Merge pull request #336 from YunoHost-Apps/testing

v1.68, add administration API protection, various fixes

README.md

@@ -20,8 +20,7 @@ Instant messaging server matrix network.
 Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
 
 
-**Shipped version:** 1.67.0~ynh1
-
+**Shipped version:** 1.69.0~ynh1
 ## Disclaimers / important information
 
 ## Configuration
@@ -131,6 +130,70 @@ This app doesn't provide any real good web interface. So it's recommended to use
 
 ## Additional information
 
+## Administration
+
+**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
+
+Before any manipulation it's recommended to do a backup by this following command :
+
+`sudo yunohost backup create --apps synapse`
+
+### Set user as admin
+
+Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database.
+
+The following command will grant admin privilege to the specified user:
+```
+su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
+```
+
+### Administration API
+
+Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
+By default, no one has access to this path.
+
+If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
+you need to give this permission to visitors.
+
+Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
+
+### Upgrade
+
+By default a backup is made before the upgrade. To avoid this you have theses following possibilites:
+- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
+- Set the settings `disable_backup_before_upgrade` to `1`. You can set this with this command:
+
+`yunohost app setting synapse disable_backup_before_upgrade -v 1`
+
+After this settings will be applied for **all** next upgrade.
+
+From command line:
+
+`yunohost app upgrade synapse`
+
+### Backup
+
+This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this:
+
+- Stop synapse service with theses following command:
+
+`systemctl stop synapse.service`
+
+- Launch the backup of synapse with this following command:
+
+`yunohost backup create --app synapse`
+
+- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
+- Restart the synapse service with these command:
+
+`systemctl start synapse.service`
+
+### Remove
+
+Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
+
+Use the `--purge` flag with the command, or remove it manually to purge app user data.
+
 ### Multi instance support
 
 To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command:

README_fr.md

@@ -20,8 +20,7 @@ Instant messaging server matrix network.
 Yunohost chatroom with matrix : [https://matrix.to/#/#yunohost:matrix.org](https://matrix.to/#/#yunohost:matrix.org)
 
 
-**Version incluse :** 1.67.0~ynh1
-
+**Version incluse :** 1.69.0~ynh1
 ## Avertissements / informations importantes
 
 ## Configuration
@@ -131,6 +130,70 @@ This app doesn't provide any real good web interface. So it's recommended to use
 
 ## Additional information
 
+## Administration
+
+**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
+
+Before any manipulation it's recommended to do a backup by this following command :
+
+`sudo yunohost backup create --apps synapse`
+
+### Set user as admin
+
+Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database.
+
+The following command will grant admin privilege to the specified user:
+```
+su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
+```
+
+### Administration API
+
+Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
+By default, no one has access to this path.
+
+If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
+you need to give this permission to visitors.
+
+Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
+
+### Upgrade
+
+By default a backup is made before the upgrade. To avoid this you have theses following possibilites:
+- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
+- Set the settings `disable_backup_before_upgrade` to `1`. You can set this with this command:
+
+`yunohost app setting synapse disable_backup_before_upgrade -v 1`
+
+After this settings will be applied for **all** next upgrade.
+
+From command line:
+
+`yunohost app upgrade synapse`
+
+### Backup
+
+This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this:
+
+- Stop synapse service with theses following command:
+
+`systemctl stop synapse.service`
+
+- Launch the backup of synapse with this following command:
+
+`yunohost backup create --app synapse`
+
+- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
+- Restart the synapse service with these command:
+
+`systemctl start synapse.service`
+
+### Remove
+
+Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
+
+Use the `--purge` flag with the command, or remove it manually to purge app user data.
+
 ### Multi instance support
 
 To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command:

conf/armv7_bullseye.src

@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.67.0/matrix-synapse_1.67.0-bullseye-bin1_armv7l.tar.gz
-SOURCE_SUM=3b156833ac280aac5b958257deef0b537ebe52d2b0530aa4934bd06af9f5b7e0
+SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.69.0/matrix-synapse_1.69.0-bullseye-bin1_armv7l.tar.gz
+SOURCE_SUM=d390ac7900e545e5fb58f243c98a1c2cfe6d8dba4fd58775c8e73e931d20afe2
 # (Optional) Program to check the integrity (sha256sum, md5sum...)
 # default: sha256
 SOURCE_SUM_PRG=sha256sum

conf/armv7_buster.src

@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.67.0/matrix-synapse_1.67.0-buster-bin1_armv7l.tar.gz
-SOURCE_SUM=bcc0d6eedd3688f0f92aff5acbac9adfba588fd2352ba03fc7b02fdf5ea579c5
+SOURCE_URL=https://github.com/YunoHost-Apps/synapse_python_build/releases/download/v1.69.0/matrix-synapse_1.69.0-buster-bin1_armv7l.tar.gz
+SOURCE_SUM=e99f100a3446b9ceff29a5c3ea55657342a2ee22cf2eb5821e75716ede9bea8b
 # (Optional) Program to check the integrity (sha256sum, md5sum...)
 # default: sha256
 SOURCE_SUM_PRG=sha256sum

conf/homeserver.yaml

@@ -2246,7 +2246,7 @@ password_providers:
           uid: "uid"
           mail: "mail"
           name: "givenName"
-       bind_dn: __SYNAPSE_USER_APP__
+       bind_dn: "uid=__SYNAPSE_USER_APP__,ou=users,dc=yunohost,dc=org"
        bind_password: __SYNAPSE_USER_APP_PWD__
        filter: "(&(objectClass=posixAccount)(permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org))"
 

conf/turnserver.conf

@@ -18,7 +18,6 @@ no-sslv3
 no-tlsv1
 no-tlsv1_1
 
-no-loopback-peers
 no-multicast-peers
 
 no-cli

doc/DISCLAIMER.md

@@ -105,6 +105,70 @@ This app doesn't provide any real good web interface. So it's recommended to use
 
