Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Develop custom access control plug in #104

Open
gabrc52 opened this issue Aug 30, 2023 · 4 comments
Open

Develop custom access control plug in #104

gabrc52 opened this issue Aug 30, 2023 · 4 comments

Comments

@gabrc52
Copy link
Contributor

gabrc52 commented Aug 30, 2023
edited
Loading

Features

  • You can make semi-unfederated rooms
  • You can restrict rooms to specific affiliations (such as student, affiliate, staff)
  • You can restrict rooms to a specific moira list or set of moira lists
  • Instead of Moira lists, this should ideally be extensible to allow other things people in the general Matrix ecosystem may want. This way, it could be turned into an MSC.
  • You should be able to chain rules, for example allow people in any of these 2 lists, or allow any students but non-students in a certain list are allowed
    • how far do we want to go? do we want to have an AND operator, or just an OR operator? any boolean expression? For now let's stick with allowing people if (A1 OR A2 OR A3 OR ...) AND NOT (B1 OR B2 OR B3 OR ...)
  • You can optionally make invites override the rules, so that invited users can bypass the rules
  • For now, we just need the student-only rooms and can leave other things as unimplemented

Implementation

event name: edu.mit.sipb.custom_acl
state key can be an empty string since we have no use for it

  • It might make sense to take the design of m.room.server_acl as inspiration or maybe even make this into a superset of it. Same for m.room.join_rules.
  • Each type has a name, which in a MSC would be namespaced but for now we don't need a namespace. Either way, they could become namespaced when migrating to an official event. Note that m.room.join_rules is already namespaced, and so far only supports m.room_membership. We still need to put some thought in how to make it compatible with m.room.join_rules, since we can technically add our own namespaced stuff to it already.
  • There is an allow and deny property, and it follows the same logic as the server ACL:
  1. if there is no such event, allow
  2. if any of the deny entries is satisfied, deny
  3. if any of the allow entries is satisfied, allow
  4. otherwise, deny

Types

  • In general, everything m.room.join_rules and m.room.server_acl already support.
  • exact_homeserver: Match a homeserver exactly
  • homeserver_glob: Match a homeserver glob
  • ip_literal: Match any homeserver that is an IP literal
  • moira_list: ACL for the given moira list, as long as the list is either an AFS list or a list the server's kerberos identity has access to read its membership (any non-hidden list or any list daemon/matrix.mit.edu can administer)
  • affiliation: Match a specific affiliation
  • invited: Match people who are invited to the room. It should match with true if it meant the joiner was invited, otherwise it would match with false.
  • mit_community or even mit_alumni (TBD, needs thought but it needs to be an option): Match MIT community members or alumni regardless of what homeserver they are in. This would require a way of verifying their identity (in a similar style as Discord verification, your entry would get denied and you'd get a DM to verify, and then our integration could remember you for future rooms).

Error messages

Element relays the error messages from the homeserver, so if someone tries to join a semi-unfederated room as in the example below, it would be better for the error message to say You are not invited to this room or for the other example You are not invited to this room, please ask a MIT student to invite you.

I don't know how to implement custom error messages while also allowing full flexibility, but we could handle a few special cases, and return a generic error message otherwise. It is also possible that for the case of the moira list ones, we may not want to tell people why they were rejected from a room.

Examples

These are all illustrative but within the MIT context, and do not mean I endorse having rooms like that.

Semi-undefederated room: only people in our homeserver can join unless they are invited

{
  "allow": [
    {"type": "homeserver", "value": "matrix.mit.edu"},
    {"type": "invited", "value": "true"},
  ]
}

Allow anyone in ec-discuss or r-h-t

{
  "allow": [
    {"type": "moira_list", "value": "ec-discuss"},
    {"type": "moira_list", "value": "r-h-t"},
  ]
}

Allow all MIT students or anyone who was invited to the room

This is what we need for classes.

{
  "allow": [
    {"type": "affiliation", "value": "student@mit.edu"},
    {"type": "invited", "value": "true"},
  ]
}

Allow all MIT students and allow all SIPB members regardless of whether they are a student or not

{
  "allow": [
    {"type": "moira_list", "value": "sipb"},
    {"type": "affiliation", "value": "student@mit.edu"}
  ]
}

Allow all EC residents except Tetazoans

{
  "allow": [
    {"type": "moira_list", "value": "ec-residents"}
  ],
  "deny": [
    {"type": "moira_list", "value": "3e-residents"}
  ]
}

Allow MIT kerb-holders (through matrix.mit.edu) who are not MIT students

{
  "allow": [
    {"type": "homserver", "value": "matrix.mit.edu"},
  ],
  "deny": [
    {"type": "affiliation", "value": "student@mit.edu"],
  ],
}

Allow only invited students

Since this would require an AND, it is not implementable through this current proposal, but it can be done by combining a join rule event with this event. If we do a MSC, care is to be taken so that things like this still work.

Notes

  • We should get its own repo for it since we want docs and other stuff.
@gabrc52 gabrc52 mentioned this issue Aug 30, 2023
Open
76 tasks
@gabrc52 gabrc52 changed the title Develop custom access control plug in - for now it should only work with custom state events, then we can document them and put them into our upcoming integration manager Develop custom access control plug in Aug 30, 2023
@gabrc52 gabrc52 mentioned this issue Aug 30, 2023
Open
@gabrc52
Copy link
Contributor Author

gabrc52 commented Aug 30, 2023

Thinking of it a bit more, I'm not sure how this all plays in with federation. I was assuming our home server would be the arbiter but there are more homeservers and this is why the spec about server ACLs has this whole thing about how to deal with noncompliant servers.

Let's just do a simple plugin which handles the classes part first and then actually work in making a new plugin we can publish. The MSC can be a draft since I'd be able to get feedback and iterate.

Rooms don't just live in one home server and if you can't join via one you can join via another.

This means if you let one person from one server in you might be letting in everyone else in that home sever.

@gabrc52
Copy link
Contributor Author

gabrc52 commented Aug 30, 2023

image

Yeah it's probably not a good idea to send a MSC yet since they have plans of adding role-based access control and if that is so we might be able to mirror moira lists to that

@gabrc52
Copy link
Contributor Author

gabrc52 commented Aug 30, 2023

Also we might want to hook user_may_invite too otherwise people might have stuck invites or invites they just can't join and can only decline

@gabrc52
Copy link
Contributor Author

gabrc52 commented Aug 30, 2023

Also note that the Synapse module API allows returning specific error codes but not messages so that might need work too for friendlier messages

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@gabrc52