Commit Graph

1961 Commits

Author SHA1 Message Date
Amadeo Bellotti
cd7dbfd3d3 loch has some state change 2023-05-24 12:13:44 -04:00
Amadeo Bellotti
791782fafa added %read and %writ cards 2023-05-24 12:13:43 -04:00
Amadeo Bellotti
653725da98 boiler plate for loch 2023-05-24 12:13:43 -04:00
Ted Blackman
579c3259ad merge develop into next/kelvin/412 2023-05-23 11:49:24 -04:00
yosoyubik
a765954cee ames: don't get ship-state in +enqueue-alien-todo
ship-state is retrieved in +send-blob only for sponsors of the ship
2023-05-22 12:49:00 +02:00
yosoyubik
66b92800e3 ames: don't retrieve ship-state in +send-blob 2023-05-22 11:41:32 +02:00
yosoyubik
b427f1c321 ames: early abet in |fi after route update
Continuation of https://github.com/urbit/urbit/pull/6593
2023-05-22 10:58:50 +02:00
Joe Bryan
15440d3dda ames: add %rift to %stir 2023-05-17 16:51:12 -04:00
fang
4019cfba79
Merge pull request #6561 from urbit/m/the-open-eyre
eyre: session identities for all
2023-05-17 13:03:14 +02:00
Philip Monk
8cba74630f ames: bugfixes 2023-05-16 23:05:17 -07:00
Joe Bryan
bbd43cc7d4 clay: clarify +compose-cast trace messages 2023-05-16 16:42:13 -04:00
Joe Bryan
401776545c clay: shortcircuit identity casts 2023-05-16 15:59:04 -04:00
Joe Bryan
c84cf7359b clay: adds trace level 4 for mark conversion details 2023-05-16 15:58:55 -04:00
fang
637992475b
eyre: refactor guest name generation
Concatenating before we truncate, instead of truncating the entropy by
itself, is slightly simpler.

Because this slightly changes the naming algorithm, we must update the
eyre tests to match.
2023-05-16 21:46:48 +02:00
Philip Monk
48b10dcdc7 clay: add fast-path for permissions check 2023-05-15 16:15:52 -07:00
Pyry Kovanen
65fd1cc179
Merge pull request #6581 from urbit/master
Merge ames on-take-wake fix from master to develop
2023-05-10 19:01:03 +03:00
yosoyubik
42c22bf4f3 ames: on-take-wake no-op if not path for keen 2023-05-10 17:18:31 +02:00
~wicrum-wicrun
f0360e69a2
Merge pull request #6578 from urbit/master
Merge clay null tako fix from master back to develop
2023-05-10 16:53:08 +02:00
Joe Bryan
50239414ee clay: allow reads at the null tako 2023-05-10 09:51:14 -04:00
Pyry Kovanen
90b9292cc6
Merge pull request #6573 from urbit/master
Merge master into develop with the gall suspend fix
2023-05-10 16:01:57 +03:00
yosoyubik
3219ce5cb7 gall: don't throw away agent when suspending it 2023-05-10 13:51:58 +02:00
Pyry Kovanen
5777f91b36
Merge pull request #6569 from urbit/master
Merge master back to develop after urbit-os-v2.139
2023-05-09 22:43:44 +03:00
fang
b7e8b9cbfe
clay: the commit must actually be known
+read-at-tako was checking for the zero tako, but had the conditional
inverted. Here, we correct the conditional, and fold the
+may-read check into the whole.
2023-05-09 20:59:51 +02:00
Ted Blackman
fe91cdd357 Merge pull request #6566 from urbit/wicrum/live-before-abed
gall: always check that an agent isn't nuked before initializing `+ap`
2023-05-09 18:50:26 +03:00
~wicrum-wicrun
6d984e764e gall: return [~ ~] when scrying a nuked or nonexistant agent 2023-05-09 17:29:04 +02:00
~wicrum-wicrun
55fc624f72 gall: check the union tag instead of the dude 2023-05-09 17:21:21 +02:00
~wicrum-wicrun
4660380dac gall: remove sigpam 2023-05-09 17:17:03 +02:00
~wicrum-wicrun
af4bf28ac7 gall: always check that an agent isn't nuke before initializing +ap 2023-05-09 17:14:19 +02:00
~wicrum-wicrun
ded78a6ab1 gall: don't try to notify nuked agents about breaches 2023-05-09 18:13:09 +03:00
~wicrum-wicrun
d65bcc248e gall: don't try to notify nuked agents about breaches 2023-05-09 16:40:18 +02:00
fang
449eeb6d7f
eyre: make sure guest identity cannot be ours
If there turned out to be some way for requesters to control the
entropy, this might lead to privilege escalation on comets.
2023-05-09 15:31:47 +02:00
fang
466fc0b63b
eyre: pass session-id+identity into auth handling
This lets it also clean up guest sessions created just for the login
request, and lets us display the current guest identity on the login
page.
2023-05-09 15:10:14 +02:00
fang
61ca0324ac
eyre: start session expiry only "once"
This condition got incorrectly inverted during 0fee4ce. Of course, the
logic here is still subtly incorrect: if a session gets deleted before
the timer fires, then we set a second one. Unfortunately, we are now
here to fix the bug right now.
2023-05-08 19:00:10 +02:00
fang
d15de3b48c
eyre: update %name, add %host endpoint
%name now returns the identity of the session associated with the
request. %host will always return the @p of the ship *handling* the
request.

The latter becomes especially important for guest sessions, who can only
interact with agents on the local ship, but will still need to specify
who that ship is.
2023-05-05 23:38:40 +02:00
fang
b387235597
eyre: enable host to log out any other session
Now that sessions with non-local identities can exist, the host/local
identity should be empowered to forcefully log off any session it hosts.

Additionally, we augment the logout logic with redirect functionality:
it now respects the "redirect" query parameter in the same way the login
page does. Still defaults to redirecting to the login page.
2023-05-05 23:33:37 +02:00
fang
b6e8cd616f
eyre: give 400 for invalid channel requests
We previously had no mechanism for giving error responses, if a client
submitted an invalid request into a channel. Guest access makes this
important, because guests cannot interact with remote ships. Attempting
to do so will cause a gall crash.

Here, we add error handling logic to channel request processing. We
catch the invalid cases described above and invalidate the entire batch
of channel requests if they occur. We make sure to drop the moves and
revert the state we changed, and give a 400 to the client that
informally describes the problem(s).
2023-05-05 22:08:18 +02:00
fang
0fee4ce50b
eyre: guest ids for unauthenticated requests
aka "the open eyre" aka "universal basic identity"

Urbit already supports presence on the clearnet, but fails to expose any
of its interactive affordances to unauthenticated users. Here, we
improve this situation by granting "guest identity" @ps to every
unauthenticated HTTP request, and extending the channels functionality
to them.

Sessions no longer represent only the local identity. Instead, each
session has either the local identity, or a fake guest identity
associated with it.

Every request that does not provide a session key/cookie gets assigned
a fresh one with a guest identity on the spot. As a result, every
single request has an identity associated with it.

The identity of a request gets propagated into userspace, if the request
ends up there.
For normal HTTP requests, this means the src.bowl gets set to that
identity for both the watch and poke of the request. For backwards
compatibility, the authenticated flag on the request noun gets set at
normal: only true if the request came from the local identity.
For channel requests, this means the src.bowl gets set to that identity
for any pokes and watches it sends, and it can only send those to agents
running on the local ship.

The scry endpoint remains unchanged in its behavior: only available to
the local identity.

Notable implementation detail changes in this diff include:
- Factored all gall interactions out into +deal-as.
- Sessions no longer represent exclusively the local identity. This
matters a lot to +give-session-tokens, %code-changed, and logout
handling.
- Session management got factored out into explicit +start-session and
+close-session arms.
2023-05-05 21:59:17 +02:00
Josh Lehman
a6024e33a9
Merge pull request #6553 from urbit/m/eyre-crud-500
eyre: when a %request causes a crud, serve 500
2023-05-05 08:51:28 -07:00
fang
08ad367cd8
eyre: when a %request causes a crud, serve 500
Previously, if an incoming request caused a crash, we would just drop it
on the floor. We should at least have the decency to serve the client a
quick 500 and let them get on with their day.

We make sure not to touch state here. The connection is guaranteed-fresh
because of the task's semantics, and we're handling it in-line in one go.

Notably we only give a simple "crud!" for the body, instead of the full
error trace. We don't know whether the request is authenticated or not
(and who knows if checking was the cause of the crash!), and the crud
might leak sensitive details about the ship it occurred on. For the
owner, the trace still gets printed into the terminal.
2023-05-04 17:42:36 +02:00
Ted Blackman
24467176f6
Merge pull request #6550 from urbit/jb/clay-quiet
clay: remove %take-foreign slog
2023-05-04 11:38:55 -04:00
Ted Blackman
de58756736
Merge pull request #6548 from urbit/philip/pending
clay: on update, remove all previous pending updates
2023-05-04 11:38:22 -04:00
Ted Blackman
100333cd5a
Merge pull request #6549 from urbit/jb/eyre-safe
eyre: handle agent errors safely
2023-05-03 19:16:10 -04:00
Joe Bryan
48ec5b2693 clay: remove %take-foreign slog 2023-05-03 18:48:30 -04:00
Joe Bryan
c42f1d2663 eyre: corrects connection lifecycle comment 2023-05-03 18:40:22 -04:00
Joe Bryan
c349d154b6 eyre: optimizes responses, removes redundant connection state updates 2023-05-03 18:39:19 -04:00
Joe Bryan
007a32c47a eyre: remove redundant connection retrieval 2023-05-03 18:25:48 -04:00
Joe Bryan
7fb2f613d4 eyre: no-op on agent-error when missing connection state 2023-05-03 18:25:10 -04:00
Philip Monk
9d7b196024 clay: on update, remove all previous pending updates
Fixes #6537, see discussion there for alternatives.
2023-05-03 13:03:53 -07:00
Joe Bryan
7f2257e581 clay: virtualize parsing to workaround runaway memoization 2023-05-02 17:16:22 -04:00
Ted Blackman
51e85291c1
Merge pull request #6542 from urbit/wicrum/wan-mop
lull,ames: use `mop` instead of `pha` in `.wan.keens`
2023-05-02 11:55:38 -04:00