feat: Add allowed_remote_server_names

This lets admins explicitly allow servers. It can be
combined with `forbidden_remote_server_names` to create
allowlist-only federation.

See also #31

Closes #673
Jade Ellis 2025-04-19 23:29:33 +01:00
parent 0eb9e4f3d2
commit 9e62076baa
No known key found for this signature in database
GPG key ID: 8705A2A3EBF77BD2
3 changed files with 39 additions and 2 deletions


@ -1206,10 +1206,20 @@
# #
# Basically "global" ACLs. # Basically "global" ACLs.
# #
# You can set this to ["*"] to block all servers by default, and then
# use `allowed_remote_server_names` to allow only specific servers.
#
# example: ["badserver\.tld$", "badphrase", "19dollarfortnitecards"] # example: ["badserver\.tld$", "badphrase", "19dollarfortnitecards"]
# #
#forbidden_remote_server_names = [] #forbidden_remote_server_names = []
# List of allowed server names via regex patterns that we will allow,
# regardless of if they match `forbidden_remote_server_names`.
#
# example: ["goodserver\.tld$", "goodphrase"]
#
#allowed_remote_server_names = []
# List of forbidden server names via regex patterns that we will block all # List of forbidden server names via regex patterns that we will block all
# outgoing federated room directory requests for. Useful for preventing # outgoing federated room directory requests for. Useful for preventing
# our users from wandering into bad servers or spaces. # our users from wandering into bad servers or spaces.


@ -1383,12 +1383,24 @@ pub struct Config {
/// ///
/// Basically "global" ACLs. /// Basically "global" ACLs.
/// ///
/// You can set this to ["*"] to block all servers by default, and then
/// use `allowed_remote_server_names` to allow only specific servers.
///
/// example: ["badserver\.tld$", "badphrase", "19dollarfortnitecards"] /// example: ["badserver\.tld$", "badphrase", "19dollarfortnitecards"]
/// ///
/// default: [] /// default: []
#[serde(default, with = "serde_regex")] #[serde(default, with = "serde_regex")]
pub forbidden_remote_server_names: RegexSet, pub forbidden_remote_server_names: RegexSet,
/// List of allowed server names via regex patterns that we will allow,
/// regardless of if they match `forbidden_remote_server_names`.
///
/// example: ["goodserver\.tld$", "goodphrase"]
///
/// default: []
#[serde(default, with = "serde_regex")]
pub allowed_remote_server_names: RegexSet,
/// List of forbidden server names via regex patterns that we will block all /// List of forbidden server names via regex patterns that we will block all
/// outgoing federated room directory requests for. Useful for preventing /// outgoing federated room directory requests for. Useful for preventing
/// our users from wandering into bad servers or spaces. /// our users from wandering into bad servers or spaces.
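Review bot: The doc comment added to `forbidden_remote_server_names` recommends `["*"]`, but the field is a `RegexSet` loaded through `serde_regex`, and a bare `*` is, as far as I know, rejected by the regex crate as a repetition operator with nothing to repeat, so that config would likely fail to load; the text should say `[".*"]`. Separately, because `allowed_remote_server_names` overrides the forbidden list, its example should be anchored at both ends: `RegexSet::is_match` is an unanchored search, so `goodserver\.tld$` also matches `notgoodserver.tld`, and `goodphrase` matches any server name that contains it. I would change the example to `/// example: ["^goodserver\.tld$"]` and add `/// Patterns are unanchored; use ^ and $ to match a whole server name.` The same wording is mirrored in the example config section above, and the field documented on the last lines of this hunk continues outside it.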


@ -24,8 +24,23 @@ impl crate::Service for Service {
#[implement(Service)] #[implement(Service)]
#[must_use] #[must_use]
pub fn is_remote_server_forbidden(&self, server_name: &ServerName) -> bool { pub fn is_remote_server_forbidden(&self, server_name: &ServerName) -> bool {
// Forbidden if NOT (allowed is empty OR allowed contains server OR is self) // We must never block federating with ourselves
// OR forbidden contains server if server_name == self.services.server.config.server_name {
return false;
}
// Check if server is explicitly allowed
if self
.services
.server
.config
.allowed_remote_server_names
.is_match(server_name.host())
{
return false;
}
// Check if server is explicitly forbidden
self.services self.services
.server .server
.config .config