[feature] Allow admins to expire remote public keys; refetch expired keys on demand (#2183)

2025-06-05 21:59:39 +02:00 · 2023-09-12 11:43:12 +02:00
parent 2cac5a4613
commit 4b594516ec
23 changed files with 841 additions and 117 deletions
--- a/internal/processing/admin/domainkeysexpire.go
+++ b/internal/processing/admin/domainkeysexpire.go
@@ -0,0 +1,87 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package admin
+
+import (
+	"context"
+	"time"
+
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/id"
+)
+
+// DomainKeysExpire iterates through all
+// accounts belonging to the given domain,
+// and expires the public key of each
+// account found this way.
+//
+// The PublicKey for each account will be
+// re-fetched next time a signed request
+// from that account is received.
+func (p *Processor) DomainKeysExpire(
+	ctx context.Context,
+	adminAcct *gtsmodel.Account,
+	domain string,
+) (string, gtserror.WithCode) {
+	actionID := id.NewULID()
+
+	// Process key expiration asynchronously.
+	if errWithCode := p.actions.Run(
+		ctx,
+		&gtsmodel.AdminAction{
+			ID:             actionID,
+			TargetCategory: gtsmodel.AdminActionCategoryDomain,
+			TargetID:       domain,
+			Type:           gtsmodel.AdminActionExpireKeys,
+			AccountID:      adminAcct.ID,
+		},
+		func(ctx context.Context) gtserror.MultiError {
+			return p.domainKeysExpireSideEffects(ctx, domain)
+		},
+	); errWithCode != nil {
+		return actionID, errWithCode
+	}
+
+	return actionID, nil
+}
+
+func (p *Processor) domainKeysExpireSideEffects(ctx context.Context, domain string) gtserror.MultiError {
+	var (
+		expiresAt = time.Now()
+		errs      gtserror.MultiError
+	)
+
+	// For each account on this domain, expire
+	// the public key and update the account.
+	if err := p.rangeDomainAccounts(ctx, domain, func(account *gtsmodel.Account) {
+		account.PublicKeyExpiresAt = expiresAt
+
+		if err := p.state.DB.UpdateAccount(
+			ctx,
+			account,
+			"public_key_expires_at",
+		); err != nil {
+			errs.Appendf("db error updating account: %w", err)
+		}
+	}); err != nil {
+		errs.Appendf("db error ranging through accounts: %w", err)
+	}
+
+	return errs
+}
--- a/internal/processing/fedi/common.go
+++ b/internal/processing/fedi/common.go
@@ -48,7 +48,7 @@ func (p *Processor) authenticate(ctx context.Context, requestedUsername string)

 	// Ensure request signed, and use signature URI to
 	// get requesting account, dereferencing if necessary.
-	requestingAccountURI, errWithCode := p.federator.AuthenticateFederatedRequest(ctx, requestedUsername)
+	pubKeyAuth, errWithCode := p.federator.AuthenticateFederatedRequest(ctx, requestedUsername)
 	if errWithCode != nil {
 		return nil, nil, errWithCode
 	}
@@ -56,10 +56,10 @@ func (p *Processor) authenticate(ctx context.Context, requestedUsername string)
 	requestingAccount, _, err := p.federator.GetAccountByURI(
 		gtscontext.SetFastFail(ctx),
 		requestedUsername,
-		requestingAccountURI,
+		pubKeyAuth.OwnerURI,
 	)
 	if err != nil {
-		err = gtserror.Newf("error getting account %s: %w", requestingAccountURI, err)
+		err = gtserror.Newf("error getting account %s: %w", pubKeyAuth.OwnerURI, err)
 		return nil, nil, gtserror.NewErrorUnauthorized(err)
 	}

--- a/internal/processing/fedi/user.go
+++ b/internal/processing/fedi/user.go
@@ -66,7 +66,7 @@ func (p *Processor) UserGet(ctx context.Context, requestedUsername string, reque
 	// If the request is not on a public key path, we want to
 	// try to authenticate it before we serve any data, so that
 	// we can serve a more complete profile.
-	requestingAccountURI, errWithCode := p.federator.AuthenticateFederatedRequest(ctx, requestedUsername)
+	pubKeyAuth, errWithCode := p.federator.AuthenticateFederatedRequest(ctx, requestedUsername)
 	if errWithCode != nil {
 		return nil, errWithCode // likely 401
 	}
@@ -89,7 +89,7 @@ func (p *Processor) UserGet(ctx context.Context, requestedUsername string, reque
 	// Instead, we end up in an 'I'll show you mine if you show me
 	// yours' situation, where we sort of agree to reveal each
 	// other's profiles at the same time.
-	if p.federator.Handshaking(requestedUsername, requestingAccountURI) {
+	if p.federator.Handshaking(requestedUsername, pubKeyAuth.OwnerURI) {
 		return data(person)
 	}

@@ -98,10 +98,11 @@ func (p *Processor) UserGet(ctx context.Context, requestedUsername string, reque
 	requestingAccount, _, err := p.federator.GetAccountByURI(
 		// On a hot path so fail quickly.
 		gtscontext.SetFastFail(ctx),
-		requestedUsername, requestingAccountURI,
+		requestedUsername,
+		pubKeyAuth.OwnerURI,
 	)
 	if err != nil {
-		err := gtserror.Newf("error getting account %s: %w", requestingAccountURI, err)
+		err := gtserror.Newf("error getting account %s: %w", pubKeyAuth.OwnerURI, err)
 		return nil, gtserror.NewErrorUnauthorized(err)
 	}