[feature] Read + Write tombstones for deleted Actors (#1005)

* [feature] Read + Write tombstones for deleted Actors

* copyTombstone

* update to use resultcache instead of old ttl cache

Signed-off-by: kim <grufwub@gmail.com>

* update go-cache library to fix result cache capacity / ordering bugs

Signed-off-by: kim <grufwub@gmail.com>

* bump go-cache/v3 to v3.1.6 to fix bugs

Signed-off-by: kim <grufwub@gmail.com>

* switch on status code

* better explain ErrGone reasoning

Signed-off-by: kim <grufwub@gmail.com>
Co-authored-by: kim <grufwub@gmail.com>

internal/db/bundb/bundb.go

@@ -88,6 +88,7 @@ type DBService struct {
 	db.Status
 	db.Timeline
 	db.User
+	db.Tombstone
 	conn *DBConn
 }
 
@@ -181,12 +182,16 @@ func NewBunDBService(ctx context.Context) (db.DB, error) {
 	status := &statusDB{conn: conn, cache: cache.NewStatusCache()}
 	emoji := &emojiDB{conn: conn, cache: cache.NewEmojiCache()}
 	timeline := &timelineDB{conn: conn}
+	tombstone := &tombstoneDB{conn: conn}
 
 	// Setup DB cross-referencing
 	accounts.status = status
 	status.accounts = accounts
 	timeline.status = status
 
+	// Initialize db structs
+	tombstone.init()
+
 	ps := &DBService{
 		Account: accounts,
 		Admin: &adminDB{
@@ -228,7 +233,8 @@ func NewBunDBService(ctx context.Context) (db.DB, error) {
 			conn:  conn,
 			cache: userCache,
 		},
-		conn: conn,
+		Tombstone: tombstone,
+		conn:      conn,
 	}
 
 	// we can confidently return this useable service now

internal/db/bundb/migrations/20221108142419_create_account_tombstones.go

@@ -0,0 +1,57 @@
+/*
+   GoToSocial
+   Copyright (C) 2021-2022 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package migrations
+
+import (
+	"context"
+
+	gtsmodel "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/uptrace/bun"
+)
+
+func init() {
+	up := func(ctx context.Context, db *bun.DB) error {
+		return db.RunInTx(ctx, nil, func(ctx context.Context, tx bun.Tx) error {
+			if _, err := tx.NewCreateTable().Model(&gtsmodel.Tombstone{}).IfNotExists().Exec(ctx); err != nil {
+				return err
+			}
+
+			if _, err := tx.
+				NewCreateIndex().
+				Model(&gtsmodel.Tombstone{}).
+				Index("tombstone_uri_idx").
+				Column("uri").
+				Exec(ctx); err != nil {
+				return err
+			}
+
+			return nil
+		})
+	}
+
+	down := func(ctx context.Context, db *bun.DB) error {
+		return db.RunInTx(ctx, nil, func(ctx context.Context, tx bun.Tx) error {
+			return nil
+		})
+	}
+
+	if err := Migrations.Register(up, down); err != nil {
+		panic(err)
+	}
+}

internal/db/bundb/tombstone.go

@@ -0,0 +1,101 @@
+/*
+   GoToSocial
+   Copyright (C) 2021-2022 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package bundb
+
+import (
+	"context"
+	"time"
+
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/uptrace/bun"
+
+	"codeberg.org/gruf/go-cache/v3/result"
+)
+
+type tombstoneDB struct {
+	conn  *DBConn
+	cache *result.Cache[*gtsmodel.Tombstone]
+}
+
+func (t *tombstoneDB) init() {
+	// Initialize tombstone result cache
+	t.cache = result.NewSized([]string{
+		"ID",
+		"URI",
+	}, func(t1 *gtsmodel.Tombstone) *gtsmodel.Tombstone {
+		t2 := new(gtsmodel.Tombstone)
+		*t2 = *t1
+		return t2
+	}, 1000)
+
+	// Set cache TTL and start sweep routine
+	t.cache.SetTTL(time.Minute*5, false)
+	t.cache.Start(time.Second * 10)
+}
+
+func (t *tombstoneDB) GetTombstoneByURI(ctx context.Context, uri string) (*gtsmodel.Tombstone, db.Error) {
+	return t.cache.Load("URI", func() (*gtsmodel.Tombstone, error) {
+		var tomb gtsmodel.Tombstone
+
+		q := t.conn.
+			NewSelect().
+			Model(&tomb).
+			Where("? = ?", bun.Ident("tombstone.uri"), uri)
+
+		if err := q.Scan(ctx); err != nil {
+			return nil, t.conn.ProcessError(err)
+		}
+
+		return &tomb, nil
+	}, uri)
+}
+
+func (t *tombstoneDB) TombstoneExistsWithURI(ctx context.Context, uri string) (bool, db.Error) {
+	tomb, err := t.GetTombstoneByURI(ctx, uri)
+	if err == db.ErrNoEntries {
+		err = nil
+	}
+	return (tomb != nil), err
+}
+
+func (t *tombstoneDB) PutTombstone(ctx context.Context, tombstone *gtsmodel.Tombstone) db.Error {
+	return t.cache.Store(tombstone, func() error {
+		_, err := t.conn.
+			NewInsert().
+			Model(tombstone).
+			Exec(ctx)
+		return t.conn.ProcessError(err)
+	})
+}
+
+func (t *tombstoneDB) DeleteTombstone(ctx context.Context, id string) db.Error {
+	if _, err := t.conn.
+		NewDelete().
+		TableExpr("? AS ?", bun.Ident("tombstones"), bun.Ident("tombstone")).
+		Where("? = ?", bun.Ident("tombstone.id"), id).
+		Exec(ctx); err != nil {
+		return t.conn.ProcessError(err)
+	}
+
+	// Invalidate from cache by ID
+	t.cache.Invalidate("ID", id)
+
+	return nil
+}

internal/db/db.go

@@ -45,6 +45,7 @@ type DB interface {
 	Status
 	Timeline
 	User
+	Tombstone
 
 	/*
 		USEFUL CONVERSION FUNCTIONS

internal/db/tombstone.go

@@ -0,0 +1,40 @@
+/*
+   GoToSocial
+   Copyright (C) 2021-2022 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package db
+
+import (
+	"context"
+
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+)
+
+// Tombstone contains functionality for storing + retrieving tombstones for remote AP Activities + Objects.
+type Tombstone interface {
+	// GetTombstoneByURI attempts to fetch a tombstone by the given URI.
+	GetTombstoneByURI(ctx context.Context, uri string) (*gtsmodel.Tombstone, Error)
+
+	// TombstoneExistsWithURI returns true if a tombstone with the given URI exists.
+	TombstoneExistsWithURI(ctx context.Context, uri string) (bool, Error)
+
+	// PutTombstone creates a new tombstone in the database.
+	PutTombstone(ctx context.Context, tombstone *gtsmodel.Tombstone) Error
+
+	// DeleteTombstone deletes a tombstone with the given ID.
+	DeleteTombstone(ctx context.Context, id string) Error
+}

internal/federation/authenticate.go

@@ -37,6 +37,7 @@ import (
 	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
 	"github.com/superseriousbusiness/gotosocial/internal/log"
+	"github.com/superseriousbusiness/gotosocial/internal/transport"
 )
 
 /*
@@ -201,8 +202,21 @@ func (f *federator) AuthenticateFederatedRequest(ctx context.Context, requestedU
 		// REMOTE ACCOUNT REQUEST WITHOUT KEY CACHED LOCALLY
 		// the request is remote and we don't have the public key yet,
 		// so we need to authenticate the request properly by dereferencing the remote key
+		gone, err := f.CheckGone(ctx, requestingPublicKeyID)
+		if err != nil {
+			errWithCode := gtserror.NewErrorInternalError(fmt.Errorf("error checking for tombstone for %s: %s", requestingPublicKeyID, err))
+			log.Debug(errWithCode)
+			return nil, errWithCode
+		}
+
+		if gone {
+			errWithCode := gtserror.NewErrorGone(fmt.Errorf("account with public key %s is gone", requestingPublicKeyID))
+			log.Debug(errWithCode)
+			return nil, errWithCode
+		}
+
 		log.Tracef("proceeding with dereference for uncached public key %s", requestingPublicKeyID)
-		transport, err := f.transportController.NewTransportForUsername(ctx, requestedUsername)
+		trans, err := f.transportController.NewTransportForUsername(ctx, requestedUsername)
 		if err != nil {
 			errWithCode := gtserror.NewErrorInternalError(fmt.Errorf("error creating transport for %s: %s", requestedUsername, err))
 			log.Debug(errWithCode)
@@ -210,8 +224,21 @@ func (f *federator) AuthenticateFederatedRequest(ctx context.Context, requestedU
 		}
 
 		// The actual http call to the remote server is made right here in the Dereference function.
-		b, err := transport.Dereference(ctx, requestingPublicKeyID)
+		b, err := trans.Dereference(ctx, requestingPublicKeyID)
 		if err != nil {
+			if errors.Is(err, transport.ErrGone) {
+				// if we get a 410 error it means the account that owns this public key has been deleted;
+				// we should add a tombstone to our database so that we can avoid trying to deref it in future
+				if err := f.HandleGone(ctx, requestingPublicKeyID); err != nil {
+					errWithCode := gtserror.NewErrorInternalError(fmt.Errorf("error marking account with public key %s as gone: %s", requestingPublicKeyID, err))
+					log.Debug(errWithCode)
+					return nil, errWithCode
+				}
+				errWithCode := gtserror.NewErrorGone(fmt.Errorf("account with public key %s is gone", requestingPublicKeyID))
+				log.Debug(errWithCode)
+				return nil, errWithCode
+			}
+
 			errWithCode := gtserror.NewErrorUnauthorized(fmt.Errorf("error dereferencing public key %s: %s", requestingPublicKeyID, err))
 			log.Debug(errWithCode)
 			return nil, errWithCode

internal/federation/federatingprotocol.go

@@ -169,6 +169,13 @@ func (f *federator) AuthenticatePostInbox(ctx context.Context, w http.ResponseWr
 			// if 400, 401, or 403, obey the interface by writing the header and bailing
 			w.WriteHeader(errWithCode.Code())
 			return ctx, false, nil
+		case http.StatusGone:
+			// if the requesting account has gone (http 410) then likely
+			// inbox post was a delete, we can just write 202 and leave,
+			// since we didn't know about the account anyway, so we can't
+			// do any further processing
+			w.WriteHeader(http.StatusAccepted)
+			return ctx, false, nil
 		default:
 			// if not, there's been a proper error
 			return ctx, false, err

internal/federation/federatingprotocol_test.go

@@ -182,6 +182,94 @@ func (suite *FederatingProtocolTestSuite) TestAuthenticatePostInbox() {
 	suite.Equal(sendingAccount.Username, requestingAccount.Username)
 }
 
+func (suite *FederatingProtocolTestSuite) TestAuthenticatePostGone() {
+	// the activity we're gonna use
+	activity := suite.testActivities["delete_https://somewhere.mysterious/users/rest_in_piss#main-key"]
+	inboxAccount := suite.testAccounts["local_account_1"]
+
+	fedWorker := concurrency.NewWorkerPool[messages.FromFederator](-1, -1)
+
+	httpClient := testrig.NewMockHTTPClient(nil, "../../testrig/media")
+	tc := testrig.NewTestTransportController(httpClient, suite.db, fedWorker)
+
+	// now setup module being tested, with the mock transport controller
+	federator := federation.NewFederator(suite.db, testrig.NewTestFederatingDB(suite.db, fedWorker), tc, suite.tc, testrig.NewTestMediaManager(suite.db, suite.storage))
+
+	request := httptest.NewRequest(http.MethodPost, "http://localhost:8080/users/the_mighty_zork/inbox", nil)
+	// we need these headers for the request to be validated
+	request.Header.Set("Signature", activity.SignatureHeader)
+	request.Header.Set("Date", activity.DateHeader)
+	request.Header.Set("Digest", activity.DigestHeader)
+
+	verifier, err := httpsig.NewVerifier(request)
+	suite.NoError(err)
+
+	ctx := context.Background()
+	// by the time AuthenticatePostInbox is called, PostInboxRequestBodyHook should have already been called,
+	// which should have set the account and username onto the request. We can replicate that behavior here:
+	ctxWithAccount := context.WithValue(ctx, ap.ContextReceivingAccount, inboxAccount)
+	ctxWithVerifier := context.WithValue(ctxWithAccount, ap.ContextRequestingPublicKeyVerifier, verifier)
+	ctxWithSignature := context.WithValue(ctxWithVerifier, ap.ContextRequestingPublicKeySignature, activity.SignatureHeader)
+
+	// we can pass this recorder as a writer and read it back after
+	recorder := httptest.NewRecorder()
+
+	// trigger the function being tested, and return the new context it creates
+	_, authed, err := federator.AuthenticatePostInbox(ctxWithSignature, recorder, request)
+	suite.NoError(err)
+	suite.False(authed)
+	suite.Equal(http.StatusAccepted, recorder.Code)
+}
+
+func (suite *FederatingProtocolTestSuite) TestAuthenticatePostGoneNoTombstoneYet() {
+	// delete the relevant tombstone
+	if err := suite.db.DeleteTombstone(context.Background(), suite.testTombstones["https://somewhere.mysterious/users/rest_in_piss#main-key"].ID); err != nil {
+		suite.FailNow(err.Error())
+	}
+
+	// the activity we're gonna use
+	activity := suite.testActivities["delete_https://somewhere.mysterious/users/rest_in_piss#main-key"]
+	inboxAccount := suite.testAccounts["local_account_1"]
+
+	fedWorker := concurrency.NewWorkerPool[messages.FromFederator](-1, -1)
+
+	httpClient := testrig.NewMockHTTPClient(nil, "../../testrig/media")
+	tc := testrig.NewTestTransportController(httpClient, suite.db, fedWorker)
+
+	// now setup module being tested, with the mock transport controller
+	federator := federation.NewFederator(suite.db, testrig.NewTestFederatingDB(suite.db, fedWorker), tc, suite.tc, testrig.NewTestMediaManager(suite.db, suite.storage))
+
+	request := httptest.NewRequest(http.MethodPost, "http://localhost:8080/users/the_mighty_zork/inbox", nil)
+	// we need these headers for the request to be validated
+	request.Header.Set("Signature", activity.SignatureHeader)
+	request.Header.Set("Date", activity.DateHeader)
+	request.Header.Set("Digest", activity.DigestHeader)
+
+	verifier, err := httpsig.NewVerifier(request)
+	suite.NoError(err)
+
+	ctx := context.Background()
+	// by the time AuthenticatePostInbox is called, PostInboxRequestBodyHook should have already been called,
+	// which should have set the account and username onto the request. We can replicate that behavior here:
+	ctxWithAccount := context.WithValue(ctx, ap.ContextReceivingAccount, inboxAccount)
+	ctxWithVerifier := context.WithValue(ctxWithAccount, ap.ContextRequestingPublicKeyVerifier, verifier)
+	ctxWithSignature := context.WithValue(ctxWithVerifier, ap.ContextRequestingPublicKeySignature, activity.SignatureHeader)
+
+	// we can pass this recorder as a writer and read it back after
+	recorder := httptest.NewRecorder()
+
+	// trigger the function being tested, and return the new context it creates
+	_, authed, err := federator.AuthenticatePostInbox(ctxWithSignature, recorder, request)
+	suite.NoError(err)
+	suite.False(authed)
+	suite.Equal(http.StatusAccepted, recorder.Code)
+
+	// there should be a tombstone in the db now for this account
+	exists, err := suite.db.TombstoneExistsWithURI(ctx, "https://somewhere.mysterious/users/rest_in_piss#main-key")
+	suite.NoError(err)
+	suite.True(exists)
+}
+
 func (suite *FederatingProtocolTestSuite) TestBlocked1() {
 	fedWorker := concurrency.NewWorkerPool[messages.FromFederator](-1, -1)
 	httpClient := testrig.NewMockHTTPClient(nil, "../../testrig/media")

internal/federation/federator_test.go

@@ -36,6 +36,7 @@ type FederatorStandardTestSuite struct {
 	testAccounts   map[string]*gtsmodel.Account
 	testStatuses   map[string]*gtsmodel.Status
 	testActivities map[string]testrig.ActivityWithSignature
+	testTombstones map[string]*gtsmodel.Tombstone
 }
 
 // SetupSuite sets some variables on the suite that we can use as consts (more or less) throughout
@@ -45,6 +46,7 @@ func (suite *FederatorStandardTestSuite) SetupSuite() {
 	suite.tc = testrig.NewTestTypeConverter(suite.db)
 	suite.testAccounts = testrig.NewTestAccounts()
 	suite.testStatuses = testrig.NewTestStatuses()
+	suite.testTombstones = testrig.NewTestTombstones()
 }
 
