Merge pull request #5 from nordeck/nic/feat/add-synapse-module

Migrate the guest module to a proper synapse module

.github/workflows/ci.yml

@@ -11,9 +11,6 @@ jobs:
     name: Build Javascript
     runs-on: ubuntu-latest
     timeout-minutes: 15
-    permissions:
-      contents: read
-      packages: write
     steps:
       - uses: actions/checkout@v4
 
@@ -45,12 +42,76 @@ jobs:
       - name: build
         run: yarn build
 
+  build-py:
+    name: Build Python
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    defaults:
+      run:
+        working-directory: ./synapse-guest-module/
+    env:
+      DOCKER_IMAGE: ghcr.io/nordeck/synapse-guest-module
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+
+      - run: python -m pip install tox
+
+      - name: lint
+        run: tox -e check_codestyle
+
+      - name: type checking and declarations
+        run: tox -e check_types
+
+      - name: test
+        run: tox -e py
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Generate Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        env:
+          DOCKER_METADATA_PR_HEAD_SHA: true
+        with:
+          images: ${{ env.DOCKER_IMAGE }}
+          labels: |
+            org.opencontainers.image.title=Synapse Guest Module
+            org.opencontainers.image.description=A synapse module to restrict the actions of guests
+            org.opencontainers.image.vendor=Nordeck IT + Consulting GmbH
+          tags: |
+            type=sha,prefix=
+
+      - name: Docker build and push
+        uses: docker/build-push-action@v4
+        id: dockerBuild
+        with:
+          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'pull_request' && secrets.GH_APP_OS_APP_ID != '' }}
+          context: synapse-guest-module
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64,linux/s390x
+          sbom: true
+          provenance: true
+
   run-changesets:
     runs-on: ubuntu-latest
     if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
     timeout-minutes: 5
     needs:
       - build-js
+      - build-py
     steps:
       - uses: actions/checkout@v4
         with:
@@ -80,6 +141,7 @@ jobs:
       - name: Create Release Pull Request or Publish Packages
         uses: changesets/action@f13b1baaa620fde937751f5d2c3572b9da32af23 # @v1.4.5
         with:
+          version: yarn run version
           publish: yarn release
         env:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}

.github/workflows/publish-release-synapse-module.yml

@@ -0,0 +1,76 @@
+# This pipeline runs for every new tag. It will pull the docker container for
+# the commit hash of the tag, and will publish it as `:<tag-name>` and `latest`.
+name: Release Synapse Guest Module
+
+on:
+  push:
+    tags:
+      - '@nordeck/synapse-guest-module@*'
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    env:
+      DOCKER_IMAGE: ghcr.io/nordeck/synapse-guest-module
+    steps:
+      - name: Generate Docker metadata of the existing image
+        id: meta-existing-tag
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.DOCKER_IMAGE }}
+          tags: |
+            type=sha,prefix=
+
+      - name: Generate Docker metadata of the new image
+        id: meta-new-tags
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.DOCKER_IMAGE }}
+          labels: |
+            org.opencontainers.image.title=Synapse Guest Module
+            org.opencontainers.image.description=A synapse module to restrict the actions of guests
+            org.opencontainers.image.vendor=Nordeck IT + Consulting GmbH
+          tags: |
+            type=match,pattern=@nordeck/synapse-guest-module@(.*),group=1
+
+      - name: Generate Dockerfile
+        env:
+          SOURCE_IMAGE: ${{ fromJSON(steps.meta-existing-tag.outputs.json).tags[0] }}
+        run: |
+          echo "FROM $SOURCE_IMAGE" > Dockerfile
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # @v3.1.2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build and push
+        id: build_and_push
+        uses: docker/build-push-action@v4
+        with:
+          push: true
+          context: .
+          tags: ${{ steps.meta-new-tags.outputs.tags }}
+          labels: ${{ steps.meta-new-tags.outputs.labels }}
+          platforms: linux/amd64,linux/arm64,linux/s390x
+          sbom: true
+          provenance: true
+
+      - name: Sign the images with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.build_and_push.outputs.digest }}
+        run: cosign sign --yes "${DOCKER_IMAGE}@${DIGEST}"

.gitignore

@@ -138,3 +138,11 @@ package.json-prepack
 
 # mics
 .DS_Store
+
+# Python
+.venv
+__pycache__/
+.tox/
+*.egg-info/
+_trial_temp/
+.mypy_cache/

README.md

@@ -23,7 +23,7 @@ Development on the module happens at [GitHub](https://github.com/nordeck/element
 You need to install two modules, one each for Element and Synapse to get all features:
 
 - See the [Readme of the `element-web-guest-module`](./element-web-guest-module/README.md) for instructions on how to install it in Element.
-- TODO: create a Synapse Module
+- See the [Readme of the `synapse-guest-module`](./synapse-guest-module/README.md) for instructions on how to install it in your Synapse homeserver.
 
 ### How to Contribute
 
@@ -54,6 +54,7 @@ In the project directory, you can run:
 - `yarn deduplicate`: Deduplicate dependencies in the `yarn.lock` file.
 - `yarn changeset`: Generate a changeset that provides a description of a
   change.
+- `yarn docker:build`: Builds a container from the output of `yarn build`.
 
 ### Versioning
 

e2e/README.md

@@ -13,7 +13,10 @@ Running the e2e tests requires Docker to be installed.
 The e2e tests are testing the guest module for Element and for Synapse.
 Make sure to always run `yarn build` in the root folder before initially running the tests or after changing a component.
 
