add TOS checking to tenant gate

decentralized-identity · Nov 16, 2023 · aa6ae54 · aa6ae54
1 parent 27ef40a
commit aa6ae54
Show file tree

Hide file tree

Showing 10 changed files with 278 additions and 186 deletions.
diff --git a/src/config.ts b/src/config.ts
@@ -27,6 +27,8 @@ export const config = {
     process.env.DWN_STORAGE ||
     'sqlite://data/dwn.db',
 
+  tos: process.env.DWN_TOS_FILE,
+
   // log level - trace/debug/info/warn/error
   logLevel: process.env.DWN_SERVER_LOG_LEVEL || 'INFO',
 };
diff --git a/src/dwn-server.ts b/src/dwn-server.ts
@@ -1,5 +1,6 @@
 import { Dwn } from '@tbd54566975/dwn-sdk-js';
 
+import { readFileSync } from 'fs';
 import type { Server } from 'http';
 import log from 'loglevel';
 import prefix from 'loglevel-plugin-prefix';
@@ -9,9 +10,9 @@ import { HttpServerShutdownHandler } from './lib/http-server-shutdown-handler.js
 
 import { type Config, config as defaultConfig } from './config.js';
 import { HttpApi } from './http-api.js';
-import { ProofOfWork } from './pow.js';
 import { setProcessHandlers } from './process-handlers.js';
 import { getDWNConfig, getDialectFromURI } from './storage.js';
+import { TenantGate } from './tenant-gate.js';
 import { WsApi } from './ws-api.js';
 
 export type DwnServerOptions = {
@@ -47,18 +48,26 @@ export class DwnServer {
    * The DWN creation is secondary and only happens if it hasn't already been done.
    */
   async #setupServer(): Promise<void> {
+    let tenantGate: TenantGate;
     if (!this.dwn) {
-      this.dwn = await Dwn.create(getDWNConfig(this.config));
-    }
-
-    let pow: ProofOfWork = null;
-    if (this.config.powRegistration) {
-      pow = new ProofOfWork(
-        getDialectFromURI(new URL(this.config.tenantRegistrationStore)),
+      const tenantGateDB = getDialectFromURI(
+        new URL(this.config.tenantRegistrationStore),
       );
+      const tos =
+        this.config.tos !== undefined
+          ? readFileSync(this.config.tos).toString()
+          : null;
+      tenantGate = new TenantGate(
+        tenantGateDB,
+        this.config.powRegistration,
+        this.config.tos !== undefined,
+        tos,
+      );
+
+      this.dwn = await Dwn.create(getDWNConfig(this.config, tenantGate));
     }
 
-    this.#httpApi = new HttpApi(this.dwn, pow);
+    this.#httpApi = new HttpApi(this.dwn, tenantGate);
     await this.#httpApi.start(this.config.port, () => {
       log.info(`HttpServer listening on port ${this.config.port}`);
     });
@@ -68,7 +77,7 @@ export class DwnServer {
     );
 
     if (this.config.webSocketServerEnabled) {
-      this.#wsApi = new WsApi(this.#httpApi.server, this.dwn, pow);
+      this.#wsApi = new WsApi(this.#httpApi.server, this.dwn);
       this.#wsApi.start(() => log.info(`WebSocketServer ready...`));
     }
   }

diff --git a/src/http-api.ts b/src/http-api.ts
@@ -24,7 +24,7 @@ import {
 import { config } from './config.js';
 import { jsonRpcApi } from './json-rpc-api.js';
 import { requestCounter, responseHistogram } from './metrics.js';
-import type { ProofOfWork } from './pow.js';
+import type { TenantGate } from './tenant-gate.js';
 
 const packagejson = process.env.npm_package_json
   ? JSON.parse(readFileSync(process.env.npm_package_json).toString())
@@ -33,10 +33,10 @@ const packagejson = process.env.npm_package_json
 export class HttpApi {
   #api: Express;
   #server: http.Server;
-  pow?: ProofOfWork;
+  pow?: TenantGate;
   dwn: Dwn;
 
-  constructor(dwn: Dwn, pow?: ProofOfWork) {
+  constructor(dwn: Dwn, pow?: TenantGate) {
     this.#api = express();
     this.#server = http.createServer(this.#api);
     this.dwn = dwn;
@@ -91,7 +91,7 @@ export class HttpApi {
     });
 
     this.#api.get('/:did/records/:id', async (req, res) => {
-      if (this.pow && !(await this.pow.isAuthorized(req.params.did))) {
+      if (this.pow && !(await this.pow.isTenant(req.params.did))) {
         return res.status(403).json('did not authorized on this server');
       }
 
@@ -156,10 +156,7 @@ export class HttpApi {
         return res.status(400).json(reply);
       }
 
-      if (
-        this.pow &&
-        !(await this.pow.isAuthorized(dwnRpcRequest.params.target))
-      ) {
+      if (this.pow && !(await this.pow.isTenant(dwnRpcRequest.params.target))) {
         const reply = createJsonRpcErrorResponse(
           dwnRpcRequest.id || uuidv4(),
           JsonRpcErrorCodes.Forbidden,

diff --git a/src/pow.ts b/src/pow.ts
diff --git a/src/storage.ts b/src/storage.ts
@@ -25,6 +25,7 @@ import pg from 'pg';
 import Cursor from 'pg-cursor';
 
 import type { Config } from './config.js';
+import type { TenantGate } from './tenant-gate.js';
 
 export enum EStoreType {
   DataStore,
@@ -41,15 +42,18 @@ export enum BackendTypes {
 
 export type StoreType = DataStore | EventLog | MessageStore;
 
-export function getDWNConfig(config: Config): DwnConfig {
+export function getDWNConfig(
+  config: Config,
+  tenantGate: TenantGate,
+): DwnConfig {
   const dataStore: DataStore = getStore(config.dataStore, EStoreType.DataStore);
   const eventLog: EventLog = getStore(config.eventLog, EStoreType.EventLog);
   const messageStore: MessageStore = getStore(
     config.messageStore,
     EStoreType.MessageStore,
   );
 
-  return { eventLog, dataStore, messageStore };
+  return { eventLog, dataStore, messageStore, tenantGate };
 }
 
 function getLevelStore(