the module + # should + # event.freeze() + #:tchap:end for callback in self._check_event_allowed_callbacks: try: