diff --git a/.env.sample b/.env.sample
index e6bea9f..9c0c782 100644
--- a/.env.sample
+++ b/.env.sample
@@ -73,9 +73,9 @@ ENABLE_REGISTRATION=false
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mas.yml"
 #MAS_ENABLED=1 # !!! Leave commented if you plan to migrate an existing homeserver
 #PASSWORD_LOGIN_ENABLED=false
-#SECRET_MAS_ENCRYPTION_VERSION=v1 # length=64 # charset=hex
-#SECRET_MAS_SYNAPSE_SHARED_VERSION=v1 # length=64 # charset=hex
-# PEM private key: abra cannot generate this format — insert only (e.g. openssl genrsa 2048 | abra app secret insert …)
+#SECRET_MAS_ENCRYPTION_VERSION=v1 # length=64 charset=hex
+#SECRET_MAS_SYNAPSE_SHARED_VERSION=v1 # length=64 charset=hex
+# PEM private key: abra cannot generate this format — use `abra app cmd -l YOURAPPDOMAIN generate_mas_signing_rsa`
 #SECRET_MAS_SIGNING_RSA_VERSION=v1 # generate=false
 #### MAS upstream OIDC provider (e.g. Authentik)
@@ -87,7 +87,7 @@ ENABLE_REGISTRATION=false
 #MAS_UPSTREAM_HUMAN_NAME=Authentik
 # For migration from previous direct Keycloud-style config: set to oidc- so syn2mas maps users correctly.
 #MAS_UPSTREAM_SYNAPSE_IDP_ID=
-#SECRET_MAS_UPSTREAM_CLIENT_SECRET_VERSION=v1
+#SECRET_MAS_UPSTREAM_CLIENT_VERSION=v1
 ### Shared secret auth (bridges / automation)
diff --git a/README.md b/README.md
index 4ac257d..ed026b4 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ You'll need to deploy something like [this](https://git.autonomic.zone/ruangrupa
 - In `.env`, uncomment `compose.mas.yml` (and `compose.mas-upstream.yml` plus upstream envs if you use an external IdP), and uncomment the `SECRET_MAS_*` version lines.
 - `abra app secret generate YOURAPPDOMAIN`
-- **Manually insert** the PEM RSA key for `SECRET_MAS_SIGNING_RSA_VERSION` (`generate=false` in `.env.sample`) — abra cannot generate that format; see the comment there (e.g. `openssl genrsa 2048` piped to `abra app secret insert`).
+- `abra app cmd -l YOURAPPDOMAIN generate_mas_signing_rsa` — generates and inserts the PEM RSA key for `SECRET_MAS_SIGNING_RSA_VERSION`. Requires `openssl` on the local machine.
 - `abra app cmd YOURAPPDOMAIN db ensure_mas_database` (once, creates the `mas` database in Postgres)
 - `abra app deploy YOURAPPDOMAIN`
diff --git a/abra.sh b/abra.sh
index fa799ff..3d9e95a 100644
--- a/abra.sh
+++ b/abra.sh
@@ -8,7 +8,7 @@ export TELEGRAM_BRIDGE_YAML_VERSION=v6
 export NGINX_CONFIG_VERSION=v13
 export WK_SERVER_VERSION=v1
 export WK_CLIENT_VERSION=v2
-export MAS_CONFIG_VERSION=v1
+export MAS_CONFIG_VERSION=v2
 export PG_BACKUP_VERSION=v2
 export ADMIN_CONFIG_VERSION=v1
@@ -19,9 +19,33 @@ ensure_mas_database () {
 fi
 }
+# Generate a PEM RSA private key and insert it as the MAS signing secret.
+# `abra app secret generate` can only produce random hex/charset strings, so this
+# secret is marked `generate=false` in .env.sample and handled here instead.
+generate_mas_signing_rsa() {
+ if ! command -v openssl &> /dev/null; then
+ echo "openssl is required on your local machine to generate the MAS signing key."
+ echo "It could not be found in your PATH, please install openssl to proceed."
+ exit 1
+ fi
+ KEY=$(openssl genrsa 2048 2>/dev/null)
+ if [ -z "$KEY" ]; then
+ echo "Failed to generate RSA private key with openssl."
+ exit 1
+ fi
+ if printf '%s\n' "$KEY" | abra app secret insert -C "$APP_NAME" mas_signing_rsa v1; then
+ echo "MAS signing RSA key generated and inserted as v1."
+ else
+ echo "Failed to insert MAS signing RSA key."
+ exit 1
+ fi
+}
+
 # Local helper: fetch homeserver.yaml from app, push to mas, then syn2mas check + dry-run.
 prepare_mas_migration () {
- local hs_local syn_cfg
+ local syn_cfg
 syn_cfg=/tmp/homeserver.yaml
diff --git a/compose.mas-upstream.yml b/compose.mas-upstream.yml
index 317761c..fbb86db 100644
--- a/compose.mas-upstream.yml
+++ b/compose.mas-upstream.yml
@@ -13,9 +13,9 @@ services:
 - MAS_UPSTREAM_HUMAN_NAME
 - MAS_UPSTREAM_SYNAPSE_IDP_ID
 secrets:
- - mas_upstream_client_secret
+ - mas_upstream_client
 secrets:
- mas_upstream_client_secret:
+ mas_upstream_client:
 external: true
- name: ${STACK_NAME}_mas_upstream_client_secret_${SECRET_MAS_UPSTREAM_CLIENT_SECRET_VERSION}
+ name: ${STACK_NAME}_mas_upstream_client_${SECRET_MAS_UPSTREAM_CLIENT_VERSION}
diff --git a/mas.config.yaml.tmpl b/mas.config.yaml.tmpl
index 7a344b1..7766856 100644
--- a/mas.config.yaml.tmpl
+++ b/mas.config.yaml.tmpl
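Review bot: `generate_mas_signing_rsa` hard-codes the secret version as `v1` in the `abra app secret insert` call and in the success message, while `.env.sample` in this same commit declares the version in `SECRET_MAS_SIGNING_RSA_VERSION`, so a later bump of that variable would leave this helper still inserting `v1`. Read it from the env instead, e.g. `local version=${SECRET_MAS_SIGNING_RSA_VERSION:?SECRET_MAS_SIGNING_RSA_VERSION must be set in .env}` and pass `"$version"` to the insert — assuming the app env is exported when `abra app cmd` runs this helper, as the use of `$APP_NAME` suggests. The private key is also held in the non-`local` uppercase variable `KEY`, so it remains in the shell's state after the function returns; declare it `local`, `unset` it after the insert, and drop the `2>/dev/null` on `openssl genrsa` so a failed generation reports its reason rather than only the generic message. The error messages are printed to stdout; sending them with `>&2` keeps them out of anything that captures the command's output. `ensure_mas_database` closes inside the hunk and `prepare_mas_migration` continues past it.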
@@ -57,7 +57,7 @@ upstream_oauth2:
 human_name: {{ or (env "MAS_UPSTREAM_HUMAN_NAME") "SSO" }}
 issuer: {{ env "MAS_UPSTREAM_ISSUER" }}
 client_id: {{ env "MAS_UPSTREAM_CLIENT_ID" }}
- client_secret_file: /run/secrets/mas_upstream_client_secret
+ client_secret_file: /run/secrets/mas_upstream_client
 token_endpoint_auth_method: client_secret_basic
 scope: "openid profile email"
 claims_imports: