Fix /key/v2/server, add HTTP Host matching

This commit is contained in:
Neil Alexander 2022-11-17 09:26:56 +00:00
parent df76a17234
commit 607819f425
No known key found for this signature in database
GPG Key ID: A02A2019A2BB0944
2 changed files with 19 additions and 17 deletions

View File

@ -16,7 +16,6 @@ package routing
import ( import (
"encoding/json" "encoding/json"
"net"
"net/http" "net/http"
"time" "time"
@ -146,14 +145,26 @@ func LocalKeys(cfg *config.FederationAPI, serverName gomatrixserverlib.ServerNam
func localKeys(cfg *config.FederationAPI, serverName gomatrixserverlib.ServerName) (*gomatrixserverlib.ServerKeys, error) { func localKeys(cfg *config.FederationAPI, serverName gomatrixserverlib.ServerName) (*gomatrixserverlib.ServerKeys, error) {
var keys gomatrixserverlib.ServerKeys var keys gomatrixserverlib.ServerKeys
var virtualHost *config.VirtualHost var virtualHost *config.VirtualHost
loop:
for _, v := range cfg.Matrix.VirtualHosts { for _, v := range cfg.Matrix.VirtualHosts {
if v.ServerName == serverName { if v.ServerName == serverName {
virtualHost = v virtualHost = v
break break loop
}
for _, httpHost := range v.MatchHTTPHosts {
if httpHost == serverName {
virtualHost = v
break loop
}
} }
} }
if virtualHost == nil { identity, err := cfg.Matrix.SigningIdentityFor(serverName)
if err != nil {
identity, _ = cfg.Matrix.SigningIdentityFor(cfg.Matrix.ServerName)
}
if identity.ServerName == serverName {
publicKey := cfg.Matrix.PrivateKey.Public().(ed25519.PublicKey) publicKey := cfg.Matrix.PrivateKey.Public().(ed25519.PublicKey)
keys.ServerName = cfg.Matrix.ServerName keys.ServerName = cfg.Matrix.ServerName
keys.ValidUntilTS = gomatrixserverlib.AsTimestamp(time.Now().Add(cfg.Matrix.KeyValidityPeriod)) keys.ValidUntilTS = gomatrixserverlib.AsTimestamp(time.Now().Add(cfg.Matrix.KeyValidityPeriod))
@ -189,20 +200,6 @@ func localKeys(cfg *config.FederationAPI, serverName gomatrixserverlib.ServerNam
return nil, err return nil, err
} }
identity, err := cfg.Matrix.SigningIdentityFor(serverName)
if err != nil {
// TODO: This is a bit of a hack because the Host header can contain a port
// number if it's specified in the well-known file. Try getting a signing
// identity without it to see if that helps.
var h string
if h, _, err = net.SplitHostPort(string(serverName)); err == nil {
identity, err = cfg.Matrix.SigningIdentityFor(gomatrixserverlib.ServerName(h))
}
if err != nil {
return nil, err
}
}
keys.Raw, err = gomatrixserverlib.SignJSON( keys.Raw, err = gomatrixserverlib.SignJSON(
string(identity.ServerName), identity.KeyID, identity.PrivateKey, toSign, string(identity.ServerName), identity.KeyID, identity.PrivateKey, toSign,
) )

View File

@ -195,6 +195,11 @@ type VirtualHost struct {
// Defaults to 24 hours. // Defaults to 24 hours.
KeyValidityPeriod time.Duration `yaml:"key_validity_period"` KeyValidityPeriod time.Duration `yaml:"key_validity_period"`
// Match these HTTP Host headers on the `/key/v2/server` endpoint, this needs
// to match all delegated names, likely including the port number too if
// the well-known delegation includes that also.
MatchHTTPHosts []gomatrixserverlib.ServerName `yaml:"match_http_hosts"`
// Is registration enabled on this virtual host? // Is registration enabled on this virtual host?
AllowRegistration bool `json:"allow_registration"` AllowRegistration bool `json:"allow_registration"`
} }