Add federation_domain_whitelist option (#2820)

Add federation_domain_whitelist gives a way to restrict which domains your HS is allowed to federate with. useful mainly for gracefully preventing a private but internet-connected HS from trying to federate to the wider public Matrix network
2025-05-02 12:26:02 -04:00 · 2018-01-22 19:11:18 +01:00 · 2018-01-22 19:11:18 +01:00 · ab9f844aaf
commit ab9f844aaf
parent d84f65255e
14 changed files with 146 additions and 7 deletions
--- a/synapse/http/matrixfederationclient.py
+++ b/synapse/http/matrixfederationclient.py
@ -27,7 +27,7 @@ import synapse.metrics
 from canonicaljson import encode_canonical_json

 from synapse.api.errors import (
-    SynapseError, Codes, HttpResponseException,
+    SynapseError, Codes, HttpResponseException, FederationDeniedError,
 )

 from signedjson.sign import sign_json
@ -123,11 +123,22 @@ class MatrixFederationHttpClient(object):

            Fails with ``HTTPRequestException``: if we get an HTTP response
                code >= 300.
+
            Fails with ``NotRetryingDestination`` if we are not yet ready
                to retry this server.
+
+            Fails with ``FederationDeniedError`` if this destination
+                is not on our federation whitelist
+
            (May also fail with plenty of other Exceptions for things like DNS
                failures, connection failures, SSL failures.)
        """
+        if (
+            self.hs.config.federation_domain_whitelist and
+            destination not in self.hs.config.federation_domain_whitelist
+        ):
+            raise FederationDeniedError(destination)
+
        limiter = yield synapse.util.retryutils.get_retry_limiter(
            destination,
            self.clock,
@ -308,6 +319,9 @@ class MatrixFederationHttpClient(object):

            Fails with ``NotRetryingDestination`` if we are not yet ready
            to retry this server.
+
+            Fails with ``FederationDeniedError`` if this destination
+            is not on our federation whitelist
        """

        if not json_data_callback:
@ -368,6 +382,9 @@ class MatrixFederationHttpClient(object):

            Fails with ``NotRetryingDestination`` if we are not yet ready
            to retry this server.
+
+            Fails with ``FederationDeniedError`` if this destination
+            is not on our federation whitelist
        """

        def body_callback(method, url_bytes, headers_dict):
@ -422,6 +439,9 @@ class MatrixFederationHttpClient(object):

            Fails with ``NotRetryingDestination`` if we are not yet ready
            to retry this server.
+
+            Fails with ``FederationDeniedError`` if this destination
+            is not on our federation whitelist
        """
        logger.debug("get_json args: %s", args)

@ -475,6 +495,9 @@ class MatrixFederationHttpClient(object):

            Fails with ``NotRetryingDestination`` if we are not yet ready
            to retry this server.
+
+            Fails with ``FederationDeniedError`` if this destination
+            is not on our federation whitelist
        """

        response = yield self._request(
@ -518,6 +541,9 @@ class MatrixFederationHttpClient(object):

            Fails with ``NotRetryingDestination`` if we are not yet ready
            to retry this server.
+
+            Fails with ``FederationDeniedError`` if this destination
+            is not on our federation whitelist
        """

        encoded_args = {}