1use crate::dto::{error::Error, prelude::*, rpc::RootRequestMetadata};
/// Certificate payload naming a root principal, a shard principal, a validity
/// window, a scope list and an audience list.
///
/// The type is plain data and carries no signature of its own; nothing in it
/// enforces any relationship between the fields.
// NOTE(review): field meanings below are inferred from their names — confirm against the issuer.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegationCert {
    /// Root principal (presumably the authority granting the delegation).
    pub root_pid: Principal,
    /// Shard principal (presumably the party the delegation is granted to).
    pub shard_pid: Principal,
    /// Start of the validity window. Unit and clock source are not visible here — TODO confirm.
    pub issued_at: u64,
    /// End of the validity window, presumably in the same unit as `issued_at`.
    // NOTE(review): `issued_at < expires_at` is not enforced by the type; verifiers
    // should reject inverted or already-expired windows.
    pub expires_at: u64,
    /// Scope names as free-form strings.
    // NOTE(review): decide and document what an empty list means, and fail closed.
    pub scopes: Vec<String>,
    /// Audience principals.
    // NOTE(review): an empty list should not be read as "any audience" unless that is intended.
    pub aud: Vec<Principal>,
}
/// A [`DelegationCert`] paired with signature bytes.
///
/// The derived `PartialEq`/`Eq` compare the two fields structurally; equality of
/// two proofs says nothing about whether either signature verifies.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegationProof {
    /// The certificate the signature is attached to.
    pub cert: DelegationCert,
    /// Raw signature bytes.
    // NOTE(review): presumably a signature over `cert` by the root. The algorithm,
    // the signing key and the exact byte encoding that is signed are not visible in
    // this file — confirm, and make sure signer and verifier use the same encoding.
    pub cert_sig: Vec<u8>,
}
/// Intent tag carried by a [`DelegationProofInstallRequest`].
///
/// Derives `Deserialize` but not `Serialize`.
// NOTE(review): variant meanings are inferred from their names; if receivers apply
// different checks per intent, those checks must not rely on the caller being honest
// about which intent it sends — confirm.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq)]
pub enum DelegationProofInstallIntent {
    /// Presumably a first-time install during provisioning.
    Provisioning,
    /// Presumably an install ahead of first use.
    Prewarm,
    /// Presumably a re-install that fixes missing or stale state.
    Repair,
}
/// Request carrying a [`DelegationProof`], an install intent and an optional
/// public key.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub struct DelegationProofInstallRequest {
    /// Proof to install.
    // NOTE(review): the receiver presumably has to verify `proof.cert_sig` and the
    // cert's validity window before storing it — not enforced by this type.
    pub proof: DelegationProof,
    /// Why the install is requested.
    pub intent: DelegationProofInstallIntent,
    /// Optional public key bytes; `#[serde(default)]` makes an omitted field `None`.
    // NOTE(review): presumably the shard's public key in SEC1 encoding. The receiver
    // should validate the encoding and confirm the key belongs to
    // `proof.cert.shard_pid` rather than trusting the sender — TODO confirm.
    #[serde(default)]
    pub shard_public_key_sec1: Option<Vec<u8>>,
}
/// Claims carried inside a [`DelegatedToken`].
// NOTE(review): the short names look like the usual subject / audience /
// issued-at / expiry claim set — confirm units and semantics with the issuer.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub struct DelegatedTokenClaims {
    /// Subject principal (presumably the party the token is issued for).
    pub sub: Principal,
    /// Shard principal (presumably the signer of the token).
    pub shard_pid: Principal,
    /// Scope names as free-form strings.
    pub scopes: Vec<String>,
    /// Audience principals.
    pub aud: Vec<Principal>,
    /// Issued-at value; unit not visible here — TODO confirm.
    pub iat: u64,
    /// Expiry value, presumably in the same unit as `iat`.
    // NOTE(review): `iat < exp` is not enforced by the type.
    pub exp: u64,
}
/// Token made of claims, the delegation proof backing them, and signature bytes.
///
/// Derives `Debug`, so formatting a value prints every field including
/// `token_sig`.
// NOTE(review): if these tokens act as bearer credentials, avoid logging whole
// values — confirm.
// NOTE(review): a verifier presumably has to check both `proof.cert_sig` and
// `token_sig`, and that `claims` stay inside `proof.cert`: same `shard_pid`,
// `scopes` and `aud` no wider than the cert's, and `iat`/`exp` within
// `issued_at`/`expires_at`. None of that is enforced by this type.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub struct DelegatedToken {
    /// Claims asserted by the token.
    pub claims: DelegatedTokenClaims,
    /// Delegation proof the token relies on.
    pub proof: DelegationProof,
    /// Raw signature bytes (presumably over `claims`, made by the shard key — confirm).
    pub token_sig: Vec<u8>,
}
/// Request for a delegation covering one shard principal.
///
/// Every field is supplied by the sender; the two `#[serde(default)]` fields may
/// be omitted and are then `None`.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub struct DelegationRequest {
    /// Shard principal the delegation is requested for.
    pub shard_pid: Principal,
    /// Requested scope names.
