Implement MSC3848: Introduce errcodes for specific event sending fail…

…ures (#13343)

Implements MSC3848

changelog.d/13343.feature

@@ -0,0 +1 @@
+Add new unstable error codes `ORG.MATRIX.MSC3848.ALREADY_JOINED`, `ORG.MATRIX.MSC3848.NOT_JOINED`, and `ORG.MATRIX.MSC3848.INSUFFICIENT_POWER` described in MSC3848.

synapse/api/auth.py

@@ -26,6 +26,7 @@
  Codes,
  InvalidClientTokenError,
  MissingClientTokenError,
+ UnstableSpecAuthError,
 )
 from synapse.appservice import ApplicationService
 from synapse.http import get_request_user_agent
@@ -106,8 +107,11 @@ async def check_user_in_room(
  forgot = await self.store.did_forget(user_id, room_id)
  if not forgot:
  return membership, member_event_id
-
- raise AuthError(403, "User %s not in room %s" % (user_id, room_id))
+ raise UnstableSpecAuthError(
+ 403,
+ "User %s not in room %s" % (user_id, room_id),
+ errcode=Codes.NOT_JOINED,
+ )
 
  async def get_user_by_req(
  self,
@@ -600,8 +604,9 @@ async def check_user_in_room_or_world_readable(
  == HistoryVisibility.WORLD_READABLE
  ):
  return Membership.JOIN, None
- raise AuthError(
+ raise UnstableSpecAuthError(
  403,
  "User %s not in room %s, and room previews are disabled"
  % (user_id, room_id),
+ errcode=Codes.NOT_JOINED,
  )

synapse/api/errors.py

@@ -26,6 +26,7 @@
 from synapse.util import json_decoder
 
 if typing.TYPE_CHECKING:
+ from synapse.config.homeserver import HomeServerConfig
  from synapse.types import JsonDict
 
 logger = logging.getLogger(__name__)
@@ -80,6 +81,12 @@ class Codes(str, Enum):
  INVALID_SIGNATURE = "M_INVALID_SIGNATURE"
  USER_DEACTIVATED = "M_USER_DEACTIVATED"
 
+ # Part of MSC3848
+ # https://github.com/matrix-org/matrix-spec-proposals/pull/3848
+ ALREADY_JOINED = "ORG.MATRIX.MSC3848.ALREADY_JOINED"
+ NOT_JOINED = "ORG.MATRIX.MSC3848.NOT_JOINED"
+ INSUFFICIENT_POWER = "ORG.MATRIX.MSC3848.INSUFFICIENT_POWER"
+
  # The account has been suspended on the server.
  # By opposition to `USER_DEACTIVATED`, this is a reversible measure
  # that can possibly be appealed and reverted.
@@ -167,7 +174,7 @@ def __init__(
  else:
  self._additional_fields = dict(additional_fields)
 
- def error_dict(self) -> "JsonDict":
+ def error_dict(self, config: Optional["HomeServerConfig"]) -> "JsonDict":
  return cs_error(self.msg, self.errcode, **self._additional_fields)
 
 
@@ -213,7 +220,7 @@ def __init__(self, msg: str, consent_uri: str):
  )
  self._consent_uri = consent_uri
 
- def error_dict(self) -> "JsonDict":
+ def error_dict(self, config: Optional["HomeServerConfig"]) -> "JsonDict":
  return cs_error(self.msg, self.errcode, consent_uri=self._consent_uri)
 
 
@@ -307,6 +314,37 @@ def __init__(
  super().__init__(code, msg, errcode, additional_fields)
 
