store signing keys as ids

dholms · dholms · commit 6cd885f63709 · 2024-03-08T19:33:45.000-06:00
diff --git a/packages/ozone/src/context.ts b/packages/ozone/src/context.ts
@@ -16,6 +16,7 @@ import {
 } from './communication-service/template'
 import { AuthVerifier } from './auth-verifier'
 import { ImageInvalidator } from './image-invalidator'
+import { getSigningKeyId } from './util'
 
 export type AppContextOptions = {
   db: Database
@@ -48,6 +49,7 @@ export class AppContext {
       poolIdleTimeoutMs: cfg.db.poolIdleTimeoutMs,
     })
     const signingKey = await Secp256k1Keypair.import(secrets.signingKeyHex)
+    const signingKeyId = await getSigningKeyId(db, signingKey.did())
     const appviewAgent = new AtpAgent({ service: cfg.appview.url })
     const pdsAgent = cfg.pds
       ? new AtpAgent({ service: cfg.pds.url })
@@ -72,6 +74,7 @@ export class AppContext {
 
     const modService = ModerationService.creator(
       signingKey,
+      signingKeyId,
       cfg,
       backgroundQueue,
       idResolver,
@@ -195,5 +198,4 @@ export class AppContext {
     }
   }
 }
-
 export default AppContext
diff --git a/packages/ozone/src/daemon/context.ts b/packages/ozone/src/daemon/context.ts
@@ -8,6 +8,7 @@ import { EventReverser } from './event-reverser'
 import { ModerationService, ModerationServiceCreator } from '../mod-service'
 import { BackgroundQueue } from '../background'
 import { IdResolver } from '@atproto/identity'
+import { getSigningKeyId } from '../util'
 
 export type DaemonContextOptions = {
   db: Database
@@ -31,6 +32,7 @@ export class DaemonContext {
       schema: cfg.db.postgresSchema,
     })
     const signingKey = await Secp256k1Keypair.import(secrets.signingKeyHex)
+    const signingKeyId = await getSigningKeyId(db, signingKey.did())
 
     const appviewAgent = new AtpAgent({ service: cfg.appview.url })
     const createAuthHeaders = (aud: string) =>
@@ -52,6 +54,7 @@ export class DaemonContext {
 
     const modService = ModerationService.creator(
       signingKey,
+      signingKeyId,
       cfg,
       backgroundQueue,
       idResolver,
diff --git a/packages/ozone/src/db/migrations/20240228T003647759Z-add-label-sigs.ts b/packages/ozone/src/db/migrations/20240228T003647759Z-add-label-sigs.ts
@@ -7,11 +7,17 @@ export async function up(db: Kysely<unknown>): Promise<void> {
     .execute()
   await db.schema
     .alterTable('label')
-    .addColumn('signingKey', 'varchar')
+    .addColumn('signingKeyId', 'integer')
+    .execute()
+  await db.schema
+    .createTable('signing_key')
+    .addColumn('id', 'serial', (col) => col.primaryKey())
+    .addColumn('key', 'varchar', (col) => col.notNull().unique())
     .execute()
 }
 
 export async function down(db: Kysely<unknown>): Promise<void> {
+  await db.schema.dropTable('signing_key')
   await db.schema.alterTable('label').dropColumn('sig').execute()
   await db.schema.alterTable('label').dropColumn('signingKey').execute()
 }
diff --git a/packages/ozone/src/db/schema/index.ts b/packages/ozone/src/db/schema/index.ts
@@ -5,11 +5,13 @@ import * as repoPushEvent from './repo_push_event'
 import * as recordPushEvent from './record_push_event'
 import * as blobPushEvent from './blob_push_event'
 import * as label from './label'
+import * as signingKey from './signing_key'
 import * as communicationTemplate from './communication_template'
 
 export type DatabaseSchemaType = modEvent.PartialDB &
   modSubjectStatus.PartialDB &
   label.PartialDB &
+  signingKey.PartialDB &
   repoPushEvent.PartialDB &
   recordPushEvent.PartialDB &
   blobPushEvent.PartialDB &
diff --git a/packages/ozone/src/db/schema/label.ts b/packages/ozone/src/db/schema/label.ts
@@ -11,7 +11,7 @@ export interface Label {
   neg: boolean
   cts: string
   sig: Buffer | null
-  signingKey: string | null
+  signingKeyId: number | null
 }
 
 export type LabelRow = Selectable<Label>
diff --git a/packages/ozone/src/db/schema/signing_key.ts b/packages/ozone/src/db/schema/signing_key.ts
@@ -0,0 +1,10 @@
+import { Generated } from 'kysely'
+
+export const tableName = 'signing_key'
+
+export interface SigningKey {
+  id: Generated<number>
+  key: string
+}
+
+export type PartialDB = { [tableName]: SigningKey }
diff --git a/packages/ozone/src/mod-service/index.ts b/packages/ozone/src/mod-service/index.ts
@@ -58,6 +58,7 @@ export class ModerationService {
   constructor(
     public db: Database,
     public signingKey: Keypair,
+    public signingKeyId: number,
     public cfg: OzoneConfig,
     public backgroundQueue: BackgroundQueue,
     public idResolver: IdResolver,
@@ -69,6 +70,7 @@ export class ModerationService {
 
   static creator(
     signingKey: Keypair,
+    signingKeyId: number,
     cfg: OzoneConfig,
     backgroundQueue: BackgroundQueue,
     idResolver: IdResolver,
@@ -81,6 +83,7 @@ export class ModerationService {
       new ModerationService(
         db,
         signingKey,
+        signingKeyId,
         cfg,
         backgroundQueue,
         idResolver,
@@ -91,8 +94,12 @@ export class ModerationService {
       )
   }
 
