fix minor bugs with mas integration

.env.sample

@@ -73,9 +73,9 @@ ENABLE_REGISTRATION=false
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mas.yml"
 #MAS_ENABLED=1 # !!! Leave commented if you plan to migrate an existing homeserver
 #PASSWORD_LOGIN_ENABLED=false
-#SECRET_MAS_ENCRYPTION_VERSION=v1 # length=64 # charset=hex
-#SECRET_MAS_SYNAPSE_SHARED_VERSION=v1 # length=64 # charset=hex
-# PEM private key: abra cannot generate this format — insert only (e.g. openssl genrsa 2048 | abra app secret insert …)
+#SECRET_MAS_ENCRYPTION_VERSION=v1 # length=64 charset=hex
+#SECRET_MAS_SYNAPSE_SHARED_VERSION=v1 # length=64 charset=hex
+# PEM private key: abra cannot generate this format — use `abra app cmd -l YOURAPPDOMAIN generate_mas_signing_rsa`
 #SECRET_MAS_SIGNING_RSA_VERSION=v1 # generate=false
 
 #### MAS upstream OIDC provider (e.g. Authentik)
@@ -87,7 +87,7 @@ ENABLE_REGISTRATION=false
 #MAS_UPSTREAM_HUMAN_NAME=Authentik
 # For migration from previous direct Keycloud-style config: set to oidc-<your old KEYCLOAK_ID> so syn2mas maps users correctly.
 #MAS_UPSTREAM_SYNAPSE_IDP_ID=
-#SECRET_MAS_UPSTREAM_CLIENT_SECRET_VERSION=v1
+#SECRET_MAS_UPSTREAM_CLIENT_VERSION=v1
 
 ### Shared secret auth (bridges / automation)
 

README.md

@@ -56,7 +56,7 @@ You'll need to deploy something like [this](https://git.autonomic.zone/ruangrupa
 
 - In `.env`, uncomment `compose.mas.yml` (and `compose.mas-upstream.yml` plus upstream envs if you use an external IdP), and uncomment the `SECRET_MAS_*` version lines.
 - `abra app secret generate YOURAPPDOMAIN`
-- **Manually insert** the PEM RSA key for `SECRET_MAS_SIGNING_RSA_VERSION` (`generate=false` in `.env.sample`) — abra cannot generate that format; see the comment there (e.g. `openssl genrsa 2048` piped to `abra app secret insert`).
+- `abra app cmd -l YOURAPPDOMAIN generate_mas_signing_rsa` — generates and inserts the PEM RSA key for `SECRET_MAS_SIGNING_RSA_VERSION`. Requires `openssl` on the local machine.
 - `abra app cmd YOURAPPDOMAIN db ensure_mas_database` (once, creates the `mas` database in Postgres)
 - `abra app deploy YOURAPPDOMAIN`
 

abra.sh

@@ -8,7 +8,7 @@ export TELEGRAM_BRIDGE_YAML_VERSION=v6
 export NGINX_CONFIG_VERSION=v13
 export WK_SERVER_VERSION=v1
 export WK_CLIENT_VERSION=v2
-export MAS_CONFIG_VERSION=v1
+export MAS_CONFIG_VERSION=v2
 export PG_BACKUP_VERSION=v2
 export ADMIN_CONFIG_VERSION=v1
 
@@ -19,9 +19,33 @@ ensure_mas_database () {
     fi
 }
 
+# Generate a PEM RSA private key and insert it as the MAS signing secret.
+# `abra app secret generate` can only produce random hex/charset strings, so this
+# secret is marked `generate=false` in .env.sample and handled here instead.
+generate_mas_signing_rsa() {
+    if ! command -v openssl &> /dev/null; then
+        echo "openssl is required on your local machine to generate the MAS signing key."
+        echo "It could not be found in your PATH, please install openssl to proceed."
+        exit 1
+    fi
+
+    KEY=$(openssl genrsa 2048 2>/dev/null)
+    if [ -z "$KEY" ]; then
+        echo "Failed to generate RSA private key with openssl."
+        exit 1
+    fi
+
+    if printf '%s\n' "$KEY" | abra app secret insert -C "$APP_NAME" mas_signing_rsa v1; then
+        echo "MAS signing RSA key generated and inserted as v1."
+    else
+        echo "Failed to insert MAS signing RSA key."
+        exit 1
+    fi
+}
+
 # Local helper: fetch homeserver.yaml from app, push to mas, then syn2mas check + dry-run.
 prepare_mas_migration () {
-    local hs_local syn_cfg
+    local syn_cfg
 
     syn_cfg=/tmp/homeserver.yaml
 

compose.mas-upstream.yml

@@ -13,9 +13,9 @@ services:
       - MAS_UPSTREAM_HUMAN_NAME
       - MAS_UPSTREAM_SYNAPSE_IDP_ID
     secrets:
-      - mas_upstream_client_secret
+      - mas_upstream_client
 
 secrets:
-  mas_upstream_client_secret:
+  mas_upstream_client:
     external: true
-    name: ${STACK_NAME}_mas_upstream_client_secret_${SECRET_MAS_UPSTREAM_CLIENT_SECRET_VERSION}
+    name: ${STACK_NAME}_mas_upstream_client_${SECRET_MAS_UPSTREAM_CLIENT_VERSION}

mas.config.yaml.tmpl

@@ -57,7 +57,7 @@ upstream_oauth2:
       human_name: {{ or (env "MAS_UPSTREAM_HUMAN_NAME") "SSO" }}
       issuer: {{ env "MAS_UPSTREAM_ISSUER" }}
       client_id: {{ env "MAS_UPSTREAM_CLIENT_ID" }}
-      client_secret_file: /run/secrets/mas_upstream_client_secret
+      client_secret_file: /run/secrets/mas_upstream_client
       token_endpoint_auth_method: client_secret_basic
       scope: "openid profile email"
       claims_imports: