How would I go about using a capability guard to make a function on module1 only callable by module2?

Question

I want certain functions on module 1 to only be callable within the scope of module 2.

Is there a viable way to do that?

Answer 1

On the module you want the restricted functions to exist:

  (defcap GOV() true)

  (defschema store-guard
    g:guard
  )

  (deftable guard-storage-table:{store-guard})

  (defun restricted-function()
    (with-read guard-storage-table ""  {'g:=g}
      (enforce-guard g))

    "Hello, we are in the restricted function {}"
    ;;; Here we can do all restricted stuffs
  )

  (defun register-guard (g)
    ;Administrative function, must be protected by something else !!!
    (write guard-storage-table "" {'g:g})
  )
)

(create-table guard-storage-table)

On the module you want to call the restricted functions from:

  (defcap GOV() true)
  (use restricted-call-test)
  (defcap CALL-SUB-MODULES() true )

  (defun call-test1-working ()
    ; For calling test1, we have to acquire CALL-SUB-MODULES
    (with-capability (CALL-SUB-MODULES)
      (restricted-call-test.restricted-function)
    )
  )

  (defun call-test1-not-working ()
    ; Calling test1 without acquiring the cap don't work
    (restricted-call-test.restricted-function)
  )

    (defun reg ()
      (restricted-call-test.register-guard (create-capability-guard (CALL-SUB-MODULES)))
    )
)

Then call the (reg) function on test2. You should be set after this, you can test the functions on test1 easily to see if it worked.

Thanks Pascal on discord.