[feature] Implement explicit domain allows + allowlist federation mode (#2200)

* love like winter! wohoah, wohoah * domain allow side effects * tests! logging! unallow! * document federation modes * linty linterson * test * further adventures in documentation * finish up domain block documentation (i think) * change wording a wee little bit * docs, example * consolidate shared domainPermission code * call mode once * fetch federation mode within domain blocked func * read domain perm import in streaming manner * don't use pointer to slice for domain perms * don't bother copying blocks + allows before deleting * admonish! * change wording just a scooch * update docs
2025-06-05 21:59:39 +02:00 · 2023-09-21 12:12:04 +02:00
parent d6add4ef93
commit 183eaa5b29
52 changed files with 2877 additions and 730 deletions
--- a/internal/processing/admin/domainallow.go
+++ b/internal/processing/admin/domainallow.go
@@ -0,0 +1,255 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package admin
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"codeberg.org/gruf/go-kv"
+	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
+	"github.com/superseriousbusiness/gotosocial/internal/config"
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/id"
+	"github.com/superseriousbusiness/gotosocial/internal/log"
+	"github.com/superseriousbusiness/gotosocial/internal/text"
+)
+
+func (p *Processor) createDomainAllow(
+	ctx context.Context,
+	adminAcct *gtsmodel.Account,
+	domain string,
+	obfuscate bool,
+	publicComment string,
+	privateComment string,
+	subscriptionID string,
+) (*apimodel.DomainPermission, string, gtserror.WithCode) {
+	// Check if an allow already exists for this domain.
+	domainAllow, err := p.state.DB.GetDomainAllow(ctx, domain)
+	if err != nil && !errors.Is(err, db.ErrNoEntries) {
+		// Something went wrong in the DB.
+		err = gtserror.Newf("db error getting domain allow %s: %w", domain, err)
+		return nil, "", gtserror.NewErrorInternalError(err)
+	}
+
+	if domainAllow == nil {
+		// No allow exists yet, create it.
+		domainAllow = &gtsmodel.DomainAllow{
+			ID:                 id.NewULID(),
+			Domain:             domain,
+			CreatedByAccountID: adminAcct.ID,
+			PrivateComment:     text.SanitizeToPlaintext(privateComment),
+			PublicComment:      text.SanitizeToPlaintext(publicComment),
+			Obfuscate:          &obfuscate,
+			SubscriptionID:     subscriptionID,
+		}
+
+		// Insert the new allow into the database.
+		if err := p.state.DB.CreateDomainAllow(ctx, domainAllow); err != nil {
+			err = gtserror.Newf("db error putting domain allow %s: %w", domain, err)
+			return nil, "", gtserror.NewErrorInternalError(err)
+		}
+	}
+
+	actionID := id.NewULID()
+
+	// Process domain allow side
+	// effects asynchronously.
+	if errWithCode := p.actions.Run(
+		ctx,
+		&gtsmodel.AdminAction{
+			ID:             actionID,
+			TargetCategory: gtsmodel.AdminActionCategoryDomain,
+			TargetID:       domain,
+			Type:           gtsmodel.AdminActionSuspend,
+			AccountID:      adminAcct.ID,
+			Text:           domainAllow.PrivateComment,
+		},
+		func(ctx context.Context) gtserror.MultiError {
+			// Log start + finish.
+			l := log.WithFields(kv.Fields{
+				{"domain", domain},
+				{"actionID", actionID},
+			}...).WithContext(ctx)
+
+			l.Info("processing domain allow side effects")
+			defer func() { l.Info("finished processing domain allow side effects") }()
+
+			return p.domainAllowSideEffects(ctx, domainAllow)
+		},
+	); errWithCode != nil {
+		return nil, actionID, errWithCode
+	}
+
+	apiDomainAllow, errWithCode := p.apiDomainPerm(ctx, domainAllow, false)
+	if errWithCode != nil {
+		return nil, actionID, errWithCode
+	}
+
+	return apiDomainAllow, actionID, nil
+}
+
+func (p *Processor) domainAllowSideEffects(
+	ctx context.Context,
+	allow *gtsmodel.DomainAllow,
+) gtserror.MultiError {
+	if config.GetInstanceFederationMode() == config.InstanceFederationModeAllowlist {
+		// We're running in allowlist mode,
+		// so there are no side effects to
+		// process here.
+		return nil
+	}
+
+	// We're running in blocklist mode or
+	// some similar mode which necessitates
+	// domain allow side effects if a block
+	// was in place when the allow was created.
+	//
+	// So, check if there's a block.
+	block, err := p.state.DB.GetDomainBlock(ctx, allow.Domain)
+	if err != nil && !errors.Is(err, db.ErrNoEntries) {
+		errs := gtserror.NewMultiError(1)
+		errs.Appendf("db error getting domain block %s: %w", allow.Domain, err)
+		return errs
+	}
+
+	if block == nil {
+		// No block?
+		// No problem!
+		return nil
+	}
+
+	// There was a block, over which the new
+	// allow ought to take precedence. To account
+	// for this, just run side effects as though
+	// the domain was being unblocked, while
+	// leaving the existing block in place.
+	//
+	// Any accounts that were suspended by
+	// the block will be unsuspended and be
+	// able to interact with the instance again.
+	return p.domainUnblockSideEffects(ctx, block)
+}
+
+func (p *Processor) deleteDomainAllow(
+	ctx context.Context,
+	adminAcct *gtsmodel.Account,
+	domainAllowID string,
+) (*apimodel.DomainPermission, string, gtserror.WithCode) {
+	domainAllow, err := p.state.DB.GetDomainAllowByID(ctx, domainAllowID)
+	if err != nil {
+		if !errors.Is(err, db.ErrNoEntries) {
+			// Real error.
