From 1722e4bd8369a552d49cec70b7131acfee57bbd1 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sat, 17 Aug 2024 19:03:38 +0300
Subject: [PATCH] Switch mautrix-slack double-puppeting method (shared secret auth -> appservice-double-puppet)
Since upgrading mautrix-slack (and pinning to v0.1.0) in e4b54c37fe258b17f49dd7ed58a18ef3abac1c41, we expect double-puppeting to require the new appservice double-puppeting method. This commit switches the mautrix-slack bridge to it.
---
 docs/configuring-playbook-bridge-mautrix-slack.md | 4 ++--
 group_vars/matrix_servers | 9 ++++++++-
 .../matrix-bridge-mautrix-slack/defaults/main.yml | 11 +++--------
 .../tasks/validate_config.yml | 11 +++++++++++
 .../templates/config.yaml.j2 | 5 ++---
 5 files changed, 26 insertions(+), 14 deletions(-)
diff --git a/docs/configuring-playbook-bridge-mautrix-slack.md b/docs/configuring-playbook-bridge-mautrix-slack.md
index f53fbd104..808aca299 100644
--- a/docs/configuring-playbook-bridge-mautrix-slack.md
+++ b/docs/configuring-playbook-bridge-mautrix-slack.md
@@ -47,9 +47,9 @@ Take a look at:
 If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
-#### Method 1: automatically, by enabling Shared Secret Auth
+#### Method 1: automatically, by enabling Appservice Double Puppet
-The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service for this playbook.
 This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 4e5b0c696..60db149b8 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -1047,7 +1047,14 @@ matrix_mautrix_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_gener
 matrix_mautrix_slack_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_slack_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mauslack.hs.tok', rounds=655555) | to_uuid }}"
-matrix_mautrix_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
+matrix_mautrix_slack_double_puppet_secrets_auto: |-
+ {{
+ {
+ matrix_mautrix_slack_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
+ }
+ if matrix_appservice_double_puppet_enabled
+ else {}
+ }}
 # Postgres is the default, except if not using internal Postgres server
 matrix_mautrix_slack_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
diff --git a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
index 360544c85..060f3defc 100644
--- a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
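Review bot: The new `matrix_mautrix_slack_double_puppet_secrets_auto` assignment has no comment saying what it now hands to the bridge, although the secret changes in kind: the removed line passed the Shared Secret Auth secret, the added lines pass `matrix_appservice_double_puppet_registration_as_token`. If that appservice registration covers all local users (presumably what the double-puppet method needs; confirm against the appservice-double-puppet role), anyone able to read the rendered bridge config can act as those users, so the sensitivity belongs next to the variable. I would add above it: `# Appservice double-puppet token for our own homeserver; it lets the bridge act as local users, so keep the rendered bridge config readable only by the bridge.` The `as_token:` prefix is a value format the bridge parses and deserves a short mention in the same comment.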
@@ -94,14 +94,9 @@ matrix_mautrix_slack_appservice_database_uri: "{{
 }[matrix_mautrix_slack_database_engine] }}"
-# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
-matrix_mautrix_slack_login_shared_secret: ''
-matrix_mautrix_slack_bridge_login_shared_secret_map:
- "{{ {matrix_mautrix_slack_homeserver_domain: matrix_mautrix_slack_login_shared_secret} if matrix_mautrix_slack_login_shared_secret else {} }}"
-
-# Servers to always allow double puppeting from
-matrix_mautrix_slack_bridge_double_puppet_server_map:
- "{{ matrix_mautrix_slack_homeserver_domain : matrix_mautrix_slack_homeserver_address }}"
+matrix_mautrix_slack_double_puppet_secrets: "{{ matrix_mautrix_slack_double_puppet_secrets_auto | combine(matrix_mautrix_slack_double_puppet_secrets_custom) }}"
+matrix_mautrix_slack_double_puppet_secrets_auto: {}
+matrix_mautrix_slack_double_puppet_secrets_custom: {}
 # Default mautrix-slack configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
diff --git a/roles/custom/matrix-bridge-mautrix-slack/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-slack/tasks/validate_config.yml
index e721dc80c..19c51c61e 100644
--- a/roles/custom/matrix-bridge-mautrix-slack/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-mautrix-slack/tasks/validate_config.yml
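Review bot: The three added `matrix_mautrix_slack_double_puppet_secrets*` defaults carry no comments, while both variables they replace had one. Because the effective map is `_auto | combine(_custom)`, a `_custom` entry for the same homeserver domain replaces the playbook-generated secret without any notice, and that precedence should be written down where operators will look. I would add above the first variable: `# Map of homeserver domain -> double-puppeting secret (e.g. "as_token:<token>"). _auto is filled in by the playbook; _custom entries are merged last and win on conflict.` A one-line reminder that these values are credentials and should come from a vault rather than plain vars would fit there as well.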
@@ -20,3 +20,14 @@ To resolve the conflict, make one of these components use a different username. Consider either changing `matrix_mautrix_slack_appservice_bot_username` (the bot username for the mautrix-slack component) or `matrix_appservice_slack_bot_name` (the bot username for the appservice-slack component). We recommend that you change the username for the newly-added (and yet unused) component.
+
+- name: (Deprecation) Catch and report renamed settings
+ ansible.builtin.fail:
+ msg: >-
+ Your configuration contains a variable, which now has a different name.
+ Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+ when: "item.old in vars"
+ with_items:
+ - {'old': 'matrix_mautrix_slack_login_shared_secret', 'new': ''}
+ - {'old': 'matrix_mautrix_slack_bridge_login_shared_secret_map', 'new': ''}
+ - {'old': 'matrix_mautrix_slack_bridge_double_puppet_server_map', 'new': ''}
diff --git a/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2
index f71a25413..75314ed35 100644
--- a/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2
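Review bot: All three `with_items` entries set `'new': ''`, so the failure message asks the operator to rename the old variable to an empty name. These variables are removed by this commit rather than renamed, so someone who had set a shared secret by hand gets a hard stop with no pointer to what replaces it. Failing closed here is right, but the message should say where to go. I would name the successor where one exists, e.g. `'new': 'matrix_mautrix_slack_double_puppet_secrets_custom'` for the `matrix_mautrix_slack_bridge_login_shared_secret_map` entry, use an explicit marker such as `'new': '<removed>'` for the other two, and have the message point at the Appservice Double Puppet documentation page.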
@@ -351,15 +351,14 @@ backfill:
 double_puppet:
 # Servers to always allow double puppeting from.
 # This is only for other servers and should NOT contain the server the bridge is on.
- servers:
- "{{ matrix_mautrix_slack_homeserver_domain }}": {{ matrix_mautrix_slack_homeserver_address }}
+ servers: {}
 # Whether to allow client API URL discovery for other servers. When using this option,
 # users on other servers can use double puppeting even if their server URLs aren't
 # explicitly added to the servers map above.
 allow_discovery: false
 # Shared secrets for automatic double puppeting.
 # See https://docs.mau.fi/bridges/general/double-puppeting.html for instructions.
- secrets: {{ matrix_mautrix_slack_bridge_login_shared_secret_map | to_json }}
+ secrets: {{ matrix_mautrix_slack_double_puppet_secrets | to_json }}
 # End-to-bridge encryption support options.
 #