Awesome-Technologies / synapse-admin

Admin console for synapse Matrix homeserver
https://awesome-technologies.github.io/synapse-admin/
Apache License 2.0
841 stars 125 forks

MAS compatibility issues #429

Open qwertzdenek opened 11 months ago

qwertzdenek commented 11 months ago

Prerequisites

Steps to Reproduce

Problem

MAS doesn't let you get "synapse admin" rights through the legacy auth flow, as the legacy flow doesn't have a way to specify whether the session should have the admin rights or not. The best option would be a native OIDC implementation in Synapse-Admin to work with MAS.

Or you could add the possibility to use a static pre-generated admin token, which can be issued using the CLI.

mas-cli manage issue-compatibility-token --yes-i-want-to-grant-synapse-admin-privileges [username]

dklimpel commented 9 months ago

It is related to: https://github.com/matrix-org/matrix-authentication-service/issues/2187#issuecomment-1879831757

jacotec commented 8 months ago

Is there any workaround? I can't use synapse-admin on any of my two servers which both use MAS due to Element-X capability. Any way to access them with admin?

jacotec commented 8 months ago

@awesome-manuel I really need to access my server admin panels ... is there any workaround or tweak to log in on a server running MAS?

CyberPingU commented 6 months ago

This is a big issue for me too: I'm not going into MAS due to the fact I cannot admin the server.

schwadim commented 6 months ago

Is there any workaround? I can't use synapse-admin on any of my two servers which both use MAS due to Element-X capability. Any way to access them with admin?

As soon as the adminAPI responds with the first "You are not a server admin", synapse admin will terminate the session (did not check if this behavior is configurable).

There is quite a dirty workaround:

If you temporarily block the adminAPI (either on the client or the server side), the session will be kept open. Then one can navigate to the compat_sessions table of the MAS DB and set the flag is_synapse_admin for the given session to true. After unblocking the adminAPI, the session should work as intended.

awesome-manuel commented 6 months ago

@schwadim do you have a log of the browser debug console to share?

schwadim commented 6 months ago

@awesome-manuel I am working on a testing environment with lots of issues and moving parts. Therefore I doubt that my personal browser debug console would be of any help. But let me know if you want me to provide one anyway.

In essence all I'm doing is:

awesome-manuel commented 6 months ago

I need to know the exact answer of synapse that you need to block. Maybe this can be detected to be a MAS request.

schwadim commented 6 months ago

I am blocking all requests towards /_synapse/admin as all of them would be answered with the 403 response: {"errcode":"M_FORBIDDEN","error":"You are not a server admin"}

Receiving such a response, synapse-admin silently performs a logout.

If not blocked, the first request leading to a logout happens to be: https://my_synapse/_synapse/admin/v2/users?deactivated=false&dir=f&from=0&guests=true&limit=10&order_by=name

So I'm simply gaining time to actually assign the required permissions to the session. It is just a hacky workaround.
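The silent logout described in this comment comes from treating a privilege error like an invalid session. As an added example (not part of the thread and not synapse-admin's own code), this sketch separates the two cases; `classifyAdminResponse` and its action names are hypothetical, the error codes are standard Matrix ones, and the 403 body is the one quoted above.

```javascript
// Added example: classifyAdminResponse and the action strings are hypothetical names.
// Matrix error codes that mean the access token itself is no longer usable.
const SESSION_DEAD = new Set(["M_UNKNOWN_TOKEN", "M_MISSING_TOKEN"]);

function parseMatrixError(bodyText) {
  // Reverse proxies may answer with HTML or an empty body, so never assume JSON.
  try {
    const parsed = JSON.parse(bodyText);
    return parsed && typeof parsed === "object" ? parsed : {};
  } catch {
    return {};
  }
}

function classifyAdminResponse(status, bodyText) {
  if (status >= 200 && status < 300) return { action: "ok" };
  const { errcode, error } = parseMatrixError(bodyText);

  // Invalid or expired token: the only case where ending the session is justified.
  if (status === 401 || SESSION_DEAD.has(errcode)) {
    return { action: "logout", reason: errcode || "unauthorized" };
  }
  // Valid session that lacks admin rights (the MAS compatibility-session case):
  // keep the session and surface the message instead of logging out silently.
  if (status === 403 && errcode === "M_FORBIDDEN") {
    return { action: "show_error", reason: error || "forbidden" };
  }
  if (status === 429 || errcode === "M_LIMIT_EXCEEDED") {
    return { action: "retry", reason: "rate_limited" };
  }
  return { action: "show_error", reason: errcode || `http_${status}` };
}

// Constructed sample responses; the first body is the 403 quoted in this thread.
const samples = [
  [403, '{"errcode":"M_FORBIDDEN","error":"You are not a server admin"}'],
  [401, '{"errcode":"M_UNKNOWN_TOKEN","error":"Invalid access token"}'],
  [403, "<html>blocked by proxy</html>"],
];
for (const [status, body] of samples) {
  console.log(status, classifyAdminResponse(status, body));
}
```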

schwadim commented 6 months ago

Instead of tweaking the MAS database, one can also generate a new token via mas-cli and change device_id and access_token in the browser local storage while being logged in with blocked /_synapse/admin path. After reloading and unblocking one is able to work with the new token.

Yet another workaround would be:

dklimpel commented 2 months ago

A real OIDC login workflow is required for synapse-admin with MAS. An example could be under certain circumstances

jacotec commented 1 month ago

@awesome-manuel Just asking if this is generally planned to be fixed? Would be great to be able to use Synapse-Admin again after 10 months ... ;-)

dklimpel commented 3 weeks ago

The first step is to add an identifier to the login flow. PR #601

A helpful guide could be: https://areweoidcyet.com/client-implementation-guide/