Skip to main content

canic_core/api/auth/
root.rs

1//! Module: api::auth::root
2//!
3//! Responsibility: adapt root-only issuer policy, renewal, and chain-key proof calls.
4//! Does not own: root timer execution, batch signing, or proof install state.
5//! Boundary: verifies root context and delegates to auth ops/workflow.
6
7use super::AuthApi;
8use crate::{
9    cdk::types::Principal,
10    dto::{
11        auth::{
12            RootDelegationProofBatchProof, RootIssuerPolicyResponse, RootIssuerPolicyUpsertRequest,
13            RootIssuerRenewalStatusRequest, RootIssuerRenewalStatusResponse,
14            RootIssuerRenewalTemplateResponse, RootIssuerRenewalTemplateUpsertRequest,
15        },
16        error::Error,
17    },
18    ops::{auth::AuthOps, ic::IcOps, runtime::env::EnvOps},
19    workflow::runtime::auth::RuntimeAuthWorkflow,
20};
21
22impl AuthApi {
23    /// Upsert root issuer policy from the local root controller path.
24    pub fn upsert_root_issuer_policy_root(
25        request: RootIssuerPolicyUpsertRequest,
26    ) -> Result<RootIssuerPolicyResponse, Error> {
27        EnvOps::require_root().map_err(Error::from)?;
28        AuthOps::upsert_root_issuer_policy(request, IcOps::now_nanos())
29            .map_err(Self::map_auth_error)
30    }
31
32    /// Upsert root-managed renewal template from the local root controller path.
33    pub fn upsert_root_issuer_renewal_template_root(
34        request: RootIssuerRenewalTemplateUpsertRequest,
35    ) -> Result<RootIssuerRenewalTemplateResponse, Error> {
36        EnvOps::require_root().map_err(Error::from)?;
37        let response = AuthOps::upsert_root_issuer_renewal_template(request, IcOps::now_nanos())
38            .map_err(Self::map_auth_error)?;
39        if response.template.enabled {
40            RuntimeAuthWorkflow::start_root_delegation_renewal_timer_soon_if_configured()
41                .map_err(Self::map_auth_error)?;
42        }
43        Ok(response)
44    }
45
46    /// Report root-managed renewal template/state for one issuer.
47    pub fn root_issuer_renewal_status_root(
48        request: RootIssuerRenewalStatusRequest,
49    ) -> Result<RootIssuerRenewalStatusResponse, Error> {
50        EnvOps::require_root().map_err(Error::from)?;
51        Ok(AuthOps::root_issuer_renewal_status(request))
52    }
53
54    /// Return or create a chain-key root delegation proof for the registered issuer caller.
55    pub async fn get_or_create_chain_key_delegation_proof_root()
56    -> Result<RootDelegationProofBatchProof, Error> {
57        EnvOps::require_root().map_err(Error::from)?;
58        RuntimeAuthWorkflow::get_or_create_chain_key_delegation_proof_for_issuer_root(
59            IcOps::msg_caller(),
60        )
61        .await
62        .map_err(Self::map_auth_error)
63    }
64
65    /// Create or reuse and install a chain-key delegation proof for one issuer.
66    ///
67    /// Root applications may call this after installing or reinstalling an
68    /// issuer so delegated-token issuance is ready before the first login.
69    pub async fn provision_chain_key_delegation_proof_for_issuer_root(
70        issuer_pid: Principal,
71    ) -> Result<(), Error> {
72        EnvOps::require_root().map_err(Error::from)?;
73        RuntimeAuthWorkflow::provision_chain_key_delegation_proof_for_issuer_root(issuer_pid)
74            .await
75            .map_err(Self::map_auth_error)
76    }
77}