
canic_core/api/auth/
root.rs

1//! Module: api::auth::root
2//!
3//! Responsibility: adapt root-only issuer policy, renewal, and chain-key proof calls.
4//! Does not own: root timer execution, batch signing, or proof install state.
5//! Boundary: verifies root context and delegates to auth ops/workflow.
6
7use super::AuthApi;
8use crate::{
9    dto::{
10        auth::{
11            RootDelegationProofBatchProof, RootIssuerPolicyResponse, RootIssuerPolicyUpsertRequest,
12            RootIssuerRenewalStatusRequest, RootIssuerRenewalStatusResponse,
13            RootIssuerRenewalTemplateResponse, RootIssuerRenewalTemplateUpsertRequest,
14        },
15        error::Error,
16    },
17    ops::{auth::AuthOps, ic::IcOps, runtime::env::EnvOps},
18    workflow::runtime::auth::RuntimeAuthWorkflow,
19};
20
// Root-only entry points. Each one calls `EnvOps::require_root()` before doing
// anything else and returns early if that check fails.
// NOTE(review): `require_root` is the only gate visible in this file, and what
// it verifies is not shown here. Caller authorization (e.g. a controller check)
// is presumably enforced by the endpoint layer that calls these; confirm.
impl AuthApi {
    /// Create or update the root issuer policy.
    ///
    /// The current time from `IcOps::now_nanos()` is passed to the auth ops
    /// layer together with the request.
    ///
    /// # Errors
    ///
    /// Returns the converted `require_root` error when the root check fails,
    /// or the auth error mapped through `Self::map_auth_error` when the upsert
    /// is rejected.
    pub fn upsert_root_issuer_policy_root(
        request: RootIssuerPolicyUpsertRequest,
    ) -> Result<RootIssuerPolicyResponse, Error> {
        // Gate first: no policy write is attempted outside the root context.
        EnvOps::require_root().map_err(Error::from)?;

        let now_nanos = IcOps::now_nanos();
        AuthOps::upsert_root_issuer_policy(request, now_nanos).map_err(Self::map_auth_error)
    }

    /// Create or update the root-managed renewal template.
    ///
    /// When the template in the response is enabled, the root delegation
    /// renewal timer is also asked to start
    /// (`start_root_delegation_renewal_timer_soon_if_configured`).
    ///
    /// # Errors
    ///
    /// Returns the converted `require_root` error, or an auth error mapped
    /// through `Self::map_auth_error` from either the upsert or the timer
    /// start.
    pub fn upsert_root_issuer_renewal_template_root(
        request: RootIssuerRenewalTemplateUpsertRequest,
    ) -> Result<RootIssuerRenewalTemplateResponse, Error> {
        // Gate first: no template write is attempted outside the root context.
        EnvOps::require_root().map_err(Error::from)?;

        let now_nanos = IcOps::now_nanos();
        let response = AuthOps::upsert_root_issuer_renewal_template(request, now_nanos)
            .map_err(Self::map_auth_error)?;

        // A disabled template needs no timer; return the stored result as is.
        if !response.template.enabled {
            return Ok(response);
        }

        // NOTE(review): the upsert above has already succeeded at this point.
        // If the timer start fails, `Err` is returned without undoing the
        // upsert here; confirm that callers either trap (discarding state
        // changes) or tolerate a stored template with no timer scheduled.
        RuntimeAuthWorkflow::start_root_delegation_renewal_timer_soon_if_configured()
            .map_err(Self::map_auth_error)?;
        Ok(response)
    }

    /// Report the root-managed renewal template/state for one issuer.
    ///
    /// The status lookup itself returns a plain response, so the root check is
    /// the only error source in this function.
    ///
    /// # Errors
    ///
    /// Returns the converted `require_root` error when the root check fails.
    pub fn root_issuer_renewal_status_root(
        request: RootIssuerRenewalStatusRequest,
    ) -> Result<RootIssuerRenewalStatusResponse, Error> {
        EnvOps::require_root().map_err(Error::from)?;

        let status = AuthOps::root_issuer_renewal_status(request);
        Ok(status)
    }

    /// Return or create a chain-key root delegation proof for the caller.
    ///
    /// The function takes no arguments: the principal handed to the workflow
    /// is always `IcOps::msg_caller()`, never a value supplied in the request.
    /// NOTE(review): whether the caller is a registered issuer is not checked
    /// in this function; presumably the workflow enforces it. Confirm.
    ///
    /// # Errors
    ///
    /// Returns the converted `require_root` error, or the workflow's auth
    /// error mapped through `Self::map_auth_error`.
    pub async fn get_or_create_chain_key_delegation_proof_root()
    -> Result<RootDelegationProofBatchProof, Error> {
        EnvOps::require_root().map_err(Error::from)?;

        // Read the caller before the first await point.
        let caller = IcOps::msg_caller();
        RuntimeAuthWorkflow::get_or_create_chain_key_delegation_proof_for_issuer_root(caller)
            .await
            .map_err(Self::map_auth_error)
    }
}