Merge branch 'master' into live

Reviewed-on: #214

Gemfile

@@ -44,6 +44,8 @@ gem 'pagy', '~> 6.0', '>= 6.0.2'
 gem 'flipper'
 gem 'flipper-active_record'
 gem 'flipper-ui'
+gem 'gpgme', '~> 2.0.24'
+gem 'zbase32', '~> 0.1.1'
 
 # HTTP requests
 gem 'faraday'

Gemfile.lock

@@ -197,6 +197,8 @@ GEM
       raabro (~> 1.4)
     globalid (1.2.1)
       activesupport (>= 6.1)
+    gpgme (2.0.24)
+      mini_portile2 (~> 2.7)
     hashdiff (1.1.0)
     i18n (1.14.1)
       concurrent-ruby (~> 1.0)
@@ -483,6 +485,7 @@ GEM
     xpath (3.2.0)
       nokogiri (~> 1.8)
     yard (0.9.34)
+    zbase32 (0.1.1)
     zeitwerk (2.6.12)
 
 PLATFORMS
@@ -507,6 +510,7 @@ DEPENDENCIES
   flipper
   flipper-active_record
   flipper-ui
+  gpgme (~> 2.0.24)
   image_processing (~> 1.12.2)
   importmap-rails
   jbuilder (~> 2.7)
@@ -540,6 +544,7 @@ DEPENDENCIES
   warden
   web-console (~> 4.2)
   webmock
+  zbase32 (~> 0.1.1)
 
 BUNDLED WITH
    2.5.5

app/controllers/admin/users_controller.rb

@@ -30,7 +30,7 @@ class Admin::UsersController < Admin::BaseController
     amount = params[:amount].to_i
     notify_user = ActiveRecord::Type::Boolean.new.cast(params[:notify_user])
 
-    CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
+    UserManager::CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
 
     redirect_to admin_user_path(@user.cn), flash: {
       success: "Added #{amount} invitations to #{@user.cn}'s account"

app/controllers/settings_controller.rb

@@ -21,10 +21,12 @@ class SettingsController < ApplicationController
     end
   end
 
+  # PUT /settings/:section
   def update
     @user.preferences.merge!(user_params[:preferences] || {})
     @user.display_name = user_params[:display_name]
-    @user.avatar_new = user_params[:avatar]
+    @user.avatar_new   = user_params[:avatar]
+    @user.pgp_pubkey   = user_params[:pgp_pubkey]
 
     if @user.save
       if @user.display_name && (@user.display_name != @user.ldap_entry[:display_name])
@@ -35,6 +37,10 @@ class SettingsController < ApplicationController
         LdapManager::UpdateAvatar.call(dn: @user.dn, file: @user.avatar_new)
       end
 
+      if @user.pgp_pubkey && (@user.pgp_pubkey != @user.ldap_entry[:pgp_key])
+        UserManager::UpdatePgpKey.call(user: @user)
+      end
+
       redirect_to setting_path(@settings_section), flash: {
         success: 'Settings saved.'
       }
@@ -44,6 +50,7 @@ class SettingsController < ApplicationController
     end
   end
 
+  # POST /settings/update_email
   def update_email
     if @user.valid_ldap_authentication?(security_params[:current_password])
       if @user.update email: email_params[:email]
@@ -61,6 +68,7 @@ class SettingsController < ApplicationController
     end
   end
 
+  # POST /settings/reset_email_password
   def reset_email_password
     @user.current_password = security_params[:current_password]
 
@@ -83,6 +91,7 @@ class SettingsController < ApplicationController
     end
   end
 
+  # POST /settings/reset_password
   def reset_password
     current_user.send_reset_password_instructions
     sign_out current_user
@@ -90,6 +99,7 @@ class SettingsController < ApplicationController
     redirect_to check_your_email_path, notice: msg
   end
 
+  # POST /settings/set_nostr_pubkey
   def set_nostr_pubkey
     signed_event = Nostr::Event.new(**nostr_event_from_params)
 
@@ -152,7 +162,8 @@ class SettingsController < ApplicationController
 
     def user_params
       params.require(:user).permit(
-        :display_name, :avatar, preferences: UserPreferences.pref_keys
+        :display_name, :avatar, :pgp_pubkey,
+        preferences: UserPreferences.pref_keys
       )
     end
 

app/controllers/signup_controller.rb

@@ -96,7 +96,7 @@ class SignupController < ApplicationController
     session[:new_user] = nil
     session[:validation_error] = nil
 
-    CreateAccount.call(account: {
+    UserManager::CreateAccount.call(account: {
       username: @user.cn,
       domain: Setting.primary_domain,
       email: @user.email,

app/controllers/web_key_directory_controller.rb

@@ -0,0 +1,35 @@
+class WebKeyDirectoryController < WellKnownController
+  before_action :allow_cross_origin_requests
+
+  # /.well-known/openpgpkey/hu/:hashed_username(.txt)
+  def show
+    @user = User.find_by(cn: params[:l].downcase)
+
+    if @user.nil? ||
+       @user.pgp_pubkey.blank? ||
+       !@user.pgp_pubkey_contains_user_address?
+      http_status :not_found and return
+    end
+
+    if params[:hashed_username] != @user.wkd_hash
+      http_status :unprocessable_entity and return
+    end
+
+    respond_to do |format|
+      format.text do
+        response.headers['Content-Type'] = 'text/plain'
+        render plain: @user.pgp_pubkey
+      end
+
+      format.any do
+        key = @user.gnupg_key.export
+        send_data key, filename: "#{@user.wkd_hash}.pem",
+                       type: "application/octet-stream"
+      end
+    end
+  end
+
+  def policy
+    head :ok
+  end
+end

app/mailers/application_mailer.rb

@@ -1,3 +1,90 @@
 class ApplicationMailer < ActionMailer::Base
+  default Rails.application.config.action_mailer.default_options
   layout 'mailer'
+
+  private
+
+    def send_mail
+      @template ||= "#{self.class.name.underscore}/#{caller[0][/`([^']*)'/, 1]}"
+      headers['Message-ID'] = message_id
+
+      if @user.pgp_pubkey.present?
+        mail(to: @user.email, subject: "...", content_type: pgp_content_type) do |format|
+          format.text { render plain: pgp_content }
+        end
+      else
+        mail(to: @user.email, subject: @subject) do |format|
+          format.text { render @template }
+        end
+      end
+    end
+
+    def from_address
+      self.class.default[:from]
+    end
+
+    def from_domain
+      Mail::Address.new(from_address).domain
+    end
+
+    def message_id
+      @message_id ||= "#{SecureRandom.uuid}@#{from_domain}"
+    end
+
+    def boundary
+      @boundary ||= SecureRandom.hex(8)
+    end
+
+    def pgp_content_type
+      "multipart/encrypted; protocol=\"application/pgp-encrypted\"; boundary=\"------------#{boundary}\""
+    end
+
+    def pgp_nested_content
+      message_content = render_to_string(template: @template)
+      message_content_base64 = Base64.encode64(message_content)
+      nested_boundary = SecureRandom.hex(8)
+
+      <<~NESTED_CONTENT
+        Content-Type: multipart/mixed; boundary="------------#{nested_boundary}"; protected-headers="v1"
+        Subject: #{@subject}
+        From: <#{from_address}>
+        To: #{@user.display_name || @user.cn} <#{@user.email}>
+        Message-ID: <#{message_id}>
+
+        --------------#{nested_boundary}
+        Content-Type: text/plain; charset=UTF-8; format=flowed
+        Content-Transfer-Encoding: base64
+
+        #{message_content_base64}
+
+        --------------#{nested_boundary}--
+      NESTED_CONTENT
+    end
+
+    def pgp_content
+      encrypted_content = UserManager::PgpEncrypt.call(user: @user, text: pgp_nested_content)
+      encrypted_base64 = Base64.encode64(encrypted_content.to_s)
+
+      <<~EMAIL_CONTENT
+        This is an OpenPGP/MIME encrypted message (RFC 4880 and 3156)
+        --------------#{boundary}
+        Content-Type: application/pgp-encrypted
+        Content-Description: PGP/MIME version identification
+
+        Version: 1
+
+        --------------#{boundary}
+        Content-Type: application/octet-stream; name="encrypted.asc"
+        Content-Description: OpenPGP encrypted message
+        Content-Disposition: inline; filename="encrypted.asc"
+
+        -----BEGIN PGP MESSAGE-----
+
+        #{encrypted_base64}
+
+        -----END PGP MESSAGE-----
+
+        --------------#{boundary}--
+      EMAIL_CONTENT
+    end
 end

app/mailers/custom_mailer.rb

@@ -18,6 +18,6 @@ class CustomMailer < ApplicationMailer
     @user = params[:user]
     @subject = params[:subject]
     @body = params[:body]
-    mail(to: @user.email, subject: @subject)
+    send_mail
   end
 end

app/mailers/notification_mailer.rb

@@ -3,7 +3,7 @@ class NotificationMailer < ApplicationMailer
     @user = params[:user]
     @amount_sats = params[:amount_sats]
     @subject = "Sats received"
-    mail to: @user.email, subject: @subject
+    send_mail
   end
 
   def remotestorage_auth_created
@@ -15,19 +15,19 @@ class NotificationMailer < ApplicationMailer
       "#{access} #{directory}"
     end
     @subject = "New app connected to your storage"
-    mail to: @user.email, subject: @subject
+    send_mail
   end
 
   def new_invitations_available
     @user = params[:user]
     @subject = "New invitations added to your account"
-    mail to: @user.email, subject: @subject
+    send_mail
   end
 
   def bitcoin_donation_confirmed
     @user = params[:user]
     @donation = params[:donation]
     @subject = "Donation confirmed"
-    mail to: @user.email, subject: @subject
+    send_mail
   end
 end

app/models/user.rb

@@ -3,9 +3,10 @@ require 'nostr'
 class User < ApplicationRecord
   include EmailValidatable
 
-  attr_accessor :display_name
-  attr_accessor :avatar_new
   attr_accessor :current_password
+  attr_accessor :avatar_new
+  attr_accessor :display_name
+  attr_accessor :pgp_pubkey
 
   serialize :preferences, coder: UserPreferences
 
@@ -51,6 +52,8 @@ class User < ApplicationRecord
 
   validate :acceptable_avatar
 
+  validate :acceptable_pgp_key_format, if: -> { defined?(@pgp_pubkey) && @pgp_pubkey.present? }
+
   #
   # Scopes
   #
@@ -165,6 +168,24 @@ class User < ApplicationRecord
     Nostr::PublicKey.new(nostr_pubkey).to_bech32
   end
 
+  def pgp_pubkey
+    @pgp_pubkey ||= ldap_entry[:pgp_key]
+  end
+
+  def gnupg_key
+    return nil unless pgp_pubkey.present?
+    GPGME::Key.import(pgp_pubkey)
+    GPGME::Key.get(pgp_fpr)
+  end
+
+  def pgp_pubkey_contains_user_address?
+    gnupg_key.uids.map(&:email).include?(address)
+  end
+
+  def wkd_hash
+    ZBase32.encode(Digest::SHA1.digest(cn))
+  end
+
   def avatar
     @avatar_base64 ||= LdapManager::FetchAvatar.call(cn: cn)
   end
@@ -214,4 +235,10 @@ class User < ApplicationRecord
         errors.add(:avatar, "must be a JPEG or PNG file")
       end
     end
+
+    def acceptable_pgp_key_format
+      unless GPGME::Key.valid?(pgp_pubkey)
+        errors.add(:pgp_pubkey, 'is not a valid armored PGP public key block')
+      end
+    end
 end

app/services/create_account.rb

@@ -1,54 +0,0 @@
-class CreateAccount < ApplicationService
-  def initialize(account:)
-    @username   = account[:username]
-    @domain     = account[:ou] || Setting.primary_domain
-    @email      = account[:email]
-    @password   = account[:password]
-    @invitation = account[:invitation]
-    @confirmed  = account[:confirmed]
-  end
-
-  def call
-    user = create_user_in_database
-    add_ldap_document
-    create_lndhub_account(user) if Setting.lndhub_enabled
-
-    if @invitation.present?
-      update_invitation(user.id)
-    end
-  end
-
-  private
-
-  def create_user_in_database
-    User.create!(
-      cn: @username,
-      ou: @domain,
-      email: @email,
-      password: @password,
-      password_confirmation: @password,
-      confirmed_at: @confirmed ? DateTime.now : nil
-    )
-  end
-
-  def update_invitation(user_id)
-    @invitation.update! invited_user_id: user_id, used_at: DateTime.now
-  end
-
-  def add_ldap_document
-    hashed_pw = Devise.ldap_auth_password_builder.call(@password)
-    CreateLdapUserJob.perform_later(
-      username: @username,
-      domain: @domain,
-      email: @email,
-      hashed_pw: hashed_pw,
-      confirmed: @confirmed
-    )
-  end
-
-  def create_lndhub_account(user)
-    #TODO enable in development when we have a local lndhub (mock?) API
-    return if Rails.env.development?
-    CreateLndhubAccountJob.perform_later(user)
-  end
-end

app/services/create_invitations.rb

@@ -1,17 +0,0 @@
-class CreateInvitations < ApplicationService
-  def initialize(user:, amount:, notify: true)
-    @user = user
-    @amount = amount
-    @notify = notify
-  end
-
-  def call
-    @amount.times do
-      Invitation.create(user: @user)
-    end
-
-    if @notify
-      NotificationMailer.with(user: @user).new_invitations_available.deliver_later
-    end
-  end
-end

app/services/ldap_manager/update_pgp_key.rb

@@ -0,0 +1,16 @@
+module LdapManager
+  class UpdatePgpKey < LdapManagerService
+    def initialize(dn:, pubkey:)
+      @dn = dn
+      @pubkey = pubkey
+    end
+
+    def call
+      if @pubkey.present?
+        replace_attribute @dn, :pgpKey, @pubkey
+      else
+        delete_attribute @dn, :pgpKey
+      end
+    end
+  end
+end

app/services/ldap_service.rb

@@ -58,7 +58,7 @@ class LdapService < ApplicationService
 
     attributes = %w[
       dn cn uid mail displayName admin serviceEnabled
-      mailRoutingAddress mailpassword nostrKey
+      mailRoutingAddress mailpassword nostrKey pgpKey
     ]
     filter = Net::LDAP::Filter.eq("uid", args[:uid] || "*")
 
@@ -73,7 +73,8 @@ class LdapService < ApplicationService
         services_enabled: e.try(:serviceEnabled),
         email_maildrop: e.try(:mailRoutingAddress),
         email_password: e.try(:mailpassword),
-        nostr_key: e.try(:nostrKey) ? e.nostrKey.first : nil
+        nostr_key: e.try(:nostrKey) ? e.nostrKey.first : nil,
+        pgp_key: e.try(:pgpKey) ? e.pgpKey.first : nil
       }
     end
   end
@@ -101,7 +102,7 @@ class LdapService < ApplicationService
     dn = "ou=#{ou},cn=users,#{ldap_suffix}"
 
     aci = <<-EOS
-(target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || userPassword || mail || mailRoutingAddress || serviceEnabled || nostrKey || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
+(target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || userPassword || mail || mailRoutingAddress || serviceEnabled || nostrKey || pgpKey || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
     EOS
 
     attrs = {

app/services/user_manager/create_account.rb

@@ -0,0 +1,56 @@
+module UserManager
+  class CreateAccount < UserManagerService
+    def initialize(account:)
+      @username   = account[:username]
+      @domain     = account[:ou] || Setting.primary_domain
+      @email      = account[:email]
+      @password   = account[:password]
+      @invitation = account[:invitation]
+      @confirmed  = account[:confirmed]
+    end
+
+    def call
+      user = create_user_in_database
+      add_ldap_document
+      create_lndhub_account(user) if Setting.lndhub_enabled
+
+      if @invitation.present?
+        update_invitation(user.id)
+      end
+    end
+
+    private
+
+    def create_user_in_database
+      User.create!(
+        cn: @username,
+        ou: @domain,
+        email: @email,
+        password: @password,
+        password_confirmation: @password,
+        confirmed_at: @confirmed ? DateTime.now : nil
+      )
+    end
+
+    def update_invitation(user_id)
+      @invitation.update! invited_user_id: user_id, used_at: DateTime.now
+    end
+
+    def add_ldap_document
+      hashed_pw = Devise.ldap_auth_password_builder.call(@password)
+      CreateLdapUserJob.perform_later(
+        username: @username,
+        domain: @domain,
+        email: @email,
+        hashed_pw: hashed_pw,
+        confirmed: @confirmed
+      )
+    end
+
+    def create_lndhub_account(user)
+      #TODO enable in development when we have a local lndhub (mock?) API
+      return if Rails.env.development?
+      CreateLndhubAccountJob.perform_later(user)
+    end
+  end
+end

app/services/user_manager/create_invitations.rb

@@ -0,0 +1,19 @@
+module UserManager
+  class CreateInvitations < UserManagerService
+    def initialize(user:, amount:, notify: true)
+      @user = user
+      @amount = amount
+      @notify = notify
+    end
+
+    def call
+      @amount.times do
+        Invitation.create(user: @user)
+      end
+
+      if @notify
+        NotificationMailer.with(user: @user).new_invitations_available.deliver_later
+      end
+    end
+  end
+end

app/services/user_manager/pgp_encrypt.rb

@@ -0,0 +1,19 @@
+require 'gpgme'
+
+module UserManager
+  class PgpEncrypt < UserManagerService
+    def initialize(user:, text:)
+      @user = user
+      @text = text
+    end
+
+    def call
+      crypto = GPGME::Crypto.new
+      crypto.encrypt(
+        @text,
+        recipients: @user.gnupg_key,
+        always_trust: true
+      )
+    end
+  end
+end

app/services/user_manager/update_pgp_key.rb

@@ -0,0 +1,24 @@
+module UserManager
+  class UpdatePgpKey < UserManagerService
+    def initialize(user:)
+      @user = user
+    end
+
+    def call
+      if @user.pgp_pubkey.blank?
+        @user.update! pgp_fpr: nil
+      else
+        result = GPGME::Key.import(@user.pgp_pubkey)
+
+        if result.imports.present?
+          @user.update! pgp_fpr: result.imports.first.fpr
+        else
+          # TODO notify Sentry, user
+          raise "Failed to import OpenPGP pubkey"
+        end
+      end
+
+      LdapManager::UpdatePgpKey.call(dn: @user.dn, pubkey: @user.pgp_pubkey)
+    end
+  end
+end

app/services/user_manager_service.rb

@@ -0,0 +1,2 @@
+class UserManagerService < ApplicationService
+end

app/views/admin/users/show.html.erb

@@ -89,13 +89,47 @@
     </section>
 
     <section class="sm:flex-1 sm:pt-0">
-      <% if @avatar.present? %>
+      <h3>LDAP</h3>
-      <h3>LDAP<h3>
+      <table class="divided">
-      <p>
+        <tbody>
-        <img src="data:image/jpeg;base64,<%= @avatar %>" class="h-48 w-48" />
+          <tr>
-      </p>
+            <th>Avatar</th>
-      <% end %>
+            <td>
-      <!-- <h3>Actions</h3> -->
+              <% if @avatar.present? %>
+                <img src="data:image/jpeg;base64,<%= @avatar %>" class="h-48 w-48" />
+              <% else %>
+                &mdash;
+              <% end %>
+            </td>
+          </tr>
+          <tr>
+            <th>Display name</th>
+            <td><%= @user.display_name || "—" %></td>
+          </tr>
+          <tr>
+            <th class="align-top">PGP key</th>
+            <td class="align-top leading-5">
+              <% if @user.pgp_pubkey.present? %>
+                <span class="font-mono" title="<%= @user.pgp_fpr %>">
+                  <% if @user.pgp_pubkey_contains_user_address? %>
+                    <%= link_to wkd_key_url(hashed_username: @user.wkd_hash, l: @user.cn, format: :txt),
+                      class: "ks-text-link", target: "_blank" do %>
+                      <%= "#{@user.pgp_fpr[0, 8]}…#{@user.pgp_fpr[-8..-1]}" %>
+                    <% end %>
+                  <% else %>
+                    <%= "#{@user.pgp_fpr[0, 8]}…#{@user.pgp_fpr[-8..-1]}" %>
+                  <% end %>
+                </span><br />
+                <% @user.gnupg_key.uids.each do |uid| %>
+                  <%= uid.uid %><br />
+                <% end %>
+              <% else %>
+                &mdash;
+              <% end %>
+            </td>
+          </tr>
+        </tbody>
+      </table>
     </section>
   </div>
 
