Process master/self-signing keys from devices call

2025-12-29 01:33:10 -06:00 · 2021-08-03 10:08:49 +01:00 · 2021-08-03 10:08:49 +01:00 · c990e79387
parent a1309b3afc
commit c990e79387
5 changed files with 81 additions and 12 deletions
--- a/keyserver/internal/cross_signing.go
+++ b/keyserver/internal/cross_signing.go
@ -113,6 +113,41 @@ func (a *KeyInternalAPI) PerformUploadDeviceKeys(ctx context.Context, req *api.P
 		masterKey, hasMasterKey = existingKeys[gomatrixserverlib.CrossSigningKeyPurposeMaster]
 	}

+	// If the user isn't a local user and we haven't successfully found a key
+	// through any local means then ask over federation.
+	if !hasMasterKey {
+		_, host, err := gomatrixserverlib.SplitID('@', req.UserID)
+		if err != nil {
+			res.Error = &api.KeyError{
+				Err: "Retrieving cross-signing keys from federation failed: " + err.Error(),
+			}
+			return
+		}
+		keys, err := a.FedClient.QueryKeys(ctx, host, map[string][]string{
+			req.UserID: {},
+		})
+		if err != nil {
+			res.Error = &api.KeyError{
+				Err: "Retrieving cross-signing keys from federation failed: " + err.Error(),
+			}
+			return
+		}
+		switch k := keys.MasterKeys[req.UserID].CrossSigningBody.(type) {
+		case *gomatrixserverlib.CrossSigningKey:
+			if err := sanityCheckKey(*k, req.UserID, gomatrixserverlib.CrossSigningKeyPurposeMaster); err != nil {
+				res.Error = &api.KeyError{
+					Err: "User-signing key sanity check failed: " + err.Error(),
+				}
+				return
+			}
+		default:
+			res.Error = &api.KeyError{
+				Err: "Unexpected type for master key retrieved from federation",
+			}
+			return
+		}
+	}
+
 	// If we still don't have a master key at this point then there's nothing else
 	// we can do - we've checked both the request and the database.
 	if !hasMasterKey {
--- a/keyserver/internal/device_list_update.go
+++ b/keyserver/internal/device_list_update.go
@ -82,6 +82,7 @@ type DeviceListUpdater struct {
 	mu            *sync.Mutex // protects UserIDToMutex

 	db          DeviceListUpdaterDatabase
+	api         DeviceListUpdaterAPI
 	producer    KeyChangeProducer
 	fedClient   fedsenderapi.FederationClient
 	workerChans []chan gomatrixserverlib.ServerName
@ -114,6 +115,10 @@ type DeviceListUpdaterDatabase interface {
 	DeviceKeysJSON(ctx context.Context, keys []api.DeviceMessage) error
 }

+type DeviceListUpdaterAPI interface {
+	PerformUploadDeviceKeys(ctx context.Context, req *api.PerformUploadDeviceKeysRequest, res *api.PerformUploadDeviceKeysResponse)
+}
+
 // KeyChangeProducer is the interface for producers.KeyChange useful for testing.
 type KeyChangeProducer interface {
 	ProduceKeyChanges(keys []api.DeviceMessage) error
@ -121,13 +126,14 @@ type KeyChangeProducer interface {

 // NewDeviceListUpdater creates a new updater which fetches fresh device lists when they go stale.
 func NewDeviceListUpdater(
-	db DeviceListUpdaterDatabase, producer KeyChangeProducer, fedClient fedsenderapi.FederationClient,
-	numWorkers int,
+	db DeviceListUpdaterDatabase, api DeviceListUpdaterAPI, producer KeyChangeProducer,
+	fedClient fedsenderapi.FederationClient, numWorkers int,
 ) *DeviceListUpdater {
 	return &DeviceListUpdater{
 		userIDToMutex:  make(map[string]*sync.Mutex),
 		mu:             &sync.Mutex{},
 		db:             db,
+		api:            api,
 		producer:       producer,
 		fedClient:      fedClient,
 		workerChans:    make([]chan gomatrixserverlib.ServerName, numWorkers),
@ -367,6 +373,23 @@ func (u *DeviceListUpdater) processServer(serverName gomatrixserverlib.ServerNam
 			}
 			continue
 		}
+		if res.MasterKey != nil || res.SelfSigningKey != nil {
+			uploadReq := &api.PerformUploadDeviceKeysRequest{
+				UserID: userID,
+			}
+			uploadRes := &api.PerformUploadDeviceKeysResponse{}
+			if res.MasterKey != nil {
+				if err = sanityCheckKey(*res.MasterKey, userID, gomatrixserverlib.CrossSigningKeyPurposeMaster); err == nil {
+					uploadReq.MasterKey = *res.MasterKey
+				}
+			}
+			if res.SelfSigningKey != nil {
+				if err = sanityCheckKey(*res.MasterKey, userID, gomatrixserverlib.CrossSigningKeyPurposeSelfSigning); err == nil {
+					uploadReq.SelfSigningKey = *res.SelfSigningKey
+				}
+			}
+			u.api.PerformUploadDeviceKeys(ctx, uploadReq, uploadRes)
+		}
 		err = u.updateDeviceList(&res)
 		if err != nil {
 			logger.WithError(err).WithField("user_id", userID).Error("fetched device list but failed to store/emit it")
--- a/keyserver/internal/device_list_update_test.go
+++ b/keyserver/internal/device_list_update_test.go
@ -95,6 +95,13 @@ func (d *mockDeviceListUpdaterDatabase) DeviceKeysJSON(ctx context.Context, keys
 	return nil
 }

+type mockDeviceListUpdaterAPI struct {
+}
+
+func (d *mockDeviceListUpdaterAPI) PerformUploadDeviceKeys(ctx context.Context, req *api.PerformUploadDeviceKeysRequest, res *api.PerformUploadDeviceKeysResponse) {
+
+}
+
 type roundTripper struct {
 	fn func(*http.Request) (*http.Response, error)
 }
@ -122,8 +129,9 @@ func TestUpdateHavePrevID(t *testing.T) {
 			return true
 		},
 	}
+	ap := &mockDeviceListUpdaterAPI{}
 	producer := &mockKeyChangeProducer{}
-	updater := NewDeviceListUpdater(db, producer, nil, 1)
+	updater := NewDeviceListUpdater(db, ap, producer, nil, 1)
 	event := gomatrixserverlib.DeviceListUpdateEvent{
 		DeviceDisplayName: "Foo Bar",
 		Deleted:           false,
@ -166,6 +174,7 @@ func TestUpdateNoPrevID(t *testing.T) {
 			return false
 		},
 	}
+	ap := &mockDeviceListUpdaterAPI{}
 	producer := &mockKeyChangeProducer{}
 	remoteUserID := "@alice:example.somewhere"
 	var wg sync.WaitGroup
@ -193,7 +202,7 @@ func TestUpdateNoPrevID(t *testing.T) {
 			`)),
 		}, nil
 	})
-	updater := NewDeviceListUpdater(db, producer, fedClient, 2)
+	updater := NewDeviceListUpdater(db, ap, producer, fedClient, 2)
 	if err := updater.Start(); err != nil {
 		t.Fatalf("failed to start updater: %s", err)
 	}
--- a/keyserver/keyserver.go
+++ b/keyserver/keyserver.go
@ -51,20 +51,19 @@ func NewInternalAPI(
 		Producer: producer,
 		DB:       db,
 	}
-	updater := internal.NewDeviceListUpdater(db, keyChangeProducer, fedClient, 8) // 8 workers TODO: configurable
-	go func() {
-		if err := updater.Start(); err != nil {
-			logrus.WithError(err).Panicf("failed to start device list updater")
-		}
-	}()
-
 	ap := &internal.KeyInternalAPI{
 		DB:         db,
 		ThisServer: cfg.Matrix.ServerName,
 		FedClient:  fedClient,
 		Producer:   keyChangeProducer,
-		Updater:    updater,
 	}
+	updater := internal.NewDeviceListUpdater(db, ap, keyChangeProducer, fedClient, 8) // 8 workers TODO: configurable
+	ap.Updater = updater
+	go func() {
+		if err := updater.Start(); err != nil {
+			logrus.WithError(err).Panicf("failed to start device list updater")
+		}
+	}()

 	keyconsumer := consumers.NewOutputSigningKeyUpdateConsumer(
 		base.ProcessContext, base.Cfg, consumer, db, ap,
--- a/3
+++ b/3
@ -550,3 +550,6 @@ Will not back up to an old backup version
 Can create more than 10 backup versions
 Can delete backup
 Deleted & recreated backups are empty
+Can upload self-signing keys
+Fails to upload self-signing keys with no auth
+Fails to upload self-signing key without master key