@icure/api 6.4.0 → 7.0.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (154) hide show
  1. package/icc-api/api/IccDeviceApi.d.ts +1 -1
  2. package/icc-api/api/IccDeviceApi.js.map +1 -1
  3. package/icc-api/api/IccDoctemplateApi.js.map +1 -1
  4. package/icc-api/api/IccDocumentTemplateApi.js.map +1 -1
  5. package/icc-api/api/IccHcpartyApi.d.ts +1 -1
  6. package/icc-api/api/IccHcpartyApi.js.map +1 -1
  7. package/icc-api/api/IccPatientApi.d.ts +1 -1
  8. package/icc-api/api/IccPatientApi.js.map +1 -1
  9. package/icc-api/model/MaintenanceTask.d.ts +6 -5
  10. package/icc-api/model/MaintenanceTask.js +5 -0
  11. package/icc-api/model/MaintenanceTask.js.map +1 -1
  12. package/icc-api/model/User.d.ts +23 -1
  13. package/icc-api/model/User.js +21 -0
  14. package/icc-api/model/User.js.map +1 -1
  15. package/icc-api/model/models.d.ts +14 -0
  16. package/icc-api/model/models.js.map +1 -1
  17. package/icc-x-api/crypto/AES.d.ts +2 -0
  18. package/icc-x-api/crypto/AES.js +12 -0
  19. package/icc-x-api/crypto/AES.js.map +1 -1
  20. package/icc-x-api/crypto/BaseExchangeKeysManager.d.ts +122 -0
  21. package/icc-x-api/crypto/BaseExchangeKeysManager.js +356 -0
  22. package/icc-x-api/crypto/BaseExchangeKeysManager.js.map +1 -0
  23. package/icc-x-api/crypto/ConfidentialEntities.d.ts +58 -0
  24. package/icc-x-api/crypto/ConfidentialEntities.js +99 -0
  25. package/icc-x-api/crypto/ConfidentialEntities.js.map +1 -0
  26. package/icc-x-api/crypto/CryptoPrimitives.d.ts +31 -0
  27. package/icc-x-api/crypto/CryptoPrimitives.js +55 -0
  28. package/icc-x-api/crypto/CryptoPrimitives.js.map +1 -0
  29. package/icc-x-api/crypto/CryptoStrategies.d.ts +82 -0
  30. package/icc-x-api/crypto/CryptoStrategies.js +3 -0
  31. package/icc-x-api/crypto/CryptoStrategies.js.map +1 -0
  32. package/icc-x-api/crypto/EntitiesEncryption.d.ts +254 -0
  33. package/icc-x-api/crypto/EntitiesEncryption.js +700 -0
  34. package/icc-x-api/crypto/EntitiesEncryption.js.map +1 -0
  35. package/icc-x-api/crypto/ExchangeKeysManager.d.ts +56 -0
  36. package/icc-x-api/crypto/ExchangeKeysManager.js +147 -0
  37. package/icc-x-api/crypto/ExchangeKeysManager.js.map +1 -0
  38. package/icc-x-api/crypto/KeyManager.d.ts +103 -0
  39. package/icc-x-api/crypto/KeyManager.js +288 -0
  40. package/icc-x-api/crypto/KeyManager.js.map +1 -0
  41. package/icc-x-api/crypto/KeyRecovery.d.ts +34 -0
  42. package/icc-x-api/crypto/KeyRecovery.js +253 -0
  43. package/icc-x-api/crypto/KeyRecovery.js.map +1 -0
  44. package/icc-x-api/crypto/LegacyCryptoStrategies.d.ts +28 -0
  45. package/icc-x-api/crypto/LegacyCryptoStrategies.js +22 -0
  46. package/icc-x-api/crypto/LegacyCryptoStrategies.js.map +1 -0
  47. package/icc-x-api/crypto/RSA.d.ts +19 -20
  48. package/icc-x-api/crypto/RSA.js +30 -1
  49. package/icc-x-api/crypto/RSA.js.map +1 -1
  50. package/icc-x-api/crypto/ShamirKeysManager.d.ts +43 -0
  51. package/icc-x-api/crypto/ShamirKeysManager.js +150 -0
  52. package/icc-x-api/crypto/ShamirKeysManager.js.map +1 -0
  53. package/icc-x-api/crypto/ShareMetadataBehaviour.d.ts +19 -0
  54. package/icc-x-api/crypto/ShareMetadataBehaviour.js +24 -0
  55. package/icc-x-api/crypto/ShareMetadataBehaviour.js.map +1 -0
  56. package/icc-x-api/crypto/TransferKeysManager.d.ts +29 -0
  57. package/icc-x-api/crypto/TransferKeysManager.js +121 -0
  58. package/icc-x-api/crypto/TransferKeysManager.js.map +1 -0
  59. package/icc-x-api/crypto/utils.d.ts +46 -0
  60. package/icc-x-api/crypto/utils.js +128 -0
  61. package/icc-x-api/crypto/utils.js.map +1 -1
  62. package/icc-x-api/filters/ContactByHcPartyTagCodeDateFilter.d.ts +11 -0
  63. package/icc-x-api/filters/ContactByHcPartyTagCodeDateFilter.js +11 -0
  64. package/icc-x-api/filters/ContactByHcPartyTagCodeDateFilter.js.map +1 -1
  65. package/icc-x-api/filters/DeviceByHcPartyFilter.d.ts +11 -0
  66. package/icc-x-api/filters/DeviceByHcPartyFilter.js +11 -0
  67. package/icc-x-api/filters/DeviceByHcPartyFilter.js.map +1 -1
  68. package/icc-x-api/filters/DeviceByIdsFilter.d.ts +11 -0
  69. package/icc-x-api/filters/DeviceByIdsFilter.js +11 -0
  70. package/icc-x-api/filters/DeviceByIdsFilter.js.map +1 -1
  71. package/icc-x-api/filters/HealthElementByHcPartySecretForeignKeysFilter.d.ts +11 -0
  72. package/icc-x-api/filters/HealthElementByHcPartySecretForeignKeysFilter.js +11 -0
  73. package/icc-x-api/filters/HealthElementByHcPartySecretForeignKeysFilter.js.map +1 -1
  74. package/icc-x-api/icc-accesslog-x-api.d.ts +49 -4
  75. package/icc-x-api/icc-accesslog-x-api.js +112 -102
  76. package/icc-x-api/icc-accesslog-x-api.js.map +1 -1
  77. package/icc-x-api/icc-calendar-item-x-api.d.ts +53 -5
  78. package/icc-x-api/icc-calendar-item-x-api.js +112 -100
  79. package/icc-x-api/icc-calendar-item-x-api.js.map +1 -1
  80. package/icc-x-api/icc-classification-x-api.d.ts +45 -2
  81. package/icc-x-api/icc-classification-x-api.js +89 -41
  82. package/icc-x-api/icc-classification-x-api.js.map +1 -1
  83. package/icc-x-api/icc-contact-x-api.d.ts +57 -19
  84. package/icc-x-api/icc-contact-x-api.js +149 -154
  85. package/icc-x-api/icc-contact-x-api.js.map +1 -1
  86. package/icc-x-api/icc-crypto-x-api.d.ts +266 -366
  87. package/icc-x-api/icc-crypto-x-api.js +416 -1327
  88. package/icc-x-api/icc-crypto-x-api.js.map +1 -1
  89. package/icc-x-api/icc-data-owner-x-api.d.ts +110 -11
  90. package/icc-x-api/icc-data-owner-x-api.js +188 -14
  91. package/icc-x-api/icc-data-owner-x-api.js.map +1 -1
  92. package/icc-x-api/icc-doctemplate-x-api.js +3 -3
  93. package/icc-x-api/icc-doctemplate-x-api.js.map +1 -1
  94. package/icc-x-api/icc-document-x-api.d.ts +76 -5
  95. package/icc-x-api/icc-document-x-api.js +137 -59
  96. package/icc-x-api/icc-document-x-api.js.map +1 -1
  97. package/icc-x-api/icc-form-x-api.d.ts +47 -7
  98. package/icc-x-api/icc-form-x-api.js +85 -86
  99. package/icc-x-api/icc-form-x-api.js.map +1 -1
  100. package/icc-x-api/icc-hcparty-x-api.d.ts +1 -1
  101. package/icc-x-api/icc-hcparty-x-api.js +1 -1
  102. package/icc-x-api/icc-hcparty-x-api.js.map +1 -1
  103. package/icc-x-api/icc-helement-x-api.d.ts +50 -3
  104. package/icc-x-api/icc-helement-x-api.js +101 -118
  105. package/icc-x-api/icc-helement-x-api.js.map +1 -1
  106. package/icc-x-api/icc-icure-maintenance-x-api.d.ts +31 -0
  107. package/icc-x-api/icc-icure-maintenance-x-api.js +124 -0
  108. package/icc-x-api/icc-icure-maintenance-x-api.js.map +1 -0
  109. package/icc-x-api/icc-invoice-x-api.d.ts +45 -5
  110. package/icc-x-api/icc-invoice-x-api.js +89 -64
  111. package/icc-x-api/icc-invoice-x-api.js.map +1 -1
  112. package/icc-x-api/icc-maintenance-task-x-api.d.ts +38 -6
  113. package/icc-x-api/icc-maintenance-task-x-api.js +73 -102
  114. package/icc-x-api/icc-maintenance-task-x-api.js.map +1 -1
  115. package/icc-x-api/icc-message-x-api.d.ts +55 -2
  116. package/icc-x-api/icc-message-x-api.js +92 -33
  117. package/icc-x-api/icc-message-x-api.js.map +1 -1
  118. package/icc-x-api/icc-patient-x-api.d.ts +67 -7
  119. package/icc-x-api/icc-patient-x-api.js +409 -473
  120. package/icc-x-api/icc-patient-x-api.js.map +1 -1
  121. package/icc-x-api/icc-receipt-x-api.d.ts +49 -5
  122. package/icc-x-api/icc-receipt-x-api.js +85 -47
  123. package/icc-x-api/icc-receipt-x-api.js.map +1 -1
  124. package/icc-x-api/icc-time-table-x-api.d.ts +34 -10
  125. package/icc-x-api/icc-time-table-x-api.js +61 -18
  126. package/icc-x-api/icc-time-table-x-api.js.map +1 -1
  127. package/icc-x-api/index.d.ts +30 -1
  128. package/icc-x-api/index.js +112 -49
  129. package/icc-x-api/index.js.map +1 -1
  130. package/icc-x-api/maintenance/KeyPairUpdateRequest.d.ts +35 -0
  131. package/icc-x-api/maintenance/KeyPairUpdateRequest.js +54 -0
  132. package/icc-x-api/maintenance/KeyPairUpdateRequest.js.map +1 -0
  133. package/icc-x-api/storage/DefaultStorageEntryKeysFactory.d.ts +9 -0
  134. package/icc-x-api/storage/DefaultStorageEntryKeysFactory.js +23 -0
  135. package/icc-x-api/storage/DefaultStorageEntryKeysFactory.js.map +1 -0
  136. package/icc-x-api/storage/IcureStorageFacade.d.ts +55 -0
  137. package/icc-x-api/storage/IcureStorageFacade.js +95 -0
  138. package/icc-x-api/storage/IcureStorageFacade.js.map +1 -0
  139. package/icc-x-api/storage/StorageEntryKeysFactory.d.ts +31 -0
  140. package/icc-x-api/storage/StorageEntryKeysFactory.js +3 -0
  141. package/icc-x-api/storage/StorageEntryKeysFactory.js.map +1 -0
  142. package/icc-x-api/utils/collection-utils.d.ts +8 -0
  143. package/icc-x-api/utils/collection-utils.js +26 -0
  144. package/icc-x-api/utils/collection-utils.js.map +1 -0
  145. package/icc-x-api/utils/crypto-utils.d.ts +8 -1
  146. package/icc-x-api/utils/crypto-utils.js +19 -3
  147. package/icc-x-api/utils/crypto-utils.js.map +1 -1
  148. package/icc-x-api/utils/graph-utils.d.ts +45 -0
  149. package/icc-x-api/utils/graph-utils.js +203 -0
  150. package/icc-x-api/utils/graph-utils.js.map +1 -0
  151. package/icc-x-api/utils/lru-temporised-async-cache.d.ts +27 -0
  152. package/icc-x-api/utils/lru-temporised-async-cache.js +120 -0
  153. package/icc-x-api/utils/lru-temporised-async-cache.js.map +1 -0
  154. package/package.json +1 -1
@@ -0,0 +1,31 @@
1
+ import { RSAUtils } from './RSA';
2
+ import { AESUtils } from './AES';
3
+ import { ShamirClass } from './shamir';
4
+ /**
5
+ * Gives access to cryptographic primitives.
