1use std::{
2 borrow::Borrow,
3 collections::{BTreeMap, BTreeSet, HashSet},
4};
5
6use js_int::Int;
7use ruma_common::{
8 room::JoinRuleKind, room_version_rules::AuthorizationRules, EventId, OwnedUserId, UserId,
9};
10use ruma_events::{
11 room::{member::MembershipState, power_levels::UserPowerLevel},
12 StateEventType, TimelineEventType,
13};
14use serde_json::value::RawValue as RawJsonValue;
15use tracing::{debug, info, instrument, warn};
16
17mod room_member;
18#[cfg(test)]
19mod tests;
20
21use self::room_member::check_room_member;
22use crate::{
23 events::{
24 member::{RoomMemberEventContent, RoomMemberEventOptionExt},
25 power_levels::{RoomPowerLevelsEventOptionExt, RoomPowerLevelsIntField},
26 RoomCreateEvent, RoomJoinRulesEvent, RoomMemberEvent, RoomPowerLevelsEvent,
27 RoomThirdPartyInviteEvent,
28 },
29 utils::RoomIdExt,
30 Event,
31};
32
33pub fn auth_types_for_event(
44 event_type: &TimelineEventType,
45 sender: &UserId,
46 state_key: Option<&str>,
47 content: &RawJsonValue,
48 rules: &AuthorizationRules,
49) -> Result<Vec<(StateEventType, String)>, String> {
50 if event_type == &TimelineEventType::RoomCreate {
52 return Ok(vec![]);
53 }
54
55 let mut auth_types = vec![
60 (StateEventType::RoomPowerLevels, "".to_owned()),
61 (StateEventType::RoomMember, sender.to_string()),
62 ];
63
64 if !rules.room_create_event_id_as_room_id {
66 auth_types.push((StateEventType::RoomCreate, "".to_owned()));
67 }
68
69 if event_type == &TimelineEventType::RoomMember {
71 let Some(state_key) = state_key else {
73 return Err("missing `state_key` field for `m.room.member` event".to_owned());
74 };
75 let key = (StateEventType::RoomMember, state_key.to_owned());
76 if !auth_types.contains(&key) {
77 auth_types.push(key);
78 }
79
80 let content = RoomMemberEventContent::new(content);
81 let membership = content.membership()?;
82
83 if matches!(
86 membership,
87 MembershipState::Join | MembershipState::Invite | MembershipState::Knock
88 ) {
89 let key = (StateEventType::RoomJoinRules, "".to_owned());
90 if !auth_types.contains(&key) {
91 auth_types.push(key);
92 }
93 }
94
95 if membership == MembershipState::Invite {
99 let third_party_invite = content.third_party_invite()?;
100
101 if let Some(third_party_invite) = third_party_invite {
102 let token = third_party_invite.token()?.to_owned();
103 let key = (StateEventType::RoomThirdPartyInvite, token);
104 if !auth_types.contains(&key) {
105 auth_types.push(key);
106 }
107 }
108 }
109
110 if membership == MembershipState::Join && rules.restricted_join_rule {
116 let join_authorised_via_users_server = content.join_authorised_via_users_server()?;
117 if let Some(user_id) = join_authorised_via_users_server {
118 let key = (StateEventType::RoomMember, user_id.to_string());
119 if !auth_types.contains(&key) {
120 auth_types.push(key);
121 }
122 }
123 }
124 }
125
126 Ok(auth_types)
127}
128
129#[instrument(skip_all, fields(event_id = incoming_event.event_id().borrow().as_str()))]
144pub fn check_state_independent_auth_rules<E: Event>(
145 rules: &AuthorizationRules,
146 incoming_event: impl Event,
147 fetch_event: impl Fn(&EventId) -> Option<E>,
148) -> Result<(), String> {
149 debug!("starting state-independent auth check");
150
151 if *incoming_event.event_type() == TimelineEventType::RoomCreate {
153 let room_create_event = RoomCreateEvent::new(incoming_event);
154
155 return check_room_create(room_create_event, rules);
156 }
157
158 let expected_auth_types = auth_types_for_event(
159 incoming_event.event_type(),
160 incoming_event.sender(),
161 incoming_event.state_key(),
162 incoming_event.content(),
163 rules,
164 )?
