conduwuit/src/service/rooms/event_handler/acl_check.rs

use conduwuit::{Err, Result, debug, implement, trace, warn};
use ruma::{
	RoomId, ServerName,
	events::{StateEventType, room::server_acl::RoomServerAclEventContent},
};

/// Returns Ok if the acl allows the server
#[implement(super::Service)]
#[tracing::instrument(skip_all, level = "debug")]
pub async fn acl_check(&self, server_name: &ServerName, room_id: &RoomId) -> Result {
	let Ok(acl_event_content) = self
		.services
		.state_accessor
		.room_state_get_content(room_id, &StateEventType::RoomServerAcl, "")
		.await
		.map(|c: RoomServerAclEventContent| c)
		.inspect(|acl| trace!(%room_id, "ACL content found: {acl:?}"))
		.inspect_err(|e| trace!(%room_id, "No ACL content found: {e:?}"))
	else {
		return Ok(());
	};

	if acl_event_content.allow.is_empty() {
		warn!(%room_id, "Ignoring broken ACL event (allow key is empty)");
		return Ok(());
	}

	if acl_event_content.deny.contains(&String::from("*"))
		&& acl_event_content.allow.contains(&String::from("*"))
	{
		warn!(%room_id, "Ignoring broken ACL event (allow key and deny key both contain wildcard \"*\"");
		return Ok(());
	}

	if acl_event_content.is_allowed(server_name) {
		trace!("server {server_name} is allowed by ACL");
		Ok(())
	} else {
		debug!("Server {server_name} was denied by room ACL in {room_id}");
		Err!(Request(Forbidden("Server was denied by room ACL")))
	}
}
run cargo fix for rust 2024 changes and rustfmt Signed-off-by: June Clementine Strawberry <strawberry@puppygock.gay> 2025-02-23 01:17:45 -05:00			`use conduwuit::{Err, Result, debug, implement, trace, warn};`
split event_handler service Signed-off-by: Jason Volk <jason@zemos.net> 2024-11-08 07:30:52 +00:00			`use ruma::{`
			`RoomId, ServerName,`
run cargo fix for rust 2024 changes and rustfmt Signed-off-by: June Clementine Strawberry <strawberry@puppygock.gay> 2025-02-23 01:17:45 -05:00			`events::{StateEventType, room::server_acl::RoomServerAclEventContent},`
split event_handler service Signed-off-by: Jason Volk <jason@zemos.net> 2024-11-08 07:30:52 +00:00			`};`

			`/// Returns Ok if the acl allows the server`
			`#[implement(super::Service)]`
bump ruma tweak tracing instrument Signed-off-by: Jason Volk <jason@zemos.net> 2025-01-01 23:47:42 +00:00			`#[tracing::instrument(skip_all, level = "debug")]`
split event_handler service Signed-off-by: Jason Volk <jason@zemos.net> 2024-11-08 07:30:52 +00:00			`pub async fn acl_check(&self, server_name: &ServerName, room_id: &RoomId) -> Result {`
			`let Ok(acl_event_content) = self`
			`.services`
			`.state_accessor`
			`.room_state_get_content(room_id, &StateEventType::RoomServerAcl, "")`
			`.await`
			`.map(\|c: RoomServerAclEventContent\| c)`
allow broken no-op deny+allow room server ACL keys Signed-off-by: June Clementine Strawberry <june@3.dog> 2025-03-07 00:54:30 -05:00			`.inspect(\|acl\| trace!(%room_id, "ACL content found: {acl:?}"))`
			`.inspect_err(\|e\| trace!(%room_id, "No ACL content found: {e:?}"))`
split event_handler service Signed-off-by: Jason Volk <jason@zemos.net> 2024-11-08 07:30:52 +00:00			`else {`
			`return Ok(());`
			`};`

			`if acl_event_content.allow.is_empty() {`
allow broken no-op deny+allow room server ACL keys Signed-off-by: June Clementine Strawberry <june@3.dog> 2025-03-07 00:54:30 -05:00			`warn!(%room_id, "Ignoring broken ACL event (allow key is empty)");`
			`return Ok(());`
			`}`

			`if acl_event_content.deny.contains(&String::from("*"))`
			`&& acl_event_content.allow.contains(&String::from("*"))`
			`{`
			`warn!(%room_id, "Ignoring broken ACL event (allow key and deny key both contain wildcard \"*\"");`
split event_handler service Signed-off-by: Jason Volk <jason@zemos.net> 2024-11-08 07:30:52 +00:00			`return Ok(());`
			`}`

			`if acl_event_content.is_allowed(server_name) {`
			`trace!("server {server_name} is allowed by ACL");`
			`Ok(())`
			`} else {`
			`debug!("Server {server_name} was denied by room ACL in {room_id}");`
			`Err!(Request(Forbidden("Server was denied by room ACL")))`
			`}`
			`}`