diff --git a/.editorconfig b/.editorconfig index 91f073bd..3e7fd1b8 100644 --- a/.editorconfig +++ b/.editorconfig @@ -23,6 +23,6 @@ indent_size = 2 indent_style = tab max_line_length = 98 -[{.forgejo/**/*.yml,.github/**/*.yml}] +[*.yml] indent_size = 2 indent_style = space diff --git a/.forgejo/actions/prefligit/action.yml b/.forgejo/actions/prefligit/action.yml new file mode 100644 index 00000000..8cbd4500 --- /dev/null +++ b/.forgejo/actions/prefligit/action.yml @@ -0,0 +1,27 @@ +name: prefligit +description: | + Runs prefligit, pre-commit reimplemented in Rust. +inputs: + extra_args: + description: options to pass to pre-commit run + required: false + default: '--all-files' + +runs: + using: composite + steps: + - name: Install uv + uses: https://github.com/astral-sh/setup-uv@v6 + with: + enable-cache: true + ignore-nothing-to-cache: true + - name: Install Prefligit + shell: bash + run: | + curl --proto '=https' --tlsv1.2 -LsSf https://github.com/j178/prefligit/releases/download/v0.0.10/prefligit-installer.sh | sh + - uses: actions/cache@v3 + with: + path: ~/.cache/prefligit + key: prefligit-0|${{ hashFiles('.pre-commit-config.yaml') }} + - run: prefligit run --show-diff-on-failure --color=always -v ${{ inputs.extra_args }} + shell: bash diff --git a/.forgejo/workflows/documentation.yml b/.forgejo/workflows/documentation.yml index 7d95a317..4f3e903c 100644 --- a/.forgejo/workflows/documentation.yml +++ b/.forgejo/workflows/documentation.yml @@ -17,6 +17,7 @@ jobs: docs: name: Build and Deploy Documentation runs-on: ubuntu-latest + if: secrets.CLOUDFLARE_API_TOKEN != '' steps: - name: Sync repository diff --git a/.forgejo/workflows/prefligit-checks.yml b/.forgejo/workflows/prefligit-checks.yml new file mode 100644 index 00000000..cc512496 --- /dev/null +++ b/.forgejo/workflows/prefligit-checks.yml @@ -0,0 +1,22 @@ +name: Checks / Prefligit + +on: + push: + pull_request: +permissions: + contents: read + +jobs: + prefligit: + runs-on: ubuntu-latest + env: + FROM_REF: ${{ github.event.pull_request.base.sha || (!github.event.forced && ( github.event.before != '0000000000000000000000000000000000000000' && github.event.before || github.sha )) || format('{0}~', github.sha) }} + TO_REF: ${{ github.sha }} + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + - uses: ./.forgejo/actions/prefligit + with: + extra_args: --all-files --hook-stage manual diff --git a/.forgejo/workflows/release-image.yml b/.forgejo/workflows/release-image.yml index 55b303b2..170fe668 100644 --- a/.forgejo/workflows/release-image.yml +++ b/.forgejo/workflows/release-image.yml @@ -49,6 +49,7 @@ jobs: const platforms = ['linux/amd64', 'linux/arm64'] core.setOutput('build_matrix', JSON.stringify({ platform: platforms, + target_cpu: ['base'], include: platforms.map(platform => { return { platform, slug: platform.replace('/', '-') @@ -66,6 +67,8 @@ jobs: strategy: matrix: { + "target_cpu": ["base"], + "profile": ["release"], "include": [ { "platform": "linux/amd64", "slug": "linux-amd64" }, @@ -73,6 +76,7 @@ jobs: ], "platform": ["linux/amd64", "linux/arm64"], } + steps: - name: Echo strategy run: echo '${{ toJSON(fromJSON(needs.define-variables.outputs.build_matrix)) }}' @@ -140,8 +144,8 @@ jobs: uses: actions/cache@v3 with: path: | - cargo-target-${{ matrix.slug }} - key: cargo-target-${{ matrix.slug }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}} + cargo-target-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }} + key: cargo-target-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}} - name: Cache apt cache id: cache-apt uses: actions/cache@v3 @@ -163,9 +167,9 @@ jobs: { ".cargo/registry": "/usr/local/cargo/registry", ".cargo/git/db": "/usr/local/cargo/git/db", - "cargo-target-${{ matrix.slug }}": { + "cargo-target-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}": { "target": "/app/target", - "id": "cargo-target-${{ matrix.platform }}" + "id": "cargo-target-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}" }, "var-cache-apt-${{ matrix.slug }}": "/var/cache/apt", "var-lib-apt-${{ matrix.slug }}": "/var/lib/apt" diff --git a/.forgejo/workflows/rust-checks.yml b/.forgejo/workflows/rust-checks.yml index 35ca1ad7..105efd0f 100644 --- a/.forgejo/workflows/rust-checks.yml +++ b/.forgejo/workflows/rust-checks.yml @@ -1,4 +1,4 @@ -name: Rust Checks +name: Checks / Rust on: push: diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs index 33f738f3..ddfc0568 100644 --- a/.git-blame-ignore-revs +++ b/.git-blame-ignore-revs @@ -5,3 +5,5 @@ f419c64aca300a338096b4e0db4c73ace54f23d0 # use chain_width 60 162948313c212193965dece50b816ef0903172ba 5998a0d883d31b866f7c8c46433a8857eae51a89 +# trailing whitespace and newlines +46c193e74b2ce86c48ce802333a0aabce37fd6e9 diff --git a/.gitattributes b/.gitattributes index 3dfaca65..a1a845b6 100644 --- a/.gitattributes +++ b/.gitattributes @@ -84,4 +84,4 @@ Cargo.lock text *.zst binary # Text files where line endings should be preserved -*.patch -text \ No newline at end of file +*.patch -text diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 00000000..fcfaade5 --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1,5 @@ +github: [JadedBlueEyes] +# Doesn't support an array, so we can only list nex +ko_fi: nexy7574 +custom: + - https://ko-fi.com/JadedBlueEyes diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..68e3a982 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,47 @@ +default_install_hook_types: + - pre-commit + - commit-msg +default_stages: + - pre-commit + - manual + +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v5.0.0 + hooks: + - id: check-byte-order-marker + - id: check-case-conflict + - id: check-symlinks + - id: destroyed-symlinks + - id: check-yaml + - id: check-json + - id: check-toml + - id: end-of-file-fixer + - id: trailing-whitespace + - id: mixed-line-ending + - id: check-merge-conflict + - id: check-added-large-files + + - repo: https://github.com/crate-ci/typos + rev: v1.26.0 + hooks: + - id: typos + - id: typos + name: commit-msg-typos + stages: [commit-msg] + + - repo: https://github.com/crate-ci/committed + rev: v1.1.7 + hooks: + - id: committed + + - repo: local + hooks: + - id: cargo-fmt + name: cargo fmt + entry: cargo +nightly fmt -- + language: system + types: [rust] + pass_filenames: false + stages: + - pre-commit diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index da426801..1c091183 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,6 +1,6 @@ # Contributing guide -This page is for about contributing to Continuwuity. The +This page is about contributing to Continuwuity. The [development](./development.md) page may be of interest for you as well. If you would like to work on an [issue][issues] that is not assigned, preferably @@ -10,7 +10,7 @@ and comment on it. ### Linting and Formatting It is mandatory all your changes satisfy the lints (clippy, rustc, rustdoc, etc) -and your code is formatted via the **nightly** `cargo fmt`. A lot of the +and your code is formatted via the **nightly** rustfmt (`cargo +nightly fmt`). A lot of the `rustfmt.toml` features depend on nightly toolchain. It would be ideal if they weren't nightly-exclusive features, but they currently still are. CI's rustfmt uses nightly. @@ -21,67 +21,91 @@ comment saying why. Do not write inefficient code for the sake of satisfying lints. If a lint is wrong and provides a more inefficient solution or suggestion, allow the lint and mention that in a comment. -### Running CI tests locally +### Pre-commit Checks -continuwuity's CI for tests, linting, formatting, audit, etc use -[`engage`][engage]. engage can be installed from nixpkgs or `cargo install -engage`. continuwuity's Nix flake devshell has the nixpkgs engage with `direnv`. -Use `engage --help` for more usage details. +Continuwuity uses pre-commit hooks to enforce various coding standards and catch common issues before they're committed. These checks include: -To test, format, lint, etc that CI would do, install engage, allow the `.envrc` -file using `direnv allow`, and run `engage`. +- Code formatting and linting +- Typo detection (both in code and commit messages) +- Checking for large files +- Ensuring proper line endings and no trailing whitespace +- Validating YAML, JSON, and TOML files +- Checking for merge conflicts -All of the tasks are defined at the [engage.toml][engage.toml] file. You can -view all of them neatly by running `engage list` +You can run these checks locally by installing [prefligit](https://github.com/j178/prefligit): -If you would like to run only a specific engage task group, use `just`: -- `engage just ` -- Example: `engage just lints` +```bash +# Install prefligit using cargo-binstall +cargo binstall prefligit -If you would like to run a specific engage task in a specific group, use `just - [TASK]`: `engage just lints cargo-fmt` +# Install git hooks to run checks automatically +prefligit install -The following binaries are used in [`engage.toml`][engage.toml]: +# Run all checks +prefligit --all-files +``` -- [`engage`][engage] -- `nix` -- [`direnv`][direnv] -- `rustc` -- `cargo` -- `cargo-fmt` -- `rustdoc` -- `cargo-clippy` -- [`cargo-audit`][cargo-audit] -- [`cargo-deb`][cargo-deb] -- [`lychee`][lychee] -- [`markdownlint-cli`][markdownlint-cli] -- `dpkg` +Alternatively, you can use [pre-commit](https://pre-commit.com/): +```bash +# Install pre-commit +pip install pre-commit + +# Install the hooks +pre-commit install + +# Run all checks manually +pre-commit run --all-files +``` + +These same checks are run in CI via the prefligit-checks workflow to ensure consistency. + +### Running tests locally + +Tests, compilation, and linting can be run with standard Cargo commands: + +```bash +# Run tests +cargo test + +# Check compilation +cargo check --workspace + +# Run lints +cargo clippy --workspace +# Auto-fix: cargo clippy --workspace --fix --allow-staged; + +# Format code (must use nightly) +cargo +nightly fmt +``` ### Matrix tests -CI runs [Complement][complement], but currently does not fail if results from -the checked-in results differ with the new results. If your changes are done to -fix Matrix tests, note that in your pull request. If more Complement tests start -failing from your changes, please review the logs (they are uploaded as -artifacts) and determine if they're intended or not. +Continuwuity uses [Complement][complement] for Matrix protocol compliance testing. Complement tests are run manually by developers, and documentation on how to run these tests locally is currently being developed. -If you'd like to run Complement locally using Nix, see the -[testing](development/testing.md) page. +If your changes are done to fix Matrix tests, please note that in your pull request. If more Complement tests start failing from your changes, please review the logs and determine if they're intended or not. -[Sytest][sytest] support will come soon. +[Sytest][sytest] is currently unsupported. ### Writing documentation -Continuwuity's website uses [`mdbook`][mdbook] and deployed via CI using GitHub -Pages in the [`documentation.yml`][documentation.yml] workflow file with Nix's -mdbook in the devshell. All documentation is in the `docs/` directory at the top -level. The compiled mdbook website is also uploaded as an artifact. +Continuwuity's website uses [`mdbook`][mdbook] and is deployed via CI using Cloudflare Pages +in the [`documentation.yml`][documentation.yml] workflow file. All documentation is in the `docs/` +directory at the top level. -To build the documentation using Nix, run: `bin/nix-build-and-cache just .#book` +To build the documentation locally: -The output of the mdbook generation is in `result/`. mdbooks can be opened in -your browser from the individual HTML files without any web server needed. +1. Install mdbook if you don't have it already: + ```bash + cargo install mdbook # or cargo binstall, or another method + ``` + +2. Build the documentation: + ```bash + mdbook build + ``` + +The output of the mdbook generation is in `public/`. You can open the HTML files directly in your browser without needing a web server. ### Inclusivity and Diversity @@ -109,6 +133,40 @@ Rust's default style and standards with regards to [function names, variable names, comments](https://rust-lang.github.io/api-guidelines/naming.html), etc applies here. +### Commit Messages + +Continuwuity follows the [Conventional Commits](https://www.conventionalcommits.org/) specification for commit messages. This provides a standardized format that makes the commit history more readable and enables automated tools to generate changelogs. + +The basic structure is: +``` +[(optional scope)]: + +[optional body] + +[optional footer(s)] +``` + +The allowed types for commits are: +- `fix`: Bug fixes +- `feat`: New features +- `docs`: Documentation changes +- `style`: Changes that don't affect the meaning of the code (formatting, etc.) +- `refactor`: Code changes that neither fix bugs nor add features +- `perf`: Performance improvements +- `test`: Adding or fixing tests +- `build`: Changes to the build system or dependencies +- `ci`: Changes to CI configuration +- `chore`: Other changes that don't modify source or test files + +Examples: +``` +feat: add user authentication +fix(database): resolve connection pooling issue +docs: update installation instructions +``` + +The project uses the `committed` hook to validate commit messages in pre-commit. This ensures all commits follow the conventional format. + ### Creating pull requests Please try to keep contributions to the Forgejo Instance. While the mirrors of continuwuity @@ -118,6 +176,13 @@ This prevents us from having to ping once in a while to double check the status of it, especially when the CI completed successfully and everything so it *looks* done. +Before submitting a pull request, please ensure: +1. Your code passes all CI checks (formatting, linting, typo detection, etc.) +2. Your commit messages follow the conventional commits format +3. Tests are added for new functionality +4. Documentation is updated if needed + + Direct all PRs/MRs to the `main` branch. @@ -125,20 +190,13 @@ By sending a pull request or patch, you are agreeing that your changes are allowed to be licenced under the Apache-2.0 licence and all of your conduct is in line with the Contributor's Covenant, and continuwuity's Code of Conduct. -Contribution by users who violate either of these code of conducts will not have +Contribution by users who violate either of these code of conducts may not have their contributions accepted. This includes users who have been banned from -continuwuityMatrix rooms for Code of Conduct violations. +continuwuity Matrix rooms for Code of Conduct violations. [issues]: https://forgejo.ellis.link/continuwuation/continuwuity/issues [continuwuity-matrix]: https://matrix.to/#/#continuwuity:continuwuity.org [complement]: https://github.com/matrix-org/complement/ -[engage.toml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/engage.toml -[engage]: https://charles.page.computer.surgery/engage/ [sytest]: https://github.com/matrix-org/sytest/ -[cargo-deb]: https://github.com/kornelski/cargo-deb -[lychee]: https://github.com/lycheeverse/lychee -[markdownlint-cli]: https://github.com/igorshubovych/markdownlint-cli -[cargo-audit]: https://github.com/RustSec/rustsec/tree/main/cargo-audit -[direnv]: https://direnv.net/ [mdbook]: https://rust-lang.github.io/mdBook/ [documentation.yml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/.forgejo/workflows/documentation.yml diff --git a/Cargo.lock b/Cargo.lock index ec6e848d..e81603fb 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3695,7 +3695,7 @@ dependencies = [ [[package]] name = "ruma" version = "0.10.1" -source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983" +source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6#8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6" dependencies = [ "assign", "js_int", @@ -3715,7 +3715,7 @@ dependencies = [ [[package]] name = "ruma-appservice-api" version = "0.10.0" -source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983" +source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6#8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6" dependencies = [ "js_int", "ruma-common", @@ -3727,7 +3727,7 @@ dependencies = [ [[package]] name = "ruma-client-api" version = "0.18.0" -source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983" +source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6#8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6" dependencies = [ "as_variant", "assign", @@ -3750,7 +3750,7 @@ dependencies = [ [[package]] name = "ruma-common" version = "0.13.0" -source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983" +source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6#8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6" dependencies = [ "as_variant", "base64 0.22.1", @@ -3782,7 +3782,7 @@ dependencies = [ [[package]] name = "ruma-events" version = "0.28.1" -source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983" +source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6#8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6" dependencies = [ "as_variant", "indexmap 2.9.0", @@ -3807,7 +3807,7 @@ dependencies = [ [[package]] name = "ruma-federation-api" version = "0.9.0" -source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983" +source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6#8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6" dependencies = [ "bytes", "headers", @@ -3829,7 +3829,7 @@ dependencies = [ [[package]] name = "ruma-identifiers-validation" version = "0.9.5" -source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983" +source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6#8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6" dependencies = [ "js_int", "thiserror 2.0.12", @@ -3838,7 +3838,7 @@ dependencies = [ [[package]] name = "ruma-identity-service-api" version = "0.9.0" -source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983" +source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6#8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6" dependencies = [ "js_int", "ruma-common", @@ -3848,7 +3848,7 @@ dependencies = [ [[package]] name = "ruma-macros" version = "0.13.0" -source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983" +source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6#8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6" dependencies = [ "cfg-if", "proc-macro-crate", @@ -3863,7 +3863,7 @@ dependencies = [ [[package]] name = "ruma-push-gateway-api" version = "0.9.0" -source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983" +source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6#8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6" dependencies = [ "js_int", "ruma-common", @@ -3875,7 +3875,7 @@ dependencies = [ [[package]] name = "ruma-signatures" version = "0.15.0" -source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983" +source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6#8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6" dependencies = [ "base64 0.22.1", "ed25519-dalek", diff --git a/Cargo.toml b/Cargo.toml index af904447..4456f0ad 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -350,7 +350,7 @@ version = "0.1.2" [workspace.dependencies.ruma] git = "https://forgejo.ellis.link/continuwuation/ruwuma" #branch = "conduwuit-changes" -rev = "d6870a7fb7f6cccff63f7fd0ff6c581bad80e983" +rev = "8ea4885e34a61fa4b7c0bb38b39ec66a772d89a6" features = [ "compat", "rand", diff --git a/README.md b/README.md index e3eb807f..60dcf81d 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,10 @@ ## A community-driven [Matrix](https://matrix.org/) homeserver in Rust +[![Chat on Matrix](https://img.shields.io/matrix/continuwuity%3Acontinuwuity.org?server_fqdn=matrix.continuwuity.org&fetchMode=summary&logo=matrix)](https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org) [![Join the space](https://img.shields.io/matrix/space%3Acontinuwuity.org?server_fqdn=matrix.continuwuity.org&fetchMode=summary&logo=matrix&label=space)](https://matrix.to/#/#space:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org) + + + [continuwuity] is a Matrix homeserver written in Rust. @@ -11,11 +15,13 @@ It's a community continuation of the [conduwuit](https://github.com/girlbossceo/ -[![forgejo.ellis.link](https://img.shields.io/badge/Ellis%20Git-main+packages-green?style=flat&logo=forgejo&labelColor=fff)](https://forgejo.ellis.link/continuwuation/continuwuity) ![](https://forgejo.ellis.link/continuwuation/continuwuity/badges/stars.svg?style=flat) [![](https://forgejo.ellis.link/continuwuation/continuwuity/badges/issues/open.svg?style=flat)](https://forgejo.ellis.link/continuwuation/continuwuity/issues?state=open) [![](https://forgejo.ellis.link/continuwuation/continuwuity/badges/pulls/open.svg?style=flat)](https://forgejo.ellis.link/continuwuation/continuwuity/pulls?state=open) +[![forgejo.ellis.link](https://img.shields.io/badge/Ellis%20Git-main+packages-green?style=flat&logo=forgejo&labelColor=fff)](https://forgejo.ellis.link/continuwuation/continuwuity) [![Stars](https://forgejo.ellis.link/continuwuation/continuwuity/badges/stars.svg?style=flat)](https://forgejo.ellis.link/continuwuation/continuwuity/stars) [![Issues](https://forgejo.ellis.link/continuwuation/continuwuity/badges/issues/open.svg?style=flat)](https://forgejo.ellis.link/continuwuation/continuwuity/issues?state=open) [![Pull Requests](https://forgejo.ellis.link/continuwuation/continuwuity/badges/pulls/open.svg?style=flat)](https://forgejo.ellis.link/continuwuation/continuwuity/pulls?state=open) -[![GitHub](https://img.shields.io/badge/GitHub-mirror-blue?style=flat&logo=github&labelColor=fff&logoColor=24292f)](https://github.com/continuwuity/continuwuity) ![](https://img.shields.io/github/stars/continuwuity/continuwuity?style=flat) +[![GitHub](https://img.shields.io/badge/GitHub-mirror-blue?style=flat&logo=github&labelColor=fff&logoColor=24292f)](https://github.com/continuwuity/continuwuity) [![Stars](https://img.shields.io/github/stars/continuwuity/continuwuity?style=flat)](https://github.com/continuwuity/continuwuity/stargazers) -[![Codeberg](https://img.shields.io/badge/Codeberg-mirror-2185D0?style=flat&logo=codeberg&labelColor=fff)](https://codeberg.org/nexy7574/continuwuity) ![](https://codeberg.org/nexy7574/continuwuity/badges/stars.svg?style=flat) +[![GitLab](https://img.shields.io/badge/GitLab-mirror-blue?style=flat&logo=gitlab&labelColor=fff)](https://gitlab.com/continuwuity/continuwuity) [![Stars](https://img.shields.io/gitlab/stars/continuwuity/continuwuity?style=flat)](https://gitlab.com/continuwuity/continuwuity/-/starrers) + +[![Codeberg](https://img.shields.io/badge/Codeberg-mirror-2185D0?style=flat&logo=codeberg&labelColor=fff)](https://codeberg.org/continuwuity/continuwuity) [![Stars](https://codeberg.org/continuwuity/continuwuity/badges/stars.svg?style=flat)](https://codeberg.org/continuwuity/continuwuity/stars) ### Why does this exist? @@ -59,8 +65,6 @@ There are currently no open registration Continuwuity instances available. We're working our way through all of the issues in the [Forgejo project](https://forgejo.ellis.link/continuwuation/continuwuity/issues). -- [Replacing old conduwuit links with working continuwuity links](https://forgejo.ellis.link/continuwuation/continuwuity/issues/742) -- [Getting CI and docs deployment working on the new Forgejo project](https://forgejo.ellis.link/continuwuation/continuwuity/issues/740) - [Packaging & availability in more places](https://forgejo.ellis.link/continuwuation/continuwuity/issues/747) - [Appservices bugs & features](https://forgejo.ellis.link/continuwuation/continuwuity/issues?q=&type=all&state=open&labels=178&milestone=0&assignee=0&poster=0) - [Improving compatibility and spec compliance](https://forgejo.ellis.link/continuwuation/continuwuity/issues?labels=119) diff --git a/arch/conduwuit.service b/arch/conduwuit.service index c86e37bd..d5a65e4d 100644 --- a/arch/conduwuit.service +++ b/arch/conduwuit.service @@ -6,6 +6,7 @@ After=network-online.target Documentation=https://continuwuity.org/ RequiresMountsFor=/var/lib/private/conduwuit Alias=matrix-conduwuit.service + [Service] DynamicUser=yes Type=notify-reload @@ -59,7 +60,8 @@ StateDirectory=conduwuit RuntimeDirectory=conduwuit RuntimeDirectoryMode=0750 -Environment="CONTINUWUITY_CONFIG=/etc/conduwuit/conduwuit.toml" +Environment=CONTINUWUITY_CONFIG=${CREDENTIALS_DIRECTORY}/config.toml +LoadCredential=config.toml:/etc/conduwuit/conduwuit.toml BindPaths=/var/lib/private/conduwuit:/var/lib/matrix-conduit BindPaths=/var/lib/private/conduwuit:/var/lib/private/matrix-conduit diff --git a/committed.toml b/committed.toml new file mode 100644 index 00000000..64f7f18a --- /dev/null +++ b/committed.toml @@ -0,0 +1,2 @@ +style = "conventional" +allowed_types = ["ci", "build", "fix", "feat", "chore", "docs", "style", "refactor", "perf", "test"] diff --git a/docker/Dockerfile b/docker/Dockerfile index e734fb81..bd6e72d1 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,15 +1,16 @@ ARG RUST_VERSION=1 +ARG DEBIAN_VERSION=bookworm FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx -FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-bookworm AS base -FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-bookworm AS toolchain +FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-${DEBIAN_VERSION} AS base +FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-${DEBIAN_VERSION} AS toolchain # Prevent deletion of apt cache RUN rm -f /etc/apt/apt.conf.d/docker-clean # Match Rustc version as close as possible # rustc -vV -ARG LLVM_VERSION=19 +ARG LLVM_VERSION=20 # ENV RUSTUP_TOOLCHAIN=${RUST_VERSION} # Install repo tools @@ -19,10 +20,18 @@ ARG LLVM_VERSION=19 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ --mount=type=cache,target=/var/lib/apt,sharing=locked \ apt-get update && apt-get install -y \ - clang-${LLVM_VERSION} lld-${LLVM_VERSION} pkg-config make jq \ - curl git \ + pkg-config make jq \ + curl git software-properties-common \ file +# LLVM packages +RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ + --mount=type=cache,target=/var/lib/apt,sharing=locked \ + curl https://apt.llvm.org/llvm.sh > llvm.sh && \ + chmod +x llvm.sh && \ + ./llvm.sh ${LLVM_VERSION} && \ + rm llvm.sh + # Create symlinks for LLVM tools RUN < - various performance -improvements, more features, faster-paced development, better client/server interop -hacks upstream won't accept, etc -- [facebook/rocksdb][2]: - liburing -build fixes and GCC debug build fix -- [tikv/jemallocator][3]: - musl -builds seem to be broken on upstream, fixes some broken/suspicious code in -places, additional safety measures, and support redzones for Valgrind -- [zyansheep/rustyline-async][4]: - - tab completion callback and -`CTRL+\` signal quit event for Continuwuity console CLI -- [rust-rocksdb/rust-rocksdb][5]: - - [`@zaidoon1`][8]'s fork -has quicker updates, more up to date dependencies, etc. Our fork fixes musl build -issues, removes unnecessary `gtest` include, and uses our RocksDB and jemallocator -forks. -- [tokio-rs/tracing][6]: - Implements -`Clone` for `EnvFilter` to support dynamically changing tracing envfilter's -alongside other logging/metrics things +All forked dependencies are maintained under the [continuwuation organization on Forgejo](https://forgejo.ellis.link/continuwuation): + +- [ruwuma][continuwuation-ruwuma] - Fork of [ruma/ruma][ruma] with various performance improvements, more features and better client/server interop +- [rocksdb][continuwuation-rocksdb] - Fork of [facebook/rocksdb][rocksdb] via [`@zaidoon1`][8] with liburing build fixes and GCC debug build fixes +- [jemallocator][continuwuation-jemallocator] - Fork of [tikv/jemallocator][jemallocator] fixing musl builds, suspicious code, + and adding support for redzones in Valgrind +- [rustyline-async][continuwuation-rustyline-async] - Fork of [zyansheep/rustyline-async][rustyline-async] with tab completion callback + and `CTRL+\` signal quit event for Continuwuity console CLI +- [rust-rocksdb][continuwuation-rust-rocksdb] - Fork of [rust-rocksdb/rust-rocksdb][rust-rocksdb] fixing musl build issues, + removing unnecessary `gtest` include, and using our RocksDB and jemallocator forks +- [tracing][continuwuation-tracing] - Fork of [tokio-rs/tracing][tracing] implementing `Clone` for `EnvFilter` to + support dynamically changing tracing environments ## Debugging with `tokio-console` @@ -113,12 +104,30 @@ You will also need to enable the `tokio_console` config option in Continuwuity w starting it. This was due to tokio-console causing gradual memory leak/usage if left enabled. -[1]: https://github.com/ruma/ruma/ -[2]: https://github.com/facebook/rocksdb/ -[3]: https://github.com/tikv/jemallocator/ -[4]: https://github.com/zyansheep/rustyline-async/ -[5]: https://github.com/rust-rocksdb/rust-rocksdb/ -[6]: https://github.com/tokio-rs/tracing/ +## Building Docker Images + +To build a Docker image for Continuwuity, use the standard Docker build command: + +```bash +docker build -f docker/Dockerfile . +``` + +The image can be cross-compiled for different architectures. + +[continuwuation-ruwuma]: https://forgejo.ellis.link/continuwuation/ruwuma +[continuwuation-rocksdb]: https://forgejo.ellis.link/continuwuation/rocksdb +[continuwuation-jemallocator]: https://forgejo.ellis.link/continuwuation/jemallocator +[continuwuation-rustyline-async]: https://forgejo.ellis.link/continuwuation/rustyline-async +[continuwuation-rust-rocksdb]: https://forgejo.ellis.link/continuwuation/rust-rocksdb +[continuwuation-tracing]: https://forgejo.ellis.link/continuwuation/tracing + +[ruma]: https://github.com/ruma/ruma/ +[rocksdb]: https://github.com/facebook/rocksdb/ +[jemallocator]: https://github.com/tikv/jemallocator/ +[rustyline-async]: https://github.com/zyansheep/rustyline-async/ +[rust-rocksdb]: https://github.com/rust-rocksdb/rust-rocksdb/ +[tracing]: https://github.com/tokio-rs/tracing/ + [7]: https://docs.rs/tokio-console/latest/tokio_console/ [8]: https://github.com/zaidoon1/ [9]: https://github.com/rust-lang/cargo/issues/12162 diff --git a/docs/static/_headers b/docs/static/_headers index 6e52de9f..dd07f21b 100644 --- a/docs/static/_headers +++ b/docs/static/_headers @@ -3,4 +3,4 @@ Content-Type: application/json /.well-known/continuwuity/* Access-Control-Allow-Origin: * - Content-Type: application/json \ No newline at end of file + Content-Type: application/json diff --git a/docs/static/announcements.schema.json b/docs/static/announcements.schema.json index cacd10c9..474c0d29 100644 --- a/docs/static/announcements.schema.json +++ b/docs/static/announcements.schema.json @@ -32,4 +32,4 @@ "required": [ "announcements" ] - } \ No newline at end of file + } diff --git a/docs/static/support b/docs/static/support index 6b7a9860..88a85c7d 100644 --- a/docs/static/support +++ b/docs/static/support @@ -21,4 +21,4 @@ } ], "support_page": "https://continuwuity.org/introduction#contact" -} \ No newline at end of file +} diff --git a/rust-toolchain.toml b/rust-toolchain.toml index aadc8f99..bdb608aa 100644 --- a/rust-toolchain.toml +++ b/rust-toolchain.toml @@ -9,7 +9,7 @@ # If you're having trouble making the relevant changes, bug a maintainer. [toolchain] -channel = "1.86.0" +channel = "1.87.0" profile = "minimal" components = [ # For rust-analyzer @@ -19,11 +19,3 @@ components = [ "rustfmt", "clippy", ] -targets = [ - #"x86_64-apple-darwin", - "x86_64-unknown-linux-gnu", - "x86_64-unknown-linux-musl", - "aarch64-unknown-linux-musl", - "aarch64-unknown-linux-gnu", - #"aarch64-apple-darwin", -] diff --git a/src/admin/admin.rs b/src/admin/admin.rs index 0d636c72..50b9db7c 100644 --- a/src/admin/admin.rs +++ b/src/admin/admin.rs @@ -9,7 +9,7 @@ use crate::{ }; #[derive(Debug, Parser)] -#[command(name = "conduwuit", version = conduwuit::version())] +#[command(name = conduwuit_core::name(), version = conduwuit_core::version())] pub(super) enum AdminCommand { #[command(subcommand)] /// - Commands for managing appservices diff --git a/src/admin/context.rs b/src/admin/context.rs index 270537be..3d3cffb7 100644 --- a/src/admin/context.rs +++ b/src/admin/context.rs @@ -7,13 +7,14 @@ use futures::{ io::{AsyncWriteExt, BufWriter}, lock::Mutex, }; -use ruma::EventId; +use ruma::{EventId, UserId}; pub(crate) struct Context<'a> { pub(crate) services: &'a Services, pub(crate) body: &'a [&'a str], pub(crate) timer: SystemTime, pub(crate) reply_id: Option<&'a EventId>, + pub(crate) sender: Option<&'a UserId>, pub(crate) output: Mutex>>, } @@ -36,4 +37,10 @@ impl Context<'_> { output.write_all(s.as_bytes()).map_err(Into::into).await }) } + + /// Get the sender as a string, or service user ID if not available + pub(crate) fn sender_or_service_user(&self) -> &UserId { + self.sender + .unwrap_or_else(|| self.services.globals.server_user.as_ref()) + } } diff --git a/src/admin/debug/commands.rs b/src/admin/debug/commands.rs index d0debc2a..a397e0fc 100644 --- a/src/admin/debug/commands.rs +++ b/src/admin/debug/commands.rs @@ -239,10 +239,11 @@ pub(super) async fn get_remote_pdu( }) .await { - | Err(e) => + | Err(e) => { return Err!( "Remote server did not have PDU or failed sending request to remote server: {e}" - ), + ); + }, | Ok(response) => { let json: CanonicalJsonObject = serde_json::from_str(response.pdu.get()).map_err(|e| { @@ -384,8 +385,9 @@ pub(super) async fn change_log_level(&self, filter: Option, reset: bool) .reload .reload(&old_filter_layer, Some(handles)) { - | Err(e) => - return Err!("Failed to modify and reload the global tracing log level: {e}"), + | Err(e) => { + return Err!("Failed to modify and reload the global tracing log level: {e}"); + }, | Ok(()) => { let value = &self.services.server.config.log; let out = format!("Successfully changed log level back to config value {value}"); @@ -408,8 +410,9 @@ pub(super) async fn change_log_level(&self, filter: Option, reset: bool) .reload(&new_filter_layer, Some(handles)) { | Ok(()) => return self.write_str("Successfully changed log level").await, - | Err(e) => - return Err!("Failed to modify and reload the global tracing log level: {e}"), + | Err(e) => { + return Err!("Failed to modify and reload the global tracing log level: {e}"); + }, } } @@ -529,6 +532,7 @@ pub(super) async fn force_set_room_state_from_server( &self, room_id: OwnedRoomId, server_name: OwnedServerName, + at_event: Option, ) -> Result { if !self .services @@ -540,13 +544,18 @@ pub(super) async fn force_set_room_state_from_server( return Err!("We are not participating in the room / we don't know about the room ID."); } - let first_pdu = self - .services - .rooms - .timeline - .latest_pdu_in_room(&room_id) - .await - .map_err(|_| err!(Database("Failed to find the latest PDU in database")))?; + let at_event_id = match at_event { + | Some(event_id) => event_id, + | None => self + .services + .rooms + .timeline + .latest_pdu_in_room(&room_id) + .await + .map_err(|_| err!