+			err = gtserror.Newf("db error getting domain allow: %w", err)
+			return nil, "", gtserror.NewErrorInternalError(err)
+		}
+
+		// There are just no entries for this ID.
+		err = fmt.Errorf("no domain allow entry exists with ID %s", domainAllowID)
+		return nil, "", gtserror.NewErrorNotFound(err, err.Error())
+	}
+
+	// Prepare the domain allow to return, *before* the deletion goes through.
+	apiDomainAllow, errWithCode := p.apiDomainPerm(ctx, domainAllow, false)
+	if errWithCode != nil {
+		return nil, "", errWithCode
+	}
+
+	// Delete the original domain allow.
+	if err := p.state.DB.DeleteDomainAllow(ctx, domainAllow.Domain); err != nil {
+		err = gtserror.Newf("db error deleting domain allow: %w", err)
+		return nil, "", gtserror.NewErrorInternalError(err)
+	}
+
+	actionID := id.NewULID()
+
+	// Process domain unallow side
+	// effects asynchronously.
+	if errWithCode := p.actions.Run(
+		ctx,
+		&gtsmodel.AdminAction{
+			ID:             actionID,
+			TargetCategory: gtsmodel.AdminActionCategoryDomain,
+			TargetID:       domainAllow.Domain,
+			Type:           gtsmodel.AdminActionUnsuspend,
+			AccountID:      adminAcct.ID,
+		},
+		func(ctx context.Context) gtserror.MultiError {
+			// Log start + finish.
+			l := log.WithFields(kv.Fields{
+				{"domain", domainAllow.Domain},
+				{"actionID", actionID},
+			}...).WithContext(ctx)
+
+			l.Info("processing domain unallow side effects")
+			defer func() { l.Info("finished processing domain unallow side effects") }()
+
+			return p.domainUnallowSideEffects(ctx, domainAllow)
+		},
+	); errWithCode != nil {
+		return nil, actionID, errWithCode
+	}
+
+	return apiDomainAllow, actionID, nil
+}
+
+func (p *Processor) domainUnallowSideEffects(
+	ctx context.Context,
+	allow *gtsmodel.DomainAllow,
+) gtserror.MultiError {
+	if config.GetInstanceFederationMode() == config.InstanceFederationModeAllowlist {
+		// We're running in allowlist mode,
+		// so there are no side effects to
+		// process here.
+		return nil
+	}
+
+	// We're running in blocklist mode or
+	// some similar mode which necessitates
+	// domain allow side effects if a block
+	// was in place when the allow was removed.
+	//
+	// So, check if there's a block.
+	block, err := p.state.DB.GetDomainBlock(ctx, allow.Domain)
+	if err != nil && !errors.Is(err, db.ErrNoEntries) {
+		errs := gtserror.NewMultiError(1)
+		errs.Appendf("db error getting domain block %s: %w", allow.Domain, err)
+		return errs
+	}
+
+	if block == nil {
+		// No block?
+		// No problem!
+		return nil
+	}
+
+	// There was a block, over which the previous
+	// allow was taking precedence. Now that the
+	// allow has been removed, we should put the
+	// side effects of the block back in place.
+	//
+	// To do this, process the block side effects
+	// again as though the block were freshly
+	// created. This will mark all accounts from
+	// the blocked domain as suspended, and clean
+	// up their follows/following, media, etc.
+	return p.domainBlockSideEffects(ctx, block)
+}
--- a/internal/processing/admin/domainblock.go
+++ b/internal/processing/admin/domainblock.go
@@ -18,14 +18,9 @@
 package admin

 import (
-	"bytes"
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
-	"mime/multipart"
-	"net/http"
 	"time"

 	"codeberg.org/gruf/go-kv"
@@ -40,14 +35,7 @@ import (
 	"github.com/superseriousbusiness/gotosocial/internal/text"
 )

-// DomainBlockCreate creates an instance-level block against the given domain,
-// and then processes side effects of that block (deleting accounts, media, etc).
-//
-// If a domain block already exists for the domain, side effects will be retried.
-//
-// Return values for this function are the (new) domain block, the ID of the admin
-// action resulting from this call, and/or an error if something goes wrong.
-func (p *Processor) DomainBlockCreate(
+func (p *Processor) createDomainBlock(
 	ctx context.Context,
 	adminAcct *gtsmodel.Account,
 	domain string,
@@ -55,7 +43,7 @@ func (p *Processor) DomainBlockCreate(
 	publicComment string,
 	privateComment string,
 	subscriptionID string,
-) (*apimodel.DomainBlock, string, gtserror.WithCode) {
+) (*apimodel.DomainPermission, string, gtserror.WithCode) {
 	// Check if a block already exists for this domain.
 	domainBlock, err := p.state.DB.GetDomainBlock(ctx, domain)
 	if err != nil && !errors.Is(err, db.ErrNoEntries) {
@@ -98,13 +86,22 @@ func (p *Processor) DomainBlockCreate(
 			Text:           domainBlock.PrivateComment,
 		},
 		func(ctx context.Context) gtserror.MultiError {
+			// Log start + finish.
+			l := log.WithFields(kv.Fields{
+				{"domain", domain},
+				{"actionID", actionID},
+			}...).WithContext(ctx)
+
+			l.Info("processing domain block side effects")
+			defer func() { l.Info("finished processing domain block side effects") }()
+
 			return p.domainBlockSideEffects(ctx, domainBlock)
 		},
 	); errWithCode != nil {
 		return nil, actionID, errWithCode
 	}

-	apiDomainBlock, errWithCode := p.apiDomainBlock(ctx, domainBlock)
+	apiDomainBlock, errWithCode := p.apiDomainPerm(ctx, domainBlock, false)
 	if errWithCode != nil {
 		return nil, actionID, errWithCode
 	}
@@ -112,206 +109,6 @@ func (p *Processor) DomainBlockCreate(
 	return apiDomainBlock, actionID, nil
 }

-// DomainBlockDelete removes one domain block with the given ID,
-// and processes side effects of removing the block asynchronously.
-//
-// Return values for this function are the deleted domain block, the ID of the admin
-// action resulting from this call, and/or an error if something goes wrong.
-func (p *Processor) DomainBlockDelete(
-	ctx context.Context,
-	adminAcct *gtsmodel.Account,
-	domainBlockID string,
-) (*apimodel.DomainBlock, string, gtserror.WithCode) {
-	domainBlock, err := p.state.DB.GetDomainBlockByID(ctx, domainBlockID)
-	if err != nil {
-		if !errors.Is(err, db.ErrNoEntries) {
-			// Real error.
-			err = gtserror.Newf("db error getting domain block: %w", err)
-			return nil, "", gtserror.NewErrorInternalError(err)
-		}
-
-		// There are just no entries for this ID.
-		err = fmt.Errorf("no domain block entry exists with ID %s", domainBlockID)
-		return nil, "", gtserror.NewErrorNotFound(err, err.Error())
-	}
-
-	// Prepare the domain block to return, *before* the deletion goes through.
-	apiDomainBlock, errWithCode := p.apiDomainBlock(ctx, domainBlock)
-	if errWithCode != nil {
-		return nil, "", errWithCode
-	}
-
-	// Copy value of the domain block.
-	domainBlockC := new(gtsmodel.DomainBlock)
-	*domainBlockC = *domainBlock
-
-	// Delete the original domain block.
-	if err := p.state.DB.DeleteDomainBlock(ctx, domainBlock.Domain); err != nil {
-		err = gtserror.Newf("db error deleting domain block: %w", err)
-		return nil, "", gtserror.NewErrorInternalError(err)
-	}
-
-	actionID := id.NewULID()
-
-	// Process domain unblock side
-	// effects asynchronously.
-	if errWithCode := p.actions.Run(
-		ctx,
-		&gtsmodel.AdminAction{
-			ID:             actionID,
-			TargetCategory: gtsmodel.AdminActionCategoryDomain,
-			TargetID:       domainBlockC.Domain,
-			Type:           gtsmodel.AdminActionUnsuspend,
-			AccountID:      adminAcct.ID,
-		},
-		func(ctx context.Context) gtserror.MultiError {
-			return p.domainUnblockSideEffects(ctx, domainBlock)
-		},
-	); errWithCode != nil {
-		return nil, actionID, errWithCode
-	}
-
-	return apiDomainBlock, actionID, nil
-}
-
-// DomainBlocksImport handles the import of multiple domain blocks,
-// by calling the DomainBlockCreate function for each domain in the
-// provided file. Will return a slice of processed domain blocks.
-//
-// In the case of total failure, a gtserror.WithCode will be returned
-// so that the caller can respond appropriately. In the case of
-// partial or total success, a MultiStatus model will be returned,
-// which contains information about success/failure count, so that
-// the caller can retry any failures as they wish.
-func (p *Processor) DomainBlocksImport(
-	ctx context.Context,
-	account *gtsmodel.Account,
-	domainsF *multipart.FileHeader,
-) (*apimodel.MultiStatus, gtserror.WithCode) {
-	// Open the provided file.
-	file, err := domainsF.Open()
-	if err != nil {
-		err = gtserror.Newf("error opening attachment: %w", err)
-		return nil, gtserror.NewErrorBadRequest(err, err.Error())
-	}
-	defer file.Close()
-
-	// Copy the file contents into a buffer.
-	buf := new(bytes.Buffer)
-	size, err := io.Copy(buf, file)
-	if err != nil {
-		err = gtserror.Newf("error reading attachment: %w", err)
-		return nil, gtserror.NewErrorBadRequest(err, err.Error())
-	}
-
-	// Ensure we actually read something.
-	if size == 0 {
-		err = gtserror.New("error reading attachment: size 0 bytes")
-		return nil, gtserror.NewErrorBadRequest(err, err.Error())
-	}
-
-	// Parse bytes as slice of domain blocks.
-	domainBlocks := make([]*apimodel.DomainBlock, 0)
-	if err := json.Unmarshal(buf.Bytes(), &domainBlocks); err != nil {
-		err = gtserror.Newf("error parsing attachment as domain blocks: %w", err)
-		return nil, gtserror.NewErrorBadRequest(err, err.Error())
-	}
-
-	count := len(domainBlocks)
-	if count == 0 {
-		err = gtserror.New("error importing domain blocks: 0 entries provided")
-		return nil, gtserror.NewErrorBadRequest(err, err.Error())
-	}
-
-	// Try to process each domain block, differentiating
-	// between successes and errors so that the caller can
-	// try failed imports again if desired.
-	multiStatusEntries := make([]apimodel.MultiStatusEntry, 0, count)
-
-	for _, domainBlock := range domainBlocks {
-		var (
-			domain         = domainBlock.Domain.Domain
-			obfuscate      = domainBlock.Obfuscate
-			publicComment  = domainBlock.PublicComment
-			privateComment = domainBlock.PrivateComment
-			subscriptionID = "" // No sub ID for imports.
-			errWithCode    gtserror.WithCode
-		)
-
-		domainBlock, _, errWithCode = p.DomainBlockCreate(
-			ctx,
-			account,
-			domain,
-			obfuscate,
-			publicComment,
-			privateComment,
-			subscriptionID,
-		)
-
-		var entry *apimodel.MultiStatusEntry
-
-		if errWithCode != nil {
-			entry = &apimodel.MultiStatusEntry{
-				// Use the failed domain entry as the resource value.
-				Resource: domain,
-				Message:  errWithCode.Safe(),
-				Status:   errWithCode.Code(),
-			}
-		} else {
-			entry = &apimodel.MultiStatusEntry{
-				// Use successfully created API model domain block as the resource value.
-				Resource: domainBlock,
-				Message:  http.StatusText(http.StatusOK),
-				Status:   http.StatusOK,
-			}
-		}
-
-		multiStatusEntries = append(multiStatusEntries, *entry)
-	}
-
-	return apimodel.NewMultiStatus(multiStatusEntries), nil
-}
-
-// DomainBlocksGet returns all existing domain blocks. If export is
-// true, the format will be suitable for writing out to an export.
-func (p *Processor) DomainBlocksGet(ctx context.Context, account *gtsmodel.Account, export bool) ([]*apimodel.DomainBlock, gtserror.WithCode) {
-	domainBlocks, err := p.state.DB.GetDomainBlocks(ctx)
-	if err != nil && !errors.Is(err, db.ErrNoEntries) {
-		err = gtserror.Newf("db error getting domain blocks: %w", err)
-		return nil, gtserror.NewErrorInternalError(err)
-	}
-
-	apiDomainBlocks := make([]*apimodel.DomainBlock, 0, len(domainBlocks))
-	for _, domainBlock := range domainBlocks {
-		apiDomainBlock, errWithCode := p.apiDomainBlock(ctx, domainBlock)
-		if errWithCode != nil {
-			return nil, errWithCode
-		}
-
-		apiDomainBlocks = append(apiDomainBlocks, apiDomainBlock)
-	}
-
-	return apiDomainBlocks, nil
-}
-
-// DomainBlockGet returns one domain block with the given id. If export
-// is true, the format will be suitable for writing out to an export.
-func (p *Processor) DomainBlockGet(ctx context.Context, id string, export bool) (*apimodel.DomainBlock, gtserror.WithCode) {
-	domainBlock, err := p.state.DB.GetDomainBlockByID(ctx, id)
-	if err != nil {
-		if errors.Is(err, db.ErrNoEntries) {
-			err = fmt.Errorf("no domain block exists with id %s", id)
-			return nil, gtserror.NewErrorNotFound(err, err.Error())
-		}
-
-		// Something went wrong in the DB.
-		err = gtserror.Newf("db error getting domain block %s: %w", id, err)
-		return nil, gtserror.NewErrorInternalError(err)
-	}
-
-	return p.apiDomainBlock(ctx, domainBlock)
-}
-
 // domainBlockSideEffects processes the side effects of a domain block:
 //
 //  1. Strip most info away from the instance entry for the domain.
@@ -323,13 +120,6 @@ func (p *Processor) domainBlockSideEffects(
 	ctx context.Context,
 	block *gtsmodel.DomainBlock,
 ) gtserror.MultiError {
-	l := log.
-		WithContext(ctx).
-		WithFields(kv.Fields{
-			{"domain", block.Domain},
-		}...)
-	l.Debug("processing domain block side effects")
-
 	var errs gtserror.MultiError

 	// If we have an instance entry for this domain,
@@ -347,7 +137,6 @@ func (p *Processor) domainBlockSideEffects(
 			errs.Appendf("db error updating instance: %w", err)
 			return errs
 		}
-		l.Debug("instance entry updated")
 	}

 	// For each account that belongs to this domain,
@@ -372,6 +161,68 @@ func (p *Processor) domainBlockSideEffects(
 	return errs
 }

+func (p *Processor) deleteDomainBlock(
+	ctx context.Context,
+	adminAcct *gtsmodel.Account,
+	domainBlockID string,
+) (*apimodel.DomainPermission, string, gtserror.WithCode) {
+	domainBlock, err := p.state.DB.GetDomainBlockByID(ctx, domainBlockID)
+	if err != nil {
+		if !errors.Is(err, db.ErrNoEntries) {
+			// Real error.
+			err = gtserror.Newf("db error getting domain block: %w", err)
+			return nil, "", gtserror.NewErrorInternalError(err)
+		}
+
+		// There are just no entries for this ID.
+		err = fmt.Errorf("no domain block entry exists with ID %s", domainBlockID)
+		return nil, "", gtserror.NewErrorNotFound(err, err.Error())
+	}
+
+	// Prepare the domain block to return, *before* the deletion goes through.
+	apiDomainBlock, errWithCode := p.apiDomainPerm(ctx, domainBlock, false)
+	if errWithCode != nil {
+		return nil, "", errWithCode
+	}
+
+	// Delete the original domain block.
+	if err := p.state.DB.DeleteDomainBlock(ctx, domainBlock.Domain); err != nil {
+		err = gtserror.Newf("db error deleting domain block: %w", err)
+		return nil, "", gtserror.NewErrorInternalError(err)
+	}
+
+	actionID := id.NewULID()
+
+	// Process domain unblock side
+	// effects asynchronously.
+	if errWithCode := p.actions.Run(
+		ctx,
+		&gtsmodel.AdminAction{
+			ID:             actionID,
+			TargetCategory: gtsmodel.AdminActionCategoryDomain,
+			TargetID:       domainBlock.Domain,
+			Type:           gtsmodel.AdminActionUnsuspend,
+			AccountID:      adminAcct.ID,
+		},
+		func(ctx context.Context) gtserror.MultiError {
+			// Log start + finish.
+			l := log.WithFields(kv.Fields{
+				{"domain", domainBlock.Domain},
+				{"actionID", actionID},
+			}...).WithContext(ctx)
+
+			l.Info("processing domain unblock side effects")
+			defer func() { l.Info("finished processing domain unblock side effects") }()
+
+			return p.domainUnblockSideEffects(ctx, domainBlock)
+		},
+	); errWithCode != nil {
+		return nil, actionID, errWithCode
+	}
+
+	return apiDomainBlock, actionID, nil
+}
+
 // domainUnblockSideEffects processes the side effects of undoing a
 // domain block:
 //
@@ -385,13 +236,6 @@ func (p *Processor) domainUnblockSideEffects(
 	ctx context.Context,
 	block *gtsmodel.DomainBlock,
 ) gtserror.MultiError {
-	l := log.
-		WithContext(ctx).
-		WithFields(kv.Fields{
-			{"domain", block.Domain},
-		}...)
-	l.Debug("processing domain unblock side effects")
-
 	var errs gtserror.MultiError

 	// Update instance entry for this domain, if we have it.
@@ -414,7 +258,6 @@ func (p *Processor) domainUnblockSideEffects(
 			errs.Appendf("db error updating instance: %w", err)
 			return errs
 		}
-		l.Debug("instance entry updated")
 	}

 	// Unsuspend all accounts whose suspension origin was this domain block.
--- a/internal/processing/admin/domainblock_test.go
+++ b/internal/processing/admin/domainblock_test.go
@@ -1,76 +0,0 @@
-// GoToSocial
-// Copyright (C) GoToSocial Authors admin@gotosocial.org
-// SPDX-License-Identifier: AGPL-3.0-or-later
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-package admin_test
-
-import (
-	"context"
-	"testing"
-
-	"github.com/stretchr/testify/suite"
-	"github.com/superseriousbusiness/gotosocial/testrig"
-)
-
-type DomainBlockTestSuite struct {
-	AdminStandardTestSuite
-}
-
-func (suite *DomainBlockTestSuite) TestCreateDomainBlock() {
-	var (
-		ctx            = context.Background()
-		adminAcct      = suite.testAccounts["admin_account"]
-		domain         = "fossbros-anonymous.io"
-		obfuscate      = false
-		publicComment  = ""
-		privateComment = ""
-		subscriptionID = ""
-	)
-
-	apiBlock, actionID, errWithCode := suite.adminProcessor.DomainBlockCreate(
-		ctx,
-		adminAcct,
-		domain,
-		obfuscate,
-		publicComment,
-		privateComment,
-		subscriptionID,
-	)
-	suite.NoError(errWithCode)
-	suite.NotNil(apiBlock)
-	suite.NotEmpty(actionID)
-
-	// Wait for action to finish.
-	if !testrig.WaitFor(func() bool {
-		return suite.adminProcessor.Actions().TotalRunning() == 0
-	}) {
-		suite.FailNow("timed out waiting for admin action(s) to finish")
-	}
-
-	// Ensure action marked as
-	// completed in the database.
-	adminAction, err := suite.db.GetAdminAction(ctx, actionID)
-	if err != nil {
-		suite.FailNow(err.Error())
-	}
-
-	suite.NotZero(adminAction.CompletedAt)
-	suite.Empty(adminAction.Errors)
-}
-
-func TestDomainBlockTestSuite(t *testing.T) {
-	suite.Run(t, new(DomainBlockTestSuite))
-}
--- a/internal/processing/admin/domainpermission.go
+++ b/internal/processing/admin/domainpermission.go
@@ -0,0 +1,335 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package admin
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"mime/multipart"
+	"net/http"
+
+	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+)
+
+// apiDomainPerm is a cheeky shortcut for returning
+// the API version of the given domain permission
+// (*gtsmodel.DomainBlock or *gtsmodel.DomainAllow),
+// or an appropriate error if something goes wrong.
+func (p *Processor) apiDomainPerm(
+	ctx context.Context,
+	domainPermission gtsmodel.DomainPermission,
+	export bool,
+) (*apimodel.DomainPermission, gtserror.WithCode) {
+	apiDomainPerm, err := p.tc.DomainPermToAPIDomainPerm(ctx, domainPermission, export)
+	if err != nil {
+		err := gtserror.NewfAt(3, "error converting domain permission to api model: %w", err)
+		return nil, gtserror.NewErrorInternalError(err)
+	}
+
+	return apiDomainPerm, nil
+}
+
+// DomainPermissionCreate creates an instance-level permission
+// targeting the given domain, and then processes any side
+// effects of the permission creation.
+//
+// If the same permission type already exists for the domain,
+// side effects will be retried.
+//
+// Return values for this function are the new or existing
+// domain permission, the ID of the admin action resulting
+// from this call, and/or an error if something goes wrong.
+func (p *Processor) DomainPermissionCreate(
+	ctx context.Context,
+	permissionType gtsmodel.DomainPermissionType,
+	adminAcct *gtsmodel.Account,
+	domain string,
+	obfuscate bool,
+	publicComment string,
+	privateComment string,
+	subscriptionID string,
+) (*apimodel.DomainPermission, string, gtserror.WithCode) {
+	switch permissionType {
+
+	// Explicitly block a domain.
+	case gtsmodel.DomainPermissionBlock:
+		return p.createDomainBlock(
+			ctx,
+			adminAcct,
+			domain,
+			obfuscate,
+			publicComment,
+			privateComment,
+			subscriptionID,
+		)
+
+	// Explicitly allow a domain.
+	case gtsmodel.DomainPermissionAllow:
+		return p.createDomainAllow(
+			ctx,
+			adminAcct,
+			domain,
+			obfuscate,
+			publicComment,
+			privateComment,
+			subscriptionID,
+		)
+
+	// Weeping, roaring, red-faced.
