You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
327 lines
10 KiB
ReStructuredText
327 lines
10 KiB
ReStructuredText
Federation
|
|
==========
|
|
|
|
Constructing a new event
|
|
------------------------
|
|
|
|
**TODO**
|
|
|
|
|
|
Signing and Hashes
|
|
~~~~~~~~~~~~~~~~~~
|
|
|
|
**TODO**
|
|
|
|
Validation
|
|
----------
|
|
|
|
**TODO**
|
|
|
|
Domain specific string
|
|
A string of the form ``<prefix><localpart>:<domain>``, where <prefix> is a
|
|
single character, ``<localpart>`` is an arbitrary string that does not
|
|
include a colon, and `<domain>` is a valid server name.
|
|
|
|
``room_id``
|
|
A domain specific string with prefix ``!`` that is static across all events
|
|
in a graph and uniquely identifies it. The ``domain`` should be that of the
|
|
home server that created the room (i.e., the server that generated the
|
|
first ``m.room.create`` event).
|
|
|
|
``sender``
|
|
The entity that logically sent the event. This is usually a user id, but
|
|
can also be a server name.
|
|
|
|
User Id
|
|
A domain specific string with prefix ``@`` representing a user account. The
|
|
``domain`` is the home server of the user and is the server used to contact
|
|
the user.
|
|
|
|
Joining a room
|
|
--------------
|
|
|
|
If a user requests to join a room that the server is already in (i.e. the a
|
|
user on that server has already joined the room) then the server can simply
|
|
generate a join event and send it as normal.
|
|
|
|
If the server is not already in the room it needs to will need to join via
|
|
another server that is already in the room. This is done as a two step process.
|
|
|
|
First, the local server requests from the remote server a skeleton of a join
|
|
event. The remote does this as the local server does not have the event graph
|
|
to use to fill out the ``prev_events`` key in the new event. Critically, the
|
|
remote server does not process the event it responded with.
|
|
|
|
Once the local server has this event, it fills it out with any extra data and
|
|
signs it. Once ready the local server sends this event to a remote server
|
|
(which could be the same or different from the first remote server), this
|
|
remote server then processes the event and distributes to all the other
|
|
participating servers in that room. The local server is told about the
|
|
current state and complete auth chain for the join event. The local server
|
|
can then process the join event itself.
|
|
|
|
|
|
.. Note::
|
|
Finding which server to use to join any particular room is not specified.
|
|
|
|
|
|
Inviting a user
|
|
---------------
|
|
|
|
To invite a remote user to a room we need their home server to sign the invite
|
|
event. This is done by sending the event to the remote server, which then signs
|
|
the event, before distributing the invite to other servers.
|
|
|
|
Failures
|
|
--------
|
|
|
|
A server can notify a remote server about something it thinks it has done
|
|
wrong using the failures mechanism. For example, the remote accepted an event
|
|
the local think it shouldn't have.
|
|
|
|
A failure has a severity level depending on the action taken by the local
|
|
server. These levels are:
|
|
|
|
``FATAL``
|
|
The local server could not parse the event, for example due to a missing
|
|
required field.
|
|
|
|
``ERROR``
|
|
The local server *could* parse the event, but it was rejected. For example,
|
|
the event may have failed an authorization check.
|
|
|
|
``WARN``
|
|
The local server accepted the event, but something was unexpected about it.
|
|
For example, the event may have referenced another event the local server
|
|
thought should be rejected.
|
|
|
|
A failure also includes several other fields:
|
|
|
|
``code``
|
|
A numeric code (to be defined later) indicating a particular type of
|
|
failure.
|
|
|
|
``reason``
|
|
A short string indicating what was wrong, for diagnosis purposes on the
|
|
remote server.
|
|
|
|
``affected``
|
|
The event id of the event this failure is responding to. For example, if
|
|
an accepted event referenced a rejected event, this would point to the
|
|
accepted one.
|
|
|
|
``source``
|
|
The event id of the event that was the source of this unexpected behaviour.
|
|
For example, if an accepted event referenced a rejected event, this would
|
|
point to the rejected one.
|
|
|
|
|
|
Authorization
|
|
-------------
|
|
|
|
When receiving new events from remote servers, or creating new events, a server
|
|
must know whether that event is allowed by the authorization rules. These rules
|
|
depend solely on the state at that event. The types of state events that affect
|
|
authorization are:
|
|
|
|
- ``m.room.create``
|
|
- ``m.room.member``
|
|
- ``m.room.join_rules``
|
|
- ``m.room.power_levels``
|
|
|
|
Servers should not create new events that reference unauthorized events.
|
|
However, any event that does reference an unauthorized event is not itself
|
|
automatically considered unauthorized.
|
|
|
|
Unauthorized events that appear in the event graph do *not* have any effect on
|
|
the state of the graph.
|
|
|
|
.. Note:: This is in contrast to redacted events which can still affect the
|
|
state of the graph. For example, a redacted *"join"* event will still
|
|
result in the user being considered joined.
|
|
|
|
|
|
Rules
|
|
~~~~~
|
|
|
|
The following are the rules to determine if an event is authorized (this does
|
|
include validation).
|
|
|
|
**TODO**: What signatures do we expect?
|
|
|
|
1. If type is ``m.room.create`` allow.
|
|
#. If type is ``m.room.member``:
|
|
|
|
a. If ``membership`` is ``join``:
|
|
|
|
i. If the previous event is an ``m.room.create``, the depth is 1 and
|
|
the ``state_key`` is the creator, then allow.
|
|
#. If the ``state_key`` does not match ``sender`` key, reject.
|
|
#. If the current state has ``membership`` set to ``join``.
|
|
#. If the ``sender`` is in the ``m.room.may_join`` list. [Not currently
|
|
implemented]
|
|
#. If the ``join_rules`` is:
|
|
|
|
- ``public``: allow.
|
|
- ``invite``: allow if the current state has ``membership`` set to
|
|
``invite``
|
|
- ``knock``: **TODO**.
|
|
- ``private``: Reject.
|
|
|
|
#. Reject
|
|
|
|
#. If ``membership`` is ``invite`` then allow if ``sender`` is in room,
|
|
otherwise reject.
|
|
#. If ``membership`` is ``leave``:
|
|
|
|
i. If ``sender`` matches ``state_key`` allow.
|
|
#. If ``sender``'s power level is greater than the the ``kick_level``
|
|
given in the current ``m.room.power_levels`` state (defaults to 50),
|
|
and the ``state_key``'s power level is less than or equal to the
|
|
``sender``'s power level, then allow.
|
|
#. Reject.
|
|
|
|
#. If ``membership`` is ``ban``:
|
|
|
|
i. **TODO**.
|
|
|
|
#. Reject.
|
|
|
|
#. Reject the event if the event type's required power level is less that the
|
|
``sender``'s power level.
|
|
#. If the ``sender`` is not in the room, reject.
|
|
#. If the type is ``m.room.power_levels``:
|
|
|
|
a. **TODO**.
|
|
|
|
#. Allow.
|
|
|
|
|
|
Definitions
|
|
~~~~~~~~~~~
|
|
|
|
Required Power Level
|
|
A given event type has an associated *required power level*. This is given
|
|
by the current ``m.room.power_levels`` event, it is either listed explicitly
|
|
in the ``events`` section or given by either ``state_default`` or
|
|
``events_default`` depending on if the event type is a state event or not.
|
|
|
|
|
|
Auth events
|
|
~~~~~~~~~~~
|
|
|
|
The auth events of an event are the set of events used by the authorization
|
|
algorithm to accept the event. These should be a subset of the current state.
|
|
|
|
A server is required to store the complete chain of auth events for all events
|
|
it serves to remote servers.
