cojson 0.8.17 → 0.8.19-group-inheritance.0

package/src/coValueCore.ts

@@ -1,5 +1,5 @@
 import { Result, err, ok } from "neverthrow";
-import { AnyRawCoValue, RawCoValue } from "./coValue.js";
+import { AnyRawCoValue, CoID, RawCoValue } from "./coValue.js";
 import { ControlledAccountOrAgent, RawAccountID } from "./coValues/account.js";
 import { RawGroup } from "./coValues/group.js";
 import { coreToCoValue } from "./coreToCoValue.js";
@@ -785,6 +785,46 @@ export class CoValueCore {
         }
       }
 
+      // try to find revelation to parent group read keys
+
+      for (const co of content.keys()) {
+        if (co.startsWith("parent_")) {
+          const parentGroupID = co.slice("parent_".length) as CoID<RawGroup>;
+          const parentGroup = this.node.expectCoValueLoaded(
+            parentGroupID,
+            "Expected parent group to be loaded",
+          );
+
+          const parentKey = parentGroup.getCurrentReadKey();
+          if (!parentKey.secret) {
+            continue;
+          }
+
+          const revelationForParentKey = content.get(
+            `${keyID}_for_${parentKey.id}`,
+          );
+
+          if (revelationForParentKey) {
+            const secret = parentGroup.crypto.decryptKeySecret(
+              {
+                encryptedID: keyID,
+                encryptingID: parentKey.id,
+                encrypted: revelationForParentKey,
+              },
+              parentKey.secret,
+            );
+
+            if (secret) {
+              return secret as KeySecret;
+            } else {
+              console.error(
+                `Encrypting parent ${parentKey.id} key didn't decrypt ${keyID}`,
+              );
+            }
+          }
+        }
+      }
+
       return undefined;
     } else if (this.header.ruleset.type === "ownedByGroup") {
       return this.node
@@ -950,9 +990,15 @@ export class CoValueCore {
   /** @internal */
   getDependedOnCoValuesUncached(): RawCoID[] {
     return this.header.ruleset.type === "group"
-      ? expectGroup(this.getCurrentContent())
-          .keys()
-          .filter((k): k is RawAccountID => k.startsWith("co_"))
+      ? [
+          ...expectGroup(this.getCurrentContent())
+            .keys()
+            .filter((k): k is RawAccountID => k.startsWith("co_")),
+          ...expectGroup(this.getCurrentContent())
+            .keys()
+            .filter((k) => k.startsWith("parent_"))
+            .map((k) => k.replace("parent_", "") as RawCoID),
+        ]
       : this.header.ruleset.type === "ownedByGroup"
         ? [
             this.header.ruleset.group,

package/src/coValues/group.ts

@@ -5,6 +5,7 @@ import { Encrypted, KeyID, KeySecret, Sealed } from "../crypto/crypto.js";
 import { AgentID, isAgentID } from "../ids.js";
 import { JsonObject } from "../jsonValue.js";
 import { Role } from "../permissions.js";
+import { expectGroup } from "../typeUtils/expectGroup.js";
 import {
   ControlledAccountOrAgent,
   RawAccount,
@@ -29,6 +30,8 @@ export type GroupShape = {
     KeySecret,
     { encryptedID: KeyID; encryptingID: KeyID }
   >;
+  [parent: `parent_${CoID<RawGroup>}`]: "extend";
+  [child: `child_${CoID<RawGroup>}`]: "extend";
 };
 
 /** A `Group` is a scope for permissions of its members (`"reader" | "writer" | "admin"`), applying to objects owned by that group.
@@ -61,12 +64,68 @@ export class RawGroup<
    * @category 1. Role reading
    */
   roleOf(accountID: RawAccountID): Role | undefined {
-    return this.roleOfInternal(accountID);
+    return this.roleOfInternal(accountID)?.role;
   }
 
   /** @internal */
-  roleOfInternal(accountID: RawAccountID | AgentID): Role | undefined {
-    return this.get(accountID);
+  roleOfInternal(
+    accountID: RawAccountID | AgentID | typeof EVERYONE,
+  ): { role: Role; via: CoID<RawGroup> | undefined } | undefined {
+    const roleHere = this.get(accountID);
+    if (roleHere === "revoked") {
+      return undefined;
+    }
+
+    let roleInfo:
+      | {
+          role: Exclude<Role, "revoked">;
+          via: CoID<RawGroup> | undefined;
+        }
+      | undefined = roleHere && { role: roleHere, via: undefined };
+
+    const parentGroups = this.getParentGroups();
+
+    for (const parentGroup of parentGroups) {
+      const roleInParent = parentGroup.roleOfInternal(accountID);
+
+      if (
+        roleInParent &&
+        roleInParent.role !== "revoked" &&
+        isMorePermissiveAndShouldInherit(roleInParent.role, roleInfo?.role)
+      ) {
+        roleInfo = { role: roleInParent.role, via: parentGroup.id };
+      }
+    }
+
+    return roleInfo;
+  }
+
+  getParentGroups(): RawGroup[] {
+    return (
+      this.keys().filter((key) =>
+        key.startsWith("parent_"),
+      ) as `parent_${CoID<RawGroup>}`[]
+    ).map((parentKey) => {
+      const parent = this.core.node.expectCoValueLoaded(
+        parentKey.slice("parent_".length) as CoID<RawGroup>,
+        "Expected parent group to be loaded",
+      );
+      return expectGroup(parent.getCurrentContent());
+    });
+  }
+
+  getChildGroups(): RawGroup[] {
+    return (
+      this.keys().filter((key) =>
+        key.startsWith("child_"),
+      ) as `child_${CoID<RawGroup>}`[]
+    ).map((childKey) => {
+      const child = this.core.node.expectCoValueLoaded(
+        childKey.slice("child_".length) as CoID<RawGroup>,
+        "Expected child group to be loaded",
+      );
+      return expectGroup(child.getCurrentContent());
+    });
   }
 
   /**
@@ -75,7 +134,7 @@ export class RawGroup<
    * @category 1. Role reading
    */
   myRole(): Role | undefined {
-    return this.roleOfInternal(this.core.node.account.id);
+    return this.roleOfInternal(this.core.node.account.id)?.role;
   }
 
   /**
@@ -203,7 +262,75 @@ export class RawGroup<
       "trusting",
     );
 
+    console.log("Setting", `readKey`, "to", newReadKey.id, "in", this.id);
+
     this.set("readKey", newReadKey.id, "trusting");
+
+    for (const parent of this.getParentGroups()) {
+      const { id: parentReadKeyID, secret: parentReadKeySecret } =
+        parent.core.getCurrentReadKey();
+      if (!parentReadKeySecret) {
+        throw new Error(
+          "Can't reveal new child key to parent where we don't have access to the parent read key",
+        );
+      }
+
+      console.log(
+        "Setting",
+        `${newReadKey.id}_for_${parentReadKeyID}`,
+        "in",
+        this.id,
+      );
+
+      this.set(
+        `${newReadKey.id}_for_${parentReadKeyID}`,
+        this.core.crypto.encryptKeySecret({
+          encrypting: {
+            id: parentReadKeyID,
+            secret: parentReadKeySecret,
+          },
+          toEncrypt: newReadKey,
+        }).encrypted,
+        "trusting",
+      );
+    }
+
+    for (const child of this.getChildGroups()) {
+      console.log("Rotating child", child.id);
+      child.rotateReadKey();
+    }
+  }
+
+  extend(parent: RawGroup) {
+    this.set(`parent_${parent.id}`, "extend", "trusting");
+    parent.set(`child_${this.id}`, "extend", "trusting");
+
+    const { id: parentReadKeyID, secret: parentReadKeySecret } =
+      parent.core.getCurrentReadKey();
+    if (!parentReadKeySecret) {
+      throw new Error("Can't extend group without parent read key secret");
+    }
+
+    const { id: childReadKeyID, secret: childReadKeySecret } =
+      this.core.getCurrentReadKey();
+    if (!childReadKeySecret) {
+      throw new Error("Can't extend group without child read key secret");
+    }
+
+    this.set(
+      `${childReadKeyID}_for_${parentReadKeyID}`,
+      this.core.crypto.encryptKeySecret({
+        encrypting: {
+          id: parentReadKeyID,
+          secret: parentReadKeySecret,
+        },
+        toEncrypt: {
+          id: childReadKeyID,
+          secret: childReadKeySecret,
+        },
+      }).encrypted,
+      "trusting",
+    );
   }
 
   /**
@@ -347,6 +474,34 @@ export class RawGroup<
   }
 }
 
+function isMorePermissiveAndShouldInherit(
+  roleInParent: Role,
+  roleInChild: Exclude<Role, "revoked"> | undefined,
+) {
+  // invites should never be inherited
+  if (
+    roleInParent === "adminInvite" ||
+    roleInParent === "writerInvite" ||
+    roleInParent === "readerInvite"
+  ) {
+    return false;
+  }
+
+  if (roleInParent === "admin") {
+    return !roleInChild || roleInChild !== "admin";
+  }
+
+  if (roleInParent === "writer") {
+    return !roleInChild || roleInChild === "reader";
+  }
+
+  if (roleInParent === "reader") {
+    return !roleInChild;
+  }
+
+  return false;
+}
+
 export type InviteSecret = `inviteSecret_z${string}`;
 
 function inviteSecretFromSecretSeed(secretSeed: Uint8Array): InviteSecret {