Federation fixes for virtual hosting

2025-07-29 12:42:46 +00:00 · 2022-11-15 15:05:23 +00:00 · 2022-11-15 15:05:23 +00:00 · 6650712a1c
commit 6650712a1c
parent f4ee397734
73 changed files with 736 additions and 420 deletions
--- a/setup/config/config.go
+++ b/setup/config/config.go
@ -231,6 +231,21 @@ func loadConfig(
 		return nil, err
 	}

+	for _, v := range c.Global.VirtualHosts {
+		if v.KeyValidityPeriod == 0 {
+			v.KeyValidityPeriod = c.Global.KeyValidityPeriod
+		}
+		if v.PrivateKeyPath == "" {
+			v.KeyID = c.Global.KeyID
+			v.PrivateKey = c.Global.PrivateKey
+			continue
+		}
+		privateKeyPath := absPath(basePath, v.PrivateKeyPath)
+		if v.KeyID, v.PrivateKey, err = LoadMatrixKey(privateKeyPath, readFile); err != nil {
+			return nil, err
+		}
+	}
+
 	for _, key := range c.Global.OldVerifyKeys {
 		switch {
 		case key.PrivateKeyPath != "":
--- a/setup/config/config_global.go
+++ b/setup/config/config_global.go
@ -1,6 +1,7 @@
 package config

 import (
+	"fmt"
 	"math/rand"
 	"strconv"
 	"strings"
@ -15,7 +16,7 @@ type Global struct {
 	ServerName gomatrixserverlib.ServerName `yaml:"server_name"`

 	// The secondary server names, used for virtual hosting.
-	SecondaryServerNames []gomatrixserverlib.ServerName `yaml:"-"`
+	VirtualHosts []*VirtualHost `yaml:"virtual_hosts"`

 	// Path to the private key which will be used to sign requests and events.
 	PrivateKeyPath Path `yaml:"private_key"`
@ -114,6 +115,10 @@ func (c *Global) Verify(configErrs *ConfigErrors, isMonolith bool) {
 	checkNotEmpty(configErrs, "global.server_name", string(c.ServerName))
 	checkNotEmpty(configErrs, "global.private_key", string(c.PrivateKeyPath))

+	for _, v := range c.VirtualHosts {
+		v.Verify(configErrs)
+	}
+
 	c.JetStream.Verify(configErrs, isMonolith)
 	c.Metrics.Verify(configErrs, isMonolith)
 	c.Sentry.Verify(configErrs, isMonolith)
@ -127,14 +132,85 @@ func (c *Global) IsLocalServerName(serverName gomatrixserverlib.ServerName) bool
 	if c.ServerName == serverName {
 		return true
 	}
-	for _, secondaryName := range c.SecondaryServerNames {
-		if secondaryName == serverName {
+	for _, v := range c.VirtualHosts {
+		if v.ServerName == serverName {
 			return true
 		}
 	}
 	return false
 }

+func (c *Global) SplitLocalID(sigil byte, id string) (string, gomatrixserverlib.ServerName, error) {
+	u, s, err := gomatrixserverlib.SplitID(sigil, id)
+	if err != nil {
+		return u, s, err
+	}
+	if !c.IsLocalServerName(s) {
+		return u, s, fmt.Errorf("server name %q not known", s)
+	}
+	return u, s, nil
+}
+
+func (c *Global) SigningIdentityFor(serverName gomatrixserverlib.ServerName) (*gomatrixserverlib.SigningIdentity, error) {
+	for _, id := range c.SigningIdentities() {
+		if id.ServerName == serverName {
+			return id, nil
+		}
+	}
+	return nil, fmt.Errorf("no signing identity %q", serverName)
+}
+
+func (c *Global) SigningIdentities() []*gomatrixserverlib.SigningIdentity {
+	identities := make([]*gomatrixserverlib.SigningIdentity, 0, len(c.VirtualHosts)+1)
+	identities = append(identities, &gomatrixserverlib.SigningIdentity{
+		ServerName: c.ServerName,
+		KeyID:      c.KeyID,
+		PrivateKey: c.PrivateKey,
+	})
+	for _, v := range c.VirtualHosts {
+		identities = append(identities, v.SigningIdentity())
+	}
+	return identities
+}
+
+type VirtualHost struct {
+	// The server name of the virtual host.
+	ServerName gomatrixserverlib.ServerName `yaml:"server_name"`
+
+	// The key ID of the private key. If not specified, the default global key ID
+	// will be used instead.
+	KeyID gomatrixserverlib.KeyID `yaml:"key_id"`
+
+	// Path to the private key. If not specified, the default global private key
+	// will be used instead.
+	PrivateKeyPath Path `yaml:"private_key"`
+
+	// The private key itself.
+	PrivateKey ed25519.PrivateKey `yaml:"-"`
+
+	// How long a remote server can cache our server key for before requesting it again.
+	// Increasing this number will reduce the number of requests made by remote servers
+	// for our key, but increases the period a compromised key will be considered valid
+	// by remote servers.
+	// Defaults to 24 hours.
+	KeyValidityPeriod time.Duration `yaml:"key_validity_period"`
+
+	// Is registration enabled on this virtual host?
+	AllowRegistration bool `json:"allow_registration"`
+}
+
+func (v *VirtualHost) Verify(configErrs *ConfigErrors) {
+	checkNotEmpty(configErrs, "virtual_host.*.server_name", string(v.ServerName))
+}
+
+func (v *VirtualHost) SigningIdentity() *gomatrixserverlib.SigningIdentity {
+	return &gomatrixserverlib.SigningIdentity{
+		ServerName: v.ServerName,
+		KeyID:      v.KeyID,
+		PrivateKey: v.PrivateKey,
+	}
+}
+
 type OldVerifyKeys struct {
 	// Path to the private key.
 	PrivateKeyPath Path `yaml:"private_key"`