canic-core 0.30.33

Canic — a canister orchestration and management toolkit for the Internet Computer
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102

use super::{
    ATTESTATION_PATH_SEGMENT, DERIVATION_NAMESPACE, ROLE_ATTESTATION_KEY_ID_V1, ROOT_PATH_SEGMENT,
    SHARD_PATH_SEGMENT, delegated::canonical::public_key_hash,
};
use crate::{
    InternalError,
    cdk::types::Principal,
    dto::auth::{AttestationKey, AttestationKeyStatus},
    ops::{
        auth::AuthValidationError,
        config::ConfigOps,
        ic::ecdsa::EcdsaOps,
        storage::{auth::AuthStateOps, state::subnet::SubnetStateOps},
    },
};
use std::cmp::Reverse;

pub(super) fn attestation_keys_sorted(key_name: &str) -> Vec<AttestationKey> {
    let mut keys = AuthStateOps::attestation_keys(key_name);
    keys.sort_by_key(|entry| {
        let status_rank = match entry.status {
            AttestationKeyStatus::Current => 0u8,
            AttestationKeyStatus::Previous => 1u8,
        };
        (status_rank, Reverse(entry.key_id))
    });
    keys
}

pub(super) fn delegated_tokens_key_name() -> Result<String, InternalError> {
    let cfg = ConfigOps::delegated_tokens_config()?;
    if cfg.ecdsa_key_name.trim().is_empty() {
        return Err(AuthValidationError::EcdsaKeyNameMissing.into());
    }

    Ok(cfg.ecdsa_key_name)
}

pub(super) fn attestation_key_name() -> Result<String, InternalError> {
    let cfg = ConfigOps::role_attestation_config()?;
    if cfg.ecdsa_key_name.trim().is_empty() {
        return Err(AuthValidationError::AttestationKeyNameMissing.into());
    }

    Ok(cfg.ecdsa_key_name)
}

pub(super) fn root_derivation_path() -> Vec<Vec<u8>> {
    vec![DERIVATION_NAMESPACE.to_vec(), ROOT_PATH_SEGMENT.to_vec()]
}

pub(super) fn shard_derivation_path(shard_pid: Principal) -> Vec<Vec<u8>> {
    vec![
        DERIVATION_NAMESPACE.to_vec(),
        SHARD_PATH_SEGMENT.to_vec(),
        shard_pid.as_slice().to_vec(),
    ]
}

pub(super) fn attestation_derivation_path() -> Vec<Vec<u8>> {
    vec![
        DERIVATION_NAMESPACE.to_vec(),
        ATTESTATION_PATH_SEGMENT.to_vec(),
        ROOT_PATH_SEGMENT.to_vec(),
    ]
}

pub(super) async fn ensure_attestation_key_cached(
    key_name: &str,
    root_pid: Principal,
    now_secs: u64,
) -> Result<(), InternalError> {
    if AuthStateOps::attestation_public_key_sec1(ROLE_ATTESTATION_KEY_ID_V1, key_name).is_some() {
        return Ok(());
    }

    let public_key =
        EcdsaOps::public_key_sec1(key_name, attestation_derivation_path(), root_pid).await?;
    AuthStateOps::upsert_attestation_key(AttestationKey {
        key_id: ROLE_ATTESTATION_KEY_ID_V1,
        key_hash: public_key_hash(&public_key),
        key_name: key_name.to_string(),
        public_key,
        status: AttestationKeyStatus::Current,
        valid_from: Some(now_secs),
        valid_until: None,
    });

    Ok(())
}

pub(super) async fn ensure_root_public_key_published(
    key_name: &str,
    root_pid: Principal,
) -> Result<(), InternalError> {
    if SubnetStateOps::delegated_root_public_key(key_name).is_none() {
        let root_pk = EcdsaOps::public_key_sec1(key_name, root_derivation_path(), root_pid).await?;
        SubnetStateOps::set_delegated_root_public_key(key_name.to_string(), root_pk);
    }

    Ok(())
}