From 7cede63ab7cc1d7148ab7768a63bfeaf0f9132af Mon Sep 17 00:00:00 2001 From: Tobias Bieniek Date: Wed, 19 Oct 2022 10:44:58 +0200 Subject: [PATCH 1/6] token-scopes: Align endpoint table --- text/0000-crates-io-token-scopes.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/text/0000-crates-io-token-scopes.md b/text/0000-crates-io-token-scopes.md index 1d6f5c04ecb..faae984e2ff 100644 --- a/text/0000-crates-io-token-scopes.md +++ b/text/0000-crates-io-token-scopes.md @@ -90,15 +90,15 @@ registries. The scopes proposed by this RFC allow access to the following endpoints: -| Endpoint | Required scope | -| --- | --- | -| `PUT /crates/new` (new crates) | **publish-new** | -| `PUT /crates/new` (existing crates) | **publish-update** | -| `DELETE /crates/:crate_id/:version/yank` | **yank** | -| `PUT /crates/:crate_id/:version/unyank` | **yank** | -| `PUT /crates/:crate_id/owners` | **change-owners** | -| `DELETE /crates/:crate_id/owners` | **change-owners** | -| everything except `PUT /me/tokens` | **legacy** | +| Endpoint | Required scope | +|------------------------------------------|--------------------| +| `PUT /crates/new` (new crates) | **publish-new** | +| `PUT /crates/new` (existing crates) | **publish-update** | +| `DELETE /crates/:crate_id/:version/yank` | **yank** | +| `PUT /crates/:crate_id/:version/unyank` | **yank** | +| `PUT /crates/:crate_id/owners` | **change-owners** | +| `DELETE /crates/:crate_id/owners` | **change-owners** | +| everything except `PUT /me/tokens` | **legacy** | Removing an endpoint from a scope or adding an existing endpoint to an existing scope will be considered a breaking change. Adding newly created endpoints to From 826ebc0373e48c7117ae38a8c3c246a9a2ebd303 Mon Sep 17 00:00:00 2001 From: Tobias Bieniek Date: Wed, 19 Oct 2022 10:46:57 +0200 Subject: [PATCH 2/6] token-scopes: Fix typos --- text/0000-crates-io-token-scopes.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/text/0000-crates-io-token-scopes.md b/text/0000-crates-io-token-scopes.md index faae984e2ff..11f58e0c1e5 100644 --- a/text/0000-crates-io-token-scopes.md +++ b/text/0000-crates-io-token-scopes.md @@ -42,7 +42,7 @@ adding the following endpoint scopes: * **yank**: allows yanking and unyanking existing versions of the user's crates * **change-owners**: allows inviting new owners or removing existing owners * **legacy**: allows accessing all the endpoints on crates.io except for - creating new tokens, like tokens created befores the implementation of this + creating new tokens, like tokens created before the implementation of this RFC. More endpoint scopes might be added in the future without the need of a @@ -81,8 +81,8 @@ crate scope filter (equivalent to no restrictions). # Reference-level explanation [reference-level-explanation]: #reference-level-explanation -Endpoint scopes and crates scope are two completly separate systems, and can be -used independently from one another. Token scopes will be implemented entirely +Endpoint scopes and crates scope are two completely separate systems, and can be +used independently of one another. Token scopes will be implemented entirely on the crates.io side, and there will be no change to `cargo` or alternate registries. @@ -162,7 +162,7 @@ in the RFC author's opinion, are more likely to need crate scopes than a person with just a few crates), and it wouldn't allow new crates matching the pattern but uploaded after the token's creation from being accessed. -Finally an alternative could be to do nothing, and encourage users to create +Finally, an alternative could be to do nothing, and encourage users to create "machine accounts" for each set of crates they own. A drawback of this is that GitHub's terms of service limit how many accounts a single person could have. 
@@ -222,7 +222,7 @@ implementation of solutions that would make the check hard. To increase the security of CI environments even more, we could implement an option to require a separate confirmation for the actions executed by tokens. For example, we could send a confirmation email with a link the owners have to -click to actually publish the crate uploaded by CI, preventing any mailicious +click to actually publish the crate uploaded by CI, preventing any malicious action with stolen tokens. To remove the need for machine accounts, a future RFC could propose adding API From 67d07c6535059d65c5d8d88d39553f8ea8d4ec62 Mon Sep 17 00:00:00 2001 From: Tobias Bieniek Date: Wed, 19 Oct 2022 12:56:27 +0200 Subject: [PATCH 3/6] token-scopes: Remove endpoint scope preselection paragraph We might want to discuss the default endpoint scope separately. It could be beneficial to not select anything by default, or just `publish-update` as a default for CI systems. --- text/0000-crates-io-token-scopes.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/text/0000-crates-io-token-scopes.md b/text/0000-crates-io-token-scopes.md index 11f58e0c1e5..8cb1a779711 100644 --- a/text/0000-crates-io-token-scopes.md +++ b/text/0000-crates-io-token-scopes.md @@ -48,11 +48,6 @@ adding the following endpoint scopes: More endpoint scopes might be added in the future without the need of a dedicated RFC. -The crates.io UI will pre-select the scopes needed by the `cargo` CLI, which at -the time of writing this RFC are `publish-new`, `publish-update`, `yank` and -`change-owners`. The user will have to explicitly opt into extra scopes or the -legacy permission model. - Tokens created before the implementation of this RFC will default to the legacy scope. From 48d8cf4f723a92f4bd6f7d961ea432a984c12eca Mon Sep 17 00:00:00 2001 
From: Tobias Bieniek Date: Wed, 19 Oct 2022 13:04:55 +0200 Subject: [PATCH 4/6] token-scopes: Rephrase "crates scope" guide to only allow wildcards at the end --- text/0000-crates-io-token-scopes.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/text/0000-crates-io-token-scopes.md b/text/0000-crates-io-token-scopes.md index 8cb1a779711..4d32d276a26 100644 --- a/text/0000-crates-io-token-scopes.md +++ b/text/0000-crates-io-token-scopes.md 
@@ -56,19 +56,19 @@ scope. The user will be able to opt into limiting which crates the token can act on by defining a crates scope. -The crates scope can be left empty to allow the token to act on all the crates -owned by the user, or it can contain the comma-separated list of crate names -the token can interact with. Crate names can contain `*` to match zero or more -characters. +The crates scope can contain a list of crate name patterns the token can +interact with. Crate name patterns can either be regular crate names or they +can end with a `*` character to match zero or more characters. -For example, a crates scope of `lazy_static,serde*` allows the token to act on -the `lazy_static` crate or any present or future crates starting with `serde` -(including `serde` itself), if the user is an owner of those crates. +For example, a crate name pattern of `lazy_static` will only make the token +apply to the corresponding crate, while `serde*` allows the token to act on +any present or future crates starting with `serde` (including `serde` itself), +but only if the user is an owner of those crates. The crates scope will allow access to all present and future crates matching it. When an endpoint that doesn't interact with crates is called by a token with a crates scope, the crates scope will be ignored and the call will be -authorized. +authorized, unless limited by an endpoint scope (see above). Tokens created before the implementation of this RFC will default to an empty crate scope filter (equivalent to no restrictions). From fb5579799cf621ed7344c29f30e02a10b8283983 Mon Sep 17 00:00:00 2001 From: Tobias Bieniek Date: Wed, 19 Oct 2022 13:05:48 +0200 Subject: [PATCH 5/6] token-scopes: Split "no change to cargo" part into dedicated paragraph This is somewhat unrelated to the previous sentence and deserves its own paragraph --- text/0000-crates-io-token-scopes.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/text/0000-crates-io-token-scopes.md b/text/0000-crates-io-token-scopes.md index 4d32d276a26..b67ec496927 100644 --- a/text/0000-crates-io-token-scopes.md +++ b/text/0000-crates-io-token-scopes.md @@ -77,9 +77,10 @@ crate scope filter (equivalent to no restrictions). [reference-level-explanation]: #reference-level-explanation Endpoint scopes and crates scope are two completely separate systems, and can be -used independently of one another. Token scopes will be implemented entirely -on the crates.io side, and there will be no change to `cargo` or alternate -registries. +used independently of one another. + +Token scopes will be implemented entirely on the crates.io side, and there will +be no change necessary to `cargo` or alternate registries. ## Endpoint scopes From 1d9527ec45fb590566394055fab2e465df04a820 Mon Sep 17 00:00:00 2001 From: Tobias Bieniek Date: Wed, 19 Oct 2022 13:07:10 +0200 Subject: [PATCH 6/6] token-scopes: Remove regular expression implementation details --- text/0000-crates-io-token-scopes.md | 26 +------------------------- 1 file changed, 1 insertion(+), 25 deletions(-) diff --git a/text/0000-crates-io-token-scopes.md b/text/0000-crates-io-token-scopes.md index b67ec496927..04dacb44133 100644 --- a/text/0000-crates-io-token-scopes.md +++ b/text/0000-crates-io-token-scopes.md 
@@ -104,31 +104,7 @@ existing set of endpoints in that scope. ## Crates scope -The pattern for the crate scope is desugared into a regular expression, -following these rules: - -* **`^(`** is added at the start of the pattern, and **`)$`** is added at the end of it. -* **`,`** is desugared into `|`, separating multiple patterns. -* **`*`** is desugared into `.*`, matching zero or more characters greedily. -* All other non-alphanumeric characters are quoted to prevent them from having - a special meaning. - -As an example, the following pattern: - -``` -foo,bar-* -``` - -... is desugared into the following regex: - -``` -^(foo|bar\-.*)$ -``` - -Any combination of those characters is allowed, but crates.io might define a -complexity limit for the generated regular expressions. - -The pattern will be evaluated during each API call, and if no match is found +The patterns will be evaluated during each API call, and if no match is found the request will be denied. Because it's evaluated every time, a crates scope will allow interacting with matching crates published after token creation.
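Review bot: in the PATCH 1/6 endpoint table, each row only says which scope grants a listed endpoint; nothing states what happens to an endpoint that is not listed when the token lacks **legacy**. Since the paragraph after the table treats adding an existing endpoint to a scope as a breaking change, the intended rule is presumably deny-by-default for non-legacy tokens, so say it explicitly, e.g. "Endpoints not listed here are denied for any token without the **legacy** scope." Also note that `PUT /crates/new` appears twice with different required scopes depending on whether the crate already exists, so the authorization decision depends on registry state read at request time; the reference-level text should state which scope is checked if the crate comes into existence between the scope check and the write.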
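Review bot: after the PATCH 3/6 hunk removes the pre-selection paragraph, the only remaining statement about defaults in that section is "Tokens created before the implementation of this RFC will default to the legacy scope", which can be read as implying that newly created tokens also default to **legacy**. Even if the default selection is to be settled separately, as the commit message says, leave one sentence recording that, e.g. "Which endpoint scopes the UI pre-selects for new tokens is left to the implementation", or state that no endpoint scope is selected by default, so the RFC cannot be read as granting **legacy** to new tokens.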
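Review bot: the PATCH 4/6 hunk drops the sentence that defined an empty crates scope as allowing the token "to act on all the crates owned by the user", yet the unchanged context at the end of the same hunk still says old tokens "default to an empty crate scope filter (equivalent to no restrictions)", so the meaning of an empty crates scope for new tokens is now defined only by implication. Restore an explicit sentence, e.g. "An empty crates scope places no restriction on which crates the token can act on." The new wording also leaves two edge cases open that the old "comma-separated list" wording did not: whether a bare `*` pattern is accepted (it would match every crate, i.e. be equivalent to the empty scope), and whether a pattern is compared against the stored crate name exactly or after any normalization. Both should be stated so a user writing `serde*` knows precisely which crates it reaches.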
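Review bot: with the PATCH 6/6 hunk removing the regex desugaring, the reference-level "Crates scope" section no longer defines the matching rule at all; it only says the patterns "will be evaluated during each API call". The guide-level text in PATCH 4/6 describes exact match or a trailing-`*` prefix match, so the normative rule belongs here in one sentence, e.g. "A pattern without `*` matches only the crate with exactly that name; a pattern ending in `*` matches every crate whose name starts with the characters before the `*`." The removed lines were also the only mention of a complexity limit; with patterns reduced to literal-or-prefix the regex cost concern goes away, but since the list is evaluated on every API call it is still worth keeping a sentence allowing crates.io to cap the number of patterns per token.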