From f64d3f87955e71f5c3dae587f0e3064ad9e844c8 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 11 Feb 2022 20:06:11 +0200
Subject: [PATCH] Add support for matrix_encryption_disabler
Related to https://github.com/matrix-org/synapse/issues/4401
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1621
---
 roles/matrix-synapse/defaults/main.yml | 17 ++++++++++
 .../tasks/ext/encryption-disabler/setup.yml | 7 ++++
 .../ext/encryption-disabler/setup_install.yml | 33 +++++++++++++++++++
 .../encryption-disabler/setup_uninstall.yml | 6 ++++
 roles/matrix-synapse/tasks/ext/setup.yml | 2 ++
 5 files changed, 65 insertions(+)
 create mode 100644 roles/matrix-synapse/tasks/ext/encryption-disabler/setup.yml
 create mode 100644 roles/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml
 create mode 100644 roles/matrix-synapse/tasks/ext/encryption-disabler/setup_uninstall.yml
diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml
index 834d9866a71..8111c40a6db 100644
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -542,6 +542,23 @@ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false
 matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: []
+# Enable this to activate the E2EE disabling Synapse module.
+# See: https://github.com/digitalentity/matrix_encryption_disabler
+matrix_synapse_ext_encryption_disabler_enabled: false
+matrix_synapse_ext_encryption_disabler_download_url: "https://raw.githubusercontent.com/digitalentity/matrix_encryption_disabler/ee80beedc5084a5fabf3c91d8df6d59457d3a790/matrix_e2ee_filter.py"
+# A list of server domain names for which to deny encryption if the event sender's domain matches the domain in the list.
+# By default, with the configuration below, we prevent all homeserver users from initiating encryption in ANY room.
+matrix_synapse_ext_encryption_disabler_deny_encryption_for_users_of: ["{{ matrix_domain }}"]
+# A list of server domain names for which to deny encryption if the destination room id's domain matches the domain in the list.
+# By default, with the configuration below, we prevent locally-created encryption events by ANY user encrypt rooms on the homeserver.
+# Note: foreign users with enough room privileges will still be able to send an encryption event to your rooms and encrypt them.
+matrix_synapse_ext_encryption_disabler_deny_encryption_for_rooms_of: ["{{ matrix_domain }}"]
+matrix_synapse_ext_encryption_config: "{{ matrix_synapse_ext_encryption_config_yaml|from_yaml }}"
+matrix_synapse_ext_encryption_config_yaml: |
+  deny_encryption_for_users_of: {{ matrix_synapse_ext_encryption_disabler_deny_encryption_for_users_of|to_json }}
+  deny_encryption_for_rooms_of: {{ matrix_synapse_ext_encryption_disabler_deny_encryption_for_rooms_of|to_json }}
+
+
 matrix_s3_media_store_enabled: false
 matrix_s3_media_store_custom_endpoint_enabled: false
 matrix_s3_goofys_docker_image: "ewoutp/goofys:latest"
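Review bot: The download URL added here pins a commit, but nothing pins the content: the get_url task in setup_install.yml (this commit's third hunk) fetches it with `force: true` and no `checksum`, so every playbook run re-downloads and overwrites a Python file that the same task file then bind-mounts into the container's python packages path and registers as a Synapse module, i.e. code that runs inside the homeserver process. An integrity check independent of the transport is cheap: add a companion default next to the URL, `matrix_synapse_ext_encryption_disabler_download_url_checksum: "sha256:<checksum of the pinned file — placeholder, compute before merging>"`, and pass it in the get_url task as `checksum: "{{ matrix_synapse_ext_encryption_disabler_download_url_checksum }}"`; get_url then also skips the re-download when the file on disk already matches. Separately, the comment on the `_deny_encryption_for_rooms_of` default reads `we prevent locally-created encryption events by ANY user encrypt rooms on the homeserver`; suggest `we prevent locally-created encryption events by ANY user from encrypting rooms on the homeserver`.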
diff --git a/roles/matrix-synapse/tasks/ext/encryption-disabler/setup.yml b/roles/matrix-synapse/tasks/ext/encryption-disabler/setup.yml
new file mode 100644
index 00000000000..8fda082da67
--- /dev/null
+++ b/roles/matrix-synapse/tasks/ext/encryption-disabler/setup.yml
@@ -0,0 +1,7 @@
+---
+
+- import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_install.yml"
+  when: matrix_synapse_ext_encryption_disabler_enabled|bool
+
+- import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_uninstall.yml"
+  when: "not matrix_synapse_ext_encryption_disabler_enabled|bool"
diff --git a/roles/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml b/roles/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml
new file mode 100644
index 00000000000..dfc15a2070b
--- /dev/null
+++ b/roles/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml
@@ -0,0 +1,33 @@
+---
+
+- name: Download matrix_encryption_disabler
+  get_url:
+    url: "{{ matrix_synapse_ext_encryption_disabler_download_url }}"
+    dest: "{{ matrix_synapse_ext_path }}/matrix_e2ee_filter.py"
+    force: true
+    mode: 0440
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- set_fact:
+    matrix_synapse_modules: |
+      {{
+        matrix_synapse_modules|default([])
+        +
+        [
+          {
+            "module": "matrix_e2ee_filter.EncryptedRoomFilter",
+            "config": matrix_synapse_ext_encryption_config
+          }
+        ]
+      }}
+
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
+      +
+      ["--mount type=bind,src={{ matrix_synapse_ext_path }}/matrix_e2ee_filter.py,dst={{ matrix_synapse_in_container_python_packages_path }}/matrix_e2ee_filter.py,ro"]
+
+    matrix_synapse_additional_loggers: >
+      {{ matrix_synapse_additional_loggers }}
+      +
+      {{ [{'name': 'matrix_e2ee_filter', 'level': 'INFO'}] }}
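Review bot: The two `when` conditions in setup.yml are written in different styles: the first is a bare `matrix_synapse_ext_encryption_disabler_enabled|bool`, the second a quoted string `"not matrix_synapse_ext_encryption_disabler_enabled|bool"`. Both are valid, and the unquoted form is safe here too because the value starts with a letter rather than a YAML indicator, so `when: not matrix_synapse_ext_encryption_disabler_enabled|bool` would make the pair consistent. The sibling rest-auth and shared-secret-auth setup files are not in view; whichever convention they use is the one to follow.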
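Review bot: `mode: 0440` on the get_url task is an unquoted leading-zero integer; PyYAML (YAML 1.1 semantics, which Ansible uses) parses it as octal and Ansible accepts that, but ansible-lint's risky-octal rule flags it, and a later edit that drops the leading zero (`mode: 440`) would be read as decimal and silently set different permissions. Quote it as `mode: "0440"`, matching the quoted values on the neighbouring `owner`/`group` lines. The three list appends in the set_fact task are also not alike: `matrix_synapse_modules` and `matrix_synapse_container_extra_arguments` are guarded with `|default([])` while `matrix_synapse_additional_loggers` is not — presumably it is always defined in the role defaults, but if so the other two guards are redundant; either way the three expressions should agree.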
diff --git a/roles/matrix-synapse/tasks/ext/encryption-disabler/setup_uninstall.yml b/roles/matrix-synapse/tasks/ext/encryption-disabler/setup_uninstall.yml
new file mode 100644
index 00000000000..a532464d8e7
--- /dev/null
+++ b/roles/matrix-synapse/tasks/ext/encryption-disabler/setup_uninstall.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Ensure matrix_encryption_disabler doesn't exist
+  file:
+    path: "{{ matrix_synapse_ext_path }}/matrix_e2ee_filter.py"
+    state: absent
diff --git a/roles/matrix-synapse/tasks/ext/setup.yml b/roles/matrix-synapse/tasks/ext/setup.yml
index 31637fa9752..25c8809d3cc 100644
--- a/roles/matrix-synapse/tasks/ext/setup.yml
+++ b/roles/matrix-synapse/tasks/ext/setup.yml
@@ -1,5 +1,7 @@
 ---
+- import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup.yml"
+
 - import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup.yml"
 - import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup.yml"