Canister Access Control

marcpp · July 10, 2024, 8:57am

I have an app which consists of 5 canisters.

Problem

Most methods within those canisters are declared as public shared, because I need to use them from other canisters (frontend canister or even other canisters). But this means those methods are accessible by anyone outside the app, right?

Question

What are the recommendations for protecting access to methods of those canisters, considering that I will also need access to those methods from outside the app, from specific principals (for monitoring purposes) ?

I’ve browsed around the forum threads a bit, but haven’t found anything relevant. I’m probably not using the right keywords, because this seems like an obvious security concern.

Thanks!

jennifertran · July 10, 2024, 4:36pm

Yes, anyone can access the functions. The best way to test if a function is completely public is to try it without authenticating to the Candid UI (the backend link provided) when you deploy (either locally or on the mainnet).

An initial thing is to require users to authenticate to access the function.

For example, in Rust:

let caller = ic_cdk::caller();
    if caller == Principal::anonymous() {
        panic!("Anonymous principal not allowed to make calls.")
    }
    caller

jennifertran · July 10, 2024, 4:48pm

It sounds like you want to take a step even further by only allowing users who have authenticated on your frontend to access any backend functions. There isn’t a built-in way to do this.

marcpp · July 10, 2024, 4:54pm

Thanks ! Actually, I want to go even one step further: I want some methods to be usable only by a predetermined list of canisters (other canisters of my app + me). I guess I can manually check that the caller is among that list. But yes, my question was exactly this: is there any built-in way of doing this? (I use Motoko)

jennifertran · July 10, 2024, 4:59pm

Yes, you would be able to do this.

You could create a hashmap of the list of canisters (an array would work too but I prefer hashmaps) and loop through it to check the caller is one of the principals in the hashmap.

marcpp · July 11, 2024, 2:18pm

What would be a proper way to wrap all methods with a principal check?

zensh · July 11, 2024, 3:24pm

I implemented an access control mechanism based on access tokens in the ic-oss service.

This allows for fine-grained permission control over files, folders, buckets, cluster, including support for permission inheritance in the file tree. It is a highly flexible access control system designed to meet enterprise needs.
I plan to develop it into a standalone access control service that can be called by other canisters.

Source code for permission definitions:

github.com

ldclabs/ic-oss/blob/main/src/ic_oss_types/src/permission.rs

use std::collections::BTreeSet;
use std::fmt;
use std::ops::Deref;

/// Validate name of resource, operation, constraint, resource path, etc.
/// Valid characters: A-Z, a-z, 0-9, _, -
pub fn validate_name(s: &str) -> Result<(), String> {
    if s.is_empty() {
        return Err("empty string".to_string());
    }

    for c in s.chars() {
        if !matches!(c, 'A'..='Z' | 'a'..='z' | '0'..='9' | '_' | '-') {
            return Err(format!("invalid character: {}", c));
        }
    }
    Ok(())
}

#[derive(Clone, Debug, Default, PartialEq, Eq, PartialOrd, Ord)]

This file has been truncated. show original

Example source code for querying permissions:

github.com

ldclabs/ic-oss/blob/main/src/ic_oss_bucket/src/permission.rs

use candid::Principal;
use ic_oss_types::permission::{Operation, Permission, PermissionChecker, Policies, Resource};

use crate::store::fs;

pub fn check_bucket_read(ps: &Policies, bucket: &Principal) -> bool {
    ps.has_permission(
        &Permission {
            resource: Resource::Bucket,
            operation: Operation::Read,
            constraint: Some(Resource::Other("Info".to_string())),
        },
        bucket.to_string().as_str(),
    )
}

pub fn check_folder_list(ps: &Policies, bucket: &Principal, parent: u32) -> bool {
    if !ps.has_permission(
        &Permission {
            resource: Resource::Bucket,

This file has been truncated. show original

github.com

ldclabs/ic-oss/blob/main/src/ic_oss_bucket/src/api_query.rs#L58


      
                  status: r.status,
                  visibility: r.visibility,
                  managers: r.managers.clone(),
                  auditors: r.auditors.clone(),
                  trusted_ecdsa_pub_keys: r.trusted_ecdsa_pub_keys.clone(),
                  trusted_eddsa_pub_keys: r.trusted_eddsa_pub_keys.clone(),
              }))
          }
          
          #[ic_cdk::query]
          fn get_file_info(id: u32, access_token: Option<ByteBuf>) -> Result<FileInfo, String> {
              match store::fs::get_file(id) {
                  None => Err("file not found".to_string()),
                  Some(file) => {
                      let canister = ic_cdk::id();
                      let ps = match store::state::with(|s| {
                          s.read_permission(
                              &ic_cdk::caller(),
                              &canister,
                              access_token,
                              ic_cdk::api::time() / SECONDS,

anon74414410 · July 11, 2024, 3:56pm

The high level approach is to return a Result rather than the direct type you want to return.

Then you can add a check of

if is_authorized(caller) {
  #err("Not Authorized);
}

at the start of each access controlled method.

You can use a library to abstract this, but it’s easy enough to check against a hardcoded or dynamic list.

marcpp · July 11, 2024, 4:05pm

Yes, I see. I’m already using Result on all my methods so it should be straight forward to add.

As for your last sentence, I agree, but it just feels like every single project building on canisters will want a way to protect their methods, no? So I’m a bit surprised that there’s no “built-in” way to do this already.

In case someone else is interested, I dug up this topic which appears to be doing exactly this in Motoko.

Topic		Replies	Views
I want a function on a canister to be callable only by another canister on the IC, and not by an API call or any other canister Developers	7	514	February 22, 2022
How to restrict/encrypt canister calls Developers	6	401	December 15, 2023
Securing backend Motoko	0	95	June 18, 2024
Feature Request: Mechanism to figure out if a call to a canister comes from canisters belonging to the same project Developers	8	734	March 24, 2023
Calling canister on main network needs no authentication Developers	2	540	March 2, 2022

Canister Access Control

Related topics