-
Notifications
You must be signed in to change notification settings - Fork 276
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve permission system that supports dynamic tokens for DEC #175
Comments
On an existing basis codes with ACL and protocols, consider a version of the design as follows: 1. Add handler permission to rmetaThe upgraded access types are as follows: #[derive(Clone, Debug, Serialize, Deserialize, Eq, PartialEq)]
pub enum GlobalStatePathGroupAccess {
Specified(GlobalStatePathSpecifiedGroup),
Default(u32 /*AccessString*/),
Handler, // New Type, should be handled by the dec's acl handler
} 2. Reuse the previous handler.acl eventThis event once played the role of acl callback in the old ACL mechanism, but after the ACL was restructured into a new logic, this event has been deprecated but still retained. We can reactivate this event, but the Request needs to be redesigned and should include the following fields: pub struct AclHandlerRequest {
pub dec: ObjectId,
pub path: String,
pub source: RequestSourceInfo,
pub permissions: AccessPermissions,
} 3. rmeta managementWe can use add_access and remove_access to set the handler permission for a global-state path. When a request needs to use rmeta for verification, it matches the corresponding path. If it corresponds to a handler, it will call the ACL event registered by the corresponding dec for dynamic judgment, thus determining whether the request is rejected or accepted. 4. Custom token for requestsSince the ACL handler is a general rmeta processing mechanism, all places that need to use rmeta to handle permissions need to support custom tokens. It is somewhat difficult to recklessly add a field to many different request modes, so after researching, we consider adding it to the composite structure of req-path: RequestGlobalStatePath Since req-path itself is a composite structure, you can refer to the design pattern of URLs, providing parameters in the form of ? followed by the parameter, like:
However, note the following two points:
|
Great! Is there some built-in authentication strategy? compare password or verify the signature? By the way, I think we should use uniform names for some special identifiers. For example: the and there are |
The token should be more precisely called user_token, and it should be transparent to the cyfs-stack. The specific verification mechanism depends on the app's own handling(during acl handler callback). It can use a password form or asymmetric key verification such as a signature. Cyfs-base provides some utility functions and classes for these purposes. The AclHandlerRequest mentioned above is just pseudocode for illustration purposes, where the path refers to the req-path and dec refers to the dec-id. In the actual implementation, this will be unified. |
…on-system-that-supports-dynamic-tokens-for-dec' into main
rmeta adds support for dynamic permissions 1. Add Handler type to the permission type of rmetaIf the corresponding permission type is rmeta related is defined as follows: CYFS/src/component/cyfs-lib/src/rmeta/def/access.rs Lines 91 to 96 in afd05eb
Usage as the following code: CYFS/src/tests/cyfs-stack-test/src/case/acl_handler.rs Lines 73 to 83 in afd05eb
2. Refactoring the acl events in the Router Handlers event systemThe new acl event is adapted to the rmeta callback request, the corresponding request and response are defined as follows:
dec needs to check the permission request inside the handler based on the following params:
Here is a complete req_path with query_string
