[feature] Implement explicit domain allows + allowlist federation mode (#2200)

* love like winter! wohoah, wohoah

* domain allow side effects

* tests! logging! unallow!

* document federation modes

* linty linterson

* test

* further adventures in documentation

* finish up domain block documentation (i think)

* change wording a wee little bit

* docs, example

* consolidate shared domainPermission code

* call mode once

* fetch federation mode within domain blocked func

* read domain perm import in streaming manner

* don't use pointer to slice for domain perms

* don't bother copying blocks + allows before deleting

* admonish!

* change wording just a scooch

* update docs

4 files changed, 190 insertions, 1 deletions

diff --git a/internal/gtsmodel/adminaction.go b/internal/gtsmodel/adminaction.go
index 1e55a33f9..e8b82e495 100644
--- a/internal/gtsmodel/adminaction.go
+++ b/internal/gtsmodel/adminaction.go
@@ -42,7 +42,7 @@ func (c AdminActionCategory) String() string {
 	case AdminActionCategoryDomain:
 		return "domain"
 	default:
-		return "unknown"
+		return "unknown" //nolint:goconst
 	}
 }
 
diff --git a/internal/gtsmodel/domainallow.go b/internal/gtsmodel/domainallow.go
new file mode 100644
index 000000000..2a3e53e79
--- /dev/null
+++ b/internal/gtsmodel/domainallow.go
@@ -0,0 +1,78 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package gtsmodel
+
+import "time"
+
+// DomainAllow represents a federation allow towards a particular domain.
+type DomainAllow struct {
+	ID                 string    `bun:"type:CHAR(26),pk,nullzero,notnull,unique"`                    // id of this item in the database
+	CreatedAt          time.Time `bun:"type:timestamptz,nullzero,notnull,default:current_timestamp"` // when was item created
+	UpdatedAt          time.Time `bun:"type:timestamptz,nullzero,notnull,default:current_timestamp"` // when was item last updated
+	Domain             string    `bun:",nullzero,notnull"`                                           // domain to allow. Eg. 'whatever.com'
+	CreatedByAccountID string    `bun:"type:CHAR(26),nullzero,notnull"`                              // Account ID of the creator of this allow
+	CreatedByAccount   *Account  `bun:"rel:belongs-to"`                                              // Account corresponding to createdByAccountID
+	PrivateComment     string    `bun:""`                                                            // Private comment on this allow, viewable to admins
+	PublicComment      string    `bun:""`                                                            // Public comment on this allow, viewable (optionally) by everyone
+	Obfuscate          *bool     `bun:",nullzero,notnull,default:false"`                             // whether the domain name should appear obfuscated when displaying it publicly
+	SubscriptionID     string    `bun:"type:CHAR(26),nullzero"`                                      // if this allow was created through a subscription, what's the subscription ID?
+}
+
+func (d *DomainAllow) GetID() string {
+	return d.ID
+}
+
+func (d *DomainAllow) GetCreatedAt() time.Time {
+	return d.CreatedAt
+}
+
+func (d *DomainAllow) GetUpdatedAt() time.Time {
+	return d.UpdatedAt
+}
+
+func (d *DomainAllow) GetDomain() string {
+	return d.Domain
+}
+
+func (d *DomainAllow) GetCreatedByAccountID() string {
+	return d.CreatedByAccountID
+}
+
+func (d *DomainAllow) GetCreatedByAccount() *Account {
+	return d.CreatedByAccount
+}
+
+func (d *DomainAllow) GetPrivateComment() string {
+	return d.PrivateComment
+}
+
+func (d *DomainAllow) GetPublicComment() string {
+	return d.PublicComment
+}
+
+func (d *DomainAllow) GetObfuscate() *bool {
+	return d.Obfuscate
+}
+
+func (d *DomainAllow) GetSubscriptionID() string {
+	return d.SubscriptionID
+}
+
+func (d *DomainAllow) GetType() DomainPermissionType {
+	return DomainPermissionAllow
+}
diff --git a/internal/gtsmodel/domainblock.go b/internal/gtsmodel/domainblock.go
index dfe642ef5..4e0b3ca65 100644
--- a/internal/gtsmodel/domainblock.go
+++ b/internal/gtsmodel/domainblock.go
@@ -32,3 +32,47 @@ type DomainBlock struct {
 	Obfuscate          *bool     `bun:",nullzero,notnull,default:false"`                             // whether the domain name should appear obfuscated when displaying it publicly
 	SubscriptionID     string    `bun:"type:CHAR(26),nullzero"`                                      // if this block was created through a subscription, what's the subscription ID?
 }
+
+func (d *DomainBlock) GetID() string {
+	return d.ID
+}
+
+func (d *DomainBlock) GetCreatedAt() time.Time {
+	return d.CreatedAt
+}
+
+func (d *DomainBlock) GetUpdatedAt() time.Time {
+	return d.UpdatedAt
+}
+
+func (d *DomainBlock) GetDomain() string {
+	return d.Domain
+}
+
+func (d *DomainBlock) GetCreatedByAccountID() string {
+	return d.CreatedByAccountID
+}
+
+func (d *DomainBlock) GetCreatedByAccount() *Account {
+	return d.CreatedByAccount
+}
+
+func (d *DomainBlock) GetPrivateComment() string {
+	return d.PrivateComment
+}
+
+func (d *DomainBlock) GetPublicComment() string {
+	return d.PublicComment
+}
+
+func (d *DomainBlock) GetObfuscate() *bool {
+	return d.Obfuscate
+}
+
+func (d *DomainBlock) GetSubscriptionID() string {
+	return d.SubscriptionID
+}
+
+func (d *DomainBlock) GetType() DomainPermissionType {
+	return DomainPermissionBlock
+}
diff --git a/internal/gtsmodel/domainpermission.go b/internal/gtsmodel/domainpermission.go
new file mode 100644
index 000000000..01e8fdaaa
--- /dev/null
+++ b/internal/gtsmodel/domainpermission.go
@@ -0,0 +1,67 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package gtsmodel
+
+import "time"
+
+// DomainPermission models a domain
+// permission entry (block/allow).
+type DomainPermission interface {
+	GetID() string
+	GetCreatedAt() time.Time
+	GetUpdatedAt() time.Time
+	GetDomain() string
+	GetCreatedByAccountID() string
+	GetCreatedByAccount() *Account
+	GetPrivateComment() string
+	GetPublicComment() string
+	GetObfuscate() *bool
+	GetSubscriptionID() string
+	GetType() DomainPermissionType
+}
+
+// Domain permission type.
+type DomainPermissionType uint8
+
+const (
+	DomainPermissionUnknown DomainPermissionType = iota
+	DomainPermissionBlock                        // Explicitly block a domain.
+	DomainPermissionAllow                        // Explicitly allow a domain.
+)
+
+func (p DomainPermissionType) String() string {
+	switch p {
+	case DomainPermissionBlock:
+		return "block"
+	case DomainPermissionAllow:
+		return "allow"
+	default:
+		return "unknown"
+	}
+}
+
+func NewDomainPermissionType(in string) DomainPermissionType {
+	switch in {
+	case "block":
+		return DomainPermissionBlock
+	case "allow":
+		return DomainPermissionAllow
+	default:
+		return DomainPermissionUnknown
+	}
+}