mirror of
https://mau.dev/maunium/synapse.git
synced 2024-12-21 02:53:56 +01:00
Add an experimental room version to support restricted join rules. (#9717)
Per MSC3083.
This commit is contained in:
parent
e32294f54b
commit
35c5ef2d24
6 changed files with 297 additions and 11 deletions
1
changelog.d/9717.feature
Normal file
1
changelog.d/9717.feature
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Add experimental support for [MSC3083](https://github.com/matrix-org/matrix-doc/pull/3083): restricting room access via group membership.
|
|
@ -59,6 +59,8 @@ class JoinRules:
|
||||||
KNOCK = "knock"
|
KNOCK = "knock"
|
||||||
INVITE = "invite"
|
INVITE = "invite"
|
||||||
PRIVATE = "private"
|
PRIVATE = "private"
|
||||||
|
# As defined for MSC3083.
|
||||||
|
MSC3083_RESTRICTED = "restricted"
|
||||||
|
|
||||||
|
|
||||||
class LoginType:
|
class LoginType:
|
||||||
|
|
|
@ -57,7 +57,7 @@ class RoomVersion:
|
||||||
state_res = attr.ib(type=int) # one of the StateResolutionVersions
|
state_res = attr.ib(type=int) # one of the StateResolutionVersions
|
||||||
enforce_key_validity = attr.ib(type=bool)
|
enforce_key_validity = attr.ib(type=bool)
|
||||||
|
|
||||||
# bool: before MSC2261/MSC2432, m.room.aliases had special auth rules and redaction rules
|
# Before MSC2261/MSC2432, m.room.aliases had special auth rules and redaction rules
|
||||||
special_case_aliases_auth = attr.ib(type=bool)
|
special_case_aliases_auth = attr.ib(type=bool)
|
||||||
# Strictly enforce canonicaljson, do not allow:
|
# Strictly enforce canonicaljson, do not allow:
|
||||||
# * Integers outside the range of [-2 ^ 53 + 1, 2 ^ 53 - 1]
|
# * Integers outside the range of [-2 ^ 53 + 1, 2 ^ 53 - 1]
|
||||||
|
@ -69,6 +69,8 @@ class RoomVersion:
|
||||||
limit_notifications_power_levels = attr.ib(type=bool)
|
limit_notifications_power_levels = attr.ib(type=bool)
|
||||||
# MSC2174/MSC2176: Apply updated redaction rules algorithm.
|
# MSC2174/MSC2176: Apply updated redaction rules algorithm.
|
||||||
msc2176_redaction_rules = attr.ib(type=bool)
|
msc2176_redaction_rules = attr.ib(type=bool)
|
||||||
|
# MSC3083: Support the 'restricted' join_rule.
|
||||||
|
msc3083_join_rules = attr.ib(type=bool)
|
||||||
|
|
||||||
|
|
||||||
class RoomVersions:
|
class RoomVersions:
|
||||||
|
@ -82,6 +84,7 @@ class RoomVersions:
|
||||||
strict_canonicaljson=False,
|
strict_canonicaljson=False,
|
||||||
limit_notifications_power_levels=False,
|
limit_notifications_power_levels=False,
|
||||||
msc2176_redaction_rules=False,
|
msc2176_redaction_rules=False,
|
||||||
|
msc3083_join_rules=False,
|
||||||
)
|
)
|
||||||
V2 = RoomVersion(
|
V2 = RoomVersion(
|
||||||
"2",
|
"2",
|
||||||
|
@ -93,6 +96,7 @@ class RoomVersions:
|
||||||
strict_canonicaljson=False,
|
strict_canonicaljson=False,
|
||||||
limit_notifications_power_levels=False,
|
limit_notifications_power_levels=False,
|
||||||
msc2176_redaction_rules=False,
|
msc2176_redaction_rules=False,
|
||||||
|
msc3083_join_rules=False,
|
||||||
)
|
)
|
||||||
V3 = RoomVersion(
|
V3 = RoomVersion(
|
||||||
"3",
|
"3",
|
||||||
|
@ -104,6 +108,7 @@ class RoomVersions:
|
||||||
strict_canonicaljson=False,
|
strict_canonicaljson=False,
|
||||||
limit_notifications_power_levels=False,
|
limit_notifications_power_levels=False,
|
||||||
msc2176_redaction_rules=False,
|
msc2176_redaction_rules=False,
|
||||||
|
msc3083_join_rules=False,
|
||||||
)
|
)
|
||||||
V4 = RoomVersion(
|
V4 = RoomVersion(
|
||||||
"4",
|
"4",
|
||||||
|
@ -115,6 +120,7 @@ class RoomVersions:
|
||||||
strict_canonicaljson=False,
|
strict_canonicaljson=False,
|
||||||
limit_notifications_power_levels=False,
|
limit_notifications_power_levels=False,
|
||||||
msc2176_redaction_rules=False,
|
msc2176_redaction_rules=False,
|
||||||
|
msc3083_join_rules=False,
|
||||||
)
|
)
|
||||||
V5 = RoomVersion(
|
V5 = RoomVersion(
|
||||||
"5",
|
"5",
|
||||||
|
@ -126,6 +132,7 @@ class RoomVersions:
|
||||||
strict_canonicaljson=False,
|
strict_canonicaljson=False,
|
||||||
limit_notifications_power_levels=False,
|
limit_notifications_power_levels=False,
|
||||||
msc2176_redaction_rules=False,
|
msc2176_redaction_rules=False,
|
||||||
|
msc3083_join_rules=False,
|
||||||
)
|
)
|
||||||
V6 = RoomVersion(
|
V6 = RoomVersion(
|
||||||
"6",
|
"6",
|
||||||
|
@ -137,6 +144,7 @@ class RoomVersions:
|
||||||
strict_canonicaljson=True,
|
strict_canonicaljson=True,
|
||||||
limit_notifications_power_levels=True,
|
limit_notifications_power_levels=True,
|
||||||
msc2176_redaction_rules=False,
|
msc2176_redaction_rules=False,
|
||||||
|
msc3083_join_rules=False,
|
||||||
)
|
)
|
||||||
MSC2176 = RoomVersion(
|
MSC2176 = RoomVersion(
|
||||||
"org.matrix.msc2176",
|
"org.matrix.msc2176",
|
||||||
|
@ -148,6 +156,19 @@ class RoomVersions:
|
||||||
strict_canonicaljson=True,
|
strict_canonicaljson=True,
|
||||||
limit_notifications_power_levels=True,
|
limit_notifications_power_levels=True,
|
||||||
msc2176_redaction_rules=True,
|
msc2176_redaction_rules=True,
|
||||||
|
msc3083_join_rules=False,
|
||||||
|
)
|
||||||
|
MSC3083 = RoomVersion(
|
||||||
|
"org.matrix.msc3083",
|
||||||
|
RoomDisposition.UNSTABLE,
|
||||||
|
EventFormatVersions.V3,
|
||||||
|
StateResolutionVersions.V2,
|
||||||
|
enforce_key_validity=True,
|
||||||
|
special_case_aliases_auth=False,
|
||||||
|
strict_canonicaljson=True,
|
||||||
|
limit_notifications_power_levels=True,
|
||||||
|
msc2176_redaction_rules=False,
|
||||||
|
msc3083_join_rules=True,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@ -162,4 +183,5 @@ KNOWN_ROOM_VERSIONS = {
|
||||||
RoomVersions.V6,
|
RoomVersions.V6,
|
||||||
RoomVersions.MSC2176,
|
RoomVersions.MSC2176,
|
||||||
)
|
)
