manymjolnir appservice (#364)

Mjolnir can now be run as an application service,
meaning it will host multiple independent mjolnirs that can be requested by users.
If the user is on the same homeserver as the appservice is deployed on,
then they can provision a mjolnir via a widget https://github.com/matrix-org/mjolnir-widget.
Otherwise they can invite the appservice bot to a room they want to protect.
This will create them a mjolnir, a management room and a policy list.

The appservice shares the same docker image as the bot,
but is started slightly differently by specifying "appservice"
as the first argument to docker run (this s managed by `mjolnir-entrypoint.sh`. 
We could have used another Dockerfile for the appservice,
extending the existing one but we decided not to because there
would have been lots of fiddling around the entrypoint
and logistics involved around adding a tag for it via github actions.
Not to mention that this would be duplicating the image
just to run it with a different binary.

A list of followup issues can be found here https://github.com/issues?q=is%3Aopen+is%3Aissue+author%3AGnuxie+archived%3Afalse+label%3AA-Appservice.

Somewhat relevant and squashed commit messages(regrettably squashing because frankly these won't make sense in isolation): 

* draft widget backend

* add `managementRoomId` to `provisionNewMjolnir`

* remove ratelimits from appservice mjolnirs

* add /join endpoint to api backend


* tighter guard around room type in PolicyList

matrix-bot-sdk imporved the types for this

* enable esModuleInterop

* launch and use postgres in a container whilst using mx-tester


* limited access control

policy list used for access control

* Redesign initialization API of many mjolnir.

It's much harder to forget to initialize the components now that you have to in order to construct them in the first place.


* Ammend config not to clash with existing CI

this means that the appsrvice bot is now called 'mjolnir-bot' by default
which was easier than going through old code base and renaming


* Change entrypoint in Dockerfile so that we can start the appservice.

We could have used another Dockerfile for the appservice,
extending the exising one but we decided not to because there
would have been lots of fiddling around the entrypoint
and logistics involved around adding a tag for it via github actions.
Not to mention that this would be duplicating the image
just to run it with a different binary.

This solution is much simpler, backwards compatible, and conscious about the future.


Co-authored-by: gnuxie <[email protected]>

Author: jesopo

.github/workflows/mjolnir.yml

@@ -56,3 +56,25 @@ jobs:
       run: RUST_LOG=debug,hyper=info,rusttls=info mx-tester run
     - name: Cleanup
       run: mx-tester down
+  appservice-integration:
+    name: Application Service Integration tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-node@v3
+      with:
+        node-version: '16'
+    - name: Fetch and build mx-tester (cached across runs)
+      uses: baptiste0928/cargo-install@v1
+      with:
+        crate: mx-tester
+        version: "0.3.3"
+    - name: Setup image
+      run: RUST_LOG=debug,hyper=info,rusttls=info mx-tester build up
+    - name: Setup dependencies
+      run: yarn install
+    - name: Run tests
+      run: yarn test:appservice:integration
+    - name: Cleanup
+      run: mx-tester down

Dockerfile

@@ -1,15 +1,18 @@
-FROM node:16-alpine
+# We can't use alpine anymore because crypto has rust deps.
+FROM node:16-slim
 COPY . /tmp/src
 RUN cd /tmp/src \
     && yarn install \
     && yarn build \
     && mv lib/ /mjolnir/ \
     && mv node_modules / \
+    && mv mjolnir-entrypoint.sh / \
     && cd / \
     && rm -rf /tmp/*
 
 ENV NODE_ENV=production
 ENV NODE_CONFIG_DIR=/data/config
 
-CMD node /mjolnir/index.js
+CMD ["bot"]
+ENTRYPOINT ["./mjolnir-entrypoint.sh"]
 VOLUME ["/data"]

docs/appservice.md

@@ -0,0 +1,32 @@
+Mjolnir can be run as an appservice, allowing users you trust or on your homeserver to run their own Mjolnir without hosting anything themselves.
+This module is currently alpha quality and is subject to rapid changes,
+it is not recommended currently and support will be limited.
+
+# Prerequisites
+
+This guide assumes you will be using Docker and that you are able to provide a postgres database for Mjolnir to connect to in application service mode.
+
+# Setup
+
+1. Create a new Matrix room that will act as a policy list for who can use the appservice.
+   FIXME: Currently required to be aliased.
+   FIXME: Should really be created and managed by the admin room, but waiting for command refactor before doing that. 
+
+2. Decide on a spare local TCP port number to use that will listen for messages from the matrix homeserver. Take care to configure firewalls appropriately. We will call this port `$MATRIX_PORT` in the remaining instructions.
+
+3. Create a `config/config.appservice.yaml` file that can be copied from the example in `src/appservice/config/config.example.yaml`. Your config file needs to be accessible to the docker container later on. To do this you could create a directory called `mjolnir-data` so we can map it to a volume when we launch the container later on.
+
+4. Generate the appservice registration file. This will be used by both the appservice and your homeserver.
+   Here, you must specify the direct link the Matrix Homeserver can use to access the appservice, including the Matrix port it will send messages through (if this bridge runs on the same machine you can use `localhost` as the `$HOST` name):
+   
+   `docker run -rm -v /your/path/to/mjolnir-data:/data matrixdotorg/mjolnir appservice -r -u "http://$HOST:$MATRIX_PORT" -f /data/config/mjolnir-registration.yaml`
+
+5. Step 4 created an application service bot. This will be a bot iwth the mxid specified in `mjolnir-registration.yaml` under `sender_localpart`. You now need to invite it in the access control room that you have created in Step 1.
+   
+6. Start the application service `docker run -v /your/path/to/mjolnir-data/:/data/ matrixdotorg/mjolnir appservice -c /data/config/config.appservice.yaml -f /data/config/mjolnir-registration.yaml -p $MATRIX_PORT`
+
+7. Copy the `mjolnir-registration.yaml` to your matrix homeserver and refer to it in `homeserver.yaml` like so:
+```
+  app_service_config_files:
+    - "/data/mjolnir-registration.yaml"
+```

mjolnir-entrypoint.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# This is used as the entrypoint in the mjolnir Dockerfile.
+# We want to transition away form people running the image without specifying `bot` or `appservice`.
+# So if eventually cli arguments are provided for the bot version, we want this to be the opportunity to move to `bot`.
+# Therefore using arguments without specifying `bot` (or appservice) is unsupported.
+# We maintain the behaviour where if it looks like someone is providing an executable to `docker run`, then we will execute that instead.
+# This aids configuration and debugging of the image if for example node needed to be started via another method.
+case "$1" in
+  bot) shift; set -- node /mjolnir/index.js "$@";;
+  appservice) shift; set -- node /mjolnir/appservice/cli.js "$@";;
+esac
+
+exec "$@";

mx-tester.yml

@@ -2,8 +2,16 @@ name: mjolnir
 
 up:
   before:
+    - docker run --rm --network $MX_TEST_NETWORK_NAME --name mjolnir-test-postgres --domainname mjolnir-test-postgres -e POSTGRES_PASSWORD=mjolnir-test -e POSTGRES_USER=mjolnir-tester -e POSTGRES_DB=mjolnir-test-db -d -p 127.0.0.1:8083:5432 postgres
+    # Wait until postgresql is ready
+    - until psql postgres://mjolnir-tester:mjolnir-test@localhost:8083/mjolnir-test-db -c ""; do echo "Waiting for psql..."; sleep 1s; done
+    # Make table in postgres
+    - psql postgres://mjolnir-tester:mjolnir-test@localhost:8083/mjolnir-test-db -c "CREATE TABLE mjolnir (local_part VARCHAR(255), owner VARCHAR(255), management_room TEXT)"
     # Launch the reverse proxy, listening for connections *only* on the local host.
     - docker run --rm --network host --name mjolnir-test-reverse-proxy -p 127.0.0.1:8081:80 -v $MX_TEST_CWD/test/nginx.conf:/etc/nginx/nginx.conf:ro -d nginx
+    - yarn install
+    - npx ts-node src/appservice/cli.ts -r -u "http://host.docker.internal:9000"
+    - cp mjolnir-registration.yaml $MX_TEST_SYNAPSE_DIR/data/
   after:
     # Wait until Synapse is ready
     - until curl localhost:9999 --stderr /dev/null > /dev/null; do echo "Waiting for Synapse..."; sleep 1s; done
@@ -14,12 +22,13 @@ run:
 
 down:
   finally:
+    - docker stop mjolnir-test-postgres || true
     - docker stop mjolnir-test-reverse-proxy || true
 
 modules:
   - name: mjolnir
     build:
-      - cp -r synapse_antispam $MX_TEST_MODULE_DIR
+      - cp -r synapse_antispam $MX_TEST_MODULE_DIR/
     config:
       module: mjolnir.Module
       config: {}
@@ -34,6 +43,9 @@ homeserver:
   enable_registration: true
   enable_registration_without_verification: true
 
+  app_service_config_files:
+    - "/data/mjolnir-registration.yaml"
+
   # We remove rc_message so we can test rate limiting,
   # but we keep the others because of https://github.com/matrix-org/synapse/issues/11785
   # and we don't want to slow integration tests down.

package.json

@@ -14,37 +14,44 @@
     "start:dev": "yarn build && node --async-stack-traces lib/index.js",
     "test": "ts-mocha --project ./tsconfig.json test/commands/**/*.ts",
     "test:integration": "NODE_ENV=harness ts-mocha --async-stack-traces --require test/integration/fixtures.ts --timeout 300000 --project ./tsconfig.json \"test/integration/**/*Test.ts\"",
+    "test:appservice:integration": "NODE_ENV=harness ts-mocha --async-stack-traces --timeout 300000 --project ./tsconfig.json \"test/appservice/integration/**/*Test.ts\"",
     "test:manual": "NODE_ENV=harness ts-node test/integration/manualLaunchScript.ts",
     "version": "sed -i '/# version automated/s/[0-9][0-9]*\\.[0-9][0-9]*\\.[0-9][0-9]*/'$npm_package_version'/' synapse_antispam/setup.py && git add synapse_antispam/setup.py && cat synapse_antispam/setup.py"
   },
   "devDependencies": {
     "@types/crypto-js": "^4.0.2",
+    "@types/express": "^4.17.13",
     "@types/html-to-text": "^8.0.1",
     "@types/humanize-duration": "^3.27.1",
     "@types/js-yaml": "^4.0.5",
     "@types/jsdom": "^16.2.11",
     "@types/mocha": "^9.0.0",
+    "@types/nedb": "^1.8.12",
     "@types/node": "^16.7.10",
+    "@types/pg": "^8.6.5",
+    "@types/request": "^2.48.8",
     "@types/shell-quote": "1.7.1",
     "crypto-js": "^4.1.1",
     "eslint": "^7.32",
     "expect": "^27.0.6",
     "mocha": "^9.0.1",
     "ts-mocha": "^9.0.2",
     "tslint": "^6.1.3",
-    "typescript": "^4.3.5",
+    "typescript": "^4.8.4",
     "typescript-formatter": "^7.2"
   },
   "dependencies": {
     "await-lock": "^2.2.2",
+    "body-parser": "^1.20.1",
     "express": "^4.17",
     "html-to-text": "^8.0.0",
     "humanize-duration": "^3.27.1",
     "humanize-duration-ts": "^2.1.1",
     "js-yaml": "^4.1.0",
     "jsdom": "^16.6.0",
-    "matrix-bot-sdk": "^0.5.19",
+    "matrix-appservice-bridge": "^5.0.0",
     "parse-duration": "^1.0.2",
+    "pg": "^8.8.0",
     "shell-quote": "^1.7.3",
     "yaml": "^2.1.1"
   },

src/appservice/AccessControl.ts

@@ -0,0 +1,66 @@
+/*
+Copyright 2022 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import { Bridge } from "matrix-appservice-bridge";
+import AccessControlUnit, { EntityAccess } from "../models/AccessControlUnit";
+import PolicyList from "../models/PolicyList";
+import { Permalinks } from "matrix-bot-sdk";
+
+/**
+ * Utility to manage which users have access to the application service,
+ * meaning whether a user is able to provision a mjolnir or continue to use one.
+ * Internally we use a policy list within matrix to determine who has access via the `AccessControlUnit`.
+ */
+export class AccessControl {
+
+    private constructor(
+        private readonly accessControlList: PolicyList,
+        private readonly accessControlUnit: AccessControlUnit
+        ) {
+    }
+
+    /**
+     * Construct and initialize access control for the `MjolnirAppService`.
+     * @param accessControlListId The room id of a policy list used to manage access to the appservice (who can provision & use mjolniren)
+     * @param bridge The matrix-appservice-bridge, used to get the appservice bot.
+     * @returns A new instance of `AccessControl` to be used by `MjolnirAppService`.
+     */
+    public static async setupAccessControl(
+        /** The room id for the access control list. */
+        accessControlListId: string,
+        bridge: Bridge,
+    ): Promise<AccessControl> {
+        await bridge.getBot().getClient().joinRoom(accessControlListId);
+        const accessControlList = new PolicyList(
+            accessControlListId,
+            Permalinks.forRoom(accessControlListId),
+            bridge.getBot().getClient()
+        );
+        const accessControlUnit = new AccessControlUnit([accessControlList]);
+        await accessControlList.updateList();
+        return new AccessControl(accessControlList, accessControlUnit);
+    }
+
+    public handleEvent(roomId: string, event: any) {
+        if (roomId === this.accessControlList.roomId) {
+            this.accessControlList.updateForEvent(event);
+        }
+    }
+
+    public getUserAccess(mxid: string): EntityAccess {
+        return this.accessControlUnit.getAccessForUser(mxid, "CHECK_SERVER");
+    }
+}