Introduced flags to (1) enable/disable Auth and (2) enable/disable openid_server_name pinning. Updated validate_config.yml and added new checks to verify them.

This commit is contained in:
Paul N 2023-02-06 15:59:32 +01:00
parent 96dd86d33b
commit 70bea81df7
4 changed files with 44 additions and 12 deletions


@ -63,9 +63,9 @@ To get an access token for the UVS user, you can follow the documentation on [ho
matrix_user_verification_service_uvs_access_token: "YOUR ACCESS TOKEN HERE" matrix_user_verification_service_uvs_access_token: "YOUR ACCESS TOKEN HERE"
``` ```
### (Optional) Auth Token ### (Optional) Custom Auth Token
It is possible to set an API Auth Token to restrict access to the UVS. If this is set, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN" It is possible to set an API Auth Token to restrict access to the UVS. If this is enabled, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN"
By default, the token will be derived from `matrix_homeserver_generic_secret_key` in `group_vars/matrix_servers`. By default, the token will be derived from `matrix_homeserver_generic_secret_key` in `group_vars/matrix_servers`.
To set your own Token, simply put the following in your host_vars. To set your own Token, simply put the following in your host_vars.
@ -76,12 +76,21 @@ matrix_user_verification_service_uvs_auth_token: "TOKEN"
In case Jitsi is also managed by this playbook and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token. In case Jitsi is also managed by this playbook and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token.
### (Optional) Disable Auth
Authorization is enabled by default. To disable set
```yaml
matrix_user_verification_service_uvs_require_auth: false
```
in your host_vars.
### (Optional) Federation ### (Optional) Federation
In theory (however currently untested), UVS can handle federation. Simply set: In theory (however currently untested), UVS can handle federation. Simply set:
```yaml ```yaml
matrix_user_verification_service_uvs_openid_verify_server_name: "" matrix_user_verification_service_uvs_pin_openid_verify_server_name: false
``` ```
in your host_vars. in your host_vars.


@ -43,13 +43,17 @@ matrix_user_verification_service_uvs_disable_ip_blacklist: false
## OPTIONAL ## OPTIONAL
# Require an Auth-Token with API calls. If set to false, UVS will reply to any API call.
# The Auth-Token is defined via: matrix_user_verification_service_uvs_auth_token
matrix_user_verification_service_uvs_require_auth: true
# Auth token to protect the API # Auth token to protect the API
# If this is set any calls to the provided API endpoints # If enabled any calls to the provided API endpoints need have the header "Authorization: Bearer TOKEN".
# need have the header "Authorization: Bearer changeme". # A Token will be derived from matrix_homeserver_generic_secret_key in group_vars/matrix_servers
# matrix_user_verification_service_uvs_auth_token: changeme matrix_user_verification_service_uvs_auth_token: ''
# Matrix server name to verify OpenID tokens against.
# Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook. # Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook.
matrix_user_verification_service_uvs_pin_openid_verify_server_name: true
# Matrix server name to verify OpenID tokens against.
# This is not the homeserverURL, but rather the domain in the matrix "user ID" # This is not the homeserverURL, but rather the domain in the matrix "user ID"
# UVS can also be instructed to verify against the Matrix server name passed in the token, to enable set to "" # UVS can also be instructed to verify against the Matrix server name passed in the token, to enable set to ""
matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}" matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}"
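Review bot: The comment kept above `matrix_user_verification_service_uvs_openid_verify_server_name` still tells the reader to set the value to "" to verify against the server name carried in the token, but in this commit that behaviour is selected by the new `matrix_user_verification_service_uvs_pin_openid_verify_server_name` flag (both the docs hunk and the template hunk key on it), and an empty server name with pinning left at its default of true now trips the new validation task. Replace that comment line with `# To verify against the server name carried in the token instead, set matrix_user_verification_service_uvs_pin_openid_verify_server_name: false`. The comment on the new require_auth flag could also spell out the rendered effect, since the template omits the variable entirely in that case: `# When false, UVS_AUTH_TOKEN is not written to the env file and the API answers unauthenticated requests.`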


@ -1,8 +1,25 @@
--- ---
- name: verify all necessary variables are present - name: Verify homeserver_url is not empty
assert: assert:
that: that:
- matrix_user_verification_service_uvs_access_token is defined and matrix_user_verification_service_uvs_access_token|length - matrix_user_verification_service_uvs_homeserver_url|length > 0
- matrix_user_verification_service_uvs_homeserver_url is defined and matrix_user_verification_service_uvs_homeserver_url|length
fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role" fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role"
- name: Verify Auth is configured properly or disabled
assert:
that:
- matrix_user_verification_service_uvs_access_token|length > 0 or not matrix_user_verification_service_uvs_require_auth|bool
fail_msg: "If Auth is enabled, a valid (non empty) TOKEN must be given in 'matrix_user_verification_service_uvs_access_token'."
- name: Verify server_name for openid verification is given, if pinning a single server_name is enabled.
assert:
that:
- matrix_user_verification_service_uvs_openid_verify_server_name|length > 0 or not matrix_user_verification_service_uvs_pin_openid_verify_server_name|bool
fail_msg: "If pinning a single server_name is enabled, a valid (non empty) server_name must be given in 'matrix_user_verification_service_uvs_openid_verify_server_name'."
- name: Verify the homeserver implementation is synapse
assert:
that:
- matrix_homeserver_implementation == 'synapse'
fail_msg: "The User-Verification-Service requires Synapse as homeserver implementation"
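Review bot: The task "Verify Auth is configured properly or disabled" asserts on `matrix_user_verification_service_uvs_access_token`, which is the homeserver access token rendered unconditionally as UVS_ACCESS_TOKEN in the template hunk, while the token gated by `require_auth` is `matrix_user_verification_service_uvs_auth_token` (defaulting to `''` in the defaults hunk). As written, a setup where auth is required but the auth token is empty passes validation and renders an empty `UVS_AUTH_TOKEN=`, and the homeserver access token is no longer required at all once auth is disabled, although the previous version of this file checked it unconditionally. Keep the unconditional check by adding `- matrix_user_verification_service_uvs_access_token|length > 0` to the first task, and change the auth assertion to `- matrix_user_verification_service_uvs_auth_token|length > 0 or not matrix_user_verification_service_uvs_require_auth|bool`, with the fail_msg naming 'matrix_user_verification_service_uvs_auth_token'. If the derivation from `matrix_homeserver_generic_secret_key` mentioned in the defaults comment guarantees a non-empty auth token in this playbook, the second change is belt-and-braces, but the first still restores a check this commit drops.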


@ -2,8 +2,10 @@ UVS_ACCESS_TOKEN={{ matrix_user_verification_service_uvs_access_token }}
UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }} UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }}
UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }} UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }}
UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }} UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }}
{% if matrix_user_verification_service_uvs_require_auth | bool %}
UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }} UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }}
{% if matrix_user_verification_service_uvs_openid_verify_server_name | length > 0 %} {% endif %}
{% if matrix_user_verification_service_uvs_pin_openid_verify_server_name | bool %}
UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }} UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }}
{% endif %} {% endif %}