Skip to main content

canic_core/api/auth/
mod.rs

1use crate::{
2    cdk::types::Principal,
3    dto::{
4        auth::{
5            AttestationKeySet, DelegatedToken, DelegatedTokenClaims, DelegationCert,
6            DelegationProof, DelegationProvisionResponse, DelegationProvisionStatus,
7            DelegationProvisionTargetKind, DelegationRequest, RoleAttestationRequest,
8            SignedRoleAttestation,
9        },
10        error::{Error, ErrorCode},
11        rpc::{Request as RootRequest, Response as RootCapabilityResponse},
12    },
13    error::InternalErrorClass,
14    log,
15    log::Topic,
16    ops::{
17        auth::DelegatedTokenOps,
18        config::ConfigOps,
19        ic::IcOps,
20        rpc::RpcOps,
21        runtime::env::EnvOps,
22        runtime::metrics::auth::{
23            record_attestation_refresh_failed, record_delegation_provision_complete,
24            record_delegation_verifier_target_count, record_delegation_verifier_target_failed,
25            record_delegation_verifier_target_missing, record_signer_issue_without_proof,
26        },
27        storage::auth::DelegationStateOps,
28    },
29    protocol,
30    workflow::rpc::request::handler::RootResponseWorkflow,
31};
32
33// Internal auth pipeline:
34// - `session` owns delegated-session ingress and replay/session state handling.
35// - `admin` owns explicit root-driven fanout preparation and routing.
36// - `proof_store` owns proof-install validation and storage/cache side effects.
37//
38// Keep these modules free of lateral calls to each other. Coordination stays here,
39// and shared invariants should live in dedicated seams like `ops::auth::audience`.
40mod admin;
41mod metadata;
42mod proof_store;
43mod session;
44mod verify_flow;
45
46///
47/// DelegationApi
48///
49/// Requires auth.delegated_tokens.enabled = true in config.
50///
51
52pub struct DelegationApi;
53
54impl DelegationApi {
55    const DELEGATED_TOKENS_DISABLED: &str =
56        "delegated token auth disabled; set auth.delegated_tokens.enabled=true in canic.toml";
57    const MAX_DELEGATED_SESSION_TTL_SECS: u64 = 24 * 60 * 60;
58    const SESSION_BOOTSTRAP_TOKEN_FINGERPRINT_DOMAIN: &[u8] =
59        b"canic-session-bootstrap-token-fingerprint:v1";
60
61    fn map_delegation_error(err: crate::InternalError) -> Error {
62        match err.class() {
63            InternalErrorClass::Infra | InternalErrorClass::Ops | InternalErrorClass::Workflow => {
64                Error::internal(err.to_string())
65            }
66            _ => Error::from(err),
67        }
68    }
69
70    /// Full delegation proof verification (structure + signature).
71    ///
72    /// Purely local verification; does not read certified data or require a
73    /// query context.
74    pub fn verify_delegation_proof(
75        proof: &DelegationProof,
76        authority_pid: Principal,
77    ) -> Result<(), Error> {
78        DelegatedTokenOps::verify_delegation_proof(proof, authority_pid)
79            .map_err(Self::map_delegation_error)
80    }
81
82    #[cfg(canic_test_delegation_material)]
83    #[must_use]
84    pub fn current_signing_proof_for_test() -> Option<DelegationProof> {
85        DelegationStateOps::latest_proof_dto()
86    }
87
88    async fn sign_token(
89        claims: DelegatedTokenClaims,
90        proof: DelegationProof,
91    ) -> Result<DelegatedToken, Error> {
92        DelegatedTokenOps::sign_token(claims, proof)
93            .await
94            .map_err(Self::map_delegation_error)
95    }
96
97    /// Issue a delegated token using a reusable local proof when possible.
98    ///
99    /// If the proof is missing or no longer valid for the requested claims, this
100    /// performs canonical shard-initiated setup and retries with the refreshed proof.
101    pub async fn issue_token(claims: DelegatedTokenClaims) -> Result<DelegatedToken, Error> {
102        let proof = Self::ensure_signing_proof(&claims).await?;
103        Self::sign_token(claims, proof).await
104    }
105
106    /// Full delegated token verification (structure + signature).
107    ///
108    /// Purely local verification; does not read certified data or require a
109    /// query context.
110    pub fn verify_token(
111        token: &DelegatedToken,
112        authority_pid: Principal,
113        now_secs: u64,
114    ) -> Result<(), Error> {
115        DelegatedTokenOps::verify_token(token, authority_pid, now_secs, IcOps::canister_self())
116            .map(|_| ())
117            .map_err(Self::map_delegation_error)
118    }
119
120    /// Verify a delegated token and return verified contents.
