canic-core 0.25.8

Canic — a canister orchestration and management toolkit for the Internet Computer
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

use crate::dto::auth::DelegationCert;
use crate::ops::ic::IcOps;
#[cfg(test)]
use crate::{
    InternalError,
    cdk::types::Principal,
    dto::auth::{AttestationKey, DelegatedToken, RoleAttestation, SignedRoleAttestation},
    ops::storage::auth::DelegationStateOps,
    workflow::prelude::CanisterRole,
};

mod attestation;
pub mod audience;
mod boundary;
mod crypto;
mod delegation;
mod error;
mod keys;
mod token;
mod types;
mod verify;
pub use boundary::{BootstrapTokenAudienceSubset, DelegatedSessionExpiryClamp};
pub use error::{
    DelegatedTokenOpsError, DelegationExpiryError, DelegationScopeError, DelegationSignatureError,
    DelegationValidationError,
};
pub use types::{
    TokenAudience, TokenGrant, TokenLifetime, VerifiedDelegatedToken, VerifiedTokenClaims,
};

const DERIVATION_NAMESPACE: &[u8] = b"canic";
const ROOT_PATH_SEGMENT: &[u8] = b"root";
const SHARD_PATH_SEGMENT: &[u8] = b"shard";
const ATTESTATION_PATH_SEGMENT: &[u8] = b"attestation";
const CERT_SIGNING_DOMAIN: &[u8] = b"CANIC_DELEGATION_CERT_V1";
const TOKEN_SIGNING_DOMAIN: &[u8] = b"CANIC_DELEGATED_TOKEN_V1";
const ROLE_ATTESTATION_SIGNING_DOMAIN: &[u8] = b"CANIC_ROLE_ATTESTATION_V1";
const ROLE_ATTESTATION_KEY_ID_V1: u32 = 1;

///
/// DelegatedTokenOps
///

pub struct DelegatedTokenOps;

impl DelegatedTokenOps {
    // Warm the root delegation and attestation public-key caches once.
    pub async fn prewarm_root_key_material() -> Result<(), crate::InternalError> {
        let root_pid = IcOps::canister_self();
        let now_secs = IcOps::now_secs();

        let delegated_key_name = keys::delegated_tokens_key_name()?;
        keys::ensure_root_public_key_cached(&delegated_key_name, root_pid).await?;

        let attestation_key_name = keys::attestation_key_name()?;
        keys::ensure_attestation_key_cached(&attestation_key_name, root_pid, now_secs).await?;

        Ok(())
    }
}

pub fn delegation_cert_hash(cert: &DelegationCert) -> [u8; 32] {
    crypto::cert_hash(cert)
}

#[cfg(test)]
fn verify_role_attestation_claims(
    payload: &RoleAttestation,
    caller: Principal,
    self_pid: Principal,
    verifier_subnet: Option<Principal>,
    now_secs: u64,
    min_accepted_epoch: u64,
) -> Result<(), DelegatedTokenOpsError> {
    verify::verify_role_attestation_claims(
        payload,
        caller,
        self_pid,
        verifier_subnet,
        now_secs,
        min_accepted_epoch,
    )
}

#[cfg(test)]
fn attestation_keys_sorted() -> Vec<AttestationKey> {
    keys::attestation_keys_sorted()
}

#[cfg(test)]
fn root_derivation_path() -> Vec<Vec<u8>> {
    keys::root_derivation_path()
}

#[cfg(test)]
fn attestation_derivation_path() -> Vec<Vec<u8>> {
    keys::attestation_derivation_path()
}

#[cfg(test)]
fn role_attestation_hash(attestation: &RoleAttestation) -> Result<[u8; 32], InternalError> {
    crypto::role_attestation_hash(attestation)
}

#[cfg(test)]
fn trace_token_trust_chain(
    token: &DelegatedToken,
    authority_pid: Principal,
    now_secs: u64,
    self_pid: Principal,
) -> (Vec<&'static str>, Result<(), InternalError>) {
    verify::trace_token_trust_chain(token, authority_pid, now_secs, self_pid)
}

#[cfg(test)]
fn trace_token_trust_chain_with_forced_current_proof_failure(
    token: &DelegatedToken,
    authority_pid: Principal,
    now_secs: u64,
    self_pid: Principal,
    err: InternalError,
) -> (Vec<&'static str>, Result<(), InternalError>) {
    verify::trace_token_trust_chain_with_forced_current_proof_failure(
        token,
        authority_pid,
        now_secs,
        self_pid,
        err,
    )
}

#[cfg(test)]
mod tests;