use crate::{ client_server, database::rooms::ClosestParent, utils, ConduitResult, Database, Error, PduEvent, Result, Ruma, }; use get_profile_information::v1::ProfileField; use http::header::{HeaderValue, AUTHORIZATION, HOST}; use log::{error, warn}; use rocket::{get, post, put, response::content::Json, State}; use ruma::{ api::{ federation::{ directory::{get_public_rooms, get_public_rooms_filtered}, discovery::{ get_server_keys, get_server_version::v1 as get_server_version, ServerSigningKeys, VerifyKey, }, event::get_missing_events, query::get_profile_information, transactions::send_transaction_message, }, OutgoingRequest, }, directory::{IncomingFilter, IncomingRoomNetwork}, EventId, RoomId, ServerName, ServerSigningKeyId, UserId, }; use std::{ collections::BTreeMap, convert::TryFrom, fmt::Debug, sync::Arc, time::{Duration, SystemTime}, }; use trust_dns_resolver::AsyncResolver; pub async fn request_well_known( globals: &crate::database::globals::Globals, destination: &str, ) -> Option { let body: serde_json::Value = serde_json::from_str( &globals .reqwest_client() .get(&format!( "https://{}/.well-known/matrix/server", destination )) .send() .await .ok()? .text() .await .ok()?, ) .ok()?; Some(body.get("m.server")?.as_str()?.to_owned()) } pub async fn send_request( globals: &crate::database::globals::Globals, destination: Box, request: T, ) -> Result where T: Debug, { if !globals.federation_enabled() { return Err(Error::bad_config("Federation is disabled.")); } let resolver = AsyncResolver::tokio_from_system_conf().await.map_err(|_| { Error::bad_config("Failed to set up trust dns resolver with system config.") })?; let mut host = None; let actual_destination = "https://".to_owned() + &if let Some(mut delegated_hostname) = request_well_known(globals, &destination.as_str()).await { if let Ok(Some(srv)) = resolver .srv_lookup(format!("_matrix._tcp.{}", delegated_hostname)) .await .map(|srv| srv.iter().next().map(|result| result.target().to_string())) { host = Some(delegated_hostname); srv.trim_end_matches('.').to_owned() } else { if delegated_hostname.find(':').is_none() { delegated_hostname += ":8448"; } delegated_hostname } } else { let mut destination = destination.as_str().to_owned(); if destination.find(':').is_none() { destination += ":8448"; } destination }; let mut http_request = request .try_into_http_request(&actual_destination, Some("")) .map_err(|e| { warn!("Failed to find destination {}: {}", actual_destination, e); Error::BadServerResponse("Invalid destination") })?; let mut request_map = serde_json::Map::new(); if !http_request.body().is_empty() { request_map.insert( "content".to_owned(), serde_json::from_slice(http_request.body()) .expect("body is valid json, we just created it"), ); }; request_map.insert("method".to_owned(), T::METADATA.method.to_string().into()); request_map.insert( "uri".to_owned(), http_request .uri() .path_and_query() .expect("all requests have a path") .to_string() .into(), ); request_map.insert("origin".to_owned(), globals.server_name().as_str().into()); request_map.insert("destination".to_owned(), destination.as_str().into()); let mut request_json = serde_json::from_value(request_map.into()).expect("valid JSON is valid BTreeMap"); ruma::signatures::sign_json( globals.server_name().as_str(), globals.keypair(), &mut request_json, ) .expect("our request json is what ruma expects"); let request_json: serde_json::Map = serde_json::from_slice(&serde_json::to_vec(&request_json).unwrap()).unwrap(); let signatures = request_json["signatures"] .as_object() .unwrap() .values() .map(|v| { v.as_object() .unwrap() .iter() .map(|(k, v)| (k, v.as_str().unwrap())) }); for signature_server in signatures { for s in signature_server { http_request.headers_mut().insert( AUTHORIZATION, HeaderValue::from_str(&format!