add ip_range_whitelist parameter to limit where ASes can connect from

2024-10-01 01:36:05 -04:00 · 2018-06-28 20:31:53 +01:00 · 2018-06-28 20:31:53 +01:00 · f4f1cda928
commit f4f1cda928
parent 6350bf925e
3 changed files with 19 additions and 2 deletions
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -19,6 +19,7 @@ from six import itervalues

 import pymacaroons
 from twisted.internet import defer
+from netaddr import IPAddress

 import synapse.types
 from synapse import event_auth
@ -244,6 +245,11 @@ class Auth(object):
        if app_service is None:
            defer.returnValue((None, None))

+        if app_service.ip_range_whitelist:
+            ip_address = IPAddress(self.hs.get_ip_from_request(request))
+            if ip_address not in app_service.ip_range_whitelist:
+                defer.returnValue((None, None))
+
        if "user_id" not in request.args:
            defer.returnValue((app_service.sender, app_service))

--- a/synapse/appservice/init.py
+++ b/synapse/appservice/init.py
@ -85,7 +85,8 @@ class ApplicationService(object):
    NS_LIST = [NS_USERS, NS_ALIASES, NS_ROOMS]

    def __init__(self, token, hostname, url=None, namespaces=None, hs_token=None,
-                 sender=None, id=None, protocols=None, rate_limited=True):
+                 sender=None, id=None, protocols=None, rate_limited=True,
+                 ip_range_whitelist=None):
        self.token = token
        self.url = url
        self.hs_token = hs_token
@ -93,6 +94,7 @@ class ApplicationService(object):
        self.server_name = hostname
        self.namespaces = self._check_namespaces(namespaces)
        self.id = id
+        self.ip_range_whitelist = ip_range_whitelist

        if "|" in self.id:
            raise Exception("application service ID cannot contain '|' character")
--- a/synapse/config/appservice.py
+++ b/synapse/config/appservice.py
@ -17,6 +17,8 @@ from ._base import Config, ConfigError
 from synapse.appservice import ApplicationService
 from synapse.types import UserID

+from netaddr import IPSet
+
 import yaml
 import logging

@ -154,6 +156,12 @@ def _load_appservice(hostname, as_info, config_filename):
            " will not receive events or queries.",
            config_filename,
        )
+
+    if as_info.get('ip_range_whitelist'):
+        ip_range_whitelist = IPSet(
+            as_info.get('ip_range_whitelist')
+        )
+
    return ApplicationService(
        token=as_info["as_token"],
        hostname=hostname,
@ -163,5 +171,6 @@ def _load_appservice(hostname, as_info, config_filename):
        sender=user_id,
        id=as_info["id"],
        protocols=protocols,
-        rate_limited=rate_limited
+        rate_limited=rate_limited,
+        ip_range_whitelist=ip_range_whitelist,
    )