    // NOTE(review): the issuer presumably has to check these against what the
    // caller may be granted — not visible here.
    pub scopes: Vec<String>,
    /// Requested audience principals.
    pub aud: Vec<Principal>,
    /// Requested lifetime (seconds, going by the name).
    // NOTE(review): caller-controlled `u64`; the issuer should cap it and use
    // checked arithmetic when deriving an expiry from it.
    pub ttl_secs: u64,
    /// Principals that should receive the resulting proof as verifiers (presumably).
    pub verifier_targets: Vec<Principal>,
    /// Whether the root is to be included as a verifier (going by the name).
    pub include_root_verifier: bool,
    /// Optional public key bytes, presumably SEC1-encoded — validate before use.
    #[serde(default)]
    pub shard_public_key_sec1: Option<Vec<u8>>,
    /// Optional request metadata; its contents are defined outside this file.
    #[serde(default)]
    pub metadata: Option<RootRequestMetadata>,
}
/// Request for an attestation that a subject principal holds a role.
///
/// `subnet_id`, `audience` and `metadata` are `#[serde(default)]` and become
/// `None` when omitted.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub struct RoleAttestationRequest {
    /// Principal the attestation is requested about.
    // NOTE(review): the issuer presumably has to establish that `subject` really
    // holds `role` instead of trusting the request — not visible here.
    pub subject: Principal,
    /// Role to attest; `CanisterRole` is defined outside this file.
    pub role: CanisterRole,
    /// Optional subnet principal.
    #[serde(default)]
    pub subnet_id: Option<Principal>,
    /// Optional audience principal.
    // NOTE(review): decide whether `None` means "any audience" and document it.
    #[serde(default)]
    pub audience: Option<Principal>,
    /// Requested lifetime (seconds, going by the name); caller-controlled, so cap it.
    pub ttl_secs: u64,
    /// Epoch value; meaning not visible here — TODO confirm.
    pub epoch: u64,
    /// Optional request metadata; its contents are defined outside this file.
    #[serde(default)]
    pub metadata: Option<RootRequestMetadata>,
}
/// Attestation payload binding a subject principal to a role for a validity
/// window. It is the `payload` of [`SignedRoleAttestation`].
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RoleAttestation {
    /// Principal the attestation is about.
    pub subject: Principal,
    /// Attested role; `CanisterRole` is defined outside this file.
    pub role: CanisterRole,
    /// Optional subnet principal; `None` when omitted.
    #[serde(default)]
    pub subnet_id: Option<Principal>,
    /// Optional audience principal; `None` when omitted.
    // NOTE(review): a verifier should decide explicitly how to treat `None`
    // rather than accepting it by default.
    #[serde(default)]
    pub audience: Option<Principal>,
    /// Start of the validity window; unit not visible here — TODO confirm.
    pub issued_at: u64,
    /// End of the validity window, presumably in the same unit as `issued_at`.
    pub expires_at: u64,
    /// Epoch value.
    // NOTE(review): presumably lets verifiers reject attestations from an older
    // epoch — confirm.
    pub epoch: u64,
}
/// A [`RoleAttestation`] together with signature bytes and a key identifier.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct SignedRoleAttestation {
    /// The attested payload.
    pub payload: RoleAttestation,
    /// Raw signature bytes (presumably over `payload`; encoding not visible here).
    pub signature: Vec<u8>,
    /// Identifier of the signing key.
    // NOTE(review): has the same type as `AttestationKey::key_id`, so presumably
    // selects an entry in an `AttestationKeySet`; a verifier should reject unknown
    // ids instead of falling back to another key — confirm.
    pub key_id: u32,
}
/// Status tag of an [`AttestationKey`].
// NOTE(review): the variant names suggest key rotation with one active key and
// one retained key — confirm how long `Previous` keys remain acceptable.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq)]
pub enum AttestationKeyStatus {
    /// Presumably the key used for new signatures.
    Current,
    /// Presumably a superseded key kept for verification only.
    Previous,
}
/// One public key entry with an identifier, a status and an optional validity
/// window.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq)]
pub struct AttestationKey {
    /// Identifier of this key.
    pub key_id: u32,
    /// Raw public key bytes; encoding and algorithm are not visible here — TODO confirm.
    pub public_key: Vec<u8>,
    /// Status of the key.
    pub status: AttestationKeyStatus,
    /// Optional start of validity; `None` when omitted.
    #[serde(default)]
    pub valid_from: Option<u64>,
    /// Optional end of validity; `None` when omitted.
    // NOTE(review): decide whether `None` means "no limit", in particular for
    // `Previous` keys, and document it.
    #[serde(default)]
    pub valid_until: Option<u64>,
}
/// A list of [`AttestationKey`] entries tagged with a root principal and a
/// generation value.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq)]
pub struct AttestationKeySet {
    /// Root principal the set is associated with.
