-
Notifications
You must be signed in to change notification settings - Fork 567
Add experimental support for letting application services proxy namespaces in the C-S and S-S API #19972
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
Johennes
wants to merge
5
commits into
element-hq:develop
Choose a base branch
from
Johennes:johannes/app-service-proxying
base: develop
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Add experimental support for letting application services proxy namespaces in the C-S and S-S API #19972
Changes from all commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
99351e1
Add appservice configuration option for proxy prefix
Johennes 6114739
Proxy C-S requests to app services
Johennes bb7c5bb
Proxy S-S requests to app services
Johennes e88742b
Document registration property
Johennes bacc9c9
Add changelog
Johennes File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| Add experimental support for letting application services proxy namespaces in the C-S and S-S API. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
103 changes: 103 additions & 0 deletions
103
synapse/federation/transport/server/appservice_proxy.py
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,103 @@ | ||
| # | ||
| # This file is licensed under the Affero General Public License (AGPL) version 3. | ||
| # | ||
| # Copyright (C) 2026 Element Creations Ltd | ||
| # | ||
| # This program is free software: you can redistribute it and/or modify | ||
| # it under the terms of the GNU Affero General Public License as | ||
| # published by the Free Software Foundation, either version 3 of the | ||
| # License, or (at your option) any later version. | ||
| # | ||
| # See the GNU Affero General Public License for more details: | ||
| # <https://www.gnu.org/licenses/agpl-3.0.html>. | ||
| # | ||
|
|
||
| import logging | ||
| import re | ||
| from http import HTTPStatus | ||
| from io import BytesIO | ||
| from typing import TYPE_CHECKING | ||
|
|
||
| from synapse.api.errors import Codes, SynapseError | ||
| from synapse.appservice import ApplicationService | ||
| from synapse.federation.transport.server._base import Authenticator | ||
| from synapse.http import QuieterFileBodyProducer | ||
| from synapse.http.appservice_proxy import proxy_request_to_appservice | ||
| from synapse.http.server import HttpServer, ServletCallback | ||
| from synapse.http.site import SynapseRequest | ||
| from synapse.util.json import json_decoder | ||
| from synapse.util.ratelimitutils import FederationRateLimiter | ||
|
|
||
| if TYPE_CHECKING: | ||
| from synapse.server import HomeServer | ||
|
|
||
| logger = logging.getLogger(__name__) | ||
|
|
||
|
|
||
| def _make_proxy_callback( | ||
| hs: "HomeServer", | ||
| authenticator: Authenticator, | ||
| ratelimiter: FederationRateLimiter, | ||
| appservice: ApplicationService, | ||
| ) -> ServletCallback: | ||
| async def _proxy(request: SynapseRequest, **kwargs: str) -> None: | ||
| raw_body = request.content.read() # type: ignore[union-attr] | ||
|
|
||
| content = None | ||
| if request.method in (b"PUT", b"POST"): | ||
| try: | ||
| content = json_decoder.decode(raw_body.decode("utf-8")) | ||
| except Exception: | ||
| raise SynapseError( | ||
| HTTPStatus.BAD_REQUEST, "Content not JSON.", Codes.NOT_JSON | ||
| ) | ||
|
|
||
| origin = await authenticator.authenticate_request(request, content) | ||
|
|
||
| # Apply the same per-origin rate limiting that every other federation endpoint gets. | ||
| with ratelimiter.ratelimit(origin) as d: | ||
| await d | ||
| if request._disconnected: | ||
| logger.warning( | ||
| "client disconnected before we started processing request" | ||
| ) | ||
| return | ||
|
|
||
| await proxy_request_to_appservice( | ||
| request, | ||
| hs, | ||
| appservice, | ||
| QuieterFileBodyProducer(BytesIO(raw_body)), | ||
| extra_request_headers={b"X-Matrix-Origin": origin.encode("ascii")}, | ||
| ) | ||
|
|
||
| return _proxy | ||
|
|
||
|
|
||
| def register_servlets( | ||
| hs: "HomeServer", | ||
| resource: HttpServer, | ||
| authenticator: Authenticator, | ||
| ratelimiter: FederationRateLimiter, | ||
| ) -> None: | ||
| """Registers blanket reverse-proxy routes for each application service that has | ||
| configured a proxy prefix. This forwards requests under /_matrix/federation/<prefix>/* | ||
| to the same path under the application service's URL after verifying request | ||
| authentication. | ||
| """ | ||
| for appservice in hs.get_datastores().main.get_app_services(): | ||
| if appservice.proxy_prefix is None: | ||
| continue | ||
|
|
||
| pattern = re.compile( | ||
| "^/_matrix/federation/%s(/.*)?$" % (re.escape(appservice.proxy_prefix),) | ||
| ) | ||
| callback = _make_proxy_callback(hs, authenticator, ratelimiter, appservice) | ||
|
|
||
| for method in ("GET", "POST", "PUT", "DELETE"): | ||
| resource.register_paths( | ||
| method, | ||
| (pattern,), | ||
| callback, | ||
| "ApplicationServiceFederationProxy", | ||
| ) |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This sounds like something that should be handled by a Secure Border Gateway (SBG)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hm, is the SBG capable of verifying client access tokens and federation signatures?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, see
crates/matrix-sbg/src/annotations.rsfor how this information is derived for each request and then somerequest.verified_requester()example usage. See this note for the federation side but it could be updated to handle it as well.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the pointers. This looks interesting but I think it may not be a good fit here. Our specific use case is we want to convert the endpoints that lk-jwt-service serves into regular C-S endpoints but still spare Synapse (and other homeservers) having to implement them. Instead, the idea is to run lk-jwt-service as an application service and letting it claim part of the C-S (and S-S) API. In other words, the interface being public and (in future) part of the AS spec is actually intentional.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that the lk-jwt-service is FOSS and needs to work with FOSS Synapse, specifically it'll implement a specced MatrixRTC transport. The reason for having it separate is so that we don't have to have VoIP specific code in Synapse and can leave that to the VoIP team.
SBG is proprietary. It would potentially be useful if lk-jwt-service was also going to be private, but it's not
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like the same sort of pattern that we use MAS for implementing the OAuth API and even serving the legacy Matrix auth API for compatibility.
Why is this new proxy pattern necessary compared to what we do for MAS?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is essentially the same pattern but going through the application service API in generalised form to make it easier to reuse by other homeservers (and future possibly other application services). I'm hoping to still write an MSC for this but haven't gotten around to it yet.