From b930e91728a91630964a88e8168ff59b8a5bd545 Mon Sep 17 00:00:00 2001
From: Jens Sandmann <jens@sandzwerg.de>
Date: Sat, 17 Oct 2020 20:39:25 +0200
Subject: [PATCH] synapse: mount the file instead of building the container

---
 webserver/docker_matrix/tasks/main.yml        |   7 +-
 webserver/docker_matrix/templates/README      |   1 +
 .../templates/docker-compose.yml              |  18 +-
 .../templates/rest_auth_provider.py           | 217 ++++++++++++++++++
 4 files changed, 231 insertions(+), 12 deletions(-)
 create mode 100644 webserver/docker_matrix/templates/README
 create mode 100644 webserver/docker_matrix/templates/rest_auth_provider.py

diff --git a/webserver/docker_matrix/tasks/main.yml b/webserver/docker_matrix/tasks/main.yml
index 6d58730c..d5bd8b72 100644
--- a/webserver/docker_matrix/tasks/main.yml
+++ b/webserver/docker_matrix/tasks/main.yml
@@ -8,7 +8,7 @@
 
 
 - name: create folder struct for matrix
-  file: 
+  file:
     path: "{{ item }}"
     state: "directory"
     owner: www-data
@@ -21,11 +21,12 @@
     - "/srv/matrix/synapse-data/"
 
 
-- name: Konfig-Dateien erstellen 
+- name: Konfig-Dateien erstellen
   template: src={{ item }} dest=/srv/matrix/{{ item }}
-  with_items: 
+  with_items:
     - Dockerfile
     - docker-compose.yml
+    - rest_auth_provider.py
     - mxisd-config/mxisd.yaml
     - synapse-data/homeserver.log.config
     - synapse-data/homeserver.yaml
diff --git a/webserver/docker_matrix/templates/README b/webserver/docker_matrix/templates/README
new file mode 100644
index 00000000..cbf322fa
--- /dev/null
+++ b/webserver/docker_matrix/templates/README
@@ -0,0 +1 @@
+the rest-auth_provider is from https://githubcom/ma1uta/matrix-synapse-rest-password-provider/
diff --git a/webserver/docker_matrix/templates/docker-compose.yml b/webserver/docker_matrix/templates/docker-compose.yml
index 513a495b..552a39ba 100644
--- a/webserver/docker_matrix/templates/docker-compose.yml
+++ b/webserver/docker_matrix/templates/docker-compose.yml
@@ -11,13 +11,12 @@ services:
     environment:
       POSTGRES_DB: synapse
       POSTGRES_USER: synapse
-      POSTGRES_PASSWORD: {{ postgres_user_pass }} 
+      POSTGRES_PASSWORD: "{{ postgres_user_pass }}"
       POSTGRES_INITDB_ARGS: --encoding=UTF-8 --lc-collate=C --lc-ctype=C
 
   synapse:
 
-    build: .
-    image: "synapse--{{ ansible_date_time.date }}--{{ ansible_date_time.hour }}-{{ ansible_date_time.minute }}-{{ ansible_date_time.second }}"
+    image: matrixdotorg/synapse:v1.12.4-py3
     restart: always
     depends_on:
       - db
@@ -26,18 +25,19 @@ services:
       - 127.0.0.1:18008:8008
       - 127.0.0.1:18448:8448
     volumes:
-      - /srv/matrix/synapse-data/:/data      
+      - /srv/matrix/synapse-data/:/data
+      # Python version can be found in the dockerfile: https://hub.docker.com/r/matrixdotorg/synapse/dockerfile
+      - /srv/matrix/rest_auth_provider.py:/usr/local/lib/python3.7/site-packages/rest_auth_provider.py
     environment:
-      SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" 
+      SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
 
   mxisd:
-    
+
     # TODO: Migrate to https://github.com/ma1uta/ma1sd
     image: kamax/mxisd:1.4.6
     restart: always
     ports:
       - 127.0.0.1:18090:8090
     volumes:
-      - /srv/matrix/mxisd-config/:/etc/mxisd 
-      - /srv/matrix/mxisd-data/:/var/mxisd 
-
+      - /srv/matrix/mxisd-config/:/etc/mxisd
+      - /srv/matrix/mxisd-data/:/var/mxisd
diff --git a/webserver/docker_matrix/templates/rest_auth_provider.py b/webserver/docker_matrix/templates/rest_auth_provider.py
new file mode 100644
index 00000000..5f6f583a
--- /dev/null
+++ b/webserver/docker_matrix/templates/rest_auth_provider.py
@@ -0,0 +1,217 @@
+# -*- coding: utf-8 -*-
+#
+# REST endpoint Authentication module for Matrix synapse
+# Copyright (C) 2017 Kamax Sarl
+#
+# https://www.kamax.io/
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import logging
+from twisted.internet import defer
+import requests
+import json
+import time
+
+logger = logging.getLogger(__name__)
+
+
+class RestAuthProvider(object):
+
+    def __init__(self, config, account_handler):
+        self.account_handler = account_handler
+
+        if not config.endpoint:
+            raise RuntimeError('Missing endpoint config')
+
+        self.endpoint = config.endpoint
+        self.regLower = config.regLower
+        self.config = config
+
+        logger.info('Endpoint: %s', self.endpoint)
+        logger.info('Enforce lowercase username during registration: %s', self.regLower)
+
+    @defer.inlineCallbacks
+    def check_password(self, user_id, password):
+        logger.info("Got password check for " + user_id)
+        data = {'user': {'id': user_id, 'password': password}}
+        r = requests.post(self.endpoint + '/_matrix-internal/identity/v1/check_credentials', json=data)
+        r.raise_for_status()
+        r = r.json()
+        if not r["auth"]:
+            reason = "Invalid JSON data returned from REST endpoint"
+            logger.warning(reason)
+            raise RuntimeError(reason)
+
+        auth = r["auth"]
+        if not auth["success"]:
+            logger.info("User not authenticated")
+            defer.returnValue(False)
+
+        localpart = user_id.split(":", 1)[0][1:]
+        logger.info("User %s authenticated", user_id)
+
+        registration = False
+        if not (yield self.account_handler.check_user_exists(user_id)):
+            logger.info("User %s does not exist yet, creating...", user_id)
+
+            if localpart != localpart.lower() and self.regLower:
+                logger.info('User %s was cannot be created due to username lowercase policy', localpart)
+                defer.returnValue(False)
+
+            user_id, access_token = (yield self.account_handler.register(localpart=localpart))
+            registration = True
+            logger.info("Registration based on REST data was successful for %s", user_id)
+        else:
+            logger.info("User %s already exists, registration skipped", user_id)
+
+        if auth["profile"]:
+            logger.info("Handling profile data")
+            profile = auth["profile"]
+
+            # fixme: temporary fix
+            try:
+                store = yield self.account_handler._hs.get_profile_handler().store  # for synapse >= 1.9.0
+            except AttributeError:
+                store = yield self.account_handler.hs.get_profile_handler().store   # for synapse < 1.9.0
+
+            if "display_name" in profile and ((registration and self.config.setNameOnRegister) or (self.config.setNameOnLogin)):
+                display_name = profile["display_name"]
+                logger.info("Setting display name to '%s' based on profile data", display_name)
+                yield store.set_profile_displayname(localpart, display_name)
+            else:
+                logger.info("Display name was not set because it was not given or policy restricted it")
+
+            if (self.config.updateThreepid):
+                if "three_pids" in profile:
+                    logger.info("Handling 3PIDs")
+
+                    external_3pids = []
+                    for threepid in profile["three_pids"]:
+                        medium = threepid["medium"].lower()
+                        address = threepid["address"].lower()
+                        external_3pids.append({"medium": medium, "address": address})
+                        logger.info("Looking for 3PID %s:%s in user profile", medium, address)
+
+                        validated_at = time_msec()
+                        if not (yield store.get_user_id_by_threepid(medium, address)):
+                            logger.info("3PID is not present, adding")
+                            yield store.user_add_threepid(
+                                user_id,
+                                medium,
+                                address,
+                                validated_at,
+                                validated_at
+                            )
+                        else:
+                            logger.info("3PID is present, skipping")
+
+                    if (self.config.replaceThreepid):
+                        for threepid in (yield store.user_get_threepids(user_id)):
+                            medium = threepid["medium"].lower()
+                            address = threepid["address"].lower()
+                            if {"medium": medium, "address": address} not in external_3pids:
+                                logger.info("3PID is not present in external datastore, deleting")
+                                yield store.user_delete_threepid(
+                                    user_id,
+                                    medium,
+                                    address
+                                )
+
+            else:
+                logger.info("3PIDs were not updated due to policy")
+        else:
+            logger.info("No profile data")
+
+        defer.returnValue(True)
+
+    @staticmethod
+    def parse_config(config):
+        # verify config sanity
+        _require_keys(config, ["endpoint"])
+
+        class _RestConfig(object):
+            endpoint = ''
+            regLower = True
+            setNameOnRegister = True
+            setNameOnLogin = False
+            updateThreepid = True
+            replaceThreepid = False
+
+        rest_config = _RestConfig()
+        rest_config.endpoint = config["endpoint"]
+
+        try:
+            rest_config.regLower = config['policy']['registration']['username']['enforceLowercase']
+        except TypeError:
+            # we don't care
+            pass
+        except KeyError:
+            # we don't care
+            pass
+
+        try:
+            rest_config.setNameOnRegister = config['policy']['registration']['profile']['name']
+        except TypeError:
+            # we don't care
+            pass
+        except KeyError:
+            # we don't care
+            pass
+
+        try:
+            rest_config.setNameOnLogin = config['policy']['login']['profile']['name']
+        except TypeError:
+            # we don't care
+            pass
+        except KeyError:
+            # we don't care
+            pass
+
+        try:
+            rest_config.updateThreepid = config['policy']['all']['threepid']['update']
+        except TypeError:
+            # we don't care
+            pass
+        except KeyError:
+            # we don't care
+            pass
+
+        try:
+            rest_config.replaceThreepid = config['policy']['all']['threepid']['replace']
+        except TypeError:
+            # we don't care
+            pass
+        except KeyError:
+            # we don't care
+            pass
+
+        return rest_config
+
+
+def _require_keys(config, required):
+    missing = [key for key in required if key not in config]
+    if missing:
+        raise Exception(
+            "REST Auth enabled but missing required config values: {}".format(
+                ", ".join(missing)
+            )
+        )
+
+
+def time_msec():
+    """Get the current timestamp in milliseconds
+    """
+    return int(time.time() * 1000)
-- 
GitLab