Split public rooms directory auth config in two
babolivier committed Jun 24, 2019
1 parent 18f0b69 commit 8487530
Showing 6 changed files with 49 additions and 20 deletions.
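--- a/changelog.d/5534.feature
+++ b/changelog.d/5534.feature
@@ -0,0 +1 @@
+Split public rooms directory auth config in two settings, in order to manage client auth independently from the federation part of it. Obsoletes the "restrict_public_rooms_to_local_users" configuration setting. If "restrict_public_rooms_to_local_users" is set in the config, Synapse will act as if both new options are enabled, i.e. require authentication through the client API and deny federation requests.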
12 changes: 8 additions & 4 deletions docs/sample_config.yaml
Expand Up @@ -77,11 +77,15 @@ pid_file: DATADIR/homeserver.pid
#
#require_auth_for_profile_requests: true

# If set to 'true', requires authentication to access the server's
# public rooms directory through the client API, and forbids any other
# homeserver to fetch it via federation. Defaults to 'false'.
# If set to 'false', requires authentication to access the server's public rooms
# directory through the client API. Defaults to 'true'.
#
#restrict_public_rooms_to_local_users: true
#allow_public_rooms_without_auth: false

# If set to 'false', forbids any other homeserver to fetch the server's public
# rooms directory via federation. Defaults to 'true'.
#
#allow_public_rooms_over_federation: false

# The default room version for newly created rooms.
#
44 changes: 34 additions & 10 deletions synapse/config/server.py
Expand Up @@ -84,12 +84,32 @@ def read_config(self, config):
"require_auth_for_profile_requests", False,
)

# If set to 'True', requires authentication to access the server's
# public rooms directory through the client API, and forbids any other
# homeserver to fetch it via federation.
self.restrict_public_rooms_to_local_users = config.get(
"restrict_public_rooms_to_local_users", False,
)
if "restrict_public_rooms_to_local_users" in config and (
"allow_public_rooms_without_auth" in config
or "allow_public_rooms_over_federation" in config
):
raise ConfigError(
"Can't use 'restrict_public_rooms_to_local_users' if"
" 'allow_public_rooms_without_auth' and/or"
" 'allow_public_rooms_over_federation' is set."
)

# Check if the legacy "restrict_public_rooms_to_local_users" flag is set. This
# flag is now obsolete but we need to check it for backward-compatibility.
if config.get("restrict_public_rooms_to_local_users", False):
self.allow_public_rooms_without_auth = False
self.allow_public_rooms_over_federation = False
else:
# If set to 'False', requires authentication to access the server's public
# rooms directory through the client API. Defaults to 'True'.
self.allow_public_rooms_without_auth = config.get(
"allow_public_rooms_without_auth", True
)
# If set to 'False', forbids any other homeserver to fetch the server's public
# rooms directory via federation. Defaults to 'True'.
self.allow_public_rooms_over_federation = config.get(
"allow_public_rooms_over_federation", True
)

default_room_version = config.get(
"default_room_version", DEFAULT_ROOM_VERSION,
Expand Down Expand Up @@ -407,11 +427,15 @@ def default_config(self, server_name, data_dir_path, **kwargs):
#
#require_auth_for_profile_requests: true
# If set to 'true', requires authentication to access the server's
# public rooms directory through the client API, and forbids any other
# homeserver to fetch it via federation. Defaults to 'false'.
# If set to 'false', requires authentication to access the server's public rooms
# directory through the client API. Defaults to 'true'.
#
#allow_public_rooms_without_auth: false
# If set to 'false', forbids any other homeserver to fetch the server's public
# rooms directory via federation. Defaults to 'true'.
#
#restrict_public_rooms_to_local_users: true
#allow_public_rooms_over_federation: false
# The default room version for newly created rooms.
#
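Review bot: The legacy `restrict_public_rooms_to_local_users` branch in read_config is accepted silently, so an operator still relying on it gets no signal that the setting is obsolete and that its client and federation halves are now controlled by separate keys. A deprecation warning at that branch, e.g. `logger.warning("'restrict_public_rooms_to_local_users' is deprecated; use 'allow_public_rooms_without_auth' and 'allow_public_rooms_over_federation'")`, would make the migration visible in the logs (this assumes a module-level logger exists in the file, which is not visible in the hunk). The ConfigError guard is presence-based, so a legacy key explicitly set to false next to one of the new keys also aborts startup; that is the conservative choice and deserves a word, e.g. `# Refuse mixed legacy/new configuration regardless of the legacy value.` read_config's body begins and continues outside the hunk.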
8 changes: 4 additions & 4 deletions synapse/federation/transport/server.py
Expand Up @@ -720,15 +720,15 @@ class PublicRoomList(BaseFederationServlet):

PATH = "/publicRooms"

def __init__(self, handler, authenticator, ratelimiter, server_name, deny_access):
def __init__(self, handler, authenticator, ratelimiter, server_name, allow_access):
super(PublicRoomList, self).__init__(
handler, authenticator, ratelimiter, server_name,
)
self.deny_access = deny_access
self.allow_access = allow_access

@defer.inlineCallbacks
def on_GET(self, origin, content, query):
if self.deny_access:
if not self.allow_access:
raise FederationDeniedError(origin)

limit = parse_integer_from_args(query, "limit", 0)
Expand Down Expand Up @@ -1455,7 +1455,7 @@ def register_servlets(hs, resource, authenticator, ratelimiter, servlet_groups=N
authenticator=authenticator,
ratelimiter=ratelimiter,
server_name=hs.hostname,
deny_access=hs.config.restrict_public_rooms_to_local_users,
allow_access=hs.config.allow_public_rooms_over_federation,
).register(resource)

if "group_server" in servlet_groups:
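Review bot: `PublicRoomList.__init__` renames its last positional parameter from `deny_access` to `allow_access` and inverts its meaning, so any caller still passing the old flag positionally would have its access check silently flipped; only the keyword call in register_servlets is updated here, so other constructors of this servlet, if any exist, should be checked. A short docstring on `__init__` would help, e.g. `allow_access: when false, every federation request for the public rooms list is rejected with FederationDeniedError.` The check `if not self.allow_access` also denies for None or any other falsy value, which is the safe direction for a misconfiguration.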
2 changes: 1 addition & 1 deletion synapse/rest/client/v1/room.py
Expand Up @@ -320,7 +320,7 @@ def on_GET(self, request):
# Option to allow servers to require auth when accessing
# /publicRooms via CS API. This is especially helpful in private
# federations.
if self.hs.config.restrict_public_rooms_to_local_users:
if not self.hs.config.allow_public_rooms_without_auth:
raise

# We allow people to not be authed if they're just looking at our
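Review bot: The comment above the changed check (`# Option to allow servers to require auth when accessing /publicRooms via CS API`) predates the rename and does not name the setting that now drives it, so an operator tracing an authentication failure cannot grep from here to the config key. Suggest extending it with `# Controlled by allow_public_rooms_without_auth: when false, the auth error is re-raised.` The bare `raise` and the except clause it belongs to start outside the hunk, so which exception is re-raised cannot be confirmed from these lines.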
2 changes: 1 addition & 1 deletion tests/rest/client/v1/test_rooms.py
Expand Up @@ -920,7 +920,7 @@ def make_homeserver(self, reactor, clock):
self.url = b"/_matrix/client/r0/publicRooms"

config = self.default_config()
config["restrict_public_rooms_to_local_users"] = True
config["allow_public_rooms_without_auth"] = False
self.hs = self.setup_test_homeserver(config=config)

return self.hs
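Review bot: The updated test only exercises `allow_public_rooms_without_auth = False`; nothing in this commit covers `allow_public_rooms_over_federation`, the legacy `restrict_public_rooms_to_local_users` compatibility branch, or the new ConfigError raised when legacy and new keys are mixed. Since that legacy branch is what keeps federation denial in place for existing deployments, a test that sets `config["restrict_public_rooms_to_local_users"] = True` and asserts both new config attributes read False would guard against a regression there.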