Add ability to disable federation (#1604)

* Allow disabling federation

* Don't start federation queues if disabled

* Fix for Go 1.13
This commit is contained in:
Neil Alexander 2020-12-02 15:10:03 +00:00 committed by GitHub
parent b4c3692dcc
commit bdf6490375
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 88 additions and 23 deletions

View File

@ -60,6 +60,10 @@ global:
- matrix.org - matrix.org
- vector.im - vector.im
# Disables federation. Dendrite will not be able to make any outbound HTTP requests
# to other servers and the federation API will not be exposed.
disable_federation: false
# Configuration for Kafka/Naffka. # Configuration for Kafka/Naffka.
kafka: kafka:
# List of Kafka broker addresses to connect to. This is not needed if using # List of Kafka broker addresses to connect to. This is not needed if using

View File

@ -59,8 +59,8 @@ func NewInternalAPI(
consumer, _ := kafka.SetupConsumerProducer(&cfg.Matrix.Kafka) consumer, _ := kafka.SetupConsumerProducer(&cfg.Matrix.Kafka)
queues := queue.NewOutgoingQueues( queues := queue.NewOutgoingQueues(
federationSenderDB, cfg.Matrix.ServerName, federation, federationSenderDB, cfg.Matrix.DisableFederation,
rsAPI, stats, cfg.Matrix.ServerName, federation, rsAPI, stats,
&queue.SigningInfo{ &queue.SigningInfo{
KeyID: cfg.Matrix.KeyID, KeyID: cfg.Matrix.KeyID,
PrivateKey: cfg.Matrix.PrivateKey, PrivateKey: cfg.Matrix.PrivateKey,

View File

@ -34,6 +34,7 @@ import (
// matrix servers // matrix servers
type OutgoingQueues struct { type OutgoingQueues struct {
db storage.Database db storage.Database
disabled bool
rsAPI api.RoomserverInternalAPI rsAPI api.RoomserverInternalAPI
origin gomatrixserverlib.ServerName origin gomatrixserverlib.ServerName
client *gomatrixserverlib.FederationClient client *gomatrixserverlib.FederationClient
@ -46,6 +47,7 @@ type OutgoingQueues struct {
// NewOutgoingQueues makes a new OutgoingQueues // NewOutgoingQueues makes a new OutgoingQueues
func NewOutgoingQueues( func NewOutgoingQueues(
db storage.Database, db storage.Database,
disabled bool,
origin gomatrixserverlib.ServerName, origin gomatrixserverlib.ServerName,
client *gomatrixserverlib.FederationClient, client *gomatrixserverlib.FederationClient,
rsAPI api.RoomserverInternalAPI, rsAPI api.RoomserverInternalAPI,
@ -53,6 +55,7 @@ func NewOutgoingQueues(
signing *SigningInfo, signing *SigningInfo,
) *OutgoingQueues { ) *OutgoingQueues {
queues := &OutgoingQueues{ queues := &OutgoingQueues{
disabled: disabled,
db: db, db: db,
rsAPI: rsAPI, rsAPI: rsAPI,
origin: origin, origin: origin,
@ -62,28 +65,30 @@ func NewOutgoingQueues(
queues: map[gomatrixserverlib.ServerName]*destinationQueue{}, queues: map[gomatrixserverlib.ServerName]*destinationQueue{},
} }
// Look up which servers we have pending items for and then rehydrate those queues. // Look up which servers we have pending items for and then rehydrate those queues.
time.AfterFunc(time.Second*5, func() { if !disabled {
serverNames := map[gomatrixserverlib.ServerName]struct{}{} time.AfterFunc(time.Second*5, func() {
if names, err := db.GetPendingPDUServerNames(context.Background()); err == nil { serverNames := map[gomatrixserverlib.ServerName]struct{}{}
for _, serverName := range names { if names, err := db.GetPendingPDUServerNames(context.Background()); err == nil {
serverNames[serverName] = struct{}{} for _, serverName := range names {
serverNames[serverName] = struct{}{}
}
} else {
log.WithError(err).Error("Failed to get PDU server names for destination queue hydration")
} }
} else { if names, err := db.GetPendingEDUServerNames(context.Background()); err == nil {
log.WithError(err).Error("Failed to get PDU server names for destination queue hydration") for _, serverName := range names {
} serverNames[serverName] = struct{}{}
if names, err := db.GetPendingEDUServerNames(context.Background()); err == nil { }
for _, serverName := range names { } else {
serverNames[serverName] = struct{}{} log.WithError(err).Error("Failed to get EDU server names for destination queue hydration")
} }
} else { for serverName := range serverNames {
log.WithError(err).Error("Failed to get EDU server names for destination queue hydration") if !queues.getQueue(serverName).statistics.Blacklisted() {
} queues.getQueue(serverName).wakeQueueIfNeeded()
for serverName := range serverNames { }
if !queues.getQueue(serverName).statistics.Blacklisted() {
queues.getQueue(serverName).wakeQueueIfNeeded()
} }
} })
}) }
return queues return queues
} }
@ -122,6 +127,9 @@ func (oqs *OutgoingQueues) SendEvent(
ev *gomatrixserverlib.HeaderedEvent, origin gomatrixserverlib.ServerName, ev *gomatrixserverlib.HeaderedEvent, origin gomatrixserverlib.ServerName,
destinations []gomatrixserverlib.ServerName, destinations []gomatrixserverlib.ServerName,
) error { ) error {
if oqs.disabled {
return fmt.Errorf("federation is disabled")
}
if origin != oqs.origin { if origin != oqs.origin {
// TODO: Support virtual hosting; gh issue #577. // TODO: Support virtual hosting; gh issue #577.
return fmt.Errorf( return fmt.Errorf(
@ -181,6 +189,9 @@ func (oqs *OutgoingQueues) SendEDU(
e *gomatrixserverlib.EDU, origin gomatrixserverlib.ServerName, e *gomatrixserverlib.EDU, origin gomatrixserverlib.ServerName,
destinations []gomatrixserverlib.ServerName, destinations []gomatrixserverlib.ServerName,
) error { ) error {
if oqs.disabled {
return fmt.Errorf("federation is disabled")
}
if origin != oqs.origin { if origin != oqs.origin {
// TODO: Support virtual hosting; gh issue #577. // TODO: Support virtual hosting; gh issue #577.
return fmt.Errorf( return fmt.Errorf(
@ -243,6 +254,9 @@ func (oqs *OutgoingQueues) SendEDU(
// RetryServer attempts to resend events to the given server if we had given up. // RetryServer attempts to resend events to the given server if we had given up.
func (oqs *OutgoingQueues) RetryServer(srv gomatrixserverlib.ServerName) { func (oqs *OutgoingQueues) RetryServer(srv gomatrixserverlib.ServerName) {
if oqs.disabled {
return
}
q := oqs.getQueue(srv) q := oqs.getQueue(srv)
if q == nil { if q == nil {
return return

View File

@ -34,6 +34,10 @@ type Global struct {
// Defaults to 24 hours. // Defaults to 24 hours.
KeyValidityPeriod time.Duration `yaml:"key_validity_period"` KeyValidityPeriod time.Duration `yaml:"key_validity_period"`
// Disables federation. Dendrite will not be able to make any outbound HTTP requests
// to other servers and the federation API will not be exposed.
DisableFederation bool `yaml:"disable_federation"`
// List of domains that the server will trust as identity servers to // List of domains that the server will trust as identity servers to
// verify third-party identifiers. // verify third-party identifiers.
// Defaults to an empty array. // Defaults to an empty array.

View File

@ -249,6 +249,9 @@ func (b *BaseDendrite) CreateAccountsDB() accounts.Database {
// CreateClient creates a new client (normally used for media fetch requests). // CreateClient creates a new client (normally used for media fetch requests).
// Should only be called once per component. // Should only be called once per component.
func (b *BaseDendrite) CreateClient() *gomatrixserverlib.Client { func (b *BaseDendrite) CreateClient() *gomatrixserverlib.Client {
if b.Cfg.Global.DisableFederation {
return gomatrixserverlib.NewClientWithTransport(noOpHTTPTransport)
}
client := gomatrixserverlib.NewClient( client := gomatrixserverlib.NewClient(
b.Cfg.FederationSender.DisableTLSValidation, b.Cfg.FederationSender.DisableTLSValidation,
) )
@ -259,6 +262,12 @@ func (b *BaseDendrite) CreateClient() *gomatrixserverlib.Client {
// CreateFederationClient creates a new federation client. Should only be called // CreateFederationClient creates a new federation client. Should only be called
// once per component. // once per component.
func (b *BaseDendrite) CreateFederationClient() *gomatrixserverlib.FederationClient { func (b *BaseDendrite) CreateFederationClient() *gomatrixserverlib.FederationClient {
if b.Cfg.Global.DisableFederation {
return gomatrixserverlib.NewFederationClientWithTransport(
b.Cfg.Global.ServerName, b.Cfg.Global.KeyID, b.Cfg.Global.PrivateKey,
b.Cfg.FederationSender.DisableTLSValidation, noOpHTTPTransport,
)
}
client := gomatrixserverlib.NewFederationClientWithTimeout( client := gomatrixserverlib.NewFederationClientWithTimeout(
b.Cfg.Global.ServerName, b.Cfg.Global.KeyID, b.Cfg.Global.PrivateKey, b.Cfg.Global.ServerName, b.Cfg.Global.KeyID, b.Cfg.Global.PrivateKey,
b.Cfg.FederationSender.DisableTLSValidation, time.Minute*5, b.Cfg.FederationSender.DisableTLSValidation, time.Minute*5,
@ -308,8 +317,10 @@ func (b *BaseDendrite) SetupAndServeHTTP(
} }
externalRouter.PathPrefix(httputil.PublicClientPathPrefix).Handler(b.PublicClientAPIMux) externalRouter.PathPrefix(httputil.PublicClientPathPrefix).Handler(b.PublicClientAPIMux)
externalRouter.PathPrefix(httputil.PublicKeyPathPrefix).Handler(b.PublicKeyAPIMux) if !b.Cfg.Global.DisableFederation {
externalRouter.PathPrefix(httputil.PublicFederationPathPrefix).Handler(b.PublicFederationAPIMux) externalRouter.PathPrefix(httputil.PublicKeyPathPrefix).Handler(b.PublicKeyAPIMux)
externalRouter.PathPrefix(httputil.PublicFederationPathPrefix).Handler(b.PublicFederationAPIMux)
}
externalRouter.PathPrefix(httputil.PublicMediaPathPrefix).Handler(b.PublicMediaAPIMux) externalRouter.PathPrefix(httputil.PublicMediaPathPrefix).Handler(b.PublicMediaAPIMux)
if internalAddr != NoListener && internalAddr != externalAddr { if internalAddr != NoListener && internalAddr != externalAddr {

View File

@ -0,0 +1,32 @@
package setup
import (
"context"
"fmt"
"net"
"net/http"
)
// noOpHTTPTransport is used to disable federation.
var noOpHTTPTransport = &http.Transport{
Dial: func(_, _ string) (net.Conn, error) {
return nil, fmt.Errorf("federation prohibited by configuration")
},
DialContext: func(_ context.Context, _, _ string) (net.Conn, error) {
return nil, fmt.Errorf("federation prohibited by configuration")
},
DialTLS: func(_, _ string) (net.Conn, error) {
return nil, fmt.Errorf("federation prohibited by configuration")
},
}
func init() {
noOpHTTPTransport.RegisterProtocol("matrix", &noOpHTTPRoundTripper{})
}
type noOpHTTPRoundTripper struct {
}
func (y *noOpHTTPRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
return nil, fmt.Errorf("federation prohibited by configuration")
}