
Introduce config to restrict user capabilities

This commit is contained in:
Quentin Gliech
2024-03-29 12:52:11 +01:00
parent 4d1b6aeded
commit 90080235da
5 changed files with 45 additions and 1 deletions


@@ -135,6 +135,10 @@ pub fn site_config_from_config(
password_login_enabled: password_config.enabled(), password_login_enabled: password_config.enabled(),
password_registration_enabled: password_config.enabled() password_registration_enabled: password_config.enabled()
&& experimental_config.password_registration_enabled, && experimental_config.password_registration_enabled,
email_change_allowed: experimental_config.email_change_allowed,
displayname_change_allowed: experimental_config.displayname_change_allowed,
password_change_allowed: password_config.enabled()
&& experimental_config.password_change_allowed,
} }
} }
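Review bot: Nothing in this commit consumes the three new SiteConfig fields — the five files changed are this mapping, the config struct, SiteConfig, the test fixture and the generated schema — so as far as the diff shows, an operator who sets `email_change_allowed: false` gets a restriction that is accepted and plumbed but not yet enforced by any handler. Either the enforcement should land with it or the option docs should say the flag is not honoured yet, otherwise the config gives a false sense of restriction. The masking `password_change_allowed: password_config.enabled() && experimental_config.password_change_allowed` is consistent with `password_registration_enabled` two lines above and is the right shape for any further password-related flag. site_config_from_config starts outside the hunk.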


@@ -1,4 +1,4 @@
// Copyright 2023 The Matrix.org Foundation C.I.C. // Copyright 2023, 2024 The Matrix.org Foundation C.I.C.
// //
// Licensed under the Apache License, Version 2.0 (the "License"); // Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License. // you may not use this file except in compliance with the License.
@@ -40,6 +40,7 @@ const fn is_default_true(value: &bool) -> bool {
/// ///
/// Do not change these options unless you know what you are doing. /// Do not change these options unless you know what you are doing.
#[serde_as] #[serde_as]
#[allow(clippy::struct_excessive_bools)]
#[derive(Clone, Debug, Deserialize, JsonSchema, Serialize)] #[derive(Clone, Debug, Deserialize, JsonSchema, Serialize)]
pub struct ExperimentalConfig { pub struct ExperimentalConfig {
/// Time-to-live of access tokens in seconds. Defaults to 5 minutes. /// Time-to-live of access tokens in seconds. Defaults to 5 minutes.
@@ -65,6 +66,20 @@ pub struct ExperimentalConfig {
/// if password authentication is enabled. /// if password authentication is enabled.
#[serde(default = "default_true", skip_serializing_if = "is_default_true")] #[serde(default = "default_true", skip_serializing_if = "is_default_true")]
pub password_registration_enabled: bool, pub password_registration_enabled: bool,
/// Whether users are allowed to change their email addresses. Defaults to
/// `true`.
#[serde(default = "default_true", skip_serializing_if = "is_default_true")]
pub email_change_allowed: bool,
/// Whether users are allowed to change their display names. Defaults to
/// `true`.
#[serde(default = "default_true", skip_serializing_if = "is_default_true")]
pub displayname_change_allowed: bool,
/// Whether users are allowed to change their passwords. Defaults to `true`.
#[serde(default = "default_true", skip_serializing_if = "is_default_true")]
pub password_change_allowed: bool,
} }
impl Default for ExperimentalConfig { impl Default for ExperimentalConfig {
@@ -73,6 +88,9 @@ impl Default for ExperimentalConfig {
access_token_ttl: default_token_ttl(), access_token_ttl: default_token_ttl(),
compat_token_ttl: default_token_ttl(), compat_token_ttl: default_token_ttl(),
password_registration_enabled: default_true(), password_registration_enabled: default_true(),
email_change_allowed: default_true(),
displayname_change_allowed: default_true(),
password_change_allowed: default_true(),
} }
} }
} }
@@ -82,6 +100,9 @@ impl ExperimentalConfig {
is_default_token_ttl(&self.access_token_ttl) is_default_token_ttl(&self.access_token_ttl)
&& is_default_token_ttl(&self.compat_token_ttl) && is_default_token_ttl(&self.compat_token_ttl)
&& is_default_true(&self.password_registration_enabled) && is_default_true(&self.password_registration_enabled)
&& is_default_true(&self.email_change_allowed)
&& is_default_true(&self.displayname_change_allowed)
&& is_default_true(&self.password_change_allowed)
} }
} }
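Review bot: The doc comment on `password_change_allowed` in the `@@ -65,6 +66,20 @@` hunk says only that it defaults to `true`, but site_config_from_config ANDs it with `password_config.enabled()`, so the flag has no effect unless password authentication is enabled; the sibling `password_registration_enabled` doc states exactly that condition. Suggest wording it the same way: "Whether users are allowed to change their passwords. Defaults to `true` if password authentication is enabled." The generated schema description in the last file section mirrors these comments, so it needs regenerating after the edit. Separately, these are operator-facing policy toggles rather than tuning knobs, and they now sit under a struct whose header reads "Do not change these options unless you know what you are doing" — worth checking whether that warning still fits the struct as a whole.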


@@ -17,6 +17,7 @@ use mas_templates::{SiteBranding, SiteFeatures};
use url::Url; use url::Url;
/// Random site configuration we don't now where to put yet. /// Random site configuration we don't now where to put yet.
#[allow(clippy::struct_excessive_bools)]
#[derive(Debug, Clone)] #[derive(Debug, Clone)]
pub struct SiteConfig { pub struct SiteConfig {
pub access_token_ttl: Duration, pub access_token_ttl: Duration,
@@ -27,6 +28,9 @@ pub struct SiteConfig {
pub imprint: Option<String>, pub imprint: Option<String>,
pub password_login_enabled: bool, pub password_login_enabled: bool,
pub password_registration_enabled: bool, pub password_registration_enabled: bool,
pub email_change_allowed: bool,
pub displayname_change_allowed: bool,
pub password_change_allowed: bool,
} }
impl SiteConfig { impl SiteConfig {
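Review bot: The three new SiteConfig fields have no doc comments, while their ExperimentalConfig counterparts do, and for `password_change_allowed` the meaning differs subtly: the SiteConfig value is already masked by whether password login is enabled (see `password_config.enabled() && experimental_config.password_change_allowed` in the first file section), so a handler should not re-check password login before trusting it. Suggest `/// Whether users may change their email address.`, `/// Whether users may change their display name.` and `/// Whether users may change their password; already false when password login is disabled.` on the respective fields. The `#[allow(clippy::struct_excessive_bools)]` is fine for now, but it is the usual signal that these capability flags could become a small `UserCapabilities` struct once a handler consumes them.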


@@ -129,6 +129,9 @@ pub fn test_site_config() -> SiteConfig {
imprint: None, imprint: None,
password_login_enabled: true, password_login_enabled: true,
password_registration_enabled: true, password_registration_enabled: true,
email_change_allowed: true,
displayname_change_allowed: true,
password_change_allowed: true,
} }
} }


@@ -1970,6 +1970,18 @@
"password_registration_enabled": { "password_registration_enabled": {
"description": "Whether to enable self-service password registration. Defaults to `true` if password authentication is enabled.", "description": "Whether to enable self-service password registration. Defaults to `true` if password authentication is enabled.",
"type": "boolean" "type": "boolean"
},
"email_change_allowed": {
"description": "Whether users are allowed to change their email addresses. Defaults to `true`.",
"type": "boolean"
},
"displayname_change_allowed": {
"description": "Whether users are allowed to change their display names. Defaults to `true`.",
"type": "boolean"
},
"password_change_allowed": {
"description": "Whether users are allowed to change their passwords. Defaults to `true`.",
"type": "boolean"
} }
} }
} }