Add ContextVariableCondition with flexible variable matching (#688)

Author: derekpierre

packages/taco/examples/conditions.ts

@@ -124,26 +124,3 @@ console.assert(
   myContractCallCondition.requiresAuthentication(),
   'ContractCondition requires a signer',
 );
-
-// Address Allowlist Condition Example
-const addressAllowlistCondition =
-  new conditions.base.addressAllowlist.AddressAllowlistCondition({
-    userAddress: ':userAddress',
-    addresses: [
-      '0x1e988ba4692e52Bc50b375bcC8585b95c48AaD77',
-      '0x742d35Cc6634C0532925a3b844Bc454e4438f44e',
-      '0x0000000000000000000000000000000000000001',
-    ],
-  });
-
-console.assert(
-  addressAllowlistCondition.requiresAuthentication(),
-  'AddressAllowlistCondition requires authentication',
-);
-
-// You can check if an address is allowed with the condition's toObj method
-const addressToCheck = '0x1e988ba4692e52Bc50b375bcC8585b95c48AaD77';
-const addresses = addressAllowlistCondition.toObj().addresses;
-// This would be checked by taco nodes after validating the wallet signature provided by encryptor (the value of the variable `addressToCheck`).
-const isAllowed = addresses.includes(addressToCheck);
-console.assert(isAllowed, 'Address should be allowed but it is not.');

packages/taco/integration-test/condition-lingo.test.ts

@@ -1,6 +1,7 @@
 import axios from 'axios';
 import * as https from 'https';
 import { describe, test } from 'vitest';
+import { conditions } from '../src';
 import {
   CompoundCondition,
   CompoundConditionType,
@@ -14,6 +15,7 @@ import {
 } from '../src/conditions/schemas/ecdsa';
 import { SequentialCondition } from '../src/conditions/sequential';
 import {
+  testContextVariableConditionObj,
   testContractConditionObj,
   testJsonApiConditionObj,
   testJsonRpcConditionObj,
@@ -162,5 +164,14 @@ describe.skipIf(!process.env.RUNNING_IN_CI)(
         await validateConditionExpression(conditionExpr);
       }
     }, 15000);
+
+    test('validate context variable condition structure', async () => {
+      const contextVariableCondition =
+        new conditions.base.contextVariable.ContextVariableCondition(
+          testContextVariableConditionObj,
+        );
+      const conditionExpr = new ConditionExpression(contextVariableCondition);
+      await validateConditionExpression(conditionExpr);
+    }, 15000);
   },
 );

packages/taco/integration-test/encrypt-decrypt.test.ts

@@ -18,6 +18,7 @@ import { CompoundCondition } from '../src/conditions/compound-condition';
 import {
   createSignatureForTestSecp256k1ECDSACondition,
   createTestSecp256k1ECDSACondition,
+  testContextVariableConditionObj,
   UINT256_MAX,
 } from '../test/test-utils';
 
@@ -123,58 +124,6 @@ describe.skipIf(!process.env.RUNNING_IN_CI)(
       expect(decryptedMessageString).toEqual(messageString);
     }, 15000);
 
-    test('should encrypt and decrypt according to wallet allowlist condition', async () => {
-      const messageString =
-        'This message should only be accessible to allowed wallet addresses';
-      const message = toBytes(messageString);
-
-      const addressAllowlistCondition =
-        new conditions.base.addressAllowlist.AddressAllowlistCondition({
-          userAddress: ':userAddress',
-          addresses: [
-            CONSUMER_ADDRESS,
-            '0x742d35Cc6634C0532925a3b844Bc454e4438f44e',
-            '0x0000000000000000000000000000000000000001',
-          ],
-        });
-
-      expect(addressAllowlistCondition.requiresAuthentication()).toBe(true);
-
-      const messageKit = await encrypt(
-        provider,
-        DOMAIN,
-        message,
-        addressAllowlistCondition,
-        RITUAL_ID,
-        encryptorSigner,
-      );
-
-      const encryptedBytes = messageKit.toBytes();
-
-      const messageKitFromBytes = ThresholdMessageKit.fromBytes(encryptedBytes);
-      const conditionContext =
-        conditions.context.ConditionContext.fromMessageKit(messageKitFromBytes);
-
-      const authProvider = new EIP4361AuthProvider(provider, consumerSigner, {
-        domain: 'localhost',
-        uri: 'http://localhost:3000',
-      });
-      conditionContext.addAuthProvider(
-        USER_ADDRESS_PARAM_DEFAULT,
-        authProvider,
-      );
-
-      const decryptedBytes = await decrypt(
-        provider,
-        DOMAIN,
-        messageKitFromBytes,
-        conditionContext,
-      );
-      const decryptedMessageString = fromBytes(decryptedBytes);
-
-      expect(decryptedMessageString).toEqual(messageString);
-    }, 15000);
-
     test('should encrypt and decrypt according to ECDSA signature condition with predefined verifying key', async () => {
       const messageString =
         'This message is protected by ECDSA signature verification 🔐';
@@ -329,5 +278,106 @@ describe.skipIf(!process.env.RUNNING_IN_CI)(
 
       expect(decryptedMessageString).toEqual(messageString);
     }, 25000);
+
+    test('should encrypt and decrypt with ContextVariableCondition', async () => {
+      const messageString =
+        'This message is protected by context variable condition 🔐';
+      const message = toBytes(messageString);
+
+      // Create a context variable condition that checks if userAddress is in allowlist
+      const contextVariableCondition = new conditions.base.contextVariable.ContextVariableCondition({
+        ...testContextVariableConditionObj,
+        returnValueTest: {
+          comparator: 'in',
+          value: [
+            CONSUMER_ADDRESS.toLowerCase(),
+            '0x0000000000000000000000000000000000000001',
+          ],
+        },
+      });
+
+      expect(contextVariableCondition.requiresAuthentication()).toBe(true);
+
+      const messageKit = await encrypt(
+        provider,
+        DOMAIN,
+        message,
+        contextVariableCondition,
+        RITUAL_ID,
+        encryptorSigner,
+      );
+
+      const encryptedBytes = messageKit.toBytes();
+
+      const messageKitFromBytes = ThresholdMessageKit.fromBytes(encryptedBytes);
+      const conditionContext =
+        conditions.context.ConditionContext.fromMessageKit(messageKitFromBytes);
+
+      expect(
+        conditionContext.requestedContextParameters.has(
+          USER_ADDRESS_PARAM_DEFAULT,
+        ),
+      ).toBeTruthy();
+
+      // Add auth provider for userAddress context parameter
+      const authProvider = new EIP4361AuthProvider(provider, consumerSigner);
+      conditionContext.addAuthProvider(
+        USER_ADDRESS_PARAM_DEFAULT,
+        authProvider,
+      );
+
+      const decryptedBytes = await decrypt(
+        provider,
+        DOMAIN,
+        messageKitFromBytes,
+        conditionContext,
+      );
+      const decryptedMessageString = fromBytes(decryptedBytes);
+
+      expect(decryptedMessageString).toEqual(messageString);
+    }, 20000);
+
+    test('should fail to decrypt with ContextVariableCondition when userAddress is not in allowlist', async () => {
+      const messageString = 'This should fail with wrong address';
+      const message = toBytes(messageString);
+
+      // Create a context variable condition with specific allowed addresses
+      const restrictedContextVariableCondition = new conditions.base.contextVariable.ContextVariableCondition({
+        ...testContextVariableConditionObj,
+        returnValueTest: {
+          comparator: 'in',
+          value: [
+            '0x0000000000000000000000000000000000000001', // Not our consumer address
+            '0x0000000000000000000000000000000000000002',
+          ],
+        },
+      });
+
+      const messageKit = await encrypt(
+        provider,
+        DOMAIN,
+        message,
+        restrictedContextVariableCondition,
+        RITUAL_ID,
+        encryptorSigner,
+      );
+
+      const encryptedBytes = messageKit.toBytes();
+
+      const messageKitFromBytes = ThresholdMessageKit.fromBytes(encryptedBytes);
+      const conditionContext =
+        conditions.context.ConditionContext.fromMessageKit(messageKitFromBytes);
+
+      // Add auth provider for userAddress context parameter (but with wrong address)
+      const authProvider = new EIP4361AuthProvider(provider, consumerSigner);
+      conditionContext.addAuthProvider(
+        USER_ADDRESS_PARAM_DEFAULT,
+        authProvider,
+      );
+
+      await expect(
+        decrypt(provider, DOMAIN, messageKitFromBytes, conditionContext),
+      ).rejects.toThrow();
+    }, 20000);
   },
 );

packages/taco/schema-docs/condition-schemas.md

@@ -6,7 +6,7 @@ _Union of the following possible types:_
 
 - [RpcCondition](#rpccondition)
 - [TimeCondition](#timecondition)
-- [AddressAllowlistCondition](#addressallowlistcondition)
+- [ContextVariableCondition](#contextvariablecondition)
 - [ContractCondition](#contractcondition)
 - [EcdsaCondition](#ecdsacondition)
 - [JsonApiCondition](#jsonapicondition)
@@ -100,6 +100,20 @@ _Object containing the following properties:_
 
 _(\*) Required._
 
+## ContextVariableCondition
+
+Context Variable Condition for performing comparison operations on context variable values.
+
+_Object containing the following properties:_
+
+| Property                   | Description                                                                                  | Type                                              |
+| :------------------------- | :------------------------------------------------------------------------------------------- | :------------------------------------------------ |
+| **`conditionType`** (\*)   |                                                                                              | `'context-variable'`                              |
+| **`contextVariable`** (\*) | The context variable to check (e.g., ":userAddress", ":customParam")                         | `string` (_regex: `/^:[a-zA-Z_][a-zA-Z0-9_]*$/`_) |
+| **`returnValueTest`** (\*) | Test to perform on a value. Supports comparison operators like ==, >, <, >=, <=, !=, in, !in | [ReturnValueTest](#returnvaluetest)               |
+
+_(\*) Required._
+
 ## ContractCondition
 
 _Object containing the following properties:_
@@ -232,6 +246,8 @@ _(\*) Required._
 
 ## ReturnValueTest
 
+Test to perform on a value. Supports comparison operators like ==, >, <, >=, <=, !=, in, !in
+
 _Object containing the following properties:_
 
 | Property              | Type                                                          |
@@ -344,20 +360,6 @@ _Object containing the following properties:_
 
 _(\*) Required._
 
-## AddressAllowlistCondition
-
-Address Allowlist Condition for allowing decryption for specific wallet addresses. It is very handy when combined with other conditions.
-
-_Object containing the following properties:_
-
-| Property                 | Description                                                                                                                                     | Type                                |
-| :----------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------- |
-| **`conditionType`** (\*) |                                                                                                                                                 | `'address-allowlist'`               |
-| **`userAddress`** (\*)   | This is a context variable that will be replaced at decryption time. It represents the Ethereum address of the requester attempting decryption. | [UserAddress](#useraddress)         |
-| **`addresses`** (\*)     | List of wallet addresses allowed to decrypt. Addresses should be provided in checksummed form.                                                  | `Array<string>` (_min: 1, max: 25_) |
-
-_(\*) Required._
-
 ## More resources
 
 For more information, please refer to the TACo documentation:

packages/taco/src/conditions/base/address-allowlist.ts

@@ -0,0 +1,21 @@
+import { Condition } from '../condition';
+import {
+  ContextVariableConditionProps,
+  contextVariableConditionSchema,
+  ContextVariableConditionType,
+} from '../schemas/context-variable';
+import { OmitConditionType } from '../shared';
+
+export { ContextVariableConditionProps, ContextVariableConditionType };
+
+/**
+ * A condition that performs comparison operations on context variable values.
+ */
+export class ContextVariableCondition extends Condition {
+  constructor(value: OmitConditionType<ContextVariableConditionProps>) {
+    super(contextVariableConditionSchema, {
+      conditionType: ContextVariableConditionType,
+      ...value,
+    });
+  }
+}

packages/taco/src/conditions/base/context-variable.ts

@@ -1,7 +1,7 @@
 // Exporting classes here instead of their respective schema files to
 // avoid circular dependency on Condition class.
 
-export * as addressAllowlist from './address-allowlist';
+export * as contextVariable from './context-variable';
 export * as contract from './contract';
 export * as ecdsa from './ecdsa';
 export * as jsonApi from './json-api';

packages/taco/src/conditions/base/index.ts

@@ -1,8 +1,8 @@
 import {
-  AddressAllowlistCondition,
-  AddressAllowlistConditionProps,
-  AddressAllowlistConditionType,
-} from './base/address-allowlist';
+  ContextVariableCondition,
+  ContextVariableConditionProps,
+  ContextVariableConditionType,
+} from './base/context-variable';
 import {
   ContractCondition,
   ContractConditionProps,
@@ -76,10 +76,6 @@ export class ConditionFactory {
         return new JsonRpcCondition(props as JsonRpcConditionProps);
       case JWTConditionType:
         return new JWTCondition(props as JWTConditionProps);
-      case AddressAllowlistConditionType:
-        return new AddressAllowlistCondition(
-          props as AddressAllowlistConditionProps,
-        );
       case SigningObjectAttributeConditionType:
         return new SigningObjectAttributeCondition(
           props as SigningObjectAttributeConditionProps,
@@ -88,6 +84,10 @@ export class ConditionFactory {
         return new SigningObjectAbiAttributeCondition(
           props as SigningObjectAbiAttributeConditionProps,
         );
+      case ContextVariableConditionType:
+        return new ContextVariableCondition(
+          props as ContextVariableConditionProps,
+        );
       // Logical Conditions
       case CompoundConditionType:
         return new CompoundCondition(props as CompoundConditionProps);