policy server following maybe???

(cherry picked from commit e1c06e10f6ce27b570682989fed0defda0fe09a1)
2025-06-26 22:16:37 +02:00 · 2025-06-19 20:26:39 +01:00 · 2025-06-19 20:26:39 +01:00 · 4c30eec355
commit 4c30eec355
parent 6e16a6ef8f
6 changed files with 86 additions and 22 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -3695,7 +3695,7 @@ dependencies = [
 [[package]]
 name = "ruma"
 version = "0.10.1"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=781606d1fafbf2daa220fd354d9ad0479a308cd1#781606d1fafbf2daa220fd354d9ad0479a308cd1"
 dependencies = [
 "assign",
 "js_int",
@ -3715,7 +3715,7 @@ dependencies = [
 [[package]]
 name = "ruma-appservice-api"
 version = "0.10.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=781606d1fafbf2daa220fd354d9ad0479a308cd1#781606d1fafbf2daa220fd354d9ad0479a308cd1"
 dependencies = [
 "js_int",
 "ruma-common",
@ -3727,7 +3727,7 @@ dependencies = [
 [[package]]
 name = "ruma-client-api"
 version = "0.18.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=781606d1fafbf2daa220fd354d9ad0479a308cd1#781606d1fafbf2daa220fd354d9ad0479a308cd1"
 dependencies = [
 "as_variant",
 "assign",
@ -3750,7 +3750,7 @@ dependencies = [
 [[package]]
 name = "ruma-common"
 version = "0.13.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=781606d1fafbf2daa220fd354d9ad0479a308cd1#781606d1fafbf2daa220fd354d9ad0479a308cd1"
 dependencies = [
 "as_variant",
 "base64 0.22.1",
@ -3782,7 +3782,7 @@ dependencies = [
 [[package]]
 name = "ruma-events"
 version = "0.28.1"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=781606d1fafbf2daa220fd354d9ad0479a308cd1#781606d1fafbf2daa220fd354d9ad0479a308cd1"
 dependencies = [
 "as_variant",
 "indexmap 2.9.0",
@ -3807,7 +3807,7 @@ dependencies = [
 [[package]]
 name = "ruma-federation-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=781606d1fafbf2daa220fd354d9ad0479a308cd1#781606d1fafbf2daa220fd354d9ad0479a308cd1"
 dependencies = [
 "bytes",
 "headers",
@ -3829,7 +3829,7 @@ dependencies = [
 [[package]]
 name = "ruma-identifiers-validation"
 version = "0.9.5"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=781606d1fafbf2daa220fd354d9ad0479a308cd1#781606d1fafbf2daa220fd354d9ad0479a308cd1"
 dependencies = [
 "js_int",
 "thiserror 2.0.12",
@ -3838,7 +3838,7 @@ dependencies = [
 [[package]]
 name = "ruma-identity-service-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=781606d1fafbf2daa220fd354d9ad0479a308cd1#781606d1fafbf2daa220fd354d9ad0479a308cd1"
 dependencies = [
 "js_int",
 "ruma-common",
@ -3848,7 +3848,7 @@ dependencies = [
 [[package]]
 name = "ruma-macros"
 version = "0.13.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=781606d1fafbf2daa220fd354d9ad0479a308cd1#781606d1fafbf2daa220fd354d9ad0479a308cd1"
 dependencies = [
 "cfg-if",
 "proc-macro-crate",
@ -3863,7 +3863,7 @@ dependencies = [
 [[package]]
 name = "ruma-push-gateway-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=781606d1fafbf2daa220fd354d9ad0479a308cd1#781606d1fafbf2daa220fd354d9ad0479a308cd1"
 dependencies = [
 "js_int",
 "ruma-common",
@ -3875,7 +3875,7 @@ dependencies = [
 [[package]]
 name = "ruma-signatures"
 version = "0.15.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=d6870a7fb7f6cccff63f7fd0ff6c581bad80e983#d6870a7fb7f6cccff63f7fd0ff6c581bad80e983"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=781606d1fafbf2daa220fd354d9ad0479a308cd1#781606d1fafbf2daa220fd354d9ad0479a308cd1"
 dependencies = [
 "base64 0.22.1",
 "ed25519-dalek",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -350,7 +350,7 @@ version = "0.1.2"
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
 #branch = "conduwuit-changes"
-rev = "d6870a7fb7f6cccff63f7fd0ff6c581bad80e983"
+rev = "781606d1fafbf2daa220fd354d9ad0479a308cd1"
 features = [
    "compat",
    "rand",
--- a/src/core/matrix/state_res/event_auth.rs
+++ b/src/core/matrix/state_res/event_auth.rs
@ -5,7 +5,7 @@ use futures::{
 	future::{OptionFuture, join3},
 };
 use ruma::{
-	Int, OwnedUserId, RoomVersionId, UserId,
+	EventId, Int, OwnedUserId, RoomVersionId, UserId,
 	events::room::{
 		create::RoomCreateEventContent,
 		join_rules::{JoinRule, RoomJoinRulesEventContent},
@ -217,8 +217,9 @@ where
 	}

