Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
94 changes: 19 additions & 75 deletions .github/workflows/release-artifacts.yml
Original file line number Diff line number Diff line change
@@ -1,17 +1,19 @@
# GitHub actions workflow which builds the release artifacts.

name: Build release artifacts
name: Build Tchap release artifacts

on:
# we build on PRs and develop to (hopefully) get early warning
# of things breaking (but only build one set of debs). PRs skip
# building wheels on ARM.
pull_request:
push:
branches: ["develop", "release-*"]
branches: [tchap, develop_tchap]

# we do the full build on releases.
release:
types: [published]

# we do the full build on tags.
tags: ["v*"]
merge_group:
workflow_dispatch:

Expand Down Expand Up @@ -44,74 +46,17 @@ jobs:
outputs:
distros: ${{ steps.set-distros.outputs.distros }}

# now build the packages with a matrix build.
build-debs:
needs: get-distros
name: "Build .deb packages"
runs-on: ubuntu-latest
strategy:
matrix:
distro: ${{ fromJson(needs.get-distros.outputs.distros) }}

steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
path: src

- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Set up docker layer caching
uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-

- name: Set up python
uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
with:
python-version: "3.x"

- name: Build the packages
# see https://github.com/docker/build-push-action/issues/252
# for the cache magic here
run: |
./src/scripts-dev/build_debian_packages.py \
--docker-build-arg=--cache-from=type=local,src=/tmp/.buildx-cache \
--docker-build-arg=--cache-to=type=local,mode=max,dest=/tmp/.buildx-cache-new \
--docker-build-arg=--progress=plain \
--docker-build-arg=--load \
"${{ matrix.distro }}"
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache

- name: Artifact name
id: artifact-name
# We can't have colons in the upload name of the artifact, so we convert
# e.g. `debian:sid` to `sid`.
env:
DISTRO: ${{ matrix.distro }}
run: |
echo "ARTIFACT_NAME=${DISTRO#*:}" >> "$GITHUB_OUTPUT"

- name: Upload debs as artifacts
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: debs-${{ steps.artifact-name.outputs.ARTIFACT_NAME }}
path: debs/*
### Deactivate build-debs pipeline : not required for Tchap Synapse ###

build-wheels:
name: Build wheels on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
matrix:
os:
- ubuntu-24.04
- ubuntu-24.04-arm
### Deactivate macos pipeline : not required for Tchap Synapse ###
os: [ubuntu-24.04]
### Deactivate aarch64 pipeline : not required for Tchap Synapse ###
arch: [x86_64]
# is_pr is a flag used to exclude certain jobs from the matrix on PRs.
# It is not read by the rest of the workflow.
is_pr:
Expand Down Expand Up @@ -144,6 +89,9 @@ jobs:
# The platforms that we build for are determined by the
# `tool.cibuildwheel.skip` option in `pyproject.toml`.

### Deactivate other version : not required for Tchap Synapse ###
CIBW_BUILD: cp310-manylinux_x86_64

# We skip testing wheels for the following platforms in CI:
#
# pp3*-* (PyPy wheels) broke in CI (TODO: investigate).
Expand Down Expand Up @@ -181,26 +129,22 @@ jobs:
name: "Attach assets to release"
if: ${{ !failure() && !cancelled() && startsWith(github.ref, 'refs/tags/') }}
needs:
- build-debs
### Deactivate pipeline : not required for Tchap Synapse ###
# - build-debs
- build-wheels
- build-sdist
runs-on: ubuntu-latest
steps:
- name: Download all workflow run artifacts
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
- name: Build a tarball for the debs
# We need to merge all the debs uploads into one folder, then compress
# that.
run: |
mkdir debs
mv debs*/* debs/
tar -cvJf debs.tar.xz debs
### Deactivate debs archiving : not required for Tchap Synapse ###
- name: Attach to release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release upload "${{ github.ref_name }}" \
Sdist/* \
Wheel*/* \
debs.tar.xz \
--repo ${{ github.repository }}
### Deactivate debs archiving : not required for Tchap Synapse ###
# debs.tar.xz \
3 changes: 3 additions & 0 deletions docs/usage/configuration/config_documentation.md
Original file line number Diff line number Diff line change
Expand Up @@ -657,12 +657,15 @@ This setting has the following sub-options:

* `secret_path` (string|null): Alternative to `secret`, reading the shared secret from a file. The file should be a plain text file, containing only the secret. Synapse reads the secret from the given file once at startup.

