syn2mas/synapse_reader/config/
mod.rs

1// Copyright 2025 New Vector Ltd.
2//
3// SPDX-License-Identifier: AGPL-3.0-only
4// Please see LICENSE in the repository root for full details.
5
6mod oidc;
7
8use std::collections::BTreeMap;
9
10use camino::Utf8PathBuf;
11use chrono::{DateTime, Utc};
12use figment::providers::{Format, Yaml};
13use mas_config::{PasswordAlgorithm, PasswordHashingScheme};
14use rand::Rng;
15use serde::Deserialize;
16use sqlx::postgres::PgConnectOptions;
17use tracing::warn;
18use url::Url;
19
20pub use self::oidc::OidcProvider;
21
22/// The root of a Synapse configuration.
23/// This struct only includes fields which the Synapse-to-MAS migration is
24/// interested in.
25///
26/// See: <https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html>
27#[derive(Deserialize)]
28#[expect(clippy::struct_excessive_bools)]
29pub struct Config {
30    pub database: DatabaseSection,
31
32    #[serde(default)]
33    pub password_config: PasswordSection,
34
35    pub bcrypt_rounds: Option<u32>,
36
37    #[serde(default)]
38    pub allow_guest_access: bool,
39
40    #[serde(default)]
41    pub enable_registration: bool,
42
43    #[serde(default)]
44    pub enable_registration_captcha: bool,
45    pub recaptcha_public_key: Option<String>,
46    pub recaptcha_private_key: Option<String>,
47
48    /// Normally this defaults to true, but when MAS integration is enabled in
49    /// Synapse it defaults to false.
50    #[serde(default)]
51    pub enable_3pid_changes: Option<bool>,
52
53    #[serde(default = "default_true")]
54    enable_set_display_name: bool,
55
56    #[serde(default)]
57    pub user_consent: Option<UserConsentSection>,
58
59    #[serde(default)]
60    pub registrations_require_3pid: Vec<String>,
61
62    #[serde(default)]
63    pub registration_requires_token: bool,
64
65    pub registration_shared_secret: Option<String>,
66
67    #[serde(default)]
68    pub login_via_existing_session: EnableableSection,
69
70    #[serde(default)]
71    pub cas_config: EnableableSection,
72
73    #[serde(default)]
74    pub saml2_config: EnableableSection,
75
76    #[serde(default)]
77    pub jwt_config: EnableableSection,
78
79    #[serde(default)]
80    pub oidc_config: Option<OidcProvider>,
81
82    #[serde(default)]
83    pub oidc_providers: Vec<OidcProvider>,
84
85    pub server_name: String,
86
87    pub public_baseurl: Option<Url>,
88}
89
90impl Config {
91    /// Load a Synapse configuration from the given list of configuration files.
92    ///
93    /// # Errors
94    ///
95    /// - If there is a problem reading any of the files.
96    /// - If the configuration is not valid.
97    pub fn load(files: &[Utf8PathBuf]) -> Result<Config, figment::Error> {
98        let mut figment = figment::Figment::new();
99        for file in files {
100            // TODO this is not exactly correct behaviour — Synapse does not merge anything
101            // other than the top level dict.
102            // https://github.com/element-hq/matrix-authentication-service/pull/3805#discussion_r1922680825
103            // https://github.com/element-hq/synapse/blob/develop/synapse/config/_base.py?rgh-link-date=2025-01-20T17%3A02%3A56Z#L870
104            figment = figment.merge(Yaml::file(file));
105        }
106        figment.extract::<Config>()
107    }
108
109    /// Returns a map of all OIDC providers from the Synapse configuration.
110    ///
111    /// The keys are the `auth_provider` IDs as they would have been stored in
112    /// Synapse's database.
113    ///
114    /// These are compatible with the `synapse_idp_id` field of
115    /// [`mas_config::UpstreamOAuth2Provider`].
116    #[must_use]
117    pub fn all_oidc_providers(&self) -> BTreeMap<String, OidcProvider> {
118        let mut out = BTreeMap::new();
119
120        if let Some(provider) = &self.oidc_config {
121            if provider.has_required_fields() {
122                let mut provider = provider.clone();
123                // The legacy configuration has an implied IdP ID of `oidc`.
124                let idp_id = provider.idp_id.take().unwrap_or("oidc".to_owned());
125                provider.idp_id = Some(idp_id.clone());
126                out.insert(idp_id, provider);
127            }
128        }
129
130        for provider in &self.oidc_providers {
131            let mut provider = provider.clone();
132            let idp_id = match provider.idp_id.take() {
133                None => "oidc".to_owned(),
134                Some(idp_id) if idp_id == "oidc" => idp_id,
135                // Synapse internally prefixes the IdP IDs with `oidc-`.
136                Some(idp_id) => format!("oidc-{idp_id}"),
137            };
138            provider.idp_id = Some(idp_id.clone());
139            out.insert(idp_id, provider);
140        }
141
142        out
143    }
144
145    /// Adjust a MAS configuration to match this Synapse configuration.
146    #[must_use]
147    pub fn adjust_mas_config(
148        self,
149        mut mas_config: mas_config::RootConfig,
150        rng: &mut impl Rng,
151        now: DateTime<Utc>,
152    ) -> mas_config::RootConfig {
153        let providers = self.all_oidc_providers();
154        for provider in providers.into_values() {
155            let Some(mas_provider_config) = provider.into_mas_config(rng, now) else {
156                // TODO: better log message
157                warn!("Could not convert OIDC provider to MAS config");
158                continue;
159            };
160
161            mas_config
162                .upstream_oauth2
163                .providers
164                .push(mas_provider_config);
165        }
166
167        // TODO: manage when the option is not set
168        if let Some(enable_3pid_changes) = self.enable_3pid_changes {
169            mas_config.account.email_change_allowed = enable_3pid_changes;
170        }
171        mas_config.account.displayname_change_allowed = self.enable_set_display_name;
172        if self.password_config.enabled {
173            mas_config.passwords.enabled = true;
174            mas_config.passwords.schemes = vec![
175                // This is the password hashing scheme synapse uses
176                PasswordHashingScheme {
177                    version: 1,
178                    algorithm: PasswordAlgorithm::Bcrypt,
179                    cost: self.bcrypt_rounds,
180                    secret: self.password_config.pepper,
181                    secret_file: None,
182                },
183                // Use the default algorithm MAS uses as a second hashing scheme, so that users
184                // will get their password hash upgraded to a more modern algorithm over time
185                PasswordHashingScheme {
186                    version: 2,
187                    algorithm: PasswordAlgorithm::default(),
188                    cost: None,
189                    secret: None,
190                    secret_file: None,
191                },
192            ];
193
194            mas_config.account.password_registration_enabled = self.enable_registration;
195        } else {
196            mas_config.passwords.enabled = false;
197        }
198
199        if self.enable_registration_captcha {
200            mas_config.captcha.service = Some(mas_config::CaptchaServiceKind::RecaptchaV2);
201            mas_config.captcha.site_key = self.recaptcha_public_key;
202            mas_config.captcha.secret_key = self.recaptcha_private_key;
203        }
204
205        mas_config.matrix.homeserver = self.server_name;
206        if let Some(public_baseurl) = self.public_baseurl {
207            mas_config.matrix.endpoint = public_baseurl;
208        }
209
210        mas_config
211    }
212}
213
214/// The `database` section of the Synapse configuration.
215///
216/// See: <https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#database>
217#[derive(Deserialize)]
218pub struct DatabaseSection {
219    /// Expecting `psycopg2` for Postgres or `sqlite3` for `SQLite3`, but may be
220    /// an arbitrary string and future versions of Synapse may support other
221    /// database drivers, e.g. psycopg3.
222    pub name: String,
223    #[serde(default)]
224    pub args: DatabaseArgsSuboption,
225}
226
227/// The database driver name for Synapse when it is using Postgres via psycopg2.
228pub const SYNAPSE_DATABASE_DRIVER_NAME_PSYCOPG2: &str = "psycopg2";
229/// The database driver name for Synapse when it is using SQLite 3.
230pub const SYNAPSE_DATABASE_DRIVER_NAME_SQLITE3: &str = "sqlite3";
231
232impl DatabaseSection {
233    /// Process the configuration into Postgres connection options.
234    ///
235    /// Environment variables and libpq defaults will be used as fallback for
236    /// any missing values; this should match what Synapse does.
237    /// But note that if syn2mas is not run in the same context (host, user,
238    /// environment variables) as Synapse normally runs, then the connection
239    /// options may not be valid.
240    ///
241    /// Returns `None` if this database configuration is not configured for
242    /// Postgres.
243    #[must_use]
244    pub fn to_sqlx_postgres(&self) -> Option<PgConnectOptions> {
245        if self.name != SYNAPSE_DATABASE_DRIVER_NAME_PSYCOPG2 {
246            return None;
247        }
248        let mut opts = PgConnectOptions::new().application_name("syn2mas-synapse");
249
250        if let Some(host) = &self.args.host {
251            opts = opts.host(host);
252        }
253        if let Some(port) = self.args.port {
254            opts = opts.port(port);
255        }
256        if let Some(dbname) = &self.args.dbname {
257            opts = opts.database(dbname);
258        }
259        if let Some(user) = &self.args.user {
260            opts = opts.username(user);
261        }
262        if let Some(password) = &self.args.password {
263            opts = opts.password(password);
264        }
265
266        Some(opts)
267    }
268}
269
270/// The `args` suboption of the `database` section of the Synapse configuration.
271/// This struct assumes Postgres is in use and does not represent fields used by
272/// SQLite.
273#[derive(Deserialize, Default)]
274pub struct DatabaseArgsSuboption {
275    pub user: Option<String>,
276    pub password: Option<String>,
277    pub dbname: Option<String>,
278    pub host: Option<String>,
279    pub port: Option<u16>,
280}
281
282/// The `password_config` section of the Synapse configuration.
283///
284/// See: <https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config>
285#[derive(Deserialize)]
286pub struct PasswordSection {
287    #[serde(default = "default_true")]
288    pub enabled: bool,
289    #[serde(default = "default_true")]
290    pub localdb_enabled: bool,
291    pub pepper: Option<String>,
292}
293
294impl Default for PasswordSection {
295    fn default() -> Self {
296        PasswordSection {
297            enabled: true,
298            localdb_enabled: true,
299            pepper: None,
300        }
301    }
302}
303
304/// A section that we only care about whether it's enabled or not, but is not
305/// enabled by default.
306#[derive(Default, Deserialize)]
307pub struct EnableableSection {
308    #[serde(default)]
309    pub enabled: bool,
310}
311
312fn default_true() -> bool {
313    true
314}
315
316#[cfg(test)]
317mod test {
318    use sqlx::postgres::PgConnectOptions;
319
320    use super::{DatabaseArgsSuboption, DatabaseSection};
321
322    #[test]
323    fn test_to_sqlx_postgres() {
324        #[track_caller]
325        #[expect(clippy::needless_pass_by_value)]
326        fn assert_eq_options(config: DatabaseSection, uri: &str) {
327            let config_connect_options = config
328                .to_sqlx_postgres()
329                .expect("no connection options generated by config");
330            let uri_connect_options: PgConnectOptions = uri
331                .parse()
332                .expect("example URI did not parse as PgConnectionOptions");
333
334            assert_eq!(
335                config_connect_options.get_host(),
336                uri_connect_options.get_host()
337            );
338            assert_eq!(
339                config_connect_options.get_port(),
340                uri_connect_options.get_port()
341            );
342            assert_eq!(
343                config_connect_options.get_username(),
344                uri_connect_options.get_username()
345            );
346            // The password is not public so we can't assert it. But that's hopefully fine.
347            assert_eq!(
348                config_connect_options.get_database(),
349                uri_connect_options.get_database()
350            );
351        }
352
353        // SQLite configs are not accepted
354        assert!(
355            DatabaseSection {
356                name: "sqlite3".to_owned(),
357                args: DatabaseArgsSuboption::default(),
358            }
359            .to_sqlx_postgres()
360            .is_none()
361        );
362
363        assert_eq_options(
364            DatabaseSection {
365                name: "psycopg2".to_owned(),
366                args: DatabaseArgsSuboption::default(),
367            },
368            "postgresql:///",
369        );
370        assert_eq_options(
371            DatabaseSection {
372                name: "psycopg2".to_owned(),
373                args: DatabaseArgsSuboption {
374                    user: Some("synapse_user".to_owned()),
375                    password: Some("verysecret".to_owned()),
376                    dbname: Some("synapse_db".to_owned()),
377                    host: Some("synapse-db.example.com".to_owned()),
378                    port: Some(42),
379                },
380            },
381            "postgresql://synapse_user:verysecret@synapse-db.example.com:42/synapse_db",
382        );
383    }
384}
385
386/// We don't care about any of the fields in this section,
387/// just whether it's present.
388#[derive(Deserialize)]
389pub struct UserConsentSection {}