policyeval/antispam: handle federated_user_may_invite and MSC4311

tulir · tulir · commit eeccd4aef99d · 2025-07-19T00:06:11.000+03:00
diff --git a/cmd/meowlnir/antispam.go b/cmd/meowlnir/antispam.go
@@ -8,6 +8,7 @@ import (
 	"github.com/rs/zerolog/hlog"
 	"go.mau.fi/util/exhttp"
 	"maunium.net/go/mautrix"
+	"maunium.net/go/mautrix/event"
 	"maunium.net/go/mautrix/id"
 )
 
@@ -17,6 +18,10 @@ type ReqUserMayInvite struct {
 	Room    id.RoomID `json:"room_id"`
 }
 
+type ReqFederatedUserMayInvite struct {
+	Event *event.Event `json:"event"`
+}
+
 type ReqUserMayJoinRoom struct {
 	UserID    id.UserID `json:"user"`
 	RoomID    id.RoomID `json:"room"`
@@ -33,6 +38,8 @@ func (m *Meowlnir) PostCallback(w http.ResponseWriter, r *http.Request) {
 	switch cbType {
 	case "user_may_invite":
 		m.PostUserMayInvite(w, r)
+	case "federated_user_may_invite":
+		m.PostFederatedUserMayInvite(w, r)
 	case "accept_make_join":
 		m.PostAcceptMakeJoin(w, r)
 	case "user_may_join_room":
@@ -114,7 +121,31 @@ func (m *Meowlnir) PostUserMayInvite(w http.ResponseWriter, r *http.Request) {
 		mautrix.MNotFound.WithMessage("Antispam configuration issue: policy list not found").Write(w)
 		return
 	}
-	errResp := mgmtRoom.HandleUserMayInvite(r.Context(), req.Inviter, req.Invitee, req.Room)
+	errResp := mgmtRoom.HandleUserMayInvite(r.Context(), req.Inviter, req.Invitee, req.Room, "")
+	if errResp != nil {
+		errResp.Write(w)
+	} else {
+		exhttp.WriteEmptyJSONResponse(w, http.StatusOK)
+	}
+}
+
+func (m *Meowlnir) PostFederatedUserMayInvite(w http.ResponseWriter, r *http.Request) {
+	var req ReqFederatedUserMayInvite
+	err := json.NewDecoder(r.Body).Decode(&req)
+	if err != nil {
+		hlog.FromRequest(r).Err(err).Msg("Failed to parse request body")
+		mautrix.MNotJSON.WithMessage("Antispam request error: invalid JSON").Write(w)
+		return
+	}
+
+	m.MapLock.RLock()
+	mgmtRoom, ok := m.EvaluatorByManagementRoom[id.RoomID(r.PathValue("policyListID"))]
+	m.MapLock.RUnlock()
+	if !ok {
+		mautrix.MNotFound.WithMessage("Antispam configuration issue: policy list not found").Write(w)
+		return
+	}
+	errResp := mgmtRoom.HandleFederatedUserMayInvite(r.Context(), req.Event)
 	if errResp != nil {
 		errResp.Write(w)
 	} else {
diff --git a/policyeval/antispam.go b/policyeval/antispam.go
@@ -23,7 +23,19 @@ type pendingInvite struct {
 	Room    id.RoomID
 }
 
-func (pe *PolicyEvaluator) HandleUserMayInvite(ctx context.Context, inviter, invitee id.UserID, roomID id.RoomID) *mautrix.RespError {
+func (pe *PolicyEvaluator) HandleFederatedUserMayInvite(ctx context.Context, evt *event.Event) *mautrix.RespError {
+	var roomCreator id.UserID
+	for _, stateEvt := range evt.Unsigned.InviteRoomState {
+		switch stateEvt.Type {
+		case event.StateCreate:
+			roomCreator = stateEvt.Sender
+		}
+		// TODO also do things like checking room name
+	}
+	return pe.HandleUserMayInvite(ctx, evt.Sender, id.UserID(evt.GetStateKey()), evt.RoomID, roomCreator)
+}
+
+func (pe *PolicyEvaluator) HandleUserMayInvite(ctx context.Context, inviter, invitee id.UserID, roomID id.RoomID, roomCreator id.UserID) *mautrix.RespError {
 	inviterServer := inviter.Homeserver()
 	// We only care about federated invites.
 	if inviterServer == pe.Bot.ServerName && !pe.FilterLocalInvites {
@@ -90,12 +102,18 @@ func (pe *PolicyEvaluator) HandleUserMayInvite(ctx context.Context, inviter, inv
 	// Parsing room IDs is generally not allowed, but in this case,
 	// if a room was created on a banned server, there's no reason to allow invites to it.
 	_, _, roomServer := id.ParseCommonIdentifier(roomID)
-	if rec = pe.Store.MatchServer(lists, roomServer).Recommendations().BanOrUnban; rec != nil && rec.Recommendation != event.PolicyRecommendationUnban {
-		log.Debug().
-			Str("policy_entity", rec.EntityOrHash()).
-			Str("policy_reason", rec.Reason).
-			Msg("Blocking invite to room on banned server")
-		return ptr.Ptr(mautrix.MForbidden.WithMessage("Inviting users to this room is not allowed"))
+	if roomServer == "" {
+		// If the room ID has no server part, check the create event sender (MSC4311).
+		roomServer = roomCreator.Homeserver()
+	}
+	if roomServer != "" {
+		if rec = pe.Store.MatchServer(lists, roomServer).Recommendations().BanOrUnban; rec != nil && rec.Recommendation != event.PolicyRecommendationUnban {
+			log.Debug().
+				Str("policy_entity", rec.EntityOrHash()).
+				Str("policy_reason", rec.Reason).
+				Msg("Blocking invite to room on banned server")
+			return ptr.Ptr(mautrix.MForbidden.WithMessage("Inviting users to this room is not allowed"))
+		}
 	}
 
 	rec = nil
