
canic_core/dto/auth/
renewal.rs

1//! Module: dto::auth::renewal
2//!
3//! Responsibility: root issuer policy and renewal status DTOs.
4//! Does not own: scheduling, proof batch creation, or install result mutation.
5//! Boundary: passive operator/root endpoint contracts for issuer renewal state.
6
7use super::{DelegatedRoleGrant, DelegationAudience, DelegationProof};
8use crate::dto::prelude::*;
9
10//
11// RootDelegationProofBatchProofRef
12//
13
/// Identifies one proof of a root delegation proof batch without carrying the proof.
///
/// Holds only the issuer principal and a 32-byte certificate hash.
// NOTE(review): the hash algorithm and the exact bytes hashed into `cert_hash`
// are not visible in this module; confirm them before comparing hashes that
// were produced by different components.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RootDelegationProofBatchProofRef {
    /// Principal of the issuer this reference points at.
    pub issuer_pid: Principal,
    /// 32-byte certificate hash used to identify the proof.
    pub cert_hash: [u8; 32],
}
19
20//
21// RootDelegationProofBatchProof
22//
23
/// One batch entry: an issuer principal, a 32-byte certificate hash and the
/// delegation proof itself.
// NOTE(review): `issuer_pid` and `cert_hash` sit next to `proof` as plain
// caller-supplied fields; nothing in this type binds them to the proof's
// contents. Presumably the receiver recomputes and compares them (the install
// outcome enum has a `ProofMismatch` variant) - confirm.
// NOTE(review): `Debug` is derived, so formatting this value also formats
// `proof` through `DelegationProof`'s own `Debug` impl; check that this is
// acceptable wherever these values are logged.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RootDelegationProofBatchProof {
    /// Principal of the issuer the entry is for.
    pub issuer_pid: Principal,
    /// 32-byte certificate hash accompanying the proof.
    pub cert_hash: [u8; 32],
    /// The delegation proof carried by this entry.
    pub proof: DelegationProof,
}
30
31//
32// RootDelegationProofBatchInstallRequest
33//
34
/// Request to install a batch of root delegation proofs.
// NOTE(review): the type places no bound on `proofs.len()` and does not rule
// out duplicate `(issuer_pid, cert_hash)` entries. This module is a passive
// DTO layer, so size limits, de-duplication and caller authorization have to
// be enforced by the endpoint that accepts the request - confirm they are.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RootDelegationProofBatchInstallRequest {
    /// 32-byte identifier of the batch.
    pub batch_id: [u8; 32],
    /// Proof entries that make up the batch.
    pub proofs: Vec<RootDelegationProofBatchProof>,
}
40
41//
42// RootDelegationProofInstallOutcome
43//
44
/// Outcome categories for installing a single root delegation proof.
///
/// The variants are unit-like and carry no detail payload.
// NOTE(review): variant meanings are not documented in this module and are
// read from their names only. Presumably `Installed` and `AlreadyInstalled`
// are the only success cases and every other variant means the proof is not
// in effect - confirm against the installer before branching on this enum.
// Variant order is kept as declared; do not reorder without checking every
// serialized consumer.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum RootDelegationProofInstallOutcome {
    Installed,
    AlreadyInstalled,
    RejectedBySigner,
    CallFailed,
    ProofMismatch,
    ExpiredOrSuperseded,
}
54
55//
56// RootIssuerPolicyUpsertRequest
57//
58
/// Request to create or update the root policy for one issuer.
// NOTE(review): every field is unconstrained at the type level. The handler
// that consumes this request is the only place where ranges and caller
// authorization can be enforced; nothing here does it.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RootIssuerPolicyUpsertRequest {
    /// Principal of the issuer the policy applies to.
    pub issuer_pid: Principal,
    /// Whether the policy is enabled.
    pub enabled: bool,
    /// Audiences the policy allows.
    // NOTE(review): whether an empty list means "allow none" or "allow any" is
    // not visible here - confirm it fails closed.
    pub allowed_audiences: Vec<DelegationAudience>,
    /// Role grants the policy allows.
    // NOTE(review): same open question for an empty list as above.
    pub allowed_grants: Vec<DelegatedRoleGrant>,
    /// Upper bound on certificate lifetime; the `_ns` suffix suggests nanoseconds.
    // NOTE(review): `0` and `u64::MAX` are both representable; presumably the
    // handler rejects or clamps them - confirm.
    pub max_cert_ttl_ns: u64,
    /// Refresh threshold as a ratio; the `_bps` suffix suggests basis points.
    // NOTE(review): if this is basis points (10_000 = 100%), `u16` still admits
    // values up to 65_535, so the handler should reject anything above 10_000.
    pub refresh_after_ratio_bps: u16,
}
68
69//
70// RootIssuerPolicyView
71//
72
/// Read-side view of the root policy for one issuer.
