Commit Graph

302 Commits

Author SHA1 Message Date
pkova
c5a14ef1c4 lull, ames: add %nail gift to send lanes to unix 2023-10-13 14:08:35 +03:00
pkova
743c8e2c8a lull: add egg-any tagged union for gall scry 2023-10-10 17:51:42 +03:00
Pyry Kovanen
f5567f1fdf
Merge branch 'develop' into mf/gall-backups 2023-10-09 17:01:34 +03:00
pkova
130866c1e8 lull, gall: move $egg from gall to lull 2023-10-09 17:00:30 +03:00
Pyry Kovanen
e355b5090e
Merge pull request #6783 from urbit/pkova/dear
lull, ames: add %dear task to receive lane from unix
2023-09-19 15:56:43 +03:00
pkova
bf4d7c92e1 ames: make dead flow consolidation toggleable, default off 2023-09-14 18:35:26 +03:00
pkova
6a6e07d49f lull, ames: add %dear task to receive lane from unix 2023-09-04 22:09:52 +03:00
pkova
facd6994b0 lull, ames: add %tame task to delete a route for a ship 2023-07-28 18:15:04 +03:00
Pyry Kovanen
897d00334f
Merge branch 'next/kelvin/412' into yu/enable-close-flows 2023-07-24 16:58:13 +03:00
pkova
8565fb5f8b Merge branch 'develop' into next/kelvin/412 2023-07-24 14:58:31 +03:00
fang
9f2c97f95e
lull: add %'PATCH' to $method:http
As of RFC 5789, PATCH is a valid HTTP request method. The $method:http type,
however, did not include it.

Here, we add it to the $method:http type, so that it now includes all nine
standard HTTP methods.
2023-07-12 15:56:51 +02:00
pkova
4fe9de8194 lull, gall, hoon: drop pokes for non-running agents 2023-07-11 17:36:09 +03:00
yosoyubik
48a4b9ad32 ames: add 15-to-16 state migration
The 14-to-15 state migration was released in urbit-os-v2.142
so we add a new ames-state-16 to account for the removal of
.num-live from $pump-metrics.

This also adds several `$+` shorthand type name for better
prettyprinting in nest-fails situations, all related to the types in
$ames-state.

(note: ames states 14 and 15 are the same, ane tha migration
 just re-retrieved our own %rift—first introduced in state-12-to-13)
2023-06-30 12:15:38 +02:00
yosoyubik
57308e22ef ames: clean up %kroc tasks in old ames-state
The %kroc task was introduced in ames-state-10. The way the
migration works, is that queued-events are transformed right
away into the latests version, and the state is done step-wise in
different arms, but in one go as part of the +molt arm.

This means that all states from %10 need to handle cleaning up
the %kroc task, with the addition that we were already handling
another tasks, %snub, from ames-state-9 until ames-state-11.
This means that we need to handle both tasks in two different
ames-states, and from them only the %kroc task.

This also adds several $+ to the ames types, that make nest-failures
easier to read.
2023-06-29 15:25:18 +02:00
yosoyubik
235bfb6b8b ames: re-add +on-deep:ev
probably removed in one of the merges(?)
2023-06-29 09:58:01 +02:00
yosoyubik
20cb84d037 Merge branch 'next/kelvin/412' into yu/enable-close-flows 2023-06-28 15:51:37 +02:00
yosoyubik
b359239f3d Merge branch 'develop' into next/kelvin/412 2023-06-28 12:52:18 +02:00
Joe Bryan
bd0a058c60
Merge pull request #6598 from urbit/m/eyre-mirage
eyre: eauth, cross-ship authentication
2023-06-27 18:34:35 -04:00
fang
4e5ce6fb69
eyre: keep queue for outgoing pleas
Keeping a queue of nonces to match the outgoing %pleas we send lets us
recover the nonce for the %done we receive in response. This is
important in the nack case, where we may want to eagerly serve the HTTP
client an error page response, instead of waiting for the timeout timer
to fire.
2023-06-27 22:58:22 +02:00
fang
c33ddfa101
Merge branch 'next/kelvin/412' into m/eyre-mirage 2023-06-26 13:47:39 +02:00
Joe Bryan
a185d50b5a
Merge branch 'next/kelvin/412' into lick 2023-06-20 14:36:55 -04:00
Philip Monk
18e34bdab6 fine: loosen path restrictions 2023-06-13 23:06:20 -07:00
Philip Monk
fc3d9741df fine: fix various 2023-06-13 16:18:37 -07:00
Ted Blackman
6153f8c7e3
Merge pull request #6609 from urbit/yu/remove-num-live
ames: remove num-live from pump-metrics
2023-06-12 11:50:15 -04:00
fang
ef89cf2410
eyre: rework eauth to be client-initiated
Instead of doing formal network traffic on the host-side whenever a
login attempt gets initiated, we now do it no earlier than when we're on
the client-side. This has the important property that network traffic
can only be initiated by authenticated HTTP requests. The previous
implementation, where hosts sent pleas when an unauthenticated HTTP
client said then wanted to log in, was vulnerable to abuse.

So now, formally, the eauth flow starts at the client's confirmation
screen. There is an optional step preceding this, where an attempt is
started on the host (and data is still stored for this), but to get the
redirect target, the host uses remote scry to get the eauth URL out of
the client ship.

Hosts now also give attempt-specific return URLs, useful in case they
are accessible (or even serving different content) from different
hostnames.
2023-06-09 15:46:04 +02:00
yosoyubik
623e0eafb2 Merge branch 'next/kelvin/412' into yu/enable-close-flows 2023-06-08 06:40:39 +02:00
yosoyubik
68db0b4e03 ames: move +on-kroc logic to |close-flows
+on-kroc was cluttered with ad-hoc logic to indentify stale flows from
failed resubscriptions that were not properly %corked. Here we move
that logic to a generator that, if not in dry mode, will call %ames with a
(list  [ship bone]) to %cork them.

Another option would be to move the logic in the generator to a state
update in ames, which will trigger possibly thousands of %ames messages
to be sent, on every ship that runs the state migration—these flows are
not causing a problem that neds to be addressed, and only take extra
space.

If we decide that this needs to be run by everyone, one solution could be
to set up a timer (maybe taking advantage of the fact that ships don't get
the OTA a the same time) that will eventually poke %hood with a
%helm-ames-kroc task.
2023-06-07 15:55:50 +02:00
Tinnus Napbus
7c3a1c4d7c Merge branch 'next/kelvin/412' into tinnus/local-provenance 2023-06-07 20:38:05 +12:00
yosoyubik
6696f587be Merge branch 'next/kelvin/412' into i/6103/abet-pure 2023-06-01 17:46:36 +02:00
Tinnus Napbus
8ed74ac717 gall: new type which is /w providence 2023-05-30 22:28:19 +12:00
yosoyubik
d3489cc8db ames: generalize $deep tasks
currently all $deep tasks are focused on a particular ship but future
 ones might not, so we move $ship to each individual task
2023-05-30 10:33:13 +02:00
yosoyubik
7ce74f36c6 ames: add %deep task to handle deferred calls
note: %ames tests have not been updated to account for this change
2023-05-30 10:33:13 +02:00
Amadeo Bellotti
7e1ddbcca1 changed name from term to path 2023-05-24 12:13:44 -04:00
Amadeo Bellotti
15424c9200 modified api and compiled 2023-05-24 12:13:44 -04:00
Amadeo Bellotti
82880f4311 changed spew to spit: 2023-05-24 12:13:44 -04:00
Amadeo Bellotti
60c9d07034 modified api 2023-05-24 12:13:44 -04:00
Amadeo Bellotti
d0cd351acb changed to lick 2023-05-24 12:13:44 -04:00
Amadeo Bellotti
08540c8257 fixed api and added rote path 2023-05-24 12:13:44 -04:00
Amadeo Bellotti
323ad41a96 cleaned up interface 2023-05-24 12:13:44 -04:00
Amadeo Bellotti
6a8cea04b3 modified flow for read red, and turn 2023-05-24 12:13:44 -04:00
Amadeo Bellotti
c643db1e14 modified some stuff to return a card to vere 2023-05-24 12:13:44 -04:00
Amadeo Bellotti
791782fafa added %read and %writ cards 2023-05-24 12:13:43 -04:00
Amadeo Bellotti
653725da98 boiler plate for loch 2023-05-24 12:13:43 -04:00
Ted Blackman
89681e25b4
Merge branch 'next/kelvin/412' into yu/remove-num-live 2023-05-23 11:50:40 -04:00
yosoyubik
3554ab895d ames: remove num-live from pump-metrics 2023-05-23 06:48:15 +02:00
fang
87be9c9bef
eyre: add task for setting manual eauth base url 2023-05-22 21:08:11 +02:00
Tinnus Napbus
de51f74dc2 gall: implement local provenance 2023-05-23 01:12:09 +12:00
fang
8579b6c952
eyre: eauth, cross-ship authentication
aka "mirage" aka "eyre oauth"

With Eyre now supporting both local identity authentication, and fake
guest identities, the logical next step is to support authentication
with real non-local identities. Here, we implement that, building on top
of the groundwork laid by #6561.

The primary change is adding a %real case to Eyre's $identity type, and
implementing an http<->ames<->ames handshaking protocol into Eyre for
negotiating approval of login attempts made by unauthenticated HTTP
clients.

The authentication flow, where a "visitor" logs into a "~host" as their
own "~client" identity can be described in brief as follows:
1) Visitor makes an HTTP request saying they are ~client.
2) ~host tells ~client, over Ames, about its own public-facing hostname.
3) ~client responds with its own public-facing hostname.
4) ~host forwards the visitor to ~client's eauth page.
5) Visitor, there already logged in as ~client, approves the login
   attempt.
6) ~client shares a secret with ~host over Ames, and forwards the
   visitor to ~host's eauth page, including the secret in the request.
7) ~host sees that the secrets received over Ames and HTTP match, and
   gives the visitor a new session token, identifying them as ~client.

The negotiating of hostnames/URLs via Ames is crucial to keeping this
handshake sequence secure.

Discovering a ship's public-facing hostname happens when successful
local logins are made by reading out the Host header from the request.
Users may hard-code a value to override this.

Each eauth login attempt comes with a unique nonce. Both the host and
client track the lifetime of these. The corresponding Ames flow (which
goes from ~host -> ~client) is corked when the login attempt gets
aborted, or its associated session expires.

The logout functionality has been updated to let clients ask to be
logged out of sessions on other ships.
2023-05-18 23:13:15 +02:00
fang
d15de3b48c
eyre: update %name, add %host endpoint
%name now returns the identity of the session associated with the
request. %host will always return the @p of the ship *handling* the
request.

The latter becomes especially important for guest sessions, who can only
interact with agents on the local ship, but will still need to specify
who that ship is.
2023-05-05 23:38:40 +02:00
fang
0fee4ce50b
eyre: guest ids for unauthenticated requests
aka "the open eyre" aka "universal basic identity"

Urbit already supports presence on the clearnet, but fails to expose any
of its interactive affordances to unauthenticated users. Here, we
improve this situation by granting "guest identity" @ps to every
unauthenticated HTTP request, and extending the channels functionality
to them.

Sessions no longer represent only the local identity. Instead, each
session has either the local identity, or a fake guest identity
associated with it.

Every request that does not provide a session key/cookie gets assigned
a fresh one with a guest identity on the spot. As a result, every
single request has an identity associated with it.

The identity of a request gets propagated into userspace, if the request
ends up there.
For normal HTTP requests, this means the src.bowl gets set to that
identity for both the watch and poke of the request. For backwards
compatibility, the authenticated flag on the request noun gets set at
normal: only true if the request came from the local identity.
For channel requests, this means the src.bowl gets set to that identity
for any pokes and watches it sends, and it can only send those to agents
running on the local ship.

The scry endpoint remains unchanged in its behavior: only available to
the local identity.

Notable implementation detail changes in this diff include:
- Factored all gall interactions out into +deal-as.
- Sessions no longer represent exclusively the local identity. This
matters a lot to +give-session-tokens, %code-changed, and logout
handling.
- Session management got factored out into explicit +start-session and
+close-session arms.
2023-05-05 21:59:17 +02:00