From 0f6ab423682090fcbc8671f6136a3a835a80768b Mon Sep 17 00:00:00 2001
From: Travis Ralston <travisr@matrix.org>
Date: Tue, 1 Feb 2022 19:40:47 -0700
Subject: [PATCH 1/7] Support MSC3667 in a new room version

Includes MSC3604's representation for testing.
---
 synapse/api/room_versions.py | 51 ++++++++++++++++++++++++++++++++++++
 synapse/event_auth.py        | 16 +++++++++++
 2 files changed, 67 insertions(+)

diff --git a/synapse/api/room_versions.py b/synapse/api/room_versions.py
index a747a4081497..c1ed3ac6f40b 100644
--- a/synapse/api/room_versions.py
+++ b/synapse/api/room_versions.py
@@ -81,6 +81,8 @@ class RoomVersion:
     msc2716_historical: bool
     # MSC2716: Adds support for redacting "insertion", "chunk", and "marker" events
     msc2716_redactions: bool
+    # MSC3667: Treat string format power levels as invalid, thus denied.
+    msc3667_int_only_power_levels: bool
 
 
 class RoomVersions:
@@ -99,6 +101,7 @@ class RoomVersions:
         msc2403_knocking=False,
         msc2716_historical=False,
         msc2716_redactions=False,
+        msc3667_int_only_power_levels=False,
     )
     V2 = RoomVersion(
         "2",
@@ -115,6 +118,7 @@ class RoomVersions:
         msc2403_knocking=False,
         msc2716_historical=False,
         msc2716_redactions=False,
+        msc3667_int_only_power_levels=False,
     )
     V3 = RoomVersion(
         "3",
@@ -131,6 +135,7 @@ class RoomVersions:
         msc2403_knocking=False,
         msc2716_historical=False,
         msc2716_redactions=False,
+        msc3667_int_only_power_levels=False,
     )
     V4 = RoomVersion(
         "4",
@@ -147,6 +152,7 @@ class RoomVersions:
         msc2403_knocking=False,
         msc2716_historical=False,
         msc2716_redactions=False,
+        msc3667_int_only_power_levels=False,
     )
     V5 = RoomVersion(
         "5",
@@ -163,6 +169,7 @@ class RoomVersions:
         msc2403_knocking=False,
         msc2716_historical=False,
         msc2716_redactions=False,
+        msc3667_int_only_power_levels=False,
     )
     V6 = RoomVersion(
         "6",
@@ -179,6 +186,7 @@ class RoomVersions:
         msc2403_knocking=False,
         msc2716_historical=False,
         msc2716_redactions=False,
+        msc3667_int_only_power_levels=False,
     )
     MSC2176 = RoomVersion(
         "org.matrix.msc2176",
@@ -195,6 +203,7 @@ class RoomVersions:
         msc2403_knocking=False,
         msc2716_historical=False,
         msc2716_redactions=False,
+        msc3667_int_only_power_levels=False,
     )
     V7 = RoomVersion(
         "7",
@@ -211,6 +220,7 @@ class RoomVersions:
         msc2403_knocking=True,
         msc2716_historical=False,
         msc2716_redactions=False,
+        msc3667_int_only_power_levels=False,
     )
     V8 = RoomVersion(
         "8",
@@ -227,6 +237,7 @@ class RoomVersions:
         msc2403_knocking=True,
         msc2716_historical=False,
         msc2716_redactions=False,
+        msc3667_int_only_power_levels=False,
     )
     V9 = RoomVersion(
         "9",
@@ -243,6 +254,7 @@ class RoomVersions:
         msc2403_knocking=True,
         msc2716_historical=False,
         msc2716_redactions=False,
+        msc3667_int_only_power_levels=False,
     )
     MSC2716v3 = RoomVersion(
         "org.matrix.msc2716v3",
@@ -259,6 +271,43 @@ class RoomVersions:
         msc2403_knocking=True,
         msc2716_historical=True,
         msc2716_redactions=True,
+        msc3667_int_only_power_levels=False,
+    )
+    MSC3667 = RoomVersion(
+        # v7 + MSC3667
+        "org.matrix.msc3667",
+        RoomDisposition.UNSTABLE,
+        EventFormatVersions.V3,
+        StateResolutionVersions.V2,
+        enforce_key_validity=True,
+        special_case_aliases_auth=False,
+        strict_canonicaljson=True,
+        limit_notifications_power_levels=True,
+        msc2176_redaction_rules=False,
+        msc3083_join_rules=False,
+        msc3375_redaction_rules=False,
+        msc2403_knocking=True,
+        msc2716_historical=False,
+        msc2716_redactions=False,
+        msc3667_int_only_power_levels=True,
+    )
+    MSC3604opt2 = RoomVersion(
+        # v9 + MSC2176 + MSC3667
+        "org.matrix.msc3604.opt2",
+        RoomDisposition.UNSTABLE,
+        EventFormatVersions.V3,
+        StateResolutionVersions.V2,
+        enforce_key_validity=True,
+        special_case_aliases_auth=False,
+        strict_canonicaljson=True,
+        limit_notifications_power_levels=True,
+        msc2176_redaction_rules=True,
+        msc3083_join_rules=True,
+        msc3375_redaction_rules=True,
+        msc2403_knocking=True,
+        msc2716_historical=False,
+        msc2716_redactions=False,
+        msc3667_int_only_power_levels=True,
     )
 
