TBD54566975 / dwn-sdk-js

Decentralized Web Node (DWN) Reference implementation

Home Page:https://identity.foundation/decentralized-web-node/spec/

Investigate how descendant roles are handled

thehenrytsai opened this issue · comments

Maybe everything works, but it is unclear to me how the descendant role declared in thread-role.json is being used for protocol authorization:

    "thread": {
      "$actions": [
        {
          "role": "thread/participant",
          "can": "read"
        }
      ],

It would be good to investigate if this is a special case because we so happen to have the contextId of the thread, and what happens if the descendant role specified is deeper, e.g. thread/foo/bar/baz, just to make sure there are no security holes.

If we were to disallow descendant roles, we'd do:

      // Validate the `role` property of an `action` if it exists.
      if (action.role !== undefined) {
        // make sure the role specified is self, or uncle, or great uncle, or separate root record
        // i.e. the role record specified must share the same "ancestor-chain" with the record of this rule set
        // e.g. if the rule set protocol path is `a1/b1/c1` then the role record can be `a2` (an edge case), `a1/b2`, `a1/b1/c1`, `a1/b1/c2`
        // but NOT `a1/b2/c3`, or `a1/b2/c1/d1`.
        const ruleSetParentProtocolPath = ruleSetProtocolPath.substring(0, ruleSetProtocolPath.lastIndexOf('/')); // NOTE: substring(0, negative-number) returns empty string which is what we want
        const roleParentProtocolPath = action.role.substring(0, action.role.lastIndexOf('/'));
        if (!ruleSetParentProtocolPath.startsWith(roleParentProtocolPath)) {
          throw new DwnError(
            DwnErrorCode.ProtocolsConfigureRoleDoesNotShareSameAncestorsAsRuleSetRecord,
            `Role in action ${JSON.stringify(action)} for rule set ${ruleSetProtocolPath} does not share the same ancestors as the rule set record.`
          );
        }
      }
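As an added example (not code from dwn-sdk-js or from the issue author), the block below restates the ancestor-chain rule sketched above as a stand-alone check and applies it to every `$actions` entry of a protocol `structure`, so the descendant role in the quoted `thread` rule set is reported while the same role used from a sibling rule set is accepted. The names `parentSegments`, `roleSharesAncestorChain` and `findDescendantRoles` are my own, and `sampleStructure` is a constructed input loosely modelled on the thread-role.json fragment, not the real file. It goes one step beyond the snippet by comparing whole path segments instead of string prefixes, so `a1/x` is not accepted for rule set `a11/b1` the way `'a11'.startsWith('a1')` would accept it.

```typescript
// Added example, not dwn-sdk-js code: a segment-aware version of the
// "same ancestor chain" rule from the issue, applied to a protocol structure.

type ProtocolAction = { role?: string; can: string };

// Splits a protocol path such as `a1/b1/c1` into its parent's segments (['a1', 'b1']).
// A root path such as `a2` has no parent, so this returns [].
function parentSegments(protocolPath: string): string[] {
  return protocolPath.split('/').slice(0, -1);
}

// True when the role record's parent is an ancestor of, or the same as, the
// rule set record's parent: the role is self, a sibling, an uncle, a great-uncle,
// or a separate root record. Descendant roles (`thread/participant` used from
// rule set `thread`) are rejected. Whole segments are compared, so `a1/x` is
// not accepted for rule set `a11/b1`.
function roleSharesAncestorChain(ruleSetProtocolPath: string, rolePath: string): boolean {
  const ruleSetParent = parentSegments(ruleSetProtocolPath);
  const roleParent = parentSegments(rolePath);
  if (roleParent.length > ruleSetParent.length) {
    return false; // role sits deeper than the rule set's parent: a descendant or a cousin
  }
  return roleParent.every((segment, i) => segment === ruleSetParent[i]);
}

// Walks a protocol `structure` (keys starting with `$` are reserved properties,
// every other key is a child record type) and reports each `$actions` entry
// whose `role` fails the check, formatted as "<rule set path> -> <role path>".
function findDescendantRoles(structure: Record<string, unknown>): string[] {
  const violations: string[] = [];

  const walk = (ruleSet: Record<string, unknown>, protocolPath: string): void => {
    const actions = (ruleSet.$actions as ProtocolAction[] | undefined) ?? [];
    for (const action of actions) {
      if (action.role !== undefined && !roleSharesAncestorChain(protocolPath, action.role)) {
        violations.push(`${protocolPath} -> ${action.role}`);
      }
    }
    for (const [key, child] of Object.entries(ruleSet)) {
      if (key.startsWith('$')) continue; // `$actions`, `$role`, ... are not child record types
      walk(child as Record<string, unknown>, `${protocolPath}/${key}`);
    }
  };

  for (const [key, ruleSet] of Object.entries(structure)) {
    walk(ruleSet as Record<string, unknown>, key);
  }
  return violations;
}

// Constructed sample, loosely modelled on the thread-role.json fragment quoted in the issue.
const sampleStructure: Record<string, unknown> = {
  thread: {
    $actions: [{ role: 'thread/participant', can: 'read' }], // descendant role of `thread`: reported
    participant: { $role: true },
    chat: {
      $actions: [{ role: 'thread/participant', can: 'write' }], // sibling of `thread/chat`: accepted
    },
  },
};

console.log(findDescendantRoles(sampleStructure)); // [ 'thread -> thread/participant' ]
```

Running the block prints the single offending pair from the `thread` rule set; the `thread/chat` rule set referencing the same `thread/participant` role passes because both share the parent `thread`. A deeper role such as `thread/foo/bar/baz` used from `thread` is rejected for the same reason as `thread/participant`: its parent chain is longer than that of the rule set.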