 ## Additional information
 
+## Administration
+
+**All documentation of this section is not warranted. A bad use of command could break the app and all the data. So use these commands at your own risk.**
+
+Before any manipulation it's recommended to do a backup by this following command :
+
+`sudo yunohost backup create --apps synapse`
+
+### Set user as admin
+
+Actually there are no functions in the client interface to set a user as admin. So it's possible to enable it manually in the database.
+
+The following command will grant admin privilege to the specified user:
+```
+su --command="psql matrix_synapse" postgres <<< "UPDATE users SET admin = 1 WHERE name = '@user_to_be_admin:domain.tld'"
+```
+
+### Administration API
+
+Synapse's administration API endpoints are under `/_synapse` path and protected with the `admin_api` permission.
+By default, no one has access to this path.
+
+If you wish to access it, for example to use [Synapse Admin](https://github.com/YunoHost-Apps/synapse-admin_ynh),
+you need to give this permission to visitors.
+
+Then, to log in the API with your credentials, you need to set your user as admin (cf. precedent section).
+
+### Upgrade
+
+By default a backup is made before the upgrade. To avoid this you have theses following possibilites:
+- Call the command with the `-b` flag: `yunohost app upgrade synapse -b`
+- Set the settings `disable_backup_before_upgrade` to `1`. You can set this with this command:
+
+`yunohost app setting synapse disable_backup_before_upgrade -v 1`
+
+After this settings will be applied for **all** next upgrade.
+
+From command line:
+
+`yunohost app upgrade synapse`
+
+### Backup
+
+This app use now the core-only feature of the backup. To keep the integrity of the data and to have a better guarantee of the restoration is recommended to proceed like this:
+
+- Stop synapse service with theses following command:
+
+`systemctl stop synapse.service`
+
+- Launch the backup of synapse with this following command:
+
+`yunohost backup create --app synapse`
+
+- Do a backup of your data with your specific strategy (could be with rsync, borg backup or just cp). The data is generally stored in `/home/yunohost.app/matrix-synapse`.
+- Restart the synapse service with these command:
+
+`systemctl start synapse.service`
+
+### Remove
+
+Due of the backup core only feature the data directory in `/home/yunohost.app/matrix-synapse` **is not removed**.
+
+Use the `--purge` flag with the command, or remove it manually to purge app user data.
+
 ### Multi instance support
 
 To give a possibility to have multiple domains you can use multiple instances of synapse. In this case all instances will run on different ports so it's really important to put a SRV record in your domain. You can get the port that you need to put in your SRV record with this following command:

manifest.json

@@ -6,7 +6,7 @@
 		"en": "Instant messaging server which uses Matrix",
 		"fr": "Un serveur de messagerie instantané basé sur Matrix"
 	},
-	"version": "1.67.0~ynh1",
+	"version": "1.69.0~ynh1",
 	"url": "http://matrix.org",
 	"license": "Apache-2.0",
 	"maintainer": {
@@ -19,7 +19,7 @@
         "code": "https://github.com/matrix-org/synapse"
     },
 	"requirements": {
-		"yunohost": ">= 4.1"
+		"yunohost": ">= 4.1.2"
 	},
 	"multi_instance": true,
 	"services": [

scripts/change_url

@@ -117,12 +117,12 @@ ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/home
 ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
 
 #=================================================
-# SETUP PERMISSIONS
+# SECURE FILES AND DIRECTORIES
 #=================================================
 
-ynh_script_progression --message="Configuring permissions..." --weight=1
-ynh_permission_url --permission=server_api --clear_urls
-ynh_permission_url --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \
+# Only setting permissions for the two config files updated above
+chown $synapse_user:root -R /etc/matrix-$app
+chmod u=rwX,g=rX,o= -R /etc/matrix-$app
 
 #=================================================
 # RELOAD SERVICES

scripts/install

@@ -336,6 +336,9 @@ ynh_permission_update --permission=main --show_tile=false --protected=true
 ynh_permission_create --permission=server_api --url=$domain/_matrix \
                       --label="Server access for client apps." --show_tile=false --allowed=visitors \
                       --auth_header=false --protected=true
+ynh_permission_create --permission=admin_api --url=$domain/_synapse \
+                      --label="Server administration API." --show_tile=false \
+                      --auth_header=false --allowed=visitors
 if yunohost --output-as plain domain list | grep -q "^$server_name$"; then
     ynh_permission_create --permission=server_client_infos --url=$server_name/.well-known/matrix \
                           --label="Server info for clients. (well-known)" --show_tile=false --allowed=visitors \

scripts/upgrade

@@ -439,6 +439,12 @@ elif yunohost --output-as plain domain list | grep -q "^$server_name"'$'; then
                           --protected=true
 fi
 
+if ! ynh_permission_exists --permission=admin_api; then
+    ynh_permission_create --permission=admin_api --url=$domain/_synapse \
+                          --label="Server administration API." --show_tile=false \
+                          --auth_header=false --allowed=visitors
+fi
+
 #=================================================
 # SECURE FILES AND DIRECTORIES
 #=================================================