Merge pull request #158 from YunoHost-Apps/block_public_rooms

Block public rooms options and fix security issues
2024-09-03 20:26:38 +02:00 · 2019-12-14 00:52:49 +01:00 · 2019-12-14 00:52:49 +01:00 · 1e441b5aa1
commit 1e441b5aa1
parent 9e604bf888 bd2b63f86d
7 changed files with 1365 additions and 396 deletions
--- a/conf/homeserver.yaml
+++ b/conf/homeserver.yaml
--- a/conf/matrix-synapse.service
+++ b/conf/matrix-synapse.service
@ -11,6 +11,7 @@ ExecStartPre=/opt/yunohost/matrix-__APP__/bin/python -m synapse.app.homeserver -
 ExecStart=/opt/yunohost/matrix-__APP__/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-__APP__/homeserver.yaml --config-path=/etc/matrix-__APP__/conf.d/
 Restart=always
 RestartSec=3
+RuntimeDirectory=%i

 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
--- a/config_panel.json
+++ b/config_panel.json
@ -19,6 +19,12 @@
                "type": "bool",
                "help": "Is it a public server",
                "default": false
+            },{
+                "name": "Server public",
+                "id": "allow_public_rooms",
+                "type": "bool",
+                "help": "If set to 'false', requires authentication to access the server's public rooms directory through the client API and forbids any other homeserver to fetch the server's public rooms directory via federation.",
+                "default": false
            }]
        }]
    },{
--- a/manifest.json
+++ b/manifest.json
@ -14,7 +14,7 @@
 		"email": "josue@tille.ch"
 	},
 	"requirements": {
-		"yunohost": ">= 3.5"
+		"yunohost": ">= 3.6"
 	},
 	"multi_instance": true,
 	"services": [
--- a/scripts/config
+++ b/scripts/config
@ -12,7 +12,6 @@ source /usr/share/yunohost/helpers
 ynh_abort_if_errors

 # Import common fonctions
-source ./psql.sh
 source ./experimental_helper.sh
 source ./_common.sh

@ -21,6 +20,10 @@ source ./_common.sh
 #=================================================

 app=$YNH_APP_INSTANCE_NAME
+report_stats=$(ynh_app_setting_get --app $app --key report_stats)
+allow_public_rooms=$(ynh_app_setting_get --app=$app --key=allow_public_rooms)
+backup_before_upgrade=$(ynh_app_setting_get --app $app --key disable_backup_before_upgrade)
+is_public=$(ynh_app_setting_get --app $app --key is_public)

 #=================================================
 # SHOW_CONFIG FUNCTION FOR 'SHOW' COMMAND
@ -28,22 +31,22 @@ app=$YNH_APP_INSTANCE_NAME

 show_config() {
    # here you are supposed to read some config file/database/other then print the values
-    # echo "YNH_CONFIG_${PANEL_ID}_${SECTION_ID}_${OPTION_ID}=value"
-    echo "YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_SERVER_STATISTICS=$(ynh_app_setting_get --app $app --key report_stats)"
+    # ynh_return "YNH_CONFIG_${PANEL_ID}_${SECTION_ID}_${OPTION_ID}=value"
+    ynh_return "YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_SERVER_STATISTICS=$report_stats"
+    ynh_return "YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_ALLOW_PUBLIC_ROOMS=$allow_public_rooms"

-    backup_before_upgrade=$(ynh_app_setting_get --app $app --key disable_backup_before_upgrade)
    if [[ ${backup_before_upgrade:-0} -eq 1 ]]
    then
-        echo "YNH_CONFIG_PACKAGE_CONFIG_PACKAGE_CONFIG_BACKUP_BEFORE_UPGRADE=False"
+        ynh_return "YNH_CONFIG_PACKAGE_CONFIG_PACKAGE_CONFIG_BACKUP_BEFORE_UPGRADE=false"
    else
-        echo "YNH_CONFIG_PACKAGE_CONFIG_PACKAGE_CONFIG_BACKUP_BEFORE_UPGRADE=True"
+        ynh_return "YNH_CONFIG_PACKAGE_CONFIG_PACKAGE_CONFIG_BACKUP_BEFORE_UPGRADE=true"
    fi
-    is_public=$(ynh_app_setting_get --app $app --key is_public)
+
    if [[ ${is_public} -eq 1 ]]
    then
-        echo "YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_IS_PUBLIC=False"
+        ynh_return "YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_IS_PUBLIC=true"
    else
-        echo "YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_IS_PUBLIC=True"
+        ynh_return "YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_IS_PUBLIC=false"
    fi
 }

