Preview: * https://forgejo.codeberg.page/@docs_pull_639/docs/next/developer/federation-architecture/ * https://forgejo.codeberg.page/@docs_pull_639/docs/next/developer/threat-analysis/ * https://forgejo.codeberg.page/@docs_pull_639/docs/next/developer/adr/ Co-authored-by: patdyn <erik.seiert@meissa-gmbh.de> Co-authored-by: Clemens <clemens.geibel@meissa-gmbh.de.de> Reviewed-on: https://codeberg.org/forgejo/docs/pulls/639 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Reviewed-by: Panagiotis "Ivory" Vasilopoulos <git@n0toose.net> Co-authored-by: Michael Jerger <michael.jerger@meissa-gmbh.de> Co-committed-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
7.3 KiB
title | license |
---|---|
ADR: Map federated Person | CC-BY-SA-4.0 |
Map federated Person
Status
Active
Context
While implementing federation we have to represent federated persons on a local instance.
A federated person should be able to execute local actions (as if he was a local user), ideally without too many code changes.
For being able to map the federated person reliable, the local representation has to carry a clear mapping to the original federated person.
We get actor information as {"actor": "https://repo.prod.meissa.de/api/v1/activitypub/user-id/1",}
. To find out whether this user is available locally without dereferencing the federated person every time is important for performance & system resilience.
Decision
We decided to use option 3 "Map to User & FederatedUser".
Discussion can be found here: https://codeberg.org/forgejo/discussions/issues/101
Choices
1. Map to plain Forgejo User
- We map PersonId AsLoginName() (e.g. 13-some.instan.ce) to User.LoginName. Due to limitations of User.LoginName validation mapping may be affected by invalid characters.
- Created User is limited:
- non functional email is generated, email notification is false. At the moment we have problems with email whitelists at this point.
- strong password is generated silently
- User.Type is UserTypeRemoteUser
- User is not Admin
- User is not Active
1. Pro
- We can use Forgejo code (like star / unstar fkt.) without changes.
- No new model & persistence is introduced, architectural change is small.
1. Con
- But we use fields against their semantic and see some problems / limitations for mapping arise.
- generating email having the source fqdn is impacted by email whitelists.
- loginName is used for mapping, but e.g. @ is not allowed.
- password is generated headless.
- Maybe the large User table gets even larger (see https://git.exozy.me/a/gitea/issues/2)
- Occasional contributors may not understand the difference in level of trust implied by federated user. This may promote errors with security impact.
- Understanding federated users entries being kind of cache would conflict with user table entries.
- LoginNames may be occupied by federated users. This may leak information and increase attack surface.
2. Map to User-&-ExternalLoginUser
- We map PersonId.AsWebfinger() (e.g. 13@some.instan.ce) to ExternalLoginUser.ExternalID. LoginSourceID may be left Empty.
- Created User is limited:
- non functional email is generated, email notification is false.
- strong password is generated silently
- User.Type is UserTypeRemoteUser
- User is not Admin
- User is not Active
- Created ExternalLoginUser is limited
- Login via fediverse is not intended and will not work. This is distinct to the F3 usecase.
2. Pro
- We can use Forgejo code (like star / unstar fkt.) without changes.
- No new model & persistence is introduced, architectural change is small. Comparable to option 1.
- This option was taken by the F3-Export/Import-Feature
- Mapping may be more reliable compared to option 1.
2. Con
- We use fields against their semantic (User.EMail, User.Password, User.LoginSource, ExternalLoginUser.Login*) and see some problems / limitations for login functionality arise. Situation is worse than option 1.
- generating email having the source fqdn is impacted by email whitelists.
- password is generated headless.
- TODO: How would we map/generate User.LoginName ?
- TODO: How would we generate ExternalLoginUser.Login* fields?
- Getting a larger User table applies to this solution comparable to option 1.
- Occasional contributors may not understand the difference in level of trust implied by federated user, this may promote errors with security impact.
- Understanding federated users entries being kind of cache would conflict with user table entries.
- LoginNames may be occupied by federated users. This may leak information and increase attack surface.
3. Map to User-&-FederatedUser
- We map PersonId.asWbfinger() to FederatedPerson.ExternalID (e.g. 13@some.instan.ce).
- Created User is limited:
- non functional email is generated, email notification is false.
- strong password is generated silently
- User.Type is UserTypeRemoteUser
- User is not Admin
- User is not Active
3. Pro
- We can use Forgejo code (like star / unstar fkt.) without changes.
- Introduce FederatedUser as new model & persistence, architectural change is medium.
- We will be able to have a reliable mapping. Better than option 1 & 2.
3. Con
- But we use fields (User.EMail, User.Password) against their semantic, but we probably can handle the problems arising. Situation is comparable to option 1.
- generating email having the source fqdn is impacted by email whitelists.
- password is generated headless.
- TODO: How would we map/generate User.LoginName ?
- Getting a larger User table applies to this solution comparable to option 1.
- Occasional contributors may not understand the difference in level of trust implied by federated user, this may promote errors with security impact, comparable to option 1.
- Getting a larger User table applies to this solution comparable to option 1.
- Understanding federated users entries being kind of cache would conflict with user table entries.
- LoginNames may be occupied by federated users. This may leak information and increase attack surface.
4. Map to new FederatedPerson and introduce a common User interface
- We map PersonId.asWbfinger() to FederatedPerson.ExternalID (e.g. 13@some.instan.ce).
- We will have no semantic mismatch.
4. Pro
- We will be able to have a reliable mapping.
- We will not use fields against their semantics.
- We do not enhance user table with "cache entries". Forgejo stays scalable, no additional DOS surface.
- Occasional contributors may understand a clear difference between user and federated user.
- No LoginNames where occupied
- Caching aspects of federated users (like refresh, evict) may be easier to implement.
4. Con
- We can use Forgejo code (like star / unstar fkt.) after refactorings only.
- At every place of interaction we have to enhance persistence (e.g. a find may have to query two tables now) & introduce a common User interface.
- We introduce new model & persistence.