Add support to deprovision matrix/synapse users

Author: doobry-systemli

.env.example

@@ -6,3 +6,6 @@ NEXTCLOUD_OIDC_PROVIDER_ID="1"
 NEXTCLOUD_USER_DOMAIN="example.org"
 NEXTCLOUD_ADMIN_USERNAME="admin"
 NEXTCLOUD_ADMIN_PASSWORD="admin"
+SYNAPSE_USER_ADMIN_API_URL="https://matrix.example.org/_synapse/admin/v1"
+SYNAPSE_USER_DOMAIN="example.org"
+SYNAPSE_ADMIN_ACCESS_TOKEN="token"

config.go

@@ -7,13 +7,15 @@ type Config struct {
 	ListenAddr    string
 	WebhookSecret string
 	Nextcloud     *NextcloudConfig
+	Synapse       *SynapseConfig
 }
 
 func BuildConfig() *Config {
 	cfg := &Config{
 		LogLevel:   "info",
 		ListenAddr: ":8080",
 		Nextcloud:  &NextcloudConfig{},
+		Synapse:    &SynapseConfig{},
 	}
 
 	if os.Getenv("LOG_LEVEL") != "" {
@@ -30,6 +32,11 @@ func BuildConfig() *Config {
 		ProviderID: getEnvOrFatal("NEXTCLOUD_OIDC_PROVIDER_ID"),
 		Domain:     getEnvOrFatal("NEXTCLOUD_USER_DOMAIN"),
 	}
+	cfg.Synapse = &SynapseConfig{
+		ApiUrl:      getEnvOrFatal("SYNAPSE_USER_ADMIN_API_URL"),
+		AccessToken: getEnvOrFatal("SYNAPSE_ADMIN_ACCESS_TOKEN"),
+		Domain:      getEnvOrFatal("SYNAPSE_USER_DOMAIN"),
+	}
 
 	return cfg
 }

config_test.go

@@ -20,6 +20,9 @@ func (s *ConfigSuite) TestBuildConfig() {
 	os.Setenv("NEXTCLOUD_ADMIN_PASSWORD", "password")
 	os.Setenv("NEXTCLOUD_OIDC_PROVIDER_ID", "1")
 	os.Setenv("NEXTCLOUD_USER_DOMAIN", "example.com")
+	os.Setenv("SYNAPSE_USER_ADMIN_API_URL", "https://example.com/_synapse/admin/v1")
+	os.Setenv("SYNAPSE_ADMIN_ACCESS_TOKEN", "token")
+	os.Setenv("SYNAPSE_USER_DOMAIN", "example.com")
 
 	cfg := BuildConfig()
 
@@ -33,6 +36,11 @@ func (s *ConfigSuite) TestBuildConfig() {
 	s.Equal("password", cfg.Nextcloud.Password)
 	s.Equal("1", cfg.Nextcloud.ProviderID)
 	s.Equal("example.com", cfg.Nextcloud.Domain)
+
+	s.NotNil(cfg.Synapse)
+	s.Equal("https://example.com/_synapse/admin/v1", cfg.Synapse.ApiUrl)
+	s.Equal("token", cfg.Synapse.AccessToken)
+	s.Equal("example.com", cfg.Synapse.Domain)
 }
 
 func TestConfig(t *testing.T) {

main.go

@@ -33,7 +33,8 @@ func main() {
 	config := BuildConfig()
 	logger.Info("Starting server", zap.String("listenAddr", config.ListenAddr))
 	nc := NewNextcloud(config.Nextcloud)
-	s := NewServer(config.WebhookSecret, nc)
+	sy := NewSynapse(config.Synapse)
+	s := NewServer(config.WebhookSecret, nc, sy)
 	if err := s.Start(config.ListenAddr); err != nil {
 		logger.Fatal("Failed to start server", zap.Error(err))
 	}

server.go

@@ -16,14 +16,16 @@ import (
 type Server struct {
 	router        *chi.Mux
 	nextcloud     *Nextcloud
+	synapse       *Synapse
 	webhookSecret string
 }
 
-func NewServer(webhookSecret string, nextcloud *Nextcloud) *Server {
+func NewServer(webhookSecret string, nextcloud *Nextcloud, synapse *Synapse) *Server {
 	return &Server{
 		router:        chi.NewRouter(),
 		webhookSecret: webhookSecret,
 		nextcloud:     nextcloud,
+		synapse:       synapse,
 	}
 }
 
@@ -75,6 +77,11 @@ func (s *Server) handleUserDeleted(event UserEvent) {
 	if err != nil {
 		logger.Error("Failed to deprovision user in Nextcloud")
 	}
+
+	err = s.synapse.DeprovisionUser(event.Data.Email)
+	if err != nil {
+		logger.Error("Failed to deprovision user in Synapse")
+	}
 }
 
 func (s *Server) Authmiddleware(next http.Handler) http.Handler {

server_test.go

@@ -23,16 +23,23 @@ func (s *ServerSuite) SetupTest() {
 	gock.DisableNetworking()
 	defer gock.Off()
 
-	config := &NextcloudConfig{
+	ncConfig := &NextcloudConfig{
 		ApiUrl:     "https://example.com/ocs/v2.php/apps/user_oidc/api/v1/user",
 		Username:   "admin",
 		Password:   "password",
 		ProviderID: "provider-id",
 		Domain:     "example.com",
 	}
-	nc := NewNextcloud(config)
+	nc := NewNextcloud(ncConfig)
 
-	s.server = NewServer("secret", nc)
+	syConfig := &SynapseConfig{
+		ApiUrl:      "https://example.com/_synapse/admin/v1",
+		AccessToken: "token",
+		Domain:      "example.com",
+	}
+	sy := NewSynapse(syConfig)
+
+	s.server = NewServer("secret", nc, sy)
 }
 
 func (s *ServerSuite) TestHandleWebhook() {
@@ -92,6 +99,10 @@ func (s *ServerSuite) TestHandleUserDeleted() {
 			Delete("/ocs/v2.php/apps/user_oidc/api/v1/user/user").
 			Reply(200)
 
+		gock.New("https://example.com").
+			Post("/_synapse/admin/v1/deactivate/user").
+			Reply(200)
+
 		event := UserEvent{
 			Type: EventTypeUserDeleted,
 			Data: struct {

synapse.go

@@ -0,0 +1,72 @@
+package main
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+)
+
+type SynapseConfig struct {
+	ApiUrl      string
+	AccessToken string
+	Domain      string
+}
+
+type Synapse struct {
+	client *http.Client
+	config *SynapseConfig
+}
+
+func NewSynapse(cfg *SynapseConfig) *Synapse {
+	client := &http.Client{}
+
+	return &Synapse{
+		client: client,
+		config: cfg,
+	}
+}
+
+func (s *Synapse) DeprovisionUser(email string) error {
+	// Extract the userId from the email
+	userId := strings.Split(email, "@")[0]
+	domain := strings.Split(email, "@")[1]
+
+	if domain != s.config.Domain {
+		return fmt.Errorf("domain not allowed: %s", domain)
+	}
+
+	body := map[string]any{
+		"erase": true,
+	}
+	jsonData, err := json.Marshal(body)
+	if err != nil {
+		return fmt.Errorf("failed to marshal request body: %v", err)
+	}
+
+	req, err := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/deactivate/@%s:%s", s.config.ApiUrl, userId, domain), bytes.NewBuffer(jsonData))
+	if err != nil {
+		return fmt.Errorf("failed to create request: %v", err)
+	}
+
+	s.prepareRequest(req)
+	res, err := s.client.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to deprovision user: %v", err)
+	}
+	defer res.Body.Close()
+
+	if res.StatusCode != http.StatusOK && res.StatusCode != http.StatusNotFound {
+		return fmt.Errorf("failed to deprovision user, status code: %d", res.StatusCode)
+	}
+
+	return nil
+}
+
+func (s *Synapse) prepareRequest(req *http.Request) {
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer: %s", s.config.AccessToken))
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("User-Agent", "UserliWebhookListener/1.0")
+	req.Header.Set("ocs-apirequest", "true")
+}

synapse_test.go

@@ -0,0 +1,65 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/h2non/gock"
+	"github.com/stretchr/testify/suite"
+)
+
+type SynapseSuite struct {
+	suite.Suite
+
+	synapse *Synapse
+}
+
+func (s *SynapseSuite) SetupTest() {
+	gock.DisableNetworking()
+	defer gock.Off()
+
+	config := &SynapseConfig{
+		ApiUrl:      "https://example.com/_synapse/admin/v1",
+		AccessToken: "token",
+		Domain:      "example.com",
+	}
+
+	s.synapse = NewSynapse(config)
+}
+
+func (s *SynapseSuite) TestDeprovisionUser() {
+	s.Run("happy path", func() {
+		gock.New("https://example.com").
+			Post("/_synapse/admin/v1/deactivate/@user:example.com").
+			Reply(200)
+
+		err := s.synapse.DeprovisionUser("user@example.com")
+		s.NoError(err)
+	})
+
+	s.Run("wrong domain", func() {
+		err := s.synapse.DeprovisionUser("user@example.org")
+		s.Error(err)
+	})
+
+	s.Run("user not found", func() {
+		gock.New("https://example.com").
+			Post("/_synapse/admin/v1/deactivate/@user:example.com").
+			Reply(404)
+
+		err := s.synapse.DeprovisionUser("user@example.com")
+		s.NoError(err)
+	})
+
+	s.Run("error path", func() {
+		gock.New("https://example.com").
+			Delete("/_synapse/admin/v1/deactivate/user").
+			Reply(500)
+
+		err := s.synapse.DeprovisionUser("user@example.com")
+		s.Error(err)
+	})
+}
+
+func TestSynapseSuite(t *testing.T) {
+	suite.Run(t, new(SynapseSuite))
+}