Merge pull request #5534 from matrix-org/babolivier/federation-publicrooms
Split public rooms directory auth config in two
commit
deb4fe6ef3
1
changelog.d/5534.feature
Normal file
1
changelog.d/5534.feature
Normal file
@ -0,0 +1 @@
|
|||||||
|
Split public rooms directory auth config in two settings, in order to manage client auth independently from the federation part of it. Obsoletes the "restrict_public_rooms_to_local_users" configuration setting. If "restrict_public_rooms_to_local_users" is set in the config, Synapse will act as if both new options are enabled, i.e. require authentication through the client API and deny federation requests.
|
@ -54,11 +54,15 @@ pid_file: DATADIR/homeserver.pid
|
|||||||
#
|
#
|
||||||
#require_auth_for_profile_requests: true
|
#require_auth_for_profile_requests: true
|
||||||
|
|
||||||
# If set to 'true', requires authentication to access the server's
|
# If set to 'false', requires authentication to access the server's public rooms
|
||||||
# public rooms directory through the client API, and forbids any other
|
# directory through the client API. Defaults to 'true'.
|
||||||
# homeserver to fetch it via federation. Defaults to 'false'.
|
|
||||||
#
|
#
|
||||||
#restrict_public_rooms_to_local_users: true
|
#allow_public_rooms_without_auth: false
|
||||||
|
|
||||||
|
# If set to 'false', forbids any other homeserver to fetch the server's public
|
||||||
|
# rooms directory via federation. Defaults to 'true'.
|
||||||
|
#
|
||||||
|
#allow_public_rooms_over_federation: false
|
||||||
|
|
||||||
# The default room version for newly created rooms.
|
# The default room version for newly created rooms.
|
||||||
#
|
#
|
||||||
|
@ -82,11 +82,31 @@ class ServerConfig(Config):
|
|||||||
"require_auth_for_profile_requests", False
|
"require_auth_for_profile_requests", False
|
||||||
)
|
)
|
||||||
|
|
||||||
# If set to 'True', requires authentication to access the server's
|
if "restrict_public_rooms_to_local_users" in config and (
|
||||||
# public rooms directory through the client API, and forbids any other
|
"allow_public_rooms_without_auth" in config
|
||||||
# homeserver to fetch it via federation.
|
or "allow_public_rooms_over_federation" in config
|
||||||
self.restrict_public_rooms_to_local_users = config.get(
|
):
|
||||||
"restrict_public_rooms_to_local_users", False
|
raise ConfigError(
|
||||||
|
"Can't use 'restrict_public_rooms_to_local_users' if"
|
||||||
|
" 'allow_public_rooms_without_auth' and/or"
|
||||||
|
" 'allow_public_rooms_over_federation' is set."
|
||||||
|
)
|
||||||
|
|
||||||
|
# Check if the legacy "restrict_public_rooms_to_local_users" flag is set. This
|
||||||
|
# flag is now obsolete but we need to check it for backward-compatibility.
|
||||||
|
if config.get("restrict_public_rooms_to_local_users", False):
|
||||||
|
self.allow_public_rooms_without_auth = False
|
||||||
|
self.allow_public_rooms_over_federation = False
|
||||||
|
else:
|
||||||
|
# If set to 'False', requires authentication to access the server's public
|
||||||
|
# rooms directory through the client API. Defaults to 'True'.
|
||||||
|
self.allow_public_rooms_without_auth = config.get(
|
||||||
|
"allow_public_rooms_without_auth", True
|
||||||
|
)
|
||||||
|
# If set to 'False', forbids any other homeserver to fetch the server's public
|
||||||
|
# rooms directory via federation. Defaults to 'True'.
|
||||||
|
self.allow_public_rooms_over_federation = config.get(
|
||||||
|
"allow_public_rooms_over_federation", True
|
||||||
)
|
)
|
||||||
|
|
||||||
default_room_version = config.get("default_room_version", DEFAULT_ROOM_VERSION)
|
default_room_version = config.get("default_room_version", DEFAULT_ROOM_VERSION)
|
||||||
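Review bot: The two new options are read with `config.get(..., True)` in the `else` branch and never checked to be booleans, while every consumer tests them with `if not ...`, so a non-boolean value such as the quoted string "false" is truthy and leaves the public rooms directory open. Under the old flag the checks were `if self.deny_access:` and `if self.hs.config.restrict_public_rooms_to_local_users:`, where the same kind of malformed value failed towards restriction, so the inversion changes the failure mode from closed to open. I would validate right after each read, e.g. `if not isinstance(self.allow_public_rooms_without_auth, bool): raise ConfigError("'allow_public_rooms_without_auth' must be true or false")`, and the same for `allow_public_rooms_over_federation`. This also covers `if not self.allow_access` in `PublicRoomList.on_GET` and `if not self.hs.config.allow_public_rooms_without_auth` in `PublicRoomListRestServlet`. The enclosing config-reading function starts and ends outside this hunk.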
@ -366,11 +386,15 @@ class ServerConfig(Config):
|
|||||||
#
|
#
|
||||||
#require_auth_for_profile_requests: true
|
#require_auth_for_profile_requests: true
|
||||||
|
|
||||||
# If set to 'true', requires authentication to access the server's
|
# If set to 'false', requires authentication to access the server's public rooms
|
||||||
# public rooms directory through the client API, and forbids any other
|
# directory through the client API. Defaults to 'true'.
|
||||||
# homeserver to fetch it via federation. Defaults to 'false'.
|
|
||||||
#
|
#
|
||||||
#restrict_public_rooms_to_local_users: true
|
#allow_public_rooms_without_auth: false
|
||||||
|
|
||||||
|
# If set to 'false', forbids any other homeserver to fetch the server's public
|
||||||
|
# rooms directory via federation. Defaults to 'true'.
|
||||||
|
#
|
||||||
|
#allow_public_rooms_over_federation: false
|
||||||
|
|
||||||
# The default room version for newly created rooms.
|
# The default room version for newly created rooms.
|
||||||
#
|
#
|
||||||
|
@ -721,15 +721,15 @@ class PublicRoomList(BaseFederationServlet):
|
|||||||
|
|
||||||
PATH = "/publicRooms"
|
PATH = "/publicRooms"
|
||||||
|
|
||||||
def __init__(self, handler, authenticator, ratelimiter, server_name, deny_access):
|
def __init__(self, handler, authenticator, ratelimiter, server_name, allow_access):
|
||||||
super(PublicRoomList, self).__init__(
|
super(PublicRoomList, self).__init__(
|
||||||
handler, authenticator, ratelimiter, server_name
|
handler, authenticator, ratelimiter, server_name
|
||||||
)
|
)
|
||||||
self.deny_access = deny_access
|
self.allow_access = allow_access
|
||||||
|
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
def on_GET(self, origin, content, query):
|
def on_GET(self, origin, content, query):
|
||||||
if self.deny_access:
|
if not self.allow_access:
|
||||||
raise FederationDeniedError(origin)
|
raise FederationDeniedError(origin)
|
||||||
|
|
||||||
limit = parse_integer_from_args(query, "limit", 0)
|
limit = parse_integer_from_args(query, "limit", 0)
|
||||||
@ -1436,7 +1436,7 @@ def register_servlets(hs, resource, authenticator, ratelimiter, servlet_groups=N
|
|||||||
authenticator=authenticator,
|
authenticator=authenticator,
|
||||||
ratelimiter=ratelimiter,
|
ratelimiter=ratelimiter,
|
||||||
server_name=hs.hostname,
|
server_name=hs.hostname,
|
||||||
deny_access=hs.config.restrict_public_rooms_to_local_users,
|
allow_access=hs.config.allow_public_rooms_over_federation,
|
||||||
).register(resource)
|
).register(resource)
|
||||||
|
|
||||||
if "group_server" in servlet_groups:
|
if "group_server" in servlet_groups:
|
||||||
|
@ -311,7 +311,7 @@ class PublicRoomListRestServlet(TransactionRestServlet):
|
|||||||
# Option to allow servers to require auth when accessing
|
# Option to allow servers to require auth when accessing
|
||||||
# /publicRooms via CS API. This is especially helpful in private
|
# /publicRooms via CS API. This is especially helpful in private
|
||||||
# federations.
|
# federations.
|
||||||
if self.hs.config.restrict_public_rooms_to_local_users:
|
if not self.hs.config.allow_public_rooms_without_auth:
|
||||||
raise
|
raise
|
||||||
|
|
||||||
# We allow people to not be authed if they're just looking at our
|
# We allow people to not be authed if they're just looking at our
|
||||||
|
@ -920,7 +920,7 @@ class PublicRoomsRestrictedTestCase(unittest.HomeserverTestCase):
|
|||||||
self.url = b"/_matrix/client/r0/publicRooms"
|
self.url = b"/_matrix/client/r0/publicRooms"
|
||||||
|
|
||||||
config = self.default_config()
|
config = self.default_config()
|
||||||
config["restrict_public_rooms_to_local_users"] = True
|
config["allow_public_rooms_without_auth"] = False
|
||||||
self.hs = self.setup_test_homeserver(config=config)
|
self.hs = self.setup_test_homeserver(config=config)
|
||||||
|
|
||||||
return self.hs
|
return self.hs
|
||||||
|
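Review bot: Only the new `allow_public_rooms_without_auth` key is exercised here, because the assignment is replaced rather than a case added. In the hunks shown that leaves three paths without a visible test: the legacy `restrict_public_rooms_to_local_users` mapping, the `ConfigError` raised when old and new keys are combined, and `allow_public_rooms_over_federation = False`. Those branches decide whether the room directory is exposed, so I would keep a legacy case next to this one, setting `config["restrict_public_rooms_to_local_users"] = True` and asserting that the unauthenticated request is still refused. A federation-side case that expects `FederationDeniedError` when the federation option is false would cover the other half. The enclosing method starts and ends outside the hunk.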