Merge branch 'main' into HeyPuter#875

Author: jelveh

src/backend/src/services/auth/PermissionService.js

@@ -37,10 +37,16 @@ const implicit_user_permissions = {
 
 
 /**
-* The PermissionService class manages the core functionality for handling permissions within the Puter ecosystem.
-* It provides methods for granting, revoking, and checking permissions for various entities such as users and applications.
-* This service interacts with the database to store, retrieve, and audit permission changes, and also handles complex permission logic like rewriting, implication, and explosion of permissions.
-*/
+ * Permission rewriters are used to map one set of permission strings to another.
+ * These are invoked during permission scanning and when permissions are granted or revoked.
+ * 
+ * For example, Puter's filesystem uses this to map 'fs:/some/path:mode' to
+ * 'fs:SOME-UUID:mode'.
+ * 
+ * A rewriter is constructed using the static method PermissionRewriter.create({ matcher, rewriter }).
+ * The matcher is a function that takes a permission string and returns true if the rewriter should be applied.
+ * The rewriter is a function that takes a permission string and returns the rewritten permission string.
+ */
 class PermissionRewriter {
     static create ({ id, matcher, rewriter }) {
         return new PermissionRewriter({ id, matcher, rewriter });
@@ -70,11 +76,17 @@ class PermissionRewriter {
 
 
 /**
-* The PermissionImplicator class is used to manage implicit permissions.
-* It defines methods to match and check if a given permission is implicitly granted to an actor.
-* @class
-* @name PermissionImplicator
-*/
+ * Permission implicators are used to manage implicit permissions.
+ * It defines a method to check if a given permission is implicitly granted to an actor.
+ * 
+ * For example, Puter's filesystem uses this to grant permission to a file if the specified
+ * 'actor' is the owner of the file.
+ * 
+ * An implicator is constructed using the static method PermissionImplicator.create({ matcher, checker }).
+ * `matcher  is a function that takes a permission string and returns true if the implicator should be applied.
+ * `checker` is a function that takes an actor and a permission string and returns true if the permission is implied.
+ * The actor and permission are passed to checker({ actor, permission }) as an object.
+ */
 class PermissionImplicator {
     static create ({ id, matcher, checker }) {
         return new PermissionImplicator({ id, matcher, checker });
@@ -108,12 +120,17 @@ class PermissionImplicator {
 
 
 /**
-* The PermissionExploder class is responsible for expanding permissions into a set of more granular permissions.
-* It uses a matcher function to determine if a permission should be exploded and an exploder function to perform the expansion.
-* This class is part of the permission management system, allowing for dynamic and complex permission structures.
-* 
-* @class PermissionExploder
-*/
+ * Permission exploders are used to map any permission to a list of permissions
+ * which are considered to imply the specified permission.
+ * 
+ * It uses a matcher function to determine if a permission should be exploded
+ * and an exploder function to perform the expansion.
+ * 
+ * The exploder is constructed using the static method PermissionExploder.create({ matcher, explode }).
+ * The `matcher` is a function that takes a permission string and returns true if the exploder should be applied.
+ * The `explode` is a function that takes an actor and a permission string and returns a list of implied permissions.
+ * The actor and permission are passed to explode({ actor, permission }) as an object.
+ */
 class PermissionExploder {
     static create ({ id, matcher, exploder }) {
         return new PermissionExploder({ id, matcher, exploder });
@@ -952,14 +969,26 @@ class PermissionService extends BaseService {
     }
 
 
-    register_rewriter (translator) {
-        if ( ! (translator instanceof PermissionRewriter) ) {
-            throw new Error('translator must be a PermissionRewriter');
+    /**
+     * Register a permission rewriter. For details see the documentation on the
+     * PermissionRewriter class.
+     * 
+     * @param {PermissionRewriter} rewriter - The permission rewriter to register
+     */
+    register_rewriter (rewriter) {
+        if ( ! (rewriter instanceof PermissionRewriter) ) {
+            throw new Error('rewriter must be a PermissionRewriter');
         }
 
-        this._permission_rewriters.push(translator);
+        this._permission_rewriters.push(rewriter);
     }
 
+    /**
+     * Register a permission implicator. For details see the documentation on the
+     * PermissionImplicator class.
+     * 
+     * @param {PermissionImplicator} implicator - The permission implicator to register
+     */
     register_implicator (implicator) {
         if ( ! (implicator instanceof PermissionImplicator) ) {
             throw new Error('implicator must be a PermissionImplicator');
@@ -968,6 +997,12 @@ class PermissionService extends BaseService {
         this._permission_implicators.push(implicator);
     }
 
+    /**
+     * Register a permission exploder. For details see the documentation on the
+     * PermissionExploder class.
+     * 
+     * @param {PermissionExploder} exploder - The permission exploder to register
+     */
     register_exploder (exploder) {
         if ( ! (exploder instanceof PermissionExploder) ) {
             throw new Error('exploder must be a PermissionExploder');

src/backend/src/services/auth/VirtualGroupService.js

@@ -21,6 +21,14 @@ class VirtualGroupService extends BaseService {
         this.membership_implicators_ = [];
     }
 
+    /**
+     * Registers a function that reports one or more groups that an actor
+     * should be considered a member of.
+     * 
+     * @note this only applies to virtual groups, not persistent groups.
+     * 
+     * @param {*} implicator 
+     */
     register_membership_implicator (implicator) {
         this.membership_implicators_.push(implicator);
     }

src/backend/src/unstructured/permission-scan-lib.js

@@ -10,11 +10,7 @@
 const remove_paths_through_user = ({ reading, user }) => {
     const no_cycle_reading = [];
 
-    for ( let i = 0 ; i < reading.length ; i++ ) {
-        const node = reading[i];
-
-        console.log('checking node...', node);
-
+    for ( const node of reading ) {
         if ( node.$ === 'path' ) {
             if (
                 node.issuer_username === user.username
@@ -33,14 +29,11 @@ const remove_paths_through_user = ({ reading, user }) => {
         no_cycle_reading.push(node);
     }
 
-    console.log('\x1B[36;1m ====', reading.length - no_cycle_reading.length, 'nodes filtered out ====\x1B[0m');
-
     return no_cycle_reading;
 };
 
 const reading_has_terminal = ({ reading }) => {
-    for ( let i = 0 ; i < reading.length ; i++ ) {
-        const node = reading[i];
+    for ( const node of reading ) {
         if ( node.has_terminal ) {
             return true;
         }

src/backend/src/unstructured/permission-scanners.js

@@ -14,9 +14,26 @@ const { reading_has_terminal } = require("./permission-scan-lib");
     "Ctrl+K, Ctrl+J" or "⌘K, ⌘J";
 */
 
+/**
+ * Permission Scanners
+ * @usedBy scan-permission.js
+ * 
+ * These are all the different ways an entity (user or app) can have a permission.
+ * This list of scanners is iterated over and invoked by scan-permission.js.
+ * 
+ * Each `scan` function is passed a sequence scope. The instance attached to the
+ * sequence scope is PermissionService itself, so any `a.iget('something')` is
+ * accessing the member 'something' of the PermissionService instance.
+ */
 const PERMISSION_SCANNERS = [
     {
         name: 'implied',
+        documentation: `
+            Scans for permissions that are implied by "permission implicators".
+            
+            Permission implicators are added by other services via
+            PermissionService's \`register_implicator\` method.
+        `,
         async scan (a) {
             const reading = a.get('reading');
             const { actor, permission_options } = a.values();
@@ -46,6 +63,9 @@ const PERMISSION_SCANNERS = [
     },
     {
         name: 'user-user',
+        documentation: `
+            User-to-User permissions are permission granted form one user to another.
+        `,
         async scan (a) {
             const { reading, actor, permission_options, state } = a.values();
             if ( !(actor.type instanceof UserActorType)  ) {
@@ -96,7 +116,6 @@ const PERMISSION_SCANNERS = [
 
                 if ( should_continue ) continue;
 
-                // const issuer_perm = await this.check(issuer_actor, row.permission);
                 const issuer_reading = await a.icall(
                     'scan', issuer_actor, row.permission, undefined, state);
 
@@ -117,6 +136,13 @@ const PERMISSION_SCANNERS = [
     },
     {
         name: 'hc-user-group-user',
+        documentation: `
+            These are user-to-group permissions that are defined in the
+            hardcoded_user_group_permissions section of "hardcoded-permissions.js".
+            
+            These are typically used to grant permissions from the system user to
+            the default groups: "admin", "user", and "temp".
+        `,
         async scan (a) {
             const { reading, actor, permission_options } = a.values();
             if ( !(actor.type instanceof UserActorType)  ) {
@@ -167,6 +193,11 @@ const PERMISSION_SCANNERS = [
     },
     {
         name: 'user-group-user',
+        documentation: `
+            This scans for permissions that are granted to the user because a
+            group they are a member of was granted this permission by another
+            user.
+        `,
         async scan (a) {
             const { reading, actor, permission_options } = a.values();
             if ( !(actor.type instanceof UserActorType)  ) {
@@ -223,6 +254,16 @@ const PERMISSION_SCANNERS = [
     },
     {
         name: 'user-virtual-group-user',
+        documentation: `
+            These are groups with computed membership. Permissions are not granted
+            to these groups; instead the groups are defined with a list of
+            permissions that are granted to the group members.
+            
+            Services can define "virtual groups" via the "virtual-group" service.
+            Services can also register membership implicators for virtual groups
+            which will compute on the fly whether or not an actor should be
+            considered a member of the group.
+        `,
         async scan (a) {
             const svc_virtualGroup = await a.iget('services').get('virtual-group');
             const { reading, actor, permission_options } = a.values();
@@ -248,6 +289,10 @@ const PERMISSION_SCANNERS = [
     },
     {
         name: 'user-app',
+        documentation: `
+            If the actor is an app, this scans for permissions granted to the app
+            because the user has the permission and granted it to the app.
+        `,
         async scan (a) {
             const { reading, actor, permission_options } = a.values();
             if ( !(actor.type instanceof AppUnderUserActorType)  ) {

src/backend/src/util/context.js

@@ -52,7 +52,6 @@ class Context {
                 );
             }
 
-            // x = globalThis.root_context ?? this.create({});
             x = this.root.sub({}, this.USE_NAME_FALLBACK);
         }
         if ( x && k ) return x.get(k);
@@ -180,7 +179,6 @@ class Context {
         });
     }
     abind (cb) {
-        const als = this.constructor.contextAsyncLocalStorage;
         return async (...args) => {
             return await this.arun(async () => {
                 return await cb(...args);

src/backend/src/util/fuzz.js

@@ -16,15 +16,6 @@
  * You should have received a copy of the GNU Affero General Public License
  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
-// function fuzz_number(n) {
-//     if (n === 0) return 0;
-    
-//     // let randomized = n + (Math.random() - 0.5) * n * 0.2;
-//     let randomized = n;
-//     let magnitude = Math.floor(Math.log10(randomized));
-//     let factor = Math.pow(10, magnitude);
-//     return Math.round(randomized / factor) * factor;
-// }
 
 function fuzz_number(num) {
     // If the number is 0, then return 0
@@ -46,47 +37,6 @@ function fuzz_number(num) {
     return Math.round(num / factor) * factor;
 }
 
-// function fuzz_number(number) {
-//     if (isNaN(number)) {
-//         return 'Invalid number';
-//     }
-
-//     let formattedNumber;
-//     if (number >= 1000000) {
-//         // For millions, we want to show one decimal place
-//         formattedNumber = (number / 1000000).toFixed(0) + 'm';
-//     } else if (number >= 1000) {
-//         // For thousands, we want to show one decimal place
-//         formattedNumber = (number / 1000).toFixed(0) + 'k';
-//     } else if (number >= 500) {
-//         // For hundreds, we want to show no decimal places
-//         formattedNumber = '500+';
-//     } else if (number >= 100) {
-//         // For hundreds, we want to show no decimal places
-//         formattedNumber = '100+';
-//     } else if (number >= 50) {
-//         // For hundreds, we want to show no decimal places
-//         formattedNumber = '50+';
-//     } else if (number >= 10) {
-//         // For hundreds, we want to show no decimal places
-//         formattedNumber = '10+';
-//     }
-//     else {
-//         // For numbers less than 10, we show the number as is.
-//         formattedNumber = '1+';
-//     }
-
-//     // If the decimal place is 0 (e.g., 5.0k), we remove the decimal part (to have 5k instead)
-//     formattedNumber = formattedNumber.replace(/\.0(?=[k|m])/, '');
-
-//     // Append the plus sign for numbers 1000 and greater, denoting the number is 'this value or more'.
-//     if (number >= 1000) {
-//         formattedNumber += '+';
-//     }
-
-//     return formattedNumber;
-// }
-
 module.exports = {
     fuzz_number
 };

src/backend/src/util/lockutil.js

@@ -18,6 +18,9 @@
  */
 const { TeePromise } = require('@heyputer/putility').libs.promise;
 
+/**
+ * RWLock is a read-write lock that allows multiple readers or a single writer.
+ */
 class RWLock {
     static TYPE_READ = Symbol('read');
     static TYPE_WRITE = Symbol('write');
@@ -45,11 +48,6 @@ class RWLock {
         this.check_queue_();
     }
     check_queue_ () {
-        // console.log('check_queue_', {
-        //     readers_: this.readers_,
-        //     writer_: this.writer_,
-        //     queue: this.queue.map(item => item.type),
-        // });
         if ( this.queue.length === 0 ) {
             if ( this.readers_ === 0 && ! this.writer_ ) {
                 this.on_empty_();

src/backend/src/util/otelutil.js

@@ -100,7 +100,6 @@ class ParallelTasks {
             return;
         }
 
-        // const span = this.tracer.startSpan(name);
         this.promises.push(this.run_(name, fn));
     }
 

src/backend/src/util/queuing.js

@@ -52,7 +52,7 @@ const simple_retry = async function simple_retry (func, max_tries, interval) {
 };
 
 const poll = async function poll({ poll_fn, schedule_fn }) {
-    let delay = undefined;
+    let delay;
 
     while ( true ) {
         const is_done = await poll_fn();