silberengel
/
next.orly.dev
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

Add policy configuration reference documentation 

Introduce a comprehensive reference guide for ORLY policy configuration. This document outlines policy options, validation rules, access control, and debugging methods, serving as the authoritative resource for policy-related behavior.
main
mleku 1 month ago
parent
016e97925a
commit
c5db0abf73
No known key found for this signature in database
1 changed files with 615 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 615
      docs/POLICY_CONFIGURATION_REFERENCE.md

615
docs/POLICY_CONFIGURATION_REFERENCE.md
Unescape View File

@ -0,0 +1,615 @@ @@ -0,0 +1,615 @@
# ORLY Policy Configuration Reference
This document provides a definitive reference for all policy configuration options and when each rule applies. Use this as the authoritative source for understanding policy behavior.
## Quick Reference: Read vs Write Applicability
| Rule Field | Write (EVENT) | Read (REQ) | Notes |
|------------|:-------------:|:----------:|-------|
| `size_limit` | ✅ | ❌ | Validates incoming events only |
| `content_limit` | ✅ | ❌ | Validates incoming events only |
| `max_age_of_event` | ✅ | ❌ | Prevents replay attacks |
| `max_age_event_in_future` | ✅ | ❌ | Prevents future-dated events |
| `max_expiry_duration` | ✅ | ❌ | Requires expiration tag |
| `must_have_tags` | ✅ | ❌ | Validates required tags |
| `protected_required` | ✅ | ❌ | Requires NIP-70 "-" tag |
| `identifier_regex` | ✅ | ❌ | Validates "d" tag format |
| `tag_validation` | ✅ | ❌ | Validates tag values with regex |
| `write_allow` | ✅ | ❌ | Pubkey whitelist for writing |
| `write_deny` | ✅ | ❌ | Pubkey blacklist for writing |
| `read_allow` | ❌ | ✅ | Pubkey whitelist for reading |
| `read_deny` | ❌ | ✅ | Pubkey blacklist for reading |
| `privileged` | ❌ | ✅ | Party-involved access control |
| `write_allow_follows` | ✅ | ✅ | Grants **both** read AND write |
| `follows_whitelist_admins` | ✅ | ✅ | Grants **both** read AND write |
| `script` | ✅ | ❌ | Scripts only run for writes |
---
## Core Principle: Validation vs Filtering
The policy system has two distinct modes of operation:
### Write Operations (EVENT messages)
- **Purpose**: Validate and accept/reject incoming events
- **All rules apply** except `read_allow`, `read_deny`, and `privileged`
- Events are checked **before storage**
- Rejected events are never stored
### Read Operations (REQ messages)
- **Purpose**: Filter which stored events a user can retrieve
- **Only access control rules apply**: `read_allow`, `read_deny`, `privileged`, `write_allow_follows`, `follows_whitelist_admins`
- Validation rules (size, age, tags) do NOT apply
- Scripts are NOT executed for reads
- Filtering happens **after database query**
---
## Configuration Structure
```json
{
"default_policy": "allow|deny",
"kind": {
"whitelist": [1, 3, 7],
"blacklist": [4, 42]
},
"owners": ["hex_pubkey_64_chars"],
"policy_admins": ["hex_pubkey_64_chars"],
"policy_follow_whitelist_enabled": true,
"global": { /* Rule object */ },
"rules": {
"1": { /* Rule object for kind 1 */ },
"30023": { /* Rule object for kind 30023 */ }
}
}
```
---
## Top-Level Configuration Fields
### `default_policy`
**Type**: `string`
**Values**: `"allow"` (default) or `"deny"`
**Applies to**: Both read and write
The fallback behavior when no specific rule makes a decision.
```json
{
"default_policy": "deny"
}
```
### `kind.whitelist` and `kind.blacklist`
**Type**: `[]int`
**Applies to**: Both read and write
Controls which event kinds are processed at all.
- **Whitelist** takes precedence: If present, ONLY whitelisted kinds are allowed
- **Blacklist**: If no whitelist, these kinds are denied
- **Neither**: Behavior depends on `default_policy` and whether rules exist
```json
{
"kind": {
"whitelist": [0, 1, 3, 7, 30023]
}
}
```
### `owners`
**Type**: `[]string` (64-character hex pubkeys)
**Applies to**: Policy administration
Relay owners with full control. Merged with `ORLY_OWNERS` environment variable.
```json
{
"owners": ["4a93c5ac0c6f49d2c7e7a5b8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8"]
}
```
### `policy_admins`
**Type**: `[]string` (64-character hex pubkeys)
**Applies to**: Policy administration
Pubkeys that can update policy via kind 12345 events (with restrictions).
### `policy_follow_whitelist_enabled`
**Type**: `boolean`
**Default**: `false`
**Applies to**: Both read and write (when `write_allow_follows` is true)
When enabled, allows `write_allow_follows` rules to grant access to policy admin follows.
---
## Rule Object Fields
Rules can be defined in `global` (applies to all events) or `rules[kind]` (applies to specific kind).
### Access Control Fields
#### `write_allow`
**Type**: `[]string` (hex pubkeys)
**Applies to**: Write only
**Behavior**: Exclusive whitelist
When present with entries, ONLY these pubkeys can write events of this kind. All others are denied.
```json
{
"rules": {
"1": {
"write_allow": ["pubkey1_hex", "pubkey2_hex"]
}
}
}
```
**Special case**: Empty array `[]` explicitly allows all writers.
#### `write_deny`
**Type**: `[]string` (hex pubkeys)
**Applies to**: Write only
**Behavior**: Blacklist (highest priority)
These pubkeys cannot write events of this kind. **Checked before allow lists.**
```json
{
"rules": {
"1": {
"write_deny": ["banned_pubkey_hex"]
}
}
}
```
#### `read_allow`
**Type**: `[]string` (hex pubkeys)
**Applies to**: Read only
**Behavior**: Exclusive whitelist (with OR logic for privileged)
When present with entries:
- If `privileged: false`: ONLY these pubkeys can read
- If `privileged: true`: These pubkeys OR parties involved can read
```json
{
"rules": {
"4": {
"read_allow": ["trusted_pubkey_hex"],
"privileged": true
}
}
}
```
#### `read_deny`
**Type**: `[]string` (hex pubkeys)
**Applies to**: Read only
**Behavior**: Blacklist (highest priority)
These pubkeys cannot read events of this kind. **Checked before allow lists.**
#### `privileged`
**Type**: `boolean`
**Default**: `false`
**Applies to**: Read only
When `true`, events are only readable by "parties involved":
- The event author (`event.pubkey`)
- Users mentioned in `p` tags
**Interaction with `read_allow`**:
- `read_allow` present + `privileged: true` = OR logic (in list OR party involved)
- `read_allow` empty + `privileged: true` = Only parties involved
- `privileged: true` alone = Only parties involved
```json
{
"rules": {
"4": {
"description": "DMs - only sender and recipient can read",
"privileged": true
}
}
}
```
#### `write_allow_follows`
**Type**: `boolean`
**Default**: `false`
**Applies to**: Both read AND write
**Requires**: `policy_follow_whitelist_enabled: true` at top level
Grants **both read and write access** to pubkeys followed by policy admins.
> **Important**: Despite the name, this grants BOTH read and write access.
```json
{
"policy_follow_whitelist_enabled": true,
"rules": {
"1": {
"write_allow_follows": true
}
}
}
```
#### `follows_whitelist_admins`
**Type**: `[]string` (hex pubkeys)
**Applies to**: Both read AND write
Alternative to `write_allow_follows` that specifies which admin pubkeys' follows are whitelisted for this specific rule.
```json
{
"rules": {
"30023": {
"follows_whitelist_admins": ["curator_pubkey_hex"]
}
}
}
```
---
### Validation Fields (Write-Only)
These fields validate incoming events and are **completely ignored for read operations**.
#### `size_limit`
**Type**: `int64` (bytes)
**Applies to**: Write only
Maximum total serialized event size.
```json
{
"global": {
"size_limit": 100000
}
}
```
#### `content_limit`
**Type**: `int64` (bytes)
**Applies to**: Write only
Maximum size of the `content` field.
```json
{
"rules": {
"1": {
"content_limit": 10000
}
}
}
```
#### `max_age_of_event`
**Type**: `int64` (seconds)
**Applies to**: Write only
Maximum age of events. Events with `created_at` older than `now - max_age_of_event` are rejected.
```json
{
"global": {
"max_age_of_event": 86400
}
}
```
#### `max_age_event_in_future`
**Type**: `int64` (seconds)
**Applies to**: Write only
Maximum time events can be dated in the future. Events with `created_at` later than `now + max_age_event_in_future` are rejected.
```json
{
"global": {
"max_age_event_in_future": 300
}
}
```
#### `max_expiry_duration`
**Type**: `string` (ISO-8601 duration)
**Applies to**: Write only
Maximum allowed expiry time from event creation. Events **must** have an `expiration` tag when this is set.
**Format**: `P[n]Y[n]M[n]W[n]DT[n]H[n]M[n]S`
**Examples**:
- `P7D` = 7 days
- `PT1H` = 1 hour
- `P1DT12H` = 1 day 12 hours
- `PT30M` = 30 minutes
```json
{
"rules": {
"20": {
"description": "Ephemeral events must expire within 24 hours",
"max_expiry_duration": "P1D"
}
}
}
```
#### `must_have_tags`
**Type**: `[]string` (tag names)
**Applies to**: Write only
Required tags that must be present on the event.
```json
{
"rules": {
"1": {
"must_have_tags": ["p", "e"]
}
}
}
```
#### `protected_required`
**Type**: `boolean`
**Default**: `false`
**Applies to**: Write only
Requires events to have a `-` tag (NIP-70 protected events).
```json
{
"rules": {
"4": {
"protected_required": true
}
}
}
```
#### `identifier_regex`
**Type**: `string` (regex pattern)
**Applies to**: Write only
Regex pattern that `d` tag values must match. Events **must** have a `d` tag when this is set.
