Skip to content
This repository has been archived by the owner on Apr 12, 2024. It is now read-only.

Commit

Permalink
Merge branch 'dinsic' of github.com:matrix-org/synapse-dinsic into di…
Browse files Browse the repository at this point in the history
…nsic-release-v1.8.x

* 'dinsic' of github.com:matrix-org/synapse-dinsic:
  Fixes an attribute error when using the default display name during registration. (#32)
  Share SSL contexts for non-federation requests (#30)
  Share SSL options for well-known requests (#29)
  Fix buggy condition in account validity handler (#28)
  • Loading branch information
anoadragon453 committed Mar 24, 2020
2 parents e8e76ea + e24928d commit 83451da
Show file tree
Hide file tree
Showing 14 changed files with 96 additions and 37 deletions.
1 change: 1 addition & 0 deletions changelog.d/28.bugfix
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Fix a bug causing account validity renewal emails to be sent even if the feature is turned off in some cases.
1 change: 1 addition & 0 deletions changelog.d/29.misc
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Improve performance when making `.well-known` requests by sharing the SSL options between requests.
1 change: 1 addition & 0 deletions changelog.d/30.misc
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Improve performance when making HTTP requests to sygnal, sydent, etc, by sharing the SSL context object between connections.
1 change: 1 addition & 0 deletions changelog.d/32.bugfix
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Fixes a bug when using the default display name during registration.
2 changes: 2 additions & 0 deletions synapse/app/client_reader.py
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@
from synapse.replication.slave.storage.registration import SlavedRegistrationStore
from synapse.replication.slave.storage.room import RoomStore
from synapse.replication.slave.storage.transactions import SlavedTransactionStore
from synapse.replication.slave.storage.user_directory import SlavedUserDirectoryStore
from synapse.replication.tcp.client import ReplicationClientHandler
from synapse.rest.client.v1.login import LoginRestServlet
from synapse.rest.client.v1.push_rule import PushRuleRestServlet
Expand Down Expand Up @@ -85,6 +86,7 @@ class ClientReaderSlavedStore(
SlavedTransactionStore,
SlavedProfileStore,
SlavedClientIpStore,
SlavedUserDirectoryStore,
BaseSlavedStore,
):
pass
Expand Down
64 changes: 45 additions & 19 deletions synapse/crypto/context_factory.py
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@ def getContext(self):


@implementer(IPolicyForHTTPS)
class ClientTLSOptionsFactory(object):
class FederationPolicyForHTTPS(object):
"""Factory for Twisted SSLClientConnectionCreators that are used to make connections
to remote servers for federation.
Expand Down Expand Up @@ -107,11 +107,11 @@ def __init__(self, config):
trustRoot=trust_root, insecurelyLowerMinimumTo=minTLS
)
self._verify_ssl_context = self._verify_ssl.getContext()
self._verify_ssl_context.set_info_callback(self._context_info_cb)
self._verify_ssl_context.set_info_callback(_context_info_cb)

self._no_verify_ssl = CertificateOptions(insecurelyLowerMinimumTo=minTLS)
self._no_verify_ssl_context = self._no_verify_ssl.getContext()
self._no_verify_ssl_context.set_info_callback(self._context_info_cb)
self._no_verify_ssl_context.set_info_callback(_context_info_cb)

def get_options(self, host: bytes):

Expand All @@ -136,22 +136,48 @@ def get_options(self, host: bytes):

return SSLClientConnectionCreator(host, ssl_context, should_verify)

@staticmethod
def _context_info_cb(ssl_connection, where, ret):
"""The 'information callback' for our openssl context object."""
# we assume that the app_data on the connection object has been set to
# a TLSMemoryBIOProtocol object. (This is done by SSLClientConnectionCreator)
tls_protocol = ssl_connection.get_app_data()
try:
# ... we further assume that SSLClientConnectionCreator has set the
# '_synapse_tls_verifier' attribute to a ConnectionVerifier object.
tls_protocol._synapse_tls_verifier.verify_context_info_cb(
ssl_connection, where
)
except: # noqa: E722, taken from the twisted implementation
logger.exception("Error during info_callback")
f = Failure()
tls_protocol.failVerification(f)
def creatorForNetloc(self, hostname, port):
"""Implements the IPolicyForHTTPS interace so that this can be passed
directly to agents.
"""
return self.get_options(hostname)


