Add ability to disable federation (#1604)

* Allow disabling federation

* Don't start federation queues if disabled

* Fix for Go 1.13

dendrite-config.yaml

@@ -60,6 +60,10 @@ global:
   - matrix.org
   - vector.im
 
+  # Disables federation. Dendrite will not be able to make any outbound HTTP requests
+  # to other servers and the federation API will not be exposed.
+  disable_federation: false
+
   # Configuration for Kafka/Naffka.
   kafka:
     # List of Kafka broker addresses to connect to. This is not needed if using

federationsender/federationsender.go

@@ -59,8 +59,8 @@ func NewInternalAPI(
 	consumer, _ := kafka.SetupConsumerProducer(&cfg.Matrix.Kafka)
 
 	queues := queue.NewOutgoingQueues(
-		federationSenderDB, cfg.Matrix.ServerName, federation,
+		federationSenderDB, cfg.Matrix.DisableFederation,
-		rsAPI, stats,
+		cfg.Matrix.ServerName, federation, rsAPI, stats,
 		&queue.SigningInfo{
 			KeyID:      cfg.Matrix.KeyID,
 			PrivateKey: cfg.Matrix.PrivateKey,

federationsender/queue/queue.go

@@ -34,6 +34,7 @@ import (
 // matrix servers
 type OutgoingQueues struct {
 	db          storage.Database
+	disabled    bool
 	rsAPI       api.RoomserverInternalAPI
 	origin      gomatrixserverlib.ServerName
 	client      *gomatrixserverlib.FederationClient
@@ -46,6 +47,7 @@ type OutgoingQueues struct {
 // NewOutgoingQueues makes a new OutgoingQueues
 func NewOutgoingQueues(
 	db storage.Database,
+	disabled bool,
 	origin gomatrixserverlib.ServerName,
 	client *gomatrixserverlib.FederationClient,
 	rsAPI api.RoomserverInternalAPI,
@@ -53,6 +55,7 @@ func NewOutgoingQueues(
 	signing *SigningInfo,
 ) *OutgoingQueues {
 	queues := &OutgoingQueues{
+		disabled:   disabled,
 		db:         db,
 		rsAPI:      rsAPI,
 		origin:     origin,
@@ -62,28 +65,30 @@ func NewOutgoingQueues(
 		queues:     map[gomatrixserverlib.ServerName]*destinationQueue{},
 	}
 	// Look up which servers we have pending items for and then rehydrate those queues.
-	time.AfterFunc(time.Second*5, func() {
+	if !disabled {
-		serverNames := map[gomatrixserverlib.ServerName]struct{}{}
+		time.AfterFunc(time.Second*5, func() {
-		if names, err := db.GetPendingPDUServerNames(context.Background()); err == nil {
+			serverNames := map[gomatrixserverlib.ServerName]struct{}{}
-			for _, serverName := range names {
+			if names, err := db.GetPendingPDUServerNames(context.Background()); err == nil {
-				serverNames[serverName] = struct{}{}
+				for _, serverName := range names {
+					serverNames[serverName] = struct{}{}
+				}
+			} else {
+				log.WithError(err).Error("Failed to get PDU server names for destination queue hydration")
 			}
-		} else {
+			if names, err := db.GetPendingEDUServerNames(context.Background()); err == nil {
-			log.WithError(err).Error("Failed to get PDU server names for destination queue hydration")
+				for _, serverName := range names {
-		}
+					serverNames[serverName] = struct{}{}
-		if names, err := db.GetPendingEDUServerNames(context.Background()); err == nil {
+				}
-			for _, serverName := range names {
+			} else {
-				serverNames[serverName] = struct{}{}
+				log.WithError(err).Error("Failed to get EDU server names for destination queue hydration")
 			}
-		} else {
+			for serverName := range serverNames {
-			log.WithError(err).Error("Failed to get EDU server names for destination queue hydration")
+				if !queues.getQueue(serverName).statistics.Blacklisted() {
-		}
+					queues.getQueue(serverName).wakeQueueIfNeeded()
-		for serverName := range serverNames {
+				}
-			if !queues.getQueue(serverName).statistics.Blacklisted() {
-				queues.getQueue(serverName).wakeQueueIfNeeded()
 			}
-		}
+		})
-	})
+	}
 	return queues
 }
 
@@ -122,6 +127,9 @@ func (oqs *OutgoingQueues) SendEvent(
 	ev *gomatrixserverlib.HeaderedEvent, origin gomatrixserverlib.ServerName,
 	destinations []gomatrixserverlib.ServerName,
 ) error {
+	if oqs.disabled {
+		return fmt.Errorf("federation is disabled")
+	}
 	if origin != oqs.origin {
 		// TODO: Support virtual hosting; gh issue #577.
 		return fmt.Errorf(
@@ -181,6 +189,9 @@ func (oqs *OutgoingQueues) SendEDU(
 	e *gomatrixserverlib.EDU, origin gomatrixserverlib.ServerName,
 	destinations []gomatrixserverlib.ServerName,
 ) error {
+	if oqs.disabled {
+		return fmt.Errorf("federation is disabled")
+	}
 	if origin != oqs.origin {
 		// TODO: Support virtual hosting; gh issue #577.
 		return fmt.Errorf(
@@ -243,6 +254,9 @@ func (oqs *OutgoingQueues) SendEDU(
 
 // RetryServer attempts to resend events to the given server if we had given up.
 func (oqs *OutgoingQueues) RetryServer(srv gomatrixserverlib.ServerName) {
+	if oqs.disabled {
+		return
+	}
 	q := oqs.getQueue(srv)
 	if q == nil {
 		return

internal/config/config_global.go

@@ -34,6 +34,10 @@ type Global struct {
 	// Defaults to 24 hours.
 	KeyValidityPeriod time.Duration `yaml:"key_validity_period"`
 
+	// Disables federation. Dendrite will not be able to make any outbound HTTP requests
+	// to other servers and the federation API will not be exposed.
+	DisableFederation bool `yaml:"disable_federation"`
+
 	// List of domains that the server will trust as identity servers to
 	// verify third-party identifiers.
 	// Defaults to an empty array.

internal/setup/base.go

@@ -249,6 +249,9 @@ func (b *BaseDendrite) CreateAccountsDB() accounts.Database {
 // CreateClient creates a new client (normally used for media fetch requests).
 // Should only be called once per component.
 func (b *BaseDendrite) CreateClient() *gomatrixserverlib.Client {
+	if b.Cfg.Global.DisableFederation {
+		return gomatrixserverlib.NewClientWithTransport(noOpHTTPTransport)
+	}
 	client := gomatrixserverlib.NewClient(
 		b.Cfg.FederationSender.DisableTLSValidation,
 	)
@@ -259,6 +262,12 @@ func (b *BaseDendrite) CreateClient() *gomatrixserverlib.Client {
 // CreateFederationClient creates a new federation client. Should only be called
 // once per component.
 func (b *BaseDendrite) CreateFederationClient() *gomatrixserverlib.FederationClient {
+	if b.Cfg.Global.DisableFederation {
+		return gomatrixserverlib.NewFederationClientWithTransport(
+			b.Cfg.Global.ServerName, b.Cfg.Global.KeyID, b.Cfg.Global.PrivateKey,
+			b.Cfg.FederationSender.DisableTLSValidation, noOpHTTPTransport,
+		)
+	}
 	client := gomatrixserverlib.NewFederationClientWithTimeout(
 		b.Cfg.Global.ServerName, b.Cfg.Global.KeyID, b.Cfg.Global.PrivateKey,
 		b.Cfg.FederationSender.DisableTLSValidation, time.Minute*5,
@@ -308,8 +317,10 @@ func (b *BaseDendrite) SetupAndServeHTTP(
 	}
 
 	externalRouter.PathPrefix(httputil.PublicClientPathPrefix).Handler(b.PublicClientAPIMux)
-	externalRouter.PathPrefix(httputil.PublicKeyPathPrefix).Handler(b.PublicKeyAPIMux)
+	if !b.Cfg.Global.DisableFederation {
-	externalRouter.PathPrefix(httputil.PublicFederationPathPrefix).Handler(b.PublicFederationAPIMux)
+		externalRouter.PathPrefix(httputil.PublicKeyPathPrefix).Handler(b.PublicKeyAPIMux)
+		externalRouter.PathPrefix(httputil.PublicFederationPathPrefix).Handler(b.PublicFederationAPIMux)
+	}
 	externalRouter.PathPrefix(httputil.PublicMediaPathPrefix).Handler(b.PublicMediaAPIMux)
 
 	if internalAddr != NoListener && internalAddr != externalAddr {

internal/setup/federation.go

@@ -0,0 +1,32 @@
+package setup
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/http"
+)
+
+// noOpHTTPTransport is used to disable federation.
+var noOpHTTPTransport = &http.Transport{
+	Dial: func(_, _ string) (net.Conn, error) {
+		return nil, fmt.Errorf("federation prohibited by configuration")
+	},
+	DialContext: func(_ context.Context, _, _ string) (net.Conn, error) {
+		return nil, fmt.Errorf("federation prohibited by configuration")
+	},
+	DialTLS: func(_, _ string) (net.Conn, error) {
+		return nil, fmt.Errorf("federation prohibited by configuration")
+	},
+}
+
+func init() {
+	noOpHTTPTransport.RegisterProtocol("matrix", &noOpHTTPRoundTripper{})
+}
+
+type noOpHTTPRoundTripper struct {
+}
+
+func (y *noOpHTTPRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	return nil, fmt.Errorf("federation prohibited by configuration")
+}