Merge branch 'issue-2459' of github.com:ChrisBQu/defradb into issue-2459

Author: ChrisBQu

README.md

@@ -11,7 +11,7 @@
   </picture>
 </p>
 
-DefraDB is a user-centric database that prioritizes data ownership, personal privacy, and information security. Its data model, powered by the convergence of [MerkleCRDTs](https://arxiv.org/pdf/2004.00107.pdf) and the content-addressability of [IPLD](https://docs.ipld.io/), enables a multi-write-master architecture. It features [DQL](https://docs.source.network/references/query-specification/query-language-overview), a query language compatible with GraphQL but providing extra convenience. By leveraging peer-to-peer networking it can be deployed nimbly in novel topologies. Access control is determined by a relationship-based DSL, supporting document or field-level policies, secured by the SourceHub network. DefraDB is a core part of the [Source technologies](https://source.network/) that enable new paradigms of decentralized data and access-control management, user-centric apps, data trustworthiness, and much more.
+DefraDB is a user-centric database that prioritizes data ownership, personal privacy, and information security. Its data model, powered by the convergence of [MerkleCRDTs](https://arxiv.org/pdf/2004.00107.pdf) and the content-addressability of [IPLD](https://docs.ipld.io/), enables a multi-write-master architecture. It features [DQL](https://docs.source.network/defradb/references/query-specification/query-language-overview), a query language compatible with GraphQL but providing extra convenience. By leveraging peer-to-peer networking it can be deployed nimbly in novel topologies. Access control is determined by a relationship-based DSL, supporting document or field-level policies, secured by the SourceHub network. DefraDB is a core part of the [Source technologies](https://source.network/) that enable new paradigms of decentralized data and access-control management, user-centric apps, data trustworthiness, and much more.
 
 Read the documentation on [docs.source.network](https://docs.source.network/).
 

acp/README.md

@@ -631,6 +631,26 @@ Result:
 Error: document not found or not authorized to access
 ```
 
+Sometimes we might want to give a specific access (form a relationship) not just to one identity, but any identity.
+In that case we can specify "*" instead of specifying an explicit `actor`:
+```sh
+defradb client acp relationship add \
+--collection Users \
+--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
+--relation reader \
+--actor "*" \
+--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
+```
+
+Result:
+```json
+{
+  "ExistedAlready": false
+}
+```
+
+**Note: specifying `*` does not overwrite any previous formed relationships, they will remain as is **
+
 ### Revoking Access To Private Documents
 
 To revoke access to a document for an actor, we must delete the relationship between the
@@ -695,6 +715,26 @@ defradb client collection docIDs --identity 4d092126012ebaf56161716018a71630d994
 
 **Result is empty from the above command**
 
+We can also revoke the previously granted implicit relationship which gave all actors access using the "*" actor.
+Similarly we can just specify "*" to revoke all access given to actors implicitly through this relationship:
+```sh
+defradb client acp relationship delete \
+--collection Users \
+--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
+--relation reader \
+--actor "*" \
+--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
+```
+
+Result:
+```json
+{
+  "RecordFound": true
+}
+```
+
+**Note: Deleting with`*` does not remove any explicitly formed relationships, they will remain as they were **
+
 ## DAC Usage HTTP:
 
 ### Authentication

acp/acp_local.go

@@ -254,9 +254,25 @@ func (l *ACPLocal) AddActorRelationship(
 
 	ctx = auth.InjectPrincipal(ctx, principal)
 
+	var newActorRelationship *types.Relationship
+	if targetActor == "*" {
+		newActorRelationship = types.NewAllActorsRelationship(
+			resourceName,
+			objectID,
+			relation,
+		)
+	} else {
+		newActorRelationship = types.NewActorRelationship(
+			resourceName,
+			objectID,
+			relation,
+			targetActor,
+		)
+	}
+
 	setRelationshipRequest := types.SetRelationshipRequest{
 		PolicyId:     policyID,
-		Relationship: types.NewActorRelationship(resourceName, objectID, relation, targetActor),
+		Relationship: newActorRelationship,
 		CreationTime: creationTime,
 	}
 
@@ -285,9 +301,25 @@ func (l *ACPLocal) DeleteActorRelationship(
 
 	ctx = auth.InjectPrincipal(ctx, principal)
 
+	var newActorRelationship *types.Relationship
+	if targetActor == "*" {
+		newActorRelationship = types.NewAllActorsRelationship(
+			resourceName,
+			objectID,
+			relation,
+		)
+	} else {
+		newActorRelationship = types.NewActorRelationship(
+			resourceName,
+			objectID,
+			relation,
+			targetActor,
+		)
+	}
+
 	deleteRelationshipRequest := types.DeleteRelationshipRequest{
 		PolicyId:     policyID,
-		Relationship: types.NewActorRelationship(resourceName, objectID, relation, targetActor),
+		Relationship: newActorRelationship,
 	}
 
 	deleteRelationshipResponse, err := l.engine.DeleteRelationship(ctx, &deleteRelationshipRequest)

acp/acp_source_hub.go

@@ -273,18 +273,28 @@ func (a *acpSourceHub) AddActorRelationship(
 	creationTime *protoTypes.Timestamp,
 ) (bool, error) {
 	msgSet := sourcehub.MsgSet{}
+
+	var newActorRelationship *acptypes.Relationship
+	if targetActor == "*" {
+		newActorRelationship = acptypes.NewAllActorsRelationship(
+			resourceName,
+			objectID,
+			relation,
+		)
+	} else {
+		newActorRelationship = acptypes.NewActorRelationship(
+			resourceName,
+			objectID,
+			relation,
+			targetActor,
+		)
+	}
+
 	cmdMapper := msgSet.WithBearerPolicyCmd(&acptypes.MsgBearerPolicyCmd{
-		Creator:     a.signer.GetAccAddress(),
-		BearerToken: requester.BearerToken,
-		PolicyId:    policyID,
-		Cmd: acptypes.NewSetRelationshipCmd(
-			acptypes.NewActorRelationship(
-				resourceName,
-				objectID,
-				relation,
-				targetActor,
-			),
-		),
+		Creator:      a.signer.GetAccAddress(),
+		BearerToken:  requester.BearerToken,
+		PolicyId:     policyID,
+		Cmd:          acptypes.NewSetRelationshipCmd(newActorRelationship),
 		CreationTime: creationTime,
 	})
 	tx, err := a.txBuilder.Build(ctx, a.signer, &msgSet)
@@ -323,18 +333,28 @@ func (a *acpSourceHub) DeleteActorRelationship(
 	creationTime *protoTypes.Timestamp,
 ) (bool, error) {
 	msgSet := sourcehub.MsgSet{}
+
+	var newActorRelationship *acptypes.Relationship
+	if targetActor == "*" {
+		newActorRelationship = acptypes.NewAllActorsRelationship(
+			resourceName,
+			objectID,
+			relation,
+		)
+	} else {
+		newActorRelationship = acptypes.NewActorRelationship(
+			resourceName,
+			objectID,
+			relation,
+			targetActor,
+		)
+	}
+
 	cmdMapper := msgSet.WithBearerPolicyCmd(&acptypes.MsgBearerPolicyCmd{
-		Creator:     a.signer.GetAccAddress(),
-		BearerToken: requester.BearerToken,
-		PolicyId:    policyID,
-		Cmd: acptypes.NewDeleteRelationshipCmd(
-			acptypes.NewActorRelationship(
-				resourceName,
-				objectID,
-				relation,
-				targetActor,
-			),
-		),
+		Creator:      a.signer.GetAccAddress(),
+		BearerToken:  requester.BearerToken,
+		PolicyId:     policyID,
+		Cmd:          acptypes.NewDeleteRelationshipCmd(newActorRelationship),
 		CreationTime: creationTime,
 	})
 

cli/acp_relationship_add.go

@@ -64,6 +64,14 @@ Example: Let another actor (4d092126012ebaf56161716018a71630d99443d9d5217e9d8502
 	--actor did:key:z7r8os2G88XXBNBTLj3kFR5rzUJ4VAesbX7PgsA68ak9B5RYcXF5EZEmjRzzinZndPSSwujXb4XKHG6vmKEFG6ZfsfcQn \
 	--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
 
+Example: Let all actors read a private document:
+  defradb client acp relationship add \
+	--collection Users \
+	--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
+	--relation reader \
+	--actor "*" \
+	--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
+
 Example: Creating a dummy relationship does nothing (from database perspective):
   defradb client acp relationship add \
 	-c Users \

client/db.go

@@ -113,7 +113,9 @@ type DB interface {
 	// If failure occurs, the result will return an error. Upon success the boolean value will
 	// be true if the relationship already existed (no-op), and false if a new relationship was made.
 	//
-	// Note: The request actor must either be the owner or manager of the document.
+	// Note:
+	// - The request actor must either be the owner or manager of the document.
+	// - If the target actor arg is "*", then the relationship applies to all actors implicitly.
 	AddDocActorRelationship(
 		ctx context.Context,
 		collectionName string,
@@ -128,7 +130,10 @@ type DB interface {
 	// be true if the relationship record was found and deleted. Upon success the boolean value
 	// will be false if the relationship record was not found (no-op).
 	//
-	// Note: The request actor must either be the owner or manager of the document.
+	// Note:
+	// - The request actor must either be the owner or manager of the document.
+	// - If the target actor arg is "*", then the implicitly added relationship with all actors is
+	//   removed, however this does not revoke access from actors that had explicit relationships.
 	DeleteDocActorRelationship(
 		ctx context.Context,
 		collectionName string,

docs/website/references/cli/defradb_client_acp_relationship_add.md

@@ -30,6 +30,14 @@ Example: Let another actor (4d092126012ebaf56161716018a71630d99443d9d5217e9d8502
 	--actor did:key:z7r8os2G88XXBNBTLj3kFR5rzUJ4VAesbX7PgsA68ak9B5RYcXF5EZEmjRzzinZndPSSwujXb4XKHG6vmKEFG6ZfsfcQn \
 	--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
 
+Example: Let all actors read a private document:
+  defradb client acp relationship add \
+	--collection Users \
+	--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
+	--relation reader \
+	--actor "*" \
+	--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
+
 Example: Creating a dummy relationship does nothing (from database perspective):
   defradb client acp relationship add \
 	-c Users \

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/go-errors/errors v1.5.1
 	github.com/gofrs/uuid/v5 v5.3.0
 	github.com/iancoleman/strcase v0.3.0
-	github.com/ipfs/boxo v0.24.2
+	github.com/ipfs/boxo v0.24.3
 	github.com/ipfs/go-block-format v0.2.0
 	github.com/ipfs/go-cid v0.4.1
 	github.com/ipfs/go-datastore v0.6.0
@@ -34,7 +34,7 @@ require (
 	github.com/lestrrat-go/jwx/v2 v2.1.2
 	github.com/libp2p/go-libp2p v0.37.0
 	github.com/libp2p/go-libp2p-gostream v0.6.0
-	github.com/libp2p/go-libp2p-kad-dht v0.27.0
+	github.com/libp2p/go-libp2p-kad-dht v0.28.1
 	github.com/libp2p/go-libp2p-pubsub v0.12.0
 	github.com/libp2p/go-libp2p-record v0.2.0
 	github.com/mr-tron/base58 v1.2.0
@@ -62,7 +62,7 @@ require (
 	go.opentelemetry.io/otel/metric v1.32.0
 	go.opentelemetry.io/otel/sdk/metric v1.32.0
 	go.uber.org/zap v1.27.0
-	golang.org/x/crypto v0.28.0
+	golang.org/x/crypto v0.29.0
 	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c
 	google.golang.org/grpc v1.67.1
 )
@@ -80,7 +80,7 @@ require (
 	cosmossdk.io/depinject v1.0.0 // indirect
 	cosmossdk.io/errors v1.0.1 // indirect
 	cosmossdk.io/log v1.4.1 // indirect
-	cosmossdk.io/math v1.3.0 // indirect
+	cosmossdk.io/math v1.4.0 // indirect
 	cosmossdk.io/store v1.1.1 // indirect
 	cosmossdk.io/x/circuit v0.1.0 // indirect
 	cosmossdk.io/x/evidence v0.1.0 // indirect
@@ -151,7 +151,7 @@ require (
 	github.com/flynn/noise v1.1.0 // indirect
 	github.com/francoispqt/gojay v1.2.13 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.4 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.6 // indirect
 	github.com/getsentry/sentry-go v0.27.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.1-0.20221117193127-916db76e8214 // indirect
 	github.com/go-kit/kit v0.12.0 // indirect
@@ -190,7 +190,7 @@ require (
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect
 	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@@ -351,7 +351,7 @@ require (
 	go.etcd.io/bbolt v1.3.10 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 // indirect
 	go.opentelemetry.io/otel v1.32.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.32.0 // indirect
 	go.opentelemetry.io/otel/trace v1.32.0 // indirect
@@ -362,17 +362,17 @@ require (
 	golang.org/x/mod v0.21.0 // indirect
 	golang.org/x/net v0.30.0 // indirect
 	golang.org/x/oauth2 v0.23.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sync v0.9.0 // indirect
 	golang.org/x/sys v0.27.0 // indirect
-	golang.org/x/term v0.25.0 // indirect
-	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/term v0.26.0 // indirect
+	golang.org/x/text v0.20.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.26.0 // indirect
 	gonum.org/v1/gonum v0.15.0 // indirect
 	google.golang.org/api v0.171.0 // indirect
 	google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect