Commit graph

56 commits

Author SHA1 Message Date
fr33domlover
e31c8c600b Turn some AP ticket fields into Maybes 2019-06-04 09:36:14 +00:00
fr33domlover
708f626294 Provide ActivityPub representation of tickets in getTicketR 2019-06-03 21:52:34 +00:00
fr33domlover
c7dccbb7fe Render in advance and store comment content as HTML alongside Markdown source 2019-06-02 14:41:51 +00:00
fr33domlover
d1fea9eb51 Store names of remote actors in DB for display 2019-05-21 08:44:11 +00:00
fr33domlover
2573ff1d93 Parse and publish actor outboxes 2019-05-21 00:36:05 +00:00
fr33domlover
7bcbe52274 Implement getOutboxR, both (trivial) HTML and AS2 2019-05-20 23:51:06 +00:00
fr33domlover
6d304b9307 Smarter treatment of recipients that are collections
- Allow client to specify recipients that don't need to be delivered to
- When fetching recipient, recognize collections and don't try to deliver to
  them
- Remember collections in DB, and use that to skip HTTP delivery
2019-05-17 22:42:01 +00:00
fr33domlover
48882d65ad Allow AP C2S client to list recipients that aren't actors to deliver to 2019-05-17 10:47:53 +00:00
fr33domlover
07281f6900 Fix infinite loop in ActivityPub audience parsing 2019-05-16 21:22:45 +00:00
fr33domlover
b12ad49b62 Remove unused accidentally left line 2019-05-16 21:21:51 +00:00
fr33domlover
b0a26722d3 Do inbox forwarding in project inbox handler 2019-05-03 21:04:53 +00:00
fr33domlover
3d9438714b In sharer inbox, accept forwarded activities, including ones of local users 2019-05-01 23:13:22 +00:00
fr33domlover
951364036f Update activity POSTing code to use the new forwarding mechanism
It's not documented yet, but basically I replaced the custom input string with
an HTTPSig based one.
2019-04-28 10:18:50 +00:00
fr33domlover
71d21ad459 In httpPostAP, support the new signature headers 2019-04-26 00:25:50 +00:00
fr33domlover
57374ec816 When POSTing activities, set a Digest header using SHA-256 2019-04-25 15:49:15 +00:00
fr33domlover
7c2fad7417 Implement fetchAPIDOrH using a dedicated error type 2019-04-16 16:10:17 +00:00
fr33domlover
d5eefd1553 Implement outbox remote delivery, in handler and periodic, not used yet 2019-04-16 14:27:50 +00:00
fr33domlover
1d854423cb Switch Audience from Vector to list and fix Public bug
* No good reason to use Vector, let's use list, it's just easier
* The Public URI recognizing code wasn't being used; now it is
2019-04-01 23:40:29 +00:00
fr33domlover
0032456925 Add noteAudience; record recipient of local remotely-targetted activities in DB 2019-03-23 02:57:34 +00:00
fr33domlover
58a56b6743 Make noteId optional, to support taking a Note in postOutboxR 2019-03-23 02:05:30 +00:00
fr33domlover
88d4c976ee Add route getMessageR, returns an Activity Note for any locally created Message 2019-03-22 20:46:42 +00:00
fr33domlover
ad3a20d783 Receive remote comments on local ticket discussion 2019-03-21 22:57:15 +00:00
fr33domlover
72f96a0dff When verifying HTTPsig, return iid&rsid and remove duplicate shared usage check
* Adapt DB related code to return the InstanceId and RemoteSharerId
* Previously, when fetching a known shared key, we were running a DB
  check/update for the shared usage record. I noticed - and hopefully I
  correctly noticed - that this check already runs when we discover the keyId
  points to a shared key we already know. So, after successful sig
  verification, there's no need to run the check again. So I removed it.
2019-03-21 21:38:59 +00:00
fr33domlover
061c84349d Recognize the 3 variants of the Public collection URI when parsing audience 2019-03-21 19:13:36 +00:00
fr33domlover
747bbd5f0c Publish actor documents for projects, and add some new properties to Actor 2019-03-20 12:01:10 +00:00
fr33domlover
ade1157a04 Add a custom ActivityPub actor type: Project 2019-03-20 10:36:00 +00:00
fr33domlover
6f3df6d569 Allow actors not to list any public keys at all 2019-03-20 09:31:08 +00:00
fr33domlover
9e881554ea Make frg:isShared key property optional, it was accidentally required 2019-03-15 16:33:10 +00:00
fr33domlover
0e0afa78f9 Parse/encoding audience targetting activity fields 2019-03-14 02:30:36 +00:00
fr33domlover
24c091a248 Add activity types Follow, Accept, Reject 2019-03-13 23:37:58 +00:00
fr33domlover
2a39378468 HTTP Signature verification: RSA-SHA256 and PEM/ASN1 support
Before, things worked like this:

* Only signatures of Ed25519 keys could be verified
* Key encoding placed the plain binary Ed25519 key in the PEM, instead of the
  key's ASN1 encoding

With this patch it now works like this:

* Ed25519 signatures are supported as before
* RSA keys are now supported too, assuming RSA-SHA256 signatures
* Both Ed25519 and RSA keys are encoded and decoded using actual PEM with ASN1
2019-03-10 23:15:42 +00:00
fr33domlover
ef57f29a54 Adapt Activity/Create/Note to new ActivityPub typeclass and add safety checks 2019-03-10 06:42:03 +00:00
fr33domlover
6e721797e9 Catch sig generation error when sending signed HTTP POST 2019-03-05 08:26:41 +00:00
fr33domlover
17524b6ee1 Remove hardcoded-to-2 limit on length of an actor's list of public keys 2019-02-24 01:21:42 +00:00
fr33domlover
0912b8e291 Use the DB for checking key usage by actors
* When we refetch a personal key, we never need to separately fetch the actor
* When we refetch a shared key, check usage in DB and insert usage to DB
2019-02-23 17:17:52 +00:00
fr33domlover
b53a7b4f48 Refactor actor key fetching code a bit 2019-02-22 08:30:43 +00:00
fr33domlover
1affe269bb Refactor HTTP sig verification DB update code 2019-02-22 07:20:19 +00:00
fr33domlover
d3e14b3edf Add LocalURI type for recording shared URI host 2019-02-21 23:59:53 +00:00
fr33domlover
aefb2aaee7 Add InstanceURI datatype 2019-02-20 07:40:25 +00:00
fr33domlover
312ccf6979 When verifying HTTP sig with known shared key, verify actor lists the key
Previously, when verifying an HTTP signature and we fetched the key and
discovered it's shared, we'd fetch the actor and make sure it lists the key URI
in the `publicKey` field. But if we already knew the key, had it cached in our
DB, we wouldn't check the actor at all, despite not knowing whether it lists
the key.

With this patch, we now always GET the actor when the key is shared,
determining the actor URI from the `ActivityPub-Actor` request header, and we
verify that the actor lists the key URI. We do that regardless of whether or
not we have the key in the DB, although these two cases and handled in
different parts of the code right now (for a new key, it's in Web.ActivityPub
fetchKey; for a known key, it's in Vervis.Foundation httpVerifySig).
2019-02-18 09:20:13 +00:00
fr33domlover
fa5c509a25 When we fetch a stand-alone personal key, make sure AP-Actor matches key owner
If the key we fetched is a shared key, the only way to determine the actor to
which the signature applies is to read the HTTP header ActivityPub-Actor. But
if it's a personal key, we can detect the actor by checking the key's owner
field. Still, if that actor header is provided, we now compare it to the key
owner and make sure they're identical.

When fetching a key that is embedded in the actor document, we were already
comparing the actor ID with the actor header, so that part didn't require
changes.
2019-02-17 00:14:05 +00:00
fr33domlover
9e0314fa09 Store remote actors' inbox URIs in DB, avoiding some actor fetch
When a local user wants to publish an activity, we were always GETing the
recipient actor, so that we could determine their inbox and POST the activity
to it. But now, instead, whenever we GET an actor (whether it's for the key sig
verification or for determining inbox URI), we keep their inbox URI in the
database, and we don't need to GET it again next time.
2019-02-14 23:27:40 +00:00
fr33domlover
754709833a When a client posts to their outbox, allow only Create Note, not near-any JSON 2019-02-12 11:53:24 +00:00
fr33domlover
8ac559d064 New datatype FedURI for @id URIs
Using a dedicated type allows to record in the type the guarantees that we
provide, such as scheme being HTTPS and authority being present. Allows to
replace ugly `fromJust` and such with direct field access.
2019-02-07 23:08:28 +00:00
fr33domlover
e325175a9c Publish 2 rotating instance-scope keys instead of the one-implicitly-shared-key
Before, there was a single key used as a personal key for all actors. Now,
things work like this:

- There are 2 keys, each time one is rotated, this way the old key remains
  valid and we can freely rotate without a risk of race conditions on other
  servers and end up with our posts being rejected
- The keys are explicitly instance-scope keys, all actors refer to them
- We add the ActivityPub-Actor header to all activity POSTs we send, to declare
  for which specific actor our signature applies. Activities and otherwise
  different payloads may have varying ways to specify attribution; using this
  header will be a standard uniform way to specify the actor, regardless of
  payload format. Of course, servers should make sure the actual activity is
  attributed to the same actor we specified in the header. (This is important
  with instance-scope keys; for personal keys it's not critical)
2019-02-07 10:34:33 +00:00
fr33domlover
8166d5b5eb Support for instance-scope keys when verifying HTTP signature 2019-02-06 02:48:23 +00:00
fr33domlover
400245cf34 Accept HTTP signatures made with shared instance-scope actor keys 2019-02-05 13:02:15 +00:00
fr33domlover
c2c4e24497 Support actor key expiration
Allow keys to specify expiration time using w3c security vocabulary. If a key
has expired, we treat it like sig validation failure and re-fetch the key from
the other server. And we never accept a sig, even a valid sig, if the key has
expired.

Since servers keep actors and keys in the DB, expiration can be a nice way to
ask that keys aren't used more than we want them to. The security vocab spec
also recommends to set expiration time on keys, so it's nice to support this
feature.
2019-02-05 04:05:44 +00:00
fr33domlover
37b3416a41 Support remote actors specifying 2 keys, and DB storage of these keys
It's now possible for activities we be attributed to actors that have more than
one key. We allow up to 2 keys. We also store in the DB. Scaling to support any
number of keys is trivial, but I'm limiting to 2 to avoid potential trouble and
because 2 is the actual number we need.

By having 2 keys, and replacing only one of them in each rotation, we avoid
race conditions. With 1 key, the following can happen:

1. We send an activity to another server
2. We rotate our key
3. The server reaches the activity in its processing queue, tries to verify our
   request signature, but fails because it can't fetch the key. It's the old
   key and we discarded it already, replaced it with the new one

When we use 2 keys, the previous key remains available and other servers have
time to finish processing our requests signed with that key. We can safely
rotate, without worrying about whether the user sent anything right before the
rotation time.

Caveat: With this feature, we allow OTHER servers to rotate freely. It's safe
because it's optional, but it's just Vervis right now. Once Vervis itself
starts using 2 keys, it will be able to rotate freely without race condition
risk, but probably Mastodon etc. won't accept its signatures because of the use
of 2 keys and because they're server-scope keys.

Maybe I can get these features adopted by the fediverse?
2019-02-04 19:38:50 +00:00
fr33domlover
02da508ed0 Allow actor publicKey to be a URI, and require the URI to match the Sig keyId 2019-02-04 10:07:25 +00:00