+	default:
+		err := gtserror.Newf("unrecognized permission type %d", permissionType)
+		return nil, "", gtserror.NewErrorInternalError(err)
+	}
+}
+
+// DomainPermissionDelete removes one domain block with the given ID,
+// and processes side effects of removing the block asynchronously.
+//
+// Return values for this function are the deleted domain block, the ID of the admin
+// action resulting from this call, and/or an error if something goes wrong.
+func (p *Processor) DomainPermissionDelete(
+	ctx context.Context,
+	permissionType gtsmodel.DomainPermissionType,
+	adminAcct *gtsmodel.Account,
+	domainBlockID string,
+) (*apimodel.DomainPermission, string, gtserror.WithCode) {
+	switch permissionType {
+
+	// Delete explicit domain block.
+	case gtsmodel.DomainPermissionBlock:
+		return p.deleteDomainBlock(
+			ctx,
+			adminAcct,
+			domainBlockID,
+		)
+
+	// Delete explicit domain allow.
+	case gtsmodel.DomainPermissionAllow:
+		return p.deleteDomainAllow(
+			ctx,
+			adminAcct,
+			domainBlockID,
+		)
+
+	// You do the hokey-cokey and you turn
+	// around, that's what it's all about.
+	default:
+		err := gtserror.Newf("unrecognized permission type %d", permissionType)
+		return nil, "", gtserror.NewErrorInternalError(err)
+	}
+}
+
+// DomainPermissionsImport handles the import of multiple
+// domain permissions, by calling the DomainPermissionCreate
+// function for each domain in the provided file. Will return
+// a slice of processed domain permissions.
+//
+// In the case of total failure, a gtserror.WithCode will be
+// returned so that the caller can respond appropriately. In
+// the case of partial or total success, a MultiStatus model
+// will be returned, which contains information about success
+// + failure count, so that the caller can retry any failures
+// as they wish.
+func (p *Processor) DomainPermissionsImport(
+	ctx context.Context,
+	permissionType gtsmodel.DomainPermissionType,
+	account *gtsmodel.Account,
+	domainsF *multipart.FileHeader,
+) (*apimodel.MultiStatus, gtserror.WithCode) {
+	// Ensure known permission type.
+	if permissionType != gtsmodel.DomainPermissionBlock &&
+		permissionType != gtsmodel.DomainPermissionAllow {
+		err := gtserror.Newf("unrecognized permission type %d", permissionType)
+		return nil, gtserror.NewErrorInternalError(err)
+	}
+
+	// Open the provided file.
+	file, err := domainsF.Open()
+	if err != nil {
+		err = gtserror.Newf("error opening attachment: %w", err)
+		return nil, gtserror.NewErrorBadRequest(err, err.Error())
+	}
+	defer file.Close()
+
+	// Parse file as slice of domain blocks.
+	domainPerms := make([]*apimodel.DomainPermission, 0)
+	if err := json.NewDecoder(file).Decode(&domainPerms); err != nil {
+		err = gtserror.Newf("error parsing attachment as domain permissions: %w", err)
+		return nil, gtserror.NewErrorBadRequest(err, err.Error())
+	}
+
+	count := len(domainPerms)
+	if count == 0 {
+		err = gtserror.New("error importing domain permissions: 0 entries provided")
+		return nil, gtserror.NewErrorBadRequest(err, err.Error())
+	}
+
+	// Try to process each domain permission, differentiating
+	// between successes and errors so that the caller can
+	// try failed imports again if desired.
+	multiStatusEntries := make([]apimodel.MultiStatusEntry, 0, count)
+
+	for _, domainPerm := range domainPerms {
+		var (
+			domain         = domainPerm.Domain.Domain
+			obfuscate      = domainPerm.Obfuscate
+			publicComment  = domainPerm.PublicComment
+			privateComment = domainPerm.PrivateComment
+			subscriptionID = "" // No sub ID for imports.
+			errWithCode    gtserror.WithCode
+		)
+
+		domainPerm, _, errWithCode = p.DomainPermissionCreate(
+			ctx,
+			permissionType,
+			account,
+			domain,
+			obfuscate,
+			publicComment,
+			privateComment,
+			subscriptionID,
+		)
+
+		var entry *apimodel.MultiStatusEntry
+
+		if errWithCode != nil {
+			entry = &apimodel.MultiStatusEntry{
+				// Use the failed domain entry as the resource value.
+				Resource: domain,
+				Message:  errWithCode.Safe(),
+				Status:   errWithCode.Code(),
+			}
+		} else {
+			entry = &apimodel.MultiStatusEntry{
+				// Use successfully created API model domain block as the resource value.
+				Resource: domainPerm,
+				Message:  http.StatusText(http.StatusOK),
+				Status:   http.StatusOK,
+			}
+		}
+
+		multiStatusEntries = append(multiStatusEntries, *entry)
+	}
+
+	return apimodel.NewMultiStatus(multiStatusEntries), nil
+}
+
+// DomainPermissionsGet returns all existing domain
+// permissions of the requested type. If export is
+// true, the format will be suitable for writing out
+// to an export.