165 .into_iter()
166 .map(|(event_type, state_key)| (TimelineEventType::from(event_type), state_key))
167 .collect::<HashSet<_>>();
168
169 let Some(room_id) = incoming_event.room_id() else {
170 return Err("missing `room_id` field for event".to_owned());
171 };
172
173 let mut seen_auth_types: HashSet<(TimelineEventType, String)> =
174 HashSet::with_capacity(expected_auth_types.len());
175
176 for auth_event_id in incoming_event.auth_events() {
178 let event_id = auth_event_id.borrow();
179
180 let Some(auth_event) = fetch_event(event_id) else {
181 return Err(format!("failed to find auth event {event_id}"));
182 };
183
184 if auth_event.room_id().is_none_or(|auth_room_id| auth_room_id != room_id) {
186 return Err(format!("auth event {event_id} not in the same room"));
187 }
188
189 let event_type = auth_event.event_type();
190 let state_key = auth_event
191 .state_key()
192 .ok_or_else(|| format!("auth event {event_id} has no `state_key`"))?;
193 let key = (event_type.clone(), state_key.to_owned());
194
195 if seen_auth_types.contains(&key) {
197 return Err(format!(
198 "duplicate auth event {event_id} for ({event_type}, {state_key}) pair"
199 ));
200 }
201
202 if !expected_auth_types.contains(&key) {
205 return Err(format!(
206 "unexpected auth event {event_id} with ({event_type}, {state_key}) pair"
207 ));
208 }
209
210 if auth_event.rejected() {
213 return Err(format!("rejected auth event {event_id}"));
214 }
215
216 seen_auth_types.insert(key);
217 }
218
219 if !rules.room_create_event_id_as_room_id
221 && !seen_auth_types
222 .iter()
223 .any(|(event_type, _)| *event_type == TimelineEventType::RoomCreate)
224 {
225 return Err("no `m.room.create` event in auth events".to_owned());
226 }
227
228 if rules.room_create_event_id_as_room_id {
230 let room_create_event_id = room_id.room_create_event_id().map_err(|error| {
231 format!("could not construct `m.room.create` event ID from room ID: {error}")
232 })?;
233
234 let room_create_event = fetch_event(&room_create_event_id).ok_or_else(|| {
235 format!("failed to find `m.room.create` event {room_create_event_id}")
236 })?;
237
238 if room_create_event.rejected() {
239 return Err(format!("rejected `m.room.create` event {room_create_event_id}"));
240 }
241 }
242
243 Ok(())
244}
245
246#[instrument(skip_all, fields(event_id = incoming_event.event_id().borrow().as_str()))]
268pub fn check_state_dependent_auth_rules<E: Event>(
269 rules: &AuthorizationRules,
270 incoming_event: impl Event,
271 fetch_state: impl Fn(&StateEventType, &str) -> Option<E>,
272) -> Result<(), String> {
273 debug!("starting state-dependent auth check");
274
275 if *incoming_event.event_type() == TimelineEventType::RoomCreate {
277 debug!("allowing `m.room.create` event");
278 return Ok(());
279 }
280
281 let room_create_event = fetch_state.room_create_event()?;
282
283 let federate = room_create_event.federate()?;
286 if !federate
287 && room_create_event.sender().server_name() != incoming_event.sender().server_name()
288 {
289 return Err("\
290 room is not federated and event's sender domain \
291 does not match `m.room.create` event's sender domain"
292 .to_owned());
293 }
294
295 let sender = incoming_event.sender();
296
297 if rules.special_case_room_aliases
299 && *incoming_event.event_type() == TimelineEventType::RoomAliases
300 {
301 debug!("starting m.room.aliases check");
302 if incoming_event.state_key() != Some(sender.server_name().as_str()) {
306 return Err("\
307 server name of the `state_key` of `m.room.aliases` event \
308 does not match the server name of the sender"
