From cabdbb7f9c1df8007749d07a2e186bb3ad35f62b Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Sun, 26 Aug 2018 20:21:03 +0200 Subject: Add CLI task for rotating keys (#8466) * If an Update is signed with known key, skip re-following procedure Because it means the remote actor did *not* lose their database * Add CLI method for rotating keys bin/tootctl accounts rotate [USERNAME] Generates a new RSA key per account and sends out an Update activity signed with the old key. * Key rotation: Space out Update fan-outs every 5 minutes per 1000 accounts * Skip suspended accounts in key rotation --- app/workers/activitypub/delivery_worker.rb | 5 +++-- app/workers/activitypub/update_distribution_worker.rb | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) (limited to 'app/workers') diff --git a/app/workers/activitypub/delivery_worker.rb b/app/workers/activitypub/delivery_worker.rb index 323a9f85b..adbb496d9 100644 --- a/app/workers/activitypub/delivery_worker.rb +++ b/app/workers/activitypub/delivery_worker.rb @@ -10,7 +10,8 @@ class ActivityPub::DeliveryWorker HEADERS = { 'Content-Type' => 'application/activity+json' }.freeze - def perform(json, source_account_id, inbox_url) + def perform(json, source_account_id, inbox_url, options = {}) + @options = options.with_indifferent_access @json = json @source_account = Account.find(source_account_id) @inbox_url = inbox_url @@ -27,7 +28,7 @@ class ActivityPub::DeliveryWorker def build_request request = Request.new(:post, @inbox_url, body: @json) - request.on_behalf_of(@source_account, :uri) + request.on_behalf_of(@source_account, :uri, sign_with: @options[:sign_with]) request.add_headers(HEADERS) end diff --git a/app/workers/activitypub/update_distribution_worker.rb b/app/workers/activitypub/update_distribution_worker.rb index bbda69305..b9e5ff064 100644 --- a/app/workers/activitypub/update_distribution_worker.rb +++ b/app/workers/activitypub/update_distribution_worker.rb @@ -5,7 +5,8 @@ class ActivityPub::UpdateDistributionWorker sidekiq_options queue: 'push' - def perform(account_id) + def perform(account_id, options = {}) + @options = options.with_indifferent_access @account = Account.find(account_id) ActivityPub::DeliveryWorker.push_bulk(inboxes) do |inbox_url| @@ -26,7 +27,7 @@ class ActivityPub::UpdateDistributionWorker end def signed_payload - @signed_payload ||= Oj.dump(ActivityPub::LinkedDataSignature.new(payload).sign!(@account)) + @signed_payload ||= Oj.dump(ActivityPub::LinkedDataSignature.new(payload).sign!(@account, sign_with: @options[:sign_with])) end def payload -- cgit