 
@@ -276,6 +325,8 @@ class RoomVersions:
         RoomVersions.V8,
         RoomVersions.V9,
         RoomVersions.MSC2716v3,
+        RoomVersions.MSC3667,
+        RoomVersions.MSC3604opt2,
     )
 }
 
diff --git a/synapse/event_auth.py b/synapse/event_auth.py
index e88596169862..31418a4eb03f 100644
--- a/synapse/event_auth.py
+++ b/synapse/event_auth.py
@@ -137,6 +137,22 @@ def check_auth_rules_for_event(
     Raises:
         AuthError if the checks fail
     """
+    # Before we get too far into event auth, validate that the event is even
+    # valid enough to be used
+    if event.type == EventTypes.PowerLevels:
+        # If applicable, validate that the known power levels are integers
+        if room_version_obj.msc3667_int_only_power_levels:
+            for k, v in event.content.items():
+                if k in ['events', 'notifications', 'users']:
+                    if type(v) is not dict:
+                        raise AuthError(403, "Not a valid object: %s" % (k,))
+                    for k2, v2 in v.items():
+                        if type(v2) is not int:
+                            raise AuthError(403, "Not a valid power level: %s" % (v2,))
+                else:
+                    if type(v) is not int:
+                        raise AuthError(403, "Not a valid power level: %s" % (v,))
+
     # We need to ensure that the auth events are actually for the same room, to
     # stop people from using powers they've been granted in other rooms for
     # example.

From 0e55160dfd64bbbfdf076054fc8356207f25addd Mon Sep 17 00:00:00 2001
From: Travis Ralston <travisr@matrix.org>
Date: Tue, 1 Feb 2022 20:27:43 -0700
Subject: [PATCH 2/7] Changelog

---
 changelog.d/11855.feature | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/11855.feature

diff --git a/changelog.d/11855.feature b/changelog.d/11855.feature
new file mode 100644
index 000000000000..dde48bdd76a1
--- /dev/null
+++ b/changelog.d/11855.feature
@@ -0,0 +1 @@
+Support [MSC3667](https://github.com/matrix-org/matrix-doc/pull/3667) in a new room version.
\ No newline at end of file

From f1d5890e8fd4b2a51438998696d18b136c2258a7 Mon Sep 17 00:00:00 2001
From: Travis Ralston <travisr@matrix.org>
Date: Tue, 1 Feb 2022 20:31:42 -0700
Subject: [PATCH 3/7] lint

---
 changelog.d/{11855.feature => 11885.feature} | 0
 synapse/event_auth.py                        | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename changelog.d/{11855.feature => 11885.feature} (100%)

diff --git a/changelog.d/11855.feature b/changelog.d/11885.feature
similarity index 100%
rename from changelog.d/11855.feature
rename to changelog.d/11885.feature
diff --git a/synapse/event_auth.py b/synapse/event_auth.py
index 31418a4eb03f..54d606cf3c97 100644
--- a/synapse/event_auth.py
+++ b/synapse/event_auth.py
@@ -143,7 +143,7 @@ def check_auth_rules_for_event(
         # If applicable, validate that the known power levels are integers
         if room_version_obj.msc3667_int_only_power_levels:
             for k, v in event.content.items():
-                if k in ['events', 'notifications', 'users']:
+                if k in ["events", "notifications", "users"]:
                     if type(v) is not dict:
                         raise AuthError(403, "Not a valid object: %s" % (k,))
                     for k2, v2 in v.items():

From f5e2cde3f50c7315d4d7a69e814deb9593943318 Mon Sep 17 00:00:00 2001
From: Travis Ralston <travisr@matrix.org>
Date: Tue, 1 Feb 2022 20:35:22 -0700
Subject: [PATCH 4/7] more lint

---
 synapse/event_auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/synapse/event_auth.py b/synapse/event_auth.py
index 54d606cf3c97..c99b4faa1d26 100644
--- a/synapse/event_auth.py
+++ b/synapse/event_auth.py
@@ -146,7 +146,7 @@ def check_auth_rules_for_event(
                 if k in ["events", "notifications", "users"]:
                     if type(v) is not dict:
                         raise AuthError(403, "Not a valid object: %s" % (k,))
-                    for k2, v2 in v.items():
+                    for _k2, v2 in v.items():
                         if type(v2) is not int:
                             raise AuthError(403, "Not a valid power level: %s" % (v2,))
                 else:

From 99ef23d2d22ead001e0ab420fe4b34439d39ff11 Mon Sep 17 00:00:00 2001
From: Travis Ralston <travisr@matrix.org>
Date: Thu, 19 May 2022 19:02:18 -0600
Subject: [PATCH 5/7] Remove defunct opt2 room version

---
 synapse/api/room_versions.py | 19 -------------------
 1 file changed, 19 deletions(-)

diff --git a/synapse/api/room_versions.py b/synapse/api/room_versions.py
index 3dc33234a69d..57ebedb7dd4d 100644
--- a/synapse/api/room_versions.py
+++ b/synapse/api/room_versions.py
@@ -322,24 +322,6 @@ class RoomVersions:
         msc2716_redactions=False,
         msc3667_int_only_power_levels=True,
     )
-    MSC3604opt2 = RoomVersion(
-        # v9 + MSC2176 + MSC3667
-        "org.matrix.msc3604.opt2",
-        RoomDisposition.UNSTABLE,
-        EventFormatVersions.V3,
-        StateResolutionVersions.V2,
-        enforce_key_validity=True,
-        special_case_aliases_auth=False,
-        strict_canonicaljson=True,
-        limit_notifications_power_levels=True,
-        msc2176_redaction_rules=True,
-        msc3083_join_rules=True,
-        msc3375_redaction_rules=True,
-        msc2403_knocking=True,
-        msc2716_historical=False,
-        msc2716_redactions=False,
-        msc3667_int_only_power_levels=True,
-    )
 
 
 KNOWN_ROOM_VERSIONS: Dict[str, RoomVersion] = {
@@ -358,7 +340,6 @@ class RoomVersions:
         RoomVersions.MSC2716v3,
         RoomVersions.MSC3787,
         RoomVersions.MSC3667,
-        RoomVersions.MSC3604opt2,
     )
 }
 

From cf72994b2cb038548004d60f6f0b79b4349360ac Mon Sep 17 00:00:00 2001
From: Travis Ralston <travisr@matrix.org>
Date: Thu, 19 May 2022 19:02:55 -0600
Subject: [PATCH 6/7] Populate missing room version fields (post-merge)

---
 synapse/api/room_versions.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/synapse/api/room_versions.py b/synapse/api/room_versions.py
index 57ebedb7dd4d..c3ddc1d75983 100644
--- a/synapse/api/room_versions.py
+++ b/synapse/api/room_versions.py
@@ -303,6 +303,7 @@ class RoomVersions:
         msc2716_historical=False,
         msc2716_redactions=False,
         msc3787_knock_restricted_join_rule=True,
+        msc3667_int_only_power_levels=False,
     )
     MSC3667 = RoomVersion(
         # v7 + MSC3667
@@ -320,6 +321,7 @@ class RoomVersions:
         msc2403_knocking=True,
         msc2716_historical=False,
         msc2716_redactions=False,
+        msc3787_knock_restricted_join_rule=False,
         msc3667_int_only_power_levels=True,
     )
 

From 3f310c9c2ad07636e87bb6760e9dd40ac3eedbba Mon Sep 17 00:00:00 2001
From: Travis Ralston <travisr@matrix.org>
Date: Thu, 19 May 2022 19:03:58 -0600
Subject: [PATCH 7/7] Address the easy parts of code review

---
 synapse/event_auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/synapse/event_auth.py b/synapse/event_auth.py
index 1053ffef5a8e..bbf50d79767e 100644
--- a/synapse/event_auth.py
+++ b/synapse/event_auth.py
@@ -152,7 +152,7 @@ def check_auth_rules_for_event(
                 if k in ["events", "notifications", "users"]:
                     if type(v) is not dict:
                         raise AuthError(403, "Not a valid object: %s" % (k,))
-                    for _k2, v2 in v.items():
+                    for v2 in v.values():
                         if type(v2) is not int:
                             raise AuthError(403, "Not a valid power level: %s" % (v2,))
                 else: