signing_key: ensure only one key per user exists

Fixes: AkkomaGang/akkoma issue 858
2025-01-11 21:25:00 +01:00 · 2025-01-11 21:25:00 +01:00 · ea2de1f28a
commit ea2de1f28a
parent 2a4587f201
2 changed files with 47 additions and 2 deletions
--- a/lib/pleroma/user/signing_key.ex
+++ b/lib/pleroma/user/signing_key.ex
@ -201,13 +201,22 @@ def fetch_remote_key(key_id) do
         {:ok, user} <- User.get_or_fetch_by_ap_id(ap_id) do
      Logger.debug("Fetched remote key: #{ap_id}")
      # store the key
-      key = %__MODULE__{
+      key = %{
        user_id: user.id,
        public_key: public_key_pem,
        key_id: key_id
      }

-      Repo.insert(key, on_conflict: :replace_all, conflict_target: :key_id)
+      key_cs =
+        cast(%__MODULE__{}, key, [:user_id, :public_key, :key_id])
+        |> unique_constraint(:user_id)
+
+      Repo.insert(key_cs,
+        # while this should never run for local users anyway, etc make sure we really never loose privkey info!
+        on_conflict: {:replace_all_except, [:inserted_at, :private_key]},
+        # if the key owner overlaps with a distinct existing key entry, this intetionally still errros
+        conflict_target: :key_id
+      )
    else
      e ->
        Logger.debug("Failed to fetch remote key: #{inspect(e)}")
--- a/priv/repo/migrations/20250112000001_signing_key_unique_user_id.exs
+++ b/priv/repo/migrations/20250112000001_signing_key_unique_user_id.exs
@ -0,0 +1,36 @@
+defmodule Pleroma.Repo.Migrations.SigningKeyUniqueUserId do
+  use Ecto.Migration
+
+  import Ecto.Query
+
+  def up() do
+    # If dupes exists for any local user we do NOT want to delete the genuine privkey alongside the fake.
+    # Instead just filter out anything pertaining to local users, if dupes exists manual intervention
+    # is required anyway and index creation will just fail later (check against legacy field in users table)
+    dupes =
+      Pleroma.User.SigningKey
+      |> join(:inner, [s], u in Pleroma.User, on: s.user_id == u.id)
+      |> group_by([s], s.user_id)
+      |> having([], count() > 1)
+      |> having([_s, u], not fragment("bool_or(?)", u.local))
+      |> select([s], s.user_id)
+
+    # Delete existing remote duplicates
+    # they’ll be reinserted on the next user update
+    # or proactively fetched when receiving a signature from it
+    Pleroma.User.SigningKey
+    |> where([s], s.user_id in subquery(dupes))
+    |> Pleroma.Repo.delete_all()
+
+    drop_if_exists(index(:signing_keys, [:user_id]))
+
+    create_if_not_exists(
+      index(:signing_keys, [:user_id], name: :signing_keys_user_id_index, unique: true)
+    )
+  end
+
+  def down() do
+    drop_if_exists(index(:signing_keys, [:user_id]))
+    create_if_not_exists(index(:signing_keys, [:user_id], name: :signing_keys_user_id_index))
+  end
+end