Test/register OIDC

.github/workflows/build.yaml

@@ -3,8 +3,9 @@ name: Build
 on:
   push:
     branches:
-      - main
+      - main_tchap
       - "release/**"
+      - "test/**"
     tags:
       - "v*"
 
@@ -22,9 +23,9 @@ env:
   CARGO_NET_GIT_FETCH_WITH_CLI: "true"
   SCCACHE_GHA_ENABLED: "true"
   RUSTC_WRAPPER: "sccache"
-  IMAGE: ghcr.io/element-hq/matrix-authentication-service
-  IMAGE_SYN2MAS: ghcr.io/element-hq/matrix-authentication-service/syn2mas
-  BUILDCACHE: ghcr.io/element-hq/matrix-authentication-service/buildcache
+  IMAGE: ghcr.io/tchapgouv/matrix-authentication-service
+  IMAGE_SYN2MAS: ghcr.io/tchapgouv/matrix-authentication-service/syn2mas
+  BUILDCACHE: ghcr.io/tchapgouv/matrix-authentication-service/buildcache
   DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 
 jobs:
@@ -313,7 +314,7 @@ jobs:
         # Only sign on tags and on commits on main branch
         if: |
           github.event_name != 'pull_request'
-          && (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main')
+          && (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main_tchap')
 
         env:
           REGULAR_DIGEST: ${{ steps.output.outputs.metadata && fromJSON(steps.output.outputs.metadata).regular.digest }}
@@ -329,7 +330,7 @@ jobs:
   syn2mas:
     name: Release syn2mas on NPM
     runs-on: ubuntu-24.04
-    if: github.event_name != 'pull_request'
+    if: 'false'
 
     permissions:
       contents: read
@@ -422,7 +423,7 @@ jobs:
 
   unstable:
     name: Update the unstable release
-    if: github.ref == 'refs/heads/main'
+    if: github.ref == 'refs/heads/main_tchap'
     runs-on: ubuntu-24.04
 
     needs:

Cargo.toml

@@ -56,6 +56,13 @@ mas-tower = { path = "./crates/tower/", version = "=0.15.0-rc.0" }
 oauth2-types = { path = "./crates/oauth2-types/", version = "=0.15.0-rc.0" }
 syn2mas = { path = "./crates/syn2mas", version = "=0.15.0-rc.0" }
 
+# :tchap:
+# [workspace.dependencies.tchap]
+# path = "./crates/tchap"
+# version = "=0.1.0"
+# :tchap:end
+
+
 # OpenAPI schema generation and validation
 [workspace.dependencies.aide]
 version = "0.14.2"

crates/cli/src/sync.rs

@@ -300,6 +300,7 @@ pub async fn config_sync(
                         fetch_userinfo: provider.fetch_userinfo,
                         userinfo_signed_response_alg: provider.userinfo_signed_response_alg,
                         response_mode,
+                        allow_existing_users: provider.allow_existing_users,
                         additional_authorization_parameters: provider
                             .additional_authorization_parameters
                             .into_iter()

crates/config/src/sections/upstream_oauth2.rs

@@ -543,6 +543,13 @@ pub struct Provider {
     #[serde(default, skip_serializing_if = "ClaimsImports::is_default")]
     pub claims_imports: ClaimsImports,
 
+    /// Whether to allow a user logging in via OIDC to match a pre-existing
+    /// account instead of failing. This could be used if switching from
+    /// password logins to OIDC.
+    //Defaults to false.
+    #[serde(default)]
+    pub allow_existing_users: bool,
+
     /// Additional parameters to include in the authorization request
     ///
     /// Orders of the keys are not preserved.

crates/data-model/src/upstream_oauth2/provider.rs

@@ -240,6 +240,7 @@ pub struct UpstreamOAuthProvider {
     pub created_at: DateTime<Utc>,
     pub disabled_at: Option<DateTime<Utc>>,
     pub claims_imports: ClaimsImports,
+    pub allow_existing_users: bool,
     pub additional_authorization_parameters: Vec<(String, String)>,
 }
 

crates/handlers/Cargo.toml

@@ -106,6 +106,11 @@ mas-templates.workspace = true
 oauth2-types.workspace = true
 zxcvbn = "3.1.0"
 
+# tchap.workspace = true
+#:tchap:
+tchap = { path = "../tchap", version = "=0.1.0" }
+#:tchap:end 
+
 [dev-dependencies]
 insta.workspace = true
 tracing-subscriber.workspace = true

crates/handlers/src/admin/v1/upstream_oauth_links/mod.rs

@@ -46,6 +46,7 @@ mod test_utils {
             token_endpoint_override: None,
             userinfo_endpoint_override: None,
             jwks_uri_override: None,
+            allow_existing_users: true,
             additional_authorization_parameters: Vec::new(),
             ui_order: 0,
         }

crates/handlers/src/upstream_oauth2/cache.rs

@@ -422,6 +422,7 @@ mod tests {
             created_at: clock.now(),
             disabled_at: None,
             claims_imports: UpstreamOAuthProviderClaimsImports::default(),
+            allow_existing_users: false,
             additional_authorization_parameters: Vec::new(),
         };
 

crates/handlers/src/upstream_oauth2/link.rs

@@ -37,10 +37,13 @@ use mas_templates::{
 use minijinja::Environment;
 use opentelemetry::{Key, KeyValue, metrics::Counter};
 use serde::{Deserialize, Serialize};
+//:tchap:
+use tchap::{self, EmailAllowedResult};
 use thiserror::Error;
 use tracing::warn;
 use ulid::Ulid;
 
+//:tchap: end
 use super::{
     UpstreamSessionsCookie,
     template::{AttributeMappingContext, environment},
@@ -434,7 +437,53 @@ pub(crate) async fn get(
                     &context,
                     provider.claims_imports.email.is_required(),
                 )? {
-                    Some(value) => ctx.with_email(value, provider.claims_imports.email.is_forced()),
+                    Some(value) => {
+                        //:tchap:
+                        let server_name = homeserver.homeserver();
+                        let email_result = check_email_allowed(&value, &server_name).await;
+
+                        match email_result {
+                            EmailAllowedResult::Allowed => {
+                                // Email is allowed, continue
+                            }
+                            EmailAllowedResult::WrongServer => {
+                                // Email is mapped to a different server
+                                let ctx = ErrorContext::new()
+                                    .with_code("wrong_server")
+                                    .with_description(format!(
+                                        "Votre adresse mail {} est associée à un autre serveur.",
+                                        value
+                                    ))
+                                    .with_details(format!("Veuillez-vous contacter le support de Tchap [email protected]"))
+                                    .with_language(&locale);
+
+                                //return error template
+                                return Ok((
+                                    cookie_jar,
+                                    Html(templates.render_error(&ctx)?).into_response(),
+                                ));
+                            }
+                            EmailAllowedResult::InvitationMissing => {
+                                // Server requires an invitation that is not present
+                                let ctx = ErrorContext::new()
+                                    .with_code("invitation_missing")
+                                    .with_description(format!(
+                                        "Vous avez besoin d'une invitation pour accéder à Tchap."
+                                    ))
+                                    .with_details(format!("Les partenaires externes peuvent accéder à Tchap uniquement avec une invitation d'un agent public."))
+                                    .with_language(&locale);
+
+                                //return error template
+                                return Ok((
+                                    cookie_jar,
+                                    Html(templates.render_error(&ctx)?).into_response(),
+                                ));
+                            }
+                        }
+                        //:tchap: end
+
+                        ctx.with_email(value, provider.claims_imports.email.is_forced())
+                    }
                     None => ctx,
                 }
             };
@@ -465,7 +514,9 @@ pub(crate) async fn get(
                             .await
                             .map_err(RouteError::HomeserverConnection)?;
 
-                        if maybe_existing_user.is_some() || !is_available {
+                        if !provider.allow_existing_users
+                            && (maybe_existing_user.is_some() || !is_available)
+                        {
                             if let Some(existing_user) = maybe_existing_user {
                                 // The mapper returned a username which already exists, but isn't
                                 // linked to this upstream user.
@@ -742,15 +793,16 @@ pub(crate) async fn post(
                         mas_templates::UpstreamRegisterFormField::Username,
                         FieldError::Required,
                     );
-                } else if repo.user().exists(&username).await? {
+                } else if !provider.allow_existing_users && repo.user().exists(&username).await? {
                     form_state.add_error_on_field(
                         mas_templates::UpstreamRegisterFormField::Username,
                         FieldError::Exists,
                     );
-                } else if !homeserver
-                    .is_localpart_available(&username)
-                    .await
-                    .map_err(RouteError::HomeserverConnection)?
+                } else if !provider.allow_existing_users
+                    && !homeserver
+                        .is_localpart_available(&username)
+                        .await
+                        .map_err(RouteError::HomeserverConnection)?
                 {
                     // The user already exists on the homeserver
                     tracing::warn!(
@@ -830,10 +882,22 @@ pub(crate) async fn post(
                     .into_response());
             }
 
-            REGISTRATION_COUNTER.add(1, &[KeyValue::new(PROVIDER, provider.id.to_string())]);
-
-            // Now we can create the user
-            let user = repo.user().add(&mut rng, &clock, username).await?;
+            let user = if provider.allow_existing_users {
+                // If the provider allows existing users, we can use the existing user
+                let existing_user = repo.user().find_by_username(&username).await?;
+                if existing_user.is_some() {
+                    existing_user.unwrap()
+                } else {
+                    REGISTRATION_COUNTER
+                        .add(1, &[KeyValue::new(PROVIDER, provider.id.to_string())]);
+                    // This case should not happen
+                    repo.user().add(&mut rng, &clock, username).await?
+                }
+            } else {
+                REGISTRATION_COUNTER.add(1, &[KeyValue::new(PROVIDER, provider.id.to_string())]);
+                // Now we can create the user
+                repo.user().add(&mut rng, &clock, username).await?
+            };
 
             if let Some(terms_url) = &site_config.tos_uri {
                 repo.user_terms()
@@ -889,6 +953,19 @@ pub(crate) async fn post(
     Ok((cookie_jar, post_auth_action.go_next(&url_builder)).into_response())
 }
 
+//:tchap:
+///real function used when not testing
+#[cfg(not(test))]
+async fn check_email_allowed(email: &str, server_name: &str) -> EmailAllowedResult {
+    tchap::is_email_allowed(email, server_name).await
+}
+///mock function used when testing
+#[cfg(test)]
+async fn check_email_allowed(_email: &str, _server_name: &str) -> EmailAllowedResult {
+    EmailAllowedResult::Allowed
+}
+//:tchap:end
+
 #[cfg(test)]
 mod tests {
     use hyper::{Request, StatusCode, header::CONTENT_TYPE};
@@ -975,6 +1052,7 @@ mod tests {
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
+                    allow_existing_users: true,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 0,
                 },

crates/handlers/src/upstream_oauth2/template.rs

@@ -11,6 +11,7 @@ use minijinja::{
     Environment, Error, ErrorKind, Value,
     value::{Enumerator, Object},
 };
+use tchap;
 
 /// Context passed to the attribute mapping template
 ///
@@ -187,6 +188,12 @@ pub fn environment() -> Environment<'static> {
     env.add_filter("tlvdecode", tlvdecode);
     env.add_filter("string", string);
     env.add_filter("from_json", from_json);
+
+    // Add Tchap-specific filters, this could be a generic config submitted 
+    // to upstream allowing all users to add their own filters without upstream code modifications
+    // tester les fonctions async pour le reseau
+    env.add_filter("email_to_display_name", |s: &str| tchap::email_to_display_name(s));
+    env.add_filter("email_to_mxid_localpart", |s: &str| tchap::email_to_mxid_localpart(s));
 
     env.set_unknown_method_callback(minijinja_contrib::pycompat::unknown_method_callback);
 

crates/handlers/src/views/login.rs

@@ -494,6 +494,7 @@ mod test {
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
+                    allow_existing_users: true,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 0,
                 },
@@ -535,6 +536,7 @@ mod test {
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
                     response_mode: None,
+                    allow_existing_users: true,
                     additional_authorization_parameters: Vec::new(),
                     ui_order: 1,
                 },