The request can be answered by the Acl handler with the following CYFS/src/component/cyfs-lib/src/acl/action.rs Lines 12 to 16 in afd05eb
3. How to register acl events for Dec serviceRegistering acl events is similar to registering post-object events, you can filter the corresponding rmeta access callback events by The filter supports the following fields and types:- Request side
- Response side
The sample code for registering an event is as follows - The acl handler callback:CYFS/src/tests/cyfs-stack-test/src/case/acl_handler.rs Lines 20 to 58 in afd05eb
- Register acl handler:CYFS/src/tests/cyfs-stack-test/src/case/acl_handler.rs Lines 85 to 95 in afd05eb
4. How to use the custom req_query_string on the request sideThe req_query_string is a custom parameter for the rmeta permissions dynamic Handler, which can be passed with various pre-designed parameters from dec to better verify the permissions of the request. For all requests that use req_path to rely on rmeta permissions, you can specify additional req_query_string to specify additional parameters for the permission request, such as token, password, etc., including the following scenarios - NON/NDN/Crypto/Trans etc.Directly attach a query_string to the req_path of the request: {req_path}? {query_string} - Global-state based on op-env/accessor's related interfacedirectly on the path/inner_path parameter of the request, in the following format: {path}? {query_string} - r-linkYou need to include additional query pairs in the query string of the url, but you need to avoid some parameters reserved by the protocol The current list of reserved parameters is as follows:
For example, here is an example of an r link with
- o-linkSince the req-path of the o link is itself provided as a query string parameter, the req_path with user-defined query_string needs to be encoded to escape the ? and & special characters to avoid not being recognized correctly by cyfs-stack internally For example, the following o link:
where got the decoded parameters are as follows
|
The dynamic acl base on rmeta handler has been merged into the main, and a simple test case is in The detailed usage documentation is above, hopefully providing some detailed testing help @lizhihongTest |
How can I set cyfs.GlobalStatePathGroupAccess.Handler() by cyfs.AccessString ? If I put_object or publish_file can set access, But the request params type is cyfs.AccessString |
The current permission system in cyfs-stack is divided into two layers:
|
The interface of dynamic tokens for DEC has been test finished, The remaining r/a-link related tests will be manually performed in the browser. Testing reporthttp://bdttest.tinyappcloud.com/cyfs_test_package/test_report/2023_05_04_dynamic_token/ Testing codecyfs-test-lab:test_dynamic_token_scenario.ts Testing resultScenario Testing: Dynamic token |
Test environmentOOD : Nightly 1.1.0.755 Random test data codecyfs-test-lab:test_dynamic_token_r_a_link.ts Test Data
R-link get object frist time use with correct tokenTesk Link: cyfs://r/5aSixgLox5CRLLaMcnsRz75A4khSXay5WRjfN5VjNNVx/9tGpLNndR5tyui8DkYBpEz8mFHzjfqkCVmsFusa5roHd/qa_test_token/share-9tGpLNnLxfgtzB9VkdteBhsdcuFw7FnK69F5twFQ6Z24?token=sk-hc1Rf0ndAdddcG1S2iic Test Result:
R-link get object second timeTesk Link: cyfs://r/5aSixgLox5CRLLaMcnsRz75A4khSXay5WRjfN5VjNNVx/9tGpLNndR5tyui8DkYBpEz8mFHzjfqkCVmsFusa5roHd/qa_test_token/share-9tGpLNnLxfgtzB9VkdteBhsdcuFw7FnK69F5twFQ6Z24?token=sk-hc1Rf0ndAdddcG1S2iic Test Result:
R-link get object second use flags=1 refresh objectTesk Link: cyfs://r/5aSixgLox5CRLLaMcnsRz75A4khSXay5WRjfN5VjNNVx/9tGpLNndR5tyui8DkYBpEz8mFHzjfqkCVmsFusa5roHd/qa_test_token/share-9tGpLNnLxfgtzB9VkdteBhsdcuFw7FnK69F5twFQ6Z24?token=sk-hc1Rf0ndAdddcG1S2iic&flags=1 Test Result:
R-link get object second set ketwords paramsTesk Link: cyfs://r/5aSixgLox5CRLLaMcnsRz75A4khSXay5WRjfN5VjNNVx/9tGpLNndR5tyui8DkYBpEz8mFHzjfqkCVmsFusa5roHd/qa_test_token/share-9tGpLNnLxfgtzB9VkdteBhsdcuFw7FnK69F5twFQ6Z24?token=sk-hc1Rf0ndAdddcG1S2iic&flags=1&page_index=1 Test Result:
R-link get object use error tokenTesk Link: cyfs://r/5aSixgLox5CRLLaMcnsRz75A4khSXay5WRjfN5VjNNVx/9tGpLNndR5tyui8DkYBpEz8mFHzjfqkCVmsFusa5roHd/qa_test_token/share-9tGpLNnLxfgtzB9VkdteBhsdcuFw7FnK69F5twFQ6Z24?token=error-hc1Rf0ndAdddcG1S2iic&flags=1 Test Result:
O-link get object frist timeTesk Link: cyfs://o/5aSixgLox5CRLLaMcnsRz75A4khSXay5WRjfN5VjNNVx/9tGpLNnLxfgtzB9VkdteBhsdcuFw7FnK69F5twFQ6Z24?req_path=/9tGpLNndR5tyui8DkYBpEz8mFHzjfqkCVmsFusa5roHd/qa_test_token/share-9tGpLNnLxfgtzB9VkdteBhsdcuFw7FnK69F5twFQ6Z24?token=sk-hc1Rf0ndAdddcG1S2iic Test Result:
O-link get object second timeTesk Link: cyfs://o/5aSixgLox5CRLLaMcnsRz75A4khSXay5WRjfN5VjNNVx/9tGpLNnLxfgtzB9VkdteBhsdcuFw7FnK69F5twFQ6Z24?req_path=/9tGpLNndR5tyui8DkYBpEz8mFHzjfqkCVmsFusa5roHd/qa_test_token/share-9tGpLNnLxfgtzB9VkdteBhsdcuFw7FnK69F5twFQ6Z24?token=sk-hc1Rf0ndAdddcG1S2iic Test Result:
O-link get object second use flags=1 refresh objectTesk Link: cyfs://o/5aSixgLox5CRLLaMcnsRz75A4khSXay5WRjfN5VjNNVx/9tGpLNnLxfgtzB9VkdteBhsdcuFw7FnK69F5twFQ6Z24?req_path=/9tGpLNndR5tyui8DkYBpEz8mFHzjfqkCVmsFusa5roHd/qa_test_token/share-9tGpLNnLxfgtzB9VkdteBhsdcuFw7FnK69F5twFQ6Z24?token=sk-hc1Rf0ndAdddcG1S2iic&&flags=1 Test Result:
O-link get object second set ketwords paramsTesk Link: cyfs://o/5aSixgLox5CRLLaMcnsRz75A4khSXay5WRjfN5VjNNVx/9tGpLNnLxfgtzB9VkdteBhsdcuFw7FnK69F5twFQ6Z24?req_path=/9tGpLNndR5tyui8DkYBpEz8mFHzjfqkCVmsFusa5roHd/qa_test_token/share-9tGpLNnLxfgtzB9VkdteBhsdcuFw7FnK69F5twFQ6Z24?token=sk-hc1Rf0ndAdddcG1S2iic&page_index=1&flags=1 Test Result:
O-link get object use error tokenTesk Link: cyfs://o/5aSixgLox5CRLLaMcnsRz75A4khSXay5WRjfN5VjNNVx/9tGpLNnLxfgtzB9VkdteBhsdcuFw7FnK69F5twFQ6Z24?req_path=/9tGpLNndR5tyui8DkYBpEz8mFHzjfqkCVmsFusa5roHd/qa_test_token/share-9tGpLNnLxfgtzB9VkdteBhsdcuFw7FnK69F5twFQ6Z24?token=error-hc1Rf0ndAdddcG1S2iic&&flags=1 Test Result:
|
…ermission-system-that-supports-dynamic-tokens-for-dec' into main
The current permission system has two layers: rmeta and object access, with the following characteristics:
These two levels of permissions can handle many static configurations but are insufficient for some dynamic permission scenarios, such as:
A DEC needs to share a specific resource with others and sets a token (maybe a random password string). As long as others know this token, they can access the resource. The shared token has an expiration time, after which others will no longer have access.
This is a typical token-based sharing mechanism, with tokens being custom-generated and validated by each DEC. Tokens can be a random password or a public key format, etc.
The protocol stack needs to consider how to support this form of dynamic permission. It is reasonable to add it to the rmeta layer, as introduced from the beginning. Since DEC validation is required, the handler system also needs to be involved. The DEC can dynamically handle permission validation requests for each rmeta to determine whether to grant or deny access.
The text was updated successfully, but these errors were encountered: