/// The store has a special branch called `overlay` that is used to manage access to the InnerOverlay
/// The store has a special branch called `overlay` that is used to manage access to the InnerOverlay
/// only the ReadCapSecret is needed to access the InnerOverlay
/// only the ReadCapSecret is needed to access the InnerOverlay
/// the full readcap of this branch is needed in order to subscribe to the topic and decrypt the events. The branchId can be found in the branch Definition
/// the full readcap of this branch is needed in order to subscribe to the topic and decrypt the events. The branchId can be found in the branch Definition
/// it can be useful to subscribe to this topic if the user is a member of the store's repo, so it will be notified of refreshReadCap on the overlay
/// it can be useful to subscribe to this topic if the user is a member of the store's repo, so it will be notified of BranchCapRefresh on the overlay
/// if the user is an external user to the store, it will lose access to the InnerOverlay after a RefreshReadCap of the overlay branch of the store.
/// if the user is an external user to the store, it will lose access to the InnerOverlay after a BranchCapRefresh of the overlay branch of the store.
// TODO: ReadCap or PermaCap. If it is a ReadCap, a new RootBranch commit should be published (RefreshReadCap) every time the store read cap changes.
// TODO: ReadCap or PermaCap. If it is a ReadCap, a new RootBranch commit should be published (RootCapRefresh, only read_cap changes) every time the store read cap changes.
/// empty for private repos, eventhough they are all implicitly inheriting perms from private store
/// empty for private repos, eventhough they are all implicitly inheriting perms from private store
@ -1200,7 +1200,7 @@ impl fmt::Display for RootBranch {
/// Quorum definition V0
/// Quorum definition V0
///
///
/// Changed when the signers need to be updated. Signers are not necessarily editors of the repo, and they do not need to be members either, as they will be notified of RefreshReadCaps anyway.
/// Changed when the signers need to be updated. Signers are not necessarily editors of the repo, and they do not need to be members either, as they will be notified of RootCapRefresh anyway.
/// Number of signatures required for a partial order commit to be valid (threshold+1)
/// Number of signatures required for a partial order commit to be valid (threshold+1)
@ -1464,8 +1464,8 @@ pub enum PermissionV0 {
RemoveBranch,// can send removeBranch, always behind SyncSignature
RemoveBranch,// can send removeBranch, always behind SyncSignature
ChangeName,// can send AddName and RemoveName
ChangeName,// can send AddName and RemoveName
RefreshReadCap,// can send RefreshReadCap followed by UpdateRootBranch and/or UpdateBranch commits, with or without renewed topicIds. Always behind SyncSignature
RefreshReadCap,// can send RootCapRefresh or BranchCapRefresh that do not contain a write_cap, followed by UpdateRootBranch and/or UpdateBranch commits, with or without renewed topicIds. Always behind SyncSignature
RefreshWriteCap,// can send RefreshWriteCap followed by UpdateRootBranch and associated UpdateBranch commits on all branches, with renewed topicIds and RepoWriteCapSecret. Always behind SyncSignature
RefreshWriteCap,// can send RootCapRefresh that contains a write_cap and associated BranchCapRefreshes, followed by UpdateRootBranch and associated UpdateBranch commits on all branches, with renewed topicIds and RepoWriteCapSecret. Always behind SyncSignature
//
//
// permissions delegated by owners:
// permissions delegated by owners:
@ -1479,7 +1479,7 @@ pub enum PermissionV0 {
Inbox,// can read inbox
Inbox,// can read inbox
PermaShare,// can create and answer to PermaCap (PermaLink)
PermaShare,// can create and answer to PermaCap (PermaLink)
UpdateStore,// only for store root repo (add repo, remove repo) to the store special branch
UpdateStore,// only for store root repo (add repo, remove repo) to the store special branch
RefreshOverlay,// Equivalent to RefreshReadCap for the overlay special branch.
RefreshOverlay,// Equivalent to BranchCapRefresh for the overlay special branch.
}
}
/// Add permission to a member in a repo
/// Add permission to a member in a repo
@ -1911,7 +1911,7 @@ impl AsyncSignature {
///
///
/// points to the new Signature Object
/// points to the new Signature Object
/// based on the total order quorum (or owners quorum)
/// based on the total order quorum (or owners quorum)
/// mandatory for UpdateRootBranch, UpdateBranch, some AddBranch, RemoveBranch, RemoveMember, RemovePermission, Quorum, Compact, sync Transaction, RefreshReadCap, RefreshWriteCap
/// mandatory for UpdateRootBranch, UpdateBranch, some AddBranch, RemoveBranch, RemoveMember, RemovePermission, Quorum, Compact, sync Transaction, RootCapRefresh, BranchCapRefresh
/// DEPS: the last signed commit in chain
/// DEPS: the last signed commit in chain
/// ACKS: previous head before the chain of signed commit(s). should be identical to the HEADS (marked as DEPS) of first commit in chain
/// ACKS: previous head before the chain of signed commit(s). should be identical to the HEADS (marked as DEPS) of first commit in chain
@ -1943,52 +1943,92 @@ impl fmt::Display for SyncSignature {
}
}
}
}
/// RefreshReadCap. renew the ReadCap of a `transactional` branch, or the root_branch, or all transactional branches and the root_branch.
/// the second tuple member is only set when a write_cap refresh is performed, and for users that are Editor (any Member that also has at least one permission, plus all the Owners)
/// an ordered list of user IDs, with their corresponding crypto_box of a RefreshSecretV0.
/// A User ID for each Member, Signer and Owner of the repo (except the one that is being excluded, if any)
/// the ordering is important as it allows receivers to perform a binary search on the array (searching for their own ID)
/// the refresh secret is used for encrypting the SyncSignature commit's key in the event sent in old topic (RefreshSecretV0.0) and for an optional write_cap refresh (RefreshSecretV0.1)
/// RootCapRefresh. renew the capabilities of the root branch, or all transactional branches and the root_branch.
///
///
/// Each branch forms its separate chain for that purpose.
/// Each branch forms its separate chain for that purpose.
/// can refresh the topic ids, or not
/// can refresh the topic ids, or not
/// DEPS: current HEADS in the branch at the moment of refresh.
/// ACKS: current HEADS in the branch at the moment of refresh. DEPS to the previous RootBranch commit that will be superseded.
/// followed in the chain by a Branch or RootBranch commit (linked with ACK). The key used in EventV0 for the commit in the future of the RefreshReadCap, is the refresh_secret.
/// the chain on the root_branch is : RootCapRefresh -> RemovePermission/RemoveMember -> UpdateRootBranch -> optional AddPermission(s) -> AddBranch x for each branch
/// the chain can be, by example: RefreshReadCap -> RootBranch -> AddBranch
/// and on each transactional branch: BranchCapRefresh -> UpdateBranch
/// or for a transactional branch: RefreshReadCap -> Branch
/// always eventually followed at the end of each chain by a SyncSignature (each branch its own).
/// always eventually followed at the end of each chain by a SyncSignature (each branch its own)
/// The key used in EventV0 to encrypt the key for that SyncSignature commit is the refresh_secret (RefreshSecretV0.0).
///
/// On each new topic, the first commit (singleton) is a BranchCapRefreshed that contains internal references to the old branch (but no DEPS or ACKS).
/// A randomly generated secret (SymKey) used for the refresh process, encrypted for each Member, Signer and Owner of the repo (except the one that is being excluded, if any)
// ObjectRef to the RefreshCap object
/// format to be defined (see crypto_box)
pubrefresh_ref: ObjectRef,
RefreshSecret(),
// or a reference to a master RefreshReadCap commit when some transactional branches are refreshed together with the root_branch. the refresh_secret is taken from that referenced commit
/// write cap encrypted with the refresh_secret RefreshSecretV0.1
MasterRefresh(ObjectRef),
/// only allowed if the user has RefreshWriteCap permission
/// RefreshWriteCap is always done on the root_branch, and always refreshes all the transaction branches WriteCaps, and TopicIDs.
/// BranchCapRefresh renew the capabilities of one specific transactional branch
///
///
/// DEPS: current HEADS in the branch at the moment of refresh.
/// ACKS: current HEADS in the branch at the moment of refresh. DEPS to the previous Branch commit that will be superseded.
/// the chain on the root_branch is : RemovePermission/RemoveMember -> RefreshWriteCap -> RootBranch -> optional AddPermission(s) -> AddBranch
/// the chain is, on the transactional branch: BranchCapRefresh -> UpdateBranch
/// and on each transactional branch: RefreshWriteCap -> Branch
/// if this is an isolated branch refresh (not part of a rootcaprefresh), then the root branch chain is : AddBranch (ACKS to HEADS, quorumtype:TotalOrder )
/// always eventually followed at the end of each chain by a SyncSignature (each branch its own)
/// always eventually followed at the end of each chain by a SyncSignature (each branch its own)
/// The key used in EventV0 to encrypt the key for that SyncSignature commit is the refresh_secret (RefreshSecretV0.0), but not on the root branch if it is an isolated branch refresh
///
/// On the new topic, the first commit (singleton) is a BranchCapRefreshed that contains internal references to the old branch (but no DEPS or ACKS).
/// ObjectRef to the RefreshCap object (shared with a root branch and other transac branches, or specially crafted for this branch if it is an isolated branch refresh)
/// A RefreshReadCapV0::RefreshSecret when on the root_branch, otherwise on transactional branches, a RefreshReadCapV0::MasterRefresh pointing to this RefreshWriteCapV0
V0(BranchCapRefreshV0),
pubrefresh_read_cap: RefreshReadCapV0,
}
/// BranchCapRefreshed is a singleton in a new topic. it has no ACKS nor DEPS.
/// reference to the previous read_cap of the branch
pubcontinuation_of: ReadCap,
/// reference to the SyncSignature commit that did the refresh
pubrefresh: ObjectRef,
/// the new RepoWriteCapSecret, encrypted for each Editor (any Member that also has at least one permission, plus all the Owners). See format of RefreshSecret
/// reference to the UpdateBranch/UpdateRootBranch commit within the event of the SyncSignature
// TODO: format. should be encrypted
pubnew_read_cap: ReadCap,
// None when used for a transaction branch, as we don't want to duplicate this encrypted secret in each branch.