Apply an IP range blacklist to push and key revocation requests. (#8821)

Replaces the `federation_ip_range_blacklist` configuration setting with an `ip_range_blacklist` setting with wider scope. It now applies to: * Federation * Identity servers * Push notifications * Checking key validitity for third-party invite events The old `federation_ip_range_blacklist` setting is still honored if present, but with reduced scope (it only applies to federation and identity servers).
author: Patrick Cloke <clokep@users.noreply.github.com> 2020-12-02 11:09:24 -0500
committer: GitHub <noreply@github.com> 2020-12-02 11:09:24 -0500
commit: 30fba6210834a4ecd91badf0c8f3eb278b72e746 (patch)
tree: 3396057c52cf6372d4bec0d32fe08f767f6f5d31 /synapse/http/federation
parent: Correctly handle unpersisted events when calculating auth chain difference. (... (diff)
download: synapse-30fba6210834a4ecd91badf0c8f3eb278b72e746.tar.xz
1 files changed, 12 insertions, 4 deletions
diff --git a/synapse/http/federation/matrix_federation_agent.py b/synapse/http/federation/matrix_federation_agent.py
index e77f9587d0..3b756a7dc2 100644
--- a/synapse/http/federation/matrix_federation_agent.py
+++ b/synapse/http/federation/matrix_federation_agent.py
@@ -16,7 +16,7 @@ import logging
 import urllib.parse
 from typing import List, Optional
 
-from netaddr import AddrFormatError, IPAddress
+from netaddr import AddrFormatError, IPAddress, IPSet
 from zope.interface import implementer
 
 from twisted.internet import defer
@@ -31,6 +31,7 @@ from twisted.web.http_headers import Headers
 from twisted.web.iweb import IAgent, IAgentEndpointFactory, IBodyProducer
 
 from synapse.crypto.context_factory import FederationPolicyForHTTPS
+from synapse.http.client import BlacklistingAgentWrapper
 from synapse.http.federation.srv_resolver import Server, SrvResolver
 from synapse.http.federation.well_known_resolver import WellKnownResolver
 from synapse.logging.context import make_deferred_yieldable, run_in_background
@@ -70,6 +71,7 @@ class MatrixFederationAgent:
         reactor: IReactorCore,
         tls_client_options_factory: Optional[FederationPolicyForHTTPS],
         user_agent: bytes,
+        ip_blacklist: IPSet,
         _srv_resolver: Optional[SrvResolver] = None,
         _well_known_resolver: Optional[WellKnownResolver] = None,
     ):
@@ -90,12 +92,18 @@ class MatrixFederationAgent:
         self.user_agent = user_agent
 
         if _well_known_resolver is None:
+            # Note that the name resolver has already been wrapped in a
+            # IPBlacklistingResolver by MatrixFederationHttpClient.
             _well_known_resolver = WellKnownResolver(
                 self._reactor,
-                agent=Agent(
+                agent=BlacklistingAgentWrapper(
+                    Agent(
+                        self._reactor,
+                        pool=self._pool,
+                        contextFactory=tls_client_options_factory,
+                    ),
                     self._reactor,
-                    pool=self._pool,
-                    contextFactory=tls_client_options_factory,
+                    ip_blacklist=ip_blacklist,
                 ),
                 user_agent=self.user_agent,
             )
author	Patrick Cloke <clokep@users.noreply.github.com>	2020-12-02 11:09:24 -0500
committer	GitHub <noreply@github.com>	2020-12-02 11:09:24 -0500
commit	30fba6210834a4ecd91badf0c8f3eb278b72e746 (patch)
tree	3396057c52cf6372d4bec0d32fe08f767f6f5d31 /synapse/http/federation
parent	Correctly handle unpersisted events when calculating auth chain difference. (... (diff)
download	synapse-30fba6210834a4ecd91badf0c8f3eb278b72e746.tar.xz