-1. **Element Module**: It uses the module that is packaged by `yarn build`.
+1. **Synapse Module**: By default, it uses the image that was built by running `yarn docker:build` in the root folder of this repository.
+   Building the container at least once is required to run the tests.
+   Alternatively, you can set the `MODULE_CONTAINER_IMAGE` environment variable to use a custom container image for the Synapse Guest Module.
+2. **Element Module**: It uses the module that is packaged by `yarn build`.
    Only run this if there are actual changes in the module to not
 
 Afterwards you can run `yarn e2e` to perform the tests.

e2e/package.json

@@ -18,7 +18,8 @@
   },
   "scripts": {
     "clean": "echo \"Nothing to clean\"",
-    "build": "yarn workspace @nordeck/element-web-guest-module build && yarn workspace @nordeck/element-web-guest-module package && shx cp ../element-web-guest-module/*.tgz src/deploy/elementWeb/module.tgz",
+    "build": "yarn workspace @nordeck/element-web-guest-module build && yarn workspace @nordeck/element-web-guest-module package && shx cp ../element-web-guest-module/*.tgz src/deploy/elementWeb/module.tgz && yarn workspace @nordeck/synapse-guest-module docker:build",
+    "docker:build": "echo \"Nothing to build\"",
     "tsc": "tsc",
     "lint": "eslint . --max-warnings=0",
     "depcheck": "depcheck --ignores=typescript",

e2e/src/deploy/setup.ts

@@ -19,7 +19,9 @@ import { startElementWeb } from './elementWeb';
 import { startSynapse } from './synapse';
 
 export default async function globalSetup(_config: FullConfig) {
-  const { synapseUrl, registrationSecret } = await startSynapse();
+  const { synapseUrl, registrationSecret } = await startSynapse({
+    moduleContainerImage: process.env.MODULE_CONTAINER_IMAGE,
+  });
   process.env.SYNAPSE_URL = synapseUrl;
   process.env.SYNAPSE_REGISTRATION_SECRET = registrationSecret;
 

e2e/src/deploy/synapse/homeserver.yaml

@@ -75,5 +75,5 @@ suppress_key_server_warning: true
 allow_guest_access: true
 
 modules:
-  - module: phoenix_guest.GuestAuthProvider
+  - module: synapse_guest_module.GuestModule
     config: {}

e2e/src/deploy/synapse/index.ts

@@ -16,7 +16,7 @@
 
 import fetch from 'cross-fetch';
 import { randomBytes } from 'crypto';
-import { readFile } from 'fs/promises';
+import { readFile, rm } from 'fs/promises';
 import path from 'path';
 import { GenericContainer, StartedTestContainer, Wait } from 'testcontainers';
 
@@ -28,6 +28,7 @@ function randB64Bytes(numBytes: number): string {
 
 export async function startSynapse({
   containerImage = 'matrixdotorg/synapse:v1.90.0',
+  moduleContainerImage = 'nordeck/synapse-guest-module',
 }: { containerImage?: string; moduleContainerImage?: string } = {}): Promise<{
   synapseUrl: string;
   synapseHostUrl: string;
@@ -49,6 +50,9 @@ export async function startSynapse({
     .replace(/{{MACAROON_SECRET_KEY}}/g, macaroonSecret)
     .replace(/{{FORM_SECRET}}/g, formSecret);
 
+  // Load the module from the docker container to the local folder
+  const modulesFolder = await loadModuleToTmp(moduleContainerImage);
+
   container = await new GenericContainer(containerImage)
     // Load addition python modules from the /modules folder
     .withEnvironment({ PYTHONPATH: '/modules' })
@@ -57,7 +61,7 @@ export async function startSynapse({
     ])
     .withCopyDirectoriesToContainer([
       {
-        source: path.resolve(__dirname, 'modules'),
+        source: modulesFolder,
         target: '/modules',
       },
     ])
@@ -119,3 +123,24 @@ export async function stopSynapse() {
     console.log('Stopped synapse');
   }
 }
+
+async function loadModuleToTmp(containerImage: string): Promise<string> {
+  const modulesFolder = path.resolve(__dirname, './.tmp/modules');
+
+  await rm(path.resolve(modulesFolder, './*'), {
+    recursive: true,
+    force: true,
+  });
+
+  await new GenericContainer(containerImage)
+    .withBindMounts([
+      {
+        source: modulesFolder,
+        target: '/modules',
+        mode: 'rw',
+      },
+    ])
+    .start();
+
+  return modulesFolder;
+}

element-web-guest-module/package.json

@@ -12,6 +12,7 @@
     "build": "yarn clean && yarn build:compile && yarn build:types",
     "build:types": "tsc --emitDeclarationOnly && api-extractor run --verbose --local",
     "build:compile": "node build.js",
+    "docker:build": "echo \"Nothing to build\"",
     "tsc": "tsc",
     "lint": "eslint . --max-warnings=0",
     "test": "jest --watch",

package.json

@@ -3,6 +3,7 @@
   "private": true,
   "workspaces": [
     "element-web-guest-module",
+    "synapse-guest-module",
     "e2e"
   ],
   "scripts": {
@@ -18,6 +19,8 @@
     "deduplicate": "yarn-deduplicate",
     "prepare": "husky install",
     "release": "node ./scripts/publishAllPackages.js",
+    "version": "node ./scripts/versionAllPackages.js",
+    "docker:build": "yarn workspaces run docker:build",
     "e2e": "yarn workspace e2e e2e"
   },
   "devDependencies": {