@implementer(IPolicyForHTTPS)
class RegularPolicyForHTTPS(object):
"""Factory for Twisted SSLClientConnectionCreators that are used to make connections
to remote servers, for other than federation.
Always uses the same OpenSSL context object, which uses the default OpenSSL CA
trust root.
"""

def __init__(self):
trust_root = platformTrust()
self._ssl_context = CertificateOptions(trustRoot=trust_root).getContext()
self._ssl_context.set_info_callback(_context_info_cb)

def creatorForNetloc(self, hostname, port):
return SSLClientConnectionCreator(hostname, self._ssl_context, True)


def _context_info_cb(ssl_connection, where, ret):
"""The 'information callback' for our openssl context objects.
Note: Once this is set as the info callback on a Context object, the Context should
only be used with the SSLClientConnectionCreator.
"""
# we assume that the app_data on the connection object has been set to
# a TLSMemoryBIOProtocol object. (This is done by SSLClientConnectionCreator)
tls_protocol = ssl_connection.get_app_data()
try:
# ... we further assume that SSLClientConnectionCreator has set the
# '_synapse_tls_verifier' attribute to a ConnectionVerifier object.
tls_protocol._synapse_tls_verifier.verify_context_info_cb(ssl_connection, where)
except: # noqa: E722, taken from the twisted implementation
logger.exception("Error during info_callback")
f = Failure()
tls_protocol.failVerification(f)

def creatorForNetloc(self, hostname, port):
"""Implements the IPolicyForHTTPS interace so that this can be passed
Expand Down
6 changes: 5 additions & 1 deletion synapse/handlers/account_validity.py
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,11 @@ def __init__(self, hs):
self._show_users_in_user_directory = self.hs.config.show_users_in_user_directory
self.profile_handler = self.hs.get_profile_handler()

if self._account_validity.renew_by_email_enabled and load_jinja2_templates:
if (
self._account_validity.enabled
and self._account_validity.renew_by_email_enabled
and load_jinja2_templates
):
# Don't do email-specific configuration if renewal by email is disabled.
try:
app_name = self.hs.config.email_app_name
Expand Down
3 changes: 0 additions & 3 deletions synapse/http/client.py
Original file line number Diff line number Diff line change
Expand Up @@ -244,9 +244,6 @@ def __getattr__(_self, attr):
pool.maxPersistentPerHost = max((100 * CACHE_SIZE_FACTOR, 5))
pool.cachedConnectionTimeout = 2 * 60

# The default context factory in Twisted 14.0.0 (which we require) is
# BrowserLikePolicyForHTTPS which will do regular cert validation
# 'like a browser'
self.agent = ProxyAgent(
self.reactor,
connectTimeout=15,
Expand Down
2 changes: 1 addition & 1 deletion synapse/http/federation/matrix_federation_agent.py
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ class MatrixFederationAgent(object):
Args:
reactor (IReactor): twisted reactor to use for underlying requests
tls_client_options_factory (ClientTLSOptionsFactory|None):
tls_client_options_factory (FederationPolicyForHTTPS|None):
factory to use for fetching client tls options, or none to disable TLS.
_srv_resolver (SrvResolver|None):
Expand Down
4 changes: 3 additions & 1 deletion synapse/python_dependencies.py
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,9 @@
"frozendict>=1",
"unpaddedbase64>=1.1.0",
"canonicaljson>=1.1.3",
"signedjson>=1.0.0",
# Pin signedjson to 1.0.0 because this version of Synapse relies on a function that's
# been removed in 1.1.0. Hopefully, this will be fixed by the upcoming mainline merge.
"signedjson==1.0.0",
"pynacl>=1.2.1",
"idna>=2.5",
# validating SSL certs for IP addresses requires service_identity 18.1.
Expand Down
22 changes: 22 additions & 0 deletions synapse/replication/slave/storage/user_directory.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
# -*- coding: utf-8 -*-
# Copyright 2020 The Matrix.org Foundation C.I.C.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

from synapse.storage.user_directory import UserDirectoryStore

from ._base import BaseSlavedStore


class SlavedUserDirectoryStore(UserDirectoryStore, BaseSlavedStore):
pass
6 changes: 3 additions & 3 deletions synapse/server.py
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,6 @@
import os

from twisted.mail.smtp import sendmail
from twisted.web.client import BrowserLikePolicyForHTTPS

from synapse.api.auth import Auth
from synapse.api.filtering import Filtering
Expand All @@ -35,6 +34,7 @@
from synapse.appservice.scheduler import ApplicationServiceScheduler
from synapse.config.homeserver import HomeServerConfig
from synapse.crypto import context_factory
from synapse.crypto.context_factory import RegularPolicyForHTTPS
from synapse.crypto.keyring import Keyring
from synapse.events.builder import EventBuilderFactory
from synapse.events.spamcheck import SpamChecker
Expand Down Expand Up @@ -313,7 +313,7 @@ def build_http_client_context_factory(self):
return (
InsecureInterceptableContextFactory()
if self.config.use_insecure_ssl_client_just_for_testing_do_not_use
else BrowserLikePolicyForHTTPS()
else RegularPolicyForHTTPS()
)

