Commit graph

492 commits

Author SHA1 Message Date
fr33domlover
0731597e1b List collab tables under projects section in models file 2019-02-12 11:46:12 +00:00
fr33domlover
c2bf470fb6 Generate and keep permanent salt for generating hashids for URIs 2019-02-08 21:54:22 +00:00
fr33domlover
9536d870e5 Add utility for loading permanent key files, and use it for ocap signing key 2019-02-08 03:13:56 +00:00
fr33domlover
fbc9ad2b30 Rotate actor key once a day by default, instead of once an hour
I'm not sure what the best balance is, but once an hour may end up causing a
lot more key re-fetch requests coming from other servers. I prefer to default
to once a day for now (maybe even once a week) and tighten it later if needed.

Caveat: If an instance key is rotated once a day, there's no
change-key-right-after-toot-deletion thing for deniability. Potentially,
rotation may happen only 24 hours after that deletion, which is much more than
1 hour. On the other hand, it's a whole instance key, not personal key of the
actor.
2019-02-07 23:28:39 +00:00
fr33domlover
8ac559d064 New datatype FedURI for @id URIs
Using a dedicated type allows to record in the type the guarantees that we
provide, such as scheme being HTTPS and authority being present. Allows to
replace ugly `fromJust` and such with direct field access.
2019-02-07 23:08:28 +00:00
fr33domlover
e325175a9c Publish 2 rotating instance-scope keys instead of the one-implicitly-shared-key
Before, there was a single key used as a personal key for all actors. Now,
things work like this:

- There are 2 keys, each time one is rotated, this way the old key remains
  valid and we can freely rotate without a risk of race conditions on other
  servers and end up with our posts being rejected
- The keys are explicitly instance-scope keys, all actors refer to them
- We add the ActivityPub-Actor header to all activity POSTs we send, to declare
  for which specific actor our signature applies. Activities and otherwise
  different payloads may have varying ways to specify attribution; using this
  header will be a standard uniform way to specify the actor, regardless of
  payload format. Of course, servers should make sure the actual activity is
  attributed to the same actor we specified in the header. (This is important
  with instance-scope keys; for personal keys it's not critical)
2019-02-07 10:34:33 +00:00
fr33domlover
8166d5b5eb Support for instance-scope keys when verifying HTTP signature 2019-02-06 02:48:23 +00:00
fr33domlover
400245cf34 Accept HTTP signatures made with shared instance-scope actor keys 2019-02-05 13:02:15 +00:00
fr33domlover
e8a5ef4e86 Replace unused symbol name with underscore 2019-02-05 12:56:06 +00:00
fr33domlover
d4c7fa5809 When parsing ID URIs in AP JSON, make sure their authority part is non-empty 2019-02-05 12:54:55 +00:00
fr33domlover
c2c4e24497 Support actor key expiration
Allow keys to specify expiration time using w3c security vocabulary. If a key
has expired, we treat it like sig validation failure and re-fetch the key from
the other server. And we never accept a sig, even a valid sig, if the key has
expired.

Since servers keep actors and keys in the DB, expiration can be a nice way to
ask that keys aren't used more than we want them to. The security vocab spec
also recommends to set expiration time on keys, so it's nice to support this
feature.
2019-02-05 04:05:44 +00:00
fr33domlover
37b3416a41 Support remote actors specifying 2 keys, and DB storage of these keys
It's now possible for activities we be attributed to actors that have more than
one key. We allow up to 2 keys. We also store in the DB. Scaling to support any
number of keys is trivial, but I'm limiting to 2 to avoid potential trouble and
because 2 is the actual number we need.

By having 2 keys, and replacing only one of them in each rotation, we avoid
race conditions. With 1 key, the following can happen:

1. We send an activity to another server
2. We rotate our key
3. The server reaches the activity in its processing queue, tries to verify our
   request signature, but fails because it can't fetch the key. It's the old
   key and we discarded it already, replaced it with the new one

When we use 2 keys, the previous key remains available and other servers have
time to finish processing our requests signed with that key. We can safely
rotate, without worrying about whether the user sent anything right before the
rotation time.

Caveat: With this feature, we allow OTHER servers to rotate freely. It's safe
because it's optional, but it's just Vervis right now. Once Vervis itself
starts using 2 keys, it will be able to rotate freely without race condition
risk, but probably Mastodon etc. won't accept its signatures because of the use
of 2 keys and because they're server-scope keys.

Maybe I can get these features adopted by the fediverse?
2019-02-04 19:38:50 +00:00
fr33domlover
02da508ed0 Allow actor publicKey to be a URI, and require the URI to match the Sig keyId 2019-02-04 10:07:25 +00:00
fr33domlover
c336d56036 Allow actor public key to be in a separate document 2019-02-03 23:39:56 +00:00
fr33domlover
8db38c087f Allow other servers to do blind key rotation by re-fetching if sig is invalid 2019-02-03 15:05:28 +00:00
fr33domlover
b0b2aa83c5 Store remote actor keys in the DB, reuse them instead of GETing every time 2019-02-03 13:58:14 +00:00
fr33domlover
21c8df1251 Actor public key specifies whether it's shared
Shared key means the key is used for multiple actors. I'm not sure explicitly
specifying this will be necessary, but I prefer to have it in place to help
with debugging in case something unexpected comes from other servers, or my
format overlaps with stuff used in other software and encodes a different
meaning.

Each public key can specify whether it's shared or personal, and this patch
checks for that when verifying a request signature. It rejects shared keys,
accepting valid sigs only from personal keys.

Very soon I'll add shared key support.
2019-02-03 11:12:18 +00:00
fr33domlover
991296faa1 Move some JSON/AP codec utils to new Data.Aeson.Local module 2019-02-03 11:01:36 +00:00
fr33domlover
e6f987817e Fix: HTTP signature wasn't being sent in AP POSTs 2019-02-03 10:59:35 +00:00
fr33domlover
cd8ed9ef89 Hold a persistent server key for ocap signatures 2019-01-30 03:12:42 +00:00
fr33domlover
c0965a4c47 Default roles for repos and turn user/anon collab tables into proj/repo fields
* Repo collab now supports basic default roles developer/user/guest like
  project collab does
* User/Anon collab for repos and projects are now stored as fields instead of
  in dedicated tables, there was never a need for dedicated tables but I didn't
  see that before
* Repo push op is now part of `ProjectOperation`
* `RepoRole` and related code has been entirely removed, only project roles
  remain and they're used for both repos and projects
* This is the first not-totally-trivial DB migration in Vervis, it's automatic
  but please be careful and report errors
2019-01-29 22:24:32 +00:00
fr33domlover
5cba838917 Enable basic default project roles
* When adding collaborators, you don't need a custom role. If you don't choose
  one, a basic default "developer" role will be used
* If you don't assign a `ProjectCollabUser` role, a default "user" role is
  assumed for logged in users, otherwise a "guest" role
* The "guest" role currently has no access at all
* Theoretically there may also be a "maintainer" role allowing project
  sharers/maintainers to give maintainer-level access to more people, but right
  now maintainer role would be the same as developer so I haven't added it yet
2019-01-28 14:43:07 +00:00
fr33domlover
dcadaed2ee Show links for adding repo/project collaborators 2019-01-27 02:56:11 +00:00
fr33domlover
577df6ddcf Add "about" field to person table, display in person page 2019-01-26 23:39:13 +00:00
fr33domlover
e9ac361f27 Uncomment new person form, it's not being used 2019-01-26 23:38:43 +00:00
fr33domlover
20c0e40638 Determine operation access in Vervis.Access, reuse it everywhere it's needed 2019-01-26 22:22:49 +00:00
fr33domlover
250701712a Move most of the DB graph modules to a separate persistent-graph library 2019-01-26 22:20:19 +00:00
fr33domlover
da6d8c008e Rename project field in Project Role assignment tables, it had the wrong name 2019-01-26 12:56:15 +00:00
fr33domlover
4875f0b9f7 Make login status display consider unverified login 2019-01-21 22:51:19 +00:00
fr33domlover
04e26a911d In httpGetAP, if we got an unexpected Content-Type, specify it in error message 2019-01-21 22:24:09 +00:00
fr33domlover
2a68bb560b Link to OutboxR for testing, instead of InboxR 2019-01-21 21:42:21 +00:00
fr33domlover
e6ee947cfd In update-deps.sh, darcs pull new patches automatically without asking 2019-01-21 21:07:56 +00:00
fr33domlover
1f47ca39eb Federation test outbox page with form for entering JSON 2019-01-21 15:54:57 +00:00
fr33domlover
2cc621e3a5 Public ActivityPub actor in PersonR
It already had one, but it didn't have a public key and it was using the old
mess of the Vervis.ActivityStreams module, which I'll possibly remove soon.
It's hopefully more elegant now.
2019-01-19 05:56:58 +00:00
fr33domlover
2a4dc345f4 Back to using the (updated) YesodHttpSig class 2019-01-19 04:21:56 +00:00
fr33domlover
393cce0ede When GETing the keyId, set Accept header to JSON-LD/AS2 2019-01-19 02:57:58 +00:00
fr33domlover
93def0dfc8 When doing httpJSON to GET keyId, use appHttpManager, not the silly global one 2019-01-19 02:33:20 +00:00
fr33domlover
61a82f52d8 Turn inbox URL in layout template into a link, accidentally didn't before 2019-01-19 02:21:23 +00:00
fr33domlover
28439b0236 Add InboxR to breadcrumbs instance, I always forget and it causes errors 2019-01-19 02:20:49 +00:00
fr33domlover
e4153fc909 Ugh I forgot *again* to commit a new source file, the actual InboxR handler 2019-01-19 01:56:50 +00:00
fr33domlover
df01560ea6 ActivityPub inbox test page
This patch includes some ugliness and commented out code. Sorry for that. I'll
clean it up soon.

Basically there's a TVar holding a Vector of at most 10 AP activities. You can
freely POST stuff to /inbox, and then GET /inbox and see what you posted, or an
error description saying why your activity was rejected.
2019-01-19 01:44:21 +00:00
fr33domlover
e22d0c000a In homepage say ForgeFed instead of GitPub (thanks zPlus!) 2019-01-19 01:43:19 +00:00
fr33domlover
822345a70e Move signup link to login line, should look a bit nicer 2019-01-19 01:41:57 +00:00
fr33domlover
853390aba0 Move signup link to the top, to be close to login link (thanks zPlus!)
It's still ugly, they appear on different lines. Ideally, should change the
layout to have the links together.
2019-01-19 01:07:09 +00:00
fr33domlover
9adf7a2e34 Fix HTTP sig default time limit, 5 minutes not 5 seconds 2019-01-19 01:06:09 +00:00
fr33domlover
499e26db48 Periodically rotated AP actor key for signing ActivityPub requests
The actor key will be used for all actors on the server. It's held in a `TVar`
so that it can always be safely updated and safely retrieved (technically there
is a single writer so IORef and MVar could work, but they require extra care
while TVar is by design suited for this sort of thing).
2019-01-14 22:08:44 +00:00
fr33domlover
adaa920aa4 Launch service thread with a function that re-throws if they fail
In Haskell by default if a thread has an exception, the main thread isn't
notified at all. This patch changes service thread launching to re-throw their
exceptions in the main thread, so that their failure is noticed.
2019-01-14 22:03:49 +00:00
fr33domlover
5862b03019 Remove HTTP connection manager, it's not being used
I suppose there's no performance difference in using one, but it requires
`http-conduit` as a build dependency, so potentially we may be reducing build
time by removing unnecessary deps.
2019-01-14 02:30:39 +00:00
fr33domlover
4c50a1fc96 Turn clone-deps.sh into a safe update-deps.sh script and document in INSTALL.md 2019-01-14 01:50:14 +00:00
fr33domlover
0e2001af0f Palette: Make the dark blue lighter, it's too dark against the #111 background 2019-01-03 10:18:09 +00:00