From 96dd86d33b943c381d5ffebca256b2bdec9a1780 Mon Sep 17 00:00:00 2001 From: Paul N <92150859+stift-n2@users.noreply.github.com> Date: Mon, 6 Feb 2023 15:19:58 +0100 Subject: [PATCH] Set default values where sensible and remove unnecessary conditionals in .env.j2. Check for empty string instead of Null to verify if an openid_server_name is pinned. --- ...onfiguring-playbook-user-verification-service.md | 4 ++-- group_vars/matrix_servers | 4 ---- .../defaults/main.yml | 13 +++++++------ .../templates/.env.j2 | 11 +++-------- 4 files changed, 12 insertions(+), 20 deletions(-) diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md index 1990e891..451f54f4 100644 --- a/docs/configuring-playbook-user-verification-service.md +++ b/docs/configuring-playbook-user-verification-service.md @@ -81,10 +81,10 @@ In case Jitsi is also managed by this playbook and 'matrix' authentication in Ji In theory (however currently untested), UVS can handle federation. Simply set: ```yaml -matrix_user_verification_service_uvs_openid_verify_server_name: ~ +matrix_user_verification_service_uvs_openid_verify_server_name: "" ``` -using host_vars to override the group_vars. +in your host_vars. This will instruct UVS to verify the OpenID token against any domain given in a request. Homeserver discovery is done via '.well-known/matrix/server' of the given domain. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 060ffbca..988af72e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3212,10 +3212,6 @@ matrix_user_verification_service_uvs_disable_ip_blacklist: "{{'true' if matrix_s matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'uvs.auth.token', rounds=655555) | to_uuid }}" -# Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook. -# This is not the homeserverURL, but rather the domain in the matrix "user ID" -matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}" - ###################################################################### # # /matrix-user-verification-service diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml index 2b2cbcb2..cdef8f39 100644 --- a/roles/custom/matrix-user-verification-service/defaults/main.yml +++ b/roles/custom/matrix-user-verification-service/defaults/main.yml @@ -48,14 +48,15 @@ matrix_user_verification_service_uvs_disable_ip_blacklist: false # need have the header "Authorization: Bearer changeme". # matrix_user_verification_service_uvs_auth_token: changeme -# Matrix server name to verify OpenID tokens against. See below section. -# Defaults to empty value which means verification is made against -# whatever Matrix server name passed in with the token -# matrix_user_verification_service_uvs_openid_verify_server_name: matrix.org +# Matrix server name to verify OpenID tokens against. +# Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook. +# This is not the homeserverURL, but rather the domain in the matrix "user ID" +# UVS can also be instructed to verify against the Matrix server name passed in the token, to enable set to "" +matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}" -# Log level, defaults to 'info' +# Log level # See choices here: https://github.com/winstonjs/winston#logging-levels -matrix_user_verification_service_uvs_log_level: warning +matrix_user_verification_service_uvs_log_level: info ###################################################################### diff --git a/roles/custom/matrix-user-verification-service/templates/.env.j2 b/roles/custom/matrix-user-verification-service/templates/.env.j2 index b2f2aaab..8119c1e9 100644 --- a/roles/custom/matrix-user-verification-service/templates/.env.j2 +++ b/roles/custom/matrix-user-verification-service/templates/.env.j2 @@ -1,14 +1,9 @@ UVS_ACCESS_TOKEN={{ matrix_user_verification_service_uvs_access_token }} UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }} UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }} - -{% if matrix_user_verification_service_uvs_auth_token is defined and matrix_user_verification_service_uvs_auth_token|length %} - UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }} -{% endif %} -{% if matrix_user_verification_service_uvs_openid_verify_server_name is defined and matrix_user_verification_service_uvs_openid_verify_server_name|length %} +UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }} +UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }} +{% if matrix_user_verification_service_uvs_openid_verify_server_name | length > 0 %} UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }} {% endif %} -{% if matrix_user_verification_service_uvs_log_level is defined and matrix_user_verification_service_uvs_log_level|length %} - UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }} -{% endif %}