Audit registrations #7

Merged
merged 3 commits into from
Nov 4, 2024
Merged
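--- a/inventory/group_vars/matrix_servers.yml
+++ b/inventory/group_vars/matrix_servers.yml
@@ -86,3 +86,9 @@ postgres_connection_password: !vault |
 # Example: `matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']`
 #
 # matrix_coturn_turn_external_ip_address: ''
+
+# Audit user registrations
+matrix_synapse_ext_audit_registrations_enabled: true
+matrix_synapse_ext_audit_registrations_config:
+room_alias: "#audit:{{ now(fmt='%Y') }}.seagl.org"
+user_id: "@notifications:{{ now(fmt='%Y') }}.seagl.org"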
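Review bot: The `{{ now(fmt='%Y') }}` in `room_alias` and `user_id` is rendered once, when the playbook runs, so after a year boundary the module keeps reporting to the previous year's room until the next deploy, and if the new year's alias does not exist yet every registration notice is dropped with only a logged error. Pinning a literal server name, or a per-deployment variable, would make the target explicit; at minimum a comment such as `# NOTE: the year is resolved at deploy time — redeploy after the yearly server/room rollover` would spare the next operator the surprise. Since the module posts every newly registered user ID into the room behind this alias, that room should be restricted to admins rather than publicly joinable.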
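--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -1342,6 +1342,9 @@ matrix_synapse_ext_synapse_auto_accept_invite_worker_to_run_on: null
 # If it is, the Synapse media repo and media-repo workers will be disabled automatically.
 matrix_synapse_ext_media_repo_enabled: false
 
+# Auditing of user registrations
+matrix_synapse_ext_audit_registrations_enabled: false
+
 matrix_s3_media_store_enabled: false
 matrix_s3_media_store_custom_endpoint_enabled: false
 matrix_s3_goofys_docker_image: "{{ matrix_s3_goofys_docker_image_name_prefix }}ewoutp/goofys:latest"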
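Review bot: Only `matrix_synapse_ext_audit_registrations_enabled` gets a default here; `matrix_synapse_ext_audit_registrations_config`, which the install task passes straight into the module's `config` and which the module reads as `config["room_alias"]` and `config["user_id"]`, has none, so enabling the extension without defining it fails inside `set_fact` with an undefined-variable error instead of a clear message. Add `matrix_synapse_ext_audit_registrations_config: {}` next to the flag with a comment describing the two required keys, e.g. `# Required when enabled: room_alias (alias of the room that receives the notices) and user_id (local user the notices are sent as)`. An `ansible.builtin.assert` on those keys in the install tasks would turn the failure into an explicit one.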
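--- /dev/null
+++ b/roles/custom/matrix-synapse/tasks/ext/audit-registrations/setup_install.yml
@@ -0,0 +1,69 @@
+---
+
+- name: Install audit registrations module
+ansible.builtin.copy:
+dest: "{{ matrix_synapse_ext_path }}/audit_registrations.py"
+owner: "{{ matrix_synapse_uid }}"
+group: "{{ matrix_synapse_gid }}"
+mode: 0440
+content: |
+import logging
+from synapse.module_api.errors import SynapseError
+
+logger = logging.getLogger(__name__)
+
+
+class AuditRegistrations:
+def __init__(self, config, api):
+self._api = api
+self._room_alias = config["room_alias"]
+self._user_id = config["user_id"]
+
+self._api.register_account_validity_callbacks(
+on_user_registration=self.on_user_registration
+)
+
+async def on_user_registration(self, user_id):
+try:
+(room_id, _) = await self._api.lookup_room_alias(self._room_alias)
+
+await self._api.create_and_send_event_into_room(
+{
+"sender": self._user_id,
+"room_id": room_id,
+"type": "m.room.message",
+"content": {
+"msgtype": "m.notice",
+"body": f"User registration: {user_id}",
+},
+}
+)
+except SynapseError as e:
+logger.error("Failed to report user registration %s: %s", user_id, e)
+
+- ansible.builtin.set_fact:
+matrix_synapse_modules: |
+{{
+matrix_synapse_modules | default([])
++
+[
+{
+"module": "audit_registrations.AuditRegistrations",
+"config": matrix_synapse_ext_audit_registrations_config
+}
+]
+}}
+
+matrix_synapse_container_extra_arguments: >
+{{
+matrix_synapse_container_extra_arguments | default([])
++
+["--mount type=bind,src={{ matrix_synapse_ext_path }}/audit_registrations.py,dst={{ matrix_synapse_in_container_python_packages_path }}/audit_registrations.py,ro"]
+}}
+
+matrix_synapse_additional_loggers_auto: >
+{{
+matrix_synapse_additional_loggers_auto
++
+[{'name': 'audit_registrations', 'level': 'INFO'}]
+}}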
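Review bot: `on_user_registration` in the embedded module only catches `SynapseError`, so any other exception from `lookup_room_alias` or `create_and_send_event_into_room` (a remote alias lookup timing out, for instance) propagates out of the callback; whether Synapse then fails the registration itself depends on how it invokes the account-validity callbacks, which is outside this hunk, so it is worth ruling out — an audit notification should not be able to block sign-ups. Replacing the handler with `except Exception:` and `logger.exception("Failed to report user registration %s", user_id)` keeps the module fail-open and preserves the traceback. Two smaller points: `mode: 0440` is an unquoted YAML 1.1 octal (ansible-lint `risky-octal`) and reads more safely as `mode: "0440"`, and the `set_fact` task has no `name:` unlike the task above it. `matrix_synapse_additional_loggers_auto` is also appended without the `default([])` the other two facts use, which is fine only if the role's defaults always define it.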
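--- /dev/null
+++ b/roles/custom/matrix-synapse/tasks/ext/audit-registrations/setup_uninstall.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Uninstall audit registrations module
+ansible.builtin.file:
+path: "{{ matrix_synapse_ext_path }}/audit_registrations.py"
+state: absent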
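--- a/roles/custom/matrix-synapse/tasks/ext/setup_install.yml
+++ b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml
@@ -82,3 +82,13 @@
 block:
 - when: matrix_synapse_ext_synapse_auto_accept_invite_enabled | bool
 ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-auto-accept-invite/setup_install.yml"
+
+# audit-registrations
+- tags:
+- setup-all
+- setup-synapse
+- install-all
+- install-synapse
+block:
+- when: matrix_synapse_ext_audit_registrations_enabled | bool
+ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/audit-registrations/setup_install.yml"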
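--- a/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml
+++ b/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml
@@ -50,3 +50,11 @@
 block:
 - when: not matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool
 ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_uninstall.yml"
+
+# audit-registrations
+- tags:
+- setup-all
+- setup-synapse
+block:
+- when: not matrix_synapse_ext_audit_registrations_enabled | bool
+ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/audit-registrations/setup_uninstall.yml"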