git-mirrors/continuwuity
1
0
Fork 0
mirror of https://forgejo.ellis.link/continuwuation/continuwuity.git synced 2025-07-09 19:46:43 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: added an error message along with a better setting for the ACL

Browse source
This commit is contained in:
NinekoTheCat 2023-12-25 17:35:24 +01:00
parent b57dfddc19
commit 4628afe374
No known key found for this signature in database
GPG key ID: 700DB3F678A4AB66
3 changed files with 25 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
src/config/acl.rs
View file

@ -3,9 +3,15 @@ use std::collections::HashSet;
use url::Host; use url::Host;
#[derive(Deserialize, Debug, Default, Clone)] #[derive(Deserialize, Debug, Default, Clone)]
pub struct AccessControlListConfig { pub struct AccessControlListConfig {
/// setting this explicitly enables allowlists #[serde(default = "default_as_false")]
pub(crate) allow_list: Option<HashSet<Host<String>>>, pub allow_only_federation_from_allow_list: bool,
#[serde(default)]
pub(crate) allow_list: HashSet<Host<String>>,
#[serde(default)] #[serde(default)]
pub(crate) block_list: HashSet<Host<String>>, pub(crate) block_list: HashSet<Host<String>>,
} }
fn default_as_false() -> bool {
false
}

9
src/main.rs
View file

@ -90,6 +90,15 @@ async fn main() {
} }
}; };
if !config.allow_federation && config.acl.allow_only_federation_from_allow_list {
warn!(
r#"
Federation is disabled however acl.allow_only_federation_from_allow_list is enabled, this means that servers on the allow list won't be able to federate.
Unlike in synapse an ACL is always applied first before checking if federation is enabled.
"#
);
}
if config.allow_jaeger { if config.allow_jaeger {
opentelemetry::global::set_text_map_propagator(opentelemetry_jaeger::Propagator::new()); opentelemetry::global::set_text_map_propagator(opentelemetry_jaeger::Propagator::new());
let tracer = opentelemetry_jaeger::new_agent_pipeline() let tracer = opentelemetry_jaeger::new_agent_pipeline()

24
src/service/acl/mod.rs
View file

@ -16,17 +16,12 @@ pub struct Service {
impl Service { impl Service {
pub fn list_acls(&self, filter: Option<AclMode>) -> Vec<AclDatabaseEntry> { pub fn list_acls(&self, filter: Option<AclMode>) -> Vec<AclDatabaseEntry> {
let mut set = self.db.get_all_acls(); let mut set = self.db.get_all_acls();
self.acl_config self.acl_config.allow_list.clone().iter().for_each(|it| {
.allow_list set.insert(AclDatabaseEntry {
.clone() mode: AclMode::Allow,
.unwrap_or_default() hostname: it.to_owned(),
.iter()
.for_each(|it| {
set.insert(AclDatabaseEntry {
mode: AclMode::Allow,
hostname: it.to_owned(),
});
}); });
});
self.acl_config.block_list.clone().iter().for_each(|it| { self.acl_config.block_list.clone().iter().for_each(|it| {
set.insert(AclDatabaseEntry { set.insert(AclDatabaseEntry {
mode: AclMode::Block, mode: AclMode::Block,
@ -79,13 +74,10 @@ impl Service {
if self.acl_config.block_list.contains(&server_host_name) { if self.acl_config.block_list.contains(&server_host_name) {
return false; return false;
} }
let mut allow_list_enabled = false; let allow_list_enabled = self.acl_config.allow_only_federation_from_allow_list;
// check allowlist // check allowlist
if let Some(list) = &self.acl_config.allow_list { if allow_list_enabled && self.acl_config.allow_list.contains(&server_host_name) {
if list.contains(&server_host_name) { return true;
return true;
}
allow_list_enabled = true;
} }
//check database //check database