-
-
Notifications
You must be signed in to change notification settings - Fork 316
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[feature] Allow admins to expire remote public keys; refetch expired …
…keys on demand (#2183)
- Loading branch information
1 parent
2cac5a4
commit 4b59451
Showing
23 changed files
with
841 additions
and
117 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,149 @@ | ||
// GoToSocial | ||
// Copyright (C) GoToSocial Authors admin@gotosocial.org | ||
// SPDX-License-Identifier: AGPL-3.0-or-later | ||
// | ||
// This program is free software: you can redistribute it and/or modify | ||
// it under the terms of the GNU Affero General Public License as published by | ||
// the Free Software Foundation, either version 3 of the License, or | ||
// (at your option) any later version. | ||
// | ||
// This program is distributed in the hope that it will be useful, | ||
// but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
// GNU Affero General Public License for more details. | ||
// | ||
// You should have received a copy of the GNU Affero General Public License | ||
// along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
|
||
package admin | ||
|
||
import ( | ||
"errors" | ||
"fmt" | ||
"net/http" | ||
"strings" | ||
|
||
"github.com/gin-gonic/gin" | ||
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" | ||
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" | ||
"github.com/superseriousbusiness/gotosocial/internal/config" | ||
"github.com/superseriousbusiness/gotosocial/internal/gtserror" | ||
"github.com/superseriousbusiness/gotosocial/internal/oauth" | ||
) | ||
|
||
// DomainKeysExpirePOSTHandler swagger:operation POST /api/v1/admin/domain_keys_expire domainKeysExpire | ||
// | ||
// Force expiry of cached public keys for all accounts on the given domain stored in your database. | ||
// | ||
// This is useful in cases where the remote domain has had to rotate their keys for whatever | ||
// reason (security issue, data leak, routine safety procedure, etc), and your instance can no | ||
// longer communicate with theirs properly using cached keys. A key marked as expired in this way | ||
// will be lazily refetched next time a request is made to your instance signed by the owner of that | ||
// key, so no further action should be required in order to reestablish communication with that domain. | ||
// | ||
// This endpoint is explicitly not for rotating your *own* keys, it only works for remote instances. | ||
// | ||
// Using this endpoint to expire keys for a domain that hasn't rotated all of their keys is not | ||
// harmful and won't break federation, but it is pointless and will cause unnecessary requests to | ||
// be performed. | ||
// | ||
// --- | ||
// tags: | ||
// - admin | ||
// | ||
// consumes: | ||
// - multipart/form-data | ||
// | ||
// produces: | ||
// - application/json | ||
// | ||
// parameters: | ||
// - | ||
// name: domain | ||
// in: formData | ||
// description: Domain to expire keys for. | ||
// example: example.org | ||
// type: string | ||
// | ||
// security: | ||
// - OAuth2 Bearer: | ||
// - admin | ||
// | ||
// responses: | ||
// '202': | ||
// description: >- | ||
// Request accepted and will be processed. | ||
// Check the logs for progress / errors. | ||
// schema: | ||
// "$ref": "#/definitions/adminActionResponse" | ||
// '400': | ||
// description: bad request | ||
// '401': | ||
// description: unauthorized | ||
// '403': | ||
// description: forbidden | ||
// '404': | ||
// description: not found | ||
// '406': | ||
// description: not acceptable | ||
// '409': | ||
// description: >- | ||
// Conflict: There is already an admin action running that conflicts with this action. | ||
// Check the error message in the response body for more information. This is a temporary | ||
// error; it should be possible to process this action if you try again in a bit. | ||
// '500': | ||
// description: internal server error | ||
func (m *Module) DomainKeysExpirePOSTHandler(c *gin.Context) { | ||
authed, err := oauth.Authed(c, true, true, true, true) | ||
if err != nil { | ||
apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1) | ||
return | ||
} | ||
|
||
if !*authed.User.Admin { | ||
err := fmt.Errorf("user %s not an admin", authed.User.ID) | ||
apiutil.ErrorHandler(c, gtserror.NewErrorForbidden(err, err.Error()), m.processor.InstanceGetV1) | ||
return | ||
} | ||
|
||
if _, err := apiutil.NegotiateAccept(c, apiutil.JSONAcceptHeaders...); err != nil { | ||
apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1) | ||
return | ||
} | ||
|
||
form := new(apimodel.DomainKeysExpireRequest) | ||
if err := c.ShouldBind(form); err != nil { | ||
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) | ||
return | ||
} | ||
|
||
if err := validateDomainKeysExpire(form); err != nil { | ||
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) | ||
return | ||
} | ||
|
||
actionID, errWithCode := m.processor.Admin().DomainKeysExpire( | ||
c.Request.Context(), | ||
authed.Account, | ||
form.Domain, | ||
) | ||
if errWithCode != nil { | ||
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) | ||
return | ||
} | ||
|
||
c.JSON(http.StatusAccepted, &apimodel.AdminActionResponse{ActionID: actionID}) | ||
} | ||
|
||
func validateDomainKeysExpire(form *apimodel.DomainKeysExpireRequest) error { | ||
form.Domain = strings.TrimSpace(form.Domain) | ||
if form.Domain == "" { | ||
return errors.New("no domain given") | ||
} | ||
|
||
if form.Domain == config.GetHost() || form.Domain == config.GetAccountDomain() { | ||
return errors.New("provided domain was this domain, but must be a remote domain") | ||
} | ||
|
||
return nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
45 changes: 45 additions & 0 deletions
45
internal/db/bundb/migrations/20230905133904_remote_pubkey_expiry.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
// GoToSocial | ||
// Copyright (C) GoToSocial Authors admin@gotosocial.org | ||
// SPDX-License-Identifier: AGPL-3.0-or-later | ||
// | ||
// This program is free software: you can redistribute it and/or modify | ||
// it under the terms of the GNU Affero General Public License as published by | ||
// the Free Software Foundation, either version 3 of the License, or | ||
// (at your option) any later version. | ||
// | ||
// This program is distributed in the hope that it will be useful, | ||
// but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
// GNU Affero General Public License for more details. | ||
// | ||
// You should have received a copy of the GNU Affero General Public License | ||
// along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
|
||
package migrations | ||
|
||
import ( | ||
"context" | ||
"strings" | ||
|
||
"github.com/uptrace/bun" | ||
) | ||
|
||
func init() { | ||
up := func(ctx context.Context, db *bun.DB) error { | ||
_, err := db.ExecContext(ctx, "ALTER TABLE ? ADD COLUMN ? TIMESTAMPTZ", bun.Ident("accounts"), bun.Ident("public_key_expires_at")) | ||
if err != nil && !(strings.Contains(err.Error(), "already exists") || strings.Contains(err.Error(), "duplicate column name") || strings.Contains(err.Error(), "SQLSTATE 42701")) { | ||
return err | ||
} | ||
return nil | ||
} | ||
|
||
down := func(ctx context.Context, db *bun.DB) error { | ||
return db.RunInTx(ctx, nil, func(ctx context.Context, tx bun.Tx) error { | ||
return nil | ||
}) | ||
} | ||
|
||
if err := Migrations.Register(up, down); err != nil { | ||
panic(err) | ||
} | ||
} |
Oops, something went wrong.