Merge branch 'develop' into devon/acl-edus

2025-12-17 15:25:14 +00:00 · 2025-11-14 15:24:03 +00:00 · 2025-11-14 00:13:28 +00:00 · 2025-11-13 17:12:30 -07:00 · 2025-11-13 16:59:03 -07:00 · 2025-11-13 23:55:58 +00:00
2 changed files with 51 additions and 1 deletions
--- a/changelog.d/18475.feature
+++ b/changelog.d/18475.feature
@@ -0,0 +1 @@
+Make ACLs apply to EDUs per [MSC4163](https://github.com/matrix-org/matrix-spec-proposals/pull/4163).
--- a/synapse/federation/federation_server.py
+++ b/synapse/federation/federation_server.py
@@ -19,6 +19,7 @@
 # [This file includes modifications made by New Vector Limited]
 #
 #
+import copy
 import logging
 import random
 from typing import (
@@ -567,9 +568,57 @@ class FederationServer(FederationBase):
                origin=origin,
                destination=self.server_name,
                edu_type=edu_dict["edu_type"],
-                content=edu_dict["content"],
+                content=copy.deepcopy(edu_dict["content"]),
            )
+
            try:
+                # Server ACL's apply to `EduTypes.TYPING` per MSC4163:
+                #
+                # > For typing notifications (m.typing), the room_id field inside
+                # > content should be checked, with the typing notification ignored if
+                # > the origin of the request is a server which is forbidden by the
+                # > room's ACL. Ignoring the typing notification means that the EDU
+                # > MUST be dropped upon receipt.
+                if edu.edu_type == EduTypes.TYPING:
+                    origin_host, _ = parse_server_name(origin)
+                    room_id = edu.content["room_id"]
+                    try:
+                        await self.check_server_matches_acl(origin_host, room_id)
+                    except AuthError:
+                        logger.warning(
+                            "Ignoring typing EDU for room %s from banned server because of ACL's",
+                            room_id,
+                        )
+                        return
+
+                # Server ACL's apply to `EduTypes.RECEIPT` per MSC4163:
+                #
+                # > For read receipts (m.receipt), all receipts inside a room_id
+                # > inside content should be ignored if the origin of the request is
+                # > forbidden by the room's ACL.
+                if edu.edu_type == EduTypes.RECEIPT:
+                    origin_host, _ = parse_server_name(origin)
+                    to_remove_room_ids = set()
+                    for room_id in edu.content.keys():
+                        try:
+                            await self.check_server_matches_acl(origin_host, room_id)
+                        except AuthError:
+                            to_remove_room_ids.add(room_id)
+
+                    if to_remove_room_ids:
+                        logger.warning(
+                            "Ignoring receipts in EDU for rooms %s from banned server %s because of ACL's",
+                            to_remove_room_ids,
+                            origin_host,
+                        )
+
+                        for room_id in to_remove_room_ids:
+                            edu.content.pop(room_id)
+
+                        if not edu.content:
+                            # If we've removed all the rooms, we can just ignore the whole EDU
+                            return
+
                await self.registry.on_edu(edu.edu_type, origin, edu.content)
            except Exception:
                # If there was an error handling the EDU, we must reject the
Author	SHA1	Message	Date
Devon Hudson	0ab0e390cd	Merge branch 'develop' into devon/acl-edus	2025-12-17 15:25:14 +00:00
Devon Hudson	eac6538b6d	Merge branch 'develop' into devon/acl-edus	2025-11-14 15:24:03 +00:00
Devon Hudson	2d9d14ee30	Merge branch 'develop' into devon/acl-edus	2025-11-14 00:13:28 +00:00
Devon Hudson	27331588ef	Move logic under top level try	2025-11-13 17:12:30 -07:00
Devon Hudson	6f550c256f	to_remove_room_ids rename	2025-11-13 16:59:03 -07:00
Devon Hudson	20f395eaec	Update synapse/federation/federation_server.py Co-authored-by: Eric Eastwood <erice@element.io>	2025-11-13 23:55:58 +00:00
Devon Hudson	ad9efbea51	Update synapse/federation/federation_server.py Co-authored-by: Eric Eastwood <erice@element.io>	2025-11-13 23:55:45 +00:00
Quentin Gliech	cfc03b180f	Only remove banned rooms from receipts, not the whole EDU	2025-06-02 13:37:29 +02:00
Devon Hudson	681987a150	Update changelog.d/18475.feature Co-authored-by: Eric Eastwood <erice@element.io>	2025-05-23 22:16:51 +00:00
Devon Hudson	e2684682cc	Add changelog entry	2025-05-23 16:01:21 -06:00
Devon Hudson	7be240d44b	Ignore received EDUs if origin server in room ACL	2025-05-23 15:57:53 -06:00
				`@@ -0,0 +1 @@`
				`Make ACLs apply to EDUs per [MSC4163](https://github.com/matrix-org/matrix-spec-proposals/pull/4163).`