Add left_rooms admin API

Author: MatMaul

changelog.d/19260.feature

@@ -0,0 +1 @@
+Add `left_rooms` endpoint to the admin API. This is useful for forensics and T&S purpose.

synapse/rest/admin/__init__.py

@@ -114,7 +114,8 @@
     UserByThreePid,
     UserInvitesCount,
     UserJoinedRoomCount,
-    UserMembershipRestServlet,
+    UserJoinedRoomsRestServlet,
+    UserLeftRoomsRestServlet,
     UserRegisterServlet,
     UserReplaceMasterCrossSigningKeyRestServlet,
     UserRestServletV2,
@@ -297,7 +298,8 @@ def register_servlets(hs: "HomeServer", http_server: HttpServer) -> None:
     VersionServlet(hs).register(http_server)
     if not auth_delegated:
         UserAdminServlet(hs).register(http_server)
-    UserMembershipRestServlet(hs).register(http_server)
+    UserJoinedRoomsRestServlet(hs).register(http_server)
+    UserLeftRoomsRestServlet(hs).register(http_server)
     if not auth_delegated:
         UserTokenRestServlet(hs).register(http_server)
     UserRestServletV2(hs).register(http_server)

synapse/rest/admin/users.py

@@ -28,7 +28,7 @@
 import attr
 from pydantic import StrictBool, StrictInt, StrictStr
 
-from synapse.api.constants import Direction
+from synapse.api.constants import Direction, Membership
 from synapse.api.errors import Codes, NotFoundError, SynapseError
 from synapse.http.servlet import (
     RestServlet,
@@ -1031,7 +1031,7 @@ async def on_PUT(
         return HTTPStatus.OK, {}
 
 
-class UserMembershipRestServlet(RestServlet):
+class UserJoinedRoomsRestServlet(RestServlet):
     """
     Get list of joined room ID's for a user.
     """
@@ -1054,6 +1054,29 @@ async def on_GET(
         return HTTPStatus.OK, rooms_response
 
 
+class UserLeftRoomsRestServlet(RestServlet):
+    """
+    Get list of left room ID's for a user.
+    """
+
+    PATTERNS = admin_patterns("/users/(?P<user_id>[^/]*)/left_rooms$")
+
+    def __init__(self, hs: "HomeServer"):
+        self.is_mine = hs.is_mine
+        self.auth = hs.get_auth()
+        self.store = hs.get_datastores().main
+
+    async def on_GET(
+        self, request: SynapseRequest, user_id: str
+    ) -> tuple[int, JsonDict]:
+        await assert_requester_is_admin(self.auth, request)
+
+        room_ids = await self.store.get_rooms_for_user(user_id, Membership.LEAVE)
+        rooms_response = {"left_rooms": list(room_ids), "total": len(room_ids)}
+
+        return HTTPStatus.OK, rooms_response
+
+
 class PushersRestServlet(RestServlet):
     """
     Gets information about all pushers for a specific `user_id`.

synapse/storage/databases/main/roommember.py

@@ -746,8 +746,10 @@ async def get_rooms_user_currently_banned_from(
 
         return frozenset(room_ids)
 
-    @cached(max_entries=500000, iterable=True)
-    async def get_rooms_for_user(self, user_id: str) -> frozenset[str]:
+    @cached(num_args=2, max_entries=500000, iterable=True, tree=True)
+    async def get_rooms_for_user(
+        self, user_id: str, current_membership: str = Membership.JOIN
+    ) -> frozenset[str]:
         """Returns a set of room_ids the user is currently joined to.
 
         If a remote user only returns rooms this server is currently
@@ -758,7 +760,7 @@ async def get_rooms_for_user(self, user_id: str) -> frozenset[str]:
             table="current_state_events",
             keyvalues={
                 "type": EventTypes.Member,
-                "membership": Membership.JOIN,
+                "membership": current_membership,
                 "state_key": user_id,
             },
             retcol="room_id",

tests/rest/admin/test_room.py

@@ -2975,6 +2975,61 @@ def test_join_private_room_if_owner(self) -> None:
         self.assertEqual(200, channel.code, msg=channel.json_body)
         self.assertEqual(private_room_id, channel.json_body["joined_rooms"][0])
 
+    def test_joined_rooms(self) -> None:
+        """
+        Test joined_rooms admin endpoint.
+        """
+
+        channel = self.make_request(
+            "POST",
+            f"/_matrix/client/v3/join/{self.public_room_id}",
+            content={"user_id": self.second_user_id},
+            access_token=self.second_tok,
+        )
+
+        self.assertEqual(200, channel.code, msg=channel.json_body)
+        self.assertEqual(self.public_room_id, channel.json_body["room_id"])
+
+        channel = self.make_request(
+            "GET",
+            f"/_synapse/admin/v1/users/{self.second_user_id}/joined_rooms",
+            access_token=self.admin_user_tok,
+        )
+        self.assertEqual(200, channel.code, msg=channel.json_body)
+        self.assertEqual(self.public_room_id, channel.json_body["joined_rooms"][0])
+
+    def test_left_rooms(self) -> None:
+        """
+        Test left_rooms admin endpoint.
+        """
+
+        channel = self.make_request(
+            "POST",
+            f"/_matrix/client/v3/join/{self.public_room_id}",
+            content={"user_id": self.second_user_id},
+            access_token=self.second_tok,
+        )
+
+        self.assertEqual(200, channel.code, msg=channel.json_body)
+        self.assertEqual(self.public_room_id, channel.json_body["room_id"])
+
+        channel = self.make_request(
+            "POST",
+            f"/_matrix/client/v3/rooms/{self.public_room_id}/leave",
+            content={"user_id": self.second_user_id},
+            access_token=self.second_tok,
+        )
+
+        self.assertEqual(200, channel.code, msg=channel.json_body)
+
+        channel = self.make_request(
+            "GET",
+            f"/_synapse/admin/v1/users/{self.second_user_id}/left_rooms",
+            access_token=self.admin_user_tok,
+        )
+        self.assertEqual(200, channel.code, msg=channel.json_body)
+        self.assertEqual(self.public_room_id, channel.json_body["left_rooms"][0])
+
     def test_context_as_non_admin(self) -> None:
         """
         Test that, without being admin, one cannot use the context admin API