Make central IS opt-in (#80)

This commit is contained in:
Max Dor
2018-05-31 13:24:00 +02:00
committed by GitHub
parent b613415dc4
commit 778449e7df
7 changed files with 69 additions and 44 deletions

View File

@@ -47,18 +47,33 @@ key.path: ''
storage.provider.sqlite.database: '/path/to/mxisd.db' storage.provider.sqlite.database: '/path/to/mxisd.db'
####################
# Fallback servers #
####################
#
# Root/Central servers to be used as final fallback when performing lookups.
# By default, for privacy reasons, matrix.org servers are not enabled anymore.
# See the following issue: https://github.com/kamax-io/mxisd/issues/76
#
# If you would like to use them and trade away your privacy for convenience, uncomment the following option:
#
#forward.servers: ['matrix-org']
################ ################
# LDAP Backend # # LDAP Backend #
################ ################
# If you would like to integrate with your AD/Samba/LDAP server, # If you would like to integrate with your AD/Samba/LDAP server,
# see https://github.com/kamax-io/mxisd/blob/master/docs/backends/ldap.md # see https://github.com/kamax-io/mxisd/blob/master/docs/backends/ldap.md
############### ###############
# SQL Backend # # SQL Backend #
############### ###############
# If you would like to integrate with a MySQL/MariaDB/PostgreQL/SQLite DB, # If you would like to integrate with a MySQL/MariaDB/PostgreQL/SQLite DB,
# see https://github.com/kamax-io/mxisd/blob/master/docs/backends/sql.md # see https://github.com/kamax-io/mxisd/blob/master/docs/backends/sql.md
################ ################
# REST Backend # # REST Backend #
################ ################

View File

@@ -18,12 +18,9 @@ TCP 443
| +-------------------+ | +-------------------+
TCP 8090 +-> | mxisd | TCP 8090 +-> | mxisd |
| | | |
| - Profile's 3PIDs >----+ | - Profile's 3PIDs |
| - 3PID Invites | | +--------------------------+ | - 3PID Invites |
+-|-----------------+ +>----------> | Central Identity service | +-|-----------------+
| | TCP 443 | Matrix.org / Vector.im |
| | +--------------------------+
+>-------------------->+
| |
TCP 443 TCP 443
| +------------------------+ | +------------------------+

View File

@@ -19,8 +19,9 @@ started and answer questions you might have.
### Do I need to use mxisd if I run a Homeserver? ### Do I need to use mxisd if I run a Homeserver?
No, but it is strongly recommended, even if you don't use any Identity store or integration. No, but it is strongly recommended, even if you don't use any Identity store or integration.
In its default configuration, mxisd will talk to the central Matrix Identity servers and use other federated public In its default configuration, mxisd uses other federated public servers when performing queries.
servers when performing queries, giving you access to at least the same information as if you were not running it. It can also [be configured](features/identity.md#lookups) to use the central matrix.org servers, giving you access to at
least the same information as if you were not running it.
It will also give your users a choice to make their 3PIDs available publicly, ensuring they are made aware of the It will also give your users a choice to make their 3PIDs available publicly, ensuring they are made aware of the
privacy consequences, which is not the case with the central Matrix.org servers. privacy consequences, which is not the case with the central Matrix.org servers.
@@ -70,18 +71,15 @@ So really, you should go with mxisd.
### Will I loose access to the central Matrix.org/Vector.im Identity data if I use mxisd? ### Will I loose access to the central Matrix.org/Vector.im Identity data if I use mxisd?
No. No.
In its default configuration, mxisd act as a proxy to Matrix.org/Vector.im. You will have access to the same data and In its default configuration, mxisd does not talk to the central Identity server matrix.org to avoid leaking your private
behaviour than if you were using them directly. There is no downside in using mxisd with the default configuration. data and those of people you might know.
mxisd can also be configured not to talk to the central Identity servers if you wish. mxisd [can be configured](features/identity.md#lookups) to talk to the central Identity servers if you wish.
### So mxisd is just a big hack! I don't want to use non-official features! ### So mxisd is just a big hack! I don't want to use non-official features!
mxisd primary concern is to always be compatible with the Matrix ecosystem and the Identity service API. mxisd primary concerns are your privacy and to always be compatible with the Matrix ecosystem and the Identity service API.
Whenever the API will be updated and/or enhanced, mxisd will follow, remaining 100% compatible with the ecosystem. Whenever the API will be updated and/or enhanced, mxisd will follow, remaining 100% compatible with the ecosystem.
Therefore, using mxisd is a safe choice. It will be like using the central Matrix.org Identity servers, yet not closing
the door to a growing list of enhancements and integrations.
### Should I use mxisd if I don't host my own Homeserver? ### Should I use mxisd if I don't host my own Homeserver?
No. No.

