Initial public commit

scripts/polmake.sh

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+set -u
+if [ -z "$EDITOR" ]; then echo "polmake: No EDITOR set in environment. Please set one :)" 1>&2; exit 1; fi
+ext=".yaml"
+
+newfile () {
+    local prev_mask="$(umask)"
+    umask 0077
+    local file="$(mktemp --suffix "$ext")"
+    umask "$prev_mask"
+    echo "$file"
+}
+
+extswap () {
+    local text="$(cat < /dev/stdin)"
+    if [ "$ext" == ".yaml" ]; then
+        echo "$text" | yq .
+    elif [ "$ext" == ".json" ]; then
+        echo "$text"
+    else
+        echo "polmake: Unsure how to process extension typeof \"$ext\"." 1>&2
+        exit 1
+    fi
+}
+
+file="$(newfile)"
+while :; do
+    set +u
+        $EDITOR "$file"
+    set -u
+
+    json="$(cat "$file")"
+    code="$?"
+    if [ "$code" != 0 ]; then exit 0; fi
+    if [ -z "$json" ]; then exit 0; fi
+    json="$(echo "$json" | extswap)"
+    echo "$json
+
+Type EDIT to open the editor
+Type SIGN to sign this policy
+Type QUIT to cancel"
+    read -p "> " cmd
+    if [ "$cmd" == "EDIT" ] || [ "$cmd" == "edit" ] || [ "$cmd" == "e" ]; then
+        continue
+    elif [ "$cmd" == "SIGN" ] || [ "$cmd" == "sign" ] || [ "$cmd" == "s" ]; then
+        rm "$file"
+        read -p "gpgid> " gpgid
+        ./polsign.sh "$gpgid" <<< "$json"
+        break
+    else
+        rm "$file"
+        break
+    fi
+done
+
+
+
+

scripts/polsign.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -u
+KEY_ID="$1"
+if [ -z "$KEY_ID" ]; then echo "polsign: A signing key id must be defined!" 1>&2; exit 255; fi
+# echo "{}" | mkpolicy key_id
+
+JSON="$(jq . < /dev/stdin)"
+if [ "$?" != "0" ]; then echo "polsign: Unexpected exit code when loading JSON from stdin: $?" 1>&2; exit 255; fi
+
+_JSON="$(echo "$JSON" | jq '{ rules: .rules, signature: null }' -c)"
+if [ "$?" != "0" ]; then echo "polsign: Unexpected exit code when stripping JSON: $?" 1>&2; exit 255; fi
+
+SIGNATURE="$(echo "$_JSON" | gpg --local-user "$KEY_ID" --sign --armor --detach-sig)"
+if [ "$?" != "0" ]; then echo "polsign: Unexpected exit code when signing JSON: $?" 1>&2; exit 255; fi
+
+SIGNED="$(jq --null-input \
+  --argjson event "$_JSON" \
+  --arg signature "$SIGNATURE" \
+  '$event * { signature: $signature }')"
+if [ "$?" != "0" ]; then echo "polsign: Unexpected exit code when signing JSON: $?" 1>&2; exit 255; fi
+
+echo "$SIGNED"
+
+

