token/delegation/delegation_test.go

package delegation_test

import (
	_ "embed"
	"encoding/base64"
	"testing"
	"time"

	"code.sonr.org/go/did-it/didtest"
	"github.com/stretchr/testify/require"

	"code.sonr.org/go/ucan/pkg/command"
	"code.sonr.org/go/ucan/pkg/policy"
	"code.sonr.org/go/ucan/token/delegation"
)

//go:embed testdata/new.dagjson
var newDagJson []byte

//go:embed testdata/powerline.dagjson
var powerlineDagJson []byte

//go:embed testdata/root.dagjson
var rootDagJson []byte

const (
	nonce = "6roDhGi0kiNriQAz7J3d+bOeoI/tj8ENikmQNbtjnD0"

	subJectCmd = "/foo/bar"
	subjectPol = `
[
  ["==", ".status", "draft"],
  ["all", ".reviewer",
    ["like", ".email", "*@example.com"]
  ],
  ["any", ".tags",
    ["or", [
      ["==", ".", "news"],
      ["==", ".", "press"]
    ]]
  ]
]
`

	aesKey = "xQklMmNTnVrmaPBq/0pwV5fEwuv/iClF5HWak9MsgI8="
)

func TestConstructors(t *testing.T) {
	t.Parallel()

	cmd, err := command.Parse(subJectCmd)
	require.NoError(t, err)

	pol, err := policy.FromDagJson(subjectPol)
	require.NoError(t, err)

	exp, err := time.Parse(time.RFC3339, "2200-01-01T00:00:00Z")
	require.NoError(t, err)

	t.Run("New", func(t *testing.T) {
		tkn, err := delegation.New(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(), cmd, pol, didtest.PersonaCarol.DID(),
			delegation.WithNonce([]byte(nonce)),
			delegation.WithExpiration(exp),
			delegation.WithMeta("foo", "fooo"),
			delegation.WithMeta("bar", "barr"),
		)
		require.NoError(t, err)

		require.False(t, tkn.IsRoot())
		require.False(t, tkn.IsPowerline())

		data, err := tkn.ToDagJson(didtest.PersonaAlice.PrivKey())
		require.NoError(t, err)

		require.Equal(t, newDagJson, data)
	})

	t.Run("Root", func(t *testing.T) {
		tkn, err := delegation.Root(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(), cmd, pol,
			delegation.WithNonce([]byte(nonce)),
			delegation.WithExpiration(exp),
			delegation.WithMeta("foo", "fooo"),
			delegation.WithMeta("bar", "barr"),
		)
		require.NoError(t, err)

		require.True(t, tkn.IsRoot())
		require.False(t, tkn.IsPowerline())

		data, err := tkn.ToDagJson(didtest.PersonaAlice.PrivKey())
		require.NoError(t, err)

		require.Equal(t, rootDagJson, data)
	})

	t.Run("Powerline", func(t *testing.T) {
		tkn, err := delegation.Powerline(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(), cmd, pol,
			delegation.WithNonce([]byte(nonce)),
			delegation.WithExpiration(exp),
			delegation.WithMeta("foo", "fooo"),
			delegation.WithMeta("bar", "barr"),
		)
		require.NoError(t, err)

		require.False(t, tkn.IsRoot())
		require.True(t, tkn.IsPowerline())

		data, err := tkn.ToDagJson(didtest.PersonaAlice.PrivKey())
		require.NoError(t, err)

		require.Equal(t, powerlineDagJson, data)
	})
}

func TestEncryptedMeta(t *testing.T) {
	t.Parallel()

	cmd, err := command.Parse(subJectCmd)
	require.NoError(t, err)
	pol, err := policy.FromDagJson(subjectPol)
	require.NoError(t, err)

	encryptionKey, err := base64.StdEncoding.DecodeString(aesKey)
	require.NoError(t, err)
	require.Len(t, encryptionKey, 32)

