Support for server ACLs (#1261)

* First pass at server ACLs (not efficient) * Use transaction origin, update whitelist * Fix federation API test It's sufficient for us to return nothing in response to current state, so that the server ACL check returns no ACLs. * More efficient server ACLs - hopefully * Fix queries * Fix queries * Avoid panics by nil pointers * Bug fixes * Fix state event type * Fix mutex * Update logging * Ignore port when matching servername * Use read mutex * Fix bugs * Fix sync API test * Comments * Add tests, tweaks to behaviour * Fix test output
2025-08-01 05:42:46 +00:00 · 2020-08-11 18:19:11 +01:00 · 2020-08-11 18:19:11 +01:00 · bcdf9577a3
commit bcdf9577a3
parent 8b6ab272fb
20 changed files with 581 additions and 16 deletions
--- a/currentstateserver/api/api.go
+++ b/currentstateserver/api/api.go
@ -36,6 +36,8 @@ type CurrentStateInternalAPI interface {
 	QuerySharedUsers(ctx context.Context, req *QuerySharedUsersRequest, res *QuerySharedUsersResponse) error
 	// QueryKnownUsers returns a list of users that we know about from our joined rooms.
 	QueryKnownUsers(ctx context.Context, req *QueryKnownUsersRequest, res *QueryKnownUsersResponse) error
+	// QueryServerBannedFromRoom returns whether a server is banned from a room by server ACLs.
+	QueryServerBannedFromRoom(ctx context.Context, req *QueryServerBannedFromRoomRequest, res *QueryServerBannedFromRoomResponse) error
 }

 type QuerySharedUsersRequest struct {
@ -101,6 +103,15 @@ type QueryKnownUsersResponse struct {
 	Users []authtypes.FullyQualifiedProfile `json:"profiles"`
 }

+type QueryServerBannedFromRoomRequest struct {
+	ServerName gomatrixserverlib.ServerName `json:"server_name"`
+	RoomID     string                       `json:"room_id"`
+}
+
+type QueryServerBannedFromRoomResponse struct {
+	Banned bool `json:"banned"`
+}
+
 // MarshalJSON stringifies the StateKeyTuple keys so they can be sent over the wire in HTTP API mode.
 func (r *QueryCurrentStateResponse) MarshalJSON() ([]byte, error) {
 	se := make(map[string]*gomatrixserverlib.HeaderedEvent, len(r.StateEvents))
--- a/currentstateserver/api/wrapper.go
+++ b/currentstateserver/api/wrapper.go
@ -1,3 +1,17 @@
+// Copyright 2020 The Matrix.org Foundation C.I.C.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package api

 import (
@ -25,6 +39,20 @@ func GetEvent(ctx context.Context, stateAPI CurrentStateInternalAPI, roomID stri
 	return nil
 }

+// IsServerBannedFromRoom returns whether the server is banned from a room by server ACLs.
+func IsServerBannedFromRoom(ctx context.Context, stateAPI CurrentStateInternalAPI, roomID string, serverName gomatrixserverlib.ServerName) bool {
+	req := &QueryServerBannedFromRoomRequest{
+		ServerName: serverName,
+		RoomID:     roomID,
+	}
+	res := &QueryServerBannedFromRoomResponse{}
+	if err := stateAPI.QueryServerBannedFromRoom(ctx, req, res); err != nil {
+		util.GetLogger(ctx).WithError(err).Error("Failed to QueryServerBannedFromRoom")
+		return true
+	}
+	return res.Banned
+}
+
 // PopulatePublicRooms extracts PublicRoom information for all the provided room IDs. The IDs are not checked to see if they are visible in the
 // published room directory.
 // due to lots of switches