feat: Check for incoming signatures

2025-12-18 19:03:06 +00:00 · 2025-12-18 19:03:06 +00:00 · 8538b21860
commit 8538b21860
parent 63e4aacd2b
3 changed files with 31 additions and 18 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -4063,7 +4063,7 @@ checksum = "88f8660c1ff60292143c98d08fc6e2f654d722db50410e3f3797d40baaf9d8f3"
 [[package]]
 name = "ruma"
 version = "0.10.1"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=c091171279f76d34e530f7b7d7008d12e7429b1a#c091171279f76d34e530f7b7d7008d12e7429b1a"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=27abe0dcd33fd4056efc94bab3582646b31b6ce9#27abe0dcd33fd4056efc94bab3582646b31b6ce9"
 dependencies = [
 "assign",
 "js_int",
@ -4083,7 +4083,7 @@ dependencies = [
 [[package]]
 name = "ruma-appservice-api"
 version = "0.10.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=c091171279f76d34e530f7b7d7008d12e7429b1a#c091171279f76d34e530f7b7d7008d12e7429b1a"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=27abe0dcd33fd4056efc94bab3582646b31b6ce9#27abe0dcd33fd4056efc94bab3582646b31b6ce9"
 dependencies = [
 "js_int",
 "ruma-common",
@ -4095,7 +4095,7 @@ dependencies = [
 [[package]]
 name = "ruma-client-api"
 version = "0.18.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=c091171279f76d34e530f7b7d7008d12e7429b1a#c091171279f76d34e530f7b7d7008d12e7429b1a"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=27abe0dcd33fd4056efc94bab3582646b31b6ce9#27abe0dcd33fd4056efc94bab3582646b31b6ce9"
 dependencies = [
 "as_variant",
 "assign",
@ -4118,7 +4118,7 @@ dependencies = [
 [[package]]
 name = "ruma-common"
 version = "0.13.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=c091171279f76d34e530f7b7d7008d12e7429b1a#c091171279f76d34e530f7b7d7008d12e7429b1a"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=27abe0dcd33fd4056efc94bab3582646b31b6ce9#27abe0dcd33fd4056efc94bab3582646b31b6ce9"
 dependencies = [
 "as_variant",
 "base64 0.22.1",
@ -4150,7 +4150,7 @@ dependencies = [
 [[package]]
 name = "ruma-events"
 version = "0.28.1"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=c091171279f76d34e530f7b7d7008d12e7429b1a#c091171279f76d34e530f7b7d7008d12e7429b1a"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=27abe0dcd33fd4056efc94bab3582646b31b6ce9#27abe0dcd33fd4056efc94bab3582646b31b6ce9"
 dependencies = [
 "as_variant",
 "indexmap",
@ -4175,7 +4175,7 @@ dependencies = [
 [[package]]
 name = "ruma-federation-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=c091171279f76d34e530f7b7d7008d12e7429b1a#c091171279f76d34e530f7b7d7008d12e7429b1a"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=27abe0dcd33fd4056efc94bab3582646b31b6ce9#27abe0dcd33fd4056efc94bab3582646b31b6ce9"
 dependencies = [
 "bytes",
 "headers",
@ -4197,7 +4197,7 @@ dependencies = [
 [[package]]
 name = "ruma-identifiers-validation"
 version = "0.9.5"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=c091171279f76d34e530f7b7d7008d12e7429b1a#c091171279f76d34e530f7b7d7008d12e7429b1a"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=27abe0dcd33fd4056efc94bab3582646b31b6ce9#27abe0dcd33fd4056efc94bab3582646b31b6ce9"
 dependencies = [
 "js_int",
 "thiserror 2.0.17",
@ -4206,7 +4206,7 @@ dependencies = [
 [[package]]
 name = "ruma-identity-service-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=c091171279f76d34e530f7b7d7008d12e7429b1a#c091171279f76d34e530f7b7d7008d12e7429b1a"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=27abe0dcd33fd4056efc94bab3582646b31b6ce9#27abe0dcd33fd4056efc94bab3582646b31b6ce9"
 dependencies = [
 "js_int",
 "ruma-common",
@ -4216,7 +4216,7 @@ dependencies = [
 [[package]]
 name = "ruma-macros"
