From 9fa253b8af9640e39dc7026e5bdc400b98c0b8e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Grimpard?=
Date: Wed, 21 Jun 2023 15:19:51 +0200
Subject: [PATCH 01/10] Update cas.py Manage configuration for CAS protocol version.
---
synapse/config/cas.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/synapse/config/cas.py b/synapse/config/cas.py
index 9152c06bd6fe..00fed93a227e 100644
--- a/synapse/config/cas.py
+++ b/synapse/config/cas.py
@@ -41,6 +41,7 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None:
public_baseurl = self.root.server.public_baseurl
self.cas_service_url = public_baseurl + "_matrix/client/r0/login/cas/ticket"
+ self.cas_protocol_version = cas_config.get("protocol_version")
self.cas_displayname_attribute = cas_config.get("displayname_attribute")
required_attributes = cas_config.get("required_attributes") or {}
self.cas_required_attributes = _parsed_required_attributes_def(
@@ -50,6 +51,7 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None:
else:
self.cas_server_url = None
self.cas_service_url = None
+ self.cas_protocol_version = None
self.cas_displayname_attribute = None
self.cas_required_attributes = []
From e04ede797634f45109ecdeb414a8fc3960967507 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Grimpard?=
Date: Wed, 21 Jun 2023 15:21:20 +0200
Subject: [PATCH 02/10] Update cas.py Manage configuration for CAS protocol version.
---
synapse/handlers/cas.py | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/synapse/handlers/cas.py b/synapse/handlers/cas.py
index fc467bc7c13e..e5ad825126c3 100644
--- a/synapse/handlers/cas.py
+++ b/synapse/handlers/cas.py
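Review bot: `self.cas_protocol_version` is stored here with no link to `required_attributes`, although the documentation hunk later in this series states that version 3 is required for `required_attributes` to work; a deployment that lists `required_attributes` but leaves `protocol_version` unset will presumably be rejected at every CAS login with nothing in the config check pointing at the cause. After `self.cas_required_attributes = _parsed_required_attributes_def(...)` I would add `if self.cas_required_attributes and self.cas_protocol_version != 3:` followed by `raise ConfigError("required_attributes needs cas_config.protocol_version: 3", ("cas_config", "protocol_version"))`. Whether some CAS servers release attributes on the plain `/proxyValidate` endpoint I cannot tell from this hunk, so a logged warning is the alternative if that is a supported setup. `read_config` starts and ends outside this hunk.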
@@ -67,6 +67,7 @@ def __init__(self, hs: "HomeServer"):
self._cas_server_url = hs.config.cas.cas_server_url
self._cas_service_url = hs.config.cas.cas_service_url
+ self._cas_protocol_version = hs.config.cas.cas_protocol_version
self._cas_displayname_attribute = hs.config.cas.cas_displayname_attribute
self._cas_required_attributes = hs.config.cas.cas_required_attributes
@@ -120,7 +121,10 @@ async def _validate_ticket(
Returns:
The parsed CAS response.
"""
- uri = self._cas_server_url + "/proxyValidate"
+ if self._cas_protocol_version == 3:
+ uri = self._cas_server_url + "/p3/proxyValidate"
+ else:
+ uri = self._cas_server_url + "/proxyValidate"
args = {
"ticket": ticket,
"service": self._build_service_param(service_args),
From f3d22cc043fba0ff16ff47b6cc29b6f3fad36bbd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Grimpard?=
Date: Wed, 21 Jun 2023 15:25:33 +0200
Subject: [PATCH 03/10] Create 15807.feature
---
changelog.d/15807.feature | 1 +
1 file changed, 1 insertion(+)
create mode 100644 changelog.d/15807.feature
diff --git a/changelog.d/15807.feature b/changelog.d/15807.feature
new file mode 100644
index 000000000000..0812c8759224
--- /dev/null
+++ b/changelog.d/15807.feature
@@ -0,0 +1 @@
+Add configuration setting for CAS protocol version. Contributed by Aurélien Grimpard
From eb0a7abb0971372089ae70cba2d0abe12d2ee888 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Grimpard?=
Date: Wed, 21 Jun 2023 15:40:54 +0200
Subject: [PATCH 04/10] Update config_documentation.md Update documentation
---
docs/usage/configuration/config_documentation.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md
index 26d7c7900cbe..743ab3233cf1 100644
--- a/docs/usage/configuration/config_documentation.md
+++ b/docs/usage/configuration/config_documentation.md
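Review bot: The new branch in `_validate_ticket` only distinguishes `== 3`, so `None`, `1`, `2` and any other value all fall through to the CAS 2 `/proxyValidate` endpoint, and the docstring just above the change still says nothing about which endpoint is used. I would add to the docstring `Validates against /p3/proxyValidate when protocol_version is 3 and against the CAS 2 /proxyValidate endpoint otherwise (CAS 1, whose /validate endpoint returns plain text, is not implemented here).` — the CAS 1 detail comes from the protocol spec rather than this hunk, so confirm it before wording it that way. Since the version is fixed at construction, the path could also be chosen once in `__init__` (`self._cas_validate_path = "/p3/proxyValidate" if self._cas_protocol_version == 3 else "/proxyValidate"`) leaving a single `uri = self._cas_server_url + self._cas_validate_path` here; note the concatenation still assumes `server_url` carries no trailing slash, which this change neither introduces nor fixes. `_validate_ticket` starts outside this hunk.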
@@ -3337,6 +3337,7 @@ Has the following sub-options:
* `enabled`: Set this to true to enable authorization against a CAS server. Defaults to false.
* `server_url`: The URL of the CAS authorization endpoint.
+* `protocol_version`: The CAS protocol version, defaults to none (version 3 is required if you want to use "required_attributes").
* `displayname_attribute`: The attribute of the CAS response to use as the display name. If no name is given here, no displayname will be set.
* `required_attributes`: It is possible to configure Synapse to only allow logins if CAS attributes
@@ -3350,6 +3351,7 @@ Example configuration:
cas_config:
enabled: true
server_url: "https://cas-server.com"
+ protocol_version: 3
displayname_attribute: name
required_attributes:
userGroup: "staff"
From 62ab53a43a3e3dfd0bbe2679eb8e0c9d70d8c8c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Grimpard?=
Date: Wed, 21 Jun 2023 17:48:29 +0200
Subject: [PATCH 05/10] Update 15807.feature Add end dot
---
changelog.d/15807.feature | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/changelog.d/15807.feature b/changelog.d/15807.feature
index 0812c8759224..9248dd6792cc 100644
--- a/changelog.d/15807.feature
+++ b/changelog.d/15807.feature
@@ -1 +1 @@
-Add configuration setting for CAS protocol version. Contributed by Aurélien Grimpard
+Add configuration setting for CAS protocol version. Contributed by Aurélien Grimpard.
From 8b5158520c9bbc97d9fdb69cf4296d86b0fc2fb0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Grimpard?=
Date: Thu, 22 Jun 2023 14:41:14 +0200
Subject: [PATCH 06/10] Rename 15807.feature to 15816.feature (issuer to PR)
---
changelog.d/{15807.feature => 15816.feature} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename changelog.d/{15807.feature => 15816.feature} (100%)
diff --git a/changelog.d/15807.feature b/changelog.d/15816.feature
similarity index 100%
rename from changelog.d/15807.feature
rename to changelog.d/15816.feature
From f0794623d727b99c662a441182da7811c3d189df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Grimpard?=
Date: Thu, 24 Aug 2023 16:41:43 +0200
Subject: [PATCH 07/10] Handle CAS protocol version 1, 2 and 3 else it raise an error
Co-authored-by: Eric Eastwood
---
synapse/config/cas.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/synapse/config/cas.py b/synapse/config/cas.py
index 00fed93a227e..3e2d4528beeb 100644
--- a/synapse/config/cas.py
+++ b/synapse/config/cas.py
@@ -42,6 +42,12 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None:
self.cas_service_url = public_baseurl + "_matrix/client/r0/login/cas/ticket"
self.cas_protocol_version = cas_config.get("protocol_version")
+ if self.cas_protocol_version not in [1, 2, 3]:
+ raise ConfigError(
+ "Unsupported CAS protocol version %s (only versions 1, 2, 3 are supported)"
+ % (self.cas_protocol_version,),
+ ("cas_config", "protocol_version"),
+ )
self.cas_displayname_attribute = cas_config.get("displayname_attribute")
required_attributes = cas_config.get("required_attributes") or {}
self.cas_required_attributes = _parsed_required_attributes_def(
From f806669234257fb3d989fff2992424eccb5153ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Grimpard?=
Date: Thu, 24 Aug 2023 16:51:25 +0200
Subject: [PATCH 08/10] Handle default CAS protocol version "none"
Co-authored-by: Patrick Cloke
---
synapse/config/cas.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/synapse/config/cas.py b/synapse/config/cas.py
index 67747ff9e8d6..d273a378748d 100644
--- a/synapse/config/cas.py
+++ b/synapse/config/cas.py
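Review bot: The accepted set `[1, 2, 3]` is wider than what the handler hunk earlier in this series implements — only `3` changes the validation endpoint, so `protocol_version: 1` passes this check and then silently behaves as version 2. Unless CAS 1 (`/validate`, plain-text response) is actually implemented, I would drop `1` from the list and from the error text, or state in the config docs that 1 and 2 are handled identically. Separately, `bool` is an `int` subclass, so `True in [1, 2, 3]` holds and a YAML `protocol_version: true` is accepted as version 1; `v = self.cas_protocol_version` then `if isinstance(v, bool) or (v is not None and v not in (1, 2, 3)):` closes that while keeping the `None` allowance the series adds two patches later. `read_config` starts and ends outside this hunk.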
@@ -42,7 +42,7 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None:
self.cas_service_url = public_baseurl + "_matrix/client/r0/login/cas/ticket"
self.cas_protocol_version = cas_config.get("protocol_version")
- if self.cas_protocol_version not in [1, 2, 3]:
+ if self.cas_protocol_version is not None and self.cas_protocol_version not in [1, 2, 3]:
raise ConfigError(
"Unsupported CAS protocol version %s (only versions 1, 2, 3 are supported)"
% (self.cas_protocol_version,),
From 02acd2bb7975ee392deb7d2a45ca48580482602c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Grimpard?=
Date: Thu, 24 Aug 2023 17:02:44 +0200
Subject: [PATCH 09/10] Import ConfigError since we eventually raise error
---
synapse/config/cas.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/synapse/config/cas.py b/synapse/config/cas.py
index d273a378748d..c636a34e0a30 100644
--- a/synapse/config/cas.py
+++ b/synapse/config/cas.py
@@ -18,7 +18,7 @@ from synapse.config.sso import SsoAttributeRequirement
from synapse.types import JsonDict
-from ._base import Config
+from ._base import Config, ConfigError
from ._util import validate_config
From d2f271bad82490d5a6aac92b07674460a7edc3d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Grimpard?=
Date: Thu, 24 Aug 2023 17:14:48 +0200
Subject: [PATCH 10/10] lint !
---
synapse/config/cas.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/synapse/config/cas.py b/synapse/config/cas.py
index c636a34e0a30..6e2d9addbf4c 100644
--- a/synapse/config/cas.py
+++ b/synapse/config/cas.py
@@ -42,7 +42,10 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None:
self.cas_service_url = public_baseurl + "_matrix/client/r0/login/cas/ticket"
self.cas_protocol_version = cas_config.get("protocol_version")
- if self.cas_protocol_version is not None and self.cas_protocol_version not in [1, 2, 3]:
+ if (
+ self.cas_protocol_version is not None
+ and self.cas_protocol_version not in [1, 2, 3]
+ ):
raise ConfigError(
"Unsupported CAS protocol version %s (only versions 1, 2, 3 are supported)"
% (self.cas_protocol_version,),