junobuild-auth 0.4.2

Authentication toolkit for Juno.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192

pub mod state {
    use crate::delegation::types::Timestamp;
    use crate::openid::types::provider::{OpenIdCertificate, OpenIdProvider};
    use crate::state::types::automation::AutomationConfig;
    use crate::state::types::config::AuthenticationConfig;
    use candid::CandidType;
    use serde::{Deserialize, Serialize};
    use std::collections::HashMap;

    pub type Salt = [u8; 32];

    #[derive(Default, CandidType, Serialize, Deserialize, Clone)]
    pub struct AuthenticationHeapState {
        /// Configuration for user authentication via delegation (Internet Identity, Google, GitHub).
        /// Note: Field name kept as "config" for backward compatibility during upgrades.
        pub config: AuthenticationConfig,
        /// Configuration for CI/CD authentication.
        pub automation: Option<AutomationConfig>,
        pub salt: Option<Salt>,
        pub openid: Option<OpenIdState>,
    }

    #[derive(Default, CandidType, Serialize, Deserialize, Clone)]
    pub struct OpenIdState {
        pub certificates: HashMap<OpenIdProvider, OpenIdCachedCertificate>,
    }

    #[derive(CandidType, Serialize, Deserialize, Clone)]
    pub struct OpenIdCachedCertificate {
        pub certificate: Option<OpenIdCertificate>,
        pub last_fetch_attempt: OpenIdLastFetchAttempt,
    }

    #[derive(CandidType, Serialize, Deserialize, Clone)]
    pub struct OpenIdLastFetchAttempt {
        pub at: Timestamp,
        pub streak_count: u8,
    }
}

pub(crate) mod runtime_state {
    use candid::Deserialize;
    use ic_canister_sig_creation::signature_map::SignatureMap;
    use serde::Serialize;

    #[derive(Default, Serialize, Deserialize)]
    pub struct State {
        // Unstable state: State that resides only on the heap, that’s lost after an upgrade.
        #[serde(skip, default)]
        pub runtime: RuntimeState,
    }

    #[derive(Default)]
    pub struct RuntimeState {
        pub sigs: SignatureMap,
    }
}

pub mod config {
    use crate::delegation::types::DelegationTargets;
    use crate::openid::types::provider::OpenIdDelegationProvider;
    use candid::{CandidType, Deserialize, Principal};
    use junobuild_shared::types::core::DomainName;
    use junobuild_shared::types::state::{Timestamp, Version};
    use serde::Serialize;
    use std::collections::BTreeMap;

    #[derive(Default, CandidType, Serialize, Deserialize, Clone)]
    pub struct AuthenticationConfig {
        pub internet_identity: Option<AuthenticationConfigInternetIdentity>,
        pub openid: Option<AuthenticationConfigOpenId>,
        pub rules: Option<AuthenticationRules>,
        pub version: Option<Version>,
        pub created_at: Option<Timestamp>,
        pub updated_at: Option<Timestamp>,
    }

    #[derive(Default, CandidType, Serialize, Deserialize, Clone)]
    pub struct AuthenticationConfigOpenId {
        pub providers: OpenIdAuthProviders,
        pub observatory_id: Option<Principal>,
    }

    #[derive(Default, CandidType, Serialize, Deserialize, Clone)]
    pub struct AuthenticationConfigInternetIdentity {
        pub derivation_origin: Option<DomainName>,
        pub external_alternative_origins: Option<Vec<DomainName>>,
    }

    #[derive(Default, CandidType, Serialize, Deserialize, Clone)]
    pub struct AuthenticationRules {
        pub allowed_callers: Vec<Principal>,
    }

    pub type OpenIdAuthProviders = BTreeMap<OpenIdDelegationProvider, OpenIdAuthProviderConfig>;

    pub type OpenIdAuthProviderClientId = String;

    #[derive(Default, CandidType, Serialize, Deserialize, Clone, Debug)]
    pub struct OpenIdAuthProviderConfig {
        pub client_id: OpenIdAuthProviderClientId,
        pub delegation: Option<OpenIdAuthProviderDelegationConfig>,
    }

    #[derive(Default, CandidType, Serialize, Deserialize, Clone, Debug)]
    pub struct OpenIdAuthProviderDelegationConfig {
        pub targets: Option<DelegationTargets>,
        pub max_time_to_live: Option<u64>,
    }
}

pub mod automation {
    use crate::automation::types::AutomationScope;
    use crate::openid::types::provider::OpenIdAutomationProvider;
    use candid::{CandidType, Deserialize, Principal};
    use junobuild_shared::types::state::{Timestamp, Version};
    use serde::Serialize;
    use std::collections::{BTreeMap, HashMap};

    #[derive(Default, CandidType, Serialize, Deserialize, Clone)]
    pub struct AutomationConfig {
        pub openid: Option<AutomationConfigOpenId>,
        pub version: Option<Version>,
        pub created_at: Option<Timestamp>,
        pub updated_at: Option<Timestamp>,
    }

    #[derive(Default, CandidType, Serialize, Deserialize, Clone)]
    pub struct AutomationConfigOpenId {
        pub providers: OpenIdAutomationProviders,
        pub observatory_id: Option<Principal>,
    }

    pub type OpenIdAutomationProviders =
        BTreeMap<OpenIdAutomationProvider, OpenIdAutomationProviderConfig>;

    // Repository identifier for GitHub automation.
    // Corresponds to the `repository` claim in GitHub OIDC tokens (e.g., "octo-org/octo-repo").
    // See: https://docs.github.com/en/actions/concepts/security/openid-connect#understanding-the-oidc-token
    #[derive(CandidType, Serialize, Deserialize, Clone, Debug, Hash, Eq, PartialEq)]
    pub struct RepositoryKey {
        // Repository owner (e.g. "octo-org")
        pub owner: String,
        // Repository name (e.g. "octo-repo")
        pub name: String,
    }

    pub type OpenIdAutomationRepositories =
        HashMap<RepositoryKey, OpenIdAutomationRepositoryConfig>;

    #[derive(Default, CandidType, Serialize, Deserialize, Clone, Debug)]
    pub struct OpenIdAutomationProviderConfig {
        pub repositories: OpenIdAutomationRepositories,
        pub controller: Option<OpenIdAutomationProviderControllerConfig>,
    }

    #[derive(CandidType, Serialize, Deserialize, Clone, Debug)]
    pub struct OpenIdAutomationRepositoryConfig {
        // Optionally restrict to specific references / branches (e.g. ["refs/heads/main", "refs/pull/74/merge"])
        pub refs: Option<Vec<String>>,
    }

    #[derive(CandidType, Serialize, Deserialize, Clone, Debug)]
    pub struct OpenIdAutomationProviderControllerConfig {
        pub scope: Option<AutomationScope>,
        pub max_time_to_live: Option<u64>,
    }
}

pub mod interface {
    use crate::state::types::automation::AutomationConfigOpenId;
    use crate::state::types::config::{
        AuthenticationConfigInternetIdentity, AuthenticationConfigOpenId, AuthenticationRules,
    };
    use candid::{CandidType, Deserialize};
    use junobuild_shared::types::state::Version;
    use serde::Serialize;

    #[derive(Default, CandidType, Serialize, Deserialize, Clone)]
    pub struct SetAuthenticationConfig {
        pub internet_identity: Option<AuthenticationConfigInternetIdentity>,
        pub openid: Option<AuthenticationConfigOpenId>,
        pub rules: Option<AuthenticationRules>,
        pub version: Option<Version>,
    }

    #[derive(Default, CandidType, Serialize, Deserialize, Clone)]
    pub struct SetAutomationConfig {
        pub openid: Option<AutomationConfigOpenId>,
        pub version: Option<Version>,
    }
}