+func (p *Processor) DomainPermissionsGet(
+	ctx context.Context,
+	permissionType gtsmodel.DomainPermissionType,
+	account *gtsmodel.Account,
+	export bool,
+) ([]*apimodel.DomainPermission, gtserror.WithCode) {
+	var (
+		domainPerms []gtsmodel.DomainPermission
+		err         error
+	)
+
+	switch permissionType {
+	case gtsmodel.DomainPermissionBlock:
+		var blocks []*gtsmodel.DomainBlock
+
+		blocks, err = p.state.DB.GetDomainBlocks(ctx)
+		if err != nil {
+			break
+		}
+
+		for _, block := range blocks {
+			domainPerms = append(domainPerms, block)
+		}
+
+	case gtsmodel.DomainPermissionAllow:
+		var allows []*gtsmodel.DomainAllow
+
+		allows, err = p.state.DB.GetDomainAllows(ctx)
+		if err != nil {
+			break
+		}
+
+		for _, allow := range allows {
+			domainPerms = append(domainPerms, allow)
+		}
+
+	default:
+		err = errors.New("unrecognized permission type")
+	}
+
+	if err != nil {
+		err := gtserror.Newf("error getting %ss: %w", permissionType.String(), err)
+		return nil, gtserror.NewErrorInternalError(err)
+	}
+
+	apiDomainPerms := make([]*apimodel.DomainPermission, len(domainPerms))
+	for i, domainPerm := range domainPerms {
+		apiDomainBlock, errWithCode := p.apiDomainPerm(ctx, domainPerm, export)
+		if errWithCode != nil {
+			return nil, errWithCode
+		}
+
+		apiDomainPerms[i] = apiDomainBlock
+	}
+
+	return apiDomainPerms, nil
+}
+
+// DomainPermissionGet returns one domain
+// permission with the given id and type.
+//
+// If export is true, the format will be
+// suitable for writing out to an export.
+func (p *Processor) DomainPermissionGet(
+	ctx context.Context,
+	permissionType gtsmodel.DomainPermissionType,
+	id string,
+	export bool,
+) (*apimodel.DomainPermission, gtserror.WithCode) {
+	var (
+		domainPerm gtsmodel.DomainPermission
+		err        error
+	)
+
+	switch permissionType {
+	case gtsmodel.DomainPermissionBlock:
+		domainPerm, err = p.state.DB.GetDomainBlockByID(ctx, id)
+	case gtsmodel.DomainPermissionAllow:
+		domainPerm, err = p.state.DB.GetDomainAllowByID(ctx, id)
+	default:
+		err = gtserror.New("unrecognized permission type")
+	}
+
+	if err != nil {
+		if errors.Is(err, db.ErrNoEntries) {
+			err = fmt.Errorf("no domain %s exists with id %s", permissionType.String(), id)
+			return nil, gtserror.NewErrorNotFound(err, err.Error())
+		}
+
+		err = gtserror.Newf("error getting domain %s with id %s: %w", permissionType.String(), id, err)
+		return nil, gtserror.NewErrorInternalError(err)
+	}
+
+	return p.apiDomainPerm(ctx, domainPerm, export)
+}
--- a/internal/processing/admin/domainpermission_test.go
+++ b/internal/processing/admin/domainpermission_test.go
@@ -0,0 +1,280 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package admin_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/suite"
+	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
+	"github.com/superseriousbusiness/gotosocial/internal/config"
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/testrig"
+)
+
+type DomainBlockTestSuite struct {
+	AdminStandardTestSuite
+}
+
+type domainPermAction struct {
+	// 'create' or 'delete'
+	// the domain permission.
+	createOrDelete string
+
+	// Type of permission
+	// to create or delete.
+	permissionType gtsmodel.DomainPermissionType
+
+	// Domain to target
+	// with the permission.
+	domain string
+
+	// Expected result of this
+	// permission action on each
+	// account on the target domain.
+	// Eg., suite.Zero(account.SuspendedAt)
+	expected func(*gtsmodel.Account) bool
+}
+
+type domainPermTest struct {
+	// Federation mode under which to
+	// run this test. This is important
+	// because it may effect which side
+	// effects are taken, if any.
+	instanceFederationMode string
+
+	// Series of actions to run as part
+	// of this test. After each action,
+	// expected will be called. This
+	// allows testers to run multiple
+	// actions in a row and check that
+	// the results after each action are
+	// what they expected, in light of
+	// previous actions.
+	actions []domainPermAction
+}
+
+// run a domainPermTest by running each of
+// its actions in turn and checking results.
+func (suite *DomainBlockTestSuite) runDomainPermTest(t domainPermTest) {
+	config.SetInstanceFederationMode(t.instanceFederationMode)
+
+	for _, action := range t.actions {
+		// Run the desired action.
+		var actionID string
+		switch action.createOrDelete {
+		case "create":
+			_, actionID = suite.createDomainPerm(action.permissionType, action.domain)
+		case "delete":
+			_, actionID = suite.deleteDomainPerm(action.permissionType, action.domain)
+		default:
+			panic("createOrDelete was not 'create' or 'delete'")
+		}
+
+		// Let the action finish.
+		suite.awaitAction(actionID)
+
+		// Check expected results
+		// against each account.
+		accounts, err := suite.db.GetInstanceAccounts(
+			context.Background(),
+			action.domain,
+			"", 0,
+		)
+		if err != nil {
+			suite.FailNow("", "error getting instance accounts for %s: %v", action.domain, err)
+		}
+
+		for _, account := range accounts {
+			if !action.expected(account) {
+				suite.T().FailNow()
+			}
+		}
+	}
+}
+
+// create given permissionType with default values.
+func (suite *DomainBlockTestSuite) createDomainPerm(
+	permissionType gtsmodel.DomainPermissionType,
+	domain string,
+) (*apimodel.DomainPermission, string) {
+	ctx := context.Background()
+
+	apiPerm, actionID, errWithCode := suite.adminProcessor.DomainPermissionCreate(
+		ctx,
+		permissionType,
+		suite.testAccounts["admin_account"],
+		domain,
+		false,
+		"",
+		"",
+		"",
+	)
+	suite.NoError(errWithCode)
+	suite.NotNil(apiPerm)
+	suite.NotEmpty(actionID)
+
+	return apiPerm, actionID
+}
+
+// delete given permission type.
