canic-core 0.35.7

Canic — a canister orchestration and management toolkit for the Internet Computer
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

use crate::ops::ic::IcOps;

mod attestation;
mod boundary;
mod crypto;
mod delegated;
mod delegation;
mod error;
mod keys;
mod token;
mod types;
mod verify;
pub use boundary::DelegatedSessionExpiryClamp;
pub use error::{
    AuthExpiryError, AuthOpsError, AuthScopeError, AuthSignatureError, AuthValidationError,
};
pub use types::{
    SignDelegatedTokenInput, SignDelegationProofInput, VerifyDelegatedTokenRuntimeInput,
};

const DERIVATION_NAMESPACE: &[u8] = b"canic";
const ROOT_PATH_SEGMENT: &[u8] = b"root";
const SHARD_PATH_SEGMENT: &[u8] = b"shard";
const ATTESTATION_PATH_SEGMENT: &[u8] = b"attestation";
const ROLE_ATTESTATION_SIGNING_DOMAIN: &[u8] = b"CANIC_ROLE_ATTESTATION_V1";
const ROLE_ATTESTATION_KEY_ID_V1: u32 = 1;

///
/// AuthOps
///

pub struct AuthOps;

impl AuthOps {
    // Publish the root delegated-token public key into cascaded subnet state.
    pub async fn publish_delegated_token_root_key_material() -> Result<(), crate::InternalError> {
        let root_pid = IcOps::canister_self();
        let delegated_key_name = keys::delegated_tokens_key_name()?;
        keys::ensure_root_public_key_published(&delegated_key_name, root_pid).await
    }

    // Publish root auth material and warm local root-owned auth keys once.
    pub async fn publish_root_auth_material() -> Result<(), crate::InternalError> {
        let root_pid = IcOps::canister_self();
        let now_secs = IcOps::now_secs();

        Self::publish_delegated_token_root_key_material().await?;

        let attestation_key_name = keys::attestation_key_name()?;
        keys::ensure_attestation_key_cached(&attestation_key_name, root_pid, now_secs).await?;

        Ok(())
    }
}