 	/*
-	// TODO: In the past this code caused problems federating with synapse, maybe this has been
-	// resolved already. Needs testing.
+	// TODO: In the past this code was commented as it caused problems with Synapse. This is no
+	// longer the case. This needs to be implemented.
+	// See also: https://github.com/ruma/ruma/pull/2064
 	//
 	// 2. Reject if auth_events
 	// a. auth_events cannot have duplicate keys since it's a BTree
--- a/src/service/rooms/event_handler/call_policyserv.rs
+++ b/src/service/rooms/event_handler/call_policyserv.rs
@ -0,0 +1,54 @@
+use conduwuit::{Err, Result, debug, implement, trace, warn};
+use ruma::{
+	EventId, OwnedEventId, OwnedServerName, RoomId, ServerName,
+	api::federation::room::policy::v1::{Request as PolicyRequest, Response as PolicyResponse},
+	events::{
+		StateEventType,
+		room::{
+			policy::{PolicyServerResponseContent, RoomPolicyEventContent},
+			server_acl::RoomServerAclEventContent,
+		},
+	},
+};
+use serde::{Deserialize, Serialize};
+
+/// Returns Ok if the policy server allows the event
+#[implement(super::Service)]
+#[tracing::instrument(skip_all, level = "debug")]
+pub async fn policyserv_check(&self, event_id: &EventId, room_id: &RoomId) -> Result {
+	let Ok(policyserver) = self
+		.services
+		.state_accessor
+		.room_state_get_content(room_id, &StateEventType::RoomPolicy, "")
+		.await
+		.map(|c: RoomPolicyEventContent| c)
+	else {
+		return Ok(());
+	};
+
+	let via = match policyserver.via {
+		| Some(ref via) => ServerName::parse(via)?,
+		| None => {
+			debug!("No policy server configured for room {room_id}");
+			return Ok(());
+		},
+	};
+	let response = self
+		.services
+		.sending
+		.send_federation_request(via, PolicyRequest { event_id: event_id.to_owned() })
+		.await;
+	let response = match response {
+		| Ok(response) => response,
+		| Err(e) => {
+			warn!("Failed to contact policy server {via} for room {room_id}: {e}");
+			return Ok(());
+		},
+	};
+	if response.recommendation == "spam" {
+		warn!("Event {event_id} in room {room_id} was marked as spam by policy server {via}");
+		return Err!(Request(Forbidden("Event was marked as spam by policy server")));
+	};
+
+	Ok(())
+}
--- a/src/service/rooms/event_handler/mod.rs
+++ b/src/service/rooms/event_handler/mod.rs
@ -1,4 +1,5 @@
 mod acl_check;
+mod call_policyserv;
 mod fetch_and_handle_outliers;
 mod fetch_prev;
 mod fetch_state;
--- a/src/service/rooms/event_handler/upgrade_outlier_pdu.rs
+++ b/src/service/rooms/event_handler/upgrade_outlier_pdu.rs
@ -1,12 +1,6 @@
 use std::{borrow::Borrow, collections::BTreeMap, iter::once, sync::Arc, time::Instant};

-use conduwuit::{
-	Err, Result, debug, debug_info, err, implement,
-	matrix::{EventTypeExt, PduEvent, StateKey, state_res},
-	trace,
-	utils::stream::{BroadbandExt, ReadyExt},
-	warn,
-};
+use conduwuit::{Err, Result, debug, debug_info, err, implement, info, matrix::{EventTypeExt, PduEvent, StateKey, state_res}, trace, utils::stream::{BroadbandExt, ReadyExt}, warn, Event};
 use futures::{FutureExt, StreamExt, future::ready};
 use ruma::{CanonicalJsonValue, RoomId, ServerName, events::StateEventType};

@ -242,6 +236,20 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu(
 		return Err!(Request(InvalidParam("Event has been soft failed")));
 	}

+	// 15. If the event is not a state event, ask the policy server about it
+	if incoming_pdu.state_key.is_none() {
+		debug!("Checking policy server for event {}", incoming_pdu.event_id);
+		let policy = self.policyserv_check(
+			&incoming_pdu.event_id,
+			room_id,
+		);
+		if let Err(e) = policy.await {
+			warn!("Policy server check failed for event {}: {e}", incoming_pdu.event_id);
+			return Err!(Request(Forbidden("Event was marked as spam by policy server")));
+		}
+		debug!("Policy server check passed for event {}", incoming_pdu.event_id);
+	}
+
 	// Now that the event has passed all auth it is added into the timeline.
 	// We use the `state_at_event` instead of `state_after` so we accurately
 	// represent the state for this event.