From e6b77284f2dd4d9b5549601947d9b9d09f5375e5 Mon Sep 17 00:00:00 2001 From: Wolfgang Winter Date: Fri, 13 Aug 2021 17:46:37 +0200 Subject: [PATCH 01/15] Relay bot configurable + permissions Enable / disable relay bot functionality as configuratoin paramter; set bridge permissions for base domain users to user level --- .../matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index d4f64c79..ef66ee91 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -188,14 +188,13 @@ bridge: # * - All Matrix users # domain - All users on that homeserver # mxid - Specific user - permissions: - '{{ matrix_mautrix_signal_homeserver_domain }}': relay - '{{ matrix_mautrix_signal_homeserver_domain }}': user + permissions: + {{ matrix_mautrix_signal_homeserver_domain }}: user relay: # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any # authenticated user into a relaybot for that chat. - enabled: true + enabled: {{ matrix_mautrix_signal_relaybot_enabled }} # The formats to use when sending messages to Signal via a relay user. # # Available variables: From 5ca28ba87249951e24cd226e4ccfdf81aadd98d3 Mon Sep 17 00:00:00 2001 From: Wolfgang Winter Date: Fri, 13 Aug 2021 17:48:05 +0200 Subject: [PATCH 02/15] Default relay bot functionality setting Per default relay bot functionality is disabled; the bridge user permissions depends on the relay bot, if enabled the base domain users are on level relay, else remain on user; --- .../defaults/main.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 8ff2fbb6..157922c6 100644 
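Review bot: In the `config.yaml.j2` hunk of PATCH 01/15, `enabled: {{ matrix_mautrix_signal_relaybot_enabled }}` writes the variable's raw string form into the YAML, so an empty value in `vars.yml` renders as `enabled:` (null) and any other text is passed through as is. Rendering it as `enabled: {{ matrix_mautrix_signal_relaybot_enabled|bool|to_json }}` always emits a canonical `true` or `false` and leaves relay mode off unless the value is explicitly truthy. The same hunk drops the quotes around the permissions key; `'{{ matrix_mautrix_signal_homeserver_domain }}': user` keeps the rendered key a string whatever the domain value looks like. The `bridge:` mapping starts and continues outside the hunk.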
--- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -78,6 +78,9 @@ matrix_mautrix_signal_appservice_database: "{{ # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mautrix_signal_login_shared_secret: '' +# Enable bridge relay bot functionality +matrix_mautrix_signal_relaybot_enabled: false + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # @@ -93,6 +96,21 @@ matrix_mautrix_signal_configuration_extension_yaml: | # # If you need something more special, you can take full control by # completely redefining `matrix_mautrix_signal_configuration_yaml`. + # + # Permissions for using the bridge. + # Permitted values: + # relay - Allowed to be relayed through the bridge, no access to commands. + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + # + bridge: + permissions: + {{ matrix_mautrix_signal_homeserver_domain }}: "{{ "relay" if matrix_mautrix_signal_relaybot_enabled else "user" }}" + matrix_mautrix_signal_configuration_extension: "{{ matrix_mautrix_signal_configuration_extension_yaml|from_yaml if matrix_mautrix_signal_configuration_extension_yaml|from_yaml is mapping else {} }}" From c3b4a1a66d7796d84b8c0b2eaf4970405a6d28fc Mon Sep 17 00:00:00 2001 From: Wolfgang Winter Date: Fri, 13 Aug 2021 17:48:28 +0200 Subject: [PATCH 03/15] Augment documentation for relay bot --- ...figuring-playbook-bridge-mautrix-signal.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md index 6d3c4dfb..e91487fa 100644 --- a/docs/configuring-playbook-bridge-mautrix-signal.md 
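Review bot: The default added to `matrix_mautrix_signal_configuration_extension_yaml` in the second `defaults/main.yml` hunk of PATCH 02/15 lowers the homeserver's own users from `user` to `relay` as soon as `matrix_mautrix_signal_relaybot_enabled` is true. Going by the level descriptions added in the same hunk, `relay` has no access to commands, so local users would lose puppeting and presumably could no longer issue `!signal set-relay`, which the template comment in PATCH 01/15 ties to an authenticated user. Keeping `'{{ matrix_mautrix_signal_homeserver_domain }}': user` unconditional and granting `relay` through a separate key would leave existing access unchanged when the flag is switched on.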
+++ b/docs/configuring-playbook-bridge-mautrix-signal.md @@ -12,6 +12,27 @@ Use the following playbook configuration: matrix_mautrix_signal_enabled: true ``` +There are some additional things you may wish to configure about the bridge before you continue. + +The relay bot functionality is off by default. If you would like to enable the relay bot, add the following to your `vars.yml` file: +```yaml +matrix_mautrix_signal_relaybot_enabled: true +``` + +Additionally the permissions for the bridge grant user rights to all base domain users in case the relay bot is disabled, or relay rights in case the relay bot is enabled. + +If you would like to have a more specific setting of the permissions you can set the permissions as follows (example). For more details see also [mautrix-bridge documentation](https://docs.mau.fi/bridges/python/signal/relay-mode.html) +```yaml +matrix_mautrix_signal_configuration_extension_yaml: | + bridge: + permissions: + '@YOUR_USERNAME:YOUR_DOMAIN': admin + '*': user + YOUR_DOMAIN: relay +``` + +You may wish to look at `roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2` to find more information on the permissions settings and other options you would like to configure. + ## Set up Double Puppeting If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-signal/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it. From bb931493eeb26a55f8dd60e26d2cbea04885b99b Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Fri, 13 Aug 2021 20:15:19 +0200 Subject: [PATCH 04/15] Update as per suggestion --- docs/configuring-playbook-bridge-mautrix-signal.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md index e91487fa..30b7bba8 100644 --- a/docs/configuring-playbook-bridge-mautrix-signal.md +++ b/docs/configuring-playbook-bridge-mautrix-signal.md 
@@ -27,8 +27,8 @@ matrix_mautrix_signal_configuration_extension_yaml: | bridge: permissions: '@YOUR_USERNAME:YOUR_DOMAIN': admin - '*': user - YOUR_DOMAIN: relay + YOUR_DOMAIN: user + '*': relay ``` You may wish to look at `roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2` to find more information on the permissions settings and other options you would like to configure. From a34241e4ccbbdeb982ceb662d320da7a0b995480 Mon Sep 17 00:00:00 2001 From: Wolfgang Winter Date: Fri, 13 Aug 2021 21:11:41 +0200 Subject: [PATCH 05/15] Remove intial permissions seting Permissions, when set in the template, will be augmented rahter than replaced when using matrix_mautrix_signal_configuration_extension_yaml. Therefore, permissions shall only be set in the defaults/vars.yml or in the HS specific vars.yml file --- roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index ef66ee91..f0b9af86 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -188,8 +188,10 @@ bridge: # * - All Matrix users # domain - All users on that homeserver # mxid - Specific user - permissions: - {{ matrix_mautrix_signal_homeserver_domain }}: user + #permissions: + # + # Remark: permissions will be set in the defaults/main.yml file of this role + # (see matrix_mautrix_signal_configuration_extension_yaml) relay: # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any From d9e8be7c7997042963382dea0b8da1c38b5b8b5c Mon Sep 17 00:00:00 2001 
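Review bot: With `permissions:` commented out in the `config.yaml.j2` hunk of PATCH 05/15, the only source of `bridge.permissions` is the default text of `matrix_mautrix_signal_configuration_extension_yaml`, which is the variable the docs in this series tell operators to redefine. A `vars.yml` that sets that variable for any other purpose replaces the default wholesale, and the rendered config then carries no permissions mapping at all; how the bridge treats a missing mapping is not visible here. Keeping the key in the template and feeding it from a dedicated variable, as PATCH 13/15 later does with `matrix_mautrix_signal_bridge_permissions`, lets the access-control defaults survive unrelated overrides. The `bridge:` mapping starts and continues outside the hunk.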
From: WobbelTheBear Date: Sat, 14 Aug 2021 17:32:54 +0200 Subject: [PATCH 06/15] Update docs/configuring-playbook-bridge-mautrix-signal.md Document how to enable relay functionality in a room Co-authored-by: Jan <31133207+Jaffex@users.noreply.github.com> --- docs/configuring-playbook-bridge-mautrix-signal.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md index 30b7bba8..06881b60 100644 --- a/docs/configuring-playbook-bridge-mautrix-signal.md +++ b/docs/configuring-playbook-bridge-mautrix-signal.md @@ -18,7 +18,8 @@ The relay bot functionality is off by default. If you would like to enable the r ```yaml matrix_mautrix_signal_relaybot_enabled: true ``` - +If you want to activate the relay bot in a room, use `!signal set-relay`. +Use `!signal unset-relay` to deactivate. Additionally the permissions for the bridge grant user rights to all base domain users in case the relay bot is disabled, or relay rights in case the relay bot is enabled. If you would like to have a more specific setting of the permissions you can set the permissions as follows (example). For more details see also [mautrix-bridge documentation](https://docs.mau.fi/bridges/python/signal/relay-mode.html) From ae9639585ccedc1e303fb28e03b844432d4c380e Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Sat, 14 Aug 2021 17:35:49 +0200 Subject: [PATCH 07/15] Update roles/matrix-bridge-mautrix-signal/defaults/main.yml Improved setup through template file Co-authored-by: Jan <31133207+Jaffex@users.noreply.github.com> --- .../defaults/main.yml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 157922c6..48aa2566 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml 
@@ -96,21 +96,6 @@ matrix_mautrix_signal_configuration_extension_yaml: | # # If you need something more special, you can take full control by # completely redefining `matrix_mautrix_signal_configuration_yaml`. - # - # Permissions for using the bridge. - # Permitted values: - # relay - Allowed to be relayed through the bridge, no access to commands. - # user - Use the bridge with puppeting. - # admin - Use and administrate the bridge. - # Permitted keys: - # * - All Matrix users - # domain - All users on that homeserver - # mxid - Specific user - # - bridge: - permissions: - {{ matrix_mautrix_signal_homeserver_domain }}: "{{ "relay" if matrix_mautrix_signal_relaybot_enabled else "user" }}" - matrix_mautrix_signal_configuration_extension: "{{ matrix_mautrix_signal_configuration_extension_yaml|from_yaml if matrix_mautrix_signal_configuration_extension_yaml|from_yaml is mapping else {} }}" From d249fe874ede76f244c2701e42ab8c2199a5f5af Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Sat, 14 Aug 2021 17:36:43 +0200 Subject: [PATCH 08/15] Update roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 Updated settings in template file: * relay for any user * user permissions only for HS domain users Co-authored-by: Jan <31133207+Jaffex@users.noreply.github.com> --- .../matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index f0b9af86..5628b942 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 
@@ -188,10 +188,9 @@ bridge: # * - All Matrix users # domain - All users on that homeserver # mxid - Specific user - #permissions: - # - # Remark: permissions will be set in the defaults/main.yml file of this role - # (see matrix_mautrix_signal_configuration_extension_yaml) + permissions: + *: relay + '{{ matrix_mautrix_signal_homeserver_domain }}': user relay: # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any From 30aa8c2c3f88ae0c2725b8c069f1ecef5639bce9 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Sat, 14 Aug 2021 17:38:58 +0200 Subject: [PATCH 09/15] Update docs/configuring-playbook-bridge-mautrix-signal.md Improvement of documentation Co-authored-by: Jan <31133207+Jaffex@users.noreply.github.com> --- docs/configuring-playbook-bridge-mautrix-signal.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md index 06881b60..efd4d96f 100644 --- a/docs/configuring-playbook-bridge-mautrix-signal.md +++ b/docs/configuring-playbook-bridge-mautrix-signal.md @@ -20,7 +20,8 @@ matrix_mautrix_signal_relaybot_enabled: true ``` If you want to activate the relay bot in a room, use `!signal set-relay`. Use `!signal unset-relay` to deactivate. -Additionally the permissions for the bridge grant user rights to all base domain users in case the relay bot is disabled, or relay rights in case the relay bot is enabled. +By default, any user on your homeserver will be able to use the bridge. +If you enable the relay bot functionality, it will relay every user's messages in a portal room - no matter which homeserver they're from. If you would like to have a more specific setting of the permissions you can set the permissions as follows (example). For more details see also [mautrix-bridge documentation](https://docs.mau.fi/bridges/python/signal/relay-mode.html) ```yaml 
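Review bot: The `*: relay` entry added in the `config.yaml.j2` hunk of PATCH 08/15 grants the relay level to every Matrix user on any homeserver whether or not `matrix_mautrix_signal_relaybot_enabled` is set, and, going by the PATCH 05/15 description, an entry that sits in the template can be augmented through the extension variable but not removed. Emitting the wildcard only when relay mode is on keeps the default at least privilege, for example `{% if matrix_mautrix_signal_relaybot_enabled %}'*': relay{% endif %}`; the default added to `defaults/main.yml` in PATCH 14/15 carries the same unconditional entry. As written the key is also unquoted, and a plain scalar that begins with `*` is read as a YAML alias, so the rendered file is not expected to parse until the key is written `'*': relay`.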
From f988fd33391f923ec997fc6f71ba663dc6dc03e9 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Sat, 14 Aug 2021 17:47:31 +0200 Subject: [PATCH 10/15] Change sequence of permissions As per earlier comment (see from tulir) the sequence has been changed. --- roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 5628b942..2adfd520 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -189,8 +189,8 @@ bridge: # domain - All users on that homeserver # mxid - Specific user permissions: - *: relay '{{ matrix_mautrix_signal_homeserver_domain }}': user + *: relay relay: # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any From 7486db0d1a88d40bd9d02bfd96be7386f99e1fae Mon Sep 17 00:00:00 2001 From: Wolfgang Winter Date: Sat, 14 Aug 2021 17:58:08 +0200 Subject: [PATCH 11/15] Missing ticks --- roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 2adfd520..ecd5902b 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -190,7 +190,7 @@ bridge: # mxid - Specific user permissions: '{{ matrix_mautrix_signal_homeserver_domain }}': user - *: relay + '*': relay relay: # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any From d0b557eb6f0c56ad86c20bab642e29dcfb0e430c Mon Sep 17 00:00:00 2001 
From: Wolfgang Winter Date: Sun, 15 Aug 2021 08:42:21 +0200 Subject: [PATCH 12/15] Replace tabs to spaces to prevent problems in YAML --- roles/matrix-bridge-mautrix-signal/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 48aa2566..93472d51 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -70,9 +70,9 @@ matrix_mautrix_signal_database_name: 'matrix_mautrix_signal' matrix_mautrix_signal_database_connection_string: 'postgres://{{ matrix_mautrix_signal_database_username }}:{{ matrix_mautrix_signal_database_password }}@{{ matrix_mautrix_signal_database_hostname }}:{{ matrix_mautrix_signal_database_port }}/{{ matrix_mautrix_signal_database_name }}' matrix_mautrix_signal_appservice_database: "{{ - { - 'postgres': matrix_mautrix_signal_database_connection_string, - }[matrix_mautrix_signal_database_engine] + { + 'postgres': matrix_mautrix_signal_database_connection_string, + }[matrix_mautrix_signal_database_engine] }}" # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). From b1c94efcd8bfba5047765c53f19a1af585153a34 Mon Sep 17 00:00:00 2001 From: Wolfgang Winter Date: Mon, 16 Aug 2021 18:23:40 +0200 Subject: [PATCH 13/15] Make template generic for the pemission settings --- roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index ecd5902b..1c7a637f 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 
@@ -189,8 +189,7 @@ bridge: # domain - All users on that homeserver # mxid - Specific user permissions: - '{{ matrix_mautrix_signal_homeserver_domain }}': user - '*': relay + {{ matrix_mautrix_signal_bridge_permissions|from_yaml }} relay: # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any From 4b7506ca1a0c13a31adf4e4eaea1e6f79c02b9b3 Mon Sep 17 00:00:00 2001 From: Wolfgang Winter Date: Mon, 16 Aug 2021 18:24:12 +0200 Subject: [PATCH 14/15] Preset the permissions inline with other bridges --- .../matrix-bridge-mautrix-signal/defaults/main.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 93472d51..93993fa1 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -81,6 +81,19 @@ matrix_mautrix_signal_login_shared_secret: '' # Enable bridge relay bot functionality matrix_mautrix_signal_relaybot_enabled: false +# Permissions for using the bridge. +# Permitted values: +# relay - Allowed to be relayed through the bridge, no access to commands. +# user - Use the bridge with puppeting. +# admin - Use and administrate the bridge. +# Permitted keys: +# * - All Matrix users +# domain - All users on that homeserver +# mxid - Specific user +matrix_mautrix_signal_bridge_permissions: | + '*': relay + '{{ matrix_mautrix_signal_homeserver_domain }}': user + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # From 5a828f36a6226c4a44449b355a1e3fa2d3f5957a Mon Sep 17 00:00:00 2001 
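Review bot: `{{ matrix_mautrix_signal_bridge_permissions|from_yaml }}` in the `config.yaml.j2` hunk of PATCH 13/15 prints the parsed value's Python representation into the file, which happens to read back as a YAML flow mapping for simple string entries but is not a serialisation format. An empty or non-mapping override would presumably render as `None` or a bare scalar, leaving the bridge with an access-control setting the operator did not intend. Serialising explicitly, `permissions: {{ matrix_mautrix_signal_bridge_permissions|from_yaml|to_json }}`, gives well-formed output for any mapping. It would be simpler still to make the default in PATCH 14/15 a native mapping instead of a block-scalar string and drop `from_yaml`.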
From: Wolfgang Winter Date: Mon, 16 Aug 2021 18:24:55 +0200 Subject: [PATCH 15/15] Document the permissions settings. Distinguish between augmenting and overwriting. --- ...figuring-playbook-bridge-mautrix-signal.md | 28 +++++++++++++++++-- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md index efd4d96f..131d3aba 100644 --- a/docs/configuring-playbook-bridge-mautrix-signal.md +++ b/docs/configuring-playbook-bridge-mautrix-signal.md 
@@ -23,14 +23,36 @@ Use `!signal unset-relay` to deactivate. By default, any user on your homeserver will be able to use the bridge. If you enable the relay bot functionality, it will relay every user's messages in a portal room - no matter which homeserver they're from. -If you would like to have a more specific setting of the permissions you can set the permissions as follows (example). For more details see also [mautrix-bridge documentation](https://docs.mau.fi/bridges/python/signal/relay-mode.html) +Different levels of permission can be granted to users: + +* relay - Allowed to be relayed through the bridge, no access to commands; +* user - Use the bridge with puppeting; +* admin - Use and administer the bridge. + +The permissions are following the sequence: nothing < relay < user < admin. + +The default permissions are set as follows: +```yaml +permissions: + '*': relay + YOUR_DOMAIN: user +``` + +If you want to augment the preset permissions, you might want to set the additional permissions with the following settings in your `vars.yml` file: ```yaml matrix_mautrix_signal_configuration_extension_yaml: | bridge: permissions: '@YOUR_USERNAME:YOUR_DOMAIN': admin - YOUR_DOMAIN: user - '*': relay +``` + +This will add the admin permission to the specific user, while keepting the default permissions. + +In case you want to replace the default permissions settings **completely**, populate the following item within your `vars.yml` file: +```yaml +matrix_mautrix_signal_bridge_permissions: | + '@ADMIN:YOUR_DOMAIN': admin + '@USER:YOUR_DOMAIN' : user ``` You may wish to look at `roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2` to find more information on the permissions settings and other options you would like to configure.