First capability-securable implementation of Dataspaces.

# novy-syndicate

A follow-on from Syndicate-2017, incorporating object-capability-based
securability and other ideas from E.

You can view this as Syndicate plus locations and capabilities, or as
E plus Syndicate-style shared state and fault-tolerance.

The capabilities offer *securability* of Syndicate-style
point-to-point and multiparty communications, a necessary precondition
for wider use of Syndicate-like ideas.

The locations offer abstraction over *distribution* of Syndicate
systems, a necessary precondition for modular reasoning about and
reuse of Syndicate subsystems.

## Take it for a spin

```
git clone https://git.syndicate-lang.org/syndicate-lang/novy-syndicate
cd novy-syndicate
yarn install
yarn build
```

Start a server containing a single dataspace:

```
node -r esm lib/distributed/server.js
```

It will print out a "root" capability giving full control of the
contents of the dataspace:

```
$ node -r esm lib/distributed/server.js
<ref "syndicate" [] #"\xa6H\x0d\xf50f\x11\xdd\xd0\xd3\x88+Tn\x19w">
b4b303726566b10973796e646963617465b584b210a6480df5306611ddd0d3882b546e197784
```

Next, try running the `simple-chat` example in a separate terminal:

```
node -r esm lib/distributed/sandbox.js ../examples/simple-chat.js \
  b4b303726566b10973796e646963617465b584b210a6480df5306611ddd0d3882b546e197784
```

Note that the second command-line argument is the capability to use to
gain access to the server.

Run the same command again in another separate terminal. Typing into
one terminal will be relayed to the other; the command
`/nick <newnick>` will change nickname.

Next, generate an *attenuated* capability which will only allow
interaction via the nickname `tonyg`:

```
node -r esm lib/tools/attenuate.js \
  b4b303726566b10973796e646963617465b584b210a6480df5306611ddd0d3882b546e197784 \
  '[<or [
     <rewrite <bind p <compound <rec Present 1> {0: <lit "tonyg">}>> <ref p>>
     <rewrite <bind p <compound <rec Says 2> {0: <lit "tonyg"> 1: String}>> <ref p>>
   ]>]'
```

The result is the following data structure:

```
<ref "syndicate" [[<or [
  <rewrite <bind p <compound <rec Present 1> {0: <lit "tonyg">}>> <ref p>>,
  <rewrite <bind p <compound <rec Says 2> {
    0: <lit "tonyg">,
    1: String
  }>> <ref p>>
]>]] #[oHFy7B4NPVqhD6zJmNPbhg==]>
```

It is a
[Macaroon](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/41892.pdf),
based on the "root" capability, but with additional restrictions added
to it.
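
The chained-MAC idea behind that attenuation, as an added example that is not the project's code: each caveat is folded into the signature with an HMAC keyed by the previous signature, so a holder can add restrictions without the server's key but cannot strip them off again. HMAC-SHA256, the JSON caveat encoding and the simplified `permits` matcher are assumptions made for illustration.

```javascript
// Added example, not novy-syndicate code. HMAC-SHA256 and the JSON caveat
// encoding are assumptions; the project's own MAC and encoding may differ.
const { createHmac, timingSafeEqual } = require('node:crypto');

const mac = (key, data) => createHmac('sha256', key).update(data).digest();

// Server: mint the root capability for an object id under its secret key.
function mint(secretKey, oid) {
  return { oid, caveats: [], sig: mac(secretKey, oid) };
}

// Holder: append a caveat. Only the current signature is needed, never the key.
function attenuate(cap, caveat) {
  const encoded = JSON.stringify(caveat);
  return { oid: cap.oid, caveats: [...cap.caveats, encoded], sig: mac(cap.sig, encoded) };
}

// Server: recompute the whole chain from the secret key and compare.
function verify(secretKey, cap) {
  let sig = mac(secretKey, cap.oid);
  for (const encoded of cap.caveats) sig = mac(sig, encoded);
  return sig.length === cap.sig.length && timingSafeEqual(sig, cap.sig);
}

// Simplified stand-in for the rewrite patterns: a caveat is a list of
// alternatives (like <or [...]>); a fixed field acts like <lit ...>, null
// accepts any value. Every caveat in the chain must accept the assertion.
function permits(cap, assertion) {
  return cap.caveats.every((encoded) =>
    JSON.parse(encoded).some((alt) =>
      alt.label === assertion.label &&
      alt.fields.length === assertion.fields.length &&
      alt.fields.every((f, i) => f === null || f === assertion.fields[i])));
}

// Constructed demo values (not the README's key or capability).
function demo() {
  const key = Buffer.from('constructed-demo-key');
  const tonyg = attenuate(mint(key, 'syndicate'), [
    { label: 'Present', fields: ['tonyg'] },
    { label: 'Says', fields: ['tonyg', null] },
  ]);
  return {
    valid: verify(key, tonyg),
    saysAsTonyg: permits(tonyg, { label: 'Says', fields: ['tonyg', 'hello'] }),
    saysAsOther: permits(tonyg, { label: 'Says', fields: ['alice', 'hello'] }),
    strippedCaveat: verify(key, { ...tonyg, caveats: [] }),
  };
}
```

Dropping the caveat list while keeping the attenuated signature fails verification, which is why the restricted chat client cannot widen its own access.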

To try it out, terminate one of the chat clients, and restart it using
the hex form of the attenuated capability:

```
node -r esm lib/distributed/sandbox.js ../examples/simple-chat.js \
  b4b303726566b10973796e646963617465b5b5b4b3026f72b5b4b30772657772697465b4b30462696e64b30170b4b308636f6d706f756e64b4b303726563b30750726573656e749184b790b4b3036c6974b105746f6e796784848484b4b303726566b301708484b4b30772657772697465b4b30462696e64b30170b4b308636f6d706f756e64b4b303726563b304536179739284b790b4b3036c6974b105746f6e79678491b306537472696e67848484b4b303726566b30170848484848484b210a07172ec1e0d3d5aa10facc998d3db8684
```

Notice that (a) this new client can't hear anything from its peers and
(b) can't send anything either -- *until* it changes its nickname to
`tonyg` (via `/nick tonyg`). Then, its peers can hear it. But to allow
it to hear its peers, we need to add another option when we attenuate
the root capability:

```
node -r esm lib/tools/attenuate.js \
  b4b303726566b10973796e646963617465b584b210a6480df5306611ddd0d3882b546e197784 \
  '[<or [
     <rewrite <bind p <compound <rec Present 1> {0: <lit "tonyg">}>> <ref p>>
     <rewrite <bind p <compound <rec Says 2> {0: <lit "tonyg"> 1: String}>> <ref p>>
     <rewrite <bind p <compound <rec Observe 2> {}>> <ref p>>
   ]>]'
```

The result,

```
<ref "syndicate" [[<or [
  <rewrite <bind p <compound <rec Present 1> {0: <lit "tonyg">}>> <ref p>>,
  <rewrite <bind p <compound <rec Says 2> {
    0: <lit "tonyg">,
    1: String
  }>> <ref p>>,
  <rewrite <bind p <compound <rec Observe 2> {}>> <ref p>>
]>]] #[FqMH2fgbrM29dQedmuFclg==]>
```

allows assertion of `<Present "tonyg">`, transmission of
`<Says "tonyg" _>`, and observation of anything at all in the dataspace, with
assertion of `<Observe _ _>`.

Rerunning the chat client with the hex form of the capability shows
off the new behaviour:

```
node -r esm lib/distributed/sandbox.js ../examples/simple-chat.js \
  b4b303726566b10973796e646963617465b5b5b4b3026f72b5b4b30772657772697465b4b30462696e64b30170b4b308636f6d706f756e64b4b303726563b30750726573656e749184b790b4b3036c6974b105746f6e796784848484b4b303726566b301708484b4b30772657772697465b4b30462696e64b30170b4b308636f6d706f756e64b4b303726563b304536179739284b790b4b3036c6974b105746f6e79678491b306537472696e67848484b4b303726566b301708484b4b30772657772697465b4b30462696e64b30170b4b308636f6d706f756e64b4b303726563b3074f6273657276659284b7848484b4b303726566b30170848484848484b21016a307d9f81baccdbd75079d9ae15c9684
```
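
To check what a capability grants before handing it out, its hex form can be decoded back into the structure shown in text form above. This added example (not the project's own decoder) handles only the tags that occur in the capabilities on this page; the tag meanings are assumptions inferred from the README's paired text and hex forms.

```javascript
// Added example, not novy-syndicate code. Tag meanings are assumptions inferred
// from the README's paired text and hex capability forms, not from a format spec.
const ROOT_HEX = // the "root" capability printed in the README
  'b4b303726566b10973796e646963617465b584b210a6480df5306611ddd0d3882b546e197784';

function decodeCapability(hex) {
  const buf = Buffer.from(hex, 'hex');
  let pos = 0;
  const byte = () => {
    if (pos >= buf.length) throw new Error('truncated input');
    return buf[pos++];
  };
  const varint = () => { // length prefix: base-128, low 7 bits first (assumed)
    let n = 0, scale = 1, b;
    do { b = byte(); n += (b & 0x7f) * scale; scale *= 128; } while (b & 0x80);
    return n;
  };
  const take = (n) => {
    if (pos + n > buf.length) throw new Error('length runs past end of input');
    return buf.subarray(pos, (pos += n));
  };
  const untilEnd = () => { // read values up to the 0x84 end marker
    const out = [];
    while (pos < buf.length && buf[pos] !== 0x84) out.push(value());
    byte(); // consume 0x84, or throw if the input ended first
    return out;
  };
  function value() {
    const tag = byte();
    if (tag >= 0x90 && tag <= 0x9c) return tag - 0x90; // small integer
    switch (tag) {
      case 0xb1: return take(varint()).toString('utf8'); // string
      case 0xb2: return { bytes: take(varint()).toString('hex') };
      case 0xb3: return { symbol: take(varint()).toString('utf8') };
      case 0xb4: { const [label, ...fields] = untilEnd(); return { record: label, fields }; }
      case 0xb5: return untilEnd(); // sequence
      case 0xb7: { // dictionary: alternating keys and values
        const kv = untilEnd(), pairs = [];
        if (kv.length % 2) throw new Error('dictionary key without value');
        for (let i = 0; i < kv.length; i += 2) pairs.push([kv[i], kv[i + 1]]);
        return { dict: pairs };
      }
      default: throw new Error('unsupported tag 0x' + tag.toString(16));
    }
  }
  const result = value();
  if (pos !== buf.length) throw new Error('trailing bytes after capability');
  return result;
}
```

For the root capability the second field decodes to an empty sequence (no caveats); for the attenuated forms it holds the `<or [...]>` alternatives, which is the part to review before sharing the hex string.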