gun-rs 1.0.4

A realtime, decentralized, offline-first, graph data synchronization engine (Rust port)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361

//! Certificate-Based Access Control
//! Based on Gun.js sea/certify.js
//! Allows an authority to grant permissions to certificants for specific paths/patterns

use super::{sign, KeyPair, SeaError};
use serde_json::{json, Value};
use std::collections::HashMap;

/// Certificate structure matching Gun.js format
/// Contains certificants, policies (read/write), expiry, and blocks
#[derive(Clone, Debug)]
pub struct Certificate {
    /// Certificants who have the rights (can be "*" for wildcard or list of pub keys)
    pub certificants: Certificants,
    /// Expiry timestamp (optional)
    pub expiry: Option<f64>,
    /// Read policy (optional)
    pub read_policy: Option<Policy>,
    /// Write policy (optional)
    pub write_policy: Option<Policy>,
    /// Read block/blacklist (optional)
    pub read_block: Option<String>,
    /// Write block/blacklist (optional)
    pub write_block: Option<String>,
}

/// Certificants can be wildcard or a list of public keys
#[derive(Clone, Debug)]
pub enum Certificants {
    /// Wildcard: anyone can have rights
    Wildcard,
    /// List of public keys
    List(Vec<String>),
}

/// Policy for access control
/// Can be a string, RAD/LEX object, or array of policies
#[derive(Clone, Debug)]
pub enum Policy {
    /// Simple string policy (e.g., "inbox")
    String(String),
    /// RAD/LEX object with pattern matching
    Radix(RadixPolicy),
    /// Array of policies
    Array(Vec<Policy>),
}

/// RAD/LEX pattern matching policy
/// Supports patterns like '*', '>', '<', '?', etc.
#[derive(Clone, Debug)]
pub struct RadixPolicy {
    /// Pattern map (key -> pattern)
    pub patterns: HashMap<String, String>,
}

/// Options for certificate creation
#[derive(Clone, Debug, Default)]
pub struct CertifyOptions {
    /// Expiry timestamp (optional)
    pub expiry: Option<f64>,
    /// Block/blacklist (optional)
    pub block: Option<BlockPolicy>,
    /// If true, return raw certificate without "SEA" prefix
    pub raw: bool,
}

/// Block/blacklist policy
#[derive(Clone, Debug)]
pub struct BlockPolicy {
    /// Read block
    pub read: Option<String>,
    /// Write block
    pub write: Option<String>,
}


/// Create a certificate
/// Based on Gun.js SEA.certify()
///
/// # Arguments
/// * `certificants` - Who gets the rights: "*", a pub key string, or Vec of pub keys
/// * `policy` - Access policy: string, RAD/LEX object, or array
/// * `authority` - Key pair of the certificate authority
/// * `opt` - Certificate options
///
/// # Returns
/// Signed certificate string (with "SEA" prefix unless raw=true)
///
/// # Examples
/// ```rust
/// use gun::sea::{certify, pair, CertifyOptions, Policy};
///
/// let authority = pair().await?;
/// let cert = certify(
///     "*", // anyone
///     Policy::String("inbox".to_string()),
///     &authority,
///     CertifyOptions::default()
/// ).await?;
/// ```
pub async fn certify(
    certificants: Certificants,
    policy: Policy,
    authority: &KeyPair,
    opt: CertifyOptions,
) -> Result<String, SeaError> {
    // Normalize certificants
    let certs = match certificants {
        Certificants::Wildcard => "*".to_string(),
        Certificants::List(list) => {
            if list.len() == 1 {
                list[0].clone()
            } else {
                serde_json::to_string(&list)
                    .map_err(|e| SeaError::Crypto(format!("Serialization error: {}", e)))?
            }
        }
    };

    // Extract read/write policies
    // In Gun.js, if policy is an object with 'read' key, use it; otherwise assume write
    let (read_policy, write_policy): (Option<String>, Option<String>) = match policy {
        Policy::String(s) => (None, Some(s)),
        Policy::Radix(r) => {
            // For RAD/LEX, serialize patterns as JSON
            (
                None,
                Some(serde_json::to_string(&r.patterns).unwrap_or_default()),
            )
        }
        Policy::Array(policies) => {
            // Arrays are complex, convert to JSON array
            let policy_strs: Vec<String> = policies.iter().map(|p| format!("{:?}", p)).collect();
            (
                None,
                Some(serde_json::to_string(&policy_strs).unwrap_or_default()),
            )
        }
    };

    // Build certificate data (matching Gun.js format)
    let mut cert_data = json!({
        "c": certs, // certificants
    });

    if let Some(expiry) = opt.expiry {
        cert_data["e"] = json!(expiry);
    }

    if let Some(ref read) = read_policy {
        cert_data["r"] = json!(read);
    }

    if let Some(ref write) = write_policy {
        cert_data["w"] = json!(write);
    }

    if let Some(ref block) = opt.block {
        if let Some(ref read_block) = block.read {
            cert_data["rb"] = json!(read_block);
        }
        if let Some(ref write_block) = block.write {
            cert_data["wb"] = json!(write_block);
        }
    }

    // Sign the certificate (sign expects Value, not string)
    let signature = sign(&cert_data, authority).await?;

    // Format: "SEA{...}" unless raw (matching Gun.js format)
    if opt.raw {
        // Return raw signature object
        serde_json::to_string(&signature)
            .map_err(|e| SeaError::Crypto(format!("Serialization error: {}", e)))
    } else {
        // Wrap in "SEA" prefix
        let sig_str = serde_json::to_string(&signature)
            .map_err(|e| SeaError::Crypto(format!("Serialization error: {}", e)))?;
        Ok(format!("SEA{}", sig_str))
    }
}

/// Verify a certificate with full signature verification
/// 
/// Verifies a certificate's signature using the authority's public key and extracts
/// the certificate data. This performs full cryptographic verification, not just JSON parsing.
/// 
/// # Arguments
/// * `cert` - Certificate string (with optional "SEA" prefix)
/// * `authority_pub` - Public key of the certificate authority in base64 x.y format
/// 
/// # Returns
/// `Certificate` struct with verified data if signature is valid
/// 
/// # Errors
/// - `SeaError::Crypto`: If certificate format is invalid
/// - `SeaError::VerificationFailed`: If signature verification fails (wrong authority or tampered data)
/// 
/// # Security
/// 
/// This function performs full cryptographic signature verification using ECDSA P-256.
/// Certificates with invalid signatures or wrong authority keys will be rejected.
/// 
/// # Example
/// ```rust,no_run
/// use gun::sea::{certify, verify_certificate, pair, Certificants, Policy, CertifyOptions};
/// 
/// # async fn example() -> Result<(), Box<dyn std::error::Error>> {
/// let authority = pair().await?;
/// 
/// // Create certificate
/// let cert = certify(
///     Certificants::Wildcard,
///     Policy::String("inbox".to_string()),
///     &authority,
///     CertifyOptions::default(),
/// ).await?;
/// 
/// // Verify certificate
/// let verified = verify_certificate(&cert, &authority.pub_key).await?;
/// println!("Certificate verified for: {:?}", verified.certificants);
/// # Ok(())
/// # }
/// ```
pub async fn verify_certificate(cert: &str, authority_pub: &str) -> Result<Certificate, SeaError> {
    // Remove "SEA" prefix if present
    let cert_data = if let Some(stripped) = cert.strip_prefix("SEA{") {
        // Remove "SEA{" prefix and find matching "}"
        // The certificate is a JSON object, so we need to parse it properly
        let mut json_str = String::from("{");
        json_str.push_str(stripped);
        json_str
    } else if let Some(stripped) = cert.strip_prefix("SEA") {
        stripped.to_string()
    } else {
        cert.to_string()
    };

    // Parse certificate as signed data (format: {m: message, s: signature})
    let signed_data: Value = serde_json::from_str(&cert_data)
        .map_err(|e| SeaError::Crypto(format!("Parse error: {}", e)))?;

    // Verify signature using SEA.verify()
    use super::verify;
    let parsed = verify(&signed_data, authority_pub).await?;

    // Extract certificate fields
    let certificants = if let Some(c) = parsed.get("c") {
        if let Some(s) = c.as_str() {
            if s == "*" {
                Certificants::Wildcard
            } else {
                Certificants::List(vec![s.to_string()])
            }
        } else if let Some(arr) = c.as_array() {
            Certificants::List(
                arr.iter()
                    .filter_map(|v| v.as_str().map(|s| s.to_string()))
                    .collect(),
            )
        } else {
            return Err(SeaError::Crypto("Invalid certificants format".to_string()));
        }
    } else {
        return Err(SeaError::Crypto("Missing certificants".to_string()));
    };

    let expiry = parsed.get("e").and_then(|v| v.as_f64());
    let read_policy = parsed
        .get("r")
        .and_then(|v| v.as_str().map(|s| Policy::String(s.to_string())));
    let write_policy = parsed
        .get("w")
        .and_then(|v| v.as_str().map(|s| Policy::String(s.to_string())));
    let read_block = parsed
        .get("rb")
        .and_then(|v| v.as_str().map(|s| s.to_string()));
    let write_block = parsed
        .get("wb")
        .and_then(|v| v.as_str().map(|s| s.to_string()));

    Ok(Certificate {
        certificants,
        expiry,
        read_policy,
        write_policy,
        read_block,
        write_block,
    })
}

/// Check if a path matches a policy
/// Implements RAD/LEX pattern matching
pub fn matches_policy(path: &str, policy: &Policy) -> bool {
    match policy {
        Policy::String(s) => {
            // Simple string match
            path == s || path.starts_with(&format!("{}/", s))
        }
        Policy::Radix(r) => {
            // RAD/LEX pattern matching
            // For now, simple implementation - full RAD/LEX would need more complex matching
            for pattern in r.patterns.keys() {
                if pattern == "*" {
                    return true; // Wildcard matches everything
                }
                if path.starts_with(pattern) {
                    return true;
                }
            }
            false
        }
        Policy::Array(policies) => {
            // Array: any policy matches
            policies.iter().any(|p| matches_policy(path, p))
        }
    }
}

/// Check if a certificate grants permission for a path
pub fn check_permission(
    cert: &Certificate,
    path: &str,
    operation: &str, // "read" or "write"
) -> bool {
    // Check expiry
    if let Some(expiry) = cert.expiry {
        let now = chrono::Utc::now().timestamp_millis() as f64;
        if now > expiry {
            return false; // Expired
        }
    }

    // Check blocks
    if operation == "read" {
        if let Some(ref block) = cert.read_block {
            if path.contains(block) {
                return false; // Blocked
            }
        }
    } else if operation == "write" {
        if let Some(ref block) = cert.write_block {
            if path.contains(block) {
                return false; // Blocked
            }
        }
    }

    // Check policies
    if operation == "read" {
        if let Some(ref policy) = cert.read_policy {
            return matches_policy(path, policy);
        }
    } else if operation == "write" {
        if let Some(ref policy) = cert.write_policy {
            return matches_policy(path, policy);
        }
    }

    false
}