Apply the federation_ip_range_blacklist to push and key revocation requests

[clokep]

This fixes an oversight in the application of the federation_ip_range_blacklist which was not correctly being applied to push servers or to key revocation requests.

As part of this I abstracted / cleaned-up some of the code dealing with HTTP clients and the IP range blacklists.

Full list of changes:

• Applies federation_ip_range_blacklist to push, key revocation, and well-known requests.
  • Note that well-known requests were already protected by connecting to these servers due to a confusing way that DNS resolution is done in Twisted. I thought it best to apply it explicitly here.
• Updates the identity server requests (which already used the blacklist) to use the new shared code.
• Abstracts the wrapping code for blocking DNS resolution to blacklisted IPs. (This was copied and pasted in a couple of spots.)
• Renames get_http_client to get_federation_http_client for clarity (and moves this code so all the HTTP client getters are together).

This should be reviewable commit-by-commit.

After this change there's a few things still using HTTP clients without a blacklist:

• get_simple_http_client:
  • Replication -- only connects to IPs given in the configuration.
  • Module API -- this is given to various plugins which are responsibility for handling this themselves.
• get_proxied_http_client, note that these all user URLs provided via the config.
  • CAS / OIDC queries. (Note that OIDC the exact URL isn't provided in the config, but it is somewhat assumed the SSO server is "trusted" in what it returns.)
  • Phone home stats.
  • reCAPTCHA auth checker

[richvdh]

generally seems sensible, but I has thoughts.

[richvdh]

we should be clearer about what sort of "key" this is talking about. It might be clearer to say "for checking key validitity for third-party invite events".

[richvdh]

... which github seems to have eaten. so, here they are again.

• It's not obvious to me that we should be using the federation_ip_blacklist for push and third-party-invite foo, which are really nothing to do with federation. (I could say the same for id servers, but that ship has somewhat sailed.) Maybe it would be better to have a separate option ip_blacklist, which either replaces federation_ip_blacklist, or which federation_ip_blacklist overrides, if specified. Backwards-compat could be a bit fiddly though.

• It seems BlacklistingAgentWrapper is essentially redundant, since HostnameEndpoint sends even IP addresses to the resolver which will trap any blacklisted endpoints. (Is that correct? Has it always been correct? I feel like there was a good reason for having to do this twice? Maybe it's just for clearer logging/errors?) If so, it might be better to capitalise on that and do away with the agent wrapper, rather than having to remember to keep the two parts of blacklisting in sync.

• This is probably out of scope here, but the whole blacklisting arrangement feels fiddly and fragile. Maybe it would be better to construct our Agents with a different EndpointFactory, which can return endpoints which are a bit like HostnameEndpoint but can check addresses against the blacklist just before connecting.

[clokep]

It's not obvious to me that we should be using the federation_ip_blacklist for push and third-party-invite foo, which are really nothing to do with federation. (I could say the same for id servers, but that ship has somewhat sailed.) Maybe it would be better to have a separate option ip_blacklist, which either replaces federation_ip_blacklist, or which federation_ip_blacklist overrides, if specified. Backwards-compat could be a bit fiddly though.

I went back and forth on this a bit and was originally planning to make it separate, but then saw that ID servers used the same setting. I think having a new option which applies to federation, ID servers, push, and key revocation is reasonable. The backwards compatibility path wold use federation_ip_blacklist if it exists, but only for federation / ID servers.

It seems BlacklistingAgentWrapper is essentially redundant, since HostnameEndpoint sends even IP addresses to the resolver which will trap any blacklisted endpoints. (Is that correct? Has it always been correct? I feel like there was a good reason for having to do this twice? Maybe it's just for clearer logging/errors?) If so, it might be better to capitalise on that and do away with the agent wrapper, rather than having to remember to keep the two parts of blacklisting in sync.

I believe this is correct. I don't know if it has always been correct, but I think that has always been Twisted's logic. I wonder if this code was added in-case IP addresses were no longer sent to the resolver in the future? I'll take another look and see what I can do to clarify this code.

This is probably out of scope here, but the whole blacklisting arrangement feels fiddly and fragile. Maybe it would be better to construct our Agents with a different EndpointFactory, which can return endpoints which are a bit like HostnameEndpoint but can check addresses against the blacklist just before connecting.

This sounds more ideal, although I think you still need to handle the resolution of names to IPs and blacklisting those outside of the endpoint? Maybe not though, I'll look into if it is reasonable!

[clokep]

I made the config changes that were requested.

I'm still investigating whether this could use a custom EndpointFactory instead, it seems the interactions with the ProxyAgent (and MatrixFederationAgent only kind of being an Agent) might make this hard though.

I'm hoping to at least wrap things a bit nicer so you only have to call a single blacklisting wrapper instead of two.

[clokep]

It seems BlacklistingAgentWrapper is essentially redundant, since HostnameEndpoint sends even IP addresses to the resolver which will trap any blacklisted endpoints. (Is that correct? Has it always been correct? I feel like there was a good reason for having to do this twice? Maybe it's just for clearer logging/errors?) If so, it might be better to capitalise on that and do away with the agent wrapper, rather than having to remember to keep the two parts of blacklisting in sync.

I believe this is correct. I don't know if it has always been correct, but I think that has always been Twisted's logic. I wonder if this code was added in-case IP addresses were no longer sent to the resolver in the future? I'll take another look and see what I can do to clarify this code.

It seems this was added and discussed when this was added: https://github.com/matrix-org/synapse/pull/4215/files#r243271396, it seems the last question wasn't really answered though.

Looking through the Twisted agent code, the following happens:

1. The Agent by default instantiates an endpoint factory using _StandardEndpointFactory.
2. The _StandardEndpointFactory unconditionally creates HostnameEndpoint instances (sometimes those get wrapped for TLS, but that doesn't change this logic).
3. The HostnameEndpoint unconditionally calls resolveHostName on the reactor. (See the logic for choosing a name resolver, but in our case it will always use reactor.nameResolver.)

Unless it is considered a bug that HostnameResolver calls resolveHostName for IP addresses than I believe the agent wrapper is duplicative. A difference to note is that the BlacklistingAgentWrapper does allow for a specific error message to be raised, while the IPBlacklistingResolver can only pretend that the host could not be resolved.

To the follow-on question about whether we should be using a custom endpoint. I think this is possible, but would require quite a bit of refactoring since the ProxyAgent, which is used by SimpleHttpClient, uses it's own type of endpoints. I do wonder if using the blacklist + the proxy even makes sense though. If you are using a proxy I would expect the proxy to do any blacklisting for you? I think with that change it would be reasonable to use a custom endpoint instead, which would clean-up this code quite a bit.

[clokep]

I debated how much to mention federation_ip_range_blacklist at all. I suspect we'll want to add something to the upgrade notes. The current implementation actually lets you provide two different blacklists (one for push/key validity and one for federation/identity servers). I'm unsure if we should make that a feature (and document it) or if that's an implementation detail and federation_ip_range_blacklist is deprecated. 😄

[richvdh]

I vote for the latter :)

[clokep]

@richvdh Requesting your review again, please take a look at the previous comment and let me know if you think additional changes are needed here, in particular I'm unsure about trying to remove BlacklistingAgentWrapper (see #8821 (comment)) and would appreciate further thoughts from you!

[richvdh]

this sentence no verb

[richvdh]

I vote for the latter :)

[richvdh]

lgtm.

[richvdh]

Unless it is considered a bug that HostnameResolver calls resolveHostName for IP addresses than I believe the agent wrapper is duplicative.

I don't think it's a bug; and if that behaviour ever changes, then I think we'd quickly catch it in our tests, so I would favour the simplicity that comes from removing it. However...

A difference to note is that the BlacklistingAgentWrapper does allow for a specific error message to be raised, while the IPBlacklistingResolver can only pretend that the host could not be resolved.

I suspect this makes it worth keeping. "Unknown host" is an extremely confusing error message, particularly when the "host" in question is an IP address.

I do wonder if using the blacklist + the proxy even makes sense though. If you are using a proxy I would expect the proxy to do any blacklisting for you?

I think it has to, since (with the exception of literal IP addresses) it's only the proxy that sees the IP addresses in question?

So a custom endpoint type is probably the ultimate solution here - but it's a matter for a separate PR.

[clokep]

Thanks! I'll file a follow-up about the endpoint stuff.

[clokep]

Thanks! I'll file a follow-up about the endpoint stuff.

See #8860.