(Database("Failed to find the latest PDU in database")))? + .event_id + .clone(), + }; let room_version = self.services.rooms.state.get_room_version(&room_id).await?; @@ -557,7 +566,7 @@ pub(super) async fn force_set_room_state_from_server( .sending .send_federation_request(&server_name, get_room_state::v1::Request { room_id: room_id.clone(), - event_id: first_pdu.event_id.clone(), + event_id: at_event_id, }) .await?; diff --git a/src/admin/debug/mod.rs b/src/admin/debug/mod.rs index 1fd4e263..bceee9ba 100644 --- a/src/admin/debug/mod.rs +++ b/src/admin/debug/mod.rs @@ -177,6 +177,9 @@ pub(super) enum DebugCommand { room_id: OwnedRoomId, /// The server we will use to query the room state for server_name: OwnedServerName, + /// The event ID of the latest known PDU in the room. Will be found + /// automatically if not provided. + event_id: Option, }, /// - Runs a server name through conduwuit's true destination resolution diff --git a/src/admin/processor.rs b/src/admin/processor.rs index f7b7140f..8d1fe89c 100644 --- a/src/admin/processor.rs +++ b/src/admin/processor.rs @@ -63,6 +63,7 @@ async fn process_command(services: Arc, input: &CommandInput) -> Proce body: &body, timer: SystemTime::now(), reply_id: input.reply_id.as_deref(), + sender: input.sender.as_deref(), output: BufWriter::new(Vec::new()).into(), }; diff --git a/src/admin/user/commands.rs b/src/admin/user/commands.rs index e5e481e5..d094fc5f 100644 --- a/src/admin/user/commands.rs +++ b/src/admin/user/commands.rs @@ -224,6 +224,47 @@ pub(super) async fn deactivate(&self, no_leave_rooms: bool, user_id: String) -> .await } +#[admin_command] +pub(super) async fn suspend(&self, user_id: String) -> Result { + let user_id = parse_local_user_id(self.services, &user_id)?; + + if user_id == self.services.globals.server_user { + return Err!("Not allowed to suspend the server service account.",); + } + + if !self.services.users.exists(&user_id).await { + return Err!("User {user_id} does not exist."); + } + if self.services.users.is_admin(&user_id).await { + return Err!("Admin users cannot be suspended."); + } + // TODO: Record the actual user that sent the suspension where possible + self.services + .users + .suspend_account(&user_id, self.sender_or_service_user()) + .await; + + self.write_str(&format!("User {user_id} has been suspended.")) + .await +} + +#[admin_command] +pub(super) async fn unsuspend(&self, user_id: String) -> Result { + let user_id = parse_local_user_id(self.services, &user_id)?; + + if user_id == self.services.globals.server_user { + return Err!("Not allowed to unsuspend the server service account.",); + } + + if !self.services.users.exists(&user_id).await { + return Err!("User {user_id} does not exist."); + } + self.services.users.unsuspend_account(&user_id).await; + + self.write_str(&format!("User {user_id} has been unsuspended.")) + .await +} + #[admin_command] pub(super) async fn reset_password(&self, username: String, password: Option) -> Result { let user_id = parse_local_user_id(self.services, &username)?; diff --git a/src/admin/user/mod.rs b/src/admin/user/mod.rs index e789376a..645d3637 100644 --- a/src/admin/user/mod.rs +++ b/src/admin/user/mod.rs @@ -59,6 +59,28 @@ pub(super) enum UserCommand { force: bool, }, + /// - Suspend a user + /// + /// Suspended users are able to log in, sync, and read messages, but are not + /// able to send events nor redact them, cannot change their profile, and + /// are unable to join, invite to, or knock on rooms. + /// + /// Suspended users can still leave rooms and deactivate their account. + /// Suspending them effectively makes them read-only. + Suspend { + /// Username of the user to suspend + user_id: String, + }, + + /// - Unsuspend a user + /// + /// Reverses the effects of the `suspend` command, allowing the user to send + /// messages, change their profile, create room invites, etc. + Unsuspend { + /// Username of the user to unsuspend + user_id: String, + }, + /// - List local users in the database #[clap(alias = "list")] ListUsers, diff --git a/src/api/client/alias.rs b/src/api/client/alias.rs index 9f1b05f8..dc7aad44 100644 --- a/src/api/client/alias.rs +++ b/src/api/client/alias.rs @@ -18,6 +18,9 @@ pub(crate) async fn create_alias_route( body: Ruma, ) -> Result { let sender_user = body.sender_user.as_ref().expect("user is authenticated"); + if services.users.is_suspended(sender_user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } services .rooms @@ -63,6 +66,9 @@ pub(crate) async fn delete_alias_route( body: Ruma, ) -> Result { let sender_user = body.sender_user.as_ref().expect("user is authenticated"); + if services.users.is_suspended(sender_user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } services .rooms diff --git a/src/api/client/directory.rs b/src/api/client/directory.rs index aa6ae168..2e219fd9 100644 --- a/src/api/client/directory.rs +++ b/src/api/client/directory.rs @@ -128,6 +128,9 @@ pub(crate) async fn set_room_visibility_route( // Return 404 if the room doesn't exist return Err!(Request(NotFound("Room not found"))); } + if services.users.is_suspended(sender_user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } if services .users diff --git a/src/api/client/media.rs b/src/api/client/media.rs index 94572413..11d5450c 100644 --- a/src/api/client/media.rs +++ b/src/api/client/media.rs @@ -52,6 +52,9 @@ pub(crate) async fn create_content_route( body: Ruma, ) -> Result { let user = body.sender_user.as_ref().expect("user is authenticated"); + if services.users.is_suspended(user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } let filename = body.filename.as_deref(); let content_type = body.content_type.as_deref(); diff --git a/src/api/client/membership.rs b/src/api/client/membership.rs index e587d806..e6392533 100644 --- a/src/api/client/membership.rs +++ b/src/api/client/membership.rs @@ -178,6 +178,9 @@ pub(crate) async fn join_room_by_id_route( body: Ruma, ) -> Result { let sender_user = body.sender_user(); + if services.users.is_suspended(sender_user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } banned_room_check( &services, @@ -249,6 +252,9 @@ pub(crate) async fn join_room_by_id_or_alias_route( let sender_user = body.sender_user.as_deref().expect("user is authenticated"); let appservice_info = &body.appservice_info; let body = body.body; + if services.users.is_suspended(sender_user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } let (servers, room_id) = match OwnedRoomId::try_from(body.room_id_or_alias) { | Ok(room_id) => { @@ -369,6 +375,9 @@ pub(crate) async fn knock_room_route( ) -> Result { let sender_user = body.sender_user(); let body = &body.body; + if services.users.is_suspended(sender_user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } let (servers, room_id) = match OwnedRoomId::try_from(body.room_id_or_alias.clone()) { | Ok(room_id) => { @@ -492,6 +501,9 @@ pub(crate) async fn invite_user_route( body: Ruma, ) -> Result { let sender_user = body.sender_user(); + if services.users.is_suspended(sender_user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } if !services.users.is_admin(sender_user).await && services.config.block_non_admin_invites { debug_error!( @@ -566,6 +578,10 @@ pub(crate) async fn kick_user_route( State(services): State, body: Ruma, ) -> Result { + let sender_user = body.sender_user(); + if services.users.is_suspended(sender_user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } let state_lock = services.rooms.state.mutex.lock(&body.room_id).await; let Ok(event) = services @@ -601,7 +617,7 @@ pub(crate) async fn kick_user_route( third_party_invite: None, ..event }), - body.sender_user(), + sender_user, &body.room_id, &state_lock, ) @@ -625,6 +641,10 @@ pub(crate) async fn ban_user_route( return Err!(Request(Forbidden("You cannot ban yourself."))); } + if services.users.is_suspended(sender_user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } + let state_lock = services.rooms.state.mutex.lock(&body.room_id).await; let current_member_content = services @@ -646,6 +666,7 @@ pub(crate) async fn ban_user_route( is_direct: None, join_authorized_via_users_server: None, third_party_invite: None, + redact_events: body.redact_events, ..current_member_content }), sender_user, @@ -666,6 +687,10 @@ pub(crate) async fn unban_user_route( State(services): State, body: Ruma, ) -> Result { + let sender_user = body.sender_user(); + if services.users.is_suspended(sender_user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } let state_lock = services.rooms.state.mutex.lock(&body.room_id).await; let current_member_content = services @@ -694,7 +719,7 @@ pub(crate) async fn unban_user_route( is_direct: None, ..current_member_content }), - body.sender_user(), + sender_user, &body.room_id, &state_lock, ) @@ -925,24 +950,32 @@ pub async fn join_room_by_id_helper( return Ok(join_room_by_id::v3::Response { room_id: room_id.into() }); } - if let Ok(membership) = services - .rooms - .state_accessor - .get_member(room_id, sender_user) - .await - { - if membership.membership == MembershipState::Ban { - debug_warn!("{sender_user} is banned from {room_id} but attempted to join"); - return Err!(Request(Forbidden("You are banned from the room."))); - } - } - let server_in_room = services .rooms .state_cache .server_in_room(services.globals.server_name(), room_id) .await; + // Only check our known membership if we're already in the room. + // See: https://forgejo.ellis.link/continuwuation/continuwuity/issues/855 + let membership = if server_in_room { + services + .rooms + .state_accessor + .get_member(room_id, sender_user) + .await + } else { + debug!("Ignoring local state for join {room_id}, we aren't in the room yet."); + Ok(RoomMemberEventContent::new(MembershipState::Leave)) + }; + if let Ok(m) = membership { + if m.membership == MembershipState::Ban { + debug_warn!("{sender_user} is banned from {room_id} but attempted to join"); + // TODO: return reason + return Err!(Request(Forbidden("You are banned from the room."))); + } + } + let local_join = server_in_room || servers.is_empty() || (servers.len() == 1 && services.globals.server_is_ours(&servers[0])); @@ -1815,6 +1848,7 @@ pub async fn leave_room( displayname: None, third_party_invite: None, blurhash: None, + redact_events: None, }; let is_banned = services.rooms.metadata.is_banned(room_id); diff --git a/src/api/client/profile.rs b/src/api/client/profile.rs index 3699b590..bdba4078 100644 --- a/src/api/client/profile.rs +++ b/src/api/client/profile.rs @@ -36,6 +36,9 @@ pub(crate) async fn set_displayname_route( body: Ruma, ) -> Result { let sender_user = body.sender_user.as_ref().expect("user is authenticated"); + if services.users.is_suspended(sender_user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } if *sender_user != body.user_id && body.appservice_info.is_none() { return Err!(Request(Forbidden("You cannot update the profile of another user"))); @@ -125,6 +128,9 @@ pub(crate) async fn set_avatar_url_route( body: Ruma, ) -> Result { let sender_user = body.sender_user.as_ref().expect("user is authenticated"); + if services.users.is_suspended(sender_user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } if *sender_user != body.user_id && body.appservice_info.is_none() { return Err!(Request(Forbidden("You cannot update the profile of another user"))); @@ -343,6 +349,7 @@ pub async fn update_displayname( reason: None, is_direct: None, third_party_invite: None, + redact_events: None, }); Ok((pdu, room_id)) @@ -396,6 +403,7 @@ pub async fn update_avatar_url( reason: None, is_direct: None, third_party_invite: None, + redact_events: None, }); Ok((pdu, room_id)) diff --git a/src/api/client/read_marker.rs b/src/api/client/read_marker.rs index fbfc8fea..e152869c 100644 --- a/src/api/client/read_marker.rs +++ b/src/api/client/read_marker.rs @@ -58,29 +58,34 @@ pub(crate) async fn set_read_marker_route( } if let Some(event) = &body.read_receipt { - let receipt_content = BTreeMap::from_iter([( - event.to_owned(), - BTreeMap::from_iter([( - ReceiptType::Read, - BTreeMap::from_iter([(sender_user.to_owned(), ruma::events::receipt::Receipt { - ts: Some(MilliSecondsSinceUnixEpoch::now()), - thread: ReceiptThread::Unthreaded, - })]), - )]), - )]); + if !services.users.is_suspended(sender_user).await? { + let receipt_content = BTreeMap::from_iter([( + event.to_owned(), + BTreeMap::from_iter([( + ReceiptType::Read, + BTreeMap::from_iter([( + sender_user.to_owned(), + ruma::events::receipt::Receipt { + ts: Some(MilliSecondsSinceUnixEpoch::now()), + thread: ReceiptThread::Unthreaded, + }, + )]), + )]), + )]); - services - .rooms - .read_receipt - .readreceipt_update( - sender_user, - &body.room_id, - &ruma::events::receipt::ReceiptEvent { - content: ruma::events::receipt::ReceiptEventContent(receipt_content), - room_id: body.room_id.clone(), - }, - ) - .await; + services + .rooms + .read_receipt + .readreceipt_update( + sender_user, + &body.room_id, + &ruma::events::receipt::ReceiptEvent { + content: ruma::events::receipt::ReceiptEventContent(receipt_content), + room_id: body.room_id.clone(), + }, + ) + .await; + } } if let Some(event) = &body.private_read_receipt { diff --git a/src/api/client/redact.rs b/src/api/client/redact.rs index 8dbe47a6..a8eaf91d 100644 --- a/src/api/client/redact.rs +++ b/src/api/client/redact.rs @@ -1,5 +1,5 @@ use axum::extract::State; -use conduwuit::{Result, matrix::pdu::PduBuilder}; +use conduwuit::{Err, Result, matrix::pdu::PduBuilder}; use ruma::{ api::client::redact::redact_event, events::room::redaction::RoomRedactionEventContent, }; @@ -17,6 +17,10 @@ pub(crate) async fn redact_event_route( ) -> Result { let sender_user = body.sender_user.as_ref().expect("user is authenticated"); let body = body.body; + if services.users.is_suspended(sender_user).await? { + // TODO: Users can redact their own messages while suspended + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } let state_lock = services.rooms.state.mutex.lock(&body.room_id).await; diff --git a/src/api/client/room/create.rs b/src/api/client/room/create.rs index be3fd23b..d1dffc51 100644 --- a/src/api/client/room/create.rs +++ b/src/api/client/room/create.rs @@ -70,6 +70,10 @@ pub(crate) async fn create_room_route( )); } + if services.users.is_suspended(sender_user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } + let room_id: OwnedRoomId = match &body.room_id { | Some(custom_room_id) => custom_room_id_check(&services, custom_room_id)?, | _ => RoomId::new(&services.server.name), diff --git a/src/api/client/room/upgrade.rs b/src/api/client/room/upgrade.rs index 9ec0b3bb..d8f5ea83 100644 --- a/src/api/client/room/upgrade.rs +++ b/src/api/client/room/upgrade.rs @@ -2,7 +2,7 @@ use std::cmp::max; use axum::extract::State; use conduwuit::{ - Error, Result, err, info, + Err, Error, Result, err, info, matrix::{StateKey, pdu::PduBuilder}, }; use futures::StreamExt; @@ -63,6 +63,10 @@ pub(crate) async fn upgrade_room_route( )); } + if services.users.is_suspended(sender_user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } + // Create a replacement room let replacement_room = RoomId::new(services.globals.server_name()); @@ -189,6 +193,7 @@ pub(crate) async fn upgrade_room_route( blurhash: services.users.blurhash(sender_user).await.ok(), reason: None, join_authorized_via_users_server: None, + redact_events: None, }) .expect("event is valid, we just created it"), unsigned: None, diff --git a/src/api/client/send.rs b/src/api/client/send.rs index f753fa65..b87d1822 100644 --- a/src/api/client/send.rs +++ b/src/api/client/send.rs @@ -23,6 +23,9 @@ pub(crate) async fn send_message_event_route( let sender_user = body.sender_user(); let sender_device = body.sender_device.as_deref(); let appservice_info = body.appservice_info.as_ref(); + if services.users.is_suspended(sender_user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } // Forbid m.room.encrypted if encryption is disabled if MessageLikeEventType::RoomEncrypted == body.event_type && !services.config.allow_encryption diff --git a/src/api/client/space.rs b/src/api/client/space.rs index 92768926..23b1e80f 100644 --- a/src/api/client/space.rs +++ b/src/api/client/space.rs @@ -121,7 +121,9 @@ where .map(|(key, val)| (key, val.collect())) .collect(); - if !populate { + if populate { + rooms.push(summary_to_chunk(summary.clone())); + } else { children = children .iter() .rev() @@ -144,10 +146,8 @@ where .collect(); } - if populate { - rooms.push(summary_to_chunk(summary.clone())); - } else if queue.is_empty() && children.is_empty() { - return Err!(Request(InvalidParam("Room IDs in token were not found."))); + if !populate && queue.is_empty() && children.is_empty() { + break; } parents.insert(current_room.clone()); diff --git a/src/api/client/state.rs b/src/api/client/state.rs index 2ddc8f14..07802b1b 100644 --- a/src/api/client/state.rs +++ b/src/api/client/state.rs @@ -33,6 +33,10 @@ pub(crate) async fn send_state_event_for_key_route( ) -> Result { let sender_user = body.sender_user(); + if services.users.is_suspended(sender_user).await? { + return Err!(Request(UserSuspended("You cannot perform this action while suspended."))); + } + Ok(send_state_event::v3::Response { event_id: send_state_event_for_key_helper( &services, diff --git a/src/api/client/sync/v3.rs b/src/api/client/sync/v3.rs index 8eac6b66..7bc74c95 100644 --- a/src/api/client/sync/v3.rs +++ b/src/api/client/sync/v3.rs @@ -1009,8 +1009,6 @@ async fn calculate_state_incremental<'a>( ) -> Result { let since_shortstatehash = since_shortstatehash.unwrap_or(current_shortstatehash); - let state_changed = since_shortstatehash != current_shortstatehash; - let encrypted_room = services .rooms .state_accessor @@ -1042,7 +1040,7 @@ async fn calculate_state_incremental<'a>( }) .into(); - let state_diff_ids: OptionFuture<_> = (!full_state && state_changed) + let state_diff_ids: OptionFuture<_> = (!full_state) .then(|| { StreamExt::into_future( services diff --git a/src/api/client/typing.rs b/src/api/client/typing.rs index 1d8d02fd..7b0df538 100644 --- a/src/api/client/typing.rs +++ b/src/api/client/typing.rs @@ -26,41 +26,42 @@ pub(crate) async fn create_typing_event_route( { return Err!(Request(Forbidden("You are not in this room."))); } - - match body.state { - | Typing::Yes(duration) => { - let duration = utils::clamp( - duration.as_millis().try_into().unwrap_or(u64::MAX), + if !services.users.is_suspended(sender_user).await? { + match body.state { + | Typing::Yes(duration) => { + let duration = utils::clamp( + duration.as_millis().try_into().unwrap_or(u64::MAX), + services + .server + .config + .typing_client_timeout_min_s + .try_mul(1000)?, + services + .server + .config + .typing_client_timeout_max_s + .try_mul(1000)?, + ); services - .server - .config - .typing_client_timeout_min_s - .try_mul(1000)?, + .rooms + .typing + .typing_add( + sender_user, + &body.room_id, + utils::millis_since_unix_epoch() + .checked_add(duration) + .expect("user typing timeout should not get this high"), + ) + .await?; + }, + | _ => { services - .server - .config - .typing_client_timeout_max_s - .try_mul(1000)?, - ); - services - .rooms - .typing - .typing_add( - sender_user, - &body.room_id, - utils::millis_since_unix_epoch() - .checked_add(duration) - .expect("user typing timeout should not get this high"), - ) - .await?; - }, - | _ => { - services - .rooms - .typing - .typing_remove(sender_user, &body.room_id) - .await?; - }, + .rooms + .typing + .typing_remove(sender_user, &body.room_id) + .await?; + }, + } } // ping presence diff --git a/src/core/matrix/state_res/event_auth.rs b/src/core/matrix/state_res/event_auth.rs index 759ab5cb..bd2b9c61 100644 --- a/src/core/matrix/state_res/event_auth.rs +++ b/src/core/matrix/state_res/event_auth.rs @@ -5,7 +5,7 @@ use futures::{ future::{OptionFuture, join3}, }; use ruma::{ - Int, OwnedUserId, RoomVersionId, UserId, + EventId, Int, OwnedUserId, RoomVersionId, UserId, events::room::{ create::RoomCreateEventContent, join_rules::{JoinRule, RoomJoinRulesEventContent}, @@ -217,8 +217,9 @@ where } /* - // TODO: In the past this code caused problems federating with synapse, maybe this has been - // resolved already. Needs testing. + // TODO: In the past this code was commented as it caused problems with Synapse. This is no + // longer the case. This needs to be implemented. + // See also: https://github.com/ruma/ruma/pull/2064 // // 2. Reject if auth_events // a. auth_events cannot have duplicate keys since it's a BTree diff --git a/src/database/maps.rs b/src/database/maps.rs index 19f9ced4..214dbf34 100644 --- a/src/database/maps.rs +++ b/src/database/maps.rs @@ -378,6 +378,10 @@ pub(super) static MAPS: &[Descriptor] = &[ name: "userid_password", ..descriptor::RANDOM }, + Descriptor { + name: "userid_suspension", + ..descriptor::RANDOM_SMALL + }, Descriptor { name: "userid_presenceid", ..descriptor::RANDOM_SMALL diff --git a/src/main/logging.rs b/src/main/logging.rs index eeeda127..aec50bd4 100644 --- a/src/main/logging.rs +++ b/src/main/logging.rs @@ -77,7 +77,7 @@ pub(crate) fn init( ); let tracer = opentelemetry_jaeger::new_agent_pipeline() .with_auto_split_batch(true) - .with_service_name("conduwuit") + .with_service_name(conduwuit_core::name()) .install_batch(opentelemetry_sdk::runtime::Tokio) .expect("jaeger agent pipeline"); let telemetry = tracing_opentelemetry::layer().with_tracer(tracer); diff --git a/src/service/admin/mod.rs b/src/service/admin/mod.rs index 683f5400..86e12c3c 100644 --- a/src/service/admin/mod.rs +++ b/src/service/admin/mod.rs @@ -45,11 +45,13 @@ struct Services { services: StdRwLock>>, } -/// Inputs to a command are a multi-line string and optional reply_id. +/// Inputs to a command are a multi-line string, optional reply_id, and optional +/// sender. #[derive(Debug)] pub struct CommandInput { pub command: String, pub reply_id: Option, + pub sender: Option>, } /// Prototype of the tab-completer. The input is buffered text when tab @@ -162,7 +164,22 @@ impl Service { pub fn command(&self, command: String, reply_id: Option) -> Result<()> { self.channel .0 - .send(CommandInput { command, reply_id }) + .send(CommandInput { command, reply_id, sender: None }) + .map_err(|e| err!("Failed to enqueue admin command: {e:?}")) + } + + /// Posts a command to the command processor queue with sender information + /// and returns. Processing will take place on the service worker's task + /// asynchronously. Errors if the queue is full. + pub fn command_with_sender( + &self, + command: String, + reply_id: Option, + sender: Box, + ) -> Result<()> { + self.channel + .0 + .send(CommandInput { command, reply_id, sender: Some(sender) }) .map_err(|e| err!("Failed to enqueue admin command: {e:?}")) } @@ -173,7 +190,7 @@ impl Service { command: String, reply_id: Option, ) -> ProcessorResult { - self.process_command(CommandInput { command, reply_id }) + self.process_command(CommandInput { command, reply_id, sender: None }) .await } diff --git a/src/service/rooms/event_handler/call_policyserv.rs b/src/service/rooms/event_handler/call_policyserv.rs new file mode 100644 index 00000000..4a52227d --- /dev/null +++ b/src/service/rooms/event_handler/call_policyserv.rs @@ -0,0 +1,71 @@ +use conduwuit::{ + Err, Event, PduEvent, Result, debug, implement, utils::to_canonical_object, warn, +}; +use ruma::{ + RoomId, ServerName, + api::federation::room::policy::v1::Request as PolicyRequest, + canonical_json::to_canonical_value, + events::{StateEventType, room::policy::RoomPolicyEventContent}, +}; + +/// Returns Ok if the policy server allows the event +#[implement(super::Service)] +#[tracing::instrument(skip_all, level = "debug")] +pub async fn policyserv_check(&self, pdu: &PduEvent, room_id: &RoomId) -> Result { + let Ok(policyserver) = self + .services + .state_accessor + .room_state_get_content(room_id, &StateEventType::RoomPolicy, "") + .await + .map(|c: RoomPolicyEventContent| c) + else { + return Ok(()); + }; + + let via = match policyserver.via { + | Some(ref via) => ServerName::parse(via)?, + | None => { + debug!("No policy server configured for room {room_id}"); + return Ok(()); + }, + }; + // TODO: dont do *this* + let pdu_json = self.services.timeline.get_pdu_json(pdu.event_id()).await?; + let outgoing = self + .services + .sending + .convert_to_outgoing_federation_event(pdu_json) + .await; + // let s = match serde_json::to_string(outgoing.as_ref()) { + // | Ok(s) => s, + // | Err(e) => { + // warn!("Failed to convert pdu {} to outgoing federation event: {e}", + // pdu.event_id()); return Err!(Request(InvalidParam("Failed to convert PDU + // to outgoing event."))); }, + // }; + debug!("Checking pdu {outgoing:?} for spam with policy server {via} for room {room_id}"); + let response = self + .services + .sending + .send_federation_request(via, PolicyRequest { + event_id: pdu.event_id().to_owned(), + pdu: Some(outgoing), + }) + .await; + let response = match response { + | Ok(response) => response, + | Err(e) => { + warn!("Failed to contact policy server {via} for room {room_id}: {e}"); + return Ok(()); + }, + }; + if response.recommendation == "spam" { + warn!( + "Event {} in room {room_id} was marked as spam by policy server {via}", + pdu.event_id().to_owned() + ); + return Err!(Request(Forbidden("Event was marked as spam by policy server"))); + }; + + Ok(()) +} diff --git a/src/service/rooms/event_handler/mod.rs b/src/service/rooms/event_handler/mod.rs index 45675da8..3213db29 100644 --- a/src/service/rooms/event_handler/mod.rs +++ b/src/service/rooms/event_handler/mod.rs @@ -1,4 +1,5 @@ mod acl_check; +mod call_policyserv; mod fetch_and_handle_outliers; mod fetch_prev; mod fetch_state; diff --git a/src/service/rooms/event_handler/upgrade_outlier_pdu.rs b/src/service/rooms/event_handler/upgrade_outlier_pdu.rs index 97d3df97..2cce47a9 100644 --- a/src/service/rooms/event_handler/upgrade_outlier_pdu.rs +++ b/src/service/rooms/event_handler/upgrade_outlier_pdu.rs @@ -1,7 +1,7 @@ use std::{borrow::Borrow, collections::BTreeMap, iter::once, sync::Arc, time::Instant}; use conduwuit::{ - Err, Result, debug, debug_info, err, implement, + Err, Event, Result, debug, debug_info, err, implement, info, matrix::{EventTypeExt, PduEvent, StateKey, state_res}, trace, utils::stream::{BroadbandExt, ReadyExt}, @@ -44,7 +44,7 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu( return Err!(Request(InvalidParam("Event has been soft failed"))); } - debug!