
canic_core/dto/
auth.rs

1use crate::dto::{error::Error, prelude::*, rpc::RootRequestMetadata};
2
///
/// DelegationCert
///
/// Certificate body naming a root principal, a shard principal, a validity
/// window, a scope list and an audience list. It carries no signature of its
/// own; `DelegationProof` pairs it with `cert_sig`.
///
/// Every field is public and the type derives `Deserialize`, so a decoded
/// value is unvalidated: nothing here enforces `issued_at <= expires_at`, a
/// non-empty `aud`, or any particular shape for `scopes`. Those checks have
/// to live in the code that verifies the certificate.
///

#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegationCert {
    /// Root principal named by the certificate.
    /// NOTE(review): presumably the issuer whose key produced the signature; confirm against the signing code.
    pub root_pid: Principal,
    /// Shard principal the certificate refers to.
    pub shard_pid: Principal,
    /// Issue timestamp.
    /// NOTE(review): the unit is not visible here (request types use `ttl_secs`); confirm seconds vs. nanoseconds.
    pub issued_at: u64,
    /// Expiry timestamp, same unit as `issued_at` (assumed; confirm).
    pub expires_at: u64,
    /// Scope names as free-form strings; how they are matched is not visible in this file.
    pub scopes: Vec<String>,
    /// Audience principals.
    /// NOTE(review): confirm how verifiers treat an empty list; it must not act as a wildcard by accident.
    pub aud: Vec<Principal>,
}
16
///
/// DelegationProof
///
/// A `DelegationCert` together with the signature bytes that accompany it.
/// Holding a value of this type proves nothing by itself: the signature is
/// plain bytes until a verifier checks it.
///

#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegationProof {
    /// The certificate the signature refers to.
    pub cert: DelegationCert,
    /// Signature bytes for `cert`.
    /// NOTE(review): the scheme and the exact bytes signed (the cert's encoding) are not visible here; confirm the
    /// verifier signs and checks one canonical encoding.
    pub cert_sig: Vec<u8>,
}
26
///
/// DelegationProofInstallIntent
///
/// Reason tag carried in `DelegationProofInstallRequest`.
/// NOTE(review): `Prewarm` and `Repair` presumably correspond to the
/// `PrewarmVerifiers` / `RepairVerifiers` admin commands; confirm.
///

#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum DelegationProofInstallIntent {
    Provisioning,
    Prewarm,
    Repair,
}
37
///
/// DelegationProofInstallRequest
///
/// Request carrying a proof to install plus the stated reason.
///
/// `intent` is supplied by the sender and is not covered by anything in
/// `proof`. NOTE(review): confirm the receiver authorizes the caller on its
/// own and does not treat the stated intent as evidence of privilege.
///

#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegationProofInstallRequest {
    /// Proof to install; still needs signature and expiry checks on receipt.
    pub proof: DelegationProof,
    /// Sender-declared reason for the install.
    pub intent: DelegationProofInstallIntent,
}
47
///
/// DelegatedTokenClaims
///
/// Claim set of a delegated token. The field names (`sub`, `aud`, `iat`,
/// `exp`) appear to follow the JWT registered-claim abbreviations.
///
/// `shard_pid`, `scopes` and `aud` also exist on `DelegationCert`.
/// NOTE(review): presumably a verifier must check that the claims stay within
/// what the accompanying certificate grants; this type does not enforce it.
///

#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegatedTokenClaims {
    /// Subject principal of the token.
    pub sub: Principal,
    /// Shard principal; compare with `DelegationCert::shard_pid` when verifying (assumed; confirm).
    pub shard_pid: Principal,
    /// Scope names claimed by the token.
    pub scopes: Vec<String>,
    /// Audience principals claimed by the token.
    pub aud: Vec<Principal>,
    /// Issued-at timestamp. NOTE(review): unit not visible here; confirm.
    pub iat: u64,
    /// Expiry timestamp, same unit as `iat` (assumed; confirm).
    pub exp: u64,
}
61
///
/// DelegatedToken
///
/// Claims, the delegation proof they rely on, and a signature over the token.
///
/// The type derives `Debug`, so `{:?}` formatting prints `token_sig` and the
/// embedded `cert_sig`. If tokens are accepted as bearer credentials, keep
/// whole-token values out of logs and error messages.
///

#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegatedToken {
    /// Claims asserted by the token.
    pub claims: DelegatedTokenClaims,
    /// Delegation proof accompanying the claims.
    pub proof: DelegationProof,
    /// Signature bytes for the token.
    /// NOTE(review): presumably produced by the shard named in `proof.cert`; the signed byte layout is not visible
    /// here, so confirm.
    pub token_sig: Vec<u8>,
}
72
///
/// DelegationRequest
///
/// Parameters for requesting a delegation: shard, scopes, audience, lifetime
/// and the verifier principals involved.
///
/// All values are requester-supplied. NOTE(review): confirm the handler caps
/// `ttl_secs` and restricts `scopes` / `aud` / `verifier_targets` to what the
/// caller is allowed to ask for; nothing in this type limits them.
///

#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegationRequest {
    /// Shard principal the delegation is requested for.
    pub shard_pid: Principal,
    /// Requested scope names.
    pub scopes: Vec<String>,
    /// Requested audience principals.
    pub aud: Vec<Principal>,
    /// Requested lifetime in seconds (per the field name); unbounded at the type level.
    pub ttl_secs: u64,
    /// Verifier principals named by the requester.
    pub verifier_targets: Vec<Principal>,
    /// Flag for including the root as a verifier (per the field name; handling is not visible here).
    pub include_root_verifier: bool,
    /// Optional request metadata; `#[serde(default)]` makes an absent field decode as `None`.
    #[serde(default)]
    pub metadata: Option<RootRequestMetadata>,
}
88
///
/// RoleAttestationRequest
///
/// Parameters for requesting a role attestation about `subject`.
///
/// NOTE(review): `subject` and `role` are requester-supplied; confirm the
/// issuer checks them against its own records and never attests a role only
/// because it was requested.
///

#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct RoleAttestationRequest {
    /// Principal the attestation is about.
    pub subject: Principal,
    /// Role to attest.
    pub role: CanisterRole,
    /// Optional subnet principal; absent decodes as `None`.
    #[serde(default)]
    pub subnet_id: Option<Principal>,
    /// Optional audience principal; absent decodes as `None`.
    #[serde(default)]
    pub audience: Option<Principal>,
    /// Requested lifetime in seconds (per the field name); unbounded at the type level.
    pub ttl_secs: u64,
    /// Epoch value supplied with the request; its meaning is not visible in this file.
    pub epoch: u64,
    /// Optional request metadata; absent decodes as `None`.
    #[serde(default)]
    pub metadata: Option<RootRequestMetadata>,
}
106
///
/// RoleAttestation
///
/// Unsigned attestation payload: subject, role, optional subnet and audience
/// bindings, validity window and epoch. `SignedRoleAttestation` wraps it with
/// a signature.
///
/// `subnet_id` and `audience` carry `#[serde(default)]`, so a message that
/// omits them decodes to `None`. NOTE(review): confirm verifiers do not read
/// `None` as "valid for any audience / any subnet" unless that is intended.
///

#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RoleAttestation {
    /// Principal the attestation is about.
    pub subject: Principal,
    /// Attested role.
    pub role: CanisterRole,
    /// Optional subnet binding.
    #[serde(default)]
    pub subnet_id: Option<Principal>,
    /// Optional audience binding.
    #[serde(default)]
    pub audience: Option<Principal>,
    /// Issue timestamp. NOTE(review): unit not visible here; confirm.
    pub issued_at: u64,
    /// Expiry timestamp, same unit as `issued_at` (assumed; confirm).
    pub expires_at: u64,
    /// Epoch value. NOTE(review): presumably used to reject attestations from an older epoch; confirm.
    pub epoch: u64,
}
123
///
/// SignedRoleAttestation
///
/// A `RoleAttestation` payload with signature bytes and the id of the key
/// said to have produced them.
///
/// `key_id` sits outside `payload`, so from this type alone it is
/// sender-chosen envelope data. NOTE(review): confirm a verifier resolves it
/// only against keys it already trusts (see `AttestationKeySet`) and rejects
/// unknown ids.
///

#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct SignedRoleAttestation {
    /// The attested statement.
    pub payload: RoleAttestation,
    /// Signature bytes for `payload`; scheme and signed encoding are not visible in this file.
    pub signature: Vec<u8>,
    /// Identifier of the signing key, matching `AttestationKey::key_id` (assumed; confirm).
    pub key_id: u32,
}
134
///
/// AttestationKeyStatus
///
/// Status tag of an `AttestationKey`.
/// NOTE(review): `Current` / `Previous` presumably model key rotation with a
/// grace period for the older key; confirm how long `Previous` keys verify.
///

#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum AttestationKeyStatus {
    Current,
    Previous,
}
144
///
/// AttestationKey
///
/// One published attestation key: id, public key bytes, status and an
/// optional validity window.
///
/// NOTE(review): `valid_from` / `valid_until` decode as `None` when absent;
/// confirm whether `None` means "unbounded" and that verifiers apply the
/// window in addition to `status`.
///

#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct AttestationKey {
    /// Key identifier, referenced by `SignedRoleAttestation::key_id` (assumed; confirm).
    pub key_id: u32,
    /// Public key bytes; the encoding and algorithm are not visible in this file.
    pub public_key: Vec<u8>,
    /// Whether this is the current or the previous key.
    pub status: AttestationKeyStatus,
    /// Optional start of validity.
    #[serde(default)]
    pub valid_from: Option<u64>,
    /// Optional end of validity.
    #[serde(default)]
    pub valid_until: Option<u64>,
}
159
///
/// AttestationKeySet
///
/// The set of attestation keys published for a root principal.
///
/// The type has no signature or certificate field, so its authenticity comes
/// only from how it was obtained. NOTE(review): confirm consumers fetch it
/// from the root over an authenticated call and check `root_pid` against the
/// root they expect.
///

#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct AttestationKeySet {
    /// Root principal the keys belong to.
    pub root_pid: Principal,
    /// Timestamp at which the set was generated. NOTE(review): unit not visible here; confirm.
    pub generated_at: u64,
    /// The keys in the set.
    pub keys: Vec<AttestationKey>,
}
170
// admin-only: not part of canonical delegation flow.
// used for controlled provisioning and tooling flows.
// The type itself enforces nothing: "admin-only" has to be checked by the
// endpoint that accepts this request.
///
/// DelegationProvisionRequest
///
/// A caller-built certificate plus the signer and verifier principals it
/// should be provisioned to.
///
/// NOTE(review): `cert` arrives fully formed from the caller (root, shard,
/// scopes, audience, validity); confirm the handler validates each field
/// before anything is signed.
///

#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegationProvisionRequest {
    /// Certificate to provision, as supplied by the caller.
    pub cert: DelegationCert,
    /// Principals to provision as signers.
    pub signer_targets: Vec<Principal>,
    /// Principals to provision as verifiers.
    pub verifier_targets: Vec<Principal>,
}
183
// admin-only: not part of canonical delegation flow.
// used for controlled provisioning and tooling flows.
///
/// DelegationProvisionResponse
///
/// Result of a provisioning request: the resulting proof and one entry per
/// target.
///
/// NOTE(review): the response carries `cert_sig`; if a proof is enough to
/// act under the delegation, treat this response as sensitive output.
///

#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegationProvisionResponse {
    /// The proof produced for the request.
    pub proof: DelegationProof,
    /// Per-target outcomes; a target may report `Failed` while others report `Ok`.
    pub results: Vec<DelegationProvisionTargetResponse>,
}
195
///
/// DelegationVerifierProofPushRequest
///
/// A proof and the verifier principals it should be pushed to. Used as the
/// payload of both `DelegationAdminCommand` variants.
///
/// NOTE(review): confirm each receiving verifier checks the proof's signature
/// and expiry itself and does not trust it because of who pushed it.
///

#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegationVerifierProofPushRequest {
    /// Proof to distribute.
    pub proof: DelegationProof,
    /// Verifier principals to push the proof to.
    pub verifier_targets: Vec<Principal>,
}
205
///
/// DelegationVerifierProofPushResponse
///
/// Per-target outcomes of a verifier proof push.
///

#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegationVerifierProofPushResponse {
    /// One entry per target; callers should inspect each `status` and not assume overall success.
    pub results: Vec<DelegationProvisionTargetResponse>,
}
214
///
/// DelegationProofStatus
///
/// Summary of a proof: shard principal and validity window. It repeats three
/// `DelegationCert` fields and carries no signature, scopes or audience.
///

#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegationProofStatus {
    /// Shard principal of the proof.
    pub shard_pid: Principal,
    /// Issue timestamp. NOTE(review): unit not visible here; confirm.
    pub issued_at: u64,
    /// Expiry timestamp, same unit as `issued_at` (assumed; confirm).
    pub expires_at: u64,
}
225
///
/// DelegationProvisionTargetKind
///
/// Kind of target reported in `DelegationProvisionTargetResponse`: signer or
/// verifier.
///

#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum DelegationProvisionTargetKind {
    Signer,
    Verifier,
}
231
///
/// DelegationProvisionStatus
///
/// Outcome for a single target in `DelegationProvisionTargetResponse`.
///

#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum DelegationProvisionStatus {
    Ok,
    Failed,
}
237
///
/// DelegationAdminCommand
///
/// Admin command envelope. Both variants carry the same
/// `DelegationVerifierProofPushRequest` payload and differ only in the
/// variant tag.
///
/// NOTE(review): the type cannot restrict who sends it; confirm the endpoint
/// that decodes this enum checks the caller before dispatching.
///

#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub enum DelegationAdminCommand {
    PrewarmVerifiers(DelegationVerifierProofPushRequest),
    RepairVerifiers(DelegationVerifierProofPushRequest),
}
247
///
/// DelegationAdminResponse
///
/// Response envelope with one variant per `DelegationAdminCommand` variant
/// (matched by name); each wraps the per-target push results.
///

#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub enum DelegationAdminResponse {
    PrewarmedVerifiers {
        // Per-target outcomes of the prewarm push.
        result: DelegationVerifierProofPushResponse,
    },
    RepairedVerifiers {
        // Per-target outcomes of the repair push.
        result: DelegationVerifierProofPushResponse,
    },
}
261
///
/// DelegationProvisionTargetResponse
///
/// Outcome of provisioning or pushing a proof to one target principal.
///
/// NOTE(review): presumably `error` is `Some` exactly when `status` is
/// `Failed`; the type does not enforce that pairing, so consumers should key
/// their decision on `status`.
///

#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegationProvisionTargetResponse {
    /// Principal the operation was addressed to.
    pub target: Principal,
    /// Whether the target was handled as a signer or a verifier.
    pub kind: DelegationProvisionTargetKind,
    /// Outcome for this target.
    pub status: DelegationProvisionStatus,
    /// Optional error detail for this target.
    pub error: Option<Error>,
}