 
+class UnstableSpecAuthError(AuthError):
+ """An error raised when a new error code is being proposed to replace a previous one.
+ This error will return a "org.matrix.unstable.errcode" property with the new error code,
+ with the previous error code still being defined in the "errcode" property.
+
+ This error will include `org.matrix.msc3848.unstable.errcode` in the C-S error body.
+ """
+
+ def __init__(
+ self,
+ code: int,
+ msg: str,
+ errcode: str,
+ previous_errcode: str = Codes.FORBIDDEN,
+ additional_fields: Optional[dict] = None,
+ ):
+ self.previous_errcode = previous_errcode
+ super().__init__(code, msg, errcode, additional_fields)
+
+ def error_dict(self, config: Optional["HomeServerConfig"]) -> "JsonDict":
+ fields = {}
+ if config is not None and config.experimental.msc3848_enabled:
+ fields["org.matrix.msc3848.unstable.errcode"] = self.errcode
+ return cs_error(
+ self.msg,
+ self.previous_errcode,
+ **fields,
+ **self._additional_fields,
+ )
+
+
 class InvalidClientCredentialsError(SynapseError):
  """An error raised when there was a problem with the authorisation credentials
  in a client request.
@@ -338,8 +376,8 @@ def __init__(
  super().__init__(msg=msg, errcode="M_UNKNOWN_TOKEN")
  self._soft_logout = soft_logout
 
- def error_dict(self) -> "JsonDict":
- d = super().error_dict()
+ def error_dict(self, config: Optional["HomeServerConfig"]) -> "JsonDict":
+ d = super().error_dict(config)
  d["soft_logout"] = self._soft_logout
  return d
 
@@ -362,7 +400,7 @@ def __init__(
  self.limit_type = limit_type
  super().__init__(code, msg, errcode=errcode)
 
- def error_dict(self) -> "JsonDict":
+ def error_dict(self, config: Optional["HomeServerConfig"]) -> "JsonDict":
  return cs_error(
  self.msg,
  self.errcode,
@@ -397,7 +435,7 @@ def __init__(
  super().__init__(code, msg, errcode)
  self.error_url = error_url
 
- def error_dict(self) -> "JsonDict":
+ def error_dict(self, config: Optional["HomeServerConfig"]) -> "JsonDict":
  return cs_error(self.msg, self.errcode, error_url=self.error_url)
 
 
@@ -414,7 +452,7 @@ def __init__(
  super().__init__(code, msg, errcode)
  self.retry_after_ms = retry_after_ms
 
- def error_dict(self) -> "JsonDict":
+ def error_dict(self, config: Optional["HomeServerConfig"]) -> "JsonDict":
  return cs_error(self.msg, self.errcode, retry_after_ms=self.retry_after_ms)
 
 
@@ -429,7 +467,7 @@ def __init__(self, current_version: str):
  super().__init__(403, "Wrong room_keys version", Codes.WRONG_ROOM_KEYS_VERSION)
  self.current_version = current_version
 
- def error_dict(self) -> "JsonDict":
+ def error_dict(self, config: Optional["HomeServerConfig"]) -> "JsonDict":
  return cs_error(self.msg, self.errcode, current_version=self.current_version)
 
 
@@ -469,7 +507,7 @@ def __init__(self, room_version: str):
 
  self._room_version = room_version
 
- def error_dict(self) -> "JsonDict":
+ def error_dict(self, config: Optional["HomeServerConfig"]) -> "JsonDict":
  return cs_error(self.msg, self.errcode, room_version=self._room_version)
 
 
@@ -515,7 +553,7 @@ def __init__(self, content_keep_ms: Optional[int] = None):
  )
  self.content_keep_ms = content_keep_ms
 
- def error_dict(self) -> "JsonDict":
+ def error_dict(self, config: Optional["HomeServerConfig"]) -> "JsonDict":
  extra = {}
  if self.content_keep_ms is not None:
  extra = {"fi.mau.msc2815.content_keep_ms": self.content_keep_ms}

synapse/config/experimental.py

@@ -90,3 +90,6 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None:
 
