From 591b75bee4acfbd4f9f6c523e03615557496ac43 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Wed, 20 Jan 2021 18:22:03 +0000 Subject: [PATCH 1/8] Add some type annotations to HttpServer interface --- synapse/http/server.py | 44 ++++++++++++++++++++++++++++++++++-------- tests/utils.py | 3 +-- 2 files changed, 37 insertions(+), 10 deletions(-) diff --git a/synapse/http/server.py b/synapse/http/server.py index e464bfe6c715..d69d579b3a39 100644 --- a/synapse/http/server.py +++ b/synapse/http/server.py @@ -22,10 +22,22 @@ import urllib from http import HTTPStatus from io import BytesIO -from typing import Any, Callable, Dict, Iterator, List, Tuple, Union +from typing import ( + Any, + Awaitable, + Callable, + Dict, + Iterable, + Iterator, + List, + Pattern, + Tuple, + Union, +) import jinja2 from canonicaljson import iterencode_canonical_json +from typing_extensions import Protocol from zope.interface import implementer from twisted.internet import defer, interfaces @@ -168,11 +180,25 @@ async def wrapped_async_request_handler(self, request): return preserve_fn(wrapped_async_request_handler) -class HttpServer: +# Type of a callback method for processing requests +# it is actually called with a SynapseRequest and a kwargs dict for the params, +# but I can't figure out how to represent that. +ServletCallback = Callable[ + ..., Union[None, Awaitable[None], Tuple[int, Any], Awaitable[Tuple[int, Any]]] +] + + +class HttpServer(Protocol): """ Interface for registering callbacks on a HTTP server """ - def register_paths(self, method, path_patterns, callback): + def register_paths( + self, + method: str, + path_patterns: Iterable[Pattern], + callback: ServletCallback, + servlet_classname: str, + ) -> None: """ Register a callback that gets fired if we receive a http request with the given method for a path that matches the given regex. @@ -180,12 +206,14 @@ def register_paths(self, method, path_patterns, callback): an unpacked tuple. Args: - method (str): The method to listen to. - path_patterns (list): The regex used to match requests. - callback (function): The function to fire if we receive a matched + method: The HTTP method to listen to. + path_patterns: The regex used to match requests. + callback: The function to fire if we receive a matched request. The first argument will be the request object and subsequent arguments will be any matched groups from the regex. - This should return a tuple of (code, response). + This should return either tuple of (code, response), or None. + servlet_classname (str): The name of the handler to be used in prometheus + and opentracing logs. """ pass @@ -354,7 +382,7 @@ def register_paths(self, method, path_patterns, callback, servlet_classname): def _get_handler_for_request( self, request: SynapseRequest - ) -> Tuple[Callable, str, Dict[str, str]]: + ) -> Tuple[ServletCallback, str, Dict[str, str]]: """Finds a callback method to handle the given request. Returns: diff --git a/tests/utils.py b/tests/utils.py index 09614093bcb8..022223cf24ba 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -33,7 +33,6 @@ from synapse.config.database import DatabaseConnectionConfig from synapse.config.homeserver import HomeServerConfig from synapse.config.server import DEFAULT_ROOM_VERSION -from synapse.http.server import HttpServer from synapse.logging.context import current_context, set_current_context from synapse.server import HomeServer from synapse.storage import DataStore @@ -351,7 +350,7 @@ def getRawHeaders(name, default=None): # This is a mock /resource/ not an entire