continuwuity/src/config/check.rs

#[cfg(unix)]
use std::path::Path; // not unix specific, just only for UNIX sockets stuff and *nix container checks

use tracing::{debug, error, info, warn};

use crate::{utils::error::Error, Config};

pub(crate) fn check(config: &Config) -> Result<(), Error> {
	config.warn_deprecated();
	config.warn_unknown_key();

	if cfg!(feature = "hardened_malloc") && cfg!(feature = "jemalloc") {
		warn!(
			"hardened_malloc and jemalloc were built together, this causes neither to be used. Conduwuit will still \
			 function, but consider rebuilding and pick one as this is now no-op."
		);
	}

	if config.unix_socket_path.is_some() && !cfg!(unix) {
		return Err(Error::bad_config(
			"UNIX socket support is only available on *nix platforms. Please remove \"unix_socket_path\" from your \
			 config.",
		));
	}

	if config.address.is_loopback() && cfg!(unix) {
		debug!(
			"Found loopback listening address {}, running checks if we're in a container.",
			config.address
		);

		#[cfg(unix)]
		if Path::new("/proc/vz").exists() /* Guest */ && !Path::new("/proc/bz").exists()
		/* Host */
		{
			error!(
				"You are detected using OpenVZ with a loopback/localhost listening address of {}. If you are using \
				 OpenVZ for containers and you use NAT-based networking to communicate with the host and guest, this \
				 will NOT work. Please change this to \"0.0.0.0\". If this is expected, you can ignore.",
				config.address
			);
		}

		#[cfg(unix)]
		if Path::new("/.dockerenv").exists() {
			error!(
				"You are detected using Docker with a loopback/localhost listening address of {}. If you are using a \
				 reverse proxy on the host and require communication to conduwuit in the Docker container via \
				 NAT-based networking, this will NOT work. Please change this to \"0.0.0.0\". If this is expected, \
				 you can ignore.",
				config.address
			);
		}

		#[cfg(unix)]
		if Path::new("/run/.containerenv").exists() {
			error!(
				"You are detected using Podman with a loopback/localhost listening address of {}. If you are using a \
				 reverse proxy on the host and require communication to conduwuit in the Podman container via \
				 NAT-based networking, this will NOT work. Please change this to \"0.0.0.0\". If this is expected, \
				 you can ignore.",
				config.address
			);
		}
	}

	// rocksdb does not allow max_log_files to be 0
	if config.rocksdb_max_log_files == 0 && cfg!(feature = "rocksdb") {
		return Err(Error::bad_config(
			"When using RocksDB, rocksdb_max_log_files cannot be 0. Please set a value at least 1.",
		));
	}

	// yeah, unless the user built a debug build hopefully for local testing only
	if config.server_name == "your.server.name" && !cfg!(debug_assertions) {
		return Err(Error::bad_config(
			"You must specify a valid server name for production usage of conduwuit.",
		));
	}

	if cfg!(debug_assertions) {
		info!("Note: conduwuit was built without optimisations (i.e. debug build)");
	}

	// check if the user specified a registration token as `""`
	if config.registration_token == Some(String::new()) {
		return Err(Error::bad_config("Registration token was specified but is empty (\"\")"));
	}

	if config.max_request_size < 16384 {
		return Err(Error::bad_config("Max request size is less than 16KB. Please increase it."));
	}

	// check if user specified valid IP CIDR ranges on startup
	for cidr in &config.ip_range_denylist {
		if let Err(e) = ipaddress::IPAddress::parse(cidr) {
			error!("Error parsing specified IP CIDR range from string: {e}");
			return Err(Error::bad_config("Error parsing specified IP CIDR ranges from strings"));
		}
	}

	if config.allow_registration
		&& !config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
		&& config.registration_token.is_none()
	{
		return Err(Error::bad_config(
			"!! You have `allow_registration` enabled without a token configured in your config which means you are \
			 allowing ANYONE to register on your conduwuit instance without any 2nd-step (e.g. registration token).\n
If this is not the intended behaviour, please set a registration token with the `registration_token` config option.\n
For security and safety reasons, conduwuit will shut down. If you are extra sure this is the desired behaviour you \
			 want, please set the following config option to true:
`yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`",
		));
	}

	if config.allow_registration
		&& config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
		&& config.registration_token.is_none()
	{
		warn!(
			"Open registration is enabled via setting \
			 `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` and `allow_registration` to \
			 true without a registration token configured. You are expected to be aware of the risks now.\n
    If this is not the desired behaviour, please set a registration token."
		);
	}

	if config.allow_outgoing_presence && !config.allow_local_presence {
		return Err(Error::bad_config(
			"Outgoing presence requires allowing local presence. Please enable \"allow_local_presence\".",
		));
	}

	if config
		.url_preview_domain_contains_allowlist
		.contains(&"*".to_owned())
	{
		warn!(
			"All URLs are allowed for URL previews via setting \"url_preview_domain_contains_allowlist\" to \"*\". \
			 This opens up significant attack surface to your server. You are expected to be aware of the risks by \
			 doing this."
		);
	}
	if config
		.url_preview_domain_explicit_allowlist
		.contains(&"*".to_owned())
	{
		warn!(
			"All URLs are allowed for URL previews via setting \"url_preview_domain_explicit_allowlist\" to \"*\". \
			 This opens up significant attack surface to your server. You are expected to be aware of the risks by \
			 doing this."
		);
	}
	if config
		.url_preview_url_contains_allowlist
		.contains(&"*".to_owned())
	{
		warn!(
			"All URLs are allowed for URL previews via setting \"url_preview_url_contains_allowlist\" to \"*\". This \
			 opens up significant attack surface to your server. You are expected to be aware of the risks by doing \
			 this."
		);
	}

	Ok(())
}