@@ -205,7 +239,9 @@
             ) %>
           </td>
           <td class="text-right">
+            <% if @user.nostr_pubkey.present? %>
             <%= link_to "Open profile", "https://njump.me/#{@user.nostr_pubkey_bech32}", class: "btn-sm btn-gray" %>
+            <% end %>
           </td>
         </tr>
         <% end %>

app/views/settings/_account.html.erb

@@ -1,6 +1,6 @@
 <%= tag.section data: {
       controller: "settings--account--email",
-      "settings--account--email-validation-failed-value": @validation_errors.present?
+      "settings--account--email-validation-failed-value": @validation_errors&.[](:email)&.present?
     } do %>
   <h3>E-Mail</h3>
   <%= form_for(@user, url: update_email_settings_path, method: "post") do |f| %>
@@ -23,7 +23,7 @@
         </span>
       </button>
     </p>
-    <% if @validation_errors.present? && @validation_errors[:email].present? %>
+    <% if @validation_errors&.[](:email)&.present? %>
       <p class="error-msg"><%= @validation_errors[:email].first %></p>
     <% end %>
     <div class="initial-hidden">
@@ -41,10 +41,33 @@
 <% end %>
 <section>
   <h3>Password</h3>
-  <p class="mb-8">Use the following button to request an email with a password reset link:</p>
+  <p class="mb-6">Use the following button to request an email with a password reset link:</p>
   <%= form_with(url: reset_password_settings_path, method: :post) do %>
     <p>
       <%= submit_tag("Send me a password reset link", class: 'btn-md btn-gray w-full sm:w-auto') %>
     </p>
   <% end %>
 </section>
+<%= form_for(@user, url: setting_path(:account), html: { :method => :put }) do |f| %>
+  <section class="!pt-8 sm:!pt-12">
+    <h3>OpenPGP</h3>
+    <ul role="list">
+      <%= render FormElements::FieldsetComponent.new(
+            title: "Public key",
+            description: "Your OpenPGP public key in ASCII Armor format"
+          ) do %>
+        <%= f.text_area :pgp_pubkey,
+          value: @user.pgp_pubkey,
+          class: "h-24 w-full" %>
+        <% if @validation_errors&.[](:pgp_pubkey)&.present? %>
+          <p class="error-msg">This <%= @validation_errors[:pgp_pubkey].first %></p>
+        <% end %>
+      <% end %>
+    </ul>
+  </section>
+  <section>
+    <p class="pt-6 border-t border-gray-200 text-right">
+      <%= f.submit 'Save', class: "btn-md btn-blue w-full md:w-auto" %>
+    </p>
+  </section>
+<% end %>

app/views/settings/_email.html.erb

@@ -5,7 +5,7 @@
   <h3>E-Mail Password</h3>
   <%= form_for(@user, url: reset_email_password_settings_path, method: "post") do |f| %>
     <%= hidden_field_tag :section, "email" %>
-    <p class="mb-8">
+    <p class="mb-6">
       Use the following button to generate a new email password:
     </p>
     <p class="hidden initial-visible">

config/environments/development.rb

@@ -57,16 +57,22 @@ Rails.application.configure do
   # routes, locales, etc. This feature depends on the listen gem.
   config.file_watcher = ActiveSupport::EventedFileUpdateChecker
 
-  config.action_mailer.default_options = {
-    from: "accounts@localhost"
-  }
-
   # Don't actually send emails, cache them for viewing via letter opener
   config.action_mailer.delivery_method = :letter_opener
+
   # Don't care if the mailer can't send
   config.action_mailer.raise_delivery_errors = true
+
   # Base URL to be used by email template link helpers
-  config.action_mailer.default_url_options = { host: "localhost:3000", protocol: "http" }
+  config.action_mailer.default_url_options = {
+    host: "localhost:3000",
+    protocol: "http"
+  }
+
+  config.action_mailer.default_options = {
+    from: "accounts@localhost",
+    message_id: -> { "<#{Mail.random_tag}@localhost>" },
+  }
 
   # Allow requests from any IP
   config.web_console.permissions = '0.0.0.0/0'

config/environments/production.rb

@@ -63,7 +63,7 @@ Rails.application.configure do
   outgoing_email_domain  = Mail::Address.new(outgoing_email_address).domain
 
   config.action_mailer.default_url_options = {
-    host: ENV['AKKOUNTS_DOMAIN'],
+    host: ENV.fetch('AKKOUNTS_DOMAIN'),
     protocol: "https",
   }
 

config/environments/test.rb

@@ -46,8 +46,12 @@ Rails.application.configure do
 
   config.action_mailer.default_url_options = {
     host: "accounts.kosmos.org",
-    protocol: "https",
+    protocol: "https"
-    from: "accounts@kosmos.org"
+  }
+
+  config.action_mailer.default_options = {
+    from: "accounts@kosmos.org",
+    message_id: -> { "<#{Mail.random_tag}@kosmos.org>" },
   }
 
   config.active_job.queue_adapter = :test

config/routes.rb

@@ -70,10 +70,12 @@ Rails.application.routes.draw do
 
   get '.well-known/webfinger', to: 'webfinger#show'
   get '.well-known/nostr', to: 'well_known#nostr'
-  get '.well-known/lnurlp/:username', to: 'lnurlpay#index', as: 'lightning_address'
+  get '.well-known/lnurlp/:username', to: 'lnurlpay#index', as: :lightning_address
-  get '.well-known/keysend/:username', to: 'lnurlpay#keysend', as: 'lightning_address_keysend'
+  get '.well-known/keysend/:username', to: 'lnurlpay#keysend', as: :lightning_address_keysend
+  get '.well-known/openpgpkey/hu/:hashed_username(.:format)', to: 'web_key_directory#show', as: :wkd_key
+  get '.well-known/openpgpkey/policy', to: 'web_key_directory#policy'
 
-  get 'lnurlpay/:username/invoice', to: 'lnurlpay#invoice', as: 'lnurlpay_invoice'
+  get 'lnurlpay/:username/invoice', to: 'lnurlpay#invoice', as: :lnurlpay_invoice
 
   post 'webhooks/lndhub', to: 'webhooks#lndhub'
 

config/sidekiq.yml

@@ -1,4 +1,6 @@
 :concurrency: 2
+production:
+  :concurrency: 10
 :queues:
   - default
   - mailers

db/migrate/20240922205634_add_pgp_fpr_to_users.rb

@@ -0,0 +1,5 @@
+class AddPgpFprToUsers < ActiveRecord::Migration[7.1]
+  def change
+    add_column :users, :pgp_fpr, :string
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.1].define(version: 2024_06_07_123654) do
+ActiveRecord::Schema[7.1].define(version: 2024_09_22_205634) do
   create_table "active_storage_attachments", force: :cascade do |t|
     t.string "name", null: false
     t.string "record_type", null: false
@@ -132,6 +132,7 @@ ActiveRecord::Schema[7.1].define(version: 2024_06_07_123654) do
     t.datetime "remember_created_at"
     t.string "remember_token"
     t.text "preferences"
+    t.string "pgp_fpr"
     t.index ["email"], name: "index_users_on_email", unique: true
     t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
   end

db/seeds.rb

@@ -7,7 +7,7 @@ Sidekiq::Testing.inline! do
 
   puts "Create user: admin"
 
-  CreateAccount.call(account: {
+  UserManager::CreateAccount.call(account: {
     username: "admin", domain: "kosmos.org", email: "admin@example.com",
     password: "admin is admin", confirmed: true
   })
@@ -20,7 +20,7 @@ Sidekiq::Testing.inline! do
     email = Faker::Internet.unique.email
     next if username.length < 3
 
-    CreateAccount.call(account: {
+    UserManager::CreateAccount.call(account: {
       username: username, domain: "kosmos.org", email: email,
       password: "user is user", confirmed: true
     })

db/seeds/admin.asc

@@ -0,0 +1,13 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZvGiUxYJKwYBBAHaRw8BAQdARPZXLqyB3nylJuzuARlOJxqc9mchMKHI4Cy+
+hPWlzja0GEFkbWluIDxhZG1pbkBrb3Ntb3Mub3JnPoiZBBMWCgBBFiEE0pie1+fG
+ImdZwzGnwgEYSg8AulYFAmbxolMCGwMFCQWjmoAFCwkIBwICIgIGFQoJCAsCBBYC
+AwECHgcCF4AACgkQwgEYSg8AulaldAEA7yzh7XRCdIJDHgLUvKHsy2NnyLaDD1Tl
+hyZWbl5og0IBAJAQ2Dm82YXMdUK3X1OGlK8KH5O4E5lSFY4+8/xx0UEJuDgEZvGi
+UxIKKwYBBAGXVQEFAQEHQJc8pzzeIF7Hm5z1eseRAqGvFa+V1BIDf+1XQzuJhhxi
+AwEIB4h+BBgWCgAmFiEE0pie1+fGImdZwzGnwgEYSg8AulYFAmbxolMCGwwFCQWj
+moAACgkQwgEYSg8AulbLtgEApZvuDqSP77lrl1jmtCAJEEZk/ofsRFkf1g3U3Zhm
+9PcA/1+AbcyqjLTcqIPjHmZyGEPiaAvEsBzbPKEPiL3JYhkG
+=45sx
+-----END PGP PUBLIC KEY BLOCK-----

docker-compose.yml

@@ -111,7 +111,7 @@ services:
       - redis
 
   strfry:
-    image: gitea.kosmos.org/kosmos/strfry-deno:1.1.1
+    image: gitea.kosmos.org/kosmos/strfry-deno:2.0.0
     volumes:
       - ./docker/strfry/strfry.conf:/etc/strfry.conf
       - ./extras/strfry:/opt/strfry

docs/dev/nostr.md

@@ -0,0 +1,57 @@
+# Nostr
+
+## strfry
+
+The `extras/strfry` directory contains code to integrate [strfry][1] with
+akkounts, so that notes published to the relay have to be authored by (or in
+some cases just related to) local users who have verified their Nostr public
+key.
+
+### Requirements
+
+[Deno](https://deno.com/) needs to be installed on the machine that you run
+strfry on.
+
+We provide a Docker image with recent strfry and Deno builds:
+
+https://gitea.kosmos.org/kosmos/-/packages/container/strfry-deno/
+
+### Configuration
+
+You can use either environment variables (see e.g. the `strfry` service in
+`docker-compose-yml`) or a local `.env` file in the same working directory
+that you place the extra files in (e.g. `/opt/strfry`).
+
+In your `strfry.conf`, configure `strfry-policy.ts` as the write policy, like so:
+
+```
+writePolicy {
+    plugin = "/opt/strfry/strfry-policy.ts"
+}
+```
+
+All dependencies will be downloaded and cached automatically when the plugin is
+called for the first time.
+
+### Manual tasks
+
+You can sync all notes authored by local users (any account that has verified
+their Nostr pubkey with akkounts) from a remote [strfry][1] relay via negentropy
+sync:
+
+    deno run -A /opt/strfry/strfry-sync.ts wss://nostr.kosmos.org
+
+Or, in the running container when using Docker Compose:
+
+    docker compose exec strfry deno run -A /opt/strfry/strfry-sync.ts wss://nostr.kosmos.org
+
+The `strfry` service container also exposes the local relay on your local host
+on port 4777.
+
+[nak](https://github.com/fiatjaf/nak) is a helpful tool for manual Nostr tasks.
+Here's how you can grab a note by its event ID from a remote relay and publish
+it to your local strfry for example:
+
+    nak req -i 0fb010192685b86b0810b3de3706fbbf3b8c1db30b14533094a2b9700c820cdc nostr.kosmos.org | nak event ws://localhost:4777
+
+[1]: https://github.com/hoytech/strfry

extras/strfry/deno.lock

@@ -1,101 +1,231 @@
 {
-  "version": "3",
+  "version": "4",
-  "packages": {
+  "specifiers": {
-    "specifiers": {
+    "jsr:@nostr/tools@*": "2.3.1",
-      "jsr:@nostr/tools@^2.3.1": "jsr:@nostr/tools@2.3.1",
+    "jsr:@nostr/tools@^2.3.1": "2.3.1",
-      "npm:@noble/ciphers@^0.5.1": "npm:@noble/ciphers@0.5.3",
+    "jsr:@nostrify/nostrify@0.36": "0.36.2",
-      "npm:@noble/curves@1.2.0": "npm:@noble/curves@1.2.0",
+    "jsr:@nostrify/policies@*": "0.36.1",
-      "npm:@noble/hashes@1.3.1": "npm:@noble/hashes@1.3.1",
+    "jsr:@nostrify/strfry@*": "0.2.1",
-      "npm:@scure/base@1.1.1": "npm:@scure/base@1.1.1",
+    "jsr:@nostrify/types@0.35": "0.35.0",
-      "npm:ldapts": "npm:ldapts@7.0.12"
+    "jsr:@nostrify/types@0.36": "0.36.0",
+    "jsr:@std/bytes@^1.0.5": "1.0.5",
+    "jsr:@std/encoding@~0.224.1": "0.224.3",
+    "jsr:@std/json@^1.0.1": "1.0.1",
+    "jsr:@std/streams@^1.0.7": "1.0.9",
+    "jsr:@std/streams@^1.0.8": "1.0.9",
+    "npm:@noble/ciphers@~0.5.1": "0.5.3",
+    "npm:@noble/curves@1.2.0": "1.2.0",
+    "npm:@noble/hashes@1.3.1": "1.3.1",
+    "npm:@scure/base@1.1.1": "1.1.1",
+    "npm:@scure/bip32@^1.4.0": "1.6.2",
+    "npm:@scure/bip39@^1.3.0": "1.5.4",
+    "npm:ldapts@*": "7.0.12",
+    "npm:lru-cache@^10.2.0": "10.4.3",
+    "npm:nostr-tools@^2.7.0": "2.12.0",
+    "npm:websocket-ts@^2.1.5": "2.2.1",
+    "npm:zod@^3.23.8": "3.24.2"
+  },
+  "jsr": {
+    "@nostr/tools@2.3.1": {
+      "integrity": "af01dc45cb28784c584d7a0699707196f397bcc53946efa582a01b11ddde4d61",
+      "dependencies": [
+        "npm:@noble/ciphers",
+        "npm:@noble/curves",
+        "npm:@noble/hashes",
+        "npm:@scure/base"
+      ]
     },
-    "jsr": {
+    "@nostrify/nostrify@0.36.2": {
-      "@nostr/tools@2.3.1": {
+      "integrity": "cc4787ca170b623a2e5dfed1baa4426077daa6143af728ea7dd325d58f4d04d6",
-        "integrity": "af01dc45cb28784c584d7a0699707196f397bcc53946efa582a01b11ddde4d61",
+      "dependencies": [
-        "dependencies": [
+        "jsr:@nostrify/types@0.35",
-          "npm:@noble/ciphers@^0.5.1",
+        "jsr:@std/encoding",
-          "npm:@noble/curves@1.2.0",
+        "npm:@scure/bip32",
-          "npm:@noble/hashes@1.3.1",
+        "npm:@scure/bip39",
-          "npm:@scure/base@1.1.1"
+        "npm:lru-cache",
-        ]
+        "npm:nostr-tools",
-      }
+        "npm:websocket-ts",
+        "npm:zod"
+      ]
     },
-    "npm": {
+    "@nostrify/policies@0.36.1": {
-      "@noble/ciphers@0.5.3": {
+      "integrity": "6d59af115a687fcd18b6caebab0e4f50ee6cdb0aafa2aacd0aec2065021275b4",
-        "integrity": "sha512-B0+6IIHiqEs3BPMT0hcRmHvEj2QHOLu+uwt+tqDDeVd0oyVzh7BPrDcPjRnV1PV/5LaknXJJQvOuRGR0zQJz+w==",
+      "dependencies": [
-        "dependencies": {}
+        "jsr:@nostrify/nostrify",
-      },
+        "jsr:@nostrify/types@0.35",
-      "@noble/curves@1.2.0": {
+        "npm:nostr-tools"
-        "integrity": "sha512-oYclrNgRaM9SsBUBVbb8M6DTV7ZHRTKugureoYEncY5c65HOmRzvSiTE3y5CYaPYJA/GVkrhXEoF0M3Ya9PMnw==",
+      ]
-        "dependencies": {
+    },
-          "@noble/hashes": "@noble/hashes@1.3.2"
+    "@nostrify/strfry@0.2.1": {
-        }
+      "integrity": "be437b13f49e6564e557da23072bf642723a603568f672543a64d9fda6663432",
-      },
+      "dependencies": [
-      "@noble/hashes@1.3.1": {
+        "jsr:@nostrify/types@0.36",
-        "integrity": "sha512-EbqwksQwz9xDRGfDST86whPBgM65E0OH/pCgqW0GBVzO22bNE+NuIbeTb714+IfSjU3aRk47EUvXIb5bTsenKA==",
+        "jsr:@std/json",
-        "dependencies": {}
+        "jsr:@std/streams@^1.0.8"
-      },
+      ]
-      "@noble/hashes@1.3.2": {
+    },
-        "integrity": "sha512-MVC8EAQp7MvEcm30KWENFjgR+Mkmf+D189XJTkFIlwohU5hcBbn1ZkKq7KVTi2Hme3PMGF390DaL52beVrIihQ==",
+    "@nostrify/types@0.35.0": {
-        "dependencies": {}
+      "integrity": "b8d515563d467072694557d5626fa1600f74e83197eef45dd86a9a99c64f7fe6"
-      },
+    },
-      "@scure/base@1.1.1": {
+    "@nostrify/types@0.36.0": {
-        "integrity": "sha512-ZxOhsSyxYwLJj3pLZCefNitxsj093tb2vq90mp2txoYeBqbcjDjqFhyM8eUjq/uFm6zJ+mUuqxlS2FkuSY1MTA==",
+      "integrity": "b3413467debcbd298d217483df4e2aae6c335a34765c90ac7811cf7c637600e7"
-        "dependencies": {}
+    },
-      },
+    "@std/bytes@1.0.5": {
-      "@types/asn1@0.2.4": {
+      "integrity": "4465dd739d7963d964c809202ebea6d5c6b8e3829ef25c6a224290fbb8a1021e"
-        "integrity": "sha512-V91DSJ2l0h0gRhVP4oBfBzRBN9lAbPUkGDMCnwedqPKX2d84aAMc9CulOvxdw1f7DfEYx99afab+Rsm3e52jhA==",
+    },
-        "dependencies": {
+    "@std/encoding@0.224.3": {
-          "@types/node": "@types/node@18.16.19"
+      "integrity": "5e861b6d81be5359fad4155e591acf17c0207b595112d1840998bb9f476dbdaf"
-        }
+    },
-      },
+    "@std/json@1.0.1": {
-      "@types/node@18.16.19": {
+      "integrity": "1f0f70737e8827f9acca086282e903677bc1bb0c8ffcd1f21bca60039563049f",
-        "integrity": "sha512-IXl7o+R9iti9eBW4Wg2hx1xQDig183jj7YLn8F7udNceyfkbn1ZxmzZXuak20gR40D7pIkIY1kYGx5VIGbaHKA==",
+      "dependencies": [
-        "dependencies": {}
+        "jsr:@std/streams@^1.0.7"
-      },
+      ]
-      "@types/uuid@9.0.8": {
+    },
-        "integrity": "sha512-jg+97EGIcY9AGHJJRaaPVgetKDsrTgbRjQ5Msgjh/DQKEFl0DtyRr/VCOyD1T2R1MNeWPK/u7JoGhlDZnKBAfA==",
+    "@std/streams@1.0.9": {
-        "dependencies": {}
+      "integrity": "a9d26b1988cdd7aa7b1f4b51e1c36c1557f3f252880fa6cc5b9f37078b1a5035",
-      },
+      "dependencies": [
-      "asn1@0.2.6": {
+        "jsr:@std/bytes"
-        "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==",
+      ]
-        "dependencies": {
+    }
-          "safer-buffer": "safer-buffer@2.1.2"
+  },
-        }
+  "npm": {
-      },
+    "@noble/ciphers@0.5.3": {
-      "debug@4.3.5": {
+      "integrity": "sha512-B0+6IIHiqEs3BPMT0hcRmHvEj2QHOLu+uwt+tqDDeVd0oyVzh7BPrDcPjRnV1PV/5LaknXJJQvOuRGR0zQJz+w=="
-        "integrity": "sha512-pt0bNEmneDIvdL1Xsd9oDQ/wrQRkXDT4AUWlNZNPKvW5x/jyO9VFXkJUP07vQ2upmw5PlaITaPKc31jK13V+jg==",
+    },
-        "dependencies": {
+    "@noble/curves@1.1.0": {
-          "ms": "ms@2.1.2"
+      "integrity": "sha512-091oBExgENk/kGj3AZmtBDMpxQPDtxQABR2B9lb1JbVTs6ytdzZNwvhxQ4MWasRNEzlbEH8jCWFCwhF/Obj5AA==",
-        }
+      "dependencies": [
-      },
+        "@noble/hashes@1.3.1"
-      "ldapts@7.0.12": {
+      ]
-        "integrity": "sha512-orwgIejUi/ZyGah9y8jWZmFUg8Ci5M8WAv0oZjSf3MVuk1sRBdor9Qy1ttGHbYpWj96HXKFunQ8AYZ8WWGp17g==",
+    },
-        "dependencies": {
+    "@noble/curves@1.2.0": {
-          "@types/asn1": "@types/asn1@0.2.4",
+      "integrity": "sha512-oYclrNgRaM9SsBUBVbb8M6DTV7ZHRTKugureoYEncY5c65HOmRzvSiTE3y5CYaPYJA/GVkrhXEoF0M3Ya9PMnw==",
-          "@types/uuid": "@types/uuid@9.0.8",
+      "dependencies": [
-          "asn1": "asn1@0.2.6",
+        "@noble/hashes@1.3.2"
-          "debug": "debug@4.3.5",
+      ]
-          "strict-event-emitter-types": "strict-event-emitter-types@2.0.0",
+    },
-          "uuid": "uuid@9.0.1"
+    "@noble/curves@1.8.2": {
-        }
+      "integrity": "sha512-vnI7V6lFNe0tLAuJMu+2sX+FcL14TaCWy1qiczg1VwRmPrpQCdq5ESXQMqUc2tluRNf6irBXrWbl1mGN8uaU/g==",
-      },
+      "dependencies": [
-      "ms@2.1.2": {
+        "@noble/hashes@1.7.2"
-        "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==",
+      ]
-        "dependencies": {}
+    },
-      },
+    "@noble/hashes@1.3.1": {
-      "safer-buffer@2.1.2": {
+      "integrity": "sha512-EbqwksQwz9xDRGfDST86whPBgM65E0OH/pCgqW0GBVzO22bNE+NuIbeTb714+IfSjU3aRk47EUvXIb5bTsenKA=="
-        "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
+    },
-        "dependencies": {}
+    "@noble/hashes@1.3.2": {
-      },
+      "integrity": "sha512-MVC8EAQp7MvEcm30KWENFjgR+Mkmf+D189XJTkFIlwohU5hcBbn1ZkKq7KVTi2Hme3PMGF390DaL52beVrIihQ=="
-      "strict-event-emitter-types@2.0.0": {
+    },
-        "integrity": "sha512-Nk/brWYpD85WlOgzw5h173aci0Teyv8YdIAEtV+N88nDB0dLlazZyJMIsN6eo1/AR61l+p6CJTG1JIyFaoNEEA==",
+    "@noble/hashes@1.7.2": {
-        "dependencies": {}
+      "integrity": "sha512-biZ0NUSxyjLLqo6KxEJ1b+C2NAx0wtDoFvCaXHGgUkeHzf3Xc1xKumFKREuT7f7DARNZ/slvYUwFG6B0f2b6hQ=="
-      },
+    },
-      "uuid@9.0.1": {
+    "@scure/base@1.1.1": {
-        "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
+      "integrity": "sha512-ZxOhsSyxYwLJj3pLZCefNitxsj093tb2vq90mp2txoYeBqbcjDjqFhyM8eUjq/uFm6zJ+mUuqxlS2FkuSY1MTA=="
-        "dependencies": {}
+    },
-      }
+    "@scure/base@1.2.4": {
+      "integrity": "sha512-5Yy9czTO47mqz+/J8GM6GIId4umdCk1wc1q8rKERQulIoc8VP9pzDcghv10Tl2E7R96ZUx/PhND3ESYUQX8NuQ=="
+    },
+    "@scure/bip32@1.3.1": {
+      "integrity": "sha512-osvveYtyzdEVbt3OfwwXFr4P2iVBL5u1Q3q4ONBfDY/UpOuXmOlbgwc1xECEboY8wIays8Yt6onaWMUdUbfl0A==",
+      "dependencies": [
+        "@noble/curves@1.1.0",
+        "@noble/hashes@1.3.2",
+        "@scure/base@1.1.1"
+      ]
+    },
+    "@scure/bip32@1.6.2": {
+      "integrity": "sha512-t96EPDMbtGgtb7onKKqxRLfE5g05k7uHnHRM2xdE6BP/ZmxaLtPek4J4KfVn/90IQNrU1IOAqMgiDtUdtbe3nw==",
+      "dependencies": [
+        "@noble/curves@1.8.2",
+        "@noble/hashes@1.7.2",
+        "@scure/base@1.2.4"
+      ]
+    },
+    "@scure/bip39@1.2.1": {
+      "integrity": "sha512-Z3/Fsz1yr904dduJD0NpiyRHhRYHdcnyh73FZWiV+/qhWi83wNJ3NWolYqCEN+ZWsUz2TWwajJggcRE9r1zUYg==",
+      "dependencies": [
+        "@noble/hashes@1.3.2",
+        "@scure/base@1.1.1"
+      ]
+    },
+    "@scure/bip39@1.5.4": {
+      "integrity": "sha512-TFM4ni0vKvCfBpohoh+/lY05i9gRbSwXWngAsF4CABQxoaOHijxuaZ2R6cStDQ5CHtHO9aGJTr4ksVJASRRyMA==",
+      "dependencies": [
+        "@noble/hashes@1.7.2",
+        "@scure/base@1.2.4"
+      ]
+    },
+    "@types/asn1@0.2.4": {
+      "integrity": "sha512-V91DSJ2l0h0gRhVP4oBfBzRBN9lAbPUkGDMCnwedqPKX2d84aAMc9CulOvxdw1f7DfEYx99afab+Rsm3e52jhA==",
+      "dependencies": [
+        "@types/node"
+      ]
+    },
+    "@types/node@18.16.19": {
+      "integrity": "sha512-IXl7o+R9iti9eBW4Wg2hx1xQDig183jj7YLn8F7udNceyfkbn1ZxmzZXuak20gR40D7pIkIY1kYGx5VIGbaHKA=="
+    },
+    "@types/uuid@9.0.8": {
+      "integrity": "sha512-jg+97EGIcY9AGHJJRaaPVgetKDsrTgbRjQ5Msgjh/DQKEFl0DtyRr/VCOyD1T2R1MNeWPK/u7JoGhlDZnKBAfA=="
+    },
+    "asn1@0.2.6": {
+      "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==",
+      "dependencies": [
+        "safer-buffer"
+      ]
+    },
+    "debug@4.3.5": {
+      "integrity": "sha512-pt0bNEmneDIvdL1Xsd9oDQ/wrQRkXDT4AUWlNZNPKvW5x/jyO9VFXkJUP07vQ2upmw5PlaITaPKc31jK13V+jg==",
+      "dependencies": [
+        "ms"
+      ]
+    },
+    "ldapts@7.0.12": {
+      "integrity": "sha512-orwgIejUi/ZyGah9y8jWZmFUg8Ci5M8WAv0oZjSf3MVuk1sRBdor9Qy1ttGHbYpWj96HXKFunQ8AYZ8WWGp17g==",
+      "dependencies": [
+        "@types/asn1",
+        "@types/uuid",
+        "asn1",
+        "debug",
+        "strict-event-emitter-types",
+        "uuid"
+      ]
+    },
+    "lru-cache@10.4.3": {
+      "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ=="
+    },
+    "ms@2.1.2": {
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+    },
+    "nostr-tools@2.12.0": {
+      "integrity": "sha512-pUWEb020gTvt1XZvTa8AKNIHWFapjsv2NKyk43Ez2nnvz6WSXsrTFE0XtkNLSRBjPn6EpxumKeNiVzLz74jNSA==",
+      "dependencies": [
+        "@noble/ciphers",
+        "@noble/curves@1.2.0",
+        "@noble/hashes@1.3.1",
+        "@scure/base@1.1.1",
+        "@scure/bip32@1.3.1",
+        "@scure/bip39@1.2.1",
+        "nostr-wasm"
+      ]
+    },
+    "nostr-wasm@0.1.0": {
+      "integrity": "sha512-78BTryCLcLYv96ONU8Ws3Q1JzjlAt+43pWQhIl86xZmWeegYCNLPml7yQ+gG3vR6V5h4XGj+TxO+SS5dsThQIA=="
+    },
+    "safer-buffer@2.1.2": {
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
+    },
+    "strict-event-emitter-types@2.0.0": {
+      "integrity": "sha512-Nk/brWYpD85WlOgzw5h173aci0Teyv8YdIAEtV+N88nDB0dLlazZyJMIsN6eo1/AR61l+p6CJTG1JIyFaoNEEA=="
+    },
+    "uuid@9.0.1": {
+      "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA=="
+    },
+    "websocket-ts@2.2.1": {
+      "integrity": "sha512-YKPDfxlK5qOheLZ2bTIiktZO1bpfGdNCPJmTEaPW7G9UXI1GKjDdeacOrsULUS000OPNxDVOyAuKLuIWPqWM0Q=="
+    },
+    "zod@3.24.2": {
+      "integrity": "sha512-lY7CDW43ECgW9u1TcT3IoXHflywfVqDYze4waEz812jR/bZ8FHDsl7pFQoSZTz5N+2NqRXs8GBwnAwo3ZNxqhQ=="
     }
   },
   "remote": {

extras/strfry/ldap-policy.ts

@@ -1,8 +1,8 @@
-import type { IterablePubkeys, Policy } from 'https://gitlab.com/soapbox-pub/strfry-policies/-/raw/develop/mod.ts';
+import { NostrEvent, NostrRelayInfo, NostrRelayOK, NPolicy } from 'jsr:@nostrify/types@^0.35.0';
+import { nip57 } from 'jsr:@nostr/tools';
 import { Client } from 'npm:ldapts';
-import { nip57 } from '@nostr/tools';
 
-interface LdapConfig {
+export interface LdapConfig {
   url: string;
   bindDN: string;
   password: string;
@@ -10,68 +10,73 @@ interface LdapConfig {
   whitelistPubkeys?: IterablePubkeys;
 }
 
-const ldapPolicy: Policy<LdapConfig> = async (msg, opts) => {
+export class LdapPolicy implements NPolicy {
-  const client = new Client({ url: opts.url });
+  constructor(private opts: LdapConfig) {}
-  const { kind, tags } = msg.event;
-  let { pubkey } = msg.event;
-  let out = { id: msg.event.id }
 
-  if (opts.whitelistPubkeys.includes(pubkey)) {
+  // deno-lint-ignore require-await
-    out['action'] = 'accept';
+  async call(event: NostrEvent): Promise<NostrRelayOK> {
-    out['msg'] = '';
+    const client = new Client({ url: this.opts.url });
-    return out;
+    const { id, kind, tags } = event;
-  }
+    let { pubkey } = event;
 
-  // Zap receipt
+    if (this.opts.whitelistPubkeys.includes(pubkey)) {
-  if (kind === 9735) {
+      return ['OK', id, true, ''];
-    const descriptionTag = tags.find(([t, v]) => t === 'description' && v);
-    const invalidZapRequestMsg = 'Zap receipts must contain a valid zap request from a relay member';
-
-    if (typeof descriptionTag === 'undefined') {
-      out['action'] = 'reject';
-      out['msg'] = invalidZapRequestMsg;
-      return out;
     }
 
-    const zapRequestJSON = descriptionTag[1];
+    // Zap receipt
-    const validationResult = nip57.validateZapRequest(zapRequestJSON);
+    if (kind === 9735) {
+      const descriptionTag = tags.find(([t, v]) => t === 'description' && v);
+      const invalidZapRequestMsg = 'Zap receipts must contain a valid zap request from a relay member';
 
-    // TODO
+      if (typeof descriptionTag === 'undefined') {
-    // The zap receipt event's pubkey MUST be the same as the recipient's lnurl provider's nostrPubkey (retrieved in step 1 of the protocol flow).
+        return ['OK', id, false, invalidZapRequestMsg];
-    // The invoiceAmount contained in the bolt11 tag of the zap receipt MUST equal the amount tag of the zap request (if present).
+      }
 
-    if (validationResult === null) {
+      const zapRequestJSON = descriptionTag[1];
-      pubkey = JSON.parse(zapRequestJSON).pubkey;
+      const validationResult = nip57.validateZapRequest(zapRequestJSON);
-    } else {
+
-      out['action'] = 'reject';
+      // TODO
-      out['msg'] = invalidZapRequestMsg;
+      // The zap receipt event's pubkey MUST be the same as the recipient's lnurl provider's nostrPubkey (retrieved in step 1 of the protocol flow).
-      return out;
+      // The invoiceAmount contained in the bolt11 tag of the zap receipt MUST equal the amount tag of the zap request (if present).
+
+      if (validationResult === null) {
+        pubkey = JSON.parse(zapRequestJSON).pubkey;
+      } else {
+        return ['OK', id, false, invalidZapRequestMsg];
+      }
+    }
+
+    const out = { accept: true, msg: ''};
+
+    try {
+      await client.bind(this.opts.bindDN, this.opts.password);
+
+      const { searchEntries } = await client.search(this.opts.searchDN, {
+        filter: `(nostrKey=${pubkey})`,
+        attributes: ['nostrKey']
+      });
+      const memberKey = searchEntries[0]?.nostrKey;
+
+      if (memberKey === pubkey) {
+        out['accept'] = true;
+      } else {
+        out['accept'] = false;
+        out['msg'] = 'Only members can publish notes on this relay';
+      }
+    } catch (ex) {
+      out['accept'] = false;
+      out['msg'] = 'Auth service temporarily unavailable';
+    } finally {
+      await client.unbind();
+      return ['OK', id, out['accept'], out['msg']];
     }
   }
 
-  try {
+  get info(): NostrRelayInfo {
-    await client.bind(opts.bindDN, opts.password);
+    return {
-
+      limitation: {
-    const { searchEntries } = await client.search(opts.searchDN, {
+        restricted_writes: true,
-      filter: `(nostrKey=${pubkey})`,
+      },
-      attributes: ['nostrKey']
+    };
-    });
-    const memberKey = searchEntries[0]?.nostrKey;
-
-    if (memberKey === pubkey) {
-      out['action'] = 'accept';
-      out['msg'] = '';
-    } else {
-      out['action'] = 'reject';
-      out['msg'] = 'Only members can publish notes on this relay';
-    }
-  } catch (ex) {
-    out['action'] = 'reject';
-    out['msg'] = 'Auth service temporarily unavailable';
-  } finally {
-    await client.unbind();
-    return out;
   }
-};
+}
-
-export default ldapPolicy;

extras/strfry/strfry-policy.ts

@@ -1,20 +1,20 @@
 #!/bin/sh
-//bin/true; exec deno run -A "$0" "$@"
+//bin/true; exec deno run --unstable-kv -A "$0" "$@"
 import {
-  antiDuplicationPolicy,
+  AntiDuplicationPolicy,
-  hellthreadPolicy,
+  HellthreadPolicy,
-  pipeline,
+  PipePolicy,
-  rateLimitPolicy,
   readStdin,
   writeStdout,
-} from 'https://gitlab.com/soapbox-pub/strfry-policies/-/raw/develop/mod.ts';
+} from 'jsr:@nostrify/policies';
-import ldapPolicy from './ldap-policy.ts';
+import { strfry } from 'jsr:@nostrify/strfry';
+import { LdapConfig, LdapPolicy } from './ldap-policy.ts';
 import { load } from "https://deno.land/std@0.224.0/dotenv/mod.ts";
 
 const dirname = new URL('.', import.meta.url).pathname;
 await load({ envPath: `${dirname}/.env`, export: true });
 
-const ldapConfig = {
+const ldapConfig: LdapConfig = {
   url: Deno.env.get("LDAP_URL"),
   bindDN: Deno.env.get("LDAP_BIND_DN"),
   password: Deno.env.get("LDAP_PASSWORD"),
@@ -22,13 +22,10 @@ const ldapConfig = {
   whitelistPubkeys: Deno.env.get("WHITELIST_PUBKEYS")?.split(',')
 }
 
-for await (const msg of readStdin()) {
+const policy = new PipePolicy([
-  const result = await pipeline(msg, [
+  new HellthreadPolicy({ limit: 10 }),
-    [hellthreadPolicy, { limit: 10 }],
+  new AntiDuplicationPolicy({ kv: await Deno.openKv(), expireIn: 60000, minLength: 50 }),
-    [antiDuplicationPolicy, { ttl: 60000, minLength: 50 }],
+  new LdapPolicy(ldapConfig)
-    [rateLimitPolicy, { whitelist: ['127.0.0.1'] }],
+]);
-    [ldapPolicy, ldapConfig],
-  ]);
 
-  writeStdout(result);
+await strfry(policy);
-}

lib/tasks/ldap.rake

@@ -21,7 +21,7 @@ namespace :ldap do
 
   desc "Add custom attributes to schema"
   task add_custom_attributes: :environment do |t, args|
-    %w[ admin service_enabled nostr_key ].each do |name|
+    %w[ admin service_enabled nostr_key pgp_key ].each do |name|
       Rake::Task["ldap:modify_ldap_schema"].invoke(name, "add")
       Rake::Task['ldap:modify_ldap_schema'].reenable
     end
@@ -29,7 +29,7 @@ namespace :ldap do
 
   desc "Delete custom attributes from schema"
   task delete_custom_attributes: :environment do |t, args|
-    %w[ admin service_enabled nostr_key ].each do |name|
+    %w[ admin service_enabled nostr_key pgp_key ].each do |name|
       Rake::Task["ldap:modify_ldap_schema"].invoke(name, "delete")
       Rake::Task['ldap:modify_ldap_schema'].reenable
     end

schemas/ldap/nostr_key.ldif

@@ -5,5 +5,5 @@ attributeTypes: ( 1.3.6.1.4.1.61554.1.1.2.1.21
   NAME 'nostrKey'
   DESC 'Nostr public key'
   EQUALITY caseIgnoreMatch
-  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
   SINGLE-VALUE )

schemas/ldap/pgp_key.ldif

@@ -0,0 +1,8 @@
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( 1.3.6.1.4.1.3401.8.2.11
+  NAME 'pgpKey'
+  DESC 'OpenPGP public key block'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )

spec/features/settings/account_spec.rb

@@ -14,6 +14,7 @@ RSpec.describe 'Account settings', type: :feature do
         .with("invalid password").and_return(false)
       allow_any_instance_of(User).to receive(:valid_ldap_authentication?)
         .with("valid password").and_return(true)
+      allow_any_instance_of(User).to receive(:pgp_pubkey).and_return(nil)
     end
 
     scenario 'fails with invalid password' do
@@ -55,4 +56,44 @@ RSpec.describe 'Account settings', type: :feature do
       end
     end
   end
+
+  feature "Update OpenPGP key" do
+    let(:invalid_key) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_invalid.asc") }
+    let(:valid_key_alice) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
+    let(:fingerprint_alice) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
+
+    before do
+      login_as user, :scope => :user
+      allow_any_instance_of(User).to receive(:ldap_entry).and_return({
+        uid: user.cn, ou: user.ou, display_name: nil, pgp_key: nil
+      })
+    end
+
+    scenario 'rejects an invalid key' do
+      expect(UserManager::UpdatePgpKey).not_to receive(:call)
+
+      visit setting_path(:account)
+      fill_in 'Public key', with: invalid_key
+      click_button "Save"
+
+      expect(current_url).to eq(setting_url(:account))
+      within ".error-msg" do
+        expect(page).to have_content("This is not a valid armored PGP public key block")
+      end
+    end
+
+    scenario 'stores a valid key' do
+      expect(UserManager::UpdatePgpKey).to receive(:call)
+        .with(user: user).and_return(true)
+
+      visit setting_path(:account)
+      fill_in 'Public key', with: valid_key_alice
+      click_button "Save"
+
+      expect(current_url).to eq(setting_url(:account))
+      within ".flash-msg" do
+        expect(page).to have_content("Settings saved")
+      end
+    end
+  end
 end

spec/features/settings/profile_spec.rb

@@ -9,7 +9,7 @@ RSpec.describe 'Profile settings', type: :feature do
     allow(user).to receive(:display_name).and_return("Mark")
     allow_any_instance_of(User).to receive(:dn).and_return("cn=mwahlberg,ou=kosmos.org,cn=users,dc=kosmos,dc=org")
     allow_any_instance_of(User).to receive(:ldap_entry).and_return({
-      uid: user.cn, ou: user.ou, display_name: "Mark"
+      uid: user.cn, ou: user.ou, display_name: "Mark", pgp_key: nil
     })
     allow_any_instance_of(User).to receive(:avatar).and_return(avatar_base64)
 

spec/features/signup_spec.rb

@@ -52,7 +52,7 @@ RSpec.describe "Signup", type: :feature do
       click_button "Continue"
       expect(page).to have_content("Choose a password")
 
-      expect(CreateAccount).to receive(:call)
+      expect(UserManager::CreateAccount).to receive(:call)
         .with(account: {
           username: "tony", domain: "kosmos.org",
           email: "tony@example.com", password: "a-valid-password",
@@ -96,7 +96,7 @@ RSpec.describe "Signup", type: :feature do
       click_button "Create account"
       expect(page).to have_content("Password is too short")
 
-      expect(CreateAccount).to receive(:call)
+      expect(UserManager::CreateAccount).to receive(:call)
         .with(account: {
           username: "tony", domain: "kosmos.org",
           email: "tony@example.com", password: "a-valid-password",

spec/fixtures/files/pgp_key_invalid.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+b7O1u120JkFsaWNlIExvdmVsYWNlIDxhbGljZUBvcGVucGdwLmV4YW1wbGU+iJAE
+ExYIADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTrhbtfozp14V6UTmPy
+MVUMT0fjjgUCXaWfOgAKCRDyMVUMT0fjjukrAPoDnHBSogOmsHOsd9qGsiZpgRnO
+dypvbm+QtXZqth9rvwD9HcDC0tC+PHAsO7OTh1S1TC9RiJsvawAfCPaQZoed8gK4
+OARcRwTpEgorBgEEAZdVAQUBAQdAQv8GIa2rSTzgqbXCpDDYMiKRVitCsy203x3s
+E9+eviIDAQgHiHgEGBYIACAWIQTrhbtfozp14V6UTmPyMVUMT0fjjgUCXEcE6QIb
+DAAKCRDyMVUMT0fjjlnQAQDFHUs6TIcxrNTtEZFjUFm1M0PJ1Dng/cDW4xN80fsn
+0QEA22Kr7VkCjeAEC08VSTeV+QFsmz55/lntWkwYWhmvOgE=
+=iIGO
+-----END PGP PUBLIC KEY BLOCK-----

spec/fixtures/files/pgp_key_valid_alice.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: Alice's OpenPGP certificate
+Comment: https://www.ietf.org/id/draft-bre-openpgp-samples-01.html
+
+mDMEXEcE6RYJKwYBBAHaRw8BAQdArjWwk3FAqyiFbFBKT4TzXcVBqPTB3gmzlC/U
+b7O1u120JkFsaWNlIExvdmVsYWNlIDxhbGljZUBvcGVucGdwLmV4YW1wbGU+iJAE
+ExYIADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTrhbtfozp14V6UTmPy
+MVUMT0fjjgUCXaWfOgAKCRDyMVUMT0fjjukrAPoDnHBSogOmsHOsd9qGsiZpgRnO
+dypvbm+QtXZqth9rvwD9HcDC0tC+PHAsO7OTh1S1TC9RiJsvawAfCPaQZoed8gK4
+OARcRwTpEgorBgEEAZdVAQUBAQdAQv8GIa2rSTzgqbXCpDDYMiKRVitCsy203x3s
+E9+eviIDAQgHiHgEGBYIACAWIQTrhbtfozp14V6UTmPyMVUMT0fjjgUCXEcE6QIb
+DAAKCRDyMVUMT0fjjlnQAQDFHUs6TIcxrNTtEZFjUFm1M0PJ1Dng/cDW4xN80fsn
+0QEA22Kr7VkCjeAEC08VSTeV+QFsmz55/lntWkwYWhmvOgE=
+=iIGO
+
+-----END PGP PUBLIC KEY BLOCK-----

spec/fixtures/files/pgp_key_valid_jimmy.asc

@@ -0,0 +1,13 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZvFjRhYJKwYBBAHaRw8BAQdACUxVX9bGlbuNR0MNYUyHHxTcOgm4qjwq8Bjg
+7P41OFK0GEppbW15IDxqaW1teUBrb3Ntb3Mub3JnPoiZBBMWCgBBFiEEMWv1FiNt
+r3cjaxX2BX2Tly+4YsMFAmbxY0YCGwMFCQWjmoAFCwkIBwICIgIGFQoJCAsCBBYC
+AwECHgcCF4AACgkQBX2Tly+4YsMjHgEAoOOLrv9pWbi8hhrSMkqJ7FJvsBTQF//U
+aJUQRa8CTgoBAI3kyGKZ8gOC8UOOKsUC0LiNCVXPyX45h8T4QFRdEVYKuDgEZvFj
+RhIKKwYBBAGXVQEFAQEHQIomqcQ59UjtQex54pz8qGqyxCj2DPJYUat9pXinDgN8
+AwEIB4h+BBgWCgAmFiEEMWv1FiNtr3cjaxX2BX2Tly+4YsMFAmbxY0YCGwwFCQWj
+moAACgkQBX2Tly+4YsPoVgEA/9Q5Gs1klP4u/nw343V57e9s4RKmEiRSkErnC9wW
+Iu0A/jp6Elz2pDQPB2XLwcb+n7JlgA05HI0zWj1+EoM7TC4J
+=KQbn
+-----END PGP PUBLIC KEY BLOCK-----

spec/mailers/notification_mailer_spec.rb

@@ -0,0 +1,87 @@
+# spec/mailers/welcome_mailer_spec.rb
+require 'rails_helper'
+
+RSpec.describe NotificationMailer, type: :mailer do
+  describe '#lightning_sats_received' do
+
+    context "without PGP key" do
+      let(:user) { create(:user, cn: "phil", email: 'phil@example.com') }
+
+      before do
+        allow_any_instance_of(User).to receive(:ldap_entry).and_return({
+          uid: user.cn, ou: user.ou, display_name: nil, pgp_key: nil
+        })
+      end
+
+      describe "unencrypted email" do
+        let(:mail) { described_class.with(user: user, amount_sats: 21000).lightning_sats_received }
+
+        it 'renders the correct to/from headers' do
+          expect(mail.to).to eq([user.email])
+          expect(mail.from).to eq(['accounts@kosmos.org'])
+        end
+
+        it 'renders the correct subject' do
+          expect(mail.subject).to eq('Sats received')
+        end
+
+        it 'uses the correct content type' do
+          expect(mail.header['content-type'].to_s).to include('text/plain')
+        end
+
+        it 'renders the body with correct content' do
+          expect(mail.body.encoded).to match(/You just received 21,000 sats/)
+          expect(mail.body.encoded).to include(user.address)
+        end
+
+        it 'includes a link to the lightning service page' do
+          expect(mail.body.encoded).to include("https://accounts.kosmos.org/services/lightning")
+        end
+      end
+    end
+
+    context "with PGP key" do
+      let(:pgp_pubkey) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
+      let(:pgp_fingerprint) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
+      let(:user) { create(:user, id: 2, cn: "alice", email: 'alice@example.com', pgp_fpr: pgp_fingerprint) }
+
+      before do
+        allow_any_instance_of(User).to receive(:ldap_entry).and_return({
+          uid: user.cn, ou: user.ou, display_name: nil, pgp_key: pgp_pubkey
+        })
+      end
+
+      describe "encrypted email" do
+        let(:mail) { described_class.with(user: user, amount_sats: 21000).lightning_sats_received }
+
+        it 'renders the correct to/from headers' do
+          expect(mail.to).to eq([user.email])
+          expect(mail.from).to eq(['accounts@kosmos.org'])
+        end
+
+        it 'encrypts the subject line' do
+          expect(mail.subject).to eq('...')
+        end
+
+        it 'uses the correct content type' do
+          expect(mail.header['content-type'].to_s).to include('multipart/encrypted')
+          expect(mail.header['content-type'].to_s).to include('protocol="application/pgp-encrypted"')
+        end
+
+        it 'renders the PGP version part' do
+          expect(mail.body.encoded).to include("Content-Type: application/pgp-encrypted")
+          expect(mail.body.encoded).to include("Content-Description: PGP/MIME version identification")
+          expect(mail.body.encoded).to include("Version: 1")
+        end
+
+        it 'renders the encrypted PGP part' do
+          expect(mail.body.encoded).to include('Content-Type: application/octet-stream; name="encrypted.asc"')
+          expect(mail.body.encoded).to include('Content-Description: OpenPGP encrypted message')
+          expect(mail.body.encoded).to include('Content-Disposition: inline; filename="encrypted.asc"')
+          expect(mail.body.encoded).to include('-----BEGIN PGP MESSAGE-----')
+          expect(mail.body.encoded).to include('hF4DR')
+        end
+      end
+    end
+  end
+end

spec/models/user_spec.rb

@@ -1,20 +1,16 @@
 require 'rails_helper'
 
 RSpec.describe User, type: :model do
-  let(:user) { create :user, cn: "philipp" }
+  let(:user) { create :user, cn: "philipp", ou: "kosmos.org", email: "philipp@example.com" }
   let(:dn) { "cn=philipp,ou=kosmos.org,cn=users,dc=kosmos,dc=org" }
 
   describe "#address" do
-    let(:user) { build :user, cn: "jimmy", ou: "kosmos.org" }
-
     it "returns the user address" do
-      expect(user.address).to eq("jimmy@kosmos.org")
+      expect(user.address).to eq("philipp@kosmos.org")
     end
   end
 
   describe "#mastodon_address" do
-    let(:user) { build :user, cn: "jimmy", ou: "kosmos.org" }
-
     context "Mastodon service not configured" do
       before do
         Setting.mastodon_enabled = false
@@ -32,7 +28,7 @@ RSpec.describe User, type: :model do
 
       describe "domain is the same as primary domain" do
         it "returns the user address" do
-          expect(user.mastodon_address).to eq("jimmy@kosmos.org")
+          expect(user.mastodon_address).to eq("philipp@kosmos.org")
         end
       end
 
@@ -42,7 +38,7 @@ RSpec.describe User, type: :model do
         end
 
         it "returns the user address" do
-          expect(user.mastodon_address).to eq("jimmy@kosmos.social")
+          expect(user.mastodon_address).to eq("philipp@kosmos.social")
         end
       end
 
@@ -239,7 +235,7 @@ RSpec.describe User, type: :model do
 
   describe "#nostr_pubkey" do
     before do
-      allow_any_instance_of(User).to receive(:ldap_entry)
+      allow(user).to receive(:ldap_entry)
         .and_return({ nostr_key: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3" })
     end
 
@@ -250,7 +246,7 @@ RSpec.describe User, type: :model do
 
   describe "#nostr_pubkey_bech32" do
     before do
-      allow_any_instance_of(User).to receive(:ldap_entry)
+      allow(user).to receive(:ldap_entry)
         .and_return({ nostr_key: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3" })
     end
 
@@ -258,4 +254,73 @@ RSpec.describe User, type: :model do
       expect(user.nostr_pubkey_bech32).to eq("npub1qlsc3g0lsl8pw8230w8d9wm6xxcax3f6pkemz5measrmwfxjxteslf2hac")
     end
   end
+
+  describe "OpenPGP key" do
+    let(:alice) { create :user, id: 2, cn: "alice", email: "alice@example.com" }
+    let(:jimmy) { create :user, id: 3, cn: "jimmy", email: "jimmy@example.com" }
+    let(:valid_key_alice) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
+    let(:valid_key_jimmy) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_jimmy.asc") }
+    let(:fingerprint_alice) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
+    let(:fingerprint_jimmy) { "316BF516236DAF77236B15F6057D93972FB862C3" }
+    let(:invalid_key) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_invalid.asc") }
+
+    before do
+      GPGME::Key.import(valid_key_alice)
+      GPGME::Key.import(valid_key_jimmy)
+      alice.update pgp_fpr: fingerprint_alice
+      jimmy.update pgp_fpr: fingerprint_jimmy
+      allow(alice).to receive(:ldap_entry).and_return({ pgp_key: valid_key_alice })
+      allow(jimmy).to receive(:ldap_entry).and_return({ pgp_key: valid_key_jimmy })
+    end
+
+    after do
+      alice.gnupg_key.delete!
+      jimmy.gnupg_key.delete!
+    end
+
+    describe "#acceptable_pgp_key_format" do
+      it "validates the record when the key is valid" do
+        alice.pgp_pubkey = valid_key_alice
+        expect(alice).to be_valid
+      end
+
+      it "adds a validation error when the key is not valid" do
+        user.pgp_pubkey = invalid_key
+        expect(user).to_not be_valid
+        expect(user.errors[:pgp_pubkey]).to be_present
+      end
+    end
+
+    describe "#pgp_pubkey" do
+      it "returns the raw pubkey from LDAP" do
+        expect(alice.pgp_pubkey).to eq(valid_key_alice)
+      end
+    end
+
+    describe "#gnupg_key" do
+      subject { alice.gnupg_key }
+
+      it "returns a GPGME::Key object from the system's GPG keyring" do
+        expect(subject).to be_a(GPGME::Key)
+        expect(subject.fingerprint).to eq(fingerprint_alice)
+        expect(subject.email).to eq("alice@openpgp.example")
+      end
+    end
+
+    describe "#pgp_pubkey_contains_user_address?" do
+      it "returns false when the user address is one of the UIDs of the key" do
+        expect(alice.pgp_pubkey_contains_user_address?).to eq(false)
+      end
+
+      it "returns true when the user address is missing from the UIDs of the key" do
+        expect(jimmy.pgp_pubkey_contains_user_address?).to eq(true)
+      end
+    end
+
+    describe "wkd_hash" do
+      it "returns a z-base32 encoded SHA-1 digest of the username" do
+        expect(alice.wkd_hash).to eq("kei1q4tipxxu1yj79k9kfukdhfy631xe")
+      end
+    end
+  end
 end

spec/requests/web_key_directory_spec.rb

@@ -0,0 +1,101 @@
+require 'rails_helper'
+
+RSpec.describe "OpenPGP Web Key Directory", type: :request do
+  describe "policy" do
+    it "returns an empty 200 response" do
+      get "/.well-known/openpgpkey/policy"
+      expect(response).to have_http_status(:ok)
+      expect(response.body).to be_empty
+    end
+  end
+
+  describe "non-existent user" do
+    it "returns a 404 status" do
+      get "/.well-known/openpgpkey/hu/fmb8gw3n4zdj4xpwaziki4mwcxr1368i?l=aristotle"
+      expect(response).to have_http_status(:not_found)
+    end
+  end
+
+  describe "user without pubkey" do
+    let(:user) { create :user, cn: 'bernd', ou: 'kosmos.org' }
+
+    it "returns a 404 status" do
+      get "/.well-known/openpgpkey/hu/kp95h369c89sx8ia1hn447i868nqyz4t?l=bernd"
+      expect(response).to have_http_status(:not_found)
+    end
+  end
+
+  describe "user with pubkey" do
+    let(:alice) { create :user, id: 2, cn: "alice", email: "alice@example.com" }
+    let(:jimmy) { create :user, id: 3, cn: "jimmy", email: "jimmy@example.com" }
+    let(:valid_key_alice) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
+    let(:valid_key_jimmy) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_jimmy.asc") }
+    let(:fingerprint_alice) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
+    let(:fingerprint_jimmy) { "316BF516236DAF77236B15F6057D93972FB862C3" }
+    let(:invalid_key) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_invalid.asc") }
+
+    before do
+      GPGME::Key.import(valid_key_alice)
+      GPGME::Key.import(valid_key_jimmy)
+      alice.update pgp_fpr: fingerprint_alice
+      jimmy.update pgp_fpr: fingerprint_jimmy
+    end
+
+    after do
+      alice.gnupg_key.delete!
+      jimmy.gnupg_key.delete!
+    end
+
+    describe "pubkey does not contain user address" do
+      before do
+        allow_any_instance_of(User).to receive(:ldap_entry)
+          .and_return({ pgp_key: valid_key_alice })
+      end
+
+      it "returns a 404 status" do
+        get "/.well-known/openpgpkey/hu/kei1q4tipxxu1yj79k9kfukdhfy631xe?l=alice"
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
+    describe "pubkey contains user address" do
+      before do
+        allow_any_instance_of(User).to receive(:ldap_entry)
+          .and_return({ pgp_key: valid_key_jimmy })
+      end
+
+      it "returns the pubkey in binary format" do
+        get "/.well-known/openpgpkey/hu/yuca4ky39mhwkjo78qb8zjgbfj1hg3yf?l=jimmy"
+        expect(response).to have_http_status(:ok)
+        expect(response.headers['Content-Type']).to eq("application/octet-stream")
+        expected_binary_data = File.binread("#{Rails.root}/spec/fixtures/files/pgp_key_valid_jimmy.pem")
+        expect(response.body).to eq(expected_binary_data)
+      end
+
+      context "with wrong capitalization of username" do
+        it "returns the pubkey as ASCII Armor plain text" do
+          get "/.well-known/openpgpkey/hu/yuca4ky39mhwkjo78qb8zjgbfj1hg3yf?l=JimmY"
+          expect(response).to have_http_status(:ok)
+          expected_binary_data = File.binread("#{Rails.root}/spec/fixtures/files/pgp_key_valid_jimmy.pem")
+          expect(response.body).to eq(expected_binary_data)
+        end
+      end
+
+      context "with .txt extension" do
+        it "returns the pubkey as ASCII Armor plain text" do
+          get "/.well-known/openpgpkey/hu/yuca4ky39mhwkjo78qb8zjgbfj1hg3yf.txt?l=jimmy"
+          expect(response).to have_http_status(:ok)
+          expect(response.body).to eq(valid_key_jimmy)
+          expect(response.headers['Content-Type']).to eq("text/plain")
+        end
+      end
+
+      context "invalid URL" do
+        it "returns a 422 status" do
+          get "/.well-known/openpgpkey/hu/123456abcdef?l=alice"
+          expect(response).to have_http_status(:not_found)
+        end
+      end
+    end
+  end
+end

spec/services/user_manager/create_account_spec.rb

@@ -1,8 +1,8 @@
 require 'rails_helper'
 
-RSpec.describe CreateAccount, type: :model do
+RSpec.describe UserManager::CreateAccount, type: :model do
   describe "#create_user_in_database" do
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
       username: 'isaacnewton',
       email: 'isaacnewton@example.com',
       password: 'bright-ideas-in-autumn'
@@ -19,7 +19,7 @@ RSpec.describe CreateAccount, type: :model do
 
   describe "#update_invitation" do
     let(:invitation) { create :invitation }
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
       username: 'isaacnewton',
       email: 'isaacnewton@example.com',
       password: 'bright-ideas-in-autumn',
@@ -42,7 +42,7 @@ RSpec.describe CreateAccount, type: :model do
   describe "#add_ldap_document" do
     include ActiveJob::TestHelper
 
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
       username: 'halfinney',
       email: 'halfinney@example.com',
       password: 'remember-remember-the-5th-of-november'
@@ -68,7 +68,7 @@ RSpec.describe CreateAccount, type: :model do
   describe "#add_ldap_document for pre-confirmed account" do
     include ActiveJob::TestHelper
 
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
       username: 'halfinney',
       email: 'halfinney@example.com',
       password: 'remember-remember-the-5th-of-november',
@@ -89,7 +89,7 @@ RSpec.describe CreateAccount, type: :model do
   describe "#create_lndhub_account" do
     include ActiveJob::TestHelper
 
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
       username: 'halfinney', email: 'halfinney@example.com',
       password: 'bright-ideas-in-winter'
     })}

spec/services/user_manager/create_invitations_spec.rb

@@ -1,13 +1,13 @@
 require 'rails_helper'
 
-RSpec.describe CreateInvitations, type: :model do
+RSpec.describe UserManager::CreateInvitations, type: :model do
   include ActiveJob::TestHelper
 
   let(:user) { create :user }
 
   describe "#call" do
     before do
-      CreateInvitations.call(user: user, amount: 5)
+      described_class.call(user: user, amount: 5)
     end
 
     after(:each) { clear_enqueued_jobs }
@@ -28,7 +28,7 @@ RSpec.describe CreateInvitations, type: :model do
 
   describe "#call with notification disabled" do
     before do
-      CreateInvitations.call(user: user, amount: 3, notify: false)
+      described_class.call(user: user, amount: 3, notify: false)
     end
 
     after(:each) { clear_enqueued_jobs }

spec/services/user_manager/update_pgp_key_spec.rb

@@ -0,0 +1,74 @@
+require 'rails_helper'
+
+RSpec.describe UserManager::UpdatePgpKey, type: :model do
+  include ActiveJob::TestHelper
+
+  let(:alice) { create :user, cn: "alice" }
+  let(:dn)    { "cn=alice,ou=kosmos.org,cn=users,dc=kosmos,dc=org" }
+  let(:pubkey_asc) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
+  let(:fingerprint) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
+
+  before do
+    allow(alice).to receive(:dn).and_return(dn)
+    allow(alice).to receive(:ldap_entry).and_return({
+      uid: alice.cn, ou: alice.ou, pgp_key: nil
+    })
+  end
+
+  describe "#call" do
+    context "with valid key" do
+      before do
+        alice.pgp_pubkey = pubkey_asc
+
+        allow(LdapManager::UpdatePgpKey).to receive(:call)
+          .with(dn: alice.dn, pubkey: pubkey_asc)
+      end
+
+      after do
+        alice.gnupg_key.delete!
+      end
+
+      it "imports the key into the GnuPG keychain" do
+        described_class.call(user: alice)
+        expect(alice.gnupg_key).to be_present
+      end
+
+      it "stores the key's fingerprint on the user record" do
+        described_class.call(user: alice)
+        expect(alice.pgp_fpr).to eq(fingerprint)
+      end
+
+      it "updates the user's LDAP entry with the new key" do
+        expect(LdapManager::UpdatePgpKey).to receive(:call)
+          .with(dn: alice.dn, pubkey: pubkey_asc)
+        described_class.call(user: alice)
+      end
+    end
+
+    context "with empty key" do
+      before do
+        alice.update pgp_fpr: fingerprint
+        alice.pgp_pubkey = ""
+
+        allow(LdapManager::UpdatePgpKey).to receive(:call)
+          .with(dn: alice.dn, pubkey: "")
+      end
+
+      it "does not attempt to import the key" do
+        expect(GPGME::Key).not_to receive(:import)
+        described_class.call(user: alice)
+      end
+
+      it "removes the key's fingerprint from the user record" do
+        described_class.call(user: alice)
+        expect(alice.pgp_fpr).to be_nil
+      end
+
+      it "removes the key from the user's LDAP entry" do
+        expect(LdapManager::UpdatePgpKey).to receive(:call)
+          .with(dn: alice.dn, pubkey: "")
+        described_class.call(user: alice)
+      end
+    end
+  end
+end