fix(contract): propagate with_actor/with_scope to bound function #361
Open
wolfy-j wants to merge 5 commits into
A contract framed with :with_actor()/:with_scope() shipped the actor and security scope in OpenCmd, but the dispatcher dropped them: handleOpen only passed the binding scope to Instantiate, and instanceImpl.Call built the task with no security pairs. So a bound function always ran under the caller's ambient actor, and framing a specific owner was silently ignored.

Carry the open-time actor/scope onto the instance and append ActorPair/ScopePair to task.Context on every call (the same mechanism funcs uses for its with_actor/with_scope), so the bound function runs under the framed security context. Only applied when explicitly framed, so non-framed calls keep inheriting the ambient context unchanged.

Adds integration tests asserting the framed actor reaches the bound function and persists across multiple calls on the same instance.
Add a securityFramer capability interface so handleOpen frames instances through an explicit port rather than a concrete-type assertion; a custom Instantiator can now opt into security framing.

Tests:
- scope propagation via with_scope reaches the bound function
- with_actor overrides an ambient actor; no framing inherits it
- instance-level proof that a framed scope carries its policies
…ags, dedup test handler

- remove redundant instance != nil guard (comma-ok assertion handles nil)
- group hasActor/hasScope flags after the value fields
- extract shared actorReportFunc; collapse four duplicate inline handlers
Problem
A contract framed with :with_actor()/:with_scope() silently dropped the actor. The Lua contract module sets Actor/HasActor/SecurityScope/HasScope on OpenCmd, but the dispatcher never applied them:

- system/contract/dispatcher.go handleOpen passed only openCmd.Scope (the binding value bag) to Instantiate and forked the ambient frame context.
- instanceImpl.Call built the runtime.Task with value pairs only, no security pairs.

Net effect: a bound function always ran under the caller's ambient security.actor(). Framing a specific owner (e.g. a background job registering a component on behalf of a user) was ignored, surfacing as No authenticated actor found. By contrast funcs works because it appends secapi.ActorPair/ScopePair to Task.Context.

Fix
Mirror the funcs mechanism: carry the open-time actor/scope onto instanceImpl (set in handleOpen from OpenCmd — same package, no interface change), and append ActorPair/ScopePair to task.Context in Call only when explicitly framed. Non-framed calls keep inheriting the ambient context unchanged.

Tests
- TestIntegration_ActorPropagation — opened :with_actor("framed-user"), the bound function must observe that actor (was no-actor before the fix).
- TestIntegration_ActorPropagation_PersistsAcrossCalls — the framed actor persists across multiple calls on the same instance.
- go build ./..., go vet, and the system/contract/runtime/lua/modules/contract/funcs suites all pass.
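
A self-contained Go model of the propagation described in this pull request, added here as an illustration and not taken from the project's code. Pair, instance, open, call, resolve, the string-typed fields and the last-pair-wins lookup are assumptions; only the OpenCmd field names and the no-actor value come from the page.

```go
package main

import "fmt"

// Simplified model, not the project's code: every type here is a stand-in.
type Pair struct{ Key, Value string }

// OpenCmd uses the field names from the PR; string types are assumed.
type OpenCmd struct {
	Actor, SecurityScope string
	HasActor, HasScope   bool
}

type instance struct{ cmd OpenCmd }

// open keeps the open-time framing on the instance (the step that was missing).
func open(cmd OpenCmd) *instance { return &instance{cmd: cmd} }

// call builds the per-call context: ambient pairs first, framed pairs appended
// only when explicitly set, so a non-framed instance inherits ambient unchanged.
func (i *instance) call(ambient []Pair) []Pair {
	ctx := append([]Pair{}, ambient...)
	if i.cmd.HasActor {
		ctx = append(ctx, Pair{"actor", i.cmd.Actor})
	}
	if i.cmd.HasScope {
		ctx = append(ctx, Pair{"scope", i.cmd.SecurityScope})
	}
	return ctx
}

// resolve is what the bound function observes; the last pair wins (assumed).
func resolve(ctx []Pair, key string) string {
	for n := len(ctx) - 1; n >= 0; n-- {
		if ctx[n].Key == key {
			return ctx[n].Value
		}
	}
	return "no-" + key
}

func main() {
	ambient := []Pair{{"actor", "background-job"}} // constructed sample value
	framed := open(OpenCmd{Actor: "framed-user", HasActor: true})
	plain := open(OpenCmd{}) // dropped framing behaves like this instance
	fmt.Println(resolve(framed.call(ambient), "actor"))
	fmt.Println(resolve(plain.call(ambient), "actor"))
	fmt.Println(resolve(plain.call(nil), "actor"))
}
```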