bump go-ucan

Michael Muré
2025-01-16 15:16:01 +01:00
committed by Michael Muré
parent 3b6d70f47a
commit cf3eb1b3f7
7 changed files with 28 additions and 21 deletions


@@ -60,18 +60,18 @@ func (c *Client) PrepareInvoke(ctx context.Context, cmd command.Command, subject
return nil, err
}
invSealed, invCid, err := inv.ToSealed(c.privKey)
invSealed, _, err := inv.ToSealed(c.privKey)
if err != nil {
return nil, err
}
cont := container.NewWriter()
cont.AddSealed(invCid, invSealed)
cont.AddSealed(invSealed)
for bundle, err := range c.pool.GetBundles(proof) {
if err != nil {
return nil, err
}
cont.AddSealed(bundle.Cid, bundle.Sealed)
cont.AddSealed(bundle.Sealed)
}
return cont, nil
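Review bot: Nothing in the visible loop confirms that `c.pool.GetBundles(proof)` yielded a bundle for every CID in `proof`, so a pool that silently skips an unknown CID would produce a container with an incomplete delegation chain, and the rejection would only surface on the server side. Whether GetBundles already reports that case as an error is not visible here; if it does, a one-line comment above the loop such as `// GetBundles returns an error for any proof CID missing from the pool` would record the guarantee this code relies on. PrepareInvoke starts before this hunk, so how `proof` is built cannot be checked from here.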


@@ -14,6 +14,8 @@ import (
// - issuer: the DID of the client, also the issuer of the invocation token
// - cmd: the command to execute
// - subject: the DID of the resource to operate on, also the subject (or audience if defined) of the invocation token
// The returned delegation chain is ordered starting from the leaf (the one matching the invocation) to the root
// (the one given by the service).
// Note: you can read it as "(issuer) wants to do (cmd) on (subject)".
// Note: the returned delegation(s) don't have to match exactly the parameters, as long as they allow them.
// Note: the implemented algorithm won't perform well with a large number of delegations.


@@ -16,6 +16,8 @@ type DelegationRequester interface {
// - cmd: the command to execute
// - audience: the DID of the client, also the issuer of the invocation token
// - subject: the DID of the resource to operate on, also the subject (or audience if defined) of the invocation token
// The returned delegations MUST be ordered starting from the leaf (the one matching the invocation) to the root
// (the one given by the service).
// Note: you can read it as "(audience) wants to do (cmd) on (subject)".
// Note: the returned delegation(s) don't have to match exactly the parameters, as long as they allow them.
RequestDelegation(ctx context.Context, audience did.DID, cmd command.Command, subject did.DID) (iter.Seq2[*delegation.Bundle, error], error)
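Review bot: The added `MUST be ordered` sentence places a requirement on every DelegationRequester implementation, but the comment does not say what the caller does when a requester returns the bundles out of order or with a gap in the chain. These delegations become the proof of an invocation, so the consumer should check the chain itself rather than rely on the implementer; this is inferred, since the consuming code is outside the hunk. If that check exists, I would document it here with a line such as `// The caller re-validates the chain; an out-of-order result is rejected.` The interface declaration starts before the hunk.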


@@ -38,6 +38,9 @@ type UcanCtx struct {
infura *extargs.InfuraExtArgs
}
// FromContainer prepare a UcanCtx from a UCAN container, for further evaluation in a server pipeline.
// It is expected that the container holds a single invocation and the matching delegations. If not,
// an error is returned.
func FromContainer(cont container.Reader) (*UcanCtx, error) {
inv, err := cont.GetInvocation()
if err != nil {
@@ -95,7 +98,7 @@ func (ctn UcanCtx) Policies() policy.Policy {
}
// Meta returns all the meta values from the delegations.
// They are accumulated from the root delegation to the leaf delegation, with no overwrite.
// They are accumulated from the root delegation to the leaf delegation, with no overwriting.
func (ctn UcanCtx) Meta() meta.ReadOnly {
return ctn.meta.ReadOnly()
}
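Review bot: The new FromContainer comment promises an error when the container does not hold a single invocation with its matching delegations, but only the `cont.GetInvocation()` check is visible, and the rest of the body is outside the hunk. The comment should name the rejected cases: a second invocation, a missing delegation, and delegations unrelated to the invocation. The last case matters because Meta is documented just below as accumulating values from the delegations, so ignoring or rejecting an unrelated one changes what the server pipeline sees. A small wording fix for the first line as well: `// FromContainer prepares a UcanCtx from a UCAN container, for further evaluation in a server pipeline.`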


@@ -57,13 +57,13 @@ func ExampleContext() {
invocation.WithExpirationIn(10*time.Minute),
invocation.WithArgument("myarg", "hello"), // we can specify invocation parameters
)
invBytes, invCid, _ := inv.ToSealed(user.PrivKey())
invBytes, _, _ := inv.ToSealed(user.PrivKey())
// PACKAGING: no obligation for the transport, but the user needs to give the service the invocation
// and all the proof delegations. We can use a container for that.
cont := container.NewWriter()
cont.AddSealed(dlgCid, dlgBytes)
cont.AddSealed(invCid, invBytes)
cont.AddSealed(dlgBytes)
cont.AddSealed(invBytes)
contBytes, _ := cont.ToBase64StdPadding()
// MAKING A REQUEST: we pass the container in the Bearer HTTP header


@@ -107,15 +107,15 @@ func TestHttp(t *testing.T) {
// we don't test the args hash here
emptyArgs := args.New().ReadOnly()
extArgs := NewHttpExtArgs(pol, emptyArgs, r)
ctx := NewHttpExtArgs(pol, emptyArgs, r)
_, err := extArgs.Args()
_, err := ctx.Args()
require.NoError(t, err)
if tc.expected {
require.NoError(t, extArgs.Verify())
require.NoError(t, ctx.Verify())
} else {
require.Error(t, extArgs.Verify())
require.Error(t, ctx.Verify())
}
}
@@ -173,12 +173,12 @@ func TestHttpHash(t *testing.T) {
err := invArgs.Add(HttpArgsKey, tc.hash)
require.NoError(t, err)
extArgs := NewHttpExtArgs(pol, invArgs.ReadOnly(), req)
ctx := NewHttpExtArgs(pol, invArgs.ReadOnly(), req)
if tc.expected {
require.NoError(t, extArgs.Verify())
require.NoError(t, ctx.Verify())
} else {
require.Error(t, extArgs.Verify())
require.Error(t, ctx.Verify())
}
})
}


@@ -97,15 +97,15 @@ func TestJsonRpc(t *testing.T) {
// we don't test the args hash here
emptyArgs := args.New().ReadOnly()
extArgs := NewJsonRpcExtArgs(tc.pol, emptyArgs, tc.req)
ctx := NewJsonRpcExtArgs(tc.pol, emptyArgs, tc.req)
_, err := extArgs.Args()
_, err := ctx.Args()
require.NoError(t, err)
if tc.expected {
require.NoError(t, extArgs.Verify())
require.NoError(t, ctx.Verify())
} else {
require.Error(t, extArgs.Verify())
require.Error(t, ctx.Verify())
}
})
}
@@ -152,12 +152,12 @@ func TestJsonRpcHash(t *testing.T) {
err := invArgs.Add(JsonRpcArgsKey, tc.hash)
require.NoError(t, err)
extArgs := NewJsonRpcExtArgs(pol, invArgs.ReadOnly(), req)
ctx := NewJsonRpcExtArgs(pol, invArgs.ReadOnly(), req)
if tc.expected {
require.NoError(t, extArgs.Verify())
require.NoError(t, ctx.Verify())
} else {
require.Error(t, extArgs.Verify())
require.Error(t, ctx.Verify())
}
})
}