calling policy servers #857

nex · 2025-06-20T00:55:45Z

nex commented

2025-06-20 00:55:45 +00:00

Allows us to call MSC4284 policy servers to determine if an event should be soft failed or not.

Call policy server on incoming event
Don't send redactions for spam events to clients
Prevent sending events that fail the policy checks

Allows us to call MSC4284 policy servers to determine if an event should be soft failed or not. - [X] Call policy server on incoming event - [x] Don't send redactions for spam events to clients - [x] Prevent sending events that fail the policy checks

nex added the

labels

2025-06-20 00:55:45 +00:00

nex self-assigned this

2025-06-20 00:55:45 +00:00

nex commented

2025-06-20 01:16:21 +00:00

There's some artifacts of some other branches in here, I'll want to filter those out before merge. Truly am a git mastermind

Jade requested changes

2025-06-20 09:51:55 +00:00

Dismissed

Jade left a comment

It looks mostly good aside from what happened overnight in offtopic. If you want I can handle some of these changes for you.

src/service/rooms/event_handler/call_policyserv.rs Outdated

					
				@ -0,0 +59,4 @@

							return Ok(());

						},

					};

					if response.recommendation == "spam" {

Are there any other recommendations we should handle there? Or is it just spam so far?

The MSC says spam and ok are the only two defined responses, however namespaced ones are possible. Synapse only actions if the recommendation is spam, so we do the same

The MSC says `spam` and `ok` are the only two defined responses, however namespaced ones are possible. Synapse only actions if the recommendation is `spam`, so we do the same

Jade marked this conversation as resolved

src/service/rooms/event_handler/upgrade_outlier_pdu.rs Outdated

					
				@ -45,3 +45,3 @@

					}

					debug!("Upgrading to timeline pdu");

					debug!("Upgrading pdu {} from outlier to timeline pdu", incoming_pdu.event_id);

Use structured logging parameters at the start of the log macro rather than interpolating the dynamic value into the string.
Could probably add this as a code style guide.

Use structured logging parameters at the start of the log macro rather than interpolating the dynamic value into the string. Could probably add this as a code style guide.

👍 1

Could probably add this as a code style guide.

Would be a good idea given I've been doing this everywhere else too lol

> Could probably add this as a code style guide. Would be a good idea given I've been doing this everywhere else too lol

nex marked this conversation as resolved

src/service/rooms/event_handler/upgrade_outlier_pdu.rs Outdated

					
				@ -217,1 +219,4 @@

					// 14-pre. If the event is not a state event, ask the policy server about it

					if incoming_pdu.state_key.is_none()

						&& incoming_pdu.sender().server_name() != self.services.globals.server_name()

Aren't we supposed to use the policy server to check our own events?

We aren't supposed to send federation requests to ourselves (or at least Synapse said they didn't do this, intentionally, but that was probably something to do with "unexpected behaviours")

That's not what this is doing though, you're checking the sender of the event against our server name.
To avoid sending federation requests to ourselves, compare in src/service/rooms/event_handler/call_policyserv.rs:25 the via vs our server name.

That's not what this is doing though, you're checking the sender of the event against our server name. To avoid sending federation requests to ourselves, compare in src/service/rooms/event_handler/call_policyserv.rs:25 the via vs our server name.

call_policyserv will be used to check ourselves later, so I can't put the check there. Upgrading an outlier PDU should only happen for remote events anyway afaik, so comparing the sender's homeserver to ours before calling the check is just a guard rail

That's the function that has the federation request, so the guard should be in that function anyway.

call_policyserv will be used to check ourselves later, so I can't put the check there.

Are we misunderstanding each other?

Event sender
Policy server
Our server

Policy server != our server as self-federation isn't allowed
Current check is event sender != our server - but that check should never be false as upgrading an outlier PDU should only happen for remote events ??

That's the function that has the federation request, so the guard *should* be in that function anyway. > call_policyserv will be used to check ourselves later, so I can't put the check there. Are we misunderstanding each other? - Event sender - Policy server - Our server Policy server != our server as self-federation isn't allowed Current check is event sender != our server - but that check should never be false as upgrading an outlier PDU should only happen for remote events ??

