feat!: wildcard support in capabilies #218
Conversation
Gozala
force-pushed
the
feat/wildcard-caps
branch
from
545413d to
b0dd187
Compare
| proofs: [proof], | ||
| }) | ||
|
|
||
| const result = await access(await ping.delegate(), { |
There was a problem hiding this comment.
see https://github.com/web3-storage/ucanto/pull/218/files#r1100550414
IMHO it's not obvious to me from ucan-wg/spec that middle dev/* should authorize this, because spec doesn't say anything about special semantics for dev/* syntax
There was a problem hiding this comment.
So delegation chain we have here is as follows (where top on is ambient authority by ownership, which is also something UCAN spec has no opinion on)
{ with: did:key:zAli, can: * }
^
: - by Ownership to Alice
{ with: did:*, can: * } => { with: did:key:zAli, can: * }
^
| - by Alice to Bob
{ with: did:*, can: dev/* } => { with: did:key:zAli, can: dev/* }
^
| - by Bob to Mallory
{ with: did:*, can: * } => [{ with: did:key:zAli, can: dev/* }, { with: did:key:zBob, can: * }]
^
| - by Mallory to W3
{ with: did:key:zAli, can: 'dev/ping', nb: { message: 'hello'} }
If you follow the chain you can see all the constraints that had been imposed at every layer (spec calls it diminishing) yet despite all the the constraints bottom is still true.
Now one could argue that Bob is escalating when delegating to Mallory, yet I think it goes against intuition and there is a discussion to spec this pattern because otherwise we have keep recreating chains every time some agent gains more capabilities, for details see:
ucan-wg/spec#130
ucan-wg/spec#131
| @@ -0,0 +1,109 @@ | |||
| import * as API from '@ucanto/interface' | |||
There was a problem hiding this comment.
Is this capability2.js file imported anywhere?
There was a problem hiding this comment.
what is intended difference between capability.js and capability2.js (if any)
There was a problem hiding this comment.
oops, I did not intend to include that file
Co-authored-by: Benjamin Goering <171782+gobengo@users.noreply.github.com>
|
I have chatted with @expede about ways to express "everything, everywhere delegated or owned" resources we've decided we can express this as |
| * resolveAbility('ucan:*', 'https://example.com', null) // => 'https://example.com' | ||
| * resolveAbility('did:*', 'did:key:zAlice', null) // => null | ||
| * resolveAbility('did:key:zAlice', 'did:key:zAlice', null) // => did:key:zAlice |
There was a problem hiding this comment.
Should be resolveResource in these examples not resolveAbility?
Fixes #87
We need this to make authorization protocol able to support more granular delegations without specifying exact space DID. And we do not want to specify exact space DID to avoid having to recreate UCAN delegations chains and instead add desired proofs. Specifically consider following scenario
did:key:zSpacedelegates todid:mailto:web.mail:alicedid:mailto:web:mail:aliceauthorizesdid:key:zAgentdid:key:zAnotherSpacedelegates todid:mailto:web.mail:aliceUnless in step 2
withfield is open ended likedid:*, agentdid:key:zAgentwill not have access to newdid:key:zAnotherSpaceeven though it would be able to get it through access/claim.Changes here implement native support for wildcards in
canandwithfields and consequently address above described limitation. Furthermore it eliminates need for boilerplate capabilities we had to usePlease note that implementation correctly handles unintended escalation like:
To make this work when validator parses (middle) capability it inherits information from the outer (bottom) capability and comes out just like bottom one in this instance. By doing this validator correctly identifies escalation (200 > 100) in the next step.