Add enable_room_list_search and enable_trusted_key_servers (ISD-1263 …

…ISD-1266) (#119)

config.yaml

@@ -21,6 +21,12 @@ options:
       Defaults to true. If Synapse uses a single sign-on provider for
       authentication, this option can be used to disable the regular login
       flow.
+  enable_room_list_search:
+    type: boolean
+    default: true
+    description: |
+      When disabled, blocks searching local and remote room lists for local and
+      remote users by always returning an empty list for all queries.
   federation_domain_whitelist:
     type: string
     description: Comma separated list of domains to be allowed to federate.
@@ -72,3 +78,7 @@ options:
     type: string
     description: The username if the SMTP server requires authentication.
     default: ''
+  trusted_key_servers:
+    type: string
+    description: Comma separated list of trusted servers to download signing
+      keys from. Synapse configuration sets default to matrix.org.

src-docs/charm_state.py.md

@@ -64,7 +64,7 @@ Get charm proxy information from juju charm environment.
 
 ---
 
-<a href="../src/charm_state.py#L168"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/charm_state.py#L174"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>classmethod</kbd> `from_charm`
 
@@ -124,6 +124,7 @@ Represent Synapse builtin configuration values.
  - <b>`allow_public_rooms_over_federation`</b>:  allow_public_rooms_over_federation config. 
  - <b>`enable_mjolnir`</b>:  enable_mjolnir config. 
  - <b>`enable_password_config`</b>:  enable_password_config config. 
+ - <b>`enable_room_list_search`</b>:  enable_room_list_search config. 
  - <b>`federation_domain_whitelist`</b>:  federation_domain_whitelist config. 
  - <b>`ip_range_whitelist`</b>:  ip_range_whitelist config. 
  - <b>`public_baseurl`</b>:  public_baseurl config. 
@@ -135,13 +136,14 @@ Represent Synapse builtin configuration values.
  - <b>`smtp_pass`</b>:  password to authenticate to SMTP host. 
  - <b>`smtp_port`</b>:  SMTP port. 
  - <b>`smtp_user`</b>:  username to authenticate to SMTP host. 
+ - <b>`trusted_key_servers`</b>:  trusted_key_servers config. 
 
 
 
 
 ---
 
-<a href="../src/charm_state.py#L102"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/charm_state.py#L108"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>classmethod</kbd> `set_default_smtp_notif_from`
 
@@ -168,7 +170,7 @@ Set server_name as default value to smtp_notif_from.
 
 ---
 
-<a href="../src/charm_state.py#L121"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/charm_state.py#L127"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>classmethod</kbd> `to_yes_or_no`
 

src-docs/pebble.py.md

@@ -33,7 +33,7 @@ Initialize the pebble service.
 
 ---
 
-<a href="../src/pebble.py#L76"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/pebble.py#L77"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>function</kbd> `change_config`
 
@@ -57,7 +57,7 @@ Change the configuration.
 
 ---
 
-<a href="../src/pebble.py#L111"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/pebble.py#L118"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>function</kbd> `enable_saml`
 
@@ -117,7 +117,7 @@ Replan Synapse NGINX service.
 
 ---
 
-<a href="../src/pebble.py#L127"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/pebble.py#L134"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ### <kbd>function</kbd> `reset_instance`
 

src/charm_state.py

@@ -62,6 +62,7 @@ class SynapseConfig(BaseModel):  # pylint: disable=too-few-public-methods
         allow_public_rooms_over_federation: allow_public_rooms_over_federation config.
         enable_mjolnir: enable_mjolnir config.
         enable_password_config: enable_password_config config.
+        enable_room_list_search: enable_room_list_search config.
         federation_domain_whitelist: federation_domain_whitelist config.
         ip_range_whitelist: ip_range_whitelist config.
         public_baseurl: public_baseurl config.
@@ -73,11 +74,13 @@ class SynapseConfig(BaseModel):  # pylint: disable=too-few-public-methods
         smtp_pass: password to authenticate to SMTP host.
         smtp_port: SMTP port.
         smtp_user: username to authenticate to SMTP host.
+        trusted_key_servers: trusted_key_servers config.
     """
 
     allow_public_rooms_over_federation: bool = False
     enable_mjolnir: bool = False
     enable_password_config: bool = True
+    enable_room_list_search: bool = True
     federation_domain_whitelist: str | None = Field(None)
     ip_range_whitelist: str | None = Field(None, regex=r"^[\.:,/\d]+\d+(?:,[:,\d]+)*$")
     public_baseurl: str | None = Field(None)
@@ -89,6 +92,9 @@ class SynapseConfig(BaseModel):  # pylint: disable=too-few-public-methods
     smtp_pass: str | None = Field(None)
     smtp_port: int | None = Field(None)
     smtp_user: str | None = Field(None)
+    trusted_key_servers: str | None = Field(
+        None, regex=r"^[A-Za-z0-9][A-Za-z0-9-.]*(?:,[A-Za-z0-9][A-Za-z0-9-.]*)*\.\D{2,4}$"
+    )
 
     class Config:  # pylint: disable=too-few-public-methods
         """Config class.

src/pebble.py

@@ -73,7 +73,8 @@ def replan_mjolnir(self, container: ops.model.Container) -> None:
         container.add_layer("synapse-mjolnir", self._mjolnir_pebble_layer, combine=True)
         container.replan()
 
-    def change_config(self, container: ops.model.Container) -> None:
+    # The complexity of this method will be reviewed.
+    def change_config(self, container: ops.model.Container) -> None:  # noqa: C901
         """Change the configuration.
 