+func (suite *DomainBlockTestSuite) deleteDomainPerm(
+	permissionType gtsmodel.DomainPermissionType,
+	domain string,
+) (*apimodel.DomainPermission, string) {
+	var (
+		ctx              = context.Background()
+		domainPermission gtsmodel.DomainPermission
+	)
+
+	// To delete the permission,
+	// first get it from the db.
+	switch permissionType {
+	case gtsmodel.DomainPermissionBlock:
+		domainPermission, _ = suite.db.GetDomainBlock(ctx, domain)
+	case gtsmodel.DomainPermissionAllow:
+		domainPermission, _ = suite.db.GetDomainAllow(ctx, domain)
+	default:
+		panic("unrecognized permission type")
+	}
+
+	if domainPermission == nil {
+		suite.FailNow("domain permission was nil")
+	}
+
+	// Now use the ID to delete it.
+	apiPerm, actionID, errWithCode := suite.adminProcessor.DomainPermissionDelete(
+		ctx,
+		permissionType,
+		suite.testAccounts["admin_account"],
+		domainPermission.GetID(),
+	)
+	suite.NoError(errWithCode)
+	suite.NotNil(apiPerm)
+	suite.NotEmpty(actionID)
+
+	return apiPerm, actionID
+}
+
+// waits for given actionID to be completed.
+func (suite *DomainBlockTestSuite) awaitAction(actionID string) {
+	ctx := context.Background()
+
+	if !testrig.WaitFor(func() bool {
+		return suite.adminProcessor.Actions().TotalRunning() == 0
+	}) {
+		suite.FailNow("timed out waiting for admin action(s) to finish")
+	}
+
+	// Ensure action marked as
+	// completed in the database.
+	adminAction, err := suite.db.GetAdminAction(ctx, actionID)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	suite.NotZero(adminAction.CompletedAt)
+	suite.Empty(adminAction.Errors)
+}
+
+func (suite *DomainBlockTestSuite) TestBlockAndUnblockDomain() {
+	const domain = "fossbros-anonymous.io"
+
+	suite.runDomainPermTest(domainPermTest{
+		instanceFederationMode: config.InstanceFederationModeBlocklist,
+		actions: []domainPermAction{
+			{
+				createOrDelete: "create",
+				permissionType: gtsmodel.DomainPermissionBlock,
+				domain:         domain,
+				expected: func(account *gtsmodel.Account) bool {
+					// Domain was blocked, so each
+					// account should now be suspended.
+					return suite.NotZero(account.SuspendedAt)
+				},
+			},
+			{
+				createOrDelete: "delete",
+				permissionType: gtsmodel.DomainPermissionBlock,
+				domain:         domain,
+				expected: func(account *gtsmodel.Account) bool {
+					// Domain was unblocked, so each
+					// account should now be unsuspended.
+					return suite.Zero(account.SuspendedAt)
+				},
+			},
+		},
+	})
+}
+
+func (suite *DomainBlockTestSuite) TestBlockAndAllowDomain() {
+	const domain = "fossbros-anonymous.io"
+
+	suite.runDomainPermTest(domainPermTest{
+		instanceFederationMode: config.InstanceFederationModeBlocklist,
+		actions: []domainPermAction{
+			{
+				createOrDelete: "create",
+				permissionType: gtsmodel.DomainPermissionBlock,
+				domain:         domain,
+				expected: func(account *gtsmodel.Account) bool {
+					// Domain was blocked, so each
+					// account should now be suspended.
+					return suite.NotZero(account.SuspendedAt)
+				},
+			},
+			{
+				createOrDelete: "create",
+				permissionType: gtsmodel.DomainPermissionAllow,
+				domain:         domain,
+				expected: func(account *gtsmodel.Account) bool {
+					// Domain was explicitly allowed, so each
+					// account should now be unsuspended, since
+					// the allow supercedes the block.
+					return suite.Zero(account.SuspendedAt)
+				},
+			},
+			{
+				createOrDelete: "delete",
+				permissionType: gtsmodel.DomainPermissionAllow,
+				domain:         domain,
+				expected: func(account *gtsmodel.Account) bool {
+					// Deleting the allow now, while there's
+					// still a block in place, should cause
+					// the block to take effect again.
+					return suite.NotZero(account.SuspendedAt)
+				},
+			},
+			{
+				createOrDelete: "delete",
+				permissionType: gtsmodel.DomainPermissionBlock,
+				domain:         domain,
+				expected: func(account *gtsmodel.Account) bool {
+					// Deleting the block now should
+					// unsuspend the accounts again.
+					return suite.Zero(account.SuspendedAt)
+				},
+			},
+		},
+	})
+}
+
+func TestDomainBlockTestSuite(t *testing.T) {
+	suite.Run(t, new(DomainBlockTestSuite))
+}
--- a/internal/processing/admin/util.go
+++ b/internal/processing/admin/util.go
@@ -22,28 +22,11 @@ import (
 	"errors"
 	"time"

-	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 	"github.com/superseriousbusiness/gotosocial/internal/db"
 	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
 )

-// apiDomainBlock is a cheeky shortcut for returning
-// the API version of the given domainBlock, or an
-// appropriate error if something goes wrong.
-func (p *Processor) apiDomainBlock(
-	ctx context.Context,
-	domainBlock *gtsmodel.DomainBlock,
-) (*apimodel.DomainBlock, gtserror.WithCode) {
-	apiDomainBlock, err := p.tc.DomainBlockToAPIDomainBlock(ctx, domainBlock, false)
-	if err != nil {
-		err = gtserror.Newf("error converting domain block for %s to api model : %w", domainBlock.Domain, err)
-		return nil, gtserror.NewErrorInternalError(err)
-	}
-
-	return apiDomainBlock, nil
-}
-
 // stubbifyInstance renders the given instance as a stub,
 // removing most information from it and marking it as
 // suspended.