
matrix-corporal's People

Contributors

chloefont, dali99, gregblake, kb1rd, sakkiii, spantaleev


matrix-corporal's Issues

URL encode / decode for uid

Hi. We are trying to use the UserPrincipalName entry from MS AD as the UID field. In this case Synapse replaces the @ in the username with a slash (/) and performs the url_encode operation when accessing the API. Thus, the string /%40name%2Fdomain%3Adomain is formed in the URL.
However, matrix_corporal does not do this, and when we use name/domain format names, it substitutes them directly into the URL. As a result, for the "id": "@name/domain:domain" record in policy.json the API is accessed at /_synapse/admin/v1/users/@name/domain:domain/login, which results in the error code=400 wrapped=M_UNRECOGNIZED: Unrecognized request
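As an added example (not code from matrix-corporal or from the issue author), this Go snippet shows how the user ID should be placed into the admin path: percent-encoding every non-unreserved byte gives the same %40name%2Fdomain%3Adomain form the issue quotes, while plain concatenation splits the ID across two path segments. The admin route is the one quoted in the issue; the function names are my own.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isUnreserved reports whether c is an RFC 3986 "unreserved" byte
// (ALPHA / DIGIT / "-" / "." / "_" / "~"); only those stay raw below.
func isUnreserved(c byte) bool {
	return ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z') ||
		('0' <= c && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~'
}

// EscapePathSegment percent-encodes every byte that is not unreserved, so
// "@name/domain:domain" becomes "%40name%2Fdomain%3Adomain", the form the
// issue reports Synapse itself producing. url.PathEscape would leave "@" and
// ":" raw (still valid, but a different string), and url.QueryEscape would
// turn spaces into "+", which a path decoder does not reverse.
func EscapePathSegment(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if c := s[i]; isUnreserved(c) {
			b.WriteByte(c)
		} else {
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// DecodePathSegment reverses EscapePathSegment (used to check the round trip).
func DecodePathSegment(s string) (string, error) {
	return url.PathUnescape(s)
}

// AdminLoginPath builds the admin "login as user" path quoted in the issue,
// /_synapse/admin/v1/users/<user_id>/login, with the user ID as one segment.
func AdminLoginPath(userID string) string {
	return "/_synapse/admin/v1/users/" + EscapePathSegment(userID) + "/login"
}

// NaiveAdminLoginPath reproduces the concatenation the issue describes: the
// "/" in the localpart splits the ID into two segments and the route no longer matches.
func NaiveAdminLoginPath(userID string) string {
	return "/_synapse/admin/v1/users/" + userID + "/login"
}

func main() {
	id := "@name/domain:domain" // constructed, mirrors the issue
	fmt.Println(NaiveAdminLoginPath(id)) // /_synapse/admin/v1/users/@name/domain:domain/login
	fmt.Println(AdminLoginPath(id))      // /_synapse/admin/v1/users/%40name%2Fdomain%3Adomain/login
}
```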

Partial User Management (Group membership only)

I would like to use Corporal to manage the creation of certain communities and their members on my server.

However, I do not want to manage anything else regarding the user, like the users password (authType/authCredential), avatarUri, displayName, joinedRoomIds.

I imagine a configuration like this:

{
	"schemaVersion": 1,

	"flags": {
		"allowCustomUserDisplayNames": true,
		"allowCustomUserAvatars": true
	},

	"managedRoomIds": [
		"!roomA:example.com",
		"!roomB:example.com"
	],

	"managedCommunityIds": [
		"+a:example.com",
		"+b:example.com"
	],

	"users": [
		{
			"id": "@john:example.com",
			"joinedCommunityIds": ["+a:example.com"]
		},
		{
			"id": "@peter:example.com",
			"joinedCommunityIds": ["+b:example.com"]
		},
		{
			"id": "@george:example.com",
			"joinedCommunityIds": ["+a:example.com", "+b:example.com"],
		}
	]
}

Is this possible?

Add option to force disable all E2EE stuff on Matrix homeserver

Synapse implements E2EE features, but there is still no way to disable all E2EE functionality at the per-server level; here is an issue about this: matrix-org/synapse#4401. For example, some corporate instances need all messages to be available on the server, so they want to forcibly disable every ability to encrypt messages.

Until this is fixed in Synapse (and the spec), it would be good to implement some middleware in Matrix Corporal that blocks all client-server messages related to using E2EE, in order to solve this problem.

Is this possible, and how hard would it be to implement with the current Matrix Corporal features?

reconciliation failed with warning field ApiAdminEntityUser.users.is_guest

Current Matrix-Synapse home server version 1.97.0
Recently the reconciliation started to fail. I am not sure of the cause. It might be a bug of synapse home server 1.97.0 or maybe it is a different problem in my setup. Everything was working just a few weeks back in time...
WARN[0000] Reconciliation failed: Failure determining current state: json: cannot unmarshal bool into Go struct field ApiAdminEntityUser.users.is_guest of type int
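An added example, not matrix-corporal's own code: a lenient Go JSON type that accepts both the integer 0/1 and the boolean true/false shapes for a field such as is_guest, so a type change in the admin API response does not abort decoding the way the error above shows. LenientBool, AdminUser and ParseUsers are illustrative names, and the struct models only the field the error message names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// LenientBool accepts both JSON booleans and 0/1 integers, so a field whose
// type changes on the server side does not fail decoding with
// "cannot unmarshal bool into ... of type int" (or the reverse).
type LenientBool bool

// UnmarshalJSON implements json.Unmarshaler for LenientBool.
func (b *LenientBool) UnmarshalJSON(data []byte) error {
	switch string(data) {
	case "true", "1":
		*b = true
	case "false", "0":
		*b = false
	case "null":
		// no-op, mirroring how encoding/json treats null for other types
	default:
		return fmt.Errorf("is_guest: want bool or 0/1, got %s", data)
	}
	return nil
}

// AdminUser is a hypothetical subset of an admin API user record; only the
// field named in the issue's error message is modelled here.
type AdminUser struct {
	Name    string      `json:"name"`
	IsGuest LenientBool `json:"is_guest"`
}

// ParseUsers decodes a {"users": [...]} list response.
func ParseUsers(body []byte) ([]AdminUser, error) {
	var resp struct {
		Users []AdminUser `json:"users"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	return resp.Users, nil
}

func main() {
	// Constructed sample: one record in the 0/1 style, one in the boolean style.
	body := []byte(`{"users":[{"name":"@a:example.com","is_guest":0},{"name":"@b:example.com","is_guest":true}]}`)
	users, err := ParseUsers(body)
	fmt.Println(users, err)
}
```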

Unfriendly license

The license this project uses makes it unusable for corporate internal deployments. Would you be willing to relicense as GPLv3 or even better Apache v2?

HTTP Reverse Proxy: failed proxying [GET]

Hello,

I get the following error:

DEBU[0008] HTTP gateway (catch-all): proxying method=GET uri=/_matrix/client/versions
DEBU[0008] HTTP gateway (intercepted): proxying handler=login method=POST type=m.login.password uri=/_matrix/client/r0/login userId="@matrix-corporal:matrix.xxxxxx.de"
DEBU[0008] HTTP gateway (intercepted): proxying handler=login method=POST type=m.login.password uri=/_matrix/client/r0/login userId="@matrix-corporal:matrix.xxxxx.de"
DEBU[0008] HTTP gateway (catch-all): proxying method=GET uri=/_matrix/client/versions
ERRO[0008] HTTP Reverse Proxy: failed proxying [GET] https://matrix.xxxxx.de/_matrix/client/versions: context canceled
ERRO[0008] HTTP Reverse Proxy: failed proxying [GET] https://matrix.xxxxx.de/_matrix/client/versions: context canceled
DEBU[0008] HTTP gateway (catch-all): proxying method=GET uri=/_matrix/client/versions
ERRO[0008] HTTP Reverse Proxy: failed proxying [GET] https://matrix.xxxxx.de/_matrix/client/versions: context canceled
ERRO[0008] HTTP Reverse Proxy: failed proxying [GET] https://matrix.xxxxx.de/_matrix/client/versions: context canceled
ERRO[0008] HTTP Reverse Proxy: failed proxying [GET] https://matrix.xxxxx.de/_matrix/client/versions: context canceled
ERRO[0008] HTTP Reverse Proxy: failed proxying [GET] https://matrix.xxxxx.de/_matrix/client/versions: context canceled

I currently have no idea where to fix this. The error message comes when I enter the server path in element.

Thank you in advance for the help.

Edit: Can anyone help me here? Even for a small donation?

Reconciliation failed

Hello,

I can't get the Matrix Corporal to work. When I try to start it I get the following error message:

WARN[0000] Reconciliation failed: Failure determining current state: Post "http://localhost:8008/_matrix/client/r0/login": dial tcp 127.0.0.1:8008: connect: connection refused

Does anyone have an idea?

I'm using Matrix: 1.78.0

And does Matrix also have to run in Docker or does it not matter?

ConsultREST API not connecting to REST API

I installed matrix-corporal in a docker container and it is working alright.
Homeserver is installed on docker host and accessible via local ip and port.

I wanted to use the REST API Hook and installed a minimal REST API with Flask on the Docker host. The API is running and it reacts to curl GET requests (curl -Xget http://local-ip:5000/restapi) from the Docker host as well as from inside the matrix-corporal container.

However, the ConsultRestAPI hook that I set up in the policy file never connects to the API on local-ip:5000. Not a single request arrives at the Flask API.
What am I doing wrong, or why does Go's http module not connect?

Development environment issues

I tried spinning up your dev environment using the instructions and ran into a couple of problems.

The first problem was that the postgres container crashed on start up because it couldn't access the necessary files as it didn't have root access. I fixed this by removing the line user: ${CURRENT_USER_UID}:${CURRENT_USER_GID} for postgres in docker-compose.yaml and managed to get everything up and running.

I then followed the instructions to create a user and start the matrix-corporal container, which is where I ran into another problem: When I went to log in to Element, it gave me an error saying the Homeserver URL wasn't pointing to a valid Homeserver, so logging in wasn't possible. Not really sure what to do about this. Is there something that I've missed?

User-interactive auth API doesn't work

When using Corporal to manage user passwords, using the interactive auth APIs does not work.
To quote @spantaleev:

A potential problem might be that some routes require "interactive authentication" on the Synapse side.. and you probably can't do that, because the password that you use (the one in Corporal's policy.json file) is different than the one that Synapse sees.. And Synapse thinks that your password is wrong.
During normal /login, Corporal intercepts the request, does password checking on its own, and then calls Synapse's /login with a password that Shared Secret Auth understands and allows to go through.
For these other routes requiring "interactive auth", I wonder what a good solution would be.. Maybe we should intercept such requests as well on the Corporal side, check the password, rewrite it in a way that Shared Secret Auth would understand, and then hope that Synapse uses password providers for this "interactive auth" part as well (and not just its own database; it probably does..).

Using matrix-corporal without password-login

Hi,
I've been going back and forth through synapse docs and issues and corporal.
I want to use matrix-corporal but disable password-login auth flow. I'm using only Keycloak as an auth-provider and have non-technical users, so I'd like them not to have the option of typing in a username-password, because they have to log in via SSO-button.

However, to deactivate the username-password-flow I have to deactivate password-login in synapse altogether. This makes it impossible for matrix-corporal to get the access-tokens and manage the users.

Is there any way to solve this?
I wondered if I could:

  • leave on the username-password-flow but automatically pass them on to keycloak in the background (is that possible?)
  • get the access token with matrix-corporal in some other way

Authorisation in LDAP

Is there a possibility to combine this product with mxisd and authorise users in LDAP instead of using password from config file?

obtaining the access token fails, normal JSON post works

For an API access token request I get my token from the homeserver.
But it's not working from the Corporal side. I get the following output from Corporal:

INFO[0000] Starting HTTP Gateway Server on 0.0.0.0:41080
INFO[0000] Starting HTTP API Server on 0.0.0.0:41081
INFO[0000] Started store-driven reconciler
INFO[0000] Starting policy provider: static_file
INFO[0000] Store-driven reconciler received a new policy from the store
INFO[0000] Reconciling..
INFO[0000] Request user.obtain_access_token hit a rate limit, will retry in 5 seconds
INFO[0005] Request user.obtain_access_token hit a rate limit, will retry in 10 seconds
INFO[0015] Request user.obtain_access_token hit a rate limit, will retry in 15 seconds
INFO[0030] Request user.obtain_access_token hit a rate limit, will retry in 20 seconds
DEBU[0030] HTTP gateway: serving Matrix Corporal info page  method=GET uri=/_matrix/client/corporal
INFO[0050] Request user.obtain_access_token hit a rate limit, will retry in 25 seconds
DEBU[0060] HTTP gateway: serving Matrix Corporal info page  method=GET uri=/_matrix/client/corporal
ERRO[0075] Request user.obtain_access_token failed after 5 retries: contents=[123 34 101 114 114 99 111 100 101 34 58 34 77 95 76 73 77 73 84 95 69 88 67 69 69 68 69 68 34 44 34 101 114 114 111 114 34 58 34 84 111 111 32 77 97 110 121 32 82 101 113 117 101 115 116 115 34 44 34 114 101 116 114 121 95 97 102 116 101 114 95 109 115 34 58 50 48 49 49 50 50 125] msg=Failed to POST JSON to /_matrix/client/r0/login code=429 wrapped=M_LIMIT_EXCEEDED: Too Many Requests
WARN[0075] Reconciliation failed: Failure determining current state: could not obtain access token for `@waldcorporal:myserver.de`, necessary for obtaining a token for `@tester.mueller:myserver.de`: contents=[123 34 101 114 114 99 111 100 101 34 58 34 77 95 76 73 77 73 84 95 69 88 67 69 69 68 69 68 34 44 34 101 114 114 111 114 34 58 34 84 111 111 32 77 97 110 121 32 82 101 113 117 101 115 116 115 34 44 34 114 101 116 114 121 95 97 102 116 101 114 95 109 115 34 58 50 48 49 49 50 50 125] msg=Failed to POST JSON to /_matrix/client/r0/login code=429 wrapped=M_LIMIT_EXCEEDED: Too Many Requests
INFO[0075] Will retry reconciliation after 3000 ms..
INFO[0078] Retrying reconciliation..
INFO[0078] Request user.obtain_access_token hit a rate limit, will retry in 5 seconds

Any idea what could cause this?
Thanks

Auto-join rooms

Currently, I have to log in to Corporal's account and join rooms if they're invite-only. It would be nice if Matrix Corporal would auto-join rooms when invited if the room is in managedRoomIds. This could be done by constantly syncing to find new invites, but that seems like it would waste CPU since every sent message would be sent to Matrix Corporal. I think that the fastest way to do this is to poll the server when managedRoomIds changes and with a fixed time (in case any are missed), but I really don't know how Matrix Corporal is structured.

Users don't leave managed rooms

If a user is removed from the policy file, they are not automatically kicked out of managed rooms. What scenario is intended for fired employees? If I am supposed to deactivate them, then the list of deactivated users will grow endlessly.

Pre-generate E2EE recovery keys / populate 3PIDs

Due to mandatory E2EE I have to find some solution to pregenerate keys for my users and store them somewhere in a safe place. Normally they forget passwords on a weekly basis, giving them additional "passphrase" to remember will practically block the entire enterprise :)

In the FAQ I've noticed that you are saying that even with shared_secret_auth it's impossible to submit 3PIDs (e.g. e-mail) for the users. Is that still the case? From what I see in the Client-Server API, it's now perfectly possible...

And if yes, what would you think about a possibility to pre-generate E2EE recovery keys?

User e-mail field for first login and password reset

Hi,
I would need to pre-populate the server with a set of users that will be authorized to use the system.
Each user has a user ID, a display name and an e-mail address.
Is it possible, using matrix-corporal, to configure a policy without specifying the password (or specifying a randomly generated one), so that at first login the user can set a new password and confirm it by following the validation link received by e-mail? If not, which approach would you suggest?

Many thanks!

(the stack would include ma1sd from your awesome Ansible playbook...)

Failed to POST JSON to /_matrix/client/r0/login code=403 wrapped=M_FORBIDDEN: Invalid password

Hi there, I can't get the reconciliation to work, as it keeps throwing an Invalid password error.
I have followed the instructions and/but built Corporal by hand on the latest release branch.

The error in Synapse and Corporal suggests that it uses a wrong password, but Corporal does not have a password field for the reconciliation user, and after trying multiple users with admin permissions and double- and triple-checking my setup, I am kinda out of ideas right now. :(

http gateway answers with 404 for requesting on _matrix/corporal/_matrix-internal/identity/v1/check_credentials

Hi, I am trying to run the matrix-corporal module, and now it's time to ask for help ;-)
I am running Matrix and Corporal on the same web server and server name, but I always get a 404.
Reconciliation failed: Failure determining current state:

contents=[.......] msg=Failed to POST JSON to /_matrix/client/r0/login: <html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

what else can I provide to explain my problem?
I run Homeserver v1.95.0 with the latest module of Corporal.

in homeserver.log I get following messages:

2023-10-27 19:53:34,965 - synapse.rest.client.login - 333 - INFO - POST-479 - Got login request with identifier: {'type': 'm.id.user', 'user': 'test.mueller'}, medium: None, address: None, user: None
2023-10-27 19:53:34,966 - shared_secret_authenticator - 102 - INFO - POST-479 - Authenticating user test.mueller with login type m.login.password
2023-10-27 19:53:34,966 - shared_secret_authenticator - 113 - INFO - POST-479 - Bad hmac value for user: @test.mueller:server.de
2023-10-27 19:53:34,966 - rest_auth_provider - 46 - INFO - POST-479 - Got password check for @test.mueller:server.de
2023-10-27 19:53:34,971 - synapse.handlers.auth - 2164 - WARNING - POST-479 - Failed to run module API callback <function load_single_legacy_password_auth_provider.<locals>.async_wrapper.<locals>.wrapped_check_password at 0x7f7ed44dfd90>: 404 Client Error: Not Found for url: http://corporal.server.de/_matrix/corporal/_matrix-internal/identity/v1/check_credentials

2023-10-27 19:53:35,243 - synapse.handlers.auth - 1427 - WARNING - POST-479 - Failed password login for user @test.mueller:server.de