("Upgrading to timeline pdu"); + debug!("Upgrading pdu {} from outlier to timeline pdu", incoming_pdu.event_id); let timer = Instant::now(); let room_version_id = get_room_version_id(create_event)?; @@ -52,7 +52,7 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu( // backwards extremities doing all the checks in this list starting at 1. // These are not timeline events. - debug!("Resolving state at event"); + debug!("Resolving state at event {}", incoming_pdu.event_id); let mut state_at_incoming_event = if incoming_pdu.prev_events.len() == 1 { self.state_at_incoming_degree_one(&incoming_pdu).await? } else { @@ -70,7 +70,7 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu( state_at_incoming_event.expect("we always set this to some above"); let room_version = to_room_version(&room_version_id); - debug!("Performing auth check"); + debug!("Performing auth check to upgrade {}", incoming_pdu.event_id); // 11. Check the auth of the event passes based on the state of the event let state_fetch_state = &state_at_incoming_event; let state_fetch = |k: StateEventType, s: StateKey| async move { @@ -80,6 +80,7 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu( self.services.timeline.get_pdu(event_id).await.ok() }; + debug!("running auth check on {}", incoming_pdu.event_id); let auth_check = state_res::event_auth::auth_check( &room_version, &incoming_pdu, @@ -93,7 +94,7 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu( return Err!(Request(Forbidden("Event has failed auth check with state at the event."))); } - debug!("Gathering auth events"); + debug!("Gathering auth events for {}", incoming_pdu.event_id); let auth_events = self .services .state @@ -111,6 +112,7 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu( ready(auth_events.get(&key).cloned()) }; + debug!("running auth check on {} with claimed state auth", incoming_pdu.event_id); let auth_check = state_res::event_auth::auth_check( &room_version, &incoming_pdu, @@ -121,8 +123,8 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu( .map_err(|e| err!(Request(Forbidden("Auth check failed: {e:?}"))))?; // Soft fail check before doing state res - debug!("Performing soft-fail check"); - let soft_fail = match (auth_check, incoming_pdu.redacts_id(&room_version_id)) { + debug!("Performing soft-fail check on {}", incoming_pdu.event_id); + let mut soft_fail = match (auth_check, incoming_pdu.redacts_id(&room_version_id)) { | (false, _) => true, | (true, None) => false, | (true, Some(redact_id)) => @@ -215,10 +217,26 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu( .await?; } + // 14-pre. If the event is not a state event, ask the policy server about it + if incoming_pdu.state_key.is_none() + && incoming_pdu.sender().server_name() != self.services.globals.server_name() + { + debug!("Checking policy server for event {}", incoming_pdu.event_id); + let policy = self.policyserv_check(&incoming_pdu, room_id); + if let Err(e) = policy.await { + warn!("Policy server check failed for event {}: {e}", incoming_pdu.event_id); + if !soft_fail { + soft_fail = true; + } + } + debug!("Policy server check passed for event {}", incoming_pdu.event_id); + } + // 14. Check if the event passes auth based on the "current state" of the room, // if not soft fail it if soft_fail { - debug!("Soft failing event"); + info!("Soft failing event {}", incoming_pdu.event_id); + // assert!(extremities.is_empty(), "soft_fail extremities empty"); let extremities = extremities.iter().map(Borrow::borrow); self.services diff --git a/src/service/rooms/timeline/mod.rs b/src/service/rooms/timeline/mod.rs index 4b2f3cb2..124877b3 100644 --- a/src/service/rooms/timeline/mod.rs +++ b/src/service/rooms/timeline/mod.rs @@ -536,9 +536,11 @@ impl Service { self.services.search.index_pdu(shortroomid, &pdu_id, &body); if self.services.admin.is_admin_command(pdu, &body).await { - self.services - .admin - .command(body, Some((*pdu.event_id).into()))?; + self.services.admin.command_with_sender( + body, + Some((*pdu.event_id).into()), + pdu.sender.clone().into(), + )?; } } }, @@ -698,6 +700,20 @@ impl Service { .await .saturating_add(uint!(1)); + if state_key.is_none() { + if prev_events.is_empty() { + warn!("Timeline event had zero prev_events, something broke."); + return Err!(Request(Unknown("Timeline event had zero prev_events."))); + } + if depth.le(&uint!(2)) { + warn!( + "Had unsafe depth of {depth} in {room_id} when creating non-state event. \ + Bad!" + ); + return Err!(Request(Unknown("Unsafe depth for non-state event."))); + } + }; + let mut unsigned = unsigned.unwrap_or_default(); if let Some(state_key) = &state_key { @@ -719,6 +735,18 @@ impl Service { ); } } + if event_type != TimelineEventType::RoomCreate && prev_events.is_empty() { + return Err!(Request(Unknown("Event incorrectly had zero prev_events."))); + } + if state_key.is_none() && depth.lt(&uint!(2)) { + // The first two events in a room are always m.room.create and m.room.member, + // so any other events with that same depth are illegal. + warn!( + "Had unsafe depth {depth} when creating non-state event in {room_id}. Cowardly \ + aborting" + ); + return Err!(Request(Unknown("Unsafe depth for non-state event."))); + } let mut pdu = PduEvent { event_id: ruma::event_id!("$thiswillbefilledinlater").into(), @@ -757,6 +785,10 @@ impl Service { ready(auth_events.get(&key)) }; + debug!( + "running auth check on new {} event by {} in {}", + pdu.kind, pdu.sender, pdu.room_id + ); let auth_check = state_res::auth_check( &room_version, &pdu, @@ -961,8 +993,9 @@ impl Service { state_lock: &'a RoomMutexGuard, ) -> Result> where - Leaves: Iterator + Send + 'a, + Leaves: Iterator + Send + Clone + 'a, { + // assert!(new_room_leaves.clone().count() > 0, "extremities are empty"); // We append to state before appending the pdu, so we don't have a moment in // time with the pdu without it's state. This is okay because append_pdu can't // fail. diff --git a/src/service/users/mod.rs b/src/service/users/mod.rs index 701561a8..d2dfccd9 100644 --- a/src/service/users/mod.rs +++ b/src/service/users/mod.rs @@ -16,10 +16,21 @@ use ruma::{ }, serde::Raw, }; +use serde::{Deserialize, Serialize}; use serde_json::json; use crate::{Dep, account_data, admin, globals, rooms}; +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct UserSuspension { + /// Whether the user is currently suspended + pub suspended: bool, + /// When the user was suspended (Unix timestamp in milliseconds) + pub suspended_at: u64, + /// User ID of who suspended this user + pub suspended_by: String, +} + pub struct Service { services: Services, db: Data, @@ -52,6 +63,7 @@ struct Data { userid_lastonetimekeyupdate: Arc, userid_masterkeyid: Arc, userid_password: Arc, + userid_suspension: Arc, userid_selfsigningkeyid: Arc, userid_usersigningkeyid: Arc, useridprofilekey_value: Arc, @@ -87,6 +99,7 @@ impl crate::Service for Service { userid_lastonetimekeyupdate: args.db["userid_lastonetimekeyupdate"].clone(), userid_masterkeyid: args.db["userid_masterkeyid"].clone(), userid_password: args.db["userid_password"].clone(), + userid_suspension: args.db["userid_suspension"].clone(), userid_selfsigningkeyid: args.db["userid_selfsigningkeyid"].clone(), userid_usersigningkeyid: args.db["userid_usersigningkeyid"].clone(), useridprofilekey_value: args.db["useridprofilekey_value"].clone(), @@ -143,6 +156,23 @@ impl Service { Ok(()) } + /// Suspend account, placing it in a read-only state + pub async fn suspend_account(&self, user_id: &UserId, suspending_user: &UserId) { + self.db.userid_suspension.raw_put( + user_id, + Json(UserSuspension { + suspended: true, + suspended_at: MilliSecondsSinceUnixEpoch::now().get().into(), + suspended_by: suspending_user.to_string(), + }), + ); + } + + /// Unsuspend account, placing it in a read-write state + pub async fn unsuspend_account(&self, user_id: &UserId) { + self.db.userid_suspension.remove(user_id); + } + /// Check if a user has an account on this homeserver. #[inline] pub async fn exists(&self, user_id: &UserId) -> bool { @@ -159,6 +189,25 @@ impl Service { .await } + /// Check if account is suspended + pub async fn is_suspended(&self, user_id: &UserId) -> Result { + match self + .db + .userid_suspension + .get(user_id) + .await + .deserialized::() + { + | Ok(s) => Ok(s.suspended), + | Err(e) => + if e.is_not_found() { + Ok(false) + } else { + Err(e) + }, + } + } + /// Check if account is active, infallible pub async fn is_active(&self, user_id: &UserId) -> bool { !self.is_deactivated(user_id).await.unwrap_or(true) diff --git a/theme/css/chrome.css b/theme/css/chrome.css index d6cc2b32..f14ffc2c 100644 --- a/theme/css/chrome.css +++ b/theme/css/chrome.css @@ -605,4 +605,3 @@ ul#searchresults span.teaser em { margin-inline-start: -14px; width: 14px; } -