Reconcile state when processing incoming events during faster joins

In order to handle incoming events over federation during a faster join, we need to relax the auth rules. Specifically, we need to accept that we may not have the sender's membership in our view of the room state. However, it should be in the `auth_events`, and state-resolving the auth events against our view should give the right thing.
matrix-org · Jul 1, 2022 · 9f5baec · 9f5baec
1 parent 58fb17d
commit 9f5baec
Showing 1 changed file with 28 additions and 5 deletions.
diff --git a/synapse/handlers/federation_event.py b/synapse/handlers/federation_event.py
@@ -1528,13 +1528,36 @@ async def _check_event_auth(
         # https://spec.matrix.org/v1.3/server-server-api/#checks-performed-on-receipt-of-a-pdu:
         #   5. Passes authorization rules based on the state before the event,
         #      otherwise it is rejected.
-        event_types = event_auth.auth_types_for_event(event.room_version, event)
-        prev_state_ids = await context.get_prev_state_ids(
-            StateFilter.from_types(event_types)
-        )
+        #
+        # ... however, if we only have partial state for the room, then there is a good
+        # chance that we'll be missing some of the state needed to auth the new event.
+        # So, we state-resolve the auth event that we are given against the state that
+        # we know about, which ensures things like bans are applied.
+        if context.partial_state:
+            room_version = await self._store.get_room_version_id(event.room_id)
+
+            local_state_id_map = await context.get_prev_state_ids()
+            claimed_auth_events_id_map = {
+                (ev.type, ev.state_key): ev.event_id for ev in claimed_auth_events
+            }
+
+            state_for_auth_id_map = (
+                await self._state_resolution_handler.resolve_events_with_store(
+                    event.room_id,
+                    room_version,
+                    [local_state_id_map, claimed_auth_events_id_map],
+                    event_map=None,
+                    state_res_store=StateResolutionStore(self._store),
+                )
+            )
+        else:
+            event_types = event_auth.auth_types_for_event(event.room_version, event)
+            state_for_auth_id_map = await context.get_prev_state_ids(
+                StateFilter.from_types(event_types)
+            )
 
         calculated_auth_event_ids = self._event_auth_handler.compute_auth_events(
-            event, prev_state_ids, for_verification=True
+            event, state_for_auth_id_map, for_verification=True
         )
 
         # if those are the same, we're done here.