Ozone ACLs

packages/bsky/src/api/com/atproto/admin/getAccountInfos.ts

@@ -5,7 +5,7 @@ import { INVALID_HANDLE } from '@atproto/syntax'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.admin.getAccountInfos({
-    auth: ctx.authVerifier.roleOrAdminService,
+    auth: ctx.authVerifier.roleOrModService,
     handler: async ({ params }) => {
       const { dids } = params
       const actors = await ctx.hydrator.actor.getActors(dids, true)

packages/bsky/src/api/com/atproto/admin/getSubjectStatus.ts

@@ -5,7 +5,7 @@ import { OutputSchema } from '../../../../lexicon/types/com/atproto/admin/getSub
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.admin.getSubjectStatus({
-    auth: ctx.authVerifier.roleOrAdminService,
+    auth: ctx.authVerifier.roleOrModService,
     handler: async ({ params }) => {
       const { did, uri, blob } = params
 

packages/bsky/src/api/com/atproto/admin/updateSubjectStatus.ts

@@ -10,7 +10,7 @@ import { isMain as isStrongRef } from '../../../../lexicon/types/com/atproto/rep
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.admin.updateSubjectStatus({
-    auth: ctx.authVerifier.roleOrAdminService,
+    auth: ctx.authVerifier.roleOrModService,
     handler: async ({ input, auth }) => {
       const { canPerformTakedown } = ctx.authVerifier.parseCreds(auth)
       if (!canPerformTakedown) {

packages/bsky/src/auth-verifier.ts

@@ -45,28 +45,28 @@ type RoleOutput = {
   }
 }
 
-type AdminServiceOutput = {
+type ModServiceOutput = {
   credentials: {
-    type: 'admin_service'
+    type: 'mod_service'
     aud: string
     iss: string
   }
 }
 
 export type AuthVerifierOpts = {
   ownDid: string
-  adminDid: string
+  modServiceDid: string
   adminPasses: string[]
 }
 
 export class AuthVerifier {
   public ownDid: string
-  public adminDid: string
+  public modServiceDid: string
   private adminPasses: Set<string>
 
   constructor(public dataplane: DataPlaneClient, opts: AuthVerifierOpts) {
     this.ownDid = opts.ownDid
-    this.adminDid = opts.adminDid
+    this.modServiceDid = opts.modServiceDid
     this.adminPasses = new Set(opts.adminPasses)
   }
 
@@ -83,13 +83,21 @@ export class AuthVerifier {
       if (!this.parseRoleCreds(ctx.req).admin) {
         throw new AuthRequiredError('bad credentials')
       }
-      return { credentials: { type: 'standard', iss, aud } }
+      return {
+        credentials: { type: 'standard', iss, aud },
+      }
     }
     const { iss, aud } = await this.verifyServiceJwt(ctx, {
       aud: this.ownDid,
       iss: null,
     })
-    return { credentials: { type: 'standard', iss, aud } }
+    return {
+      credentials: {
+        type: 'standard',
+        iss,
+        aud,
+      },
+    }
   }
 
   standardOptional = async (
@@ -159,19 +167,19 @@ export class AuthVerifier {
     }
   }
 
-  adminService = async (reqCtx: ReqCtx): Promise<AdminServiceOutput> => {
+  modService = async (reqCtx: ReqCtx): Promise<ModServiceOutput> => {
     const { iss, aud } = await this.verifyServiceJwt(reqCtx, {
       aud: this.ownDid,
-      iss: [this.adminDid],
+      iss: [this.modServiceDid, `${this.modServiceDid}#atproto_mod`],
     })
-    return { credentials: { type: 'admin_service', aud, iss } }
+    return { credentials: { type: 'mod_service', aud, iss } }
   }
 
-  roleOrAdminService = async (
+  roleOrModService = async (
     reqCtx: ReqCtx,
-  ): Promise<RoleOutput | AdminServiceOutput> => {
+  ): Promise<RoleOutput | ModServiceOutput> => {
     if (isBearerToken(reqCtx.req)) {
-      return this.adminService(reqCtx)
+      return this.modService(reqCtx)
     } else {
       return this.role(reqCtx)
     }
@@ -195,12 +203,13 @@ export class AuthVerifier {
     opts: { aud: string | null; iss: string[] | null },
   ) {
     const getSigningKey = async (
-      did: string,
+      iss: string,
       _forceRefresh: boolean, // @TODO consider propagating to dataplane
     ): Promise<string> => {
-      if (opts.iss !== null && !opts.iss.includes(did)) {
+      if (opts.iss !== null && !opts.iss.includes(iss)) {
         throw new AuthRequiredError('Untrusted issuer', 'UntrustedIss')
       }
+      const [did, keyId = 'atproto'] = iss.split('#')
       let identity: GetIdentityByDidResponse
       try {
         identity = await this.dataplane.getIdentityByDid({ did })
@@ -211,7 +220,7 @@ export class AuthVerifier {
         throw err
       }
       const keys = unpackIdentityKeys(identity.keys)
-      const didKey = getKeyAsDidKey(keys, { id: 'atproto' })
+      const didKey = getKeyAsDidKey(keys, { id: keyId })
       if (!didKey) {
         throw new AuthRequiredError('missing or bad key')
       }
@@ -226,6 +235,12 @@ export class AuthVerifier {
     return { iss: payload.iss, aud: payload.aud }
   }
 
