From c67abc23a8adc716f7f0dfd51face31b1249c6b1 Mon Sep 17 00:00:00 2001 From: Norbert Szulc Date: Sun, 8 Nov 2020 16:46:56 +0100 Subject: [PATCH] app/matrix enable cas proxy for matrix.0x3c.pl Change-Id: I63c8172dbc93b9f6781aa03f7924be944b8f1846 --- app/matrix/lib/matrix.libsonnet | 2 + app/matrix/matrix.0x3c.pl.jsonnet | 15 ++++--- .../cipher/cas-proxy-0x3c-0auth2-secret | 40 +++++++++++++++++++ 3 files changed, 52 insertions(+), 5 deletions(-) create mode 100644 app/matrix/secrets/cipher/cas-proxy-0x3c-0auth2-secret diff --git a/app/matrix/lib/matrix.libsonnet b/app/matrix/lib/matrix.libsonnet index 4190941b..5f9ecd22 100644 --- a/app/matrix/lib/matrix.libsonnet +++ b/app/matrix/lib/matrix.libsonnet @@ -51,6 +51,8 @@ local postgres = import "../../../kube/postgres.libsonnet"; appserviceTelegram: "dock.mau.dev/tulir/mautrix-telegram@sha256:9e68eaa80c9e4a75d9a09ec92dc4898b12d48390e01efa4de40ce882a6f7e330", }, + # Central Authentication Scheme, a single-sign-on system. Note: this flow is now called 'SSO' in Matrix, we keep this name for legacy reasons. + # Refer to https://matrix.org/docs/spec/client_server/r0.6.1#sso-client-login cas: { # whether to enable the CAS proxy (ie. connect to hswaw sso via OAuth) enable: false, diff --git a/app/matrix/matrix.0x3c.pl.jsonnet b/app/matrix/matrix.0x3c.pl.jsonnet index 76de45f4..b84bbfb0 100644 --- a/app/matrix/matrix.0x3c.pl.jsonnet +++ b/app/matrix/matrix.0x3c.pl.jsonnet @@ -9,11 +9,16 @@ matrix { namespace: "matrix-0x3c", webDomain: "matrix.0x3c.pl", serverName: "0x3c.pl", - }, - - synapseConfig+:: { - password_config: { - enabled: true, + cas: { + enable: true, + oauth2: { + clientID: "YCWg1Qor9YstKn_yAHB_NT3GFAGqbnDFzIwyI_fCUWI", + clientSecret: (std.split(importstr "secrets/cipher/cas-proxy-0x3c-0auth2-secret", "\n"))[0], + scope: "read:accounts", + authorizeURL: "https://0x3c.pl/oauth/authorize", + tokenURL: "https://0x3c.pl/oauth/token", + userinfoURL: "https://0x3c.pl/api/v1/accounts/verify_credentials", + }, }, }, 
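Review bot: The new comment above `cas:` in matrix.libsonnet expands CAS as "Central Authentication Scheme", but the protocol's name is Central Authentication Service. I would change the line to `# Central Authentication Service, a single-sign-on system. Note: this flow is now called 'SSO' in Matrix, we keep this name for legacy reasons.` so that readers searching for the term find the right protocol.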
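Review bot: The `clientSecret` expression in the new `cas.oauth2` block of matrix.0x3c.pl.jsonnet reads `secrets/cipher/cas-proxy-0x3c-0auth2-secret`, which is the PGP-armored file this same commit adds. As written, `std.split(..., "\n")[0]` would therefore evaluate to the armor header `-----BEGIN PGP MESSAGE-----` rather than the OAuth2 client secret, leaving the proxy configured with a fixed, publicly known string. Unless the repository's tooling decrypts that path in place before jsonnet is evaluated (not visible here), the import should point at the decrypted copy, e.g. `clientSecret: std.split(importstr "<PATH_TO_DECRYPTED_SECRET>", "\n")[0],`. The same hunk also drops the `synapseConfig+:: { password_config: { enabled: true } }` override, so password login falls back to whatever the library default is. It is worth confirming that existing password accounts on this homeserver still have a working login path once SSO is enabled.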
diff --git a/app/matrix/secrets/cipher/cas-proxy-0x3c-0auth2-secret b/app/matrix/secrets/cipher/cas-proxy-0x3c-0auth2-secret
new file mode 100644
index 00000000..c76bb2bf
--- /dev/null
+++ b/app/matrix/secrets/cipher/cas-proxy-0x3c-0auth2-secret
@@ -0,0 +1,40 @@ +-----BEGIN PGP MESSAGE----- + +hQEMAzhuiT4RC8VbAQf+MKcSbBwjRm7i8kmSBCB/uJTCpfOVMFW6Bj6LFJs3TsGA +KSASy7hjPsWKwFSknBZkA2MjKU+otu1vpH8MeKcmo0lFLDmQZB5cTduHkJKt0WIQ +JZhc6lOSYoiKB5spliJbdtbRrMYt3QX3niy7KDMQawZRDjAfYmJLcfYVcQBqrL+7 +KXZnBTlzUdd4XUD4z5FJb3NfwVXG1BLlpsebvJ2qDC3C6XJ1W+1zw7xN4GiM4rhy +V5rMOwAJQNi7dYfCNQlTOVEPGSCJsoS85J65CSij7SfsT3yrV0YnwrKMXhlW7b0K +MHCG16nrGeKMmUCXe3dPZ+EAzNw5HibAnU65wCs7ZYUBDANcG2tp6fXqvgEIALXi +lX4YIYO/x6sFFJSeHX4209D3mzbevXUnyhm60ldzqRLTlODAGe+3hVOUWfbJTNSN +l4Pl7ndQlVU/kdW7mwCP2iDrLA+Ez2E3F+LijR6xLtfJ8UmdD6ebEJrUuSot+h5b +DIDFxLlnDP89JpstlcmuwzjyNoPDa1YfYkhE/owMe5VBBqDWlcPRY9spyLrq3D9a +M5D7PaoDE7NRSnhkdJDbr6ME3hF0bcxd5pI3YNTKRGyqy/AS3idvKU2vvxkPHEXU +QtkNthcGHlg5LBFYuqUI/+CsG3SUnNGlyfcZa8rFCfa4lFmc3X1kaiUZPa9YOZ+x +VEFt0psxuhEC9i9hroGFAgwDodoT8VqRl4UBD/9CltJg6H+u9ItbyfNaqL7BFEPv +0PFMWMhn2BUkLqxonwaneJn2m3t/EcOW+7RZ6NfmQoYYNivqfI2VfG4lVUvGCQlr +Y8E8qKBF5WEJl2v8/m7VPx3w7oleVCZyS7I4QZoXRkoCmVbarzmCw5bc7+OGvKeu +TKrufPUNVuMWjBJMsgM7JHuPefCN1JyvMY5GCoYjOViQ6X8I9GuEc9YPsTkboLm9 +9UcJlWisxO+RHipvkhtDTPiATSAXE/0y2q9fuYMWymphyCH+uFE9s83wGwFyYd/H +j/6CCcQ0emIdD62I0xU4UOwJeACXwXAmJGDl29W+l3v4teDYHN4uSn6otcmoUVRK +h2EsDCqMYre6eNsa6ti051GqtZroopI5vr2Z90//2r4LWjCscBOo0EV+HvkOWGwa +1fI6kyi0SH8edRdrfcNaw7DHAHulHzZPtsBi4S4IhC5NuO7SzOe5Ff8MDaMINLF/ +F8Nmpiz10rHZjGgLLGrxWcmF/Xxt09WW6Y5R1giwno8mumDHJNr7QYtwtajuXS3s +O0OczCJ3lE6EK9+isAmmBbOb/ifKVuE4oV0HRNPMi7TR95eHjHrjtagz247DsH1c +rAq8E/HiegkzKFNtZf5KNHl8vjV5TO7P7bnJ92wAxk9gmC0iNzsD9knM/R41mxM4 +r2A+wiN8GC2XBr2WOIUCDAPiA8lOXOuz7wEP/1ymG4vINQJBGKFjuTmerQDYQLVF +24PerzrlgCi07tNg7+BnEBdknWihAetmuUbD+zWbJOzehmrsyIU+azKScJOA7Ia8 +KFtKenIMWnt4II53g5KKKP8oIi6XUT4j/k2JxFBRcAv0O677gPbBxCd8M3aE7+zn +9M3BpBbZZyPqUFcR7xsyMKvZIm6kzvuR9MBjESmo5c5AQQ1EgpPyJ3AgF6zPiAsB +SaL/dmSG1zu6ywbp6kFBz81lOBAUclu0M9+H67s7gB8oVZSifrSxppU36Z9K+8L1 +ykcBv1C5niufZY7EGpdTwMhPAA6PtPQg91LG8JQv0GGuoqCC5flPxmCFEZr2+rw8 +IxOwN9eyyvCyHIy0AQCP5EfoPXYlRIaDB6RDde7utUf+Pz71kbWdXKXDICsIscAv 
+YhNgT8hRmpMHNMvVjOrRffr0FRafNxw60nAiw1EY3eTim2cMcGi9zouGPDUucPV1 +nkAl27sm8Nnb2e0wkWTbRZTAVXYLQemiCtRhzbHS8BcPzReux8X1/CS3bTav+2h7 +RZvEDetEdKFPOVdVaoxhzF/jm4dcaxwfrHfCJGvFS2TEKvdgT/TJAfVltYsNjH0+ +0gIKOGSPJqsBcn0GJfrNeEKu/eWFeCdfp7n4nbCp18XQEU5CkxJtK9i73NEEzr2r +mHqfnMpdNIJRKhmw0oIBjaGwldQi29p0MJx0quO/SdDJ3MZ7SnmDWZ110axEVWLP +5V+ekuq5/qjsNNWsN8esCIUkN+q/zi7hBDTiLK+MaxwCFAauSetPqzl285mE5Wot ++vSqsmmF/zUOCr+0n5Ro1C2OadkzRMGX65YqY3oi/nBTBloEiBjNEs0bKWzyVDXA +=lLbb +-----END PGP MESSAGE-----