canic_core/access/
auth.rs

1//! Authorization helpers for canister-to-canister and user calls.
2//!
3//! Compose rule futures and enforce them with [`require_all`] or
4//! [`require_any`]. For ergonomics, prefer the facade macros
5//! `canic::auth_require_all!` and `canic::auth_require_any!`, which accept
6//! async closures or functions that return [`AuthRuleResult`].
7
8use crate::{
9    Error, ThisError,
10    access::AccessError,
11    cdk::{
12        api::{canister_self, msg_caller},
13        types::Principal,
14    },
15    ids::CanisterRole,
16    log,
17    log::Topic,
18    ops::{
19        runtime::env::EnvOps,
20        storage::{
21            children::CanisterChildrenOps,
22            directory::{app::AppDirectoryOps, subnet::SubnetDirectoryOps},
23            registry::subnet::SubnetRegistryOps,
24        },
25    },
26};
27use std::pin::Pin;
28
29///
30/// AuthAccessError
31///
32/// Each variant captures the principal that failed a rule (where relevant),
33/// making it easy to emit actionable diagnostics in logs.
34///
35
36#[derive(Debug, ThisError)]
37pub enum AuthAccessError {
38    /// Guardrail for unreachable states (should not be observed in practice).
39    #[error("invalid error state - this should never happen")]
40    InvalidState,
41
42    /// No rules were provided to an authorization check.
43    #[error("one or more rules must be defined")]
44    NoRulesDefined,
45
46    #[error("access dependency unavailable: {0}")]
47    DependencyUnavailable(String),
48
49    #[error("caller '{0}' does not match the app directory's canister role '{1}'")]
50    NotAppDirectoryType(Principal, CanisterRole),
51
52    #[error("caller '{0}' does not match the subnet directory's canister role '{1}'")]
53    NotSubnetDirectoryType(Principal, CanisterRole),
54
55    #[error("caller '{0}' is not a child of this canister")]
56    NotChild(Principal),
57
58    #[error("caller '{0}' is not a controller of this canister")]
59    NotController(Principal),
60
61    #[error("caller '{0}' is not the parent of this canister")]
62    NotParent(Principal),
63
64    #[error("expected caller principal '{1}' got '{0}'")]
65    NotPrincipal(Principal, Principal),
66
67    #[error("caller '{0}' is not root")]
68    NotRoot(Principal),
69
70    #[error("caller '{0}' is not the current canister")]
71    NotSameCanister(Principal),
72
73    #[error("caller '{0}' is not registered on the subnet registry")]
74    NotRegisteredToSubnet(Principal),
75
76    #[error("caller '{0}' is not on the whitelist")]
77    NotWhitelisted(Principal),
78}
79
80impl From<AuthAccessError> for Error {
81    fn from(err: AuthAccessError) -> Self {
82        AccessError::Auth(err).into()
83    }
84}
85
86/// Callable issuing an authorization decision for a given caller.
87pub type AuthRuleFn = Box<
88    dyn Fn(Principal) -> Pin<Box<dyn Future<Output = Result<(), AccessError>> + Send>>
89        + Send
90        + Sync,
91>;
92
93/// Future produced by an [`AuthRuleFn`].
94pub type AuthRuleResult = Pin<Box<dyn Future<Output = Result<(), AccessError>> + Send>>;
95
96/// Require that all provided rules pass for the current caller.
97///
98/// Returns the first failing rule error, or [`AuthError::NoRulesDefined`] if
99/// `rules` is empty.
100pub async fn require_all(rules: Vec<AuthRuleFn>) -> Result<(), AccessError> {
101    let caller = msg_caller();
102
103    if rules.is_empty() {
104        return Err(AuthAccessError::NoRulesDefined.into());
105    }
106
107    for rule in rules {
108        if let Err(err) = rule(caller).await {
109            log!(
110                Topic::Auth,
111                Warn,
112                "auth failed (all) caller={caller}: {err}",
113            );
114
115            return Err(err);
116        }
117    }
118
119    Ok(())
120}
121
122/// Require that any one of the provided rules passes for the current caller.
123///
124/// Returns the last failing rule error if none pass, or
125/// [`AuthError::NoRulesDefined`] if `rules` is empty.
126pub async fn require_any(rules: Vec<AuthRuleFn>) -> Result<(), AccessError> {
127    let caller = msg_caller();
128
129    if rules.is_empty() {
130        return Err(AuthAccessError::NoRulesDefined.into());
131    }
132
133    let mut last_error = None;
134    for rule in rules {
135        match rule(caller).await {
136            Ok(()) => return Ok(()),
137            Err(e) => last_error = Some(e),
138        }
139    }
140
141    let err = last_error.unwrap_or_else(|| AuthAccessError::InvalidState.into());
142    log!(
143        Topic::Auth,
144        Warn,
145        "auth failed (any) caller={caller}: {err}",
146    );
147
148    Err(err)
149}
150
151// -----------------------------------------------------------------------------
152// Rule functions
153// -----------------------------------------------------------------------------
154
155/// Ensure the caller matches the subnet directory entry recorded for `role`.
156/// Use for admin endpoints that expect specific app directory canisters.
157#[must_use]
158pub fn is_app_directory_role(caller: Principal, role: CanisterRole) -> AuthRuleResult {
159    Box::pin(async move {
160        if AppDirectoryOps::matches(&role, caller) {
161            Ok(())
162        } else {
163            Err(AuthAccessError::NotAppDirectoryType(caller, role).into())
164        }
165    })
166}
167
168/// Require that the caller is a direct child of the current canister.
169/// Protects child-only endpoints (e.g., sync) from sibling/root callers.
170#[must_use]
171pub fn is_child(caller: Principal) -> AuthRuleResult {
172    Box::pin(async move {
173        if CanisterChildrenOps::contains_pid(&caller) {
174            Ok(())
175        } else {
176            Err(AuthAccessError::NotChild(caller).into())
177        }
178    })
179}
180
181/// Require that the caller controls the current canister.
182/// Allows controller-only maintenance calls.
183#[must_use]
184pub fn is_controller(caller: Principal) -> AuthRuleResult {
185    Box::pin(async move {
186        if crate::cdk::api::is_controller(&caller) {
187            Ok(())
188        } else {
189            Err(AuthAccessError::NotController(caller).into())
190        }
191    })
192}
193
194/// Require that the caller is the configured parent canister.
195/// Use on child sync endpoints to enforce parent-only calls.
196#[must_use]
197pub fn is_parent(caller: Principal) -> AuthRuleResult {
198    Box::pin(async move {
199        let parent_pid = EnvOps::parent_pid().map_err(to_access)?;
200
201        if parent_pid == caller {
202            Ok(())
203        } else {
204            Err(AuthAccessError::NotParent(caller).into())
205        }
206    })
207}
208
209/// Require that the caller equals the provided `expected` principal.
210/// Handy for single-tenant or pre-registered callers.
211#[must_use]
212pub fn is_principal(caller: Principal, expected: Principal) -> AuthRuleResult {
213    Box::pin(async move {
214        if caller == expected {
215            Ok(())
216        } else {
217            Err(AuthAccessError::NotPrincipal(caller, expected).into())
218        }
219    })
220}
221
222/// Require that the caller is registered as a canister on this subnet.
223///
224/// NOTE: Currently enforced only on the root canister.
225#[must_use]
226pub fn is_registered_to_subnet(caller: Principal) -> AuthRuleResult {
227    Box::pin(async move {
228        if SubnetRegistryOps::is_registered(caller) {
229            Ok(())
230        } else {
231            Err(AuthAccessError::NotRegisteredToSubnet(caller).into())
232        }
233    })
234}
235
236/// Require that the caller equals the configured root canister.
237/// Gate root-only operations (e.g., topology mutations).
238#[must_use]
239pub fn is_root(caller: Principal) -> AuthRuleResult {
240    Box::pin(async move {
241        let root_pid = EnvOps::root_pid().map_err(to_access)?;
242
243        if caller == root_pid {
244            Ok(())
245        } else {
246            Err(AuthAccessError::NotRoot(caller).into())
247        }
248    })
249}
250
251/// Require that the caller is the currently executing canister.
252/// For self-calls only.
253#[must_use]
254pub fn is_same_canister(caller: Principal) -> AuthRuleResult {
255    Box::pin(async move {
256        if caller == canister_self() {
257            Ok(())
258        } else {
259            Err(AuthAccessError::NotSameCanister(caller).into())
260        }
261    })
262}
263
264/// Ensure the caller matches the subnet directory entry recorded for `role`.
265/// Use for admin endpoints that expect specific app directory canisters.
266#[must_use]
267pub fn is_subnet_directory_role(caller: Principal, role: CanisterRole) -> AuthRuleResult {
268    Box::pin(async move {
269        match SubnetDirectoryOps::get(&role) {
270            Some(pid) if pid == caller => Ok(()),
271            _ => Err(AuthAccessError::NotSubnetDirectoryType(caller, role).into()),
272        }
273    })
274}
275
276/// Require that the caller appears in the active whitelist (IC deployments).
277/// No-op on local builds; enforces whitelist on IC.
278#[must_use]
279pub fn is_whitelisted(caller: Principal) -> AuthRuleResult {
280    Box::pin(async move {
281        use crate::config::Config;
282        let cfg = Config::get().map_err(to_access)?;
283
284        if !cfg.is_whitelisted(&caller) {
285            return Err(AuthAccessError::NotWhitelisted(caller).into());
286        }
287
288        Ok(())
289    })
290}
291
292/// to_access
293/// helper function
294fn to_access(err: Error) -> AccessError {
295    AuthAccessError::DependencyUnavailable(err.to_string()).into()
296}