// Matrix Construct // // Copyright (C) Matrix Construct Developers, Authors & Contributors // Copyright (C) 2016-2019 Jason Volk // // Permission to use, copy, modify, and/or distribute this software for any // purpose with or without fee is hereby granted, provided that the above // copyright notice and this permission notice is present in all copies. The // full license for this software is available in the LICENSE file. using namespace ircd; static void process(client &, const resource::request &, const m::event &); static resource::response put__invite(client &client, const resource::request &request); mapi::header IRCD_MODULE { "Federation 12 :Inviting to a room (v2)" }; resource invite_resource { "/_matrix/federation/v2/invite/", { "Inviting to a room", resource::DIRECTORY } }; resource::method method_put { invite_resource, "PUT", put__invite, { method_put.VERIFY_ORIGIN } }; mods::import> stream_cross_sleeptime { "federation_invite", "stream_cross_sleeptime" }; resource::response put__invite(client &client, const resource::request &request) { if(request.parv.size() < 1) throw m::NEED_MORE_PARAMS { "room_id path parameter required" }; m::room::id::buf room_id { url::decode(room_id, request.parv[0]) }; if(request.parv.size() < 2) throw m::NEED_MORE_PARAMS { "event_id path parameter required" }; m::event::id::buf event_id { url::decode(event_id, request.parv[1]) }; const json::string &room_version { request.get("room_version", "1") }; m::event event { request["event"], event_id }; char check_buf[48]; m::event::id check_id; switch(hash(room_version)) { case "1"_: case "2"_: check_id = json::get<"event_id"_>(event)? m::event::id{json::get<"event_id"_>(event)}: event_id; // put back the event_id that synapse stripped json::get<"event_id"_>(event) = check_id; assert(json::get<"event_id"_>(event) == check_id); break; case "3"_: check_id = m::event::id::v3{check_buf, event}; break; case "4"_: case "5"_: default: check_id = m::event::id::v4{check_buf, event}; break; } if(!check_id || event_id != check_id) throw m::BAD_REQUEST { "Claimed event_id %s does not match %s", string_view{event_id}, string_view{check_id}, }; if(at<"room_id"_>(event) != room_id) throw m::error { http::NOT_MODIFIED, "M_MISMATCH_ROOM_ID", "ID of room in request body %s does not match path param %s", string_view{at<"room_id"_>(event)}, string_view{room_id}, }; if(at<"type"_>(event) != "m.room.member") throw m::error { http::NOT_MODIFIED, "M_INVALID_TYPE", "event.type must be m.room.member" }; if(unquote(at<"content"_>(event).at("membership")) != "invite") throw m::error { http::NOT_MODIFIED, "M_INVALID_CONTENT_MEMBERSHIP", "event.content.membership must be invite." }; if(at<"origin"_>(event) != request.origin) throw m::error { http::FORBIDDEN, "M_INVALID_ORIGIN", "event.origin must be you." }; const m::user::id &sender { at<"sender"_>(event) }; if(sender.host() != request.origin) throw m::error { http::FORBIDDEN, "M_INVALID_ORIGIN", "event.sender must be your user." }; const m::user::id &target { at<"state_key"_>(event) }; if(!my_host(target.host())) throw m::error { http::FORBIDDEN, "M_INVALID_STATE_KEY", "event.state_key must be my user." }; m::event::conforms non_conforms; const m::event::conforms report { event, non_conforms.report }; if(!report.clean()) throw m::error { http::NOT_MODIFIED, "M_INVALID_EVENT", "Proffered event has the following problems: %s", string(report) }; // May conduct disk IO to check ACL if(m::room::server_acl::enable_write) if(!m::room::server_acl::check(room_id, request.node_id)) throw m::ACCESS_DENIED { "You are not permitted by the room's server access control list." }; // May conduct network IO to fetch node's key; disk IO to fetch node's key if(!verify(event, request.node_id)) throw m::ACCESS_DENIED { "Invite event fails verification for %s", string_view{request.node_id}, }; thread_local char sigs[4_KiB]; m::event signed_event { signatures(sigs, event) }; signed_event.event_id = event_id; const json::strung signed_json { signed_event }; // Send back the signed event first before eval. If we eval the signed // event first: the effects will occur before the inviting server has // the signed event returned from us; they might not consider the user // invited yet, causing trouble for the eval effects. That may actually // still happen due to the two separate TCP connections being uncoordinated // (one for this request, and another when m::eval effects connect to them // and make any requests). But either way if this call fails then we will // lose the invite but that may not be such a bad thing. resource::response response { client, json::members { { "event", json::object{signed_json} } } }; // Synapse needs time to process our response otherwise our eval below may // complete before this response arrives for them and is processed. ctx::sleep(milliseconds(*stream_cross_sleeptime)); // Post processing, does not throw. process(client, request, event); // note: returning a resource response is a symbolic/indicator action to // the caller and has no real effect at the point of return. return response; } void process(client &client, const resource::request &request, const m::event &event) try { // Eval the dual-signed invite event. This will write it locally. This will // also try to sync the room as best as possible. The invitee will then be // presented with this invite request in their rooms list. m::vm::opts vmopts; vmopts.node_id = request.origin; // Synapse may 403 a fetch of the prev_event of the invite event. vmopts.fetch_prev_check = false; vmopts.fetch_prev = false; vmopts.non_conform |= m::event::conforms::INVALID_OR_MISSING_EVENT_ID; vmopts.nothrows |= m::vm::fault::EXISTS; m::vm::eval { event, vmopts }; } catch(const std::exception &e) { log::error { m::log, "Processing invite from:%s to:%s :%s", json::get<"sender"_>(event), json::get<"state_key"_>(event), e.what(), }; return; }