RocketChat · kodiakhq · Aug 21, 2024 · Jun 1, 2024 · Jun 1, 2024 · Jun 1, 2024
diff --git a/.gitignore b/.gitignore
@@ -50,3 +50,6 @@ yarn-error.log*
 *.sublime-workspace
 
 **/.vim/
+
+data/
+registration.yaml
diff --git a/apps/meteor/app/api/server/v1/federation.ts b/apps/meteor/app/api/server/v1/federation.ts
@@ -22,3 +22,21 @@ API.v1.addRoute(
 		},
 	},
 );
+
+API.v1.addRoute(
+	'federation/configuration.verify',
+	{ authRequired: true, permissionsRequired: ['view-privileged-setting'] },
+	{
+		async get() {
+			const service = License.hasValidLicense() ? FederationEE : Federation;
+
+			const status = await service.configurationStatus();
+
+			if (!status.externalReachability.ok || !status.appservice.ok) {
+				return API.v1.failure(status);
+			}
+
+			return API.v1.success(status);
+		},
+	},
+);
diff --git a/apps/meteor/app/lib/server/index.ts b/apps/meteor/app/lib/server/index.ts
@@ -49,5 +49,6 @@ import './methods/unarchiveRoom';
 import './methods/unblockUser';
 import './methods/updateMessage';
 import './methods/saveCustomFields';
+import './methods/checkFederationConfiguration';
 
 export * from './lib';
diff --git a/apps/meteor/app/lib/server/methods/checkFederationConfiguration.ts b/apps/meteor/app/lib/server/methods/checkFederationConfiguration.ts
@@ -0,0 +1,80 @@
+import { Federation, FederationEE, Authorization } from '@rocket.chat/core-services';
+import type { ServerMethods } from '@rocket.chat/ddp-client';
+import { License } from '@rocket.chat/license';
+import { Meteor } from 'meteor/meteor';
+
+declare module '@rocket.chat/ddp-client' {
+	// eslint-disable-next-line @typescript-eslint/naming-convention
+	interface ServerMethods {
+		checkFederationConfiguration(): Promise<{ message: string }>;
+	}
+}
+
+Meteor.methods<ServerMethods>({
+	async checkFederationConfiguration() {
+		const uid = Meteor.userId();
+
+		if (!uid) {
+			throw new Meteor.Error('error-invalid-user', 'Invalid user', {
+				method: 'checkFederationConfiguration',
+			});
+		}
+
+		if (!(await Authorization.hasPermission(uid, 'view-privileged-setting'))) {
+			throw new Meteor.Error('error-not-allowed', 'Action not allowed', {
+				method: 'checkFederationConfiguration',
+			});
+		}
+
+		const errors: string[] = [];
+
+		const successes: string[] = [];
+
+		const service = License.hasValidLicense() ? FederationEE : Federation;
+
+		const status = await service.configurationStatus();
+
+		if (status.externalReachability.ok) {
+			successes.push('homeserver configuration looks good');
+		} else {
+			let err = 'external reachability could not be verified';
+
+			const { error } = status.externalReachability;
+			if (error) {
+				err += `, error: ${error}`;
+			}
+
+			errors.push(err);
+		}
+
+		const {
+			roundTrip: { durationMs: duration },
+		} = status.appservice;
+
+		if (status.appservice.ok) {
+			successes.push(`appservice configuration looks good, total round trip time to homeserver ${duration}ms`);
+		} else {
+			errors.push(`failed to verify appservice configuration: ${status.appservice.error}`);
+		}
+
+		if (errors.length) {
+			void service.markConfigurationInvalid();
+
+			if (successes.length) {
+				const message = ['Configuration could only be partially verified'].concat(successes).concat(errors).join(', ');
+
+				throw new Meteor.Error('error-invalid-configuration', message, { method: 'checkFederationConfiguration' });
+			}
+
+			throw new Meteor.Error('error-invalid-configuration', ['Invalid configuration'].concat(errors).join(', '), {
+				method: 'checkFederationConfiguration',
+			});
+		}
+
+		void service.markConfigurationValid();
+
+		return {
+			message: ['All configuration looks good'].concat(successes).join(', '),
+		};
+	},
+});
diff --git a/apps/meteor/ee/server/local-services/federation/service.ts b/apps/meteor/ee/server/local-services/federation/service.ts
@@ -215,4 +215,20 @@ export class FederationServiceEE extends AbstractBaseFederationServiceEE impleme
 	async stopped(): Promise<void> {
 		return super.stopped();
 	}
+
+	public async verifyConfiguration() {
+		return super.verifyConfiguration();
+	}
+
+	public async markConfigurationValid() {
+		return super.markConfigurationValid();
+	}
+
+	public async markConfigurationInvalid() {
+		return super.markConfigurationInvalid();
+	}
+
+	public async configurationStatus() {
+		return super.configurationStatus();
+	}
 }
@@ -110,4 +110,5 @@ export interface IFederationBridge {
 		externalUserId: string,
 		externalRoomId: string,
 	): Promise<{ creator: { id: string; username: string }; name: string; joinedMembers: string[] } | undefined>;
+	ping(): Promise<{ duration_ms: number }>;
 }
@@ -24,6 +24,8 @@ let MatrixUserInstance: any;
 
