[feature] Allow admins to expire remote public keys; refetch expired …

…keys on demand (#2183)
superseriousbusiness · Sep 12, 2023 · 4b59451 · 4b59451
1 parent 2cac5a4
commit 4b59451
Show file tree

Hide file tree

Showing 23 changed files with 841 additions and 117 deletions.
diff --git a/docs/api/swagger.yaml b/docs/api/swagger.yaml
@@ -445,6 +445,19 @@ definitions:
         type: object
         x-go-name: AdminAccountInfo
         x-go-package: github.com/superseriousbusiness/gotosocial/internal/api/model
+    adminActionResponse:
+        description: |-
+            AdminActionResponse models the server
+            response to an admin action.
+        properties:
+            action_id:
+                description: Internal ID of the action.
+                example: 01H9QG6TZ9W5P0402VFRVM17TH
+                type: string
+                x-go-name: ActionID
+        type: object
+        x-go-name: AdminActionResponse
+        x-go-package: github.com/superseriousbusiness/gotosocial/internal/api/model
     adminEmoji:
         properties:
             category:
@@ -1018,6 +1031,16 @@ definitions:
         type: object
         x-go-name: DomainBlockCreateRequest
         x-go-package: github.com/superseriousbusiness/gotosocial/internal/api/model
+    domainKeysExpireRequest:
+        properties:
+            domain:
+                description: hostname/domain to expire keys for.
+                type: string
+                x-go-name: Domain
+        title: DomainBlockCreateRequest is the form submitted as a POST to /api/v1/admin/domain_keys_expire to expire a domain's public keys.
+        type: object
+        x-go-name: DomainKeysExpireRequest
+        x-go-package: github.com/superseriousbusiness/gotosocial/internal/api/model
     emoji:
         properties:
             category:
@@ -4103,6 +4126,56 @@ paths:
             summary: View domain block with the given ID.
             tags:
                 - admin
+    /api/v1/admin/domain_keys_expire:
+        post:
+            consumes:
+                - multipart/form-data
+            description: |-
+                This is useful in cases where the remote domain has had to rotate their keys for whatever
+                reason (security issue, data leak, routine safety procedure, etc), and your instance can no
+                longer communicate with theirs properly using cached keys. A key marked as expired in this way
+                will be lazily refetched next time a request is made to your instance signed by the owner of that
+                key, so no further action should be required in order to reestablish communication with that domain.
+
+                This endpoint is explicitly not for rotating your *own* keys, it only works for remote instances.
+
+                Using this endpoint to expire keys for a domain that hasn't rotated all of their keys is not
+                harmful and won't break federation, but it is pointless and will cause unnecessary requests to
+                be performed.
+            operationId: domainKeysExpire
+            parameters:
+                - description: Domain to expire keys for.
+                  example: example.org
+                  in: formData
+                  name: domain
+                  type: string
+            produces:
+                - application/json
+            responses:
+                "202":
+                    description: Request accepted and will be processed. Check the logs for progress / errors.
+                    schema:
+                        $ref: '#/definitions/adminActionResponse'
+                "400":
+                    description: bad request
+                "401":
+                    description: unauthorized
+                "403":
+                    description: forbidden
+                "404":
+                    description: not found
+                "406":
+                    description: not acceptable
+                "409":
+                    description: 'Conflict: There is already an admin action running that conflicts with this action. Check the error message in the response body for more information. This is a temporary error; it should be possible to process this action if you try again in a bit.'
+                "500":
+                    description: internal server error
+            security:
+                - OAuth2 Bearer:
+                    - admin
+            summary: Force expiry of cached public keys for all accounts on the given domain stored in your database.
+            tags:
+                - admin
     /api/v1/admin/email/test:
         post:
             consumes:

diff --git a/internal/api/client/admin/admin.go b/internal/api/client/admin/admin.go
@@ -31,6 +31,7 @@ const (
 	EmojiCategoriesPath     = EmojiPath + "/categories"
 	DomainBlocksPath        = BasePath + "/domain_blocks"
 	DomainBlocksPathWithID  = DomainBlocksPath + "/:" + IDKey
+	DomainKeysExpirePath    = BasePath + "/domain_keys_expire"
 	AccountsPath            = BasePath + "/accounts"
 	AccountsPathWithID      = AccountsPath + "/:" + IDKey
 	AccountsActionPath      = AccountsPathWithID + "/action"
@@ -83,6 +84,9 @@ func (m *Module) Route(attachHandler func(method string, path string, f ...gin.H
 	attachHandler(http.MethodGet, DomainBlocksPathWithID, m.DomainBlockGETHandler)
 	attachHandler(http.MethodDelete, DomainBlocksPathWithID, m.DomainBlockDELETEHandler)
 
+	// domain maintenance stuff
+	attachHandler(http.MethodPost, DomainKeysExpirePath, m.DomainKeysExpirePOSTHandler)
+
 	// accounts stuff
 	attachHandler(http.MethodPost, AccountsActionPath, m.AccountActionPOSTHandler)
 

diff --git a/internal/api/client/admin/domainkeysexpire.go b/internal/api/client/admin/domainkeysexpire.go
@@ -0,0 +1,149 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package admin
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
+	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
+	"github.com/superseriousbusiness/gotosocial/internal/config"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/oauth"
+)
+
+// DomainKeysExpirePOSTHandler swagger:operation POST /api/v1/admin/domain_keys_expire domainKeysExpire
+//
+// Force expiry of cached public keys for all accounts on the given domain stored in your database.
+//
+// This is useful in cases where the remote domain has had to rotate their keys for whatever
+// reason (security issue, data leak, routine safety procedure, etc), and your instance can no
+// longer communicate with theirs properly using cached keys. A key marked as expired in this way
+// will be lazily refetched next time a request is made to your instance signed by the owner of that
+// key, so no further action should be required in order to reestablish communication with that domain.
+//
+// This endpoint is explicitly not for rotating your *own* keys, it only works for remote instances.
+//
+// Using this endpoint to expire keys for a domain that hasn't rotated all of their keys is not
+// harmful and won't break federation, but it is pointless and will cause unnecessary requests to
+// be performed.
+//
+//	---
+//	tags:
+//	- admin
+//
+//	consumes:
+//	- multipart/form-data
+//
+//	produces:
+//	- application/json
+//
+//	parameters:
+//	-
+//		name: domain
+//		in: formData
+//		description: Domain to expire keys for.
+//		example: example.org
+//		type: string
+//
+//	security:
+//	- OAuth2 Bearer:
+//		- admin
+//
+//	responses:
+//		'202':
+//			description: >-
+//				Request accepted and will be processed.
+//				Check the logs for progress / errors.
+//			schema:
+//				"$ref": "#/definitions/adminActionResponse"
+//		'400':
+//			description: bad request
+//		'401':
+//			description: unauthorized
+//		'403':
+//			description: forbidden
+//		'404':
+//			description: not found
+//		'406':
+//			description: not acceptable
+//		'409':
+//			description: >-
+//				Conflict: There is already an admin action running that conflicts with this action.
+//				Check the error message in the response body for more information. This is a temporary
+//				error; it should be possible to process this action if you try again in a bit.
+//		'500':
+//			description: internal server error
+func (m *Module) DomainKeysExpirePOSTHandler(c *gin.Context) {
+	authed, err := oauth.Authed(c, true, true, true, true)
+	if err != nil {
+		apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	if !*authed.User.Admin {
+		err := fmt.Errorf("user %s not an admin", authed.User.ID)
+		apiutil.ErrorHandler(c, gtserror.NewErrorForbidden(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	if _, err := apiutil.NegotiateAccept(c, apiutil.JSONAcceptHeaders...); err != nil {
+		apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	form := new(apimodel.DomainKeysExpireRequest)
+	if err := c.ShouldBind(form); err != nil {
+		apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	if err := validateDomainKeysExpire(form); err != nil {
+		apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	actionID, errWithCode := m.processor.Admin().DomainKeysExpire(
+		c.Request.Context(),
+		authed.Account,
+		form.Domain,
+	)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	c.JSON(http.StatusAccepted, &apimodel.AdminActionResponse{ActionID: actionID})
+}
+
+func validateDomainKeysExpire(form *apimodel.DomainKeysExpireRequest) error {
+	form.Domain = strings.TrimSpace(form.Domain)
+	if form.Domain == "" {
+		return errors.New("no domain given")
+	}
+
+	if form.Domain == config.GetHost() || form.Domain == config.GetAccountDomain() {
+		return errors.New("provided domain was this domain, but must be a remote domain")
+	}
+
+	return nil
+}
diff --git a/internal/api/model/admin.go b/internal/api/model/admin.go
@@ -178,6 +178,17 @@ type AdminActionRequest struct {
 	TargetID string `form:"-" json:"-" xml:"-"`
 }
 
+// AdminActionResponse models the server
+// response to an admin action.
+//
+// swagger:model adminActionResponse
+type AdminActionResponse struct {
+	// Internal ID of the action.
+	//
+	// example: 01H9QG6TZ9W5P0402VFRVM17TH
+	ActionID string `json:"action_id"`
+}
+
 // MediaCleanupRequest models admin media cleanup parameters
 //
 // swagger:parameters mediaCleanup

diff --git a/internal/api/model/domain.go b/internal/api/model/domain.go
@@ -79,3 +79,11 @@ type DomainBlockCreateRequest struct {
 	// public comment on the reason for the domain block
 	PublicComment string `form:"public_comment" json:"public_comment" xml:"public_comment"`
 }
+
+// DomainBlockCreateRequest is the form submitted as a POST to /api/v1/admin/domain_keys_expire to expire a domain's public keys.
+//
+// swagger:model domainKeysExpireRequest
+type DomainKeysExpireRequest struct {
+	// hostname/domain to expire keys for.
+	Domain string `form:"domain" json:"domain" xml:"domain"`
+}
diff --git a/internal/db/bundb/migrations/20230905133904_remote_pubkey_expiry.go b/internal/db/bundb/migrations/20230905133904_remote_pubkey_expiry.go
@@ -0,0 +1,45 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package migrations
+
+import (
+	"context"
+	"strings"
+
+	"github.com/uptrace/bun"
+)
+
+func init() {
+	up := func(ctx context.Context, db *bun.DB) error {
+		_, err := db.ExecContext(ctx, "ALTER TABLE ? ADD COLUMN ? TIMESTAMPTZ", bun.Ident("accounts"), bun.Ident("public_key_expires_at"))
+		if err != nil && !(strings.Contains(err.Error(), "already exists") || strings.Contains(err.Error(), "duplicate column name") || strings.Contains(err.Error(), "SQLSTATE 42701")) {
+			return err
+		}
+		return nil
+	}
+
+	down := func(ctx context.Context, db *bun.DB) error {
+		return db.RunInTx(ctx, nil, func(ctx context.Context, tx bun.Tx) error {
+			return nil
+		})
+	}
+
+	if err := Migrations.Register(up, down); err != nil {
+		panic(err)
+	}
+}