Fix integration with Synapse

[tituspijean]

Closes #9

/_synapse/admin endpoint needs to be added in the NGINX config of Synapse's domain.

PR Status

• Code finished and ready to be reviewed/tested
• The fix/enhancement were manually tested (if applicable)

Automatic tests

Automatic tests can be triggered on https://ci-apps-dev.yunohost.org/ after creating the PR, by commenting "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!". (N.B. : for this to work you need to be a member of the Yunohost-Apps organization)

[nathanael-h]

I tested this branch. If I install on the same domain as synapase, the nginx.conf is overwritten by the synapse.nginx.conf because they both end is the same dir, with the same name.
Full logs : https://paste.yunohost.org/raw/iwovavemux

[tituspijean]

If I install on the same domain as synapase

What. It is supposed to be on its own domain. How could your YunoHost let you do that?!

[nathanael-h]

Mmmh I was surprised too. I tried on the same domain because of CORS issues. Will try on dedicated domain 👍

[tituspijean]

You may try again, with the commit above, but I am still flabbergasted you could install it on the same domain as Synapse.

[tituspijean]

!testme

[nathanael-h]

Cool! I'll test this new commit on same domain.
On a dedicated domain I still have the CORS error.

By the way I tested with curl, and I have the SSO. and not the json response.. :

nath@aaaaaaa:~$ curl -I -L --header "Authorization: Bearer syt_xxxxxxxxxxxxxxxxxxxxxxx" https:/matrix.isidorus.fr/_synapse/admin/v1/server_version
HTTP/2 302 
server: nginx
date: Tue, 01 Mar 2022 13:10:36 GMT
content-type: text/html
content-length: 154
location: https://domain.fr/yunohost/sso/?r=aHR0cHM6Ly9tYXRyaxxxxxxxxxxxxYWRtaW4vdjEvc2VydmVyX3ZlcnNpb24=
x-sso-wat: You've just been SSOed
content-security-policy: upgrade-insecure-requests
content-security-policy-report-only: default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-download-options: noopen
x-permitted-cross-domain-policies: none
x-frame-options: SAMEORIGIN
permissions-policy: interest-cohort=()
strict-transport-security: max-age=63072000; includeSubDomains; preload
``

[nathanael-h]

Different tests :

• on same domain as synapse, immediatly after login I am logged out. In dev tools I see that the request on the api got a 401 unauthorized erro
• on a different domain, I still issues with the request to the admin API. Same as the previous screenshot. Maybe we should ynh_permission_create on the admin API to make it public (meh, I am not verry keen on having it open though...)

[nathanael-h]

What about something like this in installation...?
ynh_permission_create --permission="permission" --url=${synapse_domain}/_synapse/" --auth_header=false --allowed=vistors --label="Synpase admin API"

[tituspijean]

What about something like this in installation...? ynh_permission_create --permission="permission" --url=${synapse_domain}/_synapse/" --auth_header=false --allowed=vistors --label="Synpase admin API"

That won't work, the permissions are set relatively to the main path of the app. We may run a Python command to set that one for the Synapse app though.

[nathanael-h]

That could be good. I think we need to have the _synapse/ location accessible to synapse admin's frontend (ie when running in our browser) and this without SSO.

[collector-ynh]

I see exactly the same problem as @nathanael-h , have you found any solutions to solve this problem?

[Nalla22]

I am also experiencing the same problem, thank you for help me solve it.

[nathanael-h]

As said here, YunoHost-Apps/synapse_ynh#301 (comment) , I upgraded my synapse to the branch that could help to fix our problem. But I still have issues... Facing SSO.

[nathanael-h]

I was not using a valid endpoint for my tests. The app now works using this branch https://github.com/YunoHost-Apps/synapse_ynh/tree/add-_synapse-perm.

If someone wants to test it:
sudo yunohost app upgrade synapse -u https://github.com/YunoHost-Apps/synapse_ynh/tree/add-_synapse-perm --debug

[tituspijean]

!testme

[yunohost-bot]

Meow 🐈

[tituspijean]

@ericgaspar you asked about the state of this PR in #17. I think it's ready to go, though I have a doubt about the relevance of endpoint.nginx.conf if the synapse.admin permission is included in Synapse.

[collector-ynh]

I have installed the synapse server from the following repository: https://github.com/YunoHost-Apps/synapse_ynh/tree/add-_synapse-perm , while attributing the necessary permissions for the "visitors" group.

The purpose of this is to make the /_synapse extension accessible for the Synapse-Admin application that I have installed from the following repository : https://github.com/YunoHost-Apps/synapse-admin_ynh/tree/fix But I am facing a new problem that is preventing me from accessing my session Synapse-Admin, because at the time of authentication with the user "test" (which has all the permissions, see image above), synapse-admin opens and closes immediately, while returning the following error message :

This is what the following command returns to me : curl https://matrix.server.fr/_synapse/admin/v1/server_version

I do not know how to solve this problem, because I have tested several browsers and several different networks, so the problem does not originate neither the browser nor the network. If you have a solution to solve this problem, please feel free to let me know.

[collector-ynh]

I found other people who have the same problem, with the same erroneous error message :
Awesome-Technologies/synapse-admin#63
Awesome-Technologies/synapse-admin#135

They were able to identify the problem, and apparently this is because of the fact that the user does not have admin rights on the synapse server, except that I have given all possible rights and imaginable to my user on YunoHost as you can see in picture.

What kind of privilleges do I still have to give him?

[collector-ynh]

I managed to solve the problem, by manually adding admin rights to the test user on the matrix_synapse database with the next request :

UPDATE users SET admin = 1 WHERE name = '@test:synapse.domain.tld';

It's still strange to have to grant the permission in the BDD while yunohost is supposed to provide all admin rights as seen in the image above. The question is: Do these YunoHost permissions really serve a purpose?

Anyway, it's a real miracle that synapse-admin finally works, because I've been struggling to get it to work for almost four months.

[ericgaspar]

what do we do? Do we merge?

[lapineige]

If I install on the same domain as synapase

What. It is supposed to be on its own domain. How could your YunoHost let you do that?!

I can confirm it does…

[ericgaspar]

!testme

[yunohost-bot]

🌻

[lapineige]

This should fix #15 too.

[lapineige]

In CI:

touch: cannot touch '/etc/nginx/conf.d/.d/synapse-admin.endpoint.conf': No such file or directory

Domain name issue ?

[ericgaspar]

!testme

[yunohost-bot]

🚀

[lapineige]

Is that a CI bug ?

[BobWs]

UPDATE users SET admin = 1 WHERE name = '@test:synapse.domain.tld';

Where can I find the synapse database?
Sorry for the noob question, but I'm new to Yunohost....

[oceanlover-yuno]

If I install on the same domain as synapase

What. It is supposed to be on its own domain. How could your YunoHost let you do that?!

It is still allowing this to happen!!!

[tituspijean]

!testme

[yunohost-bot]

🚀