From 65e3f1d0ed03b296ab6380a00c332e102b8b6162 Mon Sep 17 00:00:00 2001 From: Michael Jerger Date: Wed, 20 Dec 2023 09:33:29 +0100 Subject: [PATCH] update adr lining out a second option --- .../adr-activity-for-star.md | 92 +++++++++++++++++++ docs/unsure-where-to-put/adr_star_activity.md | 35 ------- .../threat_analysis_star_activity.md | 2 +- 3 files changed, 93 insertions(+), 36 deletions(-) create mode 100644 docs/unsure-where-to-put/adr-activity-for-star.md delete mode 100644 docs/unsure-where-to-put/adr_star_activity.md diff --git a/docs/unsure-where-to-put/adr-activity-for-star.md b/docs/unsure-where-to-put/adr-activity-for-star.md new file mode 100644 index 0000000000..b8a41c7711 --- /dev/null +++ b/docs/unsure-where-to-put/adr-activity-for-star.md 
@@ -0,0 +1,92 @@ +# Activity for federated star action + +## Status + +Still in dsicussion + +## Context + +While implementing the star activity we have to take several decissions which will impcat all other activities. Due to this relevance we will discuss decission with as many federation contributors as posible. + +## Decision + +tbd + +## Choices +### 1. Star Activity derived from AP Like with additional source information + +```edn +# edn notation +{@context [ + "as": "https://www.w3.org/ns/activitystreams#", + "forge": "https://forgefed.org/ns#",], + ::as/id "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1/outbox/12345", + ::as/type "Star", + ::forge/source "forgejo", + ::as/actor "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1", + ::as/object "https://codeberg.org/api/v1/activitypub/repository-id/12" +} +``` +```json +# json notation +{"id": "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1/outbox/12345", + "type": "Star", + "source": "forgejo", + "actor": "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1", + "object": "https://codeberg.org/api/v1/activitypub/repository-id/1", + "startTime": "2014-12-31T23:00:00-08:00", +} +``` + +This way of expressing stars will have the following features: + +1. Actor & object may be dereferenced by (ap-)api +2. The activity can be referenced itself (e.g. in order to express a result of the triggered action) +3. Star is a special case of a Like. Star only happens in ForgeFed context. Different things should be named differnt ... +4. With the `source` given it would be more easy to distinguish the uri layout for object and actor id's and make implementation more straight forward + 1. The `source` field reflects the software sending an activity. Values of may be forgejo, gitlab, ... + 2. Knowing the sending system will it make easier to interact with: + 1. 
We know exactly how the actor can be derefernced - names maybe filled & used different (see: https://codeberg.org/meissa/forgejo/src/commit/7cac9806f8247963b1cdce3f2c5f5d1bc3763fbe/routers/api/v1/activitypub/repository.go#L180) + 2. We know how we can validate the given references - valid uris will be different in details (see: https://codeberg.org/meissa/forgejo/src/commit/7cac9806f8247963b1cdce3f2c5f5d1bc3763fbe/models/forgefed/actor.go#L121) +5. startTime protects against The Reply Attack discussed in [threat-analysis] [threat-analysis] + + +### 2. Like Activity while source information comes from NodeInfo + +```json +# NodeInfo +{ + "version": "2.1", + "software": { + "name": "gitea", + "version": "1.20.0+dev-2539-g5840cc6d3", + }, + "protocols": [ + "activitypub" + ], +} + +# Like Activity +{"id": "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1/outbox/12345", + "type": "Like", + "actor": "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1", + "object": "https://codeberg.org/api/v1/activitypub/repository-id/1", + "startTime": "2014-12-31T23:00:00-08:00" +} +``` + +This way of expressing stars will have the following features: + +1. Actor & object may be dereferenced by (ap-)api +2. The activity can be referenced itself (e.g. in order to express a result of the triggered action) +3. With NodeInfo given it would be more easy to distinguish the uri layout for object and actor id's and make implementation more straight forward + 1. The NodeInfo field reflects the software & version sending an activity. Values of may be gitea, forgejo, gitlab, ... + 2. Knowing the sending system will it make easier to interact with: + 1. We know exactly how the actor can be derefernced - names maybe filled & used different (see: https://codeberg.org/meissa/forgejo/src/commit/7cac9806f8247963b1cdce3f2c5f5d1bc3763fbe/routers/api/v1/activitypub/repository.go#L180) + 2. 
We know how we can validate the given references - valid uris will be different in details (see: https://codeberg.org/meissa/forgejo/src/commit/7cac9806f8247963b1cdce3f2c5f5d1bc3763fbe/models/forgefed/actor.go#L121) +4. startTime protects against The Reply Attack discussed in [threat-analysis] [threat-analysis] + +## See also + +1. [spec in clojure]: https://repo.prod.meissa.de/meissa/activity-pub-poc/src/branch/forgefed_star/src/test/cljc/org/domaindrivenarchitecture/fed_poc/forgefed_test.cljc#L36-L41 +2. [threat-analysis]: threat_analysis_star_activity.md \ No newline at end of file diff --git a/docs/unsure-where-to-put/adr_star_activity.md b/docs/unsure-where-to-put/adr_star_activity.md deleted file mode 100644 index 4b8954eb90..0000000000 --- a/docs/unsure-where-to-put/adr_star_activity.md +++ /dev/null 
@@ -1,35 +0,0 @@ -``` -# edn notation -{@context [ - "as": "https://www.w3.org/ns/activitystreams#", - "forge": "https://forgefed.org/ns#",], - ::as/id "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1/outbox/12345", - ::as/type "Star", - ::forge/source "forgejo", - ::as/actor "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1", - ::as/object "https://codeberg.org/api/v1/activitypub/repository-id/12" -} - -# json notation -{"id": "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1/outbox/12345", - "type": "Star", - "source": "forgejo", - "actor": "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1", - "object": "https://codeberg.org/api/v1/activitypub/repository-id/1" -} -``` - -This way of expressing stars will have the following features: - -1. Actor & object may be dereferenced by (ap-)api -2. The activity can be referenced itself (e.g. in order to express a result of the triggered action) -3. Star is a special case of a Like. Star only happens in ForgeFed context. Different things should be named differnt ... -4. With the `source` given it would be more easy to distinguish the uri layout for object and actor id's and make implementation more straight forward - 1. The `source` field reflects the software sending an activity. Values of may be forgejo, gitlab, ... - 2. Knowing the sending system will it make easier to interact with: - 1. We know exactly how the actor can be derefernced (see: https://codeberg.org/meissa/forgejo/src/commit/7cac9806f8247963b1cdce3f2c5f5d1bc3763fbe/models/forgefed/actor.go#L121) - 2. We know how we can validate the given references (see: https://codeberg.org/meissa/forgejo/src/commit/7cac9806f8247963b1cdce3f2c5f5d1bc3763fbe/routers/api/v1/activitypub/repository.go#L180) - -See also: -1. [spec in clojure]: https://repo.prod.meissa.de/meissa/activity-pub-poc/src/branch/forgefed_star/src/test/cljc/org/domaindrivenarchitecture/fed_poc/forgefed_test.cljc#L36-L41 - 
diff --git a/docs/unsure-where-to-put/threat_analysis_star_activity.md b/docs/unsure-where-to-put/threat_analysis_star_activity.md index f10b04b301..1c80e123eb 100644 --- a/docs/unsure-where-to-put/threat_analysis_star_activity.md +++ b/docs/unsure-where-to-put/threat_analysis_star_activity.md @@ -89,7 +89,7 @@ flowchart TD 1. Validate object uri in order to send only requests to well defined endpoints. 2. giteas global SQL injection protection. TODO: verify if there is one. 3. We accept only signed Activities -4. We accept only activities having a timestamp & remember the last executed activity timestamp. +4. We accept only activities having an startTime & remember the last executed activity startTime. 5. We introduce (or have) rate limiting per IP. 6. We ensure, that outgoing HTTP requests have a reasonable timeout (if you didn't get that 500b JSON response after 10 seconds, you probably won't get it).
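Review bot: In docs/unsure-where-to-put/adr-activity-for-star.md, the line `startTime protects against The Reply Attack` (feature 5 of choice 1, feature 4 of choice 2) names the protection without the conditions it depends on, and "Reply" should read "Replay". Suggest stating that startTime is covered by the signature required in item 3 of the threat analysis and is checked against the remembered value as in item 4, because an unsigned or unchecked timestamp gives no replay protection. The examples also disagree with each other: the edn block in choice 1 has no startTime and points at `repository-id/12`, while the JSON block carries startTime and points at `repository-id/1`. The blocks fenced as json are not valid JSON as written: they contain `# json notation`, `# NodeInfo` and `# Like Activity` comment lines, trailing commas before `}`, and in choice 2 two documents in one fence. In both choices the software name (`source` or NodeInfo `software.name`) is declared by the sending instance, so the ADR should say that it only selects which URI layout to validate against and is not itself evidence of who sent the activity. Minor: "dsicussion", "decissions", "impcat", "posible", "differnt" and "derefernced" are misspelled, and the new file ends without a newline.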
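Review bot: In docs/unsure-where-to-put/threat_analysis_star_activity.md, the changed item 4 does not say in what scope the "last executed activity startTime" is remembered or how an incoming startTime is compared with it. Suggest stating the scope (for example per actor), that an activity whose startTime is not later than the remembered value is rejected, and how far in the future a startTime may lie, since one far-future value would otherwise cause every later activity in that scope to be rejected. Also, "an startTime" should be "a startTime".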