From eaf4d11af9da7d6d9ce71cb83f70424bb38e0703 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Thu, 14 Feb 2019 16:02:23 +0000 Subject: Add configurable room list publishing rules This allows specifying who and what is allowed to be published onto the public room list --- synapse/config/room_directory.py | 94 ++++++++++++++++++++++++++++++++-------- 1 file changed, 77 insertions(+), 17 deletions(-) (limited to 'synapse/config') diff --git a/synapse/config/room_directory.py b/synapse/config/room_directory.py index 9da13ab11b..a0869ed6ab 100644 --- a/synapse/config/room_directory.py +++ b/synapse/config/room_directory.py @@ -23,70 +23,121 @@ class RoomDirectoryConfig(Config): alias_creation_rules = config["alias_creation_rules"] self._alias_creation_rules = [ - _AliasRule(rule) + _RoomDirectoryRule("alias_creation_rules", rule) for rule in alias_creation_rules ] + room_list_publication_rules = config["room_list_publication_rules"] + + self._room_list_publication_rules = [ + _RoomDirectoryRule("room_list_publication_rules", rule) + for rule in room_list_publication_rules + ] + def default_config(self, config_dir_path, server_name, **kwargs): return """ # The `alias_creation` option controls who's allowed to create aliases # on this server. # # The format of this option is a list of rules that contain globs that - # match against user_id and the new alias (fully qualified with server - # name). The action in the first rule that matches is taken, which can - # currently either be "allow" or "deny". + # match against user_id, room_id and the new alias (fully qualified with + # server name). The action in the first rule that matches is taken, + # which can currently either be "allow" or "deny". + # + # Missing user_id/room_id/alias fields default to "*". # # If no rules match the request is denied. alias_creation_rules: - user_id: "*" - alias: "*" + alias: "*" # This matches alias being created + room_id: "*" + action: allow + + # The `room_list_publication_rules` option control who and what can be + # published in the public room list. + # + # The format of this option is the same as that for + # `alias_creation_rules` + room_list_publication_rules: + - user_id: "*" + alias: "*" # This matches any local or canonical alias + # associated with the room + room_id: "*" action: allow """ - def is_alias_creation_allowed(self, user_id, alias): + def is_alias_creation_allowed(self, user_id, room_id, alias): """Checks if the given user is allowed to create the given alias Args: user_id (str) + room_id (str) alias (str) Returns: boolean: True if user is allowed to crate the alias """ for rule in self._alias_creation_rules: - if rule.matches(user_id, alias): + if rule.matches(user_id, room_id, [alias]): + return rule.action == "allow" + + return False + + def is_publishing_room_allowed(self, user_id, room_id, aliases): + """Checks if the given user is allowed to publish the room + + Args: + user_id (str) + room_id (str) + aliases (list[str]): any local aliases associated with the room + + Returns: + boolean: True if user can publish room + """ + for rule in self._room_list_publication_rules: + if rule.matches(user_id, room_id, aliases): return rule.action == "allow" return False -class _AliasRule(object): - def __init__(self, rule): +class _RoomDirectoryRule(object): + """Helper class to test whether a room directory action is allowed, like + creating an alias or publishing a room. + """ + + def __init__(self, option_name, rule): action = rule["action"] - user_id = rule["user_id"] - alias = rule["alias"] + user_id = rule.get("user_id", "*") + room_id = rule.get("room_id", "*") + alias = rule.get("alias", "*") if action in ("allow", "deny"): self.action = action else: raise ConfigError( - "alias_creation_rules rules can only have action of 'allow'" - " or 'deny'" + "%s rules can only have action of 'allow'" + " or 'deny'" % (option_name,) ) + self._alias_matches_all = alias == "*" + try: self._user_id_regex = glob_to_regex(user_id) self._alias_regex = glob_to_regex(alias) + self._room_id_regex = glob_to_regex(room_id) except Exception as e: raise ConfigError("Failed to parse glob into regex: %s", e) - def matches(self, user_id, alias): - """Tests if this rule matches the given user_id and alias. + def matches(self, user_id, room_id, aliases): + """Tests if this rule matches the given user_id, room_id and aliases. Args: user_id (str) - alias (str) + room_id (str) + aliases (list[str]): The associated aliases to the room. Will be a + single element for testing alias creation, and can be empty for + testing room publishing. Returns: boolean @@ -96,7 +147,16 @@ class _AliasRule(object): if not self._user_id_regex.match(user_id): return False - if not self._alias_regex.match(alias): + # If we are not given any aliases then this rule only matches if the + # alias glob matches all aliases + if not aliases and not self._alias_matches_all: + return False + + for alias in aliases: + if not self._alias_regex.match(alias): + return False + + if not self._room_id_regex.match(room_id): return False return True -- cgit 1.5.1 From f666fe36d7a17d12e962461aeba61f5b7ca43ccf Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Thu, 14 Feb 2019 18:07:24 +0000 Subject: Fixup comments --- synapse/config/room_directory.py | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) (limited to 'synapse/config') diff --git a/synapse/config/room_directory.py b/synapse/config/room_directory.py index a0869ed6ab..719892be7a 100644 --- a/synapse/config/room_directory.py +++ b/synapse/config/room_directory.py @@ -48,20 +48,21 @@ class RoomDirectoryConfig(Config): # # If no rules match the request is denied. alias_creation_rules: - - user_id: "*" - alias: "*" # This matches alias being created - room_id: "*" + - user_id: "*" # Matches agaisnt the creator of the alias + alias: "*" # Matches against the alias being created + room_id: "*" # Matches against the room ID the alias is being + # pointed at action: allow - # The `room_list_publication_rules` option control who and what can be - # published in the public room list. + # The `room_list_publication_rules` option controls who can publish and + # which rooms can be published in the public room list. # # The format of this option is the same as that for # `alias_creation_rules` room_list_publication_rules: - - user_id: "*" - alias: "*" # This matches any local or canonical alias - # associated with the room + - user_id: "*" # Matches against the user publishing the room + alias: "*" # Matches against any current local or canonical + # aliases associated with the room room_id: "*" action: allow """ @@ -107,6 +108,12 @@ class _RoomDirectoryRule(object): """ def __init__(self, option_name, rule): + """ + Args: + option_name (str): Name of the config option this rule belongs to + rule (dict): The rule as specified in the config + """ + action = rule["action"] user_id = rule.get("user_id", "*") room_id = rule.get("room_id", "*") -- cgit 1.5.1 From cb12a377082f2241ee8a8280810e9e38fb69778d Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Thu, 14 Feb 2019 18:16:32 +0000 Subject: Clarify and fix behaviour when there are multiple aliases --- synapse/config/room_directory.py | 24 ++++++++++++++++++------ tests/config/test_room_directory.py | 6 ++++++ 2 files changed, 24 insertions(+), 6 deletions(-) (limited to 'synapse/config') diff --git a/synapse/config/room_directory.py b/synapse/config/room_directory.py index 719892be7a..af84adf5fa 100644 --- a/synapse/config/room_directory.py +++ b/synapse/config/room_directory.py @@ -58,7 +58,11 @@ class RoomDirectoryConfig(Config): # which rooms can be published in the public room list. # # The format of this option is the same as that for - # `alias_creation_rules` + # `alias_creation_rules`. + # + # If the room has one or more aliases associated with it, the rules are + # run against each alias. If there are no aliases then only rules with + # `alias: *` match. room_list_publication_rules: - user_id: "*" # Matches against the user publishing the room alias: "*" # Matches against any current local or canonical @@ -156,11 +160,19 @@ class _RoomDirectoryRule(object): # If we are not given any aliases then this rule only matches if the # alias glob matches all aliases - if not aliases and not self._alias_matches_all: - return False - - for alias in aliases: - if not self._alias_regex.match(alias): + matched = False + if not aliases: + if not self._alias_matches_all: + return False + else: + # Otherwise, we just need one alias to match + matched = False + for alias in aliases: + if self._alias_regex.match(alias): + matched = True + break + + if not matched: return False if not self._room_id_regex.match(room_id): diff --git a/tests/config/test_room_directory.py b/tests/config/test_room_directory.py index 1d4ca0055c..3dc2631523 100644 --- a/tests/config/test_room_directory.py +++ b/tests/config/test_room_directory.py @@ -138,3 +138,9 @@ class RoomDirectoryConfigTestCase(unittest.TestCase): room_id="!test-deny", aliases=[], )) + + self.assertTrue(rd_config.is_publishing_room_allowed( + user_id="@test:example.com", + room_id="!test", + aliases=["#unofficial_st:example.com", "#blah:example.com"], + )) -- cgit 1.5.1 From 8e32f26cb8f8de8554b8b75870026fe80f45add3 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Thu, 14 Feb 2019 18:21:24 +0000 Subject: Clarify comments --- synapse/config/room_directory.