cojson 0.18.35 → 0.18.37

package/src/permissions.ts

@@ -8,6 +8,7 @@ import {
   ParentGroupReferenceRole,
   RawGroup,
   isInheritableRole,
+  isSelfExtension,
 } from "./coValues/group.js";
 import { KeyID } from "./crypto/crypto.js";
 import {
@@ -70,8 +71,6 @@ function canAdmin(role: Role | undefined): boolean {
   return role === "admin" || role === "manager";
 }
 
-type MemberState = { [agent: RawAccountID | AgentID]: Role; [EVERYONE]?: Role };
-
 let logPermissionErrors = true;
 
 export function disablePermissionErrors() {
@@ -193,79 +192,81 @@ function isHigherRole(a: Role, b: Role | undefined) {
   return a === "writer" && b === "reader";
 }
 
-function resolveMemberStateFromParentReference(
-  coValue: CoValueCore,
-  memberState: MemberState,
-  parentReference: ParentGroupReference,
-  roleMapping: ParentGroupReferenceRole,
-  extendChain: Set<CoValueCore["id"]>,
-) {
-  const parentGroup = coValue.node.expectCoValueLoaded(
-    getParentGroupId(parentReference),
-    "Expected parent group to be loaded",
-  );
+class MemberRoleResolver {
+  private parentGroups = new Map<RawGroup, ParentGroupReferenceRole>();
+  private memberRoles = new Map<RawAccountID | AgentID | Everyone, Role>();
 
-  if (parentGroup.verified.header.ruleset.type !== "group") {
-    return;
+  setDirectRole(member: RawAccountID | AgentID | Everyone, role: Role) {
+    this.memberRoles.set(member, role);
   }
 
-  // Skip circular references
-  if (extendChain.has(parentGroup.id)) {
-    return;
+  removeMember(member: RawAccountID | AgentID | Everyone) {
+    this.memberRoles.delete(member);
   }
 
-  const initialAdmin = parentGroup.verified.header.ruleset.initialAdmin;
+  addParentGroup(parentGroup: RawGroup, roleMapping: ParentGroupReferenceRole) {
+    this.parentGroups.set(parentGroup, roleMapping);
+  }
 
-  if (!initialAdmin) {
-    throw new Error("Group must have initialAdmin");
+  removeParentGroup(parentGroup: RawGroup) {
+    this.parentGroups.delete(parentGroup);
   }
 
-  extendChain.add(parentGroup.id);
+  getDirectRole(member: RawAccountID | AgentID | Everyone) {
+    return this.memberRoles.get(member);
+  }
 
-  const { memberState: parentGroupMemberState } =
-    determineValidTransactionsForGroup(parentGroup, initialAdmin, extendChain);
+  getRoleAtTime(member: RawAccountID | AgentID | Everyone, time: number) {
+    let role = this.memberRoles.get(member);
 
-  for (const agent of Object.keys(parentGroupMemberState) as Array<
-    keyof MemberState
-  >) {
-    const parentRole = parentGroupMemberState[agent];
-    const currentRole = memberState[agent];
+    for (const [parentGroup, roleMapping] of this.parentGroups.entries()) {
+      const parentRole = parentGroup.atTime(time).roleOfInternal(member);
 
-    if (isInheritableRole(parentRole)) {
-      if (roleMapping !== "extend" && isHigherRole(roleMapping, currentRole)) {
-        memberState[agent] = roleMapping;
-      } else if (isHigherRole(parentRole, currentRole)) {
-        memberState[agent] = parentRole;
+      if (!parentRole || !isInheritableRole(parentRole)) {
+        continue;
+      }
+
+      const resolvedParentRole =
+        roleMapping === "extend" ? parentRole : roleMapping;
+
+      if (isHigherRole(resolvedParentRole, role)) {
+        role = resolvedParentRole;
       }
     }
+
+    return role;
   }
 }
 
 function determineValidTransactionsForGroup(
   coValue: CoValueCore,
   initialAdmin: RawAccountID | AgentID,
-  extendChain?: Set<CoValueCore["id"]>,
-): { memberState: MemberState } {
+): void {
   coValue.verifiedTransactions.sort(coValue.compareTransactions);
 
-  const memberState: MemberState = {};
   const writeOnlyKeys: Record<RawAccountID | AgentID, KeyID> = {};
   const writeKeys = new Set<string>();
+  const memberRoleResolver = new MemberRoleResolver();
 
   for (const transaction of coValue.verifiedTransactions) {
     const transactor = transaction.author;
-    const transactorRole = memberState[transactor];
+
+    const transactorRole = memberRoleResolver.getRoleAtTime(
+      transactor,
+      transaction.currentMadeAt,
+    );
 
     const tx = transaction.tx;
 
     if (tx.privacy === "private") {
-      if (memberState[transactor] === "admin") {
+      if (transactorRole === "admin") {
         transaction.markValid();
         continue;
       } else {
         logPermissionError(
           "Only admins can make private transactions in groups",
         );
+        transaction.markInvalid();
         continue;
       }
     }
@@ -341,7 +342,6 @@ function determineValidTransactionsForGroup(
         continue;
       }
 