* `token_introspection_cache_timeout` (integer|120_000): timeout of th token introspection cache in milliseconds. token introspection cache remembers what users/devices are represented by which access tokens in order to reduce overall system load.

Example configuration:
```yaml
matrix_authentication_service:
enabled: true
secret: someverysecuresecret
endpoint: http://localhost:8080
token_introspection_cache_timeout: 120_000
```
---
### `dummy_events_threshold`
Expand Down
20 changes: 19 additions & 1 deletion synapse/api/auth/mas.py
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
from synapse.api.auth.base import BaseAuth
from synapse.api.errors import (
AuthError,
Codes, #:tchap:
HttpResponseException,
InvalidClientTokenError,
SynapseError,
Expand Down Expand Up @@ -105,6 +106,7 @@ def __init__(self, hs: "HomeServer"):
self.server_name = hs.hostname
self._clock = hs.get_clock()
self._config = hs.config.mas
self._account_validity_handler = hs.get_account_validity_handler() #:tchap:

self._http_client = hs.get_proxied_http_client()
self._rust_http_client = HttpClient(
Expand Down Expand Up @@ -139,7 +141,7 @@ def __init__(self, hs: "HomeServer"):
clock=self._clock,
name="mas_token_introspection",
server_name=self.server_name,
timeout_ms=120_000,
timeout_ms=self._config.token_introspection_cache_timeout, #:tchap:
# don't log because the keys are access tokens
enable_logging=False,
)
Expand Down Expand Up @@ -290,6 +292,22 @@ async def get_user_by_req(
allow_expired=allow_expired,
)

#:tchap:
# Deny the request if the user account has expired.
if not allow_expired:
if await self._account_validity_handler.is_user_expired(
requester.user.to_string()
):
# Raise the error if either an account validity module has determined
# the account has expired, or the legacy account validity
# implementation is enabled and determined the account has expired
raise AuthError(
403,
"User account has expired",
errcode=Codes.EXPIRED_ACCOUNT,
)
#:tchap: end

await self._record_request(request, requester)

request.requester = requester
Expand Down
2 changes: 1 addition & 1 deletion synapse/api/constants.py
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@
#
# in short, we somewhat arbitrarily limit requests to 200 * 64K (about 12.5M)
#
MAX_REQUEST_SIZE = 200 * MAX_PDU_SIZE
MAX_REQUEST_SIZE = 1000 * MAX_PDU_SIZE

# Max/min size of ints in canonical JSON
CANONICALJSON_MAX_INT = (2**53) - 1
Expand Down
5 changes: 5 additions & 0 deletions synapse/config/mas.py
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
Field,
FilePath,
StrictBool,
StrictInt, #:tchap:
StrictStr,
ValidationError,
model_validator,
Expand All @@ -39,6 +40,7 @@ class MasConfigModel(ParseModel):
secret: StrictStr | None = Field(default=None)
# We set `strict=False` to allow `str` instances.
secret_path: FilePath | None = Field(default=None, strict=False)
token_introspection_cache_timeout: StrictInt = Field(default=120_000) #:tchap:

@model_validator(mode="after")
def verify_secret(self) -> Self:
Expand Down Expand Up @@ -84,6 +86,9 @@ def read_config(
self.endpoint = parsed.endpoint
self._secret = parsed.secret
self._secret_path = parsed.secret_path
self.token_introspection_cache_timeout = (
parsed.token_introspection_cache_timeout
) #:tchap:

self.check_config_conflicts(self.root)

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -286,7 +286,13 @@ async def check_event_allowed(
# Ensure that the event is frozen, to make sure that the module is not tempted
# to try to modify it. Any attempt to modify it at this point will invalidate
# the hashes and signatures.
event.freeze()
#:tchap:
# unable to create the event once it is frozen
# quick fix, do not freeze the event before passing it to the external modules
# not ideal but for tchap we control what we do in the module
# should
# event.freeze()
#:tchap:end

for callback in self._check_event_allowed_callbacks:
try:
Expand Down
Loading