 func (suite *FederatorStandardTestSuite) SetupTest() {

internal/federation/gone.go

@@ -0,0 +1,34 @@
+package federation
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/id"
+	"github.com/superseriousbusiness/gotosocial/internal/log"
+)
+
+// CheckGone checks if a tombstone exists in the database for AP Actor or Object with the given uri.
+func (f *federator) CheckGone(ctx context.Context, uri *url.URL) (bool, error) {
+	return f.db.TombstoneExistsWithURI(ctx, uri.String())
+}
+
+// HandleGone puts a tombstone in the database, which marks an AP Actor or Object with the given uri as gone.
+func (f *federator) HandleGone(ctx context.Context, uri *url.URL) error {
+	tombstoneID, err := id.NewULID()
+	if err != nil {
+		err = fmt.Errorf("HandleGone: error generating id for new tombstone %s: %s", uri, err)
+		log.Error(err)
+		return err
+	}
+
+	tombstone := &gtsmodel.Tombstone{
+		ID:     tombstoneID,
+		Domain: uri.Host,
+		URI:    uri.String(),
+	}
+
+	return f.db.PutTombstone(ctx, tombstone)
+}

internal/gtserror/withcode.go

@@ -161,3 +161,16 @@ func NewErrorUnprocessableEntity(original error, helpText ...string) WithCode {
 		code:     http.StatusUnprocessableEntity,
 	}
 }
+
+// NewErrorGone returns an ErrorWithCode 410 with the given original error and optional help text.
+func NewErrorGone(original error, helpText ...string) WithCode {
+	safe := http.StatusText(http.StatusGone)
+	if helpText != nil {
+		safe = safe + ": " + strings.Join(helpText, ": ")
+	}
+	return withCode{
+		original: original,
+		safe:     errors.New(safe),
+		code:     http.StatusGone,
+	}
+}

internal/gtsmodel/tombstone.go

@@ -0,0 +1,38 @@
+/*
+   GoToSocial
+   Copyright (C) 2021-2022 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+// Package gtsmodel contains types used *internally* by GoToSocial and added/removed/selected from the database.
+// These types should never be serialized and/or sent out via public APIs, as they contain sensitive information.
+// The annotation used on these structs is for handling them via the bun-db ORM.
+// See here for more info on bun model annotations: https://bun.uptrace.dev/guide/models.html
+package gtsmodel
+
+import (
+	"time"
+)
+
+// Tombstone represents either a remote fediverse account, object, activity etc which has been deleted.
+// It's useful in cases where a remote account has been deleted, and we don't want to keep trying to process
+// subsequent activities from that account, or deletes which target it.
+type Tombstone struct {
+	ID        string    `validate:"required,ulid" bun:"type:CHAR(26),pk,nullzero,notnull,unique"`        // id of this item in the database
+	CreatedAt time.Time `validate:"-" bun:"type:timestamptz,nullzero,notnull,default:current_timestamp"` // when was item created
+	UpdatedAt time.Time `validate:"-" bun:"type:timestamptz,nullzero,notnull,default:current_timestamp"` // when was item last updated
+	Domain    string    `validate:"omitempty,fqdn" bun:",nullzero,notnull"`                              // Domain of the Object/Actor.
+	URI       string    `validate:"required,url" bun:",nullzero,notnull,unique"`                         // ActivityPub URI for this Object/Actor.
+}

internal/transport/dereference.go

@@ -20,6 +20,7 @@ package transport
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -30,6 +31,12 @@ import (
 	"github.com/superseriousbusiness/gotosocial/internal/uris"
 )
 
+// ErrGone is returned from Dereference when the remote resource returns 410 GONE.
+// This is useful in cases where we're processing a delete of a resource that's already
+// been removed from the remote server, so we know we don't need to keep trying to
+// dereference it.
+var ErrGone = errors.New("remote resource returned HTTP code 410 GONE")
+
 func (t *transport) Dereference(ctx context.Context, iri *url.URL) ([]byte, error) {
 	// if the request is to us, we can shortcut for certain URIs rather than going through
 	// the normal request flow, thereby saving time and energy
@@ -66,10 +73,12 @@ func (t *transport) Dereference(ctx context.Context, iri *url.URL) ([]byte, erro
 	}
 	defer rsp.Body.Close()
 
-	// Check for an expected status code
-	if rsp.StatusCode != http.StatusOK {
+	switch rsp.StatusCode {
+	case http.StatusOK:
+		return io.ReadAll(rsp.Body)
+	case http.StatusGone:
+		return nil, ErrGone
+	default:
 		return nil, fmt.Errorf("GET request to %s failed (%d): %s", iriStr, rsp.StatusCode, rsp.Status)
 	}
-
-	return io.ReadAll(rsp.Body)
 }