log client/remote IP address on various routes tracing calls

this uses InsecureClientIp as this is purely for informational
and logging purposes

Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
strawberry 2024-06-10 21:04:51 -04:00
parent 74b29ce067
commit f1d90e5df6
8 changed files with 59 additions and 31 deletions

View file

@ -1,5 +1,6 @@
use std::fmt::Write; use std::fmt::Write;
use axum_client_ip::InsecureClientIp;
use conduit::debug_info; use conduit::debug_info;
use register::RegistrationKind; use register::RegistrationKind;
use ruma::{ use ruma::{
@ -39,8 +40,9 @@ const RANDOM_USER_ID_LENGTH: usize = 10;
/// ///
/// Note: This will not reserve the username, so the username might become /// Note: This will not reserve the username, so the username might become
/// invalid when trying to register /// invalid when trying to register
#[tracing::instrument(skip_all, fields(%client_ip))]
pub(crate) async fn get_register_available_route( pub(crate) async fn get_register_available_route(
body: Ruma<get_username_availability::v3::Request>, InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<get_username_availability::v3::Request>,
) -> Result<get_username_availability::v3::Response> { ) -> Result<get_username_availability::v3::Response> {
// Validate user id // Validate user id
let user_id = UserId::parse_with_server_name(body.username.to_lowercase(), services().globals.server_name()) let user_id = UserId::parse_with_server_name(body.username.to_lowercase(), services().globals.server_name())
@ -87,7 +89,10 @@ pub(crate) async fn get_register_available_route(
/// - If `inhibit_login` is false: Creates a device and returns device id and /// - If `inhibit_login` is false: Creates a device and returns device id and
/// access_token /// access_token
#[allow(clippy::doc_markdown)] #[allow(clippy::doc_markdown)]
pub(crate) async fn register_route(body: Ruma<register::v3::Request>) -> Result<register::v3::Response> { #[tracing::instrument(skip_all, fields(%client_ip))]
pub(crate) async fn register_route(
InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<register::v3::Request>,
) -> Result<register::v3::Response> {
if !services().globals.allow_registration() && body.appservice_info.is_none() { if !services().globals.allow_registration() && body.appservice_info.is_none() {
info!( info!(
"Registration disabled and request not from known appservice, rejecting registration attempt for username \ "Registration disabled and request not from known appservice, rejecting registration attempt for username \
@ -104,8 +109,8 @@ pub(crate) async fn register_route(body: Ruma<register::v3::Request>) -> Result<
|| (services().globals.allow_registration() && services().globals.config.registration_token.is_some())) || (services().globals.allow_registration() && services().globals.config.registration_token.is_some()))
{ {
info!( info!(
"Guest registration disabled / registration enabled with token configured, rejecting guest registration, \ "Guest registration disabled / registration enabled with token configured, rejecting guest registration \
initial device name: {:?}", attempt, initial device name: {:?}",
body.initial_device_display_name body.initial_device_display_name
); );
return Err(Error::BadRequest( return Err(Error::BadRequest(
@ -297,14 +302,14 @@ pub(crate) async fn register_route(body: Ruma<register::v3::Request>) -> Result<
services() services()
.admin .admin
.send_message(RoomMessageEventContent::notice_plain(format!( .send_message(RoomMessageEventContent::notice_plain(format!(
"New user \"{user_id}\" registered on this server." "New user \"{user_id}\" registered on this server from IP {client_ip}."
))) )))
.await; .await;
} }
// log in conduit admin channel if a guest registered // log in conduit admin channel if a guest registered
if body.appservice_info.is_none() && is_guest && services().globals.log_guest_registrations() { if body.appservice_info.is_none() && is_guest && services().globals.log_guest_registrations() {
info!("New guest user \"{user_id}\" registered on this server."); info!("New guest user \"{user_id}\" registered on this server from IP.");
if let Some(device_display_name) = &body.initial_device_display_name { if let Some(device_display_name) = &body.initial_device_display_name {
if body if body
@ -316,14 +321,15 @@ pub(crate) async fn register_route(body: Ruma<register::v3::Request>) -> Result<
.admin .admin
.send_message(RoomMessageEventContent::notice_plain(format!( .send_message(RoomMessageEventContent::notice_plain(format!(
"Guest user \"{user_id}\" with device display name `{device_display_name}` registered on this \ "Guest user \"{user_id}\" with device display name `{device_display_name}` registered on this \
server." server from IP {client_ip}."
))) )))
.await; .await;
} else { } else {
services() services()
.admin .admin
.send_message(RoomMessageEventContent::notice_plain(format!( .send_message(RoomMessageEventContent::notice_plain(format!(
"Guest user \"{user_id}\" with no device display name registered on this server.", "Guest user \"{user_id}\" with no device display name registered on this server from IP \
{client_ip}.",
))) )))
.await; .await;
} }
@ -331,7 +337,8 @@ pub(crate) async fn register_route(body: Ruma<register::v3::Request>) -> Result<
services() services()
.admin .admin
.send_message(RoomMessageEventContent::notice_plain(format!( .send_message(RoomMessageEventContent::notice_plain(format!(
"Guest user \"{user_id}\" with no device display name registered on this server.", "Guest user \"{user_id}\" with no device display name registered on this server from IP \
{client_ip}.",
))) )))
.await; .await;
} }
@ -352,7 +359,7 @@ pub(crate) async fn register_route(body: Ruma<register::v3::Request>) -> Result<
.make_user_admin(&user_id, displayname) .make_user_admin(&user_id, displayname)
.await?; .await?;
warn!("Granting {} admin privileges as the first user", user_id); warn!("Granting {user_id} admin privileges as the first user");
} }
} }
} }
@ -416,8 +423,9 @@ pub(crate) async fn register_route(body: Ruma<register::v3::Request>) -> Result<
/// last seen ts) /// last seen ts)
/// - Forgets to-device events /// - Forgets to-device events
/// - Triggers device list updates /// - Triggers device list updates
#[tracing::instrument(skip_all, fields(%client_ip))]
pub(crate) async fn change_password_route( pub(crate) async fn change_password_route(
body: Ruma<change_password::v3::Request>, InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<change_password::v3::Request>,
) -> Result<change_password::v3::Response> { ) -> Result<change_password::v3::Response> {
let sender_user = body.sender_user.as_ref().expect("user is authenticated"); let sender_user = body.sender_user.as_ref().expect("user is authenticated");
let sender_device = body.sender_device.as_ref().expect("user is authenticated"); let sender_device = body.sender_device.as_ref().expect("user is authenticated");
@ -466,7 +474,7 @@ pub(crate) async fn change_password_route(
} }
} }
info!("User {} changed their password.", sender_user); info!("User {sender_user} changed their password.");
services() services()
.admin .admin
.send_message(RoomMessageEventContent::notice_plain(format!( .send_message(RoomMessageEventContent::notice_plain(format!(
@ -504,7 +512,10 @@ pub(crate) async fn whoami_route(body: Ruma<whoami::v3::Request>) -> Result<whoa
/// - Forgets all to-device events /// - Forgets all to-device events
/// - Triggers device list updates /// - Triggers device list updates
/// - Removes ability to log in again /// - Removes ability to log in again
pub(crate) async fn deactivate_route(body: Ruma<deactivate::v3::Request>) -> Result<deactivate::v3::Response> { #[tracing::instrument(skip_all, fields(%client_ip))]
pub(crate) async fn deactivate_route(
InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<deactivate::v3::Request>,
) -> Result<deactivate::v3::Response> {
let sender_user = body.sender_user.as_ref().expect("user is authenticated"); let sender_user = body.sender_user.as_ref().expect("user is authenticated");
let sender_device = body.sender_device.as_ref().expect("user is authenticated"); let sender_device = body.sender_device.as_ref().expect("user is authenticated");
@ -542,7 +553,7 @@ pub(crate) async fn deactivate_route(body: Ruma<deactivate::v3::Request>) -> Res
// Remove devices and mark account as deactivated // Remove devices and mark account as deactivated
services().users.deactivate_account(sender_user)?; services().users.deactivate_account(sender_user)?;
info!("User {} deactivated their account.", sender_user); info!("User {sender_user} deactivated their account.");
services() services()
.admin .admin
.send_message(RoomMessageEventContent::notice_plain(format!( .send_message(RoomMessageEventContent::notice_plain(format!(

View file

@ -1,3 +1,4 @@
use axum_client_ip::InsecureClientIp;
use ruma::{ use ruma::{
api::{ api::{
client::{ client::{
@ -27,8 +28,9 @@ use crate::{service::server_is_ours, services, Error, Result, Ruma};
/// Lists the public rooms on this server. /// Lists the public rooms on this server.
/// ///
/// - Rooms are ordered by the number of joined members /// - Rooms are ordered by the number of joined members
#[tracing::instrument(skip_all, fields(%client_ip))]
pub(crate) async fn get_public_rooms_filtered_route( pub(crate) async fn get_public_rooms_filtered_route(
body: Ruma<get_public_rooms_filtered::v3::Request>, InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<get_public_rooms_filtered::v3::Request>,
) -> Result<get_public_rooms_filtered::v3::Response> { ) -> Result<get_public_rooms_filtered::v3::Response> {
if let Some(server) = &body.server { if let Some(server) = &body.server {
if services() if services()
@ -52,8 +54,8 @@ pub(crate) async fn get_public_rooms_filtered_route(
) )
.await .await
.map_err(|e| { .map_err(|e| {
warn!("Failed to return our /publicRooms: {e}"); warn!(?body.server, "Failed to return /publicRooms: {e}");
Error::BadRequest(ErrorKind::Unknown, "Failed to return this server's public room list.") Error::BadRequest(ErrorKind::Unknown, "Failed to return the requested server's public room list.")
})?; })?;
Ok(response) Ok(response)
@ -64,8 +66,9 @@ pub(crate) async fn get_public_rooms_filtered_route(
/// Lists the public rooms on this server. /// Lists the public rooms on this server.
/// ///
/// - Rooms are ordered by the number of joined members /// - Rooms are ordered by the number of joined members
#[tracing::instrument(skip_all, fields(%client_ip))]
pub(crate) async fn get_public_rooms_route( pub(crate) async fn get_public_rooms_route(
body: Ruma<get_public_rooms::v3::Request>, InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<get_public_rooms::v3::Request>,
) -> Result<get_public_rooms::v3::Response> { ) -> Result<get_public_rooms::v3::Response> {
if let Some(server) = &body.server { if let Some(server) = &body.server {
if services() if services()
@ -89,8 +92,8 @@ pub(crate) async fn get_public_rooms_route(
) )
.await .await
.map_err(|e| { .map_err(|e| {
warn!("Failed to return our /publicRooms: {e}"); warn!(?body.server, "Failed to return /publicRooms: {e}");
Error::BadRequest(ErrorKind::Unknown, "Failed to return this server's public room list.") Error::BadRequest(ErrorKind::Unknown, "Failed to return the requested server's public room list.")
})?; })?;
Ok(get_public_rooms::v3::Response { Ok(get_public_rooms::v3::Response {
@ -106,8 +109,9 @@ pub(crate) async fn get_public_rooms_route(
/// Sets the visibility of a given room in the room directory. /// Sets the visibility of a given room in the room directory.
/// ///
/// - TODO: Access control checks /// - TODO: Access control checks
#[tracing::instrument(skip_all, fields(%client_ip))]
pub(crate) async fn set_room_visibility_route( pub(crate) async fn set_room_visibility_route(
body: Ruma<set_room_visibility::v3::Request>, InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<set_room_visibility::v3::Request>,
) -> Result<set_room_visibility::v3::Response> { ) -> Result<set_room_visibility::v3::Response> {
let sender_user = body.sender_user.as_ref().expect("user is authenticated"); let sender_user = body.sender_user.as_ref().expect("user is authenticated");

