fix: permission checks for aliases

2024-06-11 23:15:02 +02:00 · 2024-06-11 23:15:02 +02:00 · 144d548ef7
commit 144d548ef7
parent 7b259272ce
10 changed files with 168 additions and 51 deletions
--- a/src/service/admin/mod.rs
+++ b/src/service/admin/mod.rs
@ -1,9 +1,4 @@
-use std::{
-    collections::BTreeMap,
-    convert::{TryFrom, TryInto},
-    sync::Arc,
-    time::Instant,
-};
+use std::{collections::BTreeMap, convert::TryFrom, sync::Arc, time::Instant};

 use clap::Parser;
 use regex::Regex;
@ -925,7 +920,15 @@ impl Service {
                {
                    RoomMessageEventContent::text_plain("No such alias exists")
                } else {
-                    services().rooms.alias.remove_alias(&alias)?;
+                    // We execute this as the server user for two reasons
+                    // 1. If the user can execute commands in the admin room, they can always remove the alias.
+                    // 2. In the future, we are likely going to be able to allow users to execute commands via
+                    //   other methods, such as IPC, which would lead to us not knowing their user id
+
+                    services()
+                        .rooms
+                        .alias
+                        .remove_alias(&alias, services().globals.server_user())?;
                    RoomMessageEventContent::text_plain("Alias removed sucessfully")
                }
            }
@ -1232,9 +1235,7 @@ impl Service {
            .await?;

        // 6. Room alias
-        let alias: OwnedRoomAliasId = format!("#admins:{}", services().globals.server_name())
-            .try_into()
-            .expect("#admins:server_name is a valid alias name");
+        let alias: OwnedRoomAliasId = services().globals.admin_alias().to_owned();

        services()
            .rooms
@ -1257,7 +1258,10 @@ impl Service {
            )
            .await?;

-        services().rooms.alias.set_alias(&alias, &room_id)?;
+        services()
+            .rooms
+            .alias
+            .set_alias(&alias, &room_id, conduit_user)?;

        Ok(())
    }
@ -1266,15 +1270,10 @@ impl Service {
    ///
    /// Errors are propagated from the database, and will have None if there is no admin room
    pub(crate) fn get_admin_room(&self) -> Result<Option<OwnedRoomId>> {
-        let admin_room_alias: Box<RoomAliasId> =
-            format!("#admins:{}", services().globals.server_name())
-                .try_into()
-                .expect("#admins:server_name is a valid alias name");
-
        services()
            .rooms
            .alias
-            .resolve_local_alias(&admin_room_alias)
+            .resolve_local_alias(services().globals.admin_alias())
    }

    /// Invite the user to the conduit admin room.
@ -1400,6 +1399,15 @@ impl Service {
        }
        Ok(())
    }
+
+    /// Checks whether a given user is an admin of this server
+    pub fn user_is_admin(&self, user_id: &UserId) -> Result<bool> {
+        let Some(admin_room) = self.get_admin_room()? else {
+            return Ok(false);
+        };
+
+        services().rooms.state_cache.is_joined(user_id, &admin_room)
+    }
 }

 #[cfg(test)]
--- a/src/service/globals/mod.rs
+++ b/src/service/globals/mod.rs
@ -4,6 +4,7 @@ use ruma::{
    serde::Base64, OwnedDeviceId, OwnedEventId, OwnedRoomId, OwnedServerName,
    OwnedServerSigningKeyId, OwnedUserId,
 };
+use ruma::{OwnedRoomAliasId, RoomAliasId};

 use crate::api::server_server::FedDest;

@ -72,6 +73,7 @@ pub struct Service {
    pub roomid_mutex_federation: RwLock<HashMap<OwnedRoomId, Arc<Mutex<()>>>>, // this lock will be held longer
    pub roomid_federationhandletime: RwLock<HashMap<OwnedRoomId, (OwnedEventId, Instant)>>,
    server_user: OwnedUserId,
+    admin_alias: OwnedRoomAliasId,
    pub stateres_mutex: Arc<Mutex<()>>,
    pub rotate: RotationHandler,

@ -194,6 +196,8 @@ impl Service {

        let mut s = Self {
            allow_registration: RwLock::new(config.allow_registration),
+            admin_alias: RoomAliasId::parse(format!("#admins:{}", &config.server_name))
+                .expect("#admins:server_name is a valid alias name"),
            server_user: UserId::parse(format!("@conduit:{}", &config.server_name))
                .expect("@conduit:server_name is valid"),
            db,
@ -293,6 +297,10 @@ impl Service {
        self.server_user.as_ref()
    }

+    pub fn admin_alias(&self) -> &RoomAliasId {
+        self.admin_alias.as_ref()
+    }
+
    pub fn max_request_size(&self) -> u32 {
        self.config.max_request_size
    }
--- a/src/service/rooms/alias/data.rs
+++ b/src/service/rooms/alias/data.rs
@ -1,9 +1,12 @@
 use crate::Result;
-use ruma::{OwnedRoomAliasId, OwnedRoomId, RoomAliasId, RoomId};
+use ruma::{OwnedRoomAliasId, OwnedRoomId, OwnedUserId, RoomAliasId, RoomId, UserId};

 pub trait Data: Send + Sync {
    /// Creates or updates the alias to the given room id.
-    fn set_alias(&self, alias: &RoomAliasId, room_id: &RoomId) -> Result<()>;
+    fn set_alias(&self, alias: &RoomAliasId, room_id: &RoomId, user_id: &UserId) -> Result<()>;
+
+    /// Finds the user who assigned the given alias to a room
+    fn who_created_alias(&self, alias: &RoomAliasId) -> Result<Option<OwnedUserId>>;

    /// Forgets about an alias. Returns an error if the alias did not exist.
    fn remove_alias(&self, alias: &RoomAliasId) -> Result<()>;
--- a/src/service/rooms/alias/mod.rs
+++ b/src/service/rooms/alias/mod.rs
@ -1,9 +1,17 @@
 mod data;

 pub use data::Data;
+use tracing::error;

-use crate::Result;
-use ruma::{OwnedRoomAliasId, OwnedRoomId, RoomAliasId, RoomId};
+use crate::{services, Error, Result};
+use ruma::{
+    api::client::error::ErrorKind,
+    events::{
+        room::power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
+        StateEventType,
+    },
+    OwnedRoomAliasId, OwnedRoomId, RoomAliasId, RoomId, UserId,
+};

 pub struct Service {
    pub db: &'static dyn Data,
@ -11,13 +19,71 @@ pub struct Service {

 impl Service {
    #[tracing::instrument(skip(self))]
-    pub fn set_alias(&self, alias: &RoomAliasId, room_id: &RoomId) -> Result<()> {
-        self.db.set_alias(alias, room_id)
+    pub fn set_alias(&self, alias: &RoomAliasId, room_id: &RoomId, user_id: &UserId) -> Result<()> {
+        if alias == services().globals.admin_alias() && user_id != services().globals.server_user()
+        {
+            Err(Error::BadRequest(
+                ErrorKind::forbidden(),
+                "Only the server user can set this alias",
+            ))
+        } else {
+            self.db.set_alias(alias, room_id, user_id)
+        }
    }

    #[tracing::instrument(skip(self))]
-    pub fn remove_alias(&self, alias: &RoomAliasId) -> Result<()> {
-        self.db.remove_alias(alias)
+    fn user_can_remove_alias(&self, alias: &RoomAliasId, user_id: &UserId) -> Result<bool> {
+        let Some(room_id) = self.resolve_local_alias(alias)? else {
+            return Err(Error::BadRequest(ErrorKind::NotFound, "Alias not found."));
+        };
+
+        // The creator of an alias can remove it
+        if self
+            .db
+            .who_created_alias(alias)?
+            .map(|user| user == user_id)
+            .unwrap_or_default()
+            // Server admins can remove any local alias
+            || services().admin.user_is_admin(user_id)?
+            // Always allow the Conduit user to remove the alias, since there may not be an admin room
+            || services().globals.server_user ()== user_id
+        {
+            Ok(true)
+            // Checking whether the user is able to change canonical aliases of the room
+        } else if let Some(event) = services().rooms.state_accessor.room_state_get(
+            &room_id,
+            &StateEventType::RoomPowerLevels,
+            "",
+        )? {
+            serde_json::from_str(event.content.get())
+                .map_err(|_| Error::bad_database("Invalid event content for m.room.power_levels"))
+                .map(|content: RoomPowerLevelsEventContent| {
+                    RoomPowerLevels::from(content)
+                        .user_can_send_state(user_id, StateEventType::RoomCanonicalAlias)
+                })
+        // If there is no power levels event, only the room creator can change canonical aliases
+        } else if let Some(event) = services().rooms.state_accessor.room_state_get(
+            &room_id,
+            &StateEventType::RoomCreate,
+            "",
+        )? {
+            Ok(event.sender == user_id)
+        } else {
+            error!("Room {} has no m.room.create event (VERY BAD)!", room_id);
+            Err(Error::bad_database("Room has no m.room.create event"))
+        }
+    }
+
+    #[tracing::instrument(skip(self))]
+    pub fn remove_alias(&self, alias: &RoomAliasId, user_id: &UserId) -> Result<()> {
+        if self.user_can_remove_alias(alias, user_id)? {
+            self.db.remove_alias(alias)
+        } else {
+            Err(Error::BadRequest(
+                ErrorKind::forbidden(),
+                "User is not permitted to remove this alias.",
+            ))
+        }
    }

    #[tracing::instrument(skip(self))]
--- a/src/service/rooms/timeline/mod.rs
+++ b/src/service/rooms/timeline/mod.rs
@ -496,7 +496,14 @@ impl Service {
                        && services().globals.emergency_password().is_none();

                    if let Some(admin_room) = services().admin.get_admin_room()? {
-                        if to_conduit && !from_conduit && admin_room == pdu.room_id {
+                        if to_conduit
+                            && !from_conduit
+                            && admin_room == pdu.room_id
+                            && services()
+                                .rooms
+                                .state_cache
+                                .is_joined(server_user, &admin_room)?
+                        {
                            services().admin.process_message(body);
                        }
                    }
--- a/src/service/users/mod.rs
+++ b/src/service/users/mod.rs
@ -9,7 +9,6 @@ pub use data::Data;
 use ruma::{
    api::client::{
        device::Device,
-        error::ErrorKind,
        filter::FilterDefinition,
        sync::sync_events::{
            self,
@ -20,7 +19,7 @@ use ruma::{
    events::AnyToDeviceEvent,
    serde::Raw,
    DeviceId, DeviceKeyAlgorithm, DeviceKeyId, OwnedDeviceId, OwnedDeviceKeyId, OwnedMxcUri,
-    OwnedRoomId, OwnedUserId, RoomAliasId, UInt, UserId,
+    OwnedRoomId, OwnedUserId, UInt, UserId,
 };

 use crate::{services, Error, Result};
@ -262,19 +261,14 @@ impl Service {

    /// Check if a user is an admin
    pub fn is_admin(&self, user_id: &UserId) -> Result<bool> {
-        let admin_room_alias_id =
-            RoomAliasId::parse(format!("#admins:{}", services().globals.server_name()))
-                .map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "Invalid alias."))?;
-        let admin_room_id = services()
-            .rooms
-            .alias
-            .resolve_local_alias(&admin_room_alias_id)?
-            .unwrap();
-
-        services()
-            .rooms
-            .state_cache
-            .is_joined(user_id, &admin_room_id)
+        if let Some(admin_room_id) = services().admin.get_admin_room()? {
+            services()
+                .rooms
+                .state_cache
+                .is_joined(user_id, &admin_room_id)
+        } else {
+            Ok(false)
+        }
    }

    /// Create a new user account on this homeserver.