Commit graph

723 commits

Author SHA1 Message Date
fr33domlover
043022d117 When verifying HTTP sig, make Ed25519 verification failure message clearer 2019-03-06 01:31:30 +00:00
fr33domlover
c26289cf42 Don't check CSRF token in InboxR, POSTs there freely come from other servers 2019-03-05 09:00:22 +00:00
fr33domlover
6e721797e9 Catch sig generation error when sending signed HTTP POST 2019-03-05 08:26:41 +00:00
fr33domlover
97594dc945 Fix default actor URI in OutboxR form, from /p to /s 2019-03-04 20:12:19 +00:00
fr33domlover
378ca1b3d4 Fix bug in FedURI parsing 2019-03-04 20:11:58 +00:00
fr33domlover
bb662e798f Display clearer error message when GETing recipient actor fails 2019-03-04 15:47:22 +00:00
fr33domlover
78b5bad2c4 Support bypassing email verification of new users 2019-03-04 14:51:51 +00:00
fr33domlover
c41f1183e0 Display instance host at the top of all pages 2019-03-04 09:06:23 +00:00
fr33domlover
ad034dbacc Make the registration switch work again 2019-03-04 08:14:36 +00:00
fr33domlover
9c3cb27619 Add persistent-graph to update-deps.sh 2019-03-02 19:30:38 +00:00
fr33domlover
6bbba4ce5c Use MVars to protect concurrenct access to instance/actor/key DB records 2019-03-02 19:13:51 +00:00
fr33domlover
f09bdd4141 Add key storage mode that replaces old keys instead of rejecting new ones 2019-02-26 14:00:22 +00:00
fr33domlover
2e705b6868 Make key storage limits configurable instead of hardcoding to 2 2019-02-24 01:35:07 +00:00
fr33domlover
17524b6ee1 Remove hardcoded-to-2 limit on length of an actor's list of public keys 2019-02-24 01:21:42 +00:00
fr33domlover
0912b8e291 Use the DB for checking key usage by actors
* When we refetch a personal key, we never need to separately fetch the actor
* When we refetch a shared key, check usage in DB and insert usage to DB
2019-02-23 17:17:52 +00:00
fr33domlover
b53a7b4f48 Refactor actor key fetching code a bit 2019-02-22 08:30:43 +00:00
fr33domlover
1affe269bb Refactor HTTP sig verification DB update code 2019-02-22 07:20:19 +00:00
fr33domlover
d3e14b3edf Add LocalURI type for recording shared URI host 2019-02-21 23:59:53 +00:00
fr33domlover
aefb2aaee7 Add InstanceURI datatype 2019-02-20 07:40:25 +00:00
fr33domlover
4053f2f2b4 Record usage of instance keys in the DB
When we verify an HTTP signature,

* If we know the key, check in the DB whether we know the actor lists it. If it
  doesn't, and there's room left for keys, HTTP GET the actor and update the DB
  accordingly.
* If we know the key but had to update it, do the same, check usage in DB and
  update DB if needed
* If we don't know the key, record usage in DB

However,

* If we're GETing a key and discovering it's a shared key, we GET the actor to
  verify it lists the key. When we don't know the key at all yet, that's fine
  (can be further optimized but it's marginal), but if it's a key we do know,
  it means we already know the actor and for now it's enough for us to rely
  only on the DB to test usage.
2019-02-19 10:54:55 +00:00
fr33domlover
312ccf6979 When verifying HTTP sig with known shared key, verify actor lists the key
Previously, when verifying an HTTP signature and we fetched the key and
discovered it's shared, we'd fetch the actor and make sure it lists the key URI
in the `publicKey` field. But if we already knew the key, had it cached in our
DB, we wouldn't check the actor at all, despite not knowing whether it lists
the key.

With this patch, we now always GET the actor when the key is shared,
determining the actor URI from the `ActivityPub-Actor` request header, and we
verify that the actor lists the key URI. We do that regardless of whether or
not we have the key in the DB, although these two cases and handled in
different parts of the code right now (for a new key, it's in Web.ActivityPub
fetchKey; for a known key, it's in Vervis.Foundation httpVerifySig).
2019-02-18 09:20:13 +00:00
fr33domlover
9b8cae79e0 Remove old commented out line of code 2019-02-18 09:18:50 +00:00
fr33domlover
69e807214d Even if we have the specified keyid in the DB, check AP actor header if present
Previously, when verifying an HTTP signature and we find out we have the
provided keyid in the DB, and this key is a personal key, we would just grab
the key owner from the DB and ignore the ActivityPub-Actor header.

This patch adds a check: If we find the key in the DB and it's a personal key,
do grab the owner from that DB row, but also check the actor header: If it's
provided, it has to be identical to the key owner ID URI.
2019-02-17 00:32:38 +00:00
fr33domlover
fa5c509a25 When we fetch a stand-alone personal key, make sure AP-Actor matches key owner
If the key we fetched is a shared key, the only way to determine the actor to
which the signature applies is to read the HTTP header ActivityPub-Actor. But
if it's a personal key, we can detect the actor by checking the key's owner
field. Still, if that actor header is provided, we now compare it to the key
owner and make sure they're identical.

When fetching a key that is embedded in the actor document, we were already
comparing the actor ID with the actor header, so that part didn't require
changes.
2019-02-17 00:14:05 +00:00
fr33domlover
bf56ebf158 Make the verification key update logic clearer 2019-02-16 21:47:58 +00:00
fr33domlover
9e0314fa09 Store remote actors' inbox URIs in DB, avoiding some actor fetch
When a local user wants to publish an activity, we were always GETing the
recipient actor, so that we could determine their inbox and POST the activity
to it. But now, instead, whenever we GET an actor (whether it's for the key sig
verification or for determining inbox URI), we keep their inbox URI in the
database, and we don't need to GET it again next time.
2019-02-14 23:27:40 +00:00
fr33domlover
128f1297ec In postInboxR, use the Activity type, so we only accept Create Note for now 2019-02-14 22:29:59 +00:00
fr33domlover
fb396bb984 Define breadcrumbs for shared actor key routes 2019-02-14 22:17:04 +00:00
fr33domlover
e6b7a5297a Fix error in key expiration check caused by a typo 2019-02-14 22:16:15 +00:00
fr33domlover
e8ba301c6a Switch actor ID URIs to be /s/ACTOR instead of /p and /g
See Vervis ticket #60.
2019-02-14 22:13:58 +00:00
fr33domlover
754709833a When a client posts to their outbox, allow only Create Note, not near-any JSON 2019-02-12 11:53:24 +00:00
fr33domlover
0731597e1b List collab tables under projects section in models file 2019-02-12 11:46:12 +00:00
fr33domlover
c2bf470fb6 Generate and keep permanent salt for generating hashids for URIs 2019-02-08 21:54:22 +00:00
fr33domlover
9536d870e5 Add utility for loading permanent key files, and use it for ocap signing key 2019-02-08 03:13:56 +00:00
fr33domlover
fbc9ad2b30 Rotate actor key once a day by default, instead of once an hour
I'm not sure what the best balance is, but once an hour may end up causing a
lot more key re-fetch requests coming from other servers. I prefer to default
to once a day for now (maybe even once a week) and tighten it later if needed.

Caveat: If an instance key is rotated once a day, there's no
change-key-right-after-toot-deletion thing for deniability. Potentially,
rotation may happen only 24 hours after that deletion, which is much more than
1 hour. On the other hand, it's a whole instance key, not personal key of the
actor.
2019-02-07 23:28:39 +00:00
fr33domlover
8ac559d064 New datatype FedURI for @id URIs
Using a dedicated type allows to record in the type the guarantees that we
provide, such as scheme being HTTPS and authority being present. Allows to
replace ugly `fromJust` and such with direct field access.
2019-02-07 23:08:28 +00:00
fr33domlover
e325175a9c Publish 2 rotating instance-scope keys instead of the one-implicitly-shared-key
Before, there was a single key used as a personal key for all actors. Now,
things work like this:

- There are 2 keys, each time one is rotated, this way the old key remains
  valid and we can freely rotate without a risk of race conditions on other
  servers and end up with our posts being rejected
- The keys are explicitly instance-scope keys, all actors refer to them
- We add the ActivityPub-Actor header to all activity POSTs we send, to declare
  for which specific actor our signature applies. Activities and otherwise
  different payloads may have varying ways to specify attribution; using this
  header will be a standard uniform way to specify the actor, regardless of
  payload format. Of course, servers should make sure the actual activity is
  attributed to the same actor we specified in the header. (This is important
  with instance-scope keys; for personal keys it's not critical)
2019-02-07 10:34:33 +00:00
fr33domlover
8166d5b5eb Support for instance-scope keys when verifying HTTP signature 2019-02-06 02:48:23 +00:00
fr33domlover
400245cf34 Accept HTTP signatures made with shared instance-scope actor keys 2019-02-05 13:02:15 +00:00
fr33domlover
e8a5ef4e86 Replace unused symbol name with underscore 2019-02-05 12:56:06 +00:00
fr33domlover
d4c7fa5809 When parsing ID URIs in AP JSON, make sure their authority part is non-empty 2019-02-05 12:54:55 +00:00
fr33domlover
c2c4e24497 Support actor key expiration
Allow keys to specify expiration time using w3c security vocabulary. If a key
has expired, we treat it like sig validation failure and re-fetch the key from
the other server. And we never accept a sig, even a valid sig, if the key has
expired.

Since servers keep actors and keys in the DB, expiration can be a nice way to
ask that keys aren't used more than we want them to. The security vocab spec
also recommends to set expiration time on keys, so it's nice to support this
feature.
2019-02-05 04:05:44 +00:00
fr33domlover
37b3416a41 Support remote actors specifying 2 keys, and DB storage of these keys
It's now possible for activities we be attributed to actors that have more than
one key. We allow up to 2 keys. We also store in the DB. Scaling to support any
number of keys is trivial, but I'm limiting to 2 to avoid potential trouble and
because 2 is the actual number we need.

By having 2 keys, and replacing only one of them in each rotation, we avoid
race conditions. With 1 key, the following can happen:

1. We send an activity to another server
2. We rotate our key
3. The server reaches the activity in its processing queue, tries to verify our
   request signature, but fails because it can't fetch the key. It's the old
   key and we discarded it already, replaced it with the new one

When we use 2 keys, the previous key remains available and other servers have
time to finish processing our requests signed with that key. We can safely
rotate, without worrying about whether the user sent anything right before the
rotation time.

Caveat: With this feature, we allow OTHER servers to rotate freely. It's safe
because it's optional, but it's just Vervis right now. Once Vervis itself
starts using 2 keys, it will be able to rotate freely without race condition
risk, but probably Mastodon etc. won't accept its signatures because of the use
of 2 keys and because they're server-scope keys.

Maybe I can get these features adopted by the fediverse?
2019-02-04 19:38:50 +00:00
fr33domlover
02da508ed0 Allow actor publicKey to be a URI, and require the URI to match the Sig keyId 2019-02-04 10:07:25 +00:00
fr33domlover
c336d56036 Allow actor public key to be in a separate document 2019-02-03 23:39:56 +00:00
fr33domlover
8db38c087f Allow other servers to do blind key rotation by re-fetching if sig is invalid 2019-02-03 15:05:28 +00:00
fr33domlover
b0b2aa83c5 Store remote actor keys in the DB, reuse them instead of GETing every time 2019-02-03 13:58:14 +00:00
fr33domlover
21c8df1251 Actor public key specifies whether it's shared
Shared key means the key is used for multiple actors. I'm not sure explicitly
specifying this will be necessary, but I prefer to have it in place to help
with debugging in case something unexpected comes from other servers, or my
format overlaps with stuff used in other software and encodes a different
meaning.

Each public key can specify whether it's shared or personal, and this patch
checks for that when verifying a request signature. It rejects shared keys,
accepting valid sigs only from personal keys.

Very soon I'll add shared key support.
2019-02-03 11:12:18 +00:00
fr33domlover
991296faa1 Move some JSON/AP codec utils to new Data.Aeson.Local module 2019-02-03 11:01:36 +00:00
fr33domlover
e6f987817e Fix: HTTP signature wasn't being sent in AP POSTs 2019-02-03 10:59:35 +00:00