 const DEFAULT_TIMEOUT_IN_MS_FOR_JOINING_ROOMS = 180000;
 
+const DEFAULT_TIMEOUT_IN_MS_FOR_PING_EVENT = 60 * 1000;
+
 export class MatrixBridge implements IFederationBridge {
 	protected bridgeInstance: Bridge;
 
@@ -44,6 +46,32 @@ export class MatrixBridge implements IFederationBridge {
 
 			if (!this.isRunning) {
 				await this.bridgeInstance.run(this.internalSettings.getBridgePort());
+
+				this.bridgeInstance.addAppServicePath({
+					method: 'POST',
+					path: '/_matrix/app/v1/ping',
+					checkToken: true,
+					handler: (_req, res, _next) => {
+						/*
+						 * https://spec.matrix.org/v1.11/application-service-api/#post_matrixappv1ping
+						 * Spec does not talk about what to do with the id. It is safe to ignore it as we are already checking for
+						 * homeserver token to be correct.
+						 * From the spec this might be a bit confusing, as it shows a txn id for post, but app service doing nothing with it afterwards
+						 * when receiving from the homeserver.
+						 * From spec directly -
+							AS ---> HS : /_matrix/client/v1/appservice/{appserviceId}/ping {"transaction_id": "meow"}
+								HS ---> AS : /_matrix/app/v1/ping {"transaction_id": "meow"}
+								HS <--- AS : 200 OK {}
+							AS <--- HS : 200 OK {"duration_ms": 123}
+						 * https://github.com/matrix-org/matrix-spec/blob/e53e6ea8764b95f0bdb738549fca6f9f3f901298/content/application-service-api.md?plain=1#L229-L232
+						 * Code - wise, also doesn't care what happens with the response.
+						 * https://github.com/element-hq/synapse/blob/cb6f4a84a6a8f2b79b80851f37eb5fa4c7c5264a/synapse/rest/client/appservice_ping.py#L80 - nothing done on return
+						 * https://github.com/element-hq/synapse/blob/cb6f4a84a6a8f2b79b80851f37eb5fa4c7c5264a/synapse/appservice/api.py#L321-L332 - not even returning the response, caring for just the http status code - https://github.com/element-hq/synapse/blob/cb6f4a84a6a8f2b79b80851f37eb5fa4c7c5264a/synapse/http/client.py#L532-L537
+						 */
+						res.status(200).json({});
+					},
+				});
+
 				this.isRunning = true;
 			}
 		} catch (err) {
@@ -657,6 +685,10 @@ export class MatrixBridge implements IFederationBridge {
 		return MatrixEnumSendMessageType.FILE;
 	}
 
+	private getMyHomeServerOrigin() {
+		return new URL(`https://${this.internalSettings.getHomeServerDomain()}`).hostname;
+	}
+
 	public async uploadContent(
 		externalSenderId: string,
 		content: Buffer,
@@ -724,6 +756,18 @@ export class MatrixBridge implements IFederationBridge {
 			controller: {
 				onEvent: (request) => {
 					const event = request.getData() as unknown as AbstractMatrixEvent;
+
+					console.log('event', event);
+
+					// TODO(debdut): can we ignore all events from out homeserver?
+					// This was added particularly to avoid duplicating messages.
+					// Messages sent from rocket.chat also causes a m.room.message event, which if gets to this bridge
+					// before the event id promise is resolved, the respective message does not get event id attached to them any longer,
+					// thus this event handler "resends" the message to the rocket.chat room (not to matrix though).
+					if (event.type === 'm.room.message' && this.extractHomeserverOrigin(event.sender) === this.getMyHomeServerOrigin()) {
+						return;
+					}
+
 					this.eventHandler(event);
 				},
 				onLog: (line, isError) => {
@@ -752,4 +796,22 @@ export class MatrixBridge implements IFederationBridge {
 			'de.sorunome.msc2409.push_ephemeral': registrationFile.enableEphemeralEvents,
 		};
 	}
+
+	public async ping(): Promise<{ duration_ms: number }> {
+		if (!this.isRunning || !this.bridgeInstance) {
+			throw new Error("matrix bridge isn't yet running");
+		}
+
+		return this.bridgeInstance.getIntent().matrixClient.doRequest(
+			'POST',
+			`/_matrix/client/v1/appservice/${this.internalSettings.getApplicationServiceId()}/ping`,
+			{},
+			/*
+			 * Empty txn id as it is optional, neither does the spec says exactly what to do with it.
+			 * https://github.com/matrix-org/matrix-spec/blob/1fc8f8856fe47849f90344cfa91601c984627acb/data/api/client-server/appservice_ping.yaml#L55-L56
+			 */
+			{},
+			DEFAULT_TIMEOUT_IN_MS_FOR_PING_EVENT,
+		);
+	}
 }
@@ -68,6 +68,17 @@ export class RocketChatSettingsAdapter {
 		return settings.get('Federation_Matrix_enable_ephemeral_events') === true;
 	}
 
