mirror of
https://github.com/onsonr/sonr.git
synced 2025-03-10 21:09:11 +00:00
105 lines
3.3 KiB
Markdown
105 lines
3.3 KiB
Markdown
# `x/macaroon`
|
|
|
|
The Macaroon module is responsible for providing decentralized access control and service authorization for the Sonr ecosystem. It implements macaroon-based authentication and authorization mechanisms.
|
|
|
|
## Concepts
|
|
|
|
Macaroons are a type of bearer credential that allow for decentralized delegation, attenuation, and third-party caveats. This module implements the core functionality for creating, validating, and managing macaroons within the Sonr ecosystem.
|
|
|
|
## State
|
|
|
|
The module maintains the following state:
|
|
|
|
### Grant
|
|
|
|
Represents a permission grant with the following fields:
|
|
- `id`: Unique identifier (auto-incremented)
|
|
- `controller`: Address of the controller
|
|
- `subject`: Subject of the grant
|
|
- `origin`: Origin of the grant
|
|
- `expiry_height`: Block height at which the grant expires
|
|
|
|
### Macaroon
|
|
|
|
Represents a macaroon token with the following fields:
|
|
- `id`: Unique identifier (auto-incremented)
|
|
- `controller`: Address of the controller
|
|
- `subject`: Subject of the macaroon
|
|
- `origin`: Origin of the macaroon
|
|
- `expiry_height`: Block height at which the macaroon expires
|
|
- `macaroon`: The actual macaroon token
|
|
|
|
## State Transitions
|
|
|
|
State transitions occur through the following messages:
|
|
- `MsgUpdateParams`: Updates the module parameters
|
|
- `MsgIssueMacaroon`: Issues a new macaroon
|
|
|
|
## Messages
|
|
|
|
### MsgUpdateParams
|
|
|
|
Updates the module parameters. Can only be executed by the governance account.
|
|
|
|
Fields:
|
|
- `authority`: Address of the governance account
|
|
- `params`: New parameter values
|
|
|
|
### MsgIssueMacaroon
|
|
|
|
Issues a new macaroon for a given controller and origin.
|
|
|
|
Fields:
|
|
- `controller`: Address of the controller
|
|
- `origin`: Origin of the request in wildcard form
|
|
- `permissions`: Map of permissions
|
|
- `token`: Macaroon token to authenticate the operation
|
|
|
|
## Queries
|
|
|
|
The module provides the following queries:
|
|
|
|
- `Params`: Retrieves the current module parameters
|
|
- `RefreshToken`: Refreshes a macaroon token (post-authentication)
|
|
- `ValidateToken`: Validates a macaroon token (pre-authentication)
|
|
|
|
## Parameters
|
|
|
|
The module has the following parameters:
|
|
|
|
- `methods`: Defines the available DID methods
|
|
- `default`: Default method
|
|
- `supported`: List of supported methods
|
|
- `scopes`: Defines the set of scopes
|
|
- `base`: Base scope
|
|
- `supported`: List of supported scopes
|
|
- `caveats`: Defines the available caveats
|
|
- `supported_first_party`: List of supported first-party caveats
|
|
- `supported_third_party`: List of supported third-party caveats
|
|
- `transactions`: Defines the allowlist and denylist for transactions
|
|
- `allowlist`: List of allowed transactions
|
|
- `denylist`: List of denied transactions
|
|
|
|
## Events
|
|
|
|
The module may emit events related to macaroon issuance, validation, and refreshing. (Specific event details to be implemented)
|
|
|
|
## Client
|
|
|
|
The module provides gRPC endpoints for all queries and message types defined in the protobuf files.
|
|
|
|
## Future Improvements
|
|
|
|
- Implement more advanced caveat types
|
|
- Add support for third-party caveats
|
|
- Enhance macaroon revocation mechanisms
|
|
- Implement additional security features and checks
|
|
|
|
## Tests
|
|
|
|
(To be implemented: Acceptance tests for the module's functionality)
|
|
|
|
## Appendix
|
|
|
|
For more information on macaroons and their implementation, refer to the original macaroon paper: "Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud" by Arnar Birgisson, et al.
|