Merge branch 'develop' into e2e_backups

2025-08-01 14:06:06 -04:00 · 2018-08-24 11:44:26 -04:00 · 2018-08-24 11:44:26 -04:00 · 83caead95a
commit 83caead95a
parent 42a394caa2 897d976c1e
232 changed files with 7197 additions and 4107 deletions
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -25,7 +25,7 @@ from twisted.internet import defer
 import synapse.types
 from synapse import event_auth
 from synapse.api.constants import EventTypes, JoinRules, Membership
-from synapse.api.errors import AuthError, Codes
+from synapse.api.errors import AuthError, Codes, ResourceLimitError
 from synapse.types import UserID
 from synapse.util.caches import CACHE_SIZE_FACTOR, register_cache
 from synapse.util.caches.lrucache import LruCache
@ -211,9 +211,9 @@ class Auth(object):
            user_agent = request.requestHeaders.getRawHeaders(
                b"User-Agent",
                default=[b""]
-            )[0]
+            )[0].decode('ascii', 'surrogateescape')
            if user and access_token and ip_addr:
-                self.store.insert_client_ip(
+                yield self.store.insert_client_ip(
                    user_id=user.to_string(),
                    access_token=access_token,
                    ip=ip_addr,
@ -682,7 +682,7 @@ class Auth(object):
        Returns:
            bool: False if no access_token was given, True otherwise.
        """
-        query_params = request.args.get("access_token")
+        query_params = request.args.get(b"access_token")
        auth_headers = request.requestHeaders.getRawHeaders(b"Authorization")
        return bool(query_params) or bool(auth_headers)

@ -698,7 +698,7 @@ class Auth(object):
                401 since some of the old clients depended on auth errors returning
                403.
        Returns:
-            str: The access_token
+            unicode: The access_token
        Raises:
            AuthError: If there isn't an access_token in the request.
        """
@ -720,9 +720,9 @@ class Auth(object):
                    "Too many Authorization headers.",
                    errcode=Codes.MISSING_TOKEN,
                )
-            parts = auth_headers[0].split(" ")
-            if parts[0] == "Bearer" and len(parts) == 2:
-                return parts[1]
+            parts = auth_headers[0].split(b" ")
+            if parts[0] == b"Bearer" and len(parts) == 2:
+                return parts[1].decode('ascii')
            else:
                raise AuthError(
                    token_not_found_http_status,
@ -738,7 +738,7 @@ class Auth(object):
                    errcode=Codes.MISSING_TOKEN
                )

-            return query_params[0]
+            return query_params[0].decode('ascii')

    @defer.inlineCallbacks
    def check_in_room_or_world_readable(self, room_id, user_id):
@ -773,3 +773,46 @@ class Auth(object):
            raise AuthError(
                403, "Guest access not allowed", errcode=Codes.GUEST_ACCESS_FORBIDDEN
            )
+
+    @defer.inlineCallbacks
+    def check_auth_blocking(self, user_id=None):
+        """Checks if the user should be rejected for some external reason,
+        such as monthly active user limiting or global disable flag
+
+        Args:
+            user_id(str|None): If present, checks for presence against existing
+            MAU cohort
+        """
+
+        # Never fail an auth check for the server notices users
+        # This can be a problem where event creation is prohibited due to blocking
+        if user_id == self.hs.config.server_notices_mxid:
+            return
+
+        if self.hs.config.hs_disabled:
+            raise ResourceLimitError(
+                403, self.hs.config.hs_disabled_message,
+                errcode=Codes.RESOURCE_LIMIT_EXCEEDED,
+                admin_uri=self.hs.config.admin_uri,
+                limit_type=self.hs.config.hs_disabled_limit_type
+            )
+        if self.hs.config.limit_usage_by_mau is True:
+            # If the user is already part of the MAU cohort or a trial user
+            if user_id:
+                timestamp = yield self.store.user_last_seen_monthly_active(user_id)
+                if timestamp:
+                    return
+
+                is_trial = yield self.store.is_trial_user(user_id)
+                if is_trial:
+                    return
+            # Else if there is no room in the MAU bucket, bail
+            current_mau = yield self.store.get_monthly_active_count()
+            if current_mau >= self.hs.config.max_mau_value:
+                raise ResourceLimitError(
+                    403, "Monthly Active User Limit Exceeded",
+
+                    admin_uri=self.hs.config.admin_uri,
+                    errcode=Codes.RESOURCE_LIMIT_EXCEEDED,
+                    limit_type="monthly_active_user"
+                )
--- a/synapse/api/constants.py
+++ b/synapse/api/constants.py
@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 # Copyright 2014-2016 OpenMarket Ltd
 # Copyright 2017 Vector Creations Ltd
+# Copyright 2018 New Vector Ltd.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -77,6 +78,7 @@ class EventTypes(object):
    Name = "m.room.name"

    ServerACL = "m.room.server_acl"
+    Pinned = "m.room.pinned_events"


 class RejectedReason(object):
@ -94,3 +96,19 @@ class RoomCreationPreset(object):
 class ThirdPartyEntityKind(object):
    USER = "user"
    LOCATION = "location"
+
+
+class RoomVersions(object):
+    V1 = "1"
+    VDH_TEST = "vdh-test-version"
+
+
+# the version we will give rooms which are created on this server
+DEFAULT_ROOM_VERSION = RoomVersions.V1
+
+# vdh-test-version is a placeholder to get room versioning support working and tested
+# until we have a working v2.
+KNOWN_ROOM_VERSIONS = {RoomVersions.V1, RoomVersions.VDH_TEST}
+
+ServerNoticeMsgType = "m.server_notice"
+ServerNoticeLimitReached = "m.server_notice.usage_limit_reached"
--- a/synapse/api/errors.py
+++ b/synapse/api/errors.py
@ -1,5 +1,6 @@
 # -*- coding: utf-8 -*-
 # Copyright 2014-2016 OpenMarket Ltd
+# Copyright 2018 New Vector Ltd.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -55,7 +56,9 @@ class Codes(object):
    SERVER_NOT_TRUSTED = "M_SERVER_NOT_TRUSTED"
    CONSENT_NOT_GIVEN = "M_CONSENT_NOT_GIVEN"
    CANNOT_LEAVE_SERVER_NOTICE_ROOM = "M_CANNOT_LEAVE_SERVER_NOTICE_ROOM"
-    MAU_LIMIT_EXCEEDED = "M_MAU_LIMIT_EXCEEDED"
+    RESOURCE_LIMIT_EXCEEDED = "M_RESOURCE_LIMIT_EXCEEDED"
+    UNSUPPORTED_ROOM_VERSION = "M_UNSUPPORTED_ROOM_VERSION"
+    INCOMPATIBLE_ROOM_VERSION = "M_INCOMPATIBLE_ROOM_VERSION"
    WRONG_ROOM_KEYS_VERSION = "M_WRONG_ROOM_KEYS_VERSION"


@ -229,6 +232,30 @@ class AuthError(SynapseError):
        super(AuthError, self).__init__(*args, **kwargs)


+class ResourceLimitError(SynapseError):
+    """
+    Any error raised when there is a problem with resource usage.
+    For instance, the monthly active user limit for the server has been exceeded
+    """
+    def __init__(
+        self, code, msg,
+        errcode=Codes.RESOURCE_LIMIT_EXCEEDED,
+        admin_uri=None,
+        limit_type=None,
+    ):
+        self.admin_uri = admin_uri
+        self.limit_type = limit_type
+        super(ResourceLimitError, self).__init__(code, msg, errcode=errcode)
+
+    def error_dict(self):
+        return cs_error(
+            self.msg,
+            self.errcode,
+            admin_uri=self.admin_uri,
+            limit_type=self.limit_type
+        )
+
+
 class EventSizeError(SynapseError):
    """An error raised when an event is too big."""

@ -299,11 +326,24 @@ class RoomKeysVersionError(SynapseError):
        )
        self.current_version = current_version

+class IncompatibleRoomVersionError(SynapseError):
+    """A server is trying to join a room whose version it does not support."""
+
+    def __init__(self, room_version):
+        super(IncompatibleRoomVersionError, self).__init__(
+            code=400,
+            msg="Your homeserver does not support the features required to "
+                "join this room",
+            errcode=Codes.INCOMPATIBLE_ROOM_VERSION,
+        )
+
+        self._room_version = room_version
+
    def error_dict(self):
        return cs_error(
            self.msg,
            self.errcode,
-            current_version=self.current_version,
+            room_version=self.current_version,
        )


--- a/synapse/api/ratelimiting.py
+++ b/synapse/api/ratelimiting.py
@ -72,7 +72,7 @@ class Ratelimiter(object):
        return allowed, time_allowed

    def prune_message_counts(self, time_now_s):
-        for user_id in self.message_counts.keys():
+        for user_id in list(self.message_counts.keys()):
            message_count, time_start, msg_rate_hz = (
                self.message_counts[user_id]
            )