+  isModService(iss: string): boolean {
+    return [this.modServiceDid, `${this.modServiceDid}#atproto_mod`].includes(
+      iss,
+    )
+  }
+
   nullCreds(): NullOutput {
     return {
       credentials: {
@@ -236,16 +251,19 @@ export class AuthVerifier {
   }
 
   parseCreds(
-    creds: StandardOutput | RoleOutput | AdminServiceOutput | NullOutput,
+    creds: StandardOutput | RoleOutput | ModServiceOutput | NullOutput,
   ) {
     const viewer =
       creds.credentials.type === 'standard' ? creds.credentials.iss : null
     const canViewTakedowns =
       (creds.credentials.type === 'role' && creds.credentials.admin) ||
-      creds.credentials.type === 'admin_service'
+      creds.credentials.type === 'mod_service' ||
+      (creds.credentials.type === 'standard' &&
+        this.isModService(creds.credentials.iss))
     const canPerformTakedown =
       (creds.credentials.type === 'role' && creds.credentials.admin) ||
-      creds.credentials.type === 'admin_service'
+      creds.credentials.type === 'mod_service'
+
     return {
       viewer,
       canViewTakedowns,

packages/bsky/src/index.ts

@@ -100,7 +100,7 @@ export class BskyAppView {
 
     const authVerifier = new AuthVerifier(dataplane, {
       ownDid: config.serverDid,
-      adminDid: config.modServiceDid,
+      modServiceDid: config.modServiceDid,
       adminPasses: config.adminPasswords,
     })
 

packages/common-web/src/did-doc.ts

@@ -27,6 +27,13 @@ export const getHandle = (doc: DidDocument): string | undefined => {
 // @NOTE we parse to type/publicKeyMultibase to avoid the dependency on @atproto/crypto
 export const getSigningKey = (
   doc: DidDocument,
+): { type: string; publicKeyMultibase: string } | undefined => {
+  return getVerificationMaterial(doc, 'atproto')
+}
+
+export const getVerificationMaterial = (
+  doc: DidDocument,
+  keyId: string,
 ): { type: string; publicKeyMultibase: string } | undefined => {
   const did = getDid(doc)
   let keys = doc.verificationMethod
@@ -36,14 +43,15 @@ export const getSigningKey = (
     keys = [keys]
   }
   const found = keys.find(
-    (key) => key.id === '#atproto' || key.id === `${did}#atproto`,
+    (key) => key.id === `#${keyId}` || key.id === `${did}#${keyId}`,
   )
   if (!found?.publicKeyMultibase) return undefined
   return {
     type: found.type,
     publicKeyMultibase: found.publicKeyMultibase,
   }
 }
+
 export const getSigningDidKey = (doc: DidDocument): string | undefined => {
   const parsed = getSigningKey(doc)
   if (!parsed) return

packages/dev-env/src/ozone.ts

@@ -44,6 +44,9 @@ export class TestOzone {
       adminPassword: ADMIN_PASSWORD,
       moderatorPassword: MOD_PASSWORD,
       triagePassword: TRIAGE_PASSWORD,
+      adminDids: [],
+      moderatorDids: [],
+      triageDids: [],
     }
 
     // Separate migration db in case migration changes some connection state that we need in the tests, e.g. "alter database ... set ..."

packages/ozone/src/api/admin/createCommunicationTemplate.ts

@@ -4,13 +4,13 @@ import AppContext from '../../context'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.admin.createCommunicationTemplate({
-    auth: ctx.roleVerifier,
+    auth: ctx.authVerifier.modOrRole,
     handler: async ({ input, auth }) => {
       const access = auth.credentials
       const db = ctx.db
       const { createdBy, ...template } = input.body
 
-      if (!access.admin) {
+      if (!access.isAdmin) {
         throw new AuthRequiredError(
           'Must be an admin to create a communication template',
         )

packages/ozone/src/api/admin/deleteCommunicationTemplate.ts

@@ -4,13 +4,13 @@ import AppContext from '../../context'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.admin.deleteCommunicationTemplate({
-    auth: ctx.roleVerifier,
+    auth: ctx.authVerifier.modOrRole,
     handler: async ({ input, auth }) => {
       const access = auth.credentials
       const db = ctx.db
       const { id } = input.body
 
-      if (!access.admin) {
+      if (!access.isAdmin) {
         throw new AuthRequiredError(
           'Must be an admin to delete a communication template',
         )

packages/ozone/src/api/admin/emitModerationEvent.ts

@@ -11,7 +11,7 @@ import { ModerationLangService } from '../../mod-service/lang'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.admin.emitModerationEvent({
-    auth: ctx.roleVerifier,
+    auth: ctx.authVerifier.modOrRole,
     handler: async ({ input, auth }) => {
       const access = auth.credentials
       const db = ctx.db
@@ -29,15 +29,15 @@ export default function (server: Server, ctx: AppContext) {
 
