Merge branch 'quenting/hotfix-delegated-auth-admin' of https://github…

….com/matrix-org/synapse into quenting/hotfix-delegated-auth-admin

.ci/scripts/calculate_jobs.py

@@ -47,10 +47,9 @@ def set_output(key: str, value: str):
             "database": "sqlite",
             "extras": "all",
         }
-        for version in ("3.9", "3.10", "3.11")
+        for version in ("3.9", "3.10", "3.11", "3.12.0-rc.1")
     )
 
-
 trial_postgres_tests = [
     {
         "python-version": "3.8",

.github/workflows/latest_deps.yml

@@ -57,8 +57,8 @@ jobs:
       # `pip install matrix-synapse[all]` as closely as possible.
       - run: poetry update --no-dev
       - run: poetry run pip list > after.txt && (diff -u before.txt after.txt || true)
-      - name: Remove warn_unused_ignores from mypy config
-        run: sed '/warn_unused_ignores = True/d' -i mypy.ini
+      - name: Remove unhelpful options from mypy config
+        run: sed -e '/warn_unused_ignores = True/d' -e '/warn_redundant_casts = True/d' -i mypy.ini
       - run: poetry run mypy
   trial:
     needs: check_repo

.github/workflows/twisted_trunk.yml

@@ -54,8 +54,8 @@ jobs:
           poetry remove twisted
           poetry add --extras tls git+https://github.com/twisted/twisted.git#${{ inputs.twisted_ref || 'trunk' }}
           poetry install --no-interaction --extras "all test"
-      - name: Remove warn_unused_ignores from mypy config
-        run: sed '/warn_unused_ignores = True/d' -i mypy.ini
+      - name: Remove unhelpful options from mypy config
+        run: sed -e '/warn_unused_ignores = True/d' -e '/warn_redundant_casts = True/d' -i mypy.ini
       - run: poetry run mypy
 
   trial:

changelog.d/15816.feature

@@ -0,0 +1 @@
+Add configuration setting for CAS protocol version. Contributed by Aurélien Grimpard.

changelog.d/16008.doc

@@ -0,0 +1 @@
+Update links to the matrix.org blog.

changelog.d/16099.misc

@@ -0,0 +1 @@
+Prepare unit tests for Python 3.12.

changelog.d/16113.feature

@@ -0,0 +1 @@
+Suppress notifications from message edits per [MSC3958](https://github.com/matrix-org/matrix-spec-proposals/pull/3958).

changelog.d/16121.misc

@@ -0,0 +1 @@
+Attempt to fix the twisted trunk job.

changelog.d/16135.misc

@@ -0,0 +1 @@
+Describe which rate limiter was hit in logs.

changelog.d/16136.feature

@@ -0,0 +1 @@
+Return a `Retry-After` with `M_LIMIT_EXCEEDED` error responses.

changelog.d/16155.bugfix

@@ -0,0 +1 @@
+Fix IPv6-related bugs on SMTP settings, adding groundwork to fix similar issues. Contributed by @evilham and @telmich (ungleich.ch).

changelog.d/16168.doc

@@ -0,0 +1 @@
+Document which admin APIs are disabled when experimental [MSC3861](https://github.com/matrix-org/matrix-spec-proposals/pull/3861) support is enabled.

changelog.d/16170.misc

@@ -0,0 +1 @@
+Simplify presence code when using workers.

changelog.d/16171.misc

@@ -0,0 +1 @@
+Track per-device information in the presence code.

changelog.d/16172.misc

@@ -0,0 +1 @@
+Track per-device information in the presence code.

changelog.d/16175.misc

@@ -0,0 +1 @@
+Stop using the `event_txn_id` table.

changelog.d/16178.doc

@@ -0,0 +1 @@
+Document `exclude_rooms_from_sync` configuration option.

changelog.d/16179.misc

@@ -0,0 +1 @@
+Use `AsyncMock` instead of custom code.

changelog.d/16180.misc

@@ -0,0 +1 @@
+Use `AsyncMock` instead of custom code.

changelog.d/16183.misc

@@ -0,0 +1 @@
+Improve error reporting of invalid data passed to `/_matrix/key/v2/query`.

changelog.d/16184.misc

@@ -0,0 +1 @@
+Task scheduler: add replication notify for new task to launch ASAP.

changelog.d/16185.bugfix

@@ -0,0 +1 @@
+Fix a spec compliance issue where requests to the `/publicRooms` federation API would specify `include_all_networks` as a string.

changelog.d/16186.misc

@@ -0,0 +1 @@
+Improve type hints.

changelog.d/16187.misc

@@ -0,0 +1 @@
+Bump black version to 23.7.0.

changelog.d/16188.misc

@@ -0,0 +1 @@
+Improve type hints.

changelog.d/16201.misc

@@ -0,0 +1 @@
+Improve type hints.

changelog.d/16205.bugfix

@@ -0,0 +1 @@
+Fix inaccurate error message while attempting to ban or unban a user with the same or higher PL by spliting the conditional statements. Contributed by @leviosacz.

changelog.d/16210.bugfix

@@ -0,0 +1 @@
+Fix rare bug that broke looping calls, which could lead to e.g. linearly increasing memory usage. Introduced in v1.90.0.

changelog.d/16211.bugfix

@@ -0,0 +1 @@
+Fix a long-standing bug where uploading images would fail if we could not generate thumbnails for them.

changelog.d/16212.misc

@@ -0,0 +1 @@
+Log the details of background update failures.

changelog.d/16213.misc

@@ -0,0 +1 @@
+Fix the latest-deps CI job.

changelog.d/16220.bugfix

@@ -0,0 +1 @@
+Fix a performance regression introduced in Synapse 1.91.0 where event persistence would cause excessive CPU usage over time.

changelog.d/16241.misc

@@ -0,0 +1 @@
+Cache device resync requests over replication.

docs/admin_api/account_validity.md

@@ -1,5 +1,7 @@
 # Account validity API
 
+**Note:** This API is disabled when MSC3861 is enabled. [See #15582](https://github.com/matrix-org/synapse/pull/15582)
+
 This API allows a server administrator to manage the validity of an account. To
 use it, you must enable the account validity feature (under
 `account_validity`) in Synapse's configuration.

docs/admin_api/register_api.md

@@ -1,5 +1,7 @@
 # Shared-Secret Registration
 
+**Note:** This API is disabled when MSC3861 is enabled. [See #15582](https://github.com/matrix-org/synapse/pull/15582)
+
 This API allows for the creation of users in an administrative and
 non-interactive way. This is generally used for bootstrapping a Synapse
 instance with administrator accounts.

docs/admin_api/user_admin_api.md

@@ -218,7 +218,7 @@ The following parameters should be set in the URL:
 - `name` - Is optional and filters to only return users with user ID localparts
   **or** displaynames that contain this value.
 - `guests` - string representing a bool - Is optional and if `false` will **exclude** guest users.
-  Defaults to `true` to include guest users.
+  Defaults to `true` to include guest users. This parameter is not supported when MSC3861 is enabled. [See #15582](https://github.com/matrix-org/synapse/pull/15582)
 - `admins` - Optional flag to filter admins. If `true`, only admins are queried. If `false`, admins are excluded from 
   the query. When the flag is absent (the default), **both** admins and non-admins are included in the search results.
 - `deactivated` - string representing a bool - Is optional and if `true` will **include** deactivated users.
@@ -390,6 +390,8 @@ The following actions are **NOT** performed. The list may be incomplete.
 
 ## Reset password
 
+**Note:** This API is disabled when MSC3861 is enabled. [See #15582](https://github.com/matrix-org/synapse/pull/15582)
+
 Changes the password of another user. This will automatically log the user out of all their devices.
 
 The api is:
@@ -413,6 +415,8 @@ The parameter `logout_devices` is optional and defaults to `true`.
 
 ## Get whether a user is a server administrator or not
 
+**Note:** This API is disabled when MSC3861 is enabled. [See #15582](https://github.com/matrix-org/synapse/pull/15582)
+
 The api is:
 
 ```
@@ -430,6 +434,8 @@ A response body like the following is returned:
 
 ## Change whether a user is a server administrator or not
 
+**Note:** This API is disabled when MSC3861 is enabled. [See #15582](https://github.com/matrix-org/synapse/pull/15582)
+
 Note that you cannot demote yourself.
 
 The api is:
@@ -723,6 +729,8 @@ delete largest/smallest or newest/oldest files first.
 
 ## Login as a user
 
+**Note:** This API is disabled when MSC3861 is enabled. [See #15582](https://github.com/matrix-org/synapse/pull/15582)
+
 Get an access token that can be used to authenticate as that user. Useful for
 when admins wish to do actions on behalf of a user.
 

docs/development/releases.md

@@ -12,7 +12,7 @@ Note that this schedule might be modified depending on the availability of the
 Synapse team, e.g. releases may be skipped to avoid holidays.
 
 Release announcements can be found in the
-[release category of the Matrix blog](https://matrix.org/blog/category/releases).
+[release category of the Matrix blog](https://matrix.org/category/releases).
 
 ## Bugfix releases
 
@@ -34,4 +34,4 @@ be held to be released together.
 
 In some cases, a pre-disclosure of a security release will be issued as a notice
 to Synapse operators that there is an upcoming security release. These can be
-found in the [security category of the Matrix blog](https://matrix.org/blog/category/security).
+found in the [security category of the Matrix blog](https://matrix.org/category/security).

docs/usage/administration/admin_api/registration_tokens.md

@@ -1,5 +1,7 @@
 # Registration Tokens
 
+**Note:** This API is disabled when MSC3861 is enabled. [See #15582](https://github.com/matrix-org/synapse/pull/15582)
+
 This API allows you to manage tokens which can be used to authenticate
 registration requests, as proposed in
 [MSC3231](https://github.com/matrix-org/matrix-doc/blob/main/proposals/3231-token-authenticated-registration.md)

docs/usage/configuration/config_documentation.md

@@ -3420,6 +3420,7 @@ Has the following sub-options:
    to style the login flow according to the identity provider in question.
    See the [spec](https://spec.matrix.org/latest/) for possible options here.
 * `server_url`: The URL of the CAS authorization endpoint.
+* `protocol_version`: The CAS protocol version, defaults to none (version 3 is required if you want to use "required_attributes").
 * `displayname_attribute`: The attribute of the CAS response to use as the display name.
    If no name is given here, no displayname will be set.
 * `required_attributes`:  It is possible to configure Synapse to only allow logins if CAS attributes
@@ -3433,6 +3434,7 @@ Example configuration:
 cas_config:
   enabled: true
   server_url: "https://cas-server.com"
+  protocol_version: 3
   displayname_attribute: name
   required_attributes:
     userGroup: "staff"
@@ -3865,6 +3867,19 @@ Example configuration:
 ```yaml
 forget_rooms_on_leave: false
 ```
+---
+### `exclude_rooms_from_sync`
+A list of rooms to exclude from sync responses. This is useful for server
+administrators wishing to group users into a room without these users being able
+to see it from their client.
+
+By default, no room is excluded.
+
+Example configuration:
+```yaml
+exclude_rooms_from_sync:
+    - !foo:example.com
+```
 
 ---
 ## Opentracing

mypy.ini

@@ -87,18 +87,9 @@ ignore_missing_imports = True
 [mypy-saml2.*]
 ignore_missing_imports = True
 
-[mypy-service_identity.*]
-ignore_missing_imports = True
-
 [mypy-srvlookup.*]
 ignore_missing_imports = True
 
 # https://github.com/twisted/treq/pull/366
 [mypy-treq.*]
 ignore_missing_imports = True
-
-[mypy-incremental.*]
-ignore_missing_imports = True
-
-[mypy-setuptools_rust.*]
-ignore_missing_imports = True