Allow configuring a 'read-only' connection to the homeserver (#4145)

Author: sandhose

crates/cli/src/app_state.rs

@@ -15,8 +15,7 @@ use mas_handlers::{
 };
 use mas_i18n::Translator;
 use mas_keystore::{Encrypter, Keystore};
-use mas_matrix::BoxHomeserverConnection;
-use mas_matrix_synapse::SynapseConnection;
+use mas_matrix::HomeserverConnection;
 use mas_policy::{Policy, PolicyFactory};
 use mas_router::UrlBuilder;
 use mas_storage::{BoxClock, BoxRepository, BoxRng, SystemClock};
@@ -37,7 +36,7 @@ pub struct AppState {
     pub cookie_manager: CookieManager,
     pub encrypter: Encrypter,
     pub url_builder: UrlBuilder,
-    pub homeserver_connection: SynapseConnection,
+    pub homeserver_connection: Arc<dyn HomeserverConnection>,
     pub policy_factory: Arc<PolicyFactory>,
     pub graphql_schema: GraphQLSchema,
     pub http_client: reqwest::Client,
@@ -204,9 +203,9 @@ impl FromRef<AppState> for Limiter {
     }
 }
 
-impl FromRef<AppState> for BoxHomeserverConnection {
+impl FromRef<AppState> for Arc<dyn HomeserverConnection> {
     fn from_ref(input: &AppState) -> Self {
-        Box::new(input.homeserver_connection.clone())
+        Arc::clone(&input.homeserver_connection)
     }
 }
 

crates/cli/src/commands/manage.rs

@@ -17,7 +17,6 @@ use mas_config::{
 use mas_data_model::{Device, TokenType, Ulid, UpstreamOAuthProvider, User};
 use mas_email::Address;
 use mas_matrix::HomeserverConnection;
-use mas_matrix_synapse::SynapseConnection;
 use mas_storage::{
     Clock, RepositoryAccess, SystemClock,
     compat::{CompatAccessTokenRepository, CompatSessionFilter, CompatSessionRepository},
@@ -33,7 +32,10 @@ use rand::{RngCore, SeedableRng};
 use sqlx::{Acquire, types::Uuid};
 use tracing::{error, info, info_span, warn};
 
-use crate::util::{database_connection_from_config, password_manager_from_config};
+use crate::util::{
+    database_connection_from_config, homeserver_connection_from_config,
+    password_manager_from_config,
+};
 
 const USER_ATTRIBUTES_HEADING: &str = "User attributes";
 
@@ -491,12 +493,7 @@ impl Options {
                 let matrix_config = MatrixConfig::extract(figment)?;
 
                 let password_manager = password_manager_from_config(&password_config).await?;
-                let homeserver = SynapseConnection::new(
-                    matrix_config.homeserver,
-                    matrix_config.endpoint,
-                    matrix_config.secret,
-                    http_client,
-                );
+                let homeserver = homeserver_connection_from_config(&matrix_config, http_client);
                 let mut conn = database_connection_from_config(&database_config).await?;
                 let txn = conn.begin().await?;
                 let mut repo = PgRepository::from_conn(txn);
@@ -746,7 +743,7 @@ impl std::fmt::Display for HumanReadable<&UpstreamOAuthProvider> {
 async fn check_and_normalize_username<'a>(
     localpart_or_mxid: &'a str,
     repo: &mut dyn RepositoryAccess<Error = DatabaseError>,
-    homeserver: &SynapseConnection,
+    homeserver: &dyn HomeserverConnection,
 ) -> anyhow::Result<&'a str> {
     // XXX: this is a very basic MXID to localpart conversion
     // Strip any leading '@'
@@ -828,7 +825,7 @@ impl UserCreationRequest<'_> {
     }
 
     /// Show the user creation request in a human-readable format
-    fn show(&self, term: &Term, homeserver: &SynapseConnection) -> std::io::Result<()> {
+    fn show(&self, term: &Term, homeserver: &dyn HomeserverConnection) -> std::io::Result<()> {
         let value_style = Style::new().green();
         let key_style = Style::new().bold();
         let warning_style = Style::new().italic().red().bright();

crates/cli/src/commands/server.rs

@@ -15,7 +15,6 @@ use mas_config::{
 };
 use mas_handlers::{ActivityTracker, CookieManager, Limiter, MetadataCache};
 use mas_listener::server::Server;
-use mas_matrix_synapse::SynapseConnection;
 use mas_router::UrlBuilder;
 use mas_storage::SystemClock;
 use mas_storage_pg::MIGRATOR;
@@ -26,9 +25,9 @@ use crate::{
     app_state::AppState,
     lifecycle::LifecycleManager,
     util::{
-        database_pool_from_config, mailer_from_config, password_manager_from_config,
-        policy_factory_from_config, site_config_from_config, templates_from_config,
-        test_mailer_in_background,
+        database_pool_from_config, homeserver_connection_from_config, mailer_from_config,
+        password_manager_from_config, policy_factory_from_config, site_config_from_config,
+        templates_from_config, test_mailer_in_background,
     },
 };
 