       // if less than moderator access then can only take ack and escalation actions
       if (isTakedownEvent || isReverseTakedownEvent) {
-        if (!access.moderator) {
+        if (!access.isModerator) {
           throw new AuthRequiredError(
             'Must be a full moderator to take this type of action',
           )
         }
 
         // Non admins should not be able to take down feed generators
         if (
-          !access.admin &&
+          !access.isAdmin &&
           subject.recordPath?.includes('app.bsky.feed.generator/')
         ) {
           throw new AuthRequiredError(
@@ -46,7 +46,7 @@ export default function (server: Server, ctx: AppContext) {
         }
       }
       // if less than moderator access then can not apply labels
-      if (!access.moderator && isLabelEvent) {
+      if (!access.isModerator && isLabelEvent) {
         throw new AuthRequiredError('Must be a full moderator to label content')
       }
 

packages/ozone/src/api/admin/getModerationEvent.ts

@@ -3,7 +3,7 @@ import AppContext from '../../context'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.admin.getModerationEvent({
-    auth: ctx.roleVerifier,
+    auth: ctx.authVerifier.modOrRole,
     handler: async ({ params }) => {
       const { id } = params
       const db = ctx.db

packages/ozone/src/api/admin/getRecord.ts

@@ -6,7 +6,7 @@ import { AtUri } from '@atproto/syntax'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.admin.getRecord({
-    auth: ctx.roleVerifier,
+    auth: ctx.authVerifier.modOrRole,
     handler: async ({ params, auth }) => {
       const db = ctx.db
 
@@ -22,7 +22,7 @@ export default function (server: Server, ctx: AppContext) {
       record.repo = addAccountInfoToRepoView(
         record.repo,
         accountInfo,
-        auth.credentials.moderator,
+        auth.credentials.isModerator,
       )
 
       return {

packages/ozone/src/api/admin/getRepo.ts

@@ -5,7 +5,7 @@ import { addAccountInfoToRepoViewDetail, getPdsAccountInfo } from './util'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.admin.getRepo({
-    auth: ctx.roleVerifier,
+    auth: ctx.authVerifier.modOrRole,
     handler: async ({ params, auth }) => {
       const { did } = params
       const db = ctx.db
@@ -20,7 +20,7 @@ export default function (server: Server, ctx: AppContext) {
       const repo = addAccountInfoToRepoViewDetail(
         partialRepo,
         accountInfo,
-        auth.credentials.moderator,
+        auth.credentials.isModerator,
       )
       return {
         encoding: 'application/json',

packages/ozone/src/api/admin/listCommunicationTemplates.ts

@@ -4,12 +4,12 @@ import AppContext from '../../context'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.admin.listCommunicationTemplates({
-    auth: ctx.roleVerifier,
+    auth: ctx.authVerifier.modOrRole,
     handler: async ({ auth }) => {
       const access = auth.credentials
       const db = ctx.db
 
-      if (!access.moderator) {
+      if (!access.isModerator) {
         throw new AuthRequiredError(
           'Must be a full moderator to view list of communication template',
         )

packages/ozone/src/api/admin/queryModerationEvents.ts

@@ -4,7 +4,7 @@ import { getEventType } from '../moderation/util'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.admin.queryModerationEvents({
-    auth: ctx.roleVerifier,
+    auth: ctx.authVerifier.modOrRole,
     handler: async ({ params }) => {
       const {
         subject,

packages/ozone/src/api/admin/queryModerationStatuses.ts

@@ -4,7 +4,7 @@ import { getReviewState } from '../moderation/util'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.admin.queryModerationStatuses({
-    auth: ctx.roleVerifier,
+    auth: ctx.authVerifier.modOrRole,
     handler: async ({ params }) => {
       const {
         subject,

packages/ozone/src/api/admin/searchRepos.ts

@@ -4,7 +4,7 @@ import { mapDefined } from '@atproto/common'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.admin.searchRepos({
-    auth: ctx.roleVerifier,
+    auth: ctx.authVerifier.modOrRole,
     handler: async ({ params }) => {
       const modService = ctx.modService(ctx.db)
 

packages/ozone/src/api/admin/updateCommunicationTemplate.ts

@@ -4,13 +4,13 @@ import AppContext from '../../context'
 
 export default function (server: Server, ctx: AppContext) {
   server.com.atproto.admin.updateCommunicationTemplate({
-    auth: ctx.roleVerifier,
+    auth: ctx.authVerifier.modOrRole,
     handler: async ({ input, auth }) => {
       const access = auth.credentials
       const db = ctx.db
       const { id, updatedBy, ...template } = input.body
 
-      if (!access.admin) {
+      if (!access.isAdmin) {
         throw new AuthRequiredError(
           'Must be an admin to update a communication template',
         )