Update docs about the use labels with HTTP requests

project-oak · Nov 20, 2020 · 527bacd · 527bacd
1 parent 1ecfdef
commit 527bacd
Show file tree

Hide file tree

Showing 3 changed files with 106 additions and 25 deletions.
diff --git a/docs/concepts.md b/docs/concepts.md
@@ -321,35 +321,28 @@ represented by a message containing two Channels handles:
     some trusted authentication mechanism that is performed as part of the gRPC
     connection itself; this represents the actual authority of the caller.
   - an empty integrity component.
-  
+
 ### HTTP and user labels
 
-Similar to gRPC requests, each incoming HTTP request must have a label 
-specifying the confidentiality guarantees that the caller wants to impose on the 
-request message. The label is either provided as a [JSON formatted](jsom-schem) 
-header named `oak-label` or a [protobuf message](/oak_abi/proto/label.proto) 
-in a header named `oak-label-bin`. 
-FIXME: ADD JSON SCHEMA
+Similar to gRPC requests, each incoming HTTP request must have a label
+specifying the confidentiality guarantees that the caller wants to impose on the
+request message. The label is either provided as a
+[JSON formatted](/oak_abi/json/label.json) header named `oak-label` or a
+[protobuf message](/oak_abi/proto/label.proto) in a header named
+`oak-label-bin`.
 
 Internally, each incoming HTTP invocation is represented by a message containing
-two Channel handles:   
-FIXME: DO WE HAVE THE SAME LABELS for HTTP?
+two Channel handles:
 
-- a "request receiver" read handle to a Channel whose Label has:
+- a "request receiver" read handle to a Channel whose label has a
+  confidentiality component explicitly set to the confidentiality component of
+  the label provided as a header (i.e., `oak-label` or `oak-label-bin`) in the
+  HTTP request. This represents the confidentiality guarantees that the caller
+  wants to impose on the request message.
 
-  - a confidentiality component explicitly specified by the caller as gRPC
-    request metadata; this represents the confidentiality guarantees that the
-    caller wants to impose on the request message.
-  - an integrity component implicitly set by the gRPC pseudo-Node based on some
-    trusted authentication mechanism that is performed as part of the gRPC
-    connection itself; this represents the actual authority of the caller.
-
-- a "response sender" write handle to a Channel, whose Label has:
-
-  - a confidentiality component implicitly set by the gRPC pseudo-Node based on
-    some trusted authentication mechanism that is performed as part of the gRPC
-    connection itself; this represents the actual authority of the caller.
-  - an empty integrity component.
+- a "response sender" write handle to a Channel. To avoid any accidental data
+  leaks, the label of the Channel is set to have a confidentiality component set
+  based on the identity of the user, and an empty integrity component.
 
 ### Signature labels
 

diff --git a/oak_abi/json/label.json b/oak_abi/json/label.json
@@ -0,0 +1,88 @@
+{
+  "definitions": {
+    "oak.label.Tag": {
+      "title": "Tag",
+      "description": "Tag represents a category of confidentiality or integrity that is associated with data within Oak, and refers to a Node or family of Nodes which are able to declassify data with that tag.",
+      "type": "object",
+      "properties": {
+        "grpcTag": {
+          "$ref": "#/definitions/oak.label.GrpcTag"
+        },
+        "webAssemblyModuleTag": {
+          "$ref": "#/definitions/oak.label.WebAssemblyModuleTag"
+        },
+        "webAssemblyModuleSignatureTag": {
+          "$ref": "#/definitions/oak.label.WebAssemblyModuleSignatureTag"
+        },
+        "tlsEndpointTag": {
+          "$ref": "#/definitions/oak.label.TlsEndpointTag"
+        }
+      }
+    },
+    "oak.label.Label": {
+      "title": "Label",
+      "description": "Represents information flowing through a Node or channel.",
+      "type": "object",
+      "properties": {
+        "confidentialityTags": {
+          "type": "array",
+          "description": "The confidentiality component of the label.",
+          "items": {
+            "$ref": "#/definitions/oak.label.Tag"
+          }
+        },
+        "integrityTags": {
+          "type": "array",
+          "description": "The integrity component of the label",
+          "items": {
+            "$ref": "#/definitions/oak.label.Tag"
+          }
+        }
+      }
+    },
+    "oak.label.GrpcTag": {
+      "title": "GrpcTag",
+      "description": "Policies related to gRPC communication, referring to the native gRPC node within the TCB.",
+      "type": "object",
+      "properties": {
+        "authorizationBearerTokenHmac": {
+          "description": "BearerToken encoded as a string using standard base64 encoding with paddings.,",
+          "type": "string"
+        }
+      }
+    },
+    "oak.label.WebAssemblyModuleTag": {
+      "title": "WebAssemblyModuleTag",
+      "description": "Policies related to modules, referring to the native WebAssembly node within the TCB.",
+      "type": "object",
+      "properties": {
+        "webAssemblyModuleHashSha256": {
+          "description": "The attestation for a single WebAssembly module, a SHA256 digest of the module in binary format.",
+          "type": "string"
+        }
+      }
+    },
+    "oak.label.WebAssemblyModuleSignatureTag": {
+      "title": "WebAssemblyModuleSignatureTag",
+      "description": "Policies related to modules, referring to the signature of the native WebAssembly node.",
+      "type": "object",
+      "properties": {
+        "publicKey": {
+          "description": "Public key counterpart of the private key used to sign WebAssembly module. The key is encoded as a string using standard base64 encoding with paddings.",
+          "type": "string"
+        }
+      }
+    },
+    "oak.label.TlsEndpointTag": {
+      "title": "TlsEndpointTag",
+      "description": "Policies related to HTTPS communication.",
+      "type": "object",
+      "properties": {
+        "authority": {
+          "description": "The TLS authority (host:port) of the remote endpoint, which is validated by the Oak Runtime using the set of Certificate Authorities (CA) that are available to it.",
+          "type": "string"
+        }
+      }
+    }
+  }
+}
diff --git a/oak_abi/proto/application.proto b/oak_abi/proto/application.proto
@@ -137,8 +137,8 @@ message HttpClientConfiguration {
   // The authority supported by this client. The authority must match the label of the HTTP Client
   // pseudo-Node. If the authority is non-empty, only HTTPS requests with the same authority
   // component in their URIs can be handled. If the authority is empty, the client must be public
-  // and it may handle arbitrary requests to any HTTP or HTTPS services. The authority is also used to
-  // set the privilege of the node.
+  // and it may handle arbitrary requests to any HTTP or HTTPS services. The authority is also used
+  // to set the privilege of the node.
   string authority = 1;
 }