From: Juliusz Chroboczek <jch@irif.fr>
To: galene@lists.galene.org
Subject: [Galene] Help with subtree tokens
Date: Sat, 07 Dec 2024 13:31:33 +0100
Message-ID: <87ikrvfzdm.wl-jch@irif.fr>
Hi,
We need two things:
1. global admin tokens, tokens that give admin rights to the whole server;
2. a way to give out administrator (not op) powers for a hierarchy.
Point (1) is so that administrators don't need to store a password in
order to use galenectl, just the admin token. That's good for security,
since people are unlikely to reuse tokens across sites, and also because
tokens are easier to revoke than passwords.
Point (2) is so that I can tell people "here's an admin token for
teaching/*", and they can administer the teaching hierarchy.
Here's my plan to achieve both, please let me know if it makes sense to
you.
# Current format of stateful tokens
A stateful token currently looks like this:
{
  "token": "Xul0t84QJlE",
  "group": "admin",
  "permissions": ["present"],
  "expires": "2029-10-24T15:03:00Z"
}
There are other fields, but they are optional. Stateful tokens are stored
in the file data/var/tokens.jsonl. Creating a new token is an efficient
operation, since we just append a line to the file, but modifying a token
requires rewriting the whole file. Tokens are cached in main memory, so
fetching a token is just a hashtable access.
The protocol is designed so that other, more efficient implementations are
possible if the single file ends up being a bottleneck. In particular,
since a token is specific to a single group, it would be possible to have
per-group token files. If you enjoy Cobol, you might also consider
storing tokens in an SQL table with "token" the primary key.
Every 15 minutes, we walk through the tokens list and garbage collect any
tokens that have been expired for 24 hours or more.
# Plan for subtree tokens
A subtree token looks just like a normal token, but has the additional
field "include-subgroups":
{
  "token": "Xul0t84QJlE",
  "group": "teaching",
  "permissions": ["admin"],
  "expires": "2029-10-24T15:00:00Z",
  "include-subgroups": true
}
A holder of such a token is authorised not only for the groups "teaching",
but also for any groups of the form "teaching/*". In particular, if they
have the "admin" permission, they are allowed to create new groups under
"teaching", with no restrictions.
As a special case, the field "group" can be the empty string, in which
case the token applies to the whole server.
## Downsides
Since subtree tokens don't apply to a single group, they cannot be stored
in per-group files, a global file will be required. Also, token lookup
stops being a hashtable lookup, since it is required to check for tokens
for supergroups of the current group.
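To make the two sections above concrete (the JSONL token file and the supergroup walk that subtree tokens force on lookup), here is a small Go sketch. It is an added illustration, not Galène's code: the `Store` type, the `Load`/`Check`/`Expire` names and the choice of a map keyed by group and then by token string are all assumptions of this example. The sample token lines are constructed; only the token value "Xul0t84QJlE" and the field names come from the message.

```go
package main

import (
	"bufio"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Token mirrors the stateful token record shown in the message. The JSON
// keys are the ones from the message; "include-subgroups" is the proposed
// addition.
type Token struct {
	Token            string    `json:"token"`
	Group            string    `json:"group"`
	Permissions      []string  `json:"permissions"`
	Expires          time.Time `json:"expires"`
	IncludeSubgroups bool      `json:"include-subgroups,omitempty"`
}

// Store is a hypothetical in-memory cache indexed by group, then by token
// string, so that a lookup for a single group remains a hashtable access.
type Store struct {
	byGroup map[string]map[string]*Token
}

// Constructed sample of data/var/tokens.jsonl (one JSON object per line).
// Only "Xul0t84QJlE" is from the message; the other token values are made up.
const sampleTokens = `{"token":"Xul0t84QJlE","group":"admin","permissions":["present"],"expires":"2029-10-24T15:03:00Z"}
{"token":"Tsub1","group":"teaching","permissions":["admin"],"expires":"2029-10-24T15:00:00Z","include-subgroups":true}
{"token":"Tserver","group":"","permissions":["admin"],"expires":"2029-10-24T15:00:00Z","include-subgroups":true}
{"token":"Told","group":"admin","permissions":["present"],"expires":"2024-01-01T00:00:00Z"}
`

// Load parses a JSONL token file into a Store.
func Load(jsonl string) (*Store, error) {
	s := &Store{byGroup: make(map[string]map[string]*Token)}
	sc := bufio.NewScanner(strings.NewReader(jsonl))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		t := new(Token)
		if err := json.Unmarshal([]byte(line), t); err != nil {
			return nil, err
		}
		if s.byGroup[t.Group] == nil {
			s.byGroup[t.Group] = make(map[string]*Token)
		}
		s.byGroup[t.Group][t.Token] = t
	}
	return s, sc.Err()
}

// ancestors lists the group itself and every supergroup up to the empty
// string (the whole server): "teaching/math/101" gives
// ["teaching/math/101", "teaching/math", "teaching", ""].
func ancestors(group string) []string {
	out := []string{group}
	for group != "" {
		if i := strings.LastIndex(group, "/"); i >= 0 {
			group = group[:i]
		} else {
			group = ""
		}
		out = append(out, group)
	}
	return out
}

// Check returns the permissions token grants on group at time now. The exact
// group is probed first; a supergroup only counts if the token found there
// has include-subgroups set. This walk, one map probe per path component, is
// the extra cost the "Downsides" section describes.
func (s *Store) Check(token, group string, now time.Time) ([]string, error) {
	for i, g := range ancestors(group) {
		t, ok := s.byGroup[g][token]
		if !ok || (i > 0 && !t.IncludeSubgroups) {
			continue
		}
		if !now.Before(t.Expires) {
			return nil, errors.New("token expired")
		}
		return t.Permissions, nil
	}
	return nil, errors.New("no token valid for this group")
}

// Expire drops tokens that have been expired for 24 hours or more (the
// periodic garbage collection from the message) and reports how many went.
func (s *Store) Expire(now time.Time) int {
	n := 0
	for g, toks := range s.byGroup {
		for k, t := range toks {
			if now.Sub(t.Expires) >= 24*time.Hour {
				delete(toks, k)
				n++
			}
		}
		if len(toks) == 0 {
			delete(s.byGroup, g)
		}
	}
	return n
}
```

With the sample above, `Check("Tsub1", "teaching/math/101", now)` succeeds through the "teaching" entry, `Check("Xul0t84QJlE", "admin/sub", now)` fails because that token lacks include-subgroups, and the empty-group token "Tserver" matches any group via the final "" probe. The per-group index keeps the plain case cheap, but a subtree lookup still touches every ancestor, which is why a single global file (or a global index like this one) is needed once subtree tokens exist.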
# Plan for stateless tokens
It is pretty trivial to do the same for stateless (cryptographic) tokens.
However, since Yunohost are the main user of stateless tokens, I'm
planning to wait to get feedback from them before I implement subtree
support for stateless tokens.
# Comments?
The above design doesn't quite seem right, but I'm unable to put my finger
on what bothers me. Perhaps someone can help?
-- Juliusz