New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
claimRequest() and other powerbox-related updates #2027
Conversation
@kentonv this is the code that I was talking about earlier today. It sets the |
@dwrensha I agree, that does look wrong. It seems like the code meant to use |
Hm... it also occurs to me that |
I'm not so sure. Would making that change require that other users who want to review/audit the capabilities owned by a grain also be able to see Does this still make sense if the powerbox request is initiated server-side, or do we intend to drop that flow entirely? Seems we'd need a place for the introducer in that workflow too, but you wouldn't necessarily want to chain to a |
No, The The clientside flow goes like this:
In a hypothetical server-side-only flow, the first two steps are merged into a single It's the sturdyref created in step 3 that I think you're talking about showing up in an audit UI. The |
It is not obvious to me if or why I should assume that some (the last?) item in the If we do make that guarantee, we should probably document it and assert about it in the code. I have always assumed This suggests that we will need some pretty complicated join logic to pull profiles for identities referenced by any number of ApiTokens, but perhaps that was already true. |
One issue that I'm not sure this addresses is "how do I associate an identity (not just an account) with an Maybe userIsAdmin needs to be a struct of (accountId, identityId), rather than just a Text? |
To pass the |
Ahhh, so for a hypothetical Okay, so it sounds like the guarantee is:
Does that sound right? (Also, thanks for helping me understand all the intent here!) |
Note quite. I would say that the entire Consider the following interaction.
The The "requirements relevant to the most recent powerbox interaction" seems to me to be exactly the information needed for a an audit UI. I suppose it is plausible that in future revisions of the powerbox this may no longer be the case (e.g. if we support capabilities that don't autorevoke when the sharer loses access to the intermediary grain). Then we will need to add some additional way to capture the data needed in the audit UI. But I say let's not worry about that until it becomes a problem. |
After some updates to the copy/paste powerbox flow and these changes to the powerbox test app, the integration tests are now passing. |
8913a38
to
52113f6
Compare
Note that I'm not quite happy with |
In the latest commit, This approach still does not seem quite satisfactory, because a grain has no way either to prevent an asset from being deleted or even to get notified when an asset is deleted, short of repeatedly calling interface StaticAsset {
getUrl @0 () -> (url :Text);
}
interface SandstormApi {
// ....
createStaticAsset @8 (mimeType :Text, encoding :Text, content :Data)
-> (asset :StaticAsset);
}
struct GrainMetadata {
appTitle @0 :LocalizedText;
union {
icon :group {
format @1 :Text;
asset @2 :StaticAsset;
asset2xDpi @3 :StaticAsset;
# If present, an equivalent asset at twice-resolution
}
appId @4 :Text;
}
}
struct ViewInfo {
/// ...
metadata @5 :GrainMetadata;
}
That is, we would put the actual I think we would also want to prevent grains from providing their own implementations of @kentonv: I'm interested in your thoughts on all of this. |
Another idea for keeping assets valid: we could add a method like interface SandstormApi {
// ....
holdStaticAsset @9 (assetId :Text) -> (handle :Util.Handle);
} where the asset's refcount is incremented for as long as Then maybe interface SandstormApi {
// ....
createStaticAsset @8 (mimeType :Text, encoding :Text, content :Data)
-> (asset :StaticAsset, handle :Util.Handle);
} |
4ae90a6
to
4d3ace0
Compare
} | ||
|
||
if (!viewInfo.grainIconUrl) { | ||
// TODO(security, now): Do we need to do some kind of filtering here to prevent |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This TODO wouldn't be caught by our release script, FWIW. You need to do TODO(now) TODO(security)
, or just say that TODO(now)
takes precedence.
OK, reviewed everything. I'm worried that referencing assets by string ID rather than by capability is going to create obstacles somewhere down the road, particularly when we start having federation between Sandstorm servers where the same asset probably has different IDs on different servers. I think we will want to be aware when asset references move between servers, so that data can automatically be synced in the background, etc. We obviously only have that ability with capabilities. Let me think about this more tomorrow. |
Ready for re-review. In this version, the |
appId @4 :Text; | ||
# App ID, needed to generate a favicon if no icon is provided. | ||
} | ||
getUrl @0 () -> (url :Text); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is XSS-prone: If the StaticAsset capability is implemented by another app or other malicious source, it can return a javascript:
URL or similar, which is likely to be evaluated in the context of the calling app. You can say it is the caller's responsibility to filter, but most won't.
We can prevent this problem by changing the return to something like:
(https: Bool, hostPath :Text)
The URL is then formed as:
(https ? "https://" : "http://") + hostPath
…e step for better security.
Abandon backwards-compatibility plan.
Swap ordinals of SandstormApi.restore() and SandstormApi.claimRequest().
Also, add an "identicon" host that renders identicons server-side.
…isting static host.
I've split the return value of Ready for re-review. |
This pulls together the work from #2016 and #2019.
The ip-networking integration tests are working after applying https://github.com/zarvox/sandstorm-test-python/pull/4.
I have not yet updated the other powerbox integration tests, which are based on https://github.com/jparyani/sandstorm-test-app. So this will not pass Jenkins.
I've split out a new file powerbox.capnp. Doing so isn't strictly necessary for this change, but if we want to do that eventually, now seems like an opportune time.
I've not yet addressed all of the comments in #2019, but I wanted to get this pull request up for discussion.