@smythos/sre 1.5.0 → 1.5.2

package/src/subsystems/Security/AccessControl/AccessCandidate.class.ts

@@ -0,0 +1,76 @@
+import { IAccessCandidate, TAccessLevel, TAccessRole } from '@sre/types/ACL.types';
+import { AccessRequest } from './AccessRequest.class';
+
+export class AccessCandidate implements IAccessCandidate {
+    public role: TAccessRole;
+    public id: string;
+    //public _candidate: TAccessCandidate;
+    constructor(candidate?: IAccessCandidate) {
+        //this._candidate = candidate || { role: TAccessRole.Public, id: '' };
+
+        this.role = candidate ? candidate.role : TAccessRole.Public;
+        this.id = candidate ? candidate.id : '';
+    }
+
+    public toString(): string {
+        return `AC:R[${this.role}]:ID[${this.id}]`;
+    }
+
+    public get request(): AccessRequest {
+        return new AccessRequest(this);
+    }
+
+    public get readRequest(): AccessRequest {
+        return new AccessRequest(this).setLevel(TAccessLevel.Read);
+    }
+    public get writeRequest(): AccessRequest {
+        return new AccessRequest(this).setLevel(TAccessLevel.Write);
+    }
+    public get ownerRequest(): AccessRequest {
+        return new AccessRequest(this).setLevel(TAccessLevel.Owner);
+    }
+
+    public static clone(candidate: IAccessCandidate): AccessCandidate {
+        return new AccessCandidate(candidate);
+    }
+
+    public team(teamId: string): AccessCandidate {
+        this.role = TAccessRole.Team;
+        this.id = teamId;
+
+        return this;
+    }
+    static team(teamId: string): AccessCandidate {
+        return new AccessCandidate({ role: TAccessRole.Team, id: teamId });
+    }
+
+    public agent(agentId: string): AccessCandidate {
+        this.role = TAccessRole.Agent;
+        this.id = agentId;
+        return this;
+    }
+    static agent(agentId: string): AccessCandidate {
+        return new AccessCandidate({ role: TAccessRole.Agent, id: agentId });
+    }
+
+    public user(userId: string): AccessCandidate {
+        this.role = TAccessRole.User;
+        this.id = userId;
+        return this;
+    }
+    static user(userId: string): AccessCandidate {
+        return new AccessCandidate({ role: TAccessRole.User, id: userId });
+    }
+
+    public public(): AccessCandidate {
+        this.role = TAccessRole.Public;
+
+        //public is a special case we use the role as the owner id because public access does not have specific candidate IDs
+        this.id = TAccessRole.Public;
+
+        return this;
+    }
+    static public(): AccessCandidate {
+        return new AccessCandidate({ role: TAccessRole.Public, id: '' });
+    }
+}

package/src/subsystems/Security/AccessControl/AccessRequest.class.ts

@@ -0,0 +1,52 @@
+import { IAccessCandidate, IAccessRequest, TAccessLevel } from '@sre/types/ACL.types';
+import { uid } from '@sre/utils/index';
+
+export class AccessRequest implements IAccessRequest {
+    public id: string;
+    public resourceId: string;
+
+    public level: TAccessLevel[] = [];
+    public candidate: IAccessCandidate;
+
+    constructor(object?: IAccessRequest | IAccessCandidate) {
+        if (!object) {
+            this.id = 'aclR:' + uid();
+        }
+        if (['role', 'id'].every((k) => k in object)) {
+            //this is a candidate
+            this.id = 'aclR:' + uid();
+            this.candidate = object as IAccessCandidate;
+        } else {
+            const acReq: AccessRequest = object as AccessRequest;
+            this.id = acReq.id;
+            //this.resourceId = acReq.resourceId;
+            this.level = acReq.level;
+            this.candidate = acReq.candidate;
+        }
+
+        this.resourceId = undefined;
+    }
+
+    public static clone(request: IAccessRequest): AccessRequest {
+        return new AccessRequest(request);
+    }
+
+    public setLevel(level: TAccessLevel | TAccessLevel[]): AccessRequest {
+        this.level = Array.isArray(level) ? level : [level];
+        return this;
+    }
+    public addLevel(level: TAccessLevel | TAccessLevel[]): AccessRequest {
+        this.level = [...this.level, ...(Array.isArray(level) ? level : [level])];
+        return this;
+    }
+    public resource(resourceId: string): AccessRequest {
+        this.resourceId = resourceId;
+
+        return this;
+    }
+    public setCandidate(candidate: IAccessCandidate): AccessRequest {
+        this.candidate = candidate;
+
+        return this;
+    }
+}

package/src/subsystems/Security/Account.service/AccountConnector.ts

@@ -0,0 +1,41 @@
+import { Connector } from '@sre/Core/Connector.class';
+import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
+import { IAccessCandidate, TAccessRole } from '@sre/types/ACL.types';
+import { AccessCandidate } from '../AccessControl/AccessCandidate.class';
+import { KeyValueObject } from '@sre/types/Common.types';
+import { ACL } from '../AccessControl/ACL.class';
+
+export interface ISmythAccountRequest {
+    isTeamMember(teamId: string): Promise<boolean>;
+    getCandidateTeam(): Promise<string | undefined>;
+    getAllTeamSettings(): Promise<KeyValueObject>;
+    getAllUserSettings(): Promise<KeyValueObject>;
+    getTeamSetting(settingKey: string): Promise<string>;
+    getUserSetting(settingKey: string): Promise<string>;
+    getAgentSetting(settingKey: string): Promise<string>;
+    getTeam(): Promise<string>;
+}
+
+export abstract class AccountConnector extends Connector {
+    public requester(candidate: AccessCandidate): ISmythAccountRequest {
+        return {
+            getAllUserSettings: async () => this.getAllUserSettings(candidate.readRequest, candidate.id),
+            getUserSetting: async (settingKey: string) => this.getUserSetting(candidate.readRequest, candidate.id, settingKey),
+            getAllTeamSettings: async () => this.getAllTeamSettings(candidate.readRequest, candidate.id),
+            getTeamSetting: async (settingKey: string) => this.getTeamSetting(candidate.readRequest, candidate.id, settingKey),
+            isTeamMember: async (teamId: string) => this.isTeamMember(teamId, candidate),
+            getCandidateTeam: async () => this.getCandidateTeam(candidate),
+            getTeam: async () => this.getCandidateTeam(candidate),
+            getAgentSetting: async (settingKey: string) => this.getAgentSetting(candidate.readRequest, candidate.id, settingKey),
+        };
+    }
+    public abstract getResourceACL(resourceId: string, candidate: IAccessCandidate): Promise<ACL>;
+
+    public abstract isTeamMember(teamId: string, candidate: IAccessCandidate): Promise<boolean>;
+    public abstract getCandidateTeam(candidate: IAccessCandidate): Promise<string | undefined>;
+    public abstract getAllTeamSettings(acRequest: AccessRequest, teamId: string): Promise<KeyValueObject>;
+    public abstract getAllUserSettings(acRequest: AccessRequest, accountId: string): Promise<KeyValueObject>;
+    public abstract getTeamSetting(acRequest: AccessRequest, teamId: string, settingKey: string): Promise<string>;
+    public abstract getUserSetting(acRequest: AccessRequest, accountId: string, settingKey: string): Promise<string>;
+    public abstract getAgentSetting(acRequest: AccessRequest, agentId: string, settingKey: string): Promise<string>;
+}

package/src/subsystems/Security/Account.service/connectors/AWSAccount.class.ts

@@ -0,0 +1,76 @@
+import mysql from 'mysql2/promise';
+import { ACL } from '@sre/Security/AccessControl/ACL.class';
+import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
+import { DEFAULT_TEAM_ID, IAccessCandidate, IACL, TAccessRole } from '@sre/types/ACL.types';
+import { AccountConnector } from '../AccountConnector';
+import { KeyValueObject } from '@sre/types/Common.types';
+
+export class AWSAccount extends AccountConnector {
+    public name = 'AWSAccount';
+
+    private pool: mysql.Pool;
+
+    constructor(protected _settings: any) {
+        super(_settings);
+
+        this.pool = mysql.createPool({
+            host: _settings.host,
+            database: _settings.database || 'app',
+            user: _settings.user || 'app',
+            password: _settings.password,
+            connectionLimit: 10,
+        });
+    }
+
+    public isTeamMember(team: string, candidate: IAccessCandidate): Promise<boolean> {
+        return Promise.resolve(true);
+    }
+
+    public getCandidateTeam(candidate: IAccessCandidate): Promise<string | undefined> {
+        if (candidate.role === TAccessRole.Team) {
+            return Promise.resolve(candidate.id);
+        }
+
+        return Promise.resolve(DEFAULT_TEAM_ID);
+    }
+
+    public async getAllTeamSettings(acRequest: AccessRequest, teamId: string): Promise<KeyValueObject[]> {
+        try {
+            const [rows] = await this.pool.execute('SELECT `key`, `value` FROM TeamSettings');
+            const settings: KeyValueObject[] = [];
+            if (Array.isArray(rows) && rows.length > 0) {
+                settings.push(...rows.map((row) => ({ key: row.key, value: row.value })));
+            }
+            return settings;
+        } catch (error) {
+            console.error('Error in getTeamSetting:', error);
+            return [] as KeyValueObject[];
+        }
+    }
+
+    public async getTeamSetting(acRequest: AccessRequest, teamId: string, settingKey: string): Promise<string> {
+        try {
+            const [rows] = await this.pool.execute('SELECT `value` FROM TeamSettings WHERE `key` = ? LIMIT 1', [settingKey]);
+            if (Array.isArray(rows) && rows.length > 0 && 'value' in rows[0]) return rows[0].value;
+            return '';
+        } catch (error) {
+            console.error('Error in getTeamSetting:', error);
+            return '';
+        }
+    }
+
+    // TODO: Implement this
+    public getResourceACL(resourceId: string, candidate: IAccessCandidate): Promise<ACL> {
+        throw new Error('getResourceACL Method not implemented.');
+    }
+    public getAllUserSettings(acRequest: AccessRequest, accountId: string): Promise<KeyValueObject[]> {
+        throw new Error('getAllUserSettings Method not implemented.');
+    }
+    public getUserSetting(acRequest: AccessRequest, accountId: string, settingKey: string): Promise<string> {
+        throw new Error('getUserSetting Method not implemented.');
+    }
+
+    public getAgentSetting(acRequest: AccessRequest, agentId: string, settingKey: string): Promise<string> {
+        throw new Error('getAgentSetting Method not implemented.');
+    }
+}

package/src/subsystems/Security/Account.service/connectors/DummyAccount.class.ts

@@ -0,0 +1,130 @@
+import { Connector } from '@sre/Core/Connector.class';
+import { ACL } from '@sre/Security/AccessControl/ACL.class';
+import { AccessCandidate } from '@sre/Security/AccessControl/AccessCandidate.class';
+import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
+import { SecureConnector } from '@sre/Security/SecureConnector.class';
+import { DEFAULT_TEAM_ID, IAccessCandidate, IACL, TAccessRole } from '@sre/types/ACL.types';
+import { StorageData, StorageMetadata } from '@sre/types/Storage.types';
+import { AccountConnector } from '../AccountConnector';
+import { KeyValueObject } from '@sre/types/Common.types';
+import { Logger } from '@sre/helpers/Log.helper';
+
+const console = Logger('DummyAccount');
+
+/*
+data format 
+
+{
+    "team1": {
+        users: {
+            "user1": {
+                "settings": {
+                    "setting1": "value1",
+                    "setting2": "value2"
+                }
+            }
+        },
+        "agents": {
+            "agent1": {
+                "settings": {
+                    "setting1": "value1",
+                    "setting2": "value2"
+                }
+            }
+        },
+        "settings": {
+            "setting1": "value1",
+            "setting2": "value2"
+        }
+    }
+}
+
+*/
+
+export class DummyAccount extends AccountConnector {
+    public name = 'DummyAccount';
+    public data: any = {};
+
+    constructor(protected _settings?: any) {
+        super(_settings);
+        this.data = _settings?.data || {};
+        if (!this.data[DEFAULT_TEAM_ID]) {
+            this.data[DEFAULT_TEAM_ID] = {
+                users: {},
+                agents: { FAKE_AGENT_ID: {} },
+                settings: {},
+            };
+        }
+        if (!this.data[DEFAULT_TEAM_ID])
+            console.warn(
+                'You are using the DummyAccount connector. This is a development tool and should not be used in production if you have security concerns.'
+            );
+    }
+
+    public isTeamMember(team: string, candidate: IAccessCandidate): Promise<boolean> {
+        if (team === DEFAULT_TEAM_ID) {
+            return Promise.resolve(true);
+        }
+
+        switch (candidate.role) {
+            case TAccessRole.Team:
+                return Promise.resolve(team === candidate.id);
+            case TAccessRole.User:
+                return Promise.resolve(this.data[team]?.users?.[candidate.id]);
+            case TAccessRole.Agent:
+                return Promise.resolve(this.data[team]?.agents?.[candidate.id]);
+            default:
+                return Promise.resolve(false);
+        }
+    }
+    public getCandidateTeam(candidate: IAccessCandidate): Promise<string | undefined> {
+        if (candidate.role === TAccessRole.Team) {
+            return Promise.resolve(candidate.id);
+        }
+
+        //lookup the team id for the user or agent
+        for (const team in this.data) {
+            if (candidate.role === TAccessRole.User && this.data[team]?.users?.[candidate.id]) {
+                return Promise.resolve(team);
+            }
+            if (candidate.role === TAccessRole.Agent && this.data[team]?.agents?.[candidate.id]) {
+                return Promise.resolve(team);
+            }
+        }
+        return Promise.resolve(DEFAULT_TEAM_ID);
+    }
+
+    public getResourceACL(resourceId: string, candidate: IAccessCandidate): Promise<ACL> {
+        throw new Error('getResourceACL Method not implemented.');
+    }
+    public getAllTeamSettings(acRequest: AccessRequest, teamId: string): Promise<KeyValueObject[]> {
+        return Promise.resolve(this.data[teamId]?.settings);
+    }
+    public getAllUserSettings(acRequest: AccessRequest, accountId: string): Promise<KeyValueObject[]> {
+        for (const team in this.data) {
+            if (this.data[team]?.users?.[accountId]) {
+                return Promise.resolve(this.data[team]?.users?.[accountId]?.settings);
+            }
+        }
+        return Promise.resolve([]);
+    }
+    public getTeamSetting(acRequest: AccessRequest, teamId: string, settingKey: string): Promise<string> {
+        return Promise.resolve(this.data[teamId]?.settings?.[settingKey]);
+    }
+    public getUserSetting(acRequest: AccessRequest, accountId: string, settingKey: string): Promise<string> {
+        for (const team in this.data) {
+            if (this.data[team]?.users?.[accountId]) {
+                return Promise.resolve(this.data[team]?.users?.[accountId]?.settings?.[settingKey]);
+            }
+        }
+        return Promise.resolve(undefined);
+    }
+    public getAgentSetting(acRequest: AccessRequest, agentId: string, settingKey: string): Promise<string> {
+        for (const team in this.data) {
+            if (this.data[team]?.agents?.[agentId]) {
+                return Promise.resolve(this.data[team]?.agents?.[agentId]?.settings?.[settingKey]);
+            }
+        }
+        return Promise.resolve(undefined);
+    }
+}

package/src/subsystems/Security/Account.service/connectors/JSONFileAccount.class.ts

@@ -0,0 +1,159 @@
+import { Connector } from '@sre/Core/Connector.class';
+import { ACL } from '@sre/Security/AccessControl/ACL.class';
+import { AccessCandidate } from '@sre/Security/AccessControl/AccessCandidate.class';
+import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
+import { SecureConnector } from '@sre/Security/SecureConnector.class';
+import { DEFAULT_TEAM_ID, IAccessCandidate, IACL, TAccessRole } from '@sre/types/ACL.types';
+import { StorageData, StorageMetadata } from '@sre/types/Storage.types';
+import { AccountConnector } from '../AccountConnector';
+import { KeyValueObject } from '@sre/types/Common.types';
+import * as fs from 'fs';
+import * as path from 'path';
+
+/*
+JSONAccount format 
+
+{
+    "team1": {
+        users: {
+            "user1": {
+                "settings": {
+                    "setting1": "value1",
+                    "setting2": "value2"
+                }
+            }
+        },
+        "agents": {
+            "agent1": {
+                "settings": {
+                    "setting1": "value1",
+                    "setting2": "value2"
+                }
+            }
+        },
+        "settings": {
+            "setting1": "value1",
+            "setting2": "value2"
+        }
+    }
+}
+
+*/
+
+export type TJSONFileAccountSettings = {
+    file: string;
+};
+
+export class JSONFileAccount extends AccountConnector {
+    public name = 'JSONFileAccount';
+    private data: any = {};
+    private file: string;
+
+    constructor(protected _settings: TJSONFileAccountSettings) {
+        super(_settings);
+        this.file = _settings.file;
+        this.loadData();
+    }
+
+    private loadData() {
+        try {
+            const fileContent = fs.readFileSync(this.file, 'utf-8');
+            this.data = JSON.parse(fileContent);
+        } catch (error) {
+            console.error('Error loading JSON account data:', error);
+            this.data = {};
+        }
+    }
+
+    private saveData() {
+        try {
+            fs.writeFileSync(this.file, JSON.stringify(this.data, null, 2));
+        } catch (error) {
+            console.error('Error saving JSON account data:', error);
+        }
+    }
+
+    public async isTeamMember(team: string, candidate: IAccessCandidate): Promise<boolean> {
+        if (!this.data[team]) return false;
+
+        if (candidate.role === TAccessRole.User) {
+            return !!this.data[team].users?.[candidate.id];
+        } else if (candidate.role === TAccessRole.Agent) {
+            return !!this.data[team].agents?.[candidate.id];
+        }
+
+        return false;
+    }
+
+    public async getCandidateTeam(candidate: IAccessCandidate): Promise<string | undefined> {
+        if (candidate.role === TAccessRole.Team) {
+            return candidate.id;
+        }
+
+        // Search through all teams to find where the candidate belongs
+        for (const [teamId, teamData] of Object.entries(this.data)) {
+            const typedTeamData = teamData as { users?: Record<string, any>; agents?: Record<string, any> };
+            if (candidate.role === TAccessRole.User && typedTeamData.users?.[candidate.id]) {
+                return teamId;
+            }
+            if (candidate.role === TAccessRole.Agent && typedTeamData.agents?.[candidate.id]) {
+                return teamId;
+            }
+        }
+
+        return DEFAULT_TEAM_ID;
+    }
+
+    public async getResourceACL(resourceId: string, candidate: IAccessCandidate): Promise<ACL> {
+        throw new Error('getResourceACL Method not implemented.');
+    }
+
+    public async getAllTeamSettings(acRequest: AccessRequest, teamId: string): Promise<KeyValueObject[]> {
+        if (!this.data[teamId]?.settings) return [];
+
+        return Object.entries(this.data[teamId].settings).map(([key, value]) => ({
+            key,
+            value: value as string,
+        }));
+    }
+
+    public async getAllUserSettings(acRequest: AccessRequest, accountId: string): Promise<KeyValueObject[]> {
+        // Search through all teams to find user settings
+        for (const teamData of Object.values(this.data)) {
+            const typedTeamData = teamData as { users?: Record<string, { settings?: Record<string, any> }> };
+            if (typedTeamData.users?.[accountId]?.settings) {
+                return Object.entries(typedTeamData.users[accountId].settings).map(([key, value]) => ({
+                    key,
+                    value: value as string,
+                }));
+            }
+        }
+        return [];
+    }
+
+    public async getTeamSetting(acRequest: AccessRequest, teamId: string, settingKey: string): Promise<string> {
+        return this.data[teamId]?.settings?.[settingKey] || '';
+    }
+
+    public async getUserSetting(acRequest: AccessRequest, accountId: string, settingKey: string): Promise<string> {
+        // Search through all teams to find user setting
+        for (const teamData of Object.values(this.data)) {
+            const typedTeamData = teamData as { users?: Record<string, { settings?: Record<string, any> }> };
+            if (typedTeamData.users?.[accountId]?.settings?.[settingKey]) {
+                return typedTeamData.users[accountId].settings[settingKey];
+            }
+        }
+        return '';
+    }
+
+    public async getAgentSetting(acRequest: AccessRequest, agentId: string, settingKey: string): Promise<string> {
+        // Search through all teams to find agent setting
+        for (const teamData of Object.values(this.data)) {
+            const typedTeamData = teamData as { agents?: Record<string, { settings?: Record<string, any> }> };
+            if (typedTeamData.agents?.[agentId]?.settings?.[settingKey]) {
+                return typedTeamData.agents[agentId].settings[settingKey];
+            }
+        }
+        return '';
+    }
+}

package/src/subsystems/Security/Account.service/index.ts

@@ -0,0 +1,14 @@
+//==[ SRE: LLM ]======================
+
+import { ConnectorService, ConnectorServiceProvider } from '@sre/Core/ConnectorsService';
+import { TConnectorService } from '@sre/types/SRE.types';
+import { DummyAccount } from './connectors/DummyAccount.class';
+import { AWSAccount } from './connectors/AWSAccount.class';
+import { JSONFileAccount } from './connectors/JSONFileAccount.class';
+export class AccountService extends ConnectorServiceProvider {
+    public register() {
+        ConnectorService.register(TConnectorService.Account, 'AWSAccount', AWSAccount);
+        ConnectorService.register(TConnectorService.Account, 'DummyAccount', DummyAccount);
+        ConnectorService.register(TConnectorService.Account, 'JSONFileAccount', JSONFileAccount);
+    }
+}

package/src/subsystems/Security/Credentials.helper.ts

@@ -0,0 +1,62 @@
+import { AccessCandidate } from '../..';
+import { ConnectorService } from '../../Core/ConnectorsService';
+
+export type TCredentialsRequest = {
+    vaultProvider?: string;
+    keyName: string;
+    mapping?: {
+        [key: string]: string;
+    };
+};
+
+/**
+ * Get credentials from a vault
+ *
+ * @param candidate - The candidate requesting the credentials
+ * @param credentialsRequest - The credentials request
+ * @returns The credentials
+ */
+export async function getCredentials(
+    candidate: AccessCandidate,
+    credentialsRequest: TCredentialsRequest | string
+): Promise<string | Record<string, any>> {
+    if (typeof credentialsRequest === 'string') {
+        credentialsRequest = {
+            vaultProvider: '', //default vault provider
+            keyName: credentialsRequest, //default key name
+        };
+    }
+
+    const vaultConnector = ConnectorService.getVaultConnector(credentialsRequest.vaultProvider || '');
+    const vaultRequester = vaultConnector.requester(candidate);
+    const credentials = await vaultRequester.get(credentialsRequest.keyName);
+
+    if (!credentialsRequest.mapping) return credentials;
+
+    const mappedCredentials = {};
+    for (const [key, value] of Object.entries(credentialsRequest.mapping)) {
+        mappedCredentials[key] = JSONExpression(credentials, value);
+    }
+
+    return mappedCredentials;
+}
+
+/**
+ * @param obj - The object to extract the property from
+ * @param propertyString - The property to extract from the object
+ * @returns The property value
+ */
+function JSONExpression(obj, propertyString) {
+    const properties = propertyString.split(/\.|\[|\]\.|\]\[|\]/).filter(Boolean);
+    let currentProperty = obj;
+
+    for (let property of properties) {
+        if (currentProperty === undefined || currentProperty === null) {
+            return undefined;
+        }
+
+        currentProperty = currentProperty[property];
+    }
+
+    return currentProperty;
+}

package/src/subsystems/Security/ManagedVault.service/ManagedVaultConnector.ts

@@ -0,0 +1,34 @@
+import { ACL } from '@sre/Security/AccessControl/ACL.class';
+import { AccessCandidate } from '@sre/Security/AccessControl/AccessCandidate.class';
+import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
+import { SecureConnector } from '@sre/Security/SecureConnector.class';
+import { IAccessCandidate, IACL } from '@sre/types/ACL.types';
+
+/**
+ * The managed vault is a vault that is managed by the SRE, its keys are not visible to the user.
+ * it's used to store generated tokens at runtime, like OAuth tokens
+ */
+
+export interface IManagedVaultRequest {
+    get(keyId: string): Promise<string>;
+    set(keyId: string, value: string): Promise<void>;
+    delete(keyId: string): Promise<void>;
+    exists(keyId: string): Promise<boolean>;
+}
+
+export abstract class ManagedVaultConnector extends SecureConnector {
+    requester(candidate: AccessCandidate): IManagedVaultRequest {
+        return {
+            get: async (keyId: string) => this.get(candidate.readRequest, keyId),
+            set: async (keyId: string, value: string) => this.set(candidate.writeRequest, keyId, value),
+            delete: async (keyId: string) => this.delete(candidate.writeRequest, keyId),
+            exists: async (keyId: string) => this.exists(candidate.readRequest, keyId),
+        };
+    }
+
+    public abstract getResourceACL(resourceId: string, candidate: IAccessCandidate): Promise<ACL>;
+    protected abstract get(acRequest: AccessRequest, keyId: string): Promise<string>;
+    protected abstract set(acRequest: AccessRequest, keyId: string, value: string): Promise<void>;
+    protected abstract delete(acRequest: AccessRequest, keyId: string): Promise<void>;
+    protected abstract exists(acRequest: AccessRequest, keyId: string): Promise<boolean>;
+}