Commit graph

232 commits

Author SHA1 Message Date
fr33domlover
4053f2f2b4 Record usage of instance keys in the DB
When we verify an HTTP signature,

* If we know the key, check in the DB whether we know the actor lists it. If it
  doesn't, and there's room left for keys, HTTP GET the actor and update the DB
  accordingly.
* If we know the key but had to update it, do the same, check usage in DB and
  update DB if needed
* If we don't know the key, record usage in DB

However,

* If we're GETing a key and discovering it's a shared key, we GET the actor to
  verify it lists the key. When we don't know the key at all yet, that's fine
  (can be further optimized but it's marginal), but if it's a key we do know,
  it means we already know the actor and for now it's enough for us to rely
  only on the DB to test usage.
2019-02-19 10:54:55 +00:00
fr33domlover
9e0314fa09 Store remote actors' inbox URIs in DB, avoiding some actor fetch
When a local user wants to publish an activity, we were always GETing the
recipient actor, so that we could determine their inbox and POST the activity
to it. But now, instead, whenever we GET an actor (whether it's for the key sig
verification or for determining inbox URI), we keep their inbox URI in the
database, and we don't need to GET it again next time.
2019-02-14 23:27:40 +00:00
fr33domlover
e8ba301c6a Switch actor ID URIs to be /s/ACTOR instead of /p and /g
See Vervis ticket #60.
2019-02-14 22:13:58 +00:00
fr33domlover
0731597e1b List collab tables under projects section in models file 2019-02-12 11:46:12 +00:00
fr33domlover
c2bf470fb6 Generate and keep permanent salt for generating hashids for URIs 2019-02-08 21:54:22 +00:00
fr33domlover
fbc9ad2b30 Rotate actor key once a day by default, instead of once an hour
I'm not sure what the best balance is, but once an hour may end up causing a
lot more key re-fetch requests coming from other servers. I prefer to default
to once a day for now (maybe even once a week) and tighten it later if needed.

Caveat: If an instance key is rotated once a day, there's no
change-key-right-after-toot-deletion thing for deniability. Potentially,
rotation may happen only 24 hours after that deletion, which is much more than
1 hour. On the other hand, it's a whole instance key, not personal key of the
actor.
2019-02-07 23:28:39 +00:00
fr33domlover
8ac559d064 New datatype FedURI for @id URIs
Using a dedicated type allows to record in the type the guarantees that we
provide, such as scheme being HTTPS and authority being present. Allows to
replace ugly `fromJust` and such with direct field access.
2019-02-07 23:08:28 +00:00
fr33domlover
e325175a9c Publish 2 rotating instance-scope keys instead of the one-implicitly-shared-key
Before, there was a single key used as a personal key for all actors. Now,
things work like this:

- There are 2 keys, each time one is rotated, this way the old key remains
  valid and we can freely rotate without a risk of race conditions on other
  servers and end up with our posts being rejected
- The keys are explicitly instance-scope keys, all actors refer to them
- We add the ActivityPub-Actor header to all activity POSTs we send, to declare
  for which specific actor our signature applies. Activities and otherwise
  different payloads may have varying ways to specify attribution; using this
  header will be a standard uniform way to specify the actor, regardless of
  payload format. Of course, servers should make sure the actual activity is
  attributed to the same actor we specified in the header. (This is important
  with instance-scope keys; for personal keys it's not critical)
2019-02-07 10:34:33 +00:00
fr33domlover
8166d5b5eb Support for instance-scope keys when verifying HTTP signature 2019-02-06 02:48:23 +00:00
fr33domlover
c2c4e24497 Support actor key expiration
Allow keys to specify expiration time using w3c security vocabulary. If a key
has expired, we treat it like sig validation failure and re-fetch the key from
the other server. And we never accept a sig, even a valid sig, if the key has
expired.

Since servers keep actors and keys in the DB, expiration can be a nice way to
ask that keys aren't used more than we want them to. The security vocab spec
also recommends to set expiration time on keys, so it's nice to support this
feature.
2019-02-05 04:05:44 +00:00
fr33domlover
37b3416a41 Support remote actors specifying 2 keys, and DB storage of these keys
It's now possible for activities we be attributed to actors that have more than
one key. We allow up to 2 keys. We also store in the DB. Scaling to support any
number of keys is trivial, but I'm limiting to 2 to avoid potential trouble and
because 2 is the actual number we need.

By having 2 keys, and replacing only one of them in each rotation, we avoid
race conditions. With 1 key, the following can happen:

1. We send an activity to another server
2. We rotate our key
3. The server reaches the activity in its processing queue, tries to verify our
   request signature, but fails because it can't fetch the key. It's the old
   key and we discarded it already, replaced it with the new one

When we use 2 keys, the previous key remains available and other servers have
time to finish processing our requests signed with that key. We can safely
rotate, without worrying about whether the user sent anything right before the
rotation time.

Caveat: With this feature, we allow OTHER servers to rotate freely. It's safe
because it's optional, but it's just Vervis right now. Once Vervis itself
starts using 2 keys, it will be able to rotate freely without race condition
risk, but probably Mastodon etc. won't accept its signatures because of the use
of 2 keys and because they're server-scope keys.

Maybe I can get these features adopted by the fediverse?
2019-02-04 19:38:50 +00:00
fr33domlover
c336d56036 Allow actor public key to be in a separate document 2019-02-03 23:39:56 +00:00
fr33domlover
b0b2aa83c5 Store remote actor keys in the DB, reuse them instead of GETing every time 2019-02-03 13:58:14 +00:00
fr33domlover
cd8ed9ef89 Hold a persistent server key for ocap signatures 2019-01-30 03:12:42 +00:00
fr33domlover
c0965a4c47 Default roles for repos and turn user/anon collab tables into proj/repo fields
* Repo collab now supports basic default roles developer/user/guest like
  project collab does
* User/Anon collab for repos and projects are now stored as fields instead of
  in dedicated tables, there was never a need for dedicated tables but I didn't
  see that before
* Repo push op is now part of `ProjectOperation`
* `RepoRole` and related code has been entirely removed, only project roles
  remain and they're used for both repos and projects
* This is the first not-totally-trivial DB migration in Vervis, it's automatic
  but please be careful and report errors
2019-01-29 22:24:32 +00:00
fr33domlover
5cba838917 Enable basic default project roles
* When adding collaborators, you don't need a custom role. If you don't choose
  one, a basic default "developer" role will be used
* If you don't assign a `ProjectCollabUser` role, a default "user" role is
  assumed for logged in users, otherwise a "guest" role
* The "guest" role currently has no access at all
* Theoretically there may also be a "maintainer" role allowing project
  sharers/maintainers to give maintainer-level access to more people, but right
  now maintainer role would be the same as developer so I haven't added it yet
2019-01-28 14:43:07 +00:00
fr33domlover
577df6ddcf Add "about" field to person table, display in person page 2019-01-26 23:39:13 +00:00
fr33domlover
da6d8c008e Rename project field in Project Role assignment tables, it had the wrong name 2019-01-26 12:56:15 +00:00
fr33domlover
1f47ca39eb Federation test outbox page with form for entering JSON 2019-01-21 15:54:57 +00:00
fr33domlover
df01560ea6 ActivityPub inbox test page
This patch includes some ugliness and commented out code. Sorry for that. I'll
clean it up soon.

Basically there's a TVar holding a Vector of at most 10 AP activities. You can
freely POST stuff to /inbox, and then GET /inbox and see what you posted, or an
error description saying why your activity was rejected.
2019-01-19 01:44:21 +00:00
fr33domlover
9adf7a2e34 Fix HTTP sig default time limit, 5 minutes not 5 seconds 2019-01-19 01:06:09 +00:00
fr33domlover
499e26db48 Periodically rotated AP actor key for signing ActivityPub requests
The actor key will be used for all actors on the server. It's held in a `TVar`
so that it can always be safely updated and safely retrieved (technically there
is a single writer so IORef and MVar could work, but they require extra care
while TVar is by design suited for this sort of thing).
2019-01-14 22:08:44 +00:00
fr33domlover
c420b8d8ea Make the cookie encryption key and timeout configurable in settings file 2018-07-01 08:15:23 +00:00
fr33domlover
ef21175ec2 Allow loading the SVG font from deployment data path 2018-05-26 10:27:05 +00:00
fr33domlover
9f77ea69cb Display commit diff for Git repos 2018-05-21 20:32:34 +00:00
fr33domlover
ce89bded73 Add a commit view route, nothing displayed yet 2018-05-17 15:46:57 +00:00
fr33domlover
d49b5d678c Allow login using email address 2018-04-11 11:09:42 +00:00
fr33domlover
7c2faa7faa Email tokens expire within 1 day 2018-04-01 03:02:35 +00:00
fr33domlover
c664ee9468 Change filename of default settings, so that editted settings are separate 2018-03-31 22:40:32 +00:00
fr33domlover
f149da8ec6 getPersonR respond with minimal ActivityPub actor 2018-03-25 19:26:30 +00:00
fr33domlover
f196bf38d6 Unverified variants of setCreds and clearCreds 2018-03-17 22:16:02 +00:00
fr33domlover
d026cf0656 Treat email address as EmailAddress instead of Text including in the mailer 2018-03-06 02:26:27 +00:00
fr33domlover
3398b56931 Switch to yesod-auth-account and make the mail code independent of Vervis 2018-03-03 21:33:59 +00:00
fr33domlover
829fd72fef Use my new persistent-migration library, to which I moved the related modules 2018-02-26 14:23:02 +00:00
fr33domlover
c6d49da143 Organize settings.yml and add mail section 2018-02-25 09:25:24 +00:00
fr33domlover
fc556e0eb3 Workflow scope field, minimal support 2016-09-01 17:40:02 +00:00
fr33domlover
dc74456a6a Use the new migration system in place of persistent's one 2016-08-31 16:51:02 +00:00
fr33domlover
a94608dff5 Remove the last remaining default= from models file
Since defaults are specified in Form code that inserts new entities,
they already appear on the application side. So I'm going to try
managing them *only* in the application, and not have defaults in the DB
at all (maybe just temporarily when needed for schema migrations).
2016-08-20 17:32:27 +00:00
fr33domlover
5909424644 Custom ticket field relevance filter by ticket status 2016-08-11 09:27:30 +00:00
fr33domlover
21192fef26 Route for accepting a New ticket 2016-08-11 07:58:51 +00:00
fr33domlover
3329b49b2e Turn boolean ticketDone into TicketStatus enum 2016-08-11 00:44:11 +00:00
fr33domlover
d7be2f04b2 Ticket custom fields can be constant, i.e. no edits 2016-08-09 13:22:56 +00:00
fr33domlover
6457bf5607 Display custom enum fields in ticket page 2016-08-09 11:36:14 +00:00
fr33domlover
35933061c9 Display custom ticket field values in ticket page 2016-08-08 20:51:58 +00:00
fr33domlover
6e5ab77466 Projects must specify a ticket workflow 2016-08-08 19:05:22 +00:00
fr33domlover
561eb6826d Remove some default column values from model, leave that to Haskell 2016-08-08 18:35:01 +00:00
fr33domlover
a2ca78c790 Custom ticket fields specify whether required 2016-08-08 17:29:12 +00:00
fr33domlover
17643c6d49 Field enums aren't useful if you can't define values 2016-08-08 17:05:09 +00:00
fr33domlover
7ee28b97d2 Per-workflow custom ticket field enum types 2016-08-08 14:48:38 +00:00
fr33domlover
01385c480b Per-workflow custom ticket fields 2016-08-08 14:01:06 +00:00
fr33domlover
687aa68a04 Per-sharer ticket workflows
A workflow is a new entity in Vervis. It defines the workflow of a
projects' ticket system. That includes the possible ticket states,
custom ticket fields, various filters and so on. All ticket system
customization is currently planned to be managed using workflows.

Currently workflows are private and per sharer, but the plan is to
support public workflows that can be shared and cloned.
2016-08-08 11:05:19 +00:00
fr33domlover
dc54a89503 Ticket tree view page 2016-08-04 07:36:24 +00:00
fr33domlover
5c153b0294 Ticket dependency add/remove and some fixes to recursive SQL 2016-07-28 16:40:10 +00:00
fr33domlover
ddd4393825 New YAML setting: Optional user limit 2016-07-27 21:46:48 +00:00
fr33domlover
188905f9aa Git clone over HTTP(S) using git binary 2016-07-27 15:17:03 +00:00
fr33domlover
d1e1f3c0f7 Reverse dependencies page for tickets 2016-07-27 08:35:50 +00:00
fr33domlover
6626e40340 Specify default role for repo and project visitors 2016-07-03 07:52:11 +00:00
fr33domlover
c7de6119ab Build role graph 2016-06-21 07:35:19 +00:00
fr33domlover
5340cf23f1 Project role inheritance and graph queries with some raw SQL 2016-06-17 20:17:39 +00:00
fr33domlover
55945e30f9 Ticket claim request submission 2016-06-08 01:28:18 +00:00
fr33domlover
5557e65f66 Ticket dependencies in DB and per-ticket list of children 2016-06-07 20:16:15 +00:00
fr33domlover
11d4a955d8 Per-ticket list of claim requests with full info 2016-06-07 16:31:55 +00:00
fr33domlover
047b9c00c9 Per-project list of ticket claim requests 2016-06-07 15:29:26 +00:00
fr33domlover
5e04f951f2 Ticket claim requests in DB and personal list view of them 2016-06-07 10:01:57 +00:00
fr33domlover
ae83a5f3ad Ticket un/assign (like un/claim but for other people) 2016-06-07 07:33:19 +00:00
fr33domlover
23c06c535a Put roles under sharers, now groups' roles can be managed too 2016-06-06 19:41:22 +00:00
fr33domlover
f2e4bb4291 Roles now under by sharers, i.e. now groups too 2016-06-06 17:29:54 +00:00
fr33domlover
a3af63d368 Ticket claim and unclaim routes with access checks 2016-06-06 09:03:49 +00:00
fr33domlover
5305caf0b0 Repo settings page, allow repos to move between projects 2016-06-05 21:11:05 +00:00
fr33domlover
91266dd421 Project settings route, with wiki repo selector 2016-06-05 10:43:28 +00:00
fr33domlover
f8e1442e72 Initial minimal optional per-project wiki 2016-06-04 06:57:54 +00:00
fr33domlover
18394a1213 Split ticket open/close out of TicketEditR into new routes 2016-06-01 19:50:41 +00:00
fr33domlover
e398c86854 Ticket assignee field 2016-06-01 16:20:19 +00:00
fr33domlover
4e0e8cb736 Add project roles, basically a copy of the repo role code 2016-06-01 08:52:14 +00:00
fr33domlover
10c27464dd Make all role-related code repo-specific 2016-06-01 07:35:22 +00:00
fr33domlover
2d4fb85fca Dummy routes for repo team members 2016-05-29 14:13:25 +00:00
fr33domlover
c0e8ed0d2e Initial minimal limited per-repo RBAC system 2016-05-29 13:17:55 +00:00
fr33domlover
ada42dea62 Enable adding group members 2016-05-26 16:25:23 +00:00
fr33domlover
16d33da4de Add group member related dummy routes 2016-05-25 17:48:17 +00:00
fr33domlover
3687687457 Add group members page and breadcrumbs for group routes 2016-05-25 16:03:58 +00:00
fr33domlover
4c3aa8b269 Add group roles and make a group's creator its admin 2016-05-25 15:52:15 +00:00
fr33domlover
bc66463776 Add group routes 2016-05-24 21:48:21 +00:00
fr33domlover
ac893b6040 Fix layout of routes file ruined during recent route change 2016-05-24 08:50:19 +00:00
fr33domlover
778f22c85d Define column default like PostgreSQL to prevent repeated migration 2016-05-24 08:37:41 +00:00
fr33domlover
19b576e795 New sharer field: Creation time 2016-05-24 08:34:40 +00:00
fr33domlover
3dd82178f5 Rename PersonInGroup model to GroupMember 2016-05-24 08:28:57 +00:00
fr33domlover
c6c41b485c Finish route change, it builds now
I used this chance to make some name changes, add some utils, tweak some
imports, remove more `setTitle`s and so on. I also made person, repo,
key and project creation forms verify CI-uniqueness.
2016-05-23 20:46:54 +00:00
fr33domlover
49807ed27f Start big route change, doesn't build yet
I decided to add some safety to routes:

- Use dedicated newtypes
- Use CI for the CI-unique DB fields

Since such a change requires so many changes in many source files, this
is also a chance to do other such breaking changes. I'm recording the
change gradually. It won't build until I finish, so for now don't waste
time trying to build the app.
2016-05-23 12:24:14 +00:00
fr33domlover
9368e68ab5 Enable new top-level comments, discussion system works now 2016-05-21 20:01:31 +00:00
fr33domlover
a56a7575fe Implement reply-to-existing-comment 2016-05-19 22:07:25 +00:00
fr33domlover
c942c7d398 Ticket discussion and message routes 2016-05-19 16:58:23 +00:00
fr33domlover
c435dfa89b Each ticket has a unique discussion ID 2016-05-18 09:44:32 +00:00
fr33domlover
e76c1f7206 Compressed inventory parser and DarcsRev TH utils 2016-05-17 20:34:22 +00:00
fr33domlover
298bbc57e4 SSH key deletion button 2016-05-13 21:41:46 +00:00
fr33domlover
4d16203e5d Repo deletion button 2016-05-13 19:23:56 +00:00
fr33domlover
80576d9caa Darcs pull over HTTP 2016-05-13 10:58:42 +00:00
fr33domlover
ed2df29b66 Refactor git log view, make room for darcs 2016-05-05 16:30:30 +00:00
fr33domlover
3ed04941e8 Refactor git source view code and implement the same for Darcs 2016-05-05 07:29:19 +00:00
fr33domlover
d69c5e8abc Repos specify their VCS (i.e. Git or Darcs) in the DB 2016-05-02 23:51:53 +00:00
fr33domlover
e8befc41ee Multiplex ticket PUT and DELETE over POST
HTML forms support only GET and POST methods. One way to bypass that is
to send the form using JS. But I don't want that. Another is to send a
POST with a hidden form field which specifies the read method. This is
what 'postTicketR' does.
2016-05-02 11:34:11 +00:00
fr33domlover
9d3b7b686f Ticket update form 2016-05-02 09:15:10 +00:00
fr33domlover
88569a08ad Dummy handlers for ticket editing and deletion 2016-05-02 06:13:57 +00:00
fr33domlover
349d089019 First ticket number should be 1, not 0 2016-05-01 11:05:56 +00:00
fr33domlover
7a4b211617 Ticket view page 2016-05-01 09:58:55 +00:00
fr33domlover
eaadbc050c Ticket list page 2016-04-30 23:02:44 +00:00
fr33domlover
09b767a037 New ticket post form 2016-04-30 22:32:22 +00:00
fr33domlover
5f909bd3b3 Add Ticket to persistent model 2016-04-30 20:40:33 +00:00
fr33domlover
dbf0c5a2cb Remove IRC channel and ML data from DB 2016-04-30 20:15:48 +00:00
fr33domlover
4065143d8f Remove upload-pack over HTTP, 'hit' opens too many file descriptors 2016-04-29 18:08:05 +00:00
fr33domlover
bf355de715 Dummy git upload-pack request POST handler 2016-04-23 18:33:41 +00:00
fr33domlover
8856bd2344 Git over HTTP: Add initial always-denying ref discovery handler 2016-04-21 00:32:22 +00:00
fr33domlover
4c3371beda Add settings option to disable registration 2016-04-19 16:03:27 +00:00
fr33domlover
5ae09c2ad7 Remove copyright field from settings, copyright is wrong! 2016-04-19 15:47:26 +00:00
fr33domlover
ea71f30d96 Repos right under users, not under projects 2016-04-12 17:37:31 +00:00
fr33domlover
3325a9d960 Display any file and dir in the repo, not just top level 2016-04-12 10:06:21 +00:00
fr33domlover
100ba7511c RepoSourceR, display file tree for given branch or tag 2016-04-12 00:19:04 +00:00
fr33domlover
fa4e4294b1 Add repo commits route 2016-04-11 21:35:26 +00:00
fr33domlover
78213db2fc Add UI for display of SSH keys 2016-03-07 00:42:06 +00:00
fr33domlover
8a78fec8f6 Change SSH host key default filenames 2016-03-07 00:37:07 +00:00
fr33domlover
8cf0f2502c Implement DB-based SSH authentication 2016-03-06 11:58:48 +00:00
fr33domlover
062fb5539a Add app settings for SSH server 2016-03-05 03:56:25 +00:00
fr33domlover
b20c672a01 Implement git history log in repo page 2016-03-03 08:15:54 +00:00
fr33domlover
ec4c7de582 Add repo pages and repo creation form 2016-02-27 05:41:36 +00:00
fr33domlover
9b686c6db0 Write initial overview content and add project creation form 2016-02-25 03:10:30 +00:00
fr33domlover
1c044520b5 Implement registration and make it build 2016-02-23 02:27:01 +00:00
fr33domlover
c0a86c3f5b Add user registration form view, still no-op 2016-02-19 04:10:42 +00:00
fr33domlover
5287a47372 Add project pages 2016-02-17 21:53:53 +00:00
fr33domlover
a6525d7549 Add people and person pages 2016-02-17 16:43:23 +00:00
fr33domlover
7857a8a964 Make initial homepage with table and simple login 2016-02-16 11:41:13 +00:00
fr33domlover
3da488b3a2 Remove example code I don't need 2016-02-14 10:17:31 +00:00
fr33domlover
f4dcf17f3f Move some files around, tweak the generated code a bit 2016-02-14 09:10:21 +00:00
fr33domlover
952f6baafd Bring Yesod scaffolding 2016-02-13 03:35:30 +00:00