refactor: Centralize server forbidden checks into moderation module

This moves all checks related to `forbidden_remote_server_names`,
`forbidden_remote_room_directory_server_names` and
`prevent_media_downloads_from` to a new `moderation` module.
This is useful for implementing more complicated logic globally.
Mostly the changes from #673, but also relevant to #750
This commit is contained in:
Jade Ellis 2025-04-19 23:02:43 +01:00
parent e71138ab6f
commit 0eb9e4f3d2
No known key found for this signature in database
GPG key ID: 8705A2A3EBF77BD2
18 changed files with 109 additions and 97 deletions


@ -64,13 +64,7 @@ where
return Err!(Config("allow_federation", "Federation is disabled."));
}
if self
.services
.server
.config
.forbidden_remote_server_names
.is_match(dest.host())
{
if self.services.moderation.is_remote_server_forbidden(dest) {
return Err!(Request(Forbidden(debug_warn!("Federation with {dest} is not allowed."))));
}


@ -4,7 +4,7 @@ use std::sync::Arc;
use conduwuit::{Result, Server};
use crate::{Dep, client, resolver, server_keys};
use crate::{Dep, client, moderation, resolver, server_keys};
pub struct Service {
services: Services,
@ -15,6 +15,7 @@ struct Services {
client: Dep<client::Service>,
resolver: Dep<resolver::Service>,
server_keys: Dep<server_keys::Service>,
moderation: Dep<moderation::Service>,
}
impl crate::Service for Service {
@ -25,6 +26,7 @@ impl crate::Service for Service {
client: args.depend::<client::Service>("client"),
resolver: args.depend::<resolver::Service>("resolver"),
server_keys: args.depend::<server_keys::Service>("server_keys"),
moderation: args.depend::<moderation::Service>("moderation"),
},
}))
}


@ -22,7 +22,7 @@ use tokio::{
use self::data::{Data, Metadata};
pub use self::thumbnail::Dim;
use crate::{Dep, client, globals, sending};
use crate::{Dep, client, globals, moderation, sending};
#[derive(Debug)]
pub struct FileMeta {
@ -42,6 +42,7 @@ struct Services {
client: Dep<client::Service>,
globals: Dep<globals::Service>,
sending: Dep<sending::Service>,
moderation: Dep<moderation::Service>,
}
/// generated MXC ID (`media-id`) length
@ -64,6 +65,7 @@ impl crate::Service for Service {
client: args.depend::<client::Service>("client"),
globals: args.depend::<globals::Service>("globals"),
sending: args.depend::<sending::Service>("sending"),
moderation: args.depend::<moderation::Service>("moderation"),
},
}))
}


@ -423,16 +423,8 @@ pub async fn fetch_remote_content_legacy(
fn check_fetch_authorized(&self, mxc: &Mxc<'_>) -> Result<()> {
if self
.services
.server
.config
.prevent_media_downloads_from
.is_match(mxc.server_name.host())
|| self
.services
.server
.config
.forbidden_remote_server_names
.is_match(mxc.server_name.host())
.moderation
.is_remote_server_media_downloads_forbidden(mxc.server_name)
{
// we'll lie to the client and say the blocked server's media was not found and
// log. the client has no way of telling anyways so this is a security bonus.


@ -16,6 +16,7 @@ pub mod federation;
pub mod globals;
pub mod key_backups;
pub mod media;
pub mod moderation;
pub mod presence;
pub mod pusher;
pub mod resolver;

62
src/service/moderation.rs Normal file

@ -0,0 +1,62 @@
use std::sync::Arc;
use conduwuit::{Result, Server, implement};
use ruma::ServerName;
pub struct Service {
services: Services,
}
struct Services {
pub server: Arc<Server>,
}
impl crate::Service for Service {
fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
Ok(Arc::new(Self {
services: Services { server: args.server.clone() },
}))
}
fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
}
#[implement(Service)]
#[must_use]
pub fn is_remote_server_forbidden(&self, server_name: &ServerName) -> bool {
// Forbidden if NOT (allowed is empty OR allowed contains server OR is self)
// OR forbidden contains server
self.services
.server
.config
.forbidden_remote_server_names
.is_match(server_name.host())
}
#[implement(Service)]
#[must_use]
pub fn is_remote_server_room_directory_forbidden(&self, server_name: &ServerName) -> bool {
// Forbidden if NOT (allowed is empty OR allowed contains server OR is self)
// OR forbidden contains server
self.is_remote_server_forbidden(server_name)
|| self
.services
.server
.config
.forbidden_remote_room_directory_server_names
.is_match(server_name.host())
}
#[implement(Service)]
#[must_use]
pub fn is_remote_server_media_downloads_forbidden(&self, server_name: &ServerName) -> bool {
// Forbidden if NOT (allowed is empty OR allowed contains server OR is self)
// OR forbidden contains server
self.is_remote_server_forbidden(server_name)
|| self
.services
.server
.config
.prevent_media_downloads_from
.is_match(server_name.host())
}
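Review bot: The comment repeated above each of the three predicates in src/service/moderation.rs (`// Forbidden if NOT (allowed is empty OR allowed contains server OR is self)` / `// OR forbidden contains server`) describes an allow-list rule that none of the bodies implement — each function only consults its deny list via `.is_match(server_name.host())`, and no allow list or self-check exists in this file. Replace them with comments that match the code, e.g. `// Forbidden when the host matches `forbidden_remote_server_names`.` on `is_remote_server_forbidden` and the analogous lines naming `forbidden_remote_room_directory_server_names` and `prevent_media_downloads_from` on the other two, or drop the allow-list wording until that logic lands (the description points at #673). Since these functions are now the single choke point for federation, room-directory and media blocking, a `///` doc comment on each stating that the general `forbidden_remote_server_names` check is already folded in (the two specialised predicates call `is_remote_server_forbidden` first) would stop callers from re-checking the config themselves. Matching is done on `server_name.host()` only, so a port in the server name is not considered; presumably intended, but worth stating in the doc comment as well.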


@ -12,7 +12,7 @@ use tokio::sync::Mutex;
use crate::{
account_data, admin, appservice, client, config, emergency, federation, globals, key_backups,
manager::Manager,
media, presence, pusher, resolver, rooms, sending, server_keys, service,
media, moderation, presence, pusher, resolver, rooms, sending, server_keys, service,
service::{Args, Map, Service},
sync, transaction_ids, uiaa, updates, users,
};
@ -39,6 +39,7 @@ pub struct Services {
pub uiaa: Arc<uiaa::Service>,
pub updates: Arc<updates::Service>,
pub users: Arc<users::Service>,
pub moderation: Arc<moderation::Service>,
manager: Mutex<Option<Arc<Manager>>>,
pub(crate) service: Arc<Map>,
@ -106,6 +107,7 @@ impl Services {
uiaa: build!(uiaa::Service),
updates: build!(updates::Service),
users: build!(users::Service),
moderation: build!(moderation::Service),
manager: Mutex::new(None),
service,