
canic_core/dto/
auth.rs

1use crate::dto::{error::Error, prelude::*, rpc::RootRequestMetadata};
//
// DelegationCert
//

/// Delegation certificate payload: two principals (`root_pid`, `shard_pid`),
/// a time window, and the scopes and audience the delegation names.
///
/// Plain data carrier. The type enforces nothing by itself: it does not
/// require `issued_at <= expires_at`, and `scopes` / `aud` may be empty.
// NOTE(review): presumably the root delegates authority to the shard within
// `scopes`/`aud` — confirm against the issuing and verifying code.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegationCert {
    /// Root principal named in the certificate.
    pub root_pid: Principal,
    /// Shard principal named in the certificate.
    pub shard_pid: Principal,
    /// Issuance timestamp (time unit not stated in this file).
    pub issued_at: u64,
    /// Expiry timestamp; presumably the same unit as `issued_at`.
    pub expires_at: u64,
    /// Scope names, carried as free-form strings.
    pub scopes: Vec<String>,
    /// Audience principals.
    pub aud: Vec<Principal>,
}
//
// DelegationProof
//

/// A [`DelegationCert`] paired with signature bytes.
///
/// Holding a value of this type proves nothing: `cert_sig` is an opaque byte
/// vector and no check of it happens in this type.
// NOTE(review): treat every field of `cert` as untrusted until `cert_sig` has
// been verified; the signature scheme and the signed encoding of `cert` are
// not visible in this file.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegationProof {
    /// The certificate being vouched for.
    pub cert: DelegationCert,
    /// Signature bytes, presumably computed over `cert` — confirm.
    pub cert_sig: Vec<u8>,
}
//
// DelegationProofInstallIntent
//

/// Intent attached to a [`DelegationProofInstallRequest`].
///
/// Derives `Deserialize` but not `Serialize`.
// NOTE(review): the variant names suggest first-time provisioning, pre-warming
// and repair; how a receiver treats each intent is not visible in this file.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq)]
pub enum DelegationProofInstallIntent {
    Provisioning,
    Prewarm,
    Repair,
}
//
// DelegationProofInstallRequest
//

/// Request carrying a [`DelegationProof`] together with the sender's stated
/// [`DelegationProofInstallIntent`].
// NOTE(review): `intent` sits next to `proof`, outside the signed certificate,
// so as far as this type shows it is sender-asserted rather than
// authenticated — a receiver presumably should not base trust decisions on it.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub struct DelegationProofInstallRequest {
    /// Proof to install.
    pub proof: DelegationProof,
    /// Why the sender is installing it.
    pub intent: DelegationProofInstallIntent,
}
//
// DelegatedTokenClaims
//

/// Claims of a delegated token: subject, shard, scopes, audience and a time
/// window. The short field names (`sub`, `aud`, `iat`, `exp`) follow the
/// usual JWT claim abbreviations.
///
/// Plain data carrier; no ordering between `iat` and `exp` is enforced here.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub struct DelegatedTokenClaims {
    /// Subject principal of the token.
    pub sub: Principal,
    /// Shard principal named in the claims.
    pub shard_pid: Principal,
    /// Scope names, carried as free-form strings.
    pub scopes: Vec<String>,
    /// Audience principals.
    pub aud: Vec<Principal>,
    /// "Issued at" timestamp (time unit not stated in this file).
    pub iat: u64,
    /// Expiry timestamp; presumably the same unit as `iat`.
    pub exp: u64,
}
//
// DelegatedToken
//

/// A delegated token: its claims, the delegation proof it relies on, and
/// signature bytes for the token.
///
/// Nothing is verified by this type; both `proof.cert_sig` and `token_sig`
/// are opaque byte vectors.
// NOTE(review): `claims` repeats `shard_pid`, `scopes`, `aud` and a time
// window that also appear in `proof.cert`, and this type does not tie the two
// together. A verifier presumably has to check both signatures AND that the
// claims stay within what the certificate grants (same shard, scopes and
// audience not wider, `exp` not past `expires_at`) — confirm in the verifier.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub struct DelegatedToken {
    /// What the token asserts.
    pub claims: DelegatedTokenClaims,
    /// Certificate and signature the token is issued under.
    pub proof: DelegationProof,
    /// Signature bytes, presumably computed over `claims` — confirm.
    pub token_sig: Vec<u8>,
}
//
// DelegationRequest
//

/// Request for a delegation covering `shard_pid`, with the wanted scopes,
/// audience and lifetime, plus the verifier targets it concerns.
// NOTE(review): every field is requester-supplied. The type puts no upper
// bound on `ttl_secs` and no restriction on `scopes`, `aud` or
// `verifier_targets`; any such limits presumably live in the handler.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub struct DelegationRequest {
    /// Shard principal the delegation is requested for.
    pub shard_pid: Principal,
    /// Requested scope names.
    pub scopes: Vec<String>,
    /// Requested audience principals.
    pub aud: Vec<Principal>,
    /// Requested lifetime, in seconds per the field name.
    pub ttl_secs: u64,
    /// Verifier principals named by the requester; presumably the recipients
    /// of the resulting proof — confirm.
    pub verifier_targets: Vec<Principal>,
    /// Presumably asks for the root to be treated as a verifier too — confirm.
    pub include_root_verifier: bool,
    /// Optional request metadata; `None` when the field is absent.
    #[serde(default)]
    pub metadata: Option<RootRequestMetadata>,
}
//
// RoleAttestationRequest
//

/// Request for an attestation that `subject` holds `role`, optionally bound
/// to a subnet and an audience, for `ttl_secs` at a given `epoch`.
// NOTE(review): `subject` and `role` are requester-supplied, and the type puts
// no upper bound on `ttl_secs`. Whether the caller may obtain this role for
// this subject presumably has to be decided by the issuer, not inferred from
// the request — confirm.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub struct RoleAttestationRequest {
    /// Principal the attestation is about.
    pub subject: Principal,
    /// Role to attest.
    pub role: CanisterRole,
    /// Optional subnet binding; `None` when the field is absent.
    #[serde(default)]
    pub subnet_id: Option<Principal>,
    /// Optional audience binding; `None` when the field is absent.
    #[serde(default)]
    pub audience: Option<Principal>,
    /// Requested lifetime, in seconds per the field name.
    pub ttl_secs: u64,
    /// Epoch number supplied with the request (meaning not visible here).
    pub epoch: u64,
    /// Optional request metadata; `None` when the field is absent.
    #[serde(default)]
    pub metadata: Option<RootRequestMetadata>,
}
//
// RoleAttestation
//

/// Attestation payload: `subject` holds `role`, optionally bound to a subnet
/// and an audience, within a time window and at a given `epoch`.
///
/// Unsigned on its own; [`SignedRoleAttestation`] wraps it with a signature.
// NOTE(review): what an absent `subnet_id` / `audience` means (unbound versus
// rejected) is decided by the verifier, not by this type — confirm that
// `None` is not silently accepted as "any".
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RoleAttestation {
    /// Principal the attestation is about.
    pub subject: Principal,
    /// Attested role.
    pub role: CanisterRole,
    /// Optional subnet binding; `None` when the field is absent.
    #[serde(default)]
    pub subnet_id: Option<Principal>,
    /// Optional audience binding; `None` when the field is absent.
    #[serde(default)]
    pub audience: Option<Principal>,
    /// Issuance timestamp (time unit not stated in this file).
    pub issued_at: u64,
    /// Expiry timestamp; presumably the same unit as `issued_at`.
    pub expires_at: u64,
    /// Epoch number carried by the attestation (meaning not visible here).
    pub epoch: u64,
}
//
// SignedRoleAttestation
//

/// A [`RoleAttestation`] with signature bytes and the id of the signing key.
///
/// Nothing is verified by this type; `signature` is an opaque byte vector.
// NOTE(review): `key_id` has the same type as `AttestationKey::key_id` and
// presumably selects the key to verify with. It arrives with the message, so
// it should only ever select among keys the verifier already trusts.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct SignedRoleAttestation {
    /// The attested statement.
    pub payload: RoleAttestation,
    /// Signature bytes, presumably computed over `payload` — confirm.
    pub signature: Vec<u8>,
    /// Identifier of the signing key.
    pub key_id: u32,
}
//
// AttestationKeyStatus
//

/// Status tag carried by an [`AttestationKey`].
///
/// Derives `Deserialize` but not `Serialize`.
// NOTE(review): `Current` / `Previous` suggest key rotation with an overlap
// period; how long a `Previous` key stays acceptable is not visible here.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq)]
pub enum AttestationKeyStatus {
    Current,
    Previous,
}
//
// AttestationKey
//

/// One attestation public key: its id, key bytes, status and an optional
/// validity window.
// NOTE(review): both window bounds are optional and the type does not say what
// `None` means; a verifier presumably treats a missing bound as open-ended —
// confirm, since that would make a key without `valid_until` never expire.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq)]
pub struct AttestationKey {
    /// Key identifier.
    pub key_id: u32,
    /// Public key bytes (encoding not stated in this file).
    pub public_key: Vec<u8>,
    /// Status tag of the key.
    pub status: AttestationKeyStatus,
    /// Optional start of validity; `None` when the field is absent.
    #[serde(default)]
    pub valid_from: Option<u64>,
    /// Optional end of validity; `None` when the field is absent.
    #[serde(default)]
    pub valid_until: Option<u64>,
}
//
// AttestationKeySet
//

/// A set of [`AttestationKey`]s tagged with a root principal and a generation
/// timestamp.
// NOTE(review): the set carries no signature of its own, so its authenticity
// presumably rests on the channel it is fetched over — confirm how consumers
// obtain it.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq)]
pub struct AttestationKeySet {
    /// Root principal the key set is attributed to.
    pub root_pid: Principal,
    /// When the set was generated (time unit not stated in this file).
    pub generated_at: u64,
    /// The keys in the set.
    pub keys: Vec<AttestationKey>,
}
// admin-only: not part of canonical delegation flow.
// used for controlled provisioning and tooling flows.
//
// DelegationProvisionRequest
//

/// Admin request to provision a delegation: an unsigned [`DelegationCert`]
/// plus the signer and verifier principals to target.
// NOTE(review): the request carries a bare certificate whose fields the caller
// chooses, while the matching response carries a `DelegationProof`. The
// "admin-only" restriction is not expressed in this type, so it presumably has
// to be enforced where the request is handled — confirm.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub struct DelegationProvisionRequest {
    /// Certificate to provision (no signature attached at this point).
    pub cert: DelegationCert,
    /// Principals targeted as signers.
    pub signer_targets: Vec<Principal>,
    /// Principals targeted as verifiers.
    pub verifier_targets: Vec<Principal>,
}
// admin-only: not part of canonical delegation flow.
// used for controlled provisioning and tooling flows.
//
// DelegationProvisionResponse
//

/// Admin response to a provisioning request: the resulting
/// [`DelegationProof`] and one result entry per target.
// NOTE(review): a response can hold a proof alongside `Failed` entries, so
// callers presumably need to inspect `results` rather than assume every
// target was provisioned.
#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegationProvisionResponse {
    /// Proof produced for the provisioned certificate.
    pub proof: DelegationProof,
    /// Per-target outcomes.
    pub results: Vec<DelegationProvisionTargetResponse>,
}
//
// DelegationVerifierProofPushRequest
//

/// Request to push a [`DelegationProof`] to a list of verifier principals.
///
/// Derives `Deserialize` but not `Serialize`.
// NOTE(review): the proof is supplied by the caller; receivers presumably
// verify `cert_sig` themselves rather than trusting the pusher — confirm.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq)]
pub struct DelegationVerifierProofPushRequest {
    /// Proof to distribute.
    pub proof: DelegationProof,
    /// Verifier principals to push it to.
    pub verifier_targets: Vec<Principal>,
}
//
// DelegationVerifierProofPushResponse
//

/// Outcome of a verifier proof push: one result entry per target.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub struct DelegationVerifierProofPushResponse {
    /// Per-target outcomes.
    pub results: Vec<DelegationProvisionTargetResponse>,
}
//
// DelegationProofStatus
//

/// Summary of a delegation proof: the shard principal and the time window.
///
/// Carries no scopes, audience or signature, so it describes a proof without
/// being one.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq)]
pub struct DelegationProofStatus {
    /// Shard principal of the proof.
    pub shard_pid: Principal,
    /// Issuance timestamp (time unit not stated in this file).
    pub issued_at: u64,
    /// Expiry timestamp; presumably the same unit as `issued_at`.
    pub expires_at: u64,
}
/// Which kind of target a [`DelegationProvisionTargetResponse`] refers to.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum DelegationProvisionTargetKind {
    Signer,
    Verifier,
}
/// Outcome tag for a single provisioning target.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum DelegationProvisionStatus {
    Ok,
    Failed,
}
//
// DelegationAdminCommand
//

/// Admin command for verifier proofs. Both variants carry the same
/// [`DelegationVerifierProofPushRequest`] payload and differ only in the tag.
// NOTE(review): nothing in this type restricts who may send it; the admin
// check presumably happens at the endpoint that accepts the command — confirm.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub enum DelegationAdminCommand {
    PrewarmVerifiers(DelegationVerifierProofPushRequest),
    RepairVerifiers(DelegationVerifierProofPushRequest),
}
//
// DelegationAdminResponse
//

/// Response to a [`DelegationAdminCommand`]; one variant per command, each
/// wrapping a [`DelegationVerifierProofPushResponse`].
#[derive(CandidType, Clone, Debug, Deserialize)]
pub enum DelegationAdminResponse {
    PrewarmedVerifiers {
        /// Per-target outcomes of the pre-warm push.
        result: DelegationVerifierProofPushResponse,
    },
    RepairedVerifiers {
        /// Per-target outcomes of the repair push.
        result: DelegationVerifierProofPushResponse,
    },
}
//
// DelegationProvisionTargetResponse
//

/// Outcome for one provisioning or push target.
// NOTE(review): `status` and `error` are independent fields; the type does not
// guarantee that `Failed` comes with an error or that `Ok` comes without one,
// so consumers presumably should key on `status`.
#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegationProvisionTargetResponse {
    /// Principal that was targeted.
    pub target: Principal,
    /// Whether it was targeted as a signer or a verifier.
    pub kind: DelegationProvisionTargetKind,
    /// Outcome tag for this target.
    pub status: DelegationProvisionStatus,
    /// Error detail, if any.
    pub error: Option<Error>,
}