+1 -2

cmd/rerelay/main.go

reviewed

··· 257 257 } 258 258 259 259 evtman := eventmgr.NewEventManager(persister) 260 260 - vldtr := relay.NewValidator(&dir) 261 260 262 261 logger.Info("constructing relay service") 263 263 - r, err := relay.NewRelay(db, vldtr, evtman, &dir, relayConfig) 262 262 + r, err := relay.NewRelay(db, evtman, &dir, relayConfig) 264 263 if err != nil { 265 264 return err 266 265 }

+2 -3

cmd/rerelay/relay/account.go

reviewed

··· 11 11 "github.com/bluesky-social/indigo/atproto/syntax" 12 12 "github.com/bluesky-social/indigo/cmd/rerelay/relay/models" 13 13 14 14 - "github.com/ipfs/go-cid" 15 14 "gorm.io/gorm" 16 15 ) 17 16 ··· 261 260 return accounts, nil 262 261 } 263 262 264 264 - func (r *Relay) UpsertAccountRepo(uid uint64, rev syntax.TID, commitCID, commitDataCID cid.Cid) error { 265 265 - return r.db.Exec("INSERT INTO account_repo (uid, rev, commit_cid, commit_data) VALUES (?, ?, ?, ?) ON CONFLICT (uid) DO UPDATE SET rev = EXCLUDED.rev, commit_cid = EXCLUDED.commit_cid, commit_data = EXCLUDED.commit_data", uid, rev, commitCID.String(), commitDataCID.String()).Error 263 263 + func (r *Relay) UpsertAccountRepo(uid uint64, rev syntax.TID, commitCID, commitDataCID string) error { 264 264 + return r.db.Exec("INSERT INTO account_repo (uid, rev, commit_cid, commit_data) VALUES (?, ?, ?, ?) ON CONFLICT (uid) DO UPDATE SET rev = EXCLUDED.rev, commit_cid = EXCLUDED.commit_cid, commit_data = EXCLUDED.commit_data", uid, rev, commitCID, commitDataCID).Error 266 265 } 267 266 268 267 // this function with exact name and args implements the `diskpersist.UidSource` interface

cmd/rerelay/relay/firehose.go cmd/rerelay/relay/broadcast.go

reviewed

+30 -34

cmd/rerelay/relay/ingest.go

reviewed

··· 11 11 "github.com/bluesky-social/indigo/cmd/rerelay/relay/models" 12 12 "github.com/bluesky-social/indigo/cmd/rerelay/stream" 13 13 14 14 - "github.com/ipfs/go-cid" 15 14 "go.opentelemetry.io/otel/attribute" 16 15 "gorm.io/gorm" 17 16 ) ··· 65 64 if err != nil { 66 65 return fmt.Errorf("invalid DID in message: %w", err) 67 66 } 67 67 + 68 68 // XXX: did = did.Normalize() 69 69 account, err := r.GetAccount(ctx, did) 70 70 if err != nil { ··· 81 81 return err 82 82 } 83 83 } 84 84 + 84 85 if account == nil { 85 86 return ErrAccountNotFound 86 87 } ··· 134 135 } 135 136 } 136 137 137 137 - // TODO: very messy fetch code here 138 138 - var repo *models.AccountRepo 139 139 - err = r.db.First(repo, account.UID).Error 140 140 - if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) { 141 141 - logger.Error("failed to get previous root", "err", err) 142 142 - repo = nil 138 138 + ident, err := r.dir.LookupDID(ctx, did) 139 139 + if err != nil { 140 140 + // XXX: handle more granularly (eg, true not-founds vs errors); and add tests 141 141 + logger.Warn("failed to load identity") 143 142 } 144 144 - var prevRev *syntax.TID 145 145 - var prevData *cid.Cid 146 146 - if repo != nil { 147 147 - c, err := cid.Parse(repo.CommitData) 148 148 - if err != nil { 149 149 - return fmt.Errorf("parsing commitDataCID from database: %w", err) 143 143 + 144 144 + var prevRepo *models.AccountRepo 145 145 + err = r.db.First(prevRepo, account.UID).Error 146 146 + if err != nil { 147 147 + if !errors.Is(err, gorm.ErrRecordNotFound) { 148 148 + // TODO: should this be a hard error? 149 149 + logger.Error("failed to read previous repo state", "err", err) 150 150 } 151 151 - prevData = &c 152 152 - t := syntax.TID(repo.Rev) 153 153 - prevRev = &t 154 154 - } 155 155 - evtPrevDataStr := "" 156 156 - if evt.PrevData != nil { 157 157 - evtPrevDataStr = ((*cid.Cid)(evt.PrevData)).String() 151 151 + prevRepo = nil 158 152 } 159 159 - commitDataCID, err := r.Validator.HandleCommit(ctx, hostname, account, evt, prevRev, prevData) 153 153 + 154 154 + // most commit validation happens in this method. Note that is handles lenient/strict modes. 155 155 + newRepo, err := r.VerifyRepoCommit(ctx, evt, ident, prevRepo, hostname) 160 156 if err != nil { 161 161 - // XXX: induction trace log 162 162 - logger.Error("commit bad", "prevData", evtPrevDataStr, "err", err) 163 163 - logger.Warn("failed handling event", "err", err, "commitCID", evt.Commit.String()) 164 164 - return fmt.Errorf("handle user event failed: %w", err) 157 157 + logger.Warn("commit message failed verification", "err", err) 158 158 + return err 165 159 } 166 160 167 167 - // TID syntax has been verified by validator 168 168 - rev := syntax.TID(evt.Rev) 169 169 - 170 170 - err = r.UpsertAccountRepo(account.UID, rev, cid.Cid(evt.Commit), *commitDataCID) 161 161 + err = r.UpsertAccountRepo(account.UID, syntax.TID(newRepo.Rev), newRepo.CommitCID, newRepo.CommitData) 171 162 if err != nil { 172 172 - return fmt.Errorf("failed to set previous root uid=%d: %w", account.UID, err) 163 163 + return fmt.Errorf("failed to upsert account repo (%s): %w", account.DID, err) 173 164 } 174 165 175 166 // Broadcast the identity event to all consumers 167 167 + // TODO: is this copy important? 176 168 commitCopy := *evt 177 169 err = r.Events.AddEvent(ctx, &stream.XRPCStreamEvent{ 178 170 RepoCommit: &commitCopy, ··· 209 201 return fmt.Errorf("could not get user for did %#v: %w", evt.Did, err) 210 202 } 211 203 212 212 - commitCID, commitDataCID, err := r.Validator.HandleSync(ctx, hostname, evt) 204 204 + ident, err := r.dir.LookupDID(ctx, did) 205 205 + if err != nil { 206 206 + // XXX: handle more granularly (eg, true not-founds vs errors); and add tests 207 207 + logger.Warn("failed to load identity") 208 208 + } 209 209 + 210 210 + newRepo, err := r.VerifyRepoSync(ctx, evt, ident, hostname) 213 211 if err != nil { 214 212 return err 215 213 } 216 216 - // TID syntax has been verified by validator 217 217 - rev := syntax.TID(evt.Rev) 218 214 219 215 // TODO: should this happen before or after firehose persist/broadcast? 220 220 - err = r.UpsertAccountRepo(account.UID, rev, *commitCID, *commitDataCID) 216 216 + err = r.UpsertAccountRepo(account.UID, syntax.TID(newRepo.Rev), newRepo.CommitCID, newRepo.CommitData) 221 217 if err != nil { 222 218 return fmt.Errorf("failed to upsert repo state (uid %d): %w", account.UID, err) 223 219 }

+2 -3

cmd/rerelay/relay/relay.go

reviewed

··· 22 22 Logger *slog.Logger 23 23 Slurper *Slurper 24 24 Events *eventmgr.EventManager 25 25 - Validator *Validator 26 25 HostChecker HostChecker 27 26 Config RelayConfig 28 27 ··· 47 46 MaxQueuePerHost int64 48 47 ApplyHostClientSettings func(c *xrpc.Client) 49 48 SkipAccountHostCheck bool // XXX: only used for testing 49 49 + LenientSyncValidation bool // XXX: wire through config 50 50 51 51 // if true, ignore "requestCrawl" 52 52 DisableNewHosts bool ··· 62 62 } 63 63 } 64 64 65 65 - func NewRelay(db *gorm.DB, vldtr *Validator, evtman *eventmgr.EventManager, dir identity.Directory, config *RelayConfig) (*Relay, error) { 65 65 + func NewRelay(db *gorm.DB, evtman *eventmgr.EventManager, dir identity.Directory, config *RelayConfig) (*Relay, error) { 66 66 67 67 if config == nil { 68 68 config = DefaultRelayConfig() ··· 77 77 dir: dir, 78 78 Logger: slog.Default().With("system", "relay"), 79 79 Events: evtman, 80 80 - Validator: vldtr, 81 80 HostChecker: hc, 82 81 Config: *config, 83 82

-432

cmd/rerelay/relay/validator.go

reviewed

··· 1 1 - package relay 2 2 - 3 3 - import ( 4 4 - "bytes" 5 5 - "context" 6 6 - "fmt" 7 7 - "log/slog" 8 8 - "sync" 9 9 - "sync/atomic" 10 10 - "time" 11 11 - 12 12 - comatproto "github.com/bluesky-social/indigo/api/atproto" 13 13 - "github.com/bluesky-social/indigo/atproto/identity" 14 14 - "github.com/bluesky-social/indigo/atproto/repo" 15 15 - "github.com/bluesky-social/indigo/atproto/syntax" 16 16 - "github.com/bluesky-social/indigo/cmd/rerelay/relay/models" 17 17 - 18 18 - "github.com/ipfs/go-cid" 19 19 - "go.opentelemetry.io/otel" 20 20 - ) 21 21 - 22 22 - const defaultMaxRevFuture = time.Hour 23 23 - 24 24 - func NewValidator(directory identity.Directory) *Validator { 25 25 - maxRevFuture := defaultMaxRevFuture // TODO: configurable 26 26 - ErrRevTooFarFuture := fmt.Errorf("new rev is > %s in the future", maxRevFuture) 27 27 - 28 28 - return &Validator{ 29 29 - userLocks: make(map[uint64]*userLock), 30 30 - log: slog.Default().With("system", "validator"), 31 31 - directory: directory, 32 32 - 33 33 - maxRevFuture: maxRevFuture, 34 34 - ErrRevTooFarFuture: ErrRevTooFarFuture, 35 35 - AllowSignatureNotFound: true, // TODO: configurable 36 36 - } 37 37 - } 38 38 - 39 39 - // Validator contains the context and code necessary to validate #commit and #sync messages 40 40 - type Validator struct { 41 41 - lklk sync.Mutex 42 42 - userLocks map[uint64]*userLock 43 43 - 44 44 - log *slog.Logger 45 45 - 46 46 - directory identity.Directory 47 47 - 48 48 - // maxRevFuture is added to time.Now() for a limit of clock skew we'll accept a `rev` in the future for 49 49 - maxRevFuture time.Duration 50 50 - 51 51 - // ErrRevTooFarFuture is the error we return 52 52 - // held here because we fmt.Errorf() once with our configured maxRevFuture into the message 53 53 - ErrRevTooFarFuture error 54 54 - 55 55 - // AllowSignatureNotFound enables counting messages without findable public key to pass through with a warning counter 56 56 - // TODO: refine this for what kind of 'not found' we accept. 57 57 - AllowSignatureNotFound bool 58 58 - } 59 59 - 60 60 - type NextCommitHandler interface { 61 61 - HandleCommit(ctx context.Context, hostname string, uid uint64, did string, commit *comatproto.SyncSubscribeRepos_Commit) error 62 62 - } 63 63 - 64 64 - type userLock struct { 65 65 - lk sync.Mutex 66 66 - waiters atomic.Int32 67 67 - } 68 68 - 69 69 - // lockUser re-serializes access per-user after events may have been fanned out to many worker threads by events/schedulers/parallel 70 70 - func (val *Validator) lockUser(ctx context.Context, uid uint64) func() { 71 71 - ctx, span := otel.Tracer("validator").Start(ctx, "userLock") 72 72 - defer span.End() 73 73 - 74 74 - val.lklk.Lock() 75 75 - 76 76 - ulk, ok := val.userLocks[uid] 77 77 - if !ok { 78 78 - ulk = &userLock{} 79 79 - val.userLocks[uid] = ulk 80 80 - } 81 81 - 82 82 - ulk.waiters.Add(1) 83 83 - 84 84 - val.lklk.Unlock() 85 85 - 86 86 - ulk.lk.Lock() 87 87 - 88 88 - return func() { 89 89 - val.lklk.Lock() 90 90 - defer val.lklk.Unlock() 91 91 - 92 92 - ulk.lk.Unlock() 93 93 - 94 94 - nv := ulk.waiters.Add(-1) 95 95 - 96 96 - if nv == 0 { 97 97 - delete(val.userLocks, uid) 98 98 - } 99 99 - } 100 100 - } 101 101 - 102 102 - func (val *Validator) HandleCommit(ctx context.Context, hostname string, account *models.Account, commit *comatproto.SyncSubscribeRepos_Commit, prevRev *syntax.TID, prevData *cid.Cid) (commitDataCID *cid.Cid, err error) { 103 103 - uid := account.UID 104 104 - unlock := val.lockUser(ctx, uid) 105 105 - defer unlock() 106 106 - repoFragment, err := val.VerifyCommitMessage(ctx, hostname, commit, prevRev, prevData) 107 107 - if err != nil { 108 108 - return nil, err 109 109 - } 110 110 - commitDataCID, err = repoFragment.MST.RootCID() 111 111 - if err != nil { 112 112 - return nil, err 113 113 - } 114 114 - return commitDataCID, nil 115 115 - } 116 116 - 117 117 - type revOutOfOrderError struct { 118 118 - dt time.Duration 119 119 - } 120 120 - 121 121 - func (roooe *revOutOfOrderError) Error() string { 122 122 - return fmt.Sprintf("new rev is before previous rev by %s", roooe.dt.String()) 123 123 - } 124 124 - 125 125 - var ErrNewRevBeforePrevRev = &revOutOfOrderError{} 126 126 - 127 127 - func (val *Validator) VerifyCommitMessage(ctx context.Context, hostname string, msg *comatproto.SyncSubscribeRepos_Commit, prevRev *syntax.TID, prevData *cid.Cid) (*repo.Repo, error) { 128 128 - hasWarning := false 129 129 - commitVerifyStarts.Inc() 130 130 - logger := slog.Default().With("did", msg.Repo, "rev", msg.Rev, "seq", msg.Seq, "time", msg.Time) 131 131 - 132 132 - did, err := syntax.ParseDID(msg.Repo) 133 133 - if err != nil { 134 134 - commitVerifyErrors.WithLabelValues(hostname, "did").Inc() 135 135 - return nil, err 136 136 - } 137 137 - rev, err := syntax.ParseTID(msg.Rev) 138 138 - if err != nil { 139 139 - commitVerifyErrors.WithLabelValues(hostname, "tid").Inc() 140 140 - return nil, err 141 141 - } 142 142 - if prevRev != nil { 143 143 - curTime := rev.Time() 144 144 - prevTime := prevRev.Time() 145 145 - if curTime.Before(prevTime) { 146 146 - commitVerifyErrors.WithLabelValues(hostname, "revb").Inc() 147 147 - dt := prevTime.Sub(curTime) 148 148 - return nil, &revOutOfOrderError{dt} 149 149 - } 150 150 - } 151 151 - if rev.Time().After(time.Now().Add(val.maxRevFuture)) { 152 152 - commitVerifyErrors.WithLabelValues(hostname, "revf").Inc() 153 153 - return nil, val.ErrRevTooFarFuture 154 154 - } 155 155 - _, err = syntax.ParseDatetime(msg.Time) 156 156 - if err != nil { 157 157 - commitVerifyErrors.WithLabelValues(hostname, "time").Inc() 158 158 - return nil, err 159 159 - } 160 160 - 161 161 - if msg.TooBig { 162 162 - //logger.Warn("event with tooBig flag set") 163 163 - commitVerifyWarnings.WithLabelValues(hostname, "big").Inc() 164 164 - // XXX: induction trace log 165 165 - val.log.Warn("commit tooBig", "seq", msg.Seq, "host", hostname, "repo", msg.Repo) 166 166 - hasWarning = true 167 167 - } 168 168 - if msg.Rebase { 169 169 - //logger.Warn("event with rebase flag set") 170 170 - commitVerifyWarnings.WithLabelValues(hostname, "reb").Inc() 171 171 - // XXX: induction trace log 172 172 - val.log.Warn("commit rebase", "seq", msg.Seq, "host", hostname, "repo", msg.Repo) 173 173 - hasWarning = true 174 174 - } 175 175 - 176 176 - commit, repoFragment, err := repo.LoadRepoFromCAR(ctx, bytes.NewReader([]byte(msg.Blocks))) 177 177 - if err != nil { 178 178 - commitVerifyErrors.WithLabelValues(hostname, "car").Inc() 179 179 - return nil, err 180 180 - } 181 181 - 182 182 - if commit.Rev != rev.String() { 183 183 - commitVerifyErrors.WithLabelValues(hostname, "rev").Inc() 184 184 - return nil, fmt.Errorf("rev did not match commit") 185 185 - } 186 186 - if commit.DID != did.String() { 187 187 - commitVerifyErrors.WithLabelValues(hostname, "did2").Inc() 188 188 - return nil, fmt.Errorf("rev did not match commit") 189 189 - } 190 190 - 191 191 - err = val.VerifyCommitSignature(ctx, commit, hostname, &hasWarning) 192 192 - if err != nil { 193 193 - // signature errors are metrics counted inside VerifyCommitSignature() 194 194 - return nil, err 195 195 - } 196 196 - 197 197 - // load out all the records 198 198 - for _, op := range msg.Ops { 199 199 - if (op.Action == "create" || op.Action == "update") && op.Cid != nil { 200 200 - c := (*cid.Cid)(op.Cid) 201 201 - nsid, rkey, err := syntax.ParseRepoPath(op.Path) 202 202 - if err != nil { 203 203 - commitVerifyErrors.WithLabelValues(hostname, "opp").Inc() 204 204 - return nil, fmt.Errorf("invalid repo path in ops list: %w", err) 205 205 - } 206 206 - val, err := repoFragment.GetRecordCID(ctx, nsid, rkey) 207 207 - if err != nil { 208 208 - commitVerifyErrors.WithLabelValues(hostname, "rcid").Inc() 209 209 - return nil, err 210 210 - } 211 211 - if *c != *val { 212 212 - commitVerifyErrors.WithLabelValues(hostname, "opc").Inc() 213 213 - return nil, fmt.Errorf("record op doesn't match MST tree value") 214 214 - } 215 215 - _, _, err = repoFragment.GetRecordBytes(ctx, nsid, rkey) 216 216 - if err != nil { 217 217 - commitVerifyErrors.WithLabelValues(hostname, "rec").Inc() 218 218 - return nil, err 219 219 - } 220 220 - } 221 221 - } 222 222 - 223 223 - // TODO: once firehose format is fully shipped, remove this 224 224 - for _, o := range msg.Ops { 225 225 - switch o.Action { 226 226 - case "delete": 227 227 - if o.Prev == nil { 228 228 - logger.Debug("can't invert legacy op", "action", o.Action) 229 229 - // XXX: induction trace log 230 230 - val.log.Warn("commit delete op", "seq", msg.Seq, "host", hostname, "repo", msg.Repo) 231 231 - commitVerifyOkish.WithLabelValues(hostname, "del").Inc() 232 232 - return repoFragment, nil 233 233 - } 234 234 - case "update": 235 235 - if o.Prev == nil { 236 236 - logger.Debug("can't invert legacy op", "action", o.Action) 237 237 - // XXX: induction trace log 238 238 - val.log.Warn("commit update op", "seq", msg.Seq, "host", hostname, "repo", msg.Repo) 239 239 - commitVerifyOkish.WithLabelValues(hostname, "up").Inc() 240 240 - return repoFragment, nil 241 241 - } 242 242 - } 243 243 - } 244 244 - 245 245 - if msg.PrevData != nil { 246 246 - c := (*cid.Cid)(msg.PrevData) 247 247 - if prevData != nil { 248 248 - if *c != *prevData { 249 249 - commitVerifyWarnings.WithLabelValues(hostname, "pr").Inc() 250 250 - // XXX: induction trace log 251 251 - val.log.Warn("commit prevData mismatch", "seq", msg.Seq, "host", hostname, "repo", msg.Repo) 252 252 - hasWarning = true 253 253 - } 254 254 - } else { 255 255 - // see counter below for okish "new" 256 256 - } 257 257 - 258 258 - // check internal consistency that claimed previous root matches the rest of this message 259 259 - ops, err := ParseCommitOps(msg.Ops) 260 260 - if err != nil { 261 261 - commitVerifyErrors.WithLabelValues(hostname, "pop").Inc() 262 262 - return nil, err 263 263 - } 264 264 - ops, err = repo.NormalizeOps(ops) 265 265 - if err != nil { 266 266 - commitVerifyErrors.WithLabelValues(hostname, "nop").Inc() 267 267 - return nil, err 268 268 - } 269 269 - 270 270 - invTree := repoFragment.MST.Copy() 271 271 - for _, op := range ops { 272 272 - if err := repo.InvertOp(&invTree, &op); err != nil { 273 273 - commitVerifyErrors.WithLabelValues(hostname, "inv").Inc() 274 274 - return nil, err 275 275 - } 276 276 - } 277 277 - computed, err := invTree.RootCID() 278 278 - if err != nil { 279 279 - commitVerifyErrors.WithLabelValues(hostname, "it").Inc() 280 280 - return nil, err 281 281 - } 282 282 - if *computed != *c { 283 283 - // this is self-inconsistent malformed data 284 284 - commitVerifyErrors.WithLabelValues(hostname, "pd").Inc() 285 285 - return nil, fmt.Errorf("inverted tree root didn't match prevData") 286 286 - } 287 287 - //logger.Debug("prevData matched", "prevData", c.String(), "computed", computed.String()) 288 288 - 289 289 - if prevData == nil { 290 290 - commitVerifyOkish.WithLabelValues(hostname, "new").Inc() 291 291 - } else if hasWarning { 292 292 - commitVerifyOkish.WithLabelValues(hostname, "warn").Inc() 293 293 - } else { 294 294 - // TODO: would it be better to make everything "okish"? 295 295 - // commitVerifyOkish.WithLabelValues(hostname, "ok").Inc() 296 296 - commitVerifyOk.WithLabelValues(hostname).Inc() 297 297 - } 298 298 - } else { 299 299 - // this source is still on old protocol without new prevData field 300 300 - commitVerifyOkish.WithLabelValues(hostname, "old").Inc() 301 301 - } 302 302 - 303 303 - return repoFragment, nil 304 304 - } 305 305 - 306 306 - // HandleSync checks signed commit from a #sync message 307 307 - func (val *Validator) HandleSync(ctx context.Context, hostname string, msg *comatproto.SyncSubscribeRepos_Sync) (commitCID, commitDataCID *cid.Cid, err error) { 308 308 - hasWarning := false 309 309 - 310 310 - did, err := syntax.ParseDID(msg.Did) 311 311 - if err != nil { 312 312 - syncVerifyErrors.WithLabelValues(hostname, "did").Inc() 313 313 - return nil, nil, err 314 314 - } 315 315 - rev, err := syntax.ParseTID(msg.Rev) 316 316 - if err != nil { 317 317 - syncVerifyErrors.WithLabelValues(hostname, "tid").Inc() 318 318 - return nil, nil, err 319 319 - } 320 320 - if rev.Time().After(time.Now().Add(val.maxRevFuture)) { 321 321 - syncVerifyErrors.WithLabelValues(hostname, "revf").Inc() 322 322 - return nil, nil, val.ErrRevTooFarFuture 323 323 - } 324 324 - _, err = syntax.ParseDatetime(msg.Time) 325 325 - if err != nil { 326 326 - syncVerifyErrors.WithLabelValues(hostname, "time").Inc() 327 327 - return nil, nil, err 328 328 - } 329 329 - 330 330 - commit, commitCID, err := repo.LoadCommitFromCAR(ctx, bytes.NewReader([]byte(msg.Blocks))) 331 331 - if err != nil { 332 332 - commitVerifyErrors.WithLabelValues(hostname, "car").Inc() 333 333 - return nil, nil, err 334 334 - } 335 335 - 336 336 - if commit.Rev != rev.String() { 337 337 - commitVerifyErrors.WithLabelValues(hostname, "rev").Inc() 338 338 - return nil, nil, fmt.Errorf("rev did not match commit") 339 339 - } 340 340 - if commit.DID != did.String() { 341 341 - commitVerifyErrors.WithLabelValues(hostname, "did2").Inc() 342 342 - return nil, nil, fmt.Errorf("rev did not match commit") 343 343 - } 344 344 - 345 345 - err = val.VerifyCommitSignature(ctx, commit, hostname, &hasWarning) 346 346 - if err != nil { 347 347 - // signature errors are metrics counted inside VerifyCommitSignature() 348 348 - return nil, nil, err 349 349 - } 350 350 - 351 351 - return commitCID, &commit.Data, nil 352 352 - } 353 353 - 354 354 - // TODO: lift back to indigo/atproto/repo util code? 355 355 - func ParseCommitOps(ops []*comatproto.SyncSubscribeRepos_RepoOp) ([]repo.Operation, error) { 356 356 - out := []repo.Operation{} 357 357 - for _, rop := range ops { 358 358 - switch rop.Action { 359 359 - case "create": 360 360 - if rop.Cid == nil || rop.Prev != nil { 361 361 - return nil, fmt.Errorf("invalid repoOp: create") 362 362 - } 363 363 - op := repo.Operation{ 364 364 - Path: rop.Path, 365 365 - Prev: nil, 366 366 - Value: (*cid.Cid)(rop.Cid), 367 367 - } 368 368 - out = append(out, op) 369 369 - case "delete": 370 370 - if rop.Cid != nil || rop.Prev == nil { 371 371 - return nil, fmt.Errorf("invalid repoOp: delete") 372 372 - } 373 373 - op := repo.Operation{ 374 374 - Path: rop.Path, 375 375 - Prev: (*cid.Cid)(rop.Prev), 376 376 - Value: nil, 377 377 - } 378 378 - out = append(out, op) 379 379 - case "update": 380 380 - if rop.Cid == nil || rop.Prev == nil { 381 381 - return nil, fmt.Errorf("invalid repoOp: update") 382 382 - } 383 383 - op := repo.Operation{ 384 384 - Path: rop.Path, 385 385 - Prev: (*cid.Cid)(rop.Prev), 386 386 - Value: (*cid.Cid)(rop.Cid), 387 387 - } 388 388 - out = append(out, op) 389 389 - default: 390 390 - return nil, fmt.Errorf("invalid repoOp action: %s", rop.Action) 391 391 - } 392 392 - } 393 393 - return out, nil 394 394 - } 395 395 - 396 396 - // VerifyCommitSignature get's repo's registered public key from Identity Directory, verifies Commit 397 397 - // hostname is just for metrics in case of error 398 398 - func (val *Validator) VerifyCommitSignature(ctx context.Context, commit *repo.Commit, hostname string, hasWarning *bool) error { 399 399 - if val.directory == nil { 400 400 - return nil 401 401 - } 402 402 - xdid, err := syntax.ParseDID(commit.DID) 403 403 - if err != nil { 404 404 - commitVerifyErrors.WithLabelValues(hostname, "sig1").Inc() 405 405 - return fmt.Errorf("bad car DID: %w", err) 406 406 - } 407 407 - ident, err := val.directory.LookupDID(ctx, xdid) 408 408 - if err != nil { 409 409 - if val.AllowSignatureNotFound { 410 410 - // allow not-found conditions to pass without signature check 411 411 - commitVerifyWarnings.WithLabelValues(hostname, "nok").Inc() 412 412 - if hasWarning != nil { 413 413 - *hasWarning = true 414 414 - } 415 415 - return nil 416 416 - } 417 417 - commitVerifyErrors.WithLabelValues(hostname, "sig2").Inc() 418 418 - return fmt.Errorf("DID lookup failed: %w", err) 419 419 - } 420 420 - pk, err := ident.PublicKey() 421 421 - if err != nil { 422 422 - commitVerifyErrors.WithLabelValues(hostname, "sig3").Inc() 423 423 - return fmt.Errorf("no atproto pubkey: %w", err) 424 424 - } 425 425 - err = commit.VerifySignature(pk) 426 426 - if err != nil { 427 427 - // TODO: if the DID document was stale, force re-fetch from source and re-try if pubkey has changed 428 428 - commitVerifyErrors.WithLabelValues(hostname, "sig4").Inc() 429 429 - return fmt.Errorf("invalid signature: %w", err) 430 430 - } 431 431 - return nil 432 432 - }

+182

cmd/rerelay/relay/verify.go

reviewed

··· 1 1 + package relay 2 2 + 3 3 + import ( 4 4 + "bytes" 5 5 + "context" 6 6 + "errors" 7 7 + "fmt" 8 8 + "time" 9 9 + 10 10 + comatproto "github.com/bluesky-social/indigo/api/atproto" 11 11 + "github.com/bluesky-social/indigo/atproto/identity" 12 12 + "github.com/bluesky-social/indigo/atproto/repo" 13 13 + "github.com/bluesky-social/indigo/atproto/syntax" 14 14 + "github.com/bluesky-social/indigo/cmd/rerelay/relay/models" 15 15 + ) 16 16 + 17 17 + var ( 18 18 + ErrFutureRev = errors.New("commit revision in the future") 19 19 + ErrRevSequence = errors.New("commit revision out of order") 20 20 + ) 21 21 + 22 22 + const futureRevTolerance = time.Minute * 5 23 23 + 24 24 + // High-level entrypoint for verifying #commit messages. 25 25 + // 26 26 + // Always verifies: loading commit and repo; field syntax; commit signature; future rev 27 27 + // 28 28 + // Strict verification: use of deprecated fields; MST inversion; all ops present in blocks 29 29 + // 30 30 + // Does not check: account/host matching; host-level sequence; account-level rev ordering; DID syntax 31 31 + // 32 32 + // `ident` arg may be nil (if resolution failed) 33 33 + // `prevRepo` arg represents previous state, and is optional/nullable. 34 34 + // `hostname` arg is piped through just for logging, not for validating account/host match 35 35 + // returns an AccountRepo with empty UID, containing metadata about *this* commit 36 36 + func (r *Relay) VerifyRepoCommit(ctx context.Context, evt *comatproto.SyncSubscribeRepos_Commit, ident *identity.Identity, prevRepo *models.AccountRepo, hostname string) (*models.AccountRepo, error) { 37 37 + logger := r.Logger.With("host", hostname, "did", evt.Repo, "rev", evt.Rev) 38 38 + 39 39 + // even in lenient/legacy mode (eg, tooBig), we need to verify commit 40 40 + commit, commitCID, err := repo.LoadCommitFromCAR(ctx, bytes.NewReader(evt.Blocks)) 41 41 + if err != nil { 42 42 + return nil, err 43 43 + } 44 44 + 45 45 + if err := r.VerifyCommitObject(ctx, commit, ident, hostname); err != nil { 46 46 + return nil, err 47 47 + } 48 48 + 49 49 + // consistency between event fields and commit fields 50 50 + if evt.Repo != commit.DID { 51 51 + return nil, fmt.Errorf("mismatched inner commit DID field: %s", commit.DID) 52 52 + } 53 53 + if evt.Rev != commit.Rev { 54 54 + return nil, fmt.Errorf("mismatched inner commit rev field: %s", commit.Rev) 55 55 + } 56 56 + 57 57 + err = r.VerifyCommitMessageStrict(ctx, evt, commit, prevRepo, hostname) 58 58 + if err != nil { 59 59 + if r.Config.LenientSyncValidation { 60 60 + logger.Warn("allowing commit message which failed strict validation", "problem", err) 61 61 + } else { 62 62 + return nil, err 63 63 + } 64 64 + } 65 65 + 66 66 + resp := models.AccountRepo{ 67 67 + Rev: commit.Rev, 68 68 + CommitCID: commitCID.String(), 69 69 + CommitData: commit.Data.String(), 70 70 + } 71 71 + return &resp, nil 72 72 + } 73 73 + 74 74 + // the parts of basic verification which are common between #commit and #sync messages 75 75 + func (r *Relay) VerifyCommitObject(ctx context.Context, commit *repo.Commit, ident *identity.Identity, hostname string) error { 76 76 + logger := r.Logger.With("host", hostname, "did", commit.DID, "rev", commit.Rev) 77 77 + 78 78 + // TODO: what parts does this actually do? 79 79 + if err := commit.VerifyStructure(); err != nil { 80 80 + return err 81 81 + } 82 82 + 83 83 + // if identity is available, verify the signature 84 84 + if ident != nil { 85 85 + // NOTE: may eventually want to cache cryptographic key parsing 86 86 + pubkey, err := ident.PublicKey() 87 87 + if err != nil { 88 88 + return fmt.Errorf("commit verification: %w", err) 89 89 + } 90 90 + 91 91 + if err := commit.VerifySignature(pubkey); err != nil { 92 92 + return fmt.Errorf("commit verification: %w", err) 93 93 + } 94 94 + } else { 95 95 + logger.Warn("skipping commit signature validation", "reason", "ident unavailable") 96 96 + } 97 97 + return nil 98 98 + } 99 99 + 100 100 + func (r *Relay) VerifyCommitMessageStrict(ctx context.Context, evt *comatproto.SyncSubscribeRepos_Commit, commit *repo.Commit, prevRepo *models.AccountRepo, hostname string) error { 101 101 + 102 102 + logger := r.Logger.With("host", hostname, "did", commit.DID, "rev", commit.Rev) 103 103 + 104 104 + // first check things which would skip MST inversion entirely 105 105 + if len(evt.Blocks) == 0 { 106 106 + return fmt.Errorf("commit messaging missing blocks") 107 107 + } 108 108 + if evt.TooBig { 109 109 + return fmt.Errorf("deprecated tooBig commit flag set") 110 110 + } 111 111 + if evt.PrevData == nil { 112 112 + return fmt.Errorf("missing prevData field") 113 113 + } 114 114 + if prevRepo != nil { 115 115 + if evt.PrevData.String() != prevRepo.CommitData { 116 116 + logger.Warn("commit with miss-matching prevData", "prevData", evt.PrevData, "prevRepo.CommitData", prevRepo.CommitData) 117 117 + } 118 118 + if evt.Since != nil && *evt.Since != prevRepo.Rev { 119 119 + logger.Warn("commit with miss-matching since", "since", evt.Since, "prevRepo.Rev", prevRepo.Rev) 120 120 + } 121 121 + } 122 122 + 123 123 + // this parse is redundant with earlier parse; once lenient mode is removed we should do only a single pass 124 124 + origRepo, _, err := repo.LoadRepoFromCAR(ctx, bytes.NewReader(evt.Blocks)) 125 125 + if err != nil { 126 126 + return err 127 127 + } 128 128 + 129 129 + // TODO: break out this function in to smaller chunks 130 130 + _ = origRepo 131 131 + if _, err := repo.VerifyCommitMessage(ctx, evt); err != nil { 132 132 + logger.Warn("failed to invert commit MST", "err", err) 133 133 + } 134 134 + 135 135 + // finally less-important checks 136 136 + if evt.Rebase { 137 137 + return fmt.Errorf("deprecated rebase commit flag set") 138 138 + } 139 139 + _, err = syntax.ParseDatetime(evt.Time) 140 140 + if err != nil { 141 141 + return fmt.Errorf("commit timestamp syntax: %w", err) 142 142 + } 143 143 + return nil 144 144 + } 145 145 + 146 146 + // High-level entrypoint for verifying #sync messages. 147 147 + // 148 148 + // Always verifies: loading commit and repo; field syntax; commit signature; future rev 149 149 + // 150 150 + // Does not check: account/host matching; host-level sequence; account-level rev ordering; DID syntax 151 151 + // 152 152 + // `ident` arg may be nil (if resolution failed) 153 153 + // `hostname` arg is piped through just for logging, not for validating account/host match 154 154 + // returns an AccountRepo with empty UID, containing metadata about *this* commit 155 155 + func (r *Relay) VerifyRepoSync(ctx context.Context, evt *comatproto.SyncSubscribeRepos_Sync, ident *identity.Identity, hostname string) (*models.AccountRepo, error) { 156 156 + //logger := r.Logger.With("host", hostname, "did", evt.Did, "rev", evt.Rev) 157 157 + 158 158 + // even in lenient/legacy mode (eg, tooBig), we need to verify commit 159 159 + commit, commitCID, err := repo.LoadCommitFromCAR(ctx, bytes.NewReader(evt.Blocks)) 160 160 + if err != nil { 161 161 + return nil, err 162 162 + } 163 163 + 164 164 + if err := r.VerifyCommitObject(ctx, commit, ident, hostname); err != nil { 165 165 + return nil, err 166 166 + } 167 167 + 168 168 + // consistency between event fields and commit fields 169 169 + if evt.Did != commit.DID { 170 170 + return nil, fmt.Errorf("mismatched inner commit DID field: %s", commit.DID) 171 171 + } 172 172 + if evt.Rev != commit.Rev { 173 173 + return nil, fmt.Errorf("mismatched inner commit rev field: %s", commit.Rev) 174 174 + } 175 175 + 176 176 + resp := models.AccountRepo{ 177 177 + Rev: commit.Rev, 178 178 + CommitCID: commitCID.String(), 179 179 + CommitData: commit.Data.String(), 180 180 + } 181 181 + return &resp, nil 182 182 + }

+2 -2

cmd/rerelay/testing/runner.go

reviewed

··· 35 35 relayConfig := relay.DefaultRelayConfig() 36 36 relayConfig.SSL = false 37 37 relayConfig.SkipAccountHostCheck = true 38 38 + relayConfig.LenientSyncValidation = true 38 39 39 40 db, err := cliutil.SetupDatabase("sqlite://:memory:", 40) 40 41 if err != nil { ··· 46 47 if err != nil { 47 48 panic(err) 48 49 } 49 49 - vldtr := relay.NewValidator(dir) 50 50 evtman := eventmgr.NewEventManager(persister) 51 51 52 52 - r, err := relay.NewRelay(db, vldtr, evtman, dir, relayConfig) 52 52 + r, err := relay.NewRelay(db, evtman, dir, relayConfig) 53 53 if err != nil { 54 54 panic(err) 55 55 }