apply forbidden_remote_server_names to outbound sending and inbound federation handling

Signed-off-by: strawberry <strawberry@puppygock.gay>

conduwuit-example.toml

@@ -224,9 +224,11 @@ registration_token = "change this token for something specific to your server"
 # No default.
 # forbidden_alias_names = []
 
-# List of forbidden server names that we will block all client room joins, incoming federated room directory requests, incoming federated invites for, and incoming federated joins. This check is applied on the room ID, room alias, sender server name, and sender user's server name.
-# Basically "global" ACLs. For our user (client) checks, admin users are allowed.
-# No default.
+# List of forbidden server names that we will block incoming AND outgoing federation with, and block client room joins / remote user invites.
+#
+# This check is applied on the room ID, room alias, sender server name, sender user's server name, inbound federation X-Matrix origin, and outbound federation handler.
+#
+# Basically "global" ACLs. No default.
 # forbidden_remote_server_names = []
 
 # List of forbidden server names that we will block all outgoing federated room directory requests for. Useful for preventing our users from wandering into bad servers or spaces.

src/api/router/auth.rs

@@ -6,7 +6,7 @@ use axum_extra::{
 	typed_header::TypedHeaderRejectionReason,
 	TypedHeader,
 };
-use conduit::{warn, Err, Error, Result};
+use conduit::{debug_info, warn, Err, Error, Result};
 use http::uri::PathAndQuery;
 use ruma::{
 	api::{client::error::ErrorKind, AuthScheme, Metadata},
@@ -185,7 +185,7 @@ fn auth_appservice(services: &Services, request: &Request, info: Box<Registratio
 async fn auth_server(
 	services: &Services, request: &mut Request, json_body: &Option<CanonicalJsonValue>,
 ) -> Result<Auth> {
-	if !services.globals.allow_federation() {
+	if !services.server.config.allow_federation {
 		return Err!(Config("allow_federation", "Federation is disabled."));
 	}
 
@@ -206,6 +206,17 @@ async fn auth_server(
 		})?;
 
 	let origin = &x_matrix.origin;
+
+	if services
+		.server
+		.config
+		.forbidden_remote_server_names
+		.contains(origin)
+	{
+		debug_info!("Refusing to accept inbound federation request to {origin}");
+		return Err!(Request(Forbidden("Federation with this homeserver is not allowed.")));
+	}
+
 	let signatures =
 		BTreeMap::from_iter([(x_matrix.key.clone(), CanonicalJsonValue::String(x_matrix.sig.to_string()))]);
 	let signatures = BTreeMap::from_iter([(

src/service/sending/send.rs

@@ -1,7 +1,8 @@
 use std::{fmt::Debug, mem};
 
 use conduit::{
-	debug, debug_error, debug_warn, err, error::inspect_debug_log, trace, utils::string::EMPTY, Err, Error, Result,
+	debug, debug_error, debug_info, debug_warn, err, error::inspect_debug_log, trace, utils::string::EMPTY, Err, Error,
+	Result,
 };
 use http::{header::AUTHORIZATION, HeaderValue};
 use ipaddress::IPAddress;
@@ -31,6 +32,16 @@ impl super::Service {
 			return Err!(Config("allow_federation", "Federation is disabled."));
 		}
 
+		if self
+			.server
+			.config
+			.forbidden_remote_server_names
+			.contains(&dest.to_owned())
+		{
+			debug_info!("Refusing to send outbound federation request to {dest}");
+			return Err!(Request(Forbidden("Federation with this homeserver is not allowed.")));
+		}
+
 		let actual = self.services.resolver.get_actual_dest(dest).await?;
 		let request = self.prepare::<T>(dest, &actual, req).await?;
 		self.execute::<T>(dest, &actual, request, client).await