feat: added an error message along with a better setting for the ACL

2025-07-09 04:56:41 +02:00 · 2023-12-25 17:35:24 +01:00 · 2023-12-25 17:35:24 +01:00 · 4628afe374
commit 4628afe374
parent b57dfddc19
3 changed files with 25 additions and 18 deletions
--- a/src/config/acl.rs
+++ b/src/config/acl.rs
@ -3,9 +3,15 @@ use std::collections::HashSet;
 use url::Host;
 #[derive(Deserialize, Debug, Default, Clone)]
 pub struct AccessControlListConfig {
-    /// setting this explicitly enables allowlists
-    pub(crate) allow_list: Option<HashSet<Host<String>>>,
+    #[serde(default = "default_as_false")]
+    pub allow_only_federation_from_allow_list: bool,
+    #[serde(default)]
+    pub(crate) allow_list: HashSet<Host<String>>,

    #[serde(default)]
    pub(crate) block_list: HashSet<Host<String>>,
 }
+
+fn default_as_false() -> bool {
+    false
+}
--- a/src/main.rs
+++ b/src/main.rs
@ -90,6 +90,15 @@ async fn main() {
        }
    };

+    if !config.allow_federation && config.acl.allow_only_federation_from_allow_list {
+        warn!(
+            r#"
+Federation is disabled however acl.allow_only_federation_from_allow_list is enabled, this means that servers on the allow list won't be able to federate.
+Unlike in synapse an ACL is always applied first before checking if federation is enabled.
+        "#
+        );
+    }
+
    if config.allow_jaeger {
        opentelemetry::global::set_text_map_propagator(opentelemetry_jaeger::Propagator::new());
        let tracer = opentelemetry_jaeger::new_agent_pipeline()
--- a/src/service/acl/mod.rs
+++ b/src/service/acl/mod.rs
@ -16,17 +16,12 @@ pub struct Service {
 impl Service {
    pub fn list_acls(&self, filter: Option<AclMode>) -> Vec<AclDatabaseEntry> {
        let mut set = self.db.get_all_acls();
-        self.acl_config
-            .allow_list
-            .clone()
-            .unwrap_or_default()
-            .iter()
-            .for_each(|it| {
-                set.insert(AclDatabaseEntry {
-                    mode: AclMode::Allow,
-                    hostname: it.to_owned(),
-                });
+        self.acl_config.allow_list.clone().iter().for_each(|it| {
+            set.insert(AclDatabaseEntry {
+                mode: AclMode::Allow,
+                hostname: it.to_owned(),
            });
+        });
        self.acl_config.block_list.clone().iter().for_each(|it| {
            set.insert(AclDatabaseEntry {
                mode: AclMode::Block,
@ -79,13 +74,10 @@ impl Service {
        if self.acl_config.block_list.contains(&server_host_name) {
            return false;
        }
-        let mut allow_list_enabled = false;
+        let allow_list_enabled = self.acl_config.allow_only_federation_from_allow_list;
        // check allowlist
-        if let Some(list) = &self.acl_config.allow_list {
-            if list.contains(&server_host_name) {
-                return true;
-            }
-            allow_list_enabled = true;
+        if allow_list_enabled && self.acl_config.allow_list.contains(&server_host_name) {
+            return true;
        }

        //check database