View file

@ -5,6 +5,7 @@ use std::{
time::{Duration, Instant}, time::{Duration, Instant},
}; };
use axum_client_ip::InsecureClientIp;
use ruma::{ use ruma::{
api::{ api::{
client::{ client::{
@ -141,8 +142,9 @@ async fn banned_room_check(user_id: &UserId, room_id: Option<&RoomId>, server_na
/// rules locally /// rules locally
/// - If the server does not know about the room: asks other servers over /// - If the server does not know about the room: asks other servers over
/// federation /// federation
#[tracing::instrument(skip_all, fields(%client_ip))]
pub(crate) async fn join_room_by_id_route( pub(crate) async fn join_room_by_id_route(
body: Ruma<join_room_by_id::v3::Request>, InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<join_room_by_id::v3::Request>,
) -> Result<join_room_by_id::v3::Response> { ) -> Result<join_room_by_id::v3::Response> {
let sender_user = body.sender_user.as_ref().expect("user is authenticated"); let sender_user = body.sender_user.as_ref().expect("user is authenticated");
@ -193,8 +195,9 @@ pub(crate) async fn join_room_by_id_route(
/// - If the server does not know about the room: use the server name query /// - If the server does not know about the room: use the server name query
/// param if specified. if not specified, asks other servers over federation /// param if specified. if not specified, asks other servers over federation
/// via room alias server name and room ID server name /// via room alias server name and room ID server name
#[tracing::instrument(skip_all, fields(%client_ip))]
pub(crate) async fn join_room_by_id_or_alias_route( pub(crate) async fn join_room_by_id_or_alias_route(
body: Ruma<join_room_by_id_or_alias::v3::Request>, InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<join_room_by_id_or_alias::v3::Request>,
) -> Result<join_room_by_id_or_alias::v3::Response> { ) -> Result<join_room_by_id_or_alias::v3::Response> {
let sender_user = body.sender_user.as_deref().expect("user is authenticated"); let sender_user = body.sender_user.as_deref().expect("user is authenticated");
let body = body.body; let body = body.body;
@ -295,7 +298,10 @@ pub(crate) async fn leave_room_route(body: Ruma<leave_room::v3::Request>) -> Res
/// # `POST /_matrix/client/r0/rooms/{roomId}/invite` /// # `POST /_matrix/client/r0/rooms/{roomId}/invite`
/// ///
/// Tries to send an invite event into the room. /// Tries to send an invite event into the room.
pub(crate) async fn invite_user_route(body: Ruma<invite_user::v3::Request>) -> Result<invite_user::v3::Response> { #[tracing::instrument(skip_all, fields(%client_ip))]
pub(crate) async fn invite_user_route(
InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<invite_user::v3::Request>,
) -> Result<invite_user::v3::Response> {
let sender_user = body.sender_user.as_ref().expect("user is authenticated"); let sender_user = body.sender_user.as_ref().expect("user is authenticated");
if !services().users.is_admin(sender_user)? && services().globals.block_non_admin_invites() { if !services().users.is_admin(sender_user)? && services().globals.block_non_admin_invites() {

View file

@ -1,3 +1,4 @@
use axum_client_ip::InsecureClientIp;
use ruma::{ use ruma::{
api::{client::error::ErrorKind, federation::membership::create_invite}, api::{client::error::ErrorKind, federation::membership::create_invite},
events::room::member::{MembershipState, RoomMemberEventContent}, events::room::member::{MembershipState, RoomMemberEventContent},
@ -16,7 +17,10 @@ use crate::{
/// # `PUT /_matrix/federation/v2/invite/{roomId}/{eventId}` /// # `PUT /_matrix/federation/v2/invite/{roomId}/{eventId}`
/// ///
/// Invites a remote user to a room. /// Invites a remote user to a room.
pub(crate) async fn create_invite_route(body: Ruma<create_invite::v2::Request>) -> Result<create_invite::v2::Response> { #[tracing::instrument(skip_all, fields(%client_ip))]
pub(crate) async fn create_invite_route(
InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<create_invite::v2::Request>,
) -> Result<create_invite::v2::Response> {
let origin = body.origin.as_ref().expect("server is authenticated"); let origin = body.origin.as_ref().expect("server is authenticated");
// ACL check origin // ACL check origin

View file

@ -1,3 +1,4 @@
use axum_client_ip::InsecureClientIp;
use ruma::{ use ruma::{
api::{ api::{
client::error::ErrorKind, client::error::ErrorKind,
@ -11,8 +12,9 @@ use crate::{services, Error, Result, Ruma};
/// # `POST /_matrix/federation/v1/publicRooms` /// # `POST /_matrix/federation/v1/publicRooms`
/// ///
/// Lists the public rooms on this server. /// Lists the public rooms on this server.
#[tracing::instrument(skip_all, fields(%client_ip))]
pub(crate) async fn get_public_rooms_filtered_route( pub(crate) async fn get_public_rooms_filtered_route(
body: Ruma<get_public_rooms_filtered::v1::Request>, InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<get_public_rooms_filtered::v1::Request>,
) -> Result<get_public_rooms_filtered::v1::Response> { ) -> Result<get_public_rooms_filtered::v1::Response> {
if !services() if !services()
.globals .globals
@ -42,8 +44,9 @@ pub(crate) async fn get_public_rooms_filtered_route(
/// # `GET /_matrix/federation/v1/publicRooms` /// # `GET /_matrix/federation/v1/publicRooms`
/// ///
/// Lists the public rooms on this server. /// Lists the public rooms on this server.
#[tracing::instrument(skip_all, fields(%client_ip))]
pub(crate) async fn get_public_rooms_route( pub(crate) async fn get_public_rooms_route(
body: Ruma<get_public_rooms::v1::Request>, InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<get_public_rooms::v1::Request>,
) -> Result<get_public_rooms::v1::Response> { ) -> Result<get_public_rooms::v1::Response> {
if !services() if !services()
.globals .globals

View file

@ -1,5 +1,6 @@
use std::{collections::BTreeMap, sync::Arc, time::Instant}; use std::{collections::BTreeMap, sync::Arc, time::Instant};
use axum_client_ip::InsecureClientIp;
use conduit::debug_warn; use conduit::debug_warn;
use ruma::{ use ruma::{
api::{ api::{
@ -25,8 +26,9 @@ use crate::{
/// # `PUT /_matrix/federation/v1/send/{txnId}` /// # `PUT /_matrix/federation/v1/send/{txnId}`
/// ///
/// Push EDUs and PDUs to this server. /// Push EDUs and PDUs to this server.
#[tracing::instrument(skip_all, fields(%client_ip))]
pub(crate) async fn send_transaction_message_route( pub(crate) async fn send_transaction_message_route(
body: Ruma<send_transaction_message::v1::Request>, InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<send_transaction_message::v1::Request>,
) -> Result<send_transaction_message::v1::Response> { ) -> Result<send_transaction_message::v1::Response> {
let origin = body.origin.as_ref().expect("server is authenticated"); let origin = body.origin.as_ref().expect("server is authenticated");

View file

@ -7,8 +7,7 @@ pub mod json;
pub mod sys; pub mod sys;
use std::{ use std::{
cmp, cmp::{self, Ordering},
cmp::Ordering,
time::{SystemTime, UNIX_EPOCH}, time::{SystemTime, UNIX_EPOCH},
}; };

View file

@ -37,7 +37,6 @@ pub(crate) fn build(server: &Arc<Server>) -> io::Result<Router> {
let layers = layers let layers = layers
.sensitive_headers([header::AUTHORIZATION]) .sensitive_headers([header::AUTHORIZATION])
.sensitive_request_headers([HeaderName::from_static("x-forwarded-for")].into())
.layer(axum::middleware::from_fn_with_state(Arc::clone(server), request::spawn)) .layer(axum::middleware::from_fn_with_state(Arc::clone(server), request::spawn))
.layer( .layer(
TraceLayer::new_for_http() TraceLayer::new_for_http()