	tests := []struct {
		name        string
		key         string
		value       string
		expectError bool
	}{
		{
			name:  "simple string",
			key:   "secret1",
			value: "hello world",
		},
		{
			name:  "empty string",
			key:   "secret2",
			value: "",
		},
		{
			name:  "special characters",
			key:   "secret3",
			value: "!@#$%^&*()_+-=[]{}|;:,.<>?",
		},
		{
			name:  "unicode characters",
			key:   "secret4",
			value: "Hello, 世界! 👋",
		},
	}

	for _, tt := range tests {
		tt := tt
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			tkn, err := delegation.Root(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(), cmd, pol,
				delegation.WithEncryptedMetaString(tt.key, tt.value, encryptionKey),
			)
			require.NoError(t, err)

			data, err := tkn.ToDagCbor(didtest.PersonaAlice.PrivKey())
			require.NoError(t, err)

			decodedTkn, _, err := delegation.FromSealed(data)
			require.NoError(t, err)

			_, err = decodedTkn.Meta().GetString(tt.key)
			require.Error(t, err)

			decrypted, err := decodedTkn.Meta().GetEncryptedString(tt.key, encryptionKey)
			require.NoError(t, err)
			// Verify the decrypted value is equal to the original
			require.Equal(t, tt.value, decrypted)

			// Try to decrypt with wrong key
			wrongKey := make([]byte, 32)
			_, err = decodedTkn.Meta().GetEncryptedString(tt.key, wrongKey)
			require.Error(t, err)
		})
	}

	t.Run("multiple encrypted values in the same token", func(t *testing.T) {
		values := map[string]string{
			"secret1": "value1",
			"secret2": "value2",
			"secret3": "value3",
		}
		var opts []delegation.Option
		for k, v := range values {
			opts = append(opts, delegation.WithEncryptedMetaString(k, v, encryptionKey))
		}

		// Create token with multiple encrypted values
		tkn, err := delegation.Root(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(), cmd, pol, opts...)
		require.NoError(t, err)

		data, err := tkn.ToDagCbor(didtest.PersonaAlice.PrivKey())
		require.NoError(t, err)

		decodedTkn, _, err := delegation.FromSealed(data)
		require.NoError(t, err)

		for k, v := range values {
			decrypted, err := decodedTkn.Meta().GetEncryptedString(k, encryptionKey)
			require.NoError(t, err)
			require.Equal(t, v, decrypted)
		}
	})
}
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00			`package delegation_test`

			`import (`
Integrate go-varsig and go-did-it - go-varsig provides a varsig V1 implementation - go-did-it provides a complete and extensible DID implementation 2025-07-31 14:43:42 +02:00			`_ "embed"`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`"encoding/base64"`
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00			`"testing"`
test(delegation): move the other relevant tests from the envelope branch 2024-09-18 15:54:46 -04:00			`"time"`
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00
refactor(delegation): migrate from github.com/ucan-wg to code.sonr.org/go 2026-01-08 15:45:53 -05:00			`"code.sonr.org/go/did-it/didtest"`
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00			`"github.com/stretchr/testify/require"`
delegation: use the fancy Meta 2024-09-19 10:48:25 +02:00
refactor(delegation): migrate from github.com/ucan-wg to code.sonr.org/go 2026-01-08 15:45:53 -05:00			`"code.sonr.org/go/ucan/pkg/command"`
			`"code.sonr.org/go/ucan/pkg/policy"`
			`"code.sonr.org/go/ucan/token/delegation"`
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00			`)`

Integrate go-varsig and go-did-it - go-varsig provides a varsig V1 implementation - go-did-it provides a complete and extensible DID implementation 2025-07-31 14:43:42 +02:00			`//go:embed testdata/new.dagjson`
			`var newDagJson []byte`

			`//go:embed testdata/powerline.dagjson`
			`var powerlineDagJson []byte`

			`//go:embed testdata/root.dagjson`
			`var rootDagJson []byte`

feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00			`const (`
			`nonce = "6roDhGi0kiNriQAz7J3d+bOeoI/tj8ENikmQNbtjnD0"`

feat(delegation): make Token constructors resemble invocation.New() signature 2024-11-25 15:12:29 -05:00			`subJectCmd = "/foo/bar"`
			subjectPol = `
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00			`[`
delegation: add predicates to check if a delegation is a root or powerline 2025-01-29 14:07:49 +01:00			`["==", ".status", "draft"],`
			`["all", ".reviewer",`
			`["like", ".email", "*@example.com"]`
			`],`
			`["any", ".tags",`
			`["or", [`
			`["==", ".", "news"],`
			`["==", ".", "press"]`
			`]]`
			`]`
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00			`]`
			`
feat(cid): calculate the CID for decoded and newly created Tokeners 2024-09-19 13:29:33 -04:00
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`aesKey = "xQklMmNTnVrmaPBq/0pwV5fEwuv/iClF5HWak9MsgI8="`
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00			`)`

test(delegation): move the other relevant tests from the envelope branch 2024-09-18 15:54:46 -04:00			`func TestConstructors(t *testing.T) {`
			`t.Parallel()`
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00
test(delegation): move the other relevant tests from the envelope branch 2024-09-18 15:54:46 -04:00			`cmd, err := command.Parse(subJectCmd)`
			`require.NoError(t, err)`
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00
test(delegation): move the other relevant tests from the envelope branch 2024-09-18 15:54:46 -04:00			`pol, err := policy.FromDagJson(subjectPol)`
			`require.NoError(t, err)`
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00
test(delegation): move the other relevant tests from the envelope branch 2024-09-18 15:54:46 -04:00			`exp, err := time.Parse(time.RFC3339, "2200-01-01T00:00:00Z")`
			`require.NoError(t, err)`
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00
test(delegation): move the other relevant tests from the envelope branch 2024-09-18 15:54:46 -04:00			`t.Run("New", func(t *testing.T) {`
delegation: fix following constructor updates 2024-12-10 12:19:47 +01:00			`tkn, err := delegation.New(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(), cmd, pol, didtest.PersonaCarol.DID(),`
delegation: tune the validation step - avoid a double parsing when the flow already parsed (command, policy) - don't require a did:key, as other types are legal (but might require a resolver, TODO) - make the command a struct instead of a pointer: we don't need to avoid copy, and the pointer can be interpreted as nil - make the nonce parameter optional, but generate one if none is given 2024-09-19 11:16:33 +02:00			`delegation.WithNonce([]byte(nonce)),`
delegation: use the fancy Meta 2024-09-19 10:48:25 +02:00			`delegation.WithExpiration(exp),`
			`delegation.WithMeta("foo", "fooo"),`
			`delegation.WithMeta("bar", "barr"),`
			`)`
test(delegation): move the other relevant tests from the envelope branch 2024-09-18 15:54:46 -04:00			`require.NoError(t, err)`
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00
delegation: add predicates to check if a delegation is a root or powerline 2025-01-29 14:07:49 +01:00			`require.False(t, tkn.IsRoot())`
			`require.False(t, tkn.IsPowerline())`