@ -52,20 +55,31 @@ show_config() {
 #=================================================

 apply_config() {
-    ynh_app_setting_set --app $app --key report_stats --value $YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_SERVER_STATISTICS
+    report_stats=${YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_SERVER_STATISTICS:-$report_stats}
+    allow_public_rooms=${YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_ALLOW_PUBLIC_ROOMS:-$allow_public_rooms}

-    if ${YNH_CONFIG_PACKAGE_CONFIG_PACKAGE_CONFIG_BACKUP_BEFORE_UPGRADE,,}
-    then
-        ynh_app_setting_set --app $app --key disable_backup_before_upgrade --value 0
-    else
-        ynh_app_setting_set --app $app --key disable_backup_before_upgrade --value 1
+    ynh_app_setting_set --app $app --key report_stats --value $report_stats
+    ynh_app_setting_set --app $app --key allow_public_rooms --value $allow_public_rooms
+
+    if [ -n "${YNH_CONFIG_PACKAGE_CONFIG_PACKAGE_CONFIG_BACKUP_BEFORE_UPGRADE:-}" ]; then
+        if ${YNH_CONFIG_PACKAGE_CONFIG_PACKAGE_CONFIG_BACKUP_BEFORE_UPGRADE,,}; then
+            ynh_app_setting_set --app $app --key disable_backup_before_upgrade --value 0
+            backup_before_upgrade=0
+        else
+            ynh_app_setting_set --app $app --key disable_backup_before_upgrade --value 1
+            backup_before_upgrade=1
+        fi
    fi

-    if ${YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_IS_PUBLIC,,}
-    then
-        ynh_app_setting_set --app $app --key is_public --value 1
-    else
-        ynh_app_setting_set --app $app --key is_public --value 0
+    if [ -n "${YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_IS_PUBLIC:-}" ]; then
+        if ${YNH_CONFIG_SYNAPSE_CONFIG_SERVER_CONFIG_IS_PUBLIC,,}
+        then
+            ynh_app_setting_set --app $app --key is_public --value 1
+            is_public=1
+        else
+            ynh_app_setting_set --app $app --key is_public --value 0
+            is_public=0
+        fi
    fi

    domain=$(ynh_app_setting_get --app $app --key special_domain)
@ -78,7 +92,8 @@ apply_config() {
    turnserver_pwd=$(ynh_app_setting_get --app $app --key turnserver_pwd)
    registration_shared_secret=$(ynh_app_setting_get --app $app --key registration_shared_secret)
    form_secret=$(ynh_app_setting_get --app $app --key form_secret)
-    report_stats=$(ynh_app_setting_get --app $app --key report_stats)
+    macaroon_secret_key=$(ynh_app_setting_get --app=$app --key=macaroon_secret_key)
+
    synapse_user="matrix-$app"
    synapse_db_name="matrix_$app"
    synapse_db_user="matrix_$app"
@ -99,14 +114,24 @@ apply_config() {
    ynh_replace_string --match_string __DOMAIN__ --replace_string $domain --target_file "$homeserver_config_path"
    ynh_replace_string --match_string __SERVER_NAME__ --replace_string $server_name --target_file "$homeserver_config_path"   
    ynh_replace_string --match_string __SYNAPSE_DB_USER__ --replace_string $synapse_db_user --target_file "$homeserver_config_path"
-    ynh_replace_string --match_string __SYNAPSE_DB_PWD__ --replace_string $synapse_db_pwd --target_file "$homeserver_config_path"
+    ynh_replace_special_string --match_string __SYNAPSE_DB_PWD__ --replace_string $synapse_db_pwd --target_file "$homeserver_config_path"
    ynh_replace_string --match_string __PORT__ --replace_string $port --target_file "$homeserver_config_path"
    ynh_replace_string --match_string __TLS_PORT__ --replace_string $synapse_tls_port --target_file "$homeserver_config_path"
    ynh_replace_string --match_string __TURNSERVER_TLS_PORT__ --replace_string $turnserver_tls_port --target_file "$homeserver_config_path"
-    ynh_replace_string --match_string __TURNPWD__ --replace_string $turnserver_pwd --target_file "$homeserver_config_path"
-    ynh_replace_string --match_string __REGISTRATION_SECRET__ --replace_string "$registration_shared_secret" --target_file "$homeserver_config_path"
-    ynh_replace_string --match_string __FORM_SECRET__ --replace_string "$form_secret" --target_file "$homeserver_config_path"
+    ynh_replace_special_string --match_string __TURNPWD__ --replace_string $turnserver_pwd --target_file "$homeserver_config_path"
+    ynh_replace_special_string --match_string __REGISTRATION_SECRET__ --replace_string "$registration_shared_secret" --target_file "$homeserver_config_path"
+    ynh_replace_special_string --match_string __FORM_SECRET__ --replace_string "$form_secret" --target_file "$homeserver_config_path"
    ynh_replace_string --match_string __REPORT_STATS__ --replace_string "$report_stats" --target_file "$homeserver_config_path"
+    ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms" --target_file="$homeserver_config_path"
+    if [ -n $macaroon_secret_key ]; then
+        # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
+        # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
+        # So for the old install we just leave this as it is. And for the new install we use a real macaroon.
+        # For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
+        ynh_replace_string --match_string='macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --replace_string='# macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --target_file="$homeserver_config_path"
+    else
+        ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path"
+    fi