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'synapse/config') diff --git a/synapse/config/room_directory.py b/synapse/config/room_directory.py index af84adf5fa..f86626c354 100644 --- a/synapse/config/room_directory.py +++ b/synapse/config/room_directory.py @@ -60,9 +60,9 @@ class RoomDirectoryConfig(Config): # The format of this option is the same as that for # `alias_creation_rules`. # - # If the room has one or more aliases associated with it, the rules are - # run against each alias. If there are no aliases then only rules with - # `alias: *` match. + # If the room has one or more aliases associated with it, only one of + # the aliases needs to match the alias rule. If there are no aliases + # then only rules with `alias: *` match. room_list_publication_rules: - user_id: "*" # Matches against the user publishing the room alias: "*" # Matches against any current local or canonical -- cgit 1.5.1 From 02c46acc6a63b9e56039b5d7e24cc97ed9a4636d Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 15 Feb 2019 10:17:13 +0000 Subject: Fixup comments --- synapse/config/room_directory.py | 35 +++++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 8 deletions(-) (limited to 'synapse/config') diff --git a/synapse/config/room_directory.py b/synapse/config/room_directory.py index f86626c354..6815d6e9b7 100644 --- a/synapse/config/room_directory.py +++ b/synapse/config/room_directory.py @@ -46,12 +46,20 @@ class RoomDirectoryConfig(Config): # # Missing user_id/room_id/alias fields default to "*". # - # If no rules match the request is denied. + # If no rules match the request is denied. An empty list means no one + # can create aliases. + # + # Options for the rules include: + # + # user_id: Matches against the creator of the alias + # alias: Matches against the alias being created + # room_id: Matches against the room ID the alias is being pointed at + # action: Whether to "allow" or "deny" the request if the rule matches + # alias_creation_rules: - - user_id: "*" # Matches agaisnt the creator of the alias - alias: "*" # Matches against the alias being created - room_id: "*" # Matches against the room ID the alias is being - # pointed at + - user_id: "*" + alias: "*" + room_id: "*" action: allow # The `room_list_publication_rules` option controls who can publish and @@ -63,10 +71,21 @@ class RoomDirectoryConfig(Config): # If the room has one or more aliases associated with it, only one of # the aliases needs to match the alias rule. If there are no aliases # then only rules with `alias: *` match. + # + # If no rules match the request is denied. An empty list means no one + # can publish rooms. + # + # Options for the rules include: + # + # user_id: Matches agaisnt the creator of the alias + # room_id: Matches against the room ID being published + # alias: Matches against any current local or canonical aliases + # associated with the room + # action: Whether to "allow" or "deny" the request if the rule matches + # room_list_publication_rules: - - user_id: "*" # Matches against the user publishing the room - alias: "*" # Matches against any current local or canonical - # aliases associated with the room + - user_id: "*" + alias: "*" room_id: "*" action: allow """ -- cgit 1.5.1 From 02c729d6b0f6b8f41455737cde0b8aeb39782a7e Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 15 Feb 2019 10:17:43 +0000 Subject: Hoist up checks to reduce overall work --- synapse/config/room_directory.py | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) (limited to 'synapse/config') diff --git a/synapse/config/room_directory.py b/synapse/config/room_directory.py index 6815d6e9b7..aa113f0edf 100644 --- a/synapse/config/room_directory.py +++ b/synapse/config/room_directory.py @@ -177,24 +177,22 @@ class _RoomDirectoryRule(object): if not self._user_id_regex.match(user_id): return False - # If we are not given any aliases then this rule only matches if the - # alias glob matches all aliases - matched = False - if not aliases: - if not self._alias_matches_all: - return False - else: - # Otherwise, we just need one alias to match - matched = False - for alias in aliases: - if self._alias_regex.match(alias): - matched = True - break + if not self._room_id_regex.match(room_id): + return False - if not matched: - return False + # We only have alias checks left, so we can short circuit if the alias + # rule matches everything. + if self._alias_matches_all: + return True - if not self._room_id_regex.match(room_id): + # If we are not given any aliases then this rule only matches if the + # alias glob matches all aliases, which we checked above. + if not aliases: return False - return True + # Otherwise, we just need one alias to match + for alias in aliases: + if self._alias_regex.match(alias): + return True + + return False -- cgit 1.5.1 From b99c532c1c5d79cdaea20e68bf65945f056a156d Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 15 Feb 2019 10:53:39 +0000 Subject: Move defaults up into code --- synapse/config/room_directory.py | 66 ++++++++++++++++++++++++++-------------- 1 file changed, 44 insertions(+), 22 deletions(-) (limited to 'synapse/config') diff --git a/synapse/config/room_directory.py b/synapse/config/room_directory.py index aa113f0edf..c8e0abbae7 100644 --- a/synapse/config/room_directory.py +++ b/synapse/config/room_directory.py @@ -20,19 +20,37 @@ from ._base import Config, ConfigError class RoomDirectoryConfig(Config): def read_config(self, config): - alias_creation_rules = config["alias_creation_rules"] + alias_creation_rules = config.get("alias_creation_rules") - self._alias_creation_rules = [ - _RoomDirectoryRule("alias_creation_rules", rule) - for rule in alias_creation_rules - ] - - room_list_publication_rules = config["room_list_publication_rules"] - - self._room_list_publication_rules = [ - _RoomDirectoryRule("room_list_publication_rules", rule) - for rule in room_list_publication_rules - ] + if alias_creation_rules is not None: + self._alias_creation_rules = [ + _RoomDirectoryRule("alias_creation_rules", rule) + for rule in alias_creation_rules + ] + else: + self._alias_creation_rules = [ + _RoomDirectoryRule( + "alias_creation_rules", { + "action": "allow", + } + ) + ] + + room_list_publication_rules = config.get("room_list_publication_rules") + + if room_list_publication_rules is not None: + self._room_list_publication_rules = [ + _RoomDirectoryRule("room_list_publication_rules", rule) + for rule in room_list_publication_rules + ] + else: + self._room_list_publication_rules = [ + _RoomDirectoryRule( + "room_list_publication_rules", { + "action": "allow", + } + ) + ] def default_config(self, config_dir_path, server_name, **kwargs): return """ @@ -56,11 +74,13 @@ class RoomDirectoryConfig(Config): # room_id: Matches against the room ID the alias is being pointed at # action: Whether to "allow" or "deny" the request if the rule matches # - alias_creation_rules: - - user_id: "*" - alias: "*" - room_id: "*" - action: allow + # The default is: + # + # alias_creation_rules: + # - user_id: "*" + # alias: "*" + # room_id: "*" + # action: allow # The `room_list_publication_rules` option controls who can publish and # which rooms can be published in the public room list. @@ -83,11 +103,13 @@ class RoomDirectoryConfig(Config): # associated with the room # action: Whether to "allow" or "deny" the request if the rule matches # - room_list_publication_rules: - - user_id: "*" - alias: "*" - room_id: "*" - action: allow + # The default is: + # + # room_list_publication_rules: + # - user_id: "*" + # alias: "*" + # room_id: "*" + # action: allow """ def is_alias_creation_allowed(self, user_id, room_id, alias): -- cgit 1.5.1 From 68d2869c8dd2358270d3eb45f06658ceea59b907 Mon Sep 17 00:00:00 2001 From: "Juuso \"Linda\" Lapinlampi" Date: Wed, 13 Feb 2019 12:09:57 +0000 Subject: config: Remove a repeated word from a logger warning The warning for missing macaroon_secret_key was "missing missing". --- synapse/config/key.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'synapse/config') diff --git a/synapse/config/key.py b/synapse/config/key.py index dce4b19a2d..499ffd4e06 100644 --- a/synapse/config/key.py +++ b/synapse/config/key.py @@ -56,7 +56,7 @@ class KeyConfig(Config): if not self.macaroon_secret_key: # Unfortunately, there are people out there that don't have this # set. Lets just be "nice" and derive one from their secret key. - logger.warn("Config is missing missing macaroon_secret_key") + logger.warn("Config is missing macaroon_secret_key") seed = bytes(self.signing_key[0]) self.macaroon_secret_key = hashlib.sha256(seed).digest() -- cgit 1.5.1