server -class MockHttpResource(HttpServer): +class MockHttpResource: def __init__(self, prefix=""): self.callbacks = [] # 3-tuple of method/pattern/function self.prefix = prefix From 6daa63ab750ecadef2312e05af06f9cefe5e9b01 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Wed, 20 Jan 2021 18:20:50 +0000 Subject: [PATCH 2/8] Advertise identity providers for login, per MSC2858. --- synapse/config/sso.py | 5 +++ synapse/rest/client/v1/login.py | 29 ++++++++++++++-- tests/rest/client/v1/test_login.py | 55 ++++++++++++++++++++++++++++++ 3 files changed, 87 insertions(+), 2 deletions(-) diff --git a/synapse/config/sso.py b/synapse/config/sso.py index 59be825532f5..b9047f242774 100644 --- a/synapse/config/sso.py +++ b/synapse/config/sso.py @@ -67,6 +67,11 @@ def read_config(self, config, **kwargs): login_fallback_url = self.public_baseurl + "_matrix/static/client/login" self.sso_client_whitelist.append(login_fallback_url) + # experimental support for MSC2858 (multiple SSO identity providers) + self.experimental_msc2858_support_enabled = config.get( + "experimental_msc2858_support_enabled", False + ) + def generate_config_section(self, **kwargs): return """\ # Additional settings to use with single-sign on systems such as OpenID Connect, diff --git a/synapse/rest/client/v1/login.py b/synapse/rest/client/v1/login.py index be938df962f4..84eb356cb075 100644 --- a/synapse/rest/client/v1/login.py +++ b/synapse/rest/client/v1/login.py @@ -19,6 +19,7 @@ from synapse.api.errors import Codes, LoginError, SynapseError from synapse.api.ratelimiting import Ratelimiter from synapse.appservice import ApplicationService +from synapse.handlers.sso import SsoIdentityProvider from synapse.http.server import finish_request from synapse.http.servlet import ( RestServlet, @@ -60,11 +61,14 @@ def __init__(self, hs: "HomeServer"): self.saml2_enabled = hs.config.saml2_enabled self.cas_enabled = hs.config.cas_enabled self.oidc_enabled = hs.config.oidc_enabled + self._msc2858_enabled = hs.config.sso.experimental_msc2858_support_enabled self.auth = hs.get_auth() self.auth_handler = self.hs.get_auth_handler() self.registration_handler = hs.get_registration_handler() + self._sso_handler = hs.get_sso_handler() + self._well_known_builder = WellKnownBuilder(hs) self._address_ratelimiter = Ratelimiter( clock=hs.get_clock(), @@ -89,8 +93,17 @@ def on_GET(self, request: SynapseRequest): flows.append({"type": LoginRestServlet.CAS_TYPE}) if self.cas_enabled or self.saml2_enabled or self.oidc_enabled: - flows.append({"type": LoginRestServlet.SSO_TYPE}) - # While its valid for us to advertise this login type generally, + sso_flow = {"type": LoginRestServlet.SSO_TYPE} # type: JsonDict + + if self._msc2858_enabled: + sso_flow["org.matrix.msc2858.identity_providers"] = [ + _get_auth_flow_dict_for_idp(idp) + for idp in self._sso_handler.get_identity_providers().values() + ] + + flows.append(sso_flow) + + # While it's valid for us to advertise this login type generally, # synapse currently only gives out these tokens as part of the # SSO login flow. # Generally we don't want to advertise login flows that clients @@ -311,6 +324,18 @@ async def _do_jwt_login(self, login_submission: JsonDict) -> Dict[str, str]: return result +def _get_auth_flow_dict_for_idp(idp: SsoIdentityProvider) -> JsonDict: + """Return an entry for the login flow dict + + Returns an entry suitable for inclusion in "identity_providers" in the + response to GET /_matrix/client/r0/login + """ + e = {"id": idp.idp_id, "name": idp.idp_name} # type: JsonDict + if idp.idp_icon: + e["icon"] = idp.idp_icon + return e + + class SsoRedirectServlet(RestServlet): PATTERNS = client_patterns("/login/(cas|sso)/redirect", v1=True) diff --git a/tests/rest/client/v1/test_login.py b/tests/rest/client/v1/test_login.py index 2672ce24c62c..ddbbf0bc7908 100644 --- a/tests/rest/client/v1/test_login.py +++ b/tests/rest/client/v1/test_login.py @@ -75,6 +75,10 @@ # the query params in TEST_CLIENT_REDIRECT_URL EXPECTED_CLIENT_REDIRECT_URL_PARAMS = [("", ""), ('q" =+"', '"fö&=o"')] +# (possibly experimental) login flows we expect to appear in the list after the normal +# ones +ADDITIONAL_LOGIN_FLOWS = [{"type": "uk.half-shot.msc2778.login.application_service"}] + class LoginRestServletTestCase(unittest.HomeserverTestCase): @@ -426,6 +430,57 @@ def create_resource_dict(self) -> Dict[str, Resource]: d["/_synapse/oidc"] = OIDCResource(self.hs) return d + def test_get_login_flows(self): + """GET /login should return password and SSO flows""" + channel = self.make_request("GET", "/_matrix/client/r0/login") + self.assertEqual(channel.code, 200, channel.result) + + expected_flows = [ + {"type": "m.login.cas"}, + {"type": "m.login.sso"}, + {"type": "m.login.token"}, + {"type": "m.login.password"}, + ] + ADDITIONAL_LOGIN_FLOWS + + self.assertCountEqual(channel.json_body["flows"], expected_flows) + + @override_config({"experimental_msc2858_support_enabled": True}) + def test_get_msc2858_login_flows(self): + """The SSO flow should include IdP info if MSC2858 is enabled""" + channel = self.make_request("GET", "/_matrix/client/r0/login") + self.assertEqual(channel.code, 200, channel.result) + + # stick the flows results in a dict by type + flow_results = {} + for f in channel.json_body["flows"]: + flow_type = f["type"] + self.assertNotIn( + flow_type, flow_results, "duplicate flow type %s" % (flow_type,) + ) + flow_results[flow_type] = f + + self.assertIn("m.login.sso", flow_results, "m.login.sso was not returned") + sso_flow = flow_results.pop("m.login.sso") + # we should have a set of IdPs + self.assertCountEqual( + sso_flow["org.matrix.msc2858.identity_providers"], + [ + {"id": "cas", "name": "CAS"}, + {"id": "saml", "name": "SAML"}, + {"id": "oidc-idp1", "name": "IDP1"}, + {"id": "oidc", "name": "OIDC"}, + ], + ) + + # the rest of the flows are simple + expected_flows = [ + {"type": "m.login.cas"}, + {"type": "m.login.token"}, + {"type": "m.login.password"}, + ] + ADDITIONAL_LOGIN_FLOWS + + self.assertCountEqual(flow_results.values(), expected_flows) + def test_multi_sso_redirect(self): """/login/sso/redirect should redirect to an identity picker""" # first hit the redirect url, which should redirect to our idp picker From 8158d2c0a63a3548555a0027667fa8cdb0ab11a6 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Wed, 20 Jan 2021 18:31:05 +0000 Subject: [PATCH 3/8] Allow clients to pick an IdP per MSC2858 --- synapse/handlers/sso.py | 23 +++++++++++++++---- synapse/rest/client/v1/login.py | 26 +++++++++++++++++---- tests/rest/client/v1/test_login.py | 37 ++++++++++++++++++++++++++++++ 3 files changed, 77 insertions(+), 9 deletions(-) diff --git a/synapse/handlers/sso.py b/synapse/handlers/sso.py index d493327a10d8..afc1341d0947 100644 --- a/synapse/handlers/sso.py +++ b/synapse/handlers/sso.py @@ -23,7 +23,7 @@ from twisted.web.http import Request from synapse.api.constants import LoginType -from synapse.api.errors import Codes, RedirectException, SynapseError +from synapse.api.errors import Codes, NotFoundError, RedirectException, SynapseError from synapse.handlers.ui_auth import UIAuthSessionDataConstants from synapse.http import get_request_user_agent from synapse.http.server import respond_with_html @@ -235,7 +235,10 @@ def render_error( respond_with_html(request, code, html) async def handle_redirect_request( - self, request: SynapseRequest, client_redirect_url: bytes, + self, + request: SynapseRequest, + client_redirect_url: bytes, + idp_id: Optional[str], ) -> str: """Handle a request to /login/sso/redirect @@ -243,6 +246,7 @@ async def handle_redirect_request( request: incoming HTTP request client_redirect_url: the URL that we should redirect the client to after login. + idp_id: optional identity provider chosen by the client Returns: the URI to redirect to @@ -252,10 +256,19 @@ async def handle_redirect_request( 400, "Homeserver not configured for SSO.", errcode=Codes.UNRECOGNIZED ) + # if the client chose an IdP, use that + idp = None # type: Optional[SsoIdentityProvider] + if idp_id: + idp = self._identity_providers.get(idp_id) + if not idp: + raise NotFoundError("Unknown identity provider") + # if we only have one auth provider, redirect to it directly - if len(self._identity_providers) == 1: - ap = next(iter(self._identity_providers.values())) - return await ap.handle_redirect_request(request, client_redirect_url) + elif len(self._identity_providers) == 1: + idp = next(iter(self._identity_providers.values())) + + if idp: + return await idp.handle_redirect_request(request, client_redirect_url) # otherwise, redirect to the IDP picker return "/_synapse/client/pick_idp?" + urlencode( diff --git a/synapse/rest/client/v1/login.py b/synapse/rest/client/v1/login.py index 84eb356cb075..9b27f8d89c6b 100644 --- a/synapse/rest/client/v1/login.py +++ b/synapse/rest/client/v1/login.py @@ -20,7 +20,7 @@ from synapse.api.ratelimiting import Ratelimiter from synapse.appservice import ApplicationService from synapse.handlers.sso import SsoIdentityProvider -from synapse.http.server import finish_request +from synapse.http.server import HttpServer, finish_request from synapse.http.servlet import ( RestServlet, parse_json_object_from_request, @@ -337,7 +337,7 @@ def _get_auth_flow_dict_for_idp(idp: SsoIdentityProvider) -> JsonDict: class SsoRedirectServlet(RestServlet): - PATTERNS = client_patterns("/login/(cas|sso)/redirect", v1=True) + PATTERNS = client_patterns("/login/(cas|sso)/redirect$", v1=True) def __init__(self, hs: "HomeServer"): # make sure that the relevant handlers are instantiated, so that they @@ -349,13 +349,31 @@ def __init__(self, hs: "HomeServer"): if hs.config.oidc_enabled: hs.get_oidc_handler() self._sso_handler = hs.get_sso_handler() + self._msc2858_enabled = hs.config.sso.experimental_msc2858_support_enabled + + def register(self, http_server: HttpServer) -> None: + super().register(http_server) + if self._msc2858_enabled: + # expose additional endpoint for MSC2858 support + http_server.register_paths( + "GET", + client_patterns( + "/org.matrix.msc2858/login/sso/redirect/(?P[A-Za-z0-9_.~-]+)$", + releases=(), + unstable=True, + ), + self.on_GET, + self.__class__.