From 28d86e3aaa9cb314fa41eff70548c2ffb8fcd5a0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 16 Jan 2021 23:47:14 +0200 Subject: [PATCH] Initial work on support for matrix-corporal v2 --- docs/configuring-playbook-matrix-corporal.md | 17 ++++++++++++++--- group_vars/matrix_servers | 3 +++ roles/matrix-corporal/defaults/main.yml | 10 ++++++++-- roles/matrix-corporal/tasks/validate_config.yml | 2 +- roles/matrix-corporal/templates/config.json.j2 | 10 ++++++++-- 5 files changed, 34 insertions(+), 8 deletions(-) diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md index 6d7faad0..15de634e 100644 --- a/docs/configuring-playbook-matrix-corporal.md +++ b/docs/configuring-playbook-matrix-corporal.md @@ -11,7 +11,9 @@ The playbook can install and configure [matrix-corporal](https://github.com/devt In short, it's a sort of automation and firewalling service, which is helpful if you're instaling Matrix services in a controlled corporate environment. See that project's documentation to learn what it does and why it might be useful to you. -If you decide that you'd like to let this playbook install it for you, you'd need to also [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md). +If you decide that you'd like to let this playbook install it for you, you'd need to also: +- (required) [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md) +- (optional, but encouraged) [set up the REST authentication password provider module](configuring-playbook-rest-auth.md) ## Playbook configuration @@ -24,6 +26,15 @@ You would then need some configuration like this: matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE +# When matrix-corporal is acting as the primary authentication provider, +# you need to set up the REST authentication password provider module +# to make Interactive User Authentication work. +# This is necessary for certain user actions (like E2EE, device management, etc). +# +# See configuring-playbook-rest-auth.md +matrix_synapse_ext_password_provider_rest_auth_enabled: true +matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-corporal:41080/_matrix/corporal" + matrix_corporal_enabled: true matrix_corporal_policy_provider_config: | @@ -40,9 +51,9 @@ matrix_corporal_policy_provider_config: | matrix_corporal_http_api_enabled: true matrix_corporal_http_api_auth_token: "AUTH_TOKEN_HERE" -# If you need to change the reconciliator user's id from the default (matrix-corporal).. +# If you need to change matrix-corporal's user id from the default (matrix-corporal). # In any case, you need to make sure this Matrix user is created on your server. -matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" +matrix_corporal_corporal_user_id_local_part: "matrix-corporal" # Because Corporal peridoically performs lots of user logins from the same IP, # you may need raise Synapse's ratelimits. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b43ed11f..e5517084 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -674,6 +674,9 @@ matrix_corporal_matrix_homeserver_api_endpoint: "http://matrix-synapse:8008" matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" +# This is only useful if there's REST auth provider to make use of it. +matrix_corporal_http_gateway_internal_rest_auth_enabled: "{{ matrix_synapse_ext_password_provider_rest_auth_enabled }}" + matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret }}" ###################################################################### diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index cccaadd0..9e73f1f1 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -24,7 +24,7 @@ matrix_corporal_systemd_required_services_list: ['docker.service'] matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}" -matrix_corporal_docker_image_tag: "1.11.0" +matrix_corporal_docker_image_tag: "2.0.0" matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" @@ -50,10 +50,16 @@ matrix_corporal_matrix_registration_shared_secret: "" matrix_corporal_matrix_timeout_milliseconds: 45000 matrix_corporal_reconciliation_retry_interval_milliseconds: 30000 -matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" +matrix_corporal_corporal_user_id_local_part: "matrix-corporal" matrix_corporal_http_gateway_timeout_milliseconds: 60000 +# If enabled, matrix-corporal exposes a `POST /_matrix/corporal/_matrix-internal/identity/v1/check_credentials` API +# on the gateway (Client-Server API) server. +# This API can then be used together with the REST Auth password provider by pointing it to matrix-corporal (e.g. `http://matrix-corporal:41080/_matrix/corporal`). +# Doing so allows Interactive Authentication to work. +matrix_corporal_http_gateway_internal_rest_auth_enabled: false + matrix_corporal_http_api_enabled: false matrix_corporal_http_api_auth_token: "" matrix_corporal_http_api_timeout_milliseconds: 15000 diff --git a/roles/matrix-corporal/tasks/validate_config.yml b/roles/matrix-corporal/tasks/validate_config.yml index 9c6b295e..a8930e7e 100644 --- a/roles/matrix-corporal/tasks/validate_config.yml +++ b/roles/matrix-corporal/tasks/validate_config.yml @@ -16,7 +16,6 @@ msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`" when: "matrix_corporal_http_api_enabled|bool and matrix_corporal_http_api_auth_token == ''" - - name: (Deprecation) Catch and report renamed corporal variables fail: msg: >- @@ -25,3 +24,4 @@ when: "item.old in vars" with_items: - {'old': 'matrix_corporal_container_expose_ports', 'new': ''} + - {'old': 'matrix_corporal_reconciliation_user_id_local_part', 'new': 'matrix_corporal_corporal_user_id_local_part'} diff --git a/roles/matrix-corporal/templates/config.json.j2 b/roles/matrix-corporal/templates/config.json.j2 index dff73830..d8d22f66 100644 --- a/roles/matrix-corporal/templates/config.json.j2 +++ b/roles/matrix-corporal/templates/config.json.j2 @@ -7,14 +7,20 @@ "TimeoutMilliseconds": {{ matrix_corporal_matrix_timeout_milliseconds }} }, + "Corporal": { + "UserId": "@{{ matrix_corporal_corporal_user_id_local_part }}:{{ matrix_domain }}" + }, + "Reconciliation": { - "UserId": "@{{ matrix_corporal_reconciliation_user_id_local_part }}:{{ matrix_domain }}", "RetryIntervalMilliseconds": {{ matrix_corporal_reconciliation_retry_interval_milliseconds }} }, "HttpGateway": { "ListenAddress": "0.0.0.0:41080", - "TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }} + "TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }}, + "InternalRESTAuth": { + "Enabled": {{ matrix_corporal_http_gateway_internal_rest_auth_enabled|to_json }} + } }, "HttpApi": {