Merge pull request #119 from sebadob/cust-root-ca-matrix-client

Cust root ca matrix client
sebadob · Oct 29, 2023 · f657e37 · f657e37
2 parents 9c5c172 + a54cd3c
commit f657e37
Show file tree

Hide file tree

Showing 13 changed files with 154 additions and 71 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/docs/config/config.html b/docs/config/config.html
@@ -7,7 +7,7 @@
 
 
         <!-- Custom HTML head -->
-
+        
         <meta name="description" content="">
         <meta name="viewport" content="width=device-width, initial-scale=1">
         <meta name="theme-color" content="#ffffff" />
@@ -172,7 +172,7 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # registrations with '[email protected]' (default: '')
 #USER_REG_DOMAIN_RESTRICTION=some-domain.com
 
-# If set to 'true', this will validate the remote peer IP address with each request
+# If set to 'true', this will validate the remote peer IP address with each request 
 # and compare it with the IP which was used during the initial session creation / login.
 # If the IP is different, the session will be rejected.
 # This is a security hardening and prevents stolen access credentials, for instance if
@@ -181,10 +181,10 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # only happen if an attacker has direct access to the machine itself.
 #
 # If your users are using mobile networks and get new IP addresses all the time, this
-# means they have to do a new login each time. This is no big deal at all with
+# means they have to do a new login each time. This is no big deal at all with 
 # Webauthn / FIDO keys anyway and should not be a reason to deactivate this feature.
 #
-# Caution: If you are running behind a reverse proxy which does not provide the
+# Caution: If you are running behind a reverse proxy which does not provide the 
 # X-FORWARDED-FOR header correctly, or you have the PROXY_MODE in this config disabled,
 # this feature will not work. You can validate the IPs for each session in the Admin
 # UI. If these are correct, your setup is okay.
@@ -301,7 +301,7 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # will be DELETED and OVERWRITTEN with a migration from the
 # given database with this variable. Can be used to migrate
 # between different databases.
-#
+# 
 # !!! USE WITH CARE !!!
 #MIGRATE_DB_FROM=sqlite:data/rauthy.db
 
@@ -312,7 +312,7 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 ############# E-MAIL ################
 #####################################
 
-# Will be used as the prefix for the E-Mail subject for each E-Mail
+# Will be used as the prefix for the E-Mail subject for each E-Mail 
 # that will be sent out to a client.
 # This can be used to further customize your deployment.
 # default: &quot;Rauthy IAM&quot;
@@ -353,16 +353,16 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 
 # The time in ms when to log a warning, if a request waited
 # longer than this time. This is an indicator, that you have
-# more concurrent logins than allowed and may need config
+# more concurrent logins than allowed and may need config 
 # adjustments,
 # if this happens more often. (default: 500)
 #HASH_AWAIT_WARN_TIME=500
 
-# JWKS auto rotate cronjob. This will (by default) rotate
-# all JWKs every 1. day of the month. If you need smaller
+# JWKS auto rotate cronjob. This will (by default) rotate 
+# all JWKs every 1. day of the month. If you need smaller 
 # intervals, you may adjust this value. For security reasons,
 # you cannot fully disable it.
-# In a HA deployment, this job will only be executed on the
+# In a HA deployment, this job will only be executed on the 
 # current cache leader at that time.
 # Format: &quot;sec min hour day_of_month month day_of_week year&quot;
 # default: &quot;0 30 3 1 * * *&quot;
@@ -392,13 +392,18 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 #EVENT_MATRIX_ROOM_ID=
 #EVENT_MATRIX_ACCESS_TOKEN=
 #EVENT_MATRIX_USER_PASSWORD=
+# Optional path to a PEM Root CA certificate file for the Matrix client.
+#EVENT_MATRIX_ROOT_CA_PATH=path/to/my/root_ca_cert.pem
+# May be set to disable the TLS validation for the Matrix client.
+# default: false
+#EVENT_MATRIX_DANGER_DISABLE_TLS_VALIDATION=false
 
 # The Webhook for Slack Notifications.
 # If left empty, no messages will be sent to Slack.
 #EVENT_SLACK_WEBHOOK=
 
-# The notification level for events. Works the same way as a logging level.
-# For instance: 'notice' means send out a notifications for all events with
+# The notification level for events. Works the same way as a logging level. 
+# For instance: 'notice' means send out a notifications for all events with 
 # the info level or higher.
 # Possible values:
 # - info
@@ -413,8 +418,8 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # default: 'notice'
 EVENT_NOTIFY_LEVEL_SLACK=notice
 
-# Define the level from which on events should be persisted inside the
-# database. All events with a lower level will be lost, if there is no
+# Define the level from which on events should be persisted inside the 
+# database. All events with a lower level will be lost, if there is no 
 # active event subscriber.
 # Possible values:
 # - info
@@ -437,7 +442,7 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # The level for the generated Event after a user has reset its password
 # default: notice
 EVENT_LEVEL_USER_PASSWORD_RESET=notice
-# The level for the generated Event after a user has been given the
+# The level for the generated Event after a user has been given the 
 # 'rauthy_admin' role
 # default: notice
 EVENT_LEVEL_RAUTHY_ADMIN=notice
@@ -447,26 +452,26 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # The level for the generated Event after the JWKS has been rotated
 # default: notice
 EVENT_LEVEL_JWKS_ROTATE=notice
-# The level for the generated Event after DB secrets have been migrated
+# The level for the generated Event after DB secrets have been migrated 
 # to a new key
 # default: notice
 EVENT_LEVEL_SECRETS_MIGRATED=notice
-# The level for the generated Event after a Rauthy instance has been
+# The level for the generated Event after a Rauthy instance has been 
 # started
 # default: info
 EVENT_LEVEL_RAUTHY_START=info
-# The level for the generated Event after a Rauthy entered a healthy
+# The level for the generated Event after a Rauthy entered a healthy 
 # state (again)
 # default: notice
 EVENT_LEVEL_RAUTHY_HEALTHY=notice
-# The level for the generated Event after a Rauthy entered an unhealthy
+# The level for the generated Event after a Rauthy entered an unhealthy 
 #state
 # default: critical
 EVENT_LEVEL_RAUTHY_UNHEALTHY=critical
 # The level for the generated Event after an IP has been blacklisted
 # default: warning
 EVENT_LEVEL_IP_BLACKLISTED=warning
-# The level for the generated Event after certain amounts of false
+# The level for the generated Event after certain amounts of false 
 # logins from an IP
 # default: criticao
 EVENT_LEVEL_FAILED_LOGINS_25=critical

diff --git a/docs/print.html b/docs/print.html
@@ -1551,13 +1551,16 @@ <h4 id="config-adjustements---rest-api"><a class="header" href="#config-adjustem
 #EVENT_MATRIX_ROOM_ID=
 #EVENT_MATRIX_ACCESS_TOKEN=
 #EVENT_MATRIX_USER_PASSWORD=
+# Optional path to a PEM Root CA certificate file for the Matrix client.
+#EVENT_MATRIX_ROOT_CA_PATH=path/to/my/root_ca_cert.pem
+# May be set to disable the TLS validation for the Matrix client.
+# default: false
+#EVENT_MATRIX_DANGER_DISABLE_TLS_VALIDATION=false
 
 # The Webhook for Slack Notifications.
 # If left empty, no messages will be sent to Slack.
 #EVENT_SLACK_WEBHOOK=
 
-# TODO Matrix
-
 # The notification level for events. Works the same way as a logging level. 
 # For instance: 'notice' means send out a notifications for all events with 
 # the info level or higher.

diff --git a/docs/searchindex.js b/docs/searchindex.js
diff --git a/docs/searchindex.json b/docs/searchindex.json
diff --git a/rauthy-book/src/config/config.md b/rauthy-book/src/config/config.md
@@ -243,6 +243,8 @@ JWK_AUTOROTATE_CRON="0 30 3 1 * * *"
 #EVENT_MATRIX_ROOM_ID=
 #EVENT_MATRIX_ACCESS_TOKEN=
 #EVENT_MATRIX_USER_PASSWORD=
+# Optional path to a PEM Root CA certificate file for the Matrix client.
+#EVENT_MATRIX_ROOT_CA_PATH=path/to/my/root_ca_cert.pem
 # May be set to disable the TLS validation for the Matrix client.
 # default: false
 #EVENT_MATRIX_DANGER_DISABLE_TLS_VALIDATION=false

diff --git a/rauthy-models/src/events/notifier.rs b/rauthy-models/src/events/notifier.rs
@@ -128,13 +128,15 @@ impl EventNotifier {
                 .unwrap_or_else(|_| "false".to_string())
                 .parse::<bool>()
                 .expect("Cannot parse EVENT_MATRIX_DANGER_DISABLE_TLS_VALIDATION to bool");
+            let root_ca_path = env::var("EVENT_MATRIX_ROOT_CA_PATH").ok();
 
             let notifier = NotifierMatrix::try_new(
                 &user_id,
                 &room_id,
                 access_token,
                 user_password,
                 disable_tls_validation,
+                root_ca_path.as_deref(),
             )
             .await?;
             NOTIFIER_MATRIX

diff --git a/rauthy-notify/Cargo.toml b/rauthy-notify/Cargo.toml
@@ -11,7 +11,7 @@ chrono = { workspace = true }
 flume = { workspace = true }
 # we currently need to use the git version to resolve a conflict on zeroize
 # switch back to stable as soon as a new version comes out
-matrix-sdk = { git = "https://github.com/sebadob/matrix-rust-sdk", default-features = false, features = [
+matrix-sdk = { git = "https://github.com/sebadob/matrix-rust-sdk", branch = "rauthy-v0.17.0", default-features = false, features = [
     "e2e-encryption", "markdown", "rustls-tls"
 ] }
 rauthy-common = { path = "../rauthy-common" }