-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Add configuration setting for CAS protocol version #15816
Conversation
Manage configuration for CAS protocol version.
Manage configuration for CAS protocol version.
Update documentation
I made a new pull request, taking into account Clokep's comment. I've added the possibility of configuring the CAS protocol version and, in the case of version 3, the CAS ticket validation url is modified to allow CAS attributes to be retrieved, which is not possible with version 2. It solve this issue : #15807 Old PR : #15811 |
Add end dot
@@ -0,0 +1 @@ | |||
Add configuration setting for CAS protocol version. Contributed by Aurélien Grimpard. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Helpful docs for anyone looking at this: https://github.com/matrix-org/synapse/blob/d53547352063c3e66302f7bdc40d7ac7270e605c/docs/development/cas.md
@@ -120,7 +121,10 @@ async def _validate_ticket( | |||
Returns: | |||
The parsed CAS response. | |||
""" | |||
uri = self._cas_server_url + "/proxyValidate" | |||
if self._cas_protocol_version == 3: | |||
uri = self._cas_server_url + "/p3/proxyValidate" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems legit -> spec docs for CAS protocol version 3: https://apereo.github.io/cas/6.6.x/protocol/CAS-Protocol-Specification.html#29-p3proxyvalidate-cas-30
2.9. /p3/proxyValidate [CAS 3.0]
/p3/proxyValidate
MUST perform the same validation tasks as/p3/serviceValidate
and additionally validate proxy tickets. See Section 2.8.
2.8. /p3/serviceValidate [CAS 3.0]
/p3/serviceValidate
MUST perform the same validation tasks as /serviceValidate and additionally return user attributes in the CAS response. See Section 2.5 and Section 2.5.7 for details.
2.5.7 Example response with custom attributes
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas"> <cas:authenticationSuccess> <cas:user>username</cas:user> <cas:attributes> <cas:firstname>John</cas:firstname> <cas:lastname>Doe</cas:lastname> <cas:title>Mr.</cas:title> <cas:email>jdoe@example.org</cas:email> <cas:affiliation>staff</cas:affiliation> <cas:affiliation>faculty</cas:affiliation> </cas:attributes> <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket> </cas:authenticationSuccess> </cas:serviceResponse>
@agrimpard Are you interested in finishing this up? |
I'm sorry i'm a bit new there, what should be done ? I'm interested to have this PR in prod :) |
There's a comment left above which needs to be handled: #15816 (comment) You should be able to just push additional commits to this branch (or perhaps just commit what was suggested via the GitHub UI, if you agree with it). |
Co-authored-by: Eric Eastwood <madlittlemods@gmail.com>
Co-authored-by: Patrick Cloke <clokep@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good if CI is happy! 👍 Thanks for sticking w/ this.
Thanks for your contribution! 🎉 It should be part of Synapse 1.92.0. |
- Add configuration setting for CAS protocol version. Contributed by Aurélien Grimpard. ([\#15816](#15816)) - Suppress notifications from message edits per [MSC3958](matrix-org/matrix-spec-proposals#3958). ([\#16113](#16113)) - Return a `Retry-After` with `M_LIMIT_EXCEEDED` error responses. ([\#16136](#16136)) - Add `last_seen_ts` to the [admin users API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html). ([\#16218](#16218)) - Improve resource usage when sending data to a large number of remote hosts that are marked as "down". ([\#16223](#16223)) - Fix IPv6-related bugs on SMTP settings, adding groundwork to fix similar issues. Contributed by @evilham and @telmich (ungleich.ch). ([\#16155](#16155)) - Fix a spec compliance issue where requests to the `/publicRooms` federation API would specify `include_all_networks` as a string. ([\#16185](#16185)) - Fix inaccurate error message while attempting to ban or unban a user with the same or higher PL by spliting the conditional statements. Contributed by @leviosacz. ([\#16205](#16205)) - Fix a rare bug that broke looping calls, which could lead to e.g. linearly increasing memory usage. Introduced in v1.90.0. ([\#16210](#16210)) - Fix a long-standing bug where uploading images would fail if we could not generate thumbnails for them. ([\#16211](#16211)) - Fix a long-standing bug where we did not correctly back off from servers that had "gone" if they returned 4xx series error codes. ([\#16221](#16221)) - Update links to the [matrix.org blog](https://matrix.org/blog/). ([\#16008](#16008)) - Document which [admin APIs](https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/index.html) are disabled when experimental [MSC3861](matrix-org/matrix-spec-proposals#3861) support is enabled. ([\#16168](#16168)) - Document [`exclude_rooms_from_sync`](https://matrix-org.github.io/synapse/v1.92/usage/configuration/config_documentation.html#exclude_rooms_from_sync) configuration option. ([\#16178](#16178)) - Prepare unit tests for Python 3.12. ([\#16099](#16099)) - Fix nightly CI jobs. ([\#16121](#16121), [\#16213](#16213)) - Describe which rate limiter was hit in logs. ([\#16135](#16135)) - Simplify presence code when using workers. ([\#16170](#16170)) - Track per-device information in the presence code. ([\#16171](#16171), [\#16172](#16172)) - Stop using the `event_txn_id` table. ([\#16175](#16175)) - Use `AsyncMock` instead of custom code. ([\#16179](#16179), [\#16180](#16180)) - Improve error reporting of invalid data passed to `/_matrix/key/v2/query`. ([\#16183](#16183)) - Task scheduler: add replication notify for new task to launch ASAP. ([\#16184](#16184)) - Improve type hints. ([\#16186](#16186), [\#16188](#16188), [\#16201](#16201)) - Bump black version to 23.7.0. ([\#16187](#16187)) - Log the details of background update failures. ([\#16212](#16212)) - Cache device resync requests over replication. ([\#16241](#16241)) * Bump anyhow from 1.0.72 to 1.0.75. ([\#16141](#16141)) * Bump furo from 2023.7.26 to 2023.8.19. ([\#16238](#16238)) * Bump phonenumbers from 8.13.18 to 8.13.19. ([\#16237](#16237)) * Bump psycopg2 from 2.9.6 to 2.9.7. ([\#16196](#16196)) * Bump regex from 1.9.3 to 1.9.4. ([\#16195](#16195)) * Bump ruff from 0.0.277 to 0.0.286. ([\#16198](#16198)) * Bump sentry-sdk from 1.29.2 to 1.30.0. ([\#16236](#16236)) * Bump serde from 1.0.184 to 1.0.188. ([\#16194](#16194)) * Bump serde_json from 1.0.104 to 1.0.105. ([\#16140](#16140)) * Bump types-psycopg2 from 2.9.21.10 to 2.9.21.11. ([\#16200](#16200)) * Bump types-pyyaml from 6.0.12.10 to 6.0.12.11. ([\#16199](#16199))
Add configuration setting for CAS protocol version
I made a new pull request, taking into account Clokep's comment. I've added the possibility of configuring the CAS protocol version and, in the case of version 3, the CAS ticket validation url is modified to allow CAS attributes to be retrieved, which is not possible with version 2.
Fix #15807
Old PR : #15811
Pull Request Checklist
EventStore
toEventWorkerStore
.".code blocks
.(run the linters)
Signed-off-by: Aurélien Grimpard aurelien@grimpard.net