ircd:Ⓜ️:fetch: Add result check opts to request interface opts; feature authoritative_redactions.

include/ircd/m/fetch.h

@@ -106,6 +106,29 @@ struct ircd::m::fetch::opts
 	/// by the user here. The default of 0 will be replaced by some internal
 	/// configured limit like 8 or 16 etc.
 	size_t backfill_limit {0};
+
+	/// Whether to hash the result for event_id (ignored for v1/v2); this is
+	/// important to ignore poisonous results and continuing.
+	bool check_event_id {true};
+
+	/// Whether to run the conforms checks on the result; this is important
+	/// to screen out poisonous results while continuing to try other servers.
+	bool check_conforms {true};
+
+	/// Whether to check if the content hash matches. This might not match if
+	/// the event is redacted (or junk), so other servers will then be tried.
+	/// Note the case of authoriative redactions below; and if true that may
+	/// allow a condition for forcing check_hashes=false.
+	bool check_hashes {true};
+
+	/// Whether to allow content hash mismatch iff the result was received from
+	/// the event's origin. If the origin of the event wants to redact the
+	/// event we accept; otherwise we continue to look for an unredacted copy.
+	bool authoritative_redaction {true};
+
+	/// Whether to verify signature of result before accepting; this is
+	/// important to ignore poisonous results and continuing.
+	bool check_signature {true};
 };
 
 struct ircd::m::fetch::result

matrix/fetch.cc

@@ -728,7 +728,8 @@ namespace ircd::m::fetch
 	extern conf::item<bool> check_event_id;
 	extern conf::item<bool> check_conforms;
 	extern conf::item<bool> check_signature;
-	extern conf::item<bool> check_redacted;
+	extern conf::item<bool> check_hashes;
+	extern conf::item<bool> check_authoritative_redaction;
 }
 
 decltype(ircd::m::fetch::check_event_id)
@@ -745,11 +746,18 @@ ircd::m::fetch::check_conforms
 	{ "default",  true                          },
 };
 
-decltype(ircd::m::fetch::check_redacted)
-ircd::m::fetch::check_redacted
+decltype(ircd::m::fetch::check_hashes)
+ircd::m::fetch::check_hashes
 {
-	{ "name",     "ircd.m.fetch.check.redacted" },
-	{ "default",  true                          },
+	{ "name",     "ircd.m.fetch.check.hashes" },
+	{ "default",  true                        },
+};
+
+decltype(ircd::m::fetch::check_authoritative_redaction)
+ircd::m::fetch::check_authoritative_redaction
+{
+	{ "name",     "ircd.m.fetch.check.authoritative_redaction" },
+	{ "default",  true                                         },
 };
 
 decltype(ircd::m::fetch::check_signature)
@@ -861,7 +869,7 @@ void
 ircd::m::fetch::_check_event(const request &request,
                              const m::event &event)
 {
-	if(check_event_id && !m::check_id(event))
+	if(request.opts.check_event_id && check_event_id && !m::check_id(event))
 	{
 		event::id::buf buf;
 		const m::event &claim
@@ -877,21 +885,29 @@ ircd::m::fetch::_check_event(const request &request,
 		};
 	}
 
-	if(check_conforms)
+	if(request.opts.check_conforms && check_conforms)
 	{
 		m::event::conforms conforms
 		{
 			event
 		};
 
-		const bool redacted
+		const bool mismatch_hashes
 		{
-			check_redacted && conforms.has(m::event::conforms::MISMATCH_HASHES)?
-				bool(m::redacted(request.opts.event_id)):
-				false
+			check_hashes
+			&& request.opts.check_hashes
+			&& conforms.has(m::event::conforms::MISMATCH_HASHES)
 		};
 
-		if(redacted || !check_redacted)
+		const bool authoritative_redaction
+		{
+			check_authoritative_redaction
+			&& request.opts.authoritative_redaction
+			&& mismatch_hashes
+			&& json::get<"origin"_>(event) == request.origin
+		};
+
+		if(authoritative_redaction)
 			conforms.del(m::event::conforms::MISMATCH_HASHES);
 
 		thread_local char buf[128];
@@ -910,7 +926,7 @@ ircd::m::fetch::_check_event(const request &request,
 	}
 
 	// only check signature for v1 events
-	if(check_signature && request.opts.event_id.version() == "1")
+	if(request.opts.check_signature && check_signature && request.opts.event_id.version() == "1")
 	{
 		const string_view &server
 		{