Add CLI task for rotating keys (#8466)

* If an Update is signed with known key, skip re-following procedure Because it means the remote actor did *not* lose their database * Add CLI method for rotating keys bin/tootctl accounts rotate [USERNAME] Generates a new RSA key per account and sends out an Update activity signed with the old key. * Key rotation: Space out Update fan-outs every 5 minutes per 1000 accounts * Skip suspended accounts in key rotation
2018-08-26 20:21:03 +02:00
parent 8adf485c0f
commit cabdbb7f9c
10 changed files with 79 additions and 16 deletions
--- a/app/lib/activitypub/activity/update.rb
+++ b/app/lib/activitypub/activity/update.rb
@ -11,6 +11,6 @@ class ActivityPub::Activity::Update < ActivityPub::Activity

  def update_account
    return if @account.uri != object_uri
-    ActivityPub::ProcessAccountService.new.call(@account.username, @account.domain, @object)
+    ActivityPub::ProcessAccountService.new.call(@account.username, @account.domain, @object, signed_with_known_key: true)
  end
 end
--- a/app/lib/activitypub/linked_data_signature.rb
+++ b/app/lib/activitypub/linked_data_signature.rb
@ -32,7 +32,7 @@ class ActivityPub::LinkedDataSignature
    end
  end

-  def sign!(creator)
+  def sign!(creator, sign_with: nil)
    options = {
      'type'    => 'RsaSignature2017',
      'creator' => [ActivityPub::TagManager.instance.uri_for(creator), '#main-key'].join,
@ -42,8 +42,9 @@ class ActivityPub::LinkedDataSignature
    options_hash  = hash(options.without('type', 'id', 'signatureValue').merge('@context' => CONTEXT))
    document_hash = hash(@json.without('signature'))
    to_be_signed  = options_hash + document_hash
+    keypair       = sign_with.present? ? OpenSSL::PKey::RSA.new(sign_with) : creator.keypair

-    signature = Base64.strict_encode64(creator.keypair.sign(OpenSSL::Digest::SHA256.new, to_be_signed))
+    signature = Base64.strict_encode64(keypair.sign(OpenSSL::Digest::SHA256.new, to_be_signed))

    @json.merge('signature' => options.merge('signatureValue' => signature))
  end
--- a/app/lib/request.rb
+++ b/app/lib/request.rb
@ -22,10 +22,11 @@ class Request
    set_digest! if options.key?(:body)
  end

-  def on_behalf_of(account, key_id_format = :acct)
+  def on_behalf_of(account, key_id_format = :acct, sign_with: nil)
    raise ArgumentError unless account.local?

    @account       = account
+    @keypair       = sign_with.present? ? OpenSSL::PKey::RSA.new(sign_with) : @account.keypair
    @key_id_format = key_id_format

    self
@ -70,7 +71,7 @@ class Request

  def signature
    algorithm = 'rsa-sha256'
-    signature = Base64.strict_encode64(@account.keypair.sign(OpenSSL::Digest::SHA256.new, signed_string))
+    signature = Base64.strict_encode64(@keypair.sign(OpenSSL::Digest::SHA256.new, signed_string))

    "keyId=\"#{key_id}\",algorithm=\"#{algorithm}\",headers=\"#{signed_headers}\",signature=\"#{signature}\""
  end
--- a/app/services/activitypub/process_account_service.rb
+++ b/app/services/activitypub/process_account_service.rb
@ -5,9 +5,10 @@ class ActivityPub::ProcessAccountService < BaseService

  # Should be called with confirmed valid JSON
  # and WebFinger-resolved username and domain
-  def call(username, domain, json)
+  def call(username, domain, json, options = {})
    return if json['inbox'].blank? || unsupported_uri_scheme?(json['id'])

+    @options     = options
    @json        = json
    @uri         = @json['id']
    @username    = username
@ -31,7 +32,7 @@ class ActivityPub::ProcessAccountService < BaseService
    return if @account.nil?

    after_protocol_change! if protocol_changed?
-    after_key_change! if key_changed?
+    after_key_change! if key_changed? && !@options[:signed_with_known_key]
    check_featured_collection! if @account.featured_collection_url.present?

    @account
--- a/app/workers/activitypub/delivery_worker.rb
+++ b/app/workers/activitypub/delivery_worker.rb
@ -10,7 +10,8 @@ class ActivityPub::DeliveryWorker

  HEADERS = { 'Content-Type' => 'application/activity+json' }.freeze

-  def perform(json, source_account_id, inbox_url)
+  def perform(json, source_account_id, inbox_url, options = {})
+    @options        = options.with_indifferent_access
    @json           = json
    @source_account = Account.find(source_account_id)
    @inbox_url      = inbox_url
@ -27,7 +28,7 @@ class ActivityPub::DeliveryWorker

  def build_request
    request = Request.new(:post, @inbox_url, body: @json)
-    request.on_behalf_of(@source_account, :uri)
+    request.on_behalf_of(@source_account, :uri, sign_with: @options[:sign_with])
    request.add_headers(HEADERS)
  end

--- a/app/workers/activitypub/update_distribution_worker.rb
+++ b/app/workers/activitypub/update_distribution_worker.rb
@ -5,7 +5,8 @@ class ActivityPub::UpdateDistributionWorker

  sidekiq_options queue: 'push'

-  def perform(account_id)
+  def perform(account_id, options = {})
+    @options = options.with_indifferent_access
    @account = Account.find(account_id)

    ActivityPub::DeliveryWorker.push_bulk(inboxes) do |inbox_url|
@ -26,7 +27,7 @@ class ActivityPub::UpdateDistributionWorker
  end

  def signed_payload
-    @signed_payload ||= Oj.dump(ActivityPub::LinkedDataSignature.new(payload).sign!(@account))
+    @signed_payload ||= Oj.dump(ActivityPub::LinkedDataSignature.new(payload).sign!(@account, sign_with: @options[:sign_with]))
  end

  def payload