diff --git a/synapse/events/validator.py b/synapse/events/validator.py
index a637fadfab..83d9fb5813 100644
--- a/synapse/events/validator.py
+++ b/synapse/events/validator.py
@@ -39,9 +39,9 @@ from synapse.events.utils import (
CANONICALJSON_MIN_INT,
validate_canonicaljson,
)
-from synapse.federation.federation_server import server_matches_acl_event
from synapse.http.servlet import validate_json_object
from synapse.rest.models import RequestBodyModel
+from synapse.storage.controllers.state import server_acl_evaluator_from_event
from synapse.types import EventID, JsonDict, RoomID, StrCollection, UserID
@@ -106,7 +106,10 @@ class EventValidator:
self._validate_retention(event)
elif event.type == EventTypes.ServerACL:
- if not server_matches_acl_event(config.server.server_name, event):
+ server_acl_evaluator = server_acl_evaluator_from_event(event)
+ if not server_acl_evaluator.server_matches_acl_event(
+ config.server.server_name
+ ):
raise SynapseError(
400, "Can't create an ACL event that denies the local server"
)
diff --git a/synapse/federation/federation_server.py b/synapse/federation/federation_server.py
index f9915e5a3f..ec8e770430 100644
--- a/synapse/federation/federation_server.py
+++ b/synapse/federation/federation_server.py
@@ -29,10 +29,8 @@ from typing import (
Union,
)
-from matrix_common.regex import glob_to_regex
from prometheus_client import Counter, Gauge, Histogram
-from twisted.internet.abstract import isIPAddress
from twisted.python import failure
from synapse.api.constants import (
@@ -1324,75 +1322,13 @@ class FederationServer(FederationBase):
Raises:
AuthError if the server does not match the ACL
"""
- acl_event = await self._storage_controllers.state.get_current_state_event(
- room_id, EventTypes.ServerACL, ""
+ server_acl_evaluator = (
+ await self._storage_controllers.state.get_server_acl_for_room(room_id)
)
- if not acl_event or server_matches_acl_event(server_name, acl_event):
- return
-
- raise AuthError(code=403, msg="Server is banned from room")
-
-
-def server_matches_acl_event(server_name: str, acl_event: EventBase) -> bool:
- """Check if the given server is allowed by the ACL event
-
- Args:
- server_name: name of server, without any port part
- acl_event: m.room.server_acl event
-
- Returns:
- True if this server is allowed by the ACLs
- """
- logger.debug("Checking %s against acl %s", server_name, acl_event.content)
-
- # first of all, check if literal IPs are blocked, and if so, whether the
- # server name is a literal IP
- allow_ip_literals = acl_event.content.get("allow_ip_literals", True)
- if not isinstance(allow_ip_literals, bool):
- logger.warning("Ignoring non-bool allow_ip_literals flag")
- allow_ip_literals = True
- if not allow_ip_literals:
- # check for ipv6 literals. These start with '['.
- if server_name[0] == "[":
- return False
-
- # check for ipv4 literals. We can just lift the routine from twisted.
- if isIPAddress(server_name):
- return False
-
- # next, check the deny list
- deny = acl_event.content.get("deny", [])
- if not isinstance(deny, (list, tuple)):
- logger.warning("Ignoring non-list deny ACL %s", deny)
- deny = []
- for e in deny:
- if _acl_entry_matches(server_name, e):
- # logger.info("%s matched deny rule %s", server_name, e)
- return False
-
- # then the allow list.
- allow = acl_event.content.get("allow", [])
- if not isinstance(allow, (list, tuple)):
- logger.warning("Ignoring non-list allow ACL %s", allow)
- allow = []
- for e in allow:
- if _acl_entry_matches(server_name, e):
- # logger.info("%s matched allow rule %s", server_name, e)
- return True
-
- # everything else should be rejected.
- # logger.info("%s fell through", server_name)
- return False
-
-
-def _acl_entry_matches(server_name: str, acl_entry: Any) -> bool:
- if not isinstance(acl_entry, str):
- logger.warning(
- "Ignoring non-str ACL entry '%s' (is %s)", acl_entry, type(acl_entry)
- )
- return False
- regex = glob_to_regex(acl_entry)
- return bool(regex.match(server_name))
+ if server_acl_evaluator and not server_acl_evaluator.server_matches_acl_event(
+ server_name
+ ):
+ raise AuthError(code=403, msg="Server is banned from room")
class FederationHandlerRegistry:
diff --git a/synapse/handlers/federation_event.py b/synapse/handlers/federation_event.py
index 7c62cdfaef..0cc8e990d9 100644
--- a/synapse/handlers/federation_event.py
+++ b/synapse/handlers/federation_event.py
@@ -2342,6 +2342,12 @@ class FederationEventHandler:
# TODO retrieve the previous state, and exclude join -> join transitions
self._notifier.notify_user_joined_room(event.event_id, event.room_id)
+ # If this is a server ACL event, clear the cache in the storage controller.
+ if event.type == EventTypes.ServerACL:
+ self._state_storage_controller.get_server_acl_for_room.invalidate(
+ (event.room_id,)
+ )
+
def _sanity_check_event(self, ev: EventBase) -> None:
"""
Do some early sanity checks of a received event
diff --git a/synapse/handlers/message.py b/synapse/handlers/message.py
index c036578a3d..44dbbf81dd 100644
--- a/synapse/handlers/message.py
+++ b/synapse/handlers/message.py
@@ -1730,6 +1730,11 @@ class EventCreationHandler:
event.event_id, event.room_id
)
+ if event.type == EventTypes.ServerACL:
+ self._storage_controllers.state.get_server_acl_for_room.invalidate(
+ (event.room_id,)
+ )
+
await self._maybe_kick_guest_users(event, context)
if event.type == EventTypes.CanonicalAlias:
diff --git a/synapse/replication/tcp/client.py b/synapse/replication/tcp/client.py
index ca8a76f77c..1c7946522a 100644
--- a/synapse/replication/tcp/client.py
+++ b/synapse/replication/tcp/client.py
@@ -205,6 +205,12 @@ class ReplicationDataHandler:
self.notifier.notify_user_joined_room(
row.data.event_id, row.data.room_id
)
+
+ # If this is a server ACL event, clear the cache in the storage controller.
+ if row.data.type == EventTypes.ServerACL:
+ self._state_storage_controller.get_server_acl_for_room.invalidate(
+ (row.data.room_id,)
+ )
elif stream_name == UnPartialStatedRoomStream.NAME:
for row in rows:
assert isinstance(row, UnPartialStatedRoomStreamRow)
diff --git a/synapse/storage/controllers/state.py b/synapse/storage/controllers/state.py
index 10d219c045..46957723a1 100644
--- a/synapse/storage/controllers/state.py
+++ b/synapse/storage/controllers/state.py
@@ -37,6 +37,7 @@ from synapse.storage.util.partial_state_events_tracker import (
PartialCurrentStateTracker,
PartialStateEventsTracker,
)
+from synapse.synapse_rust.acl import ServerAclEvaluator
from synapse.types import MutableStateMap, StateMap, get_domain_from_id
from synapse.types.state import StateFilter
from synapse.util.async_helpers import Linearizer
@@ -501,6 +502,31 @@ class StateStorageController:
return event.content.get("alias")
+ @cached()
+ async def get_server_acl_for_room(
+ self, room_id: str
+ ) -> Optional[ServerAclEvaluator]:
+ """Get the server ACL evaluator for room, if any
+
+ This does up-front parsing of the content to ignore bad data and pre-compile
+ regular expressions.
+
+ Args:
+ room_id: The room ID
+
+ Returns:
+ The server ACL evaluator, if any
+ """
+
+ acl_event = await self.get_current_state_event(
+ room_id, EventTypes.ServerACL, ""
+ )
+
+ if not acl_event:
+ return None
+
+ return server_acl_evaluator_from_event(acl_event)
+
@trace
@tag_args
async def get_current_state_deltas(
@@ -760,3 +786,36 @@ class StateStorageController:
cache.state_group = object()
return frozenset(cache.hosts_to_joined_users)
+
+
+def server_acl_evaluator_from_event(acl_event: EventBase) -> "ServerAclEvaluator":
+ """
+ Create a ServerAclEvaluator from a m.room.server_acl event's content.
+
+ This does up-front parsing of the content to ignore bad data. It then creates
+ the ServerAclEvaluator which will pre-compile regular expressions from the globs.
+ """
+
+ # first of all, parse if literal IPs are blocked.
+ allow_ip_literals = acl_event.content.get("allow_ip_literals", True)
+ if not isinstance(allow_ip_literals, bool):
+ logger.warning("Ignoring non-bool allow_ip_literals flag")
+ allow_ip_literals = True
+
+ # next, parse the deny list by ignoring any non-strings.
+ deny = acl_event.content.get("deny", [])
+ if not isinstance(deny, (list, tuple)):
+ logger.warning("Ignoring non-list deny ACL %s", deny)
+ deny = []
+ else:
+ deny = [s for s in deny if isinstance(s, str)]
+
+ # then the allow list.
+ allow = acl_event.content.get("allow", [])
+ if not isinstance(allow, (list, tuple)):
+ logger.warning("Ignoring non-list allow ACL %s", allow)
+ allow = []
+ else:
+ allow = [s for s in allow if isinstance(s, str)]
+
+ return ServerAclEvaluator(allow_ip_literals, allow, deny)
|