feat(delegation): make Token constructors resemble invocation.New() signature 2024-11-25 15:12:29 -05:00			`data, err := tkn.ToDagJson(didtest.PersonaAlice.PrivKey())`
test(delegation): move the other relevant tests from the envelope branch 2024-09-18 15:54:46 -04:00			`require.NoError(t, err)`
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00
Integrate go-varsig and go-did-it - go-varsig provides a varsig V1 implementation - go-did-it provides a complete and extensible DID implementation 2025-07-31 14:43:42 +02:00			`require.Equal(t, newDagJson, data)`
test(delegation): move the other relevant tests from the envelope branch 2024-09-18 15:54:46 -04:00			`})`
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00
test(delegation): move the other relevant tests from the envelope branch 2024-09-18 15:54:46 -04:00			`t.Run("Root", func(t *testing.T) {`
feat(delegation): make Token constructors resemble invocation.New() signature 2024-11-25 15:12:29 -05:00			`tkn, err := delegation.Root(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(), cmd, pol,`
delegation: tune the validation step - avoid a double parsing when the flow already parsed (command, policy) - don't require a did:key, as other types are legal (but might require a resolver, TODO) - make the command a struct instead of a pointer: we don't need to avoid copy, and the pointer can be interpreted as nil - make the nonce parameter optional, but generate one if none is given 2024-09-19 11:16:33 +02:00			`delegation.WithNonce([]byte(nonce)),`
delegation: use the fancy Meta 2024-09-19 10:48:25 +02:00			`delegation.WithExpiration(exp),`
			`delegation.WithMeta("foo", "fooo"),`
			`delegation.WithMeta("bar", "barr"),`
			`)`
test(delegation): move the other relevant tests from the envelope branch 2024-09-18 15:54:46 -04:00			`require.NoError(t, err)`
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00
delegation: add predicates to check if a delegation is a root or powerline 2025-01-29 14:07:49 +01:00			`require.True(t, tkn.IsRoot())`
			`require.False(t, tkn.IsPowerline())`

feat(delegation): make Token constructors resemble invocation.New() signature 2024-11-25 15:12:29 -05:00			`data, err := tkn.ToDagJson(didtest.PersonaAlice.PrivKey())`
test(delegation): move the other relevant tests from the envelope branch 2024-09-18 15:54:46 -04:00			`require.NoError(t, err)`
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00
Integrate go-varsig and go-did-it - go-varsig provides a varsig V1 implementation - go-did-it provides a complete and extensible DID implementation 2025-07-31 14:43:42 +02:00			`require.Equal(t, rootDagJson, data)`
test(delegation): move the other relevant tests from the envelope branch 2024-09-18 15:54:46 -04:00			`})`
(WIP) refine the token constructors: - for invocation, reorder the parameters for a more "natural language" mental model - for delegation, make "subject" a required parameter to avoid make powerline by mistake - for delegation, implement powerline 2024-12-09 20:39:47 +01:00
			`t.Run("Powerline", func(t *testing.T) {`
			`tkn, err := delegation.Powerline(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(), cmd, pol,`
			`delegation.WithNonce([]byte(nonce)),`
			`delegation.WithExpiration(exp),`
			`delegation.WithMeta("foo", "fooo"),`
			`delegation.WithMeta("bar", "barr"),`
			`)`
			`require.NoError(t, err)`

delegation: add predicates to check if a delegation is a root or powerline 2025-01-29 14:07:49 +01:00			`require.False(t, tkn.IsRoot())`
			`require.True(t, tkn.IsPowerline())`

(WIP) refine the token constructors: - for invocation, reorder the parameters for a more "natural language" mental model - for delegation, make "subject" a required parameter to avoid make powerline by mistake - for delegation, implement powerline 2024-12-09 20:39:47 +01:00			`data, err := tkn.ToDagJson(didtest.PersonaAlice.PrivKey())`
			`require.NoError(t, err)`

Integrate go-varsig and go-did-it - go-varsig provides a varsig V1 implementation - go-did-it provides a complete and extensible DID implementation 2025-07-31 14:43:42 +02:00			`require.Equal(t, powerlineDagJson, data)`
(WIP) refine the token constructors: - for invocation, reorder the parameters for a more "natural language" mental model - for delegation, make "subject" a required parameter to avoid make powerline by mistake - for delegation, implement powerline 2024-12-09 20:39:47 +01:00			`})`
test(delegation): move the other relevant tests from the envelope branch 2024-09-18 15:54:46 -04:00			`}`
feat(delegation): update to provide encoding/decoding straight from/to View 2024-09-18 12:20:54 -04:00
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`func TestEncryptedMeta(t *testing.T) {`
			`t.Parallel()`

			`cmd, err := command.Parse(subJectCmd)`
			`require.NoError(t, err)`
			`pol, err := policy.FromDagJson(subjectPol)`
			`require.NoError(t, err)`

			`encryptionKey, err := base64.StdEncoding.DecodeString(aesKey)`
			`require.NoError(t, err)`
			`require.Len(t, encryptionKey, 32)`

