@peerbit/identity-access-controller 1.0.2

package/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2021 dao.xyz
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

package/README.md

@@ -0,0 +1,11 @@
+# "Chain agnostic" Access Controller
+## 🚧 Experimental state 🚧
+
+An access controller that supports different layers of controll and fallbacks. 
+
+- A store containing ACL information, for example what public key can read and write
+- A distributed relation store that lets you use linked devices to get access
+- A fallback trusted network access controller that lets you have access if you are trusted by the root trust identity
+
+
+As of know, go through the test for documentation

package/lib/esm/access.d.ts

@@ -0,0 +1,20 @@
+import { AccessCondition } from "./condition";
+export declare enum AccessType {
+    Any = 0,
+    Read = 1,
+    Write = 2
+}
+export declare class AccessData {
+}
+export declare class Access extends AccessData {
+    id: string;
+    accessTypes: AccessType[];
+    accessCondition: AccessCondition<any>;
+    constructor(options?: {
+        accessTypes: AccessType[];
+        accessCondition: AccessCondition<any>;
+    });
+    calculateId(): string;
+    initialize(): Access;
+    assertId(): void;
+}

package/lib/esm/access.js

@@ -0,0 +1,74 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var Access_1;
+import { field, option, variant, vec } from "@dao-xyz/borsh";
+import { serialize } from "@dao-xyz/borsh";
+import { AccessCondition } from "./condition";
+import { toBase64 } from "@peerbit/crypto";
+export var AccessType;
+(function (AccessType) {
+    AccessType[AccessType["Any"] = 0] = "Any";
+    AccessType[AccessType["Read"] = 1] = "Read";
+    AccessType[AccessType["Write"] = 2] = "Write";
+})(AccessType || (AccessType = {}));
+export let AccessData = class AccessData {
+};
+AccessData = __decorate([
+    variant(0)
+], AccessData);
+export let Access = Access_1 = class Access extends AccessData {
+    id;
+    accessTypes;
+    accessCondition;
+    constructor(options) {
+        super();
+        if (options) {
+            this.accessTypes = options.accessTypes;
+            this.accessCondition = options.accessCondition;
+            this.initialize();
+        }
+    }
+    calculateId() {
+        if (!this.accessTypes || !this.accessCondition) {
+            throw new Error("Not initialized");
+        }
+        const a = new Access_1();
+        a.accessCondition = this.accessCondition;
+        a.accessTypes = this.accessTypes;
+        return toBase64(serialize(a));
+    }
+    initialize() {
+        this.id = this.calculateId();
+        return this;
+    }
+    assertId() {
+        const calculatedId = this.calculateId();
+        if (this.id !== calculatedId) {
+            throw new Error(`Invalid id, got ${this.id} but expected ${calculatedId}`);
+        }
+    }
+};
+__decorate([
+    field({ type: option("string") }),
+    __metadata("design:type", String)
+], Access.prototype, "id", void 0);
+__decorate([
+    field({ type: vec("u8") }),
+    __metadata("design:type", Array)
+], Access.prototype, "accessTypes", void 0);
+__decorate([
+    field({ type: AccessCondition }),
+    __metadata("design:type", AccessCondition)
+], Access.prototype, "accessCondition", void 0);
+Access = Access_1 = __decorate([
+    variant(0),
+    __metadata("design:paramtypes", [Object])
+], Access);
+//# sourceMappingURL=access.js.map

