Config templating (#5900)
Template config files * Imagine a system composed entirely of x, y, z etc and the basic operations.. Wait George, why XOR? Why not just neq? George: Eh, I didn't think of that.. Co-Authored-By: Erik Johnston <erik@matrix.org>
This commit is contained in:
parent
7dc398586c
commit
6d97843793
|
@ -0,0 +1 @@
|
||||||
|
Add support for config templating.
|
|
@ -205,9 +205,9 @@ listeners:
|
||||||
#
|
#
|
||||||
- port: 8008
|
- port: 8008
|
||||||
tls: false
|
tls: false
|
||||||
bind_addresses: ['::1', '127.0.0.1']
|
|
||||||
type: http
|
type: http
|
||||||
x_forwarded: true
|
x_forwarded: true
|
||||||
|
bind_addresses: ['::1', '127.0.0.1']
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
- names: [client, federation]
|
- names: [client, federation]
|
||||||
|
@ -392,10 +392,10 @@ listeners:
|
||||||
# permission to listen on port 80.
|
# permission to listen on port 80.
|
||||||
#
|
#
|
||||||
acme:
|
acme:
|
||||||
# ACME support is disabled by default. Uncomment the following line
|
# ACME support is disabled by default. Set this to `true` and uncomment
|
||||||
# (and tls_certificate_path and tls_private_key_path above) to enable it.
|
# tls_certificate_path and tls_private_key_path above to enable it.
|
||||||
#
|
#
|
||||||
#enabled: true
|
enabled: False
|
||||||
|
|
||||||
# Endpoint to use to request certificates. If you only want to test,
|
# Endpoint to use to request certificates. If you only want to test,
|
||||||
# use Let's Encrypt's staging url:
|
# use Let's Encrypt's staging url:
|
||||||
|
@ -406,17 +406,17 @@ acme:
|
||||||
# Port number to listen on for the HTTP-01 challenge. Change this if
|
# Port number to listen on for the HTTP-01 challenge. Change this if
|
||||||
# you are forwarding connections through Apache/Nginx/etc.
|
# you are forwarding connections through Apache/Nginx/etc.
|
||||||
#
|
#
|
||||||
#port: 80
|
port: 80
|
||||||
|
|
||||||
# Local addresses to listen on for incoming connections.
|
# Local addresses to listen on for incoming connections.
|
||||||
# Again, you may want to change this if you are forwarding connections
|
# Again, you may want to change this if you are forwarding connections
|
||||||
# through Apache/Nginx/etc.
|
# through Apache/Nginx/etc.
|
||||||
#
|
#
|
||||||
#bind_addresses: ['::', '0.0.0.0']
|
bind_addresses: ['::', '0.0.0.0']
|
||||||
|
|
||||||
# How many days remaining on a certificate before it is renewed.
|
# How many days remaining on a certificate before it is renewed.
|
||||||
#
|
#
|
||||||
#reprovision_threshold: 30
|
reprovision_threshold: 30
|
||||||
|
|
||||||
# The domain that the certificate should be for. Normally this
|
# The domain that the certificate should be for. Normally this
|
||||||
# should be the same as your Matrix domain (i.e., 'server_name'), but,
|
# should be the same as your Matrix domain (i.e., 'server_name'), but,
|
||||||
|
@ -430,7 +430,7 @@ acme:
|
||||||
#
|
#
|
||||||
# If not set, defaults to your 'server_name'.
|
# If not set, defaults to your 'server_name'.
|
||||||
#
|
#
|
||||||
#domain: matrix.example.com
|
domain: matrix.example.com
|
||||||
|
|
||||||
# file to use for the account key. This will be generated if it doesn't
|
# file to use for the account key. This will be generated if it doesn't
|
||||||
# exist.
|
# exist.
|
||||||
|
|
|
@ -181,6 +181,11 @@ class Config(object):
|
||||||
generate_secrets=False,
|
generate_secrets=False,
|
||||||
report_stats=None,
|
report_stats=None,
|
||||||
open_private_ports=False,
|
open_private_ports=False,
|
||||||
|
listeners=None,
|
||||||
|
database_conf=None,
|
||||||
|
tls_certificate_path=None,
|
||||||
|
tls_private_key_path=None,
|
||||||
|
acme_domain=None,
|
||||||
):
|
):
|
||||||
"""Build a default configuration file
|
"""Build a default configuration file
|
||||||
|
|
||||||
|
@ -207,6 +212,33 @@ class Config(object):
|
||||||
open_private_ports (bool): True to leave private ports (such as the non-TLS
|
open_private_ports (bool): True to leave private ports (such as the non-TLS
|
||||||
HTTP listener) open to the internet.
|
HTTP listener) open to the internet.
|
||||||
|
|
||||||
|
listeners (list(dict)|None): A list of descriptions of the listeners
|
||||||
|
synapse should start with each of which specifies a port (str), a list of
|
||||||
|
resources (list(str)), tls (bool) and type (str). For example:
|
||||||
|
[{
|
||||||
|
"port": 8448,
|
||||||
|
"resources": [{"names": ["federation"]}],
|
||||||
|
"tls": True,
|
||||||
|
"type": "http",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"port": 443,
|
||||||
|
"resources": [{"names": ["client"]}],
|
||||||
|
"tls": False,
|
||||||
|
"type": "http",
|
||||||
|
}],
|
||||||
|
|
||||||
|
|
||||||
|
database (str|None): The database type to configure, either `psycog2`
|
||||||
|
or `sqlite3`.
|
||||||
|
|
||||||
|
tls_certificate_path (str|None): The path to the tls certificate.
|
||||||
|
|
||||||
|
tls_private_key_path (str|None): The path to the tls private key.
|
||||||
|
|
||||||
|
acme_domain (str|None): The domain acme will try to validate. If
|
||||||
|
specified acme will be enabled.
|
||||||
|
|
||||||
Returns:
|
Returns:
|
||||||
str: the yaml config file
|
str: the yaml config file
|
||||||
"""
|
"""
|
||||||
|
@ -220,6 +252,11 @@ class Config(object):
|
||||||
generate_secrets=generate_secrets,
|
generate_secrets=generate_secrets,
|
||||||
report_stats=report_stats,
|
report_stats=report_stats,
|
||||||
open_private_ports=open_private_ports,
|
open_private_ports=open_private_ports,
|
||||||
|
listeners=listeners,
|
||||||
|
database_conf=database_conf,
|
||||||
|
tls_certificate_path=tls_certificate_path,
|
||||||
|
tls_private_key_path=tls_private_key_path,
|
||||||
|
acme_domain=acme_domain,
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -13,6 +13,9 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
import os
|
import os
|
||||||
|
from textwrap import indent
|
||||||
|
|
||||||
|
import yaml
|
||||||
|
|
||||||
from ._base import Config
|
from ._base import Config
|
||||||
|
|
||||||
|
@ -38,20 +41,28 @@ class DatabaseConfig(Config):
|
||||||
|
|
||||||
self.set_databasepath(config.get("database_path"))
|
self.set_databasepath(config.get("database_path"))
|
||||||
|
|
||||||
def generate_config_section(self, data_dir_path, **kwargs):
|
def generate_config_section(self, data_dir_path, database_conf, **kwargs):
|
||||||
database_path = os.path.join(data_dir_path, "homeserver.db")
|
if not database_conf:
|
||||||
return (
|
database_path = os.path.join(data_dir_path, "homeserver.db")
|
||||||
"""\
|
database_conf = (
|
||||||
## Database ##
|
"""# The database engine name
|
||||||
|
|
||||||
database:
|
|
||||||
# The database engine name
|
|
||||||
name: "sqlite3"
|
name: "sqlite3"
|
||||||
# Arguments to pass to the engine
|
# Arguments to pass to the engine
|
||||||
args:
|
args:
|
||||||
# Path to the database
|
# Path to the database
|
||||||
database: "%(database_path)s"
|
database: "%(database_path)s"
|
||||||
|
"""
|
||||||
|
% locals()
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
database_conf = indent(yaml.dump(database_conf), " " * 10).lstrip()
|
||||||
|
|
||||||
|
return (
|
||||||
|
"""\
|
||||||
|
## Database ##
|
||||||
|
|
||||||
|
database:
|
||||||
|
%(database_conf)s
|
||||||
# Number of events to cache in memory.
|
# Number of events to cache in memory.
|
||||||
#
|
#
|
||||||
#event_cache_size: 10K
|
#event_cache_size: 10K
|
||||||
|
|
|
@ -17,8 +17,11 @@
|
||||||
|
|
||||||
import logging
|
import logging
|
||||||
import os.path
|
import os.path
|
||||||
|
import re
|
||||||
|
from textwrap import indent
|
||||||
|
|
||||||
import attr
|
import attr
|
||||||
|
import yaml
|
||||||
from netaddr import IPSet
|
from netaddr import IPSet
|
||||||
|
|
||||||
from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
|
from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
|
||||||
|
@ -352,7 +355,7 @@ class ServerConfig(Config):
|
||||||
return any(l["tls"] for l in self.listeners)
|
return any(l["tls"] for l in self.listeners)
|
||||||
|
|
||||||
def generate_config_section(
|
def generate_config_section(
|
||||||
self, server_name, data_dir_path, open_private_ports, **kwargs
|
self, server_name, data_dir_path, open_private_ports, listeners, **kwargs
|
||||||
):
|
):
|
||||||
_, bind_port = parse_and_validate_server_name(server_name)
|
_, bind_port = parse_and_validate_server_name(server_name)
|
||||||
if bind_port is not None:
|
if bind_port is not None:
|
||||||
|
@ -366,11 +369,68 @@ class ServerConfig(Config):
|
||||||
# Bring DEFAULT_ROOM_VERSION into the local-scope for use in the
|
# Bring DEFAULT_ROOM_VERSION into the local-scope for use in the
|
||||||
# default config string
|
# default config string
|
||||||
default_room_version = DEFAULT_ROOM_VERSION
|
default_room_version = DEFAULT_ROOM_VERSION
|
||||||
|
secure_listeners = []
|
||||||
|
unsecure_listeners = []
|
||||||
|
private_addresses = ["::1", "127.0.0.1"]
|
||||||
|
if listeners:
|
||||||
|
for listener in listeners:
|
||||||
|
if listener["tls"]:
|
||||||
|
secure_listeners.append(listener)
|
||||||
|
else:
|
||||||
|
# If we don't want open ports we need to bind the listeners
|
||||||
|
# to some address other than 0.0.0.0. Here we chose to use
|
||||||
|
# localhost.
|
||||||
|
# If the addresses are already bound we won't overwrite them
|
||||||
|
# however.
|
||||||
|
if not open_private_ports:
|
||||||
|
listener.setdefault("bind_addresses", private_addresses)
|
||||||
|
|
||||||
unsecure_http_binding = "port: %i\n tls: false" % (unsecure_port,)
|
unsecure_listeners.append(listener)
|
||||||
if not open_private_ports:
|
|
||||||
unsecure_http_binding += (
|
secure_http_bindings = indent(
|
||||||
"\n bind_addresses: ['::1', '127.0.0.1']"
|
yaml.dump(secure_listeners), " " * 10
|
||||||
|
).lstrip()
|
||||||
|
|
||||||
|
unsecure_http_bindings = indent(
|
||||||
|
yaml.dump(unsecure_listeners), " " * 10
|
||||||
|
).lstrip()
|
||||||
|
|
||||||
|
if not unsecure_listeners:
|
||||||
|
unsecure_http_bindings = (
|
||||||
|
"""- port: %(unsecure_port)s
|
||||||
|
tls: false
|
||||||
|
type: http
|
||||||
|
x_forwarded: true"""
|
||||||
|
% locals()
|
||||||
|
)
|
||||||
|
|
||||||
|
if not open_private_ports:
|
||||||
|
unsecure_http_bindings += (
|
||||||
|
"\n bind_addresses: ['::1', '127.0.0.1']"
|
||||||
|
)
|
||||||
|
|
||||||
|
unsecure_http_bindings += """
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- names: [client, federation]
|
||||||
|
compress: false"""
|
||||||
|
|
||||||
|
if listeners:
|
||||||
|
# comment out this block
|
||||||
|
unsecure_http_bindings = "#" + re.sub(
|
||||||
|
"\n {10}",
|
||||||
|
lambda match: match.group(0) + "#",
|
||||||
|
unsecure_http_bindings,
|
||||||
|
)
|
||||||
|
|
||||||
|
if not secure_listeners:
|
||||||
|
secure_http_bindings = (
|
||||||
|
"""#- port: %(bind_port)s
|
||||||
|
# type: http
|
||||||
|
# tls: true
|
||||||
|
# resources:
|
||||||
|
# - names: [client, federation]"""
|
||||||
|
% locals()
|
||||||
)
|
)
|
||||||
|
|
||||||
return (
|
return (
|
||||||
|
@ -556,11 +616,7 @@ class ServerConfig(Config):
|
||||||
# will also need to give Synapse a TLS key and certificate: see the TLS section
|
# will also need to give Synapse a TLS key and certificate: see the TLS section
|
||||||
# below.)
|
# below.)
|
||||||
#
|
#
|
||||||
#- port: %(bind_port)s
|
%(secure_http_bindings)s
|
||||||
# type: http
|
|
||||||
# tls: true
|
|
||||||
# resources:
|
|
||||||
# - names: [client, federation]
|
|
||||||
|
|
||||||
# Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
|
# Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
|
||||||
# that unwraps TLS.
|
# that unwraps TLS.
|
||||||
|
@ -568,13 +624,7 @@ class ServerConfig(Config):
|
||||||
# If you plan to use a reverse proxy, please see
|
# If you plan to use a reverse proxy, please see
|
||||||
# https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.rst.
|
# https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.rst.
|
||||||
#
|
#
|
||||||
- %(unsecure_http_binding)s
|
%(unsecure_http_bindings)s
|
||||||
type: http
|
|
||||||
x_forwarded: true
|
|
||||||
|
|
||||||
resources:
|
|
||||||
- names: [client, federation]
|
|
||||||
compress: false
|
|
||||||
|
|
||||||
# example additional_resources:
|
# example additional_resources:
|
||||||
#
|
#
|
||||||
|
|
|
@ -239,12 +239,38 @@ class TlsConfig(Config):
|
||||||
self.tls_fingerprints.append({"sha256": sha256_fingerprint})
|
self.tls_fingerprints.append({"sha256": sha256_fingerprint})
|
||||||
|
|
||||||
def generate_config_section(
|
def generate_config_section(
|
||||||
self, config_dir_path, server_name, data_dir_path, **kwargs
|
self,
|
||||||
|
config_dir_path,
|
||||||
|
server_name,
|
||||||
|
data_dir_path,
|
||||||
|
tls_certificate_path,
|
||||||
|
tls_private_key_path,
|
||||||
|
acme_domain,
|
||||||
|
**kwargs
|
||||||
):
|
):
|
||||||
|
"""If the acme_domain is specified acme will be enabled.
|
||||||
|
If the TLS paths are not specified the default will be certs in the
|
||||||
|
config directory"""
|
||||||
|
|
||||||
base_key_name = os.path.join(config_dir_path, server_name)
|
base_key_name = os.path.join(config_dir_path, server_name)
|
||||||
|
|
||||||
tls_certificate_path = base_key_name + ".tls.crt"
|
if bool(tls_certificate_path) != bool(tls_private_key_path):
|
||||||
tls_private_key_path = base_key_name + ".tls.key"
|
raise ConfigError(
|
||||||
|
"Please specify both a cert path and a key path or neither."
|
||||||
|
)
|
||||||
|
|
||||||
|
tls_enabled = (
|
||||||
|
"" if tls_certificate_path and tls_private_key_path or acme_domain else "#"
|
||||||
|
)
|
||||||
|
|
||||||
|
if not tls_certificate_path:
|
||||||
|
tls_certificate_path = base_key_name + ".tls.crt"
|
||||||
|
if not tls_private_key_path:
|
||||||
|
tls_private_key_path = base_key_name + ".tls.key"
|
||||||
|
|
||||||
|
acme_enabled = bool(acme_domain)
|
||||||
|
acme_domain = "matrix.example.com"
|
||||||
|
|
||||||
default_acme_account_file = os.path.join(data_dir_path, "acme_account.key")
|
default_acme_account_file = os.path.join(data_dir_path, "acme_account.key")
|
||||||
|
|
||||||
# this is to avoid the max line length. Sorrynotsorry
|
# this is to avoid the max line length. Sorrynotsorry
|
||||||
|
@ -269,11 +295,11 @@ class TlsConfig(Config):
|
||||||
# instance, if using certbot, use `fullchain.pem` as your certificate,
|
# instance, if using certbot, use `fullchain.pem` as your certificate,
|
||||||
# not `cert.pem`).
|
# not `cert.pem`).
|
||||||
#
|
#
|
||||||
#tls_certificate_path: "%(tls_certificate_path)s"
|
%(tls_enabled)stls_certificate_path: "%(tls_certificate_path)s"
|
||||||
|
|
||||||
# PEM-encoded private key for TLS
|
# PEM-encoded private key for TLS
|
||||||
#
|
#
|
||||||
#tls_private_key_path: "%(tls_private_key_path)s"
|
%(tls_enabled)stls_private_key_path: "%(tls_private_key_path)s"
|
||||||
|
|
||||||
# Whether to verify TLS server certificates for outbound federation requests.
|
# Whether to verify TLS server certificates for outbound federation requests.
|
||||||
#
|
#
|
||||||
|
@ -340,10 +366,10 @@ class TlsConfig(Config):
|
||||||
# permission to listen on port 80.
|
# permission to listen on port 80.
|
||||||
#
|
#
|
||||||
acme:
|
acme:
|
||||||
# ACME support is disabled by default. Uncomment the following line
|
# ACME support is disabled by default. Set this to `true` and uncomment
|
||||||
# (and tls_certificate_path and tls_private_key_path above) to enable it.
|
# tls_certificate_path and tls_private_key_path above to enable it.
|
||||||
#
|
#
|
||||||
#enabled: true
|
enabled: %(acme_enabled)s
|
||||||
|
|
||||||
# Endpoint to use to request certificates. If you only want to test,
|
# Endpoint to use to request certificates. If you only want to test,
|
||||||
# use Let's Encrypt's staging url:
|
# use Let's Encrypt's staging url:
|
||||||
|
@ -354,17 +380,17 @@ class TlsConfig(Config):
|
||||||
# Port number to listen on for the HTTP-01 challenge. Change this if
|
# Port number to listen on for the HTTP-01 challenge. Change this if
|
||||||
# you are forwarding connections through Apache/Nginx/etc.
|
# you are forwarding connections through Apache/Nginx/etc.
|
||||||
#
|
#
|
||||||
#port: 80
|
port: 80
|
||||||
|
|
||||||
# Local addresses to listen on for incoming connections.
|
# Local addresses to listen on for incoming connections.
|
||||||
# Again, you may want to change this if you are forwarding connections
|
# Again, you may want to change this if you are forwarding connections
|
||||||
# through Apache/Nginx/etc.
|
# through Apache/Nginx/etc.
|
||||||
#
|
#
|
||||||
#bind_addresses: ['::', '0.0.0.0']
|
bind_addresses: ['::', '0.0.0.0']
|
||||||
|
|
||||||
# How many days remaining on a certificate before it is renewed.
|
# How many days remaining on a certificate before it is renewed.
|
||||||
#
|
#
|
||||||
#reprovision_threshold: 30
|
reprovision_threshold: 30
|
||||||
|
|
||||||
# The domain that the certificate should be for. Normally this
|
# The domain that the certificate should be for. Normally this
|
||||||
# should be the same as your Matrix domain (i.e., 'server_name'), but,
|
# should be the same as your Matrix domain (i.e., 'server_name'), but,
|
||||||
|
@ -378,7 +404,7 @@ class TlsConfig(Config):
|
||||||
#
|
#
|
||||||
# If not set, defaults to your 'server_name'.
|
# If not set, defaults to your 'server_name'.
|
||||||
#
|
#
|
||||||
#domain: matrix.example.com
|
domain: %(acme_domain)s
|
||||||
|
|
||||||
# file to use for the account key. This will be generated if it doesn't
|
# file to use for the account key. This will be generated if it doesn't
|
||||||
# exist.
|
# exist.
|
||||||
|
|
|
@ -0,0 +1,52 @@
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
# Copyright 2019 New Vector Ltd
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
import yaml
|
||||||
|
|
||||||
|
from synapse.config.database import DatabaseConfig
|
||||||
|
|
||||||
|
from tests import unittest
|
||||||
|
|
||||||
|
|
||||||
|
class DatabaseConfigTestCase(unittest.TestCase):
|
||||||
|
def test_database_configured_correctly_no_database_conf_param(self):
|
||||||
|
conf = yaml.safe_load(
|
||||||
|
DatabaseConfig().generate_config_section("/data_dir_path", None)
|
||||||
|
)
|
||||||
|
|
||||||
|
expected_database_conf = {
|
||||||
|
"name": "sqlite3",
|
||||||
|
"args": {"database": "/data_dir_path/homeserver.db"},
|
||||||
|
}
|
||||||
|
|
||||||
|
self.assertEqual(conf["database"], expected_database_conf)
|
||||||
|
|
||||||
|
def test_database_configured_correctly_database_conf_param(self):
|
||||||
|
|
||||||
|
database_conf = {
|
||||||
|
"name": "my super fast datastore",
|
||||||
|
"args": {
|
||||||
|
"user": "matrix",
|
||||||
|
"password": "synapse_database_password",
|
||||||
|
"host": "synapse_database_host",
|
||||||
|
"database": "matrix",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
conf = yaml.safe_load(
|
||||||
|
DatabaseConfig().generate_config_section("/data_dir_path", database_conf)
|
||||||
|
)
|
||||||
|
|
||||||
|
self.assertEqual(conf["database"], database_conf)
|
|
@ -13,7 +13,9 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
from synapse.config.server import is_threepid_reserved
|
import yaml
|
||||||
|
|
||||||
|
from synapse.config.server import ServerConfig, is_threepid_reserved
|
||||||
|
|
||||||
from tests import unittest
|
from tests import unittest
|
||||||
|
|
||||||
|
@ -29,3 +31,100 @@ class ServerConfigTestCase(unittest.TestCase):
|
||||||
self.assertTrue(is_threepid_reserved(config, user1))
|
self.assertTrue(is_threepid_reserved(config, user1))
|
||||||
self.assertFalse(is_threepid_reserved(config, user3))
|
self.assertFalse(is_threepid_reserved(config, user3))
|
||||||
self.assertFalse(is_threepid_reserved(config, user1_msisdn))
|
self.assertFalse(is_threepid_reserved(config, user1_msisdn))
|
||||||
|
|
||||||
|
def test_unsecure_listener_no_listeners_open_private_ports_false(self):
|
||||||
|
conf = yaml.safe_load(
|
||||||
|
ServerConfig().generate_config_section(
|
||||||
|
"che.org", "/data_dir_path", False, None
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
expected_listeners = [
|
||||||
|
{
|
||||||
|
"port": 8008,
|
||||||
|
"tls": False,
|
||||||
|
"type": "http",
|
||||||
|
"x_forwarded": True,
|
||||||
|
"bind_addresses": ["::1", "127.0.0.1"],
|
||||||
|
"resources": [{"names": ["client", "federation"], "compress": False}],
|
||||||
|
}
|
||||||
|
]
|
||||||
|
|
||||||
|
self.assertEqual(conf["listeners"], expected_listeners)
|
||||||
|
|
||||||
|
def test_unsecure_listener_no_listeners_open_private_ports_true(self):
|
||||||
|
conf = yaml.safe_load(
|
||||||
|
ServerConfig().generate_config_section(
|
||||||
|
"che.org", "/data_dir_path", True, None
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
expected_listeners = [
|
||||||
|
{
|
||||||
|
"port": 8008,
|
||||||
|
"tls": False,
|
||||||
|
"type": "http",
|
||||||
|
"x_forwarded": True,
|
||||||
|
"resources": [{"names": ["client", "federation"], "compress": False}],
|
||||||
|
}
|
||||||
|
]
|
||||||
|
|
||||||
|
self.assertEqual(conf["listeners"], expected_listeners)
|
||||||
|
|
||||||
|
def test_listeners_set_correctly_open_private_ports_false(self):
|
||||||
|
listeners = [
|
||||||
|
{
|
||||||
|
"port": 8448,
|
||||||
|
"resources": [{"names": ["federation"]}],
|
||||||
|
"tls": True,
|
||||||
|
"type": "http",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"port": 443,
|
||||||
|
"resources": [{"names": ["client"]}],
|
||||||
|
"tls": False,
|
||||||
|
"type": "http",
|
||||||
|
},
|
||||||
|
]
|
||||||
|
|
||||||
|
conf = yaml.safe_load(
|
||||||
|
ServerConfig().generate_config_section(
|
||||||
|
"this.one.listens", "/data_dir_path", True, listeners
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
self.assertEqual(conf["listeners"], listeners)
|
||||||
|
|
||||||
|
def test_listeners_set_correctly_open_private_ports_true(self):
|
||||||
|
listeners = [
|
||||||
|
{
|
||||||
|
"port": 8448,
|
||||||
|
"resources": [{"names": ["federation"]}],
|
||||||
|
"tls": True,
|
||||||
|
"type": "http",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"port": 443,
|
||||||
|
"resources": [{"names": ["client"]}],
|
||||||
|
"tls": False,
|
||||||
|
"type": "http",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"port": 1243,
|
||||||
|
"resources": [{"names": ["client"]}],
|
||||||
|
"tls": False,
|
||||||
|
"type": "http",
|
||||||
|
"bind_addresses": ["this_one_is_bound"],
|
||||||
|
},
|
||||||
|
]
|
||||||
|
|
||||||
|
expected_listeners = listeners.copy()
|
||||||
|
expected_listeners[1]["bind_addresses"] = ["::1", "127.0.0.1"]
|
||||||
|
|
||||||
|
conf = yaml.safe_load(
|
||||||
|
ServerConfig().generate_config_section(
|
||||||
|
"this.one.listens", "/data_dir_path", True, listeners
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
self.assertEqual(conf["listeners"], expected_listeners)
|
||||||
|
|
|
@ -16,6 +16,8 @@
|
||||||
|
|
||||||
import os
|
import os
|
||||||
|
|
||||||
|
import yaml
|
||||||
|
|
||||||
from OpenSSL import SSL
|
from OpenSSL import SSL
|
||||||
|
|
||||||
from synapse.config.tls import ConfigError, TlsConfig
|
from synapse.config.tls import ConfigError, TlsConfig
|
||||||
|
@ -191,3 +193,45 @@ s4niecZKPBizL6aucT59CsunNmmb5Glq8rlAcU+1ZTZZzGYqVYhF6axB9Qg=
|
||||||
self.assertEqual(cf._verify_ssl._options & SSL.OP_NO_TLSv1, 0)
|
self.assertEqual(cf._verify_ssl._options & SSL.OP_NO_TLSv1, 0)
|
||||||
self.assertEqual(cf._verify_ssl._options & SSL.OP_NO_TLSv1_1, 0)
|
self.assertEqual(cf._verify_ssl._options & SSL.OP_NO_TLSv1_1, 0)
|
||||||
self.assertEqual(cf._verify_ssl._options & SSL.OP_NO_TLSv1_2, 0)
|
self.assertEqual(cf._verify_ssl._options & SSL.OP_NO_TLSv1_2, 0)
|
||||||
|
|
||||||
|
def test_acme_disabled_in_generated_config_no_acme_domain_provied(self):
|
||||||
|
"""
|
||||||
|
Checks acme is disabled by default.
|
||||||
|
"""
|
||||||
|
conf = TestConfig()
|
||||||
|
conf.read_config(
|
||||||
|
yaml.safe_load(
|
||||||
|
TestConfig().generate_config_section(
|
||||||
|
"/config_dir_path",
|
||||||
|
"my_super_secure_server",
|
||||||
|
"/data_dir_path",
|
||||||
|
"/tls_cert_path",
|
||||||
|
"tls_private_key",
|
||||||
|
None, # This is the acme_domain
|
||||||
|
)
|
||||||
|
),
|
||||||
|
"/config_dir_path",
|
||||||
|
)
|
||||||
|
|
||||||
|
self.assertFalse(conf.acme_enabled)
|
||||||
|
|
||||||
|
def test_acme_enabled_in_generated_config_domain_provided(self):
|
||||||
|
"""
|
||||||
|
Checks acme is enabled if the acme_domain arg is set to some string.
|
||||||
|
"""
|
||||||
|
conf = TestConfig()
|
||||||
|
conf.read_config(
|
||||||
|
yaml.safe_load(
|
||||||
|
TestConfig().generate_config_section(
|
||||||
|
"/config_dir_path",
|
||||||
|
"my_super_secure_server",
|
||||||
|
"/data_dir_path",
|
||||||
|
"/tls_cert_path",
|
||||||
|
"tls_private_key",
|
||||||
|
"my_supe_secure_server", # This is the acme_domain
|
||||||
|
)
|
||||||
|
),
|
||||||
|
"/config_dir_path",
|
||||||
|
)
|
||||||
|
|
||||||
|
self.assertTrue(conf.acme_enabled)
|
||||||
|
|
Loading…
Reference in New Issue