Add /_synapse path permission for administration API #301

Merged on Sep 20, 2022 (8 commits)


tituspijean
Member

Problem

Closes #291
Will fix Synapse Admin package with YunoHost-Apps/synapse-admin_ynh#13

Solution

Add a new permission, with no access by default, to protect /_synapse path.

PR Status

  • Code finished and ready to be reviewed/tested
  • The fix/enhancement were manually tested (if applicable)

Automatic tests

Automatic tests can be triggered on https://ci-apps-dev.yunohost.org/ after creating the PR, by commenting "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!". (N.B. : for this to work you need to be a member of the Yunohost-Apps organization)

@collector-ynh

Even after installing synapse from this branch and synapse-admin from YunoHost-Apps/synapse-admin_ynh#13, https://example.tld/_synapse still remains unreachable, and the synapse-admin application still returns the error: NetworkError when attempting to fetch resource

@Josue-T

Josue-T commented Apr 1, 2022

!testme


@Josue-T Josue-T left a comment


Looks OK to me, but I think you forgot to edit the change-url script

@collector-ynh

Unable to install this branch; the error related to the package "jinja2" has still not been fixed. Here are the logs: https://paste.yunohost.org/raw/yanemipanu

@tituspijean tituspijean requested a review from Josue-T April 9, 2022 21:11
@Josue-T

Josue-T commented Apr 22, 2022

!testme


@Josue-T Josue-T left a comment


Ok for me, still need to check the CI

@nathanael-h

I upgraded to this branch, no problem on upgrade.
But I am SSOed on the /_synapse path:

curl -I https://matrix.server.fr/_synapse
HTTP/2 302 
server: nginx
date: Fri, 22 Apr 2022 21:56:09 GMT
content-type: text/html
content-length: 154
location: https://server.fr/yunohost/sso/?r=aHR0cHM6Ly9tYXRyaxxxxxxydXMuZnIvX3N5bmFwc2U=
x-sso-wat: You've just been SSOed
content-security-policy: upgrade-insecure-requests
content-security-policy-report-only: default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-download-options: noopen
x-permitted-cross-domain-policies: none
x-frame-options: SAMEORIGIN
permissions-policy: interest-cohort=()
strict-transport-security: max-age=63072000; includeSubDomains; preload

Shouldn't this location open?
Here are upgrade logs: https://paste.yunohost.org/raw/kokecelola

Also this:

root@server:~# yunohost user permission info synapse.admin_api
additional_urls: 
allowed: 
auth_header: False
corresponding_users: 
label: Matrix (serveur de chat) (Server administration API.)
protected: False
show_tile: False
sublabel: Server administration API.
url: matrix.server.fr/_synapse

@nathanael-h

I added this permission, Matrix (serveur de chat) (Server administration API.), to the group visitors. But the same call with curl is SSOed.

@nathanael-h

nathanael-h commented Apr 22, 2022

[EDIT] : synapse-admin works !!! 👏 🍾 🎆
Sorry I was not using a valid endpoint I think.
This works:

curl https://matrix.server.fr/_synapse/admin/v1/server_version   
{"server_version":"1.56.0","python_version":"3.7.3"}%


Headers:
HTTP/2 200 
server: nginx
date: Fri, 22 Apr 2022 22:23:41 GMT
content-type: application/json
x-sso-wat: You've just been SSOed
cache-control: no-cache, no-store, must-revalidate
access-control-allow-origin: *
access-control-allow-methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
access-control-allow-headers: X-Requested-With, Content-Type, Authorization, Date
content-security-policy: upgrade-insecure-requests
content-security-policy-report-only: default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-download-options: noopen
x-permitted-cross-domain-policies: none
x-frame-options: SAMEORIGIN
permissions-policy: interest-cohort=()
strict-transport-security: max-age=63072000; includeSubDomains; preload     

@collector-ynh

collector-ynh commented May 1, 2022

I have several Synapse instances installed in the stable version, which have not yet received the update from this branch https://github.com/YunoHost-Apps/synapse_ynh/tree/add-_synapse-perm to get the /_synapse/admin permissions. I would like to know how to give them these permissions, or how to update them to this branch without data loss.

The following permission is not good:

yunohost tools shell -c "from yunohost.permission import permission_create; permission_create('synapse.admin_api', url='/_synapse', auth_header=False, allowed=['visitors'], label='Server administration API.', show_tile=False, protected=False)"

Because it creates the path https://synapse.domain.tld/_matrix/_synapse, while what we are looking for is https://synapse.domain.tld/_synapse
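
The mismatch reported in the comment above, as an added example that is not part of the thread and not YunoHost's own code: a simplified model in which a permission `url` with a leading slash is joined to the app's install path while a domain-prefixed one is used as is. The function names and the segment-prefix matching rule are assumptions made for illustration.

```python
# Added illustration, not YunoHost code: a simplified model of how a
# permission `url` is resolved against the app's base (domain + install path)
# and which request URLs the resulting permission then gates.

def resolve_permission_url(url, app_base):
    """Return the absolute URL (without scheme) that the permission protects."""
    base = app_base.rstrip("/")
    if url.startswith("/"):
        # Leading slash: relative to the app's install path, as in the thread
        # where '/_synapse' ended up under '/_matrix'.
        return base + url.rstrip("/")
    # Otherwise treated as already absolute: "domain.tld/path".
    return url.rstrip("/")


def covers(permission_url, request_url):
    """Assumed rule: prefix match on whole path segments (simplification)."""
    prefix = permission_url.rstrip("/")
    return request_url == prefix or request_url.startswith(prefix + "/")


# Constructed values mirroring the placeholders used in the thread.
APP_BASE = "synapse.domain.tld/_matrix"
ADMIN_REQUEST = "synapse.domain.tld/_synapse/admin/v1/server_version"


def demo():
    relative = resolve_permission_url("/_synapse", APP_BASE)
    absolute = resolve_permission_url("synapse.domain.tld/_synapse", APP_BASE)
    return {
        "relative": (relative, covers(relative, ADMIN_REQUEST)),
        "absolute": (absolute, covers(absolute, ADMIN_REQUEST)),
    }


if __name__ == "__main__":
    for kind, (resolved, gated) in demo().items():
        print(f"{kind:8} -> {resolved:40} covers admin API: {gated}")
```

In this model the relative form never matches the admin API path, so granting or revoking it has no effect on who reaches /_synapse.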

@collector-ynh

I have a server that I installed with the latest test repositories and that works very well with redirection domain.tld/_synapse


But I have a second one, which I installed with the old repositories, whose Admin API redirection is domain.tld/_matrix/_synapse, which doesn't work.


How to change the redirection of the second Synapse server, so that it is similar to the first?

@lapineige
Member

Hello,

What is the procedure to beta-test this? How can we do it once we upgrade to this version?

@lapineige
Member

lapineige commented Jun 22, 2022

> I have several Synapse instances installed in the stable version, which have not yet received the update from this branch https://github.com/YunoHost-Apps/synapse_ynh/tree/add-_synapse-perm to get the /_synapse/admin permissions. I would like to know how to give them these permissions, or how to update them to this branch without data loss.
>
> The following permission is not good:
>
> yunohost tools shell -c "from yunohost.permission import permission_create; permission_create('synapse.admin_api', url='/_synapse', auth_header=False, allowed=['visitors'], label='Server administration API.', show_tile=False, protected=False)"
>
> Because it creates the path https://synapse.domain.tld/_matrix/_synapse, while what we are looking for is https://synapse.domain.tld/_synapse

I did that but it still can't fetch any content. What should I do?

curl https://matrix.server.fr/_synapse/admin/v1/server_version

Adapted to my situation, this command gives me a 302 Found html page.

@tituspijean
Member Author

!testme


@tituspijean
Member Author

!testme

@yunohost-bot

Meow 🐈

@tituspijean
Member Author

tituspijean commented Sep 18, 2022

@Josue-T I fixed the upgrade issues in the CI. It's ready to be merged.

I noticed some parts (make a user admin, etc.) of "Additional information" section of the README are missing now that we use the doc/ files. Is that voluntary? (e.g. these from an old commit: https://github.com/YunoHost-Apps/synapse_ynh/blob/7a5a9cc4bf652e11c21389981a3419d82eb3f57b/README.md#set-user-as-admin)

@Josue-T

Josue-T commented Sep 20, 2022

> @Josue-T I fixed the upgrade issues in the CI. It's ready to be merged.
>
> I noticed some parts (make a user admin, etc.) of "Additional information" section of the README are missing now that we use the doc/ files. Is that voluntary? (e.g. these from an old commit: https://github.com/YunoHost-Apps/synapse_ynh/blob/7a5a9cc4bf652e11c21389981a3419d82eb3f57b/README.md#set-user-as-admin)

No, it's an error from the migration. It should be restored, except the "Migration from old package" section, as it's really old and probably no longer useful for anybody.

@tituspijean
Member Author

OK I will add them again here and merge to testing.
