Browse Source
privacy by default for room dir (#6355)
Ensure that the the default settings for the room directory are that the it is hidden from public view by default.tags/v1.7.0rc1
Neil Johnson
4 years ago
committed by
GitHub
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 91 additions and 18 deletions
Split View
Diff Options
-
+17 -0UPGRADE.rst
-
+1 -0changelog.d/6354.feature
-
+7 -6docs/sample_config.yaml
-
+14 -12synapse/config/server.py
-
+52 -0tests/federation/transport/test_server.py
+ 17
- 0
UPGRADE.rst
View File
| @@ -75,6 +75,23 @@ for example: | |||
| wget https://packages.matrix.org/debian/pool/main/m/matrix-synapse-py3/matrix-synapse-py3_1.3.0+stretch1_amd64.deb | |||
| dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb | |||
| Upgrading to v1.7.0 | |||
| =================== | |||
| In an attempt to configure Synapse in a privacy preserving way, the default | |||
| behaviours of ``allow_public_rooms_without_auth`` and | |||
| ``allow_public_rooms_over_federation`` have been inverted. This means that by | |||
| default, only authenticated users querying the Client/Server API will be able | |||
| to query the room directory, and relatedly that the server will not share | |||
| room directory information with other servers over federation. | |||
| If your installation does not explicitly set these settings one way or the other | |||
| and you want either setting to be ``true`` then it will necessary to update | |||
| your homeserver configuration file accordingly. | |||
| For more details on the surrounding context see our `explainer | |||
| <https://matrix.org/blog/2019/11/09/avoiding-unwelcome-visitors-on-private-matrix-servers>`_. | |||
| Upgrading to v1.5.0 | |||
| =================== | |||
+ 1
- 0
changelog.d/6354.feature
View File
| @@ -0,0 +1 @@ | |||
| Configure privacy preserving settings by default for the room directory. | |||
+ 7
- 6
docs/sample_config.yaml
View File
| @@ -54,15 +54,16 @@ pid_file: DATADIR/homeserver.pid | |||
| # | |||
| #require_auth_for_profile_requests: true | |||
| # If set to 'false', requires authentication to access the server's public rooms | |||
| # directory through the client API. Defaults to 'true'. | |||
| # If set to 'true', removes the need for authentication to access the server's | |||
| # public rooms directory through the client API, meaning that anyone can | |||
| # query the room directory. Defaults to 'false'. | |||
| # | |||
| #allow_public_rooms_without_auth: false | |||
| #allow_public_rooms_without_auth: true | |||
| # If set to 'false', forbids any other homeserver to fetch the server's public | |||
| # rooms directory via federation. Defaults to 'true'. | |||
| # If set to 'true', allows any other homeserver to fetch the server's public | |||
| # rooms directory via federation. Defaults to 'false'. | |||
| # | |||
| #allow_public_rooms_over_federation: false | |||
| #allow_public_rooms_over_federation: true | |||
| # The default room version for newly created rooms. | |||
| # | |||
+ 14
- 12
synapse/config/server.py
View File
| @@ -118,15 +118,16 @@ class ServerConfig(Config): | |||
| self.allow_public_rooms_without_auth = False | |||
| self.allow_public_rooms_over_federation = False | |||
| else: | |||
| # If set to 'False', requires authentication to access the server's public | |||
| # rooms directory through the client API. Defaults to 'True'. | |||
| # If set to 'true', removes the need for authentication to access the server's | |||
| # public rooms directory through the client API, meaning that anyone can | |||
| # query the room directory. Defaults to 'false'. | |||
| self.allow_public_rooms_without_auth = config.get( | |||
| "allow_public_rooms_without_auth", True | |||
| "allow_public_rooms_without_auth", False | |||
| ) | |||
| # If set to 'False', forbids any other homeserver to fetch the server's public | |||
| # rooms directory via federation. Defaults to 'True'. | |||
| # If set to 'true', allows any other homeserver to fetch the server's public | |||
| # rooms directory via federation. Defaults to 'false'. | |||
| self.allow_public_rooms_over_federation = config.get( | |||
| "allow_public_rooms_over_federation", True | |||
| "allow_public_rooms_over_federation", False | |||
| ) | |||
| default_room_version = config.get("default_room_version", DEFAULT_ROOM_VERSION) | |||
| @@ -620,15 +621,16 @@ class ServerConfig(Config): | |||
| # | |||
| #require_auth_for_profile_requests: true | |||
| # If set to 'false', requires authentication to access the server's public rooms | |||
| # directory through the client API. Defaults to 'true'. | |||
| # If set to 'true', removes the need for authentication to access the server's | |||
| # public rooms directory through the client API, meaning that anyone can | |||
| # query the room directory. Defaults to 'false'. | |||
| # | |||
| #allow_public_rooms_without_auth: false | |||
| #allow_public_rooms_without_auth: true | |||
| # If set to 'false', forbids any other homeserver to fetch the server's public | |||
| # rooms directory via federation. Defaults to 'true'. | |||
| # If set to 'true', allows any other homeserver to fetch the server's public | |||
| # rooms directory via federation. Defaults to 'false'. | |||
| # | |||
| #allow_public_rooms_over_federation: false | |||
| #allow_public_rooms_over_federation: true | |||
| # The default room version for newly created rooms. | |||
| # | |||
+ 52
- 0
tests/federation/transport/test_server.py
View File
| @@ -0,0 +1,52 @@ | |||
| # -*- coding: utf-8 -*- | |||
| # Copyright 2019 The Matrix.org Foundation C.I.C. | |||
| # | |||
| # Licensed under the Apache License, Version 2.0 (the "License"); | |||
| # you may not use this file except in compliance with the License. | |||
| # You may obtain a copy of the License at | |||
| # | |||
| # http://www.apache.org/licenses/LICENSE-2.0 | |||
| # | |||
| # Unless required by applicable law or agreed to in writing, software | |||
| # distributed under the License is distributed on an "AS IS" BASIS, | |||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |||
| # See the License for the specific language governing permissions and | |||
| # limitations under the License. | |||
| from twisted.internet import defer | |||
| from synapse.config.ratelimiting import FederationRateLimitConfig | |||
| from synapse.federation.transport import server | |||
| from synapse.util.ratelimitutils import FederationRateLimiter | |||
| from tests import unittest | |||
| from tests.unittest import override_config | |||
| class RoomDirectoryFederationTests(unittest.HomeserverTestCase): | |||
| def prepare(self, reactor, clock, homeserver): | |||
| class Authenticator(object): | |||
| def authenticate_request(self, request, content): | |||
| return defer.succeed("otherserver.nottld") | |||
| ratelimiter = FederationRateLimiter(clock, FederationRateLimitConfig()) | |||
| server.register_servlets( | |||
| homeserver, self.resource, Authenticator(), ratelimiter | |||
| ) | |||
| @override_config({"allow_public_rooms_over_federation": False}) | |||
| def test_blocked_public_room_list_over_federation(self): | |||
| request, channel = self.make_request( | |||
| "GET", "/_matrix/federation/v1/publicRooms" | |||
| ) | |||
| self.render(request) | |||
| self.assertEquals(403, channel.code) | |||
| @override_config({"allow_public_rooms_over_federation": True}) | |||
| def test_open_public_room_list_over_federation(self): | |||
| request, channel = self.make_request( | |||
| "GET", "/_matrix/federation/v1/publicRooms" | |||
| ) | |||
| self.render(request) | |||
| self.assertEquals(200, channel.code) | |||