121    ///
122    /// This is intended for application-layer session construction.
123    /// It performs full verification and returns verified claims and cert.
124    pub fn verify_token_verified(
125        token: &DelegatedToken,
126        authority_pid: Principal,
127        now_secs: u64,
128    ) -> Result<(DelegatedTokenClaims, DelegationCert), Error> {
129        DelegatedTokenOps::verify_token(token, authority_pid, now_secs, IcOps::canister_self())
130            .map(crate::ops::auth::VerifiedDelegatedToken::into_parts)
131            .map_err(Self::map_delegation_error)
132    }
133
134    /// Canonical shard-initiated delegation request (user_shard -> root).
135    ///
136    /// Caller must match shard_pid and be registered to the subnet.
137    pub async fn request_delegation(
138        request: DelegationRequest,
139    ) -> Result<DelegationProvisionResponse, Error> {
140        let request = metadata::with_root_request_metadata(request);
141        Self::request_delegation_remote(request).await
142    }
143
144    pub async fn request_role_attestation(
145        request: RoleAttestationRequest,
146    ) -> Result<SignedRoleAttestation, Error> {
147        let request = metadata::with_root_attestation_request_metadata(request);
148        let response = Self::request_role_attestation_remote(request).await?;
149
150        match response {
151            RootCapabilityResponse::RoleAttestationIssued(response) => Ok(response),
152            _ => Err(Error::internal(
153                "invalid root response type for role attestation request",
154            )),
155        }
156    }
157
158    pub async fn attestation_key_set() -> Result<AttestationKeySet, Error> {
159        DelegatedTokenOps::attestation_key_set()
160            .await
161            .map_err(Self::map_delegation_error)
162    }
163
164    /// Warm the root delegation and attestation key caches once.
165    pub async fn prewarm_root_key_material() -> Result<(), Error> {
166        EnvOps::require_root().map_err(Error::from)?;
167        DelegatedTokenOps::prewarm_root_key_material()
168            .await
169            .map_err(|err| {
170                log!(Topic::Auth, Warn, "root auth key prewarm failed: {err}");
171                Self::map_delegation_error(err)
172            })
173    }
174
175    pub fn replace_attestation_key_set(key_set: AttestationKeySet) {
176        DelegatedTokenOps::replace_attestation_key_set(key_set);
177    }
178
179    pub async fn verify_role_attestation(
180        attestation: &SignedRoleAttestation,
181        min_accepted_epoch: u64,
182    ) -> Result<(), Error> {
183        let configured_min_accepted_epoch = ConfigOps::role_attestation_config()
184            .map_err(Error::from)?
185            .min_accepted_epoch_by_role
186            .get(attestation.payload.role.as_str())
187            .copied();
188        let min_accepted_epoch = verify_flow::resolve_min_accepted_epoch(
189            min_accepted_epoch,
190            configured_min_accepted_epoch,
191        );
192
193        let caller = IcOps::msg_caller();
194        let self_pid = IcOps::canister_self();
195        let now_secs = IcOps::now_secs();
196        let verifier_subnet = Some(EnvOps::subnet_pid().map_err(Error::from)?);
197        let root_pid = EnvOps::root_pid().map_err(Error::from)?;
198
199        let verify = || {
200            DelegatedTokenOps::verify_role_attestation_cached(
201                attestation,
202                caller,
203                self_pid,
204                verifier_subnet,
205                now_secs,
206                min_accepted_epoch,
207            )
208            .map(|_| ())
209        };
210        let refresh = || async {
211            let key_set: AttestationKeySet =
212                RpcOps::call_rpc_result(root_pid, protocol::CANIC_ATTESTATION_KEY_SET, ()).await?;
213            DelegatedTokenOps::replace_attestation_key_set(key_set);
214            Ok(())
215        };
216
217        match verify_flow::verify_role_attestation_with_single_refresh(verify, refresh).await {
218            Ok(()) => Ok(()),
219            Err(verify_flow::RoleAttestationVerifyFlowError::Initial(err)) => {
220                verify_flow::record_attestation_verifier_rejection(&err);
221                verify_flow::log_attestation_verifier_rejection(
222                    &err,
223                    attestation,
224                    caller,
225                    self_pid,
226                    "cached",
227                );
228                Err(Self::map_delegation_error(err.into()))
229            }
230            Err(verify_flow::RoleAttestationVerifyFlowError::Refresh { trigger, source }) => {
231                verify_flow::record_attestation_verifier_rejection(&trigger);
232                verify_flow::log_attestation_verifier_rejection(
233                    &trigger,
234                    attestation,
235                    caller,
236                    self_pid,
237                    "cache_miss_refresh",
238                );
239                record_attestation_refresh_failed();
240                log!(
241                    Topic::Auth,
242                    Warn,
243                    "role attestation refresh failed local={} caller={} key_id={} error={}",
244                    self_pid,
245                    caller,
246                    attestation.key_id,
247                    source
248                );
249                Err(Self::map_delegation_error(source))
250            }
251            Err(verify_flow::RoleAttestationVerifyFlowError::PostRefresh(err)) => {
252                verify_flow::record_attestation_verifier_rejection(&err);
253                verify_flow::log_attestation_verifier_rejection(
254                    &err,
255                    attestation,
256                    caller,
257                    self_pid,
258                    "post_refresh",
259                );
260                Err(Self::map_delegation_error(err.into()))
261            }
262        }
263    }
264
265    fn require_proof() -> Result<DelegationProof, Error> {
266        let cfg = ConfigOps::delegated_tokens_config().map_err(Error::from)?;
267        if !cfg.enabled {
268            return Err(Error::forbidden(Self::DELEGATED_TOKENS_DISABLED));
269        }
270
271        DelegationStateOps::latest_proof_dto().ok_or_else(|| {
272            record_signer_issue_without_proof();
273            Error::not_found("delegation proof not installed")
274        })
275    }
276
277    // Resolve a proof that is currently usable for token issuance.
278    async fn ensure_signing_proof(claims: &DelegatedTokenClaims) -> Result<DelegationProof, Error> {
279        let now_secs = IcOps::now_secs();
280
281        match Self::require_proof() {
282            Ok(proof)
283                if !DelegatedTokenOps::proof_reusable_for_claims(&proof, claims, now_secs) =>
284            {
285                Self::setup_delegation(claims).await
286            }
287            Ok(proof) => Ok(proof),
288            Err(err) if err.code == ErrorCode::NotFound => Self::setup_delegation(claims).await,
289            Err(err) => Err(err),
290        }
291    }
292
293    // Provision a fresh delegation from root, then resolve the latest locally stored proof.
294    async fn setup_delegation(claims: &DelegatedTokenClaims) -> Result<DelegationProof, Error> {
295        let mut request = Self::delegation_request_from_claims(claims)?;
296        request.shard_public_key_sec1 = Some(
297            DelegatedTokenOps::local_shard_public_key_sec1(request.shard_pid)
298                .await
299                .map_err(Self::map_delegation_error)?,
300        );
301        let required_verifier_targets = request.verifier_targets.clone();
302        let response = Self::request_delegation_remote(request).await?;
303        Self::ensure_required_verifier_targets_provisioned(&required_verifier_targets, &response)?;
304        let proof = response.proof;
305        Self::store_local_signer_proof(proof.clone()).await?;
306        Ok(proof)
307    }
308
309    // Build a canonical delegation request from token claims.
310    fn delegation_request_from_claims(
311        claims: &DelegatedTokenClaims,
312    ) -> Result<DelegationRequest, Error> {
313        let ttl_secs = claims.exp.saturating_sub(claims.iat);
314        if ttl_secs == 0 {
315            return Err(Error::invalid(
316                "delegation ttl_secs must be greater than zero",
317            ));
318        }
319
320        let signer_pid = IcOps::canister_self();
321        let root_pid = EnvOps::root_pid().map_err(Error::from)?;
322        let verifier_targets = DelegatedTokenOps::required_verifier_targets_from_audience(
323            &claims.aud,
324            signer_pid,
325            root_pid,
326            Self::is_registered_canister,
327        )
328        .map_err(|principal| {
329            Error::invalid(format!(
330                "delegation audience principal '{principal}' is invalid for canonical verifier provisioning"
331            ))
332        })?;
333
334        Ok(DelegationRequest {
335            shard_pid: signer_pid,
336            scopes: claims.scopes.clone(),
337            aud: claims.aud.clone(),
338            ttl_secs,
339            verifier_targets,
340            include_root_verifier: true,
341            shard_public_key_sec1: None,
342            metadata: None,
343        })
344    }
345
346    // Validate required verifier fanout and fail closed when any required target is missing/failing.
347    fn ensure_required_verifier_targets_provisioned(
348        required_targets: &[Principal],
349        response: &DelegationProvisionResponse,
350    ) -> Result<(), Error> {
351        let mut checked = Vec::new();
352        for target in required_targets {
353            if checked.contains(target) {
354                continue;
355            }
356            checked.push(*target);
357        }
358        record_delegation_verifier_target_count(checked.len());
359
360        for target in &checked {
361            let Some(result) = response.results.iter().find(|entry| {
362                entry.kind == DelegationProvisionTargetKind::Verifier && entry.target == *target
363            }) else {
364                record_delegation_verifier_target_missing();
365                return Err(Error::internal(format!(
366                    "delegation provisioning missing verifier target result for '{target}'"
367                )));
368            };
369
370            if result.status != DelegationProvisionStatus::Ok {
371                record_delegation_verifier_target_failed();
372                let detail = result
373                    .error
374                    .as_ref()
375                    .map_or_else(|| "unknown error".to_string(), ToString::to_string);
376                return Err(Error::internal(format!(
377                    "delegation provisioning failed for required verifier target '{target}': {detail}"
378                )));
379            }
380        }
381
382        record_delegation_provision_complete();
383        Ok(())
384    }
385
386    // Derive required verifier targets from audience with strict filtering/validation.
387    #[cfg(test)]
388    fn derive_required_verifier_targets_from_aud<F>(
389        audience: &[Principal],
390        signer_pid: Principal,
391        root_pid: Principal,
392        is_valid_target: F,
393    ) -> Result<Vec<Principal>, Error>
394    where
395        F: FnMut(Principal) -> bool,
396    {
397        DelegatedTokenOps::required_verifier_targets_from_audience(
398            audience,
399            signer_pid,
400            root_pid,
401            is_valid_target,
402        )
403        .map_err(|principal| {
404            Error::invalid(format!(
405                "delegation audience principal '{principal}' is invalid for canonical verifier provisioning"
406            ))
407        })
408    }
409
410    // Delegated audience invariants:
411    // 1. claims.aud must be non-empty.
412    // 2. claims.aud must be a set-subset of proof.cert.aud.
413    // 3. proof installation on target T requires T ∈ proof.cert.aud.
414    // 4. token acceptance on canister C requires C ∈ claims.aud.
415    //
416    // Keep ingress, fanout, install, and runtime checks aligned to this block.
417}
418
419impl DelegationApi {
420    // Execute one local root delegation provisioning request.
421    pub async fn request_delegation_root(
422        request: DelegationRequest,
423    ) -> Result<DelegationProvisionResponse, Error> {
424        let request = metadata::with_root_request_metadata(request);
425        let response = RootResponseWorkflow::response(RootRequest::issue_delegation(request))
426            .await
427            .map_err(Self::map_delegation_error)?;
428
429        match response {
430            RootCapabilityResponse::DelegationIssued(response) => Ok(response),
431            _ => Err(Error::internal(
432                "invalid root response type for delegation request",
433            )),
434        }
435    }
436
437    // Route a canonical delegation provisioning request over RPC to root.
438    async fn request_delegation_remote(
439        request: DelegationRequest,
440    ) -> Result<DelegationProvisionResponse, Error> {
441        let root_pid = EnvOps::root_pid().map_err(Error::from)?;
442        RpcOps::call_rpc_result(root_pid, protocol::CANIC_REQUEST_DELEGATION, request)
443            .await
444            .map_err(Self::map_delegation_error)
445    }
446
447    // Execute one local root role-attestation request.
448    pub async fn request_role_attestation_root(
449        request: RoleAttestationRequest,
450    ) -> Result<SignedRoleAttestation, Error> {
451        let request = metadata::with_root_attestation_request_metadata(request);
452        let response = RootResponseWorkflow::response(RootRequest::issue_role_attestation(request))
453            .await
454            .map_err(Self::map_delegation_error)?;
455
456        match response {
457            RootCapabilityResponse::RoleAttestationIssued(response) => Ok(response),
458            _ => Err(Error::internal(
459                "invalid root response type for role attestation request",
460            )),
461        }
462    }
463
464    // Route a canonical role-attestation request over RPC to root.
465    async fn request_role_attestation_remote(
466        request: RoleAttestationRequest,
467    ) -> Result<RootCapabilityResponse, Error> {
468        let root_pid = EnvOps::root_pid().map_err(Error::from)?;
469        RpcOps::call_rpc_result(root_pid, protocol::CANIC_REQUEST_ROLE_ATTESTATION, request)
470            .await
471            .map_err(Self::map_delegation_error)
472    }
473}
474
475#[cfg(test)]
476mod tests;