def build_simple_http_client(self):
Expand Down Expand Up @@ -423,7 +423,7 @@ def build_pusherpool(self):
return PusherPool(self)

def build_http_client(self):
tls_client_options_factory = context_factory.ClientTLSOptionsFactory(
tls_client_options_factory = context_factory.FederationPolicyForHTTPS(
self.config
)
return MatrixFederationHttpClient(self, tls_client_options_factory)
Expand Down
8 changes: 4 additions & 4 deletions tests/config/test_tls.py
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@

from synapse.config._base import Config, RootConfig
from synapse.config.tls import ConfigError, TlsConfig
from synapse.crypto.context_factory import ClientTLSOptionsFactory
from synapse.crypto.context_factory import FederationPolicyForHTTPS

from tests.unittest import TestCase

Expand Down Expand Up @@ -180,7 +180,7 @@ def test_tls_client_minimum_set_passed_through_1_2(self):
t = TestConfig()
t.read_config(config, config_dir_path="", data_dir_path="")

cf = ClientTLSOptionsFactory(t)
cf = FederationPolicyForHTTPS(t)

# The context has had NO_TLSv1_1 and NO_TLSv1_0 set, but not NO_TLSv1_2
self.assertNotEqual(cf._verify_ssl._options & SSL.OP_NO_TLSv1, 0)
Expand All @@ -195,7 +195,7 @@ def test_tls_client_minimum_set_passed_through_1_0(self):
t = TestConfig()
t.read_config(config, config_dir_path="", data_dir_path="")

cf = ClientTLSOptionsFactory(t)
cf = FederationPolicyForHTTPS(t)

# The context has not had any of the NO_TLS set.
self.assertEqual(cf._verify_ssl._options & SSL.OP_NO_TLSv1, 0)
Expand Down Expand Up @@ -273,7 +273,7 @@ def test_whitelist_idna_result(self):
t = TestConfig()
t.read_config(config, config_dir_path="", data_dir_path="")

cf = ClientTLSOptionsFactory(t)
cf = FederationPolicyForHTTPS(t)

# Not in the whitelist
opts = cf.get_options(b"notexample.com")
Expand Down
12 changes: 7 additions & 5 deletions tests/http/federation/test_matrix_federation_agent.py
Original file line number Diff line number Diff line change
Expand Up @@ -31,8 +31,10 @@
from twisted.web.iweb import IPolicyForHTTPS

from synapse.config.homeserver import HomeServerConfig
from synapse.crypto.context_factory import ClientTLSOptionsFactory
from synapse.http.federation.matrix_federation_agent import MatrixFederationAgent
from synapse.crypto.context_factory import FederationPolicyForHTTPS
from synapse.http.federation.matrix_federation_agent import (
MatrixFederationAgent,
)
from synapse.http.federation.srv_resolver import Server
from synapse.http.federation.well_known_resolver import (
WellKnownResolver,
Expand Down Expand Up @@ -79,7 +81,7 @@ def setUp(self):
self._config = config = HomeServerConfig()
config.parse_config_dict(config_dict, "", "")

self.tls_factory = ClientTLSOptionsFactory(config)
self.tls_factory = FederationPolicyForHTTPS(config)

self.well_known_cache = TTLCache("test_cache", timer=self.reactor.seconds)
self.had_well_known_cache = TTLCache("test_cache", timer=self.reactor.seconds)
Expand All @@ -92,7 +94,7 @@ def setUp(self):

self.agent = MatrixFederationAgent(
reactor=self.reactor,
tls_client_options_factory=self.tls_factory,
tls_client_options_factory=FederationPolicyForHTTPS(config),
_srv_resolver=self.mock_resolver,
_well_known_resolver=self.well_known_resolver,
)
Expand Down Expand Up @@ -715,7 +717,7 @@ def test_get_well_known_unsigned_cert(self):
config = default_config("test", parse=True)

# Build a new agent and WellKnownResolver with a different tls factory
tls_factory = ClientTLSOptionsFactory(config)
tls_factory = FederationPolicyForHTTPS(config)
agent = MatrixFederationAgent(
reactor=self.reactor,
tls_client_options_factory=tls_factory,
Expand Down

0 comments on commit 83451da

Please sign in to comment.