Add core ownership records

[gmaclennan]

Description

Each device is identified by an "identity key". We need to know which cores belong to which device. Each device should own at most one core in each namespace, and at least one core in the 'auth' namespace.

So that we can use our existing indexer, we can use the device identity public key as docId. The other fields need to be:

type CoreOwnership = {
  authCoreId: string,
  configCoreId: string,
  dataCoreId: string,
  blobCoreId: string,
  blobIndexCoreId: string
}

e.g. fields names of the format ${namespace}CoreId.

The authCoreId should always match the core ID of the auth core where it is written.

Validation

To validate this message, we need to validate ownership of the secret keys for each core. We can store this in a signature record, where we sign the core keys (as buffers), using the core secret key.

type CoreOwnership = {
  // ...
  coreSignatures: Record<Namespace, Buffer>

We don't need to convert these to string because we don't need to use them in any SQL queries (unlike the coreId fields above). That saves a round-trip from buffer-string-buffer.

We also need to validate ownership of the identity key - unlikely that someone would say their cores belong to someone else, but maybe best to be sure?

type CoreOwnership = {
  // ...
  identitySignature: Buffer
}

Questions

• Should we allow core ownership records to be modified? If not we can "trick" sqlite-indexer to only index the first ownership record by:
  1. Before sending to the indexer (e.g. in IndexWriter) check the authCoreId matches the core where it is written
  2. Replace links with an empty array
  3. Pass a custom getWinner function to sqlite-indexer to pick the winner with the lowest index (from versionId)
• Should we validate at index time or at read time? Might make sense to keep the validation in the indexer, then we only need to validate once rather than on every read. Should just drop/ignore invalid records.
• Where should responsibility for writing the core ownership record lie? It should happen when the auth core is first created. Maybe in CoreManager?

API

class CoreOwnership {
  constructor({
    coreManager: CoreManager,
    authDataStore: DataStore,
    keyManager: KeyManager
  })
  // Write the ownership record to the auth core.
  writeOwnership(): Promise<void>
  // Return the identity key of the device that owns the core with the given key
  getOwner(coreKey: Buffer): Promise<Buffer>
  // Return the core key for the core owned by deviceId in the given namespace
  getCoreKey(deviceKey: Buffer, namespace: Namespace): Promise<Buffer>
}

Tasks

• Add dataType.createWithDocId() method #190
• Add sign and verify functions to @mapeo/crypto mapeo-crypto#11
• digidem/mapeo-schema#125
• Add special handling of coreOwnership records to IndexWriter #210
• Add a DataType instance for coreOwnership, but don't expose it to the public API
• Create CoreOwnership class with getOwner and getCoreKey methods
• Write core ownership record when the auth core is first created

[achou11]

Should we allow core ownership records to be modified?

Don't have any useful input on this one. Just reading about the "trick" doesn't seem inspiring from a code maintenance perspective, but not sure what allowing modifications entails in practice.

Should we validate at index time or at read time?

Leaning towards at index time

Where should responsibility for writing the core ownership record lie?

CoreManager seems to make sense 👍