diff options
| -rw-r--r-- | docs/modules/spam_checker_callbacks.md | 11 | ||||
| -rw-r--r-- | synapse/events/spamcheck.py | 207 | ||||
| -rw-r--r-- | synapse/federation/federation_base.py | 5 | ||||
| -rw-r--r-- | synapse/handlers/directory.py | 17 | ||||
| -rw-r--r-- | synapse/handlers/federation.py | 10 | ||||
| -rw-r--r-- | synapse/handlers/message.py | 11 | ||||
| -rw-r--r-- | synapse/handlers/room.py | 6 | ||||
| -rw-r--r-- | synapse/handlers/room_member.py | 35 | ||||
| -rw-r--r-- | synapse/handlers/user_directory.py | 3 | ||||
| -rw-r--r-- | synapse/rest/media/v1/media_storage.py | 9 | ||||
| -rw-r--r-- | synapse/spam_checker_api/__init__.py | 20 |
11 files changed, 224 insertions, 110 deletions
diff --git a/docs/modules/spam_checker_callbacks.md b/docs/modules/spam_checker_callbacks.md index 472d957180..d0db863ff8 100644 --- a/docs/modules/spam_checker_callbacks.md +++ b/docs/modules/spam_checker_callbacks.md @@ -18,6 +18,17 @@ async def check_event_for_spam(event: "synapse.events.EventBase") -> Union[bool, Called when receiving an event from a client or via federation. The callback must return either: + - on `Decision.ALLOW`, the action is permitted. + - on `Decision.DENY`, the action is rejected with a default error message/code. + - on `Codes`, the action is rejected with a specific error message/code. In case + of doubt, use `Codes.FORBIDDEN`. + - (deprecated) on `False`, behave as `Decision.ALLOW`. Deprecated as methods in + this API are inconsistent, some expect `True` for `ALLOW` and others `True` + for `DENY`. + - (deprecated) on `True`, behave as `Decision.DENY`. Deprecated as methods in + this API are inconsistent, some expect `True` for `ALLOW` and others `True` + for `DENY`. + - an error message string, to indicate the event must be rejected because of spam and give a rejection reason to forward to clients; - the boolean `True`, to indicate that the event is spammy, but not provide further details; or diff --git a/synapse/events/spamcheck.py b/synapse/events/spamcheck.py index 3b6795d40f..b15dbe1489 100644 --- a/synapse/events/spamcheck.py +++ b/synapse/events/spamcheck.py @@ -27,9 +27,10 @@ from typing import ( Union, ) +from synapse.api.errors import Codes from synapse.rest.media.v1._base import FileInfo from synapse.rest.media.v1.media_storage import ReadableFileWrapper -from synapse.spam_checker_api import RegistrationBehaviour +from synapse.spam_checker_api import ALLOW, Decision, RegistrationBehaviour from synapse.types import RoomAlias, UserProfile from synapse.util.async_helpers import delay_cancellation, maybe_awaitable @@ -39,17 +40,34 @@ if TYPE_CHECKING: logger = logging.getLogger(__name__) + +DEPRECATED_BOOL = bool + CHECK_EVENT_FOR_SPAM_CALLBACK = Callable[ ["synapse.events.EventBase"], - Awaitable[Union[bool, str]], + Awaitable[Union[ALLOW, Codes, str, DEPRECATED_BOOL]], +] +USER_MAY_JOIN_ROOM_CALLBACK = Callable[ + [str, str, bool], Awaitable[Union[ALLOW, Codes, DEPRECATED_BOOL]] +] +USER_MAY_INVITE_CALLBACK = Callable[ + [str, str, str], Awaitable[Union[ALLOW, Codes, DEPRECATED_BOOL]] +] +USER_MAY_SEND_3PID_INVITE_CALLBACK = Callable[ + [str, str, str, str], Awaitable[Union[ALLOW, Codes, DEPRECATED_BOOL]] +] +USER_MAY_CREATE_ROOM_CALLBACK = Callable[ + [str], Awaitable[Union[ALLOW, Codes, DEPRECATED_BOOL]] +] +USER_MAY_CREATE_ROOM_ALIAS_CALLBACK = Callable[ + [str, RoomAlias], Awaitable[Union[ALLOW, Codes, DEPRECATED_BOOL]] +] +USER_MAY_PUBLISH_ROOM_CALLBACK = Callable[ + [str, str], Awaitable[Union[ALLOW, Codes, DEPRECATED_BOOL]] +] +CHECK_USERNAME_FOR_SPAM_CALLBACK = Callable[ + [UserProfile], Awaitable[Union[ALLOW, Codes, DEPRECATED_BOOL]] ] -USER_MAY_JOIN_ROOM_CALLBACK = Callable[[str, str, bool], Awaitable[bool]] -USER_MAY_INVITE_CALLBACK = Callable[[str, str, str], Awaitable[bool]] -USER_MAY_SEND_3PID_INVITE_CALLBACK = Callable[[str, str, str, str], Awaitable[bool]] -USER_MAY_CREATE_ROOM_CALLBACK = Callable[[str], Awaitable[bool]] -USER_MAY_CREATE_ROOM_ALIAS_CALLBACK = Callable[[str, RoomAlias], Awaitable[bool]] -USER_MAY_PUBLISH_ROOM_CALLBACK = Callable[[str, str], Awaitable[bool]] -CHECK_USERNAME_FOR_SPAM_CALLBACK = Callable[[UserProfile], Awaitable[bool]] LEGACY_CHECK_REGISTRATION_FOR_SPAM_CALLBACK = Callable[ [ Optional[dict], @@ -65,11 +83,11 @@ CHECK_REGISTRATION_FOR_SPAM_CALLBACK = Callable[ Collection[Tuple[str, str]], Optional[str], ], - Awaitable[RegistrationBehaviour], + Awaitable[Union[RegistrationBehaviour, Codes]], ] CHECK_MEDIA_FILE_FOR_SPAM_CALLBACK = Callable[ [ReadableFileWrapper, FileInfo], - Awaitable[bool], + Awaitable[Union[ALLOW, Codes, DEPRECATED_BOOL]], ] @@ -240,7 +258,7 @@ class SpamChecker: async def check_event_for_spam( self, event: "synapse.events.EventBase" - ) -> Union[bool, str]: + ) -> Union[ALLOW, Codes, str]: """Checks if a given event is considered "spammy" by this server. If the server considers an event spammy, then it will be rejected if @@ -251,19 +269,29 @@ class SpamChecker: event: the event to be checked Returns: - True or a string if the event is spammy. If a string is returned it - will be used as the error message returned to the user. + - on `ALLOW`, the event is considered good (non-spammy) and should + be let through. Other spamcheck filters may still reject it. + - on `Codes`, the event is considered spammy and is rejected with a specific + error message/code. + - on `str`, the event is considered spammy and the string is used as error + message. """ for callback in self._check_event_for_spam_callbacks: - res: Union[bool, str] = await delay_cancellation(callback(event)) - if res: + res: Union[ALLOW, Codes, str, DEPRECATED_BOOL] = await delay_cancellation( + callback(event) + ) + if res is False or res is ALLOW: + continue + elif res is True: + return Codes.FORBIDDEN + else: return res - return False + return ALLOW async def user_may_join_room( self, user_id: str, room_id: str, is_invited: bool - ) -> bool: + ) -> Decision: """Checks if a given users is allowed to join a room. Not called when a user creates a room. @@ -273,48 +301,54 @@ class SpamChecker: is_invited: Whether the user is invited into the room Returns: - Whether the user may join the room + - on `ALLOW`, the action is permitted. + - on `Codes`, the action is rejected with a specific error message/code. """ for callback in self._user_may_join_room_callbacks: may_join_room = await delay_cancellation( callback(user_id, room_id, is_invited) ) - if may_join_room is False: - return False + if may_join_room is True or may_join_room is ALLOW: + continue + elif may_join_room is False: + return Codes.FORBIDDEN + else: + return may_join_room - return True + return ALLOW async def user_may_invite( self, inviter_userid: str, invitee_userid: str, room_id: str - ) -> bool: + ) -> Decision: """Checks if a given user may send an invite - If this method returns false, the invite will be rejected. - Args: inviter_userid: The user ID of the sender of the invitation invitee_userid: The user ID targeted in the invitation room_id: The room ID Returns: - True if the user may send an invite, otherwise False + - on `ALLOW`, the action is permitted. + - on `Codes`, the action is rejected with a specific error message/code. """ for callback in self._user_may_invite_callbacks: may_invite = await delay_cancellation( callback(inviter_userid, invitee_userid, room_id) ) - if may_invite is False: - return False + if may_invite is True or may_invite is ALLOW: + continue + elif may_invite is False: + return Codes.FORBIDDEN + else: + return may_invite - return True + return ALLOW async def user_may_send_3pid_invite( self, inviter_userid: str, medium: str, address: str, room_id: str - ) -> bool: + ) -> Decision: """Checks if a given user may invite a given threepid into the room - If this method returns false, the threepid invite will be rejected. - Note that if the threepid is already associated with a Matrix user ID, Synapse will call user_may_invite with said user ID instead. @@ -325,78 +359,94 @@ class SpamChecker: room_id: The room ID Returns: - True if the user may send the invite, otherwise False + - on `ALLOW`, the action is permitted. + - on `Codes`, the action is rejected with a specific error message/code. """ for callback in self._user_may_send_3pid_invite_callbacks: may_send_3pid_invite = await delay_cancellation( callback(inviter_userid, medium, address, room_id) ) - if may_send_3pid_invite is False: - return False + if may_send_3pid_invite is True or may_send_3pid_invite is ALLOW: + continue + elif may_send_3pid_invite is False: + return Codes.FORBIDDEN + else: + return may_send_3pid_invite - return True + return ALLOW - async def user_may_create_room(self, userid: str) -> bool: + async def user_may_create_room(self, userid: str) -> Decision: """Checks if a given user may create a room - If this method returns false, the creation request will be rejected. - Args: userid: The ID of the user attempting to create a room Returns: - True if the user may create a room, otherwise False + - on `ALLOW`, the action is permitted. + - on `Codes`, the action is rejected with a specific error message/code. """ for callback in self._user_may_create_room_callbacks: may_create_room = await delay_cancellation(callback(userid)) - if may_create_room is False: - return False + if may_create_room is True or may_create_room is ALLOW: + continue + elif may_create_room is False: + return Codes.FORBIDDEN + else: + return may_create_room - return True + return ALLOW async def user_may_create_room_alias( self, userid: str, room_alias: RoomAlias - ) -> bool: + ) -> Decision: """Checks if a given user may create a room alias - If this method returns false, the association request will be rejected. - Args: userid: The ID of the user attempting to create a room alias room_alias: The alias to be created Returns: - True if the user may create a room alias, otherwise False + - on `ALLOW`, the action is permitted. + - on `Codes`, the action is rejected with a specific error message/code. """ for callback in self._user_may_create_room_alias_callbacks: may_create_room_alias = await delay_cancellation( callback(userid, room_alias) ) - if may_create_room_alias is False: - return False - - return True - - async def user_may_publish_room(self, userid: str, room_id: str) -> bool: + if may_create_room_alias is True or may_create_room_alias is ALLOW: + continue + elif may_create_room_alias is False: + return Codes.FORBIDDEN + else: + return may_create_room_alias + + return ALLOW + + async def user_may_publish_room( + self, userid: str, room_id: str + ) -> Union[ALLOW, Codes, DEPRECATED_BOOL]: """Checks if a given user may publish a room to the directory - If this method returns false, the publish request will be rejected. - Args: userid: The user ID attempting to publish the room room_id: The ID of the room that would be published Returns: - True if the user may publish the room, otherwise False + - on `ALLOW`, the action is permitted. + - on `Codes`, the action is rejected with a specific error message/code. """ for callback in self._user_may_publish_room_callbacks: may_publish_room = await delay_cancellation(callback(userid, room_id)) - if may_publish_room is False: - return False + if may_publish_room is True or may_publish_room is ALLOW: + continue + elif may_publish_room is False: + return Codes.FORBIDDEN + else: + return may_publish_room - return True + return ALLOW - async def check_username_for_spam(self, user_profile: UserProfile) -> bool: + async def check_username_for_spam(self, user_profile: UserProfile) -> Decision: """Checks if a user ID or display name are considered "spammy" by this server. If the server considers a username spammy, then it will not be included in @@ -409,15 +459,21 @@ class SpamChecker: * avatar_url Returns: - True if the user is spammy. + - on `ALLOW`, the action is permitted. + - on `Codes`, the action is rejected with a specific error message/code. """ for callback in self._check_username_for_spam_callbacks: # Make a copy of the user profile object to ensure the spam checker cannot # modify it. - if await delay_cancellation(callback(user_profile.copy())): - return True + is_spam = await delay_cancellation(callback(user_profile.copy())) + if is_spam is False or is_spam is ALLOW: + continue + elif is_spam is True: + return Codes.FORBIDDEN + else: + return is_spam - return False + return ALLOW async def check_registration_for_spam( self, @@ -445,6 +501,8 @@ class SpamChecker: behaviour = await delay_cancellation( callback(email_threepid, username, request_info, auth_provider_id) ) + if isinstance(behaviour, Codes): + return behaviour assert isinstance(behaviour, RegistrationBehaviour) if behaviour != RegistrationBehaviour.ALLOW: return behaviour @@ -453,7 +511,7 @@ class SpamChecker: async def check_media_file_for_spam( self, file_wrapper: ReadableFileWrapper, file_info: FileInfo - ) -> bool: + ) -> Decision: """Checks if a piece of newly uploaded media should be blocked. This will be called for local uploads, downloads of remote media, each @@ -475,19 +533,22 @@ class SpamChecker: return False - Args: file: An object that allows reading the contents of the media. file_info: Metadata about the file. Returns: - True if the media should be blocked or False if it should be - allowed. + - on `ALLOW`, the action is permitted. + - on `Codes`, the action is rejected with a specific error message/code. """ for callback in self._check_media_file_for_spam_callbacks: - spam = await delay_cancellation(callback(file_wrapper, file_info)) - if spam: - return True - - return False + is_spam = await delay_cancellation(callback(file_wrapper, file_info)) + if is_spam is False or is_spam is ALLOW: + continue + elif is_spam is True: + return Codes.FORBIDDEN + else: + return is_spam + + return ALLOW diff --git a/synapse/federation/federation_base.py b/synapse/federation/federation_base.py index 41ac49fdc8..45c2777117 100644 --- a/synapse/federation/federation_base.py +++ b/synapse/federation/federation_base.py @@ -15,6 +15,7 @@ import logging from typing import TYPE_CHECKING +import synapse from synapse.api.constants import MAX_DEPTH, EventContentFields, EventTypes, Membership from synapse.api.errors import Codes, SynapseError from synapse.api.room_versions import EventFormatVersions, RoomVersion @@ -98,9 +99,9 @@ class FederationBase: ) return redacted_event - result = await self.spam_checker.check_event_for_spam(pdu) + spam_check = await self.spam_checker.check_event_for_spam(pdu) - if result: + if spam_check is not synapse.spam_checker_api.ALLOW: logger.warning("Event contains spam, soft-failing %s", pdu.event_id) # we redact (to save disk space) as well as soft-failing (to stop # using the event in prev_events). diff --git a/synapse/handlers/directory.py b/synapse/handlers/directory.py index 33d827a45b..fbbb667cd4 100644 --- a/synapse/handlers/directory.py +++ b/synapse/handlers/directory.py @@ -16,6 +16,7 @@ import logging import string from typing import TYPE_CHECKING, Iterable, List, Optional +import synapse from synapse.api.constants import MAX_ALIAS_LENGTH, EventTypes from synapse.api.errors import ( AuthError, @@ -137,10 +138,13 @@ class DirectoryHandler: 403, "You must be in the room to create an alias for it" ) - if not await self.spam_checker.user_may_create_room_alias( + spam_check = await self.spam_checker.user_may_create_room_alias( user_id, room_alias - ): - raise AuthError(403, "This user is not permitted to create this alias") + ) + if spam_check is not synapse.spam_checker_api.ALLOW: + raise AuthError( + 403, "This alias creation request has been rejected", spam_check + ) if not self.config.roomdirectory.is_alias_creation_allowed( user_id, room_id, room_alias_str @@ -426,9 +430,12 @@ class DirectoryHandler: """ user_id = requester.user.to_string() - if not await self.spam_checker.user_may_publish_room(user_id, room_id): + spam_check = await self.spam_checker.user_may_publish_room(user_id, room_id) + if spam_check is not synapse.spam_checker_api.ALLOW: raise AuthError( - 403, "This user is not permitted to publish rooms to the room list" + 403, + "This request to publish a room to the room list has been rejected", + spam_check, ) if requester.is_guest: diff --git a/synapse/handlers/federation.py b/synapse/handlers/federation.py index be5099b507..aa3be099a5 100644 --- a/synapse/handlers/federation.py +++ b/synapse/handlers/federation.py @@ -27,6 +27,7 @@ from signedjson.key import decode_verify_key_bytes from signedjson.sign import verify_signed_json from unpaddedbase64 import decode_base64 +import synapse from synapse import event_auth from synapse.api.constants import EventContentFields, EventTypes, Membership from synapse.api.errors import ( @@ -799,11 +800,14 @@ class FederationHandler: if self.hs.config.server.block_non_admin_invites: raise SynapseError(403, "This server does not accept room invites") - if not await self.spam_checker.user_may_invite( + spam_check = await self.spam_checker.user_may_invite( event.sender, event.state_key, event.room_id - ): + ) + if spam_check is not synapse.spam_checker_api.ALLOW: raise SynapseError( - 403, "This user is not permitted to send invites to this server/user" + 403, + "This user is not permitted to send invites to this server/user", + spam_check, ) membership = event.content.get("membership") diff --git a/synapse/handlers/message.py b/synapse/handlers/message.py index e47799e7f9..9f51212e4e 100644 --- a/synapse/handlers/message.py +++ b/synapse/handlers/message.py @@ -23,6 +23,7 @@ from canonicaljson import encode_canonical_json from twisted.internet.interfaces import IDelayedCall +import synapse from synapse import event_auth from synapse.api.constants import ( EventContentFields, @@ -881,11 +882,11 @@ class EventCreationHandler: event.sender, ) - spam_error = await self.spam_checker.check_event_for_spam(event) - if spam_error: - if not isinstance(spam_error, str): - spam_error = "Spam is not permitted here" - raise SynapseError(403, spam_error, Codes.FORBIDDEN) + spam_check = await self.spam_checker.check_event_for_spam(event) + if spam_check is not synapse.spam_checker_api.ALLOW: + raise SynapseError( + 403, "This message had been rejected as probable spam", spam_check + ) ev = await self.handle_new_client_event( requester=requester, diff --git a/synapse/handlers/room.py b/synapse/handlers/room.py index 604eb6ec15..53a2a5df46 100644 --- a/synapse/handlers/room.py +++ b/synapse/handlers/room.py @@ -33,6 +33,7 @@ from typing import ( import attr from typing_extensions import TypedDict +import synapse from synapse.api.constants import ( EventContentFields, EventTypes, @@ -407,9 +408,10 @@ class RoomCreationHandler: """ user_id = requester.user.to_string() - if not await self.spam_checker.user_may_create_room(user_id): + spam_check = await self.spam_checker.user_may_create_room(user_id) + if spam_check is not synapse.spam_checker_api.ALLOW: raise SynapseError( - 403, "You are not permitted to create rooms", Codes.FORBIDDEN + 403, "This room creation request has been rejected", spam_check ) creation_content: JsonDict = { diff --git a/synapse/handlers/room_member.py b/synapse/handlers/room_member.py index 802e57c4d0..d3ef6a05ca 100644 --- a/synapse/handlers/room_member.py +++ b/synapse/handlers/room_member.py @@ -18,6 +18,7 @@ import random from http import HTTPStatus from typing import TYPE_CHECKING, Iterable, List, Optional, Set, Tuple +import synapse from synapse import types from synapse.api.constants import ( AccountDataTypes, @@ -679,8 +680,6 @@ class RoomMemberHandler(metaclass=abc.ABCMeta): if target_id == self._server_notices_mxid: raise SynapseError(HTTPStatus.FORBIDDEN, "Cannot invite this user") - block_invite = False - if ( self._server_notices_mxid is not None and requester.user.to_string() == self._server_notices_mxid @@ -697,16 +696,18 @@ class RoomMemberHandler(metaclass=abc.ABCMeta): "Blocking invite: user is not admin and non-admin " "invites disabled" ) - block_invite = True + raise SynapseError(403, "Invites have been disabled on this server") - if not await self.spam_checker.user_may_invite( + spam_check = await self.spam_checker.user_may_invite( requester.user.to_string(), target_id, room_id - ): + ) + if spam_check is not synapse.spam_checker_api.ALLOW: logger.info("Blocking invite due to spam checker") - block_invite = True - - if block_invite: - raise SynapseError(403, "Invites have been disabled on this server") + raise SynapseError( + 403, + "This invite has been rejected as probable spam", + spam_check, + ) # An empty prev_events list is allowed as long as the auth_event_ids are present if prev_event_ids is not None: @@ -814,11 +815,14 @@ class RoomMemberHandler(metaclass=abc.ABCMeta): # We assume that if the spam checker allowed the user to create # a room then they're allowed to join it. and not new_room - and not await self.spam_checker.user_may_join_room( + ): + spam_check = await self.spam_checker.user_may_join_room( target.to_string(), room_id, is_invited=inviter is not None ) - ): - raise SynapseError(403, "Not allowed to join this room") + if spam_check is not synapse.spam_checker_api.ALLOW: + raise SynapseError( + 403, "This request to join room has been rejected", spam_check + ) # Check if a remote join should be performed. remote_join, remote_room_hosts = await self._should_perform_remote_join( @@ -1372,13 +1376,14 @@ class RoomMemberHandler(metaclass=abc.ABCMeta): ) else: # Check if the spamchecker(s) allow this invite to go through. - if not await self.spam_checker.user_may_send_3pid_invite( + spam_check = await self.spam_checker.user_may_send_3pid_invite( inviter_userid=requester.user.to_string(), medium=medium, address=address, room_id=room_id, - ): - raise SynapseError(403, "Cannot send threepid invite") + ) + if spam_check is not synapse.spam_checker_api.ALLOW: + raise SynapseError(403, "Cannot send threepid invite", spam_check) stream_id = await self._make_and_store_3pid_invite( requester, diff --git a/synapse/handlers/user_directory.py b/synapse/handlers/user_directory.py index 74f7fdfe6c..b7ece32958 100644 --- a/synapse/handlers/user_directory.py +++ b/synapse/handlers/user_directory.py @@ -100,7 +100,8 @@ class UserDirectoryHandler(StateDeltasHandler): # Remove any spammy users from the results. non_spammy_users = [] for user in results["results"]: - if not await self.spam_checker.check_username_for_spam(user): + spam_check = await self.spam_checker.check_username_for_spam(user) + if spam_check is synapse.spam_checker_api.ALLOW: non_spammy_users.append(user) results["results"] = non_spammy_users diff --git a/synapse/rest/media/v1/media_storage.py b/synapse/rest/media/v1/media_storage.py index 604f18bf52..c85a8a636b 100644 --- a/synapse/rest/media/v1/media_storage.py +++ b/synapse/rest/media/v1/media_storage.py @@ -36,6 +36,7 @@ from twisted.internet.defer import Deferred from twisted.internet.interfaces import IConsumer from twisted.protocols.basic import FileSender +import synapse from synapse.api.errors import NotFoundError from synapse.logging.context import defer_to_thread, make_deferred_yieldable from synapse.util import Clock @@ -145,15 +146,17 @@ class MediaStorage: f.flush() f.close() - spam = await self.spam_checker.check_media_file_for_spam( + spam_check = await self.spam_checker.check_media_file_for_spam( ReadableFileWrapper(self.clock, fname), file_info ) - if spam: + if spam_check is not synapse.spam_checker_api.ALLOW: logger.info("Blocking media due to spam checker") # Note that we'll delete the stored media, due to the # try/except below. The media also won't be stored in # the DB. - raise SpamMediaException() + raise SpamMediaException( + "File rejected as probable spam", spam_check + ) for provider in self.storage_providers: await provider.store_file(path, file_info) diff --git a/synapse/spam_checker_api/__init__.py b/synapse/spam_checker_api/__init__.py index 73018f2d00..074f4356f7 100644 --- a/synapse/spam_checker_api/__init__.py +++ b/synapse/spam_checker_api/__init__.py @@ -12,13 +12,31 @@ # See the License for the specific language governing permissions and # limitations under the License. from enum import Enum +from typing import NewType, Union + +from synapse.api.errors import Codes class RegistrationBehaviour(Enum): """ - Enum to define whether a registration request should allowed, denied, or shadow-banned. + Enum to define whether a registration request should be allowed, denied, or shadow-banned. """ ALLOW = "allow" SHADOW_BAN = "shadow_ban" DENY = "deny" + + +Allow = NewType("Allow", str) + +ALLOW = Allow("Allow") +""" +Return this constant to allow a message to pass. +""" + +Decision = Union[ALLOW, Codes] +""" +Union to define whether a request should be allowed or rejected. + +To reject a request without any specific information, use `Codes.FORBIDDEN`. +""" |