Policy: add scopes to ease usability #34552

bmeck · 2020-07-29T15:05:23Z

Checklist

make -j4 test (UNIX), or vcbuild test (Windows) passes
tests and/or benchmarks are included
documentation is changed or added
commit message follows commit guidelines

This adds a mechanism matching package.json that allows setting default "integrity" and "dependency" values by a URL subspace. It also adds the ability to opt-in to cascading permissions by introducing "cascade": true. It uses a separate field in the policy file due to collisions of string representation of scopes and potential resources.

bmeck · 2020-08-07T13:41:04Z

I've noted that full protocol scoping is not currently possible for https: since http requires a host, similarly file:// does not cover non-localhost file hosts.

bmeck · 2020-08-07T19:57:36Z

Ugggg, blob: inherits origin from parsing in its path... mmmm I guess we should match and special case so that blob: never inherits from a protocol level scope?

bmeck · 2020-08-14T20:05:16Z

rebased due to this and conditions landing a bit uncleanly

nodejs-github-bot · 2020-08-18T01:16:12Z

CI: https://ci.nodejs.org/job/node-test-pull-request/32819/

bmeck · 2020-08-18T04:12:59Z

this is pretty much just ready for review, some odd quirks about node do leak out like how the '-e' and '-p' CLI flags treat their location as files?

doc/api/policy.md

jasnell · 2020-08-18T15:57:42Z

doc/api/policy.md

+If a dependency is not found, the resource may include `"cascade": true` which
+will delegate to a scope. Scopes may also use `"cascade": true`. The scope for


These two sentences are a bit confusing and awkward together

how about combining them:

If a scope or resource includes "cascade": true unknown specifiers will
be searched for in their containing scope.

doc/api/policy.md

lib/internal/modules/esm/get_source.js

lib/internal/modules/esm/resolve.js

test/fixtures/policy/dependencies/dependencies-scopes-policy.json

bmeck · 2020-08-19T14:29:08Z

Wrote up some attack concerns on adding this feature in some slides. I believe the risk of using this feature is acceptable.

bmeck · 2020-08-20T13:28:43Z

CI: https://ci.nodejs.org/job/node-test-pull-request/32867/

bmeck · 2020-08-21T14:22:13Z

I intend to land this on Monday.

bmeck · 2020-08-25T16:31:09Z

rebased but waiting on ci reliability (seems unrelated?)

nodejs-github-bot · 2020-08-26T18:40:00Z

CI: https://ci.nodejs.org/job/node-test-pull-request/32945/

PR-URL: #34552 Reviewed-By: James M Snell <jasnell@gmail.com>

bmeck · 2020-08-26T19:36:35Z

Landed in 4234904

PR-URL: #34552 Reviewed-By: James M Snell <jasnell@gmail.com>

bmeck added wip Issues and PRs that are still a work in progress. module Issues and PRs related to the module subsystem. experimental Issues and PRs related to experimental features. policy Issues and PRs related to the policy subsystem. labels Jul 29, 2020

bmeck force-pushed the policy-scopes branch from 2b11d70 to 6a3b6df Compare August 11, 2020 17:33

jasnell approved these changes Aug 11, 2020

View reviewed changes

bmeck force-pushed the policy-scopes branch 3 times, most recently from e25f721 to 6233f31 Compare August 14, 2020 20:04

bmeck removed the wip Issues and PRs that are still a work in progress. label Aug 18, 2020

bmeck force-pushed the policy-scopes branch from dfeb21d to 0c65b32 Compare August 18, 2020 01:15

bmeck force-pushed the policy-scopes branch from 0c65b32 to fe9ac67 Compare August 18, 2020 01:30

bmeck requested review from jasnell and guybedford August 18, 2020 14:36