  # MSC3827: Filtering of /publicRooms by room type
  self.msc3827_enabled: bool = experimental.get("msc3827_enabled", False)
+
+ # MSC3848: Introduce errcodes for specific event sending failures
+ self.msc3848_enabled: bool = experimental.get("msc3848_enabled", False)

synapse/event_auth.py

@@ -30,7 +30,13 @@
  JoinRules,
  Membership,
 )
-from synapse.api.errors import AuthError, EventSizeError, SynapseError
+from synapse.api.errors import (
+ AuthError,
+ Codes,
+ EventSizeError,
+ SynapseError,
+ UnstableSpecAuthError,
+)
 from synapse.api.room_versions import (
  KNOWN_ROOM_VERSIONS,
  EventFormatVersions,
@@ -291,7 +297,11 @@ def check_state_dependent_auth_rules(
  invite_level = get_named_level(auth_dict, "invite", 0)
 
  if user_level < invite_level:
- raise AuthError(403, "You don't have permission to invite users")
+ raise UnstableSpecAuthError(
+ 403,
+ "You don't have permission to invite users",
+ errcode=Codes.INSUFFICIENT_POWER,
+ )
  else:
  logger.debug("Allowing! %s", event)
  return
@@ -474,7 +484,11 @@ def _is_membership_change_allowed(
  return
 
  if not caller_in_room: # caller isn't joined
- raise AuthError(403, "%s not in room %s." % (event.user_id, event.room_id))
+ raise UnstableSpecAuthError(
+ 403,
+ "%s not in room %s." % (event.user_id, event.room_id),
+ errcode=Codes.NOT_JOINED,
+ )
 
  if Membership.INVITE == membership:
  # TODO (erikj): We should probably handle this more intelligently
@@ -484,10 +498,18 @@ def _is_membership_change_allowed(
  if target_banned:
  raise AuthError(403, "%s is banned from the room" % (target_user_id,))
  elif target_in_room: # the target is already in the room.
- raise AuthError(403, "%s is already in the room." % target_user_id)
+ raise UnstableSpecAuthError(
+ 403,
+ "%s is already in the room." % target_user_id,
+ errcode=Codes.ALREADY_JOINED,
+ )
  else:
  if user_level < invite_level:
- raise AuthError(403, "You don't have permission to invite users")
+ raise UnstableSpecAuthError(
+ 403,
+ "You don't have permission to invite users",
+ errcode=Codes.INSUFFICIENT_POWER,
+ )
  elif Membership.JOIN == membership:
  # Joins are valid iff caller == target and:
  # * They are not banned.
@@ -549,15 +571,27 @@ def _is_membership_change_allowed(
  elif Membership.LEAVE == membership:
  # TODO (erikj): Implement kicks.
  if target_banned and user_level < ban_level:
- raise AuthError(403, "You cannot unban user %s." % (target_user_id,))
+ raise UnstableSpecAuthError(
+ 403,
+ "You cannot unban user %s." % (target_user_id,),
+ errcode=Codes.INSUFFICIENT_POWER,
+ )
  elif target_user_id != event.user_id:
  kick_level = get_named_level(auth_events, "kick", 50)
 
  if user_level < kick_level or user_level <= target_level:
- raise AuthError(403, "You cannot kick user %s." % target_user_id)
+ raise UnstableSpecAuthError(
+ 403,
+ "You cannot kick user %s." % target_user_id,
+ errcode=Codes.INSUFFICIENT_POWER,
+ )
  elif Membership.BAN == membership:
  if user_level < ban_level or user_level <= target_level:
- raise AuthError(403, "You don't have permission to ban")
+ raise UnstableSpecAuthError(
+ 403,
+ "You don't have permission to ban",
+ errcode=Codes.INSUFFICIENT_POWER,
+ )
  elif room_version.msc2403_knocking and Membership.KNOCK == membership:
  if join_rule != JoinRules.KNOCK and (
  not room_version.msc3787_knock_restricted_join_rule
@@ -567,7 +601,11 @@ def _is_membership_change_allowed(
  elif target_user_id != event.user_id:
  raise AuthError(403, "You cannot knock for other users")
  elif target_in_room:
- raise AuthError(403, "You cannot knock on a room you are already in")
+ raise UnstableSpecAuthError(
+ 403,
+ "You cannot knock on a room you are already in",
+ errcode=Codes.ALREADY_JOINED,
+ )
  elif caller_invited:
  raise AuthError(403, "You are already invited to this room")
  elif target_banned:
@@ -638,10 +676,11 @@ def _can_send_event(event: "EventBase", auth_events: StateMap["EventBase"]) -> b
  user_level = get_user_power_level(event.user_id, auth_events)
 
  if user_level < send_level:
- raise AuthError(
+ raise UnstableSpecAuthError(
  403,
  "You don't have permission to post that to the room. "
  + "user_level (%d) < send_level (%d)" % (user_level, send_level),
+ errcode=Codes.INSUFFICIENT_POWER,
  )
 
  # Check state_key
@@ -716,9 +755,10 @@ def check_historical(
  historical_level = get_named_level(auth_events, "historical", 100)
 
  if user_level < historical_level:
- raise AuthError(
+ raise UnstableSpecAuthError(
  403,
  'You don\'t have permission to send send historical related events ("insertion", "batch", and "marker")',
+ errcode=Codes.INSUFFICIENT_POWER,
  )
 
 

synapse/federation/federation_server.py

@@ -469,7 +469,7 @@ async def process_pdus_for_room(room_id: str) -> None:
  )
  for pdu in pdus_by_room[room_id]:
  event_id = pdu.event_id
- pdu_results[event_id] = e.error_dict()
+ pdu_results[event_id] = e.error_dict(self.hs.config)
  return
 
  for pdu in pdus_by_room[room_id]:

synapse/handlers/auth.py

@@ -565,7 +565,7 @@ async def check_ui_auth(
  except LoginError as e:
  # this step failed. Merge the error dict into the response
  # so that the client can have another go.
- errordict = e.error_dict()
+ errordict = e.error_dict(self.hs.config)
 
  creds = await self.store.get_completed_ui_auth_stages(session.session_id)
  for f in flows:

synapse/handlers/message.py

@@ -41,6 +41,7 @@
  NotFoundError,
  ShadowBanError,
  SynapseError,
+ UnstableSpecAuthError,
  UnsupportedRoomVersionError,
 )
 from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
@@ -149,7 +150,11 @@ async def get_room_data(
  "Attempted to retrieve data from a room for a user that has never been in it. "
  "This should not have happened."
  )
- raise SynapseError(403, "User not in room", errcode=Codes.FORBIDDEN)
+ raise UnstableSpecAuthError(
+ 403,
+ "User not in room",
+ errcode=Codes.NOT_JOINED,
+ )
 
  return data
 
@@ -334,7 +339,11 @@ async def get_joined_members(self, requester: Requester, room_id: str) -> dict:
  break
  else:
  # Loop fell through, AS has no interested users in room
- raise AuthError(403, "Appservice not in room")
+ raise UnstableSpecAuthError(
+ 403,
+ "Appservice not in room",
+ errcode=Codes.NOT_JOINED,
+ )
 
  return {
  user_id: {

synapse/handlers/room_summary.py

@@ -28,11 +28,11 @@
  RoomTypes,
 )
 from synapse.api.errors import (
- AuthError,
  Codes,
  NotFoundError,
  StoreError,
  SynapseError,
+ UnstableSpecAuthError,
  UnsupportedRoomVersionError,
 )
 from synapse.api.ratelimiting import Ratelimiter
@@ -175,10 +175,11 @@ async def _get_room_hierarchy(
 
  # First of all, check that the room is accessible.
  if not await self._is_local_room_accessible(requested_room_id, requester):
- raise AuthError(
+ raise UnstableSpecAuthError(
  403,
  "User %s not in room %s, and room previews are disabled"
  % (requester, requested_room_id),
+ errcode=Codes.NOT_JOINED,
  )
 
  # If this is continuing a previous session, pull the persisted data.