From 70bea81df753f281ae844239529b3b6bc94c95cc Mon Sep 17 00:00:00 2001
From: Paul N <92150859+stift-n2@users.noreply.github.com>
Date: Mon, 6 Feb 2023 15:59:32 +0100
Subject: [PATCH] Introduced flags to (1) enable/disable Auth (2)
 enable/disable openid_server_name pinning. Updated validate_config.yml and
 added new checks to verify.

---
 ...ring-playbook-user-verification-service.md | 15 +++++++++---
 .../defaults/main.yml                         | 12 ++++++----
 .../tasks/validate_config.yml                 | 23 ++++++++++++++++---
 .../templates/.env.j2                         |  6 +++--
 4 files changed, 44 insertions(+), 12 deletions(-)

diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md
index 451f54f4b..d33c7147d 100644
--- a/docs/configuring-playbook-user-verification-service.md
+++ b/docs/configuring-playbook-user-verification-service.md
@@ -63,9 +63,9 @@ To get an access token for the UVS user, you can follow the documentation on [ho
 matrix_user_verification_service_uvs_access_token: "YOUR ACCESS TOKEN HERE"
 ```
 
-### (Optional) Auth Token
+### (Optional) Custom Auth Token
 
-It is possible to set an API Auth Token to restrict access to the UVS. If this is set, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN"
+It is possible to set an API Auth Token to restrict access to the UVS. If this is enabled, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN"
 
 By default, the token will be derived from `matrix_homeserver_generic_secret_key` in `group_vars/matrix_servers`.
 To set your own Token, simply put the following in your host_vars.
@@ -76,12 +76,21 @@ matrix_user_verification_service_uvs_auth_token: "TOKEN"
 
 In case Jitsi is also managed by this playbook and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token.
 
+###  (Optional) Disable Auth
+Authorization is enabled by default. To disable set
+
+```yaml
+matrix_user_verification_service_uvs_require_auth: false
+```
+
+in your host_vars.
+
 ### (Optional) Federation
 
 In theory (however currently untested), UVS can handle federation. Simply set:
 
 ```yaml
-matrix_user_verification_service_uvs_openid_verify_server_name: ""
+matrix_user_verification_service_uvs_pin_openid_verify_server_name: false
 ```
 
 in your host_vars.
diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml
index cdef8f399..6f7be0d1f 100644
--- a/roles/custom/matrix-user-verification-service/defaults/main.yml
+++ b/roles/custom/matrix-user-verification-service/defaults/main.yml
@@ -43,13 +43,17 @@ matrix_user_verification_service_uvs_disable_ip_blacklist: false
 
 ## OPTIONAL
 
+# Require an Auth-Token with API calls. If set to false, UVS will reply to any API call.
+# The Auth-Token is defined via: matrix_user_verification_service_uvs_auth_token
+matrix_user_verification_service_uvs_require_auth: true
 # Auth token to protect the API
-# If this is set any calls to the provided API endpoints
-# need have the header "Authorization: Bearer changeme".
-# matrix_user_verification_service_uvs_auth_token: changeme
+# If enabled any calls to the provided API endpoints need have the header "Authorization: Bearer TOKEN".
+# A Token will be derived from matrix_homeserver_generic_secret_key in group_vars/matrix_servers
+matrix_user_verification_service_uvs_auth_token: ''
 
-# Matrix server name to verify OpenID tokens against.
 # Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook.
+matrix_user_verification_service_uvs_pin_openid_verify_server_name: true
+# Matrix server name to verify OpenID tokens against.
 # This is not the homeserverURL, but rather the domain in the matrix "user ID"
 # UVS can also be instructed to verify against the Matrix server name passed in the token, to enable set to ""
 matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}"
diff --git a/roles/custom/matrix-user-verification-service/tasks/validate_config.yml b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml
index e4349fa6b..40e9090cb 100644
--- a/roles/custom/matrix-user-verification-service/tasks/validate_config.yml
+++ b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml
@@ -1,8 +1,25 @@
 ---
 
-- name: verify all necessary variables are present
+- name: Verify homeserver_url is not empty
   assert:
     that:
-      - matrix_user_verification_service_uvs_access_token is defined and matrix_user_verification_service_uvs_access_token|length
-      - matrix_user_verification_service_uvs_homeserver_url is defined and matrix_user_verification_service_uvs_homeserver_url|length
+      - matrix_user_verification_service_uvs_homeserver_url|length > 0
     fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role"
+
+- name: Verify Auth is configured properly or disabled
+  assert:
+    that:
+      - matrix_user_verification_service_uvs_access_token|length > 0 or not matrix_user_verification_service_uvs_require_auth|bool
+    fail_msg: "If Auth is enabled, a valid (non empty) TOKEN must be given in 'matrix_user_verification_service_uvs_access_token'."
+
+- name: Verify server_name for openid verification is given, if pinning a single server_name is enabled.
+  assert:
+    that:
+      - matrix_user_verification_service_uvs_openid_verify_server_name|length > 0 or not matrix_user_verification_service_uvs_pin_openid_verify_server_name|bool
+    fail_msg: "If pinning a single server_name is enabled, a valid (non empty) server_name must be given in 'matrix_user_verification_service_uvs_openid_verify_server_name'."
+
+- name: Verify the homeserver implementation is synapse
+  assert:
+    that:
+      - matrix_homeserver_implementation == 'synapse'
+    fail_msg: "The User-Verification-Service requires Synapse as homeserver implementation"
diff --git a/roles/custom/matrix-user-verification-service/templates/.env.j2 b/roles/custom/matrix-user-verification-service/templates/.env.j2
index 8119c1e98..359eed2a1 100644
--- a/roles/custom/matrix-user-verification-service/templates/.env.j2
+++ b/roles/custom/matrix-user-verification-service/templates/.env.j2
@@ -2,8 +2,10 @@ UVS_ACCESS_TOKEN={{ matrix_user_verification_service_uvs_access_token }}
 UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }}
 UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }}
 UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }}
-UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }}
-{% if matrix_user_verification_service_uvs_openid_verify_server_name | length > 0 %}
+{% if matrix_user_verification_service_uvs_require_auth | bool %}
+  UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }}
+{% endif %}
+{% if matrix_user_verification_service_uvs_pin_openid_verify_server_name | bool %}
   UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }}
 {% endif %}