mirror of
https://forgejo.ellis.link/continuwuation/continuwuity/
synced 2026-07-11 15:08:55 +00:00
Compare commits
43 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 319e1a2ac1 | |||
| 4c693b597f | |||
| 86d87f6aea | |||
| efc35dd317 | |||
| 251e61c460 | |||
| ab1790da2e | |||
| bf4d48c6db | |||
| cec9f11d47 | |||
| 8a6619afa8 | |||
| eff2919d8c | |||
| b19136fdef | |||
| befe4191b0 | |||
| eff6287b67 | |||
| ff81358272 | |||
| f0e4d6f008 | |||
| 1ccba7400c | |||
| 081f865705 | |||
| 0d6608a2f8 | |||
| abf96140b2 | |||
| 35fb56aafd | |||
| 03bde0e5fa | |||
| 5e306f160a | |||
| fb2eedd5fd | |||
| a76c5c95aa | |||
| 7f83ec3883 | |||
| 9b14ab4c0b | |||
| b915692ae1 | |||
| bed80964fd | |||
| bc7e3185ef | |||
| 7082914d7d | |||
| 8fb14f666f | |||
| 8b6a176901 | |||
| 2e1015846d | |||
| 5d2e840859 | |||
| 2fabf18451 | |||
| 63a26141f8 | |||
| cc1f667c2b | |||
| 89dcda4c3c | |||
| 62730e861a | |||
| 68d018bd37 | |||
| 959370169a | |||
| f71f6e922c | |||
| ce185aff13 |
@@ -74,6 +74,7 @@ jobs:
|
||||
CARGO_INCREMENTAL=${{ env.BUILDKIT_ENDPOINT != '' && '1' || '0' }}
|
||||
TARGET_CPU=
|
||||
RUST_PROFILE=release
|
||||
CARGO_FEATURES=default
|
||||
platforms: ${{ matrix.platform }}
|
||||
labels: ${{ steps.prepare.outputs.metadata_labels }}
|
||||
annotations: ${{ steps.prepare.outputs.metadata_annotations }}
|
||||
@@ -161,6 +162,7 @@ jobs:
|
||||
CARGO_INCREMENTAL=${{ env.BUILDKIT_ENDPOINT != '' && '1' || '0' }}
|
||||
TARGET_CPU=${{ matrix.target_cpu }}
|
||||
RUST_PROFILE=release-max-perf
|
||||
CARGO_FEATURES=default,release_max_log_level
|
||||
platforms: ${{ matrix.platform }}
|
||||
labels: ${{ steps.prepare.outputs.metadata_labels }}
|
||||
annotations: ${{ steps.prepare.outputs.metadata_annotations }}
|
||||
|
||||
@@ -1,3 +1,69 @@
|
||||
# Continuwuity 26.6.0 (2026-07-10)
|
||||
|
||||
## Features
|
||||
|
||||
- Added support for linking an external identity provider with OIDC. Contributed by @ginger. (#765)
|
||||
- Updated [MSC4284: Policy Servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) implementation to support the newly stabilised proposal. Contributed by @nex. (#1487)
|
||||
- Added config option for default room ACLs. Contributed by @eve. (#1691)
|
||||
- Added support for fallback encryption keys. (#1710)
|
||||
- Add `!admin users reject-all-invites` to clean invite spam (#1741)
|
||||
- Implemented event rejection, which should resolve and prevent future netsplits of the kinds observed
|
||||
within some Continuwuity rooms.
|
||||
Also resolved several bugs related to both soft-failing events, and event backfilling, which should
|
||||
improve state resolution stability.
|
||||
The `!admin debug get-pdu` command was updated to disambiguate event acceptance status, and
|
||||
`!admin debug show-auth-chain` was added to visually display event auth chains, which may assist
|
||||
developers in debugging strangely complex events.
|
||||
|
||||
Contributed by @nex. (#1747)
|
||||
- Added full support for [MSC4168: Update `m.space.*` state on room upgrade](https://github.com/matrix-org/matrix-spec-proposals/pull/4168). Contributed by @nex. (#1807)
|
||||
- Improved the performance and reliability of fetching missing events, improving network partition recovery. Contributed
|
||||
by @nex. (#1818)
|
||||
- Added static builds using Nix, allowing for Continuwuity on musl. During this, we also introduced a `max-perf-haswell` package, separating it from `max-perf`, so you may want to swap to this if you are on NixOS. Contributed by @Henry-Hiles (QuadRadical). (#1853)
|
||||
- Added support for MSC4380 invite blocking, which has become part of the Matrix specification in v1.18. Contributed by @nex. (#1875)
|
||||
- Added `!admin debug get-state-at` command (#1877)
|
||||
- Added a configuration option to allow choosing a client IP source that is not the TCP connecting IP. Contributed by @nex. (#1931)
|
||||
- Added support for MSC4466, which allows clients to customize how changes to a user's global profile are propagated. Contributed by @ginger.
|
||||
- Added support for Matrix 1.16's `state_after` feature, allowing clients which understand it to sync room state changes more reliably. Contributed by @ginger.
|
||||
- Added support for authenticating clients using the new OAuth 2.0 login API. Contributed by @ginger.
|
||||
- Appservice device management as outlined in MSC4190 (part of Matrix 1.17) is now fully supported. Contributed by @ginger.
|
||||
- Users may now be forbidden from deactivating their own accounts with the new `allow_deactivation` config option. Contributed by @ginger.
|
||||
|
||||
## Bugfixes
|
||||
|
||||
- Adjusted legacy sync logic to allow the `roomsynctoken_shortstatehash` database column to be dropped, massively reducing database sizes, especially for old deployments. Contributed by @ginger. (#917)
|
||||
- Fixed a bug that caused the server to drop events during processing if several events for the same room were sent in a singular transaction. Contributed by @nex. (#1711)
|
||||
- fix `!admin query account-data account-data-get` not returning the content (#1742)
|
||||
- Fixed an issue where Continuwuity would only advertise support for the unstable endpoint for Mutual Rooms (MSC2666), despite only supporting the stable endpoint. Contributed by @Henry-Hiles (QuadRadical) (#1752)
|
||||
- Fixed admin commands being ignored when they had leading whitespace before admin commands. Contributed by @kitvonsnookerz. (#1804)
|
||||
- Fixed several bugs in the `POST /_matrix/client/v3/rooms/{roomId}/upgrade` endpoint. Contributed by @nex. (#1807)
|
||||
- Devices which set their presence as "offline" will no longer be considered for presence updates. Contributed by @timedout.
|
||||
- Improved invite and join reliability in clients using legacy sync. Contributed by @ginger
|
||||
- The invite recipient's membership event is now included in invite stripped state, which should fix flaky invite display in some clients. Contributed by @ginger
|
||||
|
||||
## Improved Documentation
|
||||
|
||||
- Add performance tuning documentation. Contributed by @stratself. (#1498)
|
||||
- Explain accessing Continuwuity's server console when deployed via Docker. (#1671)
|
||||
- Clarified in the config that `max_request_size` affects federated media as well. (#1706)
|
||||
- Added example configuration using caddy-docker-proxy in the livekit setup section of the docs. Contributed by @Cease (#1762)
|
||||
- Updated deployment docs to account for new RPM package availability across more distros. Contributed by @julian45. (#1912)
|
||||
|
||||
## Deprecations and Removals
|
||||
|
||||
- Removed support for LDAP. (#1701)
|
||||
- Removed support for guest user registration, a little-used and deprecated approach to room previews.
|
||||
- Removed the `/_conduwuit/` versions of the `local_user_count` and `version` routes. These routes are still accessible under the `/_continuwuity` prefix.
|
||||
- Support for server-side blurhashing (part of MSC2448) has been removed.
|
||||
- The deprecated `well_known.rtc_focus_server_urls` config option has been removed. MatrixRTC foci should be configured using the `matrix_rtc.foci` config option.
|
||||
|
||||
## Misc
|
||||
|
||||
- #1505, #1829, #1927, #1933, #1934
|
||||
- Switched from Continuwuity's fork of Ruma back to upstream Ruma. Contributed by @ginger.
|
||||
- The version of Debian that the Docker-based build process uses has been upgraded from Bookworm to Trixie, meaning that standalone binaries now have a minimum glibc of 2.41, and can no longer be used on distro versions from before 2025-01-30
|
||||
|
||||
|
||||
# Continuwuity 0.5.8 (2026-04-24)
|
||||
|
||||
## Features
|
||||
|
||||
Generated
+26
-25
@@ -826,7 +826,7 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "conduwuit"
|
||||
version = "26.6.0-rc.1"
|
||||
version = "26.6.0"
|
||||
dependencies = [
|
||||
"aws-lc-rs",
|
||||
"clap",
|
||||
@@ -864,7 +864,7 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "conduwuit_admin"
|
||||
version = "26.6.0-rc.1"
|
||||
version = "26.6.0"
|
||||
dependencies = [
|
||||
"assign",
|
||||
"clap",
|
||||
@@ -890,7 +890,7 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "conduwuit_api"
|
||||
version = "26.6.0-rc.1"
|
||||
version = "26.6.0"
|
||||
dependencies = [
|
||||
"assign",
|
||||
"async-trait",
|
||||
@@ -928,7 +928,7 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "conduwuit_build_metadata"
|
||||
version = "26.6.0-rc.1"
|
||||
version = "26.6.0"
|
||||
dependencies = [
|
||||
"built",
|
||||
"cargo_metadata",
|
||||
@@ -936,7 +936,7 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "conduwuit_core"
|
||||
version = "26.6.0-rc.1"
|
||||
version = "26.6.0"
|
||||
dependencies = [
|
||||
"argon2",
|
||||
"arrayvec",
|
||||
@@ -1004,7 +1004,7 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "conduwuit_database"
|
||||
version = "26.6.0-rc.1"
|
||||
version = "26.6.0"
|
||||
dependencies = [
|
||||
"async-channel",
|
||||
"conduwuit_core",
|
||||
@@ -1025,7 +1025,7 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "conduwuit_macros"
|
||||
version = "26.6.0-rc.1"
|
||||
version = "26.6.0"
|
||||
dependencies = [
|
||||
"cargo_toml",
|
||||
"itertools 0.15.0",
|
||||
@@ -1036,7 +1036,7 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "conduwuit_router"
|
||||
version = "26.6.0-rc.1"
|
||||
version = "26.6.0"
|
||||
dependencies = [
|
||||
"assign",
|
||||
"axum",
|
||||
@@ -1074,7 +1074,7 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "conduwuit_service"
|
||||
version = "26.6.0-rc.1"
|
||||
version = "26.6.0"
|
||||
dependencies = [
|
||||
"askama",
|
||||
"assign",
|
||||
@@ -1126,7 +1126,7 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "conduwuit_web"
|
||||
version = "26.6.0-rc.1"
|
||||
version = "26.6.0"
|
||||
dependencies = [
|
||||
"askama",
|
||||
"assign",
|
||||
@@ -4539,9 +4539,9 @@ checksum = "1e061d1b48cb8d38042de4ae0a7a6401009d6143dc80d2e2d6f31f0bdd6470c7"
|
||||
|
||||
[[package]]
|
||||
name = "resolvematrix"
|
||||
version = "1.0.0"
|
||||
version = "1.1.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "3121df844d2f59c801c703af7200b8dab5d1c04c5032cd57fa9347440346fe87"
|
||||
checksum = "a574e37f06e219dcfdb14a4f0abf56e806c4551e030aae53802d2c42b29aea33"
|
||||
dependencies = [
|
||||
"futures",
|
||||
"hickory-resolver",
|
||||
@@ -4601,7 +4601,7 @@ dependencies = [
|
||||
[[package]]
|
||||
name = "ruma"
|
||||
version = "0.16.0"
|
||||
source = "git+https://github.com/ruma/ruma.git?rev=fca1dbc060f730c1aaf84c9c2fb1e8a587455be8#fca1dbc060f730c1aaf84c9c2fb1e8a587455be8"
|
||||
source = "git+https://github.com/gingershaped/ruwuma.git?rev=0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff#0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff"
|
||||
dependencies = [
|
||||
"assign",
|
||||
"js_int",
|
||||
@@ -4620,8 +4620,9 @@ dependencies = [
|
||||
[[package]]
|
||||
name = "ruma-appservice-api"
|
||||
version = "0.16.0"
|
||||
source = "git+https://github.com/ruma/ruma.git?rev=fca1dbc060f730c1aaf84c9c2fb1e8a587455be8#fca1dbc060f730c1aaf84c9c2fb1e8a587455be8"
|
||||
source = "git+https://github.com/gingershaped/ruwuma.git?rev=0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff#0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff"
|
||||
dependencies = [
|
||||
"http",
|
||||
"js_int",
|
||||
"ruma-common",
|
||||
"ruma-events",
|
||||
@@ -4632,7 +4633,7 @@ dependencies = [
|
||||
[[package]]
|
||||
name = "ruma-client-api"
|
||||
version = "0.24.0"
|
||||
source = "git+https://github.com/ruma/ruma.git?rev=fca1dbc060f730c1aaf84c9c2fb1e8a587455be8#fca1dbc060f730c1aaf84c9c2fb1e8a587455be8"
|
||||
source = "git+https://github.com/gingershaped/ruwuma.git?rev=0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff#0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff"
|
||||
dependencies = [
|
||||
"as_variant",
|
||||
"assign",
|
||||
@@ -4654,7 +4655,7 @@ dependencies = [
|
||||
[[package]]
|
||||
name = "ruma-common"
|
||||
version = "0.19.0"
|
||||
source = "git+https://github.com/ruma/ruma.git?rev=fca1dbc060f730c1aaf84c9c2fb1e8a587455be8#fca1dbc060f730c1aaf84c9c2fb1e8a587455be8"
|
||||
source = "git+https://github.com/gingershaped/ruwuma.git?rev=0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff#0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff"
|
||||
dependencies = [
|
||||
"as_variant",
|
||||
"base64 0.22.1",
|
||||
@@ -4687,7 +4688,7 @@ dependencies = [
|
||||
[[package]]
|
||||
name = "ruma-events"
|
||||
version = "0.34.0"
|
||||
source = "git+https://github.com/ruma/ruma.git?rev=fca1dbc060f730c1aaf84c9c2fb1e8a587455be8#fca1dbc060f730c1aaf84c9c2fb1e8a587455be8"
|
||||
source = "git+https://github.com/gingershaped/ruwuma.git?rev=0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff#0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff"
|
||||
dependencies = [
|
||||
"as_variant",
|
||||
"indexmap 2.14.0",
|
||||
@@ -4708,7 +4709,7 @@ dependencies = [
|
||||
[[package]]
|
||||
name = "ruma-federation-api"
|
||||
version = "0.15.0"
|
||||
source = "git+https://github.com/ruma/ruma.git?rev=fca1dbc060f730c1aaf84c9c2fb1e8a587455be8#fca1dbc060f730c1aaf84c9c2fb1e8a587455be8"
|
||||
source = "git+https://github.com/gingershaped/ruwuma.git?rev=0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff#0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff"
|
||||
dependencies = [
|
||||
"bytes",
|
||||
"headers",
|
||||
@@ -4731,7 +4732,7 @@ dependencies = [
|
||||
[[package]]
|
||||
name = "ruma-identifiers-validation"
|
||||
version = "0.12.1"
|
||||
source = "git+https://github.com/ruma/ruma.git?rev=fca1dbc060f730c1aaf84c9c2fb1e8a587455be8#fca1dbc060f730c1aaf84c9c2fb1e8a587455be8"
|
||||
source = "git+https://github.com/gingershaped/ruwuma.git?rev=0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff#0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff"
|
||||
dependencies = [
|
||||
"js_int",
|
||||
"thiserror 2.0.18",
|
||||
@@ -4740,7 +4741,7 @@ dependencies = [
|
||||
[[package]]
|
||||
name = "ruma-macros"
|
||||
version = "0.19.0"
|
||||
source = "git+https://github.com/ruma/ruma.git?rev=fca1dbc060f730c1aaf84c9c2fb1e8a587455be8#fca1dbc060f730c1aaf84c9c2fb1e8a587455be8"
|
||||
source = "git+https://github.com/gingershaped/ruwuma.git?rev=0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff#0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff"
|
||||
dependencies = [
|
||||
"as_variant",
|
||||
"cfg-if",
|
||||
@@ -4756,7 +4757,7 @@ dependencies = [
|
||||
[[package]]
|
||||
name = "ruma-push-gateway-api"
|
||||
version = "0.15.0"
|
||||
source = "git+https://github.com/ruma/ruma.git?rev=fca1dbc060f730c1aaf84c9c2fb1e8a587455be8#fca1dbc060f730c1aaf84c9c2fb1e8a587455be8"
|
||||
source = "git+https://github.com/gingershaped/ruwuma.git?rev=0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff#0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff"
|
||||
dependencies = [
|
||||
"js_int",
|
||||
"ruma-common",
|
||||
@@ -4768,7 +4769,7 @@ dependencies = [
|
||||
[[package]]
|
||||
name = "ruma-signatures"
|
||||
version = "0.21.0"
|
||||
source = "git+https://github.com/ruma/ruma.git?rev=fca1dbc060f730c1aaf84c9c2fb1e8a587455be8#fca1dbc060f730c1aaf84c9c2fb1e8a587455be8"
|
||||
source = "git+https://github.com/gingershaped/ruwuma.git?rev=0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff#0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff"
|
||||
dependencies = [
|
||||
"base64 0.22.1",
|
||||
"ed25519-dalek",
|
||||
@@ -4785,7 +4786,7 @@ dependencies = [
|
||||
[[package]]
|
||||
name = "ruma-state-res"
|
||||
version = "0.17.0"
|
||||
source = "git+https://github.com/ruma/ruma.git?rev=fca1dbc060f730c1aaf84c9c2fb1e8a587455be8#fca1dbc060f730c1aaf84c9c2fb1e8a587455be8"
|
||||
source = "git+https://github.com/gingershaped/ruwuma.git?rev=0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff#0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff"
|
||||
dependencies = [
|
||||
"js_int",
|
||||
"ruma-common",
|
||||
@@ -4799,7 +4800,7 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "ruminuwuity"
|
||||
version = "26.6.0-rc.1"
|
||||
version = "26.6.0"
|
||||
dependencies = [
|
||||
"assign",
|
||||
"ruma",
|
||||
@@ -6972,7 +6973,7 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "xtask"
|
||||
version = "26.6.0-rc.1"
|
||||
version = "26.6.0"
|
||||
dependencies = [
|
||||
"askama",
|
||||
"cargo_metadata",
|
||||
|
||||
+5
-4
@@ -12,7 +12,7 @@ license = "Apache-2.0"
|
||||
# See also `rust-toolchain.toml`
|
||||
readme = "README.md"
|
||||
repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
|
||||
version = "26.6.0-rc.1"
|
||||
version = "26.6.0"
|
||||
|
||||
[workspace.metadata.crane]
|
||||
name = "conduwuit"
|
||||
@@ -349,8 +349,8 @@ version = "1.1.1"
|
||||
# Used for matrix spec type definitions and helpers
|
||||
[workspace.dependencies.ruma]
|
||||
# version = "0.14.1"
|
||||
git = "https://github.com/ruma/ruma.git"
|
||||
rev = "fca1dbc060f730c1aaf84c9c2fb1e8a587455be8"
|
||||
git = "https://github.com/gingershaped/ruwuma.git"
|
||||
rev = "0713b97ed53b7cb5e639f5e2f067c0fe6ac525ff"
|
||||
features = [
|
||||
"appservice-api-c",
|
||||
"client-api",
|
||||
@@ -386,6 +386,7 @@ features = [
|
||||
"unstable-msc4406",
|
||||
"unstable-msc4439",
|
||||
"unstable-msc4466",
|
||||
"unstable-msc4484",
|
||||
"unstable-extensible-events",
|
||||
]
|
||||
|
||||
@@ -570,7 +571,7 @@ features = ["std"]
|
||||
version = "0.3.0"
|
||||
|
||||
[workspace.dependencies.resolvematrix]
|
||||
version = "1.0.0"
|
||||
version = "1.1.0"
|
||||
|
||||
[workspace.dependencies.serde_urlencoded]
|
||||
version = "0.7.1"
|
||||
|
||||
@@ -1 +0,0 @@
|
||||
Appservice device management as outlined in MSC4190 (part of Matrix 1.17) is now fully supported. Contributed by @ginger.
|
||||
@@ -1 +0,0 @@
|
||||
Improved invite and join reliability in clients using legacy sync. Contributed by @ginger
|
||||
@@ -1 +0,0 @@
|
||||
Removed the `/_conduwuit/` versions of the `local_user_count` and `version` routes. These routes are still accessible under the `/_continuwuity` prefix.
|
||||
@@ -1 +0,0 @@
|
||||
The invite recipient's membership event is now included in invite stripped state, which should fix flaky invite display in some clients. Contributed by @ginger
|
||||
@@ -1 +0,0 @@
|
||||
Switched from Continuwuity's fork of Ruma back to upstream Ruma. Contributed by @ginger.
|
||||
@@ -1 +0,0 @@
|
||||
Users may now be forbidden from deactivating their own accounts with the new `allow_deactivation` config option. Contributed by @ginger.
|
||||
@@ -1 +0,0 @@
|
||||
Added support for Matrix 1.16's `state_after` feature, allowing clients which understand it to sync room state changes more reliably. Contributed by @ginger.
|
||||
@@ -1 +0,0 @@
|
||||
Added support for authenticating clients using the new OAuth 2.0 login API. Contributed by @ginger.
|
||||
@@ -1 +0,0 @@
|
||||
Added support for MSC4466, which allows clients to customize how changes to a user's global profile are propagated. Contributed by @ginger.
|
||||
@@ -1 +0,0 @@
|
||||
Devices which set their presence as "offline" will no longer be considered for presence updates. Contributed by @timedout.
|
||||
@@ -1 +0,0 @@
|
||||
Removed support for guest user registration, a little-used and deprecated approach to room previews.
|
||||
@@ -1 +0,0 @@
|
||||
The deprecated `well_known.rtc_focus_server_urls` config option has been removed. MatrixRTC foci should be configured using the `matrix_rtc.foci` config option.
|
||||
@@ -1 +0,0 @@
|
||||
The version of Debian that the Docker-based build process uses has been upgraded from Bookworm to Trixie, meaning that standalone binaries now have a minimum glibc of 2.41, and can no longer be used on distro versions from before 2025-01-30
|
||||
@@ -1 +0,0 @@
|
||||
Support for server-side blurhashing (part of MSC2448) has been removed.
|
||||
@@ -1 +0,0 @@
|
||||
Updated [MSC4284: Policy Servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) implementation to support the newly stabilised proposal. Contributed by @nex.
|
||||
@@ -1 +0,0 @@
|
||||
Add performance tuning documentation. Contributed by @stratself.
|
||||
@@ -1 +0,0 @@
|
||||
Rewrite the resolver service to use [resolvematrix](https://forgejo.ellis.link/continuwuation/resolvematrix) for server resolution. Rewrite by @s1lv3r, crate by @Jade
|
||||
@@ -1 +0,0 @@
|
||||
Explain accessing Continuwuity's server console when deployed via Docker.
|
||||
@@ -1 +0,0 @@
|
||||
Added config option for default room ACLs. Contributed by @eve.
|
||||
@@ -1 +0,0 @@
|
||||
Removed support for LDAP.
|
||||
@@ -1 +0,0 @@
|
||||
Clarified in the config that `max_request_size` affects federated media as well.
|
||||
@@ -1 +0,0 @@
|
||||
Added support for fallback encryption keys.
|
||||
@@ -1 +0,0 @@
|
||||
Fixed a bug that caused the server to drop events during processing if several events for the same room were sent in a singular transaction. Contributed by @nex.
|
||||
@@ -1 +0,0 @@
|
||||
Add `!admin users reject-all-invites` to clean invite spam
|
||||
@@ -1 +0,0 @@
|
||||
fix `!admin query account-data account-data-get` not returning the content
|
||||
@@ -1,9 +0,0 @@
|
||||
Implemented event rejection, which should resolve and prevent future netsplits of the kinds observed
|
||||
within some Continuwuity rooms.
|
||||
Also resolved several bugs related to both soft-failing events, and event backfilling, which should
|
||||
improve state resolution stability.
|
||||
The `!admin debug get-pdu` command was updated to disambiguate event acceptance status, and
|
||||
`!admin debug show-auth-chain` was added to visually display event auth chains, which may assist
|
||||
developers in debugging strangely complex events.
|
||||
|
||||
Contributed by @nex.
|
||||
@@ -1 +0,0 @@
|
||||
Fixed an issue where Continuwuity would only advertise support for the unstable endpoint for Mutual Rooms (MSC2666), despite only supporting the stable endpoint. Contributed by @Henry-Hiles (QuadRadical)
|
||||
@@ -1 +0,0 @@
|
||||
Added example configuration using caddy-docker-proxy in the livekit setup section of the docs. Contributed by @Cease
|
||||
@@ -1 +0,0 @@
|
||||
Fixed admin commands being ignored when they had leading whitespace before admin commands. Contributed by @kitvonsnookerz.
|
||||
@@ -1 +0,0 @@
|
||||
Fixed several bugs in the `POST /_matrix/client/v3/rooms/{roomId}/upgrade` endpoint. Contributed by @nex.
|
||||
@@ -1 +0,0 @@
|
||||
Added full support for [MSC4168: Update `m.space.*` state on room upgrade](https://github.com/matrix-org/matrix-spec-proposals/pull/4168). Contributed by @nex.
|
||||
@@ -1,2 +0,0 @@
|
||||
Improved the performance and reliability of fetching missing events, improving network partition recovery. Contributed
|
||||
by @nex.
|
||||
@@ -1 +0,0 @@
|
||||
Remove support for MSC4373, as the MSC is now closed. Contributed by @vel.
|
||||
@@ -1 +0,0 @@
|
||||
Added static builds using Nix, allowing for Continuwuity on musl. During this, we also introduced a `max-perf-haswell` package, separating it from `max-perf`, so you may want to swap to this if you are on NixOS. Contributed by @Henry-Hiles (QuadRadical).
|
||||
@@ -1 +0,0 @@
|
||||
Added support for MSC4380 invite blocking, which has become part of the Matrix specification in v1.18. Contributed by @nex.
|
||||
@@ -1 +0,0 @@
|
||||
Added `!admin debug get-state-at` command
|
||||
@@ -1 +0,0 @@
|
||||
Updated deployment docs to account for new RPM package availability across more distros. Contributed by @julian45.
|
||||
@@ -1 +0,0 @@
|
||||
Move resolver service into client service, and remove deprecated and unused code. Contributed by @s1lv3r.
|
||||
@@ -1 +0,0 @@
|
||||
Added support for linking an external identity provider with OIDC. Contributed by @ginger.
|
||||
@@ -1 +0,0 @@
|
||||
Adjusted legacy sync logic to no longer use the `roomsynctoken_shortstatehash` database column. Once this change has been confirmed to be stable and reliable, a future update will remove it entirely, significantly decreasing database sizes. Contributed by @ginger.
|
||||
@@ -290,6 +290,27 @@
|
||||
#
|
||||
#ip_lookup_strategy = 5
|
||||
|
||||
# The source to use for discovering the real connecting client IP.
|
||||
#
|
||||
# Takes any of the following options:
|
||||
#
|
||||
# "cf_connecting_ip" - `Cf-Connecting-Ip` header
|
||||
# "cloudfront_viewer_address" - `CloudFront-Viewer-Address` header
|
||||
# "fly_client_ip" - `Fly-Client-IP` header
|
||||
# "x_forwarded_for" - rightmost value of the `X-Forwarded-For` header
|
||||
# "true_client_ip" - `True-Client-Ip` header
|
||||
# "x_envoy_external_address" - `X-Envoy-External-Address` header
|
||||
# "x_real_ip" - `X-Real-Ip` header
|
||||
#
|
||||
# Only set this if you are certain only your reverse proxy
|
||||
# will send the expected header. There is no "is the connecting IP allowed
|
||||
# to set this header" check; if the header selected is present, it is
|
||||
# used.
|
||||
#
|
||||
# Defaults to the IP address actually making the connection.
|
||||
#
|
||||
#request_ip_source = false
|
||||
|
||||
# Max request size for file uploads in bytes. Defaults to 20MB.
|
||||
# Also limits incoming federated media.
|
||||
#
|
||||
|
||||
+3
-1
@@ -171,6 +171,7 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
|
||||
--mount=type=cache,target=/usr/local/cargo/git/db \
|
||||
--mount=type=cache,target=/app/target,id=continuwuity-cargo-target-${TARGET_CPU}-${TARGETPLATFORM}-${RUST_PROFILE} \
|
||||
bash <<'EOF'
|
||||
set -euo pipefail
|
||||
set -o allexport
|
||||
set -o xtrace
|
||||
. /etc/environment
|
||||
@@ -191,7 +192,7 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
|
||||
jq -r ".target_directory"))
|
||||
mkdir /out/sbin
|
||||
PACKAGE=conduwuit
|
||||
xx-cargo build --locked --profile ${RUST_PROFILE} \
|
||||
CARGO_LOG=debug xx-cargo build --locked --profile ${RUST_PROFILE} \
|
||||
--no-default-features --features ${CARGO_FEATURES} \
|
||||
-p $PACKAGE;
|
||||
BINARIES=($(cargo metadata --no-deps --format-version 1 | \
|
||||
@@ -207,6 +208,7 @@ EOF
|
||||
RUN --mount=type=cache,target=/usr/local/cargo/registry \
|
||||
--mount=type=cache,target=/usr/local/cargo/git/db \
|
||||
bash <<'EOF'
|
||||
set -euo pipefail
|
||||
set -o xtrace
|
||||
mkdir /out/sbom
|
||||
typeset -A PACKAGES
|
||||
|
||||
@@ -6,10 +6,10 @@
|
||||
"message": "Welcome to Continuwuity! Important announcements about the project will appear here."
|
||||
},
|
||||
{
|
||||
"id": 14,
|
||||
"id": 15,
|
||||
"mention_room": true,
|
||||
"date": "2026-06-20",
|
||||
"message": "[v0.5.10](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.10) has been released. It is a security release, so we suggest you update as soon as possible. Don't forget to also join [our announcements room](https://matrix.to/#/!jIdNjSM5X-V5JVx2h2kAhUZIIQ08GyzPL55NFZAH1vM/%24K1ISNKIqfNiZzsNVCaTt2E7ZtNeP6Dsy6sbz9l3rO0A?via=ellis.link&via=gingershaped.computer&via=matrix.org)."
|
||||
"date": "2026-07-10",
|
||||
"message": "[Continuwuity 26.6.0](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v26.6.0) is finally out! This is by far our largest release yet, and it wouldn't have been possible without our community. Thank you so much for all of your patience, support, and/or development time over the last three months <3"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -104,13 +104,11 @@ ## `!admin query resolver`
|
||||
|
||||
resolver service
|
||||
|
||||
### `!admin query resolver destinations-cache`
|
||||
### `!admin query resolver cache`
|
||||
|
||||
Query the destinations cache
|
||||
Query the destinations or overrides cache
|
||||
|
||||
### `!admin query resolver overrides-cache`
|
||||
|
||||
Query the overrides cache
|
||||
Shows entire cache by default, but can be narrowed to only show overrides with `-o/--overrides true`, or to exclude them with `false`
|
||||
|
||||
### `!admin query resolver flush-cache`
|
||||
|
||||
|
||||
@@ -43,6 +43,8 @@ let
|
||||
env = {
|
||||
CARGO_PROFILE = profile;
|
||||
RUSTFLAGS = rustflags;
|
||||
GIT_COMMIT_HASH = self.rev or self.dirtyRev;
|
||||
GIT_COMMIT_HASH_SHORT = self.shortRev or self.dirtyShortRev;
|
||||
}
|
||||
// (lib.optionalAttrs (rocksdb != null) {
|
||||
ROCKSDB_INCLUDE_DIR = "${rocksdb}/include";
|
||||
|
||||
@@ -36,14 +36,16 @@
|
||||
self'.packages.stable-toolchain
|
||||
);
|
||||
|
||||
# extra features via `cargoExtraArgs`
|
||||
cargoExtraArgs = "-F http3";
|
||||
|
||||
default = pkgs.callPackage ./continuwuity.nix {
|
||||
inherit self craneLib;
|
||||
|
||||
liburing = (if isStatic then pkgs.pkgsStatic else pkgs).liburing;
|
||||
rocksdb = if isStatic then null else self'.packages.rocksdb;
|
||||
|
||||
# extra features via `cargoExtraArgs`
|
||||
cargoExtraArgs = "-F http3";
|
||||
inherit cargoExtraArgs;
|
||||
# extra RUSTFLAGS via `rustflags`
|
||||
# the stuff below is required for http3
|
||||
rustflags = "--cfg reqwest_unstable";
|
||||
@@ -55,6 +57,7 @@
|
||||
max-perf = default.override {
|
||||
# compiles slower but with more thorough optimizations
|
||||
profile = "release-max-perf";
|
||||
cargoExtraArgs = "${cargoExtraArgs} -F release_max_log_level";
|
||||
};
|
||||
|
||||
max-perf-haswell = max-perf.override {
|
||||
|
||||
+1
-1
@@ -12,7 +12,7 @@
|
||||
target:
|
||||
target.fromToolchainName {
|
||||
name = (lib.importTOML "${inputs.self}/rust-toolchain.toml").toolchain.channel;
|
||||
sha256 = "sha256-h+t2xTBz5yt2YIO+1VMIIGlCU7gyp2LYOFvaV1nwOXU=";
|
||||
sha256 = "sha256-OATSZm98Es5kIFuqaba+UvkQtFsVgJEBMmS+t6od5/U=";
|
||||
};
|
||||
in
|
||||
{
|
||||
|
||||
+1
-1
@@ -10,7 +10,7 @@
|
||||
|
||||
[toolchain]
|
||||
profile = "minimal"
|
||||
channel = "1.96.1"
|
||||
channel = "1.97.0"
|
||||
components = [
|
||||
# For rust-analyzer
|
||||
"rust-src",
|
||||
|
||||
@@ -1017,7 +1017,7 @@ pub(super) async fn resolve_true_destination(
|
||||
.http_client(self.services.client.default.clone())
|
||||
.build()?
|
||||
} else {
|
||||
&self.services.client.resolver
|
||||
&self.services.client.matrix_resolver
|
||||
};
|
||||
|
||||
let actual = resolver.resolve_server(server_name.as_str()).await?;
|
||||
|
||||
@@ -47,7 +47,7 @@ async fn cache(
|
||||
writeln!(self, "| Server Name | Destination | SNI | Override | Step | Expires |").await?;
|
||||
writeln!(self, "| ----------- | ----------- | --- | -------- | ---- | ------- |").await?;
|
||||
|
||||
let entries = self.services.client.resolver.get_all_cache_entries();
|
||||
let entries = self.services.client.matrix_resolver.get_all_cache_entries();
|
||||
|
||||
for (host, entry) in entries {
|
||||
if let Some(ors) = overrides
|
||||
@@ -81,13 +81,13 @@ async fn cache(
|
||||
|
||||
async fn flush_cache(&self, name: Option<OwnedServerName>, all: bool) -> Result {
|
||||
if all {
|
||||
self.services.client.resolver.clear_cache();
|
||||
self.services.client.dns.clear_cache();
|
||||
self.services.client.matrix_resolver.clear_cache();
|
||||
self.services.client.dns_resolver.clear_cache();
|
||||
writeln!(self, "Resolver and DNS caches cleared!").await
|
||||
} else if let Some(name) = name {
|
||||
self.services
|
||||
.client
|
||||
.resolver
|
||||
.matrix_resolver
|
||||
.remove_cache_entry(name.as_str());
|
||||
self.write_str(&format!("Cleared {name} from resolver caches!"))
|
||||
.await
|
||||
|
||||
@@ -115,7 +115,7 @@ pub(super) async fn suspend(&self, user_id: String) -> Result {
|
||||
// TODO: Record the actual user that sent the suspension where possible
|
||||
self.services
|
||||
.users
|
||||
.suspend_account(&user_id, self.sender_or_service_user())
|
||||
.suspend_account(&user_id, self.sender)
|
||||
.await;
|
||||
|
||||
self.write_str(&format!("User {user_id} has been suspended."))
|
||||
@@ -948,7 +948,7 @@ pub(super) async fn lock(&self, user_id: String) -> Result {
|
||||
|
||||
self.services
|
||||
.users
|
||||
.lock_account(&user_id, self.sender_or_service_user())
|
||||
.lock_account(&user_id, self.sender)
|
||||
.await;
|
||||
|
||||
self.write_str(&format!("User {user_id} has been locked."))
|
||||
|
||||
@@ -62,6 +62,8 @@ zstd_compression = [
|
||||
"reqwest/zstd",
|
||||
]
|
||||
|
||||
admin_api = []
|
||||
|
||||
[dependencies]
|
||||
async-trait.workspace = true
|
||||
axum-client-ip.workspace = true
|
||||
|
||||
@@ -1 +0,0 @@
|
||||
pub mod rooms;
|
||||
@@ -1,36 +0,0 @@
|
||||
use axum::extract::State;
|
||||
use conduwuit::{Err, Result};
|
||||
use futures::StreamExt;
|
||||
use ruma::OwnedRoomId;
|
||||
use ruminuwuity::admin::continuwuity::rooms;
|
||||
|
||||
use crate::Ruma;
|
||||
|
||||
/// # `GET /_continuwuity/admin/rooms/list`
|
||||
///
|
||||
/// Lists all rooms known to this server, excluding banned ones.
|
||||
pub(crate) async fn list_rooms(
|
||||
State(services): State<crate::State>,
|
||||
body: Ruma<rooms::list::v1::Request>,
|
||||
) -> Result<rooms::list::v1::Response> {
|
||||
let sender_user = body.identity.expect_sender_user()?;
|
||||
if !services.users.is_admin(sender_user).await {
|
||||
return Err!(Request(Forbidden("Only server administrators can use this endpoint")));
|
||||
}
|
||||
|
||||
let mut rooms: Vec<OwnedRoomId> = services
|
||||
.rooms
|
||||
.metadata
|
||||
.iter_ids()
|
||||
.filter_map(|room_id| async move {
|
||||
if !services.rooms.metadata.is_banned(&room_id).await {
|
||||
Some(room_id.clone())
|
||||
} else {
|
||||
None
|
||||
}
|
||||
})
|
||||
.collect()
|
||||
.await;
|
||||
rooms.sort();
|
||||
Ok(rooms::list::v1::Response::new(rooms))
|
||||
}
|
||||
@@ -1,2 +0,0 @@
|
||||
pub mod ban;
|
||||
pub mod list;
|
||||
@@ -1,6 +1,6 @@
|
||||
use axum::extract::State;
|
||||
use conduwuit::{Err, Result};
|
||||
use futures::future::{join, join3};
|
||||
use futures::join;
|
||||
use ruma::api::client::admin::{is_user_locked, lock_user};
|
||||
|
||||
use crate::Ruma;
|
||||
@@ -12,15 +12,7 @@ pub(crate) async fn get_lock_status(
|
||||
State(services): State<crate::State>,
|
||||
body: Ruma<is_user_locked::v1::Request>,
|
||||
) -> Result<is_user_locked::v1::Response> {
|
||||
let (admin, status) = join(
|
||||
services.users.is_admin(body.identity.expect_sender_user()?),
|
||||
services.users.status(&body.user_id),
|
||||
)
|
||||
.await;
|
||||
|
||||
if !admin {
|
||||
return Err!(Request(Forbidden("Only server administrators can use this endpoint")));
|
||||
}
|
||||
let status = services.users.status(&body.user_id).await;
|
||||
|
||||
status.ensure_active()?;
|
||||
|
||||
@@ -36,22 +28,14 @@ pub(crate) async fn put_lock_status(
|
||||
State(services): State<crate::State>,
|
||||
body: Ruma<lock_user::v1::Request>,
|
||||
) -> Result<lock_user::v1::Response> {
|
||||
let sender_user = body.identity.expect_sender_user()?;
|
||||
let sender_user = body.identity.sender_user();
|
||||
|
||||
let (sender_admin, status, target_admin) = join3(
|
||||
services.users.is_admin(sender_user),
|
||||
services.users.status(&body.user_id),
|
||||
services.users.is_admin(&body.user_id),
|
||||
)
|
||||
.await;
|
||||
|
||||
if !sender_admin {
|
||||
return Err!(Request(Forbidden("Only server administrators can use this endpoint")));
|
||||
}
|
||||
let (status, target_admin) =
|
||||
join!(services.users.status(&body.user_id), services.users.is_admin(&body.user_id),);
|
||||
|
||||
status.ensure_active()?;
|
||||
|
||||
if body.user_id == *sender_user {
|
||||
if sender_user.is_some_and(|sender_user| body.user_id == sender_user) {
|
||||
return Err!(Request(Forbidden("You cannot lock yourself")));
|
||||
}
|
||||
|
||||
@@ -79,7 +63,7 @@ pub(crate) async fn put_lock_status(
|
||||
// Notify the admin room that an account has been un/suspended
|
||||
services
|
||||
.admin
|
||||
.send_text(&format!("{} has been {} by {}.", body.user_id, action, sender_user))
|
||||
.send_text(&format!("{} has been {} by {}.", body.user_id, action, body.identity))
|
||||
.await;
|
||||
}
|
||||
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
mod lock;
|
||||
pub(crate) mod site;
|
||||
mod suspend;
|
||||
|
||||
pub(crate) use self::{lock::*, suspend::*};
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
pub(crate) mod rooms;
|
||||
pub(crate) mod users;
|
||||
@@ -6,7 +6,7 @@
|
||||
|
||||
use crate::{Ruma, client::leave_room};
|
||||
|
||||
/// # `PUT /_continuwuity/admin/rooms/{roomID}/ban`
|
||||
/// # `PUT /_continuwuity/admin/v1/rooms/{roomID}/ban`
|
||||
///
|
||||
/// Bans or unbans a room.
|
||||
pub(crate) async fn ban_room(
|
||||
@@ -0,0 +1,178 @@
|
||||
use axum::extract::State;
|
||||
use conduwuit::{
|
||||
Event, Result,
|
||||
utils::stream::{BroadbandExt, WidebandExt},
|
||||
};
|
||||
use futures::StreamExt;
|
||||
use ruma::{
|
||||
OwnedRoomId,
|
||||
events::{
|
||||
StateEventType,
|
||||
room::{
|
||||
create::RoomCreateEventContent,
|
||||
encryption::PossiblyRedactedRoomEncryptionEventContent,
|
||||
tombstone::PossiblyRedactedRoomTombstoneEventContent,
|
||||
},
|
||||
},
|
||||
};
|
||||
use ruminuwuity::admin::continuwuity::rooms;
|
||||
use tokio::join;
|
||||
|
||||
use crate::Ruma;
|
||||
|
||||
/// # `GET /_continuwuity/admin/rooms`
|
||||
///
|
||||
/// Lists all room IDs known to this server, excluding banned ones.
|
||||
///
|
||||
/// This is the legacy version of the endpoint, which does not support
|
||||
/// pagination or including banned rooms. It is recommended to use the
|
||||
/// `/v1/rooms` endpoint instead. This endpoint may be removed in a future
|
||||
/// release.
|
||||
pub(crate) async fn legacy_list_rooms(
|
||||
State(services): State<crate::State>,
|
||||
_body: Ruma<rooms::list::unstable::Request>,
|
||||
) -> Result<rooms::list::unstable::Response> {
|
||||
let mut rooms: Vec<OwnedRoomId> = services
|
||||
.rooms
|
||||
.metadata
|
||||
.iter_ids()
|
||||
.filter_map(|room_id| async move {
|
||||
if !services.rooms.metadata.is_banned(&room_id).await {
|
||||
Some(room_id.clone())
|
||||
} else {
|
||||
None
|
||||
}
|
||||
})
|
||||
.collect()
|
||||
.await;
|
||||
rooms.sort();
|
||||
Ok(rooms::list::unstable::Response::new(rooms))
|
||||
}
|
||||
|
||||
/// # `GET /_continuwuity/admin/v1/rooms`
|
||||
///
|
||||
/// Lists rooms known to this server.
|
||||
pub(crate) async fn list_rooms(
|
||||
State(services): State<crate::State>,
|
||||
body: Ruma<rooms::list::v1::Request>,
|
||||
) -> Result<rooms::list::v1::Response> {
|
||||
let include_banned_rooms = body.include_banned_rooms;
|
||||
let rooms = services
|
||||
.rooms
|
||||
.metadata
|
||||
.iter_ids()
|
||||
.wide_filter_map(|room_id| async move {
|
||||
if include_banned_rooms || !services.rooms.metadata.is_banned(&room_id).await {
|
||||
Some(room_id.clone())
|
||||
} else {
|
||||
None
|
||||
}
|
||||
})
|
||||
.skip(body.offset.unwrap_or_default())
|
||||
.take(body.limit.unwrap_or(100).min(100))
|
||||
.broad_filter_map(|room_id| async move {
|
||||
let (
|
||||
banned,
|
||||
disabled,
|
||||
member_count,
|
||||
local_member_count,
|
||||
resident_server_count,
|
||||
published,
|
||||
create_event,
|
||||
encryption_event,
|
||||
name_event,
|
||||
topic_event,
|
||||
canonical_alias_event,
|
||||
join_rules_event,
|
||||
history_visibility_event,
|
||||
tombstone_event,
|
||||
) = join!(
|
||||
services.rooms.metadata.is_banned(&room_id),
|
||||
services.rooms.metadata.is_disabled(&room_id),
|
||||
services.rooms.state_cache.room_joined_count(&room_id),
|
||||
services
|
||||
.rooms
|
||||
.state_cache
|
||||
.active_local_users_in_room(&room_id)
|
||||
.count(),
|
||||
services.rooms.state_cache.room_servers(&room_id).count(),
|
||||
services.rooms.directory.is_public_room(&room_id),
|
||||
services.rooms.state_accessor.room_state_get(
|
||||
&room_id,
|
||||
&StateEventType::RoomCreate,
|
||||
""
|
||||
),
|
||||
services
|
||||
.rooms
|
||||
.state_accessor
|
||||
.room_state_get_content::<PossiblyRedactedRoomEncryptionEventContent>(
|
||||
&room_id,
|
||||
&StateEventType::RoomEncryption,
|
||||
""
|
||||
),
|
||||
services.rooms.state_accessor.room_state_get_content(
|
||||
&room_id,
|
||||
&StateEventType::RoomName,
|
||||
""
|
||||
),
|
||||
services.rooms.state_accessor.room_state_get_content(
|
||||
&room_id,
|
||||
&StateEventType::RoomTopic,
|
||||
""
|
||||
),
|
||||
services.rooms.state_accessor.room_state_get_content(
|
||||
&room_id,
|
||||
&StateEventType::RoomCanonicalAlias,
|
||||
""
|
||||
),
|
||||
services.rooms.state_accessor.room_state_get_content(
|
||||
&room_id,
|
||||
&StateEventType::RoomJoinRules,
|
||||
""
|
||||
),
|
||||
services.rooms.state_accessor.room_state_get_content(
|
||||
&room_id,
|
||||
&StateEventType::RoomHistoryVisibility,
|
||||
""
|
||||
),
|
||||
services
|
||||
.rooms
|
||||
.state_accessor
|
||||
.room_state_get_content::<PossiblyRedactedRoomTombstoneEventContent>(
|
||||
&room_id,
|
||||
&StateEventType::RoomTombstone,
|
||||
""
|
||||
),
|
||||
);
|
||||
let Ok(create_event) = create_event else {
|
||||
return None;
|
||||
};
|
||||
let create_content = create_event
|
||||
.get_content::<RoomCreateEventContent>()
|
||||
.expect("m.room.create content must be valid");
|
||||
Some(rooms::list::v1::MinimalRoomInfo {
|
||||
room_id,
|
||||
banned,
|
||||
disabled,
|
||||
member_count: usize::try_from(member_count.unwrap_or_default())
|
||||
.expect("u64 should fit in usize"),
|
||||
local_member_count,
|
||||
resident_server_count,
|
||||
creators: vec![create_event.sender],
|
||||
encrypted: encryption_event.is_ok_and(|c| c.algorithm.is_some()),
|
||||
federated: create_content.federate,
|
||||
published,
|
||||
version: create_content.room_version,
|
||||
name: name_event.unwrap_or(None),
|
||||
topic: topic_event.unwrap_or(None),
|
||||
canonical_alias: canonical_alias_event.unwrap_or(None),
|
||||
join_rules: join_rules_event.unwrap_or(None),
|
||||
history_visibility: history_visibility_event.unwrap_or(None),
|
||||
predecessor: create_content.predecessor.map(|c| c.room_id),
|
||||
successor: tombstone_event.map_or(None, |c| c.replacement_room),
|
||||
})
|
||||
})
|
||||
.collect()
|
||||
.await;
|
||||
Ok(rooms::list::v1::Response::new(rooms))
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
mod ban;
|
||||
mod list;
|
||||
|
||||
pub(crate) use ban::ban_room;
|
||||
pub(crate) use list::*;
|
||||
@@ -0,0 +1,142 @@
|
||||
use axum::extract::State;
|
||||
use conduwuit::{
|
||||
err, error, info,
|
||||
utils::{IterStream, stream::BroadbandExt},
|
||||
warn,
|
||||
};
|
||||
use futures::{FutureExt, StreamExt};
|
||||
use ruma::{api::client::profile::PropagateTo, profile::ProfileFieldValue};
|
||||
use ruminuwuity::admin::continuwuity::users;
|
||||
use service::users::{HashedPassword, ProfileFieldChange};
|
||||
|
||||
use crate::router::Ruma;
|
||||
|
||||
/// # `POST /_continuwuity/admin/v1/users/create`
|
||||
///
|
||||
/// Creates a new user.
|
||||
pub(crate) async fn create_user(
|
||||
State(services): State<crate::State>,
|
||||
body: Ruma<users::create::v1::Request>,
|
||||
) -> conduwuit::Result<users::create::v1::Response> {
|
||||
let email = body
|
||||
.email
|
||||
.clone()
|
||||
.map(lettre::Address::try_from)
|
||||
.transpose()
|
||||
.map_err(|e| err!(Request(BadJson("Invalid email address: {e}"))))?;
|
||||
|
||||
let ref user_id = services
|
||||
.users
|
||||
.determine_registration_user_id(Some(body.localpart.clone()), email.as_ref(), None)
|
||||
.await?;
|
||||
|
||||
services.users.create_shadow_account(user_id).await?;
|
||||
|
||||
services
|
||||
.users
|
||||
.convert_to_local_account(user_id, HashedPassword::new(&body.password)?)
|
||||
.await?;
|
||||
|
||||
if let Some(email) = &email {
|
||||
services
|
||||
.threepid
|
||||
.associate_localpart_email(user_id.localpart(), email)
|
||||
.await?;
|
||||
}
|
||||
|
||||
if body.suspended {
|
||||
services
|
||||
.users
|
||||
.suspend_account(user_id, body.identity.sender_user())
|
||||
.await;
|
||||
}
|
||||
if body.locked {
|
||||
services
|
||||
.users
|
||||
.lock_account(user_id, body.identity.sender_user())
|
||||
.await;
|
||||
}
|
||||
if body.login_disabled {
|
||||
services.users.disable_login(user_id);
|
||||
}
|
||||
if let Some(ref value) = body.display_name {
|
||||
services
|
||||
.users
|
||||
.set_profile_field(
|
||||
user_id,
|
||||
ProfileFieldChange::Set(ProfileFieldValue::DisplayName(value.to_owned())),
|
||||
PropagateTo::None,
|
||||
)
|
||||
.await?;
|
||||
}
|
||||
if let Some(ref value) = body.avatar_url {
|
||||
services
|
||||
.users
|
||||
.set_profile_field(
|
||||
user_id,
|
||||
ProfileFieldChange::Set(ProfileFieldValue::AvatarUrl(value.to_owned())),
|
||||
PropagateTo::None,
|
||||
)
|
||||
.await?;
|
||||
}
|
||||
if body.admin {
|
||||
services
|
||||
.admin
|
||||
.make_user_admin(user_id)
|
||||
.await
|
||||
.inspect_err(|e| error!("failed to make new user {user_id} an admin: {e}"))
|
||||
.ok();
|
||||
}
|
||||
|
||||
body.auto_join_rooms
|
||||
.clone()
|
||||
.into_iter()
|
||||
.stream()
|
||||
.chain(
|
||||
if body.skip_auto_join {
|
||||
vec![]
|
||||
} else {
|
||||
services.config.auto_join_rooms.clone()
|
||||
}
|
||||
.into_iter()
|
||||
.stream(),
|
||||
)
|
||||
.broad_filter_map(|room| async move {
|
||||
services
|
||||
.rooms
|
||||
.alias
|
||||
.resolve_with_servers(&room, None)
|
||||
.await
|
||||
.inspect_err(|e| {
|
||||
warn!(
|
||||
"Failed to resolve room alias to room ID when attempting to auto join \
|
||||
{room}: {e}"
|
||||
);
|
||||
})
|
||||
.ok()
|
||||
})
|
||||
.for_each_concurrent(None, |(room_id, servers)| async move {
|
||||
match services
|
||||
.rooms
|
||||
.membership
|
||||
.join_room(
|
||||
user_id,
|
||||
&room_id,
|
||||
Some("Automatically joining this room upon registration".to_owned()),
|
||||
servers.as_ref(),
|
||||
)
|
||||
.boxed()
|
||||
.await
|
||||
{
|
||||
| Err(e) => {
|
||||
warn!("Failed to automatically join {user_id} to {room_id}: {e}");
|
||||
},
|
||||
| _ => {
|
||||
info!("Automatically joined room {user_id} to {room_id}");
|
||||
},
|
||||
}
|
||||
})
|
||||
.await;
|
||||
|
||||
Ok(users::create::v1::Response::new(user_id.to_owned()))
|
||||
}
|
||||
@@ -0,0 +1,42 @@
|
||||
use axum::extract::State;
|
||||
use conduwuit::utils::stream::WidebandExt;
|
||||
use futures::StreamExt;
|
||||
use ruminuwuity::admin::continuwuity::users;
|
||||
use tokio::join;
|
||||
|
||||
use crate::router::Ruma;
|
||||
|
||||
/// # `GET /_continuwuity/admin/v1/users`
|
||||
///
|
||||
/// Lists all users on this homeserver.
|
||||
pub(crate) async fn list_users(
|
||||
State(services): State<crate::State>,
|
||||
body: Ruma<users::list::v1::Request>,
|
||||
) -> conduwuit::Result<users::list::v1::Response> {
|
||||
let users = services
|
||||
.users
|
||||
.stream_local_users()
|
||||
.skip(body.offset.unwrap_or_default())
|
||||
.take(body.limit.unwrap_or(100).min(100))
|
||||
.wide_filter_map(|user_id| async move {
|
||||
let (status, suspended, locked, admin, login_disabled) = join!(
|
||||
services.users.status(&user_id),
|
||||
services.users.is_suspended(&user_id),
|
||||
services.users.is_locked(&user_id),
|
||||
services.users.is_admin(&user_id),
|
||||
services.users.is_login_disabled(&user_id),
|
||||
);
|
||||
Some(users::list::v1::User {
|
||||
user_id: user_id.clone(),
|
||||
deactivated: !status.is_active(),
|
||||
suspended: suspended.unwrap_or_default(),
|
||||
locked: locked.unwrap_or_default(),
|
||||
admin,
|
||||
login_disabled,
|
||||
})
|
||||
})
|
||||
.collect()
|
||||
.await;
|
||||
|
||||
Ok(users::list::v1::Response::new(users))
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
mod create;
|
||||
mod list;
|
||||
|
||||
pub(crate) use create::*;
|
||||
pub(crate) use list::*;
|
||||
@@ -67,7 +67,7 @@ pub(crate) async fn put_suspended_status(
|
||||
let action = if body.suspended {
|
||||
services
|
||||
.users
|
||||
.suspend_account(&body.user_id, sender_user)
|
||||
.suspend_account(&body.user_id, body.identity.sender_user())
|
||||
.await;
|
||||
"suspended"
|
||||
} else {
|
||||
|
||||
@@ -29,6 +29,12 @@ pub(crate) async fn get_profile_route(
|
||||
State(services): State<crate::State>,
|
||||
body: Ruma<get_profile::v3::Request>,
|
||||
) -> Result<get_profile::v3::Response> {
|
||||
if services.config.require_auth_for_profile_requests && body.identity.is_none() {
|
||||
return Err!(Request(Unauthorized(
|
||||
"This server requires authentication to view user profiles."
|
||||
)));
|
||||
}
|
||||
|
||||
let Some(profile) = fetch_full_profile(&services, &body.user_id).await else {
|
||||
return Err!(Request(NotFound("This user's profile could not be fetched.")));
|
||||
};
|
||||
@@ -40,6 +46,12 @@ pub(crate) async fn get_profile_field_route(
|
||||
State(services): State<crate::State>,
|
||||
body: Ruma<get_profile_field::v3::Request>,
|
||||
) -> Result<get_profile_field::v3::Response> {
|
||||
if services.config.require_auth_for_profile_requests && body.identity.is_none() {
|
||||
return Err!(Request(Unauthorized(
|
||||
"This server requires authentication to view user profiles."
|
||||
)));
|
||||
}
|
||||
|
||||
let value = fetch_profile_field(&services, &body.user_id, body.field.clone()).await?;
|
||||
|
||||
Ok(assign!(get_profile_field::v3::Response::default(), { value }))
|
||||
|
||||
@@ -11,8 +11,6 @@
|
||||
pub mod router;
|
||||
pub mod server;
|
||||
|
||||
pub mod admin;
|
||||
|
||||
pub(crate) use self::router::{Ruma, RumaResponse, State};
|
||||
|
||||
conduwuit::mod_ctor! {}
|
||||
|
||||
+21
-3
@@ -16,7 +16,12 @@
|
||||
|
||||
use self::handler::RouterExt;
|
||||
pub(super) use self::{args::Args as Ruma, auth::ClientIdentity, response::RumaResponse};
|
||||
use crate::{admin, client, server};
|
||||
#[cfg(feature = "admin_api")]
|
||||
use crate::client::admin::site as admin_api;
|
||||
use crate::{
|
||||
client::{self, admin},
|
||||
server,
|
||||
};
|
||||
|
||||
pub fn build(router: Router<State>, state: State) -> Router<State> {
|
||||
let config = &state.server.config;
|
||||
@@ -191,8 +196,11 @@ pub fn build(router: Router<State>, state: State) -> Router<State> {
|
||||
.ruma_route(&client::get_authorization_server_metadata_route)
|
||||
.merge(client::oauth::router(state))
|
||||
.route("/_continuwuity/server_version", get(client::continuwuity_server_version))
|
||||
.ruma_route(&admin::rooms::ban::ban_room)
|
||||
.ruma_route(&admin::rooms::list::list_rooms);
|
||||
.ruma_route(&admin::site::rooms::ban_room)
|
||||
.ruma_route(&admin::site::rooms::list_rooms)
|
||||
.ruma_route(&admin::site::rooms::legacy_list_rooms)
|
||||
.ruma_route(&admin::site::users::create_user)
|
||||
.ruma_route(&admin::site::users::list_users);
|
||||
|
||||
if config.allow_federation {
|
||||
router = router
|
||||
@@ -275,6 +283,16 @@ pub fn build(router: Router<State>, state: State) -> Router<State> {
|
||||
.route("/_matrix/media/r0/preview_url", any(redirect_legacy_preview));
|
||||
}
|
||||
|
||||
#[cfg(feature = "admin_api")]
|
||||
{
|
||||
router = router
|
||||
.ruma_route(&admin_api::users::list_users_route)
|
||||
.ruma_route(&admin_api::users::create_user_route)
|
||||
.ruma_route(&admin_api::rooms::ban_room)
|
||||
.ruma_route(&admin_api::rooms::legacy_list_rooms_route)
|
||||
.ruma_route(&admin_api::rooms::list_rooms_route);
|
||||
};
|
||||
|
||||
router
|
||||
}
|
||||
|
||||
|
||||
+184
-151
@@ -1,11 +1,14 @@
|
||||
use std::any::{Any, TypeId};
|
||||
use std::{
|
||||
any::{Any, TypeId},
|
||||
fmt::Display,
|
||||
};
|
||||
|
||||
use conduwuit::{Err, Error, Result, err};
|
||||
use http::StatusCode;
|
||||
use ruma::{
|
||||
DeviceId, OwnedDeviceId, OwnedServerName, OwnedUserId, UserId,
|
||||
api::{
|
||||
IncomingRequest,
|
||||
IncomingRequest, OAuthClientScope,
|
||||
auth_scheme::{
|
||||
AccessToken, AccessTokenOptional, AppserviceToken, AppserviceTokenOptional,
|
||||
AuthScheme, NoAccessToken, NoAuthentication,
|
||||
@@ -77,68 +80,66 @@ pub(crate) fn appservice_info(&self) -> Option<&RegistrationInfo> {
|
||||
pub(crate) fn is_appservice(&self) -> bool { matches!(self, Self::Appservice { .. }) }
|
||||
}
|
||||
|
||||
impl Display for ClientIdentity {
|
||||
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
||||
match self {
|
||||
| Self::User { sender_user, sender_device } =>
|
||||
write!(f, "{sender_user} ({sender_device})"),
|
||||
| Self::Appservice { sender_user, appservice_info, .. } =>
|
||||
write!(f, "appservice `{}` using {sender_user}", appservice_info.registration.id),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
pub(crate) trait CheckAuth: AuthScheme {
|
||||
type Identity: Send;
|
||||
|
||||
fn authenticate<R: IncomingRequest + Any, B: AsRef<[u8]> + Sync>(
|
||||
fn authenticate<R: IncomingRequest<Authentication = Self> + Any, B: AsRef<[u8]> + Sync>(
|
||||
services: &Services,
|
||||
incoming_request: &hyper::Request<B>,
|
||||
query: AuthQueryParams,
|
||||
) -> impl Future<Output = Result<Self::Identity>> + Send {
|
||||
async move {
|
||||
let route = TypeId::of::<R>();
|
||||
|
||||
let output = Self::extract_authentication(incoming_request).map_err(|err| {
|
||||
err!(Request(Unauthorized(warn!(
|
||||
"Failed to extract authorization: {}",
|
||||
"Failed to extract request authentication: {}",
|
||||
err.into()
|
||||
))))
|
||||
})?;
|
||||
|
||||
Self::verify(services, output, incoming_request, query, route).await
|
||||
Self::verify::<R, B>(services, output, incoming_request, query).await
|
||||
}
|
||||
}
|
||||
|
||||
fn verify<B: AsRef<[u8]> + Sync>(
|
||||
fn verify<R: IncomingRequest<Authentication = Self> + Any, B: AsRef<[u8]> + Sync>(
|
||||
services: &Services,
|
||||
output: Self::Output,
|
||||
request: &hyper::Request<B>,
|
||||
query: AuthQueryParams,
|
||||
route: TypeId,
|
||||
) -> impl Future<Output = Result<Self::Identity>> + Send;
|
||||
}
|
||||
|
||||
impl CheckAuth for ServerSignatures {
|
||||
type Identity = OwnedServerName;
|
||||
|
||||
async fn verify<B: AsRef<[u8]> + Sync>(
|
||||
async fn verify<R: IncomingRequest<Authentication = Self> + Any, B: AsRef<[u8]> + Sync>(
|
||||
services: &Services,
|
||||
output: Self::Output,
|
||||
request: &hyper::Request<B>,
|
||||
_query: AuthQueryParams,
|
||||
_route: TypeId,
|
||||
) -> Result<Self::Identity> {
|
||||
let destination = services.globals.server_name();
|
||||
if output
|
||||
.destination
|
||||
.as_ref()
|
||||
.is_some_and(|supplied_destination| supplied_destination != destination)
|
||||
{
|
||||
return Err!(Request(Unauthorized("Destination mismatch.")));
|
||||
}
|
||||
|
||||
let key = services
|
||||
.server_keys
|
||||
.get_verify_key(&output.origin, &output.key)
|
||||
.await
|
||||
.map_err(|e| {
|
||||
err!(Request(Unauthorized(warn!("Failed to fetch signing keys: {e}"))))
|
||||
.map_err(|err| {
|
||||
err!(Request(Unauthorized(warn!("Failed to fetch signing keys: {err}"))))
|
||||
})?;
|
||||
|
||||
let keys: PubKeys = [(output.key.to_string(), key.key)].into();
|
||||
let keys: PubKeyMap = [(output.origin.as_str().into(), keys)].into();
|
||||
|
||||
match output.verify_request(request, destination, &keys) {
|
||||
match output.verify_request(request, services.globals.server_name(), &keys) {
|
||||
| Ok(()) => {
|
||||
if services
|
||||
.moderation
|
||||
@@ -160,115 +161,36 @@ async fn verify<B: AsRef<[u8]> + Sync>(
|
||||
impl CheckAuth for AccessToken {
|
||||
type Identity = ClientIdentity;
|
||||
|
||||
async fn verify<B: AsRef<[u8]> + Sync>(
|
||||
async fn verify<R: IncomingRequest<Authentication = Self> + Any, B: AsRef<[u8]> + Sync>(
|
||||
services: &Services,
|
||||
output: Self::Output,
|
||||
_request: &hyper::Request<B>,
|
||||
query: AuthQueryParams,
|
||||
route: TypeId,
|
||||
) -> Result<Self::Identity> {
|
||||
if output.is_empty() {
|
||||
return Err!(Request(Unauthorized("Missing access token.")));
|
||||
}
|
||||
if let Some((sender_user, sender_device, status)) =
|
||||
services.users.find_from_token(&output).await
|
||||
{
|
||||
// If the token is expired we return a soft logout
|
||||
if matches!(status, AccessTokenStatus::Expired) {
|
||||
return Err(Error::Request(
|
||||
ErrorKind::UnknownToken(
|
||||
assign!(UnknownTokenErrorData::new(), { soft_logout: true }),
|
||||
),
|
||||
"This token has expired".into(),
|
||||
StatusCode::UNAUTHORIZED,
|
||||
));
|
||||
}
|
||||
|
||||
// Locked users can only use /logout and /logout/all
|
||||
if services
|
||||
.users
|
||||
.is_locked(&sender_user)
|
||||
.await
|
||||
.is_ok_and(std::convert::identity)
|
||||
{
|
||||
if !(route == TypeId::of::<client::session::logout::v3::Request>()
|
||||
|| route == TypeId::of::<client::session::logout_all::v3::Request>())
|
||||
{
|
||||
return Err!(Request(UserLocked("Your account is locked.")));
|
||||
}
|
||||
}
|
||||
|
||||
Ok(ClientIdentity::User { sender_user, sender_device })
|
||||
} else if let Ok(appservice_info) = services.appservice.find_from_token(&output).await {
|
||||
let Ok(sender_user) = query.user_id.clone().map_or_else(
|
||||
|| {
|
||||
UserId::parse_with_server_name(
|
||||
appservice_info.registration.sender_localpart.as_str(),
|
||||
services.globals.server_name(),
|
||||
)
|
||||
},
|
||||
UserId::parse,
|
||||
) else {
|
||||
return Err!(Request(InvalidUsername("Username is invalid.")));
|
||||
};
|
||||
|
||||
if !appservice_info.is_user_match(&sender_user) {
|
||||
return Err!(Request(Exclusive("User is not in namespace.")));
|
||||
}
|
||||
|
||||
// MSC3202/MSC4190: Handle device_id masquerading for appservices.
|
||||
// The device_id can be provided via `device_id` or
|
||||
// `org.matrix.msc3202.device_id` query parameter.
|
||||
let sender_device =
|
||||
if let Some(device_id) = query.device_id.as_deref().map(Into::into) {
|
||||
// Verify the device exists for this user
|
||||
if services
|
||||
.users
|
||||
.get_device_metadata(&sender_user, device_id)
|
||||
.await
|
||||
.is_err()
|
||||
{
|
||||
return Err!(Request(Forbidden(
|
||||
"Device does not exist for user or appservice cannot masquerade as \
|
||||
this device."
|
||||
)));
|
||||
}
|
||||
|
||||
Some(device_id.to_owned())
|
||||
} else {
|
||||
None
|
||||
};
|
||||
|
||||
Ok(ClientIdentity::Appservice {
|
||||
sender_user,
|
||||
sender_device,
|
||||
appservice_info: Box::new(appservice_info),
|
||||
})
|
||||
} else {
|
||||
Err(Error::Request(
|
||||
ErrorKind::UnknownToken(UnknownTokenErrorData::new()),
|
||||
"Invalid token".into(),
|
||||
StatusCode::UNAUTHORIZED,
|
||||
))
|
||||
}
|
||||
verify_access_token(services, output, query, TypeId::of::<R>(), R::required_scopes())
|
||||
.await
|
||||
}
|
||||
}
|
||||
|
||||
impl CheckAuth for AccessTokenOptional {
|
||||
type Identity = Option<ClientIdentity>;
|
||||
|
||||
async fn verify<B: AsRef<[u8]> + Sync>(
|
||||
async fn verify<R: IncomingRequest<Authentication = Self> + Any, B: AsRef<[u8]> + Sync>(
|
||||
services: &Services,
|
||||
output: Self::Output,
|
||||
request: &hyper::Request<B>,
|
||||
_request: &hyper::Request<B>,
|
||||
query: AuthQueryParams,
|
||||
route: TypeId,
|
||||
) -> Result<Self::Identity> {
|
||||
match output {
|
||||
| Some(token) =>
|
||||
<AccessToken as CheckAuth>::verify(services, token, request, query, route)
|
||||
.await
|
||||
.map(Some),
|
||||
| Some(token) => verify_access_token(
|
||||
services,
|
||||
token,
|
||||
query,
|
||||
TypeId::of::<R>(),
|
||||
R::required_scopes(),
|
||||
)
|
||||
.await
|
||||
.map(Some),
|
||||
| None => Ok(None),
|
||||
}
|
||||
}
|
||||
@@ -277,39 +199,29 @@ async fn verify<B: AsRef<[u8]> + Sync>(
|
||||
impl CheckAuth for AppserviceToken {
|
||||
type Identity = RegistrationInfo;
|
||||
|
||||
async fn verify<B: AsRef<[u8]> + Sync>(
|
||||
async fn verify<R: IncomingRequest<Authentication = Self> + Any, B: AsRef<[u8]> + Sync>(
|
||||
services: &Services,
|
||||
output: Self::Output,
|
||||
_request: &hyper::Request<B>,
|
||||
_query: AuthQueryParams,
|
||||
_route: TypeId,
|
||||
) -> Result<Self::Identity> {
|
||||
if output.is_empty() {
|
||||
return Err!(Request(Unauthorized("Missing access token.")));
|
||||
}
|
||||
let Ok(appservice_info) = services.appservice.find_from_token(&output).await else {
|
||||
return Err!(Request(Unauthorized("Invalid appservice token.")));
|
||||
};
|
||||
|
||||
Ok(appservice_info)
|
||||
verify_appservice_access_token(services, output).await
|
||||
}
|
||||
}
|
||||
|
||||
impl CheckAuth for AppserviceTokenOptional {
|
||||
type Identity = Option<RegistrationInfo>;
|
||||
|
||||
async fn verify<B: AsRef<[u8]> + Sync>(
|
||||
async fn verify<R: IncomingRequest<Authentication = Self> + Any, B: AsRef<[u8]> + Sync>(
|
||||
services: &Services,
|
||||
output: Self::Output,
|
||||
request: &hyper::Request<B>,
|
||||
query: AuthQueryParams,
|
||||
route: TypeId,
|
||||
_request: &hyper::Request<B>,
|
||||
_query: AuthQueryParams,
|
||||
) -> Result<Self::Identity> {
|
||||
match output {
|
||||
| Some(token) =>
|
||||
<AppserviceToken as CheckAuth>::verify(services, token, request, query, route)
|
||||
.await
|
||||
.map(Some),
|
||||
| Some(token) => verify_appservice_access_token(services, token)
|
||||
.await
|
||||
.map(Some),
|
||||
| None => Ok(None),
|
||||
}
|
||||
}
|
||||
@@ -318,12 +230,11 @@ async fn verify<B: AsRef<[u8]> + Sync>(
|
||||
impl CheckAuth for NoAuthentication {
|
||||
type Identity = ();
|
||||
|
||||
async fn verify<B: AsRef<[u8]> + Sync>(
|
||||
async fn verify<R: IncomingRequest<Authentication = Self> + Any, B: AsRef<[u8]> + Sync>(
|
||||
_services: &Services,
|
||||
_output: Self::Output,
|
||||
_request: &hyper::Request<B>,
|
||||
_query: AuthQueryParams,
|
||||
_route: TypeId,
|
||||
) -> Result<Self::Identity> {
|
||||
Ok(())
|
||||
}
|
||||
@@ -332,31 +243,153 @@ async fn verify<B: AsRef<[u8]> + Sync>(
|
||||
impl CheckAuth for NoAccessToken {
|
||||
type Identity = Option<ClientIdentity>;
|
||||
|
||||
async fn verify<B: AsRef<[u8]> + Sync>(
|
||||
async fn verify<R: IncomingRequest<Authentication = Self> + Any, B: AsRef<[u8]> + Sync>(
|
||||
services: &Services,
|
||||
_output: Self::Output,
|
||||
request: &hyper::Request<B>,
|
||||
query: AuthQueryParams,
|
||||
route: TypeId,
|
||||
) -> Result<Self::Identity> {
|
||||
// We handle these the same as AccessTokenOptional
|
||||
let token = AccessTokenOptional::extract_authentication(request).map_err(|err| {
|
||||
err!(Request(Unauthorized(warn!("Failed to extract authorization: {}", err))))
|
||||
})?;
|
||||
|
||||
// Check special access restrictions
|
||||
if (route == TypeId::of::<client::profile::get_avatar_url::v3::Request>()
|
||||
|| route == TypeId::of::<client::profile::get_display_name::v3::Request>()
|
||||
|| route == TypeId::of::<client::profile::get_profile_field::v3::Request>()
|
||||
|| route == TypeId::of::<client::profile::get_profile::v3::Request>())
|
||||
&& services.config.require_auth_for_profile_requests
|
||||
&& token.is_none()
|
||||
{
|
||||
return Err!(Request(Unauthorized(
|
||||
"This server requires authentication to access user profiles."
|
||||
)));
|
||||
match token {
|
||||
| Some(token) => verify_access_token(
|
||||
services,
|
||||
token,
|
||||
query,
|
||||
TypeId::of::<R>(),
|
||||
// Assume that no scopes are required for these endpoints since
|
||||
// ostensibly they don't require authentication
|
||||
&[],
|
||||
)
|
||||
.await
|
||||
.map(Some),
|
||||
| None => Ok(None),
|
||||
}
|
||||
|
||||
<AccessTokenOptional as CheckAuth>::verify(services, token, request, query, route).await
|
||||
}
|
||||
}
|
||||
|
||||
async fn verify_access_token(
|
||||
services: &Services,
|
||||
output: String,
|
||||
query: AuthQueryParams,
|
||||
route: TypeId,
|
||||
required_scopes: &[OAuthClientScope],
|
||||
) -> Result<ClientIdentity> {
|
||||
if let Some((sender_user, sender_device, status)) =
|
||||
services.users.find_from_token(&output).await
|
||||
{
|
||||
// If the token is expired we return a soft logout
|
||||
if matches!(status, AccessTokenStatus::Expired) {
|
||||
return Err(Error::Request(
|
||||
ErrorKind::UnknownToken(
|
||||
assign!(UnknownTokenErrorData::new(), { soft_logout: true }),
|
||||
),
|
||||
"This access token has expired.".into(),
|
||||
StatusCode::UNAUTHORIZED,
|
||||
));
|
||||
}
|
||||
|
||||
// Locked users can only use /logout and /logout/all
|
||||
if services
|
||||
.users
|
||||
.is_locked(&sender_user)
|
||||
.await
|
||||
.is_ok_and(std::convert::identity)
|
||||
{
|
||||
if !(route == TypeId::of::<client::session::logout::v3::Request>()
|
||||
|| route == TypeId::of::<client::session::logout_all::v3::Request>())
|
||||
{
|
||||
return Err!(Request(UserLocked("Your account is locked.")));
|
||||
}
|
||||
}
|
||||
|
||||
// If this device is bound to an OAuth session, check its scopes. This will also
|
||||
// handle admin-only endpoints for OAuth clients.
|
||||
if let Some(session) = services
|
||||
.oauth
|
||||
.get_session_info_for_device(&sender_user, &sender_device)
|
||||
.await
|
||||
{
|
||||
if required_scopes
|
||||
.iter()
|
||||
.all(|scope| !session.scopes.contains(scope))
|
||||
{
|
||||
return Err!(Request(Forbidden(
|
||||
"You don't have the necessary scopes to use this endpoint."
|
||||
)));
|
||||
}
|
||||
} else {
|
||||
// Otherwise, explicitly check if the endpoint is restricted to admins only.
|
||||
if required_scopes.contains(&OAuthClientScope::ServerAdministration)
|
||||
&& !services.users.is_admin(&sender_user).await
|
||||
{
|
||||
return Err!(Request(Forbidden(
|
||||
"Only server administrators can use this endpoint."
|
||||
)));
|
||||
}
|
||||
}
|
||||
|
||||
Ok(ClientIdentity::User { sender_user, sender_device })
|
||||
} else if let Ok(appservice_info) = services.appservice.find_from_token(&output).await {
|
||||
let Ok(sender_user) = query.user_id.clone().map_or_else(
|
||||
|| {
|
||||
UserId::parse_with_server_name(
|
||||
appservice_info.registration.sender_localpart.as_str(),
|
||||
services.globals.server_name(),
|
||||
)
|
||||
},
|
||||
UserId::parse,
|
||||
) else {
|
||||
return Err!(Request(InvalidUsername("Username is invalid.")));
|
||||
};
|
||||
|
||||
if !appservice_info.is_user_match(&sender_user) {
|
||||
return Err!(Request(Exclusive("User is not in this appservice's namespace.")));
|
||||
}
|
||||
|
||||
// MSC3202/MSC4190: Handle device_id masquerading for appservices.
|
||||
// The device_id can be provided via `device_id` or
|
||||
// `org.matrix.msc3202.device_id` query parameter.
|
||||
let sender_device = if let Some(device_id) = query.device_id.as_deref().map(Into::into) {
|
||||
// Verify the device exists for this user
|
||||
if services
|
||||
.users
|
||||
.get_device_metadata(&sender_user, device_id)
|
||||
.await
|
||||
.is_err()
|
||||
{
|
||||
return Err!(Request(Forbidden("Appservice cannot masquerade as this device.")));
|
||||
}
|
||||
|
||||
Some(device_id.to_owned())
|
||||
} else {
|
||||
None
|
||||
};
|
||||
|
||||
Ok(ClientIdentity::Appservice {
|
||||
sender_user,
|
||||
sender_device,
|
||||
appservice_info: Box::new(appservice_info),
|
||||
})
|
||||
} else {
|
||||
Err(Error::Request(
|
||||
ErrorKind::UnknownToken(UnknownTokenErrorData::new()),
|
||||
"Invalid access token.".into(),
|
||||
StatusCode::UNAUTHORIZED,
|
||||
))
|
||||
}
|
||||
}
|
||||
|
||||
async fn verify_appservice_access_token(
|
||||
services: &Services,
|
||||
output: String,
|
||||
) -> Result<RegistrationInfo> {
|
||||
let Ok(appservice_info) = services.appservice.find_from_token(&output).await else {
|
||||
return Err!(Request(Unauthorized("Invalid appservice token.")));
|
||||
};
|
||||
|
||||
Ok(appservice_info)
|
||||
}
|
||||
|
||||
+22
-1
@@ -370,6 +370,27 @@ pub struct Config {
|
||||
#[serde(default = "default_ip_lookup_strategy")]
|
||||
pub ip_lookup_strategy: u8,
|
||||
|
||||
/// The source to use for discovering the real connecting client IP.
|
||||
///
|
||||
/// Takes any of the following options:
|
||||
///
|
||||
/// "cf_connecting_ip" - `Cf-Connecting-Ip` header
|
||||
/// "cloudfront_viewer_address" - `CloudFront-Viewer-Address` header
|
||||
/// "fly_client_ip" - `Fly-Client-IP` header
|
||||
/// "x_forwarded_for" - rightmost value of the `X-Forwarded-For` header
|
||||
/// "true_client_ip" - `True-Client-Ip` header
|
||||
/// "x_envoy_external_address" - `X-Envoy-External-Address` header
|
||||
/// "x_real_ip" - `X-Real-Ip` header
|
||||
///
|
||||
/// Only set this if you are certain only your reverse proxy
|
||||
/// will send the expected header. There is no "is the connecting IP allowed
|
||||
/// to set this header" check; if the header selected is present, it is
|
||||
/// used.
|
||||
///
|
||||
/// Defaults to the IP address actually making the connection.
|
||||
#[serde(default)]
|
||||
pub request_ip_source: Option<String>,
|
||||
|
||||
/// Max request size for file uploads in bytes. Defaults to 20MB.
|
||||
/// Also limits incoming federated media.
|
||||
///
|
||||
@@ -2476,7 +2497,7 @@ pub struct OidcConfig {
|
||||
/// automatically fetch the identity provider's metadata from this URL.
|
||||
/// Generally you should set this to the base domain your identity provider
|
||||
/// runs on.
|
||||
pub discovery_url: Url,
|
||||
pub discovery_url: String,
|
||||
|
||||
/// The OAuth client ID for Continuwuity to use when communicating with the
|
||||
/// identity provider.
|
||||
|
||||
@@ -41,5 +41,7 @@ pub fn unstable_features() -> BTreeMap<String, bool> {
|
||||
("org.matrix.msc4155".to_owned(), true),
|
||||
// profile change propagation (https://github.com/matrix-org/matrix-spec-proposals/pull/4466)
|
||||
("computer.gingershaped.msc4466".to_owned(), true),
|
||||
// server admin oauth scope (https://github.com/matrix-org/matrix-spec-proposals/pull/4484)
|
||||
("org.continuwuity.msc4484.unstable".to_owned(), true),
|
||||
])
|
||||
}
|
||||
|
||||
@@ -17,7 +17,7 @@
|
||||
},
|
||||
};
|
||||
|
||||
use conduwuit::{Err, Result, debug, info, warn};
|
||||
use conduwuit::{Err, Result, debug, err, info, warn};
|
||||
use rocksdb::{
|
||||
AsColumnFamilyRef, BoundColumnFamily, DBCommon, DBWithThreadMode, MultiThreaded,
|
||||
WaitForCompactOptions,
|
||||
@@ -127,6 +127,12 @@ pub fn current_sequence(&self) -> u64 {
|
||||
|
||||
sequence
|
||||
}
|
||||
|
||||
pub fn drop_column(&self, name: &str) -> Result {
|
||||
self.db
|
||||
.drop_cf(name)
|
||||
.map_err(|err| err!("Failed to drop {name}: {err}"))
|
||||
}
|
||||
}
|
||||
|
||||
impl Drop for Engine {
|
||||
|
||||
+2
-1
@@ -42,12 +42,12 @@ assets = [
|
||||
[features]
|
||||
default = [
|
||||
"standard",
|
||||
"release_max_log_level",
|
||||
"ring",
|
||||
"bindgen-runtime", # replace with bindgen-static on alpine
|
||||
]
|
||||
standard = [
|
||||
"brotli_compression",
|
||||
"direct_tls",
|
||||
"element_hacks",
|
||||
"gzip_compression",
|
||||
"io_uring",
|
||||
@@ -68,6 +68,7 @@ full = [
|
||||
"jemalloc_prof",
|
||||
"perf_measurements",
|
||||
"tokio_console",
|
||||
"conduwuit-api/admin_api",
|
||||
]
|
||||
|
||||
brotli_compression = [
|
||||
|
||||
+17
-1
@@ -48,6 +48,22 @@ pub(crate) fn build(services: &Arc<Services>) -> Result<(Router, Guard)> {
|
||||
))]
|
||||
let layers = layers.layer(compression_layer(server));
|
||||
|
||||
let client_ip_layer = match services
|
||||
.config
|
||||
.request_ip_source
|
||||
.as_ref()
|
||||
.map(AsRef::as_ref)
|
||||
{
|
||||
| Some("cf_connecting_ip") => ClientIpSource::CfConnectingIp,
|
||||
| Some("cloudfront_viewer_address") => ClientIpSource::CloudFrontViewerAddress,
|
||||
| Some("fly_client_ip") => ClientIpSource::FlyClientIp,
|
||||
| Some("x_forwarded_for") => ClientIpSource::RightmostXForwardedFor,
|
||||
| Some("true_client_ip") => ClientIpSource::TrueClientIp,
|
||||
| Some("x_envoy_external_address") => ClientIpSource::XEnvoyExternalAddress,
|
||||
| Some("x_real_ip") => ClientIpSource::XRealIp,
|
||||
| None | Some(_) => ClientIpSource::ConnectInfo,
|
||||
};
|
||||
|
||||
let services_ = services.clone();
|
||||
let layers = layers
|
||||
.layer(SetSensitiveHeadersLayer::new([header::AUTHORIZATION]))
|
||||
@@ -59,7 +75,7 @@ pub(crate) fn build(services: &Arc<Services>) -> Result<(Router, Guard)> {
|
||||
.on_response(DefaultOnResponse::new().level(Level::DEBUG)),
|
||||
)
|
||||
.layer(axum::middleware::from_fn_with_state(Arc::clone(services), request::handle))
|
||||
.layer(ClientIpSource::ConnectInfo.into_extension())
|
||||
.layer(client_ip_layer.into_extension())
|
||||
.layer(ResponseBodyTimeoutLayer::new(Duration::from_secs(
|
||||
server.config.client_response_timeout,
|
||||
)))
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
pub mod rooms;
|
||||
pub mod users;
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
pub mod v1 {
|
||||
use ruma::{
|
||||
OwnedRoomAliasId, OwnedRoomId, OwnedUserId,
|
||||
api::{auth_scheme::AccessToken, request, response},
|
||||
api::{OAuthClientScope, auth_scheme::AccessToken, request, response},
|
||||
metadata,
|
||||
};
|
||||
|
||||
@@ -9,8 +9,10 @@ pub mod v1 {
|
||||
method: PUT,
|
||||
rate_limited: false,
|
||||
authentication: AccessToken,
|
||||
required_scopes: [OAuthClientScope::ServerAdministration],
|
||||
history: {
|
||||
1.0 => "/_continuwuity/admin/rooms/{room_id}/ban",
|
||||
unstable("org.continuwuity.admin") => "/_continuwuity/admin/rooms/{room_id}/ban",
|
||||
1.0 => "/_continuwuity/admin/v1/rooms/{room_id}/ban",
|
||||
}
|
||||
}
|
||||
|
||||
@@ -29,8 +31,11 @@ pub struct Request {
|
||||
|
||||
#[response]
|
||||
pub struct Response {
|
||||
/// Users who were successfully kicked from this room.
|
||||
pub kicked_users: Vec<OwnedUserId>,
|
||||
/// Users who could not be kicked from the room.
|
||||
pub failed_kicked_users: Vec<OwnedUserId>,
|
||||
/// Any local aliases that were removed from the room.
|
||||
pub local_aliases: Vec<OwnedRoomAliasId>,
|
||||
}
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
pub mod v1 {
|
||||
pub mod unstable {
|
||||
use ruma::{
|
||||
OwnedRoomId,
|
||||
api::{auth_scheme::AccessToken, request, response},
|
||||
api::{OAuthClientScope, auth_scheme::AccessToken, request, response},
|
||||
metadata,
|
||||
};
|
||||
|
||||
@@ -9,8 +9,9 @@ pub mod v1 {
|
||||
method: GET,
|
||||
rate_limited: false,
|
||||
authentication: AccessToken,
|
||||
required_scopes: [OAuthClientScope::ServerAdministration],
|
||||
history: {
|
||||
1.0 => "/_continuwuity/admin/rooms/list",
|
||||
unstable => "/_continuwuity/admin/rooms/list",
|
||||
}
|
||||
}
|
||||
|
||||
@@ -20,6 +21,7 @@ pub mod v1 {
|
||||
|
||||
#[response]
|
||||
pub struct Response {
|
||||
/// A list of room IDs known to this server.
|
||||
pub rooms: Vec<OwnedRoomId>,
|
||||
}
|
||||
|
||||
@@ -33,3 +35,133 @@ impl Response {
|
||||
pub fn new(rooms: Vec<OwnedRoomId>) -> Self { Self { rooms } }
|
||||
}
|
||||
}
|
||||
|
||||
pub mod v1 {
|
||||
use ruma::{
|
||||
OwnedRoomId, OwnedUserId, RoomVersionId,
|
||||
api::{auth_scheme::AccessToken, request, response},
|
||||
events::room::{
|
||||
canonical_alias::PossiblyRedactedRoomCanonicalAliasEventContent,
|
||||
history_visibility::PossiblyRedactedRoomHistoryVisibilityEventContent,
|
||||
join_rules::PossiblyRedactedRoomJoinRulesEventContent,
|
||||
name::PossiblyRedactedRoomNameEventContent,
|
||||
topic::PossiblyRedactedRoomTopicEventContent,
|
||||
},
|
||||
metadata,
|
||||
serde::{default_true, is_default},
|
||||
};
|
||||
|
||||
metadata! {
|
||||
method: GET,
|
||||
rate_limited: false,
|
||||
authentication: AccessToken,
|
||||
history: {
|
||||
1.0 => "/_continuwuity/admin/v1/rooms",
|
||||
}
|
||||
}
|
||||
|
||||
#[request]
|
||||
#[derive(Default)]
|
||||
pub struct Request {
|
||||
/// The maximum number of results to return in this page. Maximum (and
|
||||
/// default) is 100.
|
||||
#[ruma_api(query)]
|
||||
#[serde(default, skip_serializing_if = "is_default")]
|
||||
pub limit: Option<usize>,
|
||||
|
||||
/// The number of results to skip over before returning results. Default
|
||||
/// is 0.
|
||||
#[ruma_api(query)]
|
||||
#[serde(default, skip_serializing_if = "is_default")]
|
||||
pub offset: Option<usize>,
|
||||
|
||||
/// If true, includes banned rooms in the response.
|
||||
#[ruma_api(query)]
|
||||
#[serde(default, skip_serializing_if = "is_default")]
|
||||
pub include_banned_rooms: bool,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
|
||||
pub struct MinimalRoomInfo {
|
||||
/// The room's unique ID.
|
||||
pub room_id: OwnedRoomId,
|
||||
/// If true, this room is banned, and cannot be joined by non-admins.
|
||||
#[serde(default, skip_serializing_if = "is_default")]
|
||||
pub banned: bool,
|
||||
/// If true, this room has federation disabled, but can still be locally
|
||||
/// used.
|
||||
#[serde(default, skip_serializing_if = "is_default")]
|
||||
pub disabled: bool,
|
||||
/// The total number of joined members in this room.
|
||||
#[serde(default, skip_serializing_if = "is_default")]
|
||||
pub member_count: usize,
|
||||
/// The total number of joined members in this room that are local to
|
||||
/// this server.
|
||||
#[serde(default, skip_serializing_if = "is_default")]
|
||||
pub local_member_count: usize,
|
||||
/// The number of unique homeservers currently joined to this room.
|
||||
#[serde(default, skip_serializing_if = "is_default")]
|
||||
pub resident_server_count: usize,
|
||||
/// The users who created this room.
|
||||
///
|
||||
/// The first entry is always the sender of the `m.room.create` event.
|
||||
/// Any entries thereafter are additional creators in v12+ rooms. An
|
||||
/// empty vec indicates the room is not known.
|
||||
#[serde(default, skip_serializing_if = "is_default")]
|
||||
pub creators: Vec<OwnedUserId>,
|
||||
/// If true, this room has encryption enabled.
|
||||
#[serde(default, skip_serializing_if = "is_default")]
|
||||
pub encrypted: bool,
|
||||
/// If true, this room is allowed to be federated (`m.federate` is not
|
||||
/// `false` in `m.room.create`).
|
||||
#[serde(default = "default_true", skip_serializing_if = "is_default")]
|
||||
pub federated: bool,
|
||||
/// If true, this room is published to this server's room directory.
|
||||
#[serde(default, skip_serializing_if = "is_default")]
|
||||
pub published: bool,
|
||||
/// The version of the room.
|
||||
pub version: RoomVersionId,
|
||||
/// The event content for the `m.room.name` event, if any is present.
|
||||
/// May be redacted.
|
||||
#[serde(default, skip_serializing_if = "Option::is_none")]
|
||||
pub name: Option<PossiblyRedactedRoomNameEventContent>,
|
||||
/// The event content for the `m.room.topic` event, if any is present.
|
||||
/// May be redacted.
|
||||
#[serde(default, skip_serializing_if = "Option::is_none")]
|
||||
pub topic: Option<PossiblyRedactedRoomTopicEventContent>,
|
||||
/// The event content for the `m.room.canonical_alias` event, if any is
|
||||
/// present. May be redacted.
|
||||
#[serde(default, skip_serializing_if = "Option::is_none")]
|
||||
pub canonical_alias: Option<PossiblyRedactedRoomCanonicalAliasEventContent>,
|
||||
/// The event content for the `m.room.join_rules` event, if any is
|
||||
/// present. May be redacted.
|
||||
#[serde(default, skip_serializing_if = "Option::is_none")]
|
||||
pub join_rules: Option<PossiblyRedactedRoomJoinRulesEventContent>,
|
||||
/// The event content for the `m.room.history_visibility` event, if any
|
||||
/// is present. May be redacted.
|
||||
#[serde(default, skip_serializing_if = "Option::is_none")]
|
||||
pub history_visibility: Option<PossiblyRedactedRoomHistoryVisibilityEventContent>,
|
||||
/// The ID of the room which replaces this one, if any.
|
||||
#[serde(default, skip_serializing_if = "Option::is_none")]
|
||||
pub successor: Option<OwnedRoomId>,
|
||||
/// The ID of the room which preceded this one, if any.
|
||||
#[serde(default, skip_serializing_if = "Option::is_none")]
|
||||
pub predecessor: Option<OwnedRoomId>,
|
||||
}
|
||||
|
||||
#[response]
|
||||
pub struct Response {
|
||||
/// A list of rooms known to this server.
|
||||
pub rooms: Vec<MinimalRoomInfo>,
|
||||
}
|
||||
|
||||
impl Request {
|
||||
#[must_use]
|
||||
pub fn new() -> Self { Self::default() }
|
||||
}
|
||||
|
||||
impl Response {
|
||||
#[must_use]
|
||||
pub fn new(rooms: Vec<MinimalRoomInfo>) -> Self { Self { rooms } }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,105 @@
|
||||
pub mod v1 {
|
||||
use ruma::{
|
||||
OwnedMxcUri, OwnedRoomOrAliasId, OwnedUserId,
|
||||
api::{OAuthClientScope, auth_scheme::AccessToken, request, response},
|
||||
metadata,
|
||||
};
|
||||
|
||||
metadata! {
|
||||
method: POST,
|
||||
rate_limited: false,
|
||||
authentication: AccessToken,
|
||||
required_scopes: [OAuthClientScope::ServerAdministration],
|
||||
history: {
|
||||
1.0 => "/_continuwuity/admin/v1/users/create",
|
||||
},
|
||||
}
|
||||
|
||||
#[request]
|
||||
pub struct Request {
|
||||
/// The user's localpart (the identifier between `@` and `:`). Cannot be
|
||||
/// blank.
|
||||
pub localpart: String,
|
||||
|
||||
/// The user's desired password. Cannot be blank.
|
||||
pub password: String,
|
||||
|
||||
/// The user's email address, if any.
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub email: Option<String>,
|
||||
|
||||
/// The display name to set upon creation.
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub display_name: Option<String>,
|
||||
|
||||
/// The avatar URI to set upon creation.
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub avatar_url: Option<OwnedMxcUri>,
|
||||
|
||||
/// Suspends the user immediately upon creation. They can still log in.
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub suspended: bool,
|
||||
|
||||
/// Locks the user immediately upon creation. They will receive
|
||||
/// M_USER_LOCKED upon login.
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub locked: bool,
|
||||
|
||||
/// Disables the user's login immediately upon creation.
|
||||
///
|
||||
/// The user can still be used if an admin generates an access token for
|
||||
/// the account, but the user will not be able to use `POST
|
||||
/// /_matrix/client/v3/login`.
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub login_disabled: bool,
|
||||
|
||||
/// Promotes the user to a server administrator immediately upon
|
||||
/// creation.
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub admin: bool,
|
||||
|
||||
/// Skips joining rooms in the server's configured auto_join_rooms.
|
||||
///
|
||||
/// If this is false, all rooms in the config.toml's `auto_join_rooms`
|
||||
/// will be automatically joined upon creation. If `auto_join_rooms`
|
||||
/// is supplied in this request too, those rooms will be joined
|
||||
/// afterwards.
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub skip_auto_join: bool,
|
||||
|
||||
/// Additional rooms to auto-join the new user to. If `skip_auto_join`
|
||||
/// is `true`, these rooms will still be joined.
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub auto_join_rooms: Vec<OwnedRoomOrAliasId>,
|
||||
}
|
||||
|
||||
#[response]
|
||||
pub struct Response {
|
||||
/// The fully qualified user ID of the newly created user.
|
||||
pub user_id: OwnedUserId,
|
||||
}
|
||||
|
||||
impl Request {
|
||||
#[must_use]
|
||||
pub fn new(localpart: String, password: String) -> Self {
|
||||
Self {
|
||||
localpart,
|
||||
password,
|
||||
email: None,
|
||||
display_name: None,
|
||||
avatar_url: None,
|
||||
suspended: false,
|
||||
locked: false,
|
||||
login_disabled: false,
|
||||
admin: false,
|
||||
skip_auto_join: false,
|
||||
auto_join_rooms: Vec::new(),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl Response {
|
||||
#[must_use]
|
||||
pub fn new(user_id: OwnedUserId) -> Self { Self { user_id } }
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,139 @@
|
||||
pub mod v1 {
|
||||
use ruma::{
|
||||
OwnedUserId,
|
||||
api::{OAuthClientScope, auth_scheme::AccessToken, request, response},
|
||||
metadata,
|
||||
};
|
||||
use serde::Deserialize;
|
||||
|
||||
metadata! {
|
||||
method: GET,
|
||||
rate_limited: false,
|
||||
authentication: AccessToken,
|
||||
required_scopes: [OAuthClientScope::ServerAdministration],
|
||||
history: {
|
||||
1.0 => "/_continuwuity/admin/v1/users",
|
||||
}
|
||||
}
|
||||
|
||||
#[request]
|
||||
#[derive(Default)]
|
||||
pub struct Request {
|
||||
/// If true, includes deactivated users in the response.
|
||||
#[ruma_api(query)]
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub include_deactivated: bool,
|
||||
/// If true, includes locked users in the response.
|
||||
#[ruma_api(query)]
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub include_locked: bool,
|
||||
/// If true, includes suspended users in the response.
|
||||
#[ruma_api(query)]
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub include_suspended: bool,
|
||||
|
||||
/// The maximum number of results to return in this page. Maximum (and
|
||||
/// default) is 100.
|
||||
#[ruma_api(query)]
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub limit: Option<usize>,
|
||||
|
||||
/// The number of results to skip over before returning results. Default
|
||||
/// is 0.
|
||||
#[ruma_api(query)]
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub offset: Option<usize>,
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone, PartialEq, Eq, Deserialize, serde::Serialize)]
|
||||
pub struct User {
|
||||
/// The full user ID of the user.
|
||||
pub user_id: OwnedUserId,
|
||||
|
||||
/// Whether this user is deactivated.
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub deactivated: bool,
|
||||
|
||||
/// Whether this user is suspended.
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub suspended: bool,
|
||||
|
||||
/// Whether this user is locked.
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub locked: bool,
|
||||
|
||||
/// Whether this user is an admin.
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub admin: bool,
|
||||
|
||||
/// Whether this user has their login disabled.
|
||||
#[serde(default, skip_serializing_if = "ruma::serde::is_default")]
|
||||
pub login_disabled: bool,
|
||||
}
|
||||
|
||||
impl User {
|
||||
#[must_use]
|
||||
pub fn new(user_id: OwnedUserId) -> Self {
|
||||
Self {
|
||||
user_id,
|
||||
deactivated: false,
|
||||
suspended: false,
|
||||
locked: false,
|
||||
admin: false,
|
||||
login_disabled: false,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[response]
|
||||
#[derive(Default)]
|
||||
pub struct Response {
|
||||
pub users: Vec<User>,
|
||||
}
|
||||
|
||||
impl Request {
|
||||
#[must_use]
|
||||
pub fn new() -> Self { Self::default() }
|
||||
}
|
||||
|
||||
impl Response {
|
||||
#[must_use]
|
||||
pub fn new(users: Vec<User>) -> Self { Self { users } }
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use assign::assign;
|
||||
use serde_json::json;
|
||||
|
||||
use super::*;
|
||||
|
||||
#[test]
|
||||
fn request_defaults() {
|
||||
let req = Request::new();
|
||||
assert!(!req.include_deactivated && !req.include_locked && !req.include_suspended);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn user_serialize_omits_default_values() {
|
||||
let user_id = OwnedUserId::try_from("@alice:example.org".to_owned()).unwrap();
|
||||
let user = User::new(user_id.clone());
|
||||
|
||||
let expected = json!({ "user_id": user_id.to_string() });
|
||||
assert_eq!(serde_json::to_value(&user).expect("failed to serialize user"), expected);
|
||||
|
||||
let suspended_user = assign!(user, {suspended: true});
|
||||
let expected2 = json!({ "user_id": "@alice:example.org", "suspended": true});
|
||||
assert_eq!(
|
||||
serde_json::to_value(&suspended_user).expect("failed to serialize user"),
|
||||
expected2
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn response_defaults() {
|
||||
let response = Response::default();
|
||||
assert!(response.users.is_empty());
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,2 @@
|
||||
pub mod create;
|
||||
pub mod list;
|
||||
@@ -1,53 +0,0 @@
|
||||
//! `GET /_matrix/client/v1/admin/suspend/{userId}`
|
||||
//!
|
||||
//! Check the suspension status of a target user
|
||||
|
||||
pub mod v1 {
|
||||
//! `/_matrix/client/unstable/uk.timedout.msc4323/admin/suspend/{userID}`
|
||||
//! ([msc])
|
||||
//!
|
||||
//! [msc]: https://github.com/matrix-org/matrix-spec-proposals/pull/4323
|
||||
|
||||
use ruma::{
|
||||
OwnedUserId,
|
||||
api::{auth_scheme::AccessToken, request, response},
|
||||
metadata,
|
||||
};
|
||||
|
||||
metadata! {
|
||||
method: GET,
|
||||
rate_limited: false,
|
||||
authentication: AccessToken,
|
||||
history: {
|
||||
unstable => "/_matrix/client/unstable/uk.timedout.msc4323/admin/suspend/{user_id}",
|
||||
1.18 => "/_matrix/client/v1/admin/suspend/{user_id}",
|
||||
}
|
||||
}
|
||||
|
||||
/// Request type for the get & set user suspension status endpoint.
|
||||
#[request(error = ruma::api::error::Error)]
|
||||
pub struct Request {
|
||||
/// The user to look up.
|
||||
#[ruma_api(path)]
|
||||
pub user_id: OwnedUserId,
|
||||
}
|
||||
|
||||
/// Response type for the suspension endpoints
|
||||
#[response(error = ruma::api::error::Error)]
|
||||
pub struct Response {
|
||||
/// Whether the user is currently suspended.
|
||||
pub suspended: bool,
|
||||
}
|
||||
|
||||
impl Request {
|
||||
/// Creates a new `Request` with the given user id.
|
||||
#[must_use]
|
||||
pub fn new(user_id: OwnedUserId) -> Self { Self { user_id } }
|
||||
}
|
||||
|
||||
impl Response {
|
||||
/// Creates a new `Response` with the given suspension status.
|
||||
#[must_use]
|
||||
pub fn new(suspended: bool) -> Self { Self { suspended } }
|
||||
}
|
||||
}
|
||||
@@ -1,3 +1 @@
|
||||
pub mod continuwuity;
|
||||
pub mod get_suspended;
|
||||
pub mod set_suspended;
|
||||
|
||||
@@ -1,55 +0,0 @@
|
||||
//! `PUT /_matrix/client/v1/admin/suspend/{userId}`
|
||||
//!
|
||||
//! Set the suspension status of a target user
|
||||
|
||||
pub mod v1 {
|
||||
//! `/_matrix/client/unstable/uk.timedout.msc4323/admin/suspend/{userID}`
|
||||
//! ([msc])
|
||||
//!
|
||||
//! [msc]: https://github.com/matrix-org/matrix-spec-proposals/pull/4323
|
||||
|
||||
use ruma::{
|
||||
OwnedUserId,
|
||||
api::{auth_scheme::AccessToken, request, response},
|
||||
metadata,
|
||||
};
|
||||
|
||||
metadata! {
|
||||
method: PUT,
|
||||
rate_limited: false,
|
||||
authentication: AccessToken,
|
||||
history: {
|
||||
unstable => "/_matrix/client/unstable/uk.timedout.msc4323/admin/suspend/{user_id}",
|
||||
1.18 => "/_matrix/client/v1/admin/suspend/{user_id}",
|
||||
}
|
||||
}
|
||||
|
||||
/// Request type for the set user suspension status endpoint.
|
||||
#[request(error = ruma::api::error::Error)]
|
||||
pub struct Request {
|
||||
/// The user to look up.
|
||||
#[ruma_api(path)]
|
||||
pub user_id: OwnedUserId,
|
||||
|
||||
pub suspended: bool,
|
||||
}
|
||||
|
||||
/// Response type for the suspension endpoints
|
||||
#[response(error = ruma::api::error::Error)]
|
||||
pub struct Response {
|
||||
/// Whether the user is currently suspended.
|
||||
pub suspended: bool,
|
||||
}
|
||||
|
||||
impl Request {
|
||||
/// Creates a new `Request` with the given user id.
|
||||
#[must_use]
|
||||
pub fn new(user_id: OwnedUserId, suspended: bool) -> Self { Self { user_id, suspended } }
|
||||
}
|
||||
|
||||
impl Response {
|
||||
/// Creates a new `Response` with the given suspension status.
|
||||
#[must_use]
|
||||
pub fn new(suspended: bool) -> Self { Self { suspended } }
|
||||
}
|
||||
}
|
||||
@@ -1,108 +0,0 @@
|
||||
use std::{net::SocketAddr, sync::Arc, time::Duration};
|
||||
|
||||
use conduwuit::{Result, Server, err};
|
||||
use futures::FutureExt;
|
||||
use hickory_resolver::{
|
||||
TokioResolver, config::ConnectionConfig, lookup_ip::LookupIp,
|
||||
net::runtime::TokioRuntimeProvider,
|
||||
};
|
||||
use reqwest::dns::{Addrs, Name, Resolve, Resolving};
|
||||
|
||||
pub struct Resolver {
|
||||
pub(crate) resolver: Arc<TokioResolver>,
|
||||
server: Arc<Server>,
|
||||
}
|
||||
|
||||
type ResolvingResult = Result<Addrs, Box<dyn std::error::Error + Send + Sync>>;
|
||||
|
||||
impl Resolver {
|
||||
#[allow(clippy::as_conversions, clippy::cast_sign_loss, clippy::cast_possible_truncation)]
|
||||
pub(super) fn build(server: &Arc<Server>) -> Result<Arc<Self>> {
|
||||
let config = &server.config;
|
||||
let (sys_conf, mut opts) = hickory_resolver::system_conf::read_system_conf()
|
||||
.map_err(|e| err!(error!("Failed to configure DNS resolver from system: {e}")))?;
|
||||
|
||||
let mut conf = hickory_resolver::config::ResolverConfig::default();
|
||||
|
||||
if let Some(domain) = sys_conf.domain() {
|
||||
conf.set_domain(domain.clone());
|
||||
}
|
||||
|
||||
for sys_conf in sys_conf.search() {
|
||||
conf.add_search(sys_conf.clone());
|
||||
}
|
||||
|
||||
for sys_conf in sys_conf.name_servers() {
|
||||
let mut ns = sys_conf.clone();
|
||||
|
||||
if config.query_over_tcp_only {
|
||||
ns.connections = vec![ConnectionConfig::tcp()];
|
||||
}
|
||||
|
||||
ns.trust_negative_responses = !config.query_all_nameservers;
|
||||
|
||||
conf.add_name_server(ns);
|
||||
}
|
||||
|
||||
opts.cache_size = u64::from(config.dns_cache_entries);
|
||||
opts.preserve_intermediates = true;
|
||||
opts.negative_min_ttl = Some(Duration::from_secs(config.dns_min_ttl_nxdomain));
|
||||
opts.negative_max_ttl = Some(Duration::from_hours(720));
|
||||
opts.positive_min_ttl = Some(Duration::from_secs(config.dns_min_ttl));
|
||||
opts.positive_max_ttl = Some(Duration::from_hours(168));
|
||||
opts.timeout = Duration::from_secs(config.dns_timeout);
|
||||
opts.attempts = config.dns_attempts as usize;
|
||||
opts.try_tcp_on_error = config.dns_tcp_fallback;
|
||||
opts.num_concurrent_reqs = 1;
|
||||
opts.edns0 = true;
|
||||
opts.case_randomization = true;
|
||||
opts.ip_strategy = match config.ip_lookup_strategy {
|
||||
| 1 => hickory_resolver::config::LookupIpStrategy::Ipv4Only,
|
||||
| 2 => hickory_resolver::config::LookupIpStrategy::Ipv6Only,
|
||||
| 3 => hickory_resolver::config::LookupIpStrategy::Ipv4AndIpv6,
|
||||
| 4 => hickory_resolver::config::LookupIpStrategy::Ipv6thenIpv4,
|
||||
| _ => hickory_resolver::config::LookupIpStrategy::Ipv4thenIpv6,
|
||||
};
|
||||
|
||||
let runtime_provider = TokioRuntimeProvider::new();
|
||||
let mut builder = TokioResolver::builder_with_config(conf, runtime_provider);
|
||||
*builder.options_mut() = opts;
|
||||
let resolver = Arc::new(builder.build().expect("failed to build resolver :("));
|
||||
|
||||
Ok(Arc::new(Self { resolver, server: server.clone() }))
|
||||
}
|
||||
|
||||
/// Clear the in-memory hickory-dns caches
|
||||
#[inline]
|
||||
pub fn clear_cache(&self) { self.resolver.clear_cache(); }
|
||||
}
|
||||
|
||||
impl Resolve for Resolver {
|
||||
fn resolve(&self, name: Name) -> Resolving {
|
||||
resolve_to_reqwest(self.server.clone(), self.resolver.clone(), name).boxed()
|
||||
}
|
||||
}
|
||||
|
||||
async fn resolve_to_reqwest(
|
||||
server: Arc<Server>,
|
||||
resolver: Arc<TokioResolver>,
|
||||
name: Name,
|
||||
) -> ResolvingResult {
|
||||
use std::{io, io::ErrorKind::Interrupted};
|
||||
|
||||
let handle_shutdown = || Box::new(io::Error::new(Interrupted, "Server shutting down"));
|
||||
let handle_results = |results: LookupIp| {
|
||||
Box::new(
|
||||
results
|
||||
.iter()
|
||||
.collect::<Vec<_>>()
|
||||
.into_iter()
|
||||
.map(|ip| SocketAddr::new(ip, 0)),
|
||||
)
|
||||
};
|
||||
|
||||
tokio::select! {
|
||||
results = resolver.lookup_ip(name.as_str()) => Ok(handle_results(results?)),
|
||||
() = server.until_shutdown() => Err(handle_shutdown()),
|
||||
}
|
||||
}
|
||||
+84
-23
@@ -1,19 +1,20 @@
|
||||
mod dns;
|
||||
|
||||
use std::{sync::Arc, time::Duration};
|
||||
|
||||
use async_trait::async_trait;
|
||||
use conduwuit::{Config, Result, err, trace};
|
||||
use conduwuit::{Config, Result, Server, err, trace};
|
||||
use either::Either;
|
||||
use hickory_resolver::{
|
||||
TokioResolver, config::ConnectionConfig, net::runtime::TokioRuntimeProvider,
|
||||
};
|
||||
use ipaddress::IPAddress;
|
||||
use reqwest::redirect;
|
||||
use resolvematrix::server::{MatrixResolver, MatrixResolverBuilder};
|
||||
|
||||
use crate::{client::dns::Resolver, service};
|
||||
use crate::service;
|
||||
|
||||
pub struct Service {
|
||||
pub resolver: MatrixResolver,
|
||||
pub dns: Arc<Resolver>,
|
||||
pub matrix_resolver: Arc<MatrixResolver>,
|
||||
pub dns_resolver: Arc<TokioResolver>,
|
||||
|
||||
pub default: reqwest::Client,
|
||||
pub url_preview: reqwest::Client,
|
||||
@@ -31,8 +32,10 @@ pub struct Service {
|
||||
impl crate::Service for Service {
|
||||
fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
|
||||
let config = &args.server.config;
|
||||
let dns = Resolver::build(args.server)?;
|
||||
let resolver = MatrixResolverBuilder::new()
|
||||
|
||||
let dns_resolver = get_dns_resolver(args.server)?;
|
||||
|
||||
let matrix_resolver = Arc::new(MatrixResolverBuilder::new()
|
||||
.dangerous_tls_accept_invalid_certs(args.server.config.allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure)
|
||||
.http_client(
|
||||
base(&args.server.config)?
|
||||
@@ -43,8 +46,9 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
|
||||
.redirect(redirect::Policy::limited(4))
|
||||
.build()?
|
||||
)
|
||||
.dns_resolver(dns.resolver.clone())
|
||||
.build()?;
|
||||
.dns_resolver(dns_resolver.clone())
|
||||
.build()?);
|
||||
let matrix_dns_resolver = matrix_resolver.create_dns_resolver();
|
||||
|
||||
let url_preview_bind_addr = config
|
||||
.url_preview_bound_interface
|
||||
@@ -62,29 +66,31 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
|
||||
.unwrap_or_else(|| conduwuit::user_agent_media().to_owned());
|
||||
|
||||
Ok(Arc::new(Self {
|
||||
resolver,
|
||||
dns: dns.clone(),
|
||||
matrix_resolver,
|
||||
dns_resolver,
|
||||
|
||||
default: base(config)?.dns_resolver(dns.clone()).build()?,
|
||||
default: base(config)?
|
||||
.dns_resolver(matrix_dns_resolver.clone())
|
||||
.build()?,
|
||||
|
||||
url_preview: base(config)
|
||||
.and_then(|builder| {
|
||||
builder_interface(builder, url_preview_bind_iface.as_deref())
|
||||
})?
|
||||
.local_address(url_preview_bind_addr)
|
||||
.dns_resolver(dns.clone())
|
||||
.dns_resolver(matrix_dns_resolver.clone())
|
||||
.timeout(Duration::from_secs(config.url_preview_timeout))
|
||||
.redirect(redirect::Policy::limited(3))
|
||||
.user_agent(url_preview_user_agent)
|
||||
.build()?,
|
||||
|
||||
extern_media: base(config)?
|
||||
.dns_resolver(dns.clone())
|
||||
.dns_resolver(matrix_dns_resolver.clone())
|
||||
.redirect(redirect::Policy::limited(3))
|
||||
.build()?,
|
||||
|
||||
federation: base(config)?
|
||||
.dns_resolver(dns.clone())
|
||||
.dns_resolver(matrix_dns_resolver.clone())
|
||||
.connect_timeout(Duration::from_secs(config.federation_conn_timeout))
|
||||
.read_timeout(Duration::from_secs(config.federation_timeout))
|
||||
.timeout(Duration::from_secs(
|
||||
@@ -98,7 +104,7 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
|
||||
.build()?,
|
||||
|
||||
federation_slow: base(config)?
|
||||
.dns_resolver(dns.clone())
|
||||
.dns_resolver(matrix_dns_resolver.clone())
|
||||
.connect_timeout(Duration::from_secs(config.federation_conn_timeout))
|
||||
.read_timeout(Duration::from_secs(config.federation_timeout.saturating_mul(6)))
|
||||
.timeout(Duration::from_secs(
|
||||
@@ -112,7 +118,7 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
|
||||
.build()?,
|
||||
|
||||
sender: base(config)?
|
||||
.dns_resolver(dns.clone())
|
||||
.dns_resolver(matrix_dns_resolver.clone())
|
||||
.connect_timeout(Duration::from_secs(config.federation_conn_timeout))
|
||||
.read_timeout(Duration::from_secs(config.sender_timeout))
|
||||
.timeout(Duration::from_secs(config.sender_timeout))
|
||||
@@ -122,7 +128,7 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
|
||||
.build()?,
|
||||
|
||||
appservice: base(config)?
|
||||
.dns_resolver(dns.clone())
|
||||
.dns_resolver(matrix_dns_resolver.clone())
|
||||
.connect_timeout(Duration::from_secs(5))
|
||||
.read_timeout(Duration::from_secs(config.appservice_timeout))
|
||||
.timeout(Duration::from_secs(config.appservice_timeout))
|
||||
@@ -132,7 +138,7 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
|
||||
.build()?,
|
||||
|
||||
pusher: base(config)?
|
||||
.dns_resolver(dns)
|
||||
.dns_resolver(matrix_dns_resolver)
|
||||
.connect_timeout(Duration::from_secs(config.pusher_conn_timeout))
|
||||
.timeout(Duration::from_secs(config.pusher_timeout))
|
||||
.pool_max_idle_per_host(1)
|
||||
@@ -151,11 +157,11 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
|
||||
}
|
||||
|
||||
async fn clear_cache(&self) {
|
||||
self.resolver.clear_cache();
|
||||
self.dns.resolver.clear_cache();
|
||||
self.matrix_resolver.clear_cache();
|
||||
self.dns_resolver.clear_cache();
|
||||
}
|
||||
|
||||
fn name(&self) -> &str { service::make_name(std::module_path!()) }
|
||||
fn name(&self) -> &str { service::make_name(module_path!()) }
|
||||
}
|
||||
|
||||
impl Service {
|
||||
@@ -254,3 +260,58 @@ fn builder_interface(
|
||||
Ok(builder)
|
||||
}
|
||||
}
|
||||
|
||||
fn get_dns_resolver(server: &Arc<Server>) -> Result<Arc<TokioResolver>> {
|
||||
let config = &server.config;
|
||||
let (sys_conf, mut opts) = hickory_resolver::system_conf::read_system_conf()
|
||||
.map_err(|e| err!(error!("Failed to configure DNS resolver from system: {e}")))?;
|
||||
|
||||
let mut conf = hickory_resolver::config::ResolverConfig::default();
|
||||
|
||||
if let Some(domain) = sys_conf.domain() {
|
||||
conf.set_domain(domain.clone());
|
||||
}
|
||||
|
||||
for sys_conf in sys_conf.search() {
|
||||
conf.add_search(sys_conf.clone());
|
||||
}
|
||||
|
||||
for sys_conf in sys_conf.name_servers() {
|
||||
let mut ns = sys_conf.clone();
|
||||
|
||||
if config.query_over_tcp_only {
|
||||
ns.connections = vec![ConnectionConfig::tcp()];
|
||||
}
|
||||
|
||||
ns.trust_negative_responses = !config.query_all_nameservers;
|
||||
|
||||
conf.add_name_server(ns);
|
||||
}
|
||||
|
||||
opts.cache_size = u64::from(config.dns_cache_entries);
|
||||
opts.preserve_intermediates = true;
|
||||
opts.negative_min_ttl = Some(Duration::from_secs(config.dns_min_ttl_nxdomain));
|
||||
opts.negative_max_ttl = Some(Duration::from_hours(720));
|
||||
opts.positive_min_ttl = Some(Duration::from_secs(config.dns_min_ttl));
|
||||
opts.positive_max_ttl = Some(Duration::from_hours(168));
|
||||
opts.timeout = Duration::from_secs(config.dns_timeout);
|
||||
opts.attempts = config.dns_attempts.into();
|
||||
opts.try_tcp_on_error = config.dns_tcp_fallback;
|
||||
opts.num_concurrent_reqs = 1;
|
||||
opts.edns0 = true;
|
||||
opts.case_randomization = true;
|
||||
opts.ip_strategy = match config.ip_lookup_strategy {
|
||||
| 1 => hickory_resolver::config::LookupIpStrategy::Ipv4Only,
|
||||
| 2 => hickory_resolver::config::LookupIpStrategy::Ipv6Only,
|
||||
| 3 => hickory_resolver::config::LookupIpStrategy::Ipv4AndIpv6,
|
||||
| 4 => hickory_resolver::config::LookupIpStrategy::Ipv6thenIpv4,
|
||||
| _ => hickory_resolver::config::LookupIpStrategy::Ipv4thenIpv6,
|
||||
};
|
||||
|
||||
let runtime_provider = TokioRuntimeProvider::new();
|
||||
let mut builder = TokioResolver::builder_with_config(conf, runtime_provider);
|
||||
*builder.options_mut() = opts;
|
||||
let resolver = Arc::new(builder.build().expect("failed to build resolver :("));
|
||||
|
||||
Ok(resolver)
|
||||
}
|
||||
|
||||
@@ -134,7 +134,7 @@ pub async fn execute_on<'i, T, PathBuilderInput>(
|
||||
let actual = self
|
||||
.services
|
||||
.client
|
||||
.resolver
|
||||
.matrix_resolver
|
||||
.resolve_server(dest.as_str())
|
||||
.await?;
|
||||
|
||||
|
||||
@@ -240,6 +240,19 @@ async fn migrate(services: &Services) -> Result<()> {
|
||||
.map_err(|e| err!("Failed to run 'split_userid_password' migration': {e}"))?;
|
||||
}
|
||||
|
||||
if db["global"]
|
||||
.get(DROP_ROOMSYNCTOKEN_SHORTSTATEHASH)
|
||||
.await
|
||||
.is_not_found()
|
||||
{
|
||||
info!("Running migration 'drop_roomsynctoken_shortstatehash'");
|
||||
obliterate_roomsynctoken_shortstatehash_with_extreme_prejudice(services)
|
||||
.await
|
||||
.map_err(|e| {
|
||||
err!("Failed to run 'drop_roomsynctoken_shortstatehash' migration': {e}")
|
||||
})?;
|
||||
}
|
||||
|
||||
assert_eq!(
|
||||
services.globals.db.database_version().await,
|
||||
DATABASE_VERSION,
|
||||
@@ -873,3 +886,14 @@ async fn split_userid_password(services: &Services) -> Result {
|
||||
db.db.sort()?;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
const DROP_ROOMSYNCTOKEN_SHORTSTATEHASH: &str = "drop_roomsynctoken_shortstatehash";
|
||||
async fn obliterate_roomsynctoken_shortstatehash_with_extreme_prejudice(
|
||||
services: &Services,
|
||||
) -> Result {
|
||||
services.db.db.drop_column("roomsynctoken_shortstatehash")?;
|
||||
|
||||
info!("Cleared roomsynctoken_shortstatehash.");
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
+40
-14
@@ -8,7 +8,7 @@
|
||||
};
|
||||
|
||||
use regex::Regex;
|
||||
use ruma::OwnedDeviceId;
|
||||
use ruma::{OwnedDeviceId, api::OAuthClientScope};
|
||||
use serde::{Deserialize, Serialize};
|
||||
use url::Url;
|
||||
|
||||
@@ -55,26 +55,40 @@ pub enum Prompt {
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone, Deserialize, Serialize, PartialOrd, Ord)]
|
||||
pub enum Scope {
|
||||
pub enum RequestedScope {
|
||||
Device(OwnedDeviceId),
|
||||
ClientApi,
|
||||
ApiFullAccess,
|
||||
ServerAdministration,
|
||||
}
|
||||
|
||||
impl PartialEq for Scope {
|
||||
impl RequestedScope {
|
||||
#[must_use]
|
||||
pub fn as_granted_scope(&self) -> Option<OAuthClientScope> {
|
||||
match self {
|
||||
| Self::ApiFullAccess => Some(OAuthClientScope::ApiFullAccess),
|
||||
| Self::ServerAdministration => Some(OAuthClientScope::ServerAdministration),
|
||||
| Self::Device(_) => None,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl PartialEq for RequestedScope {
|
||||
fn eq(&self, other: &Self) -> bool { discriminant(self) == discriminant(other) }
|
||||
}
|
||||
|
||||
impl Eq for Scope {}
|
||||
impl Eq for RequestedScope {}
|
||||
|
||||
impl Hash for Scope {
|
||||
impl Hash for RequestedScope {
|
||||
fn hash<H: std::hash::Hasher>(&self, state: &mut H) { discriminant(self).hash(state); }
|
||||
}
|
||||
|
||||
impl Display for Scope {
|
||||
impl Display for RequestedScope {
|
||||
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
||||
let urn = match self {
|
||||
| Self::ClientApi => "urn:matrix:client:api:*".to_owned(),
|
||||
| Self::ApiFullAccess => "urn:matrix:client:api:*".to_owned(),
|
||||
| Self::Device(device_id) => format!("urn:matrix:client:device:{device_id}"),
|
||||
| Self::ServerAdministration =>
|
||||
"urn:matrix:client:cc.c10y.msc4484.server_administration".to_owned(),
|
||||
};
|
||||
|
||||
f.write_str(&urn)
|
||||
@@ -85,22 +99,27 @@ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
||||
pub struct RawScopes(String);
|
||||
|
||||
impl RawScopes {
|
||||
pub fn to_scopes(&self) -> Result<BTreeSet<Scope>, String> {
|
||||
let client_api_token_regex =
|
||||
pub fn to_scopes(&self) -> Result<BTreeSet<RequestedScope>, String> {
|
||||
let full_access_regex =
|
||||
Regex::new(r"urn:matrix:(client|org.matrix.msc2967.client):api:\*").unwrap();
|
||||
let device_token_regex = Regex::new(
|
||||
r"urn:matrix:(client|org.matrix.msc2967.client):device:([a-zA-Z0-9-._~]{5,})",
|
||||
)
|
||||
.unwrap();
|
||||
let server_administration_regex =
|
||||
Regex::new(r"urn:matrix:client:cc.c10y.msc4484.server_administration").unwrap();
|
||||
|
||||
let mut scopes = BTreeSet::new();
|
||||
|
||||
for token in self.0.split(' ') {
|
||||
let scope_was_new = {
|
||||
if client_api_token_regex.is_match(token) {
|
||||
scopes.insert(Scope::ClientApi)
|
||||
if full_access_regex.is_match(token) {
|
||||
scopes.insert(RequestedScope::ApiFullAccess)
|
||||
} else if let Some(captures) = device_token_regex.captures(token) {
|
||||
scopes.insert(Scope::Device(captures.get(2).unwrap().as_str().into()))
|
||||
scopes
|
||||
.insert(RequestedScope::Device(captures.get(2).unwrap().as_str().into()))
|
||||
} else if server_administration_regex.is_match(token) {
|
||||
scopes.insert(RequestedScope::ServerAdministration)
|
||||
} else if token == "openid" {
|
||||
// TODO(unspecced): Element sets this scope but doesn't use it for anything
|
||||
true
|
||||
@@ -160,8 +179,15 @@ pub enum ErrorCode {
|
||||
InvalidClientMetadata,
|
||||
}
|
||||
|
||||
#[derive(Serialize)]
|
||||
#[serde(untagged)]
|
||||
pub enum AuthorizationCodeResponse {
|
||||
Success(AuthorizationCodeData),
|
||||
Error(OAuthError),
|
||||
}
|
||||
|
||||
#[derive(Serialize, Deserialize)]
|
||||
pub struct AuthorizationCodeResponse {
|
||||
pub struct AuthorizationCodeData {
|
||||
pub state: String,
|
||||
pub code: String,
|
||||
}
|
||||
|
||||
+52
-38
@@ -12,7 +12,7 @@
|
||||
use database::{Deserialized, Json, Map};
|
||||
use itertools::Itertools;
|
||||
use lru_cache::LruCache;
|
||||
use ruma::{DeviceId, OwnedDeviceId, OwnedUserId, UserId};
|
||||
use ruma::{DeviceId, OwnedDeviceId, OwnedUserId, UserId, api::OAuthClientScope};
|
||||
use serde::{Deserialize, Serialize};
|
||||
use url::Url;
|
||||
|
||||
@@ -21,8 +21,9 @@
|
||||
oauth::{
|
||||
client_metadata::{ApplicationType, ClientMetadata, ResponseType},
|
||||
grant::{
|
||||
AuthorizationCodeQuery, AuthorizationCodeResponse, CodeChallengeMethod, ErrorCode,
|
||||
OAuthError, ResponseMode, Scope, TokenRequest, TokenResponse, TokenType,
|
||||
AuthorizationCodeData, AuthorizationCodeQuery, AuthorizationCodeResponse,
|
||||
CodeChallengeMethod, ErrorCode, OAuthError, RequestedScope, ResponseMode,
|
||||
TokenRequest, TokenResponse, TokenType,
|
||||
},
|
||||
},
|
||||
users,
|
||||
@@ -51,7 +52,7 @@ struct Services {
|
||||
#[derive(Debug, Deserialize, Serialize)]
|
||||
pub struct SessionInfo {
|
||||
pub client_id: String,
|
||||
pub scopes: BTreeSet<Scope>,
|
||||
pub scopes: BTreeSet<OAuthClientScope>,
|
||||
current_refresh_token: String,
|
||||
}
|
||||
|
||||
@@ -64,7 +65,7 @@ struct RefreshTokenInfo {
|
||||
|
||||
struct PendingCodeGrant {
|
||||
authorizing_user: OwnedUserId,
|
||||
requested_scopes: BTreeSet<Scope>,
|
||||
requested_scopes: BTreeSet<RequestedScope>,
|
||||
client_name: Option<String>,
|
||||
expected_client_id: String,
|
||||
expected_redirect_uri: Url,
|
||||
@@ -224,49 +225,59 @@ pub async fn request_authorization_code(
|
||||
}
|
||||
}
|
||||
|
||||
let requested_scopes = query.scope.to_scopes()?;
|
||||
|
||||
let redirect_uri_query_separator = match query.response_mode {
|
||||
| ResponseMode::Fragment => '#',
|
||||
| ResponseMode::Query => '?',
|
||||
};
|
||||
|
||||
let code = PendingCodeGrant::generate_code();
|
||||
let response = 'response: {
|
||||
let requested_scopes = query.scope.to_scopes()?;
|
||||
|
||||
info!(
|
||||
client_id = &query.client_id,
|
||||
client_name = &client_metadata.client_name,
|
||||
?requested_scopes,
|
||||
?authorizing_user,
|
||||
"Issuing oauth authorization code"
|
||||
);
|
||||
if requested_scopes.contains(&RequestedScope::ServerAdministration) {
|
||||
// Only server admins can request this scope
|
||||
if !self.services.users.is_admin(&authorizing_user).await {
|
||||
break 'response AuthorizationCodeResponse::Error(OAuthError {
|
||||
error: ErrorCode::AccessDenied,
|
||||
error_description: "You are not a server administrator.".into(),
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
let code = PendingCodeGrant::generate_code();
|
||||
|
||||
info!(
|
||||
client_id = &query.client_id,
|
||||
client_name = &client_metadata.client_name,
|
||||
?requested_scopes,
|
||||
?authorizing_user,
|
||||
"Issuing oauth authorization code"
|
||||
);
|
||||
|
||||
let pending_grant = PendingCodeGrant {
|
||||
authorizing_user,
|
||||
requested_scopes,
|
||||
client_name: client_metadata.client_name,
|
||||
expected_client_id: query.client_id,
|
||||
expected_redirect_uri: query.redirect_uri.clone(),
|
||||
code_challenge: query.code_challenge,
|
||||
requested_at: SystemTime::now(),
|
||||
};
|
||||
|
||||
self.pending_code_grants
|
||||
.lock()
|
||||
.await
|
||||
.insert(code.clone(), pending_grant);
|
||||
|
||||
AuthorizationCodeResponse::Success(AuthorizationCodeData { state: query.state, code })
|
||||
};
|
||||
|
||||
let redirect_uri = format!(
|
||||
"{}{}{}",
|
||||
query.redirect_uri,
|
||||
redirect_uri_query_separator,
|
||||
serde_urlencoded::to_string(AuthorizationCodeResponse {
|
||||
state: query.state,
|
||||
code: code.clone(),
|
||||
})
|
||||
.unwrap(),
|
||||
serde_urlencoded::to_string(response).unwrap(),
|
||||
);
|
||||
|
||||
let pending_grant = PendingCodeGrant {
|
||||
authorizing_user,
|
||||
requested_scopes,
|
||||
client_name: client_metadata.client_name,
|
||||
expected_client_id: query.client_id,
|
||||
expected_redirect_uri: query.redirect_uri,
|
||||
code_challenge: query.code_challenge,
|
||||
requested_at: SystemTime::now(),
|
||||
};
|
||||
|
||||
self.pending_code_grants
|
||||
.lock()
|
||||
.await
|
||||
.insert(code, pending_grant);
|
||||
|
||||
Ok(redirect_uri)
|
||||
}
|
||||
|
||||
@@ -339,7 +350,7 @@ pub async fn revoke_token(&self, token: String) -> Result<(), OAuthError> {
|
||||
async fn create_session(
|
||||
&self,
|
||||
authorizing_user: OwnedUserId,
|
||||
requested_scopes: BTreeSet<Scope>,
|
||||
requested_scopes: BTreeSet<RequestedScope>,
|
||||
client_name: Option<String>,
|
||||
client_id: String,
|
||||
) -> Result<TokenResponse, OAuthError> {
|
||||
@@ -349,7 +360,7 @@ async fn create_session(
|
||||
let device_id = requested_scopes
|
||||
.iter()
|
||||
.find_map(|scope| {
|
||||
if let Scope::Device(device_id) = scope {
|
||||
if let RequestedScope::Device(device_id) = scope {
|
||||
Some(device_id)
|
||||
} else {
|
||||
None
|
||||
@@ -391,7 +402,10 @@ async fn create_session(
|
||||
Json(SessionInfo {
|
||||
client_id: client_id.clone(),
|
||||
current_refresh_token: refresh_token.clone(),
|
||||
scopes: requested_scopes.clone(),
|
||||
scopes: requested_scopes
|
||||
.iter()
|
||||
.filter_map(RequestedScope::as_granted_scope)
|
||||
.collect(),
|
||||
}),
|
||||
);
|
||||
|
||||
|
||||
@@ -33,7 +33,7 @@
|
||||
|
||||
use crate::{
|
||||
Dep, config, globals, media,
|
||||
oauth::grant::AuthorizationCodeResponse,
|
||||
oauth::grant::AuthorizationCodeData,
|
||||
threepid,
|
||||
users::{self, AccountStatus, ProfileFieldChange},
|
||||
};
|
||||
@@ -172,7 +172,8 @@ async fn worker(self: Arc<Self>) -> Result {
|
||||
.expect("redirect url should be valid");
|
||||
|
||||
let provider_metadata = CoreProviderMetadata::discover_async(
|
||||
IssuerUrl::from_url(config.discovery_url.clone()),
|
||||
IssuerUrl::new(config.discovery_url.clone())
|
||||
.map_err(|err| err!("Failed to parse OIDC discovery URL: {err}"))?,
|
||||
client,
|
||||
)
|
||||
.await
|
||||
@@ -244,7 +245,7 @@ pub async fn begin_session(&self, prompt: Option<CoreAuthPrompt>) -> (PendingSes
|
||||
pub async fn exchange_code(
|
||||
&self,
|
||||
session: PendingSession,
|
||||
response: AuthorizationCodeResponse,
|
||||
response: AuthorizationCodeData,
|
||||
) -> Result<Claims, &'static str> {
|
||||
let Some(OidcClient { machine, client, .. }) = self.client.as_ref() else {
|
||||
return Err("Delegated authentication is not enabled on this server.");
|
||||
|
||||
@@ -4,83 +4,18 @@
|
||||
};
|
||||
|
||||
use conduwuit::{
|
||||
Err, Event, PduEvent, Result, debug, debug_error, debug_info, debug_warn, defer, err, error,
|
||||
info, matrix::PartialPdu, result::DebugInspect, trace, utils::time::jitter, warn,
|
||||
Err, Event, Result, debug, debug_error, debug_warn, defer, err, error, info,
|
||||
matrix::PartialPdu, result::DebugInspect, trace, utils::time::jitter, warn,
|
||||
};
|
||||
use futures::{
|
||||
FutureExt, StreamExt,
|
||||
future::{OptionFuture, try_join4},
|
||||
};
|
||||
use ruma::{
|
||||
CanonicalJsonValue, EventId, OwnedUserId, RoomId, ServerName, UserId,
|
||||
events::{
|
||||
TimelineEventType,
|
||||
room::member::{MembershipState, RoomMemberEventContent},
|
||||
},
|
||||
};
|
||||
use ruma::{CanonicalJsonValue, EventId, OwnedUserId, RoomId, ServerName, UserId};
|
||||
use tokio::sync::mpsc;
|
||||
|
||||
use crate::rooms::timeline::{RawPduId, pdu_fits};
|
||||
|
||||
async fn should_rescind_invite(
|
||||
services: &crate::rooms::event_handler::Services,
|
||||
content: &mut BTreeMap<String, CanonicalJsonValue>,
|
||||
sender: &UserId,
|
||||
room_id: &RoomId,
|
||||
) -> Result<Option<PduEvent>> {
|
||||
// We insert a bogus event ID since we can't actually calculate the right one
|
||||
content.insert("event_id".to_owned(), CanonicalJsonValue::String("$rescind".to_owned()));
|
||||
let pdu_event = serde_json::from_value::<PduEvent>(
|
||||
serde_json::to_value(&content).expect("CanonicalJsonObj is a valid JsonValue"),
|
||||
)
|
||||
.map_err(|e| err!("invalid PDU: {e}"))?;
|
||||
|
||||
if pdu_event.room_id().is_none_or(|r| r != room_id)
|
||||
&& pdu_event.sender() != sender
|
||||
&& pdu_event.event_type() != &TimelineEventType::RoomMember
|
||||
&& pdu_event.state_key().is_none_or(|v| v == sender.as_str())
|
||||
{
|
||||
return Ok(None);
|
||||
}
|
||||
|
||||
let target_user_id = UserId::parse(pdu_event.state_key().unwrap())?;
|
||||
if pdu_event
|
||||
.get_content::<RoomMemberEventContent>()?
|
||||
.membership
|
||||
!= MembershipState::Leave
|
||||
{
|
||||
return Ok(None); // Not a leave event
|
||||
}
|
||||
|
||||
// Does the target user have a pending invite?
|
||||
let Ok(pending_invite_state) = services
|
||||
.state_cache
|
||||
.invite_state(&target_user_id, room_id)
|
||||
.await
|
||||
else {
|
||||
return Ok(None); // No pending invite, so nothing to rescind
|
||||
};
|
||||
for event in pending_invite_state {
|
||||
if event
|
||||
.get_field::<String>("type")?
|
||||
.is_some_and(|t| t == "m.room.member")
|
||||
|| event
|
||||
.get_field::<OwnedUserId>("state_key")?
|
||||
.is_some_and(|s| s == *target_user_id)
|
||||
|| event
|
||||
.get_field::<OwnedUserId>("sender")?
|
||||
.is_some_and(|s| s == *sender)
|
||||
|| event
|
||||
.get_field::<RoomMemberEventContent>("content")?
|
||||
.is_some_and(|c| c.membership == MembershipState::Invite)
|
||||
{
|
||||
return Ok(Some(pdu_event));
|
||||
}
|
||||
}
|
||||
|
||||
Ok(None)
|
||||
}
|
||||
|
||||
impl super::Service {
|
||||
/// When receiving an event one needs to:
|
||||
/// 0. Check the server is in the room
|
||||
@@ -183,28 +118,6 @@ pub async fn handle_incoming_pdu<'a>(
|
||||
.server_in_room(self.services.globals.server_name(), room_id)
|
||||
.await
|
||||
{
|
||||
// Is this a federated invite rescind?
|
||||
// copied from https://github.com/element-hq/synapse/blob/7e4588a/synapse/handlers/federation_event.py#L255-L300
|
||||
if value.get("type").and_then(|t| t.as_str()) == Some("m.room.member") {
|
||||
if let Some(pdu) =
|
||||
should_rescind_invite(&self.services, &mut value.clone(), &sender, room_id)
|
||||
.await?
|
||||
{
|
||||
debug_info!(
|
||||
"Invite to {room_id} appears to have been rescinded by {sender}, \
|
||||
marking as left"
|
||||
);
|
||||
|
||||
self.services
|
||||
.state_cache
|
||||
.mark_as_left(&sender, room_id, Some(pdu))
|
||||
.await;
|
||||
|
||||
self.services.sync.wake(&sender).await;
|
||||
|
||||
return Ok(None);
|
||||
}
|
||||
}
|
||||
info!(
|
||||
%origin,
|
||||
%room_id,
|
||||
|
||||
@@ -24,7 +24,7 @@
|
||||
};
|
||||
use tokio::sync::{Notify, mpsc};
|
||||
|
||||
use crate::{Dep, globals, rooms, sending, server_keys, sync};
|
||||
use crate::{Dep, globals, rooms, sending, server_keys};
|
||||
pub struct Service {
|
||||
pub mutex_federation: RoomMutexMap,
|
||||
pub federation_handletime: SyncRwLock<HandleTimeMap>,
|
||||
@@ -47,7 +47,6 @@ struct Services {
|
||||
state_cache: Dep<rooms::state_cache::Service>,
|
||||
state_accessor: Dep<rooms::state_accessor::Service>,
|
||||
state_compressor: Dep<rooms::state_compressor::Service>,
|
||||
sync: Dep<sync::Service>,
|
||||
timeline: Dep<rooms::timeline::Service>,
|
||||
server: Arc<Server>,
|
||||
}
|
||||
@@ -78,7 +77,6 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
|
||||
.depend::<rooms::state_accessor::Service>("rooms::state_accessor"),
|
||||
state_compressor: args
|
||||
.depend::<rooms::state_compressor::Service>("rooms::state_compressor"),
|
||||
sync: args.depend::<sync::Service>("sync"),
|
||||
timeline: args.depend::<rooms::timeline::Service>("rooms::timeline"),
|
||||
server: args.server.clone(),
|
||||
},
|
||||
|
||||
@@ -263,6 +263,15 @@ pub async fn get_room_hierarchy_for_user(
|
||||
continue;
|
||||
}
|
||||
|
||||
// Bail out if queue length exceeds 50 to keep cycles in the space graph from
|
||||
// blowing up the traversal. If you actually have over fifty nested spaces,
|
||||
// and you're looking at this function to figure out what the issue is, I
|
||||
// suggest you reconsider some of the choices you made which led you to this
|
||||
// point.
|
||||
if queue.len() > 50 {
|
||||
return Err!("Space hierarchy is unreasonably large");
|
||||
}
|
||||
|
||||
// Add accessible children as a new layer
|
||||
if !summary.children.is_empty() {
|
||||
queue.push(summary.children);
|
||||
|
||||
@@ -6,8 +6,7 @@
|
||||
};
|
||||
use ruma::api::{
|
||||
IncomingResponse, OutgoingRequest,
|
||||
appservice::Registration,
|
||||
auth_scheme::{AccessToken, SendAccessToken},
|
||||
appservice::{HomeserverToken, Registration},
|
||||
path_builder::SinglePath,
|
||||
};
|
||||
|
||||
@@ -22,7 +21,9 @@ pub async fn send_appservice_request<T>(
|
||||
request: T,
|
||||
) -> Result<Option<T::IncomingResponse>>
|
||||
where
|
||||
T: OutgoingRequest<Authentication = AccessToken, PathBuilder = SinglePath> + Debug + Send,
|
||||
T: OutgoingRequest<Authentication = HomeserverToken, PathBuilder = SinglePath>
|
||||
+ Debug
|
||||
+ Send,
|
||||
{
|
||||
let Some(dest) = registration.url else {
|
||||
return Ok(None);
|
||||
@@ -36,7 +37,7 @@ pub async fn send_appservice_request<T>(
|
||||
|
||||
let hs_token = registration.hs_token.as_str();
|
||||
let mut http_request = request
|
||||
.try_into_http_request::<BytesMut>(&dest, SendAccessToken::Appservice(hs_token), ())
|
||||
.try_into_http_request::<BytesMut>(&dest, hs_token, ())
|
||||
.map_err(|e| {
|
||||
err!(BadServerResponse(
|
||||
warn!(appservice = %registration.id, "Failed to find destination {dest}: {e:?}")
|
||||
|
||||
@@ -197,7 +197,7 @@ pub async fn create_local_account(
|
||||
// register, suspend them.
|
||||
if !was_first_user && self.services.config.suspend_on_register {
|
||||
// Note that we can still do auto joins for suspended users
|
||||
self.suspend_account(user_id, &self.services.globals.server_user)
|
||||
self.suspend_account(user_id, Some(&self.services.globals.server_user))
|
||||
.await;
|
||||
|
||||
// And send an @room notice to the admin room, to prompt admins to review the
|
||||
@@ -389,13 +389,13 @@ pub async fn deactivate_account(&self, user_id: &UserId) -> Result<()> {
|
||||
}
|
||||
|
||||
/// Suspend account, placing it in a read-only state
|
||||
pub async fn suspend_account(&self, user_id: &UserId, suspending_user: &UserId) {
|
||||
pub async fn suspend_account(&self, user_id: &UserId, suspending_user: Option<&UserId>) {
|
||||
self.db.userid_suspension.raw_put(
|
||||
user_id,
|
||||
Json(UserSuspension {
|
||||
suspended: true,
|
||||
suspended_at: MilliSecondsSinceUnixEpoch::now().get().into(),
|
||||
suspended_by: suspending_user.to_string(),
|
||||
suspended_by: suspending_user.map(ToString::to_string),
|
||||
}),
|
||||
);
|
||||
}
|
||||
@@ -406,7 +406,7 @@ pub async fn unsuspend_account(&self, user_id: &UserId) {
|
||||
}
|
||||
|
||||
/// Locks an account, preventing it being used until it is unlocked.
|
||||
pub async fn lock_account(&self, user_id: &UserId, locking_user: &UserId) {
|
||||
pub async fn lock_account(&self, user_id: &UserId, locking_user: Option<&UserId>) {
|
||||
// NOTE: Locking is basically just suspension with a more severe effect,
|
||||
// so we'll just re-use the suspension data structure to store the lock state.
|
||||
let suspension = self
|
||||
@@ -418,7 +418,7 @@ pub async fn lock_account(&self, user_id: &UserId, locking_user: &UserId) {
|
||||
.unwrap_or_else(|_| UserSuspension {
|
||||
suspended: true,
|
||||
suspended_at: MilliSecondsSinceUnixEpoch::now().get().into(),
|
||||
suspended_by: locking_user.to_string(),
|
||||
suspended_by: locking_user.map(ToString::to_string),
|
||||
});
|
||||
|
||||
self.db.userid_lock.raw_put(user_id, Json(suspension));
|
||||
|
||||
@@ -31,7 +31,7 @@ pub struct UserSuspension {
|
||||
/// When the user was suspended (Unix timestamp in milliseconds)
|
||||
pub suspended_at: u64,
|
||||
/// User ID of who suspended this user
|
||||
pub suspended_by: String,
|
||||
pub suspended_by: Option<String>,
|
||||
}
|
||||
|
||||
/// A password hash. This is only for use when setting a user's password,
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user