|
||||||
|
# Note that we do not include MSC3083 here unless it is enabled in the config.
|
||||||
} # type: Dict[str, RoomVersion]
|
} # type: Dict[str, RoomVersion]
|
||||||
|
|
|
@ -13,6 +13,7 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
|
from synapse.api.room_versions import KNOWN_ROOM_VERSIONS, RoomVersions
|
||||||
from synapse.config._base import Config
|
from synapse.config._base import Config
|
||||||
from synapse.types import JsonDict
|
from synapse.types import JsonDict
|
||||||
|
|
||||||
|
@ -27,7 +28,11 @@ class ExperimentalConfig(Config):
|
||||||
|
|
||||||
# MSC2858 (multiple SSO identity providers)
|
# MSC2858 (multiple SSO identity providers)
|
||||||
self.msc2858_enabled = experimental.get("msc2858_enabled", False) # type: bool
|
self.msc2858_enabled = experimental.get("msc2858_enabled", False) # type: bool
|
||||||
# Spaces (MSC1772, MSC2946, etc)
|
|
||||||
|
# Spaces (MSC1772, MSC2946, MSC3083, etc)
|
||||||
self.spaces_enabled = experimental.get("spaces_enabled", False) # type: bool
|
self.spaces_enabled = experimental.get("spaces_enabled", False) # type: bool
|
||||||
|
if self.spaces_enabled:
|
||||||
|
KNOWN_ROOM_VERSIONS[RoomVersions.MSC3083.identifier] = RoomVersions.MSC3083
|
||||||
|
|
||||||
# MSC3026 (busy presence state)
|
# MSC3026 (busy presence state)
|
||||||
self.msc3026_enabled = experimental.get("msc3026_enabled", False) # type: bool
|
self.msc3026_enabled = experimental.get("msc3026_enabled", False) # type: bool
|
||||||
|
|
|
@ -162,7 +162,7 @@ def check(
|
||||||
logger.debug("Auth events: %s", [a.event_id for a in auth_events.values()])
|
logger.debug("Auth events: %s", [a.event_id for a in auth_events.values()])
|
||||||
|
|
||||||
if event.type == EventTypes.Member:
|
if event.type == EventTypes.Member:
|
||||||
_is_membership_change_allowed(event, auth_events)
|
_is_membership_change_allowed(room_version_obj, event, auth_events)
|
||||||
logger.debug("Allowing! %s", event)
|
logger.debug("Allowing! %s", event)
|
||||||
return
|
return
|
||||||
|
|
||||||
|
@ -220,8 +220,19 @@ def _can_federate(event: EventBase, auth_events: StateMap[EventBase]) -> bool:
|
||||||
|
|
||||||
|
|
||||||
def _is_membership_change_allowed(
|
def _is_membership_change_allowed(
|
||||||
event: EventBase, auth_events: StateMap[EventBase]
|
room_version: RoomVersion, event: EventBase, auth_events: StateMap[EventBase]
|
||||||
) -> None:
|
) -> None:
|
||||||
|
"""
|
||||||
|
Confirms that the event which changes membership is an allowed change.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
room_version: The version of the room.
|
||||||
|
event: The event to check.
|
||||||
|
auth_events: The current auth events of the room.
|
||||||
|
|
||||||
|
Raises:
|
||||||
|
AuthError if the event is not allowed.
|
||||||
|
"""
|
||||||
membership = event.content["membership"]
|
membership = event.content["membership"]
|
||||||
|
|
||||||
# Check if this is the room creator joining:
|
# Check if this is the room creator joining:
|
||||||
|
@ -315,14 +326,19 @@ def _is_membership_change_allowed(
|
||||||
if user_level < invite_level:
|
if user_level < invite_level:
|
||||||
raise AuthError(403, "You don't have permission to invite users")
|
raise AuthError(403, "You don't have permission to invite users")
|
||||||
elif Membership.JOIN == membership:
|
elif Membership.JOIN == membership:
|
||||||
# Joins are valid iff caller == target and they were:
|
# Joins are valid iff caller == target and:
|
||||||
# invited: They are accepting the invitation
|
# * They are not banned.
|
||||||
# joined: It's a NOOP
|
# * They are accepting a previously sent invitation.
|
||||||
|
# * They are already joined (it's a NOOP).
|
||||||
|
# * The room is public or restricted.
|
||||||
if event.user_id != target_user_id:
|
if event.user_id != target_user_id:
|
||||||
raise AuthError(403, "Cannot force another user to join.")
|
raise AuthError(403, "Cannot force another user to join.")
