Add appservice-specific client and ability to control TLS validation for appservices only

2025-12-26 08:13:09 -06:00 · 2021-03-04 14:38:26 +00:00 · 2021-03-04 14:38:26 +00:00 · d327bacf28
parent 9cf65c51f0
commit d327bacf28
10 changed files with 31 additions and 11 deletions
--- a/appservice/appservice.go
+++ b/appservice/appservice.go
@ -31,7 +31,6 @@ import (
 	"github.com/matrix-org/dendrite/setup/config"
 	"github.com/matrix-org/dendrite/setup/kafka"
 	userapi "github.com/matrix-org/dendrite/userapi/api"
-	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/sirupsen/logrus"
 )

@ -44,10 +43,10 @@ func AddInternalRoutes(router *mux.Router, queryAPI appserviceAPI.AppServiceQuer
 // can call functions directly on the returned API or via an HTTP interface using AddInternalRoutes.
 func NewInternalAPI(
 	base *setup.BaseDendrite,
-	client *gomatrixserverlib.Client,
 	userAPI userapi.UserInternalAPI,
 	rsAPI roomserverAPI.RoomserverInternalAPI,
 ) appserviceAPI.AppServiceQueryAPI {
+	client := base.CreateAppserviceClient()
 	consumer, _ := kafka.SetupConsumerProducer(&base.Cfg.Global.Kafka)

 	// Create a connection to the appservice postgres DB
--- a/build/gobind/monolith.go
+++ b/build/gobind/monolith.go
@ -129,7 +129,7 @@ func (m *DendriteMonolith) Start() {
 		base, cache.New(), userAPI,
 	)

-	asAPI := appservice.NewInternalAPI(base, base.CreateClient(), userAPI, rsAPI)
+	asAPI := appservice.NewInternalAPI(base, userAPI, rsAPI)
 	rsAPI.SetAppserviceAPI(asAPI)

 	ygg.SetSessionFunc(func(address string) {
--- a/cmd/dendrite-demo-libp2p/main.go
+++ b/cmd/dendrite-demo-libp2p/main.go
@ -163,7 +163,7 @@ func main() {
 	eduInputAPI := eduserver.NewInternalAPI(
 		&base.Base, cache.New(), userAPI,
 	)
-	asAPI := appservice.NewInternalAPI(&base.Base, base.Base.CreateClient(), userAPI, rsAPI)
+	asAPI := appservice.NewInternalAPI(&base.Base, userAPI, rsAPI)
 	rsAPI.SetAppserviceAPI(asAPI)
 	fsAPI := federationsender.NewInternalAPI(
 		&base.Base, federation, rsAPI, keyRing,
--- a/cmd/dendrite-demo-yggdrasil/main.go
+++ b/cmd/dendrite-demo-yggdrasil/main.go
@ -111,7 +111,7 @@ func main() {
 		base, cache.New(), userAPI,
 	)

-	asAPI := appservice.NewInternalAPI(base, base.CreateClient(), userAPI, rsAPI)
+	asAPI := appservice.NewInternalAPI(base, userAPI, rsAPI)
 	rsAPI.SetAppserviceAPI(asAPI)
 	fsAPI := federationsender.NewInternalAPI(
 		base, federation, rsAPI, keyRing,
--- a/cmd/dendrite-monolith-server/main.go
+++ b/cmd/dendrite-monolith-server/main.go
@ -121,9 +121,7 @@ func main() {
 		eduInputAPI = base.EDUServerClient()
 	}

-	client := base.CreateClient()
-
-	asAPI := appservice.NewInternalAPI(base, client, userAPI, rsAPI)
+	asAPI := appservice.NewInternalAPI(base, userAPI, rsAPI)
 	if base.UseHTTPAPIs {
 		appservice.AddInternalRoutes(base.InternalAPIMux, asAPI)
 		asAPI = base.AppserviceHTTPClient()
@ -133,7 +131,7 @@ func main() {
 	monolith := setup.Monolith{
 		Config:    base.Cfg,
 		AccountDB: accountDB,
-		Client:    client,
+		Client:    base.CreateClient(),
 		FedClient: federation,
 		KeyRing:   keyRing,

--- a/cmd/dendrite-polylith-multi/personalities/appservice.go
+++ b/cmd/dendrite-polylith-multi/personalities/appservice.go
@ -23,9 +23,8 @@ import (
 func Appservice(base *setup.BaseDendrite, cfg *config.Dendrite) {
 	userAPI := base.UserAPIClient()
 	rsAPI := base.RoomserverHTTPClient()
-	client := base.CreateClient()

-	intAPI := appservice.NewInternalAPI(base, client, userAPI, rsAPI)
+	intAPI := appservice.NewInternalAPI(base, userAPI, rsAPI)
 	appservice.AddInternalRoutes(base.InternalAPIMux, intAPI)

 	base.SetupAndServeHTTP(
--- a/cmd/generate-config/main.go
+++ b/cmd/generate-config/main.go
@ -61,6 +61,7 @@ func main() {
 	}

 	if *defaultsForCI {
+		cfg.AppServiceAPI.DisableTLSValidation = true
 		cfg.ClientAPI.RateLimiting.Enabled = false
 		cfg.FederationSender.DisableTLSValidation = true
 		cfg.MSCs.MSCs = []string{"msc2836", "msc2946", "msc2444", "msc2753"}
--- a/dendrite-config.yaml
+++ b/dendrite-config.yaml
@ -125,6 +125,11 @@ app_service_api:
    max_idle_conns: 2
    conn_max_lifetime: -1

+  # Disable the validation of TLS certificates of appservices. This is
+  # not recommended in production since it may allow appservice traffic
+  # to be sent to an unverified endpoint.
+  disable_tls_validation: false
+
  # Appservice configuration files to load into this homeserver.
  config_files: []

--- a/setup/base.go
+++ b/setup/base.go
@ -290,6 +290,20 @@ func (b *BaseDendrite) CreateClient() *gomatrixserverlib.Client {
 	return client
 }

+// CreateClient creates a new client (normally used for media fetch requests).
+// Should only be called once per component.
+func (b *BaseDendrite) CreateAppserviceClient() *gomatrixserverlib.Client {
+	opts := []gomatrixserverlib.ClientOption{
+		gomatrixserverlib.WithSkipVerify(b.Cfg.AppServiceAPI.DisableTLSValidation),
+	}
+	if b.Cfg.Global.DNSCache.Enabled {
+		opts = append(opts, gomatrixserverlib.WithDNSCache(b.DNSCache))
+	}
+	client := gomatrixserverlib.NewClient(opts...)
+	client.SetUserAgent(fmt.Sprintf("Dendrite/%s", internal.VersionString()))
+	return client
+}
+
 // CreateFederationClient creates a new federation client. Should only be called
 // once per component.
 func (b *BaseDendrite) CreateFederationClient() *gomatrixserverlib.FederationClient {
--- a/setup/config/config_appservice.go
+++ b/setup/config/config_appservice.go
@ -33,6 +33,10 @@ type AppServiceAPI struct {

 	Database DatabaseOptions `yaml:"database"`

+	// DisableTLSValidation disables the validation of X.509 TLS certs
+	// on appservice endpoints. This is not recommended in production!
+	DisableTLSValidation bool `yaml:"disable_tls_validation"`
+
 	ConfigFiles []string `yaml:"config_files"`
 }