MSC4380 implementation

An implementation of MSC4380, leaning heavily on what's already there for
MSC4155.

It has its own `experimental_features` flag. If both MSC4155 and MSC4380 are
enabled, and a user has both configurations set, then we prioritise the MSC4380
one.

Author: richvdh

synapse/api/constants.py

@@ -307,6 +307,10 @@ class AccountDataTypes:
     MSC4155_INVITE_PERMISSION_CONFIG: Final = (
         "org.matrix.msc4155.invite_permission_config"
     )
+    # MSC4380: Invite blocking
+    MSC4380_INVITE_PERMISSION_CONFIG: Final = (
+        "org.matrix.msc4380.invite_permission_config"
+    )
     # Synapse-specific behaviour. See "Client-Server API Extensions" documentation
     # in Admin API for more information.
     SYNAPSE_ADMIN_CLIENT_CONFIG: Final = "io.element.synapse.admin_client_config"

synapse/api/errors.py

@@ -137,7 +137,7 @@ class Codes(str, Enum):
     PROFILE_TOO_LARGE = "M_PROFILE_TOO_LARGE"
     KEY_TOO_LARGE = "M_KEY_TOO_LARGE"
 
-    # Part of MSC4155
+    # Part of MSC4155/MSC4380
     INVITE_BLOCKED = "ORG.MATRIX.MSC4155.M_INVITE_BLOCKED"
 
     # Part of MSC4190

synapse/config/experimental.py

@@ -593,3 +593,6 @@ def read_config(
         # MSC4306: Thread Subscriptions
         # (and MSC4308: Thread Subscriptions extension to Sliding Sync)
         self.msc4306_enabled: bool = experimental.get("msc4306_enabled", False)
+
+        # MSC4380: Invite blocking
+        self.msc4380_enabled: bool = experimental.get("msc4380_enabled", False)

synapse/rest/client/versions.py

@@ -182,6 +182,8 @@ async def on_GET(self, request: SynapseRequest) -> tuple[int, JsonDict]:
                     "org.matrix.msc4306": self.config.experimental.msc4306_enabled,
                     # MSC4169: Backwards-compatible redaction sending using `/send`
                     "com.beeper.msc4169": self.config.experimental.msc4169_enabled,
+                    # MSC4380: Invite blocking
+                    "org.matrix.msc4380": self.config.experimental.msc4380_enabled,
                 },
             },
         )

synapse/storage/databases/main/account_data.py

@@ -43,6 +43,7 @@
 from synapse.storage.invite_rule import (
     InviteRulesConfig,
     MSC4155InviteRulesConfig,
+    MSC4380InviteRulesConfig,
     AllowAllInviteRulesConfig,
 )
 from synapse.storage.util.id_generators import MultiWriterIdGenerator
@@ -108,6 +109,7 @@ def __init__(
         )
 
         self._msc4155_enabled = hs.config.experimental.msc4155_enabled
+        self._msc4380_enabled = hs.config.experimental.msc4380_enabled
 
     def get_max_account_data_stream_id(self) -> int:
         """Get the current max stream ID for account data stream
@@ -571,6 +573,15 @@ async def get_invite_config_for_user(self, user_id: str) -> InviteRulesConfig:
         Args:
             user_id: The user whose invite configuration should be returned.
         """
+        if self._msc4380_enabled:
+            data = await self.get_global_account_data_by_type_for_user(
+                user_id, AccountDataTypes.MSC4380_INVITE_PERMISSION_CONFIG
+            )
+            # If the user has an MSC4380-style config setting, prioritise that
+            # above an MSC4155 one
+            if data is not None:
+                return MSC4380InviteRulesConfig.from_account_data(data)
+
         if self._msc4155_enabled:
             data = await self.get_global_account_data_by_type_for_user(
                 user_id, AccountDataTypes.MSC4155_INVITE_PERMISSION_CONFIG

synapse/storage/invite_rule.py

@@ -130,3 +130,20 @@ def get_invite_rule(self, user_id: str) -> InviteRule:
                     return rule
 
         return InviteRule.ALLOW
+
+
+@attr.s(slots=True, auto_attribs=True)
+class MSC4380InviteRulesConfig(InviteRulesConfig):
+    block_all: bool
+    """If true, all invites are blocked."""
+
+    @classmethod
+    def from_account_data(cls, data: JsonMapping) -> "MSC4380InviteRulesConfig":
+        block_all = data.get("block_all")
+        if not isinstance(block_all, bool):
+            block_all = False
+
+        return cls(block_all=block_all)
+
+    def get_invite_rule(self, inviter_user_id: str) -> InviteRule:
+        return InviteRule.BLOCK if self.block_all else InviteRule.ALLOW

tests/handlers/test_room_member.py

@@ -458,7 +458,9 @@ def test_deduplicate_joins(self) -> None:
         self.assertEqual(initial_count, new_count)
 
 
-class TestInviteFiltering(FederatingHomeserverTestCase):
+class TestMSC4155InviteFiltering(FederatingHomeserverTestCase):
+    """Tests for MSC4155-style invite filtering."""
+
     servlets = [
         synapse.rest.admin.register_servlets,
         synapse.rest.client.login.register_servlets,
@@ -618,3 +620,145 @@ def test_msc4155_block_invite_remote_server(self) -> None:
         ).value
         self.assertEqual(f.code, 403)
         self.assertEqual(f.errcode, "ORG.MATRIX.MSC4155.M_INVITE_BLOCKED")
+
+
+class TestMSC4380InviteFiltering(FederatingHomeserverTestCase):
+    """Tests for MSC4380-style invite filtering."""
+
+    servlets = [
+        synapse.rest.admin.register_servlets,
+        synapse.rest.client.login.register_servlets,
+        synapse.rest.client.room.register_servlets,
+    ]
+
+    def prepare(self, reactor: MemoryReactor, clock: Clock, hs: HomeServer) -> None:
+        self.handler = hs.get_room_member_handler()
+        self.fed_handler = hs.get_federation_handler()
+        self.store = hs.get_datastores().main
+
+        # Create two users.
+        self.alice = self.register_user("alice", "pass")
+        self.alice_token = self.login("alice", "pass")
+        self.bob = self.register_user("bob", "pass")
+        self.bob_token = self.login("bob", "pass")
+
+    @override_config({"experimental_features": {"msc4380_enabled": True}})
+    def test_misc4380_block_invite_local(self) -> None:
+        """Test that MSC4380 will block a user from being invited to a room"""
+        room_id = self.helper.create_room_as(self.alice, tok=self.alice_token)
+
+        self.get_success(
+            self.store.add_account_data_for_user(
+                self.bob,
+                AccountDataTypes.MSC4380_INVITE_PERMISSION_CONFIG,
+                {
+                    "block_all": True,
+                },
+            )
+        )
+
+        f = self.get_failure(
+            self.handler.update_membership(
+                requester=create_requester(self.alice),
+                target=UserID.from_string(self.bob),
+                room_id=room_id,
+                action=Membership.INVITE,
+            ),
+            SynapseError,
+        ).value
+        self.assertEqual(f.code, 403)
+        self.assertEqual(f.errcode, "ORG.MATRIX.MSC4155.M_INVITE_BLOCKED")
+
+    @override_config({"experimental_features": {"msc4380_enabled": True}})
+    def test_misc4380_non_bool_setting(self) -> None:
+        """Test that `block_all` being set to something non-booly is the same as False."""
+        room_id = self.helper.create_room_as(self.alice, tok=self.alice_token)
+
+        self.get_success(
+            self.store.add_account_data_for_user(
+                self.bob,
+                AccountDataTypes.MSC4380_INVITE_PERMISSION_CONFIG,
+                {
+                    "block_all": "True",
+                },
+            )
+        )
+
+        self.get_success(
+            self.handler.update_membership(
+                requester=create_requester(self.alice),
+                target=UserID.from_string(self.bob),
+                room_id=room_id,
+                action=Membership.INVITE,
+            )
+        )
+
+    @override_config({"experimental_features": {"msc4380_enabled": False}})
+    def test_msc4380_disabled_allow_invite_local(self) -> None:
+        """Test that MSC4380 will block a user from being invited to a room"""
+        room_id = self.helper.create_room_as(self.alice, tok=self.alice_token)
+
+        self.get_success(
+            self.store.add_account_data_for_user(
+                self.bob,
+                AccountDataTypes.MSC4380_INVITE_PERMISSION_CONFIG,
+                {
+                    "block_all": True,
+                },
+            )
+        )
+
+        self.get_success(
+            self.handler.update_membership(
+                requester=create_requester(self.alice),
+                target=UserID.from_string(self.bob),
+                room_id=room_id,
+                action=Membership.INVITE,
+            ),
+        )
+
+    @override_config({"experimental_features": {"msc4380_enabled": True}})
+    def test_msc4380_block_invite_remote(self) -> None:
+        """Test that MSC4380 will block a user from being invited to a room by a remote user."""
+        # A remote user who sends the invite
+        remote_server = "otherserver"
+        remote_user = "@otheruser:" + remote_server
+
+        self.get_success(
+            self.store.add_account_data_for_user(
+                self.bob,
+                AccountDataTypes.MSC4380_INVITE_PERMISSION_CONFIG,
+                {"block_all": True},
+            )
+        )
+
+        room_id = self.helper.create_room_as(
+            room_creator=self.alice, tok=self.alice_token
+        )
+        room_version = self.get_success(self.store.get_room_version(room_id))
+
+        invite_event = event_from_pdu_json(
+            {
+                "type": EventTypes.Member,
+                "content": {"membership": "invite"},
+                "room_id": room_id,
+                "sender": remote_user,
+                "state_key": self.bob,
+                "depth": 32,
+                "prev_events": [],
+                "auth_events": [],
+                "origin_server_ts": self.clock.time_msec(),
+            },
+            room_version,
+        )
+
+        f = self.get_failure(
+            self.fed_handler.on_invite_request(
+                remote_server,
+                invite_event,
+                invite_event.room_version,
+            ),
+            SynapseError,
+        ).value
+        self.assertEqual(f.code, 403)
+        self.assertEqual(f.errcode, "ORG.MATRIX.MSC4155.M_INVITE_BLOCKED")