syntax = "proto3";
package aclrecord;
option go_package = "pkg/acl/aclrecordproto";

message RawACLRecord {
  bytes payload = 1;
  bytes signature = 2;
}

message RawACLRecordWithId {
  bytes payload = 1;
  string id = 2;
}

message ACLRecord {
  string prevId = 1;
  bytes identity = 2;
  bytes data = 3;
  uint64 currentReadKeyHash = 4;
  int64 timestamp = 5;
}

message ACLRoot {
  bytes identity = 1;
  bytes encryptionKey = 2;
  string spaceId = 3;
  bytes encryptedReadKey = 4;
  string derivationScheme = 5;
  uint64 currentReadKeyHash = 6;
  int64 timestamp = 7;
}

message ACLContentValue {
  oneof value {
    ACLUserAdd userAdd = 1;
    ACLUserRemove userRemove = 2;
    ACLUserPermissionChange userPermissionChange = 3;
    ACLUserInvite userInvite = 4;
    ACLUserJoin userJoin = 5;
  }
}

message ACLData {
  repeated ACLContentValue aclContent = 1;
}

message ACLState {
  repeated uint64 readKeyHashes = 1;
  repeated ACLUserState userStates = 2;
  map<string, ACLUserInvite> invites = 3;
}

message ACLUserState {
  bytes identity = 1;
  bytes encryptionKey = 2;
  ACLUserPermissions permissions = 3;
}

message ACLUserAdd {
  bytes identity = 1;
  bytes encryptionKey = 2;
  repeated bytes encryptedReadKeys = 3;
  ACLUserPermissions permissions = 4;
}

message ACLUserInvite {
  bytes acceptPublicKey = 1;
  bytes encryptPublicKey = 2;
  repeated bytes encryptedReadKeys = 3;
  ACLUserPermissions permissions = 4;
  string inviteId = 5;
}

message ACLUserJoin {
  bytes identity = 1;
  bytes encryptionKey = 2;
  bytes acceptSignature = 3;
  string inviteId = 4;
  repeated bytes encryptedReadKeys = 5;
}

message ACLUserRemove {
  bytes identity = 1;
  repeated ACLReadKeyReplace readKeyReplaces = 3;
}

message ACLReadKeyReplace {
  bytes identity = 1;
  bytes encryptionKey = 2;
  bytes encryptedReadKey = 3;
}

message ACLUserPermissionChange {
  bytes identity = 1;
  ACLUserPermissions permissions = 2;
}

enum ACLUserPermissions {
  Admin = 0;
  Writer = 1;
  Reader = 2;
}