scripts/schema/config.yaml

@@ -0,0 +1,109 @@
+title: config.yaml
+type: object
+required: [ access_token, user_id, base_url, synapse_base_url, keyring, policy_rooms, actions ]
+properties:
+  base_url:
+    type: string
+    example: http://127.0.0.1:3080/_matrix
+    format: uri
+    pattern: ^https?://.+/_matrix$
+  synapse_base_url:
+    type: string
+    example: http://127.0.0.1:3880/_synapse
+    format: uri
+    pattern: ^https?://.+/_synapse$
+  keyring:
+    type: string
+    example: ./keyring.gpg
+  access_token:
+    type: string
+  dry_run:
+    type: boolean
+  user_id:
+    comment: 'The user_id tied to the access_token. Used for room shutdowns'
+    type: string
+    pattern: '@[\w\-]+:.+'
+  policy_rooms:
+    type: array
+    items:
+      type: string
+      pattern: '![\w\-]+:.+'
+  actions:
+    type: array
+    items:
+      type: object
+      oneOf:
+      - required: [ tag ]
+        properties:
+          tag: { type: string, pattern: ^\w+$ }
+      - required: [ tags ]
+        properties:
+          tags:
+            type: array
+            items: [ { type: string, pattern: ^\w+$ } ]
+      anyOf:
+      - required: [ user ]
+      - required: [ room ]
+      properties:
+        user:
+          properties:
+            archive:
+              properties:
+                media:
+                  comment: 'Save a copy of the identifiers for the last 255 media uploads by this user to disk. This does not save the actual uploads'
+                  type: boolean
+                rooms:
+                  comment: 'Save a copy of all rooms this user was participating in to disk.'
+                  type: boolean
+            deactivate:
+              type: boolean
+              comment: 'Deactivate the User'
+            notify:
+              comment: 'Create an audit log in the audit room about the user.'
+              type: boolean
+            quarantine:
+              comment: 'Quarantine all media uploaded by the user.'
+              type: boolean
+            # TODO: Add mjolnir list forwarding
+        room:
+          properties:
+            archive:
+              properties:
+                media:
+                  comment: 'Save a copy of the identifiers for the last 255 media uploads in this room to disk. This does not save the actual uploads'
+                  type: boolean
+                members:
+                  comment: 'Save a copy of all users that were participating in this room to disk.'
+                  type: boolean
+            delist:
+              comment: 'Remove the room from the room directory.'
+              type: boolean
+            notify:
+              comment: 'Create an audit log in the audit room about this room.'
+              type: boolean
+            reason:
+              comment: 'For shutdown. A publically visible reason.'
+              type: string
+            shutdown:
+              comment: 'Shutdown the room'
+              type: boolean
+            silent:
+              comment: 'For shutdown. If a notice room should not be created for the closed room.'
+              type: boolean
+            quarantine:
+              comment: 'Quarantine all media uploaded in the room.'
+              type: boolean
+
+
+
+
+
+
+
+
+
+
+
+
+
+

scripts/schema/policy.example.json

@@ -0,0 +1,15 @@
+{
+    "rules": [
+        {
+            "type": "m.room",
+            "entity": "!id:example.com",
+            "tags": [ "csam" ]
+        },
+        {
+            "type": "m.user",
+            "entity": "@user-_:example.com",
+            "tag": "high_risk"
+        }
+    ],
+    "signature": "-----BEGIN PUBLIC KEY SIGNATURE-----..."
+}

scripts/schema/policy.yaml

@@ -0,0 +1,28 @@
+title: policy.yaml
+type: object
+required: [ signature, rules ]
+properties:
+  signature:
+    type: string
+  rules:
+    type: array
+    items:
+      type: object
+      required: [ type, entity ]
+      allOf:
+      - oneOf:
+        - properties:
+            type: { type: string, const: m.room }
+            entity: { type: string, pattern: '^![\w\-]+:.+$' }
+        - properties:
+            type: { type: string, const: m.user }
+            entity: { type: string, pattern: '^@[\w\-]+:.+$' }
+      - oneOf:
+        - required: [ tag ]
+          properties:
+            tag: { type: string, pattern: ^\w+$ }
+        - required: [ tags ]
+          properties:
+            tags:
+              type: array
+              items: [ { type: string, pattern: ^\w+$ } ]

scripts/schema/topics.yaml

@@ -0,0 +1,22 @@
+# This file contains a list of "tag aliases", called topics.
+# If any entry values are found, the entry key is added to the tags.
+# This is mainly used for making actions less verbose
+high_risk_porn:
+- 3d_loli
+- csam
+- beastiality
+high_risk:
+- anarchy
+- jailbait
+- high_risk_porn
+porn:
+- drawn_porn
+- high_risk_porn
+- irl_porn
+- loli
+nsfl:
+- gore
+- high_risk
+nsfw:
+- porn
+- nsfl

scripts/systemd/hotpocket.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Matrix Homeserver Policy Manager
+Wants=hotpocket.timer
+
+[Service]
+User=hotpocket
+Type=simple
+Environment="HOTPOCKET_CONFIG_DIR=/etc/hotpocket"
+ExecStart=./etc/hotpocket.sh

scripts/systemd/hotpocket.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Hotpocket Timer
+
+[Timer]
+OnBootSec=30s
+OnCalendar=*:0/10
+
+[Install]
+WantedBy=timers.target