shruub
/
conduit
mirror of https://gitlab.com/famedly/conduit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dont-give-guests-admin' into 'next'

Browse Source 
fix(accounts): don't give guests admin

See merge request famedly/conduit!591
merge-requests/551/head^2
Timo Kösters 6 months ago
parent 7bb480ceb8 4934020ee7
commit 57575b7c6f
3 changed files with 241 additions and 243 deletions
Show Stats Download Patch File Download Diff File

23
src/api/client_server/account.rs
Unescape Escape View File

@ -239,13 +239,22 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
// If this is the first real user, grant them admin privileges // If this is the first real user, grant them admin privileges
// Note: the server user, @conduit:servername, is generated first // Note: the server user, @conduit:servername, is generated first
if services().users.count()? == 2 { if !is_guest {
services() if let Some(admin_room) = services().admin.get_admin_room()? {
.admin if services()
.make_user_admin(&user_id, displayname) .rooms
.await?; .state_cache
.room_joined_count(&admin_room)?
warn!("Granting {} admin privileges as the first user", user_id); == Some(1)
{
services()
.admin
.make_user_admin(&user_id, displayname)
.await?;
warn!("Granting {} admin privileges as the first user", user_id);
}
}
} }
Ok(register::v3::Response { Ok(register::v3::Response {

301
src/service/admin/mod.rs
Unescape Escape View File

@ -23,7 +23,7 @@ use ruma::{
}, },
TimelineEventType, TimelineEventType,
}, },
EventId, OwnedRoomAliasId, RoomAliasId, RoomId, RoomVersionId, ServerName, UserId, EventId, OwnedRoomAliasId, OwnedRoomId, RoomAliasId, RoomId, RoomVersionId, ServerName, UserId,
}; };
use serde_json::value::to_raw_value; use serde_json::value::to_raw_value;
use tokio::sync::{mpsc, Mutex, MutexGuard}; use tokio::sync::{mpsc, Mutex, MutexGuard};
@ -214,60 +214,51 @@ impl Service {
let conduit_user = UserId::parse(format!("@conduit:{}", services().globals.server_name())) let conduit_user = UserId::parse(format!("@conduit:{}", services().globals.server_name()))
.expect("@conduit:server_name is valid"); .expect("@conduit:server_name is valid");
let conduit_room = services() if let Ok(Some(conduit_room)) = services().admin.get_admin_room() {
.rooms let send_message = |message: RoomMessageEventContent,
.alias mutex_lock: &MutexGuard<'_, ()>| {
.resolve_local_alias( services()
format!("#admins:{}", services().globals.server_name()) .rooms
.as_str() .timeline
.try_into() .build_and_append_pdu(
.expect("#admins:server_name is a valid room alias"), PduBuilder {
) event_type: TimelineEventType::RoomMessage,
.expect("Database data for admin room alias must be valid") content: to_raw_value(&message)
.expect("Admin room must exist"); .expect("event is valid, we just created it"),
unsigned: None,
let send_message = |message: RoomMessageEventContent, mutex_lock: &MutexGuard<'_, ()>| { state_key: None,
services() redacts: None,
.rooms },
.timeline &conduit_user,
.build_and_append_pdu( &conduit_room,
PduBuilder { mutex_lock,
event_type: TimelineEventType::RoomMessage, )
content: to_raw_value(&message) .unwrap();
.expect("event is valid, we just created it"), };
unsigned: None,
state_key: None, loop {
redacts: None, tokio::select! {
}, Some(event) = receiver.recv() => {
&conduit_user, let message_content = match event {
&conduit_room, AdminRoomEvent::SendMessage(content) => content,
mutex_lock, AdminRoomEvent::ProcessMessage(room_message) => self.process_admin_message(room_message).await
) };
.unwrap();
}; let mutex_state = Arc::clone(
services().globals
loop { .roomid_mutex_state
tokio::select! { .write()
Some(event) = receiver.recv() => { .unwrap()
let message_content = match event { .entry(conduit_room.to_owned())
AdminRoomEvent::SendMessage(content) => content, .or_default(),
AdminRoomEvent::ProcessMessage(room_message) => self.process_admin_message(room_message).await );
};
let state_lock = mutex_state.lock().await;
let mutex_state = Arc::clone(
services().globals send_message(message_content, &state_lock);
.roomid_mutex_state
.write() drop(state_lock);
.unwrap() }
.entry(conduit_room.to_owned())
.or_default(),
);
let state_lock = mutex_state.lock().await;
send_message(message_content, &state_lock);
drop(state_lock);
} }
} }
} }
@ -1105,110 +1096,116 @@ impl Service {
Ok(()) Ok(())
} }
/// Invite the user to the conduit admin room. /// Gets the room ID of the admin room
/// ///
/// In conduit, this is equivalent to granting admin privileges. /// Errors are propagated from the database, and will have None if there is no admin room
pub(crate) async fn make_user_admin( pub(crate) fn get_admin_room(&self) -> Result<Option<OwnedRoomId>> {
&self,
user_id: &UserId,
displayname: String,
) -> Result<()> {
let admin_room_alias: Box<RoomAliasId> = let admin_room_alias: Box<RoomAliasId> =
format!("#admins:{}", services().globals.server_name()) format!("#admins:{}", services().globals.server_name())
.try_into() .try_into()
.expect("#admins:server_name is a valid alias name"); .expect("#admins:server_name is a valid alias name");
let room_id = services()
services()
.rooms .rooms
.alias .alias
.resolve_local_alias(&admin_room_alias)? .resolve_local_alias(&admin_room_alias)
.expect("Admin room must exist"); }
let mutex_state = Arc::clone(
services()
.globals
.roomid_mutex_state
.write()
.unwrap()
.entry(room_id.clone())
.or_default(),
);
let state_lock = mutex_state.lock().await;
// Use the server user to grant the new admin's power level
let conduit_user =
UserId::parse_with_server_name("conduit", services().globals.server_name())
.expect("@conduit:server_name is valid");
// Invite and join the real user
services().rooms.timeline.build_and_append_pdu(
PduBuilder {
event_type: TimelineEventType::RoomMember,
content: to_raw_value(&RoomMemberEventContent {
membership: MembershipState::Invite,
displayname: None,
avatar_url: None,
is_direct: None,
third_party_invite: None,
blurhash: None,
reason: None,
join_authorized_via_users_server: None,
})
.expect("event is valid, we just created it"),
unsigned: None,
state_key: Some(user_id.to_string()),
redacts: None,
},
&conduit_user,
&room_id,
&state_lock,
)?;
services().rooms.timeline.build_and_append_pdu(
PduBuilder {
event_type: TimelineEventType::RoomMember,
content: to_raw_value(&RoomMemberEventContent {
membership: MembershipState::Join,
displayname: Some(displayname),
avatar_url: None,
is_direct: None,
third_party_invite: None,
blurhash: None,
reason: None,
join_authorized_via_users_server: None,
})
.expect("event is valid, we just created it"),
unsigned: None,
state_key: Some(user_id.to_string()),
redacts: None,
},
user_id,
&room_id,
&state_lock,
)?;
// Set power level
let mut users = BTreeMap::new();
users.insert(conduit_user.to_owned(), 100.into());
users.insert(user_id.to_owned(), 100.into());
services().rooms.timeline.build_and_append_pdu(
PduBuilder {
event_type: TimelineEventType::RoomPowerLevels,
content: to_raw_value(&RoomPowerLevelsEventContent {
users,
..Default::default()
})
.expect("event is valid, we just created it"),
unsigned: None,
state_key: Some("".to_owned()),
redacts: None,
},
&conduit_user,
&room_id,
&state_lock,
)?;
// Send welcome message /// Invite the user to the conduit admin room.
services().rooms.timeline.build_and_append_pdu( ///
/// In conduit, this is equivalent to granting admin privileges.
pub(crate) async fn make_user_admin(
&self,
user_id: &UserId,
displayname: String,
) -> Result<()> {
if let Some(room_id) = services().admin.get_admin_room()? {
let mutex_state = Arc::clone(
services()
.globals
.roomid_mutex_state
.write()
.unwrap()
.entry(room_id.clone())
.or_default(),
);
let state_lock = mutex_state.lock().await;
// Use the server user to grant the new admin's power level
let conduit_user =
UserId::parse_with_server_name("conduit", services().globals.server_name())
.expect("@conduit:server_name is valid");
// Invite and join the real user
services().rooms.timeline.build_and_append_pdu(
PduBuilder {
event_type: TimelineEventType::RoomMember,
content: to_raw_value(&RoomMemberEventContent {
membership: MembershipState::Invite,
displayname: None,
avatar_url: None,
is_direct: None,
third_party_invite: None,
blurhash: None,
reason: None,
join_authorized_via_users_server: None,
})
.expect("event is valid, we just created it"),
unsigned: None,
state_key: Some(user_id.to_string()),
redacts: None,
},
&conduit_user,
&room_id,
&state_lock,
)?;
services().rooms.timeline.build_and_append_pdu(
PduBuilder {
event_type: TimelineEventType::RoomMember,
content: to_raw_value(&RoomMemberEventContent {
membership: MembershipState::Join,
displayname: Some(displayname),
avatar_url: None,
is_direct: None,
third_party_invite: None,
blurhash: None,
reason: None,
join_authorized_via_users_server: None,
})
.expect("event is valid, we just created it"),
unsigned: None,
state_key: Some(user_id.to_string()),
redacts: None,
},
user_id,
&room_id,
&state_lock,
)?;
// Set power level
let mut users = BTreeMap::new();
users.insert(conduit_user.to_owned(), 100.into());
users.insert(user_id.to_owned(), 100.into());
services().rooms.timeline.build_and_append_pdu(
PduBuilder {
event_type: TimelineEventType::RoomPowerLevels,
content: to_raw_value(&RoomPowerLevelsEventContent {
users,
..Default::default()
})
.expect("event is valid, we just created it"),
unsigned: None,
state_key: Some("".to_owned()),
redacts: None,
},
&conduit_user,
&room_id,
&state_lock,
)?;
// Send welcome message
services().rooms.timeline.build_and_append_pdu(
PduBuilder { PduBuilder {
event_type: TimelineEventType::RoomMessage, event_type: TimelineEventType::RoomMessage,
content: to_raw_value(&RoomMessageEventContent::text_html( content: to_raw_value(&RoomMessageEventContent::text_html(
@ -1224,7 +1221,7 @@ impl Service {
&room_id, &room_id,
&state_lock, &state_lock,
)?; )?;
}
Ok(()) Ok(())
} }
} }

