diff --git a/conduwuit-example.toml b/conduwuit-example.toml index 27e4cb0b..a7078140 100644 --- a/conduwuit-example.toml +++ b/conduwuit-example.toml @@ -224,9 +224,11 @@ registration_token = "change this token for something specific to your server" # No default. # forbidden_alias_names = [] -# List of forbidden server names that we will block all client room joins, incoming federated room directory requests, incoming federated invites for, and incoming federated joins. This check is applied on the room ID, room alias, sender server name, and sender user's server name. -# Basically "global" ACLs. For our user (client) checks, admin users are allowed. -# No default. +# List of forbidden server names that we will block incoming AND outgoing federation with, and block client room joins / remote user invites. +# +# This check is applied on the room ID, room alias, sender server name, sender user's server name, inbound federation X-Matrix origin, and outbound federation handler. +# +# Basically "global" ACLs. No default. # forbidden_remote_server_names = [] # List of forbidden server names that we will block all outgoing federated room directory requests for. Useful for preventing our users from wandering into bad servers or spaces. diff --git a/src/api/router/auth.rs b/src/api/router/auth.rs index 3f08ddba..2069e7b7 100644 --- a/src/api/router/auth.rs +++ b/src/api/router/auth.rs @@ -6,7 +6,7 @@ use axum_extra::{ typed_header::TypedHeaderRejectionReason, TypedHeader, }; -use conduit::{warn, Err, Error, Result}; +use conduit::{debug_info, warn, Err, Error, Result}; use http::uri::PathAndQuery; use ruma::{ api::{client::error::ErrorKind, AuthScheme, Metadata}, @@ -185,7 +185,7 @@ fn auth_appservice(services: &Services, request: &Request, info: Box, ) -> Result { - if !services.globals.allow_federation() { + if !services.server.config.allow_federation { return Err!(Config("allow_federation", "Federation is disabled.")); } 
@@ -206,6 +206,17 @@ async fn auth_server( })?; let origin = &x_matrix.origin; + + if services + .server + .config + .forbidden_remote_server_names + .contains(origin) + { + debug_info!("Refusing to accept inbound federation request to {origin}"); + return Err!(Request(Forbidden("Federation with this homeserver is not allowed."))); + } + let signatures = BTreeMap::from_iter([(x_matrix.key.clone(), CanonicalJsonValue::String(x_matrix.sig.to_string()))]); let signatures = BTreeMap::from_iter([( diff --git a/src/service/sending/send.rs b/src/service/sending/send.rs index b3a84d62..68d68571 100644 --- a/src/service/sending/send.rs +++ b/src/service/sending/send.rs @@ -1,7 +1,8 @@ use std::{fmt::Debug, mem}; use conduit::{ - debug, debug_error, debug_warn, error::inspect_debug_log, trace, utils::string::EMPTY, Err, Error, Result, + debug, debug_error, debug_info, debug_warn, error::inspect_debug_log, trace, utils::string::EMPTY, Err, Error, + Result, }; use http::{header::AUTHORIZATION, HeaderValue}; use ipaddress::IPAddress; @@ -31,6 +32,16 @@ impl super::Service { return Err!(Config("allow_federation", "Federation is disabled.")); } + if self + .server + .config + .forbidden_remote_server_names + .contains(&dest.to_owned()) + { + debug_info!("Refusing to send outbound federation request to {dest}"); + return Err!(Request(Forbidden("Federation with this homeserver is not allowed."))); + } + let actual = self.services.resolver.get_actual_dest(dest).await?; let request = self.prepare::(dest, &actual, req).await?; self.execute::(dest, &actual, request, client).await
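Review bot: The added `debug_info!` says the request is "to {origin}", but this is the inbound path and `origin` is the sender, so the log reads backwards; it is also only the origin claimed in the X-Matrix header, checked here before the signature lines that follow, so the name is not yet authenticated. I would write `debug_info!("Refusing inbound federation request claiming origin {origin}");` so a log reader does not take the entry as proof that the named server made the request. Rejecting before signature verification is a reasonable cheap reject, but the 403 lets any unauthenticated caller learn whether a given name is on `forbidden_remote_server_names`; a short comment should record that this is accepted. `contains(origin)` looks like an exact server-name match (the same holds for the outbound check in src/service/sending/send.rs), so a variant such as a name with an explicit port would presumably need its own entry, which is worth confirming and documenting. The body of `auth_server` starts and ends outside the hunk.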
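Review bot: `.contains(&dest.to_owned())` in the send.rs `@@ -31,6 +32,16 @@` hunk allocates an owned server name on every outbound request only to perform a lookup, while the inbound check in auth.rs passes a reference directly. If the collection is keyed by `OwnedServerName`, `.contains(dest)` should compile through its `Borrow<ServerName>` impl and avoids the clone. It is not visible here how callers treat the new `Forbidden` error; if the sending queue counts it as a transient failure, a blocked destination would keep being retried, so confirm it is handled as permanent. The enclosing function starts outside the hunk.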