 version = "0.13.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=c091171279f76d34e530f7b7d7008d12e7429b1a#c091171279f76d34e530f7b7d7008d12e7429b1a"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=27abe0dcd33fd4056efc94bab3582646b31b6ce9#27abe0dcd33fd4056efc94bab3582646b31b6ce9"
 dependencies = [
 "cfg-if",
 "proc-macro-crate",
@ -4231,7 +4231,7 @@ dependencies = [
 [[package]]
 name = "ruma-push-gateway-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=c091171279f76d34e530f7b7d7008d12e7429b1a#c091171279f76d34e530f7b7d7008d12e7429b1a"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=27abe0dcd33fd4056efc94bab3582646b31b6ce9#27abe0dcd33fd4056efc94bab3582646b31b6ce9"
 dependencies = [
 "js_int",
 "ruma-common",
@ -4243,7 +4243,7 @@ dependencies = [
 [[package]]
 name = "ruma-signatures"
 version = "0.15.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=c091171279f76d34e530f7b7d7008d12e7429b1a#c091171279f76d34e530f7b7d7008d12e7429b1a"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=27abe0dcd33fd4056efc94bab3582646b31b6ce9#27abe0dcd33fd4056efc94bab3582646b31b6ce9"
 dependencies = [
 "base64 0.22.1",
 "ed25519-dalek",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -351,7 +351,7 @@ version = "0.1.2"
 # Used for matrix spec type definitions and helpers
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
-rev = "c091171279f76d34e530f7b7d7008d12e7429b1a"
+rev = "27abe0dcd33fd4056efc94bab3582646b31b6ce9"
 features = [
    "compat",
    "rand",
--- a/src/service/rooms/event_handler/policy_server.rs
+++ b/src/service/rooms/event_handler/policy_server.rs
@ -10,7 +10,7 @@ use conduwuit::{
 	warn,
 };
 use ruma::{
-	CanonicalJsonObject, CanonicalJsonValue, KeyId, RoomId, ServerName,
+	CanonicalJsonObject, CanonicalJsonValue, KeyId, RoomId, ServerName, SigningKeyId,
 	api::federation::room::{
 		policy_check::unstable::Request as PolicyCheckRequest,
 		policy_sign::unstable::Request as PolicySignRequest,
@ -31,7 +31,7 @@ use serde_json::value::RawValue;
 /// contacted for whatever reason, Err(e) is returned, which generally is a
 /// fail-open operation.
 #[implement(super::Service)]
-#[tracing::instrument(skip(self, pdu, pdu_json))]
+#[tracing::instrument(skip(self, pdu, pdu_json, room_id))]
 pub async fn ask_policy_server(
 	&self,
 	pdu: &PduEvent,
@ -109,9 +109,22 @@ pub async fn ask_policy_server(
 				.fetch_policy_server_signature(pdu, pdu_json, via, outgoing, room_id)
 				.await;
 		}
-		debug!("Event is not local, performing legacy spam check");
-		// TODO: this should probably be marking it as failed, but for now fall
-		// thru
+		// for incoming events, is it signed by <via> with the key
+		// "ed25519:policy_server"?
+		if let Some(CanonicalJsonValue::Object(sigs)) = pdu_json.get("signatures") {
+			if let Some(CanonicalJsonValue::Object(server_sigs)) = sigs.get(via.as_str()) {
+				let wanted_key_id: &KeyId<ruma::SigningKeyAlgorithm, ruma::Base64PublicKey> =
+					SigningKeyId::parse("ed25519:policy_server")?;
+				if let Some(CanonicalJsonValue::String(_sig_value)) =
+					server_sigs.get(wanted_key_id.as_str())
+				{
+					// TODO: verify signature
+				}
+			}
+		};
+		debug!(
+			"Event is not local and has no policy server signature, performing legacy spam check"
+		);
 	}
 	debug_info!(
 		via = %via,
@ -171,7 +184,7 @@ pub async fn ask_policy_server(
 /// Asks a remote policy server for a signature on this event.
 /// If the policy server signs this event, the original data is mutated.
 #[implement(super::Service)]
-#[tracing::instrument(skip_all)]
+#[tracing::instrument(skip_all, fields(event_id=%pdu.event_id(), via=%via))]
 pub async fn fetch_policy_server_signature(
 	&self,
 	pdu: &PduEvent,