-  views = new ModerationViews(this.db, this.signingKey, this.appviewAgent, () =>
-    this.createAuthHeaders(this.cfg.appview.did),
+  views = new ModerationViews(
+    this.db,
+    this.signingKey,
+    this.signingKeyId,
+    this.appviewAgent,
+    () => this.createAuthHeaders(this.cfg.appview.did),
   )
 
   async getEvent(id: number): Promise<ModerationEventRow | undefined> {
@@ -898,8 +905,7 @@ export class ModerationService {
     const signedLabels = await Promise.all(
       labels.map((l) => signLabel(l, this.signingKey)),
     )
-    const signingKey = this.signingKey.did()
-    const dbVals = signedLabels.map((l) => formatLabelRow(l, signingKey))
+    const dbVals = signedLabels.map((l) => formatLabelRow(l, this.signingKeyId))
     const { ref } = this.db.db.dynamic
     await sql`notify ${ref(LabelChannel)}`.execute(this.db.db)
     const excluded = (col: string) => ref(`excluded.${col}`)
diff --git a/packages/ozone/src/mod-service/util.ts b/packages/ozone/src/mod-service/util.ts
@@ -20,7 +20,7 @@ export const formatLabel = (row: LabelRow): Label => {
 
 export const formatLabelRow = (
   label: Label,
-  signingKey?: string,
+  signingKeyId?: number,
 ): Omit<LabelRow, 'id'> => {
   return {
     src: label.src,
@@ -30,7 +30,7 @@ export const formatLabelRow = (
     neg: !!label.neg,
     cts: label.cts,
     sig: label.sig ? Buffer.from(label.sig) : null,
-    signingKey: signingKey ?? null,
+    signingKeyId: signingKeyId ?? null,
   }
 }
 
diff --git a/packages/ozone/src/mod-service/views.ts b/packages/ozone/src/mod-service/views.ts
@@ -40,6 +40,7 @@ export class ModerationViews {
   constructor(
     private db: Database,
     private signingKey: Keypair,
+    private signingKeyId: number,
     private appviewAgent: AtpAgent,
     private appviewAuth: () => Promise<AuthHeaders>,
   ) {}
@@ -419,16 +420,15 @@ export class ModerationViews {
   }
 
   async formatLabelAndEnsureSig(row: LabelRow) {
-    const signingKey = this.signingKey.did()
     const formatted = formatLabel(row)
-    if (!!row.sig && row.signingKey === signingKey) {
+    if (!!row.sig && row.signingKeyId === this.signingKeyId) {
       return formatted
     }
     const signed = await signLabel(formatted, this.signingKey)
     try {
       await this.db.db
         .updateTable('label')
-        .set({ sig: Buffer.from(signed.sig), signingKey })
+        .set({ sig: Buffer.from(signed.sig), signingKeyId: this.signingKeyId })
         .where('id', '=', row.id)
         .execute()
     } catch (err) {
diff --git a/packages/ozone/src/util.ts b/packages/ozone/src/util.ts
@@ -1,6 +1,27 @@
 import { AxiosError } from 'axios'
 import { XRPCError, ResponseType } from '@atproto/xrpc'
 import { RetryOptions, retry } from '@atproto/common'
+import Database from './db'
+
+export const getSigningKeyId = async (
+  db: Database,
+  signingKey: string,
+): Promise<number> => {
+  const selectRes = await db.db
+    .selectFrom('signing_key')
+    .selectAll()
+    .where('key', '=', signingKey)
+    .executeTakeFirst()
+  if (selectRes) {
+    return selectRes.id
+  }
+  const insertRes = await db.db
+    .insertInto('signing_key')
+    .values({ key: signingKey })
+    .returningAll()
+    .executeTakeFirstOrThrow()
+  return insertRes.id
+}
 
 export async function retryHttp<T>(
   fn: () => Promise<T>,
diff --git a/packages/ozone/tests/query-labels.test.ts b/packages/ozone/tests/query-labels.test.ts
@@ -10,6 +10,7 @@ import {
   OutputSchema as LabelMessage,
   isLabels,
 } from '../src/lexicon/types/com/atproto/label/subscribeLabels'
+import { getSigningKeyId } from '../src/util'
 
 describe('ozone query labels', () => {
   let network: TestNetwork
@@ -154,9 +155,11 @@ describe('ozone query labels', () => {
 
     const modSrvc = ctx.modService(ctx.db)
     const newSigningKey = await Secp256k1Keypair.create()
+    const newSigningKeyId = await getSigningKeyId(ctx.db, newSigningKey.did())
     ctx.devOverride({
       modService: ModerationService.creator(
         newSigningKey,
+        newSigningKeyId,
         ctx.cfg,
         modSrvc.backgroundQueue,
         ctx.idResolver,
@@ -186,7 +189,7 @@ describe('ozone query labels', () => {
     await network.ozone.processAll()
 
     const fromDb = await ctx.db.db.selectFrom('label').selectAll().execute()
-    expect(fromDb.every((row) => row.signingKey === newSigningKey.did())).toBe(
+    expect(fromDb.every((row) => row.signingKeyId === newSigningKeyId)).toBe(
       true,
     )
 

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ export interface Label {`
`11`	`11`	`neg: boolean`
`12`	`12`	`cts: string`
`13`	`13`	`sig: Buffer \| null`
`14`		`- signingKey: string \| null`
	`14`	`+ signingKeyId: number \| null`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`export type LabelRow = Selectable<Label>`