Different activity and object "actors"

angus · October 24, 2023, 8:09am

Hey guys, I’m looking at improving the handling of edits (Updates) in the Discourse ActivityPub plugin and I’m curious to see what the ActivityPub brains trust here thinks of the approach I’ve used across these related PRs. There’s further details in the description of the PRs which I won’t repeat here, but happy to explain further if need be.

github.com/mastodon/mastodon

Allow status updates from other actors via ActivityPub

mastodon:main ← angusmcleod:updates_from_other_actors

opened 07:48AM - 24 Oct 23 UTC

angusmcleod

+95 -12

Some ActivityPub services allow status updates from actors other than the actor …to whom an object (status) is attributedTo. Specifically, we're looking at implementing the ActivityPub version of this existing feature in Discourse via the [Discourse ActivityPub plugin](https://github.com/discourse/discourse-activity-pub). See further: https://github.com/discourse/discourse-activity-pub/pull/34

github.com/discourse/discourse-activity-pub

Support different activity and object actors

discourse:main ← angusmcleod:improve_edit_scenario

opened 07:59AM - 24 Oct 23 UTC

angusmcleod

+164 -12

@pmusaraj A pre-requisite to supporting advanced edit scenarios (e.g. wikis) is …to allow for different activity and object actors. The object "actor" is represented in the [`attributedTo` property](https://www.w3.org/TR/activitystreams-vocabulary/#dfn-attributedto). The reason this is in draft is that Mastodon does not currently support having a different `Update` actor from the original status actor. If we were to merge this, we'd be compliant with the relevant specifications (i.e. ActivityStreams), however edits from staff would not be processed by Mastodon. I've opened a PR to Mastodon to add support for this, so we'll need to wait to see what happens there: https://github.com/mastodon/mastodon/pull/27524 Note that I've already tested running both Discourse and Mastodon with both branches, and this works, i.e. edits from staff in Discourse show up as edits from the appropriate actors in Mastodon, i.e. <img width="231" alt="Screenshot 2023-10-24 at 15 50 36" src="https://github.com/discourse/discourse-activity-pub/assets/5931623/b6215826-958d-42f2-b034-dfb879542d4f">

Can anyone see any issues with this approach of allowing an Updates from an actor other than to whom the object is attributedTo?

trwnh · October 24, 2023, 8:41am

How do you establish that the Update.actor is authorized to modify the Update.object?

angus · October 24, 2023, 8:58am

Yeah, that’s probably the primary concern I have. As I think you’ve pointed out elsewhere, the ActivityPub spec provides

The receiving server MUST take care to be sure that the Update is authorized to modify its object . At minimum, this may be done by ensuring that the Update and its object are of same origin.

As you probably know, mastodon does a form of the minimum requirement by checking that the activity actor and the object uri are of the same origin.

github.com

mastodon/mastodon/blob/f02b0061516bb46a36e73fea666f70a6d449318a/app/lib/activitypub/activity/update.rb#L27


      
          
          private
          
          def update_account
            return reject_payload! if @account.uri != object_uri
          
            ActivityPub::ProcessAccountService.new.call(@account.username, @account.domain, @object, signed_with_known_key: true, request_id: @options[:request_id])
          end
          
          def update_status
            return reject_payload! if non_matching_uri_hosts?(@account.uri, object_uri)
          
            @status = Status.find_by(uri: object_uri, account_id: status_account_id)
            return if @status.nil?
          
            ActivityPub::ProcessStatusUpdateService.new.call(@status, @json, @object, request_id: @options[:request_id], activity_account_id: @account.id)
          end
          
          def status_account_id
            object_actor ? object_actor.id : @account.id
          end

So you’re essentially trusting the publishing server to perform that authorisation (which Discourse does in fact do).

But if you have a better, more secure, idea, that is feasible to implement here, I’m all ears.

helge · October 25, 2023, 5:54am

Yes, it’s an extension of the authorization scope. HTTP Signatures can be taken to mean that one is scoped to the permissions of the actor, who signed it. This actor has permission to modify the stuff it owns, e.g. where attributedTo is said actor. If one wants to do updates beyond that, one would need a server signing key, with more permissions.

The above has to be taken with a grain of salt. I do not think that the exact meaning of permission scope with HTTP signatures has been formalized. I think @macgirvin has been vocal about his criticism of ActivityPub about not addressing the issue of granting people greater permission scopes. The issue he likes is: You should be allowed to remove a comment from a post.

snarfed · October 25, 2023, 7:44pm

I recently put together a brief summary of ActivityPub authorization best practices and techniques implemented in the wild. A handful of community members have reviewed it and agreed so far. More feedback is welcome! SocialCG/ActivityPub/Authentication Authorization - W3C Wiki

snarfed · October 25, 2023, 7:57pm

A handful of FEPs are also relevant here:

1b12 Group federation, group moderation section proposes using attributedTo as an ACL. Their example has it as a Collection, but an inline array could maybe work too. (I know here you want to allow Updates by anyone, not just an specific group.)
400e Publicly-appendable collections is for adding objects to collections, not updating a specific object, but it does aim at public access.

angus · October 26, 2023, 1:37am

@snarfed @helge Thanks for your thoughts.

What, in your respective views, is the single most practical way of supporting the scenario where an actor performs an Update on an Object attributedTo another actor? I’m sure there are many possible approaches. What approach is at the top of your list (and why is at the top of your list)? Or do you think this scenario should not be supported by ActivityPub?

Do I take it that this is your preferred approach @helge?

Activities that create or modify an object - Create, Update, Delete, Undo, Move, etc - must be the same actor as the original object’s attributedTo or activity’s actor. This is generally called the “same origin policy.”

@snarfed Could you explain why you think there needs to be a strict 1:1 relationship between activity actor and object attributedTo? How would a “wiki” feature work with such a rule?

If I’m reading this right, neither of these approaches would support having an Update actor different from an object’s attributedTo, the first being about “changing metadata and remov[ing] malicious content” and the second being about “adding objects to collections”. Is that right?

snarfed · October 26, 2023, 2:20am

Great questions!

My goal with that wiki page was just to try to understand what people are doing now, in the wild, and to distill those down to the minimum recommendations to satisfy obvious user expectations. I only really considered the traditional social networking use case - individual users posting their own stuff - and only a couple of the most basic expectations - users can only post as themselves, and they can’t edit or delete other users’ posts.

I don’t know offhand how AP should allow more sophisticated authz use cases. I like that you’re thinking about them! @eprodrom and I were discussing the same thing this morning; it scared us both to even consider designing more advanced authz when AP doesn’t even have the basics nailed down yet. But I guess the standard answer here is, write a FEP and see what people think!

helge · October 26, 2023, 5:51am

No! My preferred approach is:

Somebody sits down works out a permission model for ActivityPub / Fediverse that clarifies who owns what, and how additional permissions are granted (explicitly and implicitly).

There are a lot of issues here: Like how to model moderators or allowing somebody to remove a comment. I would claim: It’s a mess and requires a lot of work

However, this does not mean that I recommend to anybody to take my preferred approach. The server signing key is a practical recommendation based on “the server, Discourse, has a much better permission system than the Fediverse, thus let’s use it”. I would call

User < Moderators < Server

the hierachical permission model.

tesaguri · March 31, 2024, 1:19am

HTTP Message Signatures (but not draft-cavage-http-signatures, unfortunately) seems to allow multiple signatures to be included (Section 4.3 of RFC 9421).

Will we be able to use this mechanism to represent authorization from both the original and new attributedTo actors?