YunoHost-Apps / synapse_ynh

Matrix server (synapse) package for YunoHost
https://matrix.org/
GNU General Public License v3.0

Add /_synapse path permission for administration API #301

Closed tituspijean closed 1 year ago

tituspijean commented 2 years ago

Problem

Closes #291. Will fix Synapse Admin package with https://github.com/YunoHost-Apps/synapse-admin_ynh/pull/13

Solution

Add a new permission, with no access by default, to protect /_synapse path.

PR Status

Automatic tests

Automatic tests can be triggered on https://ci-apps-dev.yunohost.org/ after creating the PR, by commenting "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!". (N.B. : for this to work you need to be a member of the Yunohost-Apps organization)

collector-ynh commented 2 years ago

Even after installing synapse from this branch and synapse-admin from https://github.com/YunoHost-Apps/synapse-admin_ynh/pull/13, https://example.tld/_synapse still remains unreachable, and the synapse-admin application still returns the error: NetworkError when attempting to fetch resource

Josue-T commented 2 years ago

!testme

yunohost-bot commented 2 years ago

Meow :cat2: Test Badge

collector-ynh commented 2 years ago

Unable to install this branch, the error related to the package "jinja2" has still not been fixed. Here are the logs: https://paste.yunohost.org/raw/yanemipanu

Josue-T commented 2 years ago

!testme

yunohost-bot commented 2 years ago

:stuck_out_tongue_winking_eye: Test Badge

nathanael-h commented 2 years ago

I upgraded to this branch, no problem on upgrade. But I am SSOed on the /_synapse path:

curl -I https://matrix.server.fr/_synapse
HTTP/2 302 
server: nginx
date: Fri, 22 Apr 2022 21:56:09 GMT
content-type: text/html
content-length: 154
location: https://server.fr/yunohost/sso/?r=aHR0cHM6Ly9tYXRyaxxxxxxydXMuZnIvX3N5bmFwc2U=
x-sso-wat: You've just been SSOed
content-security-policy: upgrade-insecure-requests
content-security-policy-report-only: default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-download-options: noopen
x-permitted-cross-domain-policies: none
x-frame-options: SAMEORIGIN
permissions-policy: interest-cohort=()
strict-transport-security: max-age=63072000; includeSubDomains; preload

Shouldn't this location open? Here are upgrade logs: https://paste.yunohost.org/raw/kokecelola

Also this:

root@server:~# yunohost user permission info synapse.admin_api
additional_urls: 
allowed: 
auth_header: False
corresponding_users: 
label: Matrix (serveur de chat) (Server administration API.)
protected: False
show_tile: False
sublabel: Server administration API.
url: matrix.server.fr/_synapse

nathanael-h commented 2 years ago

I added this permission Matrix (serveur de chat) (Server administration API.) to the group visitors. But the same call with curl is SSOed.

nathanael-h commented 2 years ago

[EDIT] : synapse-admin works !!! :clap: :champagne: :fireworks: Sorry I was not using a valid endpoint I think. This works:

curl https://matrix.server.fr/_synapse/admin/v1/server_version   
{"server_version":"1.56.0","python_version":"3.7.3"}%

Headers:
HTTP/2 200 
server: nginx
date: Fri, 22 Apr 2022 22:23:41 GMT
content-type: application/json
x-sso-wat: You've just been SSOed
cache-control: no-cache, no-store, must-revalidate
access-control-allow-origin: *
access-control-allow-methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
access-control-allow-headers: X-Requested-With, Content-Type, Authorization, Date
content-security-policy: upgrade-insecure-requests
content-security-policy-report-only: default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-download-options: noopen
x-permitted-cross-domain-policies: none
x-frame-options: SAMEORIGIN
permissions-policy: interest-cohort=()
strict-transport-security: max-age=63072000; includeSubDomains; preload     
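
The two header dumps in this thread both carry `x-sso-wat: You've just been SSOed`, so that header alone does not tell a gated path from an open one; the status line and the `location` target do. The following is an added example, not code from the PR or the package: a small shell check that classifies a `curl -sI` header dump. The function names and the abridged sample headers (constructed from the output above, with a placeholder `r=` value) are assumptions.

```shell
#!/bin/sh
# Added example: decide whether a path is gated by the YunoHost SSO or passed
# through, from the response headers only.

classify_sso() {
    # $1: raw response headers, one per line. Real curl output ends lines
    # with CR, so strip it; header names are compared case-insensitively.
    printf '%s\n' "$1" | tr -d '\r' | awk '
        NR == 1 { status = $2; next }            # "HTTP/2 302" -> 302
        {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
            if (name == "location") location = value
        }
        END {
            # x-sso-wat is deliberately ignored: it appears on both outcomes.
            if (status ~ /^30[1278]$/ && location ~ /\/yunohost\/sso\/\?r=/)
                print "sso-redirect"
            else if (status ~ /^2[0-9][0-9]$/)
                print "passed-through"
            else
                print "other:" status
        }'
}

# Live use (assumes curl is installed):
#   check_url https://matrix.server.fr/_synapse/admin/v1/server_version
check_url() { classify_sso "$(curl -sI --max-time 10 "$1")"; }

# Constructed samples, abridged from the two responses quoted in this thread.
REDIRECT_SAMPLE="HTTP/2 302
server: nginx
location: https://server.fr/yunohost/sso/?r=PLACEHOLDER
x-sso-wat: You've just been SSOed"

OPEN_SAMPLE="HTTP/2 200
server: nginx
content-type: application/json
x-sso-wat: You've just been SSOed"

echo "bare /_synapse:          $(classify_sso "$REDIRECT_SAMPLE")"
echo "/_synapse/admin/v1/...:  $(classify_sso "$OPEN_SAMPLE")"
```

Running `check_url` against each path covered by a permission after changing its allowed groups shows whether the change took effect as intended.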

collector-ynh commented 2 years ago

I have several synapse instances installed in stable version, which have not yet received the update of this branch https://github.com/YunoHost-Apps/synapse_ynh/tree/add-_synapse-perm to have the permissions /_synapse/admin. I would like to know how to give them these permissions? Or how to update them to this branch without data loss?

The following permission is not good:

yunohost tools shell -c "from yunohost.permission import permission_create; permission_create('synapse.admin_api', url='/_synapse', auth_header=False, allowed=['visitors'], label='Server administration API.', show_tile=False, protected=False)"

Because it creates a path https://synapse.domain.tld/_matrix/_synapse while what we are looking for is https://synapse.domain.tld/_synapse

collector-ynh commented 2 years ago

I have a server that I installed with the latest test repositories and that works very well with redirection domain.tld/_synapse

But I have a second one, which I installed with old repositories, where the Admin API redirection is domain.tld/_matrix/_synapse, which doesn't work.

How to change the redirection of the second Synapse server, so that it is similar to the first?

lapineige commented 2 years ago

Hello,

What is the procedure to beta-test this ? How can we do it once we upgrade to this version ?

lapineige commented 2 years ago

I have several synapse instances installed in stable version, which have not yet received the update of this branch https://github.com/YunoHost-Apps/synapse_ynh/tree/add-_synapse-perm to have the permissions /_synapse/admin. I would like to know how to give them these permissions? Or how to update them to this branch without data loss?

The following permission is not good:

yunohost tools shell -c "from yunohost.permission import permission_create; permission_create('synapse.admin_api', url='/_synapse', auth_header=False, allowed=['visitors'], label='Server administration API.', show_tile=False, protected=False)"

Because it creates a path https://synapse.domain.tld/_matrix/_synapse while what we are looking for is https://synapse.domain.tld/_synapse

I did that but it still can't fetch any content. What should I do ?

curl https://matrix.server.fr/_synapse/admin/v1/server_version

Adapted to my situation, this command gives me a 302 Found html page.

tituspijean commented 1 year ago

!testme

yunohost-bot commented 1 year ago

Alrighty! Test Badge

tituspijean commented 1 year ago

!testme

yunohost-bot commented 1 year ago

Meow :cat2: Test Badge

tituspijean commented 1 year ago

@Josue-T I fixed the upgrade issues in the CI. It's ready to be merged.

I noticed some parts (make a user admin, etc.) of "Additional information" section of the README are missing now that we use the doc/ files. Is that voluntary? (e.g. these from an old commit: https://github.com/YunoHost-Apps/synapse_ynh/blob/7a5a9cc4bf652e11c21389981a3419d82eb3f57b/README.md#set-user-as-admin)

Josue-T commented 1 year ago

@Josue-T I fixed the upgrade issues in the CI. It's ready to be merged.

I noticed some parts (make a user admin, etc.) of "Additional information" section of the README are missing now that we use the doc/ files. Is that voluntary? (e.g. these from an old commit: https://github.com/YunoHost-Apps/synapse_ynh/blob/7a5a9cc4bf652e11c21389981a3419d82eb3f57b/README.md#set-user-as-admin)

No, it's an error during the migration. It should be restored, except the "Migration from old package" section, as it's really old and probably not useful for anybody anymore.

tituspijean commented 1 year ago

OK I will add them again here and merge to testing.