OpenCloud
/
MatrixSynapse
mirror of https://github.com/matrix-org/synapse
1
0
Fork 0
Code Issues Releases Wiki Activity

Add an experimental room version to support restricted join rules. (#9717) 

Per MSC3083.
pull/9725/head
Patrick Cloke 2021-03-31 16:39:08 -04:00 committed by GitHub
parent e32294f54b
commit 35c5ef2d24
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 297 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
changelog.d/9717.feature Normal file
View File

@ -0,0 +1 @@
Add experimental support for [MSC3083](https://github.com/matrix-org/matrix-doc/pull/3083): restricting room access via group membership.

2
synapse/api/constants.py
View File

@ -59,6 +59,8 @@ class JoinRules:
KNOCK = "knock" KNOCK = "knock"
INVITE = "invite" INVITE = "invite"
PRIVATE = "private" PRIVATE = "private"
# As defined for MSC3083.
MSC3083_RESTRICTED = "restricted"
class LoginType: class LoginType:

24
synapse/api/room_versions.py
View File

@ -57,7 +57,7 @@ class RoomVersion:
state_res = attr.ib(type=int) # one of the StateResolutionVersions state_res = attr.ib(type=int) # one of the StateResolutionVersions
enforce_key_validity = attr.ib(type=bool) enforce_key_validity = attr.ib(type=bool)
# bool: before MSC2261/MSC2432, m.room.aliases had special auth rules and redaction rules # Before MSC2261/MSC2432, m.room.aliases had special auth rules and redaction rules
special_case_aliases_auth = attr.ib(type=bool) special_case_aliases_auth = attr.ib(type=bool)
# Strictly enforce canonicaljson, do not allow: # Strictly enforce canonicaljson, do not allow:
# * Integers outside the range of [-2 ^ 53 + 1, 2 ^ 53 - 1] # * Integers outside the range of [-2 ^ 53 + 1, 2 ^ 53 - 1]
@ -69,6 +69,8 @@ class RoomVersion:
limit_notifications_power_levels = attr.ib(type=bool) limit_notifications_power_levels = attr.ib(type=bool)
# MSC2174/MSC2176: Apply updated redaction rules algorithm. # MSC2174/MSC2176: Apply updated redaction rules algorithm.
msc2176_redaction_rules = attr.ib(type=bool) msc2176_redaction_rules = attr.ib(type=bool)
# MSC3083: Support the 'restricted' join_rule.
msc3083_join_rules = attr.ib(type=bool)
class RoomVersions: class RoomVersions:
@ -82,6 +84,7 @@ class RoomVersions:
strict_canonicaljson=False, strict_canonicaljson=False,
limit_notifications_power_levels=False, limit_notifications_power_levels=False,
msc2176_redaction_rules=False, msc2176_redaction_rules=False,
msc3083_join_rules=False,
) )
V2 = RoomVersion( V2 = RoomVersion(
"2", "2",
@ -93,6 +96,7 @@ class RoomVersions:
strict_canonicaljson=False, strict_canonicaljson=False,
limit_notifications_power_levels=False, limit_notifications_power_levels=False,
msc2176_redaction_rules=False, msc2176_redaction_rules=False,
msc3083_join_rules=False,
) )
V3 = RoomVersion( V3 = RoomVersion(
"3", "3",
@ -104,6 +108,7 @@ class RoomVersions:
strict_canonicaljson=False, strict_canonicaljson=False,
limit_notifications_power_levels=False, limit_notifications_power_levels=False,
msc2176_redaction_rules=False, msc2176_redaction_rules=False,
msc3083_join_rules=False,
) )
V4 = RoomVersion( V4 = RoomVersion(
"4", "4",
@ -115,6 +120,7 @@ class RoomVersions:
strict_canonicaljson=False, strict_canonicaljson=False,
limit_notifications_power_levels=False, limit_notifications_power_levels=False,
msc2176_redaction_rules=False, msc2176_redaction_rules=False,
msc3083_join_rules=False,
) )
V5 = RoomVersion( V5 = RoomVersion(
"5", "5",
@ -126,6 +132,7 @@ class RoomVersions:
strict_canonicaljson=False, strict_canonicaljson=False,
limit_notifications_power_levels=False, limit_notifications_power_levels=False,
msc2176_redaction_rules=False, msc2176_redaction_rules=False,
msc3083_join_rules=False,
) )
V6 = RoomVersion( V6 = RoomVersion(
"6", "6",
@ -137,6 +144,7 @@ class RoomVersions:
strict_canonicaljson=True, strict_canonicaljson=True,
limit_notifications_power_levels=True, limit_notifications_power_levels=True,
msc2176_redaction_rules=False, msc2176_redaction_rules=False,
msc3083_join_rules=False,
) )
MSC2176 = RoomVersion( MSC2176 = RoomVersion(
"org.matrix.msc2176", "org.matrix.msc2176",
@ -148,6 +156,19 @@ class RoomVersions:
strict_canonicaljson=True, strict_canonicaljson=True,
limit_notifications_power_levels=True, limit_notifications_power_levels=True,
msc2176_redaction_rules=True, msc2176_redaction_rules=True,
msc3083_join_rules=False,
)
MSC3083 = RoomVersion(
"org.matrix.msc3083",
RoomDisposition.UNSTABLE,
EventFormatVersions.V3,
StateResolutionVersions.V2,
enforce_key_validity=True,
special_case_aliases_auth=False,
strict_canonicaljson=True,
limit_notifications_power_levels=True,
msc2176_redaction_rules=False,
msc3083_join_rules=True,
) )
@ -162,4 +183,5 @@ KNOWN_ROOM_VERSIONS = {
RoomVersions.V6, RoomVersions.V6,
RoomVersions.MSC2176, RoomVersions.MSC2176,
) )
# Note that we do not include MSC3083 here unless it is enabled in the config.
} # type: Dict[str, RoomVersion] } # type: Dict[str, RoomVersion]

7
synapse/config/experimental.py
View File

@ -13,6 +13,7 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
from synapse.api.room_versions import KNOWN_ROOM_VERSIONS, RoomVersions
from synapse.config._base import Config from synapse.config._base import Config
from synapse.types import JsonDict from synapse.types import JsonDict
@ -27,7 +28,11 @@ class ExperimentalConfig(Config):
# MSC2858 (multiple SSO identity providers) # MSC2858 (multiple SSO identity providers)
self.msc2858_enabled = experimental.get("msc2858_enabled", False) # type: bool self.msc2858_enabled = experimental.get("msc2858_enabled", False) # type: bool
# Spaces (MSC1772, MSC2946, etc)
# Spaces (MSC1772, MSC2946, MSC3083, etc)
self.spaces_enabled = experimental.get("spaces_enabled", False) # type: bool self.spaces_enabled = experimental.get("spaces_enabled", False) # type: bool
if self.spaces_enabled:
KNOWN_ROOM_VERSIONS[RoomVersions.MSC3083.identifier] = RoomVersions.MSC3083
# MSC3026 (busy presence state) # MSC3026 (busy presence state)
self.msc3026_enabled = experimental.get("msc3026_enabled", False) # type: bool self.msc3026_enabled = experimental.get("msc3026_enabled", False) # type: bool

28
synapse/event_auth.py
View File

@ -162,7 +162,7 @@ def check(
logger.debug("Auth events: %s", [a.event_id for a in auth_events.values()]) logger.debug("Auth events: %s", [a.event_id for a in auth_events.values()])
if event.type == EventTypes.Member: if event.type == EventTypes.Member:
_is_membership_change_allowed(event, auth_events) _is_membership_change_allowed(room_version_obj, event, auth_events)
logger.debug("Allowing! %s", event) logger.debug("Allowing! %s", event)
return return
@ -220,8 +220,19 @@ def _can_federate(event: EventBase, auth_events: StateMap[EventBase]) -> bool:
def _is_membership_change_allowed( def _is_membership_change_allowed(
event: EventBase, auth_events: StateMap[EventBase] room_version: RoomVersion, event: EventBase, auth_events: StateMap[EventBase]
) -> None: ) -> None:
"""
Confirms that the event which changes membership is an allowed change.
Args:
room_version: The version of the room.
event: The event to check.
auth_events: The current auth events of the room.
Raises:
AuthError if the event is not allowed.
"""
membership = event.content["membership"] membership = event.content["membership"]
# Check if this is the room creator joining: # Check if this is the room creator joining:
@ -315,14 +326,19 @@ def _is_membership_change_allowed(
if user_level < invite_level: if user_level < invite_level:
raise AuthError(403, "You don't have permission to invite users") raise AuthError(403, "You don't have permission to invite users")
elif Membership.JOIN == membership: elif Membership.JOIN == membership:
# Joins are valid iff caller == target and they were: # Joins are valid iff caller == target and:
# invited: They are accepting the invitation # * They are not banned.
# joined: It's a NOOP # * They are accepting a previously sent invitation.
# * They are already joined (it's a NOOP).
# * The room is public or restricted.
if event.user_id != target_user_id: if event.user_id != target_user_id:
raise AuthError(403, "Cannot force another user to join.") raise AuthError(403, "Cannot force another user to join.")
elif target_banned: elif target_banned:
raise AuthError(403, "You are banned from this room") raise AuthError(403, "You are banned from this room")
elif join_rule == JoinRules.PUBLIC: elif join_rule == JoinRules.PUBLIC or (
room_version.msc3083_join_rules
and join_rule == JoinRules.MSC3083_RESTRICTED
):
pass pass
elif join_rule == JoinRules.INVITE: elif join_rule == JoinRules.INVITE:
if not caller_in_room and not caller_invited: if not caller_in_room and not caller_invited:

246
tests/test_event_auth.py
View File

@ -207,6 +207,226 @@ class EventAuthTestCase(unittest.TestCase):
do_sig_check=False, do_sig_check=False,
) )
def test_join_rules_public(self):
"""
Test joining a public room.
"""
creator = "@creator:example.com"
pleb = "@joiner:example.com"
auth_events = {
("m.room.create", ""): _create_event(creator),
("m.room.member", creator): _join_event(creator),
("m.room.join_rules", ""): _join_rules_event(creator, "public"),
}
# Check join.
event_auth.check(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user cannot be force-joined to a room.
with self.assertRaises(AuthError):
event_auth.check(
RoomVersions.V6,
_member_event(pleb, "join", sender=creator),
auth_events,
do_sig_check=False,
)
# Banned should be rejected.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "ban")
with self.assertRaises(AuthError):
event_auth.check(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user who left can re-join.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "leave")
event_auth.check(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user can send a join if they're in the room.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "join")
event_auth.check(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user can accept an invite.
auth_events[("m.room.member", pleb)] = _member_event(
pleb, "invite", sender=creator
)
event_auth.check(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
def test_join_rules_invite(self):
"""
Test joining an invite only room.
"""
creator = "@creator:example.com"
pleb = "@joiner:example.com"
auth_events = {
("m.room.create", ""): _create_event(creator),
("m.room.member", creator): _join_event(creator),
("m.room.join_rules", ""): _join_rules_event(creator, "invite"),
}
# A join without an invite is rejected.
with self.assertRaises(AuthError):
event_auth.check(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user cannot be force-joined to a room.
with self.assertRaises(AuthError):
event_auth.check(
RoomVersions.V6,
_member_event(pleb, "join", sender=creator),
auth_events,
do_sig_check=False,
)
# Banned should be rejected.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "ban")
with self.assertRaises(AuthError):
event_auth.check(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user who left cannot re-join.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "leave")
with self.assertRaises(AuthError):
event_auth.check(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user can send a join if they're in the room.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "join")
event_auth.check(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user can accept an invite.
auth_events[("m.room.member", pleb)] = _member_event(
pleb, "invite", sender=creator
)
event_auth.check(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
def test_join_rules_msc3083_restricted(self):
"""
Test joining a restricted room from MSC3083.
This is pretty much the same test as public.
"""
creator = "@creator:example.com"
pleb = "@joiner:example.com"
auth_events = {
("m.room.create", ""): _create_event(creator),
("m.room.member", creator): _join_event(creator),
("m.room.join_rules", ""): _join_rules_event(creator, "restricted"),
}
# Older room versions don't understand this join rule
with self.assertRaises(AuthError):
event_auth.check(
RoomVersions.V6,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# Check join.
event_auth.check(
RoomVersions.MSC3083,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user cannot be force-joined to a room.
with self.assertRaises(AuthError):
event_auth.check(
RoomVersions.MSC3083,
_member_event(pleb, "join", sender=creator),
auth_events,
do_sig_check=False,
)
# Banned should be rejected.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "ban")
with self.assertRaises(AuthError):
event_auth.check(
RoomVersions.MSC3083,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user who left can re-join.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "leave")
event_auth.check(
RoomVersions.MSC3083,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user can send a join if they're in the room.
auth_events[("m.room.member", pleb)] = _member_event(pleb, "join")
event_auth.check(
RoomVersions.MSC3083,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# A user can accept an invite.
auth_events[("m.room.member", pleb)] = _member_event(
pleb, "invite", sender=creator
)
event_auth.check(
RoomVersions.MSC3083,
_join_event(pleb),
auth_events,
do_sig_check=False,
)
# helpers for making events # helpers for making events
@ -225,19 +445,24 @@ def _create_event(user_id):
) )
def _join_event(user_id): def _member_event(user_id, membership, sender=None):
return make_event_from_dict( return make_event_from_dict(
{ {
"room_id": TEST_ROOM_ID, "room_id": TEST_ROOM_ID,
"event_id": _get_event_id(), "event_id": _get_event_id(),
"type": "m.room.member", "type": "m.room.member",
"sender": user_id, "sender": sender or user_id,
"state_key": user_id, "state_key": user_id,
"content": {"membership": "join"}, "content": {"membership": membership},
"prev_events": [],
} }
) )
def _join_event(user_id):
return _member_event(user_id, "join")
def _power_levels_event(sender, content): def _power_levels_event(sender, content):
return make_event_from_dict( return make_event_from_dict(
{ {
@ -277,6 +502,21 @@ def _random_state_event(sender):
) )
def _join_rules_event(sender, join_rule):
return make_event_from_dict(
{
"room_id": TEST_ROOM_ID,
"event_id": _get_event_id(),
"type": "m.room.join_rules",
"sender": sender,
"state_key": "",
"content": {
"join_rule": join_rule,
},
}
)
event_count = 0 event_count = 0