View File

@@ -5,8 +5,8 @@ Federated Identity server using the DNS domain part of the 3PID.
Emails are the best candidate for this kind of resolution which are DNS domain based already. Emails are the best candidate for this kind of resolution which are DNS domain based already.
On the other hand, Phone numbers cannot be resolved this way. On the other hand, Phone numbers cannot be resolved this way.
For 3PIDs which are not compatible with the DNS system, mxisd will talk to the central Identity server of matrix.org by For 3PIDs which are not compatible with the DNS system, mxisd can be configured to talk to fallback Identity servers like
default. the central matrix.org one. See the [Identity feature](identity.md#lookups) for instructions on how to enable it.
Outbound federation is enabled by default while inbound federation is opt-in and require a specific DNS record. Outbound federation is enabled by default while inbound federation is opt-in and require a specific DNS record.
@@ -17,16 +17,14 @@ Outbound federation is enabled by default while inbound federation is opt-in and
| | | +------> +----------+ | | | +------> +----------+
| | | | | | | |
| Invites / Lookups | | | | Invites / Lookups | | |
Federated | +--------+ | | | +-------------------+ Federated | +--------+ | | |
Identity ---->| Remote |>-----------+ +------> | Remote Federated | Identity ---->| Remote |>-----------+ |
Server | +--------+ | | | mxisd servers | Server | +--------+ | |
| | | +-------------------+ | | |
| +--------+ | | | +--------+ | | +-------------------+
Homeserver --->| Local |>------------------+ Homeserver --->| Local |>------------------+------> | Remote Federated |
and clients | +--------+ | | +--------------------------+ and clients | +--------+ | | mxisd servers |
+-------------------+ +------> | Central Identity service | +-------------------+ +-------------------+
| Matrix.org / Vector.im |
+--------------------------+
``` ```
## Inbound ## Inbound

View File

@@ -3,6 +3,16 @@
Implementation of the [Unofficial Matrix Identity Service API](https://kamax.io/matrix/api/identity_service/unstable.html). Implementation of the [Unofficial Matrix Identity Service API](https://kamax.io/matrix/api/identity_service/unstable.html).
## Lookups
If you would like to use the central matrix.org Identity server to ensure maximum discovery at the cost of potentially
leaking all your contacts information, add the following to your configuration:
```yaml
forward.servers:
- 'matrix-org'
```
**NOTE:** You should carefully consider enabling this option, which is discouraged.
For more info, see the [relevant issue](https://github.com/kamax-io/mxisd/issues/76).
## Room Invitations ## Room Invitations
Resolution can be customized using the following configuration: Resolution can be customized using the following configuration:

View File

@@ -21,6 +21,7 @@
package io.kamax.mxisd.lookup.provider; package io.kamax.mxisd.lookup.provider;
import io.kamax.mxisd.config.ForwardConfig; import io.kamax.mxisd.config.ForwardConfig;
import io.kamax.mxisd.config.MatrixConfig;
import io.kamax.mxisd.lookup.SingleLookupReply; import io.kamax.mxisd.lookup.SingleLookupReply;
import io.kamax.mxisd.lookup.SingleLookupRequest; import io.kamax.mxisd.lookup.SingleLookupRequest;
import io.kamax.mxisd.lookup.ThreePidMapping; import io.kamax.mxisd.lookup.ThreePidMapping;
@@ -42,6 +43,9 @@ class ForwarderProvider implements IThreePidProvider {
@Autowired @Autowired
private ForwardConfig cfg; private ForwardConfig cfg;
@Autowired
private MatrixConfig mxCfg;
@Autowired @Autowired
private IRemoteIdentityServerFetcher fetcher; private IRemoteIdentityServerFetcher fetcher;
@@ -62,10 +66,13 @@ class ForwarderProvider implements IThreePidProvider {
@Override @Override
public Optional<SingleLookupReply> find(SingleLookupRequest request) { public Optional<SingleLookupReply> find(SingleLookupRequest request) {
for (String root : cfg.getServers()) { for (String label : cfg.getServers()) {
Optional<SingleLookupReply> answer = fetcher.find(root, request); for (String srv : mxCfg.getIdentity().getServers(label)) {
if (answer.isPresent()) { log.info("Using forward server {}", srv);
return answer; Optional<SingleLookupReply> answer = fetcher.find(srv, request);
if (answer.isPresent()) {
return answer;
}
} }
} }
@@ -77,13 +84,15 @@ class ForwarderProvider implements IThreePidProvider {
List<ThreePidMapping> mappingsToDo = new ArrayList<>(mappings); List<ThreePidMapping> mappingsToDo = new ArrayList<>(mappings);
List<ThreePidMapping> mappingsFoundGlobal = new ArrayList<>(); List<ThreePidMapping> mappingsFoundGlobal = new ArrayList<>();
for (String root : cfg.getServers()) { for (String label : cfg.getServers()) {
log.info("{} mappings remaining: {}", mappingsToDo.size(), mappingsToDo); for (String srv : mxCfg.getIdentity().getServers(label)) {
log.info("Querying {}", root); log.info("{} mappings remaining: {}", mappingsToDo.size(), mappingsToDo);
List<ThreePidMapping> mappingsFound = fetcher.find(root, mappingsToDo); log.info("Querying {}", srv);
log.info("{} returned {} mappings", root, mappingsFound.size()); List<ThreePidMapping> mappingsFound = fetcher.find(srv, mappingsToDo);
mappingsFoundGlobal.addAll(mappingsFound); log.info("{} returned {} mappings", srv, mappingsFound.size());
mappingsToDo.removeAll(mappingsFound); mappingsFoundGlobal.addAll(mappingsFound);
mappingsToDo.removeAll(mappingsFound);
}
} }
return mappingsFoundGlobal; return mappingsFoundGlobal;

View File

@@ -24,7 +24,7 @@ matrix:
domain: '' domain: ''
identity: identity:
servers: servers:
root: matrix-org:
- 'https://matrix.org' - 'https://matrix.org'
lookup: lookup:
@@ -174,9 +174,7 @@ wordpress:
threepid: 'SELECT DISTINCT user_login, display_name FROM wp_users WHERE user_email LIKE ?' threepid: 'SELECT DISTINCT user_login, display_name FROM wp_users WHERE user_email LIKE ?'
forward: forward:
servers: servers: []
- 'https://matrix.org'
- 'https://vector.im'
threepid: threepid:
medium: medium:
@@ -226,13 +224,13 @@ session:
toLocal: true toLocal: true
toRemote: toRemote:
enabled: true enabled: true
server: 'root' server: 'matrix-org'
forRemote: forRemote:
enabled: true enabled: true
toLocal: false toLocal: false
toRemote: toRemote:
enabled: true enabled: true
server: 'root' server: 'matrix-org'
notification: notification:
# handler: # handler: