Apply the federation_ip_range_blacklist to push.

2020-11-20 13:56:48 -05:00 · 2020-11-20 13:56:48 -05:00 · 9e8b37f1ce
parent 968939bdac
commit 9e8b37f1ce
6 changed files with 42 additions and 12 deletions
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@ -649,6 +649,9 @@ acme:
 # As of Synapse v1.4.0 this option also affects any outbound requests to identity
 # servers provided by user input.
 #
+# As of Synapse v1.24.0 this option also affects any outbound requests to push
+# servers provided by user input.
+#
 # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
 # listed here, since they correspond to unroutable addresses.)
 #
--- a/synapse/config/federation.py
+++ b/synapse/config/federation.py
@ -83,6 +83,9 @@ class FederationConfig(Config):
        # As of Synapse v1.4.0 this option also affects any outbound requests to identity
        # servers provided by user input.
        #
+        # As of Synapse v1.24.0 this option also affects any outbound requests to push
+        # servers provided by user input.
+        #
        # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
        # listed here, since they correspond to unroutable addresses.)
        #
--- a/synapse/push/httppusher.py
+++ b/synapse/push/httppusher.py
@ -99,7 +99,7 @@ class HttpPusher:
        if "url" not in self.data:
            raise PusherConfigException("'url' required in data for HTTP pusher")
        self.url = self.data["url"]
-        self.http_client = hs.get_proxied_http_client()
+        self.http_client = hs.get_proxied_blacklisted_http_client()
        self.data_minus_url = {}
        self.data_minus_url.update(self.data)
        del self.data_minus_url["url"]
--- a/synapse/server.py
+++ b/synapse/server.py
@ -351,16 +351,45 @@ class HomeServer(metaclass=abc.ABCMeta):

    @cache_in_self
    def get_simple_http_client(self) -> SimpleHttpClient:
+        """
+        An HTTP client with no special configuration.
+        """
        return SimpleHttpClient(self)

    @cache_in_self
    def get_proxied_http_client(self) -> SimpleHttpClient:
+        """
+        An HTTP client that uses configured HTTP(S) proxies.
+        """
        return SimpleHttpClient(
            self,
            http_proxy=os.getenvb(b"http_proxy"),
            https_proxy=os.getenvb(b"HTTPS_PROXY"),
        )

+    @cache_in_self
+    def get_proxied_blacklisted_http_client(self) -> SimpleHttpClient:
+        """
+        An HTTP client that uses configured HTTP(S) proxies and blacklists IPs
+        based on the federation IP range blacklist.
+        """
+        return SimpleHttpClient(
+            self,
+            ip_blacklist=self.config.federation_ip_range_blacklist,
+            http_proxy=os.getenvb(b"http_proxy"),
+            https_proxy=os.getenvb(b"HTTPS_PROXY"),
+        )
+
+    @cache_in_self
+    def get_http_client(self) -> MatrixFederationHttpClient:
+        """
+        An HTTP client for federation.
+        """
+        tls_client_options_factory = context_factory.FederationPolicyForHTTPS(
+            self.config
+        )
+        return MatrixFederationHttpClient(self, tls_client_options_factory)
+
    @cache_in_self
    def get_room_creation_handler(self) -> RoomCreationHandler:
        return RoomCreationHandler(self)
@ -515,13 +544,6 @@ class HomeServer(metaclass=abc.ABCMeta):
    def get_pusherpool(self) -> PusherPool:
        return PusherPool(self)

-    @cache_in_self
-    def get_http_client(self) -> MatrixFederationHttpClient:
-        tls_client_options_factory = context_factory.FederationPolicyForHTTPS(
-            self.config
-        )
-        return MatrixFederationHttpClient(self, tls_client_options_factory)
-
    @cache_in_self
    def get_media_repository_resource(self) -> MediaRepositoryResource:
        # build the media repo resource. This indirects through the HomeServer
--- a/tests/push/test_http.py
+++ b/tests/push/test_http.py
@ -48,7 +48,9 @@ class HTTPPusherTests(HomeserverTestCase):
        config = self.default_config()
        config["start_pushers"] = True

-        hs = self.setup_test_homeserver(config=config, proxied_http_client=m)
+        hs = self.setup_test_homeserver(
+            config=config, proxied_blacklisted_http_client=m
+        )

        return hs

--- a/tests/replication/test_pusher_shard.py
+++ b/tests/replication/test_pusher_shard.py
@ -98,7 +98,7 @@ class PusherShardTestCase(BaseMultiWorkerStreamTestCase):
        self.make_worker_hs(
            "synapse.app.pusher",
            {"start_pushers": True},
-            proxied_http_client=http_client_mock,
+            proxied_blacklisted_http_client=http_client_mock,
        )

        event_id = self._create_pusher_and_send_msg("user")
@ -133,7 +133,7 @@ class PusherShardTestCase(BaseMultiWorkerStreamTestCase):
                "worker_name": "pusher1",
                "pusher_instances": ["pusher1", "pusher2"],
            },
-            proxied_http_client=http_client_mock1,
+            proxied_blacklisted_http_client=http_client_mock1,
        )

        http_client_mock2 = Mock(spec_set=["post_json_get_json"])
@ -148,7 +148,7 @@ class PusherShardTestCase(BaseMultiWorkerStreamTestCase):
                "worker_name": "pusher2",
                "pusher_instances": ["pusher1", "pusher2"],
            },
-            proxied_http_client=http_client_mock2,
+            proxied_blacklisted_http_client=http_client_mock2,
        )

        # We choose a user name that we know should go to pusher1.