npm - @enbox/dwn-sdk-js - Versions diffs - 0.3.9 → 0.4.1 - Mend

@enbox/dwn-sdk-js 0.3.9 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (525) hide show

package/src/core/messages-grant-authorization.ts CHANGED Viewed

@@ -1,36 +1,34 @@
 import type { GenericMessage } from '../types/message-types.js';
 import type { MessagesPermissionScope } from '../types/permission-types.js';
-import type { MessageStore } from '../types/message-store.js';
 import type { PermissionGrant } from '../protocols/permission-grant.js';
 import type { ProtocolsConfigureMessage } from '../types/protocols-types.js';
 import type { ProtocolScope } from '../utils/permission-scope.js';
+import type { ValidationStateReader } from '../types/validation-state-reader.js';
 import type { DataEncodedRecordsWriteMessage, RecordsDeleteMessage, RecordsWriteMessage } from '../types/records-types.js';
-import type { MessagesReadMessage, MessagesSubscribeMessage, MessagesSyncMessage } from '../types/messages-types.js';
+import type { MessagesQueryMessage, MessagesReadMessage, MessagesSubscribeMessage } from '../types/messages-types.js';
 import { DwnInterfaceName } from '../enums/dwn-interface-method.js';
 import { GrantAuthorization } from './grant-authorization.js';
-import { isRecordsPrimaryProjectionExcludedProtocol } from './constants.js';
 import { PermissionScopeMatcher } from '../utils/permission-scope.js';
 import { PermissionsProtocol } from '../protocols/permissions.js';
 import { Records } from '../utils/records.js';
-import { RecordsWrite } from '../interfaces/records-write.js';
 import { DwnError, DwnErrorCode } from './dwn-error.js';
 export class MessagesGrantAuthorization {
   public static async fetchPermissionGrants(
     tenant: string,
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
     permissionGrantIds: string[]
   ): Promise<PermissionGrant[]> {
     return Promise.all(
-      permissionGrantIds.map(permissionGrantId => PermissionsProtocol.fetchGrant(tenant, messageStore, permissionGrantId))
+      permissionGrantIds.map(permissionGrantId => validationStateReader.fetchGrant(tenant, permissionGrantId))
     );
   }
   /**
    * Authorizes a MessagesReadMessage using the given permission grant.
-   * @param messageStore Used to check if the given grant has been revoked; and to fetch related RecordsWrites if needed.
+   * @param validationStateReader Used to check grant revocation and fetch related RecordsWrites if needed.
    */
   public static async authorizeMessagesRead(input: {
     messagesReadMessage: MessagesReadMessage,
@@ -38,10 +36,10 @@ export class MessagesGrantAuthorization {
     expectedGrantor: string,
     expectedGrantee: string,
     permissionGrants: PermissionGrant[],
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
   }): Promise<void> {
     const {
-      messagesReadMessage, messageToRead, expectedGrantor, expectedGrantee, permissionGrants, messageStore
+      messagesReadMessage, messageToRead, expectedGrantor, expectedGrantee, permissionGrants, validationStateReader
     } = input;
     await MessagesGrantAuthorization.performBaseValidationForGrantSet({
@@ -49,12 +47,12 @@ export class MessagesGrantAuthorization {
       expectedGrantor,
       expectedGrantee,
       permissionGrants,
-      messageStore
+      validationStateReader
     });
     for (const permissionGrant of permissionGrants) {
       const scope = permissionGrant.scope as MessagesPermissionScope;
-      if (await MessagesGrantAuthorization.isScopeAuthorized(expectedGrantor, messageToRead, scope, messageStore)) {
+      if (await MessagesGrantAuthorization.isScopeAuthorized(expectedGrantor, messageToRead, scope, validationStateReader)) {
         return;
       }
     }
@@ -63,18 +61,18 @@ export class MessagesGrantAuthorization {
   }
   /**
-   * Authorizes the scope of a permission grant for MessagesSubscribe or MessagesSync.
-   * @param messageStore Used to check if the grant has been revoked.
+   * Authorizes the scope of a permission grant for MessagesQuery or MessagesSubscribe.
+   * @param validationStateReader Used to check if the grant has been revoked.