```json
{
"rules": {
"30023": {
"identifier_regex": "^[a-z0-9-]{1,64}$"
}
}
}
```
#### `tag_validation`
**Type**: `map[string]string` (tag name → regex pattern)
**Applies to**: Write only
Regex patterns for validating specific tag values. Only validates tags that are **present** on the event.
> **Note**: To require a tag to exist, use `must_have_tags`. `tag_validation` only validates format.
```json
{
"rules": {
"30023": {
"tag_validation": {
"t": "^[a-z0-9-]{1,32}$",
"d": "^[a-z0-9-]+$"
}
}
}
}
```
---
### Script Configuration
#### `script`
**Type**: `string` (file path)
**Applies to**: Write only
Path to a custom validation script. **Scripts are NOT executed for read operations.**
```json
{
"rules": {
"1": {
"script": "/etc/orly/scripts/spam-filter.py"
}
}
}
```
---
## Policy Evaluation Order
### For Write Operations
```
1. Global Rule Check (all fields apply)
├─ Universal constraints (size, tags, age, etc.)
├─ write_deny check
├─ write_allow_follows / follows_whitelist_admins check
└─ write_allow check
2. Kind Filtering (whitelist/blacklist)
3. Kind-Specific Rule Check (same as global)
├─ Universal constraints
├─ write_deny check
├─ write_allow_follows / follows_whitelist_admins check
├─ write_allow check
└─ Script execution (if configured)
4. Default Policy (if no rules matched)
```
### For Read Operations
```
1. Global Rule Check (access control only)
├─ read_deny check
├─ write_allow_follows / follows_whitelist_admins check
├─ read_allow check
└─ privileged check (party involved)
2. Kind Filtering (whitelist/blacklist)
3. Kind-Specific Rule Check (access control only)
├─ read_deny check
├─ write_allow_follows / follows_whitelist_admins check
├─ read_allow + privileged (OR logic)
└─ privileged-only check
4. Default Policy (if no rules matched)
NOTE: Scripts are NOT executed for read operations
```
---
## Common Configuration Patterns
### Private Relay (Whitelist Only)
```json
{
"default_policy": "deny",
"global": {
"write_allow": ["trusted_pubkey_1", "trusted_pubkey_2"],
"read_allow": ["trusted_pubkey_1", "trusted_pubkey_2"]
}
}
```
### Open Relay with Spam Protection
```json
{
"default_policy": "allow",
"global": {
"size_limit": 100000,
"max_age_of_event": 86400,
"max_age_event_in_future": 300
},
"rules": {
"1": {
"script": "/etc/orly/scripts/spam-filter.sh"
}
}
}
```
### Community Relay (Follows-Based)
```json
{
"default_policy": "deny",
"policy_admins": ["community_admin_pubkey"],
"policy_follow_whitelist_enabled": true,
"global": {
"write_allow_follows": true
}
}
```
### Encrypted DMs (Privileged Access)
```json
{
"rules": {
"4": {
"description": "Encrypted DMs - only sender/recipient",
"privileged": true,
"protected_required": true
}
}
}
```
### Long-Form Content with Validation
```json
{
"rules": {
"30023": {
"description": "Long-form articles",
"size_limit": 100000,
"content_limit": 50000,
"max_expiry_duration": "P30D",
"identifier_regex": "^[a-z0-9-]{1,64}$",
"tag_validation": {
"t": "^[a-z0-9-]{1,32}$"
}
}
}
}
```
---
## Important Behaviors
### Whitelist vs Blacklist Precedence
1. **Deny lists** (`write_deny`, `read_deny`) are checked **first** and have highest priority
2. **Allow lists** are exclusive when populated - ONLY listed pubkeys are allowed
3. **Deny-only configuration**: If only deny list exists (no allow list), all non-denied pubkeys are allowed
### Empty Arrays vs Null
- `[]` (empty array explicitly set) = Allow all
- `null` or field omitted = No list configured, use other rules
### Global Rules Are Additive
Global rules are always evaluated **in addition to** kind-specific rules. They cannot be overridden at the kind level.
### Implicit Kind Whitelist
When rules are defined but no explicit `kind.whitelist`:
- If `default_policy: "allow"`: All kinds allowed
- If `default_policy: "deny"` or unset: Only kinds with rules allowed
---
## Debugging Policy Issues
Enable debug logging to see policy decisions:
```bash
export ORLY_LOG_LEVEL=debug
```
Log messages include:
- Policy evaluation steps
- Rule matching
- Access decisions with reasons
---
## Source Code Reference
- Policy struct definition: `pkg/policy/policy.go:75-144` (Rule struct)
- Policy struct definition: `pkg/policy/policy.go:380-412` (P struct)
- Check evaluation: `pkg/policy/policy.go:1260-1595` (checkRulePolicy)
- Write handler: `app/handle-event.go:114-138`
- Read handler: `app/handle-req.go:420-438`
Write Preview
Loading…
Cancel
Save