From dbafb7c9062c868ee7079d67319b878af4b42d27 Mon Sep 17 00:00:00 2001 From: Tulir Asokan Date: Sat, 30 Oct 2021 14:06:15 +0300 Subject: [PATCH] Replace also_allow_user with a global config option Basically reverts 088977f67607186da8e14232f9f17fa22ccc16c9. This way is more suitable for self-hosting where there's no gateway to manage the query parameter. --- README.md | 3 +++ synapse/api/auth.py | 6 +++--- synapse/config/_base.pyi | 2 ++ synapse/config/experimental.py | 2 -- synapse/config/meow.py | 3 +++ synapse/handlers/room_batch.py | 26 +++++++++----------------- synapse/rest/client/room_batch.py | 5 ----- 7 files changed, 20 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index 5cdf1a101..2859eb204 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,7 @@ use the specific release tags. filtered away (e.g. `org.matrix.dummy_event` and `m.room.aliases`). * Config option to allow specific users to use timestamp massaging without being appservice users. +* Config option to allow appservices to use MSC2716 batch sending as any local user. * Removed bad pusher URL validation. * webp images are thumbnailed to webp instead of jpeg to avoid losing transparency. @@ -53,4 +54,6 @@ meow: # List of users who can use timestamp massaging without being appservices timestamp_override: - "@you:example.com" + # Whether appservices should be allowed to use MSC2716 batch sending as any local user. + appservice_batch_send_any: false ``` diff --git a/synapse/api/auth.py b/synapse/api/auth.py index a1d623d9c..3207a4afd 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -244,7 +244,7 @@ class Auth: raise MissingClientTokenError() async def validate_appservice_can_control_user_id( - self, app_service: ApplicationService, user_id: str, also_allow_user: Optional[str] = None + self, app_service: ApplicationService, user_id: str, allow_any: bool = False ) -> None: """Validates that the app service is allowed to control the given user. @@ -252,7 +252,7 @@ class Auth: Args: app_service: The app service that controls the user user_id: The author MXID that the app service is controlling - also_allow_user: An additional user ID that the appservice can temporarily control + allow_any: Allow the appservice to control any local user Raises: AuthError: If the application service is not allowed to control the user @@ -264,7 +264,7 @@ class Auth: if app_service.sender == user_id: pass # Check to make sure the app service is allowed to control the user - elif not app_service.is_interested_in_user(user_id) and user_id != also_allow_user: + elif not app_service.is_interested_in_user(user_id) and not allow_any: raise AuthError( 403, "Application service cannot masquerade as this user (%s)." % user_id, diff --git a/synapse/config/_base.pyi b/synapse/config/_base.pyi index c1d906979..e3119c0fb 100644 --- a/synapse/config/_base.pyi +++ b/synapse/config/_base.pyi @@ -17,6 +17,7 @@ from synapse.config import ( jwt, key, logger, + meow, metrics, modules, oidc, @@ -65,6 +66,7 @@ class RootConfig: voip: voip.VoipConfig registration: registration.RegistrationConfig account_validity: account_validity.AccountValidityConfig + meow: meow.MeowConfig metrics: metrics.MetricsConfig api: api.ApiConfig appservice: appservice.AppServiceConfig diff --git a/synapse/config/experimental.py b/synapse/config/experimental.py index 48f58fab2..8b098ad48 100644 --- a/synapse/config/experimental.py +++ b/synapse/config/experimental.py @@ -35,8 +35,6 @@ class ExperimentalConfig(Config): # MSC2716 (backfill existing history) self.msc2716_enabled: bool = experimental.get("msc2716_enabled", False) - self.msc2716_also_allow_user: bool = experimental.get("com.beeper.msc2716_also_allow_user", False) - # MSC2285 (hidden read receipts) self.msc2285_enabled: bool = experimental.get("msc2285_enabled", False) diff --git a/synapse/config/meow.py b/synapse/config/meow.py index 8c2cba47e..cc58478ce 100644 --- a/synapse/config/meow.py +++ b/synapse/config/meow.py @@ -29,6 +29,7 @@ class MeowConfig(Config): self.filter_override = set(meow_config.get("filter_override", [])) self.timestamp_override = set(meow_config.get("timestamp_override", [])) self.admin_api_register_invalid = meow_config.get("admin_api_register_invalid", True) + self.appservice_batch_send_any = meow_config.get("appservice_batch_send_any", False) def generate_config_section(self, config_dir_path, server_name, **kwargs): return """ @@ -46,4 +47,6 @@ class MeowConfig(Config): # - "@you:example.com" # # Whether or not the admin API should be able to register invalid user IDs. # admin_api_register_invalid: true + # # Whether appservices should be allowed to use MSC2716 batch sending as any local user. + # appservice_batch_send_any: false """ diff --git a/synapse/handlers/room_batch.py b/synapse/handlers/room_batch.py index 79cf72952..4fa8fbd20 100644 --- a/synapse/handlers/room_batch.py +++ b/synapse/handlers/room_batch.py @@ -1,5 +1,5 @@ import logging -from typing import TYPE_CHECKING, List, Tuple, Optional +from typing import TYPE_CHECKING, List, Tuple from synapse.api.constants import EventContentFields, EventTypes from synapse.appservice import ApplicationService @@ -25,6 +25,7 @@ class RoomBatchHandler: self.event_creation_handler = hs.get_event_creation_handler() self.room_member_handler = hs.get_room_member_handler() self.auth = hs.get_auth() + self.allow_send_any = self.hs.config.meow.appservice_batch_send_any async def inherit_depth_from_prev_ids(self, prev_event_ids: List[str]) -> int: """Finds the depth which would sort it after the most-recent @@ -107,7 +108,7 @@ class RoomBatchHandler: return insertion_event async def create_requester_for_user_id_from_app_service( - self, user_id: str, app_service: ApplicationService, also_allow_user: Optional[str] = None, + self, user_id: str, app_service: ApplicationService ) -> Requester: """Creates a new requester for the given user_id and validates that the app service is allowed to control @@ -116,13 +117,13 @@ class RoomBatchHandler: Args: user_id: The author MXID that the app service is controlling app_service: The app service that controls the user - also_allow_user: An additional user ID that the appservice can temporarily control Returns: Requester object """ - await self.auth.validate_appservice_can_control_user_id(app_service, user_id, also_allow_user) + await self.auth.validate_appservice_can_control_user_id(app_service, user_id, + allow_any=self.allow_send_any) return create_requester(user_id, app_service=app_service) @@ -160,7 +161,6 @@ class RoomBatchHandler: room_id: str, initial_auth_event_ids: List[str], app_service_requester: Requester, - also_allow_user: Optional[str], ) -> List[str]: """Takes all `state_events_at_start` event dictionaries and creates/persists them as floating state events which don't resolve into the current room state. @@ -175,7 +175,6 @@ class RoomBatchHandler: added to the list of auth events for the next state event created. app_service_requester: The requester of an application service. - also_allow_user: An additional user ID that the appservice can temporarily control Returns: List of state event ID's we just persisted @@ -217,8 +216,7 @@ class RoomBatchHandler: membership = event_dict["content"].get("membership", None) event_id, _ = await self.room_member_handler.update_membership( await self.create_requester_for_user_id_from_app_service( - state_event["sender"], app_service_requester.app_service, - also_allow_user, + state_event["sender"], app_service_requester.app_service ), target=UserID.from_string(event_dict["state_key"]), room_id=room_id, @@ -240,8 +238,7 @@ class RoomBatchHandler: _, ) = await self.event_creation_handler.create_and_send_nonmember_event( await self.create_requester_for_user_id_from_app_service( - state_event["sender"], app_service_requester.app_service, - also_allow_user, + state_event["sender"], app_service_requester.app_service ), event_dict, outlier=True, @@ -268,7 +265,6 @@ class RoomBatchHandler: inherited_depth: int, auth_event_ids: List[str], app_service_requester: Requester, - also_allow_user: Optional[str], ) -> List[str]: """Create and persists all events provided sequentially. Handles the complexity of creating events in chronological order so they can @@ -289,7 +285,6 @@ class RoomBatchHandler: auth_event_ids: Define which events allow you to create the given event in the room. app_service_requester: The requester of an application service. - also_allow_user: An additional user ID that the appservice can temporarily control Returns: List of persisted event IDs @@ -321,7 +316,7 @@ class RoomBatchHandler: event, context = await self.event_creation_handler.create_event( await self.create_requester_for_user_id_from_app_service( - ev["sender"], app_service_requester.app_service, also_allow_user, + ev["sender"], app_service_requester.app_service ), event_dict, prev_event_ids=event_dict.get("prev_events"), @@ -362,7 +357,7 @@ class RoomBatchHandler: for (event, context) in reversed(events_to_persist): await self.event_creation_handler.handle_new_client_event( await self.create_requester_for_user_id_from_app_service( - event["sender"], app_service_requester.app_service, also_allow_user, + event["sender"], app_service_requester.app_service ), event=event, context=context, @@ -379,7 +374,6 @@ class RoomBatchHandler: inherited_depth: int, auth_event_ids: List[str], app_service_requester: Requester, - also_allow_user: Optional[str], ) -> Tuple[List[str], str]: """ Handles creating and persisting all of the historical events as well @@ -399,7 +393,6 @@ class RoomBatchHandler: auth_event_ids: Define which events allow you to create the given event in the room. app_service_requester: The requester of an application service. - also_allow_user: An additional user ID that the appservice can temporarily control Returns: Tuple containing a list of created events and the next_batch_id @@ -447,7 +440,6 @@ class RoomBatchHandler: inherited_depth=inherited_depth, auth_event_ids=auth_event_ids, app_service_requester=app_service_requester, - also_allow_user=also_allow_user, ) return event_ids, next_batch_id diff --git a/synapse/rest/client/room_batch.py b/synapse/rest/client/room_batch.py index 6cac53824..99f8156ad 100644 --- a/synapse/rest/client/room_batch.py +++ b/synapse/rest/client/room_batch.py @@ -80,7 +80,6 @@ class RoomBatchSendEventRestServlet(RestServlet): self.auth = hs.get_auth() self.room_batch_handler = hs.get_room_batch_handler() self.txns = HttpTransactionCache(hs) - self.enable_also_allow_user = hs.config.experimental.msc2716_also_allow_user async def on_POST( self, request: SynapseRequest, room_id: str @@ -101,8 +100,6 @@ class RoomBatchSendEventRestServlet(RestServlet): request.args, "prev_event_id" ) batch_id_from_query = parse_string(request, "batch_id") - also_allow_from_query = (parse_string(request, "com.beeper.also_allow_user") - if self.enable_also_allow_user else None) if prev_event_ids_from_query is None: raise SynapseError( @@ -143,7 +140,6 @@ class RoomBatchSendEventRestServlet(RestServlet): room_id=room_id, initial_auth_event_ids=auth_event_ids, app_service_requester=requester, - also_allow_user=also_allow_from_query, ) ) # Update our ongoing auth event ID list with all of the new state we @@ -214,7 +210,6 @@ class RoomBatchSendEventRestServlet(RestServlet): inherited_depth=inherited_depth, auth_event_ids=auth_event_ids, app_service_requester=requester, - also_allow_user=also_allow_from_query, ) insertion_event_id = event_ids[0]