    if [ "$is_public" = "0" ]
    then
--- a/scripts/install
+++ b/scripts/install
@ -38,7 +38,8 @@ synapse_user="matrix-$app"
 synapse_db_name="matrix_$app"
 synapse_db_user="matrix_$app"
 upstream_version=$(ynh_app_upstream_version)
-report_stats="False"
+report_stats="false"
+allow_public_rooms="false"
 default_domain_value="Same than the domain"

 #=================================================
@ -82,6 +83,7 @@ ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 ynh_app_setting_set --app=$app --key=synapse_version --value=$upstream_version
 ynh_app_setting_set --app=$app --key=is_public --value=$is_public
 ynh_app_setting_set --app=$app --key=report_stats --value=$report_stats
+ynh_app_setting_set --app=$app --key=allow_public_rooms --value=$allow_public_rooms

 #=================================================
 # STANDARD MODIFICATIONS
@ -218,12 +220,14 @@ deactivate

 # Get random values from config
 ynh_print_OFF
-registration_shared_secret=$(egrep "^registration_shared_secret" homeserver.yml | cut -d'"' -f2)
-form_secret=$(egrep "^form_secret" homeserver.yml | cut -d'"' -f2)
+registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
+form_secret=$(egrep "^form_secret:" homeserver.yml | cut -d'"' -f2)
+macaroon_secret_key=$(egrep "^macaroon_secret_key:" homeserver.yml | cut -d'"' -f2)

 # store in yunohost settings
 ynh_app_setting_set --app=$app --key=registration_shared_secret --value="$registration_shared_secret"
 ynh_app_setting_set --app=$app --key=form_secret --value="$form_secret"
+ynh_app_setting_set --app=$app --key=macaroon_secret_key --value="$macaroon_secret_key"
 ynh_print_ON

 #=================================================
@ -274,11 +278,13 @@ ynh_replace_string --match_string=__PORT__ --replace_string=$port --target_file=
 ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$synapse_tls_port --target_file="$homeserver_config_path"
 ynh_replace_string --match_string=__TURNSERVER_TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$homeserver_config_path"
 ynh_replace_string --match_string=__REPORT_STATS__ --replace_string="$report_stats" --target_file="$homeserver_config_path"
+ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms" --target_file="$homeserver_config_path"
 ynh_print_OFF
-ynh_replace_string --match_string=__SYNAPSE_DB_PWD__ --replace_string=$synapse_db_pwd --target_file="$homeserver_config_path"
+ynh_replace_special_string --match_string=__SYNAPSE_DB_PWD__ --replace_string=$synapse_db_pwd --target_file="$homeserver_config_path"
 ynh_replace_special_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$homeserver_config_path"
 ynh_replace_special_string --match_string=__REGISTRATION_SECRET__ --replace_string="$registration_shared_secret" --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__FORM_SECRET__ --replace_string="$form_secret" --target_file="$homeserver_config_path"
+ynh_replace_special_string --match_string=__FORM_SECRET__ --replace_string="$form_secret" --target_file="$homeserver_config_path"
+ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path"
 ynh_print_ON

 ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="/etc/matrix-$app/log.yaml"
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -29,11 +29,13 @@ turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
 turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
 cli_port=$(ynh_app_setting_get --app=$app --key=cli_port)
 report_stats=$(ynh_app_setting_get --app=$app --key=report_stats)
+allow_public_rooms=$(ynh_app_setting_get --app=$app --key=allow_public_rooms)
 ynh_print_OFF
 synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
 turnserver_pwd=$(ynh_app_setting_get --app=$app --key=turnserver_pwd)
 registration_shared_secret=$(ynh_app_setting_get --app=$app --key=registration_shared_secret)
 form_secret=$(ynh_app_setting_get --app=$app --key=form_secret)
+macaroon_secret_key=$(ynh_app_setting_get --app=$app --key=macaroon_secret_key)
 ynh_print_ON

 #=================================================
@ -142,7 +144,7 @@ fi
 #=================================================

 ynh_print_OFF
-if [ -z "$registration_shared_secret" ]
+if [ -z "$registration_shared_secret" ] || [ "$form_secret" == "form_secret: " ]
 then
    ynh_print_ON
    ynh_script_progression --message="Generating synapse secret..." --weight=1
@ -159,8 +161,8 @@ then

    # Get random values from config
    ynh_print_OFF
-    registration_shared_secret=$(egrep "^registration_shared_secret" homeserver.yml | cut -d'"' -f2)
-    form_secret=$(egrep "^form_secret" homeserver.yml | cut -d'"' -f1)
+    registration_shared_secret=$(egrep "^registration_shared_secret:" homeserver.yml | cut -d'"' -f2)
+    form_secret=$(egrep "^form_secret:" homeserver.yml | cut -d'"' -f2)

    # store in yunohost settings
    ynh_app_setting_set --app=$app --key=registration_shared_secret --value="$registration_shared_secret"
@ -169,6 +171,18 @@ then
 fi
 ynh_print_ON

+#=================================================
+# MIGRATION 5 : DEFINE UNDEFINED SETTINGS
+#=================================================
+
+if [ -n $report_stats ]; then
+    report_stats="false"
+fi
+
+if [ -n $allow_public_rooms ]; then
+    allow_public_rooms="false"
+fi
+
 #=================================================
 # UPDATE SYNAPSE CONFIG
 #=================================================
@ -193,11 +207,21 @@ ynh_replace_string --match_string=__PORT__ --replace_string=$port --target_file=
 ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$synapse_tls_port --target_file="$homeserver_config_path"
 ynh_replace_string --match_string=__TURNSERVER_TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$homeserver_config_path"
 ynh_replace_string --match_string=__REPORT_STATS__ --replace_string="$report_stats" --target_file="$homeserver_config_path"
+ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms" --target_file="$homeserver_config_path"
 ynh_print_OFF
-ynh_replace_string --match_string=__SYNAPSE_DB_PWD__ --replace_string=$synapse_db_pwd --target_file="$homeserver_config_path"
+ynh_replace_special_string --match_string=__SYNAPSE_DB_PWD__ --replace_string=$synapse_db_pwd --target_file="$homeserver_config_path"
 ynh_replace_special_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$homeserver_config_path"
 ynh_replace_special_string --match_string=__REGISTRATION_SECRET__ --replace_string="$registration_shared_secret" --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__FORM_SECRET__ --replace_string="$form_secret" --target_file="$homeserver_config_path"
+ynh_replace_special_string --match_string=__FORM_SECRET__ --replace_string="$form_secret" --target_file="$homeserver_config_path"
+if [ -n $macaroon_secret_key ]; then
+    # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
+    # For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
+    # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
+    # So for the old install we just leave this as it is. And for the new install we use a real macaroon.
+    ynh_replace_special_string --match_string='macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --replace_string='# macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --target_file="$homeserver_config_path"
+else
+    ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path"
+fi
 ynh_print_ON

 ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="/etc/matrix-$app/log.yaml"