12:41 <Jassu> Hi!

14:09 <JacobWeisz[m]> Hello!

14:18 <Jassu> Just a quick question. Is there a way to allow outgoing HTTPS requests for a specific grain by the admin without needing to fix the app package itself?

14:19 <Jassu> In this specific case, I'd like to get the WeKan board outgoing webhooks working, but the app itself does not support requesting the permissions as it should.

14:27 <JacobWeisz[m]> Unfortunately, no. The sandbox model is pretty strict. Even pre-Powerbox, apps had to use a Sandstorm-specific API to make a request.

14:29 <JacobWeisz[m]> Probably the "easiest" way to add outgoing requests would be Ian's http proxy, which handles making requests on the app's behalf, but it still has to be included in the app package and set as an HTTP proxy for the app.

14:30 <JacobWeisz[m]> https://github.com/zenhack/powerbox-http-proxy

14:46 <Jassu> Jacob Weisz: So it's not just about not having a permission, but also that the outgoing HTTP / HTTPS must be done in some very specific way from inside the app?

14:49 <JacobWeisz[m]> That's correct. Every app that makes outgoing requests requests a capability to do so from Sandstorm over Cap'n Proto, and then uses that capability for subsequent requests.

14:50 <JacobWeisz[m]> The proxy above automates all of this, so you don't have to make heavy code changes to the app, but yeah, something inside the app package has to request and store those network capabilities.

18:28 <TimMc__> Hmm, what's the Matrix channel bridged to this room?

18:35 <TimMc> isd: Heads up, I'm reducing my funding tier now that Github's matching is over.

18:35 <Jassu> There seems to be no addresses given to this portal room, which implies that people have just joined the channel using the bridge.

18:36 <TimMc> I'm new to Matrix (I'm running my own homeserver now) so I'll have to figure out what that means. :-)

18:37 <Jassu> It means !aRcBmpdoLgPiGSOVNq:matrix.org this is the ID of the room as nobody has aliased it.

18:40 <TimMc> Hmm. I might not be able to join from my homeserver, which is incompletely implemented (dendrite).

18:40 <TimMc> That's OK, I'll just stay on IRC. :-)

18:41 <Jassu> Well. You’ll have to talk to the irc integration.

18:41 <Jassu> Ummm...

18:41 <Jassu> Was this on freenode?

18:45 <isd> I bridged #sandstorm:matrix.org, but I think several of us had already joined the freenode bridging.

18:45 <Jassu> Oh

18:46 <Jassu> Yeah, this is the same room, but for some reason I cannot see that alias for the room.

18:48 <isd> Yeah, I imagine it doesn't do an exhaustie search for aliases.

18:49 <Jassu> The alias should be part of the room state actually. Which is a bit weird in this case.

18:49 <Jassu> I cannot check the room version from the mobile client apparently. Meh.

18:50 <isd> re: http, blanket internet access is something we really try to discourage granting. The proxy will request access to each host at first use, so it doesn't rely on a blanket up-front grant, but it means the user has to be there to approve it.

18:50 <isd> I wrote it for ttrss originally, where this is pretty workable since it happens when the user adds a feed, though the extra prompt is a little annoying.

18:51 <isd> Also, it does require a bit of work to integrate with an app, but much less than getting the app to use sandstorm's APIs directly everywhere. But also, worse integration...

18:52 <isd> In an ideal world, we'd have apps that were written with Sandstorm in mind, but that's obviously a very labor intensive thing to make happen...

18:52 <Jassu> Yeah. I know the reasoning is sound. The problem comes with apps that lack features because there’s no support built in for it.

18:53 <Jassu> And from user’s perspective... I either have a way to tell the system that this specific grain must be allowed, or I install the application somewhere else.

18:53 <isd> I don't know much about wekan's internals. Maybe xet7 has a better idea of what it would take to make this work.

18:54 <isd> ...or just punt on using it, or port it, which are my approaches depending on how invested I am :(

18:54 <Jassu> Because it’s not feasible to start being a developer to get an app working. :p

18:56 <Jassu> But I could go and run some commands as root on the sandstorm instance to ”break” the model to get over the limitation. Even for only a specific grain as needed.

18:56 <isd> It definitely sucks now. The approach really only makes sense assuming we someday get to "good support" -- but I worry that if we make an easy way to just bypass everything, we'll end up with a world where sandstorm's phone-home protection is meaningless in practice, because every app asks for over-broad permissions :/

18:56 <JacobWeisz[m]> Wekan app integration is both better than most but probably worse than it should be, because Sandstorm developers used to contribute integration to Wekan, but now it's just maintained from that point.

18:57 <JacobWeisz[m]> A lot of the webhook like functionality did not exist in Wekan at that time.

18:57 <isd> (I know xet7 also does feature prioritization for Wekan on a contract basis sometimes...)

18:58 <Jassu> Nope. It should not be for apps to ask for over broad permissions. But rather an admin of the sandstorm instance to be able to override the protection for a specific grain.

18:59 <JacobWeisz[m]> That may be a significant more work than you may think, since Sandstorm apps don't actually speak HTTP.

19:00 <Jassu> Mm. Well, then there are no easy way around it.

19:00 <isd> Yeah, that would actually be a lot of work. apps are launched in a network namespace, so it's not just a "permission denied" somewhere that we can toggle.

19:00 <isd> We'd have to write a bunch of plumbing to make it possible.

19:01 <Jassu> Yeah. I get it.

19:01 <isd> Anyway. I'm sympathetic, but it's not an easy situation :/

19:04 <JacobWeisz[m]> The downside to making a platform really secure by default is that making anything accessible is a fair amount of work. But it's also... like really secure. Tradeoffs.

19:05 <isd> (One of the nice things about capabilities in theory is they actually making composition & security really work well, but that requires everything to be built around them, so when you have a bunch of legacy code it ends up being a pain instead)

19:05 <JacobWeisz[m]> I do wonder how much would be entailed in Wekan adding Ian's proxy though... I kinda imagine it's not insane.

19:06 <isd> I can't imagine it would be that hard.

19:06 <JacobWeisz[m]> Biggest roadblock might be meteor-spk... How much hacking around that would be needed to also launch the proxy?

19:07 <isd> Also probably not to hard to deal with; if nothing else you could just have wekan itself launch a process on startup if its running in Sandstorm.

19:08 <isd> xet7: ^

19:08 <Jassu> I know very well the usual curse of building security. But a platform without content is a platform without users... and without users there’s hardly any need for the platform. :/

19:08 <isd> (I assume he's afk if he hasn't noticed the other mentions so far, but...)

19:09 <Jassu> Working with security stuff is probably why I like the concept so much though.

19:09 <isd> Yeah... but it's work either way, and I'd rather invest the effort into integrating apps "correctly"

19:10 <Jassu> Yeah, totally.

19:16 <isd> A lot of it is just a question of manpower; we had 3 full time developers for a couple years, and the basic PoC powerbox was basically the last thing they built before the business side of things disappeared... then a long period of dormancy, and these days I'm like 90% of the labor for the project. I probably should spend a bit more time on app maintenence & packaging; most of what I've done is either new apps or platform

19:16 <isd> development. Some of it's also been internal stuff that isn't super visible, but important long term (ironically, in some cases trying to make it even harder to get to the outside world as there were a few escape hatches put in place before the powerbox was built -- and I fear if we don't remove those before it's too late we won't be able to. But it kinda sucks for users in the short term)

19:22 <Jassu> Yeah. I used sandstorm like years ago for being able to give some interms more flexibility for their projects & fiddling around. And this week I set it up again for a easy to use collaboration & information sharing for some 30+ people team or random people that participated in a cyber defence exercise. I was quite surprised that the etherpad was still at the same version than back then, and pasting content to it was still

19:22 <Jassu> broken. WeKan board worked well though, except the lack of webhooks that would’ve been quite a nice addition to keep up on things.

19:24 <Jassu> But in general when it comes to developing security centric products, I feel that the important factor is actually understand how much the world would have to change around you for your idea to be useful. I’ve hit my head into this wall quite many times along the way. ;)

19:25 <isd> I think out of date apps is less about the world changing around us and more about spending time keeping them up to date.

19:27 <Jassu> Nono. The relevant perspective here is that you need to change how the apps work in order to accomodate them in your platform. So this is the factor of world needing to change to make your tech useful.

19:27 <isd> The initial pass is likely to be much more work than subsequent updates, since (1) more bitrot to deal with in general, and (2) a lot of really old apps predate vagrant-spk, and so their build (if it's even documnted) is much more ad-hoc.

19:27 <Jassu> Eg, if everyone started developing for Sandstorm, then you have zero effort, BUT you made a HUGE change to the world around you.

19:28 <isd> Sure. But it is a question of degree. There's a pretty broad class of apps where the degree is "not that much actually," but we need to package & keep those apps up to date.

19:29 <isd> There are of course others where network access is more central, and it's going to be a much bigger pain.

19:29 <Jassu> Yup. If the work is somewhat equal to how much effort distros have to do for packaging, then you’d be golden.

19:31 <isd> Anyway, I have some errands to run. Later.

19:31 <Jassu> So, without really knowing the deep down things of the platform, I would think if there were any pieces or abstractions that you could push to those frameworks people use to develop stuff? Something that makes everyone there a little bit safer maybe, but also builds direct benefit for you for future app packaging.

19:33 <isd> There are a couple bits of this, e.g. there's a meteor package that integrates meteor's auth system with Sandstorm, which is used by some apps. And somebody wrote a similar thing for django. I definitely think pushing stuff into tooling is a good idea in general.

19:34 <isd> Off I go.

21:05 <xet7> For Wekan outgoing webhooks and sending email, it's just looking where that Wekan code is, checking isSandstorm, and using Sandstorm specific APIs to make HTTP request for outgoing webhook that sends JSON to URL, and for email, similar Sandstorm API call

21:06 <xet7> For Wekan permissions at wekan/sandstorm*.js, I still have not yet figured out how to properly add every grain user to Wekan board member permissions when there is many boards in one grain

21:08 <xet7> I did sometime add some translations to Sandstorm code, but I have not yet read enough Sandstorm code and docs that I could figure out how Sandstorm permissions work

21:10 <xet7> And only in newly greated Wekan grains, creator of Wekan grain have Admin permission. To some older Wekan grains, some users do not have Admin access

21:10 <xet7> I did sometime think of code that would allow every Sandstorm user to be Admin user of Wekan grain, but that change was reverted

21:11 <xet7> Also I'm currently doing Teams/Organizations, I don't know would they map in any way to Sandstorm permissions, or will they stay per-Wekan grain only

21:12 <xet7> For API, I think currently only export board API works at Sandstorm, other API does not work with Sandstorm grain API key

21:13 <xet7> Sometime I tried to enable more API, but I could not figure out why other Wekan api calls did give permission denied errors

21:13 <xet7> it could be related to API only being usable with password login

21:14 <xet7> I also don't know how long Wekan will stay with Meteor web framework, it seems that Meteor loads too much Javascript and minimongo content to browserside, that makes slow user experience.

21:15 <xet7> It could be that sometime in future I just run most Javascript at serverside

21:15 <xet7> and have less content at browserside

21:15 <xet7> I'll see how it goes with these speed optimizations to Wekan

21:30 <xet7> Is there some way, that when there is Django website and Meteor app (like Wekan) in iframe, Meteor app would detect being in iframe and automatically login? Similarly like at Sandstorm Wekan automatically logins?

21:35 <xet7> Although, Wekan getting away from Meteor could be wishful thinking. Depends if I get it working. Or, I'll just find a way to optimize speed enough with Meteor.

21:36 <xet7> Usually when I try something else than Meteor, code examples don't work at all, syntax has changed, etc etc

21:38 <isd> xet7: I believe there is a django auth plugin somewhere for Sandstorm.

21:38 <isd> Do you really mean "detect when running in an iframe" as opposed to running as a sandstorm app?

21:39 <isd> (Does Wekan use the Sandstorm auth meteor package?)

21:39 <xet7> Non-sandstorm, normal Django website

21:39 <xet7> and standalone Wekan in iframe

21:39 <isd> What's your use case for this then?

21:39 <xet7> After logging into Django website, automatic login to Wekan

21:40 <isd> Ah, you want to use two frameworks and integrate their auth together.

21:40 <isd> I don't know.

21:40 <xet7> Yes. No problem, I'll figure it out.