309 .to_owned());
310 }
311
312 info!("`m.room.aliases` event was allowed");
314 return Ok(());
315 }
316
317 if *incoming_event.event_type() == TimelineEventType::RoomMember {
319 let room_member_event = RoomMemberEvent::new(incoming_event);
320 return check_room_member(room_member_event, rules, room_create_event, fetch_state);
321 }
322
323 let sender_membership = fetch_state.user_membership(sender)?;
325
326 if sender_membership != MembershipState::Join {
327 return Err("sender's membership is not `join`".to_owned());
328 }
329
330 let creators = room_create_event.creators(rules)?;
331 let current_room_power_levels_event = fetch_state.room_power_levels_event();
332
333 let sender_power_level =
334 current_room_power_levels_event.user_power_level(sender, &creators, rules)?;
335
336 if *incoming_event.event_type() == TimelineEventType::RoomThirdPartyInvite {
338 let invite_power_level = current_room_power_levels_event
341 .get_as_int_or_default(RoomPowerLevelsIntField::Invite, rules)?;
342
343 if sender_power_level < invite_power_level {
344 return Err("sender does not have enough power to send invites in this room".to_owned());
345 }
346
347 info!("`m.room.third_party_invite` event was allowed");
348 return Ok(());
349 }
350
351 let event_type_power_level = current_room_power_levels_event.event_power_level(
354 incoming_event.event_type(),
355 incoming_event.state_key(),
356 rules,
357 )?;
358 if sender_power_level < event_type_power_level {
359 return Err(format!(
360 "sender does not have enough power to send event of type `{}`",
361 incoming_event.event_type()
362 ));
363 }
364
365 if incoming_event.state_key().is_some_and(|k| k.starts_with('@'))
368 && incoming_event.state_key() != Some(incoming_event.sender().as_str())
369 {
370 return Err(
371 "sender cannot send event with `state_key` matching another user's ID".to_owned()
372 );
373 }
374
375 if *incoming_event.event_type() == TimelineEventType::RoomPowerLevels {
377 let room_power_levels_event = RoomPowerLevelsEvent::new(incoming_event);
378 return check_room_power_levels(
379 room_power_levels_event,
380 current_room_power_levels_event,
381 rules,
382 sender_power_level,
383 &creators,
384 );
385 }
386
387 if rules.special_case_room_redaction
389 && *incoming_event.event_type() == TimelineEventType::RoomRedaction
390 {
391 return check_room_redaction(
392 incoming_event,
393 current_room_power_levels_event,
394 rules,
395 sender_power_level,
396 );
397 }
398
399 info!("allowing event passed all checks");
401 Ok(())
402}
403
404fn check_room_create(
406 room_create_event: RoomCreateEvent<impl Event>,
407 rules: &AuthorizationRules,
408) -> Result<(), String> {
409 debug!("start `m.room.create` check");
410
411 if room_create_event.prev_events().next().is_some() {
413 return Err("`m.room.create` event cannot have previous events".into());
414 }
415
416 if rules.room_create_event_id_as_room_id {
417 if room_create_event.room_id().is_some() {
419 return Err("`m.room.create` event cannot have a `room_id` field".into());
420 }
421 } else {
422 let Some(room_id) = room_create_event.room_id() else {
424 return Err("missing `room_id` field in `m.room.create` event".into());
425 };
426 let Some(room_id_server_name) = room_id.server_name() else {
427 return Err(
428 "invalid `room_id` field in `m.room.create` event: could not parse server name"
429 .into(),
430 );
431 };
432
433 if room_id_server_name != room_create_event.sender().server_name() {
434 return Err("invalid `room_id` field in `m.room.create` event: server name does not match sender's server name".into());
435 }
436 }
437
438 if !rules.use_room_create_sender && !room_create_event.has_creator()? {
445 return Err("missing `creator` field in `m.room.create` event".into());
446 }
447
448 room_create_event.additional_creators(rules)?;
451
452 info!("`m.room.create` event was allowed");
454 Ok(())
455}
456
457fn check_room_power_levels(
459 room_power_levels_event: RoomPowerLevelsEvent<impl Event>,
460 current_room_power_levels_event: Option<RoomPowerLevelsEvent<impl Event>>,
461 rules: &AuthorizationRules,
462 sender_power_level: UserPowerLevel,
463 room_creators: &HashSet<OwnedUserId>,
464) -> Result<(), String> {
465 debug!("starting m.room.power_levels check");
466
467 let new_int_fields = room_power_levels_event.int_fields_map(rules)?;
470
471 let new_events = room_power_levels_event.events(rules)?;
474 let new_notifications = room_power_levels_event.notifications(rules)?;
475
476 let new_users = room_power_levels_event.users(rules)?;
481
482 if rules.explicitly_privilege_room_creators
485 && new_users.is_some_and(|new_users| {
486 room_creators.iter().any(|creator| new_users.contains_key(creator))
487 })
488 {
489 return Err("creator user IDs are not allowed in the `users` field".to_owned());
490 }
491
492 debug!("validation of power event finished");
493
494 let Some(current_room_power_levels_event) = current_room_power_levels_event else {
496 info!("initial m.room.power_levels event allowed");
497 return Ok(());
498 };
499
500 for field in RoomPowerLevelsIntField::ALL {
503 let current_power_level = current_room_power_levels_event.get_as_int(*field, rules)?;
504 let new_power_level = new_int_fields.get(field).copied();
505
506 if current_power_level == new_power_level {
507 continue;
508 }
509
510 let current_power_level_too_big =
513 current_power_level.unwrap_or_else(|| field.default_value()) > sender_power_level;
514 let new_power_level_too_big =
516 new_power_level.unwrap_or_else(|| field.default_value()) > sender_power_level;
517
518 if current_power_level_too_big || new_power_level_too_big {
519 return Err(format!(
520 "sender does not have enough power to change the power level of `{field}`"
521 ));
522 }
523 }
524
525 let current_events = current_room_power_levels_event.events(rules)?;
528 check_power_level_maps(
529 current_events.as_ref(),
530 new_events.as_ref(),
531 &sender_power_level,
532 |_, current_power_level| {
533 current_power_level > sender_power_level
537 },
538 |ev_type| {
539 format!(
540 "sender does not have enough power to change the `{ev_type}` event type power level"
541 )
542 },
543 )?;
544
545 if rules.limit_notifications_power_levels {
548 let current_notifications = current_room_power_levels_event.notifications(rules)?;
549 check_power_level_maps(
550 current_notifications.as_ref(),
551 new_notifications.as_ref(),
552 &sender_power_level,
553 |_, current_power_level| {
554 current_power_level > sender_power_level
559 },
560 |key| {
561 format!(
562 "sender does not have enough power to change the `{key}` notification power level"
563 )
564 },
565 )?;
566 }
567
568 let current_users = current_room_power_levels_event.users(rules)?;
571 check_power_level_maps(
572 current_users,
573 new_users,
574 &sender_power_level,
575 |user_id, current_power_level| {
576 user_id != room_power_levels_event.sender() && current_power_level >= sender_power_level
581 },
582 |user_id| format!("sender does not have enough power to change `{user_id}`'s power level"),
583 )?;
584
585 info!("m.room.power_levels event allowed");
587 Ok(())
588}
589
590fn check_power_level_maps<K: Ord>(
608 current: Option<&BTreeMap<K, Int>>,
609 new: Option<&BTreeMap<K, Int>>,
610 sender_power_level: &UserPowerLevel,
611 reject_current_power_level_change_fn: impl FnOnce(&K, Int) -> bool + Copy,
612 error_fn: impl FnOnce(&K) -> String,
613) -> Result<(), String> {
614 let keys_to_check = current
615 .iter()
616 .flat_map(|m| m.keys())
617 .chain(new.iter().flat_map(|m| m.keys()))
618 .collect::<BTreeSet<_>>();
619
620 for key in keys_to_check {
621 let current_power_level = current.as_ref().and_then(|m| m.get(key));
622 let new_power_level = new.as_ref().and_then(|m| m.get(key));
623
624 if current_power_level == new_power_level {
625 continue;
626 }
627
628 let current_power_level_change_rejected = current_power_level
630 .is_some_and(|power_level| reject_current_power_level_change_fn(key, *power_level));
631
632 let new_power_level_too_big = new_power_level.is_some_and(|pl| pl > sender_power_level);
635
636 if current_power_level_change_rejected || new_power_level_too_big {
637 return Err(error_fn(key));
638 }
639 }
640
641 Ok(())
642}
643
644fn check_room_redaction(
646 room_redaction_event: impl Event,
647 current_room_power_levels_event: Option<RoomPowerLevelsEvent<impl Event>>,
648 rules: &AuthorizationRules,
649 sender_level: UserPowerLevel,
650) -> Result<(), String> {
651 let redact_level = current_room_power_levels_event
652 .get_as_int_or_default(RoomPowerLevelsIntField::Redact, rules)?;
653
654 if sender_level >= redact_level {
656 info!("`m.room.redaction` event allowed via power levels");
657 return Ok(());
658 }
659
660 if room_redaction_event.event_id().borrow().server_name()
663 == room_redaction_event.redacts().as_ref().and_then(|&id| id.borrow().server_name())
664 {
665 info!("`m.room.redaction` event allowed via room version 1 rules");
666 return Ok(());
667 }
668
669 Err("`m.room.redaction` event did not pass any of the allow rules".to_owned())
671}
672
673trait FetchStateExt<E: Event> {
674 fn room_create_event(&self) -> Result<RoomCreateEvent<E>, String>;
675
676 fn user_membership(&self, user_id: &UserId) -> Result<MembershipState, String>;
677
678 fn room_power_levels_event(&self) -> Option<RoomPowerLevelsEvent<E>>;
679
680 fn join_rule(&self) -> Result<JoinRuleKind, String>;
681
682 fn room_third_party_invite_event(&self, token: &str) -> Option<RoomThirdPartyInviteEvent<E>>;
683}
684
685impl<E, F> FetchStateExt<E> for F
686where
687 F: Fn(&StateEventType, &str) -> Option<E>,
688 E: Event,
689{
690 fn room_create_event(&self) -> Result<RoomCreateEvent<E>, String> {
691 self(&StateEventType::RoomCreate, "")
692 .map(RoomCreateEvent::new)
693 .ok_or_else(|| "no `m.room.create` event in current state".to_owned())
694 }
695
696 fn user_membership(&self, user_id: &UserId) -> Result<MembershipState, String> {
697 self(&StateEventType::RoomMember, user_id.as_str()).map(RoomMemberEvent::new).membership()
698 }
699
700 fn room_power_levels_event(&self) -> Option<RoomPowerLevelsEvent<E>> {
701 self(&StateEventType::RoomPowerLevels, "").map(RoomPowerLevelsEvent::new)
702 }
703
704 fn join_rule(&self) -> Result<JoinRuleKind, String> {
705 self(&StateEventType::RoomJoinRules, "")
706 .map(RoomJoinRulesEvent::new)
707 .ok_or_else(|| "no `m.room.join_rules` event in current state".to_owned())?
708 .join_rule()
709 }
710
711 fn room_third_party_invite_event(&self, token: &str) -> Option<RoomThirdPartyInviteEvent<E>> {
712 self(&StateEventType::RoomThirdPartyInvite, token).map(RoomThirdPartyInviteEvent::new)
713 }
714}