Add support for MSC4293 - Redact on Kick/Ban

[H-Shay]

Adds support for MSC4293

[tulir]

Does synapse already pass through the field from /ban requests to the member event?

[H-Shay]

Does synapse already pass through the field from /ban requests to the member event?

it does not, I have added support for that as well, missed it the first go around.

[anoadragon453]

Not a complete review, as I still need to look at tests and the DB updates. But a solid start!

Also be aware that I typically advise people to aim for writing Complement tests when implementing unstable MSCs, such that other homeserver implementations can test against it when it comes time for them to implement the feature.

You don't need to do it here as you've already written a lot of unit tests, but for future reference.

[anoadragon453]

Since we're not actually setting internal_metadata.soft_failed in the msc4293_enabled-related code, I'm not sure if it makes sense for the checks to be in this function.

We might even still hit _persist_events_and_state_updates code later on, event if an event is soft failed(?).

[H-Shay]

My rationale for putting this check here was that this check only applies to events coming in over federation - if a request to send a message into a room the user is banned from comes over the cs api it will just be denied - thus we don't need to worry about redacting it. In this case, however, since the request comes over federation the event is soft-failed but still created, so we need to redact it. I chose this particular location because I was looking for a place where we had already pulled and calculated the state for event, as I was trying to avoid adding database calls if at all possible. If that's not a strong enough rationale for adding it here I can find another place!

[anoadragon453]

I see, that is very handy. My hangup is that the logic we're doing for redactions here doesn't result in any soft fails occurring.

One way we could refactor this is to take all of the auth DAG calculation out of _check_for_soft_fail and put that in a _get_current_auth_events function. Then pass the result of that to _check_for_soft_fail and, i.e. _check_for_redacted_sender.

[H-Shay]

Build errors are odd, I wonder if they are related to #18559 , as the errors mention base64:

Building editable for matrix-synapse (pyproject.toml) did not run successfully.
    │ exit code: 1
    ╰─> [48 lines of output]
        A setup.py file already exists. Using it.
        running build_ext
        running build_rust
        error: failed to parse lock file at: /home/runner/work/synapse/synapse/Cargo.lock
        
        Caused by:
          package `base64` is specified twice in the lockfile
        error: `cargo metadata --manifest-path rust/Cargo.toml --format-version 1` failed with code 101

Otherwise I am not sure what I did to cause these

[erikjohnston]

Sorry, I broke develop :(

This PR should fix it #18561

[turt2live]

drive-by SCT review to meet implementation requirements on the MSC. Overall, looks great - thank you!

The major detail would be removal of the event type filters, but that looks trivial enough to consider the MSC implemented regardless.

[H-Shay]

@anoadragon453 just checking that this is still on your radar

[erikjohnston]

I'm wondering if this is the right architecture for dealing with such redactions. Pulling out all events sent by the user has a few potential issues: a) if there are a lot of events it might take a lot of time, and b) won't redact events that we haven't backfilled over federation yet. The MSC also seems to suggest that events should get unredacted if the ban is replaced with another state event without a redactions?

An alternate method may be to have a separate table that is room_redactions(room_id, sender), which we then check (as well as redactions table) when fetching the event? The new room_redactions would be updated when we add the ban/kick to the current_state_events table, and removed if it gets replaced?

[turt2live]

The MSC also seems to suggest that events should get unredacted if the ban is replaced with another state event without a redactions?

They shouldn't get unredacted, but the auto-redaction should cease for newly received events. I'll try to clarify this in the MSC itself.

An example series of events:

1. Alice sends a message
2. Bob bans Alice, with redact_events: true
3. [Servers and clients redact Alice's message in step 1]
4. Due to propagation delays, Alice's second message arrives after the ban. The server (and client, if it received it) redacts that message too.
5. Later, Bob unbans Alice, setting redact_events: false
6. Again due to propagation delays, or because Alice rejoined, Alice's third message arrives. It is not redacted.

The messages in steps 1 and 4 remain redacted even after step 5.

[anoadragon453]

Agree with Erik's comment above.

Otherwise some minor notes on the current code - which is a lot more readable, thank you!

[anoadragon453]

So self-bans would never appear in auth_events, is that correct?

[anoadragon453]

Sanity check:

Suggested change

	or event.type != EventTypes.Member
	or event.type != EventTypes.Member
	or event.state_key is None

[anoadragon453]

Suggested change

	if sender_level > redact_level:
	if sender_level >= redact_level:

[anoadragon453]

Suggested change

	value_values = [
	(self._clock.time_msec(),) for x in ids_to_redact
	]
	time_now_ms = self._clock.time_msec()
	value_values = [
	(time_now_ms,) for x in ids_to_redact
	]

rather than calling self._clock.time_msec() repeatedly.

[anoadragon453]

Is redacts unique? I feel you could have multiple redactions redacting a single event.

[anoadragon453]

I see, that is very handy. My hangup is that the logic we're doing for redactions here doesn't result in any soft fails occurring.

One way we could refactor this is to take all of the auth DAG calculation out of _check_for_soft_fail and put that in a _get_current_auth_events function. Then pass the result of that to _check_for_soft_fail and, i.e. _check_for_redacted_sender.