[feature] Add domain permission drafts and excludes (#3547)

* [feature] Add domain permission drafts and excludes * fix typescript complaining * lint * make filenames more consistent * test own domain excluded
2025-10-29 03:02:25 -05:00 · 2024-11-21 14:09:58 +01:00 · 2024-11-21 14:09:58 +01:00 · 301543616b
commit 301543616b
parent c2029df9bc
69 changed files with 5664 additions and 264 deletions
--- a/internal/db/bundb/domain.go
+++ b/internal/db/bundb/domain.go
@ -20,6 +20,7 @@ package bundb
 import (
 	"context"
 	"net/url"
+	"time"

 	"github.com/superseriousbusiness/gotosocial/internal/config"
 	"github.com/superseriousbusiness/gotosocial/internal/db"
@ -110,6 +111,36 @@ func (d *domainDB) GetDomainAllowByID(ctx context.Context, id string) (*gtsmodel
 	return &allow, nil
 }

+func (d *domainDB) UpdateDomainAllow(ctx context.Context, allow *gtsmodel.DomainAllow, columns ...string) error {
+	// Normalize the domain as punycode
+	var err error
+	allow.Domain, err = util.Punify(allow.Domain)
+	if err != nil {
+		return err
+	}
+
+	// Ensure updated_at is set.
+	allow.UpdatedAt = time.Now()
+	if len(columns) != 0 {
+		columns = append(columns, "updated_at")
+	}
+
+	// Attempt to update domain allow.
+	if _, err := d.db.
+		NewUpdate().
+		Model(allow).
+		Column(columns...).
+		Where("? = ?", bun.Ident("domain_allow.id"), allow.ID).
+		Exec(ctx); err != nil {
+		return err
+	}
+
+	// Clear the domain allow cache (for later reload)
+	d.state.Caches.DB.DomainAllow.Clear()
+
+	return nil
+}
+
 func (d *domainDB) DeleteDomainAllow(ctx context.Context, domain string) error {
 	// Normalize the domain as punycode
 	domain, err := util.Punify(domain)
@ -206,6 +237,36 @@ func (d *domainDB) GetDomainBlockByID(ctx context.Context, id string) (*gtsmodel
 	return &block, nil
 }

+func (d *domainDB) UpdateDomainBlock(ctx context.Context, block *gtsmodel.DomainBlock, columns ...string) error {
+	// Normalize the domain as punycode
+	var err error
+	block.Domain, err = util.Punify(block.Domain)
+	if err != nil {
+		return err
+	}
+
+	// Ensure updated_at is set.
+	block.UpdatedAt = time.Now()
+	if len(columns) != 0 {
+		columns = append(columns, "updated_at")
+	}
+
+	// Attempt to update domain block.
+	if _, err := d.db.
+		NewUpdate().
+		Model(block).
+		Column(columns...).
+		Where("? = ?", bun.Ident("domain_block.id"), block.ID).
+		Exec(ctx); err != nil {
+		return err
+	}
+
+	// Clear the domain block cache (for later reload)
+	d.state.Caches.DB.DomainBlock.Clear()
+
+	return nil
+}
+
 func (d *domainDB) DeleteDomainBlock(ctx context.Context, domain string) error {
 	// Normalize the domain as punycode
 	domain, err := util.Punify(domain)
--- a/internal/db/bundb/domainpermissiondraft.go
+++ b/internal/db/bundb/domainpermissiondraft.go
@ -0,0 +1,285 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package bundb
+
+import (
+	"context"
+	"errors"
+	"slices"
+
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/gotosocial/internal/gtscontext"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/log"
+	"github.com/superseriousbusiness/gotosocial/internal/paging"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
+	"github.com/uptrace/bun"
+)
+
+func (d *domainDB) getDomainPermissionDraft(
+	ctx context.Context,
+	lookup string,
+	dbQuery func(*gtsmodel.DomainPermissionDraft) error,
+	keyParts ...any,
+) (*gtsmodel.DomainPermissionDraft, error) {
+	// Fetch perm draft from database cache with loader callback.
+	permDraft, err := d.state.Caches.DB.DomainPermissionDraft.LoadOne(
+		lookup,
+		// Only called if not cached.
+		func() (*gtsmodel.DomainPermissionDraft, error) {
+			var permDraft gtsmodel.DomainPermissionDraft
+			if err := dbQuery(&permDraft); err != nil {
+				return nil, err
+			}
+			return &permDraft, nil
+		},
+		keyParts...,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	if gtscontext.Barebones(ctx) {
+		// No need to fully populate.
+		return permDraft, nil
+	}
+
+	if permDraft.CreatedByAccount == nil {
+		// Not set, fetch from database.
+		permDraft.CreatedByAccount, err = d.state.DB.GetAccountByID(
+			gtscontext.SetBarebones(ctx),
+			permDraft.CreatedByAccountID,
+		)
+		if err != nil {
+			return nil, gtserror.Newf("error populating created by account: %w", err)
+		}
+	}
+
+	return permDraft, nil
+}
+
+func (d *domainDB) GetDomainPermissionDraftByID(
+	ctx context.Context,
+	id string,
+) (*gtsmodel.DomainPermissionDraft, error) {
+	return d.getDomainPermissionDraft(
+		ctx,
+		"ID",
+		func(permDraft *gtsmodel.DomainPermissionDraft) error {
+			return d.db.
+				NewSelect().
+				Model(permDraft).
+				Where("? = ?", bun.Ident("domain_permission_draft.id"), id).
+				Scan(ctx)
+		},
+		id,
+	)
+}
+
+func (d *domainDB) GetDomainPermissionDrafts(
+	ctx context.Context,
+	permType gtsmodel.DomainPermissionType,
+	permSubID string,
+	domain string,
+	page *paging.Page,
+) (
+	[]*gtsmodel.DomainPermissionDraft,
+	error,
+) {
+	var (
+		// Get paging params.
+		minID = page.GetMin()
+		maxID = page.GetMax()
+		limit = page.GetLimit()
+		order = page.GetOrder()
+
+		// Make educated guess for slice size
+		permDraftIDs = make([]string, 0, limit)
+	)
+
+	q := d.db.
+		NewSelect().
+		TableExpr(
+			"? AS ?",
+			bun.Ident("domain_permission_drafts"),
+			bun.Ident("domain_permission_draft"),
+		).
+		// Select only IDs from table
+		Column("domain_permission_draft.id")
+
+	// Return only items with id
+	// lower than provided maxID.
+	if maxID != "" {
+		q = q.Where(
+			"? < ?",
+			bun.Ident("domain_permission_draft.id"),
+			maxID,
+		)
+	}
+
+	// Return only items with id
+	// greater than provided minID.
+	if minID != "" {
+		q = q.Where(
+			"? > ?",
+			bun.Ident("domain_permission_draft.id"),
+			minID,
+		)
+	}
+
+	// Return only items with
+	// given permission type.
+	if permType != gtsmodel.DomainPermissionUnknown {
+		q = q.Where(
+			"? = ?",
+			bun.Ident("domain_permission_draft.permission_type"),
+			permType,
+		)
+	}
+
+	// Return only items with
+	// given subscription ID.
+	if permSubID != "" {
+		q = q.Where(
+			"? = ?",
+			bun.Ident("domain_permission_draft.subscription_id"),
+			permSubID,
+		)
+	}
+
+	// Return only items
+	// with given domain.
+	if domain != "" {
+		var err error
+
+		// Normalize domain as punycode.
+		domain, err = util.Punify(domain)
+		if err != nil {
+			return nil, gtserror.Newf("error punifying domain %s: %w", domain, err)
+		}
+
+		q = q.Where(
+			"? = ?",
+			bun.Ident("domain_permission_draft.domain"),
+			domain,
+		)
+	}
+
+	if limit > 0 {
+		// Limit amount of
+		// items returned.
+		q = q.Limit(limit)
+	}
+
+	if order == paging.OrderAscending {
+		// Page up.
