use crate::dto::{error::Error, prelude::*, rpc::RootRequestMetadata};
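/// Delegation certificate: the payload that [`DelegationProof`] pairs with a signature.
///
/// This is a plain wire type. Because it derives `Deserialize` and `CandidType`, a value can be
/// decoded from untrusted input; holding a `DelegationCert` does not show that it was ever
/// signed or that it is inside its validity window. Those checks are not in this file.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegationCert {
    /// Root principal named in the certificate (presumably the issuer; confirm in the signer).
    pub root_pid: Principal,
    /// Shard principal named in the certificate (presumably the delegate; confirm in the signer).
    pub shard_pid: Principal,
    // NOTE(review): unit and clock source of both timestamps are not visible here. Confirm that
    // issuer and verifier agree on them before comparing against the current time.
    /// Issue time of the certificate.
    pub issued_at: u64,
    /// Expiry time of the certificate.
    pub expires_at: u64,
    /// Scope names carried by the certificate. These are free-form strings; nothing in this
    /// type restricts them to a known set.
    pub scopes: Vec<String>,
    // NOTE(review): the meaning of an empty list (no audience vs. any audience) is decided by
    // the verifier, not by this type. Confirm that the verifier fails closed.
    /// Audience principals carried by the certificate.
    pub aud: Vec<Principal>,
}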
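/// A [`DelegationCert`] together with signature bytes.
///
/// The type only carries the two values side by side. It can be deserialized from any input,
/// so `cert` must be treated as unauthenticated until `cert_sig` has been verified.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegationProof {
    /// The certificate the signature is meant to cover.
    pub cert: DelegationCert,
    // NOTE(review): the signature scheme and the exact byte encoding that gets signed are not
    // defined in this file. Confirm that signer and verifier use the same canonical encoding.
    /// Raw signature bytes.
    pub cert_sig: Vec<u8>,
}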
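/// Claims carried inside a [`DelegatedToken`].
///
/// `scopes`, `aud` and the time fields mirror fields of [`DelegationCert`].
// NOTE(review): nothing in these types forces the claims to stay within the certificate's
// scopes, audience or lifetime. If the design intends that, the check has to live in the
// verifier; confirm that it does.
#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegatedTokenClaims {
    /// Subject principal of the token (JWT-style name; presumably the caller being vouched for).
    pub sub: Principal,
    /// Shard principal named in the claims (presumably must match `proof.cert.shard_pid`).
    pub shard_pid: Principal,
    /// Scope names claimed by the token; free-form strings.
    pub scopes: Vec<String>,
    /// Audience principals claimed by the token.
    pub aud: Vec<Principal>,
    /// Issued-at time (JWT-style name). The unit is not visible in this file.
    pub iat: u64,
    /// Expiry time (JWT-style name). The unit is not visible in this file.
    pub exp: u64,
}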
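/// Token made of claims, the delegation proof backing them, and a signature over the token.
///
/// There are two signatures in this structure: `proof.cert_sig` and `token_sig`. Both need to
/// be verified before `claims` is trusted; decoding alone establishes nothing.
// NOTE(review): the derived `Debug` prints the claims and both signatures. If the token is
// accepted as a bearer credential, a token that reaches a log is a usable credential until
// `exp`. Confirm that call sites do not log whole tokens.
#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegatedToken {
    /// Claims asserted by the token.
    pub claims: DelegatedTokenClaims,
    /// Delegation proof the claims rely on.
    pub proof: DelegationProof,
    /// Raw signature bytes for the token (presumably produced by the shard named in the proof).
    pub token_sig: Vec<u8>,
}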
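/// Request for a delegation.
///
/// Every field is supplied by the requester. The type itself applies no limits, so the
/// handler is responsible for authorizing the caller and bounding what may be requested.
#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegationRequest {
    /// Shard principal the delegation is requested for.
    pub shard_pid: Principal,
    /// Requested scope names; free-form strings.
    pub scopes: Vec<String>,
    /// Requested audience principals.
    pub aud: Vec<Principal>,
    // NOTE(review): a full `u64` range is accepted at the type level. Confirm that the issuer
    // clamps the lifetime and that `now + ttl_secs` cannot overflow.
    /// Requested lifetime in seconds.
    pub ttl_secs: u64,
    /// Principals listed as verifier targets (presumably where the proof is installed).
    pub verifier_targets: Vec<Principal>,
    /// By its name, whether the root is also included as a verifier; confirm in the handler.
    pub include_root_verifier: bool,
    /// Optional request metadata; `None` when the field is absent from the input.
    #[serde(default)]
    pub metadata: Option<RootRequestMetadata>,
}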
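/// Request for a role attestation about `subject`.
///
/// All fields come from the requester. Whether the caller is allowed to ask for `role` on
/// behalf of `subject` is decided by the handler, not by this type.
#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct RoleAttestationRequest {
    /// Principal the attestation is about.
    pub subject: Principal,
    /// Role to attest for the subject.
    pub role: CanisterRole,
    /// Optional subnet principal; `None` when the field is absent from the input.
    #[serde(default)]
    pub subnet_id: Option<Principal>,
    // NOTE(review): an absent audience decodes to `None`. Whether that yields an attestation
    // usable by any verifier is not visible here; confirm that this is intended.
    /// Optional audience principal; `None` when the field is absent from the input.
    #[serde(default)]
    pub audience: Option<Principal>,
    // NOTE(review): no upper bound exists at the type level. Confirm that the issuer caps it.
    /// Requested lifetime in seconds.
    pub ttl_secs: u64,
    /// Epoch value for the request. Its meaning is not defined in this file.
    pub epoch: u64,
    /// Optional request metadata; `None` when the field is absent from the input.
    #[serde(default)]
    pub metadata: Option<RootRequestMetadata>,
}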
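/// Role attestation payload: the part of a [`SignedRoleAttestation`] that gets signed.
///
/// On its own this value is unauthenticated. It derives `Deserialize`, so any party can
/// construct one.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RoleAttestation {
    /// Principal the attestation is about.
    pub subject: Principal,
    /// Role attested for the subject.
    pub role: CanisterRole,
    /// Optional subnet principal; `None` when the field is absent from the input.
    #[serde(default)]
    pub subnet_id: Option<Principal>,
    // NOTE(review): `None` is a valid decoded value. A verifier that treats `None` as "matches
    // me" accepts attestations not bound to any audience. Confirm how verifiers handle it.
    /// Optional audience principal; `None` when the field is absent from the input.
    #[serde(default)]
    pub audience: Option<Principal>,
    /// Issue time. The unit is not visible in this file.
    pub issued_at: u64,
    /// Expiry time. The unit is not visible in this file.
    pub expires_at: u64,
    /// Epoch value carried by the attestation (presumably compared by the verifier; confirm).
    pub epoch: u64,
}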
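/// A [`RoleAttestation`] with signature bytes and the id of the key said to have signed it.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct SignedRoleAttestation {
    /// The attested payload. Untrusted until `signature` has been verified.
    pub payload: RoleAttestation,
    /// Raw signature bytes. The scheme and signed encoding are not defined in this file.
    pub signature: Vec<u8>,
    // NOTE(review): `key_id` arrives with the message and is chosen by the sender. It should
    // only select among keys the verifier already trusts (see `AttestationKey::key_id`), and
    // an unknown id should be rejected instead of falling back to another key.
    /// Identifier of the signing key.
    pub key_id: u32,
}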
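/// Status label attached to an [`AttestationKey`].
///
/// The two variants suggest key rotation. Whether `Previous` keys are still accepted for
/// verification, and for how long, is decided by the consumer and is not visible here.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum AttestationKeyStatus {
    /// Key marked as the current one.
    Current,
    /// Key marked as the previous one.
    Previous,
}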
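/// One public key entry of an [`AttestationKeySet`].
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct AttestationKey {
    /// Identifier of the key (same type as `SignedRoleAttestation::key_id`).
    pub key_id: u32,
    /// Public key bytes. The encoding is not defined in this file.
    pub public_key: Vec<u8>,
    /// Rotation status of the key.
    pub status: AttestationKeyStatus,
    // NOTE(review): both bounds are optional and decode to `None` when absent. Whether `None`
    // means "unbounded" is up to the verifier. Confirm that a key without `valid_until` cannot
    // remain accepted indefinitely after rotation.
    /// Optional start of the validity window; `None` when absent from the input.
    #[serde(default)]
    pub valid_from: Option<u64>,
    /// Optional end of the validity window; `None` when absent from the input.
    #[serde(default)]
    pub valid_until: Option<u64>,
}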
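/// Set of attestation keys associated with a root principal.
// NOTE(review): the set carries no signature of its own. Its trustworthiness depends entirely
// on how it was obtained, so confirm that consumers fetch it from the root they already trust
// and do not accept it from an arbitrary caller.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct AttestationKeySet {
    /// Root principal the keys belong to.
    pub root_pid: Principal,
    /// Time the set was generated. The unit is not visible in this file.
    pub generated_at: u64,
    /// The keys in the set. Uniqueness of `key_id` is not enforced by this type.
    pub keys: Vec<AttestationKey>,
}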
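/// Request to provision a delegation certificate to signer and verifier targets.
///
/// The certificate is supplied by the requester, so the handler has to validate its contents
/// before anything is signed or distributed. This type performs no validation.
#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegationProvisionRequest {
    /// Certificate to provision.
    pub cert: DelegationCert,
    /// Principals to provision as signers.
    pub signer_targets: Vec<Principal>,
    /// Principals to provision as verifiers.
    pub verifier_targets: Vec<Principal>,
}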
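/// Result of a provisioning call: the resulting proof plus one entry per target.
// NOTE(review): `proof` is always present, even when entries in `results` report `Failed`.
// Callers should inspect `results` and not treat a returned proof as overall success.
#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegationProvisionResponse {
    /// The delegation proof produced for the request.
    pub proof: DelegationProof,
    /// Per-target outcomes.
    pub results: Vec<DelegationProvisionTargetResponse>,
}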
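/// Summary of a delegation proof: the shard it names and its time bounds, without a signature.
///
/// The fields have the same names and types as the corresponding ones in [`DelegationCert`].
/// This value is informational and carries nothing that can be verified.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegationProofStatus {
    /// Shard principal the proof names.
    pub shard_pid: Principal,
    /// Issue time. The unit is not visible in this file.
    pub issued_at: u64,
    /// Expiry time. The unit is not visible in this file.
    pub expires_at: u64,
}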
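/// Which list of a [`DelegationProvisionRequest`] a provisioning target came from.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum DelegationProvisionTargetKind {
    /// Target provisioned as a signer.
    Signer,
    /// Target provisioned as a verifier.
    Verifier,
}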
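/// Outcome of provisioning a single target.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum DelegationProvisionStatus {
    /// Provisioning of the target succeeded.
    Ok,
    /// Provisioning of the target failed.
    Failed,
}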
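/// Per-target entry of a [`DelegationProvisionResponse`].
// NOTE(review): the type permits inconsistent pairs, such as `status: Ok` with
// `error: Some(_)` or `status: Failed` with `error: None`. Consumers should decide on
// `status` and treat `error` as diagnostic detail only.
#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegationProvisionTargetResponse {
    /// Principal of the target this entry reports on.
    pub target: Principal,
    /// Whether the target was provisioned as a signer or as a verifier.
    pub kind: DelegationProvisionTargetKind,
    /// Outcome for this target.
    pub status: DelegationProvisionStatus,
    /// Error detail, if any was recorded.
    pub error: Option<Error>,
}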