From 22dce1d4cc862d9fb355de8826ad641b10ddea41 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sat, 13 Jan 2024 10:22:06 +0200
Subject: [PATCH] Upgrade matrix-reminder-bot and lock it down via the new allowlist setting

---
 CHANGELOG.md | 24 +++++++++++++++++
 group_vars/matrix_servers | 7 ++++-
 .../defaults/main.yml | 18 ++++++++++---
 .../templates/config.yaml.j2 | 27 +++++++++++++++++++
 4 files changed, 72 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c8a109e01..6e13148b4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,27 @@
+# 2024-01-13
+
+## matrix-reminder-bot update with more secure (backward-incompatible) default settings
+
+**TLDR**: your updated (to [v0.3.0](https://github.com/anoadragon453/matrix-reminder-bot/releases/tag/v0.3.0)) [matrix-reminder-bot](./docs/configuring-playbook-bot-matrix-reminder-bot.md) is now more secure. By default, like other bridges/bots managed by the playbook, it will only provide its services to users of your own server (not to anyone, even across the Matrix Federation). If that's fine, there's nothing you need to do.
+
+Maintenance of [matrix-reminder-bot](./docs/configuring-playbook-bot-matrix-reminder-bot.md) has been picked up by [Kim Brose](https://github.com/HarHarLinks).
+
+Thanks to Kim, a new [v0.3.0](https://github.com/anoadragon453/matrix-reminder-bot/releases/tag/v0.3.0) release is out. The new version is now available for the ARM64 architecture, so playbook users on this architecture will no longer need to wait for [self-building](./docs/self-building.md) to happen.
+
+The new version also comes with new `allowlist` and `blocklist` settings, which make it possible to restrict who can use the bot. Previously anyone, even across the Matrix Federation could talk to it and schedule reminders.
+
+The playbook defaults all bridges and bots (where possible) to only be exposed to users of the current homeserver, not users across federation.
+Thanks to the new version of this bot making such a restriction possible, we're now making use of it. The playbook (via its `group_vars/matrix_servers` file) automatically enables the `allowlist` (`matrix_bot_matrix_reminder_bot_allowlist_enabled: true`) and configures it in such a way (`matrix_bot_matrix_reminder_bot_allowlist_regexes_auto`) so as to restrict the bot to your homeserver's users.
+
+If you need **to undo or tweak these security improvements**, you can change your `vars.yml` file to:
+
+- disable the allowlist (`matrix_bot_matrix_reminder_bot_allowlist_enabled: false`), making the bot allow usage by anyone, anywhere
+
+- inject additional allowed servers or users by adding **additional** (on top of the default allowlist in `matrix_bot_matrix_reminder_bot_allowlist_regexes_auto`) custom regexes in the `matrix_bot_matrix_reminder_bot_allowlist_regexes_custom` list variable (see the [syntax reference](https://github.com/anoadragon453/matrix-reminder-bot/blob/1e910c0aa3469d280d93ee7e6c6d577227a3460c/sample.config.yaml#L43-L49))
+
+- override the default allowlist (in the `group_vars/matrix_servers` file) by redefining `matrix_bot_matrix_reminder_bot_allowlist_regexes_auto`
+
+
 # 2024-01-05
 
 ## matrix-mailer has been replaced by the exim-relay external role
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index ce644ae38..f10afe678 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -1681,11 +1681,16 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
+matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
+
 # Postgres is the default, except if not using internal Postgres server
 matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
 matrix_bot_matrix_reminder_bot_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'reminder.bot.db', rounds=655555) | to_uuid }}"
-matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
+
+matrix_bot_matrix_reminder_bot_allowlist_enabled: true
+matrix_bot_matrix_reminder_bot_allowlist_regexes_auto:
+  - "@[a-z0-9-_.]+:{{ matrix_domain }}"
 
 ######################################################################
 #
diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml
index 2f43024a3..f9a5a25e6 100644
--- a/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml
+++ b/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml
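Review bot: The regex on the added `matrix_bot_matrix_reminder_bot_allowlist_regexes_auto` entry is neither anchored nor escaped: the dots in `matrix_domain` match any character, and unless the bot compares the whole MXID (fullmatch) rather than a prefix, a server name that merely begins with your domain would also pass the allowlist. A safer default would be `- "^@[a-z0-9._=/+-]+:{{ matrix_domain | regex_escape }}$"`, which additionally admits the `=`, `/` and `+` characters Matrix permits in user localparts and that the current class `[a-z0-9-_.]` rejects, locking out otherwise legitimate local users. How the bot applies the regex is not visible in this hunk, so the anchoring concern should be confirmed against matrix-reminder-bot's matching code before relying on the pattern as written.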
@@ -9,9 +9,10 @@ matrix_bot_matrix_reminder_bot_docker_repo: "https://github.com/anoadragon453/ma
 matrix_bot_matrix_reminder_bot_docker_repo_version: "{{ matrix_bot_matrix_reminder_bot_version }}"
 matrix_bot_matrix_reminder_bot_docker_src_files_path: "{{ matrix_base_data_path }}/matrix-reminder-bot/docker-src"
 
-# renovate: datasource=docker depName=anoa/matrix-reminder-bot
-matrix_bot_matrix_reminder_bot_version: release-v0.2.1
-matrix_bot_matrix_reminder_bot_docker_image: "{{ matrix_container_global_registry_prefix }}anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}"
+# renovate: datasource=docker depName=ghcr.io/anoadragon453/matrix-reminder-bot
+matrix_bot_matrix_reminder_bot_version: v0.3.0
+matrix_bot_matrix_reminder_bot_docker_image: "{{ matrix_bot_matrix_reminder_bot_docker_image_name_prefix }}anoadragon453/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}"
+matrix_bot_matrix_reminder_bot_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_matrix_reminder_bot_container_image_self_build else 'ghcr.io/' }}"
 matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}"
 
 matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot"
@@ -74,6 +75,17 @@ matrix_bot_matrix_reminder_bot_matrix_homeserver_url: "{{ matrix_homeserver_cont
 # Examples: 'Europe/London', 'Etc/UTC'
 matrix_bot_matrix_reminder_bot_reminders_timezone: ''
 
+matrix_bot_matrix_reminder_bot_allowlist_enabled: false
+matrix_bot_matrix_reminder_bot_allowlist_regexes: "{{ matrix_bot_matrix_reminder_bot_allowlist_regexes_auto + matrix_bot_matrix_reminder_bot_allowlist_regexes_custom }}"
+matrix_bot_matrix_reminder_bot_allowlist_regexes_auto: []
+matrix_bot_matrix_reminder_bot_allowlist_regexes_custom: []
+
+# If both the blocklist and whitelist are enabled at the same time, the blocklist takes precedence.
+matrix_bot_matrix_reminder_bot_blocklist_enabled: false
+matrix_bot_matrix_reminder_bot_blocklist_regexes: "{{ matrix_bot_matrix_reminder_bot_blocklist_regexes_auto + matrix_bot_matrix_reminder_bot_blocklist_regexes_custom }}"
+matrix_bot_matrix_reminder_bot_blocklist_regexes_auto: []
+matrix_bot_matrix_reminder_bot_blocklist_regexes_custom: []
+
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
diff --git a/roles/custom/matrix-bot-matrix-reminder-bot/templates/config.yaml.j2 b/roles/custom/matrix-bot-matrix-reminder-bot/templates/config.yaml.j2
index 338bffba0..8502ae753 100644
--- a/roles/custom/matrix-bot-matrix-reminder-bot/templates/config.yaml.j2
+++ b/roles/custom/matrix-bot-matrix-reminder-bot/templates/config.yaml.j2
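Review bot: The new allowlist variables carry no comment explaining their fail-closed behavior, and the blocklist comment uses "whitelist" where every variable name and the rendered template say "allowlist". I would add above `matrix_bot_matrix_reminder_bot_allowlist_enabled` a comment such as `# A list of MXID regexes; when the allowlist is enabled and the combined list is empty, the bot responds to nobody. Put your own patterns in _regexes_custom and leave _regexes_auto for the playbook.` and change the blocklist comment to `# If both the blocklist and the allowlist are enabled at the same time, the blocklist takes precedence.` This matters because the role default is `false` here while `group_vars/matrix_servers` flips it to `true`, so an operator who overrides `_regexes_auto` with an empty list silently locks everyone out.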
@@ -33,6 +33,33 @@ reminders:
   # If not set, UTC will be used
   timezone: {{ matrix_bot_matrix_reminder_bot_reminders_timezone }}
 
+# Restrict the bot to only respond to certain MXIDs
+allowlist:
+  # Set to true to enable the allowlist
+  enabled: {{ matrix_bot_matrix_reminder_bot_allowlist_enabled | to_json }}
+  # A list of MXID regexes to be allowed
+  # To allow a certain homeserver:
+  # regexes: ["@[a-z0-9-_.]+:myhomeserver.tld"]
+  # To allow a set of users:
+  # regexes: ["@alice:someserver.tld", "@bob:anotherserver.tld"]
+  # To allow nobody (same as blocking every MXID):
+  # regexes: []
+  regexes: {{ matrix_bot_matrix_reminder_bot_allowlist_regexes | to_json }}
+
+# Prevent the bot from responding to certain MXIDs
+# If both allowlist and blocklist are enabled, blocklist entries takes precedence
+blocklist:
+  # Set to true to enable the blocklist
+  enabled: {{ matrix_bot_matrix_reminder_bot_blocklist_enabled | to_json }}
+  # A list of MXID regexes to be blocked
+  # To block a certain homeserver:
+  # regexes: [".*:myhomeserver.tld"]
+  # To block a set of users:
+  # regexes: ["@alice:someserver.tld", "@bob:anotherserver.tld"]
+  # To block absolutely everyone (same as allowing nobody):
+  # regexes: [".*"]
+  regexes: {{ matrix_bot_matrix_reminder_bot_blocklist_regexes | to_json }}
+
 # Logging setup
 logging:
   # Logging level
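Review bot: The copied comment `# If both allowlist and blocklist are enabled, blocklist entries takes precedence` has a number-agreement slip; `# If both allowlist and blocklist are enabled, blocklist entries take precedence`. Rendering both `regexes` values through `to_json` is the right call, since the patterns contain `[`, `+` and `.` characters that a bare Jinja expansion would hand to the YAML parser unquoted; worth keeping that filter if the lines are ever reworked.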