+		q = q.OrderExpr(
+			"? ASC",
+			bun.Ident("domain_permission_draft.id"),
+		)
+	} else {
+		// Page down.
+		q = q.OrderExpr(
+			"? DESC",
+			bun.Ident("domain_permission_draft.id"),
+		)
+	}
+
+	if err := q.Scan(ctx, &permDraftIDs); err != nil {
+		return nil, err
+	}
+
+	// Catch case of no items early
+	if len(permDraftIDs) == 0 {
+		return nil, db.ErrNoEntries
+	}
+
+	// If we're paging up, we still want items
+	// to be sorted by ID desc, so reverse slice.
+	if order == paging.OrderAscending {
+		slices.Reverse(permDraftIDs)
+	}
+
+	// Allocate return slice (will be at most len permDraftIDs)
+	permDrafts := make([]*gtsmodel.DomainPermissionDraft, 0, len(permDraftIDs))
+	for _, id := range permDraftIDs {
+		permDraft, err := d.GetDomainPermissionDraftByID(ctx, id)
+		if err != nil {
+			log.Errorf(ctx, "error getting domain permission draft %q: %v", id, err)
+			continue
+		}
+
+		// Append to return slice
+		permDrafts = append(permDrafts, permDraft)
+	}
+
+	return permDrafts, nil
+}
+
+func (d *domainDB) PutDomainPermissionDraft(
+	ctx context.Context,
+	permDraft *gtsmodel.DomainPermissionDraft,
+) error {
+	var err error
+
+	// Normalize the domain as punycode
+	permDraft.Domain, err = util.Punify(permDraft.Domain)
+	if err != nil {
+		return gtserror.Newf("error punifying domain %s: %w", permDraft.Domain, err)
+	}
+
+	return d.state.Caches.DB.DomainPermissionDraft.Store(
+		permDraft,
+		func() error {
+			_, err := d.db.
+				NewInsert().
+				Model(permDraft).
+				Exec(ctx)
+			return err
+		},
+	)
+}
+
+func (d *domainDB) DeleteDomainPermissionDraft(
+	ctx context.Context,
+	id string,
+) error {
+	// Delete the permDraft from DB.
+	q := d.db.NewDelete().
+		TableExpr(
+			"? AS ?",
+			bun.Ident("domain_permission_drafts"),
+			bun.Ident("domain_permission_draft"),
+		).
+		Where(
+			"? = ?",
+			bun.Ident("domain_permission_draft.id"),
+			id,
+		)
+
+	_, err := q.Exec(ctx)
+	if err != nil && !errors.Is(err, db.ErrNoEntries) {
+		return err
+	}
+
+	// Invalidate any cached model by ID.
+	d.state.Caches.DB.DomainPermissionDraft.Invalidate("ID", id)
+
+	return nil
+}
--- a/internal/db/bundb/domainpermissiondraft_test.go
+++ b/internal/db/bundb/domainpermissiondraft_test.go
@ -0,0 +1,120 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package bundb_test
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/suite"
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
+)
+
+type DomainPermissionDraftTestSuite struct {
+	BunDBStandardTestSuite
+}
+
+func (suite *DomainPermissionDraftTestSuite) TestPermDraftCreateGetDelete() {
+	var (
+		ctx   = context.Background()
+		draft = &gtsmodel.DomainPermissionDraft{
+			ID:                 "01JCZN614XG85GCGAMSV9ZZAEJ",
+			PermissionType:     gtsmodel.DomainPermissionBlock,
+			Domain:             "exämple.org",
+			CreatedByAccountID: suite.testAccounts["admin_account"].ID,
+			PrivateComment:     "this domain is poo",
+			PublicComment:      "this domain is poo, but phrased in a more outward-facing way",
+			Obfuscate:          util.Ptr(false),
+			SubscriptionID:     "01JCZN8PG55KKEVTDAY52D0T3P",
+		}
+	)
+
+	// Whack the draft in.
+	if err := suite.state.DB.PutDomainPermissionDraft(ctx, draft); err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	// Get the draft again.
+	dbDraft, err := suite.state.DB.GetDomainPermissionDraftByID(ctx, draft.ID)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	// Domain should have been stored punycoded.
+	suite.Equal("xn--exmple-cua.org", dbDraft.Domain)
+
+	// Search for domain using both
+	// punycode and unicode variants.
+	search1, err := suite.state.DB.GetDomainPermissionDrafts(
+		ctx,
+		gtsmodel.DomainPermissionUnknown,
+		"",
+		"exämple.org",
+		nil,
+	)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
+	if len(search1) != 1 {
+		suite.FailNow("couldn't get domain perm draft exämple.org")
+	}
+
+	search2, err := suite.state.DB.GetDomainPermissionDrafts(
+		ctx,
+		gtsmodel.DomainPermissionUnknown,
+		"",
+		"xn--exmple-cua.org",
+		nil,
+	)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
+	if len(search2) != 1 {
+		suite.FailNow("couldn't get domain perm draft example.org")
+	}
+
+	// Change ID + try to put the same draft again.
+	draft.ID = "01JCZNVYSDT3JE385FABMJ7ADQ"
+	err = suite.state.DB.PutDomainPermissionDraft(ctx, draft)
+	if !errors.Is(err, db.ErrAlreadyExists) {
+		suite.FailNow("was able to insert same domain perm draft twice")
+	}
+
+	// Put same draft but change permission type, should work.
+	draft.PermissionType = gtsmodel.DomainPermissionAllow
+	if err := suite.state.DB.PutDomainPermissionDraft(ctx, draft); err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	// Delete both drafts.
+	for _, id := range []string{
+		"01JCZN614XG85GCGAMSV9ZZAEJ",
+		"01JCZNVYSDT3JE385FABMJ7ADQ",
+	} {
+		if err := suite.state.DB.DeleteDomainPermissionDraft(ctx, id); err != nil {
+			suite.FailNow("error deleting domain permission draft")
+		}
+	}
+}
+
+func TestDomainPermissionDraftTestSuite(t *testing.T) {
+	suite.Run(t, new(DomainPermissionDraftTestSuite))
+}
--- a/internal/db/bundb/domainpermissionexclude.go
+++ b/internal/db/bundb/domainpermissionexclude.go
@ -0,0 +1,270 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package bundb
+
+import (
+	"context"
+	"errors"
+	"slices"
+
+	"github.com/superseriousbusiness/gotosocial/internal/config"
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/gotosocial/internal/gtscontext"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/log"
+	"github.com/superseriousbusiness/gotosocial/internal/paging"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
+	"github.com/uptrace/bun"
+)
+
+func (d *domainDB) PutDomainPermissionExclude(
+	ctx context.Context,
+	exclude *gtsmodel.DomainPermissionExclude,
+) error {
+	// Normalize the domain as punycode
+	var err error
+	exclude.Domain, err = util.Punify(exclude.Domain)
+	if err != nil {
+		return err
+	}
+
+	// Attempt to store domain perm exclude in DB
+	if _, err := d.db.NewInsert().
+		Model(exclude).
+		Exec(ctx); err != nil {
+		return err
+	}
+
+	// Clear the domain perm exclude cache (for later reload)
+	d.state.Caches.DB.DomainPermissionExclude.Clear()
+
+	return nil
+}
+
+func (d *domainDB) IsDomainPermissionExcluded(ctx context.Context, domain string) (bool, error) {
+	// Normalize the domain as punycode
+	domain, err := util.Punify(domain)
+	if err != nil {
+		return false, err
+	}
+
+	// Func to scan list of all
+	// excluded domain perms from DB.
+	loadF := func() ([]string, error) {
+		var domains []string
+
+		if err := d.db.
+			NewSelect().
+			Table("domain_permission_excludes").
+			Column("domain").
+			Scan(ctx, &domains); err != nil {
+			return nil, err
+		}
+
+		// Exclude our own domain as creating blocks
+		// or allows for self will likely break things.
+		domains = append(domains, config.GetHost())
+
+		return domains, nil
+	}
+
+	// Check the cache for a domain perm exclude,
+	// hydrating the cache with loadF if necessary.
+	return d.state.Caches.DB.DomainPermissionExclude.Matches(domain, loadF)
+}
+
+func (d *domainDB) GetDomainPermissionExcludeByID(
+	ctx context.Context,
+	id string,
+) (*gtsmodel.DomainPermissionExclude, error) {
+	exclude := new(gtsmodel.DomainPermissionExclude)
+
+	q := d.db.
+		NewSelect().
+		Model(exclude).
+		Where("? = ?", bun.Ident("domain_permission_exclude.id"), id)
+	if err := q.Scan(ctx); err != nil {
+		return nil, err
+	}
+
+	if gtscontext.Barebones(ctx) {
+		// No need to fully populate.
+		return exclude, nil
+	}
+
+	if exclude.CreatedByAccount == nil {
+		// Not set, fetch from database.
+		var err error
+		exclude.CreatedByAccount, err = d.state.DB.GetAccountByID(
+			gtscontext.SetBarebones(ctx),
+			exclude.CreatedByAccountID,
+		)
+		if err != nil {
+			return nil, gtserror.Newf("error populating created by account: %w", err)
+		}
+	}
+
+	return exclude, nil
+}
+
+func (d *domainDB) GetDomainPermissionExcludes(
+	ctx context.Context,
+	domain string,
+	page *paging.Page,
+) (
+	[]*gtsmodel.DomainPermissionExclude,
+	error,
+) {
+	var (
+		// Get paging params.
+		minID = page.GetMin()
+		maxID = page.GetMax()
+		limit = page.GetLimit()
+		order = page.GetOrder()
+
+		// Make educated guess for slice size
+		excludeIDs = make([]string, 0, limit)
+	)
+
+	q := d.db.
+		NewSelect().
+		TableExpr(
+			"? AS ?",
+			bun.Ident("domain_permission_excludes"),
+			bun.Ident("domain_permission_exclude"),
+		).
+		// Select only IDs from table
+		Column("domain_permission_exclude.id")
+
+	// Return only items with id
+	// lower than provided maxID.
+	if maxID != "" {
+		q = q.Where(
+			"? < ?",
+			bun.Ident("domain_permission_exclude.id"),
+			maxID,
+		)
+	}
+
+	// Return only items with id
+	// greater than provided minID.
+	if minID != "" {
+		q = q.Where(
+			"? > ?",
+			bun.Ident("domain_permission_exclude.id"),
+			minID,
+		)
+	}
+
+	// Return only items
+	// with given domain.
+	if domain != "" {
+		var err error
+
+		// Normalize domain as punycode.
+		domain, err = util.Punify(domain)
+		if err != nil {
+			return nil, gtserror.Newf("error punifying domain %s: %w", domain, err)
+		}
+
+		q = q.Where(
+			"? = ?",
+			bun.Ident("domain_permission_exclude.domain"),
+			domain,
+		)
+	}
+
+	if limit > 0 {
+		// Limit amount of
+		// items returned.
+		q = q.Limit(limit)
+	}
+
+	if order == paging.OrderAscending {
+		// Page up.
+		q = q.OrderExpr(
+			"? ASC",
+			bun.Ident("domain_permission_exclude.id"),
+		)
+	} else {
+		// Page down.
+		q = q.OrderExpr(
+			"? DESC",
+			bun.Ident("domain_permission_exclude.id"),
+		)
+	}
+
+	if err := q.Scan(ctx, &excludeIDs); err != nil {
+		return nil, err
+	}
+
+	// Catch case of no items early
+	if len(excludeIDs) == 0 {
+		return nil, db.ErrNoEntries
+	}
+
+	// If we're paging up, we still want items
+	// to be sorted by ID desc, so reverse slice.
+	if order == paging.OrderAscending {
+		slices.Reverse(excludeIDs)
+	}
+
+	// Allocate return slice (will be at most len permSubIDs).
+	excludes := make([]*gtsmodel.DomainPermissionExclude, 0, len(excludeIDs))
+	for _, id := range excludeIDs {
+		exclude, err := d.GetDomainPermissionExcludeByID(ctx, id)
+		if err != nil {
+			log.Errorf(ctx, "error getting domain permission exclude %q: %v", id, err)
+			continue
+		}
+
+		// Append to return slice
+		excludes = append(excludes, exclude)
+	}
+
+	return excludes, nil
+}
+
+func (d *domainDB) DeleteDomainPermissionExclude(
+	ctx context.Context,
+	id string,
+) error {
+	// Delete the permSub from DB.
+	q := d.db.NewDelete().
+		TableExpr(
+			"? AS ?",
+			bun.Ident("domain_permission_excludes"),
+			bun.Ident("domain_permission_exclude"),
+		).
+		Where(
+			"? = ?",
+			bun.Ident("domain_permission_exclude.id"),
+			id,
+		)
+
+	_, err := q.Exec(ctx)
+	if err != nil && !errors.Is(err, db.ErrNoEntries) {
+		return err
+	}
+
+	// Clear the domain perm exclude cache (for later reload)
+	d.state.Caches.DB.DomainPermissionExclude.Clear()
+
+	return nil
+}
--- a/internal/db/bundb/domainpermissionexclude_test.go
+++ b/internal/db/bundb/domainpermissionexclude_test.go
@ -0,0 +1,185 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package bundb_test
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/suite"
+	"github.com/superseriousbusiness/gotosocial/internal/config"
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+)
+
+type DomainPermissionExcludeTestSuite struct {
+	BunDBStandardTestSuite
+}
+
+func (suite *DomainPermissionExcludeTestSuite) TestPermExcludeCreateGetDelete() {
+	var (
+		ctx     = context.Background()
+		exclude = &gtsmodel.DomainPermissionExclude{
+			ID:                 "01JCZN614XG85GCGAMSV9ZZAEJ",
+			Domain:             "exämple.org",
+			CreatedByAccountID: suite.testAccounts["admin_account"].ID,
+			PrivateComment:     "this domain is poo",
+		}
+	)
+
+	// Whack the exclude in.
+	if err := suite.state.DB.PutDomainPermissionExclude(ctx, exclude); err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	// Get the exclude again.
+	dbExclude, err := suite.state.DB.GetDomainPermissionExcludeByID(ctx, exclude.ID)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	// Domain should have been stored punycoded.
+	suite.Equal("xn--exmple-cua.org", dbExclude.Domain)
+
+	// Search for domain using both
+	// punycode and unicode variants.
+	search1, err := suite.state.DB.GetDomainPermissionExcludes(
+		ctx,
+		"exämple.org",
+		nil,
+	)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
+	if len(search1) != 1 {
+		suite.FailNow("couldn't get domain perm exclude exämple.org")
+	}
+
+	search2, err := suite.state.DB.GetDomainPermissionExcludes(
+		ctx,
+		"xn--exmple-cua.org",
+		nil,
+	)
+	if err != nil {
+		suite.FailNow(err.Error())
+	}
+	if len(search2) != 1 {
+		suite.FailNow("couldn't get domain perm exclude example.org")
+	}
+
+	// Change ID + try to put the same exclude again.
+	exclude.ID = "01JCZNVYSDT3JE385FABMJ7ADQ"
+	err = suite.state.DB.PutDomainPermissionExclude(ctx, exclude)
+	if !errors.Is(err, db.ErrAlreadyExists) {
+		suite.FailNow("was able to insert same domain perm exclude twice")
+	}
+
+	// Delete both excludes.
+	for _, id := range []string{
+		"01JCZN614XG85GCGAMSV9ZZAEJ",
+		"01JCZNVYSDT3JE385FABMJ7ADQ",
+	} {
+		if err := suite.state.DB.DeleteDomainPermissionExclude(ctx, id); err != nil {
+			suite.FailNow("error deleting domain permission exclude")
+		}
+	}
+}
+
+func (suite *DomainPermissionExcludeTestSuite) TestExcluded() {
+	var (
+		ctx                = context.Background()
+		createdByAccountID = suite.testAccounts["admin_account"].ID
+	)
+
+	// Insert some excludes into the db.
+	for _, exclude := range []*gtsmodel.DomainPermissionExclude{
+		{
+			ID:                 "01JD7AFFBBZSPY8R2M0JCGQGPW",
+			Domain:             "example.org",
+			CreatedByAccountID: createdByAccountID,
+		},
+		{
+			ID:                 "01JD7AMK98E2QX78KXEZJ1RF5Z",
+			Domain:             "boobs.com",
+			CreatedByAccountID: createdByAccountID,
+		},
+		{
+			ID:                 "01JD7AMXW3R3W98E91R62ACDA0",
+			Domain:             "rad.boobs.com",
+			CreatedByAccountID: createdByAccountID,
+		},
+		{
+			ID:                 "01JD7AYYN5TXQVASB30PT08CE1",
+			Domain:             "honkers.org",
+			CreatedByAccountID: createdByAccountID,
+		},
+	} {
+		if err := suite.state.DB.PutDomainPermissionExclude(ctx, exclude); err != nil {
+			suite.FailNow(err.Error())
+		}
+	}
+
+	type testCase struct {
+		domain   string
+		excluded bool
+	}
+
+	for i, testCase := range []testCase{
+		{
+			domain:   config.GetHost(),
+			excluded: true,
+		},
+		{
+			domain:   "test.example.org",
+			excluded: true,
+		},
+		{
+			domain:   "example.org",
+			excluded: true,
+		},
+		{
+			domain:   "boobs.com",
+			excluded: true,
+		},
+		{
+			domain:   "rad.boobs.com",
+			excluded: true,
+		},
+		{
+			domain:   "sir.not.appearing.in.this.list",
+			excluded: false,
+		},
+	} {
+		excluded, err := suite.state.DB.IsDomainPermissionExcluded(ctx, testCase.domain)
+		if err != nil {
+			suite.FailNow(err.Error())
+		}
+
+		if excluded != testCase.excluded {
+			suite.Failf("",
+				"test %d: %s excluded should be %t",
+				i, testCase.domain, testCase.excluded,
+			)
+		}
+	}
+}
+
+func TestDomainPermissionExcludeTestSuite(t *testing.T) {
+	suite.Run(t, new(DomainPermissionExcludeTestSuite))
+}
--- a/internal/db/bundb/migrations/20241022153016_domain_permission_draft_exclude.go
+++ b/internal/db/bundb/migrations/20241022153016_domain_permission_draft_exclude.go
@ -0,0 +1,82 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package migrations
+
+import (
+	"context"
+
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/uptrace/bun"
+)
+
+func init() {
+	up := func(ctx context.Context, db *bun.DB) error {
+		return db.RunInTx(ctx, nil, func(ctx context.Context, tx bun.Tx) error {
+
+			// Create `domain_permission_drafts`.
+			if _, err := tx.
+				NewCreateTable().
+				Model((*gtsmodel.DomainPermissionDraft)(nil)).
+				IfNotExists().
+				Exec(ctx); err != nil {
+				return err
+			}
+
+			// Create `domain_permission_ignores`.
+			if _, err := tx.
+				NewCreateTable().
+				Model((*gtsmodel.DomainPermissionExclude)(nil)).
+				IfNotExists().
+				Exec(ctx); err != nil {
+				return err
+			}
+
+			// Create indexes. Indices. Indie sexes.
+			for table, indexes := range map[string]map[string][]string{
+				"domain_permission_drafts": {
+					"domain_permission_drafts_domain_idx":          {"domain"},
+					"domain_permission_drafts_subscription_id_idx": {"subscription_id"},
+				},
+			} {
+				for index, columns := range indexes {
+					if _, err := tx.
+						NewCreateIndex().
+						Table(table).
+						Index(index).
+						Column(columns...).
+						IfNotExists().
+						Exec(ctx); err != nil {
+						return err
+					}
+				}
+			}
+
+			return nil
+		})
+	}
+
+	down := func(ctx context.Context, db *bun.DB) error {
+		return db.RunInTx(ctx, nil, func(ctx context.Context, tx bun.Tx) error {
+			return nil
+		})
+	}
+
+	if err := Migrations.Register(up, down); err != nil {
+		panic(err)
+	}
+}
--- a/internal/db/domain.go
+++ b/internal/db/domain.go
@ -22,6 +22,7 @@ import (
 	"net/url"

 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/paging"
 )

 // Domain contains DB functions related to domains and domain blocks.
@ -42,6 +43,9 @@ type Domain interface {
 	// GetDomainAllows returns all instance-level domain allows currently enforced by this instance.
 	GetDomainAllows(ctx context.Context) ([]*gtsmodel.DomainAllow, error)

+	// UpdateDomainAllow updates the given domain allow, setting the provided columns (empty for all).
+	UpdateDomainAllow(ctx context.Context, allow *gtsmodel.DomainAllow, columns ...string) error
+
 	// DeleteDomainAllow deletes an instance-level domain allow with the given domain, if it exists.
 	DeleteDomainAllow(ctx context.Context, domain string) error

@ -57,6 +61,9 @@ type Domain interface {
 	// GetDomainBlocks returns all instance-level domain blocks currently enforced by this instance.
 	GetDomainBlocks(ctx context.Context) ([]*gtsmodel.DomainBlock, error)

+	// UpdateDomainBlock updates the given domain block, setting the provided columns (empty for all).
+	UpdateDomainBlock(ctx context.Context, block *gtsmodel.DomainBlock, columns ...string) error
+
 	// DeleteDomainBlock deletes an instance-level domain block with the given domain, if it exists.
 	DeleteDomainBlock(ctx context.Context, domain string) error

@ -78,4 +85,51 @@ type Domain interface {
 	// AreURIsBlocked calls IsURIBlocked for each URI.
 	// Will return true if even one of the given URIs is blocked.
 	AreURIsBlocked(ctx context.Context, uris []*url.URL) (bool, error)
+
+	/*
+		Domain permission draft stuff.
+	*/
+
+	// GetDomainPermissionDraftByID gets one DomainPermissionDraft with the given ID.
+	GetDomainPermissionDraftByID(ctx context.Context, id string) (*gtsmodel.DomainPermissionDraft, error)
+
+	// GetDomainPermissionDrafts returns a page of
+	// DomainPermissionDrafts using the given parameters.
+	GetDomainPermissionDrafts(
+		ctx context.Context,
+		permType gtsmodel.DomainPermissionType,
+		permSubID string,
+		domain string,
+		page *paging.Page,
+	) ([]*gtsmodel.DomainPermissionDraft, error)
+
+	// PutDomainPermissionDraft stores one DomainPermissionDraft.
+	PutDomainPermissionDraft(ctx context.Context, permDraft *gtsmodel.DomainPermissionDraft) error
+
+	// DeleteDomainPermissionDraft deletes one DomainPermissionDraft with the given id.
+	DeleteDomainPermissionDraft(ctx context.Context, id string) error
+
+	/*
+		Domain permission exclude stuff.
+	*/
+
+	// GetDomainPermissionExcludeByID gets one DomainPermissionExclude with the given ID.
+	GetDomainPermissionExcludeByID(ctx context.Context, id string) (*gtsmodel.DomainPermissionExclude, error)
+
+	// GetDomainPermissionExcludes returns a page of
+	// DomainPermissionExcludes using the given parameters.
+	GetDomainPermissionExcludes(
+		ctx context.Context,
+		domain string,
+		page *paging.Page,
+	) ([]*gtsmodel.DomainPermissionExclude, error)
+
+	// PutDomainPermissionExclude stores one DomainPermissionExclude.
+	PutDomainPermissionExclude(ctx context.Context, permExclude *gtsmodel.DomainPermissionExclude) error
+
+	// DeleteDomainPermissionExclude deletes one DomainPermissionExclude with the given id.
+	DeleteDomainPermissionExclude(ctx context.Context, id string) error
+
+	// IsDomainPermissionExcluded returns true if the given domain matches in the list of excluded domains.
+	IsDomainPermissionExcluded(ctx context.Context, domain string) (bool, error)
 }