    // NOTE(review): consumers presumably need to authenticate where the set came
    // from; this field alone proves nothing about origin.
    pub root_pid: Principal,
    /// Generation value (presumably a timestamp; unit not visible here).
    pub generated_at: u64,
    /// The keys. The type does not prevent duplicate `key_id` values or several
    /// `Current` entries.
    pub keys: Vec<AttestationKey>,
}
/// Request carrying an unsigned [`DelegationCert`] plus the principals to
/// provision as signers and verifiers.
// NOTE(review): the cert arrives without a signature, so the receiver presumably
// signs it; it should validate every cert field before doing so — confirm.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub struct DelegationProvisionRequest {
    /// Certificate to provision.
    pub cert: DelegationCert,
    /// Principals targeted as signers.
    pub signer_targets: Vec<Principal>,
    /// Principals targeted as verifiers.
    pub verifier_targets: Vec<Principal>,
    /// Optional public key bytes, presumably SEC1-encoded; `None` when omitted.
    #[serde(default)]
    pub shard_public_key_sec1: Option<Vec<u8>>,
}
/// Response carrying the resulting [`DelegationProof`] and one result entry per
/// provisioning target.
#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegationProvisionResponse {
    /// The proof produced for the request.
    pub proof: DelegationProof,
    /// Per-target outcomes.
    // NOTE(review): a proof is returned even if some entries report `Failed`;
    // callers should inspect every entry rather than treating the response as
    // overall success.
    pub results: Vec<DelegationProvisionTargetResponse>,
}
/// Request to push an existing [`DelegationProof`] to a list of verifier
/// principals. It is the payload of both [`DelegationAdminCommand`] variants.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq)]
pub struct DelegationVerifierProofPushRequest {
    /// Proof to push.
    // NOTE(review): the handler presumably re-verifies the proof before
    // forwarding it — not visible here.
    pub proof: DelegationProof,
    /// Principals that should receive the proof.
    pub verifier_targets: Vec<Principal>,
}
/// Response to a verifier proof push: one result entry per target.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub struct DelegationVerifierProofPushResponse {
    /// Per-target outcomes; check each entry's `status`.
    pub results: Vec<DelegationProvisionTargetResponse>,
}
/// Summary of a delegation proof: shard principal and validity window, without
/// the certificate body or signature.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq)]
pub struct DelegationProofStatus {
    /// Shard principal the proof belongs to.
    pub shard_pid: Principal,
    /// Start of the validity window; unit not visible here — TODO confirm.
    pub issued_at: u64,
    /// End of the validity window, presumably in the same unit as `issued_at`.
    pub expires_at: u64,
}
/// Kind tag of a provisioning target, reported in
/// [`DelegationProvisionTargetResponse`].
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum DelegationProvisionTargetKind {
    /// The target was addressed as a signer.
    Signer,
    /// The target was addressed as a verifier.
    Verifier,
}
/// Outcome tag for one provisioning target.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum DelegationProvisionStatus {
    /// The target reported success.
    Ok,
    /// The target did not succeed; details, if any, travel in the `error` field
    /// of [`DelegationProvisionTargetResponse`].
    Failed,
}
/// Administrative commands; both variants wrap a
/// [`DelegationVerifierProofPushRequest`].
// NOTE(review): caller authorization is not expressed in this type. The endpoint
// that accepts these commands presumably restricts who may send them — confirm.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub enum DelegationAdminCommand {
    /// Push a proof to verifiers ahead of use (going by the name).
    PrewarmVerifiers(DelegationVerifierProofPushRequest),
    /// Push a proof to verifiers to repair their state (going by the name).
    RepairVerifiers(DelegationVerifierProofPushRequest),
}
/// Responses to [`DelegationAdminCommand`]; each variant carries the push
/// response for the matching command.
#[derive(CandidType, Clone, Debug, Deserialize)]
pub enum DelegationAdminResponse {
    /// Result of a `PrewarmVerifiers` command.
    PrewarmedVerifiers {
        /// Per-target outcomes of the push.
        result: DelegationVerifierProofPushResponse,
    },
    /// Result of a `RepairVerifiers` command.
    RepairedVerifiers {
        /// Per-target outcomes of the push.
        result: DelegationVerifierProofPushResponse,
    },
}
/// Outcome of provisioning or pushing to a single target principal.
///
/// `status` and `error` are independent fields, so the type can represent
/// combinations such as `Ok` with `Some(error)` or `Failed` with `None`.
// NOTE(review): consumers should key decisions off `status` and treat `error` as
// diagnostic detail only.
#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
pub struct DelegationProvisionTargetResponse {
    /// Principal that was targeted.
    pub target: Principal,
    /// Whether it was targeted as a signer or a verifier.
    pub kind: DelegationProvisionTargetKind,
    /// Outcome for this target.
    pub status: DelegationProvisionStatus,
    /// Optional error detail. Unlike the other optional fields in this file it
    /// carries no `#[serde(default)]`.
    pub error: Option<Error>,
}