Skip to main content

canic_core/api/auth/
root.rs

1//! Module: api::auth::root
2//!
3//! Responsibility: adapt root-only issuer policy, renewal, and chain-key proof calls.
4//! Does not own: root timer execution, batch signing, or proof install state.
5//! Boundary: verifies root context and delegates to auth workflow.
6
7use super::AuthApi;
8use crate::{
9    cdk::types::Principal,
10    dto::{
11        auth::{
12            RootDelegationProofBatchProof, RootIssuerPolicyResponse, RootIssuerPolicyUpsertRequest,
13            RootIssuerRenewalStatusRequest, RootIssuerRenewalStatusResponse,
14            RootIssuerRenewalTemplateResponse, RootIssuerRenewalTemplateUpsertRequest,
15        },
16        error::Error,
17    },
18    ops::{ic::IcOps, runtime::env::EnvOps},
19    workflow::runtime::auth::RuntimeAuthWorkflow,
20};
21
22impl AuthApi {
23    /// Upsert root issuer policy from the local root controller path.
24    pub fn upsert_root_issuer_policy_root(
25        request: RootIssuerPolicyUpsertRequest,
26    ) -> Result<RootIssuerPolicyResponse, Error> {
27        EnvOps::require_root().map_err(Error::from)?;
28        RuntimeAuthWorkflow::upsert_root_issuer_policy(request).map_err(Self::map_auth_error)
29    }
30
31    /// Upsert root-managed renewal template from the local root controller path.
32    pub fn upsert_root_issuer_renewal_template_root(
33        request: RootIssuerRenewalTemplateUpsertRequest,
34    ) -> Result<RootIssuerRenewalTemplateResponse, Error> {
35        EnvOps::require_root().map_err(Error::from)?;
36        RuntimeAuthWorkflow::upsert_root_issuer_renewal_template(request)
37            .map_err(Self::map_auth_error)
38    }
39
40    /// Report root-managed renewal template/state for one issuer.
41    pub fn root_issuer_renewal_status_root(
42        request: RootIssuerRenewalStatusRequest,
43    ) -> Result<RootIssuerRenewalStatusResponse, Error> {
44        EnvOps::require_root().map_err(Error::from)?;
45        Ok(RuntimeAuthWorkflow::root_issuer_renewal_status(request))
46    }
47
48    /// Return or create a chain-key root delegation proof for the registered issuer caller.
49    pub async fn get_or_create_chain_key_delegation_proof_root()
50    -> Result<RootDelegationProofBatchProof, Error> {
51        EnvOps::require_root().map_err(Error::from)?;
52        RuntimeAuthWorkflow::get_or_create_chain_key_delegation_proof_for_issuer_root(
53            IcOps::msg_caller(),
54        )
55        .await
56        .map_err(Self::map_auth_error)
57    }
58
59    /// Create or reuse and install a chain-key delegation proof for one issuer.
60    ///
61    /// Root applications may call this after installing or reinstalling an
62    /// issuer so delegated-token issuance is ready before the first login.
63    pub async fn provision_chain_key_delegation_proof_for_issuer_root(
64        issuer_pid: Principal,
65    ) -> Result<(), Error> {
66        EnvOps::require_root().map_err(Error::from)?;
67        RuntimeAuthWorkflow::provision_chain_key_delegation_proof_for_issuer_root(issuer_pid)
68            .await
69            .map_err(Self::map_auth_error)
70    }
71}