|
- # Copyright 2020 The Matrix.org Foundation C.I.C.
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # http://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
-
- import logging
- from typing import Optional
-
- from synapse.api.constants import LimitBlockingTypes, UserTypes
- from synapse.api.errors import Codes, ResourceLimitError
- from synapse.config.server import is_threepid_reserved
- from synapse.types import Requester
-
- logger = logging.getLogger(__name__)
-
-
- class AuthBlocking:
- def __init__(self, hs):
- self.store = hs.get_datastore()
-
- self._server_notices_mxid = hs.config.server_notices_mxid
- self._hs_disabled = hs.config.hs_disabled
- self._hs_disabled_message = hs.config.hs_disabled_message
- self._admin_contact = hs.config.admin_contact
- self._max_mau_value = hs.config.max_mau_value
- self._limit_usage_by_mau = hs.config.limit_usage_by_mau
- self._mau_limits_reserved_threepids = hs.config.mau_limits_reserved_threepids
- self._server_name = hs.hostname
- self._track_appservice_user_ips = hs.config.appservice.track_appservice_user_ips
-
- async def check_auth_blocking(
- self,
- user_id: Optional[str] = None,
- threepid: Optional[dict] = None,
- user_type: Optional[str] = None,
- requester: Optional[Requester] = None,
- ):
- """Checks if the user should be rejected for some external reason,
- such as monthly active user limiting or global disable flag
-
- Args:
- user_id: If present, checks for presence against existing
- MAU cohort
-
- threepid: If present, checks for presence against configured
- reserved threepid. Used in cases where the user is trying register
- with a MAU blocked server, normally they would be rejected but their
- threepid is on the reserved list. user_id and
- threepid should never be set at the same time.
-
- user_type: If present, is used to decide whether to check against
- certain blocking reasons like MAU.
-
- requester: If present, and the authenticated entity is a user, checks for
- presence against existing MAU cohort. Passing in both a `user_id` and
- `requester` is an error.
- """
- if requester and user_id:
- raise Exception(
- "Passed in both 'user_id' and 'requester' to 'check_auth_blocking'"
- )
-
- if requester:
- if requester.authenticated_entity.startswith("@"):
- user_id = requester.authenticated_entity
- elif requester.authenticated_entity == self._server_name:
- # We never block the server from doing actions on behalf of
- # users.
- return
- elif requester.app_service and not self._track_appservice_user_ips:
- # If we're authenticated as an appservice then we only block
- # auth if `track_appservice_user_ips` is set, as that option
- # implicitly means that application services are part of MAU
- # limits.
- return
-
- # Never fail an auth check for the server notices users or support user
- # This can be a problem where event creation is prohibited due to blocking
- if user_id is not None:
- if user_id == self._server_notices_mxid:
- return
- if await self.store.is_support_user(user_id):
- return
-
- if self._hs_disabled:
- raise ResourceLimitError(
- 403,
- self._hs_disabled_message,
- errcode=Codes.RESOURCE_LIMIT_EXCEEDED,
- admin_contact=self._admin_contact,
- limit_type=LimitBlockingTypes.HS_DISABLED,
- )
- if self._limit_usage_by_mau is True:
- assert not (user_id and threepid)
-
- # If the user is already part of the MAU cohort or a trial user
- if user_id:
- timestamp = await self.store.user_last_seen_monthly_active(user_id)
- if timestamp:
- return
-
- is_trial = await self.store.is_trial_user(user_id)
- if is_trial:
- return
- elif threepid:
- # If the user does not exist yet, but is signing up with a
- # reserved threepid then pass auth check
- if is_threepid_reserved(self._mau_limits_reserved_threepids, threepid):
- return
- elif user_type == UserTypes.SUPPORT:
- # If the user does not exist yet and is of type "support",
- # allow registration. Support users are excluded from MAU checks.
- return
- # Else if there is no room in the MAU bucket, bail
- current_mau = await self.store.get_monthly_active_count()
- if current_mau >= self._max_mau_value:
- raise ResourceLimitError(
- 403,
- "Monthly Active User Limit Exceeded",
- admin_contact=self._admin_contact,
- errcode=Codes.RESOURCE_LIMIT_EXCEEDED,
- limit_type=LimitBlockingTypes.MONTHLY_ACTIVE_USER,
- )
|