         Args:
@@ -99,6 +100,12 @@ def change_config(self, container: ops.model.Container) -> None:
                 )
             if self._charm_state.synapse_config.allow_public_rooms_over_federation:
                 synapse.enable_allow_public_rooms_over_federation(container=container)
+            if not self._charm_state.synapse_config.enable_room_list_search:
+                synapse.disable_room_list_search(container=container)
+            if self._charm_state.synapse_config.trusted_key_servers:
+                synapse.enable_trusted_key_servers(
+                    container=container, charm_state=self._charm_state
+                )
             if self._charm_state.synapse_config.ip_range_whitelist:
                 synapse.enable_ip_range_whitelist(
                     container=container, charm_state=self._charm_state

src/synapse/__init__.py

@@ -54,13 +54,15 @@
     check_ready,
     create_mjolnir_config,
     disable_password_config,
+    disable_room_list_search,
     enable_allow_public_rooms_over_federation,
     enable_federation_domain_whitelist,
     enable_ip_range_whitelist,
     enable_metrics,
     enable_saml,
     enable_serve_server_wellknown,
     enable_smtp,
+    enable_trusted_key_servers,
     execute_migrate_config,
     get_environment,
     get_registration_shared_secret,

src/synapse/workload.py

@@ -328,6 +328,24 @@ def disable_password_config(container: ops.Container) -> None:
         raise WorkloadError(str(exc)) from exc
 
 
+def disable_room_list_search(container: ops.Container) -> None:
+    """Change the Synapse configuration to disable room_list_search.
+
+    Args:
+        container: Container of the charm.
+
+    Raises:
+        WorkloadError: something went wrong disabling room_list_search.
+    """
+    try:
+        config = container.pull(SYNAPSE_CONFIG_PATH).read()
+        current_yaml = yaml.safe_load(config)
+        current_yaml["enable_room_list_search"] = False
+        container.push(SYNAPSE_CONFIG_PATH, yaml.safe_dump(current_yaml))
+    except ops.pebble.PathError as exc:
+        raise WorkloadError(str(exc)) from exc
+
+
 def enable_serve_server_wellknown(container: ops.Container) -> None:
     """Change the Synapse configuration to enable server wellknown file.
 
@@ -359,11 +377,35 @@ def enable_federation_domain_whitelist(container: ops.Container, charm_state: Ch
     try:
         config = container.pull(SYNAPSE_CONFIG_PATH).read()
         current_yaml = yaml.safe_load(config)
-        if charm_state.synapse_config.federation_domain_whitelist is not None:
-            current_yaml["federation_domain_whitelist"] = [
-                item.strip()
-                for item in charm_state.synapse_config.federation_domain_whitelist.split(",")
-            ]
+        federation_domain_whitelist = charm_state.synapse_config.federation_domain_whitelist
+        if federation_domain_whitelist is not None:
+            current_yaml["federation_domain_whitelist"] = _create_tuple_from_string_list(
+                federation_domain_whitelist
+            )
+            container.push(SYNAPSE_CONFIG_PATH, yaml.safe_dump(current_yaml))
+    except ops.pebble.PathError as exc:
+        raise WorkloadError(str(exc)) from exc
+
+
+def enable_trusted_key_servers(container: ops.Container, charm_state: CharmState) -> None:
+    """Change the Synapse configuration to set trusted_key_servers.
+
+    Args:
+        container: Container of the charm.
+        charm_state: Instance of CharmState.
+
+    Raises:
+        WorkloadError: something went wrong enabling configuration.
+    """
+    try:
+        config = container.pull(SYNAPSE_CONFIG_PATH).read()
+        current_yaml = yaml.safe_load(config)
+        trusted_key_servers = charm_state.synapse_config.trusted_key_servers
+        if trusted_key_servers is not None:
+            current_yaml["trusted_key_servers"] = tuple(
+                {"server_name": f"{item}"}
+                for item in _create_tuple_from_string_list(trusted_key_servers)
+            )
             container.push(SYNAPSE_CONFIG_PATH, yaml.safe_dump(current_yaml))
     except ops.pebble.PathError as exc:
         raise WorkloadError(str(exc)) from exc
@@ -387,16 +429,16 @@ def enable_allow_public_rooms_over_federation(container: ops.Container) -> None:
         raise WorkloadError(str(exc)) from exc
 
 
-def _create_ip_range_whitelist(ip_range_whitelist: str) -> list[str]:
+def _create_tuple_from_string_list(string_list: str) -> tuple[str, ...]:
     """Format IP range whitelist.
 
     Args:
-        ip_range_whitelist: ip_range_whitelist configuration.
+        string_list: comma separated list configuration.
 
     Returns:
-        IP range whitelist as expected by Synapse or None.
+        Tuple as expected by Synapse.
     """
-    return [item.strip() for item in ip_range_whitelist.split(",")]
+    return tuple(item.strip() for item in string_list.split(","))
 
 
 def enable_ip_range_whitelist(container: ops.Container, charm_state: CharmState) -> None:
@@ -416,7 +458,7 @@ def enable_ip_range_whitelist(container: ops.Container, charm_state: CharmState)
         if ip_range_whitelist is None:
             logger.warning("enable_ip_range_whitelist called but config is empty")
             return
-        current_yaml["ip_range_whitelist"] = _create_ip_range_whitelist(ip_range_whitelist)
+        current_yaml["ip_range_whitelist"] = _create_tuple_from_string_list(ip_range_whitelist)
         container.push(SYNAPSE_CONFIG_PATH, yaml.safe_dump(current_yaml))
     except ops.pebble.PathError as exc:
         raise WorkloadError(str(exc)) from exc