2020-02-13 17:27:33 +00:00
|
|
|
// Copyright 2017-2018 New Vector Ltd
|
|
|
|
// Copyright 2019-2020 The Matrix.org Foundation C.I.C.
|
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
package sqlite3
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"database/sql"
|
2020-09-14 15:39:38 +00:00
|
|
|
"fmt"
|
2020-02-13 17:27:33 +00:00
|
|
|
|
2020-06-12 13:55:57 +00:00
|
|
|
"github.com/matrix-org/dendrite/internal/sqlutil"
|
2020-02-13 17:27:33 +00:00
|
|
|
"github.com/matrix-org/gomatrixserverlib"
|
2023-04-19 14:50:33 +00:00
|
|
|
"github.com/matrix-org/gomatrixserverlib/spec"
|
2020-02-13 17:27:33 +00:00
|
|
|
)
|
|
|
|
|
2021-11-24 10:45:23 +00:00
|
|
|
const serverSigningKeysSchema = `
|
2020-02-13 17:27:33 +00:00
|
|
|
-- A cache of signing keys downloaded from remote servers.
|
|
|
|
CREATE TABLE IF NOT EXISTS keydb_server_keys (
|
|
|
|
-- The name of the matrix server the key is for.
|
|
|
|
server_name TEXT NOT NULL,
|
|
|
|
-- The ID of the server key.
|
|
|
|
server_key_id TEXT NOT NULL,
|
|
|
|
-- Combined server name and key ID separated by the ASCII unit separator
|
|
|
|
-- to make it easier to run bulk queries.
|
|
|
|
server_name_and_key_id TEXT NOT NULL,
|
|
|
|
-- When the key is valid until as a millisecond timestamp.
|
|
|
|
-- 0 if this is an expired key (in which case expired_ts will be non-zero)
|
|
|
|
valid_until_ts BIGINT NOT NULL,
|
|
|
|
-- When the key expired as a millisecond timestamp.
|
|
|
|
-- 0 if this is an active key (in which case valid_until_ts will be non-zero)
|
|
|
|
expired_ts BIGINT NOT NULL,
|
|
|
|
-- The base64-encoded public key.
|
|
|
|
server_key TEXT NOT NULL,
|
|
|
|
UNIQUE (server_name, server_key_id)
|
|
|
|
);
|
|
|
|
|
|
|
|
CREATE INDEX IF NOT EXISTS keydb_server_name_and_key_id ON keydb_server_keys (server_name_and_key_id);
|
|
|
|
`
|
|
|
|
|
2021-11-24 10:45:23 +00:00
|
|
|
const bulkSelectServerSigningKeysSQL = "" +
|
2020-02-13 17:27:33 +00:00
|
|
|
"SELECT server_name, server_key_id, valid_until_ts, expired_ts, " +
|
|
|
|
" server_key FROM keydb_server_keys" +
|
|
|
|
" WHERE server_name_and_key_id IN ($1)"
|
|
|
|
|
2021-11-24 10:45:23 +00:00
|
|
|
const upsertServerSigningKeysSQL = "" +
|
2020-02-13 17:27:33 +00:00
|
|
|
"INSERT INTO keydb_server_keys (server_name, server_key_id," +
|
|
|
|
" server_name_and_key_id, valid_until_ts, expired_ts, server_key)" +
|
|
|
|
" VALUES ($1, $2, $3, $4, $5, $6)" +
|
|
|
|
" ON CONFLICT (server_name, server_key_id)" +
|
|
|
|
" DO UPDATE SET valid_until_ts = $4, expired_ts = $5, server_key = $6"
|
|
|
|
|
2021-11-24 10:45:23 +00:00
|
|
|
type serverSigningKeyStatements struct {
|
Add peer-to-peer support into Dendrite via libp2p and fetch (#880)
* Use a fork of pq which supports userCurrent on wasm
* Use sqlite3_js driver when running in JS
* Add cmd/dendritejs to pull in sqlite3_js driver for wasm only
* Update to latest go-sqlite-js version
* Replace prometheus with a stub. sigh
* Hard-code a config and don't use opentracing
* Latest go-sqlite3-js version
* Generate a key for now
* Listen for fetch traffic rather than HTTP
* Latest hacks for js
* libp2p support
* More libp2p
* Fork gjson to allow us to enforce auth checks as before
Previously, all events would come down redacted because the hash
checks would fail. They would fail because sjson.DeleteBytes didn't
remove keys not used for hashing. This didn't work because of a build
tag which included a file which no-oped the index returned.
See https://github.com/tidwall/gjson/issues/157
When it's resolved, let's go back to mainline.
* Use gjson@1.6.0 as it fixes https://github.com/tidwall/gjson/issues/157
* Use latest gomatrixserverlib for sig checks
* Fix a bug which could cause exclude_from_sync to not be set
Caused when sending events over federation.
* Use query variadic to make lookups actually work!
* Latest gomatrixserverlib
* Add notes on getting p2p up and running
Partly so I don't forget myself!
* refactor: Move p2p specific stuff to cmd/dendritejs
This is important or else the normal build of dendrite will fail
because the p2p libraries depend on syscall/js which doesn't work
on normal builds.
Also, clean up main.go to read a bit better.
* Update ho-http-js-libp2p to return errors from RoundTrip
* Add an LRU cache around the key DB
We actually need this for P2P because otherwise we can *segfault*
with things like: "runtime: unexpected return pc for runtime.handleEvent"
where the event is a `syscall/js` event, caused by spamming sql.js
caused by "Checking event signatures for 14 events of room state" which
hammers the key DB repeatedly in quick succession.
Using a cache fixes this, though the underlying cause is probably a bug
in the version of Go I'm on (1.13.7)
* breaking: Add Tracing.Enabled to toggle whether we do opentracing
Defaults to false, which is why this is a breaking change. We need
this flag because WASM builds cannot do opentracing.
* Start adding conditional builds for wasm to handle lib/pq
The general idea here is to have the wasm build have a `NewXXXDatabase`
that doesn't import any postgres package and hence we never import
`lib/pq`, which doesn't work under WASM (undefined `userCurrent`).
* Remove lib/pq for wasm for syncapi
* Add conditional building to remaining storage APIs
* Update build script to set env vars correctly for dendritejs
* sqlite bug fixes
* Docs
* Add a no-op main for dendritejs when not building under wasm
* Use the real prometheus, even for WASM
Instead, the dendrite-sw.js must mock out `process.pid` and
`fs.stat` - which must invoke the callback with an error (e.g `EINVAL`)
in order for it to work:
```
global.process = {
pid: 1,
};
global.fs.stat = function(path, cb) {
cb({
code: "EINVAL",
});
}
```
* Linting
2020-03-06 10:23:55 +00:00
|
|
|
db *sql.DB
|
2020-02-13 17:27:33 +00:00
|
|
|
bulkSelectServerKeysStmt *sql.Stmt
|
|
|
|
upsertServerKeysStmt *sql.Stmt
|
|
|
|
}
|
|
|
|
|
2021-11-24 10:45:23 +00:00
|
|
|
func NewSQLiteServerSigningKeysTable(db *sql.DB) (s *serverSigningKeyStatements, err error) {
|
|
|
|
s = &serverSigningKeyStatements{
|
|
|
|
db: db,
|
|
|
|
}
|
|
|
|
_, err = db.Exec(serverSigningKeysSchema)
|
2020-02-13 17:27:33 +00:00
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
2023-03-23 12:52:53 +00:00
|
|
|
return s, sqlutil.StatementList{
|
|
|
|
{&s.bulkSelectServerKeysStmt, bulkSelectServerSigningKeysSQL},
|
|
|
|
{&s.upsertServerKeysStmt, upsertServerSigningKeysSQL},
|
|
|
|
}.Prepare(db)
|
2020-02-13 17:27:33 +00:00
|
|
|
}
|
|
|
|
|
2021-11-24 10:45:23 +00:00
|
|
|
func (s *serverSigningKeyStatements) BulkSelectServerKeys(
|
|
|
|
ctx context.Context, txn *sql.Tx,
|
2023-04-19 14:50:33 +00:00
|
|
|
requests map[gomatrixserverlib.PublicKeyLookupRequest]spec.Timestamp,
|
2020-02-13 17:27:33 +00:00
|
|
|
) (map[gomatrixserverlib.PublicKeyLookupRequest]gomatrixserverlib.PublicKeyLookupResult, error) {
|
2020-09-14 15:39:38 +00:00
|
|
|
nameAndKeyIDs := make([]string, 0, len(requests))
|
2020-02-13 17:27:33 +00:00
|
|
|
for request := range requests {
|
|
|
|
nameAndKeyIDs = append(nameAndKeyIDs, nameAndKeyID(request))
|
|
|
|
}
|
2020-09-14 15:39:38 +00:00
|
|
|
results := make(map[gomatrixserverlib.PublicKeyLookupRequest]gomatrixserverlib.PublicKeyLookupResult, len(requests))
|
Add peer-to-peer support into Dendrite via libp2p and fetch (#880)
* Use a fork of pq which supports userCurrent on wasm
* Use sqlite3_js driver when running in JS
* Add cmd/dendritejs to pull in sqlite3_js driver for wasm only
* Update to latest go-sqlite-js version
* Replace prometheus with a stub. sigh
* Hard-code a config and don't use opentracing
* Latest go-sqlite3-js version
* Generate a key for now
* Listen for fetch traffic rather than HTTP
* Latest hacks for js
* libp2p support
* More libp2p
* Fork gjson to allow us to enforce auth checks as before
Previously, all events would come down redacted because the hash
checks would fail. They would fail because sjson.DeleteBytes didn't
remove keys not used for hashing. This didn't work because of a build
tag which included a file which no-oped the index returned.
See https://github.com/tidwall/gjson/issues/157
When it's resolved, let's go back to mainline.
* Use gjson@1.6.0 as it fixes https://github.com/tidwall/gjson/issues/157
* Use latest gomatrixserverlib for sig checks
* Fix a bug which could cause exclude_from_sync to not be set
Caused when sending events over federation.
* Use query variadic to make lookups actually work!
* Latest gomatrixserverlib
* Add notes on getting p2p up and running
Partly so I don't forget myself!
* refactor: Move p2p specific stuff to cmd/dendritejs
This is important or else the normal build of dendrite will fail
because the p2p libraries depend on syscall/js which doesn't work
on normal builds.
Also, clean up main.go to read a bit better.
* Update ho-http-js-libp2p to return errors from RoundTrip
* Add an LRU cache around the key DB
We actually need this for P2P because otherwise we can *segfault*
with things like: "runtime: unexpected return pc for runtime.handleEvent"
where the event is a `syscall/js` event, caused by spamming sql.js
caused by "Checking event signatures for 14 events of room state" which
hammers the key DB repeatedly in quick succession.
Using a cache fixes this, though the underlying cause is probably a bug
in the version of Go I'm on (1.13.7)
* breaking: Add Tracing.Enabled to toggle whether we do opentracing
Defaults to false, which is why this is a breaking change. We need
this flag because WASM builds cannot do opentracing.
* Start adding conditional builds for wasm to handle lib/pq
The general idea here is to have the wasm build have a `NewXXXDatabase`
that doesn't import any postgres package and hence we never import
`lib/pq`, which doesn't work under WASM (undefined `userCurrent`).
* Remove lib/pq for wasm for syncapi
* Add conditional building to remaining storage APIs
* Update build script to set env vars correctly for dendritejs
* sqlite bug fixes
* Docs
* Add a no-op main for dendritejs when not building under wasm
* Use the real prometheus, even for WASM
Instead, the dendrite-sw.js must mock out `process.pid` and
`fs.stat` - which must invoke the callback with an error (e.g `EINVAL`)
in order for it to work:
```
global.process = {
pid: 1,
};
global.fs.stat = function(path, cb) {
cb({
code: "EINVAL",
});
}
```
* Linting
2020-03-06 10:23:55 +00:00
|
|
|
iKeyIDs := make([]interface{}, len(nameAndKeyIDs))
|
|
|
|
for i, v := range nameAndKeyIDs {
|
|
|
|
iKeyIDs[i] = v
|
|
|
|
}
|
|
|
|
|
2020-09-14 15:39:38 +00:00
|
|
|
err := sqlutil.RunLimitedVariablesQuery(
|
2021-11-24 10:45:23 +00:00
|
|
|
ctx, bulkSelectServerSigningKeysSQL, s.db, iKeyIDs, sqlutil.SQLite3MaxVariables,
|
2020-09-14 15:39:38 +00:00
|
|
|
func(rows *sql.Rows) error {
|
2023-11-22 12:05:24 +00:00
|
|
|
var serverName string
|
|
|
|
var keyID string
|
|
|
|
var key string
|
|
|
|
var validUntilTS int64
|
|
|
|
var expiredTS int64
|
|
|
|
var vk gomatrixserverlib.VerifyKey
|
2020-09-14 15:39:38 +00:00
|
|
|
for rows.Next() {
|
|
|
|
if err := rows.Scan(&serverName, &keyID, &validUntilTS, &expiredTS, &key); err != nil {
|
|
|
|
return fmt.Errorf("bulkSelectServerKeys: %v", err)
|
|
|
|
}
|
|
|
|
r := gomatrixserverlib.PublicKeyLookupRequest{
|
2023-04-19 14:50:33 +00:00
|
|
|
ServerName: spec.ServerName(serverName),
|
2020-09-14 15:39:38 +00:00
|
|
|
KeyID: gomatrixserverlib.KeyID(keyID),
|
|
|
|
}
|
|
|
|
err := vk.Key.Decode(key)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("bulkSelectServerKeys: %v", err)
|
|
|
|
}
|
|
|
|
results[r] = gomatrixserverlib.PublicKeyLookupResult{
|
|
|
|
VerifyKey: vk,
|
2023-04-19 14:50:33 +00:00
|
|
|
ValidUntilTS: spec.Timestamp(validUntilTS),
|
|
|
|
ExpiredTS: spec.Timestamp(expiredTS),
|
2020-09-14 15:39:38 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
},
|
|
|
|
)
|
|
|
|
|
2020-02-13 17:27:33 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return results, nil
|
|
|
|
}
|
|
|
|
|
2021-11-24 10:45:23 +00:00
|
|
|
func (s *serverSigningKeyStatements) UpsertServerKeys(
|
|
|
|
ctx context.Context, txn *sql.Tx,
|
2020-02-13 17:27:33 +00:00
|
|
|
request gomatrixserverlib.PublicKeyLookupRequest,
|
|
|
|
key gomatrixserverlib.PublicKeyLookupResult,
|
|
|
|
) error {
|
2021-11-24 10:45:23 +00:00
|
|
|
stmt := sqlutil.TxStmt(txn, s.upsertServerKeysStmt)
|
|
|
|
_, err := stmt.ExecContext(
|
|
|
|
ctx,
|
|
|
|
string(request.ServerName),
|
|
|
|
string(request.KeyID),
|
|
|
|
nameAndKeyID(request),
|
|
|
|
key.ValidUntilTS,
|
|
|
|
key.ExpiredTS,
|
|
|
|
key.Key.Encode(),
|
|
|
|
)
|
|
|
|
return err
|
2020-02-13 17:27:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func nameAndKeyID(request gomatrixserverlib.PublicKeyLookupRequest) string {
|
|
|
|
return string(request.ServerName) + "\x1F" + string(request.KeyID)
|
|
|
|
}
|