[feature] Allow admins to expire remote public keys; refetch expired keys on demand (#2183)

4 files changed, 172 insertions, 0 deletions

diff --git a/internal/api/client/admin/admin.go b/internal/api/client/admin/admin.go
index ce6604c29..605c53731 100644
--- a/internal/api/client/admin/admin.go
+++ b/internal/api/client/admin/admin.go
@@ -31,6 +31,7 @@ const (
 	EmojiCategoriesPath     = EmojiPath + "/categories"
 	DomainBlocksPath        = BasePath + "/domain_blocks"
 	DomainBlocksPathWithID  = DomainBlocksPath + "/:" + IDKey
+	DomainKeysExpirePath    = BasePath + "/domain_keys_expire"
 	AccountsPath            = BasePath + "/accounts"
 	AccountsPathWithID      = AccountsPath + "/:" + IDKey
 	AccountsActionPath      = AccountsPathWithID + "/action"
@@ -83,6 +84,9 @@ func (m *Module) Route(attachHandler func(method string, path string, f ...gin.H
 	attachHandler(http.MethodGet, DomainBlocksPathWithID, m.DomainBlockGETHandler)
 	attachHandler(http.MethodDelete, DomainBlocksPathWithID, m.DomainBlockDELETEHandler)
 
+	// domain maintenance stuff
+	attachHandler(http.MethodPost, DomainKeysExpirePath, m.DomainKeysExpirePOSTHandler)
+
 	// accounts stuff
 	attachHandler(http.MethodPost, AccountsActionPath, m.AccountActionPOSTHandler)
 
diff --git a/internal/api/client/admin/domainkeysexpire.go b/internal/api/client/admin/domainkeysexpire.go
new file mode 100644
index 000000000..73a811dd4
--- /dev/null
+++ b/internal/api/client/admin/domainkeysexpire.go
@@ -0,0 +1,149 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package admin
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
+	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
+	"github.com/superseriousbusiness/gotosocial/internal/config"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/oauth"
+)
+
+// DomainKeysExpirePOSTHandler swagger:operation POST /api/v1/admin/domain_keys_expire domainKeysExpire
+//
+// Force expiry of cached public keys for all accounts on the given domain stored in your database.
+//
+// This is useful in cases where the remote domain has had to rotate their keys for whatever
+// reason (security issue, data leak, routine safety procedure, etc), and your instance can no
+// longer communicate with theirs properly using cached keys. A key marked as expired in this way
+// will be lazily refetched next time a request is made to your instance signed by the owner of that
+// key, so no further action should be required in order to reestablish communication with that domain.
+//
+// This endpoint is explicitly not for rotating your *own* keys, it only works for remote instances.
+//
+// Using this endpoint to expire keys for a domain that hasn't rotated all of their keys is not
+// harmful and won't break federation, but it is pointless and will cause unnecessary requests to
+// be performed.
+//
+//	---
+//	tags:
+//	- admin
+//
+//	consumes:
+//	- multipart/form-data
+//
+//	produces:
+//	- application/json
+//
+//	parameters:
+//	-
+//		name: domain
+//		in: formData
+//		description: Domain to expire keys for.
+//		example: example.org
+//		type: string
+//
+//	security:
+//	- OAuth2 Bearer:
+//		- admin
+//
+//	responses:
+//		'202':
+//			description: >-
+//				Request accepted and will be processed.
+//				Check the logs for progress / errors.
+//			schema:
+//				"$ref": "#/definitions/adminActionResponse"
+//		'400':
+//			description: bad request
+//		'401':
+//			description: unauthorized
+//		'403':
+//			description: forbidden
+//		'404':
+//			description: not found
+//		'406':
+//			description: not acceptable
+//		'409':
+//			description: >-
+//				Conflict: There is already an admin action running that conflicts with this action.
+//				Check the error message in the response body for more information. This is a temporary
+//				error; it should be possible to process this action if you try again in a bit.
+//		'500':
+//			description: internal server error
+func (m *Module) DomainKeysExpirePOSTHandler(c *gin.Context) {
+	authed, err := oauth.Authed(c, true, true, true, true)
+	if err != nil {
+		apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	if !*authed.User.Admin {
+		err := fmt.Errorf("user %s not an admin", authed.User.ID)
+		apiutil.ErrorHandler(c, gtserror.NewErrorForbidden(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	if _, err := apiutil.NegotiateAccept(c, apiutil.JSONAcceptHeaders...); err != nil {
+		apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	form := new(apimodel.DomainKeysExpireRequest)
+	if err := c.ShouldBind(form); err != nil {
+		apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	if err := validateDomainKeysExpire(form); err != nil {
+		apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	actionID, errWithCode := m.processor.Admin().DomainKeysExpire(
+		c.Request.Context(),
+		authed.Account,
+		form.Domain,
+	)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	c.JSON(http.StatusAccepted, &apimodel.AdminActionResponse{ActionID: actionID})
+}
+
+func validateDomainKeysExpire(form *apimodel.DomainKeysExpireRequest) error {
+	form.Domain = strings.TrimSpace(form.Domain)
+	if form.Domain == "" {
+		return errors.New("no domain given")
+	}
+
+	if form.Domain == config.GetHost() || form.Domain == config.GetAccountDomain() {
+		return errors.New("provided domain was this domain, but must be a remote domain")
+	}
+
+	return nil
+}
diff --git a/internal/api/model/admin.go b/internal/api/model/admin.go
index 6be3e9cbd..ca4aa32da 100644
--- a/internal/api/model/admin.go
+++ b/internal/api/model/admin.go
@@ -178,6 +178,17 @@ type AdminActionRequest struct {
 	TargetID string `form:"-" json:"-" xml:"-"`
 }
 
+// AdminActionResponse models the server
+// response to an admin action.
+//
+// swagger:model adminActionResponse
+type AdminActionResponse struct {
+	// Internal ID of the action.
+	//
+	// example: 01H9QG6TZ9W5P0402VFRVM17TH
+	ActionID string `json:"action_id"`
+}
+
 // MediaCleanupRequest models admin media cleanup parameters
 //
 // swagger:parameters mediaCleanup
diff --git a/internal/api/model/domain.go b/internal/api/model/domain.go
index 045dc2700..c5f77c82f 100644
--- a/internal/api/model/domain.go
+++ b/internal/api/model/domain.go
@@ -79,3 +79,11 @@ type DomainBlockCreateRequest struct {
 	// public comment on the reason for the domain block
 	PublicComment string `form:"public_comment" json:"public_comment" xml:"public_comment"`
 }
+
+// DomainBlockCreateRequest is the form submitted as a POST to /api/v1/admin/domain_keys_expire to expire a domain's public keys.
+//
+// swagger:model domainKeysExpireRequest
+type DomainKeysExpireRequest struct {
+	// hostname/domain to expire keys for.
+	Domain string `form:"domain" json:"domain" xml:"domain"`
+}