pal-explorer-cli 0.4.0

package/lib/core/shares.js

@@ -0,0 +1,325 @@
+import crypto from 'crypto';
+import config from '../utils/config.js';
+import { signConfigKey, verifyConfigKey } from '../utils/configIntegrity.js';
+import { getFriends, getActivePublicKey, getActiveUser } from './users.js';
+import keytar from 'keytar';
+import path from 'path';
+import fs from 'fs';
+import { hooks } from './extensions.js';
+
+
+const SHARE_KEY_SERVICE = 'pal-share-keys';
+
+const generateId = () => crypto.randomBytes(8).toString('hex');
+
+// Valid visibility levels (expanded from global/private)
+export const VISIBILITY_LEVELS = ['public', 'global', 'private', 'group', 'network', 'link-only'];
+
+export const SHARE_CATEGORIES = ['documents', 'media', 'projects', 'games', 'backups', 'other'];
+
+export function addShare(filePath, type = 'file', visibility = 'global', permissions = { read: true, write: false }, recipients = [], { recursive = true, expiresIn = 0, maxDownloads = 0, password = null, category = null, description = null, color = null, icon = null } = {}) {
+  const shares = config.get('shares') || [];
+  const absolutePath = path.resolve(filePath);
+
+  const exists = shares.find(s => s.path === absolutePath);
+  if (exists) {
+    throw new Error(`Resource already shared: ${absolutePath}`);
+  }
+
+  const share = {
+    id: generateId(),
+    path: absolutePath,
+    name: path.basename(absolutePath),
+    type,
+    visibility,
+    permissions,
+    recipients,
+    recursive,
+    createdAt: new Date().toISOString(),
+    createdBy: getActivePublicKey(),
+    status: 'active',
+    downloads: 0,
+  };
+  if (password) share.password = password;
+  if (category) share.category = category;
+  if (description) share.description = description;
+  if (color) share.color = color;
+  if (icon) share.icon = icon;
+  if (expiresIn > 0) share.expiresAt = new Date(Date.now() + expiresIn).toISOString();
+  if (maxDownloads > 0) share.maxDownloads = maxDownloads;
+
+  shares.push(share);
+  config.set('shares', shares); signConfigKey('shares').catch(() => {});
+
+  // Fire extension hooks (non-blocking)
+  hooks.emit('after:share:create', {
+    path: absolutePath, name: path.basename(absolutePath), shareId: share.id,
+  }).catch(() => {});
+
+  return share;
+}
+
+// Async version with before-hook support (used by GUI/extensions)
+export async function addShareChecked(filePath, type = 'file', visibility = 'global', permissions = { read: true, write: false }, recipients = [], opts = {}) {
+  const absolutePath = path.resolve(filePath);
+  const hookResult = await hooks.emit('before:share:create', {
+    path: absolutePath, name: path.basename(absolutePath), visibility, recipients,
+  });
+  if (hookResult.blocked) {
+    throw new Error(`Blocked by extension: ${hookResult.reason}`);
+  }
+  return addShare(filePath, type, visibility, permissions, recipients, opts);
+}
+
+export function isShareExpired(share) {
+  if (share.expiresAt && new Date(share.expiresAt) < new Date()) return true;
+  if (share.maxDownloads > 0 && (share.downloads || 0) >= share.maxDownloads) return true;
+  return false;
+}
+
+export function incrementShareDownloads(shareId) {
+  const shares = config.get('shares') || [];
+  const share = shares.find(s => s.id === shareId);
+  if (!share) return;
+  share.downloads = (share.downloads || 0) + 1;
+  if (share.maxDownloads > 0 && share.downloads >= share.maxDownloads) {
+    share.status = 'expired';
+  }
+  config.set('shares', shares);
+}
+
+export function expireOldShares() {
+  const shares = config.get('shares') || [];
+  let changed = false;
+  for (const share of shares) {
+    if (share.status === 'active' && isShareExpired(share)) {
+      share.status = 'expired';
+      changed = true;
+    }
+  }
+  if (changed) {
+    config.set('shares', shares);
+    signConfigKey('shares').catch(() => {});
+  }
+  return changed;
+}
+
+export function listShares({ allUsers = false } = {}) {
+  let shares = config.get('shares') || [];
+  if (!allUsers) {
+    const activeUser = getActiveUser();
+    if (activeUser && activeUser.role !== 'owner') {
+      const pk = activeUser.publicKey;
+      shares = shares.filter(s => s.createdBy === pk);
+    }
+  }
+  return shares.map(s => ({
+    ...s,
+    name: s.name || path.basename(s.path),
+    expired: isShareExpired(s),
+  }));
+}
+
+export function removeShare(idOrPath) {
+  const shares = config.get('shares') || [];
+  const initialLength = shares.length;
+  const resolved = path.resolve(idOrPath);
+  const target = shares.find(s => s.id === idOrPath || s.path === resolved);
+
+  if (!target) {
+    throw new Error('Share not found.');
+  }
+
+  // Ownership check: non-owners can only revoke their own shares
+  // Shares without createdBy are legacy (pre-multiuser) and belong to the owner
+  const activeUser = getActiveUser();
+  if (activeUser && activeUser.role !== 'owner') {
+    if (!target.createdBy || target.createdBy !== activeUser.publicKey) {
+      throw new Error('You can only revoke your own shares.');
+    }
+  }
+
+  const newShares = shares.filter(s => s.id !== idOrPath && s.path !== resolved);
+
+  if (newShares.length === initialLength) {
+    throw new Error('Share not found.');
+  }
+
+  config.set('shares', newShares); signConfigKey('shares').catch(() => {});
+
+  // Fire extension hooks (non-blocking)
+  if (target) {
+    hooks.emit('after:share:revoke', { path: target.path, shareId: target.id }).catch(() => {});
+  }
+
+  return true;
+}
+
+// Async version with before-hook support (used by GUI/extensions)
+export async function removeShareChecked(idOrPath) {
+  const shares = config.get('shares') || [];
+  const resolved = path.resolve(idOrPath);
+  const target = shares.find(s => s.id === idOrPath || s.path === resolved);
+  if (target) {
+    const hookResult = await hooks.emit('before:share:revoke', {
+      path: target.path, shareId: target.id,
+    });
+    if (hookResult.blocked) {
+      throw new Error(`Blocked by extension: ${hookResult.reason}`);
+    }
+  }
+  return removeShare(idOrPath);
+}
+
+export function updateShare(idOrPath, updates) {
+  const shares = config.get('shares') || [];
+  const resolved = path.resolve(idOrPath);
+  const share = shares.find(s => s.id === idOrPath || s.path === resolved);
+  if (!share) throw new Error('Share not found.');
+
+  const allowed = ['visibility', 'recipients', 'sharedWithGroups', 'sharedWithNetworks',
+    'streamable', 'recursive', 'name', 'permissions'];
+  for (const key of allowed) {
+    if (updates[key] !== undefined) share[key] = updates[key];
+  }
+  share.updatedAt = new Date().toISOString();
+  config.set('shares', shares); signConfigKey('shares').catch(() => {});
+  return share;
+}
+
+export function getShareSummary() {
+  const shares = config.get('shares') || [];
+  return shares.map(s => ({
+    id: s.id,
+    name: s.name || path.basename(s.path),
+    path: s.path,
+    type: s.type,
+    visibility: s.visibility || 'global',
+    streamable: s.streamable || false,
+    recipientCount: (s.recipients || []).length,
+    recipients: (s.recipients || []).map(r => r.name || r.handle || r.id),
+    groups: s.sharedWithGroups || [],
+    networks: s.sharedWithNetworks || [],
+    hasMagnet: !!s.magnet,
+    hasPassword: !!s.password,
+    recursive: s.recursive !== false,
+    createdAt: s.createdAt,
+    updatedAt: s.updatedAt,
+  }));
+}
+
+export function getSharesByDrive() {
+  const shares = listShares();
+  const byDrive = {};
+
+  shares.forEach(share => {
+    const drive = path.parse(share.path).root;
+    if (!byDrive[drive]) byDrive[drive] = [];
+    byDrive[drive].push(share);
+  });
+
+  return byDrive;
+}
+
+export async function storeShareKey(shareId, shareKeyHex) {
+  try {
+    await keytar.setPassword(SHARE_KEY_SERVICE, shareId, shareKeyHex);
+  } catch (err) {
+    throw new Error(`Failed to store share key securely: ${err.message}`);
+  }
+}
+
+export async function getShareKey(shareId) {
+  try {
+    return await keytar.getPassword(SHARE_KEY_SERVICE, shareId);
+  } catch (err) {
+    console.error(`Failed to retrieve share key: ${err.message}`);
+    return null;
+  }
+}
+
+export async function rotateShareKey(shareId) {
+  const { generateShareKey, encryptShareKeyForRecipient } = await import('../crypto/shareEncryption.js');
+  const { encryptForSeed, getEncryptedSeedDir } = await import('../crypto/streamEncryption.js');
+
+  const shares = config.get('shares') || [];
+  const share = shares.find(s => s.id === shareId);
+  if (!share) throw new Error('Share not found');
+
+  const newShareKey = generateShareKey();
+
+  // Re-encrypt the source files with the new key
+  const encDir = getEncryptedSeedDir(shareId + '-' + Date.now().toString(36));
+  if (fs.existsSync(share.path)) {
+    encryptForSeed(share.path, encDir, newShareKey);
+  }
+
+  // Clean up old encrypted dir
+  if (share.encryptedPath && fs.existsSync(share.encryptedPath)) {
+    try { fs.rmSync(share.encryptedPath, { recursive: true, force: true }); } catch {}
+  }
+
+  // Re-wrap key for remaining recipients
+  const friends = getFriends();
+  const newEncryptedShareKeys = {};
+  for (const recipient of (share.recipients || [])) {
+    const pal = friends.find(f => f.id === recipient.id);
+    if (pal?.id && pal.id !== 'unknown') {
+      newEncryptedShareKeys[pal.id] = encryptShareKeyForRecipient(newShareKey, pal.id);
+    }
+  }
+
+  // Store new key securely
+  await keytar.setPassword(SHARE_KEY_SERVICE, shareId, newShareKey.toString('hex'));
+
+  // Update share config
+  share.encryptedPath = encDir;
+  share.encryptedShareKeys = newEncryptedShareKeys;
+  share.magnet = null; // Will be regenerated on next seed
+  share.rotatedAt = new Date().toISOString();
+  config.set('shares', shares); signConfigKey('shares').catch(() => {});
+
+  return { share, newEncryptedShareKeys };
+}
+
+export function removeRecipientFromShare(shareId, palId) {
+  const shares = config.get('shares') || [];
+  const share = shares.find(s => s.id === shareId);
+  if (!share) return null;
+
+  share.recipients = (share.recipients || []).filter(r => r.id !== palId);
+  if (share.encryptedShareKeys) {
+    delete share.encryptedShareKeys[palId];
+  }
+  config.set('shares', shares); signConfigKey('shares').catch(() => {});
+  return share;
+}
+
+export function getSharesForPal(palId) {
+  const shares = config.get('shares') || [];
+  return shares.filter(s =>
+    (s.recipients || []).some(r => r.id === palId)
+  );
+}
+
+export async function migrateShareKeys() {
+  const shares = config.get('shares') || [];
+  if (!shares.some(s => s.shareKeyHex)) return;
+
+  let migrated = 0;
+  await Promise.all(shares.map(async (share) => {
+    if (!share.shareKeyHex) return;
+    try {
+      await keytar.setPassword(SHARE_KEY_SERVICE, share.id, share.shareKeyHex);
+      delete share.shareKeyHex;
+      migrated++;
+    } catch (err) {
+      console.error(`Failed to migrate share key for ${share.id}: ${err.message}`);
+    }
+  }));
+
+  if (migrated > 0) {
+    config.set('shares', shares); signConfigKey('shares').catch(() => {});
+    console.log(`Migrated ${migrated} share key(s) to credential store.`);
+  }
+}