From 70bea81df753f281ae844239529b3b6bc94c95cc Mon Sep 17 00:00:00 2001
From: Paul N <92150859+stift-n2@users.noreply.github.com>
Date: Mon, 6 Feb 2023 15:59:32 +0100
Subject: [PATCH] Introduced flags to (1) enable/disable Auth (2) enable/disable openid_server_name pinning. Updated validate_config.yml and added new checks to verify.
---
 ...ring-playbook-user-verification-service.md | 15 +++++++++---
 .../defaults/main.yml | 12 ++++++----
 .../tasks/validate_config.yml | 23 ++++++++++++++++---
 .../templates/.env.j2 | 6 +++--
 4 files changed, 44 insertions(+), 12 deletions(-)
diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md
index 451f54f4b..d33c7147d 100644
--- a/docs/configuring-playbook-user-verification-service.md
+++ b/docs/configuring-playbook-user-verification-service.md
@@ -63,9 +63,9 @@ To get an access token for the UVS user, you can follow the documentation on [ho
 matrix_user_verification_service_uvs_access_token: "YOUR ACCESS TOKEN HERE"
 ```
-### (Optional) Auth Token
+### (Optional) Custom Auth Token
-It is possible to set an API Auth Token to restrict access to the UVS. If this is set, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN"
+It is possible to set an API Auth Token to restrict access to the UVS. If this is enabled, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN"
 By default, the token will be derived from `matrix_homeserver_generic_secret_key` in `group_vars/matrix_servers`. To set your own Token, simply put the following in your host_vars.
@@ -76,12 +76,21 @@ matrix_user_verification_service_uvs_auth_token: "TOKEN"
 In case Jitsi is also managed by this playbook and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token.
+### (Optional) Disable Auth
+Authorization is enabled by default. To disable set
+
+```yaml
+matrix_user_verification_service_uvs_require_auth: false
+```
+
+in your host_vars.
+
 ### (Optional) Federation
 In theory (however currently untested), UVS can handle federation. Simply set:
 ```yaml
-matrix_user_verification_service_uvs_openid_verify_server_name: ""
+matrix_user_verification_service_uvs_pin_openid_verify_server_name: false
 ```
 in your host_vars.
diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml
index cdef8f399..6f7be0d1f 100644
--- a/roles/custom/matrix-user-verification-service/defaults/main.yml
+++ b/roles/custom/matrix-user-verification-service/defaults/main.yml
@@ -43,13 +43,17 @@ matrix_user_verification_service_uvs_disable_ip_blacklist: false
 ## OPTIONAL
+# Require an Auth-Token with API calls. If set to false, UVS will reply to any API call.
+# The Auth-Token is defined via: matrix_user_verification_service_uvs_auth_token
+matrix_user_verification_service_uvs_require_auth: true
 # Auth token to protect the API
-# If this is set any calls to the provided API endpoints
-# need have the header "Authorization: Bearer changeme".
-# matrix_user_verification_service_uvs_auth_token: changeme
+# If enabled any calls to the provided API endpoints need have the header "Authorization: Bearer TOKEN".
+# A Token will be derived from matrix_homeserver_generic_secret_key in group_vars/matrix_servers
+matrix_user_verification_service_uvs_auth_token: ''
-# Matrix server name to verify OpenID tokens against.
 # Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook.
+matrix_user_verification_service_uvs_pin_openid_verify_server_name: true
+# Matrix server name to verify OpenID tokens against.
 # This is not the homeserverURL, but rather the domain in the matrix "user ID"
 # UVS can also be instructed to verify against the Matrix server name passed in the token, to enable set to ""
 matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}"
diff --git a/roles/custom/matrix-user-verification-service/tasks/validate_config.yml b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml
index e4349fa6b..40e9090cb 100644
--- a/roles/custom/matrix-user-verification-service/tasks/validate_config.yml
+++ b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml
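Review bot: The retained comment `# UVS can also be instructed to verify against the Matrix server name passed in the token, to enable set to ""` is stale now that the pin flag controls this: with `matrix_user_verification_service_uvs_pin_openid_verify_server_name: true` an empty server name fails the new validate_config assertion instead of switching to token-supplied verification. I'd reword it to `# To verify against the server name carried in the token instead, set matrix_user_verification_service_uvs_pin_openid_verify_server_name to false`. Separately, `matrix_user_verification_service_uvs_auth_token: ''` ships empty while `matrix_user_verification_service_uvs_require_auth` defaults to true, and the comment points at group_vars/matrix_servers, which is outside this role; a host relying on the role defaults alone would therefore render an empty bearer token, so the comment should say which layer is expected to supply the value.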
@@ -1,8 +1,25 @@
---
-- name: verify all necessary variables are present
+- name: Verify homeserver_url is not empty
 assert:
 that:
- matrix_user_verification_service_uvs_access_token is defined and matrix_user_verification_service_uvs_access_token|length
- matrix_user_verification_service_uvs_homeserver_url is defined and matrix_user_verification_service_uvs_homeserver_url|length
+ - matrix_user_verification_service_uvs_homeserver_url|length > 0
 fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role"
+
+- name: Verify Auth is configured properly or disabled
+ assert:
+ that:
+ - matrix_user_verification_service_uvs_access_token|length > 0 or not matrix_user_verification_service_uvs_require_auth|bool
+ fail_msg: "If Auth is enabled, a valid (non empty) TOKEN must be given in 'matrix_user_verification_service_uvs_access_token'."
+
+- name: Verify server_name for openid verification is given, if pinning a single server_name is enabled.
+ assert:
+ that:
+ - matrix_user_verification_service_uvs_openid_verify_server_name|length > 0 or not matrix_user_verification_service_uvs_pin_openid_verify_server_name|bool
+ fail_msg: "If pinning a single server_name is enabled, a valid (non empty) server_name must be given in 'matrix_user_verification_service_uvs_openid_verify_server_name'."
+
+- name: Verify the homeserver implementation is synapse
+ assert:
+ that:
+ - matrix_homeserver_implementation == 'synapse'
+ fail_msg: "The User-Verification-Service requires Synapse as homeserver implementation"
diff --git a/roles/custom/matrix-user-verification-service/templates/.env.j2 b/roles/custom/matrix-user-verification-service/templates/.env.j2
index 8119c1e98..359eed2a1 100644
--- a/roles/custom/matrix-user-verification-service/templates/.env.j2
+++ b/roles/custom/matrix-user-verification-service/templates/.env.j2
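Review bot: The `Verify Auth is configured properly or disabled` task asserts on `matrix_user_verification_service_uvs_access_token`, but that is the homeserver access token UVS_ACCESS_TOKEN needs whether or not API auth is on; the variable the require_auth flag actually governs, `matrix_user_verification_service_uvs_auth_token`, is never checked in this file. The net effect is that the previously unconditional access-token check is now skipped when require_auth is false, while require_auth true with an empty auth token passes validation and the template renders an empty bearer token (how UVS treats an empty UVS_AUTH_TOKEN I cannot tell from the diff). I'd keep `- matrix_user_verification_service_uvs_access_token|length > 0` in the first task's `that` list, and in the second task assert `- matrix_user_verification_service_uvs_auth_token|length > 0 or not matrix_user_verification_service_uvs_require_auth|bool` with the fail_msg naming `matrix_user_verification_service_uvs_auth_token`. Dropping the `is defined` guards also means an undefined variable now surfaces as a templating error rather than the fail_msg, which is only fine if every variable tested has a role default.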
@@ -2,8 +2,10 @@ UVS_ACCESS_TOKEN={{ matrix_user_verification_service_uvs_access_token }}
 UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }}
 UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }}
 UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }}
-UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }}
-{% if matrix_user_verification_service_uvs_openid_verify_server_name | length > 0 %}
+{% if matrix_user_verification_service_uvs_require_auth | bool %}
+ UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }}
+{% endif %}
+{% if matrix_user_verification_service_uvs_pin_openid_verify_server_name | bool %}
 UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }}
 {% endif %}
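Review bot: The added `UVS_AUTH_TOKEN=` line carries leading whitespace while every other variable in the template starts at column 0; whether the UVS env-file loader tolerates an indented key I cannot tell from here, so I'd write it flush left as `UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }}` like its neighbours. The block is guarded only by the require_auth flag, so an empty auth token still renders `UVS_AUTH_TOKEN=` when auth is required, and the validate_config change in this commit does not catch that case because it tests the access token variable rather than the auth token.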