package/lib/esm/access.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.js","sourceRoot":"","sources":["../../src/access.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAC7D,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE3C,MAAM,CAAN,IAAY,UAIX;AAJD,WAAY,UAAU;IACrB,yCAAO,CAAA;IACP,2CAAQ,CAAA;IACR,6CAAS,CAAA;AACV,CAAC,EAJW,UAAU,KAAV,UAAU,QAIrB;AAGM,WAAM,UAAU,GAAhB,MAAM,UAAU;CAAG,CAAA;AAAb,UAAU;IADtB,OAAO,CAAC,CAAC,CAAC;GACE,UAAU,CAAG;AAGnB,WAAM,MAAM,cAAZ,MAAM,MAAO,SAAQ,UAAU;IAErC,EAAE,CAAS;IAGX,WAAW,CAAe;IAG1B,eAAe,CAAuB;IAEtC,YAAY,OAGX;QACA,KAAK,EAAE,CAAC;QACR,IAAI,OAAO,EAAE;YACZ,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;YACvC,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;YAC/C,IAAI,CAAC,UAAU,EAAE,CAAC;SAClB;IACF,CAAC;IAED,WAAW;QACV,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YAC/C,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;SACnC;QACD,MAAM,CAAC,GAAG,IAAI,QAAM,EAAE,CAAC;QACvB,CAAC,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;QACzC,CAAC,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;QACjC,OAAO,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,CAAC;IAED,UAAU;QACT,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IACb,CAAC;IAED,QAAQ;QACP,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QACxC,IAAI,IAAI,CAAC,EAAE,KAAK,YAAY,EAAE;YAC7B,MAAM,IAAI,KAAK,CACd,mBAAmB,IAAI,CAAC,EAAE,iBAAiB,YAAY,EAAE,CACzD,CAAC;SACF;IACF,CAAC;CACD,CAAA;AA3CA;IADC,KAAK,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;;kCACvB;AAGX;IADC,KAAK,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;;2CACD;AAG1B;IADC,KAAK,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC;8BAChB,eAAe;+CAAM;AAR1B,MAAM;IADlB,OAAO,CAAC,CAAC,CAAC;;GACE,MAAM,CA6ClB"}

package/lib/esm/acl-db.d.ts

@@ -0,0 +1,23 @@
+import { Documents } from "@peerbit/document";
+import { TrustedNetwork, IdentityGraph } from "@peerbit/trusted-network";
+import { Access } from "./access";
+import { Entry } from "@peerbit/log";
+import { PublicSignKey } from "@peerbit/crypto";
+import { Program } from "@peerbit/program";
+import { PeerId } from "@libp2p/interface-peer-id";
+import { SubscriptionType } from "@peerbit/shared-log";
+export declare class IdentityAccessController extends Program {
+    access: Documents<Access>;
+    identityGraphController: IdentityGraph;
+    trustedNetwork: TrustedNetwork;
+    constructor(opts: {
+        id?: Uint8Array;
+        rootTrust: PublicSignKey | PeerId;
+        trustedNetwork?: TrustedNetwork;
+    });
+    canRead(s: PublicSignKey | undefined): Promise<boolean>;
+    canAppend(entry: Entry<any>): Promise<boolean>;
+    open(properties?: {
+        role?: SubscriptionType;
+    }): Promise<void>;
+}

package/lib/esm/acl-db.js

@@ -0,0 +1,150 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { field, variant } from "@dao-xyz/borsh";
+import { Documents, DocumentIndex } from "@peerbit/document";
+import { getPathGenerator, TrustedNetwork, getFromByTo, IdentityGraph, createIdentityGraphStore, } from "@peerbit/trusted-network";
+import { Access, AccessType } from "./access";
+import { sha256Sync } from "@peerbit/crypto";
+import { Program } from "@peerbit/program";
+import { RPC } from "@peerbit/rpc";
+import { concat } from "uint8arrays";
+export let IdentityAccessController = class IdentityAccessController extends Program {
+    access;
+    identityGraphController;
+    trustedNetwork;
+    constructor(opts) {
+        super();
+        if (!opts.trustedNetwork && !opts.rootTrust) {
+            throw new Error("Expecting either TrustedNetwork or rootTrust");
+        }
+        this.access = new Documents({
+            id: opts.id && sha256Sync(concat([opts.id, new Uint8Array([0])])),
+            index: new DocumentIndex({
+                query: new RPC(),
+            }),
+        });
+        this.trustedNetwork = opts.trustedNetwork
+            ? opts.trustedNetwork
+            : new TrustedNetwork({
+                id: opts.id && sha256Sync(concat([opts.id, new Uint8Array([1])])),
+                rootTrust: opts.rootTrust,
+            });
+        this.identityGraphController = new IdentityGraph({
+            relationGraph: createIdentityGraphStore(opts.id && sha256Sync(concat([opts.id, new Uint8Array([2])]))),
+        });
+    }
+    // allow anyone write to the ACL db, but assume entry is invalid until a verifier verifies
+    // can append will be anyone who has peformed some proof of work
+    // or
+    // custom can append
+    async canRead(s) {
+        // TODO, improve, caching etc
+        if (!s) {
+            return false;
+        }
+        // Check whether it is trusted by trust web
+        if (await this.trustedNetwork.isTrusted(s)) {
+            return true;
+        }
+        // Else check whether its trusted by this access controller
+        const canReadCheck = async (key) => {
+            for (const value of this.access.index.index.values()) {
+                const access = value.value;
+                if (access instanceof Access) {
+                    if (access.accessTypes.find((x) => x === AccessType.Any || x === AccessType.Read) !== undefined) {
+                        // check condition
+                        if (await access.accessCondition.allowed(key)) {
+                            return true;
+                        }
+                        continue;
+                    }
+                }
+            }
+        };
+        if (await canReadCheck(s)) {
+            return true;
+        }
+        for await (const trustedByKey of getPathGenerator(s, this.identityGraphController.relationGraph, getFromByTo)) {
+            if (await canReadCheck(trustedByKey.from)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    async canAppend(entry) {
+        // TODO, improve, caching etc
+        // Check whether it is trusted by trust web
+        const canAppendByKey = async (key) => {
+            if (await this.trustedNetwork.isTrusted(key)) {
+                return true;
+            }
+            // Else check whether its trusted by this access controller
+            const canWriteCheck = async (key) => {
+                for (const value of this.access.index.index.values()) {
+                    const access = value.value;
+                    if (access instanceof Access) {
+                        if (access.accessTypes.find((x) => x === AccessType.Any || x === AccessType.Write) !== undefined) {
+                            // check condition
+                            if (await access.accessCondition.allowed(key)) {
+                                return true;
+                            }
+                            continue;
+                        }
+                    }
+                }
+            };
+            if (await canWriteCheck(key)) {
+                return true;
+            }
+            for await (const trustedByKey of getPathGenerator(key, this.identityGraphController.relationGraph, getFromByTo)) {
+                if (await canWriteCheck(trustedByKey.from)) {
+                    return true;
+                }
+            }
+            return false;
+        };
+        for (const key of await entry.getPublicKeys()) {
+            if (await canAppendByKey(key)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    async open(properties) {
+        await this.identityGraphController.open({
+            role: properties?.role,
+            canRead: this.canRead.bind(this),
+        });
+        await this.access.open({
+            role: properties?.role,
+            type: Access,
+            canAppend: this.canAppend.bind(this),
+            canRead: this.canRead.bind(this),
+        });
+        await this.trustedNetwork.open(properties);
+    }
+};
+__decorate([
+    field({ type: Documents }),
+    __metadata("design:type", Documents)
+], IdentityAccessController.prototype, "access", void 0);
+__decorate([
+    field({ type: IdentityGraph }),
+    __metadata("design:type", IdentityGraph)
+], IdentityAccessController.prototype, "identityGraphController", void 0);
+__decorate([
+    field({ type: TrustedNetwork }),
+    __metadata("design:type", TrustedNetwork)
+], IdentityAccessController.prototype, "trustedNetwork", void 0);
+IdentityAccessController = __decorate([
+    variant("identity_acl"),
+    __metadata("design:paramtypes", [Object])
+], IdentityAccessController);
+//# sourceMappingURL=acl-db.js.map

package/lib/esm/acl-db.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"acl-db.js","sourceRoot":"","sources":["../../src/acl-db.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAC7D,OAAO,EACN,gBAAgB,EAChB,cAAc,EACd,WAAW,EACX,aAAa,EACb,wBAAwB,GACxB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAE9C,OAAO,EAAiB,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAC3C,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AAEnC,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAI9B,WAAM,wBAAwB,GAA9B,MAAM,wBAAyB,SAAQ,OAAO;IAEpD,MAAM,CAAoB;IAG1B,uBAAuB,CAAgB;IAGvC,cAAc,CAAiB;IAE/B,YAAY,IAIX;QACA,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE;YAC5C,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;SAChE;QACD,IAAI,CAAC,MAAM,GAAG,IAAI,SAAS,CAAC;YAC3B,EAAE,EAAE,IAAI,CAAC,EAAE,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACjE,KAAK,EAAE,IAAI,aAAa,CAAC;gBACxB,KAAK,EAAE,IAAI,GAAG,EAAE;aAChB,CAAC;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc;YACxC,CAAC,CAAC,IAAI,CAAC,cAAc;YACrB,CAAC,CAAC,IAAI,cAAc,CAAC;gBACnB,EAAE,EAAE,IAAI,CAAC,EAAE,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACjE,SAAS,EAAE,IAAI,CAAC,SAAS;aACxB,CAAC,CAAC;QACN,IAAI,CAAC,uBAAuB,GAAG,IAAI,aAAa,CAAC;YAChD,aAAa,EAAE,wBAAwB,CACtC,IAAI,CAAC,EAAE,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAC7D;SACD,CAAC,CAAC;IACJ,CAAC;IAED,0FAA0F;IAC1F,gEAAgE;IAEhE,KAAK;IAEL,oBAAoB;IAEpB,KAAK,CAAC,OAAO,CAAC,CAA4B;QACzC,6BAA6B;QAE7B,IAAI,CAAC,CAAC,EAAE;YACP,OAAO,KAAK,CAAC;SACb;QAED,2CAA2C;QAC3C,IAAI,MAAM,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE;YAC3C,OAAO,IAAI,CAAC;SACZ;QAED,2DAA2D;QAC3D,MAAM,YAAY,GAAG,KAAK,EAAE,GAAkB,EAAE,EAAE;YACjD,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE;gBACrD,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC;gBAC3B,IAAI,MAAM,YAAY,MAAM,EAAE;oBAC7B,IACC,MAAM,CAAC,WAAW,CAAC,IAAI,CACtB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,UAAU,CAAC,GAAG,IAAI,CAAC,KAAK,UAAU,CAAC,IAAI,CACpD,KAAK,SAAS,EACd;wBACD,kBAAkB;wBAClB,IAAI,MAAM,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE;4BAC9C,OAAO,IAAI,CAAC;yBACZ;wBACD,SAAS;qBACT;iBACD;aACD;QACF,CAAC,CAAC;QAEF,IAAI,MAAM,YAAY,CAAC,CAAC,CAAC,EAAE;YAC1B,OAAO,IAAI,CAAC;SACZ;QACD,IAAI,KAAK,EAAE,MAAM,YAAY,IAAI,gBAAgB,CAChD,CAAC,EACD,IAAI,CAAC,uBAAuB,CAAC,aAAa,EAC1C,WAAW,CACX,EAAE;YACF,IAAI,MAAM,YAAY,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE;gBAC1C,OAAO,IAAI,CAAC;aACZ;SACD;QAED,OAAO,KAAK,CAAC;IACd,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,KAAiB;QAChC,6BAA6B;QAE7B,2CAA2C;QAC3C,MAAM,cAAc,GAAG,KAAK,EAAE,GAAkB,EAAoB,EAAE;YACrE,IAAI,MAAM,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE;gBAC7C,OAAO,IAAI,CAAC;aACZ;YACD,2DAA2D;YAC3D,MAAM,aAAa,GAAG,KAAK,EAAE,GAAkB,EAAE,EAAE;gBAClD,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE;oBACrD,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC;oBAC3B,IAAI,MAAM,YAAY,MAAM,EAAE;wBAC7B,IACC,MAAM,CAAC,WAAW,CAAC,IAAI,CACtB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,UAAU,CAAC,GAAG,IAAI,CAAC,KAAK,UAAU,CAAC,KAAK,CACrD,KAAK,SAAS,EACd;4BACD,kBAAkB;4BAClB,IAAI,MAAM,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE;gCAC9C,OAAO,IAAI,CAAC;6BACZ;4BACD,SAAS;yBACT;qBACD;iBACD;YACF,CAAC,CAAC;YACF,IAAI,MAAM,aAAa,CAAC,GAAG,CAAC,EAAE;gBAC7B,OAAO,IAAI,CAAC;aACZ;YACD,IAAI,KAAK,EAAE,MAAM,YAAY,IAAI,gBAAgB,CAChD,GAAG,EACH,IAAI,CAAC,uBAAuB,CAAC,aAAa,EAC1C,WAAW,CACX,EAAE;gBACF,IAAI,MAAM,aAAa,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE;oBAC3C,OAAO,IAAI,CAAC;iBACZ;aACD;YAED,OAAO,KAAK,CAAC;QACd,CAAC,CAAC;QAEF,KAAK,MAAM,GAAG,IAAI,MAAM,KAAK,CAAC,aAAa,EAAE,EAAE;YAC9C,IAAI,MAAM,cAAc,CAAC,GAAG,CAAC,EAAE;gBAC9B,OAAO,IAAI,CAAC;aACZ;SACD;QACD,OAAO,KAAK,CAAC;IACd,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,UAAwC;QAClD,MAAM,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC;YACvC,IAAI,EAAE,UAAU,EAAE,IAAI;YACtB,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;SAChC,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACtB,IAAI,EAAE,UAAU,EAAE,IAAI;YACtB,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC;YACpC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;SAChC,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5C,CAAC;CACD,CAAA;AA5JA;IADC,KAAK,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;8BACnB,SAAS;wDAAS;AAG1B;IADC,KAAK,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC;8BACN,aAAa;yEAAC;AAGvC;IADC,KAAK,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;8BAChB,cAAc;gEAAC;AARnB,wBAAwB;IADpC,OAAO,CAAC,cAAc,CAAC;;GACX,wBAAwB,CA8JpC"}

package/lib/esm/condition.d.ts

@@ -0,0 +1,20 @@
+import { PublicSignKey } from "@peerbit/crypto";
+import { PeerId } from "@libp2p/interface-peer-id";
+export declare class Network {
+    type: string;
+    rpc: string;
+}
+export declare class AccessCondition<T> {
+    allowed(_key: PublicSignKey): Promise<boolean>;
+}
+export declare class AnyAccessCondition<T> extends AccessCondition<T> {
+    constructor();
+    allowed(_key: PublicSignKey): Promise<boolean>;
+}
+export declare class PublicKeyAccessCondition<T> extends AccessCondition<T> {
+    key: PublicSignKey;
+    constructor(options: {
+        key: PublicSignKey | PeerId;
+    });
+    allowed(identity: PublicSignKey): Promise<boolean>;
+}

package/lib/esm/condition.js

@@ -0,0 +1,113 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { field, variant } from "@dao-xyz/borsh";
+import { PublicSignKey, getPublicKeyFromPeerId } from "@peerbit/crypto";
+const coercePublicKey = (publicKey) => {
+    return publicKey instanceof PublicSignKey
+        ? publicKey
+        : getPublicKeyFromPeerId(publicKey);
+};
+export let Network = class Network {
+    type;
+    rpc;
+};
+__decorate([
+    field({ type: "string" }),
+    __metadata("design:type", String)
+], Network.prototype, "type", void 0);
+__decorate([
+    field({ type: "string" }),
+    __metadata("design:type", String)
+], Network.prototype, "rpc", void 0);
+Network = __decorate([
+    variant(0)
+], Network);
+export class AccessCondition {
+    async allowed(_key) {
+        throw new Error("Not implemented");
+    }
+}
+export let AnyAccessCondition = class AnyAccessCondition extends AccessCondition {
+    constructor() {
+        super();
+    }
+    async allowed(_key) {
+        return true;
+    }
+};
+AnyAccessCondition = __decorate([
+    variant([0, 0]),
+    __metadata("design:paramtypes", [])
+], AnyAccessCondition);
+export let PublicKeyAccessCondition = class PublicKeyAccessCondition extends AccessCondition {
+    key;
+    constructor(options) {
+        super();
+        this.key = coercePublicKey(options.key);
+    }
+    async allowed(identity) {
+        return this.key.equals(identity);
+    }
+};
+__decorate([
+    field({ type: PublicSignKey }),
+    __metadata("design:type", PublicSignKey)
+], PublicKeyAccessCondition.prototype, "key", void 0);
+PublicKeyAccessCondition = __decorate([
+    variant([0, 1]),
+    __metadata("design:paramtypes", [Object])
+], PublicKeyAccessCondition);
+/*  Not yet :)
+
+@variant([0, 2])
+export class TokenAccessCondition extends AccessCondition {
+
+    @field({ type: Network })
+    network: Network
+
+    @field({ type: 'string' })
+    token: string
+
+    @field({ type: 'u64' })
+    amount: bigint
+
+    constructor() {
+        super();
+    }
+}
+
+
+@variant(0)
+export class NFTPropertyCondition {
+    @field({ type: 'string' })
+    field: string
+
+    @field({ type: 'string' })
+    value: string;
+}
+
+ @variant([0, 3])  // distinguish between ERC-721, ERC-1155, Solana Metaplex?
+export class NFTAccessCondition extends AccessCondition {
+
+    @field({ type: Network })
+    network: Network
+
+    @field({ type: 'string' })
+    id: string
+
+    @field({ type: option(vec(NFTPropertyCondition)) })
+    properties: NFTPropertyCondition
+
+    constructor() {
+        super();
+    }
+}
+ */
+//# sourceMappingURL=condition.js.map

package/lib/esm/condition.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"condition.js","sourceRoot":"","sources":["../../src/condition.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAGxE,MAAM,eAAe,GAAG,CAAC,SAAiC,EAAE,EAAE;IAC7D,OAAO,SAAS,YAAY,aAAa;QACxC,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;AACtC,CAAC,CAAC;AAGK,WAAM,OAAO,GAAb,MAAM,OAAO;IAEnB,IAAI,CAAS;IAGb,GAAG,CAAS;CACZ,CAAA;AAJA;IADC,KAAK,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;;qCACb;AAGb;IADC,KAAK,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;;oCACd;AALA,OAAO;IADnB,OAAO,CAAC,CAAC,CAAC;GACE,OAAO,CAMnB;AAED,MAAM,OAAO,eAAe;IAC3B,KAAK,CAAC,OAAO,CAAC,IAAmB;QAChC,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;IACpC,CAAC;CACD;AAGM,WAAM,kBAAkB,GAAxB,MAAM,kBAAsB,SAAQ,eAAkB;IAC5D;QACC,KAAK,EAAE,CAAC;IACT,CAAC;IACD,KAAK,CAAC,OAAO,CAAC,IAAmB;QAChC,OAAO,IAAI,CAAC;IACb,CAAC;CACD,CAAA;AAPY,kBAAkB;IAD9B,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;;GACH,kBAAkB,CAO9B;AAGM,WAAM,wBAAwB,GAA9B,MAAM,wBAA4B,SAAQ,eAAkB;IAElE,GAAG,CAAgB;IAEnB,YAAY,OAAwC;QACnD,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,GAAG,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,QAAuB;QACpC,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC;CACD,CAAA;AAVA;IADC,KAAK,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC;8BAC1B,aAAa;qDAAC;AAFP,wBAAwB;IADpC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;;GACH,wBAAwB,CAYpC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG"}

package/lib/esm/index.d.ts

@@ -0,0 +1,3 @@
+export * from "./access.js";
+export * from "./acl-db.js";
+export * from "./condition.js";

package/lib/esm/index.js

@@ -0,0 +1,4 @@
+export * from "./access.js";
+export * from "./acl-db.js";
+export * from "./condition.js";
+//# sourceMappingURL=index.js.map

package/lib/esm/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,gBAAgB,CAAC"}

package/lib/esm/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

package/package.json

@@ -0,0 +1,43 @@
+{
+	"name": "@peerbit/identity-access-controller",
+	"version": "1.0.2",
+	"description": "Access controller that operates on a DB",
+	"type": "module",
+	"sideEffects": false,
+	"module": "lib/esm/index.js",
+	"types": "lib/esm/index.d.ts",
+	"exports": {
+		"import": "./lib/esm/index.js",
+		"require": "./lib/cjs/index.js"
+	},
+	"files": [
+		"lib",
+		"src",
+		"!src/**/__tests__",
+		"!lib/**/__tests__",
+		"LICENSE"
+	],
+	"publishConfig": {
+		"access": "public"
+	},
+	"scripts": {
+		"clean": "shx rm -rf lib/*",
+		"build": "yarn clean && tsc -p tsconfig.json",
+		"postbuild": "echo '{\"type\":\"module\"} ' | node ../../../../node_modules/.bin/json > lib/esm/package.json",
+		"test": "node ../../../../node_modules/.bin/jest test  -c  ../../../../jest.config.ts --runInBand --forceExit",
+		"test:unit": "node ../../../../node_modules/.bin/jest test  -c  ../../../../jest.config.unit.ts --runInBand --forceExit",
+		"test:integration": "node ../node_modules/.bin/jest test -c  ../../../../jest.config.integration.ts --runInBand --forceExit"
+	},
+	"author": "dao.xyz",
+	"license": "MIT",
+	"dependencies": {
+		"@dao-xyz/borsh": "^5.1.5",
+		"@peerbit/document": "1.0.2",
+		"@peerbit/trusted-network": "1.0.2"
+	},
+	"devDependencies": {
+		"@peerbit/test-utils": "^1.0.2",
+		"@peerbit/time": "^1.0.0"
+	},
+	"gitHead": "595db9f1efebf604393eddfff5f678f5d8f16142"
+}

package/src/access.ts

@@ -0,0 +1,61 @@
+import { field, option, variant, vec } from "@dao-xyz/borsh";
+import { serialize } from "@dao-xyz/borsh";
+import { AccessCondition } from "./condition";
+import { toBase64 } from "@peerbit/crypto";
+
+export enum AccessType {
+	Any = 0,
+	Read = 1,
+	Write = 2,
+}
+
+@variant(0)
+export class AccessData {}
+
+@variant(0)
+export class Access extends AccessData {
+	@field({ type: option("string") })
+	id: string;
+
+	@field({ type: vec("u8") })
+	accessTypes: AccessType[];
+
+	@field({ type: AccessCondition })
+	accessCondition: AccessCondition<any>;
+
+	constructor(options?: {
+		accessTypes: AccessType[];
+		accessCondition: AccessCondition<any>;
+	}) {
+		super();
+		if (options) {
+			this.accessTypes = options.accessTypes;
+			this.accessCondition = options.accessCondition;
+			this.initialize();
+		}
+	}
+
+	calculateId(): string {
+		if (!this.accessTypes || !this.accessCondition) {
+			throw new Error("Not initialized");
+		}
+		const a = new Access();
+		a.accessCondition = this.accessCondition;
+		a.accessTypes = this.accessTypes;
+		return toBase64(serialize(a));
+	}
+
+	initialize(): Access {
+		this.id = this.calculateId();
+		return this;
+	}
+
+	assertId() {
+		const calculatedId = this.calculateId();
+		if (this.id !== calculatedId) {
+			throw new Error(
+				`Invalid id, got ${this.id} but expected ${calculatedId}`
+			);
+		}
+	}
+}

package/src/acl-db.ts

@@ -0,0 +1,178 @@
+import { field, variant } from "@dao-xyz/borsh";
+import { Documents, DocumentIndex } from "@peerbit/document";
+import {
+	getPathGenerator,
+	TrustedNetwork,
+	getFromByTo,
+	IdentityGraph,
+	createIdentityGraphStore,
+} from "@peerbit/trusted-network";
+import { Access, AccessType } from "./access";
+import { Entry } from "@peerbit/log";
+import { PublicSignKey, sha256Sync } from "@peerbit/crypto";
+import { Program } from "@peerbit/program";
+import { RPC } from "@peerbit/rpc";
+import { PeerId } from "@libp2p/interface-peer-id";
+import { concat } from "uint8arrays";
+import { SubscriptionType } from "@peerbit/shared-log";
+
+@variant("identity_acl")
+export class IdentityAccessController extends Program {
+	@field({ type: Documents })
+	access: Documents<Access>;
+
+	@field({ type: IdentityGraph })
+	identityGraphController: IdentityGraph;
+
+	@field({ type: TrustedNetwork })
+	trustedNetwork: TrustedNetwork;
+
+	constructor(opts: {
+		id?: Uint8Array;
+		rootTrust: PublicSignKey | PeerId;
+		trustedNetwork?: TrustedNetwork;
+	}) {
+		super();
+		if (!opts.trustedNetwork && !opts.rootTrust) {
+			throw new Error("Expecting either TrustedNetwork or rootTrust");
+		}
+		this.access = new Documents({
+			id: opts.id && sha256Sync(concat([opts.id, new Uint8Array([0])])),
+			index: new DocumentIndex({
+				query: new RPC(),
+			}),
+		});
+
+		this.trustedNetwork = opts.trustedNetwork
+			? opts.trustedNetwork
+			: new TrustedNetwork({
+					id: opts.id && sha256Sync(concat([opts.id, new Uint8Array([1])])),
+					rootTrust: opts.rootTrust,
+			  });
+		this.identityGraphController = new IdentityGraph({
+			relationGraph: createIdentityGraphStore(
+				opts.id && sha256Sync(concat([opts.id, new Uint8Array([2])]))
+			),
+		});
+	}
+
+	// allow anyone write to the ACL db, but assume entry is invalid until a verifier verifies
+	// can append will be anyone who has peformed some proof of work
+
+	// or
+
+	// custom can append
+
+	async canRead(s: PublicSignKey | undefined): Promise<boolean> {
+		// TODO, improve, caching etc
+
+		if (!s) {
+			return false;
+		}
+
+		// Check whether it is trusted by trust web
+		if (await this.trustedNetwork.isTrusted(s)) {
+			return true;
+		}
+
+		// Else check whether its trusted by this access controller
+		const canReadCheck = async (key: PublicSignKey) => {
+			for (const value of this.access.index.index.values()) {
+				const access = value.value;
+				if (access instanceof Access) {
+					if (
+						access.accessTypes.find(
+							(x) => x === AccessType.Any || x === AccessType.Read
+						) !== undefined
+					) {
+						// check condition
+						if (await access.accessCondition.allowed(key)) {
+							return true;
+						}
+						continue;
+					}
+				}
+			}
+		};
+
+		if (await canReadCheck(s)) {
+			return true;
+		}
+		for await (const trustedByKey of getPathGenerator(
+			s,
+			this.identityGraphController.relationGraph,
+			getFromByTo
+		)) {
+			if (await canReadCheck(trustedByKey.from)) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
+	async canAppend(entry: Entry<any>): Promise<boolean> {
+		// TODO, improve, caching etc
+
+		// Check whether it is trusted by trust web
+		const canAppendByKey = async (key: PublicSignKey): Promise<boolean> => {
+			if (await this.trustedNetwork.isTrusted(key)) {
+				return true;
+			}
+			// Else check whether its trusted by this access controller
+			const canWriteCheck = async (key: PublicSignKey) => {
+				for (const value of this.access.index.index.values()) {
+					const access = value.value;
+					if (access instanceof Access) {
+						if (
+							access.accessTypes.find(
+								(x) => x === AccessType.Any || x === AccessType.Write
+							) !== undefined
+						) {
+							// check condition
+							if (await access.accessCondition.allowed(key)) {
+								return true;
+							}
+							continue;
+						}
+					}
+				}
+			};
+			if (await canWriteCheck(key)) {
+				return true;
+			}
+			for await (const trustedByKey of getPathGenerator(
+				key,
+				this.identityGraphController.relationGraph,
+				getFromByTo
+			)) {
+				if (await canWriteCheck(trustedByKey.from)) {
+					return true;
+				}
+			}
+
+			return false;
+		};
+
+		for (const key of await entry.getPublicKeys()) {
+			if (await canAppendByKey(key)) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	async open(properties?: { role?: SubscriptionType }) {
+		await this.identityGraphController.open({
+			role: properties?.role,
+			canRead: this.canRead.bind(this),
+		});
+		await this.access.open({
+			role: properties?.role,
+			type: Access,
+			canAppend: this.canAppend.bind(this),
+			canRead: this.canRead.bind(this),
+		});
+		await this.trustedNetwork.open(properties);
+	}
+}

package/src/condition.ts

@@ -0,0 +1,96 @@
+import { field, variant } from "@dao-xyz/borsh";
+import { PublicSignKey, getPublicKeyFromPeerId } from "@peerbit/crypto";
+import { PeerId } from "@libp2p/interface-peer-id";
+
+const coercePublicKey = (publicKey: PublicSignKey | PeerId) => {
+	return publicKey instanceof PublicSignKey
+		? publicKey
+		: getPublicKeyFromPeerId(publicKey);
+};
+
+@variant(0)
+export class Network {
+	@field({ type: "string" })
+	type: string;
+
+	@field({ type: "string" })
+	rpc: string;
+}
+
+export class AccessCondition<T> {
+	async allowed(_key: PublicSignKey): Promise<boolean> {
+		throw new Error("Not implemented");
+	}
+}
+
+@variant([0, 0])
+export class AnyAccessCondition<T> extends AccessCondition<T> {
+	constructor() {
+		super();
+	}
+	async allowed(_key: PublicSignKey): Promise<boolean> {
+		return true;
+	}
+}
+
+@variant([0, 1])
+export class PublicKeyAccessCondition<T> extends AccessCondition<T> {
+	@field({ type: PublicSignKey })
+	key: PublicSignKey;
+
+	constructor(options: { key: PublicSignKey | PeerId }) {
+		super();
+		this.key = coercePublicKey(options.key);
+	}
+
+	async allowed(identity: PublicSignKey): Promise<boolean> {
+		return this.key.equals(identity);
+	}
+}
+
+/*  Not yet :)
+
+@variant([0, 2])
+export class TokenAccessCondition extends AccessCondition {
+
+	@field({ type: Network })
+	network: Network
+
+	@field({ type: 'string' })
+	token: string
+
+	@field({ type: 'u64' })
+	amount: bigint
+
+	constructor() {
+		super();
+	}
+}
+
+
+@variant(0)
+export class NFTPropertyCondition {
+	@field({ type: 'string' })
+	field: string
+
+	@field({ type: 'string' })
+	value: string;
+}
+
+ @variant([0, 3])  // distinguish between ERC-721, ERC-1155, Solana Metaplex? 
+export class NFTAccessCondition extends AccessCondition {
+
+	@field({ type: Network })
+	network: Network
+
+	@field({ type: 'string' })
+	id: string
+
+	@field({ type: option(vec(NFTPropertyCondition)) })
+	properties: NFTPropertyCondition
+
+	constructor() {
+		super();
+	}
+}
+ */

package/src/index.ts

@@ -0,0 +1,3 @@
+export * from "./access.js";
+export * from "./acl-db.js";
+export * from "./condition.js";