///
/// Has the same fields, with the same types, as `RootIssuerPolicyUpsertRequest`.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RootIssuerPolicyView {
    /// Principal of the issuer the policy applies to.
    pub issuer_pid: Principal,
    /// Whether the policy is enabled.
    pub enabled: bool,
    /// Audiences the policy allows.
    pub allowed_audiences: Vec<DelegationAudience>,
    /// Role grants the policy allows.
    pub allowed_grants: Vec<DelegatedRoleGrant>,
    /// Upper bound on certificate lifetime; the `_ns` suffix suggests nanoseconds.
    pub max_cert_ttl_ns: u64,
    /// Refresh threshold as a ratio; the `_bps` suffix suggests basis points.
    pub refresh_after_ratio_bps: u16,
}
82
83//
84// RootIssuerPolicyResponse
85//
86
/// Response envelope that returns a single issuer policy view.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RootIssuerPolicyResponse {
    /// The issuer policy being returned.
    pub issuer: RootIssuerPolicyView,
}
91
92//
93// RootIssuerRenewalTemplateUpsertRequest
94//
95
/// Request to create or update the renewal template for one issuer.
// NOTE(review): nothing in this type ties `aud`, `grants` or `cert_ttl_ns` to
// the issuer policy's `allowed_audiences`, `allowed_grants` or
// `max_cert_ttl_ns`. Presumably the handler checks the template against the
// policy (the renewal outcome enum has a `PolicyRejected` variant) - confirm
// that the check runs on upsert and again at renewal time, since the policy
// can change after the template was stored.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RootIssuerRenewalTemplateUpsertRequest {
    /// Principal of the issuer the template belongs to.
    pub issuer_pid: Principal,
    /// Whether the template is enabled.
    pub enabled: bool,
    /// The single delegation audience of the template.
    pub aud: DelegationAudience,
    /// Role grants requested by the template.
    pub grants: Vec<DelegatedRoleGrant>,
    /// Certificate lifetime; the `_ns` suffix suggests nanoseconds.
    pub cert_ttl_ns: u64,
}
104
105//
106// RootIssuerRenewalTemplateView
107//
108
/// Read-side view of the renewal template for one issuer.
///
/// Has the same fields, with the same types, as
/// `RootIssuerRenewalTemplateUpsertRequest`.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RootIssuerRenewalTemplateView {
    /// Principal of the issuer the template belongs to.
    pub issuer_pid: Principal,
    /// Whether the template is enabled.
    pub enabled: bool,
    /// The single delegation audience of the template.
    pub aud: DelegationAudience,
    /// Role grants requested by the template.
    pub grants: Vec<DelegatedRoleGrant>,
    /// Certificate lifetime; the `_ns` suffix suggests nanoseconds.
    pub cert_ttl_ns: u64,
}
117
118//
119// RootIssuerRenewalTemplateResponse
120//
121
/// Response envelope that returns a single renewal template view.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RootIssuerRenewalTemplateResponse {
    /// The renewal template being returned.
    pub template: RootIssuerRenewalTemplateView,
}
126
127//
128// RootIssuerRenewalStatusRequest
129//
130
/// Request for the renewal status of one issuer.
// NOTE(review): the request names the issuer only; who may query another
// issuer's renewal state is not expressed here and has to be decided by the
// endpoint that serves it.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RootIssuerRenewalStatusRequest {
    /// Principal of the issuer whose status is requested.
    pub issuer_pid: Principal,
}
135
136//
137// RootIssuerRenewalOutcome
138//
139
/// Outcome categories recorded for issuer renewal.
///
/// Used in this module as `RootIssuerRenewalStateView::last_outcome` and as
/// the optional `RootIssuerRenewalAttemptView::failure`. The variants are
/// unit-like and carry no detail payload.
// NOTE(review): the enum mixes what look like success variants (`Installed`,
// `AlreadyInstalled`), a "no run yet" variant (`NeverRun`) and failure
// variants. Because the attempt view's `failure` field has this type, the type
// system does not stop a success variant from appearing there; consumers
// should not treat `failure.is_some()` alone as proof of failure without
// confirming the producer's invariant.
// NOTE(review): variant meanings are read from their names only. Variant
// order is kept as declared; do not reorder without checking every serialized
// consumer.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum RootIssuerRenewalOutcome {
    AlreadyInstalled,
    DriftDetected,
    InstallDeadlineExpired,
    Installed,
    IssuerCallFailed,
    NeverRun,
    PolicyRejected,
    ProofMismatch,
    QuotaExceeded,
    RejectedByIssuer,
    RetrievalExpired,
    TemplateChanged,
    TemplateDisabled,
}
156
157//
158// RootIssuerRenewalAttemptStatus
159//
160
/// Status values of a single renewal attempt, reported through
/// `RootIssuerRenewalAttemptView::status`.
// NOTE(review): the allowed transitions between these states are not visible
// in this module (it does not own scheduling or install result mutation);
// the names suggest `Prepared -> Installing -> Installed` with failure and
// expiry exits - confirm against the owning module.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum RootIssuerRenewalAttemptStatus {
    Prepared,
    Installing,
    Installed,
    FailedRetryable,
    FailedTerminal,
    Disabled,
    Expired,
}
171
172//
173// RootIssuerRenewalAttemptView
174//
175
/// Read-side view of one renewal attempt for an issuer.
// NOTE(review): all `*_ns` fields are plain `u64`; the suffix suggests
// nanosecond timestamps, but the clock and epoch are not visible here.
// NOTE(review): the view carries the issuer and a certificate hash twice
// (`issuer_pid` / `prepared_cert_hash` and again inside `proof_ref`). Whether
// the pairs must agree is not stated; a consumer that relies on one should
// check it against the other or confirm the producer guarantees equality.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RootIssuerRenewalAttemptView {
    /// 32-byte identifier of the attempt.
    pub attempt_id: [u8; 32],
    /// Principal of the issuer being renewed.
    pub issuer_pid: Principal,
    /// 32-byte fingerprint of the template the attempt was made for.
    pub template_fingerprint: [u8; 32],
    /// 32-byte identifier of the proof batch tied to the attempt.
    pub batch_id: [u8; 32],
    /// Reference (issuer and certificate hash) to the proof in that batch.
    pub proof_ref: RootDelegationProofBatchProofRef,
    /// Current status of the attempt.
    pub status: RootIssuerRenewalAttemptStatus,
    /// When the attempt was prepared.
    pub prepared_at_ns: u64,
    /// When retrieval of the prepared material expires.
    pub retrieval_expires_at_ns: u64,
    /// Deadline for completing the install.
    pub install_deadline_ns: u64,
    /// 32-byte hash of the prepared certificate.
    pub prepared_cert_hash: [u8; 32],
    /// Expiry of the prepared certificate.
    pub prepared_expires_at_ns: u64,
    /// Point after which the prepared certificate should be refreshed.
    pub prepared_refresh_after_ns: u64,
    /// Recorded outcome when the attempt failed, if any.
    pub failure: Option<RootIssuerRenewalOutcome>,
}
192
193//
194// RootIssuerRenewalStateView
195//
196
/// Read-side view of the renewal state kept for one issuer.
// NOTE(review): the three `last_installed_*` fields are independent `Option`s,
// so the type allows some to be set while others are `None`; presumably they
// are always set together - confirm before relying on one implying the others.
// NOTE(review): all `*_ns` fields are plain `u64`; the suffix suggests
// nanosecond timestamps, but the clock and epoch are not visible here.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RootIssuerRenewalStateView {
    /// Principal of the issuer the state belongs to.
    pub issuer_pid: Principal,
    /// 32-byte fingerprint of the template the state refers to.
    pub template_fingerprint: [u8; 32],
    /// 32-byte hash of the last installed certificate, if one exists.
    pub last_installed_cert_hash: Option<[u8; 32]>,
    /// Expiry of the last installed certificate, if one exists.
    pub last_installed_expires_at_ns: Option<u64>,
    /// Refresh point of the last installed certificate, if one exists.
    pub last_installed_refresh_after_ns: Option<u64>,
    /// Identifier of the attempt currently in progress, if any.
    pub active_attempt_id: Option<[u8; 32]>,
    /// Most recent renewal outcome; always present (not an `Option`).
    pub last_outcome: RootIssuerRenewalOutcome,
    /// Count of consecutive failed renewals.
    pub consecutive_failures: u32,
    /// Earliest time for the next attempt.
    pub next_attempt_after_ns: u64,
    /// When this state was last updated.
    pub updated_at_ns: u64,
}
210
211//
212// RootIssuerRenewalStatusResponse
213//
214
/// Response to a renewal status request.
///
/// Each part is optional, so any combination of template, state and active
/// attempt can be absent.
// NOTE(review): an all-`None` response is representable; whether that means
// "unknown issuer" or "nothing configured yet" is not visible here, and the
// two may need to look the same to callers that should not learn which
// issuers exist - confirm the endpoint's intent.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RootIssuerRenewalStatusResponse {
    /// Renewal template of the issuer, if present.
    pub template: Option<RootIssuerRenewalTemplateView>,
    /// Renewal state of the issuer, if present.
    pub state: Option<RootIssuerRenewalStateView>,
    /// Attempt currently in progress for the issuer, if present.
    pub active_attempt: Option<RootIssuerRenewalAttemptView>,
}