I haven't checked, but are you sure our own events can never be outliers? I'm inclined to keep the check just as a safety net since it doesn't exactly cost anything to compare, but if you're sure we've never got own-outliers I can remove it

nex marked this conversation as resolved

src/service/rooms/event_handler/upgrade_outlier_pdu.rs Outdated

					
				@ -218,0 +222,4 @@

						&& incoming_pdu.sender().server_name() != self.services.globals.server_name()

					{

						debug!("Checking policy server for event {}", incoming_pdu.event_id);

						let policy = self.policyserv_check(&incoming_pdu, room_id);

We're missing a timeout here

👍 1

nex marked this conversation as resolved

src/service/rooms/event_handler/upgrade_outlier_pdu.rs Outdated

					
				@ -218,0 +223,4 @@

					{

						debug!("Checking policy server for event {}", incoming_pdu.event_id);

						let policy = self.policyserv_check(&incoming_pdu, room_id);

						if let Err(e) = policy.await {

Can we send off the policy server check at an earlier point so that it's done in parallel to another check? Might require moving a part of this function into its own async function that can be async-joined

not really sure if doing it in parallel is a good use of resources - if an event fails the auth checks because of its own auth events, there's no poing making an additional network request to see if it's spam, for example. It only needs to call the policy server if it'll potentially be sent to the client, so if it's not going to be sent to the client there's not much point checking.
Unless you think it's worth it anyway? I'm not actually sure how heavy the cost of checking is yet

not really sure if doing it in parallel is a good use of resources - if an event fails the auth checks because of its own auth events, there's no poing making an additional network request to see if it's spam, for example. It only needs to call the policy server if it'll potentially be sent to the client, so if it's not going to be sent to the client there's not much point checking. Unless you think it's worth it anyway? I'm not actually sure how heavy the cost of checking is yet

My intuition is that it is time-slow but resource-cheap, so we want to start it as early as possible. However rooting through the code here again, during normal operation the only thing in there that would be slow is state events, and this doesn't check those anyway, so ignore this for now

State events should be checked eventually, but I want to battle test it on timeline events before I start soft-failing state events, since the latter is quite dangerous in comparison

State events *should* be checked eventually, but I want to battle test it on timeline events before I start soft-failing state events, since the latter is quite dangerous in comparison

nex marked this conversation as resolved

src/service/rooms/timeline/mod.rs Outdated

					
				@ -701,0 +701,4 @@

						if state_key.is_none() {

							if prev_events.is_empty() {

								warn!("Timeline event had zero prev_events, something broke.");

								return Err!(Request(Unknown("Timeline event had zero prev_events.")));

Does this block belong in this PR? Should probably be tested separately

No, this is from the fix-create-auth branch, got caught up in the cherry pick

nex marked this conversation as resolved

nex commented

2025-06-20 12:25:40 +00:00

Note, the aforementioned offtopic explosion was a Meowlnir bug, not bug with this impl.

nex force-pushed nex/serving-policy from 67cfd5fd99

Release Docker Image / define-variables (push) Successful in 3s

Details

Rust Checks / Format (push) Successful in 1m4s

Details

Rust Checks / Clippy (push) Failing after 2m30s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 37s

Details

Release Docker Image / build-image (linux/arm64, linux-arm64) (push) Successful in 10m27s

Details

Rust Checks / Cargo Test (push) Failing after 16m1s

Details

Release Docker Image / build-image (linux/amd64, linux-amd64) (push) Successful in 10m52s

Details

Release Docker Image / merge (push) Successful in 24s

Details

to 5ec8e378c2

Release Docker Image / define-variables (push) Successful in 2s

Details

Checks / Prefligit / prefligit (push) Failing after 43s

Details

Checks / Rust / Format (push) Successful in 40s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 41s