|
||||||
elif target_banned:
|
elif target_banned:
|
||||||
raise AuthError(403, "You are banned from this room")
|
raise AuthError(403, "You are banned from this room")
|
||||||
elif join_rule == JoinRules.PUBLIC:
|
elif join_rule == JoinRules.PUBLIC or (
|
||||||
|
room_version.msc3083_join_rules
|
||||||
|
and join_rule == JoinRules.MSC3083_RESTRICTED
|
||||||
|
):
|
||||||
pass
|
pass
|
||||||
elif join_rule == JoinRules.INVITE:
|
elif join_rule == JoinRules.INVITE:
|
||||||
if not caller_in_room and not caller_invited:
|
if not caller_in_room and not caller_invited:
|
||||||
|
|
|
@ -207,6 +207,226 @@ class EventAuthTestCase(unittest.TestCase):
|
||||||
do_sig_check=False,
|
do_sig_check=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_join_rules_public(self):
|
||||||
|
"""
|
||||||
|
Test joining a public room.
|
||||||
|
"""
|
||||||
|
creator = "@creator:example.com"
|
||||||
|
pleb = "@joiner:example.com"
|
||||||
|
|
||||||
|
auth_events = {
|
||||||
|
("m.room.create", ""): _create_event(creator),
|
||||||
|
("m.room.member", creator): _join_event(creator),
|
||||||
|
("m.room.join_rules", ""): _join_rules_event(creator, "public"),
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check join.
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.V6,
|
||||||
|
_join_event(pleb),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# A user cannot be force-joined to a room.
|
||||||
|
with self.assertRaises(AuthError):
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.V6,
|
||||||
|
_member_event(pleb, "join", sender=creator),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# Banned should be rejected.
|
||||||
|
auth_events[("m.room.member", pleb)] = _member_event(pleb, "ban")
|
||||||
|
with self.assertRaises(AuthError):
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.V6,
|
||||||
|
_join_event(pleb),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# A user who left can re-join.
|
||||||
|
auth_events[("m.room.member", pleb)] = _member_event(pleb, "leave")
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.V6,
|
||||||
|
_join_event(pleb),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# A user can send a join if they're in the room.
|
||||||
|
auth_events[("m.room.member", pleb)] = _member_event(pleb, "join")
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.V6,
|
||||||
|
_join_event(pleb),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# A user can accept an invite.
|
||||||
|
auth_events[("m.room.member", pleb)] = _member_event(
|
||||||
|
pleb, "invite", sender=creator
|
||||||
|
)
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.V6,
|
||||||
|
_join_event(pleb),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_join_rules_invite(self):
|
||||||
|
"""
|
||||||
|
Test joining an invite only room.
|
||||||
|
"""
|
||||||
|
creator = "@creator:example.com"
|
||||||
|
pleb = "@joiner:example.com"
|
||||||
|
|
||||||
|
auth_events = {
|
||||||
|
("m.room.create", ""): _create_event(creator),
|
||||||
|
("m.room.member", creator): _join_event(creator),
|
||||||
|
("m.room.join_rules", ""): _join_rules_event(creator, "invite"),
|
||||||
|
}
|
||||||
|
|
||||||
|
# A join without an invite is rejected.
|
||||||
|
with self.assertRaises(AuthError):
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.V6,
|
||||||
|
_join_event(pleb),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# A user cannot be force-joined to a room.
|
||||||
|
with self.assertRaises(AuthError):
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.V6,
|
||||||
|
_member_event(pleb, "join", sender=creator),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# Banned should be rejected.
|
||||||
|
auth_events[("m.room.member", pleb)] = _member_event(pleb, "ban")
|
||||||
|
with self.assertRaises(AuthError):
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.V6,
|
||||||
|
_join_event(pleb),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# A user who left cannot re-join.
|
||||||
|
auth_events[("m.room.member", pleb)] = _member_event(pleb, "leave")
|
||||||
|
with self.assertRaises(AuthError):
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.V6,
|
||||||
|
_join_event(pleb),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# A user can send a join if they're in the room.
|
||||||
|
auth_events[("m.room.member", pleb)] = _member_event(pleb, "join")
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.V6,
|
||||||
|
_join_event(pleb),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# A user can accept an invite.
