Commit graph

266 commits

Author SHA1 Message Date
fr33domlover
acb86ab621 DB: Add RemoteObject entity and use it in RemoteActivity instead of iid+lu 2019-11-05 04:08:36 +00:00
fr33domlover
4dcd6eb1b2 UI: Some tweaks, following ikomi's suggestions, thank you ikomi :) 2019-10-31 11:29:00 +00:00
fr33domlover
0673ed0bb4 DB: Remove the "manual" fields from follow records
Follows used to be added automatically, without a Follow activity sent by the
client. They aren't added automatically anymore, so there's no need for those
"manual" boolean fields.
2019-10-22 10:25:33 +00:00
fr33domlover
9ec4142737 In settings, set the default instance host to localhost
It was vervis.localhost, probably a remainder from the time before the FedURI
rewrite, where it had to contain a period character. Now, in dev mode, it needs
to *not* contain one, and localhost works just fine and makes sense more than
anything else probably.
2019-10-22 08:26:49 +00:00
fr33domlover
bc379a864f Provide 'following' collections and link in page header 2019-10-19 08:15:48 +00:00
fr33domlover
b030320964 C2S: Process the HTML forms in postPublishR, not postSharerOutboxR 2019-10-19 02:41:36 +00:00
fr33domlover
a419db5b5b Publish AS2 representation of SSH keys and list SSH keys in actor documents 2019-10-17 08:37:48 +00:00
fr33domlover
6cb86ebbf1 Install darcs post-apply hooks in darcs repos, no-op hook for now
In Darcs, any command can have a post hook (and a pre hook), and the hook
command can be set using a command-line option to the darcs command that you
run. So, in the Vervis SSH server, if we add a --posthook option when running
`darcs apply` to apply remotely received patches, we get a chance to process
the patch data much like in the git post-receive hook.

The setup this patch creates is similar to the git one: It writes a
_darcs/prefs/defaults file to all Darcs repos, and that defaults file sets the
posthook line for `darcs apply`. The posthook line simply executes the actual
hook program written in Haskell.

The current hook program is a one-liner that prints a line to stdout, so every
time you `darcs push` you can tell the hook got executed. The next step is to
implement the actual hook logic, by reading patch data from the environment
variable in which Darcs puts it.
2019-10-07 14:05:52 +00:00
fr33domlover
bbe6f159d0 Implement C2S unfollowing, using Undo{Follow} 2019-10-05 14:10:29 +00:00
fr33domlover
5a7700ffe4 Implement remote following, disable automatic following
This patch contains migrations that require that there are no follow records.
If you have any, the migration will (hopefully) fail and you'll need to
manually delete any follow records you have. In the next patch I'll try to add
automatic following on the pseudo-client side by running both e.g. createNoteC
and followC in the same POST request handler.
2019-09-25 10:43:05 +00:00
fr33domlover
525a722439 Implement C2S Follow activity and add form on /publish page 2019-09-11 08:12:20 +00:00
fr33domlover
544ebae3fd Specify visibility in Follow records 2019-09-09 00:33:36 +00:00
fr33domlover
68e8b094a0 Handle post-receive hook, publish a Push activity 2019-09-09 00:27:45 +00:00
fr33domlover
3c01f4136c Mechanism for reporting git pushes to Vervis via post-receive hooks
Here's how it works:

- When Vervis starts, it writes a config file and it writes post-receive hooks
  into all the repos it manages
- When a git push is accepted, git runs the post-receive hook, which is a
  trivial shell script that executes the actual Haskell program implementing
  the hook logic
- The Haskell hook program generates a Push JSON object and HTTP POSTs it to
  Vervis running on localhost
- Vervis currently responds with an error, the next step is to implement the
  actual publishing of ForgeFed Push activities
2019-09-05 12:02:42 +00:00
fr33domlover
d4d45c6fe7 AP representation of git repo branches & preparation for Push activities 2019-08-28 15:31:40 +00:00
fr33domlover
8fc5c80dd6 New Network.FedURI with separate URI modes for dev and for fediverse
FedURIs, until now, have been requiring HTTPS, and no port number, and DNS
internet domain names. This works just fine on the forge fediverse, but it
makes local dev builds much less useful.

This patch introduces URI types that have a type tag specifying one of 2 modes:

- `Dev`: Works with URIs like `http://localhost:3000/s/fr33`
- `Fed`: Works with URIs like `https://dev.community/s/fr33`

This should allow even to run multiple federating instances for development,
without needing TLS or reverse proxies or editing the hosts files or anything
like that.
2019-07-23 13:59:48 +00:00
fr33domlover
81a05a950f Implement getTicketDepR, not used anywhere else yet
This patch also disables the ability to specify deps when creating a ticket,
because those deps won't be in the ticket object anymore. Instead of coding a
workaround and getting complications later, I just disabled that thing. It
wasn't really being used by anyone anyway.
2019-07-11 15:14:16 +00:00
fr33domlover
828e015c54 Rename TicketDepR to TicketDepOldR; we're going to use TicketDepR in a new way 2019-07-08 15:54:41 +00:00
fr33domlover
89f2f91199 Remove build-time settings from settings template
The settings file is now used only during run time, and build-time settings are
set directly in source code. This patch removes those settings from the YAML
file, since they're unused, to avoid confusion.
2019-06-29 23:55:50 +00:00
fr33domlover
6d72d676e7 Switch OutboxItem's Activity from plain BL to an upgraded PersistJSONObject 2019-06-29 03:19:00 +00:00
fr33domlover
e10b4d452a Treat outbox items in DB as bytestrings to avoid depending on JSON parsing 2019-06-28 23:15:08 +00:00
fr33domlover
07f76d2a6f Publish Accept activity when creating a new ticket from the Offer 2019-06-26 01:12:11 +00:00
fr33domlover
fb909adf2e Handle Offer{Ticket} in project inbox, and turn DB ticketTitle into HTML 2019-06-17 19:55:03 +00:00
fr33domlover
e1ae75b50c Add project outbox and outbox item routes 2019-06-16 21:37:31 +00:00
fr33domlover
a65979f5af Give Project an Outbox in the DB 2019-06-16 21:34:06 +00:00
fr33domlover
5aaf2ba8a9 Rename OutboxR to SharerOutboxR, because projects will have outboxes too 2019-06-16 14:58:00 +00:00
fr33domlover
499479b662 Decouple OutboxItem from Person via a new table named Outbox 2019-06-15 18:51:26 +00:00
fr33domlover
1fb1829f6e Generate an Offer Ticket for every ticket, including project inbox item
CRITICAL: Due to the requirement that each new ticket points to its Offer
activity, ticket creation has been disabled! The next patches should implement
C2S submission of Offer Ticket, and then ticket creation will work again. Sorry
for that.
2019-06-14 17:45:37 +00:00
fr33domlover
0aaec575d9 Change default instance host from 'localhost' to 'vervis.localhost'
That way it satisfies the current requirements for a valid FedURI.
2019-06-14 17:44:29 +00:00
fr33domlover
b40ef116b1 For tickets by remote authors, link in the DB to the RemoteActivity, the Offer 2019-06-12 22:14:19 +00:00
fr33domlover
61d1029926 Project team and followers
* Have a project team collection, content is the same as ticket team (but
  potentially ticket team allows people to opt out of updates on specific
  tickets, while project team isn't tied to any specific ticket or other child
  object)
* Have a project followers collection, and address it in ticket comments in
  addition to the already used recipients (project, ticket team, ticket
  followers)
2019-06-11 12:19:51 +00:00
fr33domlover
322d09658e (Hopefully correctly) fill project inboxes with ticket comment Create Notes 2019-06-09 18:41:37 +00:00
fr33domlover
f4e324e587 Give each project an inbox in DB 2019-06-09 16:21:23 +00:00
fr33domlover
f70aa42060 Add UniquePersonInbox to persistent model; each user has their own unique inbox 2019-06-09 15:56:42 +00:00
fr33domlover
090c562553 Add an Inbox table in DB, make inbox related tables use it instead of Person
This allows the inbox system to be separate from Person, allowing other kinds
of objects to have inboxes too. Much like there's FollowerSet which works
separately from Tickets, and will allow to have follower sets for projects,
users, etc. too.

Inboxes are made independent from Person users because I'm going to give
Projects inboxes too.
2019-06-09 13:16:32 +00:00
fr33domlover
b1897a20c0 Allow ticket author to be a remote actor 2019-06-07 04:26:32 +00:00
fr33domlover
708f626294 Provide ActivityPub representation of tickets in getTicketR 2019-06-03 21:52:34 +00:00
fr33domlover
f7432e515c Add ticketDescription DB entity field, containing pandoc-rendered HTML 2019-06-03 12:45:02 +00:00
fr33domlover
c7dccbb7fe Render in advance and store comment content as HTML alongside Markdown source 2019-06-02 14:41:51 +00:00
fr33domlover
facf4d7f3e Rename messageContent field to messageSource; content will soon be HTML 2019-06-02 12:04:35 +00:00
fr33domlover
21b7325c1b Rename role related tables to reflect the role unification
There used to be project roles and repo roles, and they were separate. A while
ago I merged them, and there has been a single role system, used with both
repos and projects. However the table names were still "ProjectRole" and things
like that. This patch renames some tables to just refer to a "Role" because
there's only one kind of role system.
2019-05-31 15:02:57 +00:00
fr33domlover
eb514b8c3f Use path segment in HighlightStyleR, addStylesheet doesn't support query params 2019-05-27 19:54:11 +00:00
fr33domlover
e02a0fa4db Make pandoc highlight style configurable in settings and in query parameter 2019-05-27 18:30:48 +00:00
fr33domlover
b8b226d15c Highlight code segments in pandoc rendered source file views 2019-05-27 13:28:57 +00:00
fr33domlover
e848fe5fed Add unique UniqueLocalMessageCreate 2019-05-25 12:59:54 +00:00
fr33domlover
e81eb80b8b Add field localMessageCreate, pointing to the OutboxItem that created it
I added a migration that creates an ugly fake OutboxItem for messages that
don't have one. I'll try to turn it into a real one. And then very possibly
remove the whole ugly migration, replacing it with addFielfRefRequiredEmpty,
which should work for empty instances.
2019-05-25 03:23:57 +00:00
fr33domlover
c531f41565 Implement basic notifications in DB and UI 2019-05-22 21:50:30 +00:00
fr33domlover
d1fea9eb51 Store names of remote actors in DB for display 2019-05-21 08:44:11 +00:00
fr33domlover
6d304b9307 Smarter treatment of recipients that are collections
- Allow client to specify recipients that don't need to be delivered to
- When fetching recipient, recognize collections and don't try to deliver to
  them
- Remember collections in DB, and use that to skip HTTP delivery
2019-05-17 22:42:01 +00:00
fr33domlover
a6bfb0cf36 Show note about federation being disabled, and list other known instances 2019-05-05 22:00:26 +00:00
fr33domlover
25a8ea6b8b Reorder routes to correct the route resolution 2019-05-05 20:51:48 +00:00
fr33domlover
8303baa69d Implement GETing the personal inbox 2019-05-05 10:20:55 +00:00
fr33domlover
f6eaca2fa8 When project receives remote ticket comment, add author to followers 2019-05-03 23:55:49 +00:00
fr33domlover
b0a26722d3 Do inbox forwarding in project inbox handler 2019-05-03 21:04:53 +00:00
fr33domlover
5d5c56695e Remember for deliveries in the DB, whether they should sign forwarding 2019-05-02 09:31:56 +00:00
fr33domlover
46fb4d1512 Add settings switch for activity debug reports 2019-04-25 22:46:27 +00:00
fr33domlover
f462a67680 Implement sharer inbox handler
It runs checks against all the relevant tables, but ultimately just inserts the
activity into the recipient's inbox and nothing more, leaving the RemoteMessage
creation and inbox forwarding to the project inbox handler.
2019-04-23 02:57:53 +00:00
fr33domlover
e06f40b665 Switch from single inbox to individual inbox URIs; disable inbox post for now
Inbox post is disabled but in the next patches I'll code and integrate a fixed
complete one, hopefully finally getting ticket comment federation ready for
testing.