@@ -153,12 +152,8 @@ impl Options {
 
         let http_client = mas_http::reqwest_client();
 
-        let homeserver_connection = SynapseConnection::new(
-            config.matrix.homeserver.clone(),
-            config.matrix.endpoint.clone(),
-            config.matrix.secret.clone(),
-            http_client.clone(),
-        );
+        let homeserver_connection =
+            homeserver_connection_from_config(&config.matrix, http_client.clone());
 
         if !self.no_worker {
             let mailer = mailer_from_config(&config.email, &templates)?;

crates/cli/src/commands/worker.rs

@@ -9,15 +9,14 @@ use std::{process::ExitCode, time::Duration};
 use clap::Parser;
 use figment::Figment;
 use mas_config::{AppConfig, ConfigurationSection};
-use mas_matrix_synapse::SynapseConnection;
 use mas_router::UrlBuilder;
 use tracing::{info, info_span};
 
 use crate::{
     lifecycle::LifecycleManager,
     util::{
-        database_pool_from_config, mailer_from_config, site_config_from_config,
-        templates_from_config, test_mailer_in_background,
+        database_pool_from_config, homeserver_connection_from_config, mailer_from_config,
+        site_config_from_config, templates_from_config, test_mailer_in_background,
     },
 };
 
@@ -58,12 +57,7 @@ impl Options {
         test_mailer_in_background(&mailer, Duration::from_secs(30));
 
         let http_client = mas_http::reqwest_client();
-        let conn = SynapseConnection::new(
-            config.matrix.homeserver.clone(),
-            config.matrix.endpoint.clone(),
-            config.matrix.secret.clone(),
-            http_client,
-        );
+        let conn = homeserver_connection_from_config(&config.matrix, http_client);
 
         drop(config);
 

crates/cli/src/util.rs

@@ -4,17 +4,19 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 // Please see LICENSE in the repository root for full details.
 
-use std::time::Duration;
+use std::{sync::Arc, time::Duration};
 
 use anyhow::Context;
 use mas_config::{
     AccountConfig, BrandingConfig, CaptchaConfig, DatabaseConfig, EmailConfig, EmailSmtpMode,
-    EmailTransportKind, ExperimentalConfig, MatrixConfig, PasswordsConfig, PolicyConfig,
-    TemplatesConfig,
+    EmailTransportKind, ExperimentalConfig, HomeserverKind, MatrixConfig, PasswordsConfig,
+    PolicyConfig, TemplatesConfig,
 };
 use mas_data_model::{SessionExpirationConfig, SiteConfig};
 use mas_email::{MailTransport, Mailer};
 use mas_handlers::passwords::PasswordManager;
+use mas_matrix::{HomeserverConnection, ReadOnlyHomeserverConnection};
+use mas_matrix_synapse::SynapseConnection;
 use mas_policy::PolicyFactory;
 use mas_router::UrlBuilder;
 use mas_templates::{SiteConfigExt, TemplateLoadingError, Templates};
@@ -346,6 +348,32 @@ pub async fn database_connection_from_config(
         .context("could not connect to the database")
 }
 
+/// Create a clonable, type-erased [`HomeserverConnection`] from the
+/// configuration
+pub fn homeserver_connection_from_config(
+    config: &MatrixConfig,
+    http_client: reqwest::Client,
+) -> Arc<dyn HomeserverConnection> {
+    match config.kind {
+        HomeserverKind::Synapse => Arc::new(SynapseConnection::new(
+            config.homeserver.clone(),
+            config.endpoint.clone(),
+            config.secret.clone(),
+            http_client,
+        )),
+        HomeserverKind::SynapseReadOnly => {
+            let connection = SynapseConnection::new(
+                config.homeserver.clone(),
+                config.endpoint.clone(),
+                config.secret.clone(),
+                http_client,
+            );
+            let readonly = ReadOnlyHomeserverConnection::new(connection);
+            Arc::new(readonly)
+        }
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use rand::SeedableRng;

crates/config/src/sections/matrix.rs

@@ -23,10 +23,29 @@ fn default_endpoint() -> Url {
     Url::parse("http://localhost:8008/").unwrap()
 }
 
+/// The kind of homeserver it is.
+#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema, Default)]
+#[serde(rename_all = "snake_case")]
+pub enum HomeserverKind {
+    /// Homeserver is Synapse
+    #[default]
+    Synapse,
+
+    /// Homeserver is Synapse, in read-only mode
+    ///
+    /// This is meant for testing rolling out Matrix Authentication Service with
+    /// no risk of writing data to the homeserver.
+    SynapseReadOnly,
+}
+
 /// Configuration related to the Matrix homeserver
 #[serde_as]
 #[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
 pub struct MatrixConfig {
+    /// The kind of homeserver it is.
+    #[serde(default)]
+    pub kind: HomeserverKind,
+
     /// The server name of the homeserver.
     #[serde(default = "default_homeserver")]
     pub homeserver: String,
@@ -49,6 +68,7 @@ impl MatrixConfig {
         R: Rng + Send,
     {
         Self {
+            kind: HomeserverKind::default(),
             homeserver: default_homeserver(),
             secret: Alphanumeric.sample_string(&mut rng, 32),
             endpoint: default_endpoint(),
@@ -57,6 +77,7 @@ impl MatrixConfig {
 
     pub(crate) fn test() -> Self {
         Self {
+            kind: HomeserverKind::default(),
             homeserver: default_homeserver(),
             secret: "test".to_owned(),
             endpoint: default_endpoint(),

crates/config/src/sections/mod.rs

@@ -37,7 +37,7 @@ pub use self::{
         BindConfig as HttpBindConfig, HttpConfig, ListenerConfig as HttpListenerConfig,
         Resource as HttpResource, TlsConfig as HttpTlsConfig, UnixOrTcp,
     },
-    matrix::MatrixConfig,
+    matrix::{HomeserverKind, MatrixConfig},
     passwords::{Algorithm as PasswordAlgorithm, PasswordsConfig},
     policy::PolicyConfig,
     rate_limiting::RateLimitingConfig,

crates/handlers/src/admin/mod.rs

@@ -4,6 +4,8 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 // Please see LICENSE in the repository root for full details.
 
+use std::sync::Arc;
+
 use aide::{
     axum::ApiRouter,
     openapi::{OAuth2Flow, OAuth2Flows, OpenApi, SecurityScheme, Server, Tag},
@@ -19,7 +21,7 @@ use hyper::header::{ACCEPT, AUTHORIZATION, CONTENT_TYPE};
 use indexmap::IndexMap;
 use mas_axum_utils::FancyError;
 use mas_http::CorsLayerExt;
-use mas_matrix::BoxHomeserverConnection;
+use mas_matrix::HomeserverConnection;
 use mas_router::{
     ApiDoc, ApiDocCallback, OAuth2AuthorizationEndpoint, OAuth2TokenEndpoint, Route, SimpleRoute,
     UrlBuilder,
@@ -107,7 +109,7 @@ fn finish(t: TransformOpenApi) -> TransformOpenApi {
 pub fn router<S>() -> (OpenApi, Router<S>)
 where
     S: Clone + Send + Sync + 'static,
-    BoxHomeserverConnection: FromRef<S>,
+    Arc<dyn HomeserverConnection>: FromRef<S>,
     PasswordManager: FromRef<S>,
     BoxRng: FromRequestParts<S>,
     CallContext: FromRequestParts<S>,

crates/handlers/src/admin/v1/mod.rs

@@ -4,12 +4,14 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 // Please see LICENSE in the repository root for full details.
 
+use std::sync::Arc;
+
 use aide::axum::{
     ApiRouter,
     routing::{get_with, post_with},
 };
 use axum::extract::{FromRef, FromRequestParts};
-use mas_matrix::BoxHomeserverConnection;
+use mas_matrix::HomeserverConnection;
 use mas_storage::BoxRng;
 
 use super::call_context::CallContext;
@@ -25,7 +27,7 @@ mod users;
 pub fn router<S>() -> ApiRouter<S>
 where
     S: Clone + Send + Sync + 'static,
-    BoxHomeserverConnection: FromRef<S>,
+    Arc<dyn HomeserverConnection>: FromRef<S>,
     PasswordManager: FromRef<S>,
     BoxRng: FromRequestParts<S>,
     CallContext: FromRequestParts<S>,

crates/handlers/src/admin/v1/users/add.rs

@@ -4,10 +4,12 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 // Please see LICENSE in the repository root for full details.
 
+use std::sync::Arc;
+
 use aide::{NoApi, OperationIo, transform::TransformOperation};
 use axum::{Json, extract::State, response::IntoResponse};
 use hyper::StatusCode;
-use mas_matrix::BoxHomeserverConnection;
+use mas_matrix::HomeserverConnection;
 use mas_storage::{
     BoxRng,
     queue::{ProvisionUserJob, QueueJobRepositoryExt as _},
@@ -135,7 +137,7 @@ pub async fn handler(
         mut repo, clock, ..
     }: CallContext,
     NoApi(mut rng): NoApi<BoxRng>,
-    State(homeserver): State<BoxHomeserverConnection>,
+    State(homeserver): State<Arc<dyn HomeserverConnection>>,
     Json(params): Json<Request>,
 ) -> Result<(StatusCode, Json<SingleResponse<User>>), RouteError> {
     if repo.user().exists(&params.username).await? {