diff --git a/appservice/appservice.go b/appservice/appservice.go
index 95b8d95c2..f608e8e76 100644
--- a/appservice/appservice.go
+++ b/appservice/appservice.go
@@ -31,7 +31,6 @@ import (
 "github.com/matrix-org/dendrite/setup/config"
 "github.com/matrix-org/dendrite/setup/kafka"
 userapi "github.com/matrix-org/dendrite/userapi/api"
- "github.com/matrix-org/gomatrixserverlib"
 "github.com/sirupsen/logrus"
 )
 
@@ -44,10 +43,10 @@ func AddInternalRoutes(router *mux.Router, queryAPI appserviceAPI.AppServiceQuer
 // can call functions directly on the returned API or via an HTTP interface using AddInternalRoutes.
 func NewInternalAPI(
 base *setup.BaseDendrite,
- client *gomatrixserverlib.Client,
 userAPI userapi.UserInternalAPI,
 rsAPI roomserverAPI.RoomserverInternalAPI,
 ) appserviceAPI.AppServiceQueryAPI {
+ client := base.CreateAppserviceClient()
 consumer, _ := kafka.SetupConsumerProducer(&base.Cfg.Global.Kafka)
 
 // Create a connection to the appservice postgres DB
diff --git a/build/gobind/monolith.go b/build/gobind/monolith.go
index 58fe0d155..332d156bd 100644
--- a/build/gobind/monolith.go
+++ b/build/gobind/monolith.go
@@ -129,7 +129,7 @@ func (m *DendriteMonolith) Start() {
 base, cache.New(), userAPI,
 )
 
- asAPI := appservice.NewInternalAPI(base, base.CreateClient(), userAPI, rsAPI)
+ asAPI := appservice.NewInternalAPI(base, userAPI, rsAPI)
 rsAPI.SetAppserviceAPI(asAPI)
 
 ygg.SetSessionFunc(func(address string) {
diff --git a/cmd/dendrite-demo-libp2p/main.go b/cmd/dendrite-demo-libp2p/main.go
index 2e8792b2d..0610ec777 100644
--- a/cmd/dendrite-demo-libp2p/main.go
+++ b/cmd/dendrite-demo-libp2p/main.go
@@ -163,7 +163,7 @@ func main() {
 eduInputAPI := eduserver.NewInternalAPI(
 &base.Base, cache.New(), userAPI,
 )
- asAPI := appservice.NewInternalAPI(&base.Base, base.Base.CreateClient(), userAPI, rsAPI)
+ asAPI := appservice.NewInternalAPI(&base.Base, userAPI, rsAPI)
 rsAPI.SetAppserviceAPI(asAPI)
 fsAPI := federationsender.NewInternalAPI(
 &base.Base, federation, rsAPI, keyRing,
diff --git a/cmd/dendrite-demo-yggdrasil/main.go b/cmd/dendrite-demo-yggdrasil/main.go
index b74a74a65..2a4a335ab 100644
--- a/cmd/dendrite-demo-yggdrasil/main.go
+++ b/cmd/dendrite-demo-yggdrasil/main.go
@@ -111,7 +111,7 @@ func main() {
 base, cache.New(), userAPI,
 )
 
- asAPI := appservice.NewInternalAPI(base, base.CreateClient(), userAPI, rsAPI)
+ asAPI := appservice.NewInternalAPI(base, userAPI, rsAPI)
 rsAPI.SetAppserviceAPI(asAPI)
 fsAPI := federationsender.NewInternalAPI(
 base, federation, rsAPI, keyRing,
diff --git a/cmd/dendrite-monolith-server/main.go b/cmd/dendrite-monolith-server/main.go
index b8a3e231f..b82f73211 100644
--- a/cmd/dendrite-monolith-server/main.go
+++ b/cmd/dendrite-monolith-server/main.go
@@ -121,9 +121,7 @@ func main() {
 eduInputAPI = base.EDUServerClient()
 }
 
- client := base.CreateClient()
-
- asAPI := appservice.NewInternalAPI(base, client, userAPI, rsAPI)
+ asAPI := appservice.NewInternalAPI(base, userAPI, rsAPI)
 if base.UseHTTPAPIs {
 appservice.AddInternalRoutes(base.InternalAPIMux, asAPI)
 asAPI = base.AppserviceHTTPClient()
@@ -133,7 +131,7 @@ func main() {
 monolith := setup.Monolith{
 Config: base.Cfg,
 AccountDB: accountDB,
- Client: client,
+ Client: base.CreateClient(),
 FedClient: federation,
 KeyRing: keyRing,
diff --git a/cmd/dendrite-polylith-multi/personalities/appservice.go b/cmd/dendrite-polylith-multi/personalities/appservice.go
index 5be3e594e..d269b15d4 100644
--- a/cmd/dendrite-polylith-multi/personalities/appservice.go
+++ b/cmd/dendrite-polylith-multi/personalities/appservice.go
@@ -23,9 +23,8 @@ import (
 func Appservice(base *setup.BaseDendrite, cfg *config.Dendrite) {
 userAPI := base.UserAPIClient()
 rsAPI := base.RoomserverHTTPClient()
- client := base.CreateClient()
 
- intAPI := appservice.NewInternalAPI(base, client, userAPI, rsAPI)
+ intAPI := appservice.NewInternalAPI(base, userAPI, rsAPI)
 appservice.AddInternalRoutes(base.InternalAPIMux, intAPI)
 
 base.SetupAndServeHTTP(
diff --git a/cmd/generate-config/main.go b/cmd/generate-config/main.go
index fa0da10c5..9ef0f0b41 100644
--- a/cmd/generate-config/main.go
+++ b/cmd/generate-config/main.go
@@ -61,6 +61,7 @@ func main() {
 }
 
 if *defaultsForCI {
+ cfg.AppServiceAPI.DisableTLSValidation = true
 cfg.ClientAPI.RateLimiting.Enabled = false
 cfg.FederationSender.DisableTLSValidation = true
 cfg.MSCs.MSCs = []string{"msc2836", "msc2946", "msc2444", "msc2753"}
diff --git a/dendrite-config.yaml b/dendrite-config.yaml
index a3d1065d4..bf604c9d6 100644
--- a/dendrite-config.yaml
+++ b/dendrite-config.yaml
@@ -125,6 +125,11 @@ app_service_api:
 max_idle_conns: 2
 conn_max_lifetime: -1
 
+ # Disable the validation of TLS certificates of appservices. This is
+ # not recommended in production since it may allow appservice traffic
+ # to be sent to an unverified endpoint.
+ disable_tls_validation: false
+
 # Appservice configuration files to load into this homeserver.
 config_files: []
 
diff --git a/setup/base.go b/setup/base.go
index e9aa2a45e..9919bd42c 100644
--- a/setup/base.go
+++ b/setup/base.go
@@ -290,6 +290,20 @@ func (b *BaseDendrite) CreateClient() *gomatrixserverlib.Client {
 return client
 }
 
+// CreateClient creates a new client (normally used for media fetch requests).
+// Should only be called once per component.
+func (b *BaseDendrite) CreateAppserviceClient() *gomatrixserverlib.Client {
+ opts := []gomatrixserverlib.ClientOption{
+ gomatrixserverlib.WithSkipVerify(b.Cfg.AppServiceAPI.DisableTLSValidation),
+ }
+ if b.Cfg.Global.DNSCache.Enabled {
+ opts = append(opts, gomatrixserverlib.WithDNSCache(b.DNSCache))
+ }
+ client := gomatrixserverlib.NewClient(opts...)
+ client.SetUserAgent(fmt.Sprintf("Dendrite/%s", internal.VersionString()))
+ return client
+}
+
 // CreateFederationClient creates a new federation client. Should only be called
 // once per component.
 func (b *BaseDendrite) CreateFederationClient() *gomatrixserverlib.FederationClient {
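Review bot: The doc comment on the new CreateAppserviceClient in setup/base.go is copied from CreateClient: it names the wrong function and describes media fetch requests, so godoc will attach a misleading description to a method whose distinguishing feature is the TLS-verification setting. Suggest `// CreateAppserviceClient creates a new client for contacting appservices. It skips TLS certificate verification when app_service_api.disable_tls_validation is set, so it must only be used for appservice traffic. Should only be called once per component.` Because WithSkipVerify silently disables certificate checks for every appservice URL when the flag is true, it would also help operators if a warning-level log line were emitted here when b.Cfg.AppServiceAPI.DisableTLSValidation is set, so a weakened configuration is visible in the logs rather than only in the config file; the context lines at the top of the hunk are the tail of CreateClient, whose body starts above it.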
diff --git a/setup/config/config_appservice.go b/setup/config/config_appservice.go
index a042691db..a6f77abfe 100644
--- a/setup/config/config_appservice.go
+++ b/setup/config/config_appservice.go
@@ -33,6 +33,10 @@ type AppServiceAPI struct {
 
 Database DatabaseOptions `yaml:"database"`
 
+ // DisableTLSValidation disables the validation of X.509 TLS certs
+ // on appservice endpoints. This is not recommended in production!
+ DisableTLSValidation bool `yaml:"disable_tls_validation"`
+
 ConfigFiles []string `yaml:"config_files"`
 }
 