canic_core/dto/
auth.rs

1use crate::dto::{error::Error, prelude::*, rpc::RootRequestMetadata};
2
3//
4// DelegationCert
5//
6
7#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
8pub struct DelegationCert {
9    pub root_pid: Principal,
10    pub shard_pid: Principal,
11    pub issued_at: u64,
12    pub expires_at: u64,
13    pub scopes: Vec<String>,
14    pub aud: Vec<Principal>,
15}
16
17//
18// DelegationProof
19//
20
21#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
22pub struct DelegationProof {
23    pub cert: DelegationCert,
24    pub cert_sig: Vec<u8>,
25}
26
27//
28// DelegationProofInstallIntent
29//
30
31#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq)]
32pub enum DelegationProofInstallIntent {
33    Provisioning,
34    Prewarm,
35    Repair,
36}
37
38//
39// DelegationProofInstallRequest
40//
41
42#[derive(CandidType, Clone, Debug, Deserialize)]
43pub struct DelegationProofInstallRequest {
44    pub proof: DelegationProof,
45    pub intent: DelegationProofInstallIntent,
46    #[serde(default)]
47    pub root_public_key_sec1: Option<Vec<u8>>,
48    #[serde(default)]
49    pub shard_public_key_sec1: Option<Vec<u8>>,
50}
51
52//
53// DelegatedTokenClaims
54//
55
56#[derive(CandidType, Clone, Debug, Deserialize)]
57pub struct DelegatedTokenClaims {
58    pub sub: Principal,
59    pub shard_pid: Principal,
60    pub scopes: Vec<String>,
61    pub aud: Vec<Principal>,
62    pub iat: u64,
63    pub exp: u64,
64}
65
66//
67// DelegatedToken
68//
69
70#[derive(CandidType, Clone, Debug, Deserialize)]
71pub struct DelegatedToken {
72    pub claims: DelegatedTokenClaims,
73    pub proof: DelegationProof,
74    pub token_sig: Vec<u8>,
75}
76
77//
78// DelegationRequest
79//
80
81#[derive(CandidType, Clone, Debug, Deserialize)]
82pub struct DelegationRequest {
83    pub shard_pid: Principal,
84    pub scopes: Vec<String>,
85    pub aud: Vec<Principal>,
86    pub ttl_secs: u64,
87    pub verifier_targets: Vec<Principal>,
88    pub include_root_verifier: bool,
89    #[serde(default)]
90    pub shard_public_key_sec1: Option<Vec<u8>>,
91    #[serde(default)]
92    pub metadata: Option<RootRequestMetadata>,
93}
94
95//
96// RoleAttestationRequest
97//
98
99#[derive(CandidType, Clone, Debug, Deserialize)]
100pub struct RoleAttestationRequest {
101    pub subject: Principal,
102    pub role: CanisterRole,
103    #[serde(default)]
104    pub subnet_id: Option<Principal>,
105    #[serde(default)]
106    pub audience: Option<Principal>,
107    pub ttl_secs: u64,
108    pub epoch: u64,
109    #[serde(default)]
110    pub metadata: Option<RootRequestMetadata>,
111}
112
113//
114// RoleAttestation
115//
116
117#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
118pub struct RoleAttestation {
119    pub subject: Principal,
120    pub role: CanisterRole,
121    #[serde(default)]
122    pub subnet_id: Option<Principal>,
123    #[serde(default)]
124    pub audience: Option<Principal>,
125    pub issued_at: u64,
126    pub expires_at: u64,
127    pub epoch: u64,
128}
129
130//
131// SignedRoleAttestation
132//
133
134#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
135pub struct SignedRoleAttestation {
136    pub payload: RoleAttestation,
137    pub signature: Vec<u8>,
138    pub key_id: u32,
139}
140
141//
142// AttestationKeyStatus
143//
144
145#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq)]
146pub enum AttestationKeyStatus {
147    Current,
148    Previous,
149}
150
151//
152// AttestationKey
153//
154
155#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq)]
156pub struct AttestationKey {
157    pub key_id: u32,
158    pub public_key: Vec<u8>,
159    pub status: AttestationKeyStatus,
160    #[serde(default)]
161    pub valid_from: Option<u64>,
162    #[serde(default)]
163    pub valid_until: Option<u64>,
164}
165
166//
167// AttestationKeySet
168//
169
170#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq)]
171pub struct AttestationKeySet {
172    pub root_pid: Principal,
173    pub generated_at: u64,
174    pub keys: Vec<AttestationKey>,
175}
176
177// admin-only: not part of canonical delegation flow.
178// used for controlled provisioning and tooling flows.
179//
180// DelegationProvisionRequest
181//
182
183#[derive(CandidType, Clone, Debug, Deserialize)]
184pub struct DelegationProvisionRequest {
185    pub cert: DelegationCert,
186    pub signer_targets: Vec<Principal>,
187    pub verifier_targets: Vec<Principal>,
188    #[serde(default)]
189    pub shard_public_key_sec1: Option<Vec<u8>>,
190}
191
192// admin-only: not part of canonical delegation flow.
193// used for controlled provisioning and tooling flows.
194//
195// DelegationProvisionResponse
196//
197
198#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
199pub struct DelegationProvisionResponse {
200    pub proof: DelegationProof,
201    pub results: Vec<DelegationProvisionTargetResponse>,
202}
203
204//
205// DelegationVerifierProofPushRequest
206//
207
208#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq)]
209pub struct DelegationVerifierProofPushRequest {
210    pub proof: DelegationProof,
211    pub verifier_targets: Vec<Principal>,
212}
213
214//
215// DelegationVerifierProofPushResponse
216//
217
218#[derive(CandidType, Clone, Debug, Deserialize)]
219pub struct DelegationVerifierProofPushResponse {
220    pub results: Vec<DelegationProvisionTargetResponse>,
221}
222
223//
224// DelegationProofStatus
225//
226
227#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq)]
228pub struct DelegationProofStatus {
229    pub shard_pid: Principal,
230    pub issued_at: u64,
231    pub expires_at: u64,
232}
233
234#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
235pub enum DelegationProvisionTargetKind {
236    Signer,
237    Verifier,
238}
239
240#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
241pub enum DelegationProvisionStatus {
242    Ok,
243    Failed,
244}
245
246//
247// DelegationAdminCommand
248//
249
250#[derive(CandidType, Clone, Debug, Deserialize)]
251pub enum DelegationAdminCommand {
252    PrewarmVerifiers(DelegationVerifierProofPushRequest),
253    RepairVerifiers(DelegationVerifierProofPushRequest),
254}
255
256//
257// DelegationAdminResponse
258//
259
260#[derive(CandidType, Clone, Debug, Deserialize)]
261pub enum DelegationAdminResponse {
262    PrewarmedVerifiers {
263        result: DelegationVerifierProofPushResponse,
264    },
265    RepairedVerifiers {
266        result: DelegationVerifierProofPushResponse,
267    },
268}
269
270//
271// DelegationProvisionTargetResponse
272//
273
274#[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
275pub struct DelegationProvisionTargetResponse {
276    pub target: Principal,
277    pub kind: DelegationProvisionTargetKind,
278    pub status: DelegationProvisionStatus,
279    pub error: Option<Error>,
280}
canic_core/dto/auth.rs

canic_core/dto/
auth.rs
