Vaults sharing, permissions and scanning

Author: tegefaulkes

src/PolykeyAgent.ts

@@ -286,18 +286,29 @@ class Polykey {
         fs: fs_,
         logger: logger_.getChild('NodeManager'),
       }));
+    const notifications_ =
+      notificationsManager ??
+      (await NotificationsManager.createNotificationsManager({
+        acl: acl_,
+        db: db_,
+        nodeManager: nodes_,
+        keyManager: keys_,
+        logger: logger_.getChild('NotificationsManager'),
+        fresh,
+      }));
     const vaults_ =
       vaultManager ??
       (await VaultManager.createVaultManager({
         keyManager: keys_,
         vaultsPath: vaultsPath,
-        vaultsKey: keys_.vaultKey,
         nodeManager: nodes_,
         gestaltGraph: gestalts_,
+        notificationsManager: notifications_,
         acl: acl_,
         db: db_,
         fs: fs_,
         logger: logger_.getChild('VaultManager'),
+        fresh,
       }));
     // Setting the workerManager for vaults.
     if (workers_ != null) {
@@ -319,16 +330,6 @@ class Polykey {
         nodeManager: nodes_,
         logger: logger_.getChild('Discovery'),
       }));
-    const notifications_ =
-      notificationsManager ??
-      (await NotificationsManager.createNotificationsManager({
-        acl: acl_,
-        db: db_,
-        nodeManager: nodes_,
-        keyManager: keys_,
-        logger: logger_.getChild('NotificationsManager'),
-        fresh,
-      }));
 
     const sessionManager = await SessionManager.createSessionManager({
       db: db_,
@@ -476,6 +477,8 @@ class Polykey {
       nodeManager: this.nodes,
       sigchain: this.sigchain,
       notificationsManager: this.notifications,
+      acl: this.acl,
+      gestaltGraph: this.gestalts,
     });
 
     // Registering providers.
@@ -492,7 +495,6 @@ class Polykey {
    */
   public async start({ fresh = false }: { fresh?: boolean }) {
     this.logger.info('Starting Polykey');
-
     if (
       (await Lockfile.checkLock(
         this.fs,
@@ -525,7 +527,6 @@ class Polykey {
 
     const keyPrivatePem = this.keys.getRootKeyPairPem().privateKey;
     const certChainPem = await this.keys.getRootCertChainPem();
-
     // GRPC Server
     // Client server
     await this.clientGrpcServer.start({
@@ -543,7 +544,6 @@ class Polykey {
       host: this.agentGrpcHost as Host,
       port: this.agentGrpcPort as Port,
     });
-
     await this.fwdProxy.start({
       tlsConfig: {
         keyPrivatePem: keyPrivatePem,
@@ -571,7 +571,6 @@ class Polykey {
       'fwdProxyPort',
       this.fwdProxy.getProxyPort(),
     );
-
     this.logger.info('Started Polykey');
   }
 

src/agent/GRPCClientAgent.ts

@@ -85,10 +85,10 @@ class GRPCClientAgent extends GRPCClient<AgentServiceClient> {
   }
 
   @ready(new grpcErrors.ErrorGRPCClientNotStarted())
-  public vaultsScan(...args) {
-    return grpcUtils.promisifyReadableStreamCall<vaultsPB.Vault>(
+  public nodesScan(...args) {
+    return grpcUtils.promisifyReadableStreamCall<vaultsPB.List>(
       this.client,
-      this.client.vaultsScan,
+      this.client.nodesScan,
     )(...args);
   }
 
@@ -132,14 +132,6 @@ class GRPCClientAgent extends GRPCClient<AgentServiceClient> {
     )(...args);
   }
 
-  @ready(new grpcErrors.ErrorGRPCClientNotStarted())
-  public vaultsPermisssionsCheck(...args) {
-    return grpcUtils.promisifyUnaryCall<vaultsPB.NodePermissionAllowed>(
-      this.client,
-      this.client.vaultsPermisssionsCheck,
-    )(...args);
-  }
-
   @ready(new grpcErrors.ErrorGRPCClientNotStarted())
   public nodesCrossSignClaim(...args) {
     return grpcUtils.promisifyDuplexStreamCall<

src/agent/agentService.ts

@@ -4,6 +4,9 @@ import type {
   ClaimIdString,
 } from '../claims/types';
 import type { VaultName } from '../vaults/types';
+import type { ACL } from '../acl';
+import type { GestaltGraph } from '../gestalts';
+import type { NodeId } from '../nodes/types';
 
 import * as grpc from '@grpc/grpc-js';
 import { promisify } from '../utils';
@@ -44,12 +47,16 @@ function createAgentService({
   nodeManager,
   notificationsManager,
   sigchain,
+  acl,
+  gestaltGraph,
 }: {
   keyManager: KeyManager;
   vaultManager: VaultManager;
   nodeManager: NodeManager;
   sigchain: Sigchain;
   notificationsManager: NotificationsManager;
+  acl: ACL;
+  gestaltGraph: GestaltGraph;
 }): IAgentServiceServer {
   const agentService: IAgentServiceServer = {
     echo: async (
@@ -66,21 +73,44 @@ function createAgentService({
       const genWritable = grpcUtils.generatorWritable(call);
       const request = call.request;
       const vaultNameOrId = request.getNameOrId();
-      let vaultId, vaultName;
+      let vaultName;
+      let vaultId = await vaultManager.getVaultId(vaultNameOrId as VaultName);
+      if (!vaultId) {
+        try {
+          vaultId = makeVaultId(idUtils.fromString(vaultNameOrId));
+          vaultName = await vaultManager.getVaultName(vaultId);
+        } catch (err) {
+          await genWritable.throw(new vaultsErrors.ErrorVaultUndefined());
+          return;
+        }
+      } else {
+        vaultName = vaultNameOrId;
+      }
+      await vaultManager.openVault(vaultId);
+      const metaIn = call.metadata;
+      const nodeId = metaIn.get('nodeId').pop()!.toString() as NodeId;
+      const actionType = metaIn.get('action').pop()!.toString();
+      const perms = await acl.getNodePerm(nodeId);
+      if (!perms) {
+        await genWritable.throw(new vaultsErrors.ErrorVaultPermissionDenied());
+        return;
+      }
+      const vaultPerms = perms.vaults[idUtils.toString(vaultId)];
       try {
-        vaultId = makeVaultId(idUtils.fromString(vaultNameOrId));
-        await vaultManager.openVault(vaultId);
-        vaultName = await vaultManager.getVaultName(vaultId);
+        if (vaultPerms[actionType] !== null) {
+          await genWritable.throw(
+            new vaultsErrors.ErrorVaultPermissionDenied(),
+          );
+          return;
+        }
       } catch (err) {
-        if (err instanceof vaultsErrors.ErrorVaultUndefined) {
-          vaultId = await vaultManager.getVaultId(vaultNameOrId as VaultName);
-          await vaultManager.openVault(vaultId);
-          vaultName = vaultNameOrId;
-        } else {
-          throw err;
+        if (err instanceof TypeError) {
+          await genWritable.throw(
+            new vaultsErrors.ErrorVaultPermissionDenied(),
+          );
+          return;
         }
       }
-      // TODO: Check the permissions here
       const meta = new grpc.Metadata();
       meta.set('vaultName', vaultName);
       meta.set('vaultId', makeVaultIdPretty(vaultId));
@@ -112,22 +142,15 @@ function createAgentService({
         const vaultNameOrId = meta.get('vaultNameOrId').pop()!.toString();
         if (vaultNameOrId == null)
           throw new ErrorGRPC('vault-name not in metadata.');
-        let vaultId;
-        try {
-          vaultId = makeVaultId(vaultNameOrId);
-          await vaultManager.openVault(vaultId);
-        } catch (err) {
-          if (
-            err instanceof vaultsErrors.ErrorVaultUndefined ||
-            err instanceof SyntaxError
-          ) {
-            vaultId = await vaultManager.getVaultId(vaultNameOrId as VaultName);
-            await vaultManager.openVault(vaultId);
-          } else {
-            throw err;
+        let vaultId = await vaultManager.getVaultId(vaultNameOrId as VaultName);
+        if (!vaultId) {
+          try {
+            vaultId = makeVaultId(vaultNameOrId);
+          } catch (err) {
+            return;
           }
         }
-        // TODO: Check the permissions here
+        await vaultManager.openVault(vaultId);
         const response = new vaultsPB.PackChunk();
         const [sideBand, progressStream] = await vaultManager.handlePackRequest(
           vaultId,
@@ -154,20 +177,39 @@ function createAgentService({
         call.end();
       });
     },
-    vaultsScan: async (
-      call: grpc.ServerWritableStream<nodesPB.Node, vaultsPB.Vault>,
+    nodesScan: async (
+      call: grpc.ServerWritableStream<nodesPB.Node, vaultsPB.List>,
     ): Promise<void> => {
       const genWritable = grpcUtils.generatorWritable(call);
-      const response = new vaultsPB.Vault();
-      const id = makeNodeId(call.request.getNodeId());
+      const response = new vaultsPB.List();
+      const nodeId = makeNodeId(call.request.getNodeId());
+      const perms = await gestaltGraph.getGestaltActionsByNode(nodeId);
+      if (!perms) {
+        await genWritable.throw(new vaultsErrors.ErrorVaultPermissionDenied());
+        return;
+      }
       try {
-        throw Error('Not implemented');
-        // FIXME: handleVaultNamesRequest doesn't exist.
-        // const listResponse = vaultManager.handleVaultNamesRequest(id);
-        let listResponse;
-        for await (const vault of listResponse) {
+        if (perms['scan'] !== null) {
+          await genWritable.throw(
+            new vaultsErrors.ErrorVaultPermissionDenied(),
+          );
+          return;
+        }
+      } catch (err) {
+        if (err instanceof TypeError) {
+          await genWritable.throw(
+            new vaultsErrors.ErrorVaultPermissionDenied(),
+          );
+          return;
+        }
+        throw err;
+      }
+      try {
+        const listResponse = await vaultManager.listVaults();
+        for (const vault of listResponse) {
           if (vault !== null) {
-            response.setNameOrId(vault);
+            response.setVaultName(vault[0]);
+            response.setVaultId(makeVaultIdPretty(vault[1]));
             await genWritable.next(response);
           } else {
             await genWritable.next(null);
@@ -304,33 +346,6 @@ function createAgentService({
       }
       callback(null, response);
     },
-    vaultsPermisssionsCheck: async (
-      call: grpc.ServerUnaryCall<
-        vaultsPB.NodePermission,
-        vaultsPB.NodePermissionAllowed
-      >,
-      callback: grpc.sendUnaryData<vaultsPB.NodePermissionAllowed>,
-    ): Promise<void> => {
-      const response = new vaultsPB.NodePermissionAllowed();
-      try {
-        const nodeId = makeNodeId(call.request.getNodeId());
-        const vaultId = makeVaultId(call.request.getVaultId());
-        throw Error('Not Implemented');
-        // FIXME: getVaultPermissions not implemented.
-        // const result = await vaultManager.getVaultPermissions(vaultId, nodeId);
-        let result;
-        if (result[nodeId] === undefined) {
-          response.setPermission(false);
-        } else if (result[nodeId]['pull'] === undefined) {
-          response.setPermission(false);
-        } else {
-          response.setPermission(true);
-        }
-        callback(null, response);
-      } catch (err) {
-        callback(grpcUtils.fromError(err), null);
-      }
-    },
     nodesCrossSignClaim: async (
       call: grpc.ServerDuplexStream<nodesPB.CrossSign, nodesPB.CrossSign>,
     ) => {

src/agent/backgroundAgent.ts

@@ -22,6 +22,7 @@ process.on('message', async (startOptions: string) => {
     polykeyAgent = await PolykeyAgent.createPolykey({
       password: ops.password,
       nodePath: ops.nodePath,
+      fresh: ops.fresh,
     });
     await polykeyAgent.start({});
     //Catching kill signals.

src/agent/utils.ts

@@ -26,9 +26,10 @@ async function checkAgentRunning(nodePath: string): Promise<boolean> {
   return false;
 }
 
-async function spawnBackgroundAgent( // FIXME, this is broken.
+async function spawnBackgroundAgent(
   nodePath: string,
   password: string,
+  fresh = false,
 ): Promise<number> {
   //Checking agent running.
   if (await checkAgentRunning(nodePath)) {
@@ -85,6 +86,7 @@ async function spawnBackgroundAgent( // FIXME, this is broken.
   const startOptions = {
     nodePath: nodePath,
     password: password,
+    fresh: fresh,
   };
 
   let pid;

src/bin/agent/start.ts

@@ -14,6 +14,7 @@ const start = binUtils.createCommand('start', {
   format: true,
   passwordFile: true,
 });
+start.option('-fr, --fresh', 'Starts a fresh agent');
 start.option('-b, --background', 'Starts the agent as a background process');
 start.action(async (options) => {
   const agentConfig = {};
@@ -28,20 +29,27 @@ start.action(async (options) => {
     : utils.getDefaultNodePath();
   agentConfig['nodePath'] = nodePath;
   const background = options.background;
+  if (options.fresh) {
+    agentConfig['fresh'] = true;
+  }
 
   const password = await fs.promises.readFile(options.passwordFile, {
     encoding: 'utf-8',
   });
 
   try {
     if (background) {
-      await agentUtils.spawnBackgroundAgent(nodePath, password);
+      await agentUtils.spawnBackgroundAgent(
+        nodePath,
+        password,
+        agentConfig['fresh'],
+      );
     } else {
       const agent = await PolykeyAgent.createPolykey({
         password,
         ...agentConfig,
       });
-      await agent.start({});
+      await agent.start({ fresh: agentConfig['fresh'] });
 
       // If started add handlers for terminating.
       const termHandler = async () => {

src/bin/nodes/index.ts

@@ -4,6 +4,7 @@ import claim from './claim';
 // Import commandUnclaimNode from "./commandUnclaimNode";
 import add from './add';
 import find from './find';
+import scan from './scan';
 
 const commandNodes = createCommand('node');
 commandNodes.description('nodes commands');
@@ -13,5 +14,6 @@ commandNodes.addCommand(ping);
 commandNodes.addCommand(add);
 commandNodes.addCommand(find);
 commandNodes.addCommand(claim);
+commandNodes.addCommand(scan);
 
 export default commandNodes;