Integrate MAS with Synapse

start.sh

@@ -6,6 +6,34 @@ mkdir -p /app/data/data /app/data/configs /run/synapse
 
 source /app/code/env/bin/activate
 
+MAS_PORT=${MAS_PORT:-4000}
+MAS_DOMAIN=${MAS_DOMAIN:-auth.${CLOUDRON_APP_DOMAIN}}
+MAS_SECRET_FILE=/app/data/configs/mas-client-secret
+MAS_CONFIG_TEMPLATE=/app/pkg/mas/mas-config.template.yaml
+MAS_CONFIG_OUTPUT=/app/data/configs/mas.yaml
+MAS_CLI_BIN=/app/pkg/mas/mas-cli
+MAS_OIDC_CLIENT_ID=${MAS_OIDC_CLIENT_ID:-synapse}
+MAS_OIDC_ISSUER=${MAS_OIDC_ISSUER:-https://${MAS_DOMAIN}}
+MAS_OIDC_AUTH_ENDPOINT=${MAS_OIDC_AUTH_ENDPOINT:-${MAS_OIDC_ISSUER}/oauth2/authorize}
+MAS_OIDC_TOKEN_ENDPOINT=${MAS_OIDC_TOKEN_ENDPOINT:-${MAS_OIDC_ISSUER}/oauth2/token}
+MAS_OIDC_USERINFO_ENDPOINT=${MAS_OIDC_USERINFO_ENDPOINT:-${MAS_OIDC_ISSUER}/oauth2/userinfo}
+MAS_OIDC_SCOPES=${MAS_OIDC_SCOPES:-"openid profile email"}
+export MAS_PORT MAS_DOMAIN MAS_CONFIG_TEMPLATE MAS_CONFIG_OUTPUT MAS_CLI_BIN
+export MAS_OIDC_CLIENT_ID MAS_OIDC_CLIENT_SECRET MAS_OIDC_ISSUER MAS_OIDC_AUTH_ENDPOINT MAS_OIDC_TOKEN_ENDPOINT MAS_OIDC_USERINFO_ENDPOINT MAS_OIDC_SCOPES
+
+# ensure we have a persistent MAS client secret for the Synapse OIDC client
+if [[ -f "${MAS_SECRET_FILE}" ]]; then
+    MAS_OIDC_CLIENT_SECRET=$(cat "${MAS_SECRET_FILE}")
+else
+    MAS_OIDC_CLIENT_SECRET=$(pwgen -1s 64)
+    echo "${MAS_OIDC_CLIENT_SECRET}" > "${MAS_SECRET_FILE}"
+    chmod 600 "${MAS_SECRET_FILE}"
+fi
+export MAS_OIDC_CLIENT_SECRET
+
+# ensure postgres port is always defined for the MAS template
+export CLOUDRON_POSTGRESQL_PORT=${CLOUDRON_POSTGRESQL_PORT:-5432}
+
 if [[ ! -f /app/data/configs/homeserver.yaml ]]; then
     echo "==> Detected first run"
 
@@ -90,6 +118,33 @@ else
     yq eval -i ".password_config.localdb_enabled=true" /app/data/configs/homeserver.yaml
 fi
 
+if [[ -x "${MAS_CLI_BIN}" ]]; then
+    echo "==> Configuring Synapse to trust MAS"
+    # ensure oidc_providers[0] exists
+    yq eval -i '.oidc_providers[0] = (.oidc_providers[0] // {})' /app/data/configs/homeserver.yaml
+
+    yq eval -i ".enable_registration=false" /app/data/configs/homeserver.yaml
+    yq eval -i ".password_config.enabled=false" /app/data/configs/homeserver.yaml
+    yq eval -i ".password_config.localdb_enabled=false" /app/data/configs/homeserver.yaml
+
+    yq eval -i ".oidc_providers[0].idp_id=\"mas\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].idp_name=\"MAS\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].issuer=\"${MAS_OIDC_ISSUER}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].client_id=\"${MAS_OIDC_CLIENT_ID}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].client_secret=\"${MAS_OIDC_CLIENT_SECRET}\"" /app/data/configs/homeserver.yaml
+
+    yq eval -i ".oidc_providers[0].scopes=[\"openid\", \"profile\", \"email\"]" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].authorization_endpoint=\"${MAS_OIDC_AUTH_ENDPOINT}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].token_endpoint=\"${MAS_OIDC_TOKEN_ENDPOINT}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].userinfo_endpoint=\"${MAS_OIDC_USERINFO_ENDPOINT}\"" /app/data/configs/homeserver.yaml
+
+    yq eval -i ".oidc_providers[0].allow_existing_users=true" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].skip_verification=true" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].user_mapping_provider.config.localpart_template=\"{{ user.sub }}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].user_mapping_provider.config.display_name_template=\"{{ user.name }}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].user_mapping_provider.config.email_template=\"{{ user.email }}\"" /app/data/configs/homeserver.yaml
+fi
+
 # turn (https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.md#synapse-setup)
 if [[ -n "${CLOUDRON_TURN_SERVER:-}" ]]; then
     yq eval -i ".turn_uris=[]" /app/data/configs/homeserver.yaml
@@ -98,9 +153,46 @@ if [[ -n "${CLOUDRON_TURN_SERVER:-}" ]]; then
     yq eval -i ".turn_shared_secret=\"${CLOUDRON_TURN_SECRET}\"" /app/data/configs/homeserver.yaml
 fi
 
+if [[ -f "${MAS_CONFIG_TEMPLATE}" && ! -f "${MAS_CONFIG_OUTPUT}" ]]; then
+    python3 - <<'PY'
+import os
+from pathlib import Path
+from string import Template
+
+template = Path(os.environ["MAS_CONFIG_TEMPLATE"])
+dest = Path(os.environ["MAS_CONFIG_OUTPUT"])
+dest.write_text(Template(template.read_text()).substitute(os.environ))
+PY
+fi
+
 # fix permissions
 echo "==> Fixing permissions"
 chown -R cloudron:cloudron /app/data /run/synapse
 
 echo "==> Starting synapse"
-exec gosu cloudron:cloudron python3 -m synapse.app.homeserver --config-path /app/data/configs/homeserver.yaml -n
+mas_pid=
+synapse_pid=
+
+terminate_services() {
+    [[ -n "${synapse_pid}" ]] && kill -TERM "${synapse_pid}" 2>/dev/null || true
+    [[ -n "${mas_pid}" ]] && kill -TERM "${mas_pid}" 2>/dev/null || true
+}
+trap 'terminate_services' TERM INT
+trap '[[ -n "${mas_pid}" ]] && kill -TERM "${mas_pid}" 2>/dev/null || true' EXIT
+
+if [[ -x "${MAS_CLI_BIN}" ]]; then
+    echo "==> Launching MAS server"
+    gosu cloudron:cloudron "${MAS_CLI_BIN}" server --config "${MAS_CONFIG_OUTPUT}" &
+    mas_pid=$!
+else
+    echo "==> MAS CLI not present at ${MAS_CLI_BIN}; skipping MAS launch"
+fi
+
+gosu cloudron:cloudron python3 -m synapse.app.homeserver --config-path /app/data/configs/homeserver.yaml -n &
+synapse_pid=$!
+
+wait "${synapse_pid}"
+status=$?
+
+terminate_services
+exit "${status}"