WIP - #305

Author: tegefaulkes

src/PolykeyAgent.ts

@@ -327,7 +327,6 @@ class PolykeyAgent {
           vaultsPath,
           keyManager,
           nodeConnectionManager,
-          nodeManager,
           notificationsManager,
           gestaltGraph,
           acl,

src/acl/types.ts

@@ -8,7 +8,7 @@ type PermissionIdString = Opaque<'PermissionIdString', string>;
 
 type Permission = {
   gestalt: GestaltActions;
-  vaults: Record<VaultId | string, VaultActions>; // FIXME: the string union on VaultId is to prevent some false errors.
+  vaults: Record<VaultId, VaultActions>;
 };
 
 type GestaltActions = Partial<Record<GestaltAction, null>>;

src/agent/service/vaultsGitInfoGet.ts

@@ -1,19 +1,23 @@
 import type { VaultName } from '../../vaults/types';
 import type { VaultManager } from '../../vaults';
 import type { ACL } from '../../acl';
+import type { ConnectionInfoGetter } from '../../agent/types';
 import * as grpc from '@grpc/grpc-js';
-import { utils as idUtils } from '@matrixai/id';
 import { utils as grpcUtils } from '../../grpc';
 import { utils as vaultsUtils, errors as vaultsErrors } from '../../vaults';
 import * as vaultsPB from '../../proto/js/polykey/v1/vaults/vaults_pb';
 import * as validationUtils from '../../validation/utils';
+import * as nodesUtils from '../../nodes/utils';
+import { never } from '../../utils/utils';
 
 function vaultsGitInfoGet({
   vaultManager,
   acl,
+  connectionInfoGetter,
 }: {
   vaultManager: VaultManager;
   acl: ACL;
+  connectionInfoGetter: ConnectionInfoGetter;
 }) {
   return async (
     call: grpc.ServerWritableStream<vaultsPB.InfoRequest, vaultsPB.PackChunk>,
@@ -25,42 +29,46 @@ function vaultsGitInfoGet({
       await genWritable.throw({ code: grpc.status.NOT_FOUND });
       return;
     }
-    const nodeMessage = request.getNode();
-    if (nodeMessage == null) {
-      await genWritable.throw({ code: grpc.status.NOT_FOUND });
-      return;
-    }
     let vaultName;
     const vaultNameOrId = vaultMessage.getNameOrId();
     let vaultId = await vaultManager.getVaultId(vaultNameOrId as VaultName);
     vaultName = vaultNameOrId;
     if (!vaultId) {
       try {
         vaultId = validationUtils.parseVaultId(vaultNameOrId);
-        vaultName = (await vaultManager.getVaultMeta(vaultId)).name;
+        vaultName = (await vaultManager.getVaultMeta(vaultId))?.vaultName;
       } catch (err) {
         await genWritable.throw(new vaultsErrors.ErrorVaultsVaultUndefined());
         return;
       }
     }
-    const nodeId = validationUtils.parseNodeId(nodeMessage.getNodeId());
-    const actionType = request.getAction();
-    const perms = await acl.getNodePerm(nodeId);
-    if (!perms) {
-      await genWritable.throw(new vaultsErrors.ErrorVaultsPermissionDenied());
+    // Getting the NodeId from the ReverseProxy connection info
+    const connectionInfo = connectionInfoGetter(call.getPeer());
+    // If this is getting run the connection exists
+    // It SHOULD exist here
+    if (connectionInfo == null) never();
+    const nodeId = connectionInfo.nodeId;
+    const nodeIdEncoded = nodesUtils.encodeNodeId(nodeId);
+    const actionType = validationUtils.parseVaultAction(request.getAction());
+    const permissions = await acl.getNodePerm(nodeId);
+    if (permissions == null) {
+      await genWritable.throw(
+        new vaultsErrors.ErrorVaultsPermissionDenied(
+          `No permissions found for ${nodeIdEncoded}`,
+        ),
+      );
       return;
     }
-    const vaultPerms = perms.vaults[idUtils.toString(vaultId)];
-    try {
-      if (vaultPerms[actionType] !== null) {
-        await genWritable.throw(new vaultsErrors.ErrorVaultsPermissionDenied());
-        return;
-      }
-    } catch (err) {
-      if (err instanceof TypeError) {
-        await genWritable.throw(new vaultsErrors.ErrorVaultsPermissionDenied());
-        return;
-      }
+    const vaultPerms = permissions.vaults[vaultId];
+    if (vaultPerms[actionType] !== null) {
+      await genWritable.throw(
+        new vaultsErrors.ErrorVaultsPermissionDenied(
+          `${nodeIdEncoded} does not have permission to ${actionType} from vault ${vaultsUtils.encodeVaultId(
+            vaultId,
+          )}`,
+        ),
+      );
+      return;
     }
     const meta = new grpc.Metadata();
     meta.set('vaultName', vaultName);

src/agent/service/vaultsGitPackGet.ts

@@ -1,11 +1,24 @@
 import type * as grpc from '@grpc/grpc-js';
 import type { VaultName } from '../../vaults/types';
 import type { VaultManager } from '../../vaults';
+import type { ConnectionInfoGetter } from '../../agent/types';
+import type ACL from '../../acl/ACL';
+import { never } from '../../utils/utils';
+import * as nodesUtils from '../../nodes/utils';
 import { errors as grpcErrors, utils as grpcUtils } from '../../grpc';
 import { utils as vaultsUtils, errors as vaultsErrors } from '../../vaults';
 import * as vaultsPB from '../../proto/js/polykey/v1/vaults/vaults_pb';
+import * as validationUtils from '../../validation/utils';
 
-function vaultsGitPackGet({ vaultManager }: { vaultManager: VaultManager }) {
+function vaultsGitPackGet({
+  vaultManager,
+  acl,
+  connectionInfoGetter,
+}: {
+  vaultManager: VaultManager;
+  acl: ACL;
+  connectionInfoGetter: ConnectionInfoGetter;
+}) {
   return async (
     call: grpc.ServerDuplexStream<vaultsPB.PackChunk, vaultsPB.PackChunk>,
   ) => {
@@ -15,14 +28,43 @@ function vaultsGitPackGet({ vaultManager }: { vaultManager: VaultManager }) {
     clientBodyBuffers.push(clientRequest!.getChunk_asU8());
     const body = Buffer.concat(clientBodyBuffers);
     const meta = call.metadata;
+    // Getting the NodeId from the ReverseProxy connection info
+    const connectionInfo = connectionInfoGetter(call.getPeer());
+    // If this is getting run the connection exists
+    // It SHOULD exist here
+    if (connectionInfo == null) never();
+    const nodeId = connectionInfo.nodeId;
+    const nodeIdEncoded = nodesUtils.encodeNodeId(nodeId);
+    // Getting vaultId
     const vaultNameOrId = meta.get('vaultNameOrId').pop()!.toString();
     if (vaultNameOrId == null) {
       throw new grpcErrors.ErrorGRPC('vault-name not in metadata');
     }
     let vaultId = await vaultManager.getVaultId(vaultNameOrId as VaultName);
     vaultId = vaultId ?? vaultsUtils.decodeVaultId(vaultNameOrId);
     if (vaultId == null) {
-      await genDuplex.throw(new vaultsErrors.ErrorVaultsVaultUndefined());
+      await genDuplex.throw(
+        // Throwing permission error to hide information about vaults existence
+        new vaultsErrors.ErrorVaultsPermissionDenied(
+          `No permissions found for ${nodeIdEncoded}`,
+        ),
+      );
+      return;
+    }
+    // Checking permissions
+    const permissions = await acl.getNodePerm(nodeId);
+    const vaultPerms = permissions?.vaults[vaultId];
+    const actionType = validationUtils.parseVaultAction(
+      meta.get('vaultAction').pop(),
+    );
+    if (vaultPerms?.[actionType] !== null) {
+      await genDuplex.throw(
+        new vaultsErrors.ErrorVaultsPermissionDenied(
+          `${nodeIdEncoded} does not have permission to ${actionType} from vault ${vaultsUtils.encodeVaultId(
+            vaultId,
+          )}`,
+        ),
+      );
       return;
     }
     const response = new vaultsPB.PackChunk();

src/agent/service/vaultsScan.ts

@@ -2,7 +2,7 @@ import type * as grpc from '@grpc/grpc-js';
 import type { GestaltGraph } from '../../gestalts';
 import type { VaultManager } from '../../vaults';
 import type * as nodesPB from '../../proto/js/polykey/v1/nodes/nodes_pb';
-import * as validationUtils from '@/validation/utils';
+import * as validationUtils from '../../validation/utils';
 import * as vaultsPB from '../../proto/js/polykey/v1/vaults/vaults_pb';
 import { utils as vaultsUtils, errors as vaultsErrors } from '../../vaults';
 import { utils as grpcUtils } from '../../grpc';

src/bootstrap/utils.ts

@@ -177,7 +177,6 @@ async function bootstrapState({
       keyManager,
       nodeConnectionManager,
       vaultsPath,
-      nodeManager,
       notificationsManager,
       logger: logger.getChild(VaultManager.name),
       fresh,

src/client/service/vaultsClone.ts

@@ -37,7 +37,7 @@ function vaultsClone({
       // Vault id
       let vaultId;
       const vaultNameOrId = vaultMessage.getNameOrId();
-      vaultId = vaultManager.getVaultId(vaultNameOrId)
+      vaultId = vaultManager.getVaultId(vaultNameOrId);
       vaultId = vaultId ?? vaultsUtils.decodeVaultId(vaultNameOrId);
       if (vaultId == null) throw new vaultsErrors.ErrorVaultsVaultUndefined();
       // Node id

src/client/service/vaultsShare.ts

@@ -4,7 +4,7 @@ import type { VaultId, VaultName } from '../../vaults/types';
 import type * as vaultsPB from '../../proto/js/polykey/v1/vaults/vaults_pb';
 import * as grpc from '@grpc/grpc-js';
 import { utils as idUtils } from '@matrixai/id';
-import * as validationUtils from '@/validation/utils';
+import * as validationUtils from '../../validation/utils';
 import { errors as vaultsErrors } from '../../vaults';
 import { utils as grpcUtils } from '../../grpc';
 import * as utilsPB from '../../proto/js/polykey/v1/utils/utils_pb';

src/proto/js/polykey/v1/vaults/vaults_pb.d.ts

@@ -409,11 +409,6 @@ export class InfoRequest extends jspb.Message {
     clearVault(): void;
     getVault(): Vault | undefined;
     setVault(value?: Vault): InfoRequest;
-
-    hasNode(): boolean;
-    clearNode(): void;
-    getNode(): polykey_v1_nodes_nodes_pb.Node | undefined;
-    setNode(value?: polykey_v1_nodes_nodes_pb.Node): InfoRequest;
     getAction(): string;
     setAction(value: string): InfoRequest;
 
@@ -430,7 +425,6 @@ export class InfoRequest extends jspb.Message {
 export namespace InfoRequest {
     export type AsObject = {
         vault?: Vault.AsObject,
-        node?: polykey_v1_nodes_nodes_pb.Node.AsObject,
         action: string,
     }
 }

src/proto/js/polykey/v1/vaults/vaults_pb.js

@@ -3264,7 +3264,6 @@ proto.polykey.v1.vaults.InfoRequest.prototype.toObject = function(opt_includeIns
 proto.polykey.v1.vaults.InfoRequest.toObject = function(includeInstance, msg) {
   var f, obj = {
     vault: (f = msg.getVault()) && proto.polykey.v1.vaults.Vault.toObject(includeInstance, f),
-    node: (f = msg.getNode()) && polykey_v1_nodes_nodes_pb.Node.toObject(includeInstance, f),
     action: jspb.Message.getFieldWithDefault(msg, 3, "")
   };
 
@@ -3307,11 +3306,6 @@ proto.polykey.v1.vaults.InfoRequest.deserializeBinaryFromReader = function(msg,
       reader.readMessage(value,proto.polykey.v1.vaults.Vault.deserializeBinaryFromReader);
       msg.setVault(value);
       break;
-    case 2:
-      var value = new polykey_v1_nodes_nodes_pb.Node;
-      reader.readMessage(value,polykey_v1_nodes_nodes_pb.Node.deserializeBinaryFromReader);
-      msg.setNode(value);
-      break;
     case 3:
       var value = /** @type {string} */ (reader.readString());
       msg.setAction(value);
@@ -3353,14 +3347,6 @@ proto.polykey.v1.vaults.InfoRequest.serializeBinaryToWriter = function(message,
       proto.polykey.v1.vaults.Vault.serializeBinaryToWriter
     );
   }
-  f = message.getNode();
-  if (f != null) {
-    writer.writeMessage(
-      2,
-      f,
-      polykey_v1_nodes_nodes_pb.Node.serializeBinaryToWriter
-    );
-  }
   f = message.getAction();
   if (f.length > 0) {
     writer.writeString(
@@ -3408,43 +3394,6 @@ proto.polykey.v1.vaults.InfoRequest.prototype.hasVault = function() {
 };
 
 
-/**
- * optional polykey.v1.nodes.Node node = 2;
- * @return {?proto.polykey.v1.nodes.Node}
- */
-proto.polykey.v1.vaults.InfoRequest.prototype.getNode = function() {
-  return /** @type{?proto.polykey.v1.nodes.Node} */ (
-    jspb.Message.getWrapperField(this, polykey_v1_nodes_nodes_pb.Node, 2));
-};
-
-
-/**
- * @param {?proto.polykey.v1.nodes.Node|undefined} value
- * @return {!proto.polykey.v1.vaults.InfoRequest} returns this
-*/
-proto.polykey.v1.vaults.InfoRequest.prototype.setNode = function(value) {
-  return jspb.Message.setWrapperField(this, 2, value);
-};
-
-
-/**
- * Clears the message field making it undefined.
- * @return {!proto.polykey.v1.vaults.InfoRequest} returns this
- */
-proto.polykey.v1.vaults.InfoRequest.prototype.clearNode = function() {
-  return this.setNode(undefined);
-};
-
-
-/**
- * Returns whether this field is set.
- * @return {boolean}
- */
-proto.polykey.v1.vaults.InfoRequest.prototype.hasNode = function() {
-  return jspb.Message.getField(this, 2) != null;
-};
-
-
 /**
  * optional string action = 3;
  * @return {string}

src/proto/schemas/polykey/v1/vaults/vaults.proto

@@ -89,7 +89,6 @@ message LogEntry {
 // Agent specific.
 message InfoRequest {
   Vault vault = 1;
-  polykey.v1.nodes.Node node = 2;
   string action = 3;
 }
 

src/sigchain/Sigchain.ts

@@ -440,7 +440,7 @@ class Sigchain {
 
   @ready(new sigchainErrors.ErrorSigchainNotRunning())
   public async clearDB() {
-    this.sigchainDb.clear();
+    await this.sigchainDb.clear();
 
     await this._transaction(async () => {
       await this.db.put(