optimize config denylists

Signed-off-by: Jason Volk <jason@zemos.net>
2024-10-22 06:21:57 +00:00 · 2024-10-22 06:21:57 +00:00 · ca57dc7928
parent d35376a90c
commit ca57dc7928
5 changed files with 20 additions and 30 deletions
--- a/src/api/client/directory.rs
+++ b/src/api/client/directory.rs
@ -37,14 +37,12 @@ pub(crate) async fn get_public_rooms_filtered_route(
 ) -> Result<get_public_rooms_filtered::v3::Response> {
 	if let Some(server) = &body.server {
 		if services
-			.globals
-			.forbidden_remote_room_directory_server_names()
+			.server
+			.config
+			.forbidden_remote_room_directory_server_names
 			.contains(server)
 		{
-			return Err(Error::BadRequest(
-				ErrorKind::forbidden(),
-				"Server is banned on this homeserver.",
-			));
+			return Err!(Request(Forbidden("Server is banned on this homeserver.")));
 		}
 	}

@ -77,14 +75,12 @@ pub(crate) async fn get_public_rooms_route(
 ) -> Result<get_public_rooms::v3::Response> {
 	if let Some(server) = &body.server {
 		if services
-			.globals
-			.forbidden_remote_room_directory_server_names()
+			.server
+			.config
+			.forbidden_remote_room_directory_server_names
 			.contains(server)
 		{
-			return Err(Error::BadRequest(
-				ErrorKind::forbidden(),
-				"Server is banned on this homeserver.",
-			));
+			return Err!(Request(Forbidden("Server is banned on this homeserver.")));
 		}
 	}

--- a/src/core/config/mod.rs
+++ b/src/core/config/mod.rs
@ -2,7 +2,7 @@ pub mod check;
 pub mod proxy;

 use std::{
-	collections::{BTreeMap, BTreeSet},
+	collections::{BTreeMap, BTreeSet, HashSet},
 	fmt,
 	net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr},
 	path::PathBuf,
@ -983,8 +983,8 @@ pub struct Config {

 	/// Vector list of servers that conduwuit will refuse to download remote
 	/// media from. No default.
-	#[serde(default = "Vec::new")]
-	pub prevent_media_downloads_from: Vec<OwnedServerName>,
+	#[serde(default = "HashSet::new")]
+	pub prevent_media_downloads_from: HashSet<OwnedServerName>,

 	/// List of forbidden server names that we will block incoming AND outgoing
 	/// federation with, and block client room joins / remote user invites.
@ -994,14 +994,14 @@ pub struct Config {
 	/// outbound federation handler.
 	///
 	/// Basically "global" ACLs. No default.
-	#[serde(default = "Vec::new")]
-	pub forbidden_remote_server_names: Vec<OwnedServerName>,
+	#[serde(default = "HashSet::new")]
+	pub forbidden_remote_server_names: HashSet<OwnedServerName>,

 	/// List of forbidden server names that we will block all outgoing federated
 	/// room directory requests for. Useful for preventing our users from
 	/// wandering into bad servers or spaces. No default.
-	#[serde(default = "Vec::new")]
-	pub forbidden_remote_room_directory_server_names: Vec<OwnedServerName>,
+	#[serde(default = "HashSet::new")]
+	pub forbidden_remote_room_directory_server_names: HashSet<OwnedServerName>,

 	/// Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you
 	/// do not want conduwuit to send outbound requests to. Defaults to
--- a/src/service/globals/mod.rs
+++ b/src/service/globals/mod.rs
@ -252,10 +252,6 @@ impl Service {

 	pub fn allow_outgoing_read_receipts(&self) -> bool { self.config.allow_outgoing_read_receipts }

-	pub fn forbidden_remote_room_directory_server_names(&self) -> &[OwnedServerName] {
-		&self.config.forbidden_remote_room_directory_server_names
-	}
-
 	pub fn well_known_support_page(&self) -> &Option<Url> { &self.config.well_known.support_page }

 	pub fn well_known_support_role(&self) -> &Option<ContactRole> { &self.config.well_known.support_role }
--- a/src/service/media/remote.rs
+++ b/src/service/media/remote.rs
@ -382,8 +382,7 @@ fn check_fetch_authorized(&self, mxc: &Mxc<'_>) -> Result<()> {
 		.server
 		.config
 		.prevent_media_downloads_from
-		.iter()
-		.any(|entry| entry == mxc.server_name)
+		.contains(mxc.server_name)
 	{
 		// we'll lie to the client and say the blocked server's media was not found and
 		// log. the client has no way of telling anyways so this is a security bonus.
--- a/src/service/sending/send.rs
+++ b/src/service/sending/send.rs
@ -1,8 +1,8 @@
 use std::{fmt::Debug, mem};

 use conduit::{
-	debug, debug_error, debug_info, debug_warn, err, error::inspect_debug_log, implement, trace, utils::string::EMPTY,
-	Err, Error, Result,
+	debug, debug_error, debug_warn, err, error::inspect_debug_log, implement, trace, utils::string::EMPTY, Err, Error,
+	Result,
 };
 use http::{header::AUTHORIZATION, HeaderValue};
 use ipaddress::IPAddress;
@ -36,10 +36,9 @@ impl super::Service {
 			.server
 			.config
 			.forbidden_remote_server_names
-			.contains(&dest.to_owned())
+			.contains(dest)
 		{
-			debug_info!("Refusing to send outbound federation request to {dest}");
-			return Err!(Request(Forbidden("Federation with this homeserver is not allowed.")));
+			return Err!(Request(Forbidden(debug_warn!("Federation with this {dest} is not allowed."))));
 		}

 		let actual = self.services.resolver.get_actual_dest(dest).await?;