Commit Graph

32364 Commits

Author SHA1 Message Date
fang
d8a03d094b
eyre: include local id in the eauth confirm page
We probably want something slightly fancier, like a banner or something,
that also shows up on the login page (and perhaps other "system" pages),
but for now this should suffice.
2023-06-16 21:22:37 +02:00
fang
41048b21e2
tests: update for new eauth architecture
Tag names have been changed, communication direction is now
client->host, and other changes which heavily affect the tests.
2023-06-16 21:20:20 +02:00
fang
ef89cf2410
eyre: rework eauth to be client-initiated
Instead of doing formal network traffic on the host-side whenever a
login attempt gets initiated, we now do it no earlier than when we're on
the client-side. This has the important property that network traffic
can only be initiated by authenticated HTTP requests. The previous
implementation, where hosts sent pleas when an unauthenticated HTTP
client said then wanted to log in, was vulnerable to abuse.

So now, formally, the eauth flow starts at the client's confirmation
screen. There is an optional step preceding this, where an attempt is
started on the host (and data is still stored for this), but to get the
redirect target, the host uses remote scry to get the eauth URL out of
the client ship.

Hosts now also give attempt-specific return URLs, useful in case they
are accessible (or even serving different content) from different
hostnames.
2023-06-09 15:46:04 +02:00
fang
5441692a1f
eyre: up priority on unexpected eauth traces
These are more "warning" or "error" as opposed to informational like all
the other ones at level 2.
2023-05-23 22:44:10 +02:00
fang
73ca5ea95d
eyre: make sure we always url-encode the redirect
Just for consistency, just in case.
2023-05-23 22:38:56 +02:00
fang
c133704866
eyre: move incoming eauth expiry logic into +eauth
+expiry:client:eauth, to be precise. This is a slightly cleaner
factoring.
2023-05-23 22:37:05 +02:00
fang
60eaf8a979
eyre: handle %lost and goof error cases correctly
We weren't handling these at all. Now we make them enter the same
codepath that %done nacks go into: deleting the attempt and maybe
telling the user if we can.

Note that Eyre will not receive %lost for %boons it crashes on until
2023-05-23 22:29:08 +02:00
fang
bf64e94ca3
tests: expand eyre eauth tests
For the server case, we add tests for http-first finalization, incorrect
eauth tokens, attempt expiration, client abort signalling, and client
deletion requests.

For the client case, we add a test for approving eauth attempts without
being locally authenticated.

To this end, we refactor the layout of the eauth tests. The +eauth core
now contains the tasks/gifts to be handled by the client/server, but no
longer does move checking. This happens within the test arms only. This
way, we may trivially re-run parts of the eauth flow under different
conditions.
2023-05-23 20:32:24 +02:00
fang
02e8120298
eyre: factor +eauth-error-page out of event core
This will make it easier to access for tests. The change to its
interface is also nice: in pretty much all scenarios in which we call
it, we already know whether we have redirect deets available to us, so
just provide those as arguments instead of having the function
re-derive.
2023-05-23 19:58:11 +02:00
fang
87be9c9bef
eyre: add task for setting manual eauth base url 2023-05-22 21:08:11 +02:00
fang
f1ab9574e6
eyre: better styling for the eauth confirm page
Brief prompt describing the login attempt's target, properly styled
buttons.

Pulls the CSS code for login pages out into its own arm for cleaner
sharing.
2023-05-22 19:48:28 +02:00
fang
7d4f9d1b57
eyre: properly redirect unauthed eauth confirms
We had naively changed the status code to a 403 "forbidden" response,
which is technically correct, but the "Location" header isn't respected
for that status code, leaving the user with a blank page instead of a
login prompt.
2023-05-19 22:53:02 +02:00
fang
a6acfe3c93
tests: add based happy-path eauth tests 2023-05-19 19:25:04 +02:00
fang
0762c7a127
eyre: only accept eauth approvals from ourselves
Instead of accepting POST requests from anyone who asks.
2023-05-19 19:23:24 +02:00
fang
3347e84811
eyre: rename authentication-state to auth
Only in the $server-state type, the lull typename remains unchanged (for
now). "authentication-state" is just such a mouthful!
2023-05-19 11:32:07 +02:00
fang
dd41df7d7c
tests: make eyre tests build & succeed again 2023-05-19 11:09:11 +02:00
fang
33c3474ae5
eyre: improve eauth login page ux
We improve the styling on the login mode switching "tabs", ensure
elements shared between the two modes are visually aligned, do loose
input validation on the name field, and simply don't render the eauth
option at all if the local ship does not yet have an +eauth-url.
2023-05-19 10:35:23 +02:00
fang
816706892c
dbug: support eyre eauth state & functionality 2023-05-18 23:40:16 +02:00
fang
02a2d116fe
Merge branch 'next/kelvin/412' into m/eyre-mirage 2023-05-18 23:15:55 +02:00
fang
8579b6c952
eyre: eauth, cross-ship authentication
aka "mirage" aka "eyre oauth"

With Eyre now supporting both local identity authentication, and fake
guest identities, the logical next step is to support authentication
with real non-local identities. Here, we implement that, building on top
of the groundwork laid by #6561.

The primary change is adding a %real case to Eyre's $identity type, and
implementing an http<->ames<->ames handshaking protocol into Eyre for
negotiating approval of login attempts made by unauthenticated HTTP
clients.

The authentication flow, where a "visitor" logs into a "~host" as their
own "~client" identity can be described in brief as follows:
1) Visitor makes an HTTP request saying they are ~client.
2) ~host tells ~client, over Ames, about its own public-facing hostname.
3) ~client responds with its own public-facing hostname.
4) ~host forwards the visitor to ~client's eauth page.
5) Visitor, there already logged in as ~client, approves the login
   attempt.
6) ~client shares a secret with ~host over Ames, and forwards the
   visitor to ~host's eauth page, including the secret in the request.
7) ~host sees that the secrets received over Ames and HTTP match, and
   gives the visitor a new session token, identifying them as ~client.

The negotiating of hostnames/URLs via Ames is crucial to keeping this
handshake sequence secure.

Discovering a ship's public-facing hostname happens when successful
local logins are made by reading out the Host header from the request.
Users may hard-code a value to override this.

Each eauth login attempt comes with a unique nonce. Both the host and
client track the lifetime of these. The corresponding Ames flow (which
goes from ~host -> ~client) is corked when the login attempt gets
aborted, or its associated session expires.

The logout functionality has been updated to let clients ask to be
logged out of sessions on other ships.
2023-05-18 23:13:15 +02:00
fang
b8ff52d79a
tests: remove trailing whitespace in eyre tests 2023-05-16 21:47:23 +02:00
fang
637992475b
eyre: refactor guest name generation
Concatenating before we truncate, instead of truncating the entropy by
itself, is slightly simpler.

Because this slightly changes the naming algorithm, we must update the
eyre tests to match.
2023-05-16 21:46:48 +02:00
fang
cde9458c0e
Merge pull request #6563 from urbit/philip/mare
eyre: refactor tests
2023-05-11 20:20:36 +02:00
Philip Monk
c3dc248b30 Merge remote-tracking branch 'origin/m/the-open-eyre' into philip/mare 2023-05-11 11:19:25 -07:00
fang
449eeb6d7f
eyre: make sure guest identity cannot be ours
If there turned out to be some way for requesters to control the
entropy, this might lead to privilege escalation on comets.
2023-05-09 15:31:47 +02:00
fang
d4b99b402f
dbug: ensure eyre identity columns are aligned
Longer vs shorter identity names would cause misalignment.
2023-05-09 15:22:49 +02:00
fang
466fc0b63b
eyre: pass session-id+identity into auth handling
This lets it also clean up guest sessions created just for the login
request, and lets us display the current guest identity on the login
page.
2023-05-09 15:10:14 +02:00
Philip Monk
8910e12f67 eyre: refactor tests
This shaves off 1000 lines of testing code while maintaining the same
tests.  It reduces boilerplate by introducing "mare", a monad for
testing Eyre.  It's very simple (just maintains the current state of
Eyre and the current time), but it's easier to build helper functions in
this form, and that reduces the immense quantities of copy-and-paste
that were in the old tests.  What's there now could surely be improved
further, but I think this is a good start.

The underlying mare machinery is not really specific to Eyre, so it
would be straightforward to apply this strategy to other vanes.  The
work is in creating appropriate helper functions for each vane.  Eyre is
undergoing work, so that's the only one I've changed here.  Further,
it's not clear that this is the ultimate solution to unit testing vanes.
The resulting code is IMO clearer than before, but I wouldn't say it's
*clear*.
2023-05-08 20:40:28 -07:00
fang
67799c77e0
tests: update eyre tests for guest sessions
Unauthenticated requests now also create sessions. This affects most
HTTP request handling tests.

The situation here is not ideal, and worsening over time. Worth spending
some time to think about how to best refactor the Eyre tests to make
them more manageable and easier to maintain.
2023-05-08 19:10:00 +02:00
fang
61ca0324ac
eyre: start session expiry only "once"
This condition got incorrectly inverted during 0fee4ce. Of course, the
logic here is still subtly incorrect: if a session gets deleted before
the timer fires, then we set a second one. Unfortunately, we are now
here to fix the bug right now.
2023-05-08 19:00:10 +02:00
fang
f1c839717e
dbug: handle new eyre identities, fancier logout
Include and render identities associated with requests, channels, and
login sessions. Provide the ability to kick identities and their
sessions, logging them out.
2023-05-05 23:46:30 +02:00
fang
744dea2267
various: stop asserting =(src our):bowl for http
It is no longer guaranteed that the src.bowl for incoming HTTP-related
events is equal to our.bowl. Instead, it will reflect the identity
associated with the request, our or otherwise.

When serving publicly-accessible endpoints, the assertion never made
much sense, but with recent changes actively prevents guests from
accessing the endpoints. Here, we correct all such cases.
2023-05-05 23:41:05 +02:00
fang
d15de3b48c
eyre: update %name, add %host endpoint
%name now returns the identity of the session associated with the
request. %host will always return the @p of the ship *handling* the
request.

The latter becomes especially important for guest sessions, who can only
interact with agents on the local ship, but will still need to specify
who that ship is.
2023-05-05 23:38:40 +02:00
fang
b387235597
eyre: enable host to log out any other session
Now that sessions with non-local identities can exist, the host/local
identity should be empowered to forcefully log off any session it hosts.

Additionally, we augment the logout logic with redirect functionality:
it now respects the "redirect" query parameter in the same way the login
page does. Still defaults to redirecting to the login page.
2023-05-05 23:33:37 +02:00
fang
b6e8cd616f
eyre: give 400 for invalid channel requests
We previously had no mechanism for giving error responses, if a client
submitted an invalid request into a channel. Guest access makes this
important, because guests cannot interact with remote ships. Attempting
to do so will cause a gall crash.

Here, we add error handling logic to channel request processing. We
catch the invalid cases described above and invalidate the entire batch
of channel requests if they occur. We make sure to drop the moves and
revert the state we changed, and give a 400 to the client that
informally describes the problem(s).
2023-05-05 22:08:18 +02:00
fang
0fee4ce50b
eyre: guest ids for unauthenticated requests
aka "the open eyre" aka "universal basic identity"

Urbit already supports presence on the clearnet, but fails to expose any
of its interactive affordances to unauthenticated users. Here, we
improve this situation by granting "guest identity" @ps to every
unauthenticated HTTP request, and extending the channels functionality
to them.

Sessions no longer represent only the local identity. Instead, each
session has either the local identity, or a fake guest identity
associated with it.

Every request that does not provide a session key/cookie gets assigned
a fresh one with a guest identity on the spot. As a result, every
single request has an identity associated with it.

The identity of a request gets propagated into userspace, if the request
ends up there.
For normal HTTP requests, this means the src.bowl gets set to that
identity for both the watch and poke of the request. For backwards
compatibility, the authenticated flag on the request noun gets set at
normal: only true if the request came from the local identity.
For channel requests, this means the src.bowl gets set to that identity
for any pokes and watches it sends, and it can only send those to agents
running on the local ship.

The scry endpoint remains unchanged in its behavior: only available to
the local identity.

Notable implementation detail changes in this diff include:
- Factored all gall interactions out into +deal-as.
- Sessions no longer represent exclusively the local identity. This
matters a lot to +give-session-tokens, %code-changed, and logout
handling.
- Session management got factored out into explicit +start-session and
+close-session arms.
2023-05-05 21:59:17 +02:00
Ted Blackman
65b069a1d9 zuse: kelvin 412 2023-05-04 11:42:41 -04:00
Ted Blackman
24467176f6
Merge pull request #6550 from urbit/jb/clay-quiet
clay: remove %take-foreign slog
2023-05-04 11:38:55 -04:00
Ted Blackman
de58756736
Merge pull request #6548 from urbit/philip/pending
clay: on update, remove all previous pending updates
2023-05-04 11:38:22 -04:00
Ted Blackman
100333cd5a
Merge pull request #6549 from urbit/jb/eyre-safe
eyre: handle agent errors safely
2023-05-03 19:16:10 -04:00
Joe Bryan
48ec5b2693 clay: remove %take-foreign slog 2023-05-03 18:48:30 -04:00
Joe Bryan
c42f1d2663 eyre: corrects connection lifecycle comment 2023-05-03 18:40:22 -04:00
Joe Bryan
c349d154b6 eyre: optimizes responses, removes redundant connection state updates 2023-05-03 18:39:19 -04:00
Joe Bryan
007a32c47a eyre: remove redundant connection retrieval 2023-05-03 18:25:48 -04:00
Joe Bryan
7fb2f613d4 eyre: no-op on agent-error when missing connection state 2023-05-03 18:25:10 -04:00
Philip Monk
9d7b196024 clay: on update, remove all previous pending updates
Fixes #6537, see discussion there for alternatives.
2023-05-03 13:03:53 -07:00
Ted Blackman
4d3af06300
Merge pull request #6545 from urbit/jb/road-pile
clay: virtualize parsing to workaround runaway memoization
2023-05-02 17:37:27 -04:00
Joe Bryan
7f2257e581 clay: virtualize parsing to workaround runaway memoization 2023-05-02 17:16:22 -04:00
Ted Blackman
51e85291c1
Merge pull request #6542 from urbit/wicrum/wan-mop
lull,ames: use `mop` instead of `pha` in `.wan.keens`
2023-05-02 11:55:38 -04:00
~wicrum-wicrun
451a84d467 jael: fake ships always have rift=0 2023-05-02 17:36:22 +02:00