    */
-  public static async authorizeSubscribeOrSync(input: {
-    incomingMessage: MessagesSubscribeMessage | MessagesSyncMessage,
+  public static async authorizeQueryOrSubscribe(input: {
+    incomingMessage: MessagesQueryMessage | MessagesSubscribeMessage,
     expectedGrantor: string,
     expectedGrantee: string,
     permissionGrants: PermissionGrant[],
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
   }): Promise<void> {
     const {
-      incomingMessage, expectedGrantor, expectedGrantee, permissionGrants, messageStore
+      incomingMessage, expectedGrantor, expectedGrantee, permissionGrants, validationStateReader
     } = input;
     await MessagesGrantAuthorization.performBaseValidationForGrantSet({
@@ -82,80 +80,19 @@ export class MessagesGrantAuthorization {
       expectedGrantor,
       expectedGrantee,
       permissionGrants,
-      messageStore
+      validationStateReader
     });
     const scopes = permissionGrants.map(permissionGrant => permissionGrant.scope as MessagesPermissionScope);
-    if ('action' in incomingMessage.descriptor) {
-      MessagesGrantAuthorization.authorizeSyncScope(incomingMessage as MessagesSyncMessage, scopes);
-      return;
-    }
-    MessagesGrantAuthorization.authorizeSubscribeScope(incomingMessage as MessagesSubscribeMessage, scopes);
-  }
-  private static authorizeSyncScope(
-    syncMessage: MessagesSyncMessage,
-    scopes: MessagesPermissionScope[]
-  ): void {
-    const { projectionScopes, protocol } = syncMessage.descriptor;
-    if (projectionScopes === undefined) {
-      MessagesGrantAuthorization.authorizeProtocolSyncScope(scopes, protocol);
-      return;
-    }
-    MessagesGrantAuthorization.authorizeProjectionScopes(scopes, projectionScopes);
-  }
-  private static authorizeProtocolSyncScope(
-    scopes: MessagesPermissionScope[],
-    protocol: string | undefined
-  ): void {
-    if (isRecordsPrimaryProjectionExcludedProtocol(protocol)) {
-      throw new DwnError(
-        DwnErrorCode.MessagesGrantAuthorizationProtocolSyncInfrastructureProtocol,
-        `Protocol-scoped MessagesSync cannot authorize infrastructure protocol ${protocol}`
-      );
-    }
-    if (!MessagesGrantAuthorization.someScopeMatches(scopes, { protocol })) {
-      throw new DwnError(
-        DwnErrorCode.MessagesGrantAuthorizationMismatchedProtocol,
-        `No permission grant scope matches protocol ${protocol}`
-      );
-    }
-  }
-  private static authorizeProjectionScopes(
-    scopes: MessagesPermissionScope[],
-    projectionScopes: ProtocolScope[],
-  ): void {
-    for (const projectionScope of projectionScopes) {
-      if (isRecordsPrimaryProjectionExcludedProtocol(projectionScope.protocol)) {
-        throw new DwnError(
-          DwnErrorCode.MessagesGrantAuthorizationProjectionInfrastructureProtocol,
-          `Projected MessagesSync cannot authorize infrastructure protocol ${projectionScope.protocol}`
-        );
-      }
-      if (MessagesGrantAuthorization.someScopeMatches(scopes, projectionScope)) {
-        continue;
-      }
-      throw new DwnError(
-        DwnErrorCode.MessagesGrantAuthorizationProjectionScopeMismatch,
-        `No permission grant scope matches projection scope ${JSON.stringify(projectionScope)}`
-      );
-    }
+    MessagesGrantAuthorization.authorizeFilterScope(incomingMessage, scopes);
   }
-  private static authorizeSubscribeScope(
-    subscribeMessage: MessagesSubscribeMessage,
+  private static authorizeFilterScope(
+    messagesMessage: MessagesQueryMessage | MessagesSubscribeMessage,
     scopes: MessagesPermissionScope[]
   ): void {
-    const { filters } = subscribeMessage.descriptor;
+    const { filters } = messagesMessage.descriptor;
     if (filters.length === 0 && !MessagesGrantAuthorization.hasUnscopedGrant(scopes)) {
       throw new DwnError(
@@ -195,7 +132,7 @@ export class MessagesGrantAuthorization {
     expectedGrantor: string,
     expectedGrantee: string,
     permissionGrants: PermissionGrant[],
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
     deliveryTimestamp: string,
   }): Promise<void> {
     const {
@@ -203,7 +140,7 @@ export class MessagesGrantAuthorization {
       expectedGrantor,
       expectedGrantee,
       permissionGrants,
-      messageStore,
+      validationStateReader,
       deliveryTimestamp,
     } = input;
@@ -215,12 +152,12 @@ export class MessagesGrantAuthorization {
       },
     };
-    await MessagesGrantAuthorization.authorizeSubscribeOrSync({
+    await MessagesGrantAuthorization.authorizeQueryOrSubscribe({
       incomingMessage: deliveryMessage,
       expectedGrantor,
       expectedGrantee,
       permissionGrants,
-      messageStore,
+      validationStateReader,
     });
   }
@@ -229,14 +166,14 @@ export class MessagesGrantAuthorization {
    * unresolved, revoked, expired, or interface/method-mismatched grants fail the request.
    */
   private static async performBaseValidationForGrantSet(input: {
-    incomingMessage: MessagesReadMessage | MessagesSubscribeMessage | MessagesSyncMessage,
+    incomingMessage: MessagesQueryMessage | MessagesReadMessage | MessagesSubscribeMessage,
     expectedGrantor: string,
     expectedGrantee: string,
     permissionGrants: PermissionGrant[],
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
   }): Promise<void> {
     const {
-      incomingMessage, expectedGrantor, expectedGrantee, permissionGrants, messageStore
+      incomingMessage, expectedGrantor, expectedGrantee, permissionGrants, validationStateReader
     } = input;
     for (const permissionGrant of permissionGrants) {
@@ -245,7 +182,7 @@ export class MessagesGrantAuthorization {
         expectedGrantor,
         expectedGrantee,
         permissionGrant,
-        messageStore
+        validationStateReader
       });
     }
   }
@@ -257,7 +194,7 @@ export class MessagesGrantAuthorization {
     tenant: string,
     messageToGet: GenericMessage,
     incomingScope: MessagesPermissionScope,
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
   ): Promise<boolean> {
     if (incomingScope.protocol === undefined) {
       return true;
@@ -268,7 +205,7 @@ export class MessagesGrantAuthorization {
         tenant,
         messageToGet as RecordsWriteMessage | RecordsDeleteMessage,
         incomingScope,
-        messageStore
+        validationStateReader
       );
     }
@@ -286,12 +223,12 @@ export class MessagesGrantAuthorization {
     tenant: string,
     recordsMessage: RecordsWriteMessage | RecordsDeleteMessage,
     incomingScope: MessagesPermissionScope,
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
   ): Promise<boolean> {
     const recordsWriteMessage = await MessagesGrantAuthorization.getAssociatedRecordsWrite(
       tenant,
       recordsMessage,
-      messageStore
+      validationStateReader
     );
     if (recordsWriteMessage.descriptor.protocol === PermissionsProtocol.uri) {
@@ -299,7 +236,7 @@ export class MessagesGrantAuthorization {
         tenant,
         recordsWriteMessage,
         incomingScope,
-        messageStore
+        validationStateReader
       );
     }
@@ -310,7 +247,7 @@ export class MessagesGrantAuthorization {
     tenant: string,
     recordsWriteMessage: RecordsWriteMessage,
     incomingScope: MessagesPermissionScope,
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
   ): Promise<boolean> {
     if (MessagesGrantAuthorization.isSubtreeScope(incomingScope)) {
       return false;
@@ -318,7 +255,7 @@ export class MessagesGrantAuthorization {
     const permissionScope = await PermissionsProtocol.getScopeFromPermissionRecord(
       tenant,
-      messageStore,
+      validationStateReader,
       recordsWriteMessage as DataEncodedRecordsWriteMessage
     );
@@ -339,13 +276,13 @@ export class MessagesGrantAuthorization {
   private static async getAssociatedRecordsWrite(
     tenant: string,
     recordsMessage: RecordsWriteMessage | RecordsDeleteMessage,
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
   ): Promise<RecordsWriteMessage> {
     if (Records.isRecordsWrite(recordsMessage)) {
       return recordsMessage;
     }
-    return RecordsWrite.fetchNewestRecordsWrite(messageStore, tenant, recordsMessage.descriptor.recordId);
+    return validationStateReader.fetchNewestRecordsWrite(tenant, recordsMessage.descriptor.recordId);
   }
   private static getRecordsScopeTarget(recordsWriteMessage: RecordsWriteMessage): ProtocolScope {

package/src/core/protocol-authorization-action.ts CHANGED Viewed

@@ -1,22 +1,18 @@
-import type { Filter } from '../types/query-types.js';
-import type { MessageStore } from '../types/message-store.js';
 import type { RecordsCount } from '../interfaces/records-count.js';
 import type { RecordsDelete } from '../interfaces/records-delete.js';
 import type { RecordsQuery } from '../interfaces/records-query.js';
 import type { RecordsRead } from '../interfaces/records-read.js';
 import type { RecordsSubscribe } from '../interfaces/records-subscribe.js';
 import type { RecordsWriteMessage } from '../types/records-types.js';
+import type { ValidationStateReader } from '../types/validation-state-reader.js';
 import type { ProtocolActionRule, ProtocolDefinition, ProtocolRuleSet } from '../types/protocols-types.js';
-import { FilterUtility } from '../utils/filter.js';
+import { DwnMethodName } from '../enums/dwn-interface-method.js';
 import { RecordsWrite } from '../interfaces/records-write.js';
 import { DwnError, DwnErrorCode } from './dwn-error.js';
-import { DwnInterfaceName, DwnMethodName } from '../enums/dwn-interface-method.js';
 import { getRuleSetAtPath, isCrossProtocolRef, parseCrossProtocolRef } from '../utils/protocols.js';
 import { ProtocolAction, ProtocolActor } from '../types/protocols-types.js';
-import type { FetchProtocolDefinitionFn } from './protocol-authorization.js';
 /**
  * Check if the incoming message is invoking a role. If so, validate the invoked role.
  * For cross-protocol role invocation, the role record may live in a different protocol
@@ -28,9 +24,8 @@ export async function verifyInvokedRole(
   protocolUri: string,
   contextId: string | undefined,
   protocolDefinition: ProtocolDefinition,
-  messageStore: MessageStore,
-  fetchProtocolDefinition: FetchProtocolDefinitionFn,
-  governingTimestamp?: string,
+  validationStateReader: ValidationStateReader,
+  protocolDefinitionTimestamp?: string,
 ): Promise<void> {
   const protocolRole = incomingMessage.signaturePayload?.protocolRole;
@@ -64,8 +59,8 @@ export async function verifyInvokedRole(
     roleProtocolPath = parsed.protocolPath;
     // Fetch the referenced protocol's definition to validate the role exists
-    const refDefinition = await fetchProtocolDefinition(
-      tenant, roleProtocolUri, messageStore, governingTimestamp
+    const refDefinition = await validationStateReader.fetchProtocolDefinition(
+      tenant, roleProtocolUri, protocolDefinitionTimestamp
     );
     const roleRuleSet = getRuleSetAtPath(roleProtocolPath, refDefinition.structure);
     if (!roleRuleSet?.$role) {
@@ -85,16 +80,6 @@ export async function verifyInvokedRole(
     }
   }
-  // Construct a filter to fetch the invoked role record
-  const roleRecordFilter: Filter = {
-    interface         : DwnInterfaceName.Records,
-    method            : DwnMethodName.Write,
-    protocol          : roleProtocolUri,
-    protocolPath      : roleProtocolPath,
-    recipient         : incomingMessage.author!,
-    isLatestBaseState : true,
-  };
   const ancestorSegmentCountOfRolePath = roleProtocolPath.split('/').length - 1;
   if (contextId === undefined && ancestorSegmentCountOfRolePath > 0) {
     throw new DwnError(
@@ -103,22 +88,26 @@ export async function verifyInvokedRole(
     );
   }
-  // Compute `contextId` prefix filter for fetching the invoked role record if the role path is not at the root level.
+  // Compute `contextId` prefix for fetching the invoked role record if the role path is not at the root level.
   // e.g. if invoked role path is `Thread/Participant`, and the `contextId` of the message is `threadX/messageY/attachmentZ`,
-  // then we need to add a prefix filter as `threadX` for the `contextId`
+  // then we need to use the prefix `threadX` for the `contextId`
   // because the `contextId` of the Participant record would be in the form of be `threadX/participantA`
+  let contextIdPrefix: string | undefined;
   if (ancestorSegmentCountOfRolePath > 0) {
     const contextIdSegments = contextId!.split('/'); // NOTE: currently contextId segment count is never shorter than the role path count.
-    const contextIdPrefix = contextIdSegments.slice(0, ancestorSegmentCountOfRolePath).join('/');
-    const contextIdPrefixFilter = FilterUtility.constructPrefixFilterAsRangeFilter(contextIdPrefix);
-    roleRecordFilter.contextId = contextIdPrefixFilter;
+    contextIdPrefix = contextIdSegments.slice(0, ancestorSegmentCountOfRolePath).join('/');
   }
+  // fetch the invoked role record
+  const matchingRoleRecordExists = await validationStateReader.hasMatchingRoleRecord({
+    tenant,
+    protocol     : roleProtocolUri,
+    protocolPath : roleProtocolPath,
+    recipient    : incomingMessage.author!,
+    contextIdPrefix,
+  });
-  const { messages: matchingMessages } = await messageStore.query(tenant, [roleRecordFilter]);
-  if (matchingMessages.length === 0) {
+  if (!matchingRoleRecordExists) {
     throw new DwnError(
       DwnErrorCode.ProtocolAuthorizationMatchingRoleRecordNotFound,
       `No matching role record found for protocol path ${roleProtocolPath}`
@@ -139,14 +128,14 @@ export async function verifyInvokedRole(
 export async function getActionsSeekingARuleMatch(
   tenant: string,
   incomingMessage: RecordsCount | RecordsDelete | RecordsQuery | RecordsRead | RecordsSubscribe | RecordsWrite,
-  messageStore: MessageStore,
+  validationStateReader: ValidationStateReader,
 ): Promise<ProtocolAction[]> {
   switch (incomingMessage.message.descriptor.method) {
-  case DwnMethodName.Delete:
+  case DwnMethodName.Delete: {
     const recordsDelete = incomingMessage as RecordsDelete;
     const recordId = recordsDelete.message.descriptor.recordId;
-    const initialWrite = await RecordsWrite.fetchInitialRecordsWrite(messageStore, tenant, recordId);
+    const initialWrite = await validationStateReader.fetchInitialRecordsWrite(tenant, recordId);
     // if there is no initial write, then no action rule can authorize the incoming message, because we won't know who the original author is
     // NOTE: purely defensive programming: currently not reachable
@@ -155,7 +144,7 @@ export async function getActionsSeekingARuleMatch(
       return [];
     }
-    const actionsThatWouldAuthorizeDelete = [];
+    const actionsThatWouldAuthorizeDelete: ProtocolAction[] = [];
     const prune = recordsDelete.message.descriptor.prune;
     if (prune) {
       actionsThatWouldAuthorizeDelete.push(ProtocolAction.CoPrune);
@@ -174,6 +163,7 @@ export async function getActionsSeekingARuleMatch(
     }
     return actionsThatWouldAuthorizeDelete;
+  }
   case DwnMethodName.Count:
     return [ProtocolAction.Read];
@@ -187,7 +177,7 @@ export async function getActionsSeekingARuleMatch(
   case DwnMethodName.Subscribe:
     return [ProtocolAction.Read];
-  case DwnMethodName.Write:
+  case DwnMethodName.Write: {
     const incomingRecordsWrite = incomingMessage as RecordsWrite;
     if (await incomingRecordsWrite.isInitialWrite()) {
@@ -201,7 +191,7 @@ export async function getActionsSeekingARuleMatch(
       // else incoming RecordsWrite not an initial write
       const recordId = (incomingMessage as RecordsWrite).message.recordId;
-      const initialWrite = await RecordsWrite.fetchInitialRecordsWrite(messageStore, tenant, recordId);
+      const initialWrite = await validationStateReader.fetchInitialRecordsWrite(tenant, recordId);
       // if there is no initial write to update from, then no action rule can authorize the incoming message
       if (initialWrite === undefined) {
@@ -217,6 +207,7 @@ export async function getActionsSeekingARuleMatch(
       }
     }
   }
+  }
   // purely defensive programming: should not be reachable
   // setting to empty array will prevent any message from being authorized
@@ -233,11 +224,11 @@ export async function authorizeAgainstAllowedActions(
   incomingMessage: RecordsCount | RecordsDelete | RecordsQuery | RecordsRead | RecordsSubscribe | RecordsWrite,
   ruleSet: ProtocolRuleSet,
   recordChain: RecordsWriteMessage[],
-  messageStore: MessageStore,
+  validationStateReader: ValidationStateReader,
   protocolDefinition?: ProtocolDefinition,
 ): Promise<void> {
   const incomingMessageMethod = incomingMessage.message.descriptor.method;
-  const actionsSeekingARuleMatch = await getActionsSeekingARuleMatch(tenant, incomingMessage, messageStore);
+  const actionsSeekingARuleMatch = await getActionsSeekingARuleMatch(tenant, incomingMessage, validationStateReader);
   const author = incomingMessage.author;
   const actionRules = ruleSet.$actions;