Add Tchap Configuration + Account Linking - Check if email is authorized by Tchap (#21)

* add tchap configuration

* add :tchap: comment

Author: mcalinghee

Cargo.lock

@@ -9,7 +9,14 @@ use std::{convert::Infallible, net::IpAddr, sync::Arc};
 use axum::extract::{FromRef, FromRequestParts};
 use ipnetwork::IpNetwork;
 use mas_context::LogContext;
-use mas_data_model::{BoxClock, BoxRng, SiteConfig, SystemClock};
+use mas_data_model::{
+    BoxClock,
+    BoxRng,
+    SiteConfig,
+    SystemClock,
+    //:tchap:
+    TchapConfig, //:tchap:end
+};
 use mas_handlers::{
     ActivityTracker, BoundActivityTracker, CookieManager, ErrorWrapper, GraphQLSchema, Limiter,
     MetadataCache, RequesterFingerprint, passwords::PasswordManager,
@@ -47,6 +54,9 @@ pub struct AppState {
     pub activity_tracker: ActivityTracker,
     pub trusted_proxies: Vec<IpNetwork>,
     pub limiter: Limiter,
+    //:tchap:
+    pub tchap_config: TchapConfig,
+    //:tchap: end
 }
 
 impl AppState {
@@ -214,6 +224,14 @@ impl FromRef<AppState> for Arc<dyn HomeserverConnection> {
     }
 }
 
+//:tchap:
+impl FromRef<AppState> for TchapConfig {
+    fn from_ref(input: &AppState) -> Self {
+        input.tchap_config.clone()
+    }
+}
+//:tchap:end
+
 impl FromRequestParts<AppState> for BoxClock {
     type Rejection = Infallible;
 

crates/cli/src/app_state.rs

@@ -11,10 +11,21 @@ use clap::Parser;
 use figment::Figment;
 use itertools::Itertools;
 use mas_config::{
-    AppConfig, ClientsConfig, ConfigurationSection, ConfigurationSectionExt, UpstreamOAuth2Config,
+    AppConfig,
+    ClientsConfig,
+    ConfigurationSection,
+    ConfigurationSectionExt,
+    //:tchap:
+    TchapAppConfig,
+    // :tchap: end
+    UpstreamOAuth2Config,
 };
 use mas_context::LogContext;
-use mas_data_model::SystemClock;
+use mas_data_model::{
+    SystemClock,
+    //:tchap:
+    TchapConfig, // :tchap: end
+};
 use mas_handlers::{ActivityTracker, CookieManager, Limiter, MetadataCache};
 use mas_listener::server::Server;
 use mas_router::UrlBuilder;
@@ -59,6 +70,10 @@ impl Options {
         let span = info_span!("cli.run.init").entered();
         let mut shutdown = LifecycleManager::new()?;
         let config = AppConfig::extract(figment).map_err(anyhow::Error::from_boxed)?;
+        //:tchap:
+        let tchap_app_config =
+            TchapAppConfig::extract(figment).map_err(anyhow::Error::from_boxed)?;
+        //:tchap: end
 
         info!(version = crate::VERSION, "Starting up");
 
@@ -159,6 +174,10 @@ impl Options {
             &config.captcha,
         )?;
 
+        //:tchap:
+        let tchap_config = tchap_config_from_tchap_app_config(&tchap_app_config);
+        //:tchap: end
+
         // Load and compile the templates
         let templates =
             templates_from_config(&config.templates, &site_config, &url_builder).await?;
@@ -246,6 +265,9 @@ impl Options {
                 activity_tracker,
                 trusted_proxies,
                 limiter,
+                //:tchap:
+                tchap_config,
+                //:tchap:end
             };
             s.init_metrics();
             s.init_metadata_cache();
@@ -334,3 +356,11 @@ impl Options {
         Ok(exit_code)
     }
 }
+
+//:tchap:
+fn tchap_config_from_tchap_app_config(tchap_app_config: &TchapAppConfig) -> TchapConfig {
+    TchapConfig {
+        identity_server_url: tchap_app_config.identity_server_url.clone(),
+    }
+}
+//:tchap: end

crates/cli/src/commands/server.rs

@@ -21,6 +21,9 @@ mod passwords;
 mod policy;
 mod rate_limiting;
 mod secrets;
+//:tchap:
+mod tchap;
+//:tchap:end
 mod telemetry;
 mod templates;
 mod upstream_oauth2;
@@ -44,6 +47,9 @@ pub use self::{
     policy::PolicyConfig,
     rate_limiting::RateLimitingConfig,
     secrets::SecretsConfig,
+    //:tchap:
+    tchap::TchapAppConfig,
+    //:tchap:end
     telemetry::{
         MetricsConfig, MetricsExporterKind, Propagator, TelemetryConfig, TracingConfig,
         TracingExporterKind,

crates/config/src/sections/mod.rs

@@ -0,0 +1,90 @@
+//
+// MIT License
+//
+// Copyright (c) 2025, Direction interministérielle du numérique - Gouvernement
+// Français
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to
+// deal in the Software without restriction, including without limitation the
+// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+// sell copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+// IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+//
+
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+use serde_with::serde_as;
+use url::Url;
+
+use super::ConfigurationSection;
+
+fn default_identity_server_url() -> Url {
+    Url::parse("http://localhost:8090/").unwrap()
+}
+
+/// Tchap specific configuration
+#[serde_as]
+#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
+pub struct TchapAppConfig {
+    /// Identity Server Url
+    #[serde(default = "default_identity_server_url")]
+    pub identity_server_url: Url,
+}
+
+impl ConfigurationSection for TchapAppConfig {
+    const PATH: Option<&'static str> = Some("tchap");
+
+    // NOTE: implement this function to perform validation on config
+    fn validate(
+        &self,
+        _figment: &figment::Figment,
+    ) -> Result<(), Box<dyn std::error::Error + Send + Sync + 'static>> {
+        Ok(())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use figment::{
+        Figment, Jail,
+        providers::{Format, Yaml},
+    };
+
+    use super::*;
+
+    #[test]
+    fn load_config() {
+        Jail::expect_with(|jail| {
+            jail.create_file(
+                "config.yaml",
+                r"
+                    tchap:
+                      identity_server_url: http://localhost:8091
+                ",
+            )?;
+
+            let config = Figment::new()
+                .merge(Yaml::file("config.yaml"))
+                .extract_inner::<TchapAppConfig>("tchap")?;
+
+            assert_eq!(
+                &config.identity_server_url.as_str().to_owned(),
+                "http://localhost:8091/"
+            );
+
+            Ok(())
+        });
+    }
+}

crates/config/src/sections/tchap.rs

@@ -13,6 +13,9 @@ pub(crate) mod compat;
 pub mod oauth2;
 pub(crate) mod policy_data;
 mod site_config;
+//:tchap:
+pub(crate) mod tchap_config;
+//:tchap:end
 pub(crate) mod tokens;
 pub(crate) mod upstream_oauth2;
 pub(crate) mod user_agent;
@@ -38,6 +41,9 @@ pub use self::{
     },
     policy_data::PolicyData,
     site_config::{CaptchaConfig, CaptchaService, SessionExpirationConfig, SiteConfig},
+    //:tchap:
+    tchap_config::*,
+    //:tchap:end
     tokens::{
         AccessToken, AccessTokenState, RefreshToken, RefreshTokenState, TokenFormatError, TokenType,
     },

crates/data-model/src/lib.rs

@@ -0,0 +1,34 @@
+//
+// MIT License
+//
+// Copyright (c) 2025, Direction interministérielle du numérique - Gouvernement
+// Français
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to
+// deal in the Software without restriction, including without limitation the
+// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+// sell copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+// IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+//
+
+use url::Url;
+
+/// Random tchap configuration we want accessible in various places.
+#[allow(clippy::struct_excessive_bools)]
+#[derive(Debug, Clone)]
+pub struct TchapConfig {
+    /// Identity Server Url
+    pub identity_server_url: Url,
+}

crates/data-model/src/tchap_config.rs

@@ -36,7 +36,11 @@ use hyper::{
     },
 };
 use mas_axum_utils::{InternalError, cookies::CookieJar};
-use mas_data_model::SiteConfig;
+use mas_data_model::{
+    SiteConfig,
+    //:tchap:
+    TchapConfig, //:tchap:end
+};
 use mas_http::CorsLayerExt;
 use mas_keystore::{Encrypter, Keystore};
 use mas_matrix::HomeserverConnection;
@@ -350,6 +354,9 @@ where
     BoxClock: FromRequestParts<S>,
     BoxRng: FromRequestParts<S>,
     Policy: FromRequestParts<S>,
+    //:tchap:
+    TchapConfig: FromRef<S>,
+    //:tchap:end
 {
     Router::new()
         // XXX: hard-coded redirect from /account to /account/

crates/handlers/src/lib.rs

@@ -28,7 +28,15 @@ use mas_axum_utils::{
     cookies::{CookieJar, CookieManager},
 };
 use mas_config::RateLimitingConfig;
-use mas_data_model::{BoxClock, BoxRng, SiteConfig, clock::MockClock};
+use mas_data_model::{
+    BoxClock,
+    BoxRng,
+    SiteConfig,
+    //:tchap:
+    TchapConfig,
+    //:tchap:end
+    clock::MockClock,
+};
 use mas_email::{MailTransport, Mailer};
 use mas_i18n::Translator;
 use mas_keystore::{Encrypter, JsonWebKey, JsonWebKeySet, Keystore, PrivateKey};
@@ -112,6 +120,9 @@ pub(crate) struct TestState {
     pub rng: Arc<Mutex<ChaChaRng>>,
     pub http_client: reqwest::Client,
     pub task_tracker: TaskTracker,
+    //:tchap:
+    pub tchap_config: TchapConfig,
+    //:tchap:end
     queue_worker: Arc<tokio::sync::Mutex<QueueWorker>>,
 
     #[allow(dead_code)] // It is used, as it will cancel the CancellationToken when dropped
@@ -256,6 +267,10 @@ impl TestState {
 
         let queue_worker = Arc::new(tokio::sync::Mutex::new(queue_worker));
 
+        //:tchap:
+        let tchap_config = tchap::test_tchap_config();
+        //:tchap:end
+
         Ok(Self {
             repository_factory: PgRepositoryFactory::new(pool),
             templates,
@@ -277,6 +292,9 @@ impl TestState {
             task_tracker,
             queue_worker,
             cancellation_drop_guard: Arc::new(shutdown_token.drop_guard()),
+            //:tchap:
+            tchap_config,
+            //:tchap:end
         })
     }
 
@@ -575,6 +593,14 @@ impl FromRef<TestState> for reqwest::Client {
     }
 }
 
+//:tchap:
+impl FromRef<TestState> for TchapConfig {
+    fn from_ref(input: &TestState) -> Self {
+        input.tchap_config.clone()
+    }
+}
+//:tchap:end
+
 impl FromRequestParts<TestState> for ActivityTracker {
     type Rejection = Infallible;