Double bridging rule files

config.sample.yaml

@@ -422,6 +422,11 @@ ircService:
     # allotted time period, the provisioning request will fail.
     # Default: 300 seconds (5 mins)
     requestTimeoutSeconds: 300
+    # A file defining the provisioning rules for rooms. Format is documented
+    # in rules.sample.yaml. Leave undefined to not specify any rules.
+    ruleFile: "./provisioning.rules.yaml"
+    # Watch the file for changes, and apply the rules. Default: false
+    enableReload: true
 
   # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot
   # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in

lib/bridge/IrcBridge.js

@@ -52,6 +52,16 @@ function IrcBridge(config, registration) {
     this.ircHandler = new IrcHandler(this, this.config.ircHandler);
     this._clientPool = new ClientPool(this);
     var dirPath = this.config.ircService.databaseUri.substring("nedb://".length);
+    let roomLinkValidation = undefined;
+    let provisioning = config.ircService.provisioning;
+    if (provisioning && provisioning.enabled &&
+        typeof (provisioning.ruleFile) === "string") {
+        roomLinkValidation = {
+            ruleFile: provisioning.ruleFile,
+            triggerEndpoint: provisioning.enableReload
+        };
+    }
+
     this._bridge = new Bridge({
         registration: this.registration,
         homeserverUrl: this.config.homeserver.url,
@@ -89,7 +99,8 @@ function IrcBridge(config, registration) {
                 dontCheckPowerLevel: true,
                 enablePresence: this.config.homeserver.enablePresence,
             }
-        }
+        },
+        roomLinkValidation,
     });
 
     this._timers = null; // lazy map of Histogram instances used as metrics

lib/config/schema.yml

@@ -86,6 +86,10 @@ properties:
                         type: "boolean"
                     requestTimeoutSeconds:
                         type: "number"
+                    ruleFile:
+                        type: "string"
+                    enableReload:
+                        type: "boolean"
             passwordEncryptionKeyPath:
                 type: "string"
             matrixHandler:

lib/provisioning/Provisioner.js

@@ -244,6 +244,16 @@ Provisioner.prototype._userHasProvisioningPower = Promise.coroutine(
 
         // Try 100 times to join a room, or timeout after 10 min
         yield retry(req, 100, 5000, matrixClient, matrixClient.joinRoom, roomId).timeout(600000);
+        try {
+            yield this._ircBridge.getAppServiceBridge().canProvisionRoom(roomId);
+        }
+        catch (err) {
+            req.log.error(`Room failed room validator check: (${err})`);
+            throw new Error(
+                'Room failed validation. You may be attempting to "double bridge" this room.' +
+                ' Error: ' + err
+            );
+        }
 
         try {
             powerState = yield matrixClient.getStateEvent(roomId, 'm.room.power_levels');

package.json

@@ -31,7 +31,7 @@
     "he": "^1.1.1",
     "irc": "matrix-org/node-irc#c9abb427bec5016d94a2abf3e058cc62de09ea5a",
     "js-yaml": "^3.2.7",
-    "matrix-appservice-bridge": "1.6.0c",
+    "matrix-appservice-bridge": "matrix-org/matrix-appservice-bridge#8c4f2bc39fabb88e0069010a212706905c3d90c5",
     "nedb": "^1.1.2",
     "nopt": "^3.0.1",
     "prom-client": "^6.3.0",

provisioning.rules.sample.yaml

@@ -0,0 +1,12 @@
+# A set of regexes to match against joined members in rooms.
+# If one of the regexes matches a userId, then do not allow provisioning
+# to the room UNLESS it also matches a exempt regex.
+# This doesn't affect existing bridge entrys, only new provisioned rooms.
+#
+# For this to work, config.provisioning.ruleFile must point to this file.
+userIds:
+    exempt:
+      - "@appservice-irc:localhost"
+      - "@irc_.+:localhost"
+    conflict:
+      - "@irc_.+:.+"