Skip to content

Updating a policy

In this assignment, we learn how to update a policy. Recall that in assignment 2, we used the wrong version of the policy language. We wanted to use version "0.3" but we "wrongly" used "0.2" instead. Because of this version mismatch, our "namespace" does not actually work: Only starting with version "0.3", one can use a policy as a namespace.

We now want to update the namespace from version "0.2" to session "0.3". We also want to be explicit about who gets access to this policy with the help of an access policy. Only entities that know the private keys for a given public key can access the namespace.

Task 1

First, retrieve the policy and compute the hash value as you already done in the last assignment. Use the computed has value as predecessor in the updated policy.

predecessor: $PREDECESSOR

Second, update the namespace policy to use version "0.3".

version: "0.3"

Third, create an explicit access policy that only grants you permission to read and update the policy. Moreover, only your own key should be able to create policies in this namespace.

Task 2

One potential problem is that a policy is briefly modified to grant access to a program or entity temporarily. After this access has been used, the policy is changed back to the old version of the policy. SCONE CAS keeps the complete history of a policy. Given the current policy, one can use the predecessor field to retrieve the predecessor of the policy. Eventually, we will retrieve a version of the policy with an empty predecessor. This is the first policy with this name.

Note that SCONE CAS does not permit to delete policies. In this way, one can always retrieve the complete history. Moreover, no entity can generate a policy with the same hash as any of the policies that ever existed on this CAS. In other words, attempts to hide a policy change by trying to delete a policy and then recreating a policy with the same name will fail.

The second task is to retrieve and print all versions of your namespace.

Background

The default access policy of a namespace is as follows:

access_policy:
  read:
    - CREATOR
  update:
    - CREATOR
  create_sessions:
    - CREATOR
    - 

This means that the public key used to create this policy / namespace, can be used to read this policy, to update this policy, or to create sessions in this namespace.

To retrieve a policy with a given hash, we can use the following URL: https://cas:8081/v1/sessions/${NS}?hash=${PRED}. Where $NS contains the name of the policy and $PRED its hash. We can start with the $PRED being the hash of the current policy. We retrieve this policy, extract the value of the predecessor field. We then repeat these steps until no predecessor is defined.

Note that extracting fields in Yaml is not as well supported as extracting fields from Json. One way to extract this is to use a simple Python program. Also, to retrieve the session from SCONE CAS, you need a client certificate that grants you read access to the policy. Also, provide the CAS certificate to curl to prevent potential man-in-the-middle attacks.

Solution

A solution for this task for bash is available at assignment 4.

Screencast

Troubleshooting

  • Please have a look at the troubleshooting hints from the previous assignments. If you experience any additional issues, please let us know via email. We will add the issue and a proposed solution to this troubleshooting section.