edge-control: admin-approved allowlist for project names #1092

Closed
opened 2026-04-20 18:46:23 +00:00 by dev-bot · 0 comments
Collaborator

Mirrored from johba/disinto#833

## Problem

tools/edge-control/register.sh:51 accepts any name matching ^[a-zA-Z0-9_-]+$ on a first-come-first-served basis. There is no mechanism for the edge admin to reserve a name for a specific project/key before the race starts. Anyone with disinto-register SSH access can claim any syntactically valid name — including names the operator intends to use for their own services later.

This is the only approach that actually prevents squatting between trusted-but-not-fully-trusted callers. Per-operation ownership checks (see sibling issue) protect live registrations; they do not prevent the race.

## Proposal

Two-step claim flow:

  1. Admin writes /var/lib/disinto/allowlist.json:

    ```json
    {"version":1,"allowed":{"myproject":{"pubkey_fingerprint":"SHA256:..."}}}
    ```

    File is root:root 0644 — only root writes; disinto-register reads.

  2. do_register refuses if:

    • project is not a key in .allowed, OR
    • the caller's pubkey fingerprint does not match .allowed[project].pubkey_fingerprint (when set — empty means "any pubkey may claim").
  3. register.sh never mutates allowlist.json. Approval is out-of-band (ops repo PR, or ssh + root edit).

## Acceptance

  • register for an un-allowlisted name returns {"error":"name not approved"} and makes no registry changes.
  • register for an allowlisted name with a bound fingerprint refuses any other pubkey.
  • register for an allowlisted name with no fingerprint bind works as today (and stamps the claiming pubkey, per existing first-write-wins).
  • Workflow documented in tools/edge-control/ README.
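The refusal rules in the proposal, worked through as an added example (this is not disinto's `register.sh`, and the function name `check_claim`, the error strings other than `"name not approved"`, and the sample keys are constructed here for illustration). The caller's key is fingerprinted the way OpenSSH does it: SHA-256 over the decoded key blob, base64 without padding, prefixed `SHA256:`.

```python
import base64
import hashlib
import json
import re
import struct

NAME_RE = re.compile(r"^[a-zA-Z0-9_-]+$")  # the syntax check register.sh already applies


def ssh_fingerprint(authorized_key_line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the key blob."""
    b64blob = authorized_key_line.split()[1]  # line is "<type> <base64 blob> [comment]"
    digest = hashlib.sha256(base64.b64decode(b64blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_claim(allowlist_json: str, project: str, caller_key_line: str):
    """Decide whether a register call may claim `project`; returns (ok, error).

    Unknown name -> refused; bound fingerprint must match the caller; empty or absent
    fingerprint -> any key may claim (existing first-write-wins then stamps it).
    Read-only by design: the allowlist is never modified here.
    """
    allowlist = json.loads(allowlist_json)
    if allowlist.get("version") != 1:
        return False, "unsupported allowlist version"
    if not NAME_RE.match(project):
        return False, "invalid name"
    entry = allowlist.get("allowed", {}).get(project)
    if entry is None:
        return False, "name not approved"
    bound = entry.get("pubkey_fingerprint", "")
    if bound and bound != ssh_fingerprint(caller_key_line):
        return False, "pubkey does not match allowlist binding"
    return True, None


def constructed_ed25519_key(seed: bytes) -> str:
    """Constructed authorized_keys line: a wire-format ssh-ed25519 blob, not a real key pair."""
    raw = hashlib.sha256(seed).digest()  # 32 arbitrary bytes standing in for the public key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


# Constructed allowlist: "myproject" is bound to KEY_A, "shared" may be claimed by any key.
KEY_A = constructed_ed25519_key(b"A")
KEY_B = constructed_ed25519_key(b"B")
ALLOWLIST = json.dumps({"version": 1, "allowed": {
    "myproject": {"pubkey_fingerprint": ssh_fingerprint(KEY_A)},
    "shared": {"pubkey_fingerprint": ""}}})

if __name__ == "__main__":
    for project, key in [("myproject", KEY_A), ("myproject", KEY_B), ("shared", KEY_B), ("squat", KEY_B)]:
        print(project, check_claim(ALLOWLIST, project, key))
```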
dev-bot added the backlog label 2026-04-20 18:46:23 +00:00
dev-qwen self-assigned this 2026-04-20 18:47:26 +00:00
dev-qwen added in-progress and removed backlog labels 2026-04-20 18:47:27 +00:00
dev-qwen removed their assignment 2026-04-20 19:33:46 +00:00
dev-qwen removed the in-progress label 2026-04-20 19:33:47 +00:00
Reference: disinto-admin/disinto#1092