Skip to content

An federation whitelist query endpoint extension #16848

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 15 commits into from
May 13, 2024
Merged

An federation whitelist query endpoint extension #16848

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
1d03cfa
An federation whitelist query endpoint extension
erikjohnston Jan 24, 2024
8653451
Newsfile
erikjohnston Jan 24, 2024
d4c1270
Add tests
erikjohnston Jan 24, 2024
b79f8e4
Merge branch 'develop' into erikj/federation_whitelist
devonh Apr 16, 2024
264746c
Merge branch 'develop' into erikj/federation_whitelist
devonh Apr 25, 2024
da1b7b9
Update docs/usage/configuration/config_documentation.md
devonh May 7, 2024
2ec7a55
Update docs/usage/configuration/config_documentation.md
devonh May 7, 2024
d9aa8a9
Update docs/usage/configuration/config_documentation.md
devonh May 7, 2024
1829e4a
Update tests/rest/synapse/client/test_federation_whitelist.py
devonh May 7, 2024
a70d14f
Add fed whitelist test that filters duplicates
devonh May 7, 2024
77bd7b2
Update fed whitelist docstring for clarity
devonh May 7, 2024
75a3ec2
Move config option under federation
devonh May 9, 2024
320fb3e
Version federation whitelist endpoint
devonh May 10, 2024
e3794ad
Remove reference to extension feature
devonh May 13, 2024
a75e5b3
Merge branch 'develop' into erikj/federation_whitelist
devonh May 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions docs/usage/configuration/config_documentation.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4541,3 +4541,34 @@ background_updates:
min_batch_size: 10
default_batch_size: 50
```


---
## Extension features
Configuration for extension features for Synapse

---
### `extension_federation_whitelist_endpoint`

Enables an endpoint for fetching the federation whitelist config.

The request path is `/_synapse/client/config/federation_whitelist`, and the
response format is:

```json
{
"whitelist_enabled": true, // Whether there is a federation whitelist
"whitelist": [ // Which hosts are allowed by the whitelist
"example.com"
]
}
```

If `whitelist_enabled` is `false` then the server can federate with all others.

The endpoint requires authentication.

Example configuration:
```yaml
extension_federation_whitelist_endpoint: true
```
2 changes: 2 additions & 0 deletions synapse/config/_base.pyi
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ from synapse.config import ( # noqa: F401
database,
emailconfig,
experimental,
extensions,
federation,
jwt,
key,
Expand Down Expand Up @@ -120,6 +121,7 @@ class RootConfig:
federation: federation.FederationConfig
retention: retention.RetentionConfig
background_updates: background_updates.BackgroundUpdateConfig
extensions: extensions.ExtensionsConfig

config_classes: List[Type["Config"]] = ...
config_files: List[str]
Expand Down
29 changes: 29 additions & 0 deletions synapse/config/extensions.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
#
# This file is licensed under the Affero General Public License (AGPL) version 3.
#
# Copyright (C) 2023 New Vector, Ltd
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# See the GNU Affero General Public License for more details:
# <https://www.gnu.org/licenses/agpl-3.0.html>.
#

from typing import Any

from synapse.config._base import Config
from synapse.types import JsonDict


class ExtensionsConfig(Config):
"""Config section for enabling extension features"""

section = "extensions"

def read_config(self, config: JsonDict, **kwargs: Any) -> None:
self.federation_whitelist_endpoint: bool = config.get(
Copy link
Member

@anoadragon453 anoadragon453 May 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Previously @erikjohnston noted that the "extension" config section was created as this option didn't fit in anywhere else.

But would it not fit under "federation"?

synapse/synapse/config/federation.py

Line 28 in 23740ea

class FederationConfig(Config):

Copy link
Member

@devonh devonh May 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It could be beneficial to follow the approach mentioned here: #17147 (comment)

ie. to move this to an in-tree-module and have the config follow the normal module config rules.

Copy link
Member

@devonh devonh May 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The approach mentioned in that PR was deemed undesirable for now.

Copy link
Member

@anoadragon453 anoadragon453 May 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But would it not fit under "federation"?

On this, @erikjohnston wrote on Matrix:

Yeah, maybe. I suppose the federation section is relatively small. I'm just thinking of what this will look like if we have e.g. 10 optional features like this, and whether we'd want them grouped together in one place in the docs or not
and whether its clearer in the code or not
I suppose we can cross that bridge when we come to it

I don't see this as an optional feature, more a config option like any other. And they won't end up all under federation of course, but spread across the config. I don't think they'll build up in any noticeable way as a group.

Copy link
Member

@devonh devonh May 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree. I'll move it under the federation section.

"extension_federation_whitelist_endpoint", False
)
2 changes: 2 additions & 0 deletions synapse/config/homeserver.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@
from .database import DatabaseConfig
from .emailconfig import EmailConfig
from .experimental import ExperimentalConfig
from .extensions import ExtensionsConfig
from .federation import FederationConfig
from .jwt import JWTConfig
from .key import KeyConfig
Expand Down Expand Up @@ -105,4 +106,5 @@ class HomeServerConfig(RootConfig):
RedisConfig,
ExperimentalConfig,
BackgroundUpdateConfig,
ExtensionsConfig,
]
4 changes: 4 additions & 0 deletions synapse/rest/synapse/client/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@

from twisted.web.resource import Resource

from synapse.rest.synapse.client.federation_whitelist import FederationWhitelistResource
from synapse.rest.synapse.client.new_user_consent import NewUserConsentResource
from synapse.rest.synapse.client.pick_idp import PickIdpResource
from synapse.rest.synapse.client.pick_username import pick_username_resource
Expand Down Expand Up @@ -76,6 +77,9 @@ def build_synapse_client_resource_tree(hs: "HomeServer") -> Mapping[str, Resourc
# To be removed in Synapse v1.32.0.
resources["/_matrix/saml2"] = res

if hs.config.extensions.federation_whitelist_endpoint:
resources[FederationWhitelistResource.PATH] = FederationWhitelistResource(hs)

return resources


Expand Down
67 changes: 67 additions & 0 deletions synapse/rest/synapse/client/federation_whitelist.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
#
# This file is licensed under the Affero General Public License (AGPL) version 3.
#
# Copyright (C) 2024 New Vector, Ltd
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# See the GNU Affero General Public License for more details:
# <https://www.gnu.org/licenses/agpl-3.0.html>.
#

import logging
from typing import TYPE_CHECKING, Tuple

from synapse.http.server import DirectServeJsonResource
from synapse.http.site import SynapseRequest
from synapse.types import JsonDict

if TYPE_CHECKING:
from synapse.server import HomeServer

logger = logging.getLogger(__name__)


class FederationWhitelistResource(DirectServeJsonResource):
"""Custom endpoint (disabled by default) to fetch the federation whitelist
config.

Only enabled if `federation_whitelist_endpoint` extension feature is
enabled.

Response format:

{
"whitelist_enabled": true, // Whether there is a federation whitelist
"whitelist": [ // Which hosts are allowed by the whitelist
"example.com"
]
}
"""

PATH = "/_synapse/client/config/federation_whitelist"

def __init__(self, hs: "HomeServer"):
super().__init__()

self._federation_whitelist = hs.config.federation.federation_domain_whitelist

self._auth = hs.get_auth()

async def _async_render_GET(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
await self._auth.get_user_by_req(request)

whitelist = []
if self._federation_whitelist:
# federation_whitelist is actually a dict, not a list
whitelist = list(self._federation_whitelist)

return_dict: JsonDict = {
"whitelist_enabled": self._federation_whitelist is not None,
"whitelist": whitelist,
}

return 200, return_dict