160
src/service/rooms/timeline/mod.rs
Unescape Escape View File

@ -28,7 +28,7 @@ use ruma::{
state_res, state_res,
state_res::{Event, RoomVersion}, state_res::{Event, RoomVersion},
uint, user_id, CanonicalJsonObject, CanonicalJsonValue, EventId, OwnedEventId, OwnedRoomId, uint, user_id, CanonicalJsonObject, CanonicalJsonValue, EventId, OwnedEventId, OwnedRoomId,
OwnedServerName, RoomAliasId, RoomId, ServerName, UserId, OwnedServerName, RoomId, ServerName, UserId,
}; };
use serde::Deserialize; use serde::Deserialize;
use serde_json::value::{to_raw_value, RawValue as RawJsonValue}; use serde_json::value::{to_raw_value, RawValue as RawJsonValue};
@ -448,12 +448,6 @@ impl Service {
.search .search
.index_pdu(shortroomid, &pdu_id, &body)?; .index_pdu(shortroomid, &pdu_id, &body)?;
let admin_room = services().rooms.alias.resolve_local_alias(
<&RoomAliasId>::try_from(
format!("#admins:{}", services().globals.server_name()).as_str(),
)
.expect("#admins:server_name is a valid room alias"),
)?;
let server_user = format!("@conduit:{}", services().globals.server_name()); let server_user = format!("@conduit:{}", services().globals.server_name());
let to_conduit = body.starts_with(&format!("{server_user}: ")) let to_conduit = body.starts_with(&format!("{server_user}: "))
@ -466,8 +460,10 @@ impl Service {
let from_conduit = pdu.sender == server_user let from_conduit = pdu.sender == server_user
&& services().globals.emergency_password().is_none(); && services().globals.emergency_password().is_none();
if to_conduit && !from_conduit && admin_room.as_ref() == Some(&pdu.room_id) { if let Some(admin_room) = services().admin.get_admin_room()? {
services().admin.process_message(body); if to_conduit && !from_conduit && admin_room == pdu.room_id {
services().admin.process_message(body);
}
} }
} }
} }
@ -820,89 +816,85 @@ impl Service {
let (pdu, pdu_json) = let (pdu, pdu_json) =
self.create_hash_and_sign_event(pdu_builder, sender, room_id, state_lock)?; self.create_hash_and_sign_event(pdu_builder, sender, room_id, state_lock)?;
let admin_room = services().rooms.alias.resolve_local_alias( if let Some(admin_room) = services().admin.get_admin_room()? {
<&RoomAliasId>::try_from( if admin_room == room_id {
format!("#admins:{}", services().globals.server_name()).as_str(), match pdu.event_type() {
) TimelineEventType::RoomEncryption => {
.expect("#admins:server_name is a valid room alias"), warn!("Encryption is not allowed in the admins room");
)?; return Err(Error::BadRequest(
if admin_room.filter(|v| v == room_id).is_some() { ErrorKind::Forbidden,
match pdu.event_type() { "Encryption is not allowed in the admins room.",
TimelineEventType::RoomEncryption => { ));
warn!("Encryption is not allowed in the admins room");
return Err(Error::BadRequest(
ErrorKind::Forbidden,
"Encryption is not allowed in the admins room.",
));
}
TimelineEventType::RoomMember => {
#[derive(Deserialize)]
struct ExtractMembership {
membership: MembershipState,
} }
TimelineEventType::RoomMember => {
let target = pdu #[derive(Deserialize)]
.state_key() struct ExtractMembership {
.filter(|v| v.starts_with('@')) membership: MembershipState,
.unwrap_or(sender.as_str());
let server_name = services().globals.server_name();
let server_user = format!("@conduit:{}", server_name);
let content = serde_json::from_str::<ExtractMembership>(pdu.content.get())
.map_err(|_| Error::bad_database("Invalid content in pdu."))?;
if content.membership == MembershipState::Leave {
if target == server_user {
warn!("Conduit user cannot leave from admins room");
return Err(Error::BadRequest(
ErrorKind::Forbidden,
"Conduit user cannot leave from admins room.",
));
}
let count = services()
.rooms
.state_cache
.room_members(room_id)
.filter_map(|m| m.ok())
.filter(|m| m.server_name() == server_name)
.filter(|m| m != target)
.count();
if count < 2 {
warn!("Last admin cannot leave from admins room");
return Err(Error::BadRequest(
ErrorKind::Forbidden,
"Last admin cannot leave from admins room.",
));
} }
}
if content.membership == MembershipState::Ban && pdu.state_key().is_some() { let target = pdu
if target == server_user { .state_key()
warn!("Conduit user cannot be banned in admins room"); .filter(|v| v.starts_with('@'))
return Err(Error::BadRequest( .unwrap_or(sender.as_str());
ErrorKind::Forbidden, let server_name = services().globals.server_name();
"Conduit user cannot be banned in admins room.", let server_user = format!("@conduit:{}", server_name);
)); let content = serde_json::from_str::<ExtractMembership>(pdu.content.get())
.map_err(|_| Error::bad_database("Invalid content in pdu."))?;
if content.membership == MembershipState::Leave {
if target == server_user {
warn!("Conduit user cannot leave from admins room");
return Err(Error::BadRequest(
ErrorKind::Forbidden,
"Conduit user cannot leave from admins room.",
));
}
let count = services()
.rooms
.state_cache
.room_members(room_id)
.filter_map(|m| m.ok())
.filter(|m| m.server_name() == server_name)
.filter(|m| m != target)
.count();
if count < 2 {
warn!("Last admin cannot leave from admins room");
return Err(Error::BadRequest(
ErrorKind::Forbidden,
"Last admin cannot leave from admins room.",
));
}
} }
let count = services() if content.membership == MembershipState::Ban && pdu.state_key().is_some() {
.rooms if target == server_user {
.state_cache warn!("Conduit user cannot be banned in admins room");
.room_members(room_id) return Err(Error::BadRequest(
.filter_map(|m| m.ok()) ErrorKind::Forbidden,
.filter(|m| m.server_name() == server_name) "Conduit user cannot be banned in admins room.",
.filter(|m| m != target) ));
.count(); }
if count < 2 {
warn!("Last admin cannot be banned in admins room"); let count = services()
return Err(Error::BadRequest( .rooms
ErrorKind::Forbidden, .state_cache
"Last admin cannot be banned in admins room.", .room_members(room_id)
)); .filter_map(|m| m.ok())
.filter(|m| m.server_name() == server_name)
.filter(|m| m != target)
.count();
if count < 2 {
warn!("Last admin cannot be banned in admins room");
return Err(Error::BadRequest(
ErrorKind::Forbidden,
"Last admin cannot be banned in admins room.",
));
}
} }
} }
_ => {}
} }
_ => {}
} }
} }

Write Preview
Loading…
Cancel
Save