Introduced flags to (1) enable/disable Auth (2) enable/disable openid_server_name pinning. Updated validate_config.yml and added new checks to verify.
This commit is contained in:
parent
96dd86d33b
commit
70bea81df7
@ -63,9 +63,9 @@ To get an access token for the UVS user, you can follow the documentation on [ho
|
|||||||
matrix_user_verification_service_uvs_access_token: "YOUR ACCESS TOKEN HERE"
|
matrix_user_verification_service_uvs_access_token: "YOUR ACCESS TOKEN HERE"
|
||||||
```
|
```
|
||||||
|
|
||||||
### (Optional) Auth Token
|
### (Optional) Custom Auth Token
|
||||||
|
|
||||||
It is possible to set an API Auth Token to restrict access to the UVS. If this is set, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN"
|
It is possible to set an API Auth Token to restrict access to the UVS. If this is enabled, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN"
|
||||||
|
|
||||||
By default, the token will be derived from `matrix_homeserver_generic_secret_key` in `group_vars/matrix_servers`.
|
By default, the token will be derived from `matrix_homeserver_generic_secret_key` in `group_vars/matrix_servers`.
|
||||||
To set your own Token, simply put the following in your host_vars.
|
To set your own Token, simply put the following in your host_vars.
|
||||||
@ -76,12 +76,21 @@ matrix_user_verification_service_uvs_auth_token: "TOKEN"
|
|||||||
|
|
||||||
In case Jitsi is also managed by this playbook and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token.
|
In case Jitsi is also managed by this playbook and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token.
|
||||||
|
|
||||||
|
### (Optional) Disable Auth
|
||||||
|
Authorization is enabled by default. To disable set
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
matrix_user_verification_service_uvs_require_auth: false
|
||||||
|
```
|
||||||
|
|
||||||
|
in your host_vars.
|
||||||
|
|
||||||
### (Optional) Federation
|
### (Optional) Federation
|
||||||
|
|
||||||
In theory (however currently untested), UVS can handle federation. Simply set:
|
In theory (however currently untested), UVS can handle federation. Simply set:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
matrix_user_verification_service_uvs_openid_verify_server_name: ""
|
matrix_user_verification_service_uvs_pin_openid_verify_server_name: false
|
||||||
```
|
```
|
||||||
|
|
||||||
in your host_vars.
|
in your host_vars.
|
||||||
|
@ -43,13 +43,17 @@ matrix_user_verification_service_uvs_disable_ip_blacklist: false
|
|||||||
|
|
||||||
## OPTIONAL
|
## OPTIONAL
|
||||||
|
|
||||||
|
# Require an Auth-Token with API calls. If set to false, UVS will reply to any API call.
|
||||||
|
# The Auth-Token is defined via: matrix_user_verification_service_uvs_auth_token
|
||||||
|
matrix_user_verification_service_uvs_require_auth: true
|
||||||
# Auth token to protect the API
|
# Auth token to protect the API
|
||||||
# If this is set any calls to the provided API endpoints
|
# If enabled any calls to the provided API endpoints need have the header "Authorization: Bearer TOKEN".
|
||||||
# need have the header "Authorization: Bearer changeme".
|
# A Token will be derived from matrix_homeserver_generic_secret_key in group_vars/matrix_servers
|
||||||
# matrix_user_verification_service_uvs_auth_token: changeme
|
matrix_user_verification_service_uvs_auth_token: ''
|
||||||
|
|
||||||
# Matrix server name to verify OpenID tokens against.
|
|
||||||
# Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook.
|
# Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook.
|
||||||
|
matrix_user_verification_service_uvs_pin_openid_verify_server_name: true
|
||||||
|
# Matrix server name to verify OpenID tokens against.
|
||||||
# This is not the homeserverURL, but rather the domain in the matrix "user ID"
|
# This is not the homeserverURL, but rather the domain in the matrix "user ID"
|
||||||
# UVS can also be instructed to verify against the Matrix server name passed in the token, to enable set to ""
|
# UVS can also be instructed to verify against the Matrix server name passed in the token, to enable set to ""
|
||||||
matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}"
|
matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}"
|
||||||
|
@ -1,8 +1,25 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- name: verify all necessary variables are present
|
- name: Verify homeserver_url is not empty
|
||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- matrix_user_verification_service_uvs_access_token is defined and matrix_user_verification_service_uvs_access_token|length
|
- matrix_user_verification_service_uvs_homeserver_url|length > 0
|
||||||
- matrix_user_verification_service_uvs_homeserver_url is defined and matrix_user_verification_service_uvs_homeserver_url|length
|
|
||||||
fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role"
|
fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role"
|
||||||
|
|
||||||
|
- name: Verify Auth is configured properly or disabled
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- matrix_user_verification_service_uvs_access_token|length > 0 or not matrix_user_verification_service_uvs_require_auth|bool
|
||||||
|
fail_msg: "If Auth is enabled, a valid (non empty) TOKEN must be given in 'matrix_user_verification_service_uvs_access_token'."
|
||||||
|
|
||||||
|
- name: Verify server_name for openid verification is given, if pinning a single server_name is enabled.
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- matrix_user_verification_service_uvs_openid_verify_server_name|length > 0 or not matrix_user_verification_service_uvs_pin_openid_verify_server_name|bool
|
||||||
|
fail_msg: "If pinning a single server_name is enabled, a valid (non empty) server_name must be given in 'matrix_user_verification_service_uvs_openid_verify_server_name'."
|
||||||
|
|
||||||
|
- name: Verify the homeserver implementation is synapse
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- matrix_homeserver_implementation == 'synapse'
|
||||||
|
fail_msg: "The User-Verification-Service requires Synapse as homeserver implementation"
|
||||||
|
@ -2,8 +2,10 @@ UVS_ACCESS_TOKEN={{ matrix_user_verification_service_uvs_access_token }}
|
|||||||
UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }}
|
UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }}
|
||||||
UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }}
|
UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }}
|
||||||
UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }}
|
UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }}
|
||||||
|
{% if matrix_user_verification_service_uvs_require_auth | bool %}
|
||||||
UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }}
|
UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }}
|
||||||
{% if matrix_user_verification_service_uvs_openid_verify_server_name | length > 0 %}
|
{% endif %}
|
||||||
|
{% if matrix_user_verification_service_uvs_pin_openid_verify_server_name | bool %}
|
||||||
UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }}
|
UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user