-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authorize RecordsRead with globalRole #512
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks legit! One comment.
f703003
to
300b156
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🏅
I'm not clear how this works. Does the submitter of a request provide proof of being in a role with the access decision made based on that information? Or, does the party in a role prove that to get an authorization that is then used when making the request? The former can lead to a confused deputy vulnerability. |
Hi @alanhkarp -- This test demonstrates this example: https://github.com/TBD54566975/dwn-sdk-js/pull/512/files#diff-9fb19363159f93356a17db530c83de231c08f7c853522922fc6bc00d22164306R477-R524 |
This test uses Role-Based Access Control (RBAC), and there are no security issues with such a simple example. However, when Bob is acting on a resource specified by somebody else, he is vulnerable to a confused deputy attack. There is no need to get rid of roles in order to avoid this problem. The test works as before, but Bob first makes a request to Alice's DWN that verifies he's in the role he claims and returns a capability granting access to the chat. Bob can then use that capability to read Alice's chat record. Even if Alice's DWN can't create the capability, Alice can include it in the friendRoleRecord when she tells her DWN that Bob is in the role. RBAC has a long history, so we know its strengths and weaknesses. While it is conceptually simple, there are issues managing granular access. Every enterprise use of RBAC that I've ever heard of suffered from role explosion as more and more roles get introduced to manage different combinations of permissions. (See From ABAC to ZBAC published in the Journal of Information Warfare, but the Journal's link is broken.) On the plus side, experience with User Managed Access (UMA) shows that individuals can manage simple policies with RBAC. (I haven't seen evidence one way or the other on even moderately complex policies.) |
A few weeks ago, I mentioned that running a service on top of DWN could expose the service to a confused deputy vulnerability when using roles (or any other form of authentication for that matter) to make access decisions. I was asked to provide an example. Forgive the delay, but here is one I came up with. @LiranCohen runs a service that adds captions to music videos using DWN for backend storage. @andorsk signs up for songs by Adele. When he wants captions added to the "Hello" video, he submits a request specifying the video and the record to hold the output. Liran's service accesses the video, puts the captioned version where Andor said to, and updates the billing record. There are some questions to be answered.
There are many ways Liran's service can implement checks to prevent this attack. The real question is whether it should have to. Let's look at the same example with capabilities. Liran's has a capability granting access to every video the service can provide. When Andor signs up for videos of Adele songs, Liran delegates to Andor a capability for the subset of records that apply to Adele videos and a capability to read Andor's billing record. When Andor wants "Hello" captioned, he delegates to Liran's service a capability to read the record containing the video and a capability to write the record for the captioned version. Andor can revoke those capabilities when the request has been completed. Liran's service now has the least privilege needed to carry out the request. Also, if Andor delegates a billing record capability in place of the one for the output record, the service's update request will fail as it should because Andor's capability only grants him permission to read his billing record. |
This implements the first step in supporting protocol
roles
. This PR creates the concept of$globalRole
. It allowsRecordsRead
to be authorized by arole
. It does NOT yet implement revocation and retention lists for roles.