
canic_core/api/auth/
attestation.rs

1//! Module: api::auth::attestation
2//!
3//! Responsibility: adapt role-attestation endpoint calls.
4//! Does not own: role-attestation signing, cache state, or verifier internals.
5//! Boundary: delegates root preparation/retrieval and local verification to workflow/ops.
6
7use super::AuthApi;
8use crate::{
9    dto::{
10        auth::{
11            RoleAttestationGetRequest, RoleAttestationPrepareResponse, RoleAttestationRequest,
12            SignedRoleAttestation,
13        },
14        error::Error,
15    },
16    ops::{auth::AuthOps, ic::IcOps, runtime::env::EnvOps},
17    workflow::runtime::auth::RuntimeAuthWorkflow,
18};
19
impl AuthApi {
    /// Ask the runtime auth workflow to prepare a role attestation on the root update path.
    ///
    /// The request is handed unchanged to
    /// `RuntimeAuthWorkflow::prepare_role_attestation_root`.
    ///
    /// # Errors
    /// Any workflow failure is converted with `Self::map_auth_error`.
    //
    // NOTE(review): unlike `get_role_attestation_root`, no `EnvOps::require_root()` gate is
    // visible at this layer. Presumably the workflow enforces root-only execution and ties
    // the request to the calling principal -- confirm before wiring this to a new endpoint.
    pub fn prepare_role_attestation_root(
        request: RoleAttestationRequest,
    ) -> Result<RoleAttestationPrepareResponse, Error> {
        match RuntimeAuthWorkflow::prepare_role_attestation_root(request) {
            Ok(prepared) => Ok(prepared),
            Err(cause) => Err(Self::map_auth_error(cause)),
        }
    }

    /// Fetch a previously prepared role attestation together with its root proof.
    ///
    /// The lookup is keyed by the message caller (`IcOps::msg_caller()`) and the
    /// `payload_hash` carried in the request; no other request field is read here.
    ///
    /// # Errors
    /// Returns the `EnvOps::require_root()` failure (converted with `Error::from`) before
    /// any lookup happens, or the lookup failure converted with `Self::map_auth_error`.
    pub fn get_role_attestation_root(
        request: RoleAttestationGetRequest,
    ) -> Result<SignedRoleAttestation, Error> {
        // The root check runs first: when it fails, neither the caller lookup nor the
        // attestation store is touched.
        if let Err(not_root) = EnvOps::require_root() {
            return Err(Error::from(not_root));
        }

        // The caller identity is taken from the message, not from the request body.
        // NOTE(review): presumably this stops one principal from fetching an attestation
        // prepared for another -- confirm in `AuthOps::get_role_attestation`.
        let caller = IcOps::msg_caller();
        match AuthOps::get_role_attestation(caller, request.payload_hash) {
            Ok(signed) => Ok(signed),
            Err(cause) => Err(Self::map_auth_error(cause)),
        }
    }

    /// Check a signed role attestation locally through the runtime auth workflow.
    ///
    /// `min_accepted_epoch` is forwarded as-is.
    /// NOTE(review): presumably attestations from an epoch below this value are rejected,
    /// so callers should pass their current floor rather than `0` -- confirm in the workflow.
    ///
    /// # Errors
    /// Any verification failure is converted with `Self::map_auth_error`. Only `Ok(())`
    /// means the workflow accepted the attestation; treat every `Err` as a rejection.
    pub async fn verify_role_attestation(
        attestation: &SignedRoleAttestation,
        min_accepted_epoch: u64,
    ) -> Result<(), Error> {
        let verdict =
            RuntimeAuthWorkflow::verify_role_attestation(attestation, min_accepted_epoch).await;
        match verdict {
            Ok(()) => Ok(()),
            Err(cause) => Err(Self::map_auth_error(cause)),
        }
    }
}