mirror of https://github.com/matrix-construct/construct synced 2025-01-13 16:33:53 +01:00

modules: Implement 13.29 room server access control list checks.

fixes #47.
Jason Volk 2019-05-26 20:36:26 -07:00
parent f11126613e
commit 645ce4d8e2
15 changed files with 131 additions and 13 deletions


@ -78,6 +78,12 @@ get__backfill(client &client,
url::decode(room_id, request.parv[0])
};
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
throw m::ACCESS_DENIED
{
"You are not permitted by the room's server access control list."
};
m::event::id::buf event_id
{
request.query["v"]?
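Review bot: The same five-line ACL guard is pasted verbatim into twelve federation handlers in this commit (this one, get__backfill_ids, get__event_auth, get__missing_events, put__invite, get__make_join, get__make_leave, post__query_auth, put__send_join, put__send_leave, get__state, get__state_ids), differing only in `enable_read` versus `enable_write`. A single shared helper taking the room, the requesting server and a read/write flag, for example a hypothetical `check_server_acl(room_id, request.node_id, write)`, would keep the policy and the error text in one place. It would also make it harder for a future room-scoped endpoint to ship without the check. The guard should carry a short comment stating that `request.node_id` is the authenticated origin of the request, since that is what makes the check meaningful and it is not visible in these hunks. The handler bodies start and end outside each hunk.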


@ -74,6 +74,12 @@ get__backfill_ids(client &client,
url::decode(room_id, request.parv[0])
};
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
throw m::ACCESS_DENIED
{
"You are not permitted by the room's server access control list."
};
m::event::id::buf event_id
{
request.query["v"]?


@ -48,6 +48,12 @@ get__event_auth(client &client,
url::decode(room_id, request.parv[0])
};
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
throw m::ACCESS_DENIED
{
"You are not permitted by the room's server access control list."
};
if(request.parv.size() < 2)
throw m::NEED_MORE_PARAMS
{


@ -75,6 +75,12 @@ get__missing_events(client &client,
url::decode(room_id, request.parv[0])
};
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
throw m::ACCESS_DENIED
{
"You are not permitted by the room's server access control list."
};
ssize_t limit
{
request["limit"]?


@ -96,6 +96,12 @@ put__invite(client &client,
"ID of room in request body does not match the path parameter."
};
if(m::room::server_acl::enable_write && !m::room::server_acl::check(room_id, request.node_id))
throw m::ACCESS_DENIED
{
"You are not permitted by the room's server access control list."
};
check_event(request, event);
thread_local char sigs[4_KiB];


@ -79,6 +79,12 @@ get__make_join(client &client,
string_view{room_id}
};
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
throw m::ACCESS_DENIED
{
"You are not permitted by the room's server access control list."
};
if(!room.visible(user_id))
throw m::ACCESS_DENIED
{


@ -67,6 +67,12 @@ get__make_leave(client &client,
"You are not permitted to spoof users on other hosts."
};
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
throw m::ACCESS_DENIED
{
"You are not permitted by the room's server access control list."
};
const m::room room
{
room_id


@ -54,6 +54,12 @@ post__query_auth(client &client,
url::decode(room_id, request.parv[0])
};
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
throw m::ACCESS_DENIED
{
"You are not permitted by the room's server access control list."
};
if(request.parv.size() < 2)
throw m::NEED_MORE_PARAMS
{


@ -101,6 +101,12 @@ put__send_join(client &client,
"Event origin must be you."
};
if(m::room::server_acl::enable_write && !m::room::server_acl::check(room_id, request.node_id))
throw m::ACCESS_DENIED
{
"You are not permitted by the room's server access control list."
};
m::vm::opts vmopts;
vmopts.non_conform.set(m::event::conforms::MISSING_PREV_STATE);
m::vm::eval eval


@ -101,6 +101,12 @@ put__send_leave(client &client,
"Event origin must be you."
};
if(m::room::server_acl::enable_write && !m::room::server_acl::check(room_id, request.node_id))
throw m::ACCESS_DENIED
{
"You are not permitted by the room's server access control list."
};
m::vm::opts vmopts;
vmopts.non_conform.set(m::event::conforms::MISSING_PREV_STATE);
m::vm::eval eval


@ -48,6 +48,12 @@ get__state(client &client,
url::decode(room_id, request.parv[0])
};
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
throw m::ACCESS_DENIED
{
"You are not permitted by the room's server access control list."
};
m::event::id::buf event_id;
if(request.query["event_id"])
event_id = url::decode(event_id, request.query.at("event_id"));


@ -41,6 +41,12 @@ get__state_ids(client &client,
url::decode(room_id, request.parv[0])
};
if(m::room::server_acl::enable_read && !m::room::server_acl::check(room_id, request.node_id))
throw m::ACCESS_DENIED
{
"You are not permitted by the room's server access control list."
};
m::event::id::buf event_id;
if(request.query["event_id"])
event_id = url::decode(event_id, request.query.at("event_id"));


@ -72,6 +72,18 @@ handle_edu_m_receipt(const m::event &event,
unquote(member.first)
};
if(m::room::server_acl::enable_write && !m::room::server_acl::check(room_id, origin))
{
log::dwarning
{
receipt_log, "Ignoring m.receipt from '%s' in %s :denied by m.room.server_acl.",
json::get<"origin"_>(event),
string_view{room_id},
};
continue;
}
handle_m_receipt(event, room_id, member.second);
}
}
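Review bot: The new guard checks `origin`, but the log line beside it prints `json::get<"origin"_>(event)`, and `origin` is not declared inside this hunk. If both are the same value, log `origin` so the recorded server is provably the one that was denied; if they can differ, the guard needs a comment saying which identity the ACL is applied to. Unlike the m.typing handler in this commit, there is no `my_host(origin)` exemption here, so it is worth confirming whether receipts from the local server reach this path and should be subject to the room ACL. Denials are only emitted through `log::dwarning`; if that level is filtered in production, an operator gets no record of ACL rejections. The function body starts outside the hunk.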


@ -173,25 +173,46 @@ _handle_edu_m_typing(const m::event &event,
at<"user_id"_>(edu)
};
const auto &origin
{
at<"origin"_>(event)
};
// Check if this server can send an edu for this user. We make an exception
// for our server to allow the timeout worker to use this codepath.
if(!my_host(at<"origin"_>(event)) && user_id.host() != at<"origin"_>(event))
if(!my_host(origin))
if(user_id.host() != origin)
{
log::dwarning
{
typing_log, "Ignoring %s from %s for alien %s",
at<"type"_>(event),
at<"origin"_>(event),
origin,
string_view{user_id}
};
return;
}
// Check if this server can write to the room based on the m.room.server_acl.
if(!my_host(origin))
if(m::room::server_acl::enable_write && !m::room::server_acl::check(room_id, origin))
{
log::dwarning
{
typing_log, "Ignoring %s from '%s' in %s :denied by m.room.server_acl.",
at<"type"_>(event),
origin,
string_view{room_id},
};
return;
}
// Update the typing state map for edu's from other servers only; the
// state map was already updated for our clients in the committer. Also
// condition for skipping redundant updates here too based on the state.
if(!my_host(at<"origin"_>(event)))
if(!my_host(origin))
{
// Check if the user is actually in the room. The check is in this
// branch for remote servers only because our committer above did this
@ -203,7 +224,7 @@ _handle_edu_m_typing(const m::event &event,
{
typing_log, "Ignoring %s from %s for user %s because not in room '%s'",
at<"type"_>(event),
at<"origin"_>(event),
origin,
string_view{user_id},
string_view{room_id},
};
@ -223,7 +244,7 @@ _handle_edu_m_typing(const m::event &event,
log::info
{
typing_log, "%s %s %s typing in %s",
at<"origin"_>(event),
origin,
string_view{user_id},
json::get<"typing"_>(edu)? "started"_sv : "stopped"_sv,
string_view{room_id}
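Review bot: `my_host(origin)` is now evaluated at three separate points in _handle_edu_m_typing, and the first two sit in nested brace-less `if`s where a later `else` would bind to the inner condition. Computing it once, `const bool remote{!my_host(origin)};`, and writing `if(remote && user_id.host() != origin)` and `if(remote && m::room::server_acl::enable_write && !m::room::server_acl::check(room_id, origin))` would read more clearly and keep the three remote-only branches visibly tied to the same decision. The ACL branch would also benefit from a comment noting that it runs before the membership check further down, so a denied server is rejected without touching room state. The function continues outside these hunks.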


@ -638,6 +638,11 @@ ircd::m::vm::execute_pdu(eval &eval,
at<"room_id"_>(event)
};
const string_view &origin
{
at<"origin"_>(event)
};
const string_view &type
{
at<"type"_>(event)
@ -655,6 +660,14 @@ ircd::m::vm::execute_pdu(eval &eval,
fault::EXISTS, "Event has already been evaluated."
};
if(m::room::server_acl::enable_write && !m::room::server_acl::check(room_id, origin))
throw m::ACCESS_DENIED
{
"Execution denied for '%s' by room %s server access control list.",
origin,
string_view{room_id}
};
if(opts.verify && !verify(event))
throw m::BAD_SIGNATURE
{
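Review bot: The ACL guard in execute_pdu keys on the event's own `origin` field and runs before `verify(event)`, so at this point the server name is only claimed, and when `opts.verify` is false it is never authenticated on this path. Either move the guard below the signature check, or keep the order and document it with a comment such as `// origin is unverified here; verify() below authenticates it when opts.verify is set`. It is also worth stating in a comment whether locally originated events and historical events relayed by a permitted server are meant to be rejected here, since the guard has no `my_host(origin)` exemption and checks the event's author rather than the server that delivered it. The function body extends outside both hunks.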