gitlord
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
842 Branches
288 MiB
 
 
 
 
 
 
Tree: 4f475c7697
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4f475c7697'
${ noResults }
synapse/docs/model/rooms

275 lines
12 KiB
Raw Blame History 

  1. ===========

  2. Rooms Model

  3. ===========

  4. 

  5. A description of the general data model used to implement Rooms, and the

  6. user-level visible effects and implications.

  7. 

  8. 

  9. Overview

  10. ========

  11. 

  12. "Rooms" in Synapse are shared messaging channels over which all the participant

  13. users can exchange messages. Rooms have an opaque persistent identify, a

  14. globally-replicated set of state (consisting principly of a membership set of

  15. users, and other management and miscellaneous metadata), and a message history.

  16. 

  17. 

  18. Room Identity and Naming

  19. ========================

  20. 

  21. Rooms can be arbitrarily created by any user on any home server; at which point

  22. the home server will sign the message that creates the channel, and the

  23. fingerprint of this signature becomes the strong persistent identify of the

  24. room. This now identifies the room to any home server in the network regardless

  25. of its original origin. This allows the identify of the room to outlive any

  26. particular server. Subject to appropriate permissions [to be discussed later],

  27. any current member of a room can invite others to join it, can post messages

  28. that become part of its history, and can change the persistent state of the room

  29. (including its current set of permissions).

  30. 

  31. Home servers can provide a directory service, allowing a lookup from a

  32. convenient human-readable form of room label to a room ID. This mapping is

  33. scoped to the particular home server domain and so simply represents that server

  34. administrator's opinion of what room should take that label; it does not have to

  35. be globally replicated and does not form part of the stored state of that room.

  36. 

  37. This room name takes the form

  38. 

  39.   #localname:some.domain.name

  40. 

  41. for similarity and consistency with user names on directories.

  42. 

  43. To join a room (and therefore to be allowed to inspect past history, post new

  44. messages to it, and read its state), a user must become aware of the room's

  45. fingerprint ID. There are two mechanisms to allow this:

  46. 

  47.  * An invite message from someone else in the room

  48. 

  49.  * A referral from a room directory service

  50. 

  51. As room IDs are opaque and ephemeral, they can serve as a mechanism to create

  52. "ad-hoc" rooms deliberately unnamed, for small group-chats or even private

  53. one-to-one message exchange.

  54. 

  55. 

  56. Stored State and Permissions

  57. ============================

  58. 

  59. Every room has a globally-replicated set of stored state. This state is a set of

  60. key/value or key/subkey/value pairs. The value of every (sub)key is a

  61. JSON-representable object. The main key of a piece of stored state establishes

  62. its meaning; some keys store sub-keys to allow a sub-structure within them [more

  63. detail below]. Some keys have special meaning to Synapse, as they relate to

  64. management details of the room itself, storing such details as user membership,

  65. and permissions of users to alter the state of the room itself. Other keys may

  66. store information to present to users, which the system does not directly rely

  67. on. The key space itself is namespaced, allowing 3rd party extensions, subject

  68. to suitable permission.

  69. 

  70. Permission management is based on the concept of "power-levels". Every user

  71. within a room has an integer assigned, being their "power-level" within that

  72. room. Along with its actual data value, each key (or subkey) also stores the

  73. minimum power-level a user must have in order to write to that key, the

  74. power-level of the last user who actually did write to it, and the PDU ID of

  75. that state change.

  76. 

  77. To be accepted as valid, a change must NOT:

  78. 

  79.  * Be made by a user having a power-level lower than required to write to the

  80.    state key

  81. 

  82.  * Alter the required power-level for that state key to a value higher than the

  83.    user has

  84. 

  85.  * Increase that user's own power-level

  86. 

  87.  * Grant any other user a power-level higher than the level of the user making

  88.    the change

  89. 

  90. [[TODO(paul): consider if relaxations should be allowed; e.g. is the current

  91. outright-winner allowed to raise their own level, to allow for "inflation"?]]

  92. 

  93. 

  94. Room State Keys

  95. ===============

  96. 

  97. [[TODO(paul): if this list gets too big it might become necessary to move it

  98. into its own doc]]

  99. 

  100. The following keys have special semantics or meaning to Synapse itself:

  101. 

  102. m.member (has subkeys)

  103.   Stores a sub-key for every Synapse User ID which is currently a member of

  104.   this room. Its value gives the membership type ("knocked", "invited",

  105.   "joined").

  106. 

  107. m.power_levels

  108.   Stores a mapping from Synapse User IDs to their power-level in the room. If

  109.   they are not present in this mapping, the default applies.

  110. 

  111.   The reason to store this as a single value rather than a value with subkeys

  112.   is that updates to it are atomic; allowing a number of colliding-edit

  113.   problems to be avoided.

  114. 

  115. m.default_level

  116.   Gives the default power-level for members of the room that do not have one

  117.   specified in their membership key.

  118. 

  119. m.invite_level

  120.   If set, gives the minimum power-level required for members to invite others

  121.   to join, or to accept knock requests from non-members requesting access. If

  122.   absent, then invites are not allowed. An invitation involves setting their

  123.   membership type to "invited", in addition to sending the invite message.

  124. 

  125. m.join_rules

  126.   Encodes the rules on how non-members can join the room. Has the following

  127.   possibilities:

  128.     "public" - a non-member can join the room directly

  129.     "knock" - a non-member cannot join the room, but can post a single "knock"

  130.         message requesting access, which existing members may approve or deny

  131.     "invite" - non-members cannot join the room without an invite from an

  132.         existing member

  133.     "private" - nobody who is not in the 'may_join' list or already a member

  134.         may join by any mechanism

  135. 

  136.   In any of the first three modes, existing members with sufficient permission

  137.   can send invites to non-members if allowed by the "m.invite_level" key. A

  138.   "private" room is not allowed to have the "m.invite_level" set.

  139. 

  140.   A client may use the value of this key to hint at the user interface

  141.   expectations to provide; in particular, a private chat with one other use

  142.   might warrant specific handling in the client.

  143. 

  144. m.may_join

  145.   A list of User IDs that are always allowed to join the room, regardless of any

  146.   of the prevailing join rules and invite levels. These apply even to private

  147.   rooms. These are stored in a single list with normal update-powerlevel

  148.   permissions applied; users cannot arbitrarily remove themselves from the list.

  149. 

  150. m.add_state_level

  151.   The power-level required for a user to be able to add new state keys.

  152. 

  153. m.public_history

  154.   If set and true, anyone can request the history of the room, without needing

  155.   to be a member of the room.

  156. 

  157. m.archive_servers

  158.   For "public" rooms with public history, gives a list of home servers that

  159.   should be included in message distribution to the room, even if no users on

  160.   that server are present. These ensure that a public room can still persist

  161.   even if no users are currently members of it. This list should be consulted by

  162.   the dirctory servers as the candidate list they respond with.

  163. 

  164. The following keys are provided by Synapse for user benefit, but their value is

  165. not otherwise used by Synapse.

  166. 

  167. m.name

  168.   Stores a short human-readable name for the room, such that clients can display

  169.   to a user to assist in identifying which room is which.

  170.   

  171.   This name specifically is not the strong ID used by the message transport

  172.   system to refer to the room, because it may be changed from time to time.

  173. 

  174. m.topic

  175.   Stores the current human-readable topic

  176. 

  177. 

  178. Room Creation Templates

  179. =======================

  180. 

  181. A client (or maybe home server?) could offer a few templates for the creation of

  182. new rooms. For example, for a simple private one-to-one chat the channel could

  183. assign the creator a power-level of 1, requiring a level of 1 to invite, and

  184. needing an invite before members can join. An invite is then sent to the other

  185. party, and if accepted and the other user joins, the creator's power-level can

  186. now be reduced to 0. This now leaves a room with two participants in it being

  187. unable to add more.

  188. 

  189. 

  190. Rooms that Continue History

  191. ===========================

  192. 

  193. An option that could be considered for room creation, is that when a new room is

  194. created the creator could specify a PDU ID into an existing room, as the history

  195. continuation point. This would be stored as an extra piece of meta-data on the

  196. initial PDU of the room's creation. (It does not appear in the normal previous

  197. PDU linkage).

  198. 

  199. This would allow users in rooms to "fork" a room, if it is considered that the

  200. conversations in the room no longer fit its original purpose, and wish to

  201. diverge. Existing permissions on the original room would continue to apply of

  202. course, for viewing that history. If both rooms are considered "public" we might

  203. also want to define a message to post into the original room to represent this

  204. fork point, and give a reference to the new room.

  205. 

  206. 

  207. User Direct Message Rooms

  208. =========================

  209. 

  210. There is no need to build a mechanism for directly sending messages between

  211. users, because a room can handle this ability. To allow direct user-to-user chat

  212. messaging we simply need to be able to create rooms with specific set of

  213. permissions to allow this direct messaging.

  214. 

  215. Between any given pair of user IDs that wish to exchange private messages, there

  216. will exist a single shared Room, created lazily by either side. These rooms will

  217. need a certain amount of special handling in both home servers and display on

  218. clients, but as much as possible should be treated by the lower layers of code

  219. the same as other rooms.

  220. 

  221. Specially, a client would likely offer a special menu choice associated with

  222. another user (in room member lists, presence list, etc..) as "direct chat". That

  223. would perform all the necessary steps to create the private chat room. Receiving

  224. clients should display these in a special way too as the room name is not

  225. important; instead it should distinguish them on the Display Name of the other

  226. party.

  227. 

  228. Home Servers will need a client-API option to request setting up a new user-user

  229. chat room, which will then need special handling within the server. It will

  230. create a new room with the following 

  231. 

  232.   m.member: the proposing user

  233.   m.join_rules: "private"

  234.   m.may_join: both users

  235.   m.power_levels: empty

  236.   m.default_level: 0

  237.   m.add_state_level: 0

  238.   m.public_history: False

  239. 

  240. Having created the room, it can send an invite message to the other user in the

  241. normal way - the room permissions state that no users can be set to the invited

  242. state, but because they're in the may_join list then they'd be allowed to join

  243. anyway.

  244. 

  245. In this arrangement there is now a room with both users may join but neither has

  246. the power to invite any others. Both users now have the confidence that (at

  247. least within the messaging system itself) their messages remain private and

  248. cannot later be provably leaked to a third party. They can freely set the topic

  249. or name if they choose and add or edit any other state of the room. The update

  250. powerlevel of each of these fixed properties should be 1, to lock out the users

  251. from being able to alter them.

  252. 

  253. 

  254. Anti-Glare

  255. ==========

  256. 

  257. There exists the possibility of a race condition if two users who have no chat

  258. history with each other simultaneously create a room and invite the other to it.

  259. This is called a "glare" situation. There are two possible ideas for how to

  260. resolve this:

  261. 

  262.  * Each Home Server should persist the mapping of (user ID pair) to room ID, so

  263.    that duplicate requests can be suppressed. On receipt of a room creation

  264.    request that the HS thinks there already exists a room for, the invitation to

  265.    join can be rejected if:

  266.       a) the HS believes the sending user is already a member of the room (and

  267.          maybe their HS has forgotten this fact), or

  268.       b) the proposed room has a lexicographically-higher ID than the existing

  269.          room (to resolve true race condition conflicts)

  270.       

  271.  * The room ID for a private 1:1 chat has a special form, determined by

  272.    concatenting the User IDs of both members in a deterministic order, such that

  273.    it doesn't matter which side creates it first; the HSes can just ignore

  274.    (or merge?) received PDUs that create the room twice.