-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
9d81f1f
commit 6853666
Showing
6 changed files
with
89 additions
and
96 deletions.
There are no files selected for viewing
102 changes: 20 additions & 82 deletions
102
apps/api-delegations/src/db/actions/delegations/get-delegation-db.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,92 +1,30 @@ | ||
import type { DelegationWithMetadata } from 'universal-types'; | ||
import type { GetDelegationParams } from '../../../validation.js'; | ||
import { db } from '../../index.js'; | ||
import { ROOT_AUTHORITY } from 'universal-data'; | ||
import { | ||
MAX_DELEGATION_DEPTH, | ||
buildAuthConfig, | ||
replaceAuthKeys, | ||
} from './utils.js'; | ||
|
||
function addAuthorityDelegationAtLeaf( | ||
root: DelegationWithMetadata, | ||
newAuthorityDelegation: DelegationWithMetadata, | ||
): DelegationWithMetadata { | ||
// If we've reached a leaf where authorityDelegation is null, insert the new delegation here. | ||
if (root.authorityDelegation === null) { | ||
return { | ||
...root, | ||
authorityDelegation: newAuthorityDelegation, | ||
}; | ||
} | ||
|
||
// Otherwise, recurse down one level and update that subtree | ||
return { | ||
...root, | ||
authorityDelegation: addAuthorityDelegationAtLeaf( | ||
root.authorityDelegation, | ||
newAuthorityDelegation, | ||
), | ||
}; | ||
} | ||
type GetDelegationDbReturnType = Promise<DelegationWithMetadata | undefined>; | ||
|
||
export async function getDelegationDb({ | ||
hash, | ||
}: GetDelegationParams): Promise<DelegationWithMetadata | undefined> { | ||
return db.transaction(async (tx) => { | ||
// Fetch the top-level (initial) delegation | ||
const topDelegationDb = await tx.query.delegations.findFirst({ | ||
where: (delegations, { eq }) => eq(delegations.hash, hash), | ||
with: { caveats: true }, | ||
}); | ||
|
||
if (!topDelegationDb) { | ||
return undefined; | ||
} | ||
|
||
// Initialize our top-level delegation with authorityDelegation = null | ||
let delegation: DelegationWithMetadata = { | ||
...topDelegationDb, | ||
authorityDelegation: null, | ||
}; | ||
|
||
// If authority is the root authority, no further chaining is needed | ||
if (delegation.authority === ROOT_AUTHORITY) { | ||
return delegation; | ||
} | ||
|
||
// Check for delegation loops | ||
if (delegation.hash === delegation.authority) { | ||
throw new Error('Delegation loop detected'); | ||
} | ||
|
||
// Walk down the chain of authority delegations until we hit the root | ||
let currentAuthority = delegation.authority; | ||
|
||
// TODO: replace loop with query using recursive CTE | ||
while (currentAuthority !== ROOT_AUTHORITY) { | ||
const nextDelegationDb = await tx.query.delegations.findFirst({ | ||
where: (delegations, { eq }) => eq(delegations.hash, currentAuthority), | ||
with: { caveats: true }, | ||
}); | ||
|
||
if (!nextDelegationDb) { | ||
// If we can't find the next delegation in the chain, stop and return what we have so far | ||
break; | ||
} | ||
|
||
// Check for delegation loops | ||
if (nextDelegationDb.hash === nextDelegationDb.authority) { | ||
throw new Error('Delegation loop detected'); | ||
} | ||
|
||
const nextDelegation: DelegationWithMetadata = { | ||
...nextDelegationDb, | ||
authorityDelegation: null, | ||
}; | ||
|
||
// Insert this delegation at the leaf of our current chain | ||
delegation = addAuthorityDelegationAtLeaf(delegation, nextDelegation); | ||
}: GetDelegationParams): GetDelegationDbReturnType { | ||
const delegation = await db.query.delegations.findFirst({ | ||
where: (delegations, { eq }) => eq(delegations.hash, hash), | ||
with: { | ||
// Supports MAX_DELEGATION_DEPTH levels of parent recursion | ||
caveats: true, | ||
auth: buildAuthConfig(MAX_DELEGATION_DEPTH), | ||
}, | ||
}); | ||
|
||
// Move on to the next authority in the chain | ||
currentAuthority = nextDelegation.authority; | ||
} | ||
if (!delegation) { | ||
return; | ||
} | ||
|
||
return delegation; | ||
}); | ||
// Recursively update auth for authorityDelegation | ||
return replaceAuthKeys(delegation); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
import type { DelegationWithMetadata } from 'universal-types'; | ||
|
||
export type ReplaceAuthKeysParams = Omit< | ||
DelegationWithMetadata, | ||
'authorityDelegation' | ||
> & { | ||
auth: ReplaceAuthKeysParams | null; | ||
}; | ||
|
||
export function replaceAuthKeys( | ||
delegation: ReplaceAuthKeysParams, | ||
): DelegationWithMetadata { | ||
const { auth, ...rest } = delegation; | ||
|
||
return { | ||
...rest, | ||
authorityDelegation: auth ? replaceAuthKeys(auth) : null, | ||
}; | ||
} | ||
|
||
export const MAX_DELEGATION_DEPTH = 5; | ||
|
||
export type AuthConfig = true | { with: { caveats: true; auth: AuthConfig } }; | ||
|
||
export function buildAuthConfig(depth: number): AuthConfig { | ||
if (depth === 0) { | ||
return true; // at the bottom level, 'auth' is just 'true' | ||
} | ||
return { | ||
with: { | ||
caveats: true, | ||
auth: buildAuthConfig(depth - 1), | ||
}, | ||
}; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters