From b930e91728a91630964a88e8168ff59b8a5bd545 Mon Sep 17 00:00:00 2001 From: Jens Sandmann <jens@sandzwerg.de> Date: Sat, 17 Oct 2020 20:39:25 +0200 Subject: [PATCH] synapse: mount the file instead of building the container --- webserver/docker_matrix/tasks/main.yml | 7 +- webserver/docker_matrix/templates/README | 1 + .../templates/docker-compose.yml | 18 +- .../templates/rest_auth_provider.py | 217 ++++++++++++++++++ 4 files changed, 231 insertions(+), 12 deletions(-) create mode 100644 webserver/docker_matrix/templates/README create mode 100644 webserver/docker_matrix/templates/rest_auth_provider.py diff --git a/webserver/docker_matrix/tasks/main.yml b/webserver/docker_matrix/tasks/main.yml index 6d58730c..d5bd8b72 100644 --- a/webserver/docker_matrix/tasks/main.yml +++ b/webserver/docker_matrix/tasks/main.yml @@ -8,7 +8,7 @@ - name: create folder struct for matrix - file: + file: path: "{{ item }}" state: "directory" owner: www-data @@ -21,11 +21,12 @@ - "/srv/matrix/synapse-data/" -- name: Konfig-Dateien erstellen +- name: Konfig-Dateien erstellen template: src={{ item }} dest=/srv/matrix/{{ item }} - with_items: + with_items: - Dockerfile - docker-compose.yml + - rest_auth_provider.py - mxisd-config/mxisd.yaml - synapse-data/homeserver.log.config - synapse-data/homeserver.yaml diff --git a/webserver/docker_matrix/templates/README b/webserver/docker_matrix/templates/README new file mode 100644 index 00000000..cbf322fa --- /dev/null +++ b/webserver/docker_matrix/templates/README @@ -0,0 +1 @@ +the rest-auth_provider is from https://githubcom/ma1uta/matrix-synapse-rest-password-provider/ diff --git a/webserver/docker_matrix/templates/docker-compose.yml b/webserver/docker_matrix/templates/docker-compose.yml index 513a495b..552a39ba 100644 --- a/webserver/docker_matrix/templates/docker-compose.yml +++ b/webserver/docker_matrix/templates/docker-compose.yml @@ -11,13 +11,12 @@ services: environment: POSTGRES_DB: synapse POSTGRES_USER: synapse - POSTGRES_PASSWORD: {{ postgres_user_pass }} + POSTGRES_PASSWORD: "{{ postgres_user_pass }}" POSTGRES_INITDB_ARGS: --encoding=UTF-8 --lc-collate=C --lc-ctype=C synapse: - build: . - image: "synapse--{{ ansible_date_time.date }}--{{ ansible_date_time.hour }}-{{ ansible_date_time.minute }}-{{ ansible_date_time.second }}" + image: matrixdotorg/synapse:v1.12.4-py3 restart: always depends_on: - db @@ -26,18 +25,19 @@ services: - 127.0.0.1:18008:8008 - 127.0.0.1:18448:8448 volumes: - - /srv/matrix/synapse-data/:/data + - /srv/matrix/synapse-data/:/data + # Python version can be found in the dockerfile: https://hub.docker.com/r/matrixdotorg/synapse/dockerfile + - /srv/matrix/rest_auth_provider.py:/usr/local/lib/python3.7/site-packages/rest_auth_provider.py environment: - SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" + SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" mxisd: - + # TODO: Migrate to https://github.com/ma1uta/ma1sd image: kamax/mxisd:1.4.6 restart: always ports: - 127.0.0.1:18090:8090 volumes: - - /srv/matrix/mxisd-config/:/etc/mxisd - - /srv/matrix/mxisd-data/:/var/mxisd - + - /srv/matrix/mxisd-config/:/etc/mxisd + - /srv/matrix/mxisd-data/:/var/mxisd diff --git a/webserver/docker_matrix/templates/rest_auth_provider.py b/webserver/docker_matrix/templates/rest_auth_provider.py new file mode 100644 index 00000000..5f6f583a --- /dev/null +++ b/webserver/docker_matrix/templates/rest_auth_provider.py @@ -0,0 +1,217 @@ +# -*- coding: utf-8 -*- +# +# REST endpoint Authentication module for Matrix synapse +# Copyright (C) 2017 Kamax Sarl +# +# https://www.kamax.io/ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import logging +from twisted.internet import defer +import requests +import json +import time + +logger = logging.getLogger(__name__) + + +class RestAuthProvider(object): + + def __init__(self, config, account_handler): + self.account_handler = account_handler + + if not config.endpoint: + raise RuntimeError('Missing endpoint config') + + self.endpoint = config.endpoint + self.regLower = config.regLower + self.config = config + + logger.info('Endpoint: %s', self.endpoint) + logger.info('Enforce lowercase username during registration: %s', self.regLower) + + @defer.inlineCallbacks + def check_password(self, user_id, password): + logger.info("Got password check for " + user_id) + data = {'user': {'id': user_id, 'password': password}} + r = requests.post(self.endpoint + '/_matrix-internal/identity/v1/check_credentials', json=data) + r.raise_for_status() + r = r.json() + if not r["auth"]: + reason = "Invalid JSON data returned from REST endpoint" + logger.warning(reason) + raise RuntimeError(reason) + + auth = r["auth"] + if not auth["success"]: + logger.info("User not authenticated") + defer.returnValue(False) + + localpart = user_id.split(":", 1)[0][1:] + logger.info("User %s authenticated", user_id) + + registration = False + if not (yield self.account_handler.check_user_exists(user_id)): + logger.info("User %s does not exist yet, creating...", user_id) + + if localpart != localpart.lower() and self.regLower: + logger.info('User %s was cannot be created due to username lowercase policy', localpart) + defer.returnValue(False) + + user_id, access_token = (yield self.account_handler.register(localpart=localpart)) + registration = True + logger.info("Registration based on REST data was successful for %s", user_id) + else: + logger.info("User %s already exists, registration skipped", user_id) + + if auth["profile"]: + logger.info("Handling profile data") + profile = auth["profile"] + + # fixme: temporary fix + try: + store = yield self.account_handler._hs.get_profile_handler().store # for synapse >= 1.9.0 + except AttributeError: + store = yield self.account_handler.hs.get_profile_handler().store # for synapse < 1.9.0 + + if "display_name" in profile and ((registration and self.config.setNameOnRegister) or (self.config.setNameOnLogin)): + display_name = profile["display_name"] + logger.info("Setting display name to '%s' based on profile data", display_name) + yield store.set_profile_displayname(localpart, display_name) + else: + logger.info("Display name was not set because it was not given or policy restricted it") + + if (self.config.updateThreepid): + if "three_pids" in profile: + logger.info("Handling 3PIDs") + + external_3pids = [] + for threepid in profile["three_pids"]: + medium = threepid["medium"].lower() + address = threepid["address"].lower() + external_3pids.append({"medium": medium, "address": address}) + logger.info("Looking for 3PID %s:%s in user profile", medium, address) + + validated_at = time_msec() + if not (yield store.get_user_id_by_threepid(medium, address)): + logger.info("3PID is not present, adding") + yield store.user_add_threepid( + user_id, + medium, + address, + validated_at, + validated_at + ) + else: + logger.info("3PID is present, skipping") + + if (self.config.replaceThreepid): + for threepid in (yield store.user_get_threepids(user_id)): + medium = threepid["medium"].lower() + address = threepid["address"].lower() + if {"medium": medium, "address": address} not in external_3pids: + logger.info("3PID is not present in external datastore, deleting") + yield store.user_delete_threepid( + user_id, + medium, + address + ) + + else: + logger.info("3PIDs were not updated due to policy") + else: + logger.info("No profile data") + + defer.returnValue(True) + + @staticmethod + def parse_config(config): + # verify config sanity + _require_keys(config, ["endpoint"]) + + class _RestConfig(object): + endpoint = '' + regLower = True + setNameOnRegister = True + setNameOnLogin = False + updateThreepid = True + replaceThreepid = False + + rest_config = _RestConfig() + rest_config.endpoint = config["endpoint"] + + try: + rest_config.regLower = config['policy']['registration']['username']['enforceLowercase'] + except TypeError: + # we don't care + pass + except KeyError: + # we don't care + pass + + try: + rest_config.setNameOnRegister = config['policy']['registration']['profile']['name'] + except TypeError: + # we don't care + pass + except KeyError: + # we don't care + pass + + try: + rest_config.setNameOnLogin = config['policy']['login']['profile']['name'] + except TypeError: + # we don't care + pass + except KeyError: + # we don't care + pass + + try: + rest_config.updateThreepid = config['policy']['all']['threepid']['update'] + except TypeError: + # we don't care + pass + except KeyError: + # we don't care + pass + + try: + rest_config.replaceThreepid = config['policy']['all']['threepid']['replace'] + except TypeError: + # we don't care + pass + except KeyError: + # we don't care + pass + + return rest_config + + +def _require_keys(config, required): + missing = [key for key in required if key not in config] + if missing: + raise Exception( + "REST Auth enabled but missing required config values: {}".format( + ", ".join(missing) + ) + ) + + +def time_msec(): + """Get the current timestamp in milliseconds + """ + return int(time.time() * 1000) -- GitLab