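import { LedgerSigner } from '../records/ledger-signer';
import { Aggregation, InAggregation, RegexMatch } from './aggregation';
import { QueryForRecord } from './filter-query-options';
import { LedgerFilter } from './ledger-filter';
import { LedgerHandle } from './ledger-handle';

/** A circle is addressed by its ledger handle. */
export type CircleRule = LedgerHandle;

/**
 * Circle constraint: a single handle, a `$in` aggregation of handles,
 * or a regex match.
 *
 * NOTE(review): how `RegexMatch` is applied (anchored or not) is not
 * visible from this file; an unanchored pattern such as `admin` could
 * also match a circle named `admin-readonly` — confirm against the
 * matcher before relying on regex circles in a rule.
 */
export type AccessCircle = CircleRule | InAggregation | RegexMatch;

/** Relationship between the signer and a record (or the ledger itself). */
export declare enum AccessRecordOwnership {
  Owner = "owner"
}
/** Every `AccessRecordOwnership` value. */
export declare const AccessRecordOwnerships: AccessRecordOwnership.Owner[];

/**
 * Defines access rule regarding the record signer.
 *
 * Its value is a composition of {@link LedgerSigner} properties
 * (via `QueryForRecord`), narrowed further by the `$circle`,
 * `$record` and `$ledger` constraints below.
 */
export type SignerRule = QueryForRecord & {
  /**
   * Defines constraints for the signer circles
   *
   * @example admin
   * @example
   * {
   *   $in: ['admin', 'owner']
   * }
   */
  $circle?: AccessCircle;
  /**
   * Defines constraints for the relationship
   * between the record and the signer
   *
   * @example owner
   */
  $record?: AccessRecordOwnership;
  /**
   * Defines constraints for the relationship
   * between the ledger and the signer
   *
   * @example owner
   */
  $ledger?: AccessRecordOwnership;
};

/**
 * Record signer access rule.
 *
 * It could be defined as a simple value or an aggregation object
 * with combination of values.
 *
 * @example
 *
 * Record must be signed by signer "owner"
 * {
 *   ...,
 *   "signer": "owner"
 * }
 *
 * @example
 *
 * Record must be signed by signer with public key
 * "MCowBQYDK2VwAyEAgVf5wa9Ciu7LT7peynX9/TxtqUJPWdL91V7CuF6SIJo="
 * {
 *   ...,
 *   "signer": "MCowBQYDK2VwAyEAgVf5wa9Ciu7LT7peynX9/TxtqUJPWdL91V7CuF6SIJo="
 * }
 */
export type AccessSigner = SignerRule;

/**
 * Defines the record class affected by the access rule.
 *
 * `Any` indicates the rule is meant to be applied to every
 * ledger record class, i.e. every other member of this enum.
 * A rule with `record: 'any'` is therefore the broadest possible
 * scope and should be paired with a narrow `action`/`bearer`/`signer`.
 */
export declare enum AccessRecord {
  Anchor = "anchor",
  AnchorProof = "anchor-proof",
  Any = "any",
  Bridge = "bridge",
  BridgeProof = "bridge-proof",
  Circle = "circle",
  CircleProof = "circle-proof",
  CircleSigner = "circle-signer",
  Domain = "domain",
  DomainProof = "domain-proof",
  Effect = "effect",
  EffectProof = "effect-proof",
  Intent = "intent",
  IntentProof = "intent-proof",
  Ledger = "ledger",
  LedgerProof = "ledger-proof",
  Policy = "policy",
  PolicyProof = "policy-proof",
  Report = "report",
  ReportProof = "report-proof",
  Request = "request",
  Schema = "schema",
  SchemaProof = "schema-proof",
  Server = "server",
  Signer = "signer",
  SignerProof = "signer-proof",
  Symbol = "symbol",
  SymbolProof = "symbol-proof",
  Wallet = "wallet",
  WalletProof = "wallet-proof"
}
/** Every `AccessRecord` value. */
export declare const AccessRecords: AccessRecord[];

/** Record constraint: a single record class or an aggregation of them. */
export type RecordMatch = AccessRecord | Aggregation;

/**
 * Defines which action is affected by the access rule.
 *
 * `Any` indicates that both `Create` and `Read` actions
 * will be affected by this rule.
 *
 * NOTE(review): the enum lists more actions than `Create` and `Read`;
 * presumably `Any` now covers all of them — confirm in the evaluator
 * before writing rules that rely on `action: 'any'`.
 */
export declare enum AccessAction {
  Abort = "abort",
  Access = "access",
  Activate = "activate",
  Any = "any",
  AssignSigner = "assign-signer",
  Commit = "commit",
  Create = "create",
  Destroy = "destroy",
  Drop = "drop",
  Issue = "issue",
  Limit = "limit",
  Lookup = "lookup",
  Manage = "manage",
  Query = "query",
  Read = "read",
  RemoveSigner = "remove-signer",
  Spend = "spend",
  Update = "update"
}
/** Every `AccessAction` value. */
export declare const AccessActions: AccessAction[];

/** Action constraint: a single action or an aggregation of them. */
export type ActionMatch = AccessAction | Aggregation;

/**
 * Defines constraints for the Bearer token.
 *
 * Every field is optional; a field that is omitted places no
 * constraint on the corresponding token claim.
 */
export type BearerRule = {
  /**
   * Defines constraints for the token issuer
   *
   * @example company.org
   */
  iss?: string;
  /**
   * Defines constraints for the token subject
   *
   * @example admin
   */
  sub?: string;
  /**
   * Defines constraints for the token audience
   *
   * @example ledger
   */
  aud?: string;
  /**
   * Defines if the request hash is mandatory.
   *
   * When omitted the rule does not require the token to carry a
   * request hash; presumably a token is then not bound to the
   * request body it accompanies — confirm against the token
   * validator if replay of bearer tokens is a concern.
   *
   * @example true
   */
  hsh?: boolean;
  /**
   * Defines the signer required to verify the signature of bearer
   * token
   *
   * @example
   *
   * {
   *   handle: 'owner'
   * }
   */
  $signer?: SignerRule;
};

/**
 * Bearer token access rule.
 *
 * It could be defined as a simple value or an aggregation object
 * with combination of values.
 *
 * @example
 *
 * Token should have request hash (hsh)
 * Token must be signed by signer "owner"
 * {
 *   ...,
 *   "bearer": {
 *     "sub": "owner",
 *     "hsh": true
 *   }
 * }
 *
 * @example
 *
 * Token should have request hash (hsh)
 * Token must be signed by signer with public key
 * "MCowBQYDK2VwAyEAgVf5wa9Ciu7LT7peynX9/TxtqUJPWdL91V7CuF6SIJo="
 * {
 *   ...,
 *   "bearer": {
 *     "sub": "MCowBQYDK2VwAyEAgVf5wa9Ciu7LT7peynX9/TxtqUJPWdL91V7CuF6SIJo=",
 *     "hsh": true
 *   }
 * }
 */
export type AccessBearer = BearerRule;

/**
 * Built-in functions that can be
 * attached to wallet access rules.
 */
export declare enum AccessWalletInvoke {
  CanSpendAllChangedRouteTargets = "wallet.canSpendAllChangedRouteTargets"
}

/**
 * Built-in functions that can be
 * attached to intent rules.
 */
export declare enum AccessIntentInvoke {
  CanReadAnyClaimWallet = "intent.canReadAnyClaimWallet",
  CanReadAnyClaimWalletInThread = "intent.canReadAnyClaimWalletInThread",
  CanSpendEveryClaimWallet = "intent.canSpendEveryClaimWallet",
  CanSpendAnyClaimWallet = "intent.canSpendAnyClaimWallet",
  CanSpendAnyClaimWalletInThread = "intent.canSpendAnyClaimWalletInThread"
}

/** Any built-in function usable in a rule's `invoke`. */
export type AccessInvoke = AccessWalletInvoke | AccessIntentInvoke;
/** Every `AccessWalletInvoke` value. */
export declare const AccessWalletInvokes: AccessWalletInvoke.CanSpendAllChangedRouteTargets[];
/** Every `AccessIntentInvoke` value. */
export declare const AccessIntentInvokes: AccessIntentInvoke[];
/** Every `AccessInvoke` value (wallet and intent functions together). */
export declare const AccessInvokes: (AccessWalletInvoke.CanSpendAllChangedRouteTargets | AccessIntentInvoke)[];

/**
 * Correlates Access records with their invoke alternatives.
 *
 * Keys are `AccessRecord` values; each maps to the built-in
 * functions that may be attached to rules for that record class.
 */
export declare const InvokeRecordAlternatives: {
  wallet: AccessWalletInvoke.CanSpendAllChangedRouteTargets[];
  intent: AccessIntentInvoke[];
  "intent-proof": AccessIntentInvoke[];
};

/**
 * Filter rules to reject some of the access rules.
 *
 * Filter targets the `data` part of the ledger record.
 * It uses dot notation on the left side to target nested
 * record data properties (compatible with `lodash.filter`).
 *
 * @example
 * access[0].filter = {
 *   'schema': 'bank'
 * }
 */
export type AccessFilter = LedgerFilter;

/**
 * Change rules to reject some of the access rules.
 *
 * Change targets the `data` part of the ledger record.
 * It uses dot notation on the left side to target nested
 * record data properties (compatible with `lodash.filter`).
 *
 * @example
 * access[0].change = {
 *   'schema': 'p2p'
 * }
 */
export type AccessChange = LedgerFilter;

/**
 * Represents ledger access control rules. Access control
 * is implemented by constraining access to public keys, ledger signers,
 * and requiring bearer token validations, based on the action and record
 * class.
 *
 * `action` is the only required field; every other constraint is
 * optional and an omitted constraint matches everything. A rule
 * with `record: 'any'` and `action: 'any'` therefore applies to
 * every request and should carry at least a `bearer` or `signer`
 * constraint.
 *
 * @example
 * {
 *   // Only `admin` signer can create symbols
 *   action: 'create',
 *   record: 'symbol',
 *   bearer: {
 *     sub: 'admin',
 *   },
 * }
 *
 * @example
 * {
 *   // Config any record creation can be performed only by root
 *   action: 'create',
 *   record: 'any',
 *   bearer: {
 *     sub: 'root' // Each create request has to contain a bearer token signed by `root`
 *   },
 *   signer: {
 *     public: 'root', // Each create request body has to be signed by signer `root`
 *   }
 * }
 *
 * @example
 * {
 *   // Config any record reading operation can be performed only by root
 *   action: 'read',
 *   record: 'any',
 *   bearer: {
 *     sub: 'root' // Each read request has to contain a bearer token signed by `root`
 *   },
 * }
 */
export type LedgerAccessRule = {
  /**
   * Defines constraints for the record signer
   */
  signer?: AccessSigner;
  /**
   * Defines the record class affected by the access rule
   */
  record?: RecordMatch;
  /**
   * Defines which action is affected by the access rule
   */
  action: ActionMatch;
  /**
   * Defines a built-in function to be executed when
   * asserting access.
   */
  invoke?: AccessInvoke;
  /**
   * Defines constraints for the request bearer token
   */
  bearer?: AccessBearer;
  /**
   * Defines a filter to match the current state of a record.
   * It should be used when updating or reading records
   */
  filter?: AccessFilter;
  /**
   * Defines a filter to match the new state of a record.
   * It should be used when creating or updating records
   */
  change?: AccessChange;
};

/** A rule that delegates to a named policy instead of inlining constraints. */
export type LedgerPolicyRule = {
  /**
   * Attaches a policy to access rule
   */
  policy: LedgerHandle | InAggregation;
};

/** One entry of a ledger's access list: an inline rule or a policy reference. */
export type AccessRule = LedgerAccessRule | LedgerPolicyRule;

/**
 * Represents record access control rules. Access control
 * is implemented by constraining access to public keys
 * or JWT tokens and requiring valid signatures or tokens
 * on each request.
 *
 * NOTE(review): the original declaration was the bare generic
 * `Array` (no element type, which does not compile); the element
 * type is `AccessRule`, which is what the surrounding definitions
 * describe. The meaning of an empty list (deny-all vs. allow-all)
 * is not defined in this file — confirm in the enforcement code.
 */
export type LedgerAccess = AccessRule[];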