Clean up role-based auth #2255

Merged (82 commits, Mar 7, 2024)
Changes from 65 commits

Commits
6a26396
tidy bsky auth
dholms Feb 29, 2024
125f721
hook up new auth verifier
dholms Feb 29, 2024
36da1d9
update auth throughout ozone
dholms Feb 29, 2024
32b3de8
handle mod signing keys
dholms Feb 29, 2024
b1f07d5
add client proxy heads to pds
dholms Feb 29, 2024
ef236a4
hook up rest of routes
dholms Feb 29, 2024
bfbb586
simplify pipethrough & add some SSRF protection
dholms Feb 29, 2024
92d9268
tests
dholms Feb 29, 2024
199b754
fix bad var
dholms Feb 29, 2024
d1d39ff
merge main
dholms Feb 29, 2024
5cea30c
remove basic auth in ozone
dholms Feb 29, 2024
7561b93
wip
dholms Feb 29, 2024
cb53fdc
fix key parsing in pds
dholms Feb 29, 2024
f8145ec
Merge branch 'ozone-acls-take2' into rm-basic-auth
dholms Feb 29, 2024
26b3557
fix up all ozone tests
dholms Mar 1, 2024
e3bfb17
fix admin auth test
dholms Mar 1, 2024
a642063
rename test
dholms Mar 1, 2024
e2c0949
Merge branch 'ozone-acls-take2' into rm-basic-auth
dholms Mar 1, 2024
bac2b57
fix ozone test
dholms Mar 1, 2024
d599dd7
clean up tokens in pds
dholms Mar 1, 2024
08dc9a9
fix up pds tests
dholms Mar 1, 2024
8747869
fix up ozone tests
dholms Mar 1, 2024
88c2412
add pipethrough to write routes
dholms Mar 1, 2024
a30ac47
Merge branch 'ozone-acls-take2' into pds-proxy-headers
dholms Mar 1, 2024
648cf62
merge
dholms Mar 1, 2024
a52f7b6
reenable proxied admin test
dholms Mar 1, 2024
9b322c7
add moderator accounts to ozone in dev-env
dholms Mar 4, 2024
f7ef546
update did doc id values
dholms Mar 4, 2024
dbe9aff
Merge branch 'ozone-acls-take2' into pds-proxy-headers
dholms Mar 4, 2024
6eb72bf
Merge branch 'pds-proxy-headers' into rm-basic-auth
dholms Mar 4, 2024
0482a92
null creds string -> `none`
dholms Mar 4, 2024
cccade6
Merge branch 'ozone-acls-take2' into pds-proxy-headers
dholms Mar 4, 2024
8a38742
Merge branch 'pds-proxy-headers' into rm-basic-auth
dholms Mar 4, 2024
5df31de
fix fetchLabels auth check
dholms Mar 5, 2024
04dc443
Merge branch 'ozone-acls-take2' into pds-proxy-headers
dholms Mar 5, 2024
9e290ca
Merge branch 'pds-proxy-headers' into rm-basic-auth
dholms Mar 5, 2024
dd891d4
:sparkles: Add a couple more proxied requests that we use in ozone ui
foysalit Mar 5, 2024
2ca4fee
Add runit to the services/bsky Dockerfile (#2254)
Jacob2161 Feb 29, 2024
6ba5f6c
Improve tag detection (#2260)
estrattonbailey Mar 1, 2024
9b2500e
Version packages (#2261)
github-actions[bot] Mar 1, 2024
c76fd03
:bug: Increment attempt count after each attempt to push ozone event …
foysalit Mar 4, 2024
87f00f2
Ozone delegates email sending to actor's pds (#2272)
devinivy Mar 5, 2024
ccfc4d9
Merge branch 'ozone-acls-take2' into pds-proxy-headers
dholms Mar 5, 2024
1b1d1a4
merge
dholms Mar 5, 2024
c273f46
add dev dep for nodemailer in ozone
dholms Mar 5, 2024
8341c7a
fix auth verifier method
dholms Mar 5, 2024
207e208
Merge branch 'ozone-acls-take2' into pds-proxy-headers
dholms Mar 5, 2024
9ddf283
merge
dholms Mar 5, 2024
f936105
build branch
dholms Mar 5, 2024
d7682f9
Merge branch 'pds-proxy-headers' into rm-basic-auth
dholms Mar 5, 2024
971b4b7
build branch
dholms Mar 5, 2024
11b7af2
merge main
dholms Mar 5, 2024
abe4b03
Merge branch 'ozone-acls-take2' into pds-proxy-headers
dholms Mar 5, 2024
3a9661f
Merge branch 'pds-proxy-headers' into rm-basic-auth
dholms Mar 5, 2024
5f3c91b
fix url check
dholms Mar 5, 2024
037f163
better error handling for get account infos
dholms Mar 5, 2024
fc1c40d
fix labeler service id
dholms Mar 5, 2024
483b71f
Merge branch 'ozone-acls-take2' into pds-proxy-headers
dholms Mar 5, 2024
5e1c5fd
fix iss on auth headers
dholms Mar 5, 2024
64d99dd
Merge branch 'ozone-acls-take2' into pds-proxy-headers
dholms Mar 5, 2024
82acea2
fix dev-env ozone did
dholms Mar 5, 2024
4c7db5c
fix tests & another jwt issuer
dholms Mar 5, 2024
514b437
Merge branch 'ozone-acls-take2' into pds-proxy-headers
dholms Mar 5, 2024
d697105
merge
dholms Mar 5, 2024
9d5d762
fix proxy auth
dholms Mar 5, 2024
81f9d69
ozone: fix ip check
devinivy Mar 5, 2024
c74fd23
Merge remote-tracking branch 'origin/ozone-acls-take2' into pds-proxy…
devinivy Mar 5, 2024
7be8445
fix aud check on pds mod service auth
dholms Mar 5, 2024
7a490d2
Merge branch 'ozone-acls-take2' into pds-proxy-headers
dholms Mar 5, 2024
592518c
tidy
dholms Mar 5, 2024
402cc7b
Merge branch 'ozone-acls-take2' into pds-proxy-headers
dholms Mar 5, 2024
5b6b9ee
Merge branch 'main' into pds-proxy-headers
dholms Mar 6, 2024
f583ba9
Merge branch 'pds-proxy-headers' into rm-basic-auth
dholms Mar 6, 2024
1ce9e00
Update packages/pds/tests/proxied/admin.test.ts
dholms Mar 6, 2024
5aec85f
merge main
dholms Mar 7, 2024
c5c7a4c
Merge branch 'pds-proxy-headers' into rm-basic-auth
dholms Mar 7, 2024
b4211ea
fix pipethrough of headers
dholms Mar 7, 2024
0ab7500
Merge branch 'pds-proxy-headers' into rm-basic-auth
dholms Mar 7, 2024
e46397d
fix moderation status tests
dholms Mar 7, 2024
d9b62b9
fix auth on ozone routes
dholms Mar 7, 2024
4d2c17f
update iss on daemon
dholms Mar 7, 2024
accb2a6
merge main
dholms Mar 7, 2024
1 change: 0 additions & 1 deletion .github/workflows/build-and-push-bsky-ghcr.yaml
@@ -3,7 +3,6 @@ on:
push:
branches:
- main
- appview-v2
env:
REGISTRY: ghcr.io
USERNAME: ${{ github.actor }}
2 changes: 1 addition & 1 deletion .github/workflows/build-and-push-ozone-aws.yaml
@@ -3,7 +3,7 @@ on:
push:
branches:
- main
- ozone-cdn-invalidation
- rm-basic-auth
env:
REGISTRY: ${{ secrets.AWS_ECR_REGISTRY_USEAST2_PACKAGES_REGISTRY }}
USERNAME: ${{ secrets.AWS_ECR_REGISTRY_USEAST2_PACKAGES_USERNAME }}
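Review bot: the `- rm-basic-auth` entry replaces `ozone-cdn-invalidation` under `branches:`, so every push to the feature branch builds and publishes an Ozone image to the ECR registry; the "build branch" commits in this PR suggest it was added for testing. Remove it before the change lands so only `- main` triggers the publish workflow.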
1 change: 1 addition & 0 deletions .github/workflows/build-and-push-pds-ghcr.yaml
@@ -3,6 +3,7 @@ on:
push:
branches:
- main
- rm-basic-auth
env:
REGISTRY: ghcr.io
USERNAME: ${{ github.actor }}
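Review bot: adding `- rm-basic-auth` to `branches:` makes each push to the feature branch build and push a PDS image to ghcr.io. This reads as a temporary hook for trying the branch out; it should not be merged into `main`, where `- main` alone belongs.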
2 changes: 1 addition & 1 deletion packages/bsky/src/api/com/atproto/admin/getAccountInfos.ts
@@ -5,7 +5,7 @@ import { INVALID_HANDLE } from '@atproto/syntax'

export default function (server: Server, ctx: AppContext) {
server.com.atproto.admin.getAccountInfos({
auth: ctx.authVerifier.roleOrAdminService,
auth: ctx.authVerifier.roleOrModService,
handler: async ({ params }) => {
const { dids } = params
const actors = await ctx.hydrator.actor.getActors(dids, true)
@@ -5,7 +5,7 @@ import { OutputSchema } from '../../../../lexicon/types/com/atproto/admin/getSub

export default function (server: Server, ctx: AppContext) {
server.com.atproto.admin.getSubjectStatus({
auth: ctx.authVerifier.roleOrAdminService,
auth: ctx.authVerifier.roleOrModService,
handler: async ({ params }) => {
const { did, uri, blob } = params

@@ -10,7 +10,7 @@ import { isMain as isStrongRef } from '../../../../lexicon/types/com/atproto/rep

export default function (server: Server, ctx: AppContext) {
server.com.atproto.admin.updateSubjectStatus({
auth: ctx.authVerifier.roleOrAdminService,
auth: ctx.authVerifier.roleOrModService,
handler: async ({ input, auth }) => {
const { canPerformTakedown } = ctx.authVerifier.parseCreds(auth)
if (!canPerformTakedown) {
63 changes: 42 additions & 21 deletions packages/bsky/src/auth-verifier.ts
@@ -25,7 +25,7 @@ export enum RoleStatus {

type NullOutput = {
credentials: {
type: 'null'
type: 'none'
iss: null
}
}
@@ -45,28 +45,28 @@ type RoleOutput = {
}
}

type AdminServiceOutput = {
type ModServiceOutput = {
credentials: {
type: 'admin_service'
type: 'mod_service'
aud: string
iss: string
}
}

export type AuthVerifierOpts = {
ownDid: string
adminDid: string
modServiceDid: string
adminPasses: string[]
}

export class AuthVerifier {
public ownDid: string
public adminDid: string
public modServiceDid: string
private adminPasses: Set<string>

constructor(public dataplane: DataPlaneClient, opts: AuthVerifierOpts) {
this.ownDid = opts.ownDid
this.adminDid = opts.adminDid
this.modServiceDid = opts.modServiceDid
this.adminPasses = new Set(opts.adminPasses)
}

@@ -83,13 +83,21 @@ export class AuthVerifier {
if (!this.parseRoleCreds(ctx.req).admin) {
throw new AuthRequiredError('bad credentials')
}
return { credentials: { type: 'standard', iss, aud } }
return {
credentials: { type: 'standard', iss, aud },
}
}
const { iss, aud } = await this.verifyServiceJwt(ctx, {
aud: this.ownDid,
iss: null,
})
return { credentials: { type: 'standard', iss, aud } }
return {
credentials: {
type: 'standard',
iss,
aud,
},
}
}

standardOptional = async (
@@ -159,19 +167,19 @@ export class AuthVerifier {
}
}

adminService = async (reqCtx: ReqCtx): Promise<AdminServiceOutput> => {
modService = async (reqCtx: ReqCtx): Promise<ModServiceOutput> => {
const { iss, aud } = await this.verifyServiceJwt(reqCtx, {
aud: this.ownDid,
iss: [this.adminDid],
iss: [this.modServiceDid, `${this.modServiceDid}#atproto_labeler`],
})
return { credentials: { type: 'admin_service', aud, iss } }
return { credentials: { type: 'mod_service', aud, iss } }
}

roleOrAdminService = async (
roleOrModService = async (
reqCtx: ReqCtx,
): Promise<RoleOutput | AdminServiceOutput> => {
): Promise<RoleOutput | ModServiceOutput> => {
if (isBearerToken(reqCtx.req)) {
return this.adminService(reqCtx)
return this.modService(reqCtx)
} else {
return this.role(reqCtx)
}
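Review bot: the trusted-issuer list `[this.modServiceDid, `${this.modServiceDid}#atproto_labeler`]` passed as `iss` in `modService` is the same list that `isModService()` re-types further down in this file. Two copies of an allowlist drift: adding or removing a service fragment in one place silently leaves the other unchanged. Build both from a single array (a private getter on the class would do) so the verifier and the `parseCreds` check cannot disagree on who the mod service is.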
@@ -195,12 +203,15 @@ export class AuthVerifier {
opts: { aud: string | null; iss: string[] | null },
) {
const getSigningKey = async (
did: string,
iss: string,
_forceRefresh: boolean, // @TODO consider propagating to dataplane
): Promise<string> => {
if (opts.iss !== null && !opts.iss.includes(did)) {
if (opts.iss !== null && !opts.iss.includes(iss)) {
throw new AuthRequiredError('Untrusted issuer', 'UntrustedIss')
}
const [did, serviceId] = iss.split('#')
const keyId =
serviceId === 'atproto_labeler' ? 'atproto_label' : 'atproto'
let identity: GetIdentityByDidResponse
try {
identity = await this.dataplane.getIdentityByDid({ did })
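Review bot: `iss.split('#')` together with `serviceId === 'atproto_labeler' ? 'atproto_label' : 'atproto'` maps every fragment other than `atproto_labeler` onto the `atproto` key, and the `opts.iss` allowlist above it only runs when `opts.iss !== null`. On the `standard` path, which calls `verifyServiceJwt` with `iss: null`, an issuer of the form `did:...#somethingelse` is therefore verified against the account's `atproto` key and then returned unchanged, fragment included, as `payload.iss` (see the `return { iss: payload.iss, aud: payload.aud }` below), so `credentials.iss` is no longer a bare DID. Suggest rejecting any `serviceId` that is neither absent nor `atproto_labeler` with `AuthRequiredError('Untrusted issuer', 'UntrustedIss')`, and deciding explicitly whether the fragment should survive into `credentials.iss`.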
@@ -211,7 +222,7 @@ export class AuthVerifier {
throw err
}
const keys = unpackIdentityKeys(identity.keys)
const didKey = getKeyAsDidKey(keys, { id: 'atproto' })
const didKey = getKeyAsDidKey(keys, { id: keyId })
if (!didKey) {
throw new AuthRequiredError('missing or bad key')
}
@@ -226,26 +237,36 @@ export class AuthVerifier {
return { iss: payload.iss, aud: payload.aud }
}

isModService(iss: string): boolean {
return [
this.modServiceDid,
`${this.modServiceDid}#atproto_labeler`,
].includes(iss)
}

nullCreds(): NullOutput {
return {
credentials: {
type: 'null',
type: 'none',
iss: null,
},
}
}

parseCreds(
creds: StandardOutput | RoleOutput | AdminServiceOutput | NullOutput,
creds: StandardOutput | RoleOutput | ModServiceOutput | NullOutput,
) {
const viewer =
creds.credentials.type === 'standard' ? creds.credentials.iss : null
const canViewTakedowns =
(creds.credentials.type === 'role' && creds.credentials.admin) ||
creds.credentials.type === 'admin_service'
creds.credentials.type === 'mod_service' ||
(creds.credentials.type === 'standard' &&
this.isModService(creds.credentials.iss))
const canPerformTakedown =
(creds.credentials.type === 'role' && creds.credentials.admin) ||
creds.credentials.type === 'admin_service'
creds.credentials.type === 'mod_service'

return {
viewer,
canViewTakedowns,
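Review bot: `canViewTakedowns` now also covers `standard` credentials whose `iss` satisfies `isModService`, while `canPerformTakedown` stays limited to `role` admins and `mod_service` credentials. A mod-service-signed token that arrives through the standard verifier can thus read takedown state but not change it; that looks intentional, but nothing in the code says so. A one-line comment above `canViewTakedowns` explaining the asymmetry would keep a later edit from "fixing" it by adding the same clause to `canPerformTakedown`.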
2 changes: 1 addition & 1 deletion packages/bsky/src/index.ts
@@ -100,7 +100,7 @@ export class BskyAppView {

const authVerifier = new AuthVerifier(dataplane, {
ownDid: config.serverDid,
adminDid: config.modServiceDid,
modServiceDid: config.modServiceDid,
adminPasses: config.adminPasswords,
})

14 changes: 11 additions & 3 deletions packages/common-web/src/did-doc.ts
@@ -27,6 +27,13 @@ export const getHandle = (doc: DidDocument): string | undefined => {
// @NOTE we parse to type/publicKeyMultibase to avoid the dependency on @atproto/crypto
export const getSigningKey = (
doc: DidDocument,
): { type: string; publicKeyMultibase: string } | undefined => {
return getVerificationMaterial(doc, 'atproto')
}

export const getVerificationMaterial = (
doc: DidDocument,
keyId: string,
): { type: string; publicKeyMultibase: string } | undefined => {
const did = getDid(doc)
let keys = doc.verificationMethod
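Review bot: the `// @NOTE we parse to type/publicKeyMultibase ...` comment now sits above a one-line wrapper and actually describes `getVerificationMaterial`; move it down to the new export. `getVerificationMaterial` also needs a doc comment saying that `keyId` is compared exactly as `#${keyId}` / `${did}#${keyId}` (see the `find` in the next hunk), so callers pass the bare id such as `atproto` or `atproto_label`, never a leading `#`.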
@@ -36,14 +43,15 @@ export const getSigningKey = (
keys = [keys]
}
const found = keys.find(
(key) => key.id === '#atproto' || key.id === `${did}#atproto`,
(key) => key.id === `#${keyId}` || key.id === `${did}#${keyId}`,
)
if (!found?.publicKeyMultibase) return undefined
return {
type: found.type,
publicKeyMultibase: found.publicKeyMultibase,
}
}

export const getSigningDidKey = (doc: DidDocument): string | undefined => {
const parsed = getSigningKey(doc)
if (!parsed) return
@@ -73,7 +81,7 @@ export const getNotifEndpoint = (doc: DidDocument): string | undefined => {

export const getServiceEndpoint = (
doc: DidDocument,
opts: { id: string; type: string },
opts: { id: string; type?: string },
) => {
const did = getDid(doc)
let services = doc.service
@@ -86,7 +94,7 @@ export const getServiceEndpoint = (
(service) => service.id === opts.id || service.id === `${did}${opts.id}`,
)
if (!found) return undefined
if (found.type !== opts.type) {
if (opts.type && found.type !== opts.type) {
return undefined
}
if (typeof found.serviceEndpoint !== 'string') {
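Review bot: with `opts.type && found.type !== opts.type`, a caller that omits `type` now accepts whatever `type` the DID document declares for that service id, where a mismatch previously returned `undefined`. That is reasonable when only the id matters, but an endpoint the caller will send credentials or user data to should still be resolved with `type` set; a doc comment on `opts` stating that the type check is skipped when `type` is omitted makes the loosening an explicit decision at each call site.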
4 changes: 2 additions & 2 deletions packages/dev-env/src/bsky.ts
@@ -5,7 +5,7 @@ import { AtpAgent } from '@atproto/api'
import { Secp256k1Keypair } from '@atproto/crypto'
import { Client as PlcClient } from '@did-plc/lib'
import { BskyConfig } from './types'
import { ADMIN_PASSWORD, MOD_PASSWORD, TRIAGE_PASSWORD } from './const'
import { ADMIN_PASSWORD } from './const'
import { BackgroundQueue } from '@atproto/bsky/src/data-plane/server/background'

export class TestBsky {
@@ -64,7 +64,7 @@ export class TestBsky {
modServiceDid: cfg.modServiceDid ?? 'did:example:invalidMod',
labelsFromIssuerDids: ['did:example:labeler'], // this did is also used as the labeler in seeds
...cfg,
adminPasswords: [ADMIN_PASSWORD, MOD_PASSWORD, TRIAGE_PASSWORD],
adminPasswords: [ADMIN_PASSWORD],
})

// Separate migration db in case migration changes some connection state that we need in the tests, e.g. "alter database ... set ..."
2 changes: 0 additions & 2 deletions packages/dev-env/src/const.ts
@@ -1,4 +1,2 @@
export const ADMIN_PASSWORD = 'admin-pass'
export const MOD_PASSWORD = 'mod-pass'
export const TRIAGE_PASSWORD = 'triage-pass'
export const JWT_SECRET = 'jwt-secret'
2 changes: 2 additions & 0 deletions packages/dev-env/src/index.ts
@@ -4,7 +4,9 @@ export * from './network'
export * from './network-no-appview'
export * from './pds'
export * from './plc'
export * from './ozone'
export * from './feed-gen'
export * from './seed'
export * from './moderator-client'
export * from './types'
export * from './util'
23 changes: 23 additions & 0 deletions packages/dev-env/src/mock/index.ts
@@ -93,6 +93,29 @@ export async function generateMockSetup(env: TestNetwork) {
)
}

// Create moderator accounts
const triageRes =
await clients.loggedout.api.com.atproto.server.createAccount({
email: '[email protected]',
handle: 'triage.test',
password: 'triage-pass',
})
env.ozone.addAdminDid(triageRes.data.did)
const modRes = await clients.loggedout.api.com.atproto.server.createAccount({
email: '[email protected]',
handle: 'mod.test',
password: 'mod-pass',
})
env.ozone.addAdminDid(modRes.data.did)
const adminRes = await clients.loggedout.api.com.atproto.server.createAccount(
{
email: '[email protected]',
handle: 'admin-mod.test',
password: 'admin-mod-pass',
},
)
env.ozone.addAdminDid(adminRes.data.did)

// Report one user
const reporter = picka(users)
await reporter.agent.api.com.atproto.moderation.createReport({
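Review bot: all three mock accounts (`triage.test`, `mod.test`, `admin-mod.test`) are registered through the same `env.ozone.addAdminDid(...)`, so the triage/mod/admin distinction in their handles and passwords is not reflected in what they are allowed to do. If the Ozone dev-env offers per-role registration, use it here; otherwise add a comment saying all three are full admins so nobody relies on the names when writing role tests. The repeated `createAccount` + `addAdminDid` pairs would also collapse into a loop over an array of `{ handle, password }`.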