( "X-Matrix origin={},key=\"{}\",sig=\"{}\"", globals.server_name(), s.0, s.1 )) .unwrap(), ); } } if let Some(host) = host { http_request .headers_mut() .insert(HOST, HeaderValue::from_str(&host).unwrap()); } let mut reqwest_request = reqwest::Request::try_from(http_request) .expect("all http requests are valid reqwest requests"); *reqwest_request.timeout_mut() = Some(Duration::from_secs(30)); let url = reqwest_request.url().clone(); let reqwest_response = globals.reqwest_client().execute(reqwest_request).await; // Because reqwest::Response -> http::Response is complicated: match reqwest_response { Ok(mut reqwest_response) => { let status = reqwest_response.status(); let mut http_response = http::Response::builder().status(status); let headers = http_response.headers_mut().unwrap(); for (k, v) in reqwest_response.headers_mut().drain() { if let Some(key) = k { headers.insert(key, v); } } let status = reqwest_response.status(); let body = reqwest_response .bytes() .await .unwrap_or_else(|e| { warn!("server error: {}", e); Vec::new().into() }) // TODO: handle timeout .into_iter() .collect::>(); if status != 200 { warn!( "Server returned bad response {} ({}): {} {:?}", destination, url, status, utils::string_from_bytes(&body) ); } let response = T::IncomingResponse::try_from( http_response .body(body) .expect("reqwest body is valid http body"), ); response.map_err(|_| { warn!( "Server returned invalid response bytes {} ({})", destination, url ); Error::BadServerResponse("Server returned bad response.") }) } Err(e) => Err(e.into()), } } #[cfg_attr(feature = "conduit_bin", get("/_matrix/federation/v1/version"))] pub fn get_server_version_route( db: State<'_, Database>, ) -> ConduitResult { if !db.globals.federation_enabled() { return Err(Error::bad_config("Federation is disabled.")); } Ok(get_server_version::Response { server: Some(get_server_version::Server { name: Some("Conduit".to_owned()), version: Some(env!("CARGO_PKG_VERSION").to_owned()), }), } .into()) } #[cfg_attr(feature = "conduit_bin", get("/_matrix/key/v2/server"))] pub fn get_server_keys_route(db: State<'_, Database>) -> Json { if !db.globals.federation_enabled() { // TODO: Use proper types return Json("Federation is disabled.".to_owned()); } let mut verify_keys = BTreeMap::new(); verify_keys.insert( ServerSigningKeyId::try_from( format!("ed25519:{}", db.globals.keypair().version()).as_str(), ) .expect("found invalid server signing keys in DB"), VerifyKey { key: base64::encode_config(db.globals.keypair().public_key(), base64::STANDARD_NO_PAD), }, ); let mut response = serde_json::from_slice( http::Response::try_from(get_server_keys::v2::Response { server_key: ServerSigningKeys { server_name: db.globals.server_name().to_owned(), verify_keys, old_verify_keys: BTreeMap::new(), signatures: BTreeMap::new(), valid_until_ts: SystemTime::now() + Duration::from_secs(60 * 2), }, }) .unwrap() .body(), ) .unwrap(); ruma::signatures::sign_json( db.globals.server_name().as_str(), db.globals.keypair(), &mut response, ) .unwrap(); Json(ruma::serde::to_canonical_json_string(&response).expect("JSON is canonical")) } #[cfg_attr(feature = "conduit_bin", get("/_matrix/key/v2/server/<_>"))] pub fn get_server_keys_deprecated_route(db: State<'_, Database>) -> Json { get_server_keys_route(db) } #[cfg_attr( feature = "conduit_bin", post("/_matrix/federation/v1/publicRooms", data = "") )] pub async fn get_public_rooms_filtered_route( db: State<'_, Database>, body: Ruma>, ) -> ConduitResult { if !db.globals.federation_enabled() { return Err(Error::bad_config("Federation