Add a admin flag to the compatibility session

Also adds a CLI tool to issue a compatibility token.
2025-07-28 11:02:02 +03:00 · 2023-06-16 14:30:40 +02:00
parent 08d9b0b886
commit 2a514cf452
13 changed files with 185 additions and 70 deletions
--- a/crates/cli/src/commands/manage.rs
+++ b/crates/cli/src/commands/manage.rs
@ -15,9 +15,11 @@
 use anyhow::Context;
 use clap::{Parser, ValueEnum};
 use mas_config::{DatabaseConfig, PasswordsConfig, RootConfig};
+use mas_data_model::{Device, TokenType};
 use mas_iana::{jose::JsonWebSignatureAlg, oauth::OAuthClientAuthenticationMethod};
 use mas_router::UrlBuilder;
 use mas_storage::{
+    compat::{CompatAccessTokenRepository, CompatSessionRepository},
    oauth2::OAuth2ClientRepository,
    upstream_oauth2::UpstreamOAuthProviderRepository,
    user::{UserEmailRepository, UserPasswordRepository, UserRepository},
@ -182,6 +184,20 @@ enum Subcommand {
        #[arg(long)]
        client_secret: Option<String>,
    },
+
+    /// Issue a compatibility token
+    IssueCompatibilityToken {
+        /// User for which to issue the token
+        username: String,
+
+        /// Device ID to set in the token. If not specified, a random device ID
+        /// will be generated.
+        device_id: Option<String>,
+
+        /// Whether that token should be admin
+        #[arg(long = "yes-i-want-to-grant-synapse-admin-privileges")]
+        admin: bool,
+    },
 }

 impl Options {
@ -375,6 +391,53 @@ impl Options {

                Ok(())
            }
+
+            SC::IssueCompatibilityToken {
+                username,
+                admin,
+                device_id,
+            } => {
+                let config: DatabaseConfig = root.load_config()?;
+                let pool = database_from_config(&config).await?;
+                let mut repo = PgRepository::from_pool(&pool).await?.boxed();
+
+                let user = repo
+                    .user()
+                    .find_by_username(username)
+                    .await?
+                    .context("User not found")?;
+
+                let device = if let Some(device_id) = device_id {
+                    device_id.clone().try_into()?
+                } else {
+                    Device::generate(&mut rng)
+                };
+
+                let compat_session = repo
+                    .compat_session()
+                    .add(&mut rng, &clock, &user, device, *admin)
+                    .await?;
+
+                let token = TokenType::CompatAccessToken.generate(&mut rng);
+
+                let compat_access_token = repo
+                    .compat_access_token()
+                    .add(&mut rng, &clock, &compat_session, token, None)
+                    .await?;
+
+                repo.save().await?;
+
+                info!(
+                    %compat_access_token.id,
+                    %compat_session.id,
+                    %compat_session.device,
+                    %user.id,
+                    %user.username,
+                    "Compatibility token issued: {}", compat_access_token.token
+                );
+
+                Ok(())
+            }
        }
    }
 }