__name__, + ) - async def on_GET(self, request: SynapseRequest): + async def on_GET( + self, request: SynapseRequest, idp_id: Optional[str] = None + ) -> None: client_redirect_url = parse_string( request, "redirectUrl", required=True, encoding=None ) sso_url = await self._sso_handler.handle_redirect_request( - request, client_redirect_url + request, client_redirect_url, idp_id, ) logger.info("Redirecting to %s", sso_url) request.redirect(sso_url) diff --git a/tests/rest/client/v1/test_login.py b/tests/rest/client/v1/test_login.py index ddbbf0bc7908..e115ffb50329 100644 --- a/tests/rest/client/v1/test_login.py +++ b/tests/rest/client/v1/test_login.py @@ -619,6 +619,43 @@ def test_multi_sso_redirect_to_unknown(self): ) self.assertEqual(channel.code, 400, channel.result) + def test_client_idp_redirect_msc2858_disabled(self): + """If the client tries to pick an IdP but MSC2858 is disabled, return a 400""" + channel = self.make_request( + "GET", + "/_matrix/client/unstable/org.matrix.msc2858/login/sso/redirect/oidc?redirectUrl=" + + urllib.parse.quote_plus(TEST_CLIENT_REDIRECT_URL), + ) + self.assertEqual(channel.code, 400, channel.result) + self.assertEqual(channel.json_body["errcode"], "M_UNRECOGNIZED") + + @override_config({"experimental_msc2858_support_enabled": True}) + def test_client_idp_redirect_to_unknown(self): + """If the client tries to pick an unknown IdP, return a 404""" + channel = self.make_request( + "GET", + "/_matrix/client/unstable/org.matrix.msc2858/login/sso/redirect/xxx?redirectUrl=" + + urllib.parse.quote_plus(TEST_CLIENT_REDIRECT_URL), + ) + self.assertEqual(channel.code, 404, channel.result) + self.assertEqual(channel.json_body["errcode"], "M_NOT_FOUND") + + @override_config({"experimental_msc2858_support_enabled": True}) + def test_client_idp_redirect_to_oidc(self): + """If the client pick a known IdP, redirect to it""" + channel = self.make_request( + "GET", + "/_matrix/client/unstable/org.matrix.msc2858/login/sso/redirect/oidc?redirectUrl=" + + urllib.parse.quote_plus(TEST_CLIENT_REDIRECT_URL), + ) + + self.assertEqual(channel.code, 302, channel.result) + oidc_uri = channel.headers.getRawHeaders("Location")[0] + oidc_uri_path, oidc_uri_query = oidc_uri.split("?", 1) + + # it should redirect us to the auth page of the OIDC server + self.assertEqual(oidc_uri_path, TEST_OIDC_AUTH_ENDPOINT) + @staticmethod def _get_value_from_macaroon(macaroon: pymacaroons.Macaroon, key: str) -> str: prefix = key + " = " From 5c0db41054c458685d3ec310a44d343fca9bbbd0 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Wed, 20 Jan 2021 18:42:52 +0000 Subject: [PATCH 4/8] changelog --- changelog.d/9183.feature | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/9183.feature diff --git a/changelog.d/9183.feature b/changelog.d/9183.feature new file mode 100644 index 000000000000..408bb04bb9d0 --- /dev/null +++ b/changelog.d/9183.feature @@ -0,0 +1 @@ +Add support for allowing clients to pick an SSO Identity Provider ([MSC2858](https://github.com/matrix-org/matrix-doc/pull/2858). From ad6ebf30019e0a61a52f47d5938a2ce6199ba2c0 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Tue, 26 Jan 2021 10:12:17 +0000 Subject: [PATCH 5/8] Fix mypy fail --- tests/rest/client/v1/test_login.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/rest/client/v1/test_login.py b/tests/rest/client/v1/test_login.py index e115ffb50329..34e2bdb62147 100644 --- a/tests/rest/client/v1/test_login.py +++ b/tests/rest/client/v1/test_login.py @@ -451,7 +451,7 @@ def test_get_msc2858_login_flows(self): self.assertEqual(channel.code, 200, channel.result) # stick the flows results in a dict by type - flow_results = {} + flow_results = {} # type: Dict[str, Any] for f in channel.json_body["flows"]: flow_type = f["type"] self.assertNotIn( From b587fd00a0f3d47e9b2dcad1ad6f42901651a17b Mon Sep 17 00:00:00 2001 From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> Date: Tue, 26 Jan 2021 17:45:37 +0000 Subject: [PATCH 6/8] Update changelog.d/9183.feature Co-authored-by: Erik Johnston --- changelog.d/9183.feature | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog.d/9183.feature b/changelog.d/9183.feature index 408bb04bb9d0..2d5c7350422a 100644 --- a/changelog.d/9183.feature +++ b/changelog.d/9183.feature @@ -1 +1 @@ -Add support for allowing clients to pick an SSO Identity Provider ([MSC2858](https://github.com/matrix-org/matrix-doc/pull/2858). +Add experimental support for allowing clients to pick an SSO Identity Provider ([MSC2858](https://github.com/matrix-org/matrix-doc/pull/2858). From 25939d207867a690cbd157fa708086ce8bd6aa41 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Tue, 26 Jan 2021 18:11:47 +0000 Subject: [PATCH 7/8] Move msc2858 to an `experimental` config section --- synapse/config/_base.pyi | 2 ++ synapse/config/experimental.py | 33 ++++++++++++++++++++++++++++++ synapse/config/homeserver.py | 2 ++ synapse/config/sso.py | 5 ----- synapse/rest/client/v1/login.py | 4 ++-- tests/rest/client/v1/test_login.py | 6 +++--- 6 files changed, 42 insertions(+), 10 deletions(-) create mode 100644 synapse/config/experimental.py diff --git a/synapse/config/_base.pyi b/synapse/config/_base.pyi index 29aa064e571b..3ccea4b02d5e 100644 --- a/synapse/config/_base.pyi +++ b/synapse/config/_base.pyi @@ -9,6 +9,7 @@ from synapse.config import ( consent_config, database, emailconfig, + experimental, groups, jwt_config, key, @@ -48,6 +49,7 @@ def path_exists(file_path: str): ... class RootConfig: server: server.ServerConfig + experimental: experimental.ExperimentalConfig tls: tls.TlsConfig database: database.DatabaseConfig logging: logger.LoggingConfig diff --git a/synapse/config/experimental.py b/synapse/config/experimental.py new file mode 100644 index 000000000000..c4d67c9a4c42 --- /dev/null +++ b/synapse/config/experimental.py @@ -0,0 +1,33 @@ +# -*- coding: utf-8 -*- +# Copyright 2021 The Matrix.org Foundation C.I.C. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from synapse.config._base import Config +from synapse.types import JsonDict + + +class ExperimentalConfig(Config): + """Config section for enabling experimental features""" + + section = "experimental" + + # MSC2858 (multiple SSO identity providers) + msc2858_enabled = False + + def read_config(self, config: JsonDict, **kwargs): + experimental = config.get("experimental_features") + if not experimental: + return + + self.msc2858_enabled = experimental.get("msc2858_enabled", False) diff --git a/synapse/config/homeserver.py b/synapse/config/homeserver.py index 4bd2b3587b17..64a2429f7787 100644 --- a/synapse/config/homeserver.py +++ b/synapse/config/homeserver.py @@ -24,6 +24,7 @@ from .consent_config import ConsentConfig from .database import DatabaseConfig from .emailconfig import EmailConfig +from .experimental import ExperimentalConfig from .federation import FederationConfig from .groups import GroupsConfig from .jwt_config import JWTConfig @@ -57,6 +58,7 @@ class HomeServerConfig(RootConfig): config_classes = [ ServerConfig, + ExperimentalConfig, TlsConfig, FederationConfig, CacheConfig, diff --git a/synapse/config/sso.py b/synapse/config/sso.py index b9047f242774..59be825532f5 100644 --- a/synapse/config/sso.py +++ b/synapse/config/sso.py @@ -67,11 +67,6 @@ def read_config(self, config, **kwargs): login_fallback_url = self.public_baseurl + "_matrix/static/client/login" self.sso_client_whitelist.append(login_fallback_url) - # experimental support for MSC2858 (multiple SSO identity providers) - self.experimental_msc2858_support_enabled = config.get( - "experimental_msc2858_support_enabled", False - ) - def generate_config_section(self, **kwargs): return """\ # Additional settings to use with single-sign on systems such as OpenID Connect, diff --git a/synapse/rest/client/v1/login.py b/synapse/rest/client/v1/login.py index 9b27f8d89c6b..0a561eea601a 100644 --- a/synapse/rest/client/v1/login.py +++ b/synapse/rest/client/v1/login.py @@ -61,7 +61,7 @@ def __init__(self, hs: "HomeServer"): self.saml2_enabled = hs.config.saml2_enabled self.cas_enabled = hs.config.cas_enabled self.oidc_enabled = hs.config.oidc_enabled - self._msc2858_enabled = hs.config.sso.experimental_msc2858_support_enabled + self._msc2858_enabled = hs.config.experimental.msc2858_enabled self.auth = hs.get_auth() @@ -349,7 +349,7 @@ def __init__(self, hs: "HomeServer"): if hs.config.oidc_enabled: hs.get_oidc_handler() self._sso_handler = hs.get_sso_handler() - self._msc2858_enabled = hs.config.sso.experimental_msc2858_support_enabled + self._msc2858_enabled = hs.config.experimental.msc2858_enabled def register(self, http_server: HttpServer) -> None: super().register(http_server) diff --git a/tests/rest/client/v1/test_login.py b/tests/rest/client/v1/test_login.py index 34e2bdb62147..e2bb945453dd 100644 --- a/tests/rest/client/v1/test_login.py +++ b/tests/rest/client/v1/test_login.py @@ -444,7 +444,7 @@ def test_get_login_flows(self): self.assertCountEqual(channel.json_body["flows"], expected_flows) - @override_config({"experimental_msc2858_support_enabled": True}) + @override_config({"experimental_features": {"msc2858_enabled": True}}) def test_get_msc2858_login_flows(self): """The SSO flow should include IdP info if MSC2858 is enabled""" channel = self.make_request("GET", "/_matrix/client/r0/login") @@ -629,7 +629,7 @@ def test_client_idp_redirect_msc2858_disabled(self): self.assertEqual(channel.code, 400, channel.result) self.assertEqual(channel.json_body["errcode"], "M_UNRECOGNIZED") - @override_config({"experimental_msc2858_support_enabled": True}) + @override_config({"experimental_features": {"msc2858_enabled": True}}) def test_client_idp_redirect_to_unknown(self): """If the client tries to pick an unknown IdP, return a 404""" channel = self.make_request( @@ -640,7 +640,7 @@ def test_client_idp_redirect_to_unknown(self): self.assertEqual(channel.code, 404, channel.result) self.assertEqual(channel.json_body["errcode"], "M_NOT_FOUND") - @override_config({"experimental_msc2858_support_enabled": True}) + @override_config({"experimental_features": {"msc2858_enabled": True}}) def test_client_idp_redirect_to_oidc(self): """If the client pick a known IdP, redirect to it""" channel = self.make_request( From 0ba5153d319f3b89bb741f9d6e00434df77c40af Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Wed, 27 Jan 2021 11:35:21 +0000 Subject: [PATCH 8/8] switch around ExperimentalConfig logic --- synapse/config/experimental.py | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/synapse/config/experimental.py b/synapse/config/experimental.py index c4d67c9a4c42..b1c1c51e4dcc 100644 --- a/synapse/config/experimental.py +++ b/synapse/config/experimental.py @@ -22,12 +22,8 @@ class ExperimentalConfig(Config): section = "experimental" - # MSC2858 (multiple SSO identity providers) - msc2858_enabled = False - def read_config(self, config: JsonDict, **kwargs): - experimental = config.get("experimental_features") - if not experimental: - return + experimental = config.get("experimental_features") or {} - self.msc2858_enabled = experimental.get("msc2858_enabled", False) + # MSC2858 (multiple SSO identity providers) + self.msc2858_enabled = experimental.get("msc2858_enabled", False) # type: bool