Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat!: remove canIssue default from the server #251

Merged
merged 4 commits into from
Mar 7, 2023
Merged

feat!: remove canIssue default from the server #251

Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e6df77b
chore: test to verify that validator rejects delegation from service
Gozala Mar 7, 2023
deadaa0
add another test
Gozala Mar 7, 2023
fbf7246
fix: remove canIssue default in the server
Gozala Mar 7, 2023
6d34850
fix typo
Gozala Mar 7, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
89 changes: 89 additions & 0 deletions packages/validator/test/session.spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -310,3 +310,92 @@ test('resolve key', async () => {
},
})
})

test('service can not delegate access to account', async () => {
const account = Absentee.from({ id: 'did:mailto:web.mail:alice' })
gobengo marked this conversation as resolved.
Show resolved Hide resolved
// service should not be able to delegate access to account resource
const auth = await Delegation.delegate({
gobengo marked this conversation as resolved.
Show resolved Hide resolved
issuer: w3,
audience: alice,
capabilities: [
{
with: account.did(),
can: 'debug/echo',
},
],
})

const session = await Delegation.delegate({
issuer: service,
gobengo marked this conversation as resolved.
Show resolved Hide resolved
audience: alice,
capabilities: [
{
with: w3.did(),
can: 'ucan/attest',
nb: { proof: auth.cid },
},
],
proofs: [auth],
})

const request = echo.invoke({
audience: w3,
issuer: alice,
with: account.did(),
nb: { message: 'hello world' },
proofs: [auth, session],
})

const result = await access(await request.delegate(), {
authority: w3,
capability: echo,
principal: Verifier,
})

assert.equal(result.error, true)
})

test('attest with an account did', async () => {
const account = Absentee.from({ id: 'did:mailto:web.mail:alice' })

// service should not be able to delegate access to account resource
const auth = await Delegation.delegate({
issuer: w3,
audience: alice,
capabilities: [
{
with: account.did(),
can: 'debug/echo',
},
],
})

const session = await Delegation.delegate({
issuer: w3,
audience: alice,
capabilities: [
{
// this should be an service did instead
with: account.did(),
can: 'ucan/attest',
nb: { proof: auth.cid },
},
],
})

const request = echo.invoke({
audience: w3,
issuer: alice,
with: account.did(),
nb: { message: 'hello world' },
proofs: [auth, session],
})

const result = await access(await request.delegate(), {
authority: w3,
capability: echo,
principal: Verifier,
})

assert.equal(result.error, true)
})