-
Notifications
You must be signed in to change notification settings - Fork 234
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Filter out rooms from the room directory being served to other homese…
…rvers when those rooms block that homeserver by their Access Control Lists. (#16759) The idea here being that the directory server shouldn't advertise rooms to a requesting server is the requesting server would not be allowed to join or participate in the room. <!-- Fixes: # <!-- --> <!-- Supersedes: # <!-- --> <!-- Follows: # <!-- --> <!-- Part of: # <!-- --> Base: `develop` <!-- git-stack-base-branch:develop --> <!-- This pull request is commit-by-commit review friendly. <!-- --> <!-- This pull request is intended for commit-by-commit review. <!-- --> Original commit schedule, with full messages: <ol> <li> Pass `from_federation_origin` down into room list retrieval code </li> <li> Don't cache /publicRooms response for inbound federated requests </li> <li> fixup! Don't cache /publicRooms response for inbound federated requests </li> <li> Cap the number of /publicRooms entries to 100 </li> <li> Simplify code now that you can't request unlimited rooms </li> <li> Filter out rooms from federated requests that don't have the correct ACL </li> <li> Request a handful more when filtering ACLs so that we can try to avoid shortchanging the requester </li> </ol> --------- Signed-off-by: Olivier Wilkinson (reivilibre) <oliverw@matrix.org>
- Loading branch information
1 parent
5d3850b
commit a83a337
Showing
4 changed files
with
221 additions
and
52 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Filter out rooms from the room directory being served to other homeservers when those rooms block that homeserver by their Access Control Lists. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,88 @@ | ||
from http import HTTPStatus | ||
from typing import Optional, Set | ||
|
||
from synapse.rest import admin | ||
from synapse.rest.client import directory, login, room | ||
from synapse.types import JsonDict | ||
|
||
from tests import unittest | ||
|
||
|
||
class RoomListHandlerTestCase(unittest.HomeserverTestCase): | ||
servlets = [ | ||
admin.register_servlets, | ||
login.register_servlets, | ||
room.register_servlets, | ||
directory.register_servlets, | ||
] | ||
|
||
def _create_published_room( | ||
self, tok: str, extra_content: Optional[JsonDict] = None | ||
) -> str: | ||
room_id = self.helper.create_room_as(tok=tok, extra_content=extra_content) | ||
channel = self.make_request( | ||
"PUT", | ||
f"/_matrix/client/v3/directory/list/room/{room_id}?access_token={tok}", | ||
content={ | ||
"visibility": "public", | ||
}, | ||
) | ||
assert channel.code == HTTPStatus.OK, f"couldn't publish room: {channel.result}" | ||
return room_id | ||
|
||
def test_acls_applied_to_room_directory_results(self) -> None: | ||
""" | ||
Creates 3 rooms. Room 2 has an ACL that only permits the homeservers | ||
`test` and `test2` to access it. | ||
We then simulate `test2` and `test3` requesting the room directory and assert | ||
that `test3` does not see room 2, but `test2` sees all 3. | ||
""" | ||
self.register_user("u1", "p1") | ||
u1tok = self.login("u1", "p1") | ||
room1 = self._create_published_room(u1tok) | ||
|
||
room2 = self._create_published_room( | ||
u1tok, | ||
extra_content={ | ||
"initial_state": [ | ||
{ | ||
"type": "m.room.server_acl", | ||
"content": { | ||
"allow": ["test", "test2"], | ||
}, | ||
} | ||
] | ||
}, | ||
) | ||
|
||
room3 = self._create_published_room(u1tok) | ||
|
||
room_list = self.get_success( | ||
self.hs.get_room_list_handler().get_local_public_room_list( | ||
limit=50, from_federation_origin="test2" | ||
) | ||
) | ||
room_ids_in_test2_list: Set[str] = { | ||
entry["room_id"] for entry in room_list["chunk"] | ||
} | ||
|
||
room_list = self.get_success( | ||
self.hs.get_room_list_handler().get_local_public_room_list( | ||
limit=50, from_federation_origin="test3" | ||
) | ||
) | ||
room_ids_in_test3_list: Set[str] = { | ||
entry["room_id"] for entry in room_list["chunk"] | ||
} | ||
|
||
self.assertEqual( | ||
room_ids_in_test2_list, | ||
{room1, room2, room3}, | ||
"test2 should be able to see all 3 rooms", | ||
) | ||
self.assertEqual( | ||
room_ids_in_test3_list, | ||
{room1, room3}, | ||
"test3 should be able to see only 2 rooms", | ||
) |