forward requester id to check username for spam callbacks #17916

WilsonLe
Contributor

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
    • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
  • Code style is correct
    (run the linters)

@CLAassistant
CLAassistant commented Nov 11, 2024

CLA assistant check
All committers have signed the CLA.

@WilsonLe WilsonLe marked this pull request as ready for review November 11, 2024 08:51
@WilsonLe WilsonLe requested a review from a team as a code owner November 11, 2024 08:51
@@ -735,7 +738,9 @@ async def check_username_for_spam(self, user_profile: UserProfile) -> bool:
with Measure(self.clock, f"{callback.__module__}.{callback.__qualname__}"):
# Make a copy of the user profile object to ensure the spam checker cannot
# modify it.
res = await delay_cancellation(callback(user_profile.copy()))
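
Review bot: forwarding requester_id at the callback(user_profile.copy()) call on the last line has to stay compatible with callbacks that were registered with a single parameter, and that choice is better made from the callback's declared parameters than from a fixed parameter count, so a callback declared with *args or wrapped in functools.partial is still called correctly. Doing the signature inspection once when the callback is registered, rather than inside the with Measure(...) block on every call, also keeps the measured time limited to the callback itself. Keep user_profile.copy() and the delay_cancellation wrapper on both call paths.
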
Contributor

I think we need to not break current checkers that do not yet have requester_id in their signature.

Something like (untested and some stuff is missing, but it's so you get the idea):

checker_args = inspect.signature(callback)
if len(checker_args.parameters) == 2:
    callback(user_profile.copy(), requester_id)
else:
    callback(user_profile.copy())

Contributor Author

Added unit tests to ensure backwards compat
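
The backwards-compatible dispatch discussed in this thread, as an added example that is not part of the pull request or of Synapse's code. The names `accepts_requester_id` and `run_checker`, the dict stand-in for `UserProfile`, and the sample checkers and user IDs are assumptions constructed for illustration.

```python
import asyncio
import inspect
from typing import Any, Awaitable, Callable, Dict

# Stand-in for synapse.module_api.UserProfile (assumption: a plain dict).
UserProfile = Dict[str, Any]
Checker = Callable[..., Awaitable[bool]]


def accepts_requester_id(callback: Checker) -> bool:
    """True if `callback` can be called as callback(user_profile, requester_id)."""
    params = inspect.signature(callback).parameters.values()
    if any(p.kind is inspect.Parameter.VAR_POSITIONAL for p in params):
        return True
    positional = (inspect.Parameter.POSITIONAL_ONLY,
                  inspect.Parameter.POSITIONAL_OR_KEYWORD)
    return sum(p.kind in positional for p in params) >= 2


async def run_checker(callback: Checker, user_profile: UserProfile,
                      requester_id: str) -> bool:
    # Pass a copy so a checker cannot modify the caller's profile object.
    profile = dict(user_profile)
    if accepts_requester_id(callback):
        return await callback(profile, requester_id)
    return await callback(profile)  # legacy one-argument checker


# Constructed checkers: True means "treat as spam, drop from results".
async def legacy_checker(user_profile: UserProfile) -> bool:
    return "spam" in user_profile["display_name"].lower()


async def requester_aware_checker(user_profile: UserProfile,
                                  requester_id: str) -> bool:
    if user_profile["user_id"] == requester_id:
        return False  # never hide a user from their own search
    return "spam" in user_profile["display_name"].lower()


def demo() -> Dict[str, bool]:
    profile = {"user_id": "@u1:example.org", "display_name": "Spam Bot"}

    async def run() -> Dict[str, bool]:
        other, own = "@u2:example.org", "@u1:example.org"
        return {
            "legacy": await run_checker(legacy_checker, profile, other),
            "aware_other": await run_checker(requester_aware_checker, profile, other),
            "aware_self": await run_checker(requester_aware_checker, profile, own),
        }
    return asyncio.run(run())
```

Inspecting declared parameters instead of testing for a count of exactly two keeps `*args` callbacks and `functools.partial` wrappers working, which a strict `== 2` comparison would misroute.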

@MatMaul
Contributor

MatMaul commented Nov 12, 2024

Thanks for that!

docs/spam_checker.md and docs/modules/spam_checker_callbacks.md would also need an update.

async def allow_all_expects_requester_id(
user_profile: UserProfile, requester_id: str
) -> bool:
# Allow all users.
Contributor

Please add something like assert requester_id is not None to test that requester_id is correctly passed here.

Contributor Author

Added assert is instance of string checks

Member

Can we not do self.assertEqual(requester_id, u1)?


# Configure a spam checker that filters all users.
async def block_all_expects_requester_id(
user_profile: UserProfile, requester_id: str
Contributor

let's remove requester_id: str param here so we do test backward compatibility, and add a comment about it.

Contributor Author

I kept the old tests that do not have requester_id. I simply added more tests with requester_id.

Contributor Author

I'll add comments for backwards compatibility for these functions.

Contributor Author

Added

Contributor

I kept the old tests that do not have requester_id. I simply added more tests with requester_id.

Oh good point I haven't noticed, thanks for the comments.

Contributor

@MatMaul MatMaul left a comment

LGTM, we now need someone from the core team to trigger the CI :)

@github-actions github-actions bot deployed to PR Documentation Preview November 14, 2024 15:09 Active
WilsonLe and others added 2 commits November 15, 2024 02:45
Co-authored-by: Patrick Cloke <clokep@users.noreply.github.com>
Member

@erikjohnston erikjohnston left a comment

Otherwise, LGTM thanks!

@@ -245,7 +245,7 @@ this callback.
_First introduced in Synapse v1.37.0_

```python
async def check_username_for_spam(user_profile: synapse.module_api.UserProfile) -> bool
async def check_username_for_spam(user_profile: synapse.module_api.UserProfile, requester_id: str) -> bool
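
Review bot: the replacement signature on the last line shows requester_id: str as a required parameter, while the text above it still reads only "_First introduced in Synapse v1.37.0_", so a module author cannot tell from which Synapse version the second argument is passed or whether a callback declared with user_profile alone is still accepted. Add a "Changed in" line with the version next to the existing "First introduced" line, and one sentence covering the one-argument form.
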
Member

Can you add a sentence or two for what requester_id is please, something like:

The requester_id parameter is the ID of the user that called the user directory API.

Contributor Author

Added.

Contributor Author

@erikjohnston Hi I couldn't reply to your comment on using self.assertEqual(requester_id, u1) directly but I've added the checks.

async def allow_all_expects_requester_id(
user_profile: UserProfile, requester_id: str
) -> bool:
# Allow all users.
Member

Can we not do self.assertEqual(requester_id, u1)?

@github-actions github-actions bot deployed to PR Documentation Preview December 13, 2024 13:51 Active
@erikjohnston
Member

Thanks @WilsonLe, sorry it got dropped for a bit. Just FYI that you can rerequest review from people after you made changes, which makes it easier for us to not forget things :)

@erikjohnston erikjohnston enabled auto-merge (squash) December 13, 2024 13:51
@erikjohnston erikjohnston merged commit eedab12 into element-hq:develop Dec 13, 2024
41 checks passed
yingziwu added a commit to yingziwu/synapse that referenced this pull request Jan 16, 2025
Please note that this version of Synapse drops support for PostgreSQL 11 and 12. The minimum version of PostgreSQL supported is now version 13.

No significant changes since 1.122.0rc1.

- Remove support for PostgreSQL 11 and 12. Contributed by @clokep. ([\#18034](element-hq/synapse#18034))

- Added the `email.tlsname` config option.  This allows specifying the domain name used to validate the SMTP server's TLS certificate separately from the `email.smtp_host` to connect to. ([\#17849](element-hq/synapse#17849))
- Module developers will have access to the user ID of the requester when adding `check_username_for_spam` callbacks to `spam_checker_module_callbacks`. Contributed by Wilson@Pangea.chat. ([\#17916](element-hq/synapse#17916))
- Add endpoints to the Admin API to fetch the number of invites the provided user has sent after a given timestamp,
  fetch the number of rooms the provided user has joined after a given timestamp, and get report IDs of event
  reports against a provided user (i.e. where the user was the sender of the reported event). ([\#17948](element-hq/synapse#17948))
- Support stable account suspension from [MSC3823](matrix-org/matrix-spec-proposals#3823). ([\#17964](element-hq/synapse#17964))
- Add `macaroon_secret_key_path` config option. ([\#17983](element-hq/synapse#17983))

- Fix bug when rejecting withdrew invite with a `third_party_rules` module, where the invite would be stuck for the client. ([\#17930](element-hq/synapse#17930))
- Properly purge state groups tables when purging a room with the Admin API. ([\#18024](element-hq/synapse#18024))
- Fix a bug preventing the admin redaction endpoint from working on messages from remote users. ([\#18029](element-hq/synapse#18029), [\#18043](element-hq/synapse#18043))

- Update `synapse.app.generic_worker` documentation to only recommend `GET` requests for stream writer routes by default, unless the worker is also configured as a stream writer. Contributed by @evoL. ([\#17954](element-hq/synapse#17954))
- Add documentation for the previously-undocumented `last_seen_ts` query parameter to the query user Admin API. ([\#17976](element-hq/synapse#17976))
- Improve documentation for the `TaskScheduler` class. ([\#17992](element-hq/synapse#17992))
- Fix example in reverse proxy docs to include server port. ([\#17994](element-hq/synapse#17994))
- Update Alpine Linux Synapse Package Maintainer within the installation instructions. ([\#17846](element-hq/synapse#17846))

- Add `RoomID` & `EventID` rust types. ([\#17996](element-hq/synapse#17996))
- Fix various type errors across the codebase. ([\#17998](element-hq/synapse#17998))
- Disable DB statement timeout when doing a room purge since it can be quite long. ([\#18017](element-hq/synapse#18017))
- Remove some remaining uses of `twisted.internet.defer.returnValue`. Contributed by Colin Watson. ([\#18020](element-hq/synapse#18020))
- Refactor `get_profile` to no longer include fields with a value of `None`. ([\#18063](element-hq/synapse#18063))

* Bump anyhow from 1.0.93 to 1.0.95. ([\#18012](element-hq/synapse#18012), [\#18045](element-hq/synapse#18045))
* Bump authlib from 1.3.2 to 1.4.0. ([\#18048](element-hq/synapse#18048))
* Bump dawidd6/action-download-artifact from 6 to 7. ([\#17981](element-hq/synapse#17981))
* Bump http from 1.1.0 to 1.2.0. ([\#18013](element-hq/synapse#18013))
- Bump mypy from 1.11.2 to 1.12.1. ([\#17999](element-hq/synapse#17999))
* Bump mypy-zope from 1.0.8 to 1.0.9. ([\#18047](element-hq/synapse#18047))
* Bump pillow from 10.4.0 to 11.0.0. ([\#18015](element-hq/synapse#18015))
* Bump pydantic from 2.9.2 to 2.10.3. ([\#18014](element-hq/synapse#18014))
* Bump pyicu from 2.13.1 to 2.14. ([\#18060](element-hq/synapse#18060))
* Bump pyo3 from 0.23.2 to 0.23.3. ([\#18001](element-hq/synapse#18001))
* Bump python-multipart from 0.0.16 to 0.0.18. ([\#17985](element-hq/synapse#17985))
* Bump sentry-sdk from 2.17.0 to 2.19.2. ([\#18061](element-hq/synapse#18061))
* Bump serde from 1.0.215 to 1.0.217. ([\#18031](element-hq/synapse#18031), [\#18059](element-hq/synapse#18059))
* Bump serde_json from 1.0.133 to 1.0.134. ([\#18044](element-hq/synapse#18044))
* Bump twine from 5.1.1 to 6.0.1. ([\#18049](element-hq/synapse#18049))

**Changelogs for older versions can be found [here](docs/changelogs/).**