is disabled.")); } let response = client_server::get_public_rooms_filtered_helper( &db, None, body.limit, body.since.as_deref(), &body.filter, &body.room_network, ) .await? .0; Ok(get_public_rooms_filtered::v1::Response { chunk: response .chunk .into_iter() .map(|c| { // Convert ruma::api::federation::directory::get_public_rooms::v1::PublicRoomsChunk // to ruma::api::client::r0::directory::PublicRoomsChunk Ok::<_, Error>( serde_json::from_str( &serde_json::to_string(&c) .expect("PublicRoomsChunk::to_string always works"), ) .expect("federation and client-server PublicRoomsChunk are the same type"), ) }) .filter_map(|r| r.ok()) .collect(), prev_batch: response.prev_batch, next_batch: response.next_batch, total_room_count_estimate: response.total_room_count_estimate, } .into()) } #[cfg_attr( feature = "conduit_bin", get("/_matrix/federation/v1/publicRooms", data = "") )] pub async fn get_public_rooms_route( db: State<'_, Database>, body: Ruma>, ) -> ConduitResult { if !db.globals.federation_enabled() { return Err(Error::bad_config("Federation is disabled.")); } let response = client_server::get_public_rooms_filtered_helper( &db, None, body.limit, body.since.as_deref(), &IncomingFilter::default(), &IncomingRoomNetwork::Matrix, ) .await? .0; Ok(get_public_rooms::v1::Response { chunk: response .chunk .into_iter() .map(|c| { // Convert ruma::api::federation::directory::get_public_rooms::v1::PublicRoomsChunk // to ruma::api::client::r0::directory::PublicRoomsChunk Ok::<_, Error>( serde_json::from_str( &serde_json::to_string(&c) .expect("PublicRoomsChunk::to_string always works"), ) .expect("federation and client-server PublicRoomsChunk are the same type"), ) }) .filter_map(|r| r.ok()) .collect(), prev_batch: response.prev_batch, next_batch: response.next_batch, total_room_count_estimate: response.total_room_count_estimate, } .into()) } #[cfg_attr( feature = "conduit_bin", put("/_matrix/federation/v1/send/<_>", data = "") )] pub async fn send_transaction_message_route<'a>( db: State<'a, Database>, body: Ruma>, ) -> ConduitResult { if !db.globals.federation_enabled() { return Err(Error::bad_config("Federation is disabled.")); } for edu in &body.edus { match serde_json::from_str::(edu.json().get()) { Ok(edu) => match edu.edu_type.as_str() { "m.typing" => { if let Some(typing) = edu.content.get("typing") { if typing.as_bool().unwrap_or_default() { db.rooms.edus.typing_add( &UserId::try_from(edu.content["user_id"].as_str().unwrap()) .unwrap(), &RoomId::try_from(edu.content["room_id"].as_str().unwrap()) .unwrap(), 3000 + utils::millis_since_unix_epoch(), &db.globals, )?; } else { db.rooms.edus.typing_remove( &UserId::try_from(edu.content["user_id"].as_str().unwrap()) .unwrap(), &RoomId::try_from(edu.content["room_id"].as_str().unwrap()) .unwrap(), &db.globals, )?; } } } "m.presence" => {} "m.receipt" => {} _ => {} }, Err(_err) => { continue; } } } // TODO: For RoomVersion6 we must check that Raw<..> is canonical do we anywhere? // SPEC: // Servers MUST strictly enforce the JSON format specified in the appendices. // This translates to a 400 M_BAD_JSON error on most endpoints, or discarding of // events over federation. For example, the Federation API's /send endpoint would // discard the event whereas the Client Server API's /send/{eventType} endpoint // would return a M_BAD_JSON error. let mut resolved_map = BTreeMap::new(); for pdu in &body.pdus { // Ruma/PduEvent/StateEvent satisfies - 1. Is a valid event, otherwise it is dropped. // state-res checks signatures - 2. Passes signature checks, otherwise event is dropped. // 3. Passes hash checks, otherwise it is redacted before being processed further. // TODO: redact event if hashing fails let (event_id, value) = crate::pdu::process_incoming_pdu(pdu); let pdu = serde_json::from_value::( serde_json::to_value(&value).expect("CanonicalJsonObj is a valid JsonValue"), ) .expect("all ruma pdus are conduit pdus"); let room_id = &pdu.room_id; // If we have no idea about this room skip the PDU if !db.rooms.exists(room_id)? { resolved_map.insert(event_id, Err("Room is unknown to this server".into())); continue; } // If it is not a state event, we can skip state-res... maybe if value.get("state_key").is_none() { if !db.rooms.is_joined(&pdu.sender, room_id)? { warn!("Sender is not joined {}", pdu.kind); resolved_map.insert(event_id, Err("User is not in this room".into())); continue; } let count = db.globals.next_count()?; let mut pdu_id = room_id.as_bytes().to_vec(); pdu_id.push(0xff); pdu_id.extend_from_slice(&count.to_be_bytes()); db.rooms.append_to_state(&pdu_id, &pdu)?; db.rooms.append_pdu( &pdu, &value, count, pdu_id.into(), &db.globals, &db.account_data, &db.admin, )?; resolved_map.insert(event_id, Ok::<(), String>(())); continue; } // We have a state event so we need info for state-res let get_state_response = match send_request( &db.globals, body.body.origin.clone(), ruma::api::federation::event::get_room_state::v1::Request { room_id, event_id: &event_id, }, ) .await { Ok(res) => res, // We can't hard fail because there are some valid errors, just // keep checking PDU's // // As an example a possible error // {"errcode":"M_FORBIDDEN","error":"Host not in room."} Err(err) => { resolved_map.insert(event_id, Err(err.to_string())); continue; } }; let their_current_state = get_state_response .pdus .iter() .chain(get_state_response.auth_chain.iter()) // add auth events .map(|pdu| { let (event_id, json) = crate::pdu::process_incoming_pdu(pdu); ( event_id.clone(), Arc::new( // When creating a StateEvent the event_id arg will be used // over any found in the json and it will not use ruma::reference_hash // to generate one state_res::StateEvent::from_id_canon_obj(event_id, json) .expect("valid pdu json"), ), ) }) .collect::>(); let our_current_state = db.rooms.room_state_full(room_id)?; // State resolution takes care of these checks // 4. Passes authorization rules based on the event's auth events, otherwise it is rejected. // 5. Passes authorization rules based on the state at the event, otherwise it is rejected. // TODO: 6. Passes authorization rules based on the current state of the room, otherwise it is "soft failed". match state_res::StateResolution::resolve( room_id, &ruma::RoomVersionId::Version6, &[ our_current_state .iter() .map(|((ev, sk), v)| ((ev.clone(), sk.to_owned()), v.event_id.clone())) .collect::>(), their_current_state .iter() .map(|(_id, v)| ((v.kind(), v.state_key()), v.event_id())) .collect::>(), ], Some( our_current_state .iter() .map(|(_k, v)| (v.event_id.clone(), v.convert_for_state_res())) .chain( their_current_state .iter() .map(|(id, ev)| (id.clone(), ev.clone())), ) .collect::>(), ), &db.rooms, ) { Ok(resolved) if resolved.values().any(|id| &event_id == id) => { // If the event is older than the last event in pduid_pdu Tree then find the // closest ancestor we know of and insert after the known ancestor by // altering the known events pduid to = same roomID + same count bytes + 0x1 // pushing a single byte every time a simple append cannot be done. match db.rooms.get_latest_pduid_before( room_id, &pdu.prev_events, &their_current_state, )? { Some(ClosestParent::Append) => { let count = db.globals.next_count()?; let mut pdu_id = room_id.as_bytes().to_vec(); pdu_id.push(0xff); pdu_id.extend_from_slice(&count.to_be_bytes()); db.rooms.append_pdu( &pdu, &value, count, pdu_id.into(), &db.globals, &db.account_data, &db.admin, )?; } Some(ClosestParent::Insert(old_count)) => { let count = old_count; let mut pdu_id = room_id.as_bytes().to_vec(); pdu_id.push(0xff); pdu_id.extend_from_slice(&count.to_be_bytes()); // Create a new count that is after old_count but before // the pdu appended after pdu_id.push(1); db.rooms.append_pdu( &pdu, &value, count, pdu_id.into(), &db.globals, &db.account_data, &db.admin, )?; } _ => { error!("Not a sequential event or no parents found"); continue; } } resolved_map.insert(event_id, Ok::<(), String>(())); } // If the eventId is not found in the resolved state auth has failed Ok(_) => { resolved_map.insert( event_id, Err("This event failed authentication, not found in resolved set".into()), ); } Err(e) => { resolved_map.insert(event_id, Err(e.to_string())); } }; } Ok(send_transaction_message::v1::Response { pdus: resolved_map }.into()) } #[cfg_attr( feature = "conduit_bin", post("/_matrix/federation/v1/get_missing_events/<_>", data = "") )] pub fn get_missing_events_route<'a>( db: State<'a, Database>, body: Ruma>, ) -> ConduitResult { if !db.globals.federation_enabled() { return Err(Error::bad_config("Federation is disabled.")); } let mut queued_events = body.latest_events.clone(); let mut events = Vec::new(); let mut i = 0; while i < queued_events.len() && events.len() < u64::from(body.limit) as usize { if let Some(pdu) = db.rooms.get_pdu_json(&queued_events[i])? { if body.earliest_events.contains( &serde_json::from_value( pdu.get("event_id") .cloned() .ok_or_else(|| Error::bad_database("Event in db has no event_id field."))?, ) .map_err(|_| Error::bad_database("Invalid event_id field in pdu in db."))?, ) { i += 1; continue; } queued_events.extend_from_slice( &serde_json::from_value::>( pdu.get("prev_events").cloned().ok_or_else(|| { Error::bad_database("Invalid prev_events field of pdu in db.") })?, ) .map_err(|_| Error::bad_database("Invalid prev_events content in pdu in db."))?, ); events.push(serde_json::from_value(pdu).expect("Raw<..> is always valid")); } i += 1; } Ok(get_missing_events::v1::Response { events }.into()) } #[cfg_attr( feature = "conduit_bin", get("/_matrix/federation/v1/query/profile", data = "") )] pub fn get_profile_information_route<'a>( db: State<'a, Database>, body: Ruma>, ) -> ConduitResult { if !db.globals.federation_enabled() { return Err(Error::bad_config("Federation is disabled.")); } let mut displayname = None; let mut avatar_url = None; match &body.field { // TODO: what to do with custom Some(ProfileField::_Custom(_s)) => {} Some(ProfileField::DisplayName) => displayname = db.users.displayname(&body.user_id)?, Some(ProfileField::AvatarUrl) => avatar_url = db.users.avatar_url(&body.user_id)?, None => { displayname = db.users.displayname(&body.user_id)?; avatar_url = db.users.avatar_url(&body.user_id)?; } } Ok(get_profile_information::v1::Response { displayname, avatar_url, } .into()) } /* #[cfg_attr( feature = "conduit_bin", get("/_matrix/federation/v2/invite/<_>/<_>", data = "") )] pub fn get_user_devices_route<'a>( db: State<'a, Database>, body: Ruma>, ) -> ConduitResult { if !db.globals.federation_enabled() { return Err(Error::bad_config("Federation is disabled.")); } let mut displayname = None; let mut avatar_url = None; match body.field { Some(ProfileField::DisplayName) => displayname = db.users.displayname(&body.user_id)?, Some(ProfileField::AvatarUrl) => avatar_url = db.users.avatar_url(&body.user_id)?, None => { displayname = db.users.displayname(&body.user_id)?; avatar_url = db.users.avatar_url(&body.user_id)?; } } Ok(get_profile_information::v1::Response { displayname, avatar_url, } .into()) } */