I'm making this change because if an actor receives an activity due to being
addressed in bto, ot bcc, or being listed in some remote collection, the server
doesn't have a way to tell which actor(s) are the intended recipients, without
having an individual inbox URL for each actor. I could use a different hack for
this, but it wouldn't be compatible with other AP servers (unless the whole
fediverse agrees on a method).

I wasn't using sharedInbox anyway, and it's an optimization either way.
2019-04-21 10:58:57 +00:00
fr33domlover
f37b9b3f52 Run the delivery worker priodically, settings control how often to run 2019-04-18 10:38:01 +00:00
fr33domlover
d5eefd1553 Implement outbox remote delivery, in handler and periodic, not used yet 2019-04-16 14:27:50 +00:00
fr33domlover
7946fe441d Add field errorSince to RemoteActor to track inbox POST unreachability 2019-04-12 01:09:45 +00:00
fr33domlover
3f9364e4aa Rename RemoteSharer entity to RemoteActor 2019-04-12 00:56:27 +00:00
fr33domlover
9a306e762c Unfinished updated outbox handler 2019-04-11 13:44:44 +00:00
fr33domlover
7dda068ba3 Make the DB migrations not depend on current model 2019-04-11 13:26:57 +00:00
fr33domlover
0c280c7af6 Add setting that says how much time to keep retrying activity delivery 2019-04-01 23:38:44 +00:00
fr33domlover
c2415301bc More type-safe handling of DB key Hashids 2019-03-29 03:25:32 +00:00
fr33domlover
228e954706 Create Note outbox handler, not in use yet
I wrote a function handleOutboxNote that's supposed to do the whole outbox POST
handler process. There's an outbox item table in the DB now, I adapted things
in various source files. Ticket comment federation work is still in progress.
2019-03-28 21:08:30 +00:00
fr33domlover
cdb1c8b121 Add settings option to disable federation 2019-03-25 00:17:24 +00:00
fr33domlover
85c6354291 Switch jsonb support from persistent-postgresql to a custom module
The custom module provides a parametric wrapper, allowing any specific
FromJSON/ToJSON instance to be used. It's a standalone module though, and not a
wrapper of persistent-postgresql, because persistent-postgresql uses aeson
Value and it prevents using toEncoding to get from the value directly to a
string.
2019-03-23 15:29:50 +00:00
fr33domlover
0032456925 Add noteAudience; record recipient of local remotely-targetted activities in DB 2019-03-23 02:57:34 +00:00
fr33domlover
88d4c976ee Add route getMessageR, returns an Activity Note for any locally created Message 2019-03-22 20:46:42 +00:00
fr33domlover
c27636a438 Add route /publish for sending activities, getOutboxR now free to return outbox 2019-03-22 05:17:54 +00:00
fr33domlover
ad3a20d783 Receive remote comments on local ticket discussion 2019-03-21 22:57:15 +00:00
fr33domlover
9b916c9b75 Add ID URI field to RemoteMessage 2019-03-20 13:12:22 +00:00
fr33domlover
716487f2b8 In ticket comment tree, support mixing local and remote (federated) comments 2019-03-20 08:07:37 +00:00
fr33domlover
e0de4cdcc7 Remove Discussion's nextMessage field, it's not being used anymore 2019-03-18 20:18:25 +00:00
fr33domlover
4b351ef62e Automatically set approot to https://HOST and require Host header to match 2019-03-16 17:15:31 +00:00
fr33domlover
475e398d6d Switch ticket comment IDs to use Hashids-of-MessageId instead of custom number 2019-03-15 16:36:02 +00:00
fr33domlover
2a39378468 HTTP Signature verification: RSA-SHA256 and PEM/ASN1 support
Before, things worked like this:

* Only signatures of Ed25519 keys could be verified
* Key encoding placed the plain binary Ed25519 key in the PEM, instead of the
  key's ASN1 encoding

With this patch it now works like this:

* Ed25519 signatures are supported as before
* RSA keys are now supported too, assuming RSA-SHA256 signatures
* Both Ed25519 and RSA keys are encoded and decoded using actual PEM with ASN1
2019-03-10 23:15:42 +00:00
fr33domlover
78b5bad2c4 Support bypassing email verification of new users 2019-03-04 14:51:51 +00:00
fr33domlover
c41f1183e0 Display instance host at the top of all pages 2019-03-04 09:06:23 +00:00
fr33domlover
f09bdd4141 Add key storage mode that replaces old keys instead of rejecting new ones 2019-02-26 14:00:22 +00:00
fr33domlover
2e705b6868 Make key storage limits configurable instead of hardcoding to 2 2019-02-24 01:35:07 +00:00
fr33domlover
d3e14b3edf Add LocalURI type for recording shared URI host 2019-02-21 23:59:53 +00:00
fr33domlover
4053f2f2b4 Record usage of instance keys in the DB
When we verify an HTTP signature,

* If we know the key, check in the DB whether we know the actor lists it. If it
  doesn't, and there's room left for keys, HTTP GET the actor and update the DB
  accordingly.
* If we know the key but had to update it, do the same, check usage in DB and
  update DB if needed
* If we don't know the key, record usage in DB

However,

* If we're GETing a key and discovering it's a shared key, we GET the actor to
  verify it lists the key. When we don't know the key at all yet, that's fine
  (can be further optimized but it's marginal), but if it's a key we do know,
  it means we already know the actor and for now it's enough for us to rely
  only on the DB to test usage.
2019-02-19 10:54:55 +00:00
fr33domlover
9e0314fa09 Store remote actors' inbox URIs in DB, avoiding some actor fetch
When a local user wants to publish an activity, we were always GETing the
recipient actor, so that we could determine their inbox and POST the activity
to it. But now, instead, whenever we GET an actor (whether it's for the key sig
verification or for determining inbox URI), we keep their inbox URI in the
database, and we don't need to GET it again next time.
2019-02-14 23:27:40 +00:00
fr33domlover
e8ba301c6a Switch actor ID URIs to be /s/ACTOR instead of /p and /g
See Vervis ticket #60.
2019-02-14 22:13:58 +00:00
fr33domlover
0731597e1b List collab tables under projects section in models file 2019-02-12 11:46:12 +00:00
fr33domlover
c2bf470fb6 Generate and keep permanent salt for generating hashids for URIs 2019-02-08 21:54:22 +00:00
fr33domlover
fbc9ad2b30 Rotate actor key once a day by default, instead of once an hour
I'm not sure what the best balance is, but once an hour may end up causing a
lot more key re-fetch requests coming from other servers. I prefer to default
to once a day for now (maybe even once a week) and tighten it later if needed.

Caveat: If an instance key is rotated once a day, there's no
change-key-right-after-toot-deletion thing for deniability. Potentially,
rotation may happen only 24 hours after that deletion, which is much more than
1 hour. On the other hand, it's a whole instance key, not personal key of the
actor.
2019-02-07 23:28:39 +00:00
fr33domlover
8ac559d064 New datatype FedURI for @id URIs
Using a dedicated type allows to record in the type the guarantees that we
provide, such as scheme being HTTPS and authority being present. Allows to
replace ugly `fromJust` and such with direct field access.
2019-02-07 23:08:28 +00:00
fr33domlover
e325175a9c Publish 2 rotating instance-scope keys instead of the one-implicitly-shared-key
Before, there was a single key used as a personal key for all actors. Now,
things work like this:

- There are 2 keys, each time one is rotated, this way the old key remains
  valid and we can freely rotate without a risk of race conditions on other
  servers and end up with our posts being rejected
- The keys are explicitly instance-scope keys, all actors refer to them
- We add the ActivityPub-Actor header to all activity POSTs we send, to declare
  for which specific actor our signature applies. Activities and otherwise
  different payloads may have varying ways to specify attribution; using this
  header will be a standard uniform way to specify the actor, regardless of
  payload format. Of course, servers should make sure the actual activity is
  attributed to the same actor we specified in the header. (This is important
  with instance-scope keys; for personal keys it's not critical)
2019-02-07 10:34:33 +00:00
fr33domlover
8166d5b5eb Support for instance-scope keys when verifying HTTP signature 2019-02-06 02:48:23 +00:00
fr33domlover
c2c4e24497 Support actor key expiration
Allow keys to specify expiration time using w3c security vocabulary. If a key
has expired, we treat it like sig validation failure and re-fetch the key from
the other server. And we never accept a sig, even a valid sig, if the key has
expired.

Since servers keep actors and keys in the DB, expiration can be a nice way to
ask that keys aren't used more than we want them to. The security vocab spec
also recommends to set expiration time on keys, so it's nice to support this
feature.
2019-02-05 04:05:44 +00:00
fr33domlover
37b3416a41 Support remote actors specifying 2 keys, and DB storage of these keys
It's now possible for activities we be attributed to actors that have more than
one key. We allow up to 2 keys. We also store in the DB. Scaling to support any
number of keys is trivial, but I'm limiting to 2 to avoid potential trouble and
because 2 is the actual number we need.

By having 2 keys, and replacing only one of them in each rotation, we avoid
race conditions. With 1 key, the following can happen:

1. We send an activity to another server
2. We rotate our key
3. The server reaches the activity in its processing queue, tries to verify our
   request signature, but fails because it can't fetch the key. It's the old
   key and we discarded it already, replaced it with the new one

When we use 2 keys, the previous key remains available and other servers have
time to finish processing our requests signed with that key. We can safely
rotate, without worrying about whether the user sent anything right before the
rotation time.

Caveat: With this feature, we allow OTHER servers to rotate freely. It's safe
because it's optional, but it's just Vervis right now. Once Vervis itself
starts using 2 keys, it will be able to rotate freely without race condition
risk, but probably Mastodon etc. won't accept its signatures because of the use
of 2 keys and because they're server-scope keys.

Maybe I can get these features adopted by the fediverse?
2019-02-04 19:38:50 +00:00
fr33domlover
c336d56036 Allow actor public key to be in a separate document 2019-02-03 23:39:56 +00:00
fr33domlover
b0b2aa83c5 Store remote actor keys in the DB, reuse them instead of GETing every time 2019-02-03 13:58:14 +00:00
fr33domlover
cd8ed9ef89 Hold a persistent server key for ocap signatures 2019-01-30 03:12:42 +00:00
fr33domlover
c0965a4c47 Default roles for repos and turn user/anon collab tables into proj/repo fields
* Repo collab now supports basic default roles developer/user/guest like
  project collab does
* User/Anon collab for repos and projects are now stored as fields instead of
  in dedicated tables, there was never a need for dedicated tables but I didn't
  see that before
* Repo push op is now part of `ProjectOperation`
* `RepoRole` and related code has been entirely removed, only project roles
  remain and they're used for both repos and projects
* This is the first not-totally-trivial DB migration in Vervis, it's automatic
  but please be careful and report errors
2019-01-29 22:24:32 +00:00
fr33domlover
5cba838917 Enable basic default project roles
* When adding collaborators, you don't need a custom role. If you don't choose
  one, a basic default "developer" role will be used
* If you don't assign a `ProjectCollabUser` role, a default "user" role is
  assumed for logged in users, otherwise a "guest" role
* The "guest" role currently has no access at all
* Theoretically there may also be a "maintainer" role allowing project
  sharers/maintainers to give maintainer-level access to more people, but right
  now maintainer role would be the same as developer so I haven't added it yet
2019-01-28 14:43:07 +00:00