Added possibilty to disable local password authentication (#5092)

dhoffend · richvdh · commit 9646a593ac55 · 2019-06-27T18:37:29.000+01:00
Signed-off-by: Daniel Hoffend &lt;dh@dotlan.net&gt;
diff --git a/changelog.d/5092.feature b/changelog.d/5092.feature
@@ -0,0 +1 @@
+Added possibilty to disable local password authentication. Contributed by Daniel Hoffend.
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
@@ -1046,6 +1046,12 @@ password_config:
    #
    #enabled: false
 
+   # Uncomment to disable authentication against the local password
+   # database. This is ignored if `enabled` is false, and is only useful
+   # if you have other password_providers.
+   #
+   #localdb_enabled: false
+
    # Uncomment and change to a secret random string for extra security.
    # DO NOT CHANGE THIS AFTER INITIAL SETUP!
    #
diff --git a/synapse/config/password.py b/synapse/config/password.py
@@ -26,6 +26,7 @@ def read_config(self, config, **kwargs):
             password_config = {}
 
         self.password_enabled = password_config.get("enabled", True)
+        self.password_localdb_enabled = password_config.get("localdb_enabled", True)
         self.password_pepper = password_config.get("pepper", "")
 
     def generate_config_section(self, config_dir_path, server_name, **kwargs):
@@ -35,6 +36,12 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
            #
            #enabled: false
 
+           # Uncomment to disable authentication against the local password
+           # database. This is ignored if `enabled` is false, and is only useful
+           # if you have other password_providers.
+           #
+           #localdb_enabled: false
+
            # Uncomment and change to a secret random string for extra security.
            # DO NOT CHANGE THIS AFTER INITIAL SETUP!
            #
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
@@ -743,7 +743,7 @@ def validate_login(self, username, login_submission):
                     result = (result, None)
                 defer.returnValue(result)
 
-        if login_type == LoginType.PASSWORD:
+        if login_type == LoginType.PASSWORD and self.hs.config.password_localdb_enabled:
             known_login_type = True
 
             canonical_user_id = yield self._check_local_password(
diff --git a/synapse/handlers/set_password.py b/synapse/handlers/set_password.py
@@ -33,6 +33,9 @@ def __init__(self, hs):
 
     @defer.inlineCallbacks
     def set_password(self, user_id, newpassword, requester=None):
+        if not self.hs.config.password_localdb_enabled:
+            raise SynapseError(403, "Password change disabled", errcode=Codes.FORBIDDEN)
+
         password_hash = yield self._auth_handler.hash(newpassword)
 
         except_device_id = requester.device_id if requester else None

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Added possibilty to disable local password authentication. Contributed by Daniel Hoffend.`
Original file line number	Diff line number	Diff line change
`@@ -1046,6 +1046,12 @@ password_config:`
`1046`	`1046`	`#`
`1047`	`1047`	`#enabled: false`
`1048`	`1048`
	`1049`	`+ # Uncomment to disable authentication against the local password`
	`1050`	+ # database. This is ignored if `enabled` is false, and is only useful
	`1051`	`+ # if you have other password_providers.`
	`1052`	`+ #`
	`1053`	`+ #localdb_enabled: false`
	`1054`	`+`
`1049`	`1055`	`# Uncomment and change to a secret random string for extra security.`
`1050`	`1056`	`# DO NOT CHANGE THIS AFTER INITIAL SETUP!`
`1051`	`1057`	`#`