From 727d527d8b0749ed47700bed463d9385200eed62 Mon Sep 17 00:00:00 2001 From: Johannes Marbach Date: Tue, 19 Nov 2024 10:46:59 +0100 Subject: [PATCH 1/8] MSC4163: Make ACLs apply to EDUs Signed-off-by: Johannes Marbach --- content/server-server-api.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/content/server-server-api.md b/content/server-server-api.md index e1b57c962..6051ed0f8 100644 --- a/content/server-server-api.md +++ b/content/server-server-api.md @@ -1228,7 +1228,6 @@ of `M_FORBIDDEN`. The following endpoint prefixes MUST be protected: -- `/_matrix/federation/v1/send` (on a per-PDU basis) - `/_matrix/federation/v1/make_join` - `/_matrix/federation/v1/make_leave` - `/_matrix/federation/v1/send_join` @@ -1245,6 +1244,22 @@ The following endpoint prefixes MUST be protected: - `/_matrix/federation/v1/event_auth` - `/_matrix/federation/v1/get_missing_events` +Additionally the [`/_matrix/federation/v1/send/{txnId}`](#put_matrixfederationv1sendtxnid) +endpoint MUST be protected as follows: + +- ACLs MUST be applied on a per-PDU basis. If the `origin` server is + denied access to the room identified by `room_id`, the PDU MUST be + ignored with an appropriate error included in the response for the + respective event ID. +- ACLs MUST be applied on a per-EDU basis to all EDUs that are local + to a specific room. This includes: + + - [Typing notifications (m.typing)](#typing-notifications) + - [Receipts (m.receipt)](#receipts) + + If the `origin` server is denied access to the room identified by + `room_id`, the EDU MUST be ignored. + ## Signing Events Signing events is complicated by the fact that servers can choose to From f5bb734f73478302f0a4193f17b7de89d92419c5 Mon Sep 17 00:00:00 2001 
From: Johannes Marbach Date: Tue, 19 Nov 2024 10:49:58 +0100 Subject: [PATCH 2/8] Add changelog --- changelogs/server_server/newsfragments/2004.feature | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelogs/server_server/newsfragments/2004.feature diff --git a/changelogs/server_server/newsfragments/2004.feature b/changelogs/server_server/newsfragments/2004.feature new file mode 100644 index 000000000..dd23b73d6 --- /dev/null +++ b/changelogs/server_server/newsfragments/2004.feature @@ -0,0 +1 @@ +Make ACLs apply to EDUs as per [MSC4163](https://github.com/matrix-org/matrix-spec-proposals/pull/4163). From 276fa602c82909524a6c52e6f692a4ffb42d0247 Mon Sep 17 00:00:00 2001 From: Johannes Marbach Date: Tue, 19 Nov 2024 15:27:22 +0100 Subject: [PATCH 3/8] Apply ACLs per room ID for m.receipt EDUs --- content/server-server-api.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/content/server-server-api.md b/content/server-server-api.md index 6051ed0f8..9b9ccf6ce 100644 --- a/content/server-server-api.md +++ b/content/server-server-api.md 
@@ -1247,18 +1247,18 @@ The following endpoint prefixes MUST be protected: Additionally the [`/_matrix/federation/v1/send/{txnId}`](#put_matrixfederationv1sendtxnid) endpoint MUST be protected as follows: -- ACLs MUST be applied on a per-PDU basis. If the `origin` server is - denied access to the room identified by `room_id`, the PDU MUST be - ignored with an appropriate error included in the response for the - respective event ID. -- ACLs MUST be applied on a per-EDU basis to all EDUs that are local - to a specific room. This includes: - - - [Typing notifications (m.typing)](#typing-notifications) - - [Receipts (m.receipt)](#receipts) - - If the `origin` server is denied access to the room identified by - `room_id`, the EDU MUST be ignored. +- ACLs MUST be applied to all PDUs on a per-PDU basis. If the `origin` + server is denied access to the room identified by `room_id`, the PDU + MUST be ignored with an appropriate error included in the response + for the respective event ID. +- ACLs MUST be applied to all EDUs that are local to a specific room: + + - For [typing notifications (m.typing)](#typing-notifications), if + the `origin` server is denied access to the room identified by + `room_id`, the EDU MUST be ignored. + - For [receipts (m.receipt)](#receipts), all receipts for a particular + room ID MUST be ignored if the `origin` server is denied access to + the room identified by that ID. ## Signing Events From 65c77ef638d2bbeca2247b781a5c846b652c58d4 Mon Sep 17 00:00:00 2001 From: Johannes Marbach Date: Wed, 11 Dec 2024 08:33:34 +0100 Subject: [PATCH 4/8] Update content/server-server-api.md Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- content/server-server-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/server-server-api.md b/content/server-server-api.md index 9b9ccf6ce..674ab6375 100644 --- a/content/server-server-api.md +++ b/content/server-server-api.md 
@@ -1253,7 +1253,7 @@ endpoint MUST be protected as follows: for the respective event ID. - ACLs MUST be applied to all EDUs that are local to a specific room: - - For [typing notifications (m.typing)](#typing-notifications), if + - For [typing notifications (`m.typing`)](#typing-notifications), if the `origin` server is denied access to the room identified by `room_id`, the EDU MUST be ignored. - For [receipts (m.receipt)](#receipts), all receipts for a particular From 2e5c532617a398560e5d65c7ed4ff7dc86b3ee31 Mon Sep 17 00:00:00 2001 From: Johannes Marbach Date: Wed, 11 Dec 2024 08:33:45 +0100 Subject: [PATCH 5/8] Update content/server-server-api.md Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- content/server-server-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/server-server-api.md b/content/server-server-api.md index 674ab6375..c214dd782 100644 --- a/content/server-server-api.md +++ b/content/server-server-api.md @@ -1256,7 +1256,7 @@ endpoint MUST be protected as follows: - For [typing notifications (`m.typing`)](#typing-notifications), if the `origin` server is denied access to the room identified by `room_id`, the EDU MUST be ignored. - - For [receipts (m.receipt)](#receipts), all receipts for a particular + - For [receipts (`m.receipt`)](#receipts), all receipts for a particular room ID MUST be ignored if the `origin` server is denied access to the room identified by that ID. From 81e449047b3d94ffbff2c38b9487e16d34086560 Mon Sep 17 00:00:00 2001 From: Johannes Marbach Date: Wed, 11 Dec 2024 13:34:14 +0100 Subject: [PATCH 6/8] Update content/server-server-api.md --- content/server-server-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/server-server-api.md b/content/server-server-api.md index c214dd782..28c7e4234 100644 --- a/content/server-server-api.md +++ b/content/server-server-api.md 
@@ -1247,7 +1247,7 @@ The following endpoint prefixes MUST be protected: Additionally the [`/_matrix/federation/v1/send/{txnId}`](#put_matrixfederationv1sendtxnid) endpoint MUST be protected as follows: -- ACLs MUST be applied to all PDUs on a per-PDU basis. If the `origin` +- ACLs MUST be applied to all PDUs on a per-PDU basis. If the sending server is denied access to the room identified by `room_id`, the PDU MUST be ignored with an appropriate error included in the response for the respective event ID. From 49704107c544c58765673f86b56ca2463ce72514 Mon Sep 17 00:00:00 2001 From: Johannes Marbach Date: Wed, 11 Dec 2024 13:34:47 +0100 Subject: [PATCH 7/8] Update content/server-server-api.md --- content/server-server-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/server-server-api.md b/content/server-server-api.md index 28c7e4234..3d9291b4e 100644 --- a/content/server-server-api.md +++ b/content/server-server-api.md @@ -1254,7 +1254,7 @@ endpoint MUST be protected as follows: - ACLs MUST be applied to all EDUs that are local to a specific room: - For [typing notifications (`m.typing`)](#typing-notifications), if - the `origin` server is denied access to the room identified by + the sending server is denied access to the room identified by `room_id`, the EDU MUST be ignored. - For [receipts (`m.receipt`)](#receipts), all receipts for a particular room ID MUST be ignored if the `origin` server is denied access to From 61913444ccbf17a2fa30e4a1b1bc8d259a332f3d Mon Sep 17 00:00:00 2001 From: Johannes Marbach Date: Wed, 11 Dec 2024 13:35:22 +0100 Subject: [PATCH 8/8] Update content/server-server-api.md --- content/server-server-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/server-server-api.md b/content/server-server-api.md index 3d9291b4e..8e99c431a 100644 --- a/content/server-server-api.md +++ b/content/server-server-api.md 
@@ -1257,7 +1257,7 @@ endpoint MUST be protected as follows: the sending server is denied access to the room identified by `room_id`, the EDU MUST be ignored. - For [receipts (`m.receipt`)](#receipts), all receipts for a particular - room ID MUST be ignored if the `origin` server is denied access to + room ID MUST be ignored if the sending server is denied access to the room identified by that ID. ## Signing Events
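Review bot: In PATCH 1/8, the added EDU bullet ends with only "the EDU MUST be ignored", whereas the PDU bullet just above it requires "an appropriate error included in the response for the respective event ID". The text should say whether a denied EDU is dropped silently and whether the rest of the transaction is still processed normally. The wording "This includes:" also reads as an open list; PATCH 3/8 shortens it to a colon but still does not say whether `m.typing` and `m.receipt` are the only EDUs covered. Either state that the list is closed or give the rule for deciding that another EDU type is "local to a specific room".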
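Review bot: In PATCH 3/8, the new `m.receipt` sub-bullet ("all receipts for a particular room ID MUST be ignored") implies that one EDU can carry receipts for several rooms, but it does not say what happens to the remaining receipts. Suggest adding that receipts for room IDs where the server is not denied are still processed, so that an implementation neither discards the whole EDU nor accepts it whole after checking a single room ID.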
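Review bot: PATCH 6/8 to 8/8 replace "the `origin` server" with "the sending server" in the PDU, `m.typing` and `m.receipt` bullets, but the changed text never defines that term, and all three commits are titled only "Update content/server-server-api.md", so the reason for the change is not recorded. Because the ACL decision depends on this identity, suggest stating in the paragraph that introduces the `/send/{txnId}` rules how the sending server is determined (for example, that it is the server authenticated for the request and not a name carried in the transaction, PDU or EDU body), so implementers evaluate the ACL against the same identity.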