This PR adds a fission app delegate command to delegate capabilities for working with apps.
This PR fixes/implements the following bugs/features
[x] Add fission app delegate command
The command provides the following API:
» fission app delegate
Missing: (-a|--app-name NAME) (-d|--did DID)
Usage: fission-delegate-cli app delegate (-a|--app-name NAME) (-d|--did DID)
[-p|--potency POTENCY]
[-l|--lifetime LIFETIME] [-q|--quiet]
Delegate capability to an audience DID
Available options:
-a,--app-name NAME The target app
-d,--did DID An audience DID
-p,--potency POTENCY The potency to delegate. Options include AppendOnly,
Destroy, or Super_User. (default: "AppendOnly")
-l,--lifetime LIFETIME Lifetime in seconds before UCAN expires
(default: 300)
-q,--quiet Only output the UCAN on success
-h,--help Show this help text
A developer has a few options for providing credentials to sign the delegated UCAN. They can set FISSION_MACHINE_KEY and FISSION_APP_UCAN environment variables, register a Fission user, or link an existing Fission user from another machine or browser. When using environment variables, both FISSION_MACHINE_KEY and FISSION_APP_UCAN must be set.
The command checks for the ability to delegate in order as follows:
FISSION_MACHINE_KEY and FISSION_APP_UCAN are set
Check that FISSION_APP_UCAN has capability and the audience DID matches FISSION_MACHINE_KEY
Environment variables are not set
Developer has a linked Fission account
Check the UCAN store for a UCAN with capability
Developer created an account on this machine
Request an index of the developer's apps, and check if the app is registered
Note that in either case where we check a UCAN, we trust the UCAN, but we verify on the server.
The command assumes least privilege by defaulting to AppendOnly potency and limiting the UCAN lifetime to five minutes. Both can be set when more potency or a longer lifetime are desired.
The quiet flag reduces the command's output to just the UCAN. This flag should be useful in non-interactive use cases where helpful messages and emoji could get in the way of parsing the output.
Test plan (required)
Create a testing key pair with fission generate credentials. Select an app you have registered at the CLI, then run
fission app delegate -d <testing-keypair-DID> -a <app-name> -l 86400
The app-name should only include the subdomain portion of the app URL. For example, only ancient-round-crab would be used for ancient-round-crab.fission.app.
This command will generate an append-only UCAN that is valid for one day.
Next, set the temporary private key as FISSION_MACHINE_KEY and the append-only UCAN as FISSION_APP_UCAN environment variables.
Generate a second temporary key pair, then run the same delegate command. This time, the command will delegate using the environment variables.
Error cases include:
Missing credentials
Only one of FISSION_MACHINE_KEY and FISSION_APP_UCAN are set
No environment variables are set and no account registered or linked
App not registered
An account was created on this machine, but the requested app has not been registered
Invalid UCAN
The UCAN cannot be parsed
Time bounds violation
Invalid signature
Potency escalation
For example, an append-only UCAN is used as proof but Destroy or Super_User potency are requested
Insufficient resources
The proof UCAN cannot delegate for the requested app. For example, a UCAN with only the app resource ancient-round-crab could not delegate for rich-young-skinny-bigfoot.
Closing issues
Closes #599
After Merge
[ ] Does this change invalidate any docs or tutorials? No, but we should update the docs with the new command
[ ] Does this change require a release to be made? Yes, but we should wait to release it with the append endpoint
Tasks
[x] Add command stub to CLI
[x] Check that user has capability to delegate
[x] Generate UCAN for an existing key pair by DID
[x] Read in signing key and proof UCAN as FISSION_MACHINE_KEY and FISSION_APP_UCAN environment variables
Summary
This PR adds a
fission app delegatecommand to delegate capabilities for working with apps.This PR fixes/implements the following bugs/features
fission app delegatecommandThe command provides the following API:
A developer has a few options for providing credentials to sign the delegated UCAN. They can set
FISSION_MACHINE_KEYandFISSION_APP_UCANenvironment variables, register a Fission user, or link an existing Fission user from another machine or browser. When using environment variables, bothFISSION_MACHINE_KEYandFISSION_APP_UCANmust be set.The command checks for the ability to delegate in order as follows:
FISSION_MACHINE_KEYandFISSION_APP_UCANare setFISSION_APP_UCANhas capability and the audience DID matchesFISSION_MACHINE_KEYNote that in either case where we check a UCAN, we trust the UCAN, but we verify on the server.
The command assumes least privilege by defaulting to AppendOnly potency and limiting the UCAN lifetime to five minutes. Both can be set when more potency or a longer lifetime are desired.
The quiet flag reduces the command's output to just the UCAN. This flag should be useful in non-interactive use cases where helpful messages and emoji could get in the way of parsing the output.
Test plan (required)
Create a testing key pair with
fission generate credentials. Select an app you have registered at the CLI, then runThe
app-nameshould only include the subdomain portion of the app URL. For example, onlyancient-round-crabwould be used forancient-round-crab.fission.app.This command will generate an append-only UCAN that is valid for one day.
Next, set the temporary private key as
FISSION_MACHINE_KEYand the append-only UCAN asFISSION_APP_UCANenvironment variables.Generate a second temporary key pair, then run the same delegate command. This time, the command will delegate using the environment variables.
Error cases include:
FISSION_MACHINE_KEYandFISSION_APP_UCANare setDestroyorSuper_Userpotency are requestedancient-round-crabcould not delegate forrich-young-skinny-bigfoot.Closing issues
Closes #599
After Merge
Tasks
FISSION_MACHINE_KEYandFISSION_APP_UCANenvironment variables