Integrate Matrix Authentication Service in test environment

README.md

@@ -18,13 +18,20 @@ docker run --rm -it docker.io/pierre42100/matrix_gateway --help
 
 ## Setup dev environment
 ```
-mkdir -p storage/postgres storage/synapse storage/minio
+mkdir -p storage/maspostgres storage/synapse storage/minio
 docker compose up
 ```
 
+To create default account, in another terminal, run the following command:
+
+```bash
+docker compose --profile create-accounts up -d
+```
+
 URLs:
 * Element: http://localhost:8080/
 * Synapse: http://localhost:8448/
+* Matrix Authentication Service: http://localhost:8778/
 * OpenID configuration: http://127.0.0.1:9001/dex/.well-known/openid-configuration
 * Minio console: http://localhost:9002/
 

docker-compose.yml

@@ -1,15 +1,48 @@
 services:
+  mas:
+    image: ghcr.io/element-hq/matrix-authentication-service:main
+    user: "1000"
+    restart: unless-stopped
+    depends_on:
+      - masdb
+    volumes:
+      - ./docker/mas:/config:ro
+    command: server -c /config/config.yaml
+    ports:
+      - "8778:8778/tcp"
+
+  mas_create_admin1:
+    image: ghcr.io/element-hq/matrix-authentication-service:main
+    user: "1000"
+    restart: no
+    profiles: ["create-accounts"]
+    depends_on:
+      - mas
+    volumes:
+      - ./docker/mas:/config:ro
+    command: |
+      manage register-user -c /config/config.yaml -y --ignore-password-complexity 
+      -p admin1 -e admin1@admin1.local --admin -d "Admin One" admin1
+
+  mas_create_user1:
+    image: ghcr.io/element-hq/matrix-authentication-service:main
+    user: "1000"
+    restart: no
+    profiles: ["create-accounts"]
+    depends_on:
+      - mas
+    volumes:
+      - ./docker/mas:/config:ro
+    command: |
+      manage register-user -c /config/config.yaml -y --ignore-password-complexity 
+      -p user1 -e user1@user1.local -d "User One" user1
+
   synapse:
     image: docker.io/matrixdotorg/synapse:latest
     user: "1000"
     # Since synapse does not retry to connect to the database, restart upon
     # failure
     restart: unless-stopped
-    entrypoint: /bin/bash
-    command: >
-      -c "nohup bash -c 'sleep 10; /config/delayed_accounts_creation.sh' \&
-        ./start.py"
-
     # See the readme for a full documentation of the environment settings
     # NOTE: You must edit homeserver.yaml to use postgres, it defaults to sqlite
     environment:
@@ -22,25 +55,25 @@ services:
       # - ./files:/data
       # - /path/to/ssd:/data/uploads
       # - /path/to/large_hdd:/data/media
-    depends_on:
-      - db
     # In order to expose Synapse, remove one of the following, you might for
     # instance expose the TLS port directly:
     ports:
-      - 8448:8448/tcp
+      - "8448:8448/tcp"
 
-  db:
+  masdb:
     image: docker.io/postgres:18-alpine
     user: "1000"
     environment:
-      - POSTGRES_USER=synapse
+      - POSTGRES_DB=masdb
+      - POSTGRES_USER=masdb
       - POSTGRES_PASSWORD=changeme
       # ensure the database gets created correctly
       # https://element-hq.github.io/synapse/latest/postgres.html#set-up-database
       - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+      - PGDATA=/data
     volumes:
       # You may store the database tables in a local folder..
-      - ./storage/postgres:/var/lib/postgresql/data
+      - ./storage/maspostgres:/data
       # .. or store them on some high performance storage for better results
       # - /path/to/ssd/storage:/var/lib/postgresql/data
 

docker/mas/config.yaml

@@ -0,0 +1,113 @@
+http:
+  listeners:
+  - name: web
+    resources:
+    - name: discovery
+    - name: human
+    - name: oauth
+    - name: compat
+    - name: graphql
+    - name: assets
+    binds:
+    - address: '[::]:8778'
+    proxy_protocol: false
+  - name: internal
+    resources:
+    - name: health
+    binds:
+    - host: localhost
+      port: 8081
+    proxy_protocol: false
+  trusted_proxies:
+  - 192.168.0.0/16
+  - 172.16.0.0/12
+  - 10.0.0.0/10
+  - 127.0.0.1/8
+  - fd00::/8
+  - ::1/128
+  public_base: http://localhost:8778/
+  issuer: http://localhost:8778/
+database:
+  uri: postgresql://masdb:changeme@masdb/masdb
+  max_connections: 10
+  min_connections: 0
+  connect_timeout: 30
+  idle_timeout: 600
+  max_lifetime: 1800
+email:
+  from: '"Authentication Service" <root@localhost>'
+  reply_to: '"Authentication Service" <root@localhost>'
+  transport: blackhole
+secrets:
+  encryption: 12de9ad7bc2bacfa2ab9b1e3f7f1b3feb802195c8ebe66a8293cdb27f00be471
+  keys:
+  - kid: Bj2PICQ7mf
+    key: |
+      -----BEGIN RSA PRIVATE KEY-----
+      MIIEogIBAAKCAQEAsCYCrrCJA7IuGbTYzP5yZN74QszbzudBUCX6MyN/+36HO2r6
+      xL8x1PRJ+Klx9Y90J9pWuo+cIuEmFLqO+Yfblo9fSQgZVvkWAFpO6Xh8J4z9qg49
+      M8xm0Ct8EnRDZDCEOBnwoDaAB9RTbpJGa1RPVCiamfi+xU+j47Zl4Er5jvLm81O7
+      DSlH9eK8Eih8AxuKTkAbKE1zyXquImE26Mj2dmMRfjDrWV/I8oqE3WFViAKR12Av
+      zw6TUyduiz8nK9pONCF3NIcQvBdHntBz1HlDXv6i0fRvlGIhjNL5LBgo6XQ3rNM1
+      bW2KYOw/iFP0YbfD4/xRjkBPvK2coQ8aRzK2VwIDAQABAoH/G4XU5Xav8ePlUB7x
+      wRYAycINCGL59Vos2lkUvujNFn6uopoUlKlLH/sLk87l/3hqrc9vvbayrsB/Mr3z
+      mQmhReUg/khFrVE+Hs/9hH1O6N8ew3N2HKHTbrNcr4V7AiySfDGRZ3ccihyi7KPu
+      XNbPjlbJ0UUMicfn06ysPl94nt0So0UAmXg+c7sDDqyzh3cY8emedYZ5FCljo/jA
+      F8k40rs7CywLJYMJB9O1vtomgt1xkDRO4F8UrZrriMIcYn0iFKe7i4AH8D6nkgNu
+      /v9Z43Leu8yRKrUvbpH3NaX8DlUSFWAXKpwUWr4sAQgWcLkVgjAXG1v9jCE97qW2
+      f0nBAoGBAOaKrnY5rWeZ74dERnPhSCsYiqRMneQAh7eJR+Er+xu1yF/bxwkhq2tK
+      /txheTK448DqhQRtr095t/v7TMZcPl3bSmybT1CQg/wiMJsgDMZqlC9tofvcq6uz
+      xP8vxMFHd0YSMSP693dkny4MzNY6LuoVWDLT+HxKPJyzGs1alruzAoGBAMOZp5J2
+      3ODcHQlcsGBtj1yVpQ4UXMvrSZF2ygiGK9bagL/f1iAtwACVOh5rgmbiOLSVgmR2
+      n4nupTgSAXMYkjmAmDyEh0PDaRl4WWvYEKp8GMvTPVPvjc6N0dT+y8Mf9bu+LcEt
+      +uZqPOZNbO5Vi+UgGeM9zZpxq/K7dpJmM/jNAoGBALsYHRGxKTsEwFEkZZCxaWIg
+      HpPL4e8hRwL6FC13BeitFBpHQDX27yi5yi+Lo1I4ngz3xk+bvERhYaDLhrkML0j4
+      KGQPfsTBI3vBO3UJA5Ua9XuwG19M7L0BvYPjfmfk2bUyGlM63w4zyMMUfD/3JA+w
+      ls1ZHTWxAZOh/sRdGirlAoGAX16B1+XgmDp6ZeAtlzaUGd5U1eKTxFF6U1SJ+VIB
+      +gYblHI84v+riB06cy6ULDnM0C+9neJAs24KXKZa0pV+Zk8O6yLrGN0kV2jYoL5+
+      kcFkDa13T3+TssxvLNz22LKyi9GUWYZjuQi/nMLPg/1t8k+Oj7/Iia822WkRzRvL
+      51kCgYEAwrN5Us8LR+fThm3C0vhvwv2wap6ccw0qq5+FTN+igAZAmmvKKvhow2Vi
+      LnPKBkc7QvxvQSNoXkdUo4qs3zOQ7DGvJLqSG9pwxFW5X1+78pNEm5OWe8AlT1uZ
+      Jz8Z1/Ae7fr/fFaucW9LkWjcuoPwPLiZ3b7ZQ6phs8qzoL+FpBI=
+      -----END RSA PRIVATE KEY-----
+  - kid: HcRvLHat12
+    key: |
+      -----BEGIN EC PRIVATE KEY-----
+      MHcCAQEEIOCCFSnkfz1ksln6kus8enQstBTu0q62IGJVzuX0WiXPoAoGCCqGSM49
+      AwEHoUQDQgAEVWPLbvSdxquLAjU3zJLcCWdaxr6QK1tPVbV1IS+87QUMv/zKiCMa
+      fNpwgBXwU7dF0gY507R2yY9pcdTmRtnRug==
+      -----END EC PRIVATE KEY-----
+  - kid: YjMITk5VSn
+    key: |
+      -----BEGIN EC PRIVATE KEY-----
+      MIGkAgEBBDCoPSjaN7qqnPz+vdzHeIy8RZCCtFOqLTkvylM1gz6xOGaVsS63VJw9
+      Td9BtpolZ0egBwYFK4EEACKhZANiAAT8tH88HYBHNiQTSqZzlxElSuSDC0+Xn0O9
+      ukj0xTTVBp8rUM9lCJQAlB8PjS2XK/n0YvYdzysQb3AYqszJa45/rOGvSar30YNE
+      gwpJvu36xNIKZT+nHalNwg069FdjNBc=
+      -----END EC PRIVATE KEY-----
+  - kid: NvFzzeMRU3
+    key: |
+      -----BEGIN EC PRIVATE KEY-----
+      MHQCAQEEILJEmFPDGFZoBVBQf1P6h4YfasYsFiu8a6FrFxiJvKXPoAcGBSuBBAAK
+      oUQDQgAE4NY5H3+D8r9GNOhrpbUn2dvLZIzi4A+SiwfqvtvPEmZkW+KDbd2tzKmx
+      maydZBn52QWedVY65snGAEoh9mV1TQ==
+      -----END EC PRIVATE KEY-----
+passwords:
+  enabled: true
+  schemes:
+  - version: 1
+    algorithm: argon2id
+  minimum_complexity: 0
+account:
+  password_registration_enabled: true
+  password_registration_email_required: false
+matrix:
+  kind: synapse
+  homeserver: localhost
+  secret: IhKoLn6jWf1qRRZWvqgaKuIdwD6H0Mvx
+  endpoint: http://synapse:8448/
+
+policy:
+  data:
+    client_registration:
+      allow_insecure_uris: true

docker/synapse/delayed_accounts_creation.sh

@@ -1,2 +0,0 @@
-register_new_matrix_user -a --user admin1 --password admin1 --config /config/homeserver.yaml;
-register_new_matrix_user --no-admin --user user1 --password user1 --config /config/homeserver.yaml;

docker/synapse/homeserver.yaml

@@ -33,3 +33,9 @@ signing_key_path: "/config/localhost.signing.key"
 trusted_key_servers:
   - server_name: "matrix.org"
 # vim:ft=yaml
+matrix_authentication_service:
+  enabled: true
+  endpoint: http://mas:8778/
+  secret: "IhKoLn6jWf1qRRZWvqgaKuIdwD6H0Mvx"
+  # Alternatively, using a file:
+  #secret_file: /path/to/secret.txt