|
|
|
|
.. todo
|
|
We probably should probably give a lower band of how long auth events
|
|
should be kept around for.
|
|
|
|
Auth chain
|
|
~~~~~~~~~~
|
|
|
|
The *auth chain* for an event is the recursive list of auth events and the auth
|
|
chain for those auth events.
|
|
|
|
The auth chain for event gives all the information a server needs to accept an
|
|
event. However, being given an auth chain for an event that appears valid does
|
|
not mean that the event might later be rejected. For example if we discover
|
|
that the sender had been banned between the join event listed in the auth
|
|
events and the event being authed.
|
|
|
|
**TODO**: Clean the above explanations up a bit.
|
|
|
|
|
|
Auth chain resolution
|
|
~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
**TODO**: If an auth check fails, or if we get told something we accepted
|
|
should have been rejected, we need to try and determine who is right.
|
|
|
|
Both should inform the other of what they think the current auth chain is. If
|
|
either are missing auth events that they know are valid (through authorization
|
|
and state resolution) they process the missing events as usual.
|
|
|
|
If either side notice that the other has accepted an auth events we think
|
|
should be rejected (for reasons *not* in their auth chain), that server should
|
|
inform the other with suitable proof.
|
|
|
|
The proofs can be:
|
|
|
|
- An *event chain* that shows an auth event is *not* an ancestor of the event.
|
|
- Given an event (and event chain?) showing that authorization had been revoked.
|
|
|
|
|
|
|
|
State Resolution
|
|
----------------
|
|
|
|
**TODO**
|
|
|
|
|
|
Appendix
|
|
========
|
|
|
|
**TODO**
|
|
|
|
Example event:
|
|
|
|
.. code::
|
|
|
|
{
|
|
"auth_events": [
|
|
[
|
|
"$14187571482fLeia:localhost:8480",
|
|
{
|
|
"sha256": "kiZUclzzPetHfy0rVoYKnYXnIv5VxH8a4996zVl8xbw"
|
|
}
|
|
],
|
|
[
|
|
"$14187571480odWTd:localhost:8480",
|
|
{
|
|
"sha256": "GqtndjviW9yPGaZ6EJfzuqVCRg5Lhoyo4YYv1NFP7fw"
|
|
}
|
|
],
|
|
[
|
|
"$14205549830rrMar:localhost:8480",
|
|
{
|
|
"sha256": "gZmL23QdWjNOmghEZU6YjqgHHrf2fxarKO2z5ZTbkig"
|
|
}
|
|
]
|
|
],
|
|
"content": {
|
|
"body": "Test!",
|
|
"msgtype": "m.text"
|
|
},
|
|
"depth": 250,
|
|
"event_id": "$14207181140uTFlx:localhost:8480",
|
|
"hashes": {
|
|
"sha256": "k1nuafFdFvZXzhb5NeTE0Q2Jkqu3E8zkh3uH3mqwIxc"
|
|
},
|
|
"origin": "localhost:8480",
|
|
"origin_server_ts": 1420718114694,
|
|
"prev_events": [
|
|
[
|
|
"$142071809077XNNkP:localhost:8480",
|
|
{
|
|
"sha256": "xOnU1b+4LOVz5qih0dkNFrdMgUcf35fKx9sdl/gqhjY"
|
|
}
|
|
]
|
|
],
|
|
"room_id": "!dwZDafgDEFTtpPKpLy:localhost:8480",
|
|
"sender": "@bob:localhost:8480",
|
|
"signatures": {
|
|
"localhost:8480": {
|
|
"ed25519:auto": "Nzd3D+emFBJJ4LCTzQEZaKO0Sa3sSTR1fGpu8OWXYn+7XUqke9Q1jYUewrEfxb3lPxlYWm/GztVUJizLz1K5Aw"
|
|
}
|
|
},
|
|
"type": "m.room.message",
|
|
"unsigned": {
|
|
"age": 500
|
|
}
|
|
}
|
|
|