feat: added an error message along with a better setting for the ACL

This commit is contained in:
NinekoTheCat 2023-12-25 17:35:24 +01:00
parent b57dfddc19
commit 4628afe374
No known key found for this signature in database
GPG key ID: 700DB3F678A4AB66
3 changed files with 25 additions and 18 deletions


@ -3,9 +3,15 @@ use std::collections::HashSet;
use url::Host;
#[derive(Deserialize, Debug, Default, Clone)]
pub struct AccessControlListConfig {
/// setting this explicitly enables allowlists
pub(crate) allow_list: Option<HashSet<Host<String>>>,
#[serde(default = "default_as_false")]
pub allow_only_federation_from_allow_list: bool,
#[serde(default)]
pub(crate) allow_list: HashSet<Host<String>>,
#[serde(default)]
pub(crate) block_list: HashSet<Host<String>>,
}
fn default_as_false() -> bool {
false
}
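Review bot: The new `allow_only_federation_from_allow_list` field carries no doc comment, and the `/// setting this explicitly enables allowlists` note that explained the old `Option` semantics was dropped with it, so nothing on the config type says that `allow_list` is only consulted when this flag is true (which is what the `allow_list_enabled &&` guard in the service hunk of this commit does). I would add `/// When true, the allow-list check is enforced: only hosts in allow_list pass it. When false, allow_list is not consulted at all.` above the flag and `/// Hosts that are always refused; the block list is checked before the allow list.` above `block_list`. The `default = "default_as_false"` helper is redundant since `#[serde(default)]` already yields `false` for a `bool`, so the attribute can become `#[serde(default)]` and `default_as_false` can be deleted. The flag is also `pub` while its siblings are `pub(crate)`, which looks unintentional.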


@ -90,6 +90,15 @@ async fn main() {
}
};
if !config.allow_federation && config.acl.allow_only_federation_from_allow_list {
warn!(
r#"
Federation is disabled however acl.allow_only_federation_from_allow_list is enabled, this means that servers on the allow list won't be able to federate.
Unlike in synapse an ACL is always applied first before checking if federation is enabled.
"#
);
}
if config.allow_jaeger {
opentelemetry::global::set_text_map_propagator(opentelemetry_jaeger::Propagator::new());
let tracer = opentelemetry_jaeger::new_agent_pipeline()
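Review bot: The new warning covers one misconfiguration but not its mirror image: an operator who populates `acl.allow_list` without setting `acl.allow_only_federation_from_allow_list` gets no message, even though the service hunk in this commit only consults the configured allow list when that flag is true, so the list is silently ignored. I would add, next to the existing check, `if !config.acl.allow_only_federation_from_allow_list && !config.acl.allow_list.is_empty() {` / `warn!("acl.allow_list is set but acl.allow_only_federation_from_allow_list is false, so the configured allow list will not be consulted");` / `}`. Since the commit title calls this an error message, it is worth deciding explicitly whether an ACL/federation contradiction should abort startup rather than only `warn!`; the current code continues regardless. `main` starts and ends outside this hunk.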


@ -16,17 +16,12 @@ pub struct Service {
impl Service {
pub fn list_acls(&self, filter: Option<AclMode>) -> Vec<AclDatabaseEntry> {
let mut set = self.db.get_all_acls();
self.acl_config
.allow_list
.clone()
.unwrap_or_default()
.iter()
.for_each(|it| {
set.insert(AclDatabaseEntry {
mode: AclMode::Allow,
hostname: it.to_owned(),
});
self.acl_config.allow_list.clone().iter().for_each(|it| {
set.insert(AclDatabaseEntry {
mode: AclMode::Allow,
hostname: it.to_owned(),
});
});
self.acl_config.block_list.clone().iter().for_each(|it| {
set.insert(AclDatabaseEntry {
mode: AclMode::Block,
@ -79,13 +74,10 @@ impl Service {
if self.acl_config.block_list.contains(&server_host_name) {
return false;
}
let mut allow_list_enabled = false;
let allow_list_enabled = self.acl_config.allow_only_federation_from_allow_list;
// check allowlist
if let Some(list) = &self.acl_config.allow_list {
if list.contains(&server_host_name) {
return true;
}
allow_list_enabled = true;
if allow_list_enabled && self.acl_config.allow_list.contains(&server_host_name) {
return true;
}
//check database
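Review bot: `list_acls` (first hunk) now reports every configured `allow_list` host as `AclMode::Allow` unconditionally, while the check in the second hunk only honours those hosts when `allow_only_federation_from_allow_list` is true, so the listing can show allow entries that the enforcement path never applies — an operator auditing the ACL via this listing would be misled. I would gate the first loop the same way as the check, `if self.acl_config.allow_only_federation_from_allow_list {`, and, while there, drop the needless `.clone()` in both loops: `self.acl_config.allow_list.iter().for_each(|it| { ... })` borrows the set without copying it. The block-list-before-allow-list ordering at the top of the second hunk is the right precedence for a host present in both lists, but it deserves a one-line comment, `// block list wins over allow list`, since the commit changes the surrounding logic. The function containing the second hunk starts and ends outside the hunk, so I cannot see how `allow_list_enabled` is used after the database check; please confirm the fall-through still denies when the flag is set and neither source matches.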