From bdf64903756414cf5a542af645b2dc09875787cc Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Wed, 2 Dec 2020 15:10:03 +0000 Subject: [PATCH] Add ability to disable federation (#1604) * Allow disabling federation * Don't start federation queues if disabled * Fix for Go 1.13 --- dendrite-config.yaml | 4 +++ federationsender/federationsender.go | 4 +-- federationsender/queue/queue.go | 52 ++++++++++++++++++---------- internal/config/config_global.go | 4 +++ internal/setup/base.go | 15 ++++++-- internal/setup/federation.go | 32 +++++++++++++++++ 6 files changed, 88 insertions(+), 23 deletions(-) create mode 100644 internal/setup/federation.go diff --git a/dendrite-config.yaml b/dendrite-config.yaml index 2a8650db..ccdb3243 100644 --- a/dendrite-config.yaml +++ b/dendrite-config.yaml @@ -60,6 +60,10 @@ global: - matrix.org - vector.im + # Disables federation. Dendrite will not be able to make any outbound HTTP requests + # to other servers and the federation API will not be exposed. + disable_federation: false + # Configuration for Kafka/Naffka. kafka: # List of Kafka broker addresses to connect to. This is not needed if using diff --git a/federationsender/federationsender.go b/federationsender/federationsender.go index 78791140..7b75cb37 100644 --- a/federationsender/federationsender.go +++ b/federationsender/federationsender.go @@ -59,8 +59,8 @@ func NewInternalAPI( consumer, _ := kafka.SetupConsumerProducer(&cfg.Matrix.Kafka) queues := queue.NewOutgoingQueues( - federationSenderDB, cfg.Matrix.ServerName, federation, - rsAPI, stats, + federationSenderDB, cfg.Matrix.DisableFederation, + cfg.Matrix.ServerName, federation, rsAPI, stats, &queue.SigningInfo{ KeyID: cfg.Matrix.KeyID, PrivateKey: cfg.Matrix.PrivateKey, diff --git a/federationsender/queue/queue.go b/federationsender/queue/queue.go index 04cb57e7..95d37b2b 100644 --- a/federationsender/queue/queue.go +++ b/federationsender/queue/queue.go @@ -34,6 +34,7 @@ import ( // matrix servers type OutgoingQueues struct { db storage.Database + disabled bool rsAPI api.RoomserverInternalAPI origin gomatrixserverlib.ServerName client *gomatrixserverlib.FederationClient @@ -46,6 +47,7 @@ type OutgoingQueues struct { // NewOutgoingQueues makes a new OutgoingQueues func NewOutgoingQueues( db storage.Database, + disabled bool, origin gomatrixserverlib.ServerName, client *gomatrixserverlib.FederationClient, rsAPI api.RoomserverInternalAPI, @@ -53,6 +55,7 @@ func NewOutgoingQueues( signing *SigningInfo, ) *OutgoingQueues { queues := &OutgoingQueues{ + disabled: disabled, db: db, rsAPI: rsAPI, origin: origin, @@ -62,28 +65,30 @@ func NewOutgoingQueues( queues: map[gomatrixserverlib.ServerName]*destinationQueue{}, } // Look up which servers we have pending items for and then rehydrate those queues. - time.AfterFunc(time.Second*5, func() { - serverNames := map[gomatrixserverlib.ServerName]struct{}{} - if names, err := db.GetPendingPDUServerNames(context.Background()); err == nil { - for _, serverName := range names { - serverNames[serverName] = struct{}{} + if !disabled { + time.AfterFunc(time.Second*5, func() { + serverNames := map[gomatrixserverlib.ServerName]struct{}{} + if names, err := db.GetPendingPDUServerNames(context.Background()); err == nil { + for _, serverName := range names { + serverNames[serverName] = struct{}{} + } + } else { + log.WithError(err).Error("Failed to get PDU server names for destination queue hydration") } - } else { - log.WithError(err).Error("Failed to get PDU server names for destination queue hydration") - } - if names, err := db.GetPendingEDUServerNames(context.Background()); err == nil { - for _, serverName := range names { - serverNames[serverName] = struct{}{} + if names, err := db.GetPendingEDUServerNames(context.Background()); err == nil { + for _, serverName := range names { + serverNames[serverName] = struct{}{} + } + } else { + log.WithError(err).Error("Failed to get EDU server names for destination queue hydration") } - } else { - log.WithError(err).Error("Failed to get EDU server names for destination queue hydration") - } - for serverName := range serverNames { - if !queues.getQueue(serverName).statistics.Blacklisted() { - queues.getQueue(serverName).wakeQueueIfNeeded() + for serverName := range serverNames { + if !queues.getQueue(serverName).statistics.Blacklisted() { + queues.getQueue(serverName).wakeQueueIfNeeded() + } } - } - }) + }) + } return queues } @@ -122,6 +127,9 @@ func (oqs *OutgoingQueues) SendEvent( ev *gomatrixserverlib.HeaderedEvent, origin gomatrixserverlib.ServerName, destinations []gomatrixserverlib.ServerName, ) error { + if oqs.disabled { + return fmt.Errorf("federation is disabled") + } if origin != oqs.origin { // TODO: Support virtual hosting; gh issue #577. return fmt.Errorf( @@ -181,6 +189,9 @@ func (oqs *OutgoingQueues) SendEDU( e *gomatrixserverlib.EDU, origin gomatrixserverlib.ServerName, destinations []gomatrixserverlib.ServerName, ) error { + if oqs.disabled { + return fmt.Errorf("federation is disabled") + } if origin != oqs.origin { // TODO: Support virtual hosting; gh issue #577. return fmt.Errorf( @@ -243,6 +254,9 @@ func (oqs *OutgoingQueues) SendEDU( // RetryServer attempts to resend events to the given server if we had given up. func (oqs *OutgoingQueues) RetryServer(srv gomatrixserverlib.ServerName) { + if oqs.disabled { + return + } q := oqs.getQueue(srv) if q == nil { return diff --git a/internal/config/config_global.go b/internal/config/config_global.go index d210a3ac..95652217 100644 --- a/internal/config/config_global.go +++ b/internal/config/config_global.go @@ -34,6 +34,10 @@ type Global struct { // Defaults to 24 hours. KeyValidityPeriod time.Duration `yaml:"key_validity_period"` + // Disables federation. Dendrite will not be able to make any outbound HTTP requests + // to other servers and the federation API will not be exposed. + DisableFederation bool `yaml:"disable_federation"` + // List of domains that the server will trust as identity servers to // verify third-party identifiers. // Defaults to an empty array. diff --git a/internal/setup/base.go b/internal/setup/base.go index 4e1cee47..1820778a 100644 --- a/internal/setup/base.go +++ b/internal/setup/base.go @@ -249,6 +249,9 @@ func (b *BaseDendrite) CreateAccountsDB() accounts.Database { // CreateClient creates a new client (normally used for media fetch requests). // Should only be called once per component. func (b *BaseDendrite) CreateClient() *gomatrixserverlib.Client { + if b.Cfg.Global.DisableFederation { + return gomatrixserverlib.NewClientWithTransport(noOpHTTPTransport) + } client := gomatrixserverlib.NewClient( b.Cfg.FederationSender.DisableTLSValidation, ) @@ -259,6 +262,12 @@ func (b *BaseDendrite) CreateClient() *gomatrixserverlib.Client { // CreateFederationClient creates a new federation client. Should only be called // once per component. func (b *BaseDendrite) CreateFederationClient() *gomatrixserverlib.FederationClient { + if b.Cfg.Global.DisableFederation { + return gomatrixserverlib.NewFederationClientWithTransport( + b.Cfg.Global.ServerName, b.Cfg.Global.KeyID, b.Cfg.Global.PrivateKey, + b.Cfg.FederationSender.DisableTLSValidation, noOpHTTPTransport, + ) + } client := gomatrixserverlib.NewFederationClientWithTimeout( b.Cfg.Global.ServerName, b.Cfg.Global.KeyID, b.Cfg.Global.PrivateKey, b.Cfg.FederationSender.DisableTLSValidation, time.Minute*5, @@ -308,8 +317,10 @@ func (b *BaseDendrite) SetupAndServeHTTP( } externalRouter.PathPrefix(httputil.PublicClientPathPrefix).Handler(b.PublicClientAPIMux) - externalRouter.PathPrefix(httputil.PublicKeyPathPrefix).Handler(b.PublicKeyAPIMux) - externalRouter.PathPrefix(httputil.PublicFederationPathPrefix).Handler(b.PublicFederationAPIMux) + if !b.Cfg.Global.DisableFederation { + externalRouter.PathPrefix(httputil.PublicKeyPathPrefix).Handler(b.PublicKeyAPIMux) + externalRouter.PathPrefix(httputil.PublicFederationPathPrefix).Handler(b.PublicFederationAPIMux) + } externalRouter.PathPrefix(httputil.PublicMediaPathPrefix).Handler(b.PublicMediaAPIMux) if internalAddr != NoListener && internalAddr != externalAddr { diff --git a/internal/setup/federation.go b/internal/setup/federation.go new file mode 100644 index 00000000..7e9a22b3 --- /dev/null +++ b/internal/setup/federation.go @@ -0,0 +1,32 @@ +package setup + +import ( + "context" + "fmt" + "net" + "net/http" +) + +// noOpHTTPTransport is used to disable federation. +var noOpHTTPTransport = &http.Transport{ + Dial: func(_, _ string) (net.Conn, error) { + return nil, fmt.Errorf("federation prohibited by configuration") + }, + DialContext: func(_ context.Context, _, _ string) (net.Conn, error) { + return nil, fmt.Errorf("federation prohibited by configuration") + }, + DialTLS: func(_, _ string) (net.Conn, error) { + return nil, fmt.Errorf("federation prohibited by configuration") + }, +} + +func init() { + noOpHTTPTransport.RegisterProtocol("matrix", &noOpHTTPRoundTripper{}) +} + +type noOpHTTPRoundTripper struct { +} + +func (y *noOpHTTPRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { + return nil, fmt.Errorf("federation prohibited by configuration") +}