+	public isConfigurationValid(): boolean {
+		return settings.get('Federation_Matrix_configuration_status') === 'Valid';
+	}
+
+	public async setConfigurationStatus(status: 'Valid' | 'Invalid'): Promise<void> {
+		const { modifiedCount } = await Settings.updateOne({ _id: 'Federation_Matrix_configuration_status' }, { $set: { value: status } });
+		if (modifiedCount) {
+			void notifyOnSettingChangedById('Federation_Matrix_configuration_status');
+		}
+	}
+
 	public onFederationEnabledStatusChanged(
 		callback: (
 			enabled: boolean,
@@ -205,7 +216,7 @@ export class RocketChatSettingsAdapter {
 		const siteUrl = settings.get<string>('Site_Url');
 
 		await settingsRegistry.add('Federation_Matrix_id', `rocketchat_${uniqueId}`, {
-			readonly: true,
+			readonly: process.env.NODE_ENV === 'production',
 			type: 'string',
 			i18nLabel: 'Federation_Matrix_id',
 			i18nDescription: 'Federation_Matrix_id_desc',
@@ -214,7 +225,7 @@ export class RocketChatSettingsAdapter {
 		});
 
 		await settingsRegistry.add('Federation_Matrix_hs_token', homeserverToken, {
-			readonly: true,
+			readonly: process.env.NODE_ENV === 'production',
 			type: 'string',
 			i18nLabel: 'Federation_Matrix_hs_token',
 			i18nDescription: 'Federation_Matrix_hs_token_desc',
@@ -223,7 +234,7 @@ export class RocketChatSettingsAdapter {
 		});
 
 		await settingsRegistry.add('Federation_Matrix_as_token', applicationServiceToken, {
-			readonly: true,
+			readonly: process.env.NODE_ENV === 'production',
 			type: 'string',
 			i18nLabel: 'Federation_Matrix_as_token',
 			i18nDescription: 'Federation_Matrix_as_token_desc',
@@ -287,5 +298,27 @@ export class RocketChatSettingsAdapter {
 			group: 'Federation',
 			section: 'Matrix Bridge',
 		});
+
+		await settingsRegistry.add('Federation_Matrix_configuration_status', 'Invalid', {
+			readonly: true,
+			type: 'string',
+			i18nLabel: 'Federation_Matrix_configuration_status',
+			i18nDescription: 'Federation_Matrix_configuration_status_desc',
+			public: false,
+			enterprise: false,
+			invalidValue: '',
+			group: 'Federation',
+			section: 'Matrix Bridge',
+		});
+
+		await settingsRegistry.add('Federation_Matrix_check_configuration_button', 'checkFederationConfiguration', {
+			type: 'action',
+			actionText: 'Federation_Matrix_check_configuration',
+			public: false,
+			enterprise: false,
+			invalidValue: '',
+			group: 'Federation',
+			section: 'Matrix Bridge',
+		});
 	}
 }
@@ -3,3 +3,5 @@ import { Logger } from '@rocket.chat/logger';
 const logger = new Logger('Federation_Matrix');
 
 export const federationBridgeLogger = logger.section('matrix_federation_bridge');
+
+export const federationServiceLogger = logger.section('matrix_federation_service');
@@ -30,7 +30,7 @@ async function returnMatrixClientJSON(_: IncomingMessage, res: ServerResponse) {
 
 	res.setHeader('content-type', 'application/json');
 
-	res.write(JSON.stringify({ 'm.homeserver': `${protocol}//${hostname}` }));
+	res.write(JSON.stringify({ 'm.homeserver': { base_url: `${protocol}//${hostname}` } }));
 
 	res.end();
 }