Gate registration and guest access per-virtual host

clientapi/routing/register.go

@@ -650,7 +650,13 @@ func handleGuestRegistration(
 	cfg *config.ClientAPI,
 	userAPI userapi.ClientUserAPI,
 ) util.JSONResponse {
-	if cfg.RegistrationDisabled || cfg.GuestsDisabled {
+	registrationEnabled := !cfg.RegistrationDisabled
+	guestsEnabled := !cfg.GuestsDisabled
+	if r.ServerName != cfg.Matrix.ServerName {
+		registrationEnabled, guestsEnabled = cfg.Matrix.VirtualHost(r.ServerName).RegistrationAllowed()
+	}
+
+	if !registrationEnabled || !guestsEnabled {
 		return util.JSONResponse{
 			Code: http.StatusForbidden,
 			JSON: jsonerror.Forbidden("Guest registration is disabled"),
@@ -660,6 +666,7 @@ func handleGuestRegistration(
 	var res userapi.PerformAccountCreationResponse
 	err := userAPI.PerformAccountCreation(req.Context(), &userapi.PerformAccountCreationRequest{
 		AccountType: userapi.AccountTypeGuest,
+		ServerName:  r.ServerName,
 	}, &res)
 	if err != nil {
 		return util.JSONResponse{
@@ -736,7 +743,11 @@ func handleRegistrationFlow(
 		)
 	}
 
-	if cfg.RegistrationDisabled && r.Auth.Type != authtypes.LoginTypeSharedSecret {
+	registrationEnabled := !cfg.RegistrationDisabled
+	if r.ServerName != cfg.Matrix.ServerName {
+		registrationEnabled, _ = cfg.Matrix.VirtualHost(r.ServerName).RegistrationAllowed()
+	}
+	if !registrationEnabled && r.Auth.Type != authtypes.LoginTypeSharedSecret {
 		return util.JSONResponse{
 			Code: http.StatusForbidden,
 			JSON: jsonerror.Forbidden("Registration is disabled"),

setup/config/config.go

@@ -235,7 +235,7 @@ func loadConfig(
 		if v.KeyValidityPeriod == 0 {
 			v.KeyValidityPeriod = c.Global.KeyValidityPeriod
 		}
-		if v.PrivateKeyPath == "" {
+		if v.PrivateKeyPath == "" || v.PrivateKey == nil || v.KeyID == "" {
 			v.KeyID = c.Global.KeyID
 			v.PrivateKey = c.Global.PrivateKey
 			continue

setup/config/config_global.go

@@ -151,6 +151,15 @@ func (c *Global) SplitLocalID(sigil byte, id string) (string, gomatrixserverlib.
 	return u, s, nil
 }
 
+func (c *Global) VirtualHost(serverName gomatrixserverlib.ServerName) *VirtualHost {
+	for _, v := range c.VirtualHosts {
+		if v.ServerName == serverName {
+			return v
+		}
+	}
+	return nil
+}
+
 func (c *Global) SigningIdentityFor(serverName gomatrixserverlib.ServerName) (*gomatrixserverlib.SigningIdentity, error) {
 	for _, id := range c.SigningIdentities() {
 		if id.ServerName == serverName {
@@ -202,6 +211,9 @@ type VirtualHost struct {
 
 	// Is registration enabled on this virtual host?
 	AllowRegistration bool `json:"allow_registration"`
+
+	// Is guest registration enabled on this virtual host?
+	AllowGuests bool `json:"allow_guests"`
 }
 
 func (v *VirtualHost) Verify(configErrs *ConfigErrors) {
@@ -216,6 +228,16 @@ func (v *VirtualHost) SigningIdentity() *gomatrixserverlib.SigningIdentity {
 	}
 }
 
+// RegistrationAllowed returns two bools, the first states whether registration
+// is allowed for this virtual host and the second states whether guests are
+// allowed for this virtual host.
+func (v *VirtualHost) RegistrationAllowed() (bool, bool) {
+	if v == nil {
+		return false, false
+	}
+	return v.AllowRegistration, v.AllowGuests
+}
+
 type OldVerifyKeys struct {
 	// Path to the private key.
 	PrivateKeyPath Path `yaml:"private_key"`