
canic_core/dto/
auth.rs

1use crate::dto::{prelude::*, rpc::RootRequestMetadata};
2
3//
4// SignatureAlgorithm
5//
6
/// Signature algorithm tag used by the `alg` fields of [`RootPublicKey`] and
/// [`DelegationCert`].
///
/// Exactly one variant is declared, so the type itself admits no other
/// algorithm value.
// NOTE(review): if further variants are added, verifiers should match on this
// enum exhaustively and take the algorithm from their own trust anchor, not
// from the message being verified — confirm against the verification code.
7#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
8pub enum SignatureAlgorithm {
9    EcdsaP256Sha256,
10}
11
12//
13// DelegationAudience
14//
15
/// Audience restriction carried in the `aud` field of [`DelegationCert`],
/// [`DelegatedTokenClaims`] and the issue/mint request types in this file.
///
/// An audience is a list of canister roles, a list of principals, or both.
// NOTE(review): the type does not rule out empty vectors. How an empty audience
// is treated is decided elsewhere — confirm that the verifier fails closed
// (empty audience matches nobody) rather than treating it as "any".
16#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
17pub enum DelegationAudience {
18    Roles(Vec<CanisterRole>),
19    Principals(Vec<Principal>),
    // Presumably satisfied by a match on either list — TODO confirm in the verifier.
20    RolesOrPrincipals {
21        roles: Vec<CanisterRole>,
22        principals: Vec<Principal>,
23    },
24}
25
26//
27// RootPublicKey
28//
29
/// Public-key record for a root: the owning principal, a string key id, the
/// algorithm, the key bytes, a 32-byte hash and a validity window.
///
/// This is a plain data carrier; nothing in the type checks that the fields
/// agree with each other.
30#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
31pub struct RootPublicKey {
32    pub root_pid: Principal,
33    pub key_id: String,
34    pub alg: SignatureAlgorithm,
    // Presumably a SEC1-encoded P-256 point (compressed or uncompressed is not
    // visible here) — TODO confirm, and confirm the decoder rejects other lengths.
35    pub public_key_sec1: Vec<u8>,
    // NOTE(review): presumably a hash of `public_key_sec1`. A consumer should
    // recompute it from the key bytes rather than trust the transmitted value.
36    pub key_hash: [u8; 32],
    // Validity window; the time unit is not visible in this file — TODO confirm.
37    pub not_before: u64,
    // NOTE(review): `None` presumably means "no expiry"; confirm that is intended
    // for a root key and that verifiers handle it explicitly.
38    pub not_after: Option<u64>,
39}
40
41//
42// RootTrustAnchor
43//
44
/// Pairs a root principal with the [`RootPublicKey`] record for that root.
// NOTE(review): `root_pid` appears here and again inside `root_key.root_pid`,
// and the type does not force the two to be equal. Consumers should check that
// they match before using the anchor — confirm this happens where anchors are
// loaded.
45#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
46pub struct RootTrustAnchor {
47    pub root_pid: Principal,
48    pub root_key: RootPublicKey,
49}
50
51//
52// ShardKeyBinding
53//
54
/// Describes how a shard key is bound to its key source; embedded in
/// [`DelegationCert::shard_key_binding`].
///
/// The single variant carries two 32-byte hashes instead of the underlying
/// values.
// NOTE(review): the hash function and the exact preimage encoding (key name,
// derivation path) are not visible in this file — TODO confirm they are fixed
// and domain-separated so the two hashes cannot be confused.
55#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
56pub enum ShardKeyBinding {
57    IcThresholdEcdsa {
58        key_name_hash: [u8; 32],
59        derivation_path_hash: [u8; 32],
60    },
61}
62
63//
64// DelegationCert
65//
66
/// Delegation certificate body: names a root key and a shard key, and carries
/// the validity window, scopes and audience of the delegation.
///
/// [`DelegationProof`] pairs this struct with `root_sig`. The struct is a data
/// carrier only; none of the relationships noted below are enforced by the type.
67#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
68pub struct DelegationCert {
    // NOTE(review): confirm verifiers reject versions they do not know instead of
    // parsing them as the current layout.
69    pub version: u16,
70    pub root_pid: Principal,
71    pub root_key_id: String,
    // NOTE(review): presumably identifies the root key that signed this cert. It
    // should be compared against the verifier's own trust anchor, not against
    // data supplied with the cert — TODO confirm.
72    pub root_key_hash: [u8; 32],
73    pub alg: SignatureAlgorithm,
74    pub shard_pid: Principal,
75    pub shard_key_id: String,
76    pub shard_public_key_sec1: Vec<u8>,
    // NOTE(review): presumably a hash of `shard_public_key_sec1`; recompute it
    // rather than trusting the field.
77    pub shard_key_hash: [u8; 32],
78    pub shard_key_binding: ShardKeyBinding,
    // Time unit of the two timestamps is not visible here — TODO confirm. The type
    // does not enforce `issued_at <= expires_at`.
79    pub issued_at: u64,
80    pub expires_at: u64,
    // Presumably an upper bound on the lifetime of tokens issued under this cert.
81    pub max_token_ttl_secs: u64,
    // Free-form strings; the scope grammar and matching rules live elsewhere.
82    pub scopes: Vec<String>,
83    pub aud: DelegationAudience,
    // Optional; what `None` means for verification is not visible here — TODO confirm.
84    pub verifier_role_hash: Option<[u8; 32]>,
85}
86
87//
88// DelegationProof
89//
90
/// A [`DelegationCert`] together with the root's signature bytes over it.
///
/// Holding a value of this type says nothing about validity: the derived
/// `PartialEq` compares bytes and performs no signature verification.
91#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
92pub struct DelegationProof {
93    pub cert: DelegationCert,
    // Signature encoding (fixed-width r||s vs DER) and the exact signed bytes are
    // not visible in this file — TODO confirm they are canonical and fixed.
94    pub root_sig: Vec<u8>,
95}
96
97//
98// DelegatedTokenClaims
99//
100
/// Claims of a delegated token: subject, issuing shard, validity window,
/// audience, scopes and a 16-byte nonce.
101#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
102pub struct DelegatedTokenClaims {
103    pub version: u16,
104    pub subject: Principal,
    // NOTE(review): presumably must equal `shard_pid` of the accompanying cert —
    // confirm the verifier checks this.
105    pub issuer_shard_pid: Principal,
    // NOTE(review): presumably a hash of the `DelegationCert` these claims were
    // issued under; the verifier should recompute it from the cert it verified.
106    pub cert_hash: [u8; 32],
    // Time unit not visible here — TODO confirm. Presumably the window must lie
    // within the cert's window and respect its `max_token_ttl_secs`.
107    pub issued_at: u64,
108    pub expires_at: u64,
    // NOTE(review): `aud` and `scopes` also exist on the cert. Presumably the
    // token's values must not exceed the cert's — confirm the subset check.
109    pub aud: DelegationAudience,
110    pub scopes: Vec<String>,
    // NOTE(review): whether the nonce is tracked for replay detection or only adds
    // uniqueness is not visible here — TODO confirm.
111    pub nonce: [u8; 16],
112}
113
114//
115// DelegatedToken
116//
117
/// Complete delegated token: the claims, the delegation proof they were issued
/// under, and the shard's signature bytes.
// NOTE(review): the derived `Debug` prints every field, signatures included. If
// these tokens are accepted as bearer credentials, formatting one with `{:?}`
// in a log line puts a usable token in the log — confirm call sites avoid it.
118#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
119pub struct DelegatedToken {
120    pub claims: DelegatedTokenClaims,
121    pub proof: DelegationProof,
    // Presumably a signature by the shard key named in `proof.cert` over `claims`;
    // the signed encoding is not visible here — TODO confirm.
122    pub shard_sig: Vec<u8>,
123}
124
125//
126// DelegationProofIssueRequest
127//
128
/// Request for a delegation proof for a shard, with the scopes, audience and
/// certificate lifetime being asked for.
// NOTE(review): every field is caller-supplied. The handler presumably has to
// authorise the caller for `shard_pid` and clamp `scopes`, `aud` and
// `cert_ttl_secs` to policy — confirm in the issuing endpoint.
129#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
130pub struct DelegationProofIssueRequest {
131    pub shard_pid: Principal,
132    pub scopes: Vec<String>,
133    pub aud: DelegationAudience,
    // u64 seconds; no upper bound is expressed in the type.
134    pub cert_ttl_secs: u64,
135}
136
137//
138// DelegatedTokenIssueRequest
139//
140
/// Request to issue a token under an existing [`DelegationProof`], naming the
/// subject, audience, scopes, lifetime and nonce for the token.
// NOTE(review): `proof` arrives with the request, so the issuer presumably has
// to verify it and check the requested `aud`, `scopes` and `ttl_secs` against
// the cert's limits before signing — confirm in the handler.
141#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
142pub struct DelegatedTokenIssueRequest {
143    pub proof: DelegationProof,
144    pub subject: Principal,
145    pub aud: DelegationAudience,
146    pub scopes: Vec<String>,
147    pub ttl_secs: u64,
    // Supplied by the requester; see DelegatedTokenClaims::nonce for the field it
    // presumably ends up in.
148    pub nonce: [u8; 16],
149}
150
151//
152// DelegatedTokenMintRequest
153//
154
/// Request to mint a token without supplying a proof; it carries separate
/// lifetimes for the token and for the certificate.
// NOTE(review): presumably the receiver obtains or creates the delegation cert
// itself. The relation between `token_ttl_secs` and `cert_ttl_secs` is not
// enforced by the type — confirm the handler rejects a token that would outlive
// its cert.
155#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
156pub struct DelegatedTokenMintRequest {
157    pub subject: Principal,
158    pub aud: DelegationAudience,
159    pub scopes: Vec<String>,
160    pub token_ttl_secs: u64,
161    pub cert_ttl_secs: u64,
162    pub nonce: [u8; 16],
163}
164
165//
166// RoleAttestationRequest
167//
168
/// Request for a role attestation for `subject`, optionally narrowed to a
/// subnet and an audience principal.
///
/// Unlike most types in this file it derives only `CandidType`, `Clone`,
/// `Debug` and `Deserialize`.
169#[derive(CandidType, Clone, Debug, Deserialize)]
170pub struct RoleAttestationRequest {
171    pub subject: Principal,
172    pub role: CanisterRole,
    // `#[serde(default)]`: a missing field deserializes as `None`.
173    #[serde(default)]
174    pub subnet_id: Option<Principal>,
    // NOTE(review): a missing `audience` also becomes `None`. Whether that yields
    // an attestation usable by any verifier is decided elsewhere — confirm the
    // issuer and verifiers treat the unbound case deliberately.
175    #[serde(default)]
176    pub audience: Option<Principal>,
177    pub ttl_secs: u64,
    // Meaning of `epoch` (e.g. a revocation or rotation counter) is not visible
    // here — TODO confirm.
178    pub epoch: u64,
179    #[serde(default)]
180    pub metadata: Option<RootRequestMetadata>,
181}
182
183//
184// RoleAttestation
185//
186
/// Attestation payload: states that `subject` holds `role`, with optional
/// subnet and audience, a validity window and an epoch.
///
/// [`SignedRoleAttestation`] wraps this payload with a signature.
187#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
188pub struct RoleAttestation {
189    pub subject: Principal,
190    pub role: CanisterRole,
    // `#[serde(default)]`: a missing field deserializes as `None`.
191    #[serde(default)]
192    pub subnet_id: Option<Principal>,
    // NOTE(review): `None` presumably means the attestation is not bound to one
    // verifier; confirm verifiers that expect a binding reject `None`.
193    #[serde(default)]
194    pub audience: Option<Principal>,
    // Time unit not visible here — TODO confirm.
195    pub issued_at: u64,
196    pub expires_at: u64,
197    pub epoch: u64,
198}
199
200//
201// SignedRoleAttestation
202//
203
/// A [`RoleAttestation`] payload with signature bytes and the numeric id of the
/// key that signed it.
204#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
205pub struct SignedRoleAttestation {
206    pub payload: RoleAttestation,
    // Signature encoding and the exact signed bytes are not visible here — TODO confirm.
207    pub signature: Vec<u8>,
    // NOTE(review): presumably selects an `AttestationKey` by its `key_id`. The
    // value sits outside `payload`, so confirm whether it is covered by the
    // signature and that an unknown id is rejected, not defaulted.
208    pub key_id: u32,
209}
210
211//
212// AttestationKeyStatus
213//
214
/// Status tag of an [`AttestationKey`]: `Current` or `Previous`.
///
/// `Serialize` is not derived here, unlike most types in this file.
// NOTE(review): presumably supports key rotation, with `Previous` keys still
// accepted for a grace period — confirm how long and where that is enforced.
215#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq)]
216pub enum AttestationKeyStatus {
217    Current,
218    Previous,
219}
220
221//
222// AttestationKey
223//
224
/// One attestation verification key: numeric id, key bytes, key name, 32-byte
/// hash, status and an optional validity window.
225#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq)]
226pub struct AttestationKey {
    // Numeric id; note that `RootPublicKey::key_id` is a `String`.
227    pub key_id: u32,
    // Key encoding is not stated by the field name or type — TODO confirm.
228    pub public_key: Vec<u8>,
229    pub key_name: String,
    // NOTE(review): presumably a hash of `public_key`; recompute it rather than
    // trusting the transmitted value.
230    pub key_hash: [u8; 32],
231    pub status: AttestationKeyStatus,
    // `#[serde(default)]`: missing bounds deserialize as `None`.
    // NOTE(review): `None` presumably means "unbounded" on that side — confirm
    // verifiers handle that case explicitly.
232    #[serde(default)]
233    pub valid_from: Option<u64>,
234    #[serde(default)]
235    pub valid_until: Option<u64>,
236}
237
238//
239// AttestationKeySet
240//
241
/// Set of [`AttestationKey`]s published for a root, with a generation timestamp.
// NOTE(review): nothing in this type authenticates the set (it has no signature
// field). Consumers presumably rely on where the set was fetched from — confirm
// it is only accepted from the expected `root_pid`.
242#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq)]
243pub struct AttestationKeySet {
244    pub root_pid: Principal,
    // Time unit not visible here — TODO confirm.
245    pub generated_at: u64,
    // The type does not prevent duplicate `key_id`s or several `Current` keys.
246    pub keys: Vec<AttestationKey>,
247}