6
+ */
7
+ export declare class CryptoPrimitives {
8
+ private readonly _rsa;
9
+ private readonly _aes;
10
+ private readonly _shamir;
11
+ private readonly _crypto;
12
+ get crypto(): Crypto;
13
+ get shamir(): ShamirClass;
14
+ get RSA(): RSAUtils;
15
+ get AES(): AESUtils;
16
+ constructor(crypto?: Crypto);
17
+ /**
18
+ * Generates a UUID using a cryptographically secure random number generator.
19
+ */
20
+ randomUuid(): string;
21
+ /**
22
+ * @param data some data
23
+ * @return the sha256 hash of {@link data}
24
+ */
25
+ sha256(data: ArrayBuffer | Uint8Array): Promise<ArrayBuffer>;
26
+ /**
27
+ * @param n how many bytes to generate
28
+ * @return an array with n random bytes
29
+ */
30
+ randomBytes(n: number): Uint8Array;
31
+ }
@@ -0,0 +1,55 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.CryptoPrimitives = void 0;
4
+ const RSA_1 = require("./RSA");
5
+ const AES_1 = require("./AES");
6
+ const shamir_1 = require("./shamir");
7
+ /**
8
+ * Gives access to cryptographic primitives.
9
+ */
10
+ class CryptoPrimitives {
11
+ get crypto() {
12
+ return this._crypto;
13
+ }
14
+ get shamir() {
15
+ return this._shamir;
16
+ }
17
+ get RSA() {
18
+ return this._rsa;
19
+ }
20
+ get AES() {
21
+ return this._aes;
22
+ }
23
+ constructor(crypto = typeof window !== 'undefined' ? window.crypto : typeof self !== 'undefined' ? self.crypto : {}) {
24
+ this._crypto = crypto;
25
+ this._rsa = new RSA_1.RSAUtils(crypto);
26
+ this._aes = new AES_1.AESUtils(crypto);
27
+ this._shamir = new shamir_1.ShamirClass(crypto);
28
+ }
29
+ /**
30
+ * Generates a UUID using a cryptographically secure random number generator.
31
+ */
32
+ randomUuid() {
33
+ return ((1e7).toString() + -1e3 + -4e3 + -8e3 + -1e11).replace(/[018]/g,
34
+ //Keep next inlined or you will lose the random
35
+ (c) => (Number(c) ^ (this.crypto.getRandomValues(new Uint8Array(1))[0] & (15 >> (Number(c) / 4)))).toString(16));
36
+ }
37
+ /**
38
+ * @param data some data
39
+ * @return the sha256 hash of {@link data}
40
+ */
41
+ sha256(data) {
42
+ return this.crypto.subtle.digest('SHA-256', data);
43
+ }
44
+ /**
45
+ * @param n how many bytes to generate
46
+ * @return an array with n random bytes
47
+ */
48
+ randomBytes(n) {
49
+ const res = new Uint8Array(n);
50
+ this.crypto.getRandomValues(res);
51
+ return res;
52
+ }
53
+ }
54
+ exports.CryptoPrimitives = CryptoPrimitives;
55
+ //# sourceMappingURL=CryptoPrimitives.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"CryptoPrimitives.js","sourceRoot":"","sources":["../../../icc-x-api/crypto/CryptoPrimitives.ts"],"names":[],"mappings":";;;AAAA,+BAAgC;AAChC,+BAAgC;AAChC,qCAAsC;AAEtC;;GAEG;AACH,MAAa,gBAAgB;IAM3B,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,OAAO,CAAA;IACrB,CAAC;IAED,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,OAAO,CAAA;IACrB,CAAC;IAED,IAAI,GAAG;QACL,OAAO,IAAI,CAAC,IAAI,CAAA;IAClB,CAAC;IAED,IAAI,GAAG;QACL,OAAO,IAAI,CAAC,IAAI,CAAA;IAClB,CAAC;IAED,YAAY,SAAiB,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,IAAI,KAAK,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAE,EAAa;QACrI,IAAI,CAAC,OAAO,GAAG,MAAM,CAAA;QACrB,IAAI,CAAC,IAAI,GAAG,IAAI,cAAQ,CAAC,MAAM,CAAC,CAAA;QAChC,IAAI,CAAC,IAAI,GAAG,IAAI,cAAQ,CAAC,MAAM,CAAC,CAAA;QAChC,IAAI,CAAC,OAAO,GAAG,IAAI,oBAAW,CAAC,MAAM,CAAC,CAAA;IACxC,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,GAAG,CAAC,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,CAC5D,QAAQ;QACR,+CAA+C;QAC/C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAE,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,CAAiB,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CACjI,CAAA;IACH,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,IAA8B;QACnC,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;IACnD,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,CAAS;QACnB,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAA;QAC7B,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAA;QAChC,OAAO,GAAG,CAAA;IACZ,CAAC;CACF;AAzDD,4CAyDC","sourcesContent":["import { RSAUtils } from './RSA'\nimport { AESUtils } from './AES'\nimport { ShamirClass } from './shamir'\n\n/**\n * Gives access to cryptographic primitives.\n */\nexport class CryptoPrimitives {\n private readonly _rsa: RSAUtils\n private readonly _aes: AESUtils\n private readonly _shamir: ShamirClass\n private readonly _crypto: Crypto\n\n get crypto(): Crypto {\n return this._crypto\n }\n\n get shamir(): ShamirClass {\n return this._shamir\n }\n\n get RSA(): RSAUtils {\n return this._rsa\n }\n\n get AES(): AESUtils {\n return this._aes\n }\n\n constructor(crypto: Crypto = typeof window !== 'undefined' ? window.crypto : typeof self !== 'undefined' ? self.crypto : ({} as Crypto)) {\n this._crypto = crypto\n this._rsa = new RSAUtils(crypto)\n this._aes = new AESUtils(crypto)\n this._shamir = new ShamirClass(crypto)\n }\n\n /**\n * Generates a UUID using a cryptographically secure random number generator.\n */\n randomUuid() {\n return ((1e7).toString() + -1e3 + -4e3 + -8e3 + -1e11).replace(\n /[018]/g,\n //Keep next inlined or you will lose the random\n (c) => (Number(c) ^ ((this.crypto.getRandomValues(new Uint8Array(1))! as Uint8Array)[0] & (15 >> (Number(c) / 4)))).toString(16)\n )\n }\n\n /**\n * @param data some data\n * @return the sha256 hash of {@link data}\n */\n sha256(data: ArrayBuffer | Uint8Array): Promise<ArrayBuffer> {\n return this.crypto.subtle.digest('SHA-256', data)\n }\n\n /**\n * @param n how many bytes to generate\n * @return an array with n random bytes\n */\n randomBytes(n: number): Uint8Array {\n const res = new Uint8Array(n)\n this.crypto.getRandomValues(res)\n return res\n }\n}\n"]}
@@ -0,0 +1,82 @@
1
+ import { KeyPair } from './RSA';
2
+ import { DataOwner } from '../icc-data-owner-x-api';
3
+ import { CryptoPrimitives } from './CryptoPrimitives';
4
+ /**
5
+ * Allows to customise the behaviour of the crypto api to better suit your needs.
6
+ *
7
+ * An important task which should be done in these crypto strategies is public key verification: in general there is no guarantee that the public keys
8
+ * stored in the iCure database are authentic, i.e. created by the data owner they are associated to. This is because the database admins or a
9
+ * malicious attacker may have added his own public keys to the data owner's public keys.
10
+ * Sharing any kind of data using unverified public keys could potentially cause a data leak: this is why when creating new exchange keys or when
11
+ * creating recovery data only verified keys will be considered. For decrypting existing data instead unverified keys will be used without issues.
12
+ */
13
+ export interface CryptoStrategies {
14
+ /**
15
+ * Method called during initialisation of the crypto API to validate keys recovered through iCure's recovery methods and/or to allow recovery of
16
+ * missing keys using means external to iCure.
17
+ * On startup the iCure sdk will try to load all keys for the current data owner and its parent hierarchy: if the sdk can't find some of the keys
18
+ * for any of the data owners (according to the public keys for the data owner in the iCure server) and/or the sdk could recover some private keys
19
+ * but can't verify the authenticity of the key pairs this method will be called.
20
+ * The recovered and verified keys will automatically be cached using the current api {@link KeyStorageFacade} and {@link StorageFacade}
21
+ *
22
+ * The input is an array containing an object for each data owner part of the current data owner hierarchy. The objects are ordered from the data
23
+ * for the topmost parent of the current data owner hierarchy (first element) to the data for the current data owner (last element). Each object
24
+ * contains:
25
+ * - dataOwner: the data owner entity that this object refers to
26
+ * - unknownKeys: all public keys (in hex-encoded spki format) of `dataOwner` for which the authenticity status (verified or unverified) is unknown
27
+ * (no result was cached from a previous api instantiation and the key was not generated on the current device).
28
+ * - unavailableKeys: all public keys (in hex-encoded spki format) of `dataOwner` for which the sdk could not recover a private key. May overlap
29
+ * (partially or completely) with `unknownKeys`.
30
+ *
31
+ * The returned value must be an object associating to each data owner id an object with:
32
+ * - `recoveredKeys`: all recovered keys (will be automatically considered as verified), by fingerprint.
33
+ * - `keyAuthenticity`: an object associating to each public key fingerprint its authenticity. Note that if any of the keys from `unknownKeys` is
34
+ * completely missing from this object the key will be considered as unverified in this api instance (same as if associated to false), but this
35
+ * value won't be cached (will be again part of `unknownKeys` in future instances.
36
+ * @param keysData all information on unknown and unavailable keys for each data owner part of the current data owner hierarchy.
37
+ * @param cryptoPrimitives cryptographic primitives you can use to support the process.
38
+ * @return all recovered keys and key authenticity information, by data owner.
39
+ */
40
+ recoverAndVerifySelfHierarchyKeys(keysData: {
41
+ dataOwner: DataOwner;
42
+ unknownKeys: string[];
43
+ unavailableKeys: string[];
44
+ }[], cryptoPrimitives: CryptoPrimitives): Promise<{
45
+ [dataOwnerId: string]: {
46
+ recoveredKeys: {
47
+ [keyPairFingerprint: string]: KeyPair<CryptoKey>;
48
+ };
49
+ keyAuthenticity: {
50
+ [keyPairFingerprint: string]: boolean;
51
+ };
52
+ };
53
+ }>;
54
+ /**
55
+ * The correct initialisation of the crypto API requires that at least 1 verified (or device) key pair is available for each data owner part of the
56
+ * current data owner hierarchy. If no verified key is available for any of the data owner parents the api initialisation will automatically fail,
57
+ * however if there is no verified key for the current data owner you can instead create a new crypto key.
58
+ * @param self the current data owner.
59
+ * @param cryptoPrimitives cryptographic primitives you can use to support the process.
60
+ * @return depending on which values you return the api initialisation will proceed differently:
61
+ * - If this method returns true a new key will be automatically generated by the sdk.
62
+ * - If this method returns a key pair the crypto api loads the key pair and considers it as a device key.
63
+ * - If this method returns false the initialisation will fail with a predefined error.
64
+ * - If this method throws an error the initialisation will propagate the error.
65
+ */
66
+ generateNewKeyForDataOwner(self: DataOwner, cryptoPrimitives: CryptoPrimitives): Promise<KeyPair<CryptoKey> | boolean>;
67
+ /**
68
+ * Verifies if the public keys of a data owner which will be the delegate of a new exchange key do actually belong to the person the data owner
69
+ * represents. This method is not called when the delegate would be the current data owner for the api.
70
+ *
71
+ * The user will have to obtain the verified public keys of the delegate from outside iCure, for example by email with another hcp, by checking the
72
+ * personal website of the other user, or by scanning verification qr codes at the doctor office...
73
+ *
74
+ * As long as one of the public keys is verified the creation of a new exchange key will succeed. If no public key is verified the operation will
75
+ * fail.
76
+ * @param delegate the potential data owner delegate.
77
+ * @param publicKeys public keys requiring verification, in spki hex-encoded format.
78
+ * @param cryptoPrimitives cryptographic primitives you can use to support the process.
79
+ * @return all verified public keys, in spki hex-encoded format.
80
+ */
81
+ verifyDelegatePublicKeys(delegate: DataOwner, publicKeys: string[], cryptoPrimitives: CryptoPrimitives): Promise<string[]>;
82
+ }
@@ -0,0 +1,3 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ //# sourceMappingURL=CryptoStrategies.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"CryptoStrategies.js","sourceRoot":"","sources":["../../../icc-x-api/crypto/CryptoStrategies.ts"],"names":[],"mappings":"","sourcesContent":["import { KeyPair } from './RSA'\nimport { DataOwner } from '../icc-data-owner-x-api'\nimport { CryptoPrimitives } from './CryptoPrimitives'\n\n/**\n * Allows to customise the behaviour of the crypto api to better suit your needs.\n *\n * An important task which should be done in these crypto strategies is public key verification: in general there is no guarantee that the public keys\n * stored in the iCure database are authentic, i.e. created by the data owner they are associated to. This is because the database admins or a\n * malicious attacker may have added his own public keys to the data owner's public keys.\n * Sharing any kind of data using unverified public keys could potentially cause a data leak: this is why when creating new exchange keys or when\n * creating recovery data only verified keys will be considered. For decrypting existing data instead unverified keys will be used without issues.\n */\nexport interface CryptoStrategies {\n /**\n * Method called during initialisation of the crypto API to validate keys recovered through iCure's recovery methods and/or to allow recovery of\n * missing keys using means external to iCure.\n * On startup the iCure sdk will try to load all keys for the current data owner and its parent hierarchy: if the sdk can't find some of the keys\n * for any of the data owners (according to the public keys for the data owner in the iCure server) and/or the sdk could recover some private keys\n * but can't verify the authenticity of the key pairs this method will be called.\n * The recovered and verified keys will automatically be cached using the current api {@link KeyStorageFacade} and {@link StorageFacade}\n *\n * The input is an array containing an object for each data owner part of the current data owner hierarchy. The objects are ordered from the data\n * for the topmost parent of the current data owner hierarchy (first element) to the data for the current data owner (last element). Each object\n * contains:\n * - dataOwner: the data owner entity that this object refers to\n * - unknownKeys: all public keys (in hex-encoded spki format) of `dataOwner` for which the authenticity status (verified or unverified) is unknown\n * (no result was cached from a previous api instantiation and the key was not generated on the current device).\n * - unavailableKeys: all public keys (in hex-encoded spki format) of `dataOwner` for which the sdk could not recover a private key. May overlap\n * (partially or completely) with `unknownKeys`.\n *\n * The returned value must be an object associating to each data owner id an object with:\n * - `recoveredKeys`: all recovered keys (will be automatically considered as verified), by fingerprint.\n * - `keyAuthenticity`: an object associating to each public key fingerprint its authenticity. Note that if any of the keys from `unknownKeys` is\n * completely missing from this object the key will be considered as unverified in this api instance (same as if associated to false), but this\n * value won't be cached (will be again part of `unknownKeys` in future instances.\n * @param keysData all information on unknown and unavailable keys for each data owner part of the current data owner hierarchy.\n * @param cryptoPrimitives cryptographic primitives you can use to support the process.\n * @return all recovered keys and key authenticity information, by data owner.\n */\n recoverAndVerifySelfHierarchyKeys(\n keysData: {\n dataOwner: DataOwner\n unknownKeys: string[]\n unavailableKeys: string[]\n }[],\n cryptoPrimitives: CryptoPrimitives\n ): Promise<{\n [dataOwnerId: string]: {\n recoveredKeys: { [keyPairFingerprint: string]: KeyPair<CryptoKey> }\n keyAuthenticity: { [keyPairFingerprint: string]: boolean }\n }\n }>\n\n /**\n * The correct initialisation of the crypto API requires that at least 1 verified (or device) key pair is available for each data owner part of the\n * current data owner hierarchy. If no verified key is available for any of the data owner parents the api initialisation will automatically fail,\n * however if there is no verified key for the current data owner you can instead create a new crypto key.\n * @param self the current data owner.\n * @param cryptoPrimitives cryptographic primitives you can use to support the process.\n * @return depending on which values you return the api initialisation will proceed differently:\n * - If this method returns true a new key will be automatically generated by the sdk.\n * - If this method returns a key pair the crypto api loads the key pair and considers it as a device key.\n * - If this method returns false the initialisation will fail with a predefined error.\n * - If this method throws an error the initialisation will propagate the error.\n */\n generateNewKeyForDataOwner(self: DataOwner, cryptoPrimitives: CryptoPrimitives): Promise<KeyPair<CryptoKey> | boolean>\n\n /**\n * Verifies if the public keys of a data owner which will be the delegate of a new exchange key do actually belong to the person the data owner\n * represents. This method is not called when the delegate would be the current data owner for the api.\n *\n * The user will have to obtain the verified public keys of the delegate from outside iCure, for example by email with another hcp, by checking the\n * personal website of the other user, or by scanning verification qr codes at the doctor office...\n *\n * As long as one of the public keys is verified the creation of a new exchange key will succeed. If no public key is verified the operation will\n * fail.\n * @param delegate the potential data owner delegate.\n * @param publicKeys public keys requiring verification, in spki hex-encoded format.\n * @param cryptoPrimitives cryptographic primitives you can use to support the process.\n * @return all verified public keys, in spki hex-encoded format.\n */\n verifyDelegatePublicKeys(delegate: DataOwner, publicKeys: string[], cryptoPrimitives: CryptoPrimitives): Promise<string[]>\n}\n"]}
@@ -0,0 +1,254 @@
1
+ import { Delegation, EncryptedEntity, EncryptedEntityStub } from '../../icc-api/model/models';
2
+ import { IccDataOwnerXApi } from '../icc-data-owner-x-api';
3
+ import { ExchangeKeysManager } from './ExchangeKeysManager';
4
+ import { CryptoPrimitives } from './CryptoPrimitives';
5
+ import { ShareMetadataBehaviour } from './ShareMetadataBehaviour';
6
+ /**
7
+ * @internal this class is for internal use only and may be changed without notice
8
+ * Give access to functions for retrieving encryption metadata of entities.
9
+ */
10
+ export declare class EntitiesEncryption {
11
+ private readonly primitives;
12
+ private readonly dataOwnerApi;
13
+ private readonly exchangeKeysManager;
14
+ constructor(primitives: CryptoPrimitives, dataOwnerApi: IccDataOwnerXApi, exchangeKeysManager: ExchangeKeysManager);
15
+ /**
16
+ * Get the encryption keys of an entity that the provided data owner can access, potentially using the keys for his parent.
17
+ * There should only be one encryption key for each entity, but the method supports more to allow to deal with conflicts and merged duplicate data.
18
+ * @param entity an encrypted entity.
19
+ * @param dataOwnerId optionally a data owner part of the hierarchy for the current data owner, defaults to the current data owner.
20
+ * @param tagsFilter allows to obtain only encryption keys associated to tags which satisfy the provided filter.
21
+ * @return the encryption keys that the provided data owner can decrypt, deduplicated.
22
+ */
23
+ encryptionKeysOf(entity: EncryptedEntity | EncryptedEntityStub, dataOwnerId?: string, tagsFilter?: (tags: string[]) => Promise<boolean>): Promise<string[]>;
24
+ /**
25
+ * Get the encryption keys of an entity that the current data owner and his parents can access. The resulting array contains the keys for each data
26
+ * owner in the hierarchy which can be decrypted using only that data owner keys (excludes keys accessible through the parent keys). The order of
27
+ * the array is the same as in {@link IccDataOwnerXApi.getCurrentDataOwnerHierarchyIds}.
28
+ * Note that different data owners may have access to the same keys, but the keys extracted for each data owner are deduplicated.
29
+ * There should only be one encryption key for each entity, but the method supports more to allow to deal with conflicts and merged duplicate data.
30
+ * @param entity an encrypted entity.
31
+ * @param tagsFilter allows to obtain only encryption keys associated to tags which satisfy the provided filter.
32
+ * @return the encryption keys that each member of the current data owner hierarchy can decrypt using only his keys and not keys of his parents.
33
+ */
34
+ encryptionKeysForHcpHierarchyOf(entity: EncryptedEntity | EncryptedEntityStub, tagsFilter?: (tags: string[]) => Promise<boolean>): Promise<{
35
+ ownerId: string;
36
+ extracted: string[];
37
+ }[]>;
38
+ /**
39
+ * Get the secret ids (SFKs) of an entity that the provided data owner can access, potentially using the keys for his parent.
40
+ * @param entity an encrypted entity.
41
+ * @param dataOwnerId optionally a data owner part of the hierarchy for the current data owner, defaults to the current data owner.
42
+ * @param tagsFilter allows to obtain only secret ids associated to tags which satisfy the provided filter.
43
+ * @return the secret ids (SFKs) that the provided data owner can decrypt, deduplicated.
44
+ */
45
+ secretIdsOf(entity: EncryptedEntity | EncryptedEntityStub, dataOwnerId?: string, tagsFilter?: (tags: string[]) => Promise<boolean>): Promise<string[]>;
46
+ /**
47
+ * Get the secret ids (SFKs) of an entity that the current data owner and his parents can access. The resulting array contains the ids for each data
48
+ * owner in the hierarchy which can be decrypted using only that data owner keys (excludes ids accessible through the parent keys). The order of
49
+ * the array is the same as in {@link IccDataOwnerXApi.getCurrentDataOwnerHierarchyIds}.
50
+ * Note that different data owners may have access to the same secret ids, but the secret ids extracted for each data owner are deduplicated.
51
+ * @param entity an encrypted entity.
52
+ * @param tagsFilter allows to obtain only secret ids associated to tags which satisfy the provided filter.
53
+ * @return the secret ids that each member of the current data owner hierarchy can decrypt using only his keys and not keys of his parents.
54
+ */
55
+ secretIdsForHcpHierarchyOf(entity: EncryptedEntity | EncryptedEntityStub, tagsFilter?: (tags: string[]) => Promise<boolean>): Promise<{
56
+ ownerId: string;
57
+ extracted: string[];
58
+ }[]>;
59
+ /**
60
+ * Get the decrypted owning entity ids (formerly CFKs) for the provided entity that can be decrypted using the private keys of the current data
61
+ * owner and his parents. The owning entity id would be, for example, the id of a patient for contact and healthcare elements, or the id of a
62
+ * message for documents.
63
+ * There should only be one owning entity id for each entity, but the method supports more to allow to deal with conflicts and merged duplicate
64
+ * data.
65
+ * @param entity an encrypted entity.
66
+ * @param dataOwnerId optionally a data owner part of the hierarchy for the current data owner, defaults to the current data owner.
67
+ * @param tagsFilter allows to obtain only owning entity ids associated to tags which satisfy the provided filter.
68
+ * @return the owning entity ids (CFKs) that the provided data owner can decrypt, deduplicated.
69
+ */
70
+ owningEntityIdsOf(entity: EncryptedEntity | EncryptedEntityStub, dataOwnerId?: string, tagsFilter?: (tags: string[]) => Promise<boolean>): Promise<string[]>;
71
+ /**
72
+ * Get the decrypted owning entity ids (formerly CFKs) for the provided entity that can be decrypted using the private keys of the current data
73
+ * owner and his parents. The owning entity id would be, for example, the id of a patient for contact and healthcare elements, or the id of a
74
+ * message for documents.
75
+ * The resulting array contains the ids for each data owner in the hierarchy which can be decrypted using only that data owner keys (excludes ids
76
+ * accessible through the parent keys). The order of the array is the same as in {@link IccDataOwnerXApi.getCurrentDataOwnerHierarchyIds}.
77
+ * Note that different data owners may have access to the same owning entity ids, but the owning entity ids extracted for each data owner are
78
+ * deduplicated in case they could be accessed through different delegations.
79
+ * There should only be one owning entity id for each entity, but the method supports more to allow to deal with conflicts and merged duplicate
80
+ * data.
81
+ * @param entity an encrypted entity.
82
+ * @param tagsFilter allows to obtain only owning entity ids associated to tags which satisfy the provided filter.
83
+ * @return the owning entity ids that each member of the current data owner hierarchy can decrypt using only his keys and not keys of his parents.
84
+ */
85
+ owningEntityIdsForHcpHierarchyOf(entity: EncryptedEntity | EncryptedEntityStub, tagsFilter?: (tags: string[]) => Promise<boolean>): Promise<{
86
+ ownerId: string;
87
+ extracted: string[];
88
+ }[]>;
89
+ /**
90
+ * @internal this method is intended only for internal use and may be changed without notice.
91
+ * Initializes encryption metadata for an entity. This includes the encrypted secret id, owning entity id, and encryption key for the entity, and
92
+ * the clear text secret foreign key of the parent entity.
93
+ * This method returns a modified copy of the entity.
94
+ * @param entity entity which requires encryption metadata initialisation.
95
+ * @param owningEntity id of the owning entity, if any (e.g. patient id for Contact/HealtchareElement, message id for Document, ...).
96
+ * @param owningEntitySecretId secret id of the parent entity, to use in the secret foreign keys for the provided entity, if any.
97
+ * @param initialiseEncryptionKeys if false this method will not initialize any encryption keys. Use only for entities which use delegations for
98
+ * access control but don't actually have any encrypted content.
99
+ * @param additionalDelegations automatically shares the
100
+ * @param tags tags to associate with the initial encryption keys and metadata
101
+ * @throws if the entity already has non-empty values for encryption metadata.
102
+ * @return an updated copy of the entity.
103
+ */
104
+ entityWithInitialisedEncryptedMetadata<T extends EncryptedEntity>(entity: T, owningEntity: string | undefined, owningEntitySecretId: string | undefined, initialiseEncryptionKeys: boolean, additionalDelegations?: string[], tags?: string[]): Promise<{
105
+ updatedEntity: T;
106
+ rawEncryptionKey: string | undefined;
107
+ secretId: string;
108
+ }>;
109
+ entityWithAutoExtendedEncryptedMetadata<T extends EncryptedEntity>(entity: T, delegateId: string, shareSecretIds: string[] | undefined, shareEncryptionKeys: ShareMetadataBehaviour | undefined, shareOwningEntityIds: ShareMetadataBehaviour | undefined): Promise<T>;
110
+ /**
111
+ * Updates encryption metadata for an entity in order to share it with a delegate or in order to add additional encrypted metadata for an existing
112
+ * delegate.
113
+ * The first time this method is used for a specific delegate it will give access to all unencrypted content of the entity to the delegate data
114
+ * owner. Additionally, this method also allows to share new or existing secret ids (shareSecretId), encryption keys (shareEncryptionKeys) and
115
+ * owning entity ids (shareOwningEntityIds) for the entity.
116
+ * You can use methods like {@link secretIdsOf}, {@link secretIdsForHcpHierarchyOf}, {@link encryptionKeysOf}, ... to retrieve the data you want to
117
+ * share. In most cases you may want to share everything related to the entity, but note that if you use confidential delegations for patients you
118
+ * may want to avoid sharing the confidential secret ids of the current user with other hcps.
119
+ * This method returns a modified copy of the entity.
120
+ * @param entity entity which requires encryption metadata initialisation.
121
+ * @param delegateId id of the delegate to share data with.
122
+ * @param shareSecretIds secret ids to share.
123
+ * @param shareEncryptionKeys encryption keys to share.
124
+ * @param shareOwningEntityIds owning enttiy ids to share.
125
+ * @param newTags tags to associate with the new encryption keys and metadata. Existing data won't be changed.
126
+ * @throws if any of the shareX parameters is set to `true` but the corresponding piece of data could not be retrieved.
127
+ * @return an updated copy of the entity.
128
+ */
129
+ entityWithExtendedEncryptedMetadata<T extends EncryptedEntity>(entity: T, delegateId: string, shareSecretIds: string[], shareEncryptionKeys: string[], shareOwningEntityIds: string[], newTags?: string[]): Promise<T>;
130
+ /**
131
+ * Encrypts data using a key of the entity that the provided data owner can access (current data owner by default). If the provided data owner can
132
+ * access multiple encryption keys of the entity there is no guarantee on which key will be used.
133
+ * Note: you should not use this method to encrypt the `encryptedSelf` of iCure entities, since that will be automatically handled by the extended
134
+ * apis. You should use this method only to encrypt additional data, such as document attachments.
135
+ * @param entity an entity.
136
+ * @param content data of the entity which you want to encrypt.
137
+ * @param dataOwnerId optionally a data owner part of the hierarchy for the current data owner, defaults to the current data owner.
138
+ * @param tagsFilter allows to use for encryption only keys associated to tags which pass the filter.
139
+ * @return the encrypted data.
140
+ * @throws if the provided data owner can't access any encryption keys for the entity.
141
+ */
142
+ encryptDataOf(entity: EncryptedEntity | EncryptedEntityStub, content: ArrayBuffer | Uint8Array, dataOwnerId?: string, tagsFilter?: (tags: string[]) => Promise<boolean>): Promise<ArrayBuffer>;
143
+ /**
144
+ * Decrypts data using a key of the entity that the provided data owner can access (current data owner by default). If the provided data owner can
145
+ * access multiple encryption keys each of them will be tried for decryption until one of them gives a result that is valid according to the
146
+ * provided validator.
147
+ * Note: you should not use this method to decrypt the `encryptedSelf` of iCure entities, since that will be automatically handled by the extended
148
+ * apis. You should use this method only to decrypt additional data, such as document attachments.
149
+ * @param entity an entity.
150
+ * @param content data of the entity which you want to decrypt.
151
+ * @param dataOwnerId optionally a data owner part of the hierarchy for the current data owner, defaults to the current data owner.
152
+ * @param validator a function which verifies the correctness of decrypted content: helps to identify decryption with the wrong key without relying
153
+ * solely on padding.
154
+ * @param tagsFilter allows to use for decryption only keys associated to tags which pass the filter.
155
+ * @return the decrypted data.
156
+ * @throws if the provided data owner can't access any encryption keys for the entity, or if no key could be found which provided valid decrypted
157
+ * content according to the validator.
158
+ */
159
+ decryptDataOf(entity: EncryptedEntity | EncryptedEntityStub, content: ArrayBuffer | Uint8Array, validator?: (decryptedData: ArrayBuffer) => Promise<boolean>, dataOwnerId?: string, tagsFilter?: (tags: string[]) => Promise<boolean>): Promise<ArrayBuffer>;
160
+ /**
161
+ * @internal this method is intended for internal use only and may be changed without notice.
162
+ * Decrypts the content of an encrypted entity.
163
+ */
164
+ decryptEntity<T extends EncryptedEntity>(entity: T, ownerId: string, constructor: (json: any) => T): Promise<{
165
+ entity: T;
166
+ decrypted: boolean;
167
+ }>;
168
+ /**
169
+ * @internal this method is intended for internal use only and may be changed without notice.
170
+ * Tries using the provided keys to decrypt some json.
171
+ */
172
+ tryDecryptJson(potentialKeys: {
173
+ key: CryptoKey;
174
+ raw: string;
175
+ }[], encrypted: Uint8Array, truncateTrailingDecryptedNulls: boolean): Promise<{} | undefined>;
176
+ /**
177
+ * @internal this method is intended for internal use only and may be changed without notice.
178
+ * Tries to encrypt the content of an encrypted entity.
179
+ * 1. If valid key for encryption is found the method returns the entity with the encrypted fields specified by cryptedKeys
180
+ * 2. If requireEncryption is true and no key could be found for encryption of the entity the method fails.
181
+ * 3. If requireEncryption is false and no key could be found for encryption the method will only check that the entity does not specify any value
182
+ * for fields which should be encrypted according to cryptedKeys (e.g. note in a patient by default). If the entity specifies a value for any field
183
+ * which should be encrypted the method throws an error, otherwise the method returns the original entity.
184
+ */
185
+ tryEncryptEntity<T extends EncryptedEntity>(entity: T, dataOwnerId: string, cryptedKeys: string[], encodeBinaryData: boolean, requireEncryption: boolean, constructor: (json: any) => T): Promise<T>;
186
+ /**
187
+ * @internal This method is for internal use only and may be changed without notice.
188
+ * Ensures that the encryption keys of an entity are initialised. If not will throw an exception or initialise them depending on the content of
189
+ * the entity. This function supports migration of entities using older encryption schemes (delegation only without encrypted keys) or entities
190
+ * which were previously not encrypted.
191
+ */
192
+ ensureEncryptionKeysInitialised<T extends EncryptedEntity>(entity: T): Promise<T>;
193
+ /**
194
+ * Get the decrypted content of a delegation-like object which the provided data owner would be able to access using ONLY HIS EXCHANGE KEYS (does
195
+ * not consider exchange keys for parents).
196
+ * Note that the retrieved exchange keys are decrypted using the private keys available on the device, and results may vary from other devices.
197
+ * @param dataOwnerId id of a data owner, he should be part of the current data owner hierarchy.
198
+ * @param delegations a delegation-like object containing the encrypted key
199
+ * @param includeFromDelegations if true also considers delegation from the provided data owner (or parents) to look for values. This allows to
200
+ * decrypt delegations associated to exchange keys recovered after a giveAccessBack request.
201
+ * @param validateDecrypted validates the decrypted result, to drop decryption results with wrong key that still gave a valid checksum.
202
+ * @param tagsFilter allows to obtain only encryption keys associated to tags which satisfy the provided filter.
203
+ * @return the key which could be decrypted using only keys available on the current device and delegations from/to the provided data owner. May
204
+ * contain duplicates.
205
+ */
206
+ private extractFromDelegationsForDataOwner;
207
+ private populateDelegatedTo;
208
+ private extractedHierarchyFromDelegation;
209
+ /**
210
+ * @internal This method should be private but is currently public/internal to allow to continue supporting legacy methods
211
+ */
212
+ extractMergedHierarchyFromDelegationAndOwner(delegations: {
213
+ [delegateId: string]: Delegation[];
214
+ }, dataOwnerId: string | undefined, validateDecrypted: (result: string) => boolean | Promise<boolean>, tagsFilter: (tags: string[]) => Promise<boolean>): Promise<string[]>;
215
+ private tryDecryptDelegation;
216
+ private tryImportKey;
217
+ /**
218
+ * @internal this method is for internal use only and may be changed without notice.
219
+ */
220
+ importFirstValidKey(keys: string[], entityId: string): Promise<{
221
+ key: CryptoKey;
222
+ raw: string;
223
+ }>;
224
+ private tryImportFirstValidKey;
225
+ /**
226
+ * @internal this method is for internal use only and may be changed without notice.
227
+ */
228
+ importAllValidKeys(keys: string[]): Promise<{
229
+ key: CryptoKey;
230
+ raw: string;
231
+ }[]>;
232
+ private validateEncryptionKey;
233
+ private validateSecretId;
234
+ private validateOwningEntityId;
235
+ private createEncryptionKeyDelegation;
236
+ private createSecretIdDelegation;
237
+ private createOwningEntityIdDelegation;
238
+ private createDelegation;
239
+ private loadEncryptionKeysForDelegates;
240
+ private createOrUpdateEntityDelegations;
241
+ /**
242
+ * De-duplicates all currently accessible delegations, by removing any delegations created by the current data owner which have duplicated content,
243
+ * and checks if any of the required entries are currently available to the delegate through the existing delegations.
244
+ * @param delegateId id of the delegate.
245
+ * @param allDelegations delegations of the entity.
246
+ * @param requiredEntries potentially new entries that the delegate needs to be able to access from the delegations.
247
+ * @param validateDecrypted validator for decrypted delegation content
248
+ * @return the deduplicated delegations
249
+ */
250
+ private deduplicateDelegationsAndFilterRequiredEntries;
251
+ private deduplicate;
252
+ private throwDetailedExceptionForInvalidParameter;
253
+ private checkEmptyEncryptionMetadata;
254
+ }