Commit Graph

32493 Commits

Author SHA1 Message Date
fang
744dea2267
various: stop asserting =(src our):bowl for http
It is no longer guaranteed that the src.bowl for incoming HTTP-related
events is equal to our.bowl. Instead, it will reflect the identity
associated with the request, our or otherwise.

When serving publicly-accessible endpoints, the assertion never made
much sense, but with recent changes actively prevents guests from
accessing the endpoints. Here, we correct all such cases.
2023-05-05 23:41:05 +02:00
fang
d15de3b48c
eyre: update %name, add %host endpoint
%name now returns the identity of the session associated with the
request. %host will always return the @p of the ship *handling* the
request.

The latter becomes especially important for guest sessions, who can only
interact with agents on the local ship, but will still need to specify
who that ship is.
2023-05-05 23:38:40 +02:00
fang
b387235597
eyre: enable host to log out any other session
Now that sessions with non-local identities can exist, the host/local
identity should be empowered to forcefully log off any session it hosts.

Additionally, we augment the logout logic with redirect functionality:
it now respects the "redirect" query parameter in the same way the login
page does. Still defaults to redirecting to the login page.
2023-05-05 23:33:37 +02:00
fang
b6e8cd616f
eyre: give 400 for invalid channel requests
We previously had no mechanism for giving error responses, if a client
submitted an invalid request into a channel. Guest access makes this
important, because guests cannot interact with remote ships. Attempting
to do so will cause a gall crash.

Here, we add error handling logic to channel request processing. We
catch the invalid cases described above and invalidate the entire batch
of channel requests if they occur. We make sure to drop the moves and
revert the state we changed, and give a 400 to the client that
informally describes the problem(s).
2023-05-05 22:08:18 +02:00
fang
0fee4ce50b
eyre: guest ids for unauthenticated requests
aka "the open eyre" aka "universal basic identity"

Urbit already supports presence on the clearnet, but fails to expose any
of its interactive affordances to unauthenticated users. Here, we
improve this situation by granting "guest identity" @ps to every
unauthenticated HTTP request, and extending the channels functionality
to them.

Sessions no longer represent only the local identity. Instead, each
session has either the local identity, or a fake guest identity
associated with it.

Every request that does not provide a session key/cookie gets assigned
a fresh one with a guest identity on the spot. As a result, every
single request has an identity associated with it.

The identity of a request gets propagated into userspace, if the request
ends up there.
For normal HTTP requests, this means the src.bowl gets set to that
identity for both the watch and poke of the request. For backwards
compatibility, the authenticated flag on the request noun gets set at
normal: only true if the request came from the local identity.
For channel requests, this means the src.bowl gets set to that identity
for any pokes and watches it sends, and it can only send those to agents
running on the local ship.

The scry endpoint remains unchanged in its behavior: only available to
the local identity.

Notable implementation detail changes in this diff include:
- Factored all gall interactions out into +deal-as.
- Sessions no longer represent exclusively the local identity. This
matters a lot to +give-session-tokens, %code-changed, and logout
handling.
- Session management got factored out into explicit +start-session and
+close-session arms.
2023-05-05 21:59:17 +02:00
Josh Lehman
a6024e33a9
Merge pull request #6553 from urbit/m/eyre-crud-500
eyre: when a %request causes a crud, serve 500
2023-05-05 08:51:28 -07:00
yosoyubik
6213e0bbb3 ames: move +bind-duct to peer-core 2023-05-05 13:06:17 +02:00
morelazers
270905e153 fix: x-urb-jam 2023-05-05 12:11:46 +02:00
yosoyubik
df47808047 Merge branch 'develop' into i/6103/abet-pure 2023-05-05 09:53:01 +02:00
Sigilante
0762b90daa
Update story-remove.hoon 2023-05-04 16:25:39 -05:00
Sigilante
03da1cb4f9
Update story-write.hoon 2023-05-04 16:22:44 -05:00
Sigilante
6389776fc1
Update story-init.hoon 2023-05-04 16:17:50 -05:00
Ted Blackman
65b069a1d9 zuse: kelvin 412 2023-05-04 11:42:41 -04:00
fang
08ad367cd8
eyre: when a %request causes a crud, serve 500
Previously, if an incoming request caused a crash, we would just drop it
on the floor. We should at least have the decency to serve the client a
quick 500 and let them get on with their day.

We make sure not to touch state here. The connection is guaranteed-fresh
because of the task's semantics, and we're handling it in-line in one go.

Notably we only give a simple "crud!" for the body, instead of the full
error trace. We don't know whether the request is authenticated or not
(and who knows if checking was the cause of the crash!), and the crud
might leak sensitive details about the ship it occurred on. For the
owner, the trace still gets printed into the terminal.
2023-05-04 17:42:36 +02:00
Ted Blackman
24467176f6
Merge pull request #6550 from urbit/jb/clay-quiet
clay: remove %take-foreign slog
2023-05-04 11:38:55 -04:00
Ted Blackman
de58756736
Merge pull request #6548 from urbit/philip/pending
clay: on update, remove all previous pending updates
2023-05-04 11:38:22 -04:00
Ted Blackman
100333cd5a
Merge pull request #6549 from urbit/jb/eyre-safe
eyre: handle agent errors safely
2023-05-03 19:16:10 -04:00
Joe Bryan
48ec5b2693 clay: remove %take-foreign slog 2023-05-03 18:48:30 -04:00
Joe Bryan
c42f1d2663 eyre: corrects connection lifecycle comment 2023-05-03 18:40:22 -04:00
Joe Bryan
c349d154b6 eyre: optimizes responses, removes redundant connection state updates 2023-05-03 18:39:19 -04:00
Joe Bryan
007a32c47a eyre: remove redundant connection retrieval 2023-05-03 18:25:48 -04:00
Joe Bryan
7fb2f613d4 eyre: no-op on agent-error when missing connection state 2023-05-03 18:25:10 -04:00
Philip Monk
9d7b196024 clay: on update, remove all previous pending updates
Fixes #6537, see discussion there for alternatives.
2023-05-03 13:03:53 -07:00
Ted Blackman
4d3af06300
Merge pull request #6545 from urbit/jb/road-pile
clay: virtualize parsing to workaround runaway memoization
2023-05-02 17:37:27 -04:00
Joe Bryan
7f2257e581 clay: virtualize parsing to workaround runaway memoization 2023-05-02 17:16:22 -04:00
morelazers
78c1d6e647 feat: noun to mime 2023-05-02 21:28:15 +02:00
Ted Blackman
51e85291c1
Merge pull request #6542 from urbit/wicrum/wan-mop
lull,ames: use `mop` instead of `pha` in `.wan.keens`
2023-05-02 11:55:38 -04:00
~wicrum-wicrun
451a84d467 jael: fake ships always have rift=0 2023-05-02 17:36:22 +02:00
Ted Blackman
09fb89bd5b
Merge pull request #6509 from urbit/jon/doccords-lustar-tistar
turn off doccord parsing for +*, =*
2023-05-02 11:23:15 -04:00
~wicrum-wicrun
c1e14bdbf5 ames: use +pry:mop and +del:mop instead of virtualizing 2023-05-02 17:07:14 +02:00
~wicrum-wicrun
99ca67db7f tests: remove defunct deq test 2023-05-02 17:02:58 +02:00
~wicrum-wicrun
c03c3dc13b ames: migration uses +tap:deq instead of +dip-left:deq 2023-05-02 17:01:53 +02:00
Ted Blackman
1c69528565
Merge pull request #6538 from bacwyls/bwyl/read-s-subs-413-patch
clay: fix read-s subs for 413
2023-05-02 10:42:29 -04:00
Ted Blackman
e4b4f25d52
Merge pull request #6543 from urbit/jb/vang-compat
hoon: support configurable doccords parsing
2023-05-02 10:41:07 -04:00
Joe Bryan
1c26d431f5 hoon: threads doccords flags through +vang, compatibly 2023-05-02 10:34:33 -04:00
Joe Bryan
4a92c7d7d4 Revert "hoon: add doc parsing flag to +vang"
This reverts commit 94ba944188.
2023-05-02 10:31:42 -04:00
~wicrum-wicrun
ecaf70bc00 ames,lull,zuse: move +pha and +deq into ames to not pollute kelvin code 2023-05-02 16:26:59 +02:00
~wicrum-wicrun
ded0b75914 ames,lull: .wan.keen uses fragment as mop key 2023-05-02 16:25:51 +02:00
~wicrum-wicrun
d7a2c53df8 lull,ames: use mop instead of pha in .wan.keens 2023-05-02 15:17:25 +02:00
bacwyls
4a1aae5c48 clay: fix read-s subs for 413
=case was added as an argument to read-s to support %cs subs
it was accidentally removed as an argument during a merge,
breaking %cs subs by causing it to always crash in a
comparison between case and [%da now], because case resolved
to the mold rather than a value. this commit restores
intended functionality.
2023-05-01 18:32:49 -05:00
Joe Bryan
6c0e53e9da
Merge pull request #6535 from urbit/jb/fix-vat
vats: fixes +vat
2023-05-01 16:35:22 -04:00
Joe Bryan
9c59c970e3 vats: fixes +vat 2023-05-01 16:30:21 -04:00
Hunter Miller
10ea5dd55b
Merge pull request #6534 from urbit/hm/landscape-413-pt2
landscape: actual 413 compat
2023-05-01 14:58:35 -05:00
Hunter Miller
5f67d79411 landscape: use correct args and syntax 2023-05-01 14:26:38 -05:00
Ted Blackman
70bef7aee3
Merge pull request #6533 from urbit/hm/landscape-413
landscape: compat w/ 413
2023-05-01 15:08:19 -04:00
Ted Blackman
b632316fba
Merge pull request #6532 from urbit/jb/vats-perf
vats: force multiline rendering, improve performance
2023-05-01 11:38:30 -04:00
Jonathan Paprocki
e718423135 hoon: remove swap +vang for (doc |) in +loll 2023-05-01 11:37:27 -04:00
Ted Blackman
c3d461d6de
Merge pull request #6515 from urbit/i/6504/fine-next-steps
fine: next steps
2023-05-01 11:32:52 -04:00
Josh Lehman
ad51758e2c
Merge pull request #6531 from jfranklin9000/maintainers
meta: don't codeblock table in MAINTAINERS.md
2023-05-01 10:11:19 -05:00
Hunter Miller
565869f86d landscape: compat w/ 413 2023-05-01 09:59:19 -05:00