Fix Complement not using HSPortBindingIP (127.0.0.1) for the homeserver BaseURL#781
Merged
MadLittleMods merged 15 commits intomainfrom May 29, 2025
Merged
Fix Complement not using HSPortBindingIP (127.0.0.1) for the homeserver BaseURL#781MadLittleMods merged 15 commits intomainfrom
HSPortBindingIP (127.0.0.1) for the homeserver BaseURL#781MadLittleMods merged 15 commits intomainfrom
Conversation
…server `BaseURL` Regressed in #776 which started using the Docker default (`0.0.0.0`). This caused downstream issues in some of our out-of-repo Complement tests which stress some SSO/OIDC login flows and expect to be using the canonical `public_baseurl` configured in Synapse.
MadLittleMods
commented
May 26, 2025
internal/docker/deployer.go
Outdated
Comment on lines
+316
to
+320
| err = waitForPorts(ctx, d.Docker, hsDep.ContainerID) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to get ports for container %s: %s", hsDep.ContainerID, err) | ||
| return fmt.Errorf("failed to wait for ports on container %s: %s", hsDep.ContainerID, err) | ||
| } | ||
| baseURL, fedBaseURL, err := getHostAccessibleHomeserverUrls(ctx, d.Docker, hsDep.ContainerID, d.config.HSPortBindingIP) |
Collaborator
Author
There was a problem hiding this comment.
To clean things up, I've refactored waitForPorts(...) to only do the waiting part as described. We now assemble BaseURL and FedBaseUrl via getHostAccessibleHomeserverUrls(...)
As discovered by @richvdh Spawning from - #779 (comment) - #779 (comment)
richvdh
reviewed
May 28, 2025
Member
richvdh
left a comment
There was a problem hiding this comment.
A few nitpicks and questions.
This reverts commit da98b90.
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Collaborator
Author
|
Thanks for the review @richvdh 🦘 |
jevolk
pushed a commit
to matrix-construct/complement
that referenced
this pull request
Jul 22, 2025
…server `BaseURL` (matrix-org#781) Regressed in matrix-org#776 which started using the Docker default `HostIP` (`0.0.0.0`) because we removed the specific `HSPortBindingIP` port bindings for `8008` and `8448` (see "Root cause" section below). ### Problem This caused downstream issues in some of our out-of-repo Complement tests (Element internal) which stress some SSO/OIDC login flows with Synapse. Before matrix-org#776, [`SsoRedirectServlet`](https://github.com/element-hq/synapse/blob/33ba8860c43d4770ea119a09a4fcbbf366f3b32e/synapse/rest/client/login.py#L645-L683) received a request like this `http://127.0.0.1:8008/_matrix/client/v3/login/sso/redirect/oidc-test_idp?redirectUrl=http%3A%2F%2Fapp.my-fake-client.io%2Fclient-callback`. But now it's seeing `http://0.0.0.0:8008/_matrix/client/v3/login/sso/redirect/oidc-test_idp?redirectUrl=http%3A%2F%2Fapp.my-fake-client.io%2Fclient-callback` and tries to redirect to the canonical `http://127.0.0.1:8008/` address which would then go to the step we expect in the tests (authorization endpoint). Basically, the `host` header in the request used to be set to `127.0.0.1:8008` but now it's `0.0.0.0:8008`. Synapse wants to use the canonical URL so the cookies are available so it redirects you to the canonical `public_baseurl` version first. Relevant Synapse code that cares about using the canonical URL to get cookies back -> [`SsoRedirectServlet`](https://github.com/element-hq/synapse/blob/33ba8860c43d4770ea119a09a4fcbbf366f3b32e/synapse/rest/client/login.py#L645-L683) We could alternatively, update our out-of-repo tests to account for this extra redirect but it seems more appropriate to update Complement to use the the configured `HSPortBindingIP` as expected. ### Root cause The host name used in the requests during the Complement tests is from the `client.BaseURL` which is sourced from the [Docker container port mapping/bindings](https://github.com/matrix-org/complement/blob/28a09014afd1f9c75a3549b4cd9d8fc480ba1149/internal/docker/deployer.go#L521) in Complement. In matrix-org#776, we removed the explicit port bindings for `8008` with `HSPortBindingIP` ([`127.0.0.1`](https://github.com/matrix-org/complement/blob/28a09014afd1f9c75a3549b4cd9d8fc480ba1149/config/config.go#L180)) so now it uses Docker's default `0.0.0.0`. ```patch diff --git a/internal/docker/deployer.go b/internal/docker/deployer.go index cdcf51a..a186b30 100644 --- a/internal/docker/deployer.go +++ b/internal/docker/deployer.go @@ -382,20 +380,8 @@ func deployImage( }, &container.HostConfig{ CapAdd: []string{"NET_ADMIN"}, // TODO : this should be some sort of option PublishAllPorts: true, - PortBindings: nat.PortMap{ - nat.Port("8008/tcp"): []nat.PortBinding{ - { - HostIP: cfg.HSPortBindingIP, - }, - }, - nat.Port("8448/tcp"): []nat.PortBinding{ - { - HostIP: cfg.HSPortBindingIP, - }, - }, - }, ```
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix Complement not using
config.HSPortBindingIP(127.0.0.1) for the homeserverBaseURL.Regressed in #776 which started using the Docker default
HostIP(0.0.0.0) because we removed the specificHSPortBindingIPport bindings for8008and8448(see "Root cause" section below).Problem
This caused downstream issues in some of our out-of-repo Complement tests (Element internal) which stress some SSO/OIDC login flows with Synapse.
Before #776,
SsoRedirectServletreceived a request like thishttp://127.0.0.1:8008/_matrix/client/v3/login/sso/redirect/oidc-test_idp?redirectUrl=http%3A%2F%2Fapp.my-fake-client.io%2Fclient-callback. But now it's seeinghttp://0.0.0.0:8008/_matrix/client/v3/login/sso/redirect/oidc-test_idp?redirectUrl=http%3A%2F%2Fapp.my-fake-client.io%2Fclient-callbackand tries to redirect to the canonicalhttp://127.0.0.1:8008/address which would then go to the step we expect in the tests (authorization endpoint).Basically, the
hostheader in the request used to be set to127.0.0.1:8008but now it's0.0.0.0:8008. Synapse wants to use the canonical URL so the cookies are available so it redirects you to the canonicalpublic_baseurlversion first. Relevant Synapse code that cares about using the canonical URL to get cookies back ->SsoRedirectServletWe could alternatively, update our out-of-repo tests to account for this extra redirect but it seems more appropriate to update Complement to use the the configured
HSPortBindingIPas expected.Root cause
The host name used in the requests during the Complement tests is from the
client.BaseURLwhich is sourced from the Docker container port mapping/bindings in Complement.In #776, we removed the explicit port bindings for
8008withHSPortBindingIP(127.0.0.1) so now it uses Docker's default0.0.0.0.Dev notes
Locally link Complement package into your tests
See https://thewebivore.com/using-replace-in-go-mod-to-point-to-your-local-module/
So you can edit the Complement source code and use it in the tests.
complement/go.modcd complement && go mod tidy && cd ..Pull Request Checklist