From 134faa3139c16ccae648fed34638ddd108d7c97e Mon Sep 17 00:00:00 2001 From: Lyubomir Popov Date: Tue, 30 Apr 2019 16:30:26 +0300 Subject: [PATCH] Add the ability to update user passwords with ansible (when using the matrix-postgres container). --- docs/README.md | 2 + docs/updating-users-passwords.md | 19 ++++++++ roles/matrix-base/defaults/main.yml | 1 + roles/matrix-base/tasks/setup_server_base.yml | 4 +- .../matrix-postgres/tasks/setup_postgres.yml | 7 +++ ...trix-postgres-update-user-password-hash.j2 | 15 ++++++ roles/matrix-synapse/tasks/main.yml | 5 ++ .../tasks/setup_synapse_main.yml | 6 +++ .../tasks/update_user_password.yml | 48 +++++++++++++++++++ .../matrix-synapse-generate-password-hash.j2 | 31 ++++++++++++ 10 files changed, 137 insertions(+), 1 deletion(-) create mode 100644 docs/updating-users-passwords.md create mode 100644 roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 create mode 100644 roles/matrix-synapse/tasks/update_user_password.yml create mode 100644 roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 diff --git a/docs/README.md b/docs/README.md index 1718c6ac..f623085b 100644 --- a/docs/README.md +++ b/docs/README.md @@ -12,6 +12,8 @@ - [Registering users](registering-users.md) +- [Updating users passwords](updating-users-passwords.md) + - [Configuring service discovery via .well-known](configuring-well-known.md) - [Maintenance / checking if services work](maintenance-checking-services.md) diff --git a/docs/updating-users-passwords.md b/docs/updating-users-passwords.md new file mode 100644 index 00000000..72b1f278 --- /dev/null +++ b/docs/updating-users-passwords.md 
@@ -0,0 +1,19 @@
+# Updating users passwords
+
+If you are using the matrix-postgres container(default), you can do it via this Ansible playbook (make sure to edit the `` and `` part below):
+
+ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username= password=' --tags=update-user-password
+
+**Note**: `` is just a plain username (like `john`), not your full `@:` identifier.
+
+**You can then log in with that user** via the riot-web service that this playbook has created for you at a URL like this: `https://riot./`.
+
+If you are NOT using the matrix-postgres container, you can generate the password hash by using the command-line after **SSH**-ing to your server (requires that [all services have been started](#starting-the-services)):
+
+ docker exec -it matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml
+
+and then connecting to the postgres server and executing:
+
+ UPDATE users SET password_hash = '' WHERE name = '@someone:server.com'
+
+where `` is the hash returned by the docker command above.
diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml
index 86369408..ab38084b 100644
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@@ -48,6 +48,7 @@ run_import_postgres: true
 run_upgrade_postgres: true
 run_start: true
 run_register_user: true
+run_update_user_password: true
 run_import_sqlite_db: true
 run_import_media_store: true
 run_self_check: true
diff --git a/roles/matrix-base/tasks/setup_server_base.yml b/roles/matrix-base/tasks/setup_server_base.yml
index f4a8352f..2ccdbd83 100644
--- a/roles/matrix-base/tasks/setup_server_base.yml
+++ b/roles/matrix-base/tasks/setup_server_base.yml
@@ -25,6 +25,7 @@
 - docker-python
 - ntp
 - fuse
+ - expect
 state: latest
 update_cache: yes
 when: ansible_distribution == 'CentOS'
@@ -62,13 +63,14 @@ - python-docker - ntp - fuse + - expect state: latest update_cache: yes when: ansible_os_family == 'Debian' - name: Ensure Docker is started and autoruns service: - name: docker + name: docker state: started enabled: yes diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index e22e1024..659650db 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -123,3 +123,10 @@ debug: msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it." when: "not matrix_postgres_enabled and matrix_postgres_data_path_stat.stat.exists" + +- name: Ensure matrix-postgres-update-user-password-hash script created + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2" + dest: "/usr/local/bin/matrix-postgres-update-user-password-hash" + mode: 0750 + when: matrix_postgres_enabled \ No newline at end of file diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 new file mode 100644 index 00000000..bd99211c --- /dev/null +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 @@ -0,0 +1,15 @@ +#!/bin/bash + +if [ $# -ne 2 ]; then + echo "Usage: "$0" " + exit 1 +fi + +docker run \ + --rm \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ + --network {{ matrix_docker_network }} \ + {{ matrix_postgres_docker_image_to_use }} \ + psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'" 
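Review bot: On the last line of the matrix-postgres-update-user-password-hash.j2 hunk both script arguments are spliced into the SQL text of the `psql -c` string (`password_hash='$2'` and `name = '@$1:{{ matrix_domain }}'`), so a value containing a single quote changes the statement rather than being treated as data. The username and the hash should be handed to psql as variables, `psql -h {{ matrix_postgres_connection_hostname }} -v u="$1" -v h="$2" -f -`, with the statement `UPDATE users SET password_hash = :'h' WHERE name = '@' || :'u' || ':{{ matrix_domain }}';` supplied on standard input so that psql does the quoting (the `docker run` then needs `-i` to pass stdin through). The script also exits 0 when no row matched, because an `UPDATE` for a non-existent user is not an error; checking that psql reported `UPDATE 1` would let the calling Ansible task fail instead of silently changing nothing. The `--user`, `--cap-drop=ALL` and `--rm` flags on the container invocation are the right defaults for a one-shot client.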
diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml index 1049cb5f..058cf05f 100644 --- a/roles/matrix-synapse/tasks/main.yml +++ b/roles/matrix-synapse/tasks/main.yml @@ -37,3 +37,8 @@ when: run_self_check tags: - self-check + +- import_tasks: "{{ role_path }}/tasks/update_user_password.yml" + when: run_update_user_password + tags: + - update-user-password \ No newline at end of file diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml index 6e56b659..7be5f045 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -79,3 +79,9 @@ dest: "/usr/local/bin/matrix-synapse-register-user" mode: 0750 +- name: Ensure matrix-synapse-generate-password-hash script created + template: + src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2" + dest: "/usr/local/bin/matrix-synapse-generate-password-hash" + mode: 0750 + diff --git a/roles/matrix-synapse/tasks/update_user_password.yml b/roles/matrix-synapse/tasks/update_user_password.yml new file mode 100644 index 00000000..c464e0d7 --- /dev/null +++ b/roles/matrix-synapse/tasks/update_user_password.yml 
@@ -0,0 +1,48 @@
+---
+
+- name: Fail if playbook called incorrectly
+ fail:
+ msg: "The `username` variable needs to be provided to this playbook, via --extra-vars"
+ when: "username is not defined or username == ''"
+
+- name: Fail if playbook called incorrectly
+ fail:
+ msg: "The `password` variable needs to be provided to this playbook, via --extra-vars"
+ when: "password is not defined or password == ''"
+
+- name: Fail if not using matrix-postgres container
+ fail:
+ msg: "This command is working only when matrix-postgres container is being used"
+ when: "not matrix_postgres_enabled"
+
+- name: Ensure matrix-synapse is started
+ service:
+ name: matrix-synapse
+ state: started
+ daemon_reload: yes
+ register: start_result
+
+- name: Ensure matrix-postgres is started
+ service:
+ name: matrix-postgres
+ state: started
+ daemon_reload: yes
+ register: postgres_start_result
+
+
+- name: Wait a while, so that Matrix Synapse can manage to start
+ pause:
+ seconds: 7
+ when: start_result.changed
+
+- name: Wait a while, so that Matrix Postgres can manage to start
+ pause:
+ seconds: 7
+ when: postgres_start_result.changed
+
+- name: Generate password hash
+ shell: "/usr/local/bin/matrix-synapse-generate-password-hash {{ password }}"
+ register: password_hash
+
+- name: Update user password hash
+ shell: "/usr/local/bin/matrix-postgres-update-user-password-hash {{ username }} '{{ password_hash.stdout }}'"
diff --git a/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2
new file mode 100644
index 00000000..c6858aa8
--- /dev/null
+++ b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2
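Review bot: The two `shell` tasks at the end of the hunk interpolate `{{ password }}`, `{{ username }}` and `{{ password_hash.stdout }}` into a command line without the `quote` filter and without `no_log: true`, so a password containing a space or a shell metacharacter breaks or alters the command, and the password, the resulting hash and the full command line are recorded in the task results and in verbose play output. The password additionally travels as a command-line argument of matrix-synapse-generate-password-hash (the expect script added later in this patch), where the process list exposes it to other local users while hashing runs; passing it via standard input or an environment variable would close that, but quoting and `no_log` are the minimum for these two tasks. Because `shell` already fails the task on a non-zero return code, no extra `rc` check is needed once the helper scripts report failures correctly.
```yaml
- name: Generate password hash
  shell: "/usr/local/bin/matrix-synapse-generate-password-hash {{ password | quote }}"
  register: password_hash
  no_log: true

- name: Update user password hash
  shell: "/usr/local/bin/matrix-postgres-update-user-password-hash {{ username | quote }} {{ password_hash.stdout | quote }}"
  no_log: true
```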
@@ -0,0 +1,31 @@
+#!/usr/bin/env expect
+
+# Read the password string
+set pass [lindex $argv 0]
+
+# Check if password was provided
+if { $pass == "" } {
+ puts "Usage: $argv0 "
+ exit 1
+}
+
+# Disable output
+log_user 0
+
+# Execute password hashing script
+spawn docker exec -it matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml
+expect "Password: "
+send "$pass\r"
+expect "Confirm password: "
+send "$pass\r"
+expect "%"
+
+# Save the hash output to a variable
+set output $expect_out(buffer)
+
+# Trim the whitespace
+regexp {\S+} $output passwordHash
+
+# Output the password hash
+puts -nonewline stdout $passwordHash
+close stdout
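Review bot: `expect "%"` waits for a literal `%`, which a bcrypt hash (made of `$`, `.`, `/` and alphanumerics) does not contain, so unless `hash_password` happens to print one the script only moves on after expect's default 10-second timeout, and it does so whether or not the hashing command succeeded; it then exits 0 with whatever `regexp {\S+}` found in the buffer, or errors on an unset `passwordHash` when nothing matched. Waiting for `expect eof` and checking the child's exit status with `wait` before printing would make a failed `docker exec` surface as a non-zero exit that the calling Ansible task can act on. The `puts "Usage: $argv0 "` message has lost its placeholder in this rendering and should name the expected argument.
```tcl
# … unchanged: argument check, log_user 0, spawn, the two prompts and sends …
expect eof

# Refuse to print anything if the hashing command itself failed
lassign [wait] pid spawnid os_error status
if { $os_error != 0 || $status != 0 } {
    exit 1
}

# … unchanged: buffer capture, regexp and output …
```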