[feature] Allow admins to expire remote public keys; refetch expired keys on demand (#2183)

2025-06-05 21:59:39 +02:00 · 2023-09-12 11:43:12 +02:00
parent 2cac5a4613
commit 4b594516ec
23 changed files with 841 additions and 117 deletions
--- a/web/source/settings/admin/actions/keys/expireremote.jsx
+++ b/web/source/settings/admin/actions/keys/expireremote.jsx
@@ -0,0 +1,61 @@
+/*
+	GoToSocial
+	Copyright (C) GoToSocial Authors admin@gotosocial.org
+	SPDX-License-Identifier: AGPL-3.0-or-later
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU Affero General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU Affero General Public License for more details.
+
+	You should have received a copy of the GNU Affero General Public License
+	along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+"use strict";
+
+const React = require("react");
+
+const query = require("../../../lib/query");
+
+const { useTextInput } = require("../../../lib/form");
+const { TextInput } = require("../../../components/form/inputs");
+
+const MutationButton = require("../../../components/form/mutation-button");
+
+module.exports = function ExpireRemote({}) {
+	const domainField = useTextInput("domain");
+
+	const [expire, expireResult] = query.useInstanceKeysExpireMutation();
+
+	function submitExpire(e) {
+		e.preventDefault();
+		expire(domainField.value);
+	}
+
+	return (
+		<form onSubmit={submitExpire}>
+			<h2>Expire remote instance keys</h2>
+			<p>
+				Mark all public keys from the given remote instance as expired.<br/><br/>
+				This is useful in cases where the remote domain has had to rotate their keys for whatever
+				reason (security issue, data leak, routine safety procedure, etc), and your instance can no
+				longer communicate with theirs properly using cached keys. A key marked as expired in this way
+				will be lazily refetched next time a request is made to your instance signed by the owner of that
+				key.
+			</p>
+			<TextInput
+				field={domainField}
+				label="Domain"
+				type="string"
+				placeholder="example.org"
+			/>
+			<MutationButton label="Expire keys" result={expireResult} />
+		</form>
+	);
+};
--- a/web/source/settings/admin/actions/keys/index.jsx
+++ b/web/source/settings/admin/actions/keys/index.jsx
@@ -0,0 +1,32 @@
+/*
+	GoToSocial
+	Copyright (C) GoToSocial Authors admin@gotosocial.org
+	SPDX-License-Identifier: AGPL-3.0-or-later
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU Affero General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU Affero General Public License for more details.
+
+	You should have received a copy of the GNU Affero General Public License
+	along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+"use strict";
+
+const React = require("react");
+const ExpireRemote = require("./expireremote");
+
+module.exports = function Keys() {
+	return (
+		<>
+			<h1>Key Actions</h1>
+			<ExpireRemote />
+		</>
+	);
+};
--- a/web/source/settings/admin/actions/media/cleanup.jsx
+++ b/web/source/settings/admin/actions/media/cleanup.jsx
@@ -21,42 +21,39 @@

 const React = require("react");

-const query = require("../lib/query");
+const query = require("../../../lib/query");

-const { useTextInput } = require("../lib/form");
-const { TextInput } = require("../components/form/inputs");
+const { useTextInput } = require("../../../lib/form");
+const { TextInput } = require("../../../components/form/inputs");

-const MutationButton = require("../components/form/mutation-button");
+const MutationButton = require("../../../components/form/mutation-button");

-module.exports = function AdminActionPanel() {
+module.exports = function Cleanup({}) {
 	const daysField = useTextInput("days", { defaultValue: 30 });

 	const [mediaCleanup, mediaCleanupResult] = query.useMediaCleanupMutation();

-	function submitMediaCleanup(e) {
+	function submitCleanup(e) {
 		e.preventDefault();
 		mediaCleanup(daysField.value);
 	}
-
+    
 	return (
-		<>
-			<h1>Admin Actions</h1>
-			<form onSubmit={submitMediaCleanup}>
-				<h2>Media cleanup</h2>
-				<p>
+		<form onSubmit={submitCleanup}>
+			<h2>Cleanup</h2>
+			<p>
 					Clean up remote media older than the specified number of days.
 					If the remote instance is still online they will be refetched when needed.
 					Also cleans up unused headers and avatars from the media cache.
-				</p>
-				<TextInput
-					field={daysField}
-					label="Days"
-					type="number"
-					min="0"
-					placeholder="30"
-				/>
-				<MutationButton label="Remove old media" result={mediaCleanupResult} />
-			</form>
-		</>
+			</p>
+			<TextInput
+				field={daysField}
+				label="Days"
+				type="number"
+				min="0"
+				placeholder="30"
+			/>
+			<MutationButton label="Remove old media" result={mediaCleanupResult} />
+		</form>
 	);
-};
+};
--- a/web/source/settings/admin/actions/media/index.jsx
+++ b/web/source/settings/admin/actions/media/index.jsx
@@ -0,0 +1,32 @@
+/*
+	GoToSocial
+	Copyright (C) GoToSocial Authors admin@gotosocial.org
+	SPDX-License-Identifier: AGPL-3.0-or-later
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU Affero General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU Affero General Public License for more details.
+
+	You should have received a copy of the GNU Affero General Public License
+	along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+"use strict";
+
+const React = require("react");
+const Cleanup = require("./cleanup");
+
+module.exports = function Media() {
+	return (
+		<>
+			<h1>Media Actions</h1>
+			<Cleanup />
+		</>
+	);
+};
--- a/web/source/settings/index.js
+++ b/web/source/settings/index.js
@@ -55,7 +55,10 @@ const { Sidebar, ViewRouter } = createNavigation("/settings", [
 		defaultUrl: "/settings/admin/settings",
 		permissions: ["admin"]
 	}, [
-		Item("Actions", { icon: "fa-bolt" }, require("./admin/actions")),
+		Menu("Actions", { icon: "fa-bolt" }, [
+			Item("Media", { icon: "fa-photo" }, require("./admin/actions/media")),
+			Item("Keys", { icon: "fa-key-modern" }, require("./admin/actions/keys")),
+		]),
 		Menu("Custom Emoji", { icon: "fa-smile-o" }, [
 			Item("Local", { icon: "fa-home", wildcard: true }, require("./admin/emoji/local")),
 			Item("Remote", { icon: "fa-cloud" }, require("./admin/emoji/remote"))
@@ -63,7 +66,7 @@ const { Sidebar, ViewRouter } = createNavigation("/settings", [
 		Menu("Settings", { icon: "fa-sliders" }, [
 			Item("Settings", { icon: "fa-sliders", url: "" }, require("./admin/settings")),
 			Item("Rules", { icon: "fa-dot-circle-o", wildcard: true }, require("./admin/settings/rules"))
-		])
+		]),
 	])
 ]);

--- a/web/source/settings/lib/query/admin/index.js
+++ b/web/source/settings/lib/query/admin/index.js
@@ -47,6 +47,15 @@ const endpoints = (build) => ({
 			}
 		})
 	}),
+	instanceKeysExpire: build.mutation({
+		query: (domain) => ({
+			method: "POST",
+			url: `/api/v1/admin/domain_keys_expire`,
+			params: {
+				domain: domain
+			}
+		})
+	}),
 	instanceBlocks: build.query({
 		query: () => ({
 			url: `/api/v1/admin/domain_blocks`