Update proto

commonfile/fileproto/file_drpc.pb.go

@@ -1,5 +1,5 @@
 // Code generated by protoc-gen-go-drpc. DO NOT EDIT.
-// protoc-gen-go-drpc version: v0.0.33
+// protoc-gen-go-drpc version: v0.0.32
 // source: commonfile/fileproto/protos/file.proto
 
 package fileproto

commonspace/object/acl/aclrecordproto/protos/aclrecord.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 package aclrecord;
 option go_package = "commonspace/object/acl/aclrecordproto";
 
+// RawAclRecord is a proto message containing the acl payload in bytes, signature of the account who added it and signature of the acceptor
 message RawAclRecord {
     bytes payload = 1;
     bytes signature = 2;
@@ -9,19 +10,21 @@ message RawAclRecord {
     bytes acceptorSignature = 4;
 }
 
+// RawAclRecordWithId is a raw record and the id for convenience
 message RawAclRecordWithId {
     bytes payload = 1;
     string id = 2;
 }
 
+// AclRecord is a record containing the acl data
 message AclRecord {
     string prevId = 1;
     bytes identity = 2;
     bytes data = 3;
-    string readKeyId = 4;
+    int64 timestamp = 4;
-    int64 timestamp = 5;
 }
 
+// AclRoot is a root of access control list
 message AclRoot {
     bytes identity = 1;
     bytes masterKey = 2;
@@ -31,69 +34,83 @@ message AclRoot {
     bytes identitySignature = 6;
 }
 
+// AclAccountInvite contains the public invite key, the private part of which is sent to the user directly
+message AclAccountInvite {
+    bytes inviteKey = 1;
+}
+
+// AclAccountRequestJoin contains the reference to the invite record and the data of the person who wants to join, confirmed by the private invite key
+message AclAccountRequestJoin {
+    bytes inviteIdentity = 1;
+    string inviteRecordId = 2;
+    bytes inviteIdentitySignature = 3;
+}
+
+// AclAccountRequestAccept contains the reference to join record and all read keys, encrypted with the identity of the requestor
+message AclAccountRequestAccept {
+    bytes identity = 1;
+    string requestRecordId = 2;
+    bytes encryptedReadKeys = 3;
+}
+
+// AclAccountInviteRevoke revokes the invite record
+message AclAccountInviteRevoke {
+    string inviteRecordId = 1;
+}
+
+// AclReadKeys are all read keys in Acl
+message AclReadKeys {
+    repeated bytes readKey = 1;
+}
+
+// AclEncryptedReadKeys are all keys for specific identity
+message AclEncryptedReadKeys {
+    bytes identity = 1;
+    bytes encryptedReadKeys = 2;
+}
+
+// AclAccountPermissionChange changes permissions of specific account
+message AclAccountPermissionChange {
+    bytes identity = 1;
+    AclUserPermissions permissions = 2;
+}
+
+// AclReadKeyChange changes the key for a space
+message AclReadKeyChange {
+    repeated AclEncryptedReadKeys accountKeys = 1;
+}
+
+// AclAccountRemove removes an account and changes read key for space
+message AclAccountRemove {
+    bytes identity = 1;
+    repeated AclEncryptedReadKeys accountKeys = 2;
+}
+
+// AclContentValue contains possible values for Acl
 message AclContentValue {
     oneof value {
-        AclUserAdd userAdd = 1;
+        AclAccountInvite invite = 1;
-        AclUserRemove userRemove = 2;
+        AclAccountInviteRevoke inviteRevoke = 2;
-        AclUserPermissionChange userPermissionChange = 3;
+        AclAccountRequestJoin requestJoin = 3;
-        AclUserInvite userInvite = 4;
+        AclAccountRequestAccept requestAccept = 4;
-        AclUserJoin userJoin = 5;
+        AclAccountPermissionChange permissionChange = 5;
+        AclAccountRemove accountRemove = 6;
+        AclReadKeyChange readKeyChange = 7;
     }
 }
 
+// AclData contains different acl content
 message AclData {
     repeated AclContentValue aclContent = 1;
 }
 
-message AclState {
+// AclUserPermissions contains different possible user roles
-    repeated string readKeyIds = 1;
-    repeated AclUserState userStates = 2;
-    map<string, AclUserInvite> invites = 3;
-}
-
-message AclUserState {
-    bytes identity = 1;
-    AclUserPermissions permissions = 2;
-}
-
-message AclUserAdd {
-    bytes identity = 1;
-    repeated bytes encryptedReadKeys = 2;
-    AclUserPermissions permissions = 3;
-}
-
-message AclUserInvite {
-    bytes acceptPublicKey = 1;
-    repeated bytes encryptedReadKeys = 2;
-    AclUserPermissions permissions = 3;
-}
-
-message AclUserJoin {
-    bytes identity = 1;
-    bytes acceptSignature = 2;
-    bytes acceptPubKey = 3;
-    repeated bytes encryptedReadKeys = 4;
-}
-
-message AclUserRemove {
-    bytes identity = 1;
-    repeated AclReadKeyReplace readKeyReplaces = 2;
-}
-
-message AclReadKeyReplace {
-    bytes identity = 1;
-    bytes encryptedReadKey = 2;
-}
-
-message AclUserPermissionChange {
-    bytes identity = 1;
-    AclUserPermissions permissions = 2;
-}
-
 enum AclUserPermissions {
-    Admin = 0;
+    None = 0;
-    Writer = 1;
+    Owner = 1;
-    Reader = 2;
+    Admin = 2;
+    Writer = 3;
+    Reader = 4;
 }
 
 message AclSyncMessage {

commonspace/object/acl/list/aclstate.go

@@ -3,6 +3,7 @@ package list
 import (
 	"errors"
 	"fmt"
+
 	"github.com/anyproto/any-sync/app/logger"
 	"github.com/anyproto/any-sync/commonspace/object/acl/aclrecordproto"
 	"github.com/anyproto/any-sync/util/crypto"
@@ -23,6 +24,7 @@ var (
 	ErrOldInvite               = errors.New("invite is too old")
 	ErrInsufficientPermissions = errors.New("insufficient permissions")
 	ErrNoReadKey               = errors.New("acl state doesn't have a read key")
+	ErrNoInvite                = errors.New("can't delete invite record")
 	ErrInvalidSignature        = errors.New("signature is invalid")
 	ErrIncorrectRoot           = errors.New("incorrect root")
 	ErrIncorrectRecordSequence = errors.New("incorrect prev id of a record")
@@ -39,6 +41,7 @@ type AclState struct {
 	userReadKeys     map[string]crypto.SymKey
 	userStates       map[string]AclUserState
 	statesAtRecord   map[string][]AclUserState
+	inviteKeys       map[string]crypto.PubKey
 	key              crypto.PrivKey
 	pubKey           crypto.PubKey
 	keyStore         crypto.KeyStorage
@@ -110,17 +113,18 @@ func (st *AclState) applyRecord(record *AclRecord) (err error) {
 		err = ErrIncorrectRecordSequence
 		return
 	}
+	// if the record is root record
 	if record.Id == st.id {
 		err = st.applyRoot(record)
 		if err != nil {
 			return
 		}
 		st.statesAtRecord[record.Id] = []AclUserState{
-			{PubKey: record.Identity, Permissions: aclrecordproto.AclUserPermissions_Admin},
+			st.userStates[mapKeyFromPubKey(record.Identity)],
 		}
 		return
 	}
-
+	// if the model is not cached
 	if record.Model == nil {
 		aclData := &aclrecordproto.AclData{}
 		err = proto.Unmarshal(record.Data, aclData)
@@ -129,18 +133,16 @@ func (st *AclState) applyRecord(record *AclRecord) (err error) {
 		}
 		record.Model = aclData
 	}
-
+	// applying records contents
 	err = st.applyChangeData(record)
 	if err != nil {
 		return
 	}
-
+	// getting all states for users at record and saving them
-	// getting all states for users at record
 	var states []AclUserState
 	for _, state := range st.userStates {
 		states = append(states, state)
 	}
-
 	st.statesAtRecord[record.Id] = states
 	return
 }
@@ -156,7 +158,7 @@ func (st *AclState) applyRoot(record *AclRecord) (err error) {
 	// adding user to the list
 	userState := AclUserState{
 		PubKey:      record.Identity,
-		Permissions: aclrecordproto.AclUserPermissions_Admin,
+		Permissions: AclPermissions(aclrecordproto.AclUserPermissions_Admin),
 	}
 	st.currentReadKeyId = record.ReadKeyId
 	st.userStates[mapKeyFromPubKey(record.Identity)] = userState
@@ -181,54 +183,35 @@ func (st *AclState) saveReadKeyFromRoot(record *AclRecord) (err error) {
 			return
 		}
 	}
-
 	st.userReadKeys[record.Id] = readKey
 	return
 }
 
