Discussion: Basic capability-like structure using e.g. UUID #2620

Closed
kevinkassimo opened this issue Jul 7, 2019 · 2 comments
kevinkassimo commented Jul 7, 2019

In a discussion on Gitter, @j-f1 proposed using a UUID or a similar potentially unforgeable entity for accessing native resources.

I think it might be viable to implement something simpler that might be easy to integrate into Deno as a first step: introducing APIs that allow a module to create a resource mapped by UUID and pass this resource to other modules. Since normal bindings do not have access to the module where a certain op is invoked, we might place it on import.meta, which has a strong association with different modules.

Some API like the following:

```ts
// This is actually referring to a resource and that might be modified from any existing handle
class Capability implements Reader /* Writer Seeker Closer */ {
  uri: string;
  id: string;
  // ...
}

// Returns a new Capability, or existing one if already has.
// Potentially only exposed in the main module.
await import.meta.requestCap({
  type: 'file',
  perm: 'rw',
});

// All Capabilities for this module
import.meta.caps;

// Forward a Capability to another module
await import.meta.forwardCaps("./path/to/another/module", [myCap]);
```

On the Rust side we might be able to use the sent UUID as the ID in a table to find the corresponding resource.

This is a very crude design and might not be very useful (notice this design means so-called "Capability" is not revocable -- unless the underlying resource itself is closed), but I think it could serve as a starting point for more capability design and implementation related discussions.

(Notice that Deno.core.send is currently exposed publicly. If not (possibly hidden inside of a WeakMap) then other JS/TS side solutions might work)
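
The UUID-keyed table lookup proposed above can be simulated in plain TypeScript; this is an added example, not code from the issue or from Deno. The `CapTable` class, its method names and the per-module holder check are assumptions, and the module URL is passed explicitly where the proposal would take it from `import.meta`.

```typescript
import { randomUUID } from "node:crypto";

type Perm = "r" | "w" | "rw";
interface Resource { type: string; perm: Perm; written: string[] }

// Host-side table (the "Rust side" of the proposal), simulated in TypeScript.
class CapTable {
  private resources = new Map<string, Resource>(); // capability id -> resource
  private grants = new Map<string, Set<string>>(); // module URL -> ids it holds

  // Hypothetical stand-in for import.meta.requestCap({ type, perm }).
  requestCap(moduleUrl: string, type: string, perm: Perm): string {
    const id = randomUUID(); // v4 UUID from the CSPRNG, so it cannot be guessed
    this.resources.set(id, { type, perm, written: [] });
    this.grant(moduleUrl, id);
    return id;
  }

  // Hypothetical stand-in for import.meta.forwardCaps(): only a holder may forward.
  forwardCaps(from: string, to: string, ids: string[]): void {
    const missing = ids.find((id) => !this.holds(from, id));
    if (missing !== undefined) throw new Error(`${from} does not hold ${missing}`);
    ids.forEach((id) => this.grant(to, id));
  }

  // Each op resolves the id through the table, then checks holder and permission.
  write(moduleUrl: string, id: string, chunk: string): boolean {
    const res = this.resources.get(id);
    if (!res || !this.holds(moduleUrl, id) || !res.perm.includes("w")) return false;
    res.written.push(chunk);
    return true;
  }

  // Closing the underlying resource is the only revocation, and it hits every holder.
  close(id: string): void {
    this.resources.delete(id);
  }

  private holds(moduleUrl: string, id: string): boolean {
    return this.grants.get(moduleUrl)?.has(id) ?? false;
  }

  private grant(moduleUrl: string, id: string): void {
    const held = this.grants.get(moduleUrl) ?? new Set<string>();
    held.add(id);
    this.grants.set(moduleUrl, held);
  }
}
```

With the holder check in place, a module that merely learns the id is still refused; without it, the UUID alone would act as a bearer token and its secrecy would be the only protection.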


solson commented Sep 19, 2020

A capabilities system for modules would be great for Deno's security story. I'm going to be writing a lot of personal scripts with file read/write and network access, but the terminal colors script I import from a URL definitely shouldn't share any of that access!

There are some potentially interesting relevant discussions happening in this TC39 proposal.


stale bot commented Jan 6, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jan 6, 2021
@stale stale bot closed this as completed Jan 13, 2021