Add the ability to update user passwords with ansible (when using the matrix-postgres container).

pull/158/head
Lyubomir Popov 6 years ago
parent
commit
134faa3139
10 changed files with 137 additions and 1 deletion
  1. docs/README.md (+2, -0)
  2. docs/updating-users-passwords.md (+19, -0)
  3. roles/matrix-base/defaults/main.yml (+1, -0)
  4. roles/matrix-base/tasks/setup_server_base.yml (+3, -1)
  5. roles/matrix-postgres/tasks/setup_postgres.yml (+7, -0)
  6. roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 (+15, -0)
  7. roles/matrix-synapse/tasks/main.yml (+5, -0)
  8. roles/matrix-synapse/tasks/setup_synapse_main.yml (+6, -0)
  9. roles/matrix-synapse/tasks/update_user_password.yml (+48, -0)
  10. roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 (+31, -0)

+ 2
- 0
docs/README.md

@@ -12,6 +12,8 @@

- [Registering users](registering-users.md)

- [Updating users passwords](updating-users-passwords.md)

- [Configuring service discovery via .well-known](configuring-well-known.md)

- [Maintenance / checking if services work](maintenance-checking-services.md)


+ 19
- 0
docs/updating-users-passwords.md

@@ -0,0 +1,19 @@
# Updating users passwords

If you are using the matrix-postgres container(default), you can do it via this Ansible playbook (make sure to edit the `<your-username>` and `<your-password>` part below):

ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=<your-username> password=<your-password>' --tags=update-user-password

**Note**: `<your-username>` is just a plain username (like `john`), not your full `@<username>:<your-domain>` identifier.

**You can then log in with that user** via the riot-web service that this playbook has created for you at a URL like this: `https://riot.<domain>/`.

If you are NOT using the matrix-postgres container, you can generate the password hash by using the command-line after **SSH**-ing to your server (requires that [all services have been started](#starting-the-services)):

docker exec -it matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml

and then connecting to the postgres server and executing:

UPDATE users SET password_hash = '<password-hash>' WHERE name = '@someone:server.com'

where `<password-hash>` is the hash returned by the docker command above.
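
Review bot: The `ansible-playbook` example puts the new password on the command line inside `--extra-vars='username=<your-username> password=<your-password>'`, so it ends up in the operator's shell history and is visible in the process list while the playbook runs. Suggest documenting a way to supply it that keeps it off argv (for example a vars file passed as `--extra-vars=@file`, or a prompt), or at least stating the exposure next to the command. Two smaller points in the same file: the link `[all services have been started](#starting-the-services)` targets an anchor that does not exist in this new 19-line document, and the `UPDATE users SET ...` statement is missing its terminating `;`.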

+ 1
- 0
roles/matrix-base/defaults/main.yml

@@ -48,6 +48,7 @@ run_import_postgres: true
run_upgrade_postgres: true
run_start: true
run_register_user: true
run_update_user_password: true
run_import_sqlite_db: true
run_import_media_store: true
run_self_check: true

+ 3
- 1
roles/matrix-base/tasks/setup_server_base.yml

@@ -25,6 +25,7 @@
- docker-python
- ntp
- fuse
- expect
state: latest
update_cache: yes
when: ansible_distribution == 'CentOS'
@@ -62,13 +63,14 @@
- python-docker
- ntp
- fuse
- expect
state: latest
update_cache: yes
when: ansible_os_family == 'Debian'

- name: Ensure Docker is started and autoruns
service:
name: docker
name: docker
state: started
enabled: yes
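
Review bot: The `name: docker` line under `Ensure Docker is started and autoruns` appears as both removed and added, so this hunk carries a whitespace-only change that is unrelated to adding `expect`; please drop it from this commit. Separately, `expect` is now installed on every host with `state: latest` although only the password-update path uses it, so a short comment next to the package entry saying what needs it would help whoever prunes this list later.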



+ 7
- 0
roles/matrix-postgres/tasks/setup_postgres.yml

@@ -123,3 +123,10 @@
debug:
msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it."
when: "not matrix_postgres_enabled and matrix_postgres_data_path_stat.stat.exists"

- name: Ensure matrix-postgres-update-user-password-hash script created
template:
src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2"
dest: "/usr/local/bin/matrix-postgres-update-user-password-hash"
mode: 0750
when: matrix_postgres_enabled

+ 15
- 0
roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2

@@ -0,0 +1,15 @@
#!/bin/bash

if [ $# -ne 2 ]; then
echo "Usage: "$0" <username> <password_hash>"
exit 1
fi

docker run \
--rm \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
--network {{ matrix_docker_network }} \
{{ matrix_postgres_docker_image_to_use }} \
psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'"
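
Review bot: The final `psql -c "UPDATE users set password_hash='$2' WHERE name = '@$1:...'"` line builds the SQL statement by pasting both script arguments between single quotes, so any `'` in the username or hash argument changes the statement that PostgreSQL executes. Suggest validating `$1` against the characters allowed in a Matrix localpart before use and passing both values as psql variables (`-v`) referenced as `:'name'` in a statement read from stdin or a file, since psql does not substitute variables inside a `-c` string. The script also reports success when the `UPDATE` matches zero rows, so a mistyped username goes unnoticed; checking the reported row count would catch that. Minor: in the usage line, `"Usage: "$0" ..."` leaves `$0` outside the quotes.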

+ 5
- 0
roles/matrix-synapse/tasks/main.yml

@@ -37,3 +37,8 @@
when: run_self_check
tags:
- self-check

- import_tasks: "{{ role_path }}/tasks/update_user_password.yml"
when: run_update_user_password
tags:
- update-user-password

+ 6
- 0
roles/matrix-synapse/tasks/setup_synapse_main.yml

@@ -79,3 +79,9 @@
dest: "/usr/local/bin/matrix-synapse-register-user"
mode: 0750

- name: Ensure matrix-synapse-generate-password-hash script created
template:
src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2"
dest: "/usr/local/bin/matrix-synapse-generate-password-hash"
mode: 0750


+ 48
- 0
roles/matrix-synapse/tasks/update_user_password.yml

@@ -0,0 +1,48 @@
---

- name: Fail if playbook called incorrectly
fail:
msg: "The `username` variable needs to be provided to this playbook, via --extra-vars"
when: "username is not defined or username == '<your-username>'"

- name: Fail if playbook called incorrectly
fail:
msg: "The `password` variable needs to be provided to this playbook, via --extra-vars"
when: "password is not defined or password == '<your-password>'"

- name: Fail if not using matrix-postgres container
fail:
msg: "This command is working only when matrix-postgres container is being used"
when: "not matrix_postgres_enabled"

- name: Ensure matrix-synapse is started
service:
name: matrix-synapse
state: started
daemon_reload: yes
register: start_result

- name: Ensure matrix-postgres is started
service:
name: matrix-postgres
state: started
daemon_reload: yes
register: postgres_start_result


- name: Wait a while, so that Matrix Synapse can manage to start
pause:
seconds: 7
when: start_result.changed

- name: Wait a while, so that Matrix Postgres can manage to start
pause:
seconds: 7
when: postgres_start_result.changed

- name: Generate password hash
shell: "/usr/local/bin/matrix-synapse-generate-password-hash {{ password }}"
register: password_hash

- name: Update user password hash
shell: "/usr/local/bin/matrix-postgres-update-user-password-hash {{ username }} '{{ password_hash.stdout }}'"
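
Review bot: In `Generate password hash`, `{{ password }}` is interpolated unquoted into a `shell:` command line, so a password containing spaces is split into several arguments and one containing shell metacharacters is interpreted by the shell on the server; `{{ username }}` in `Update user password hash` has the same problem. Suggest the `command:` module with an `argv` list, or at minimum `{{ password | quote }}` and `{{ username | quote }}`. Both tasks should also set `no_log: true`, otherwise the plaintext password and the resulting hash are printed in the Ansible output. Smaller points: the two `fail` tasks share the name `Fail if playbook called incorrectly`, which makes the output ambiguous, and the fixed `seconds: 7` pauses would be more reliable as a wait on the actual service port.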

+ 31
- 0
roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2

@@ -0,0 +1,31 @@
#!/usr/bin/env expect

# Read the password string
set pass [lindex $argv 0]

# Check if password was provided
if { $pass == "" } {
puts "Usage: $argv0 <password>"
exit 1
}

# Disable output
log_user 0

# Execute password hashing script
spawn docker exec -it matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml
expect "Password: "
send "$pass\r"
expect "Confirm password: "
send "$pass\r"
expect "%"

# Save the hash output to a variable
set output $expect_out(buffer)

# Trim the whitespace
regexp {\S+} $output passwordHash

# Output the password hash
puts -nonewline stdout $passwordHash
close stdout
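
Review bot: None of the `expect` calls handle `timeout` or `eof`, so if `docker exec` fails or the prompts differ, the script still sends the password and may go on to print a non-hash string (whatever `regexp {\S+}` matches first) or abort on an unset `passwordHash`, and the calling task passes that output on to the database update. Suggest explicit `timeout` and `eof` branches that exit non-zero, a check of the `regexp` return value, and waiting for `eof` instead of the literal `expect "%"`, whose origin is not explained in this file. The password is also read from `[lindex $argv 0]`, which makes it visible in the process list for the lifetime of the script; reading it from stdin would avoid that.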