 func (st *AclState) applyChangeData(record *AclRecord) (err error) {
-	defer func() {
-		if err != nil {
-			return
-		}
-		if record.ReadKeyId != st.currentReadKeyId {
-			st.totalReadKeys++
-			st.currentReadKeyId = record.ReadKeyId
-		}
-	}()
 	model := record.Model.(*aclrecordproto.AclData)
-	if !st.isUserJoin(model) {
+	if !st.isUserJoin(model) && !st.Permissions(record.Identity).CanManageAccounts() {
-		// we check signature when we add this to the List, so no need to do it here
+		return ErrInsufficientPermissions
-		if _, exists := st.userStates[mapKeyFromPubKey(record.Identity)]; !exists {
-			err = ErrNoSuchUser
-			return
 	}
-
-		// only Admins can do non-user join changes
-		if !st.HasPermission(record.Identity, aclrecordproto.AclUserPermissions_Admin) {
-			// TODO: add string encoding
-			err = fmt.Errorf("user %s must have admin permissions", record.Identity.Account())
-			return
-		}
-	}
-
 	for _, ch := range model.GetAclContent() {
 		if err = st.applyChangeContent(ch, record.Id); err != nil {
 			log.Info("error while applying changes: %v; ignore", zap.Error(err))
 			return err
 		}
 	}
-
+	if record.ReadKeyId != st.currentReadKeyId {
+		st.totalReadKeys++
+		st.currentReadKeyId = record.ReadKeyId
+	}
 	return nil
 }
 
 func (st *AclState) applyChangeContent(ch *aclrecordproto.AclContentValue, recordId string) error {
 	switch {
-	case ch.GetUserPermissionChange() != nil:
+	case ch.GetPermissionChange() != nil:
-		return st.applyUserPermissionChange(ch.GetUserPermissionChange(), recordId)
+		return st.applyPermissionChange(ch.GetPermissionChange(), recordId)
-	case ch.GetUserAdd() != nil:
+	case ch.GetInvite() != nil:
-		return st.applyUserAdd(ch.GetUserAdd(), recordId)
+		return st.applyInvite(ch.GetInvite(), recordId)
-	case ch.GetUserRemove() != nil:
+	case ch.GetInviteRevoke() != nil:
 		return st.applyUserRemove(ch.GetUserRemove(), recordId)
 	case ch.GetUserInvite() != nil:
 		return st.applyUserInvite(ch.GetUserInvite(), recordId)
@@ -239,7 +222,7 @@ func (st *AclState) applyChangeContent(ch *aclrecordproto.AclContentValue, recor
 	}
 }
 
-func (st *AclState) applyUserPermissionChange(ch *aclrecordproto.AclUserPermissionChange, recordId string) error {
+func (st *AclState) applyPermissionChange(ch *aclrecordproto.AclAccountPermissionChange, recordId string) error {
 	chIdentity, err := st.keyStore.PubKeyFromProto(ch.Identity)
 	if err != nil {
 		return err
@@ -248,13 +231,22 @@ func (st *AclState) applyUserPermissionChange(ch *aclrecordproto.AclUserPermissi
 	if !exists {
 		return ErrNoSuchUser
 	}
-
+	state.Permissions = AclPermissions(ch.Permissions)
-	state.Permissions = ch.Permissions
 	return nil
 }
 
-func (st *AclState) applyUserInvite(ch *aclrecordproto.AclUserInvite, recordId string) error {
+func (st *AclState) applyInvite(ch *aclrecordproto.AclAccountInvite, recordId string) error {
-	// TODO: check old code and bring it back :-)
+	inviteKey, err := st.keyStore.PubKeyFromProto(ch.InviteKey)
+	if err != nil {
+		return err
+	}
+	st.inviteKeys[recordId] = inviteKey
+	return nil
+}
+
+func (st *AclState) applyInviteRevoke(ch *aclrecordproto.AclAccountInviteRevoke, recordId string) error {
+
+	delete(st.inviteKeys, ch.InviteRecordId)
 	return nil
 }
 
@@ -283,13 +275,12 @@ func (st *AclState) decryptReadKey(msg []byte) (crypto.SymKey, error) {
 	return key, nil
 }
 
-func (st *AclState) HasPermission(identity crypto.PubKey, permission aclrecordproto.AclUserPermissions) bool {
+func (st *AclState) Permissions(identity crypto.PubKey) AclPermissions {
 	state, exists := st.userStates[mapKeyFromPubKey(identity)]
 	if !exists {
-		return false
+		return AclPermissions(aclrecordproto.AclUserPermissions_None)
 	}
-
+	return state.Permissions
-	return state.Permissions == permission
 }
 
 func (st *AclState) isUserJoin(data *aclrecordproto.AclData) bool {
@@ -297,10 +288,6 @@ func (st *AclState) isUserJoin(data *aclrecordproto.AclData) bool {
 	return data.GetAclContent() != nil && data.GetAclContent()[0].GetUserJoin() != nil
 }
 
-func (st *AclState) isUserAdd(data *aclrecordproto.AclData, identity []byte) bool {
-	return false
-}
-
 func (st *AclState) UserStates() map[string]AclUserState {
 	return st.userStates
 }

commonspace/object/acl/list/models.go

@@ -18,5 +18,31 @@ type AclRecord struct {
 
 type AclUserState struct {
 	PubKey      crypto.PubKey
-	Permissions aclrecordproto.AclUserPermissions
+	Permissions AclPermissions
+}
+
+type AclPermissions aclrecordproto.AclUserPermissions
+
+func (p AclPermissions) CanWrite() bool {
+	switch aclrecordproto.AclUserPermissions(p) {
+	case aclrecordproto.AclUserPermissions_Admin:
+		return true
+	case aclrecordproto.AclUserPermissions_Writer:
+		return true
+	case aclrecordproto.AclUserPermissions_Owner:
+		return true
+	default:
+		return false
+	}
+}
+
+func (p AclPermissions) CanManageAccounts() bool {
+	switch aclrecordproto.AclUserPermissions(p) {
+	case aclrecordproto.AclUserPermissions_Admin:
+		return true
+	case aclrecordproto.AclUserPermissions_Owner:
+		return true
+	default:
+		return false
+	}
 }

commonspace/object/acl/list/validator.go

@@ -0,0 +1,5 @@
+package list
+
+type Validator interface {
+	Validate()
+}

commonspace/object/tree/objecttree/objecttree.go

@@ -4,11 +4,11 @@ package objecttree
 import (
 	"context"
 	"errors"
-	"github.com/anyproto/any-sync/util/crypto"
 	"sync"
 	"time"
 
-	"github.com/anyproto/any-sync/commonspace/object/acl/aclrecordproto"
+	"github.com/anyproto/any-sync/util/crypto"
+
 	"github.com/anyproto/any-sync/commonspace/object/acl/list"
 	"github.com/anyproto/any-sync/commonspace/object/tree/treechangeproto"
 	"github.com/anyproto/any-sync/commonspace/object/tree/treestorage"
@@ -248,9 +248,7 @@ func (ot *objectTree) prepareBuilderContent(content SignableChangeContent) (cnt
 		pubKey    = content.Key.GetPublic()
 		readKeyId string
 	)
-	canWrite := state.HasPermission(pubKey, aclrecordproto.AclUserPermissions_Writer) ||
+	if !state.Permissions(pubKey).CanWrite() {
-		state.HasPermission(pubKey, aclrecordproto.AclUserPermissions_Admin)
-	if !canWrite {
 		err = list.ErrInsufficientPermissions
 		return
 	}

commonspace/object/tree/objecttree/objecttreevalidator.go

@@ -3,7 +3,7 @@ package objecttree
 import (
 	"context"
 	"fmt"
-	"github.com/anyproto/any-sync/commonspace/object/acl/aclrecordproto"
+
 	"github.com/anyproto/any-sync/commonspace/object/acl/list"
 	"github.com/anyproto/any-sync/commonspace/object/tree/treestorage"
 	"github.com/anyproto/any-sync/util/slice"
@@ -52,20 +52,18 @@ func (v *objectTreeValidator) ValidateNewChanges(tree *Tree, aclList list.AclLis
 
 func (v *objectTreeValidator) validateChange(tree *Tree, aclList list.AclList, c *Change) (err error) {
 	var (
-		perm  list.AclUserState
+		userState list.AclUserState
 		state     = aclList.AclState()
 	)
 	// checking if the user could write
-	perm, err = state.StateAtRecord(c.AclHeadId, c.Identity)
+	userState, err = state.StateAtRecord(c.AclHeadId, c.Identity)
 	if err != nil {
 		return
 	}
-
+	if !userState.Permissions.CanWrite() {
-	if perm.Permissions != aclrecordproto.AclUserPermissions_Writer && perm.Permissions != aclrecordproto.AclUserPermissions_Admin {
 		err = list.ErrInsufficientPermissions
 		return
 	}
-
 	if c.Id == tree.RootId() {
 		return
 	}

commonspace/spacesyncproto/spacesync_drpc.pb.go

@@ -1,5 +1,5 @@
 // Code generated by protoc-gen-go-drpc. DO NOT EDIT.
-// protoc-gen-go-drpc version: v0.0.33
+// protoc-gen-go-drpc version: v0.0.32
 // source: commonspace/spacesyncproto/protos/spacesync.proto
 
 package spacesyncproto
@@ -103,10 +103,6 @@ type drpcSpaceSync_ObjectSyncStreamClient struct {
 	drpc.Stream
 }
 
-func (x *drpcSpaceSync_ObjectSyncStreamClient) GetStream() drpc.Stream {
-	return x.Stream
-}
-
 func (x *drpcSpaceSync_ObjectSyncStreamClient) Send(m *ObjectSyncMessage) error {
 	return x.MsgSend(m, drpcEncoding_File_commonspace_spacesyncproto_protos_spacesync_proto{})
 }

coordinator/coordinatorproto/coordinator_drpc.pb.go

@@ -1,5 +1,5 @@
 // Code generated by protoc-gen-go-drpc. DO NOT EDIT.
-// protoc-gen-go-drpc version: v0.0.33
+// protoc-gen-go-drpc version: v0.0.32
 // source: coordinator/coordinatorproto/protos/coordinator.proto
 
 package coordinatorproto

net/peer/peer.go

@@ -3,6 +3,11 @@ package peer
 
 import (
 	"context"
+	"io"
+	"net"
+	"sync"
+	"time"
+
 	"github.com/anyproto/any-sync/app/logger"
 	"github.com/anyproto/any-sync/app/ocache"
 	"github.com/anyproto/any-sync/net/connutil"
@@ -11,15 +16,11 @@ import (
 	"github.com/anyproto/any-sync/net/secureservice/handshake/handshakeproto"
 	"github.com/anyproto/any-sync/net/transport"
 	"go.uber.org/zap"
-	"io"
-	"net"
 	"storj.io/drpc"
 	"storj.io/drpc/drpcconn"
 	"storj.io/drpc/drpcmanager"
 	"storj.io/drpc/drpcstream"
 	"storj.io/drpc/drpcwire"
-	"sync"
-	"time"
 )
 
 var log = logger.NewNamed("common.net.peer")
@@ -200,6 +201,11 @@ func (p *peer) TryClose(objectTTL time.Duration) (res bool, err error) {
 	return false, nil
 }
 
+// 70 stream -> 1 subconn
+// 62 request -> 1 subconn
+// 2600 subconn (2400 non active -> 5 min)
+
+// 2 5min connect
 func (p *peer) gc(ttl time.Duration) (aliveCount int) {
 	p.mu.Lock()
 	defer p.mu.Unlock()

net/streampool/testservice/testservice_drpc.pb.go

@@ -1,5 +1,5 @@
 // Code generated by protoc-gen-go-drpc. DO NOT EDIT.
-// protoc-gen-go-drpc version: v0.0.33
+// protoc-gen-go-drpc version: v0.0.32
 // source: net/streampool/testservice/protos/testservice.proto
 
 package testservice
@@ -72,10 +72,6 @@ type drpcTest_TestStreamClient struct {
 	drpc.Stream
 }
 
-func (x *drpcTest_TestStreamClient) GetStream() drpc.Stream {
-	return x.Stream
-}
-
 func (x *drpcTest_TestStreamClient) Send(m *StreamMessage) error {
 	return x.MsgSend(m, drpcEncoding_File_net_streampool_testservice_protos_testservice_proto{})
 }