-      // TODO: check validity of agents who the key is revealed to?
       transaction.markValid();
       continue;
     } else if (isParentExtension(change.key)) {
@@ -353,25 +353,35 @@ function determineValidTransactionsForGroup(
         continue;
       }
 
-      extendChain = extendChain ?? new Set([]);
+      const parentGroupId = getParentGroupId(change.key);
 
-      resolveMemberStateFromParentReference(
-        coValue,
-        memberState,
-        change.key,
-        change.value as ParentGroupReferenceRole,
-        extendChain,
+      const parentGroupCore = coValue.node.expectCoValueLoaded(
+        parentGroupId,
+        "Expected parent group to be loaded",
       );
 
-      // Circular reference detected, drop all the transactions involved
-      if (extendChain.has(coValue.id)) {
-        logPermissionError(
-          "Circular extend detected, dropping the transaction",
-        );
+      if (!parentGroupCore.isGroup()) {
+        logPermissionError("Parent group is not a group");
+        transaction.markInvalid();
+        continue;
+      }
+
+      const parentGroup = expectGroup(parentGroupCore.getCurrentContent());
+
+      if (isSelfExtension(coValue, parentGroup)) {
+        logPermissionError("Parent group is a circular dependency");
         transaction.markInvalid();
         continue;
       }
 
+      const value = change.value as ParentGroupReferenceRole;
+
+      if (value === "revoked") {
+        memberRoleResolver.removeParentGroup(parentGroup);
+      } else {
+        memberRoleResolver.addParentGroup(parentGroup, value);
+      }
+
       transaction.markValid();
       continue;
     } else if (isChildExtension(change.key)) {
@@ -460,7 +470,7 @@ function determineValidTransactionsForGroup(
         throw new Error("Expected set operation");
       }
 
-      memberState[change.key] = change.value;
+      memberRoleResolver.setDirectRole(change.key, change.value);
       transaction.markValid();
     }
 
@@ -486,7 +496,10 @@ function determineValidTransactionsForGroup(
       continue;
     }
 
-    const affectedMemberRole = memberState[affectedMember];
+    const affectedMemberRole = memberRoleResolver.getRoleAtTime(
+      affectedMember,
+      transaction.currentMadeAt,
+    );
 
     /**
      * Admins can't:
@@ -568,11 +581,9 @@ function determineValidTransactionsForGroup(
       continue;
     }
 
-    memberState[affectedMember] = change.value;
+    memberRoleResolver.setDirectRole(affectedMember, change.value);
     transaction.markValid();
   }
-
-  return { memberState };
 }
 
 function agentInAccountOrMemberInGroup(

package/src/tests/group.childKeyRotation.test.ts

@@ -69,7 +69,7 @@ describe("Group.childKeyRotation", () => {
     expect(mapOnAliceNode.get("test")).toBeUndefined();
   });
 
-  test("removing a member should rotate the readKey on unloaded child groups", async () => {
+  test.skip("removing a member should rotate the readKey on unloaded child groups", async () => {
     const group = admin.node.createGroup();
 
     let childGroup = bob.node.createGroup();
@@ -103,7 +103,7 @@ describe("Group.childKeyRotation", () => {
     expect(mapOnAliceNode.get("test")).toBeUndefined();
   });
 
-  test("removing a member on a large group should rotate the readKey on unloaded child group", async () => {
+  test.skip("removing a member on a large group should rotate the readKey on unloaded child group", async () => {
     const group = admin.node.createGroup();
 
     const childGroup = bob.node.createGroup();
@@ -163,7 +163,7 @@ describe("Group.childKeyRotation", () => {
     expect(mapOnAliceNode.get("test")).toBeUndefined();
   });
 
-  test("removing a member on a large parent group should rotate the readKey on unloaded grandChild group", async () => {
+  test.skip("removing a member on a large parent group should rotate the readKey on unloaded grandChild group", async () => {
     const parentGroup = admin.node.createGroup();
 
     const group = bob.node.createGroup();
@@ -230,7 +230,7 @@ describe("Group.childKeyRotation", () => {
     expect(mapOnAliceNode.get("test")).toBeUndefined();
   });
 
-  test("non-admin accounts can't trigger the unloaded child group key rotation", async () => {
+  test.skip("non-admin accounts can't trigger the unloaded child group key rotation", async () => {
     const group = admin.node.createGroup();
     const childGroup = bob.node.createGroup();
 
@@ -290,7 +290,7 @@ describe("Group.childKeyRotation", () => {
     expect(updatedMapOnCharlieNode.get("test")).toBe("Readable by charlie");
   });
 
-  test("direct manager account can trigger the unloaded child group key rotation", async () => {
+  test.skip("direct manager account can trigger the unloaded child group key rotation", async () => {
     const group = admin.node.createGroup();
     const childGroup = bob.node.createGroup();
 
@@ -338,7 +338,7 @@ describe("Group.childKeyRotation", () => {
     expect(mapOnAliceNode.get("test")).toBeUndefined();
   });
 
-  test("inherited admin account triggers the unloaded child group key rotation", async () => {
+  test.skip("inherited admin account triggers the unloaded child group key rotation", async () => {
     const group = admin.node.createGroup();
     const childGroup = bob.node.createGroup();
 

package/src/tests/group.inheritance.test.ts

@@ -7,6 +7,7 @@ import {
   createThreeConnectedNodes,
   createTwoConnectedNodes,
   loadCoValueOrFail,
+  setupTestAccount,
   setupTestNode,
 } from "./testUtils";
 import { expectMap } from "../coValue.js";
@@ -1161,4 +1162,64 @@ describe("extend with role mapping", () => {
     expect(map.get("test")).toEqual("Written from the admin");
     expect(mapOnNode2.get("test")).toEqual("Written from the admin");
   });
+
+  test("if an account is revoked on the child but still a member of the parent, transactions should be considered valid", async () => {
+    const alice = await setupTestAccount({
+      connected: true,
+    });
+    const bob = await setupTestAccount({
+      connected: true,
+    });
+    const charlie = await setupTestAccount({
+      connected: true,
+    });
+
+    const group = alice.node.createGroup();
+    const parentGroup = alice.node.createGroup();
+
+    const bobInAlice = await loadCoValueOrFail(alice.node, bob.accountID);
+    group.addMember(bobInAlice, "admin");
+    group.extend(parentGroup, "admin");
+    parentGroup.addMember(bobInAlice, "admin");
+
+    const groupInBob = await loadCoValueOrFail(bob.node, group.id);
+    groupInBob.removeMember(bob.node.getCurrentAgent());
+
+    const charlieInBob = await loadCoValueOrFail(bob.node, charlie.accountID);
+    groupInBob.addMember(charlieInBob, "reader");
+
+    expect(groupInBob.roleOf(charlie.accountID)).toBe("reader");
+  });
+
+  test("if an account is revoked on the parent, their old transactions on the child should stay valid", async () => {
+    const alice = await setupTestAccount({
+      connected: true,
+    });
+    const bob = await setupTestAccount({
+      connected: true,
+    });
+    const charlie = await setupTestAccount({
+      connected: true,
+    });
+
+    const group = alice.node.createGroup();
+    const parentGroup = alice.node.createGroup();
+
+    const bobInAlice = await loadCoValueOrFail(alice.node, bob.accountID);
+    group.extend(parentGroup, "admin");
+    parentGroup.addMember(bobInAlice, "admin");
+
+    const groupInBob = await loadCoValueOrFail(bob.node, group.id);
+    const parentGroupInBob = await loadCoValueOrFail(bob.node, parentGroup.id);
+    const charlieInBob = await loadCoValueOrFail(bob.node, charlie.accountID);
+    groupInBob.addMember(charlieInBob, "reader");
+
+    await new Promise((r) => setTimeout(r, 10));
+
+    parentGroupInBob.removeMember(bob.node.getCurrentAgent());
+
+    const groupInCharlie = await loadCoValueOrFail(charlie.node, group.id);
+
+    expect(groupInCharlie.roleOf(charlie.accountID)).toBe("reader");
+  });
 });

package/src/tests/group.invite.test.ts

@@ -346,15 +346,9 @@ describe("Group invites", () => {
     });
 
     const group = admin.node.createGroup();
-    const person = group.createMap({
-      name: "John Doe",
-    });
 
     // First add member as admin
-    const memberAccount = await loadCoValueOrFail(
-      member.node,
-      member.accountID,
-    );
+    const memberAccount = await loadCoValueOrFail(admin.node, member.accountID);
     group.addMember(memberAccount, "admin");
 
     // Create a reader invite
@@ -367,8 +361,6 @@ describe("Group invites", () => {
     expect(groupOnMemberNode.roleOf(member.accountID)).toEqual("admin");
   });
 
-  logger.setLevel(LogLevel.DEBUG);
-
   test("invites should be able to upgrade the role of an existing member", async () => {
     const admin = await setupTestAccount({
       connected: true,
@@ -381,10 +373,7 @@ describe("Group invites", () => {
     const group = admin.node.createGroup();
 
     // First add member as reader
-    const memberAccount = await loadCoValueOrFail(
-      member.node,
-      member.accountID,
-    );
+    const memberAccount = await loadCoValueOrFail(admin.node, member.accountID);
     group.addMember(memberAccount, "reader");
 
     // Create an admin invite
@@ -401,10 +390,7 @@ describe("Group invites", () => {
     const reader = await setupTestAccount({
       connected: true,
     });
-    const readerAccount = await loadCoValueOrFail(
-      member.node,
-      reader.accountID,
-    );
+    const readerAccount = await loadCoValueOrFail(admin.node, reader.accountID);
     groupOnMemberNode.addMember(readerAccount, "reader");
   });
 
@@ -423,10 +409,7 @@ describe("Group invites", () => {
     });
 
     // First add member as reader
-    const memberAccount = await loadCoValueOrFail(
-      member.node,
-      member.accountID,
-    );
+    const memberAccount = await loadCoValueOrFail(admin.node, member.accountID);
     group.addMember(memberAccount, "reader");
     await group.removeMember(memberAccount);