			`tests := []struct {`
			`name string`
			`key string`
			`value string`
			`expectError bool`
			`}{`
			`{`
			`name: "simple string",`
			`key: "secret1",`
			`value: "hello world",`
			`},`
			`{`
			`name: "empty string",`
			`key: "secret2",`
			`value: "",`
			`},`
			`{`
			`name: "special characters",`
			`key: "secret3",`
			`value: "!@#$%^&*()_+-=[]{}\|;:,.<>?",`
			`},`
			`{`
			`name: "unicode characters",`
			`key: "secret4",`
			`value: "Hello, 世界! 👋",`
			`},`
			`}`

			`for _, tt := range tests {`
			`tt := tt`
			`t.Run(tt.name, func(t *testing.T) {`
			`t.Parallel()`

(WIP) refine the token constructors: - for invocation, reorder the parameters for a more "natural language" mental model - for delegation, make "subject" a required parameter to avoid make powerline by mistake - for delegation, implement powerline 2024-12-09 20:39:47 +01:00			`tkn, err := delegation.Root(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(), cmd, pol,`
split WithEncryptedMeta in options.go by type 2024-11-12 16:07:39 +01:00			`delegation.WithEncryptedMetaString(tt.key, tt.value, encryptionKey),`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`)`
			`require.NoError(t, err)`

feat(delegation): make Token constructors resemble invocation.New() signature 2024-11-25 15:12:29 -05:00			`data, err := tkn.ToDagCbor(didtest.PersonaAlice.PrivKey())`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`require.NoError(t, err)`

			`decodedTkn, _, err := delegation.FromSealed(data)`
			`require.NoError(t, err)`

AddEncrypted adds ciphertext always as bytes 2024-11-12 16:37:53 +01:00			`_, err = decodedTkn.Meta().GetString(tt.key)`
			`require.Error(t, err)`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00
			`decrypted, err := decodedTkn.Meta().GetEncryptedString(tt.key, encryptionKey)`
			`require.NoError(t, err)`
			`// Verify the decrypted value is equal to the original`
			`require.Equal(t, tt.value, decrypted)`

			`// Try to decrypt with wrong key`
			`wrongKey := make([]byte, 32)`
			`_, err = decodedTkn.Meta().GetEncryptedString(tt.key, wrongKey)`
			`require.Error(t, err)`
			`})`
			`}`

			`t.Run("multiple encrypted values in the same token", func(t *testing.T) {`
			`values := map[string]string{`
			`"secret1": "value1",`
			`"secret2": "value2",`
			`"secret3": "value3",`
			`}`
address pr remarks 2024-11-04 19:11:25 +01:00			`var opts []delegation.Option`
			`for k, v := range values {`
split WithEncryptedMeta in options.go by type 2024-11-12 16:07:39 +01:00			`opts = append(opts, delegation.WithEncryptedMetaString(k, v, encryptionKey))`
address pr remarks 2024-11-04 19:11:25 +01:00			`}`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00
			`// Create token with multiple encrypted values`
(WIP) refine the token constructors: - for invocation, reorder the parameters for a more "natural language" mental model - for delegation, make "subject" a required parameter to avoid make powerline by mistake - for delegation, implement powerline 2024-12-09 20:39:47 +01:00			`tkn, err := delegation.Root(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(), cmd, pol, opts...)`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`require.NoError(t, err)`

feat(delegation): make Token constructors resemble invocation.New() signature 2024-11-25 15:12:29 -05:00			`data, err := tkn.ToDagCbor(didtest.PersonaAlice.PrivKey())`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`require.NoError(t, err)`

			`decodedTkn, _, err := delegation.FromSealed(data)`
			`require.NoError(t, err)`

			`for k, v := range values {`
			`decrypted, err := decodedTkn.Meta().GetEncryptedString(k, encryptionKey)`
			`require.NoError(t, err)`
			`require.Equal(t, v, decrypted)`
			`}`
			`})`
			`}`