Skip to main content

canic_core/api/auth/
attestation.rs

1//! Module: api::auth::attestation
2//!
3//! Responsibility: adapt role-attestation endpoint calls.
4//! Does not own: role-attestation signing, cache state, or verifier internals.
5//! Boundary: the canonical downstream boundary is workflow; the direct ops call
6//! below remains a product-code violation tracked by `CANIC-092-LAYERING-001`.
7
8use super::AuthApi;
9use crate::{
10    dto::{
11        auth::{
12            RoleAttestationGetRequest, RoleAttestationPrepareResponse, RoleAttestationRequest,
13            SignedRoleAttestation,
14        },
15        error::Error,
16    },
17    ops::{auth::AuthOps, ic::IcOps, runtime::env::EnvOps},
18    workflow::runtime::auth::RuntimeAuthWorkflow,
19};
20
21impl AuthApi {
22    /// Prepare a root-certified role attestation from the local root update path.
23    pub fn prepare_role_attestation_root(
24        request: RoleAttestationRequest,
25    ) -> Result<RoleAttestationPrepareResponse, Error> {
26        RuntimeAuthWorkflow::prepare_role_attestation_root(request).map_err(Self::map_auth_error)
27    }
28
29    /// Retrieve a prepared role attestation with its root canister-signature proof.
30    pub fn get_role_attestation_root(
31        request: RoleAttestationGetRequest,
32    ) -> Result<SignedRoleAttestation, Error> {
33        EnvOps::require_root().map_err(Error::from)?;
34        AuthOps::get_role_attestation(IcOps::msg_caller(), request.payload_hash)
35            .map_err(Self::map_auth_error)
36    }
37
38    /// Verify a role attestation locally from its embedded root proof.
39    pub async fn verify_role_attestation(
40        attestation: &SignedRoleAttestation,
41        min_accepted_epoch: u64,
42    ) -> Result<(), Error> {
43        RuntimeAuthWorkflow::verify_role_attestation(attestation, min_accepted_epoch)
44            .await
45            .map_err(Self::map_auth_error)
46    }
47}