Details

Checks / Prefligit / prefligit (pull_request) Failing after 26s

Details

Checks / Rust / Clippy (push) Failing after 4m14s

Details

Checks / Rust / Cargo Test (push) Failing after 4m39s

Details

Release Docker Image / build-image (linux/amd64, release, linux-amd64, base) (push) Failing after 8m35s

Details

Release Docker Image / build-image (linux/arm64, release, linux-arm64, base) (push) Failing after 8m44s

Details

Release Docker Image / merge (push) Has been skipped

Details

2025-06-30 16:17:06 +00:00

Compare

nex force-pushed nex/serving-policy from 5ec8e378c2

Release Docker Image / define-variables (push) Successful in 2s

Details

Checks / Prefligit / prefligit (push) Failing after 43s

Details

Checks / Rust / Format (push) Successful in 40s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 41s

Details

Checks / Prefligit / prefligit (pull_request) Failing after 26s

Details

Checks / Rust / Clippy (push) Failing after 4m14s

Details

Checks / Rust / Cargo Test (push) Failing after 4m39s

Details

Release Docker Image / build-image (linux/amd64, release, linux-amd64, base) (push) Failing after 8m35s

Details

Release Docker Image / build-image (linux/arm64, release, linux-arm64, base) (push) Failing after 8m44s

Details

Release Docker Image / merge (push) Has been skipped

Details

to ce94e241b3

Release Docker Image / define-variables (push) Successful in 2s

Details

Checks / Prefligit / prefligit (push) Successful in 31s

Details

Checks / Rust / Format (push) Successful in 46s

Details

Checks / Prefligit / prefligit (pull_request) Successful in 26s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 50s

Details

Checks / Rust / Clippy (push) Failing after 2m49s

Details

Checks / Rust / Cargo Test (push) Failing after 3m9s

Details

Release Docker Image / build-image (linux/amd64, release, linux-amd64, base) (push) Failing after 9m33s

Details

Release Docker Image / build-image (linux/arm64, release, linux-arm64, base) (push) Failing after 11m12s

Details

Release Docker Image / merge (push) Has been skipped

Details

2025-07-19 19:23:35 +00:00

Compare

nex force-pushed nex/serving-policy from cb4a7b5b2e

Release Docker Image / merge (push) Blocked by required conditions

Details

Release Docker Image / define-variables (push) Successful in 13s

Details

Checks / Prefligit / prefligit (push) Successful in 15s

Details

Checks / Prefligit / prefligit (pull_request) Successful in 34s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 42s

Details

Checks / Rust / Format (push) Successful in 55s

Details

Checks / Rust / Cargo Test (push) Has been cancelled

Details

Release Docker Image / build-image (linux/arm64, release, linux-arm64, base) (push) Has been cancelled

Details

Release Docker Image / build-image (linux/amd64, release, linux-amd64, base) (push) Has been cancelled

Details

Checks / Rust / Clippy (push) Has been cancelled

Details

to 977fddf4c5

Release Docker Image / merge (push) Blocked by required conditions

Details

Release Docker Image / define-variables (push) Successful in 5s

Details

Checks / Prefligit / prefligit (push) Successful in 12s

Details

Checks / Rust / Format (push) Successful in 36s

Details

Checks / Prefligit / prefligit (pull_request) Successful in 29s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 44s

Details

Checks / Rust / Clippy (push) Has been cancelled

Details

Release Docker Image / build-image (linux/amd64, release, linux-amd64, base) (push) Has been cancelled

Details

Release Docker Image / build-image (linux/arm64, release, linux-arm64, base) (push) Has been cancelled

Details

Checks / Rust / Cargo Test (push) Has been cancelled

Details

2025-07-19 22:52:10 +00:00

Compare

nex changed title from ~~WIP: calling policy servers~~ to calling policy servers

2025-07-19 22:54:34 +00:00

nex requested reviews from Jade, Owners

2025-07-19 22:54:36 +00:00

Jade approved these changes

2025-07-20 00:04:05 +00:00

Dismissed

src/service/rooms/event_handler/call_policyserv.rs Outdated

					
				@ -0,0 +10,4 @@

				/// Returns Ok if the policy server allows the event

				#[implement(super::Service)]

				#[tracing::instrument(skip_all, level = "debug")]

				pub async fn policyserv_check(&self, pdu: &PduEvent, room_id: &RoomId) -> Result {

I get the feeling that this should actually be a result(bool) - fail due to an error is different from rejection, and I don't think we're supposed to fail closed? For clarity at least.

And a comment more like

/// Checks with the room's policy server (if configured) whether the given event should
/// be allowed in the room.
///
/// Returns `Ok(())` if the event is permitted, or an error if the event is
/// denied as spam. Skips the check for policy server meta-events or if no
/// policy server is configured for the room.

And a comment more like ``` /// Checks with the room's policy server (if configured) whether the given event should /// be allowed in the room. /// /// Returns `Ok(())` if the event is permitted, or an error if the event is /// denied as spam. Skips the check for policy server meta-events or if no /// policy server is configured for the room. ```

I don't think we're supposed to fail closed?

Ooh, good shout, it's supposed to be fail open. Oops.

> I don't think we're supposed to fail closed? Ooh, good shout, it's supposed to be fail open. Oops.

nex marked this conversation as resolved

src/service/rooms/event_handler/call_policyserv.rs Outdated

					
				@ -0,0 +25,4 @@

						return Ok(());

					};

					let via = match policyserver.via {

via? This is not a via server for routing!

via is what it's called in the spec 🤷‍♀️

`via` is what it's called in the spec 🤷‍♀️

Spec being funny

Jade marked this conversation as resolved

Jade force-pushed nex/serving-policy from 4f90379ac1

Release Docker Image / define-variables (push) Successful in 2s

Details

Checks / Prefligit / prefligit (push) Successful in 32s

Details

Checks / Rust / Format (push) Successful in 43s

Details

Checks / Prefligit / prefligit (pull_request) Successful in 28s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 47s

Details

Checks / Rust / Clippy (push) Successful in 3m41s

Details

Checks / Rust / Cargo Test (push) Successful in 4m21s

Details

Release Docker Image / build-image (linux/amd64, release, linux-amd64, base) (push) Successful in 10m25s

Details

Release Docker Image / build-image (linux/arm64, release, linux-arm64, base) (push) Successful in 20m16s

Details

Release Docker Image / merge (push) Successful in 43s

Details

to dd3ace92e9

Checks / Prefligit / prefligit (push) Successful in 16s

Details

Release Docker Image / define-variables (push) Successful in 4s

Details

Checks / Prefligit / prefligit (pull_request) Successful in 33s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 1m6s

Details

Release Docker Image / build-image (linux/amd64, release, linux-amd64, base) (push) Successful in 17m1s

Details

Release Docker Image / build-image (linux/arm64, release, linux-arm64, base) (push) Successful in 17m41s

Details

Release Docker Image / merge (push) Successful in 26s

Details

Checks / Rust / Format (push) Successful in 48s

Details

Checks / Rust / Clippy (push) Successful in 4m21s

Details

Checks / Rust / Cargo Test (push) Successful in 4m52s

Details

2025-07-20 20:01:47 +00:00

Compare

nex commented

2025-07-22 17:23:34 +00:00

TODO: customisable timeout for policy server call

nex force-pushed nex/serving-policy from 6ab209504d

Release Docker Image / merge (push) Blocked by required conditions

Details

Release Docker Image / define-variables (push) Successful in 3s

Details

Checks / Prefligit / prefligit (push) Successful in 18s

Details

Checks / Rust / Format (push) Successful in 41s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 46s

Details

Checks / Prefligit / prefligit (pull_request) Successful in 19s

Details

Release Docker Image / build-image (linux/arm64, release, linux-arm64, base) (push) Has been cancelled

Details

Checks / Rust / Cargo Test (push) Has been cancelled

Details

Release Docker Image / build-image (linux/amd64, release, linux-amd64, base) (push) Has been cancelled