|
||||||
|
auth_events[("m.room.member", pleb)] = _member_event(
|
||||||
|
pleb, "invite", sender=creator
|
||||||
|
)
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.V6,
|
||||||
|
_join_event(pleb),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_join_rules_msc3083_restricted(self):
|
||||||
|
"""
|
||||||
|
Test joining a restricted room from MSC3083.
|
||||||
|
|
||||||
|
This is pretty much the same test as public.
|
||||||
|
"""
|
||||||
|
creator = "@creator:example.com"
|
||||||
|
pleb = "@joiner:example.com"
|
||||||
|
|
||||||
|
auth_events = {
|
||||||
|
("m.room.create", ""): _create_event(creator),
|
||||||
|
("m.room.member", creator): _join_event(creator),
|
||||||
|
("m.room.join_rules", ""): _join_rules_event(creator, "restricted"),
|
||||||
|
}
|
||||||
|
|
||||||
|
# Older room versions don't understand this join rule
|
||||||
|
with self.assertRaises(AuthError):
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.V6,
|
||||||
|
_join_event(pleb),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# Check join.
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.MSC3083,
|
||||||
|
_join_event(pleb),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# A user cannot be force-joined to a room.
|
||||||
|
with self.assertRaises(AuthError):
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.MSC3083,
|
||||||
|
_member_event(pleb, "join", sender=creator),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# Banned should be rejected.
|
||||||
|
auth_events[("m.room.member", pleb)] = _member_event(pleb, "ban")
|
||||||
|
with self.assertRaises(AuthError):
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.MSC3083,
|
||||||
|
_join_event(pleb),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# A user who left can re-join.
|
||||||
|
auth_events[("m.room.member", pleb)] = _member_event(pleb, "leave")
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.MSC3083,
|
||||||
|
_join_event(pleb),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# A user can send a join if they're in the room.
|
||||||
|
auth_events[("m.room.member", pleb)] = _member_event(pleb, "join")
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.MSC3083,
|
||||||
|
_join_event(pleb),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# A user can accept an invite.
|
||||||
|
auth_events[("m.room.member", pleb)] = _member_event(
|
||||||
|
pleb, "invite", sender=creator
|
||||||
|
)
|
||||||
|
event_auth.check(
|
||||||
|
RoomVersions.MSC3083,
|
||||||
|
_join_event(pleb),
|
||||||
|
auth_events,
|
||||||
|
do_sig_check=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
# helpers for making events
|
# helpers for making events
|
||||||
|
|
||||||
|
@ -225,19 +445,24 @@ def _create_event(user_id):
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
def _join_event(user_id):
|
def _member_event(user_id, membership, sender=None):
|
||||||
return make_event_from_dict(
|
return make_event_from_dict(
|
||||||
{
|
{
|
||||||
"room_id": TEST_ROOM_ID,
|
"room_id": TEST_ROOM_ID,
|
||||||
"event_id": _get_event_id(),
|
"event_id": _get_event_id(),
|
||||||
"type": "m.room.member",
|
"type": "m.room.member",
|
||||||
"sender": user_id,
|
"sender": sender or user_id,
|
||||||
"state_key": user_id,
|
"state_key": user_id,
|
||||||
"content": {"membership": "join"},
|
"content": {"membership": membership},
|
||||||
|
"prev_events": [],
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def _join_event(user_id):
|
||||||
|
return _member_event(user_id, "join")
|
||||||
|
|
||||||
|
|
||||||
def _power_levels_event(sender, content):
|
def _power_levels_event(sender, content):
|
||||||
return make_event_from_dict(
|
return make_event_from_dict(
|
||||||
{
|
{
|
||||||
|
@ -277,6 +502,21 @@ def _random_state_event(sender):
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def _join_rules_event(sender, join_rule):
|
||||||
|
return make_event_from_dict(
|
||||||
|
{
|
||||||
|
"room_id": TEST_ROOM_ID,
|
||||||
|
"event_id": _get_event_id(),
|
||||||
|
"type": "m.room.join_rules",
|
||||||
|
"sender": sender,
|
||||||
|
"state_key": "",
|
||||||
|
"content": {
|
||||||
|
"join_rule": join_rule,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
event_count = 0
|
event_count = 0
|
||||||
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue