2023-10-17 22:14:08 +07:00
|
|
|
/**
|
2023-04-03 21:52:40 +04:00
|
|
|
* Copyright 2023 Fluence Labs Limited
|
|
|
|
|
*
|
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
|
*
|
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
*
|
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
|
* limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
2023-10-17 22:14:08 +07:00
|
|
|
import { SecurityTetraplet } from "@fluencelabs/avm";
|
|
|
|
|
import { CallParams, PeerIdB58 } from "@fluencelabs/interfaces";
|
2022-11-03 21:22:10 +03:00
|
|
|
|
|
|
|
|
type ArgName = string | null;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* A predicate of call params for sig service's sign method which determines whether signing operation is allowed or not
|
|
|
|
|
*/
|
2023-10-17 22:14:08 +07:00
|
|
|
export type SecurityGuard<T extends ArgName> = (
|
|
|
|
|
params: CallParams<T>,
|
|
|
|
|
) => boolean;
|
2022-11-03 21:22:10 +03:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Only allow calls when tetraplet for 'data' argument satisfies the predicate
|
|
|
|
|
*/
|
|
|
|
|
export const allowTetraplet = <T extends ArgName>(
|
2023-10-17 22:14:08 +07:00
|
|
|
pred: (tetraplet: SecurityTetraplet) => boolean,
|
2022-11-03 21:22:10 +03:00
|
|
|
): SecurityGuard<T> => {
|
2023-10-17 22:14:08 +07:00
|
|
|
return (params) => {
|
|
|
|
|
const t = params.tetraplets["data"][0];
|
|
|
|
|
return pred(t);
|
|
|
|
|
};
|
2022-11-03 21:22:10 +03:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Only allow data which comes from the specified serviceId and fnName
|
|
|
|
|
*/
|
2023-10-17 22:14:08 +07:00
|
|
|
export const allowServiceFn = <T extends ArgName>(
|
|
|
|
|
serviceId: string,
|
|
|
|
|
fnName: string,
|
|
|
|
|
): SecurityGuard<T> => {
|
|
|
|
|
return allowTetraplet((t) => {
|
|
|
|
|
return t.service_id === serviceId && t.function_name === fnName;
|
|
|
|
|
});
|
2022-11-03 21:22:10 +03:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Only allow data originated from the specified json_path
|
|
|
|
|
*/
|
2023-10-17 22:14:08 +07:00
|
|
|
export const allowExactJsonPath = <T extends ArgName>(
|
|
|
|
|
jsonPath: string,
|
|
|
|
|
): SecurityGuard<T> => {
|
|
|
|
|
return allowTetraplet((t) => {
|
|
|
|
|
return t.json_path === jsonPath;
|
|
|
|
|
});
|
2022-11-03 21:22:10 +03:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Only allow signing when particle is initiated at the specified peer
|
|
|
|
|
*/
|
2023-10-17 22:14:08 +07:00
|
|
|
export const allowOnlyParticleOriginatedAt = <T extends ArgName>(
|
|
|
|
|
peerId: PeerIdB58,
|
|
|
|
|
): SecurityGuard<T> => {
|
|
|
|
|
return (params) => {
|
|
|
|
|
return params.initPeerId === peerId;
|
|
|
|
|
};
|
2022-11-03 21:22:10 +03:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Only allow signing when all of the predicates are satisfied.
|
|
|
|
|
* Useful for predicates reuse
|
|
|
|
|
*/
|
2023-10-17 22:14:08 +07:00
|
|
|
export const and = <T extends ArgName>(
|
|
|
|
|
...predicates: SecurityGuard<T>[]
|
|
|
|
|
): SecurityGuard<T> => {
|
|
|
|
|
return (params) => {
|
|
|
|
|
return predicates.every((x) => {
|
|
|
|
|
return x(params);
|
|
|
|
|
});
|
|
|
|
|
};
|
2022-11-03 21:22:10 +03:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Only allow signing when any of the predicates are satisfied.
|
|
|
|
|
* Useful for predicates reuse
|
|
|
|
|
*/
|
2023-10-17 22:14:08 +07:00
|
|
|
export const or = <T extends ArgName>(
|
|
|
|
|
...predicates: SecurityGuard<T>[]
|
|
|
|
|
): SecurityGuard<T> => {
|
|
|
|
|
return (params) => {
|
|
|
|
|
return predicates.some((x) => {
|
|
|
|
|
return x(params);
|
|
|
|
|
});
|
|
|
|
|
};
|
2022-11-03 21:22:10 +03:00
|
|
|
};
|
