Permit Request Authentication #71

Closed
0x4007 opened this issue Sep 23, 2024 · 45 comments · May be fixed by #100

Comments

@0x4007
Member

0x4007 commented Sep 23, 2024

Use GitHub authentication to verify that the kernel is requesting a permit to be generated when accessing this plugin remotely.

Authentication is required to prove that the request originated from an organization with an encrypted private key in their config. Then it is likely that it is not a fraudulent request to spend an organization's money.

4. The kernel should request these permits to be generated from this api. Because it's our kernel I think that we should be able to verify that it's the kernel somehow

We can basically run it as a Worker plugin, because we can verify it's our kernel because the kernel signs the payload and the plugin verifies it with kernel's public key

Originally posted by @whilefoo in #69 (comment)

@aybanda

aybanda commented Sep 25, 2024

/wallet 0xad40a8E345cB00b4530b3EBF39A22a99e1A43287

@0x4007
Member Author

0x4007 commented Sep 25, 2024

/query @aybanda

@0x4007
Member Author

0x4007 commented Sep 25, 2024

/help


ubiquity-os bot commented Sep 25, 2024

Available Commands

| Command | Description | Example |
|---|---|---|
| /help | List all available commands. | /help |
| /allow | Allows the user to modify the given label. | /allow @user1 label |

@0x4007
Member Author

0x4007 commented Sep 25, 2024

Sorry @aybanda we just set up this new @ubiquity-os organization and it seems like we forgot to install our plugins. Let me work on that and then you should be able to set your wallet after!

@0x4007
Member Author

0x4007 commented Sep 25, 2024

/help


ubiquity-os bot commented Sep 25, 2024

Available Commands

| Command | Description | Example |
|---|---|---|
| /help | List all available commands. | /help |
| /allow | Allows the user to modify the given label. | /allow @user1 label |
| /query | Returns the user's wallet, access, and multiplier information. | /query @ubiquibot |
| /start | Assign yourself to the issue. | /start |
| /stop | Unassign yourself from the issue. | /stop |
| /wallet | Register your wallet address for payments. | /wallet ubq.eth |

@0x4007
Member Author

0x4007 commented Sep 25, 2024

/query @aybanda

@0x4007
Member Author

0x4007 commented Sep 25, 2024

@gentlementlegen query doesn't seem to work

@0x4007
Member Author

0x4007 commented Sep 25, 2024

/start

@0x4007
Member Author

0x4007 commented Sep 25, 2024

/query @0x4007

    {
      "truncated": false,
      "outcome": "ok",
      "scriptVersion": {
        "id": "24cefe2f-72ad-491e-8af4-1aa61116d714"
      },
      "scriptName": "ubiquibot-command-query-user-development",
      "diagnosticsChannelEvents": [],
      "exceptions": [],
      "logs": [],
      "eventTimestamp": 1727294494442,
      "event": {
        "request": {
          "url": "https://ubiquibot-command-query-user-development.ubiquity.workers.dev/manifest.json",
          "method": "GET",
          "headers": {
            "accept-encoding": "gzip",
            "cf-connecting-ip": "2a06:98c0:3600::103",
            "cf-ipcountry": "US",
            "cf-ray": "8c8d9b5e1234380c",
            "cf-visitor": "{\"scheme\":\"https\"}",
            "cf-worker": "ubq.workers.dev",
            "connection": "Keep-Alive",
            "host": "ubiquibot-command-query-user-development.ubiquity.workers.dev",
            "x-forwarded-proto": "https",
            "x-real-ip": "2a06:98c0:3600::103"
          },
          "cf": {
            "longitude": "-97.82200",
            "httpProtocol": "HTTP/1.1",
            "tlsCipher": "",
            "continent": "NA",
            "asn": 36459,
            "country": "US",
            "tlsClientAuth": {
              "certIssuerDNLegacy": "",
              "certIssuerSKI": "",
              "certSubjectDNRFC2253": "",
              "certSubjectDNLegacy": "",
              "certFingerprintSHA256": "",
              "certNotBefore": "",
              "certSKI": "",
              "certSerial": "",
              "certIssuerDN": "",
              "certVerified": "NONE",
              "certNotAfter": "",
              "certSubjectDN": "",
              "certPresented": "0",
              "certRevoked": "0",
              "certIssuerSerial": "",
              "certIssuerDNRFC2253": "",
              "certFingerprintSHA1": ""
            },
            "tlsVersion": "",
            "colo": "IAD",
            "timezone": "America/Chicago",
            "verifiedBotCategory": "",
            "edgeRequestKeepAliveStatus": 1,
            "tlsClientRandom": "",
            "tlsClientExtensionsSha1": "",
            "tlsClientHelloLength": "",
            "asOrganization": "GitHub",
            "requestPriority": "",
            "latitude": "37.75100"
          }
        },
        "response": {
          "status": 200
        }
      },
      "id": 0
    }

  1. It shows a 200 for get but doesn't respond.
  2. It is only subscribed to issue_comment.created yet it ran with issue_comment.edited

@gentlementlegen
Member

It runs for every event because this is just the manifest fetch, not a run call. The kernel on its side outputs

    {
      "message": [
        "Error in event handler",
        "HttpError: Resource not accessible by integration - https://docs.github.com/rest/actions/workflows#create-a-workflow-dispatch-event"
      ],
      "level": "error",
      "timestamp": 1727320366632
    }

Did you set the proper permissions?

@0x4007
Member Author

0x4007 commented Sep 26, 2024

I can review permissions but I had both windows open side by side

@gentlementlegen
Member

I think the logs can be improved so we know what error is for which plugin.

@zugdev

zugdev commented Oct 9, 2024

/start


ubiquity-os bot commented Oct 9, 2024

Deadline Wed, Oct 16, 6:16 PM UTC
Beneficiary 0xbB689fDAbBfc0ae9102863E011D3f897b079c80F

Tip

  • Use /wallet 0x0000...0000 if you want to update your registered payment wallet address.
  • Be sure to open a draft pull request as soon as possible to communicate updates on your progress.
  • Be sure to provide timely updates to us when requested, or you will be automatically unassigned from the task.

@zugdev

zugdev commented Oct 9, 2024

@0x4007

  1. By my current understanding feat: add the permit-generator github action #69 will introduce permit generation from workflow dispatch, should I already write authentication on top of current generatePermitsFromContext() or wait for merge?

  2. I am wondering if by "GitHub authentication" you mean authToken in plugin input or GITHUB_TOKEN or even a different approach?

Another possibly viable approach could be using the EVM key pair or X25519 to auth as well. Can you clarify this a bit?

@0x4007
Member Author

0x4007 commented Oct 9, 2024

  1. Seems we need a worker deploy as a prerequisite. Any more details I'm not sure
  2. Not sure

@whilefoo rfc you know best

@whilefoo
Contributor

The authentication already works for Worker plugin and is supported out of the box if you use the SDK.

For Action plugins the authentication is inferred by Github so only those with permissions can call the plugin, but we could also make even stricter auth for Action plugins so that only kernel can call it @0x4007

@0x4007
Member Author

0x4007 commented Oct 10, 2024

Sounds good please explain to the assignee what they need to do, or you can handle it because I don't have enough context on this

@surafeldev

/start

@surafeldev

/help


ubiquity-os bot commented Oct 18, 2024

Available Commands

| Command | Description | Example |
|---|---|---|
| /help | List all available commands. | /help |


Available Commands

| Command | Description | Example |
|---|---|---|
| /help | List all available commands. | /help |
| /allow | Allows the user to modify the given label. | /allow @user1 label |
| /query | Returns the user's wallet, access, and multiplier information. | /query @ubiquibot |
| /start | Assign yourself to the issue. | /start |
| /stop | Unassign yourself from the issue. | /stop |
| /wallet | Register your wallet address for payments. | /wallet ubq.eth |

@surafeldev

/start

@surafeldev

/wallet 0xB13260bfEe08DcA208F2ECc735171B21763EaaF6


+ Successfully registered wallet address

@surafeldev

/start

@0x4007
Member Author

0x4007 commented Oct 19, 2024

Sorry we have a temporary misconfig with /start

@gentlementlegen

@gentlementlegen
Member

Very likely due to ubiquity-os/ubiquity-os-kernel#120
Either way, this task is already assigned.

@whilefoo
Contributor

@0x4007 the auth is now implemented in the SDK, so either we change this plugin to use the SDK or copy the lines related to the auth to this plugin but anyway this plugin should be changed to Worker plugin

@gentlementlegen
Member

/help


Available Commands

| Command | Description | Example |
|---|---|---|
| /help | List all available commands. | /help |
| /allow | Allows the user to modify the given label. | /allow @user1 label |
| /query | Returns the user's wallet, access, and multiplier information. | /query @UbiquityOS |
| /start | Assign yourself to the issue. | /start |
| /stop | Unassign yourself from the issue. | /stop |
| /wallet | Register your wallet address for payments. | /wallet ubq.eth |

ubiquity-os deleted a comment from ubiquity-os bot Oct 21, 2024

@gentlementlegen
Member

/start


! This issue is already assigned. Please choose another unassigned task.

@gentlementlegen
Member

@0x4007 Seems ubiquity-os/ubiquity-os-kernel#120 fixed the /start problem, if it doesn't run again let me know.

@zugdev

zugdev commented Oct 21, 2024

/stop

@zugdev

zugdev commented Oct 21, 2024

Stop working too

@hhio618

hhio618 commented Oct 27, 2024

/start


Warning! This task was created over 33 days ago. Please confirm that this issue specification is accurate before starting.
Deadline Sun, Nov 3, 11:10 AM UTC
Beneficiary 0x6321286F9B73f427C72e1f9F1bC6b3d25eF06605

Tip

  • Use /wallet 0x0000...0000 if you want to update your registered payment wallet address.
  • Be sure to open a draft pull request as soon as possible to communicate updates on your progress.
  • Be sure to provide timely updates to us when requested, or you will be automatically unassigned from the task.


Passed the deadline and no activity is detected, removing assignees: @hhio618.

@kingsley-einstein

/start


Warning! This task was created over 41 days ago. Please confirm that this issue specification is accurate before starting.
Deadline Sun, Nov 10, 5:50 PM UTC
Beneficiary 0xb69DB7b7B3aD64d53126DCD1f4D5fBDaea4fF578

Tip

  • Use /wallet 0x0000...0000 if you want to update your registered payment wallet address.
  • Be sure to open a draft pull request as soon as possible to communicate updates on your progress.
  • Be sure to provide timely updates to us when requested, or you will be automatically unassigned from the task.

@Keyrxng
Member

Keyrxng commented Nov 6, 2024

> The authentication already works for Worker plugin and is supported out of the box if you use the SDK.
>
> For Action plugins the authentication is inferred by Github so only those with permissions can call the plugin, but we could also make even stricter auth for Action plugins so that only kernel can call it @0x4007

I believe this issue can be closed since #96 converts this plugin into a worker and auth is built in already

@gentlementlegen
Member

I agree, as long as the SK is used it embeds verification through the private / public key check so only our kernel can actually run it.
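
The check this thread settles on (the kernel signs the payload, the plugin verifies it with the kernel's public key) can be sketched as follows; this is an added example, not code from the issue or from the SDK. ECDSA P-256, the `issuedAt` freshness field, the sample payload and every function name are assumptions.

```javascript
// Added example with hypothetical names; this is not the ubiquity-os SDK's API.
// Workers and Node 19+ expose WebCrypto globally; older Node needs the fallback.
const { subtle } = globalThis.crypto ?? require("node:crypto").webcrypto;

const KEY_ALG = { name: "ECDSA", namedCurve: "P-256" }; // assumed algorithm
const SIG_ALG = { name: "ECDSA", hash: "SHA-256" };
const MAX_AGE_MS = 5 * 60 * 1000; // assumed freshness window
const utf8 = (s) => new TextEncoder().encode(s);

// Kernel side: sign the exact string that goes on the wire.
async function signRequest(privateKey, payload, now = Date.now()) {
  const body = JSON.stringify({ ...payload, issuedAt: now });
  const sig = new Uint8Array(await subtle.sign(SIG_ALG, privateKey, utf8(body)));
  return { body, signature: btoa(String.fromCharCode(...sig)) };
}

// Plugin side: returns the parsed payload, or null if the request must be rejected.
async function verifyRequest(publicKey, request, now = Date.now()) {
  const { body, signature } = request ?? {};
  if (typeof body !== "string" || typeof signature !== "string") return null;
  try {
    const sig = Uint8Array.from(atob(signature), (c) => c.charCodeAt(0));
    // Verify the received bytes as-is; re-serialising parsed JSON can change them.
    if (!(await subtle.verify(SIG_ALG, publicKey, sig, utf8(body)))) return null;
    const payload = JSON.parse(body);
    // A valid signature on an old request is a replay, so bound its age.
    const age = Math.abs(now - payload.issuedAt);
    return age <= MAX_AGE_MS ? payload : null; // NaN age (missing issuedAt) fails too
  } catch {
    return null; // malformed base64 or JSON
  }
}

// Constructed sample request; field names and values are made up.
async function demo() {
  const kernel = await subtle.generateKey(KEY_ALG, false, ["sign", "verify"]);
  const other = await subtle.generateKey(KEY_ALG, false, ["sign", "verify"]);
  const t0 = 1_700_000_000_000;
  const req = await signRequest(kernel.privateKey, { event: "issues.closed", amount: "25" }, t0);
  const forged = { ...req, body: req.body.replace('"25"', '"2500"') };
  return {
    genuine: await verifyRequest(kernel.publicKey, req, t0 + 1000),
    tampered: await verifyRequest(kernel.publicKey, forged, t0 + 1000),
    wrongKey: await verifyRequest(other.publicKey, req, t0 + 1000),
    replayed: await verifyRequest(kernel.publicKey, req, t0 + MAX_AGE_MS + 1),
    garbled: await verifyRequest(kernel.publicKey, { ...req, signature: "%%%" }, t0),
  };
}
```

Only the first case returns a payload; a permit generator would refuse to act on any request for which `verifyRequest` returns null.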

gentlementlegen closed this as not planned (won't fix, can't repro, duplicate, stale) Nov 10, 2024