mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2024-11-14 14:32:51 +01:00
28c255539c
Self-checks against the .well-known URIs look for the HTTP header "Access-Control-Allow-Origin" indicating that the remode endpoint supports CORS. But the remote server is not required to include said header in the response if the HTTP request does not include the "Origin" header. This is in accordance with the specification [1] stating: 'A CORS request is an HTTP request that includes an "Origin" header.' This is in fact true for Gitlab pages hosting and that's why the issue was identified. Let's specify "Origin" header in the respective uri tasks performing the HTTP request and ensure a CORS request. [1] https://fetch.spec.whatwg.org/#http-requests
74 lines
4.0 KiB
YAML
74 lines
4.0 KiB
YAML
---
|
|
|
|
- set_fact:
|
|
well_known_url_matrix: "https://{{ matrix_server_fqn_matrix }}{{ well_known_file_check.path }}"
|
|
well_known_url_identity: "https://{{ matrix_domain }}{{ well_known_file_check.path }}"
|
|
|
|
# These well-known files may be served without a `Content-Type: application/json` header,
|
|
# so we can't rely on the uri module's automatic parsing of JSON.
|
|
- name: Check .well-known on the matrix hostname
|
|
uri:
|
|
url: "{{ well_known_url_matrix }}"
|
|
follow_redirects: none
|
|
return_content: true
|
|
validate_certs: "{{ well_known_file_check.validate_certs }}"
|
|
headers:
|
|
Origin: example.com
|
|
check_mode: no
|
|
register: result_well_known_matrix
|
|
ignore_errors: true
|
|
|
|
- name: Fail if .well-known not working on the matrix hostname
|
|
fail:
|
|
msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}"
|
|
when: "result_well_known_matrix.failed"
|
|
|
|
- name: Parse JSON for well-known payload at the matrix hostname
|
|
set_fact:
|
|
well_known_matrix_payload: "{{ result_well_known_matrix.content|from_json }}"
|
|
|
|
- name: Fail if .well-known not CORS-aware on the matrix hostname
|
|
fail:
|
|
msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set."
|
|
when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_matrix"
|
|
|
|
- name: Report working .well-known on the matrix hostname
|
|
debug:
|
|
msg: "well-known for {{ well_known_file_check.purpose }} is configured correctly for `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)"
|
|
|
|
- name: Check .well-known on the identity hostname
|
|
uri:
|
|
url: "{{ well_known_url_identity }}"
|
|
follow_redirects: "{{ well_known_file_check.follow_redirects }}"
|
|
return_content: true
|
|
validate_certs: "{{ well_known_file_check.validate_certs }}"
|
|
headers:
|
|
Origin: example.com
|
|
check_mode: no
|
|
register: result_well_known_identity
|
|
ignore_errors: true
|
|
|
|
- name: Fail if .well-known not working on the identity hostname
|
|
fail:
|
|
msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}"
|
|
when: "result_well_known_identity.failed"
|
|
|
|
- name: Parse JSON for well-known payload at the identity hostname
|
|
set_fact:
|
|
well_known_identity_payload: "{{ result_well_known_identity.content|from_json }}"
|
|
|
|
- name: Fail if .well-known not CORS-aware on the identity hostname
|
|
fail:
|
|
msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set. See docs/configuring-well-known.md"
|
|
when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_identity"
|
|
|
|
# For people who manually copy the well-known file, try to detect if it's outdated
|
|
- name: Fail if well-known is different on matrix hostname and identity hostname
|
|
fail:
|
|
msg: "The well-known files for {{ well_known_file_check.purpose }} at `{{ matrix_server_fqn_matrix }}` and `{{ matrix_domain }}` are different. Perhaps you copied the file ({{ well_known_file_check.path }}) manually before and now it's outdated?"
|
|
when: "well_known_matrix_payload != well_known_identity_payload"
|
|
|
|
- name: Report working .well-known on the identity hostname
|
|
debug:
|
|
msg: "well-known for {{ well_known_file_check.purpose }} ({{ well_known_file_check.path }}) is configured correctly for `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`)"
|