Upgrade Synapse (1.30.1 -> 1.31.0)

roles/matrix-synapse/defaults/main.yml

@@ -15,7 +15,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.30.1
+matrix_synapse_version: v1.31.0
 matrix_synapse_version_arm64: v1.30.1
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -869,10 +869,10 @@ rc_admin_redaction: {{ matrix_synapse_rc_admin_redaction|to_json }}
 #rc_joins:
 #  local:
 #    per_second: 0.1
-#    burst_count: 3
+#    burst_count: 10
 #  remote:
 #    per_second: 0.01
-#    burst_count: 3
+#    burst_count: 10
 rc_joins: {{ matrix_synapse_rc_joins|to_json }}
 #
 #rc_3pid_validation:
@@ -1772,6 +1772,9 @@ saml2_config:
 #       Note that, if this is changed, users authenticating via that provider
 #       will no longer be recognised as the same user!
 #
+#       (Use "oidc" here if you are migrating from an old "oidc_config"
+#       configuration.)
+#
 #   idp_name: A user-facing name for this identity provider, which is used to
 #       offer the user a choice of login mechanisms.
 #
@@ -1887,6 +1890,24 @@ saml2_config:
 #           which is set to the claims returned by the UserInfo Endpoint and/or
 #           in the ID Token.
 #
+#   It is possible to configure Synapse to only allow logins if certain attributes
+#   match particular values in the OIDC userinfo. The requirements can be listed under
+#   `attribute_requirements` as shown below. All of the listed attributes must
+#   match for the login to be permitted. Additional attributes can be added to
+#   userinfo by expanding the `scopes` section of the OIDC config to retrieve
+#   additional information from the OIDC provider.
+#
+#   If the OIDC claim is a list, then the attribute must match any value in the list.
+#   Otherwise, it must exactly match the value of the claim. Using the example
+#   below, the `family_name` claim MUST be "Stephensson", but the `groups`
+#   claim MUST contain "admin".
+#
+#   attribute_requirements:
+#     - attribute: family_name
+#       value: "Stephensson"
+#     - attribute: groups
+#       value: "admin"
+#
 # See https://github.com/matrix-org/synapse/blob/master/docs/openid.md
 # for information on how to configure these options.
 #
@@ -1918,34 +1939,9 @@ oidc_providers:
   #      localpart_template: "{% raw %}{{ user.login }}{% endraw %}"
   #      display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
   #      email_template: "{% raw %}{{ user.email }}{% endraw %}"
-
-  # For use with Keycloak
-  #
-  #- idp_id: keycloak
-  #  idp_name: Keycloak
-  #  issuer: "https://127.0.0.1:8443/auth/realms/my_realm_name"
-  #  client_id: "synapse"
-  #  client_secret: "copy secret generated in Keycloak UI"
-  #  scopes: ["openid", "profile"]
-
-  # For use with Github
-  #
-  #- idp_id: github
-  #  idp_name: Github
-  #  idp_brand: github
-  #  discover: false
-  #  issuer: "https://github.com/"
-  #  client_id: "your-client-id" # TO BE FILLED
-  #  client_secret: "your-client-secret" # TO BE FILLED
-  #  authorization_endpoint: "https://github.com/login/oauth/authorize"
-  #  token_endpoint: "https://github.com/login/oauth/access_token"
-  #  userinfo_endpoint: "https://api.github.com/user"
-  #  scopes: ["read:user"]
-  #  user_mapping_provider:
-  #    config:
-  #      subject_claim: "id"
-  #      localpart_template: "{% raw %}{{ user.login }}{% endraw %}"
-  #      display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
+  #  attribute_requirements:
+  #    - attribute: userGroup
+  #      value: "synapseUsers"
 
 
 # Enable Central Authentication Service (CAS) for registration and login.

roles/matrix-synapse/vars/workers.yml

@@ -55,9 +55,6 @@ matrix_synapse_workers_generic_worker_endpoints:
   # Registration/login requests
   - ^/_matrix/client/(api/v1|r0|unstable)/login$
   - ^/_matrix/client/(r0|unstable)/register$
-  # FIXME: possible bug with SSO and multiple generic workers
-  # see https://github.com/matrix-org/synapse/issues/7530
-  # ^/_matrix/client/(r0|unstable)/auth/.*/fallback/web$
 
   # Event sending requests
   - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/redact
@@ -107,7 +104,7 @@ matrix_synapse_workers_generic_worker_endpoints:
 
   # Ensure that all SSO logins go to a single process.
   # For multiple workers not handling the SSO endpoints properly, see
-  # [#7530](https://github.com/matrix-org/synapse/issues/7530) and 
+  # [#7530](https://github.com/matrix-org/synapse/issues/7530) and
   # [#9427](https://github.com/matrix-org/synapse/issues/9427).
 
   # Note that a HTTP listener with `client` and `federation` resources must be