Details

Checks / Rust / Clippy (push) Has been cancelled

Details

to f335f45017

Release Docker Image / merge (push) Blocked by required conditions

Details

Release Docker Image / define-variables (push) Successful in 2s

Details

Checks / Prefligit / prefligit (push) Successful in 11s

Details

Checks / Rust / Format (push) Successful in 39s

Details

Checks / Prefligit / prefligit (pull_request) Successful in 15s

Details

Documentation / Build and Deploy Documentation (pull_request) Successful in 40s

Details

Checks / Rust / Clippy (push) Successful in 4m4s

Details

Checks / Rust / Cargo Test (push) Successful in 5m0s

Details

Release Docker Image / build-image (linux/arm64, release, linux-arm64, base) (push) Has been cancelled

Details

Release Docker Image / build-image (linux/amd64, release, linux-amd64, base) (push) Has been cancelled

Details

2025-07-23 16:49:14 +00:00

Compare

nex commented

2025-07-23 16:50:21 +00:00

I don't see anything left to do here. Requesting code review from @Jade and general feature review from testers @tcpipuk and @Aranjedeath

👍 1

nex requested reviews from Jade, Aranjedeath, tcpipuk

2025-07-23 16:50:24 +00:00

Jade reviewed

2025-07-23 16:52:23 +00:00

src/service/rooms/event_handler/policy_server.rs Outdated

					
				@ -0,0 +12,4 @@

					events::{StateEventType, room::policy::RoomPolicyEventContent},

				};

				/// Returns Ok if the policy server allows the event

outdated comment (see prev review on this line too)

👍 1

guh thought I caught that one

nex marked this conversation as resolved

Jade reviewed

2025-07-23 16:54:48 +00:00

src/service/rooms/event_handler/policy_server.rs Outdated

					
				@ -0,0 +104,4 @@

							room_id = %room_id,

							"Event was marked as spam by policy server",

						);

						return Err!(Request(Forbidden("Event was marked as spam by policy server")));

Ok(false)?? Right?

`Ok(false)`?? Right?

I actually prefer opening +300-30 no-op feature PRs

nex marked this conversation as resolved

nex added 3 commits

2025-07-23 17:01:53 +00:00

fix(policy-server): Correctly default to 10 second timeout 99ebe022ed

fix(policy-server): Update ask_policy_server docstring fe06d78c8e

fix(policy-server): Return the correct result when an event is marked as spam

Documentation / Build and Deploy Documentation (pull_request) Successful in 35s

Details

Checks / Prefligit / prefligit (pull_request) Successful in 27s

Details

Release Docker Image / define-variables (push) Successful in 7s

Details

Checks / Prefligit / prefligit (push) Successful in 25s

Details

Documentation / Build and Deploy Documentation (push) Successful in 31s

Details

Checks / Rust / Format (push) Successful in 40s

Details

Checks / Rust / Clippy (push) Successful in 4m57s

Details

Checks / Rust / Cargo Test (push) Successful in 5m30s

Details

Release Docker Image / build-image (linux/arm64, release, linux-arm64, base) (push) Successful in 12m49s

Details

Release Docker Image / build-image (linux/amd64, release, linux-amd64, base) (push) Successful in 13m46s

Details

Release Docker Image / merge (push) Successful in 25s

Details

f32f60d056

nex reviewed

2025-07-23 17:07:27 +00:00

conduwuit-example.toml

					
				@ -343,0 +344,4 @@

				# servers should respond near instantly, however may slow down under

				# load. If a policy server doesn't respond in a short amount of time, the

				# room it is configured in may become unusable if this limit is set too

				# high. 10 seconds is a good default, however dropping this to 3-5 seconds

Does suggesting lower values make this sound more complicated than it needs to be?

I would only provide tuning advice here if different values have been tested and we have something to recommend. Everybody else will take the default.

Perhaps splitting stuff like this off into a dedicated